
Use end user's IdP info as variables in configuration profiles

Open marko-lisica opened this issue 1 year ago • 6 comments

Goal

User story
As an IT admin,
I want to add variables in configuration profiles that will represent end user's information and will be replaced before they are sent to the macOS/iOS/iPadOS host
so that I can issue certificates, which have user details attributed to them.

Key result

Fleet users can add host vitals from their IdP as variables in configuration profiles

Original requests

  • #21028
  • #13420

Context

  • Product designer: @marko-lisica

This should include a feature to have a variable for username portion of email address (everything before @example.com)

Changes

Product

  • [ ] Add new $FLEET_VAR_ variables specified in Figma.
  • [x] UI changes: No changes.
  • [x] CLI (fleetctl) usage changes: No changes.
  • [x] YAML changes: No changes.
  • [x] REST API changes: No changes.
  • [x] Fleet's agent (fleetd) changes: No changes.
  • [x] GitOps mode changes: No changes.
  • [x] Activity changes: #27698
  • [x] Permissions changes: No changes.
  • [x] Changes to paid features or tiers: Fleet Premium only (IdP information is available only in Fleet Premium).
  • [x] Transparency changes: No changes.
  • [x] First draft of test plan added
  • [x] Other reference documentation changes: YAML files docs changes
  • [ ] Once shipped, requester has been notified
  • [ ] Once shipped, dogfooding issue has been filed

Engineering

  • [ ] Feature guide changes: TODO
  • [ ] Database schema migrations: TODO
  • [ ] Load testing: TODO

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

  • Requires load testing: no
  • Risk level: Low
  • Risk description: minimal risk as we already have Variables available in Fleet

Test plan

Make sure to go through the list and consider all events that might be related to this story, so we catch edge cases earlier.

  • [ ] Make sure that the user can add new variables to macOS/iOS/iPadOS configuration profiles specified in Figma.
  • [ ] Make sure that the user can't upload a variable that doesn't exist.
  • [ ] Make sure that when the variable value changes, that profile is resent to the host automatically.
  • [ ] Make sure that Fleet shows global activity when the profile is resent. It should show when user resends the profile manually on host details, when user edits the profile content, and when Fleet resends it when the variable value changes.
  • [ ] Make sure that $FLEET_VAR_HOST_END_USER_EMAIL_IDP still works for backwards compatibility.
  • [ ] Make sure that the profile fails and the error message specified in Figma is displayed if $FLEET_VAR_HOST_END_USER_IDP_GROUPS or $FLEET_VAR_HOST_END_USER_IDP_USERNAME is added to a profile and the host doesn't have a username or groups assigned to it.

Happy path 1

  1. Create SCEP configuration profile that uses $FLEET_VAR_HOST_END_USER_USERNAME_LOCAL_PART as CN and $FLEET_VAR_HOST_END_USER_USERNAME as UPN.
  2. Upload SCEP profile to Fleet and send it to a host
  3. $FLEET_VAR_HOST_END_USER_USERNAME_LOCAL_PART is resolved to e.g. username, and $FLEET_VAR_HOST_END_USER_USERNAME is resolved to [email protected]

Happy path 2

  1. Create ManagedPreferences configuration profile that uses $FLEET_VAR_HOST_END_USER_IDP_GROUPS in one of the keys
  2. Upload the profile and send it to a host in Fleet
  3. $FLEET_VAR_HOST_END_USER_IDP_GROUPS should resolve to a comma-separated list of groups that the host belongs to.

Testing notes

Confirmation

  1. [ ] Engineer (@____): Added comment to user story confirming successful completion of QA.
  2. [ ] QA (@____): Added comment to user story confirming successful completion of QA.

marko-lisica avatar Nov 18 '24 15:11 marko-lisica
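The substitution rules the test plan above spells out (each variable resolved per host, the LOCAL_PART variable taking everything before the "@", groups joined into a comma-separated list, an unknown variable rejected at upload time, and the profile failing on a host that has no value for a referenced variable), as an added Go example that is not Fleet's own code. HostIdPInfo, RenderProfile, ValidateProfile and Fingerprint are hypothetical names, the host values are constructed, and because the issue uses both HOST_END_USER_USERNAME and HOST_END_USER_IDP_USERNAME the example accepts both spellings:

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// HostIdPInfo holds the identity details known for one host from the IdP.
// This struct is an assumption of the example, not Fleet's own type.
type HostIdPInfo struct {
	Email    string   // empty when no IdP account is linked to the host
	Username string   // empty when the host has no IdP username
	Groups   []string // empty when the host is not a member of any group
}

// ErrMissingValue: the host has no value for a referenced variable, so the
// profile fails on that host (the behaviour the test plan asks for).
var ErrMissingValue = errors.New("host has no value for variable")

// ErrUnknownVariable: the profile references a $FLEET_VAR_ name that does not exist.
var ErrUnknownVariable = errors.New("unknown variable")

// knownVars lists the variable names that appear on the issue.
var knownVars = map[string]bool{
	"HOST_END_USER_EMAIL_IDP":           true, // older variable, kept for backwards compatibility
	"HOST_END_USER_USERNAME":            true,
	"HOST_END_USER_IDP_USERNAME":        true,
	"HOST_END_USER_USERNAME_LOCAL_PART": true,
	"HOST_END_USER_IDP_GROUPS":          true,
}

// fleetVarRe matches $FLEET_VAR_<NAME> tokens inside profile content.
var fleetVarRe = regexp.MustCompile(`\$FLEET_VAR_([A-Z0-9_]+)`)

// resolveVar maps one variable name to its value for the given host.
func resolveVar(name string, h HostIdPInfo) (string, error) {
	missing := func() (string, error) {
		return "", fmt.Errorf("%w: $FLEET_VAR_%s", ErrMissingValue, name)
	}
	switch name {
	case "HOST_END_USER_EMAIL_IDP":
		if h.Email == "" {
			return missing()
		}
		return h.Email, nil
	case "HOST_END_USER_USERNAME", "HOST_END_USER_IDP_USERNAME":
		if h.Username == "" {
			return missing()
		}
		return h.Username, nil
	case "HOST_END_USER_USERNAME_LOCAL_PART":
		// everything before the "@" (e.g. "jane" for "jane@example.com")
		if h.Username == "" {
			return missing()
		}
		local, _, _ := strings.Cut(h.Username, "@")
		return local, nil
	case "HOST_END_USER_IDP_GROUPS":
		if len(h.Groups) == 0 {
			return missing()
		}
		return strings.Join(h.Groups, ","), nil
	default:
		return "", fmt.Errorf("%w: $FLEET_VAR_%s", ErrUnknownVariable, name)
	}
}

// ValidateProfile is the upload-time check: every referenced variable must
// exist, even though no host data is involved yet.
func ValidateProfile(content string) error {
	for _, m := range fleetVarRe.FindAllStringSubmatch(content, -1) {
		if !knownVars[m[1]] {
			return fmt.Errorf("%w: $FLEET_VAR_%s", ErrUnknownVariable, m[1])
		}
	}
	return nil
}

// RenderProfile substitutes every variable for one host. If any variable
// cannot be resolved, no content is produced and the profile fails for that host.
func RenderProfile(content string, h HostIdPInfo) (string, error) {
	var firstErr error
	out := fleetVarRe.ReplaceAllStringFunc(content, func(tok string) string {
		v, err := resolveVar(strings.TrimPrefix(tok, "$FLEET_VAR_"), h)
		if err != nil && firstErr == nil {
			firstErr = err
		}
		return v
	})
	if firstErr != nil {
		return "", firstErr
	}
	return out, nil
}

// Fingerprint hashes the rendered content. Storing it per host lets a
// reconciler resend the profile only when a variable's value has changed.
func Fingerprint(rendered string) string {
	sum := sha256.Sum256([]byte(rendered))
	return hex.EncodeToString(sum[:])
}

func main() {
	// Constructed sample: a SCEP-style fragment like happy path 1 above.
	profile := "CN=$FLEET_VAR_HOST_END_USER_USERNAME_LOCAL_PART UPN=$FLEET_VAR_HOST_END_USER_USERNAME"
	host := HostIdPInfo{Email: "jane@example.com", Username: "jane@example.com", Groups: []string{"Product", "Engineering"}}
	if err := ValidateProfile(profile); err != nil {
		fmt.Println("upload rejected:", err)
		return
	}
	rendered, err := RenderProfile(profile, host)
	fmt.Println(rendered, err, Fingerprint(rendered))
	// Same host with no groups: a profile using the groups variable fails.
	_, err = RenderProfile("$FLEET_VAR_HOST_END_USER_IDP_GROUPS", HostIdPInfo{Username: "jane@example.com"})
	fmt.Println("no groups:", err)
}
```

Comparing the stored Fingerprint with a fresh one on each reconcile pass is the check behind "when the variable value changes, that profile is resent": the profile bytes themselves never change, only the rendered output does.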

Closing this one, as we're going to work on this as part of #23236

marko-lisica avatar Feb 28 '25 14:02 marko-lisica

Certificates issue, swift, User details now adrift, Security's gift.

fleet-release avatar Feb 28 '25 14:02 fleet-release

@PezHub, here's the profile I used to add managed preferences that might be useful for testing: https://gist.github.com/marko-lisica/d0030957c7f0047f76de8e7274080780

Here's the script I used to check if a group exists to mock customer's flow where they check this in order to scope software install with Munki:

#!/bin/bash

# Define the plist file path and the group to check
plist_file="/Library/Managed Preferences/com.fleet.idp.info.plist"
group_to_check="Product"

# Check if the plist file exists
if [[ ! -f "$plist_file" ]]; then
    echo "Plist file not found: $plist_file"
    exit 1
fi

# Read the idp_groups key using defaults (empty if the key is missing)
groups=$(defaults read "$plist_file" idp_groups 2>/dev/null)

# Split the comma-separated list and look for an exact match, so that
# "Product" does not also match a group such as "Production"
found=0
IFS=',' read -ra group_list <<< "$groups"
for g in "${group_list[@]}"; do
    # Trim surrounding whitespace from each entry
    g=$(printf '%s' "$g" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
    if [[ "$g" == "$group_to_check" ]]; then
        found=1
        break
    fi
done

if (( found )); then
    echo "Group '$group_to_check' exists."
else
    echo "Group '$group_to_check' does not exist."
fi

@noahtalerman Here's the video that we can share with customer-pingali: https://drive.google.com/file/d/1P3xuQzlJw7aNs9jaqZE0SaTtuOaFsa4I/view?usp=sharing

marko-lisica avatar Apr 01 '25 20:04 marko-lisica

@getvictor @noahtalerman I just learned that if I use $FLEET_VAR_HOST_END_USER_EMAIL_IDP in a configuration profile and the host doesn't have IdP email (mdm_idp_accounts) assigned to it, then the profile will fail on that host. Do you remember why we designed it that way?

I'm thinking now about FLEET_VAR_HOST_END_USER_IDP_GROUPS variable. I don't think we want the profile to fail just because the host isn't a member of any group. I'm wondering if it still makes sense to fail if it doesn't have an IdP username.

btw. @PezHub I tested, and the profile won't fail if some key is empty, e.g. if idp_groups is empty:

<dict>
  <key>idp_groups</key>
  <string></string>
  <key>idp_groups</key>
  <string>$FLEET_VAR_HOST_END_USER_IDP_USERNAME</string>
</dict>

marko-lisica avatar Apr 01 '25 20:04 marko-lisica

@getvictor @noahtalerman I just learned that if I use $FLEET_VAR_HOST_END_USER_EMAIL_IDP in a configuration profile and the host doesn't have IdP email (mdm_idp_accounts) assigned to it, then the profile will fail on that host. Do you remember why we designed it that way?

Don't recall exactly. I think it was safer/easier to fail. There are some places that can't be empty. For example, if the admin tries to put that variable as the CN of a certificate.

getvictor avatar Apr 01 '25 20:04 getvictor

Here's the video that we can share with customer-pingali: https://drive.google.com/file/d/1P3xuQzlJw7aNs9jaqZE0SaTtuOaFsa4I/view?usp=sharing

@marko-lisica thanks! Let Jason know about sharing with pingali in Slack here: https://fleetdm.slack.com/archives/C04THNWKN6Q/p1743542137254699

Also, I think we post this vid to YouTube (build in the open). @Drew-P-drawers can you please help us with that?

noahtalerman avatar Apr 01 '25 21:04 noahtalerman

@PezHub I smoke-tested the feature, all went well, recording here: https://drive.google.com/file/d/1bfOVOa-TW-PSXU43bX3wN0sWi-CL5BLn/view?usp=sharing

mna avatar Apr 30 '25 14:04 mna

QA Test Plan Results

  • Make sure that the user can't upload a variable that doesn't exist -

Image

  • Make sure that when the variable value changes, that profile is resent to the host automatically.

Works except when there is more than one host on a team. Bug has been filed.

  • Make sure that the profile fails and the error message specified in Figma is displayed if $FLEET_VAR_HOST_END_USER_IDP_GROUPS or $FLEET_VAR_HOST_END_USER_IDP_USERNAME is added to a profile and the host doesn't have a username or groups assigned to it.

Image

Image

  • Tested managed preference profiles and that the customer script works

Image

Image

PezHub avatar May 06 '25 01:05 PezHub

Completed test plan and verified the bug fix.

PezHub avatar May 06 '25 15:05 PezHub

Usernames flow like a river, In digital clouds, no shiver. Fleet brings peace, delivers.

fleet-release avatar May 23 '25 12:05 fleet-release

Certificates with ease, Cloud city's secrets align, Fleet whispers in breeze.

fleet-release avatar May 29 '25 13:05 fleet-release