
iOS/iPadOS automatic (DEP) enrollment and custom MDM commands (CLI/API) #18119

Closed
6 of 10 tasks
noahtalerman opened this issue Apr 8, 2024 · 17 comments
Labels
~csa Issue was created by or deemed important by the Customer Solutions Architect. customer-numa customer-preston customer-starchik #g-endpoint-ops Endpoint ops product group P2 Prioritize as urgent :product Product Design department (shows up on 🦢 Drafting board) ~sc Request is a requirement in a presales opportunity story A user story defining an entire feature
Comments

@noahtalerman (Member)

noahtalerman commented Apr 8, 2024

Goal

User story
As an endpoint operator,
I want my iOS and iPadOS hosts in Apple Business Manager to automatically enroll to Fleet w/ MDM features on
so that I can run MDM commands on these hosts in Fleet.

This is an MVP for dogfooding and early adopters. We won't include an announcement in the release blogpost.

What's included in the MVP?

  1. New iPhones and iPads in Apple Business Manager that aren’t being used yet show up in Fleet as pending. When they enroll, they start reporting minimal host vitals.
  2. No new workflow for manual (BYOD) enrollment as part of this story. The existing manual enrollment profile API can be used to get an enrollment profile for enrolling test iOS/iPadOS devices to dogfood.
  3. New platforms: ios and ipados.
  4. iOS/iPadOS hosts only show up on the Hosts page for now. No filters for iOS/iPadOS.
  5. Host details page (in case of direct navigation) will be mostly empty.
  6. Run custom MDM command & see results using the existing CLI commands or API endpoints (docs here)
  7. iPhones/iPads are included in the fleetctl get hosts --mdm filter

Context

Changes

Product

Engineering

  • Database schema migrations: TODO
  • Load testing: TODO

ℹ️ Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

IMPORTANT: Given that we've made changes all over the place to support iOS/iPadOS, ALL macOS MDM features should be re-tested on this release (DEP, bootstrap packages, XML profiles and DDM profiles, Setup experience, DEP with SSO, Disk encryption, running commands, Wipe/Lock/Unlock, etc.).

NOTE: After being enrolled to MDM (after following the DEP setup on the device) it can take up to 10 minutes for iPhones and iPads to fetch their details (like OS version and disk utilization). Then these details are refetched every 1h.

The tests that should be executed on iPhones and iPads are well summarized in the "What's included in the MVP?" section, and how it should look is shown in the linked Figma document.

Risk assessment

  • Requires load testing: TODO
  • Risk level: Low / High TODO
  • Risk description: TODO

Manual testing steps

  1. Step 1
  2. Step 2
  3. Step 3

Testing notes

Confirmation

  1. Engineer (@____): Added comment to user story confirming successful completion of QA.
  2. QA (@____): Added comment to user story confirming successful completion of QA.
@noahtalerman noahtalerman added story A user story defining an entire feature :product Product Design department (shows up on 🦢 Drafting board) labels Apr 8, 2024
@noahtalerman (Member Author)

Hey @rachaelshaw here's the first iOS/iPadOS story.

For designs, I think we want to think through what an iOS/iPadOS host looks like on the Hosts and Host details page.

Also, while the goal of this story is a read-only view of iOS/iPadOS hosts, I think we should also wireframe lock/wipe as part of this story. We can carve these out later.

Unless we find a way to install osquery (or something like it) on these hosts, I think Fleet will send the "Get Device Information" MDM command to get host vitals.

We can see the info we'd get back by looking at the list of properties here: https://developer.apple.com/documentation/devicemanagement/deviceinformationcommand/command/queries

@noahtalerman noahtalerman added ~feature fest Will be reviewed at next Feature Fest and removed :product Product Design department (shows up on 🦢 Drafting board) labels Apr 18, 2024
@noahtalerman noahtalerman self-assigned this Apr 18, 2024
@noahtalerman (Member Author)

Brock: Customer-preston might want BYOD as well. We don't know.

JD: If there's an enrollment profile, we "support" BYOD. It's a matter of whether we document this workflow or build dedicated UI for it.

@noahtalerman noahtalerman added :product Product Design department (shows up on 🦢 Drafting board) and removed ~feature fest Will be reviewed at next Feature Fest labels Apr 19, 2024
@noahtalerman (Member Author)

Marko: Declaration (DDM) profiles are supported on iOS 15+

This means we might be able to subscribe to a status channel to get the read-only info that we want to display in the UI, instead of using MDM commands.

The advantage of the status channel is that the device sends updates to the Fleet server. The Fleet server doesn't have to run a job to send an MDM command.

@noahtalerman noahtalerman added the #g-endpoint-ops Endpoint ops product group label Apr 19, 2024
@noahtalerman (Member Author)

FYI @lucasmrod ^^

@lucasmrod (Member)

@noahtalerman OK, so I will assume we will build iOS/iPadOS support leveraging DDM, correct?

@noahtalerman (Member Author)

@lucasmrod I'm not sure but I think we'll want to leverage both DDM and the MDM v1 protocol.

We want to deliver MDM v1 profiles and DDM profiles.

We want to deliver MDM v1 commands (lock, wipe, etc.)

For the read-only information about the host (OS, software, etc.) what do we get from DDM v. the MDM v1 protocol?

@noahtalerman noahtalerman changed the title iOS/iPadOS automatic (DEP) enrollment iOS/iPadOS automatic (DEP) enrollment and custom MDM commands (CLI/API) May 8, 2024
@lukeheath lukeheath added the P2 Prioritize as urgent label May 8, 2024
@sharon-fdm sharon-fdm removed their assignment May 13, 2024
@lucasmrod (Member)

lucasmrod commented May 13, 2024

Main backend tasks for estimation today (I may be missing some details):

  • Detect iOS/iPadOS CheckIn requests:
    • Insert host with:
      • hosts.platform ios and ipados
      • Map available values (like model) in the CheckIn to hosts columns.
  • When enrolling iOS/iPadOS do not send the fleetd configuration profile and/or other macOS only profiles.
  • Mechanism to send DeviceInformation command every ~1 hour and ingest results.
  • Automatically insert "All Hosts" label on all iOS/iPadOS devices.
  • DEP fetching of devices might need some changes in Fleet:
    • Check that device is listed properly in Fleet after being enrolled via DEP.

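Worked as an added example (not Fleet's code), covering the task list above together with the earlier comment about sending the "Get Device Information" MDM command for host vitals: detect an iOS/iPadOS Authenticate CheckIn and map it onto a host row with platform `ios` or `ipados`, decide whether a DeviceInformation refetch is due (hourly, and never on free instances, as stated in this thread), build the DeviceInformation command, and validate and ingest its response. It assumes the CheckIn and the command response have already been decoded from their plists into `map[string]any` by a plist library; the `Host` struct and its fields, the ProductName prefix rule, and the chosen subset of Apple's documented DeviceInformation queries are this example's assumptions, and the sample messages are constructed placeholders.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Host stands in for a hosts row; the field set is this example's assumption.
type Host struct {
	UUID, Platform, HardwareModel, OSVersion string
	DetailsUpdatedAt                         time.Time
}

// platformFromProductName maps Apple's ProductName ("iPhone14,6", "iPad13,18",
// "MacBookPro18,3") to a platform string. The prefix rule is an assumption here.
func platformFromProductName(p string) string {
	switch {
	case strings.HasPrefix(p, "iPhone"):
		return "ios"
	case strings.HasPrefix(p, "iPad"):
		return "ipados"
	}
	return "darwin"
}

// str reads a string value from a decoded plist dict; "" if absent or not a string.
func str(m map[string]any, k string) string {
	s, _ := m[k].(string)
	return s
}

// hostFromAuthenticate maps an Authenticate CheckIn (already decoded from its
// plist) onto a Host row, rejecting other CheckIn types and incomplete messages.
func hostFromAuthenticate(msg map[string]any) (*Host, error) {
	if str(msg, "MessageType") != "Authenticate" || str(msg, "UDID") == "" || str(msg, "ProductName") == "" {
		return nil, fmt.Errorf("not an Authenticate CheckIn carrying UDID and ProductName")
	}
	return &Host{UUID: str(msg, "UDID"), Platform: platformFromProductName(str(msg, "ProductName")),
		HardwareModel: str(msg, "ProductName"), OSVersion: str(msg, "OSVersion")}, nil
}

// needsRefetch follows the thread: iOS/iPadOS vitals are pulled with a DeviceInformation
// command about every hour, and not at all on free instances.
func needsRefetch(h *Host, now time.Time, premium bool) bool {
	if (h.Platform != "ios" && h.Platform != "ipados") || !premium {
		return false
	}
	return h.DetailsUpdatedAt.IsZero() || now.Sub(h.DetailsUpdatedAt) >= time.Hour
}

// deviceInformationCommand builds the command dict to queue for the device. The
// query list is a subset of Apple's documented DeviceInformation queries.
func deviceInformationCommand(commandUUID string) map[string]any {
	return map[string]any{
		"CommandUUID": commandUUID,
		"Command": map[string]any{
			"RequestType": "DeviceInformation",
			"Queries":     []string{"DeviceName", "OSVersion", "BuildVersion", "ProductName", "DeviceCapacity", "AvailableDeviceCapacity"},
		},
	}
}

// ingestDeviceInformation checks that a response belongs to this host and command
// and was acknowledged, then applies its QueryResponses to the host.
func ingestDeviceInformation(h *Host, commandUUID string, resp map[string]any, now time.Time) error {
	if str(resp, "UDID") != h.UUID || str(resp, "CommandUUID") != commandUUID {
		return fmt.Errorf("response does not match host %s / command %s", h.UUID, commandUUID)
	}
	if s := str(resp, "Status"); s != "Acknowledged" {
		return fmt.Errorf("command %s finished with status %q", commandUUID, s)
	}
	qr, _ := resp["QueryResponses"].(map[string]any) // nil map reads are safe
	if v := str(qr, "OSVersion"); v != "" {
		h.OSVersion = v
	}
	h.DetailsUpdatedAt = now
	return nil
}

// Constructed messages in the shape of Apple's MDM protocol (placeholder values).
var sampleAuthenticate = map[string]any{
	"MessageType": "Authenticate", "UDID": "UDID-PLACEHOLDER-0001",
	"ProductName": "iPhone14,6", "OSVersion": "17.4", "DeviceName": "Example iPhone",
}

var sampleResponse = map[string]any{
	"UDID": "UDID-PLACEHOLDER-0001", "CommandUUID": "CMD-PLACEHOLDER", "Status": "Acknowledged",
	"QueryResponses": map[string]any{"OSVersion": "17.5", "DeviceCapacity": 64.0},
}

func main() {
	h, err := hostFromAuthenticate(sampleAuthenticate)
	if err == nil && needsRefetch(h, time.Now(), true) {
		cmd := deviceInformationCommand("CMD-PLACEHOLDER")
		err = ingestDeviceInformation(h, str(cmd, "CommandUUID"), sampleResponse, time.Now())
	}
	fmt.Printf("%+v err=%v\n", h, err)
}
```

The UDID and CommandUUID checks in `ingestDeviceInformation` are what keep a result from one device or a stale command from overwriting another host's vitals; a real server would look the command up by its UUID before applying the response.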
@sharon-fdm sharon-fdm added :release Ready to write code. Scheduled in a release. See "Making changes" in handbook. and removed :product Product Design department (shows up on 🦢 Drafting board) labels May 13, 2024
@sharon-fdm sharon-fdm added this to the 4.51.0-tentative milestone May 14, 2024
@lucasmrod (Member)

@xpkoala I've updated the QA section in the description.

mikermcneil pushed a commit that referenced this issue Jun 3, 2024
- iOS/iPadOS launch pushed from 6/30 => 7/15
- Why? We didn't have enough design or engineering capacity. Bugs,
dogfooding feature requests and features for the "Improve the
self-service tech eval experience" were prioritized first

Noah: I don't think we'll be ready for the public launch until we ship
the following:
- #19319 

Why? We want iOS/iPadOS support to feel first class when we publicly
announce it.

Note that Fleet is shipping enrollment + custom MDM commands (#18119)
for iOS/iPadOS and dogfooding profiles (#18866) starting 2024-06-03.
`customer-eponym` will be an early adopter.
@lukeheath lukeheath added :product Product Design department (shows up on 🦢 Drafting board) and removed :release Ready to write code. Scheduled in a release. See "Making changes" in handbook. labels Jun 10, 2024
lucasmrod added a commit that referenced this issue Jun 10, 2024
#18119

- [X] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.

Sample on how to simulate 50 iPads and 50 iPhones:
```sh
go run ./cmd/osquery-perf -host_count 100 -os_templates iphone_14.6.tmpl:50,ipad_13.18.tmpl:50 -mdm_scep_challenge <...>
```
@willmayhone88 willmayhone88 added the ~sc Request is a requirement in a presales opportunity label Jun 17, 2024
@noahtalerman (Member Author)

Hey @lucasmrod, when you get the chance, can you please confirm that the above changes were shipped as part of this story?

I updated the "Changes" section in the issue description. That should have been filled out prior to pulling this into a sprint. That's a miss from me.

@lucasmrod (Member)

All has been implemented except this requirement:

> Changes to paid features or tiers: Only Fleet Premium users can automatically enroll iOS/iPadOS hosts

I didn't add any restrictions to prevent iOS/iPadOS from enrolling on free instances.
However, I did add a check to not do refetch of host details of iOS/iPadOS devices on free instances.

Let me know if we want to prevent iOS/iPadOS devices from enrolling on free instances and I can work on the changes.

Also I'm confused by the first and third bullets here (they look like the same thing?):

> CLI usage changes:
>
>   • Add support for running custom MDM commands using fleetctl mdm run-command against iOS/iPadOS hosts.
>   • Add support for seeing results for custom MDM commands run against iOS/iPadOS hosts using mdm-command-results
>   • Add custom MDM commands run against iOS/iPadOS hosts to fleetctl get mdm-commands
>   • Return iOS/iPadOS hosts when running fleetctl get hosts --mdm

@noahtalerman (Member Author)

> I didn't add any restrictions to prevent iOS/iPadOS from enrolling on free instances.

@lucasmrod got it. I think that's ok. If I'm understanding correctly, free users can manually enroll iOS/iPadOS using an undocumented workflow of installing the manual enrollment profile.

Only premium users can automatically enroll iOS/iPadOS because only premium users can connect Fleet to Apple Business Manager (ABM). Automatic enrollment requires Fleet <=> ABM connection.

> However, I did add a check to not do refetch of host details of iOS/iPadOS devices on free instances.

Good to know. I think at some point soon we'll end up removing this restriction. Probably when we support BYOD iOS/iPadOS (aka manual enrollment).

> Also I'm confused by the first and third bullets here (they look like the same thing?)

Ah, sorry. The 3rd bullet is confusing (fixed it in my above comment). Instead it should be this: Add iOS/iPadOS commands to fleetctl get mdm-commands

I think we added iOS/iPadOS support for this command but I'm just double checking before we close the issue.

@lucasmrod (Member)

> fleetctl get mdm-commands

Ah yes, I can see commands sent to iPhone/iPads when running fleetctl get mdm-commands.

@marko-lisica (Member)

@noahtalerman TODO: open a new PR for docs changes and update copy in ABM docs (see screenshot below)

[Screenshot 2024-06-27 at 17.00.55.png]

@noahtalerman (Member Author)

> update copy in ABM docs

Here's the PR:

@noahtalerman (Member Author)

Hey @zayhanlon, @dherder, and @Patagonia121 heads up, "iOS/iPadOS automatic (DEP) enrollment and custom MDM commands (CLI/API)" was shipped in Fleet 4.51 🚀

@fleet-release (Contributor)

Fleet's iOS embrace,
Auto-enroll, secure with grace,
Cloud city, safe space.

zayhanlon pushed a commit that referenced this issue Aug 26, 2024
- Zero-touch for iOS/iPadOS (#18119) shipped in Fleet 4.51
- Exclude labels from configuration profiles (#17315) shipped in 4.54
  - `customer-rosner` commit
- Configuration profiles for iOS/iPadOS (#19319) shipped in 4.54
- MDM commands for iOS/iPadOS (#18119) shipped in 4.51
- Deploy Apple App Store apps on macOS (#18867) and iOS/iPadOS (#19447)
shipped in 4.55
  - `customer-rosner` commit

---------

Co-authored-by: Sarah Gillespie <73313222+gillespi314@users.noreply.github.com>