Install App Store apps on iOS/iPadOS
Goal
| User story |
|---|
| As an IT admin, |
| I want to install apps on my iOS/iPadOS hosts using Apple's Volume Purchasing Program (VPP) |
| so that I can install software on my conference room iPads and iOS engineers' iPhones. |
Context
- Requestor(s): @noahtalerman
- Product designer: @rachaelshaw
For reference, here's the macOS story:
- #18867
Changes
Product
- [ ] UI changes: TODO
- [ ] CLI usage changes: TODO
- [ ] REST API changes: TODO
- [ ] Permissions changes: TODO
- [ ] Outdated documentation changes: TODO
- [ ] Changes to paid features or tiers: TODO
Engineering
- [ ] Database schema migrations: TODO
- [ ] Load testing: TODO
ℹ️ Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".
QA
Risk assessment
- Requires load testing: TODO
- Risk level: Low / High TODO
- Risk description: TODO
Manual testing steps
- Step 1
- Step 2
- Step 3
Testing notes
Confirmation
- [ ] Engineer (@____): Added comment to user story confirming successful completion of QA.
- [ ] QA (@____): Added comment to user story confirming successful completion of QA.
@rachaelshaw FYI here's the 1st air guitar we chatted about during our 1:1. Re: get ahead on drafting before you're OOO
Here's the 2nd air guitar:
- #19448
I moved these to the bottom of the prioritized column.
Hey @rachaelshaw heads up, I unassigned you and assigned @marko-lisica to this story.
Plan is for Marko to get a head start on this ahead of next design sprint.
@Patagonia121 This one didn't make it to estimation. We plan to prioritize this in the next design sprint.
TODO: include read-only software tab on host detail page in the designs for this
Hey @rachaelshaw here's the resources for that a customer shared w/ us re: special app config for the Duo app on iOS:
- Duo: https://duo.com/docs/trusted-endpoints-jamf#ios-configuration
- Jamf: https://learn.jamf.com/en-US/bundle/jamf-setup-reset-configuration-guide/page/Managed_App_Configuration_Setup.html
From Duo:
It sounds like some App Store apps allow for configuration via XML.
@nonpunctual what other iOS/iPadOS apps have you seen this app configuration XML used for?
Another potentially helpful resource: https://www.appconfig.org/ios.html
cc @marko-lisica
@noahtalerman AppConfig is the thing that is probably talked about by Jamf the most for this kind of thing. Also, kiosk-type configs like Zoom / conf room. Envoy is an app that is commonly configured for kiosk mode. Theoretically any profile can be delivered to iOS / iPad devices. AppConfig was kind of pushed as a protocol but I am not sure it's very widely adopted.
@nonpunctual Are you saying that we can do the same thing with configuration profiles, instead of using AppConfig? This config for Duo app can be delivered to host via configuration profile?
@marko-lisica I don't think AppConfig is required for anything. It's a protocol that an app developer can use to add MDM functions on top of their app. For this particular Duo feature I can't say I know - maybe that is the only way to do it. It varies from app to app & it depends on what the app developer has enabled with AppConfig.
@mostlikelee do you know if we can get iOS/iPadOS app vulns from NVD?
> @mostlikelee do you know if we can get iOS/iPadOS app vulns from NVD?
It looks like it. https://nvd.nist.gov/vuln/detail/CVE-2018-0611. iPhone OS vulnerabilities are also available.
TODO @noahtalerman specify the GitOps and API changes.
Hey team! Please add your planning poker estimate with Zenhub @getvictor @jacobshandling @lucasmrod @mostlikelee @RachelElysia
TODO @noahtalerman. Add API changes and make sure there are no GitOps changes (I think there are no changes from what the MDM team worked on)
@noahtalerman Re: our discussion about iOS vs iPadOS versions. Here's something I found and I'll throw it here so we don't forget about it.
Currently, I'm not sure if there are App Store apps that have different versions for iOS and iPad. I wasn't able to find an example.
I found this repo and it seems they use a different user agent when sending requests to Apple's iTunes lookup API.
Maybe that's a way to get iPad-specific metadata.
> I'm not sure if there are App Store apps that have different versions for iOS and iPad. I wasn't able to find an example.
@marko-lisica thanks! So, our current understanding is that apps have the same versions for iOS and iPadOS.
I think this doesn't impact the way we designed the feature, right? We still want IT admins to be able to add an app store app for iOS or iPadOS:
Please jump in if you think that's the wrong decision!
Hey @mostlikelee and @getvictor heads up that we want to detect vulnerabilities for iOS/iPadOS apps if possible.
From Figma here:
Can we get these CVEs from NVD?
I think I forgot to bring this up at standup. Sorry about that.
Hey @getvictor and @jacobshandling heads up that I opened a draft PR with API changes for this story here: https://github.com/fleetdm/fleet/pull/20598
> heads up that we want to detect vulnerabilities for iOS/iPadOS apps if possible. Can we get these CVEs from NVD?
I think the CVEs for iOS/iPadOS question is still unresolved. cc @mostlikelee
If y'all have any questions/thoughts/concerns please schedule 30 mins w/ me! Thanks.
@marko-lisica @noahtalerman there are apps that are iPad only or iPhone only. Maybe not a lot of them. These are old docs but they spell out how you would define an iPhone-only or iPad-only app
https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/iPhoneOSKeys.html#//apple_ref/doc/uid/TP40009252-SW3
& it has to do with the capabilities defined, i.e., if your app has no telephony features, etc... Hope this makes sense. I can try to find examples of iPad only / iPhone only apps. I used to know some that we distributed as demos but I don't remember them.
Hey @nonpunctual, an example of an iPad-only app is Procreate. They also have an iOS-only app.
The reason this discussion started is that we're using the iTunes API and there's no way to request metadata for the iPad app when an app is multiplatform (e.g., if you open the Canva app in the App Store, it supports macOS, iOS, and iPad under the same app). The iTunes API returns iOS data by default and there's a param to get macOS app metadata, but no param for iPadOS.
Usually, iOS and iPad apps have the same version, but my concern is that they might have different versions. In this case, we might display the wrong version in Fleet UI/API.
When it comes to updates for App Store apps in the future, we can rely on the MDM protocol and not any external API, since there's a command to list managed apps. The command returns a list of installed VPP apps and has the flag HasUpdateAvailable, which means that we can repeat the install command to install the latest version.
Additionally, we might need to use the iTunes API occasionally to check what the current version is so we can display up-to-date info on the Software details page (see screenshot).
cc @noahtalerman
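The update flow described in the comment above, sketched as an added example (not Fleet's code and not part of the original thread): read the device's app list, pick the apps flagged `HasUpdateAvailable`, and build a repeat install command for each. It assumes the reply is shaped like the result of Apple's `InstalledApplicationList` MDM command; the bundle identifiers and the inventory map are constructed for illustration.

```python
import plistlib
import uuid

# Constructed sample reply, shaped like the result of Apple's
# InstalledApplicationList MDM command (assumed to be the "list managed apps"
# command the comment means). Bundle identifiers are made up.
SAMPLE_REPLY = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Status</key><string>Acknowledged</string>
  <key>InstalledApplicationList</key><array>
    <dict><key>Identifier</key><string>com.example.calculator</string>
      <key>ShortVersion</key><string>3.1</string>
      <key>HasUpdateAvailable</key><true/></dict>
    <dict><key>Identifier</key><string>com.example.fitness</string>
      <key>ShortVersion</key><string>4.20</string>
      <key>HasUpdateAvailable</key><false/></dict>
    <dict><key>Identifier</key><string>com.example.unmanaged</string>
      <key>HasUpdateAvailable</key><true/></dict>
    <dict><key>Identifier</key><string>com.example.noflag</string></dict>
  </array>
</dict></plist>"""

# Hypothetical server-side inventory: bundle identifier -> App Store ID.
# The IDs are apps linked in this thread; the pairing is constructed.
VPP_INVENTORY = {"com.example.calculator": 685860762,
                 "com.example.fitness": 462638897,
                 "com.example.noflag": 425073498}

def apps_needing_update(reply_plist):
    """Return bundle identifiers the device reports as having an update."""
    reply = plistlib.loads(reply_plist)
    if reply.get("Status") != "Acknowledged":
        return []  # Error/NotNow replies carry no usable app list
    return [app["Identifier"]
            for app in reply.get("InstalledApplicationList", [])
            if "Identifier" in app and app.get("HasUpdateAvailable") is True]

def install_command(app_store_id):
    """Build an InstallApplication command that re-installs a VPP app."""
    return plistlib.dumps({
        "CommandUUID": str(uuid.uuid4()),
        "Command": {"RequestType": "InstallApplication",
                    "iTunesStoreID": app_store_id,
                    "Options": {"PurchaseMethod": 1}},  # 1 = VPP app assignment
    })

def plan_updates(reply_plist, inventory):
    """Map App Store ID -> command, only for apps this server distributed."""
    return {inventory[bundle_id]: install_command(inventory[bundle_id])
            for bundle_id in apps_needing_update(reply_plist)
            if bundle_id in inventory}
```

Apps with no `HasUpdateAvailable` key are treated as up to date, and apps missing from the inventory are skipped so the server never re-installs software it did not distribute.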
Hey @marko-lisica do you know of an example iOS/iPadOS app that's iOS only? What about iPadOS only?
Chatting w/ @getvictor and Victor told me that we want to be able to test these scenarios.
Yup, Procreate was one of our demo apps on pretty much every build.
FYI @getvictor ^
iPadOS only: https://apps.apple.com/us/app/procreate/id425073498
Thanks Brock!
Hey @jacobshandling and @marko-lisica heads up, I got some good feedback from Mike M and we want to make the following UI tweaks to the "Add software" modal:
- Removed header and added footer (highlighted in screenshot below) and link so that IT admins who stumble upon this feature for the first time, when apps are already present, know where these apps are coming from and where to go to add more.
- No client-side pagination. Why? Users have at most 40 apps (not huge). If we paginate then they can't CMD+F to search.
I brought in the error and empty states to Figma and illustrated the same changes in those screens.
Please let me know if you have any questions!
@noahtalerman looks good, thanks! Since we'll display all apps at once, do we want to handle vertical overflow via a scrollbar on the list itself (i.e., maintain the height of the modal), or let the modal extend vertically and handle scrolling with the viewport scroll?
@noahtalerman Procreate has both iPad and iPhone only apps
iPad: https://apps.apple.com/us/app/procreate/id425073498 iPhone: https://apps.apple.com/us/app/procreate-pocket/id916366645
> Since we'll display all apps at once, do we want to handle vertical overflow via a scrollbar on the list itself (i.e., maintain the height of the modal), or let the modal extend vertically and handle scrolling with the viewport scroll?
Hey @jacobshandling, good call out. I think we can let the modal extend vertically in this pass (similar to Policies > Manage automations modal).
I think in the future we might improve this and either add a scrollbar or pagination + search box.
@marko-lisica Can you add an iPhone-only app to our VPP so I can test it during development? Let me know which one it is. Procreate apps cost money, so maybe something else is free?
I already see Calculator - Pad Edition as an iPad-only app.
Hey @getvictor, I added these:
- iPad only: https://apps.apple.com/us/app/calculator-pad-edition/id685860762
- iPhone only: https://apps.apple.com/us/app/fitbit-health-fitness/id462638897
@marko-lisica Fitbit also shows up on my iPad. Is there another iPhone-only app?
@marko-lisica @noahtalerman This story requires GitOps changes -- the same app_store_id may be used for ios and ipad apps, so we need to add platform option (darwin,ios,ipados). We can default to darwin