Enroll BYOD iOS/iPadOS hosts
Goal
| User story |
|---|
| As an IT admin, |
| I want to invite BYOD devices (iPhones and iPads) to enroll |
| so that I can install software and enforce settings on end user devices that can access organization resources/tools. |
Context
- Product designer: @randy-fleet
Changes
- Introduce a BYOD enrollment page that includes instructions for downloading and installing the enrollment profile on the device
- Include a 404-like page, shown when the secret URL is wrong, that encourages the user to reach out to their IT admins (not Fleet)
Product
- [ ] UI changes: Figma designs.
- [ ] REST API changes: https://github.com/fleetdm/fleet/pull/21657/files
- [ ] Outdated documentation changes: TODO
- [ ] Changes to paid features or tiers: Available in Fleet Free and Premium
Engineering
- [ ] Test BYOD redelivering the enrollment profile to an already enrolled iOS/iPadOS host w/ a change in AccessRights (less rights to more and more rights to less). Does the end user get notified?
- [ ] Database schema migrations: TODO
- [ ] Load testing: TODO
ℹ️ Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".
QA
Risk assessment
- Requires load testing: TODO
- Risk level: Low / High TODO
- Risk description: TODO
Manual testing steps
- Step 1
- Step 2
- Step 3
Testing notes
Confirmation
- [ ] Engineer (@____): Added comment to user story confirming successful completion of QA.
- [ ] QA (@____): Added comment to user story confirming successful completion of QA.
@Patagonia121 This one didn't make it to estimation. We plan to prioritize this in the next design sprint.
Adding @ddribeiro's helpful information from the older, closed issue: Support for account driven user enrollment would enable an organization to allow their employees to enroll their personally owned devices (iOS/iPadOS) into Fleet using a Managed Apple ID. User Enrollment provides several benefits to the employee and organization when enrolling personally owned devices:
- Organization data is cryptographically separated from personal data.
- Enrollment of personal devices is streamlined, as there is a standardized flow built into iOS in Settings > General.
- Some typical MDM capabilities for organization-owned devices are not available (i.e. Erase Device), offering an employee peace of mind that their personal information cannot be erased when they enroll.
- The organization can see limited device details (i.e. it can only see a list of managed apps, not a full list).

Links: Apple Platform Deployment: User Enrollment and MDM; Apple Platform Deployment: User Enrollment MDM Information
@noahtalerman when issues like this are transferred to other issues & the prior issues are closed do you think it would be possible to always bring the labels over to the new issue? I copied them over from #19329. Is there something we can do to automate this? Thanks.
Hey @nonpunctual, I think let's manually copy them over for now. I didn't do that this time. Apologies.
Doesn't save a ton of time to automate. If we mess up, we have a record.
Noah: Might not be able to wipe BYOD if you install an enrollment profile.
Marko: I think you can.
Noah: Maybe it's some permissions you can change in the enrollment profile that gets installed.
@marko-lisica when you get the chance can you please drop your research on this here.
Hey @zayhanlon and @mikermcneil heads up that this didn't get designed in the current design sprint. Bringing it to the next design sprint because it's a high priority for the business (OKR)
Hey @noahtalerman, I shared this with Mike. He asked if you could share this with the e-group on how/if this changes the summers high-level road map.
From design review on 2024-08-14:
TODO Noah: Some webpage for iOS/iPadOS to walk end user through steps like we have on the My device page:
TODO Noah: Ask IT admins what profiles BYOD iPhones get.
- This will help us dig into if we need a "BYOD iPhones - staging" team or if they go straight into "BYOD iPhones" team
TODO Noah: Do end users have access to IdP (ex. Okta) on their iPhone before they enroll?
- This will help us determine if we can use SSO as authentication to get the enrollment profile or if we need to build auth into Fleet.
Roberto: Using the OTA flow, Fleet can reject enrolling a host. So, if we use the enroll secret in the profile, Fleet can say this is an invalid enroll secret and reject the host.
TODO Noah: What happens in Fleet if I delete all the enroll secrets on a team? We should understand this if we're relying on a valid enroll secret to enroll BYOD iOS/iPadOS hosts.
Noah: Let’s call the profile the end user gets in OTA the “first enrollment profile” and the profile we currently get if you hit GET /enrollment_profile/manual Fleet API the “second enrollment profile”
- Noah: customer-preston hits the API and sends the second enrollment profile to end users.
- Roberto: When we add support for the OTA enrollment flow, we will by default support customer-preston's flow.
- Roberto: For customer-preston to switch to using the first enrollment profile we would have to add support for specifying the end user's email in the first enrollment profile (only supported in the second enrollment profile today).
Pulling this old comment out of the description for safe keeping:
@noahtalerman: My current understanding is that there are two ways/workflows to enroll BYOD iOS/iPadOS hosts:
1. End user downloads/installs manual enrollment profile. Fleet supports this workflow today for macOS hosts.
2. End user logs in using Managed Apple ID. Fleet doesn't support this workflow for macOS.
@noahtalerman: We think our customers are looking to use workflow (2). It's also the workflow we understand the least. So, let's prioritize drafting that workflow in this air guitar.
Related: https://github.com/fleetdm/fleet/issues/21390
Hey @randy-fleet! I left some UI feedback in a Loom video here: https://www.loom.com/share/5127c626f54b4cb5a289f5462b23e7f4?sid=f87369d6-504f-4baa-a0d4-8f07586abcf0
Since this story is in the current engineering sprint, can you please pick this up as your top priority tomorrow?
Heads up @georgekarrv, we want to make some tweaks to the UI (style changes and copy changes).
@georgekarrv styling changes and copy changes have been updated in "Ready" page within Figma.
- [ ] Test BYOD redelivering the enrollment profile to an already enrolled iOS/iPadOS host w/ a change in AccessRights (less rights to more and more rights to less). Does the end user get notified?
Hey @roperzh I added this testing TODO to the engineering section.
Do you think we can test that as part of this issue? We want to learn for future iterations.
More context in the Slack thread here (internal).
cc @georgekarrv
@noahtalerman sounds good! we know that you can't change AccessRights in macOS, but we'll give it a try in the other systems
@noahtalerman @randy-fleet I had a chat with @ghernandez345 on what to show on /enroll page for users that aren't on iOS or iPadOS.
Since we decided that this way of enrollment isn't going to be used for macOS, do we want to show something special, or to show same content?
To unblock Gabe, I decided to keep content same and we can always show different content for macOS. We can even show something like "only iOS and iPadOS supported..."
Hey @marko-lisica, I hear you but I think it's worth solving this in the first pass.
My understanding is that it would be relatively quick to design/build unique content for macOS. Please let me know if I'm wrong.
If that's right, I think it makes sense to add screenshots for macOS in this pass.
I bet IT admins / end users will try to hit this URL on a Mac. And, downloading/installing the enrollment profile works right? That is, on macOS, fleetd is delivered after the enrollment profile is installed.
@randy-fleet, can you please update the Figma w/ screenshots for macOS?
cc @PezHub @georgekarrv
It seems unusual to be adding scope if we don't have a specific customers asking for BYOD macOS features.
I don't really know of production BYOD macOS at scale. It's certainly something that gets discussed as a potential cost-saving measure. Also, if these features are going to be enhanced by Apple in the future it seems like they will be more focused on Managed Apple ID / Accounts rather than enrollment profile based. Was this direction something that was discussed in the Apple dev sessions earlier this year? cc @roperzh @lukeheath @dherder @ddribeiro @allenhouchins @spokanemac
I'll just give my two cents that manual enrollment for macOS would be a nice to have. While we don't enroll BYOD at scale, we certainly have one-offs for global employees who need to enroll a personal laptop in a pinch for a break-fix scenario. Even if we had managed apple IDs turned on (which we don't yet), I am not sure we would go that route for one-off BYOD enrollments especially if we could just generate a manual enrollment invite, but then I haven't given that scenario a lot of thought yet.
Hi @bolaussen The problem is a move away from enrollment profiles generally. Yes a manual enrollment profile might be what you would do today but in the future I believe the only way to set up something like a BYOD Mac will be with a Managed Apple Account (Apple ID) & once you have enabled & federated these in your environment it perhaps won't seem as far off the mark as it might now for ad hoc deployments. Thanks!
@noahtalerman Two questions:
- I'm assuming macOS experience would be exactly the same as iOS/iPadOS, with profile download, etc. Is that correct?
- If we are going to expand this experience to also support macOS, is there a reason why we wouldn't do the same for Windows, Linux, and Chrome?
@randy-fleet, I thought about this more. If we commit to adding Mac screenshots, we're committing to maintaining screenshots and this flow for macOS.
So, I think it would be easier now and in the short term to show some "Open this page on your iPhones or iPads" screen/state if we detect that the end user isn't on an iPhone or iPad.
Can you please help prepare that screen for the next design review?
@nonpunctual makes a good point we don't have customers asking for this flow on macOS. Note that we already support BYOD enrollment for macOS. fleetd gets installed first.
@randy-fleet FYI I followed up to your questions here (before we decided to not support macOS)
I'm assuming macOS experience would be exactly the same as iOS/iPadOS, with profile download, etc. Is that correct?
I think it's very similar. The steps the end user takes and where they click to find the enrollment profile will be slightly different. For example, on a Mac, the user will see a macOS notification and go to System Settings in the top menu bar, etc.
If we are going to expand this experience to also support macOS, is there a reason why we wouldn't do the same for Windows, Linux, and Chrome?
Yes.
The enrollment profile download/install is specific to the Apple's MDM protocol (macOS, iOS, iPadOS). Windows, Linux, and Chrome don't support enrollment via this flow.
@noahtalerman I've updated the Figma to incorporate macOS as well. https://www.figma.com/design/zMNFxTLMS4yYZjylJMQ5uv/%2319448-Enroll-BYOD-iOS%2FiPadOS-hosts?node-id=5493-17247&t=FMt11fj07eQaQSTF-4 Please let me know if you have any questions.
Thanks @randy-fleet!
I think at this point it makes sense to address macOS behavior in a later iteration. We have an issue for this tracked here. I moved your Figma wires to scratchpad here for safekeeping.
That said, I think it’s worth making the copy more explicit in this iteration.
As an IT admin and end user, how do I know that the best practice is to follow instructions on my iPhone and iPad? What if I pull up this page on my Mac?
Here's what I'm thinking...
Fleet detects iOS:
Fleet detects iPadOS:
Fleet detects neither iOS nor iPadOS:
I updated Figma w/ the above^
@roperzh and @georgekarrv, is that something we can fit into this iteration?
cc @ghernandez345
@marko-lisica @noahtalerman In regards to:
Test BYOD redelivering the enrollment profile to an already enrolled iOS/iPadOS host w/ a change in AccessRights (less rights to more and more rights to less). Does the end user get notified?
I prepared two enrollment profiles, each with different access rights:

| AccessRights | Rights granted |
|---|---|
| 8179 | all access rights except lock & erase |
| 8191 | all access rights |

Findings:
- If the user enrolls with 8179, and you send an `InstallProfile` command with an enrollment profile with 8191, you get an error from the device and the profile is not installed. The error is: `The new MDM payload contains more access rights than the old payload.`
- If the user enrolls with 8191, and you send an `InstallProfile` command with an enrollment profile with 8179, the profile is installed and the access rights are updated. If you try to go back to 8191, you get an error.
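Added example (not Fleet's code and not part of the thread): a small Python script that decodes the `AccessRights` bitmask of an Apple MDM enrollment payload, pulls it out of a profile, and predicts whether re-delivering a profile with different rights will be accepted, using the rule observed above (a new payload may drop rights but may not add any). The bit values are Apple's documented `AccessRights` values; the sample profile, its server URL, topic and identifiers are constructed placeholders, not Fleet's real profile.

```python
import plistlib

# Bit values of the AccessRights key in a com.apple.mdm payload,
# per Apple's configuration profile reference.
ACCESS_RIGHTS = {
    1: "inspect installed configuration profiles",
    2: "install and remove configuration profiles",
    4: "device lock and passcode removal",
    8: "erase device",
    16: "query device information",
    32: "query network information",
    64: "inspect installed provisioning profiles",
    128: "install and remove provisioning profiles",
    256: "inspect installed applications",
    512: "query restrictions",
    1024: "query security information",
    2048: "manipulate settings",
    4096: "manage applications",
}
ALL_RIGHTS = sum(ACCESS_RIGHTS)                  # 8191: "all access rights"
LOCK_AND_ERASE = 4 | 8
NO_LOCK_OR_ERASE = ALL_RIGHTS & ~LOCK_AND_ERASE  # 8179: everything but lock & erase


def decode(mask: int) -> list[str]:
    """Names of the rights set in an AccessRights bitmask, in bit order."""
    return [name for bit, name in ACCESS_RIGHTS.items() if mask & bit]


def validate(mask: int) -> list[str]:
    """Structural problems in a mask: unknown bits, and the two dependencies
    Apple documents (2 requires 1, 128 requires 64)."""
    problems = []
    if mask & ~ALL_RIGHTS:
        problems.append(f"unknown bits set: {mask & ~ALL_RIGHTS}")
    if mask & 2 and not mask & 1:
        problems.append("bit 2 (install/remove config profiles) requires bit 1")
    if mask & 128 and not mask & 64:
        problems.append("bit 128 (install/remove provisioning profiles) requires bit 64")
    return problems


def redelivery_accepted(old: int, new: int) -> tuple[bool, list[str]]:
    """Predict whether InstallProfile of a new enrollment profile is accepted by a
    device already enrolled with `old` rights: adding any right is rejected,
    keeping or dropping rights is accepted. Returns (accepted, rights added)."""
    added = new & ~old
    return added == 0, decode(added)


def access_rights_from_profile(profile: bytes) -> int:
    """Read AccessRights from the com.apple.mdm payload of an enrollment profile."""
    for payload in plistlib.loads(profile).get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.mdm":
            return int(payload["AccessRights"])
    raise ValueError("profile has no com.apple.mdm payload")


# Constructed sample enrollment profile carrying the reduced (8179) rights.
# URL, topic and identifiers are placeholders (assumption), not Fleet's values.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.enrollment</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mdm</string>
      <key>PayloadIdentifier</key><string>com.example.enrollment.mdm</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>ServerURL</key><string>https://mdm.example.com/mdm</string>
      <key>Topic</key><string>com.apple.mgmt.External.example</string>
      <key>AccessRights</key><integer>8179</integer>
    </dict>
  </array>
</dict>
</plist>
"""

if __name__ == "__main__":
    old = access_rights_from_profile(SAMPLE_PROFILE)
    print(f"enrolled with {old}: {decode(old)}")
    for new in (ALL_RIGHTS, NO_LOCK_OR_ERASE):
        ok, added = redelivery_accepted(old, new)
        print(f"re-deliver {new}: {'accepted' if ok else 'rejected'} {added}")
```

The practical consequence for the enrollment page is the one Marko draws in the next comment: ship the first enrollment profile with the widest rights you may ever need, since cutting rights later is a silent `InstallProfile`, while adding rights requires the end user to re-enroll.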
Thanks for the investigation @roperzh! I think that's what I mentioned @noahtalerman, we can easily cut permissions in the next iteration if we need to, without end-user action.
Thanks @roperzh! That report is awesome sauce.
TODO @noahtalerman: using other MDM solutions, do end users see red text when they open the enrollment profile?
note that a demo and the decision to go with the red text was discussed in the sibling issue: https://github.com/fleetdm/fleet/issues/21019#issuecomment-2331794824