Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

GitOps & API design: Add multiple Apple Business Manager and Volume Purchasing Program connections #21043

Merged
merged 54 commits into from
Sep 20, 2024
Merged

GitOps & API design: Add multiple Apple Business Manager and Volume Purchasing Program connections #21043

Show file tree
Hide file tree
Changes from 52 commits
Commits
Show all changes
54 commits
Select commit Hold shift + click to select a range
601fddc
Add GitOps
noahtalerman Aug 5, 2024
1dcc0be
Add API
noahtalerman Aug 5, 2024
efc85f9
Add comment
noahtalerman Aug 5, 2024
39af40a
Update API
noahtalerman Aug 5, 2024
65419c6
Add redirects for error messages
noahtalerman Aug 5, 2024
4e693e3
Add API errors for transfer
noahtalerman Aug 6, 2024
01286bd
Remove apple_bm from docs
noahtalerman Aug 6, 2024
b34628b
/tokens
noahtalerman Aug 6, 2024
42d5dbd
Update routes.js
noahtalerman Aug 6, 2024
047b86c
_tokens
noahtalerman Aug 6, 2024
bc04aff
Merge branch 'gitops-and-api-9956' of github.com:fleetdm/fleet into g…
noahtalerman Aug 6, 2024
bd9b301
Add contributor endpoints
noahtalerman Aug 6, 2024
2fec90f
Add ID
noahtalerman Aug 6, 2024
88291f6
No apostrophe
noahtalerman Aug 6, 2024
180387e
Allow transfer
noahtalerman Aug 8, 2024
c8c768f
Allow transfer
noahtalerman Aug 8, 2024
124cf80
Add redirect
noahtalerman Aug 8, 2024
ce8f43f
Fix redirect
noahtalerman Aug 8, 2024
c782051
Add response payload to Add ABM token
mna Aug 14, 2024
215cf3c
Update docs/Contributing/API-for-contributors.md
noahtalerman Aug 16, 2024
361c12a
Remove terms_expired copy pasta
noahtalerman Aug 17, 2024
37dcf5f
Update API-for-contributors.md
marko-lisica Aug 19, 2024
4c56553
Update API-for-contributors.md
marko-lisica Aug 19, 2024
1833cca
Update API-for-contributors.md
marko-lisica Aug 19, 2024
855ddde
Update docs/REST API/rest-api.md
marko-lisica Aug 22, 2024
33e0b09
Update docs/REST API/rest-api.md
marko-lisica Aug 22, 2024
6f5ccb4
Update rest-api.md
marko-lisica Aug 22, 2024
50872a1
Update docs/Contributing/API-for-contributors.md
noahtalerman Aug 28, 2024
03bfdb1
Update docs/Contributing/API-for-contributors.md
marko-lisica Aug 30, 2024
3b896b9
Tokens and merge in main
noahtalerman Sep 9, 2024
c05e170
Merge branch 'main' into gitops-and-api-9956
noahtalerman Sep 10, 2024
d6caa89
Update docs/Configuration/yaml-files.md
rachaelshaw Sep 10, 2024
86ca325
Update docs/Configuration/yaml-files.md
rachaelshaw Sep 10, 2024
d6c745d
Merge branch 'main' into gitops-and-api-9956
noahtalerman Sep 11, 2024
2a2a90d
Update docs/Configuration/yaml-files.md
rachaelshaw Sep 11, 2024
2936396
Update docs/Configuration/yaml-files.md
rachaelshaw Sep 11, 2024
37de18e
Resolve conflicts
noahtalerman Sep 18, 2024
ff93190
Merge branch 'main' into gitops-and-api-9956
noahtalerman Sep 19, 2024
a748baa
Update docs/Configuration/yaml-files.md
rachaelshaw Sep 19, 2024
ba94f64
Update docs/Contributing/API-for-contributors.md
noahtalerman Sep 19, 2024
9617e26
Update docs/Contributing/API-for-contributors.md
noahtalerman Sep 19, 2024
1d38e18
Update docs/Contributing/API-for-contributors.md
noahtalerman Sep 19, 2024
25f2564
Update docs/Contributing/API-for-contributors.md
noahtalerman Sep 19, 2024
9d21712
Update docs/Contributing/API-for-contributors.md
noahtalerman Sep 19, 2024
8dbd1ab
Update docs/REST API/rest-api.md
noahtalerman Sep 19, 2024
0e02bb6
Update docs/REST API/rest-api.md
noahtalerman Sep 19, 2024
282b1f1
Update docs/REST API/rest-api.md
noahtalerman Sep 19, 2024
eebd60c
Update docs/REST API/rest-api.md
noahtalerman Sep 19, 2024
d344445
Update docs/REST API/rest-api.md
noahtalerman Sep 19, 2024
f4e3b91
Update docs/REST API/rest-api.md
noahtalerman Sep 19, 2024
f50496d
Update docs/REST API/rest-api.md
noahtalerman Sep 19, 2024
49a3ea0
Merge branch 'main' into gitops-and-api-9956
noahtalerman Sep 19, 2024
40c52c1
Update docs/Contributing/API-for-contributors.md
rachaelshaw Sep 19, 2024
cadf2db
Merge branch 'main' into gitops-and-api-9956
noahtalerman Sep 19, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
34 changes: 31 additions & 3 deletions docs/Configuration/yaml-files.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -585,16 +585,44 @@ Can only be configured for all teams (`org_settings`).

#### mdm

The `mdm` section lets you enable MDM features in Fleet.
##### apple_business_manager

- `apple_bm_default_team` - is name of the team that macOS hosts in Apple Business Manager automatically enroll to when they're first set up. If empty, hosts will enroll to "No team" (default: `""`).
- `organization_name` is the organization name associated with the Apple Business Manager account.
- `macos_team` is the team where macOS hosts are automatically added when they appear in Apple Business Manager.
- `ios_team` is the the team where iOS hosts are automatically added when they appear in Apple Business Manager.
- `ipados_team` is the team where iPadOS hosts are automatically added when they appear in Apple Business Manager.

##### Example

```yaml
org_settings:
mdm:
apple_bm_default_team: "Workstations" # Available in Fleet Premium
apple_business_manager: # Available in Fleet Premium
- organization_name: Fleet Device Management Inc.
macos_team: "💻 Workstations"
ios_team: "📱🏢 Company-owned iPhones"
ipados_team: "🔳🏢 Company-owned iPads"
```

> Apple Business Manager settings can only be configured for all teams (`org_settings`).

##### volume_purchasing_program

- `location` is the name of the location in the Apple Business Manager account.
- `teams` is a list of team names. If you choose specific teams, App Store apps in this VPP account will only be available to install on hosts in these teams. If not specified, App Store apps are available to install on hosts in all teams.

##### Example

```yaml
org_settings:
mdm:
volume_purchasing_program: # Available in Fleet Premium
- location: Fleet Device Management Inc.
teams:
- "💻 Workstations"
- "💻🐣 Workstations (canary)"
- "📱🏢 Company-owned iPhones"
- "🔳🏢 Company-owned iPads"
```

Can only be configured for all teams (`org_settings`).
Expand Down
282 changes: 273 additions & 9 deletions docs/Contributing/API-for-contributors.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -531,9 +531,15 @@ The MDM endpoints exist to support the related command-line interface sub-comman
- [Generate Apple Business Manager public key (ADE)](#generate-apple-business-manager-public-key-ade)
- [Request Certificate Signing Request (CSR)](#request-certificate-signing-request-csr)
- [Upload APNS certificate](#upload-apns-certificate)
- [Upload ABM Token](#upload-abm-token)
- [Add ABM token](#add-abm-token)
- [Turn off Apple MDM](#turn-off-apple-mdm)
- [Disable automatic enrollment (ADE)](#disable-automatic-enrollment-ade)
- [Update ABM token's teams](#update-abm-tokens-teams)
- [Renew ABM token](#renew-abm-token)
- [Delete ABM token](#delete-abm-token)
- [Add VPP token](#add-VPP-token)
- [Update VPP token's teams](#update-vpp-tokens-teams)
- [Renew VPP token](#renew-vpp-token)
- [Delete VPP token](#delete-vpp-token)
- [Batch-apply MDM custom settings](#batch-apply-mdm-custom-settings)
- [Initiate SSO during DEP enrollment](#initiate-sso-during-dep-enrollment)
- [Complete SSO during DEP enrollment](#complete-sso-during-dep-enrollment)
Expand Down Expand Up @@ -620,9 +626,9 @@ Content-Type: application/octet-stream

`Status: 200`

### Upload ABM Token
### Add ABM token

`POST /api/v1/fleet/mdm/apple/abm_token`
`POST /api/v1/fleet/abm_tokens`
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Dev note

We can break this endpoint and others because they're in the contributor docs.


