GitOps & API design: Add multiple Apple Business Manager and Volume Purchasing Program connections

[noahtalerman]

GitOps and API changes for the following story:

• Add multiple Apple Business Manager and Volume Purchasing Program connections #9956

DONE:

• Contributor API endpoints to support best practice GitOps (fleetctl gitops) and backwards compatibility GitOps (fleetctl apply)
  • GitOps & API design: Add multiple Apple Business Manager and Volume Purchasing Program connections #21043 (comment)

[noahtalerman]

Dev note

Maintain support for the old apple_bm_default_team. If there's only one ABM token, this value populates the macos_team for the one ABM team.

When the user upgrades, set the new organization_name.macos_team to the value for the apple_bm_default_team.

If the user sets apple_bm_default_team and organization_name at the same time or they set apple_bm_default_team when there are more than one ABM tokens, return the following error:

"mdm.apple_bm_default_team has been deprecated. Please use the new mdm.apple_business_manager key documented here: https://fleetdm.com/learn-more-about/apple-business-manager-gitops"

[noahtalerman]

Redirect for the URL in the error message is here: https://github.com/fleetdm/fleet/pull/21043/files#diff-0c6120927d3e65309562b5b15b261d3298d05fcb0ff18e5b6512ee683b7ad6b3R533

[noahtalerman]

Dev note

Deprecate the apple_bm_default_team, apple_bm_terms_expired, apple_bm_enabled_and_configured flags (and remove them from docs) but support them for backwards compatibility.

What does support them mean?

• apple_bm_default_team - If there's only one ABM token, during migration, this value populates the macos_team, ios_team, and ipados_team for the one ABM token. If there are more than one ABM tokens and the user tries to set apple_bm_default_team, return the following error: "mdm.apple_bm_default_team has been deprecated. Please use the new endpoint documented here: https://fleetdm.com/learn-more-about/apple-business-manager-teams-api"
• apple_bm_terms_expired - set to true is there's one or more ABM tokens w/ terms expired
• apple_bm_enabled_and_configured- set to true is there's one or more ABM tokens

[noahtalerman]

Website redirect for the error message is added here: https://github.com/fleetdm/fleet/pull/21043/files#diff-0c6120927d3e65309562b5b15b261d3298d05fcb0ff18e5b6512ee683b7ad6b3R533

[noahtalerman]

Dev note

If the user tries to add a team that doesn't exist, show the following error:

Couldn't edit org_settings.mdm.volume_purchasing_program. "💻 Workstations" team doesn't exist.

[noahtalerman]

QA note

The above error will likely happen when a user changes a team's name via GitOps but forgets to update the team name here.

[noahtalerman]

Dev note

If the user tries to add a team that already has a VPP token, show the following error:

Couldn't edit org_settings.mdm.volume_purchasing_program. "💻 Workstations" team already has a VPP token.  Each team can only have on VPP token.

[noahtalerman]

Hey @roperzh, now that a new VPP token doesn't have any teams by default (instead of "All team") how do you think the user should specify "All teams" via GitOps?

Could we make it so empty teams for a VPP token means it's available for "All teams." And once, the user adds a second VPP token we error and say you have to assign specific teams.

[roperzh]

Hey @noahtalerman that makes sense, the only gotcha I see is how would you define "no team"?

[noahtalerman]

I think they would specify "No team" which is a special, reserved team name in Fleet.

That made me wonder, what happens if I create a team w/ "No team" name in Fleet...

It actually breaks the team. And so does naming a team "All teams." Filed a bug for this here: #21264

[noahtalerman]

@roperzh I think we want to add the reserved "All teams" and "No teams" teams as part of this story.

This way, the IT admin can specify these here in GitOps.

I think let's track this effort as part of the bug: #21264

What do you think?

Feedback addressed

[noahtalerman]

@rachaelshaw please feel free to merge when the API doc changes look good to go!

Thank you for the review.

[jahzielv]

@noahtalerman

I would say for consistency's sake (we do return a similar error from the GET /api/latest/fleet/abm endpoint if there are > 1 ABM tokens) we should add this error.

Having a global default team doesn't seem make sense anymore now that we allow multiple tokens.

I can create a released bug if that works to track this?

[noahtalerman]

I would say for consistency's sake (we do return a similar error from the GET /api/latest/fleet/abm endpoint if there are > 1 ABM tokens) we should add this error.

Having a global default team doesn't seem make sense anymore now that we allow multiple tokens.

I can create a released bug if that works to track this?

@jahzielv sounds good! Thanks for following up.

[noahtalerman]

@lukeheath please feel free to merge this PR is the changes look good to you!

These reference docs are for the already released "Add multiple Apple Business Manager and Volume Purchasing Program connections" (#9956) story.

[lukeheath]

@noahtalerman Thanks! Our goal is publish doc changes at the same time as the release. Let's evaluate this issue history together to determine where we need to improve process.

[jahzielv]

@noahtalerman sorry for the delay! Bug created for the missing error here: #22359