fleet icon indicating copy to clipboard operation
fleet copied to clipboard

Published 20 hours ago verified publisher icon fleetdm

Research: account-based user enrollment for Apple devices

Open marko-lisica opened this issue 8 months ago • 5 comments

Goal

User story
As a Fleet contributor,
I want to understand what we need in order to implement Apple user enrollment
so that I can easier implement and estimate upcoming user story.

Key result

Account-based user enrollment for personal Apple devices (BYOD)

Original requests

#19329

Context

  • Product Designer: @marko-lisica

Changes

Product

  • [ ] Research Apple user based enrollment, to understand what it takes to implement based on wireframes in: #27390
  • [x] UI changes: No changes.
  • [x] YAML changes: No changes.
  • [x] REST API changes: No changes.
  • [x] Fleet's agent (fleetd) changes: No changes.
  • [x] GitOps mode changes: No changes.
  • [x] Activity changes: No changes.
  • [x] Permissions changes: No changes.
  • [x] Changes to paid features or tiers: N/A.
  • [x] Transparency changes: No changes.
  • [x] First draft of test plan added. Not needed for research story.
  • [x] Other reference documentation changes: No changes.
  • [x] Once shipped, requester has been notified. No need to notify anyone as it's research only.
  • [x] Once shipped, dogfooding issue has been filed. No need for dogfooding, as we won't release anything.

Engineering

  • [ ] Test plan is finalized
  • [ ] Contributor API changes: TODO
  • [ ] Feature guide changes: TODO
  • [ ] Database schema migrations: TODO
  • [ ] Load testing: TODO

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

  • Requires load testing: TODO
  • Risk level: Low / High TODO
  • Risk description: TODO

Test plan

Make sure to go through the list and consider all events that might be related to this story, so we catch edge cases earlier.

  1. Step 1
  2. Step 2
  3. Step 3

Testing notes

Confirmation

  1. [ ] Engineer: Added comment to user story confirming successful completion of test plan.
  2. [ ] QA: Added comment to user story confirming successful completion of test plan.

marko-lisica avatar Mar 21 '25 14:03 marko-lisica

Hey @georgekarrv, we filed a research story that we should work on next sprint, to investigate what it takes to implement Apple user based enrollment. In this sprint we're designing #27390 which is air-guitar story (we won't release this in the next sprint). This air-guitar should serve as reference for this research story.

I'm moving it to ready to spec column

marko-lisica avatar Mar 25 '25 17:03 marko-lisica

Hey @georgekarrv just a reminder that this story and the following stories are ready to spec. Several of them have been in "Ready to spec" for over 1 week.

Can you please work with the team to fill out the Engineering TODOs so we can estimate them?

  • #27386
  • #26822
  • #24119
  • #26016
  • #26688
  • #26169

More generally, we want to estimate stories as soon as possible. This way @marko-lisica and I know when to stop drafting and work on other things: https://fleetdm.com/handbook/product-design#drafting:~:text=Each%20product%20group%20stops%20drafting%20once%20they%20reach%20engineering%20capacity%20for%20the%20upcoming%20engineering%20sprint.%20This%20way%2C%20we%20avoid%20creating%20a%20backlog%20which%20causes%20us%20to%20spend%20time%20updating%20soon%2Dto%2Dbe%20stale%20designs.

noahtalerman avatar Mar 27 '25 13:03 noahtalerman

Hey @georgekarrv just a reminder that this story and the following stories are ready to spec.

Can you please work with the team to fill out the Engineering TODOs and move them to "Ready to estimate" so we can estimate them tomorrow?

  • #27386
  • #26822
  • #24119
  • #26016
  • #26688
  • #26169

cc @lukeheath @marko-lisica

noahtalerman avatar Apr 01 '25 13:04 noahtalerman

@noahtalerman Apologies, will have these specced by Monday for an extra estimation session.

georgekarrv avatar Apr 02 '25 17:04 georgekarrv

Rough plan.

  1. Create a Managed Apple ID (or use existing ABM account)
  2. Assign user to an MDM server (like default server for User Enrollment; need admin access?)
  3. Initiate enrollment flow: Settings > General > VPN & Device Management > Sign in with Managed Apple ID
  4. Update MDM profile with EnrollmentMode = BYOD
  5. Ensure that SCEP works as before, and no changes are needed there.
  6. Do we need user-specific APNs topic?
  7. Do we now need to maintain user-specific device records?
  8. Make sure unenrollment works.

Questions:

  • Only iOS/iPadOS?

getvictor avatar Apr 09 '25 15:04 getvictor

I'm leaving this here for safekeeping. @getvictor:

Let me know if there is anything else you'd like me to look into for this POC. Design questions:

  • Which Fleet team will the enrolling device be assigned to?
  • Will we identify account-driven user enrolled devices in Fleet somehow?
  • Do we need to allow user-scoped configuration profiles for all Apple devices first? Currently we only support system/device-scoped.
  • What is the typical usecase -- what kinds of profiles and apps will IT load on the device?

marko-lisica avatar Apr 30 '25 08:04 marko-lisica

Apple enrollment blooms, Easier contributions, Fleet sails on smooth winds.

fleet-release avatar May 23 '25 12:05 fleet-release

Apple user sign-up, Fleet's research charts the path, Ease in every step.

fleet-release avatar May 27 '25 13:05 fleet-release