Skip to content

GitOps & API design: Add multiple Apple Business Manager and Volume Purchasing Program connections #21043

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 54 commits into from
Sep 20, 2024
Merged

GitOps & API design: Add multiple Apple Business Manager and Volume Purchasing Program connections #21043

Show file tree
Hide file tree
Changes from 4 commits
Commits
Show all changes
54 commits
Select commit Hold shift + click to select a range
601fddc
Add GitOps
noahtalerman Aug 5, 2024
1dcc0be
Add API
noahtalerman Aug 5, 2024
efc85f9
Add comment
noahtalerman Aug 5, 2024
39af40a
Update API
noahtalerman Aug 5, 2024
65419c6
Add redirects for error messages
noahtalerman Aug 5, 2024
4e693e3
Add API errors for transfer
noahtalerman Aug 6, 2024
01286bd
Remove apple_bm from docs
noahtalerman Aug 6, 2024
b34628b
/tokens
noahtalerman Aug 6, 2024
42d5dbd
Update routes.js
noahtalerman Aug 6, 2024
047b86c
_tokens
noahtalerman Aug 6, 2024
bc04aff
Merge branch 'gitops-and-api-9956' of github.com:fleetdm/fleet into g…
noahtalerman Aug 6, 2024
bd9b301
Add contributor endpoints
noahtalerman Aug 6, 2024
2fec90f
Add ID
noahtalerman Aug 6, 2024
88291f6
No apostrophe
noahtalerman Aug 6, 2024
180387e
Allow transfer
noahtalerman Aug 8, 2024
c8c768f
Allow transfer
noahtalerman Aug 8, 2024
124cf80
Add redirect
noahtalerman Aug 8, 2024
ce8f43f
Fix redirect
noahtalerman Aug 8, 2024
c782051
Add response payload to Add ABM token
mna Aug 14, 2024
215cf3c
Update docs/Contributing/API-for-contributors.md
noahtalerman Aug 16, 2024
361c12a
Remove terms_expired copy pasta
noahtalerman Aug 17, 2024
37dcf5f
Update API-for-contributors.md
marko-lisica Aug 19, 2024
4c56553
Update API-for-contributors.md
marko-lisica Aug 19, 2024
1833cca
Update API-for-contributors.md
marko-lisica Aug 19, 2024
855ddde
Update docs/REST API/rest-api.md
marko-lisica Aug 22, 2024
33e0b09
Update docs/REST API/rest-api.md
marko-lisica Aug 22, 2024
6f5ccb4
Update rest-api.md
marko-lisica Aug 22, 2024
50872a1
Update docs/Contributing/API-for-contributors.md
noahtalerman Aug 28, 2024
03bfdb1
Update docs/Contributing/API-for-contributors.md
marko-lisica Aug 30, 2024
3b896b9
Tokens and merge in main
noahtalerman Sep 9, 2024
c05e170
Merge branch 'main' into gitops-and-api-9956
noahtalerman Sep 10, 2024
d6caa89
Update docs/Configuration/yaml-files.md
rachaelshaw Sep 10, 2024
86ca325
Update docs/Configuration/yaml-files.md
rachaelshaw Sep 10, 2024
d6c745d
Merge branch 'main' into gitops-and-api-9956
noahtalerman Sep 11, 2024
2a2a90d
Update docs/Configuration/yaml-files.md
rachaelshaw Sep 11, 2024
2936396
Update docs/Configuration/yaml-files.md
rachaelshaw Sep 11, 2024
37de18e
Resolve conflicts
noahtalerman Sep 18, 2024
ff93190
Merge branch 'main' into gitops-and-api-9956
noahtalerman Sep 19, 2024
a748baa
Update docs/Configuration/yaml-files.md
rachaelshaw Sep 19, 2024
ba94f64
Update docs/Contributing/API-for-contributors.md
noahtalerman Sep 19, 2024
9617e26
Update docs/Contributing/API-for-contributors.md
noahtalerman Sep 19, 2024
1d38e18
Update docs/Contributing/API-for-contributors.md
noahtalerman Sep 19, 2024
25f2564
Update docs/Contributing/API-for-contributors.md
noahtalerman Sep 19, 2024
9d21712
Update docs/Contributing/API-for-contributors.md
noahtalerman Sep 19, 2024
8dbd1ab
Update docs/REST API/rest-api.md
noahtalerman Sep 19, 2024
0e02bb6
Update docs/REST API/rest-api.md
noahtalerman Sep 19, 2024
282b1f1
Update docs/REST API/rest-api.md
noahtalerman Sep 19, 2024
eebd60c
Update docs/REST API/rest-api.md
noahtalerman Sep 19, 2024
d344445
Update docs/REST API/rest-api.md
noahtalerman Sep 19, 2024
f4e3b91
Update docs/REST API/rest-api.md
noahtalerman Sep 19, 2024
f50496d
Update docs/REST API/rest-api.md
noahtalerman Sep 19, 2024
49a3ea0
Merge branch 'main' into gitops-and-api-9956
noahtalerman Sep 19, 2024
40c52c1
Update docs/Contributing/API-for-contributors.md
rachaelshaw Sep 19, 2024
cadf2db
Merge branch 'main' into gitops-and-api-9956
noahtalerman Sep 19, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
67 changes: 54 additions & 13 deletions docs/REST API/rest-api.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1163,8 +1163,8 @@ Modifies the Fleet's configuration with the supplied information.
},
"mdm": {
"apple_bm_default_team": "",
"apple_bm_terms_expired": false,
"apple_bm_enabled_and_configured": false,
"apple_bm_terms_expired": false, # set to true is there's one or more Apple Business Manager connections w/ terms expired
"apple_bm_enabled_and_configured": false, # set to true is there's one or more Apple Business Manager connections
"enabled_and_configured": false,
"windows_enabled_and_configured": false,
"enable_disk_encryption": true,
Expand Down Expand Up @@ -6349,7 +6349,8 @@ This endpoint returns the list of custom MDM commands that have been executed.
## Integrations

