Migrate microMDM to Fleet w/o end user interaction

Open dherder opened this issue 1 year ago • 13 comments

Goal

User story
As a MicroMDM user,
I want to migrate from MicroMDM to Fleet w/o end user interaction
so that I can switch to using Fleet w/ no gap in MDM coverage.

Context

  • Product designer: @noahtalerman

Changes

Product

No product changes. Current understanding is that this requires infrastructure changes.

Infrastructure

  • [ ] At the load balancer level, translate MicroMDM's /mdm/checkin/ requests to Fleet requests
  • [ ] At the load balancer level, translate MicroMDM's SCEP requests to Fleet requests

Engineering

  • [ ] Write a script to import MicroMDM enrollment information into Fleet. We need to get the SCEP certificate and magic token for each host
  • [ ] Database schema migrations: TODO
  • [ ] Load testing: TODO

QA

Risk assessment

  • Requires load testing: TODO
  • Risk level: Low / High TODO
  • Risk description: TODO

Manual testing steps

  1. Step 1
  2. Step 2
  3. Step 3

Testing notes

Confirmation

  1. [ ] Engineer (@____): Added comment to user story confirming successful completion of QA.
  2. [ ] QA (@____): Added comment to user story confirming successful completion of QA.

dherder Nov 01 '23 15:11

Feature fest: What customers are coming from microMDM? I think this is a great idea but not going to sell more Fleet. Let's try to use the migration tools we've already built. If those fail we can reconsider.

noahtalerman Nov 02 '23 19:11

@noahtalerman bringing back to Feature Fest.

dherder Nov 16 '23 17:11

Heads up @dherder this request was discussed during feature fest last week and didn't make it into the current design sprint.

noahtalerman Jan 10 '24 14:01

@noahtalerman do you need any help on this one? I have a micromdm server stood up and ready to test.

dherder Feb 23 '24 20:02

Hey @dherder, I moved your original issue description here:

Internal discussion:

https://fleetdm.slack.com/archives/C03C41L5YEL/p1698794431295409

Background

  • How might this have a positive effect? Migration is the biggest pain for MDM adoption. When we talk to prospects about switching MDMs to Fleet, it becomes apparent that if they need to do a "proper" migration, it will involve a substantial amount of resources and is prone to many edge case failures. In this scenario, the best case scenario is that devices (macOS) will need an end user to click a box to approve the new MDM to manage their device. Fleet has a great migration tool for this. But, what if we could make it even better for microMDM users?

At the 2023 MDOYVR conference, Calvin Lee from Meta presented their "Invisible journey from microMDM to nanoMDM". This was an awesome presentation and showed that it was indeed possible to migrate with a "db" approach. They leveraged the micro2nano project to move enrollment records, which required usage of the migration endpoint in the nanoMDM API.

  • What is the current situation? Why does the current situation hurt? Migrations are a big hurdle. If we can eliminate the end user migration for the microMDM users, we should do it.

Noah: How will migration work for profiles? We don’t want the end user to notice anything.

Problem

  • see above

Potential solutions

Support the migration endpoint from the nanoMDM project. I do have a microMDM environment configured with a device checking in and it would be awesome to leverage this endpoint to get that device to redirect to a Fleet demo instance.

noahtalerman Mar 28 '24 14:03

Still TODO: Map profile scope to Fleet teams + labels

noahtalerman Mar 28 '24 14:03

During the air guitar sessions, we learned how we're going to accomplish this.

Notes from the air guitar sessions are here (internal):

  • Pt. 1: https://docs.google.com/document/d/1rCMt9pSke6pLtpwuIf2F6Mp78VaVpc3fol5JZZCQZZ0/edit#heading=h.p0ke0b2xwzzg
  • Pt. 2: https://docs.google.com/document/d/1Bk5fLoxqiA8gOD2pFnb-DSdfipvj3HE9e0Y9Wz9-sj0/edit#heading=h.kpc4huhqqfp4
  • Pt. 3: https://docs.google.com/document/d/1w4tN0m040WRM_7GM_cKvpPAsBFzS1s9EpV9oVo2ia1Q/edit#heading=h.ochnisprs01j

Still TODO is mapping the customers' profiles to Fleet teams + labels.

Bringing this back to feature fest.

noahtalerman Mar 28 '24 18:03

FYI @dherder ^^

noahtalerman Mar 28 '24 18:03

Hey @noahtalerman I do have a draft ready in the gsheet under the "team to profile mapping" tab. Thoughts on hosts that may exist in different teams from the team that the label is assigned within? Maybe that shouldn't matter?

dherder Apr 18 '24 14:04

> I do have a draft ready in the gsheet under the "team to profile mapping" tab. Thoughts on hosts that may exist in different teams from the team that the label is assigned within? Maybe that shouldn't matter?

Hey @dherder let's chat about this during our call tomorrow! (2024-04-22)

noahtalerman Apr 22 '24 17:04

Hey @dherder who is the DRI of this issue? Should it be you? What board should this issue live on?

Bringing this one to feature fest to discuss.

noahtalerman May 09 '24 15:05

@noahtalerman yes, you can assign this to me. We can transfer it to the #g-sales board.

dherder May 09 '24 15:05

> yes, you can assign this to me. We can transfer it to the #g-sales board.

@dherder done.

I added the #g-sales label.

noahtalerman May 09 '24 18:05

@zwass assigning to you in order to mine this issue for any additional documentation on the mdm proxy.

dherder Jul 03 '24 20:07

@zwass I think this can be closed?

dherder Sep 05 '24 15:09