#### Parameters

Expand All @@ -632,7 +638,7 @@ Content-Type: application/octet-stream

#### Example

`POST /api/v1/fleet/mdm/apple/abm_token`
`POST /api/v1/fleet/abm_tokens`

##### Request header

Expand All @@ -653,11 +659,23 @@ Content-Type: application/octet-stream
--------------------------f02md47480und42y
```


##### Default response
mna marked this conversation as resolved.
Show resolved Hide resolved

`Status: 200`

```json
"abm_token": {
"id": 1,
"apple_id": "apple@example.com",
"org_name": "Fleet Device Management Inc.",
"mdm_server_url": "https://example.com/mdm/apple/mdm",
"renew_date": "2024-10-20T00:00:00Z",
"terms_expired": false,
"macos_team": "",
"ios_team": "",
"ipados_team": ""
rachaelshaw marked this conversation as resolved.
Show resolved Hide resolved
}
```

### Turn off Apple MDM

Expand All @@ -671,19 +689,265 @@ Content-Type: application/octet-stream

`Status: 204`

### Update ABM token's teams

`PATCH /api/v1/fleet/abm_tokens/:id/teams`

### Disable automatic enrollment (ADE)
#### Parameters

`DELETE /api/v1/fleet/mdm/apple/abm_token`
| Name | Type | In | Description |
| ---- | ---- | -- | ----------- |
| id | integer | path | *Required* The ABM token's ID |
| macos_team_id | integer | body | macOS hosts are automatically added to this team in Fleet when they appear in Apple Business Manager. If not specified, defaults to "No team" |
| ios_team_id | integer | body | iOS hosts are automatically added to this team in Fleet when they appear in Apple Business Manager. If not specified, defaults to "No team" |
| ipados_team_id | integer | body | iPadOS hosts are automatically added to this team in Fleet when they appear in Apple Business Manager. If not specified, defaults to "No team" |

#### Example

`DELETE /api/v1/fleet/mdm/apple/abm_token`
`PATCH /api/v1/fleet/abm_tokens/1/teams`

##### Request body

```json
{
"macos_team_id": 1,
"ios_team_id": 2,
"ipados_team_id": 3
}
```

##### Default response

`Status: 200`

```json
"abm_token": {
"id": 1,
"apple_id": "apple@example.com",
"org_name": "Fleet Device Management Inc.",
"mdm_server_url": "https://example.com/mdm/apple/mdm",
"renew_date": "2024-11-29T00:00:00Z",
"terms_expired": false,
"macos_team": 1,
"ios_team": 2,
"ipados_team": 3
}
```

### Renew ABM token

`PATCH /api/v1/fleet/abm_tokens/:id/renew`

This comment was marked as resolved.

Sign in to view

This comment was marked as resolved.

Sign in to view


#### Parameters

| Name | Type | In | Description |
| ---- | ---- | -- | ----------- |
| id | integer | path | *Required* The ABM token's ID |

#### Example

`PATCH /api/v1/fleet/abm_tokens/1/renew`

##### Request header

```http
Content-Length: 850
Content-Type: multipart/form-data; boundary=------------------------f02md47480und42y
```

##### Request body

```http
--------------------------f02md47480und42y
Content-Disposition: form-data; name="token"; filename="server_token_abm.p7m"
Content-Type: application/octet-stream

<TOKEN_DATA>

--------------------------f02md47480und42y
```

##### Default response

`Status: 200`
jahzielv marked this conversation as resolved.
Show resolved Hide resolved

```json
"abm_token": {
"id": 1,
"apple_id": "apple@example.com",
"org_name": "Fleet Device Management Inc.",
"mdm_server_url": "https://example.com/mdm/apple/mdm",
"renew_date": "2025-10-20T00:00:00Z",
"terms_expired": false,
"macos_team": null,
"ios_team": null,
"ipados_team": null
}
```

### Delete ABM token

`DELETE /api/v1/fleet/abm_tokens/:id`

#### Parameters

| Name | Type | In | Description |
| ---- | ---- | -- | ----------- |
| id | integer | path | *Required* The ABM token's ID |

#### Example

`DELETE /api/v1/fleet/abm_tokens/1`

##### Default response

`Status: 204`

### Add VPP token
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Dev note

This is not a whole new endpoint. We added an upload VPP token endpoint as part of #18867: https://github.com/fleetdm/fleet/pull/19291/files#diff-831a63ebb3cab9b4e6b82d803d9ffcdc3722b12d486dcd7b13e9576643bb50b0R874


`POST /api/v1/fleet/vpp_tokens`

#### Parameters

| Name | Type | In | Description |
| ---- | ---- | -- | ----------- |
| token | file | form | *Required* The file containing the content token (.vpptoken) from Apple Business Manager |

#### Example

`POST /api/v1/fleet/vpp_tokens`

##### Request header