- [Get Apple Push Notification service (APNs)](#get-apple-push-notification-service-apns)
- [Get Apple Business Manager (ABM)](#get-apple-business-manager-abm)
- [List Apple Business Manager (ABM) connections](#list-apple-business-manager-abm-connections)
- [List Volume Purchasing Program (VPP) connections](#list-volume-purchasing-program-vpp-connections)

### Get Apple Push Notification service (APNs)

Expand All @@ -6376,32 +6377,72 @@ None.
}
```

### Get Apple Business Manager (ABM)
### List Apple Business Manager (ABM) connections

_Available in Fleet Premium_

`GET /api/v1/fleet/abm`
`GET /api/v1/fleet/apple_business_manager`

#### Parameters

None.

#### Example

`GET /api/v1/fleet/abm`
`GET /api/v1/fleet/apple_business_manager`

##### Default response

`Status: 200`

```json
{
"apple_id": "apple@example.com",
"org_name": "Fleet Device Management",
"mdm_server_url": "https://example.com/mdm/apple/mdm",
"renew_date": "2023-11-29T00:00:00Z",
"default_team": ""
}
[
{
"apple_id": "apple@example.com",
"org_name": "Fleet Device Management Inc.",
"mdm_server_url": "https://example.com/mdm/apple/mdm",
"renew_date": "2023-11-29T00:00:00Z",
"terms_expired": false,
"macos_team": "💻 Workstations",
"ios_team": "📱🏢 Company-owned iPhones",
"ipados_team": "🔳🏢 Company-owned iPads"
}
]
```

### List Volume Purchasing Program (VPP) connections

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Dev

Let's break the existing GET /vpp endpoint. It's tagged as experimental: https://github.com/fleetdm/fleet/pull/19291/files#diff-7246bc304b15c8865ed8eaa205e9c244d0a0314e4bae60cf553dc06147c38b64R6395

_Available in Fleet Premium_

`GET /api/v1/fleet/volume_purchasing_program`

#### Parameters

None.

#### Example

`GET /api/v1/fleet/volume_purchasing_program`

##### Default response

`Status: 200`

```json
[
{
"org_name": "Fleet Device Management Inc.",
"location": "https://example.com/mdm/apple/mdm",
"renew_date": "2023-11-29T00:00:00Z",
"terms_expired": false,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@noahtalerman, what does terms_expired mean in the context of VPP tokens? I thought terms renewal was just related to ABM tokens?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

VPP doesn't have such a concept, I think it's a copy 🍝

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Correct! It's some copy pasta. Great catch. I removed terms_expired from this endpoint.

That said, do we know if VPP breaks when ABM terms are expired? I think let's test that so that we know if we have to surface this in the UI.

cc @PezHub

"teams": [
"💻 Workstations",
"💻🐣 Workstations (canary)",
"📱🏢 Company-owned iPhones",
"🔳🏢 Company-owned iPads"
],
}
]
```

---
Expand Down
34 changes: 31 additions & 3 deletions docs/Using Fleet/GitOps.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -569,16 +569,44 @@ Can only be configured for all teams (`org_settings`).

#### mdm

The `mdm` section lets you enable MDM features in Fleet.
##### apple_business_manager

- `apple_bm_default_team` - is name of the team that macOS hosts in Apple Business Manager automatically enroll to when they're first set up. If empty, hosts will enroll to "No team" (default: `""`).
- `organization_name` - is the organziation name associated with the Apple Business Manager account.
- `macos_team` - macOS hosts are automatically added to this team in Fleet when they appear in Apple Business Manager.
- `ios_team` - iOS hosts are automatically added to this team in Fleet when they appear in Apple Business Manager.
- `ipados_team` - iPadOS hosts are automatically added to this team in Fleet when they appear in Apple Business Manager.

##### Example

```yaml
org_settings:
mdm:
apple_bm_default_team: "Workstations" # Available in Fleet Premium
apple_business_manager: # Available in Fleet Premium
Copy link
Member Author

@noahtalerman noahtalerman Aug 5, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Dev note

Maintain support for the old apple_bm_default_team. If there's only one ABM token, this value populates the macos_team for the one ABM team.

When the user upgrades, set the new organization_name.macos_team to the value for the apple_bm_default_team.

If the user sets apple_bm_default_team and organization_name at the same time or they set apple_bm_default_team when there are more than one ABM tokens, return the following error:

"mdm.apple_bm_default_team has been deprecated. Please use the new mdm.apple_business_manager key documented here: https://fleetdm.com/learn-more-about/apple-business-manager-gitops"

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Redirect for the URL in the error message is here: https://github.com/fleetdm/fleet/pull/21043/files#diff-0c6120927d3e65309562b5b15b261d3298d05fcb0ff18e5b6512ee683b7ad6b3R533

- organization_name: Fleet Device Management Inc.
macos_team: "💻 Workstations"
ios_team: "📱🏢 Company-owned iPhones"
ipados_team: "🔳🏢 Company-owned iPads"
```

Can only be configured for all teams (`org_settings`).

##### volume_purchasing_program

- `location` - is the name of the location in the Apple Business Manager account.
- `teams` - is a list of team names. If you choose specific teams, App Store apps in this VPP account will only be available to install on hosts in these teams. If not specified, App Store apps are available to install on hosts in all teams.

##### Example

```yaml
org_settings:
mdm:
volume_purchasing_program: # Available in Fleet Premium
- location: Fleet Device Management Inc.
teams:
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Dev note

If the user tries to add a team that doesn't exist, show the following error:

Couldn't edit org_settings.mdm.volume_purchasing_program. "💻 Workstations" team doesn't exist.

Copy link
Member Author

@noahtalerman noahtalerman Aug 6, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

QA note

The above error will likely happen when a user changes a team's name via GitOps but forgets to update the team name here.

Copy link
Member Author

@noahtalerman noahtalerman Aug 9, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Dev note

If the user tries to add a team that already has a VPP token, show the following error:

Couldn't edit org_settings.mdm.volume_purchasing_program. "💻 Workstations" team already has a VPP token.  Each team can only have on VPP token.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey @roperzh, now that a new VPP token doesn't have any teams by default (instead of "All team") how do you think the user should specify "All teams" via GitOps?

Could we make it so empty teams for a VPP token means it's available for "All teams." And once, the user adds a second VPP token we error and say you have to assign specific teams.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey @noahtalerman that makes sense, the only gotcha I see is how would you define "no team"?

Copy link
Member Author

@noahtalerman noahtalerman Aug 12, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think they would specify "No team" which is a special, reserved team name in Fleet.

That made me wonder, what happens if I create a team w/ "No team" name in Fleet...

It actually breaks the team. And so does naming a team "All teams." Filed a bug for this here: #21264

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@roperzh I think we want to add the reserved "All teams" and "No teams" teams as part of this story.

This way, the IT admin can specify these here in GitOps.

I think let's track this effort as part of the bug: #21264

What do you think?

- "💻 Workstations"
- "💻🐣 Workstations (canary)"
- "📱🏢 Company-owned iPhones"
- "🔳🏢 Company-owned iPads"
```

Can only be configured for all teams (`org_settings`).
Expand Down
Loading