Automatically install and scope software within a team

[nonpunctual]

customer-preston: Gong recording (full): https://us-65885.app.gong.io/call?id=1740943306810384507
customer-schur: TODO: Gong snippet
customer-rosner: TODO: Gong snippet
customer-easterwood: https://us-65885.app.gong.io/call?id=4336811297696402414&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A484%2C%22to%22%3A523%7D%5D
prospect-disa: TODO: Gong snippet
prospect-gispen: No Gong recording. They had asked if we had the ability to scope software installs via labels and we referred them to this issue. Example is Item 1 in this slack thread: https://fleetdm.slack.com/archives/C07FSHNNG3C/p1726601549891569
prospect-salix: TODO: Gong snippet
customer-numa: No Gong recording. The commit was (#19551) which may be sufficient. The need is re: self-service, to be able to scope on the software package similar to what is done with labels in config profiles.
prospect-mozartia: No Gong snippet. Written feedback given directly: "In the ideal state we’d like to ship laptops directly to new hires, they open up their machine, get prompted to login and we’ll be able to install specific apps for this user. I’m not sure if “Teams” is a good label but maybe “profiles” might be better? Essentially based on the user’s cost center (or department or ou as described in the ticket), Fleet would be able to determine that this user will need these set of apps on top of the normal onboarding configurations we’re already doing.

• For example, the Finance team / “profile”. In addition to the default Slack, Zoom and Firefox apps we’re already installing in the “Onboarding” team, we’d like to see Microsoft Office and Box installed for users in this “profile. The UX profile would include Adobe apps like Photoshop and Illustrator, etc.
• @noahtalerman: User requested this because they're building a white-label MDM solution on top of Fleet and they want to install a set of apps on macOS and Windows workstations based on the owner's (employee) is group membership (aka profile). This user doesn't utilize teams in Fleet. All workstations are in "No team." The grouping happens inside the white-label MSP solution.
• @noahtalerman: User requested this because they want only install software on Macs that have the required dependencies/hardware/specs (ex. Rosetta, Apple Silicon, Windows ARM, other apps) for the software. This way, the end user only gets software that they can use on their Workstations. Sometimes incompatible software can be installed but fail to run when end user goes and tries to use them.
• @noahtalerman: User requested this because they want to install at first Mac boot an app that's intended for a specific department (ex. Marketing) or role (ex. IT Help Desk). Everyone gets the same base 3-4 applications at new Mac boot but some apps are catered to their department or role.
• @noahtalerman: User requested this because they want to offer an app that's intended for a specific department (ex. Marketing) or role (ex. IT Help Desk) in self-service. Everyone gets the same base 3-4 applications at new Mac boot but their self-service apps are catered to their department.
• @noahtalerman: User requested this because they want to install this new app that my business bought a limited number of licenses for on a specific set of devices. Usually grouped by department (ex. Marketing).
• @noahtalerman: User requested this because they want to install this new app that my business is using and I don't want to install it on each host one by one or build some automation w/ a third-party tool to do this. This could be for a productivity app or a security tool.

---

User stories

• Policy automations: install software #19551
• Create policies automatically for Fleet-maintained apps #22077
• Policy automations: install App Store apps on macOS #23115
• Create policies automatically for custom packages #23344
• Software > Add software: create policies automatically for installing App Store apps (VPP) #23744
• Scope Fleet-maintained apps and custom packages via labels #22813
• Scope App Store apps via labels #24609
• Setup experience: scope software via labels when Macs boot #24989
• Prevent auto-created policies for RPM/deb packages from running on Debian/RPM based Linux distributions #25007
• Hide policies outside software target on Host details and My device page #25226

[noahtalerman]

Thanks for tracking this @nonpunctual.

Heads up that when we ship the new policy automation (#19551), for some scoping software use cases, there's a workaround: add scoping to the policy's query.

For example, I could write a policy's query to fail (not return results) only for specific serial numbers (w/ hardware_serial in system_info table here).

Using the new policy automation, this would scope a software install only to those specific serial numbers.

cc @dherder @ddribeiro @pintomi1989 @zayhanlon

[nonpunctual]

Thanks for explaining the workaround. The original customer feature request is to scope using labels.

[noahtalerman]

Hey @zayhanlon, I think let's start by taking this one one as an air guitar.

When you get the chance, can you please help me set up discovery calls w/ customer-preston and customer-rosner? The fewer attendees the better! Thank you :)

[noahtalerman]

• @noahtalerman: Chatted w/ customer-preston (Gong recording here) and learned that "Automatic install" might be covered by work we're doing in the "Automatically install" story (Custom packages: set minimum version and automatic install #22076)
  • Scoping software w/ labels is still needed for customer's "Profiles" feature

Hey @zayhanlon we learned the above during today's call w/ customer-preston.

I think it makes sense to bring in a user story for scoping software w/ labels next design sprint (we're at capacity this sprint). Or we can pull something out of the current design sprint.

If it's the latter, please schedule 15 mins w/ me ASAP so we can jump on a call what you think we could bring out. Happy to jump on chat about what to pull out.

[zayhanlon]

@noahtalerman let's take it next design sprint. i don't think there's anything on the board that i would be able to pull off (all prospect things so i can't make that call). lets focus on 'labels any' for them for the current design sprint

[noahtalerman]

Hey @pintomi1989, soon we're planning on building a piece of this request: "Create policies automatically for custom packages" (#23344).

Can you please show preston these Figma wireframes and collect their feedback?

[pintomi1989]

Hey @noahtalerman - Will do. I will show these to the customer-preston team during our meeting this week, and let you know what their feedback is

[martinpannier]

Checked with @valentinpezon-primo, looks good on our end 👌

[noahtalerman]

@pintomi1989 heads up that you don't need to add the :product label back when you're sending this back to me. Please just @ mention me. Thanks!

I'm tracking all customer requests in the new Customer requests board.

[noahtalerman]

@pintomi1989 in Fleet 4.62, we shipped an iterative improvement (this user story) to automatically create policies for custom packages.

Fleet does it's best to create the right policy so that Fleet doesn't install software over existing installs. Sometimes Fleet might get it wrong and will require IT admin intervention. I think this improvement is ready for preston to test. Can you please make sure they understand the potential for IT admin intervention?

We call this out in the the UI here:

[noahtalerman]

@pintomi1989 we also shipped this iterative improvement for this request in 4.62: scope (target) Fleet-maintained apps and custom packages via labels (#22813)

This feature isn't finished:

• Creating policies automatically for App Store (VPP) apps is coming soon (story here)
• Scoping App Store (VPP) apps is coming soon (story here)
• Hiding policies outside software scope (target) on Host details page and My device page is coming soon (story here)

So, @pintomi1989 @zayhanlon I think we can let preston and numa know that this request is still in progress but we added these iterative improvements in 4.62:

• target Fleet-maintained apps and custom packages via labels
• automatically create policies for custom packages

[pintomi1989]

Thank you @noahtalerman - I meet with them again this week and will bring it up