```http
Content-Length: 850
Content-Type: multipart/form-data; boundary=------------------------f02md47480und42y
```

##### Request body

```http
--------------------------f02md47480und42y
Content-Disposition: form-data; name="token"; filename="sToken_for_Acme.vpptoken"
Content-Type: application/octet-stream
<TOKEN_DATA>
--------------------------f02md47480und42y
```

##### Default response
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@noahtalerman as for the Add ABM token, I'd suggest returning a payload of the newly created VPP token here (similar to how it gets represented in List VPP tokens), except with teams: null as it doesn't have any association yet :

  {
    "id": 1,
    "org_name": "Fleet Device Management Inc.",
    "location": "https://example.com/mdm/apple/mdm",
    "renew_date": "2023-11-29T00:00:00Z",
    "terms_expired": false,
    "teams": null
  }

If that sounds good to you I can push that update.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That looks good! Please feel free to push that update. cc @dantecatalfamo @marko-lisica

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mna I updated PR to include a payload. I did the same for:

  • PATCH /api/v1/fleet/vpp_tokens/renew/:id
  • PATCH /api/v1/fleet/vpp_tokens/:id/teams

They now include payload (vpp_token details after upload/update). I realized we do this in other endpoints, such as create/update policy or create/update query.


`Status: 200`

Copy link
Member Author

@noahtalerman noahtalerman Aug 9, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Dev note

If the user hits PATCH /vpp_tokens/:id/teams and tries to add a team that already has a VPP token, show the following error:

Error: "💻 Workstations" team already has a VPP token.  Each team can only have on VPP token.

This comment was marked as resolved.

Sign in to view

This comment was marked as resolved.

Sign in to view

This comment was marked as resolved.

Sign in to view

```json
"vpp_token": {
"id": 1,
"org_name": "Fleet Device Management Inc.",
"location": "https://example.com/mdm/apple/mdm",
"renew_date": "2024-10-20T00:00:00Z",
"terms_expired": false,
"teams": null
}
```

### Update VPP token's teams

`PATCH /api/v1/fleet/vpp_tokens/:id/teams`

#### Parameters

| Name | Type | In | Description |
| ---- | ---- | -- | ----------- |
| id | integer | path | *Required* The ABM token's ID |
| team_ids | list | body | If you choose specific teams, App Store apps in this VPP account will only be available to install on hosts in these teams. If not specified, defaults to all teams. |
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note for whoever will work on the VPP API ticket - we decided to limit 1 VPP token to a single team (or "no team" or "all teams") for this release: https://fleetdm.slack.com/archives/C03C41L5YEL/p1723561317435649

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

update: this is incorrect, a VPP token can be assigned to multiple teams but a team can only have 1 VPP token


#### Example

`PATCH /api/v1/fleet/vpp_tokens/1/teams`

##### Request body

```json
{
"team_ids": [1, 2, 3]
Copy link
Member

@georgekarrv georgekarrv Aug 8, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@noahtalerman to patch it back to 'all teams' I think it should be [] thoughts?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice catch. I forgot about all teams.

How do we solve this in existing API endpoints? I think let's be consistent with what we do in other API endpoints. If that's [] then makes sense.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

no team - 0

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

null - not configured

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What about all teams?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of adding another key, can we introduce the convention that passing an empty array for teams means "All teams"? Does that conflict with any of the other endpoints?

Copy link
Member

@dantecatalfamo dantecatalfamo Aug 19, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@noahtalerman In the current iteration we only support one team per VPP token, should we be passing in an array and validating that it only has one element or making a top level team_id integer?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Moving forward with:

  • [0] no team
  • null not configured
  • [1] team 1
  • [1, 2] error, more than one team

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • [1,2] should work

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • [] all teams

}
```

##### Default response

`Status: 200`

```json
"vpp_token": {
"id": 1,
"org_name": "Fleet Device Management Inc.",
"location": "https://example.com/mdm/apple/mdm",
"renew_date": "2024-10-20T00:00:00Z",
"terms_expired": false,
"teams": [1, 2, 3]
}
```

### Renew VPP token

`PATCH /api/v1/fleet/vpp_tokens/:id