
Enroll BYOD iOS/iPadOS hosts #19448

Closed
3 of 9 tasks
noahtalerman opened this issue Jun 3, 2024 · 33 comments
Assignees
Labels
~apple-mdm-maturity Contributes to maturity in macOS, iOS, or iPadOS MDM product category. ~csa Issue was created by or deemed important by the Customer Solutions Architect. customer-eponym customer-figali customer-nortia customer-preston customer-reedtimmer customer-starchik #g-mdm MDM product group P2 Prioritize as urgent :product Product Design department (shows up on 🦢 Drafting board) ~sc Request is a requirement in a presales opportunity story A user story defining an entire feature
Milestone

Comments

@noahtalerman
Member

noahtalerman commented Jun 3, 2024

Goal

User story
As an IT admin,
I want to invite BYOD devices (iPhones and iPads) to enroll
so that I can install software and enforce settings on end user devices that can access organization resources/tools.

Context

Changes

  • Introduce BYOD enrollment page that includes instructions for downloading and installing on device

Product

Engineering

  • Test BYOD redelivering the enrollment profile to an already enrolled iOS/iPadOS host w/ a change in AccessRights (less rights to more and more rights to less). Does the end user get notified?
  • Database schema migrations: TODO
  • Load testing: TODO

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

  • Requires load testing: TODO
  • Risk level: Low / High TODO
  • Risk description: TODO

Manual testing steps

  1. Step 1
  2. Step 2
  3. Step 3

Testing notes

Confirmation

  1. Engineer (@____): Added comment to user story confirming successful completion of QA.
  2. QA (@____): Added comment to user story confirming successful completion of QA.
@noahtalerman noahtalerman added story A user story defining an entire feature :product Product Design department (shows up on 🦢 Drafting board) ~air-guitar labels Jun 3, 2024
@willmayhone88 willmayhone88 added the ~sc Request is a requirement in a presales opportunity label Jun 17, 2024
@noahtalerman noahtalerman changed the title 🎸 Enroll BYOD iOS/iPadOS hosts Enroll BYOD iOS/iPadOS hosts Jun 19, 2024
@noahtalerman noahtalerman changed the title Enroll BYOD iOS/iPadOS hosts 🎸Enroll BYOD iOS/iPadOS hosts Jun 19, 2024
@noahtalerman noahtalerman changed the title 🎸Enroll BYOD iOS/iPadOS hosts Enroll BYOD iOS/iPadOS hosts Jun 19, 2024
@noahtalerman noahtalerman added #g-mdm MDM product group and removed ~air-guitar labels Jun 19, 2024
@marko-lisica marko-lisica added the ~feature fest Will be reviewed at next Feature Fest label Jun 20, 2024
@marko-lisica
Member

@Patagonia121 This one didn't make to estimation. We plan to prioritize this in the next design sprint.

@noahtalerman noahtalerman added #g-endpoint-ops Endpoint ops product group and removed #g-mdm MDM product group ~feature fest Will be reviewed at next Feature Fest labels Jun 21, 2024
@dherder
Contributor

dherder commented Jun 25, 2024

Adding @ddribeiro's helpful information from the older, closed issue:

Support for account-driven user enrollment would enable an organization to allow their employees to enroll their personally owned devices (iOS/iPadOS) into Fleet using a Managed Apple ID. User Enrollment provides several benefits to the employee and organization when enrolling personally owned devices:

  • Organization data is cryptographically separated from personal data.
  • Enrollment of personal devices is streamlined, as there is a standardized flow built into iOS in Settings > General.
  • Some typical MDM capabilities for organization-owned devices are not available (i.e. Erase Device), offering an employee peace of mind that their personal information cannot be erased when they enroll.
  • Organization can see limited device details (i.e. can only see a list of managed apps, not a full list).

Links:
  • Apple Platform Deployment: User Enrollment and MDM
  • Apple Platform Deployment: User Enrollment MDM Information

@noahtalerman
Member Author

noahtalerman commented Sep 4, 2024

@randy-fleet, I thought about this more. If we commit to adding Mac screenshots, we're committing to maintaining screenshots and this flow for macOS.

So, I think it would be easier now and in the short term to show some "Open this page on your iPhones or iPads" screen/state if we detect that the end user isn't on an iPhone or iPad.

Can you please help prepare that screen for the next design review?

@nonpunctual makes a good point we don't have customers asking for this flow on macOS. Note that we already support BYOD enrollment for macOS. fleetd gets installed first.

@noahtalerman
Member Author

@randy-fleet FYI I followed up to your questions here (before we decided to not support macOS)

I'm assuming macOS experience would be exactly the same as iOS/iPadOS, with profile download, etc. Is that correct?

I think it's very similar. The steps the end user takes and where they click to find the enrollment profile will be slightly different. For example, on a Mac, the user will see a macOS notification and go to System Settings in the top menu bar, etc.

If we are going to expand this experience to also support macOS, is there a reason why we wouldn't do the same for Windows, Linux, and Chrome?

Yes.

The enrollment profile download/install is specific to the Apple's MDM protocol (macOS, iOS, iPadOS). Windows, Linux, and Chrome don't support enrollment via this flow.

roperzh added a commit that referenced this issue Sep 5, 2024
relates to #19448

Adds the ability for a user to enroll their device into Fleet MDM.

> NOTE: this is the PR for the feature branch to go into main so all
code has already been approved.
@randy-fleet
Contributor

@noahtalerman I've updated the Figma to incorporate macOS as well. https://www.figma.com/design/zMNFxTLMS4yYZjylJMQ5uv/%2319448-Enroll-BYOD-iOS%2FiPadOS-hosts?node-id=5493-17247&t=FMt11fj07eQaQSTF-4
Please let me know if you have any questions.

@noahtalerman
Member Author

Thanks @randy-fleet!

I think at this point it makes sense to address macOS behavior in a later iteration. We have an issue for this tracked here. I moved your Figma wires to scratchpad here for safekeeping.

That said, I think it’s worth making the copy more explicit in this iteration.

As an IT admin and end user, how do I know that the best practice is to follow instructions on my iPhone and iPad? What if I pull up this page on my Mac?

Here's what I'm thinking...

Fleet detects iOS:
Screenshot 2024-09-10 at 2 13 34 PM

Fleet detects iPadOS:
Screenshot 2024-09-10 at 2 13 45 PM

Fleet detects neither iOS nor iPadOS:
Screenshot 2024-09-10 at 2 14 11 PM

I updated Figma w/ the above^

@roperzh and @georgekarrv, is that something we can fit into this iteration?

cc @ghernandez345

roperzh added a commit that referenced this issue Sep 10, 2024
for #19448

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

<!-- Note that API documentation changes are now addressed by the
product design team. -->

- [x] Manual QA for all new/changed functionality
@roperzh
Contributor

roperzh commented Sep 12, 2024

@marko-lisica @noahtalerman In regards to:

Test BYOD redelivering the enrollment profile to an already enrolled iOS/iPadOS host w/ a change in AccessRights (less rights to more and more rights to less). Does the end user get notified?

I prepared two enrollment profiles, each with different access rights:

  • 8179 all access rights except lock & erase
  • 8191 all access rights

Findings:

  • If the user enrolls with 8179, and you send an InstallProfile command with an enrollment profile with 8191, you get an error from the device and the profile is not installed. Error is: The new MDM payload contains more access rights than the old payload.
  • If the user enrolls with 8191, and you send an InstallProfile command with an enrollment profile with 8179, the profile is installed, and the access rights are updated. If you try to go back to 8191, you get an error.
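
The two masks in the comment above (8179 and 8191) are AccessRights bitmasks from the com.apple.mdm payload of the enrollment profile. The following is an added example, not Fleet's code and not something from the comment author: it decodes such a mask into named rights and models the re-delivery rule the findings describe (a replacement enrollment profile may drop rights but the device rejects one that adds rights). The bit-to-right assignments are the ones in Apple's MDM protocol reference as recalled here, so they are an assumption to verify against the current reference; the sample profile, its ServerURL, Topic and UUIDs are constructed placeholders.

```python
import plistlib

# AccessRights bit flags of the com.apple.mdm payload, per Apple's MDM
# protocol reference (values reproduced from memory for this added example).
ACCESS_RIGHTS = {
    1: "inspect installed configuration profiles",
    2: "install and remove configuration profiles",
    4: "device lock and passcode removal",
    8: "device erase",
    16: "query device information",
    32: "query network information",
    64: "inspect installed provisioning profiles",
    128: "install and remove provisioning profiles",
    256: "inspect installed applications",
    512: "restriction-related queries",
    1024: "security-related queries",
    2048: "manipulate settings",
    4096: "app management",
}
ALL_RIGHTS = sum(ACCESS_RIGHTS)  # 8191, the "all access rights" mask in the comment


def decode_rights(mask: int) -> list[str]:
    """Return the names of the rights set in an AccessRights mask."""
    unknown = mask & ~ALL_RIGHTS
    if unknown:
        raise ValueError(f"unknown AccessRights bits set: {unknown:#x}")
    return [name for bit, name in ACCESS_RIGHTS.items() if mask & bit]


def missing_rights(mask: int) -> list[str]:
    """Return the names of the rights NOT granted by an AccessRights mask."""
    return [name for bit, name in ACCESS_RIGHTS.items() if not mask & bit]


def access_rights_from_profile(profile: bytes) -> int:
    """Pull AccessRights out of an enrollment profile plist, as a server would before sending it."""
    top = plistlib.loads(profile)
    for payload in top.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.mdm":
            return int(payload["AccessRights"])
    raise ValueError("profile has no com.apple.mdm payload")


def redelivery_check(current: int, new: int) -> tuple[bool, str]:
    """Server-side pre-check modelled on the device behaviour reported above:
    a re-delivered enrollment profile may drop rights but never add them."""
    added = new & ~current
    if added:
        return False, "device will reject: new payload adds " + ", ".join(decode_rights(added))
    dropped = current & ~new
    if dropped:
        return True, "accepted; rights dropped: " + ", ".join(decode_rights(dropped))
    return True, "accepted; no change in access rights"


def build_profile(access_rights: int) -> bytes:
    """Constructed minimal enrollment profile; URL, topic and UUIDs are placeholders."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadDisplayName": "Example enrollment profile",
        "PayloadIdentifier": "com.example.enroll",
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",
        "PayloadContent": [{
            "PayloadType": "com.apple.mdm",
            "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.enroll.mdm",
            "PayloadUUID": "00000000-0000-0000-0000-000000000002",
            "ServerURL": "https://mdm.example.invalid/mdm",
            "Topic": "com.apple.mgmt.External.PLACEHOLDER",
            "AccessRights": access_rights,
        }],
    })


if __name__ == "__main__":
    reduced = build_profile(8179)
    print("8179 lacks:", missing_rights(access_rights_from_profile(reduced)))
    for cur, new in ((8179, 8191), (8191, 8179), (8179, 8179)):
        ok, why = redelivery_check(cur, new)
        print(f"{cur} -> {new}: {why}")
```

Running it shows that 8179 is exactly 8191 without the lock (4) and erase (8) bits, that 8191 to 8179 is accepted as a drop, and that 8179 to 8191 would be rejected because it adds rights, which matches the finding that once rights are cut there is no way back without re-enrolling.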

@marko-lisica
Member

Thanks for the investigation @roperzh! I think that's what I mentioned @noahtalerman, we can easily cut permissions in the next iteration if we need to, without end-user action.

@noahtalerman
Member Author

Thanks @roperzh! That report is awesome sauce.

@georgekarrv georgekarrv added :demo and removed :demo labels Sep 13, 2024
@noahtalerman
Member Author

TODO @noahtalerman: using other MDM solutions, do end users see red text when they open the enrollment profile?

@roperzh
Contributor

roperzh commented Sep 13, 2024

note that a demo and the decision to go with the red text was discussed in the sibling issue: #21019 (comment)

@PezHub
Contributor

PezHub commented Sep 13, 2024

QA Notes:

Only iPadOS and iOS were tested; macOS will come later.

  • Confirmed enrollment URL works, download/install enrollment profile succeeds
  • Confirm instructions (copy & screenshots) change dynamically based on device type
  • Errors if enrollment secret is wrong
  • Tested removing downloaded profile from device

Loom video walking thru workflow on an iPad
https://www.loom.com/share/7a28226a89374db68f94f2c4442a88e6

noahtalerman added a commit that referenced this issue Sep 23, 2024
API design for the following story:
#19448
@lukeheath lukeheath added :product Product Design department (shows up on 🦢 Drafting board) and removed :release Ready to write code. Scheduled in a release. See "Making changes" in handbook. labels Sep 24, 2024
@noahtalerman
Member Author

@zayhanlon, heads up that this user story was shipped in 4.57 :shipit:

@fleet-release
Contributor

Enrollment page shines,
BYOD iOS hosts align,
In cloud city's design.
