Run policies and scripts offline
Goal
| User story |
|---|
| As a Client Platform Engineer, |
| I want hosts to evaluate policies and run scripts if they're failing policies |
| so that I can ensure my hosts are compliant even when they're not connected to the internet. |
Context
- Product designer: @noahtalerman
Changes
Product
- [ ] UI changes: TODO
- [ ] CLI usage changes: TODO
- [ ] REST API changes: TODO
- [ ] Permissions changes: TODO
- [ ] Outdated documentation changes: TODO
- [ ] Changes to paid features or tiers: TODO
Engineering
- [ ] Database schema migrations: TODO
- [ ] Load testing: TODO
ℹ️ Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".
QA
Risk assessment
- Requires load testing: TODO
- Risk level: Low / High TODO
- Risk description: TODO
Manual testing steps
- Step 1
- Step 2
- Step 3
Testing notes
Confirmation
- [ ] Engineer (@____): Added comment to user story confirming successful completion of QA.
- [ ] QA (@____): Added comment to user story confirming successful completion of QA.
Hey @dherder, @kennyb-222, and @williamtheaker, what's an example of one of these scripts? As a guess, I'm thinking these are scripts that set and keep a host in a desired state. As an example script: "Linux - Turn Firewall on"
So, I'm guessing the expected behavior here is the CPE adds this script to Fleet and every 30 minutes the host runs the script w/o checking into the Fleet server.
Currently, the host has to check in with the Fleet server in order to get the instruction to run the script.
@dherder the host has to check in at least once to get the script it should run, right? And check in at some interval to see if the script(s) changed.
So, I'm guessing the host should check in to the server every 30 minutes to see if the script changed or there are new scripts to run.
Does that sound right?
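To make the flow discussed above concrete (cache the policy/script pairs on the last successful check-in, evaluate locally on a timer, run the remediation script only when the check fails, and refresh the cache on the next check-in), here is an added sketch of the host-side loop. This is illustrative code written for this thread, not Fleet's or orbit's implementation; the `Policy` manifest shape, the `sha256Hex`/`verifyScript`/`enforce`/`needsCheckIn` names and the injected `run` function are all assumptions. The security point it adds: the cached script lives on the host's disk and is executed with elevated privileges, so the loop refuses to run any cached body whose hash no longer matches what was recorded at fetch time.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"os/exec"
	"time"
)

// Policy is one entry of the manifest a host caches on its last successful
// check-in, so enforcement can continue while disconnected. (Assumed shape;
// not Fleet's data model.)
type Policy struct {
	Name      string
	Check     func() bool // true when the host is compliant
	Script    string      // cached remediation script body
	ScriptSHA string      // hex SHA-256 of Script as recorded when it was fetched
}

// Result records what the offline loop did for one policy.
type Result struct {
	Policy     string
	Passed     bool
	Remediated bool
	Err        error
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// verifyScript refuses to run a cached script whose body no longer matches the
// hash recorded at fetch time: a tampered on-disk copy must never execute.
func verifyScript(p Policy) error {
	if got := sha256Hex([]byte(p.Script)); got != p.ScriptSHA {
		return fmt.Errorf("policy %q: cached script hash %s does not match manifest %s", p.Name, got, p.ScriptSHA)
	}
	return nil
}

// enforce evaluates every cached policy and runs its remediation script when
// the check fails, then re-evaluates so the report reflects the post-run state.
// run is injected so the loop can be exercised without a shell.
func enforce(policies []Policy, run func(script string) error) []Result {
	results := make([]Result, 0, len(policies))
	for _, p := range policies {
		r := Result{Policy: p.Name, Passed: p.Check()}
		if !r.Passed {
			if err := verifyScript(p); err != nil {
				r.Err = err
			} else if err := run(p.Script); err != nil {
				r.Err = err
			} else {
				r.Remediated = true
				r.Passed = p.Check()
			}
		}
		results = append(results, r)
	}
	return results
}

// runWithShell executes a verified script body with /bin/sh.
func runWithShell(script string) error {
	out, err := exec.Command("/bin/sh", "-c", script).CombinedOutput()
	if err != nil {
		return fmt.Errorf("script failed: %v: %s", err, out)
	}
	return nil
}

// needsCheckIn reports whether the manifest refresh interval (the 30 minutes
// discussed above) has elapsed; local enforcement continues either way.
func needsCheckIn(lastCheckIn, now time.Time, interval time.Duration) bool {
	return now.Sub(lastCheckIn) >= interval
}

func main() {
	// Constructed host state for the demo: the firewall starts off.
	firewallOn := false
	body := "echo enabling firewall" // stand-in for a real "Linux - Turn Firewall on" script
	policies := []Policy{
		{Name: "Linux - Firewall on", Check: func() bool { return firewallOn },
			Script: body, ScriptSHA: sha256Hex([]byte(body))},
		{Name: "Tampered cache entry", Check: func() bool { return false },
			Script: "echo not the original", ScriptSHA: sha256Hex([]byte(body))},
	}
	// Fake runner for the demo; swap in runWithShell on a real host.
	run := func(script string) error { firewallOn = true; return nil }
	for _, r := range enforce(policies, run) {
		fmt.Printf("%s passed=%v remediated=%v err=%v\n", r.Policy, r.Passed, r.Remediated, r.Err)
	}
	fmt.Println("check-in due:", needsCheckIn(time.Now().Add(-31*time.Minute), time.Now(), 30*time.Minute))
}
```

The hash in the manifest only defends against tampering after fetch; it is only as trustworthy as the channel the manifest arrived over, so in a real agent the manifest itself should be fetched over the authenticated server connection and stored where non-root users cannot write.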
Hey @dherder heads up, I updated this issue to user story format and moved your original issue description below.
Problem
As a CPE, I want to declare a group of actions to run on hosts or groups of hosts (teams). Currently, the host has to check in with the Fleet server in order to get the instruction to run the script, which is not ideal. Similar to how we are planning to declare which version of software to pin on a host, declaring the list of scripts to run on a host is desired.
aka "Run policies and scripts offline" aka "Offline policy enforcement, beyond what is already supported by OS setting controls"
User story: As an IT customer excited about expanding Fleet from MDM to configuration management, if a workstation is on an airplane and it goes out of configuration, I want a script to run on policy failure so that the device is always in compliance.
@AnthonySnyder8 @ambrusps Could you edit the description and add Gong links? Thanks!
@randy-fleet while the title "Auto-heal wifi while offline" is an example of a use case that can be solved with this feature, it is a very narrow example. I want to ensure that the scope of the intent for the original ask "Enforce policies offline with scripts" is not lost.
@noahtalerman updated for prospect-numa
https://github.com/fleetdm/fleet/issues/15530#issuecomment-2386382235
@noahtalerman: TODO: File a user story for resending the configuration profile in My device page
Moving the old user stories list out of the issue description to below. User stories that contribute to this request now live in the "Sub-issues" section.
User stories
- #26687
- @noahtalerman: numa requested this because they want to run this script to re-connect end users to corporate Wi-Fi interface when certificates are being swapped out and something goes wrong. Offline script would be needed in order to remediate.
- UPDATE: @noahtalerman: We decided to solve this w/ the ability for the end user to connect to a guest network and resend the Wi-Fi/VPN configuration profile via Fleet Desktop > My device page.
@zayhanlon in Fleet 4.75, we shipped the ability for the end user to connect to a guest network and resend the Wi-Fi/VPN configuration profile via Fleet Desktop > My device page.
We think this meets numa's needs for healing Wi-Fi.
I think let's demo it at our next numa call and get feedback.
From the guide: