Support `--end-user-email` flag when creating fleetd for macOS & Linux

Open pintomi1989 opened this issue 1 year ago • 9 comments

Goal

User story
As an IT admin creating a fleetd agent for Linux,
I want to specify the end user email as part of the package
so that I can map the end user (human) to the host they're using when fleetd is installed.

Context

  • Product designer: @noahtalerman

Changes

Product

  • [ ] UI changes: No changes. The specified email shows up in the "Used by" field.
  • [ ] CLI usage changes: Update fleetctl package to accept the --end-user-email argument for macOS (.pkg) and Linux agents (.deb and .rpm).
    • Note that support for this flag for Windows (.msi) agents was added in this story: #15057
  • [ ] REST API changes: No changes. The specified email shows up in the device_mapping field in GET /hosts/:id/device_mapping
  • [ ] Outdated documentation changes: Add the --end-user-email flag to the output of fleetctl package -h. Here's the description: End user's email that populates human to host mapping in Fleet
  • [ ] Changes to paid features or tiers: Available in Fleet Free and Premium

Engineering

  • [ ] Database schema migrations: TODO
  • [ ] Load testing: TODO

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

  • Requires load testing: TODO
  • Risk level: Low / High TODO
  • Risk description: TODO

Manual testing steps

  1. Step 1
  2. Step 2
  3. Step 3

Testing notes

Confirmation

  1. [ ] Engineer (@____): Added comment to user story confirming successful completion of QA.
  2. [ ] QA (@____): Added comment to user story confirming successful completion of QA.

pintomi1989 avatar Apr 08 '24 19:04 pintomi1989

Hi,

As you guys added the --end-user-email for Windows, we want it to work as well for Linux (https://github.com/fleetdm/fleet/issues/15057)

Example with the MSI package build:

fleetctl package --type="msi" --enable-scripts --fleet-desktop --fleet-url="$FLEET_URL" --end-user-email="$EMPLOYEE_EMAIL" --enroll-secret="$ENROLLMENT_SECRET"

Then, the used_by value is populated by whatever we insert in EMPLOYEE_EMAIL, as a CUSTOM enum type

We would like the same behavior for Linux package creation

valentinpezon-primo avatar Apr 09 '24 07:04 valentinpezon-primo

Hey @valentinpezon-primo, thanks for following up!

Are y'all starting to enroll Linux devices?

noahtalerman avatar Apr 18 '24 14:04 noahtalerman

Hey @valentinpezon-primo, thanks for following up!

Are y'all starting to enroll Linux devices?

Yeah, we are building the Linux integration this quarter!

valentinpezon-primo avatar Apr 18 '24 15:04 valentinpezon-primo

Just to be clear, we are working on it right now and should ship in 2-3 weeks!

martinpannier avatar Apr 19 '24 08:04 martinpannier

@noahtalerman @marko-lisica @rachaelshaw Shouldn't there be a product tag if it's actively being worked on by engineering or is it already past that stage? Thanks!

nonpunctual avatar May 01 '24 13:05 nonpunctual

@nonpunctual martinpannier is not working for fleet. This is not currently in progress by engineering.

georgekarrv avatar May 09 '24 17:05 georgekarrv

This issue was prioritized per the "blocking workflow" sort on the Feature Fest board. Thanks.

nonpunctual avatar May 09 '24 21:05 nonpunctual

@nonpunctual the issue description is updated w/ the user story changes we're making to fleetctl package.

Please let us know if the customer has any feedback. Thanks!

Shouldn't there be a product tag if it's actively being worked on by engineering or is it already past that stage?

If a story has the :product tag it's in the current design sprint (drafting): ships in ~6 weeks.

If a story has the :release tag, it's in the current engineering sprint: ships in ~3 weeks.

noahtalerman avatar May 17 '24 15:05 noahtalerman

Hey team! Please add your planning poker estimate with Zenhub @dantecatalfamo @gillespi314 @jahzielv @mna @roperzh

marko-lisica avatar May 22 '24 16:05 marko-lisica

@noahtalerman looking for a confirmation after MDM sprint planning today on an eta for this, are we still thinking 4.52.0?

zayhanlon avatar Jun 03 '24 13:06 zayhanlon

@noahtalerman for macOS, fleetd can also get the email from the enrollment profile.

If there's an email in both places, who wins?

roperzh avatar Jun 04 '24 15:06 roperzh

@roperzh good point...

I don't think we need to support --end-user-email on macOS.

The customer is requesting Linux. We thought it would be nice to just make it cross-platform but forgot about the "who wins?" on macOS.

I think we can cut macOS to reduce complexity. I updated the issue to reflect this.

@nonpunctual please let me know if I'm wrong.

cc @gillespi314 @georgekarrv

noahtalerman avatar Jun 05 '24 22:06 noahtalerman

@gillespi314 @georgekarrv @noahtalerman @zayhanlon I think the reason we got this FR specifically for Linux is that the feature wasn't implemented for cross-platform capability.

My opinion (but it's only me...) is that we should implement for cross-platform always where possible, otherwise, customers are constantly stubbing their toes on feature differences they expect to work on all devices. We were just talking about dogfooding & "sharp corners" today. Not having this the same for all platforms is a sharp corner...

I realize this says it's specifically for Linux.

@roperzh what if we checked the --end-user-email value against the enrollment profile value? For 1:1 end user device deployments my hunch is the email will match 99/100. If they don't match, enrollment profile wins.

Thanks.

nonpunctual avatar Jun 05 '24 23:06 nonpunctual

@nonpunctual

what if we checked the --end-user-email value against the enrollment profile value? For 1:1 end user device deployments my hunch is the email will match 99/100. If they don't match, enrollment profile wins.

for sure! we just need a clear definition of what's the expected behavior and to properly document it.

roperzh avatar Jun 06 '24 16:06 roperzh

@nonpunctual the customer requesting the feature is trying to specify the end user email at enrollment time for macOS, Windows, and Linux.

We want there to be one best practice for this. Ideally it's the same for each platform but we're stuck with a unique best practice on macOS (for now)

As far as I know, this customer is accomplishing this by setting the end user email in the enrollment profile on macOS devices.

I think we can be confident that they won't use the --end-user-email flag for fleetd on macOS.

So, I think let's decide to cut the flag on macOS now so we can move quickly. We'll make it clear in the help text (fleetctl package -h) that it's for Windows and Linux only.

If they want to switch to --end-user-email flag for macOS (instead of the enrollment profile) then we can iterate and add this later. Hopefully at the same time remove/deprecate the configuration profile method.

If you think I'm wrong or have concerns with that cut, let's jump on a call.

cc @gillespi314 @roperzh

noahtalerman avatar Jun 06 '24 21:06 noahtalerman

I can confirm your assumption @noahtalerman, we don't need --end-user-email on macOS here 👍

samleb avatar Jun 07 '24 16:06 samleb

@gillespi314 do you think we're still tentative for 4.52 on this? thanks!

zayhanlon avatar Jun 17 '24 13:06 zayhanlon

@zayhanlon, we're looking good for the release next week. Note I've been told that our weekly patch release for this week is going to constitute a minor release and will become 4.52, which means this will tentatively ship in 4.53 next week.

gillespi314 avatar Jun 17 '24 17:06 gillespi314

QA Notes:

  • Built pkg with the --end-user-email flag and confirmed it appears in the UI
  • Ensured host enrolled with fleetd installed
  • The used by field displays "Custom" next to the email address
  • Validated emails captured by this feature return results when searched on the Hosts page
  • fleetctl package -h now shows the description: End user's email that populates human to host mapping in Fleet (only available on Windows and Linux)

APPROVED!

PezHub avatar Jun 25 '24 06:06 PezHub

Hey @zayhanlon this story has shipped.

marko-lisica avatar Jun 27 '24 14:06 marko-lisica

Mapping host to user, In the cloud city, a thread, Connection is clear.

fleet-release avatar Jun 27 '24 14:06 fleet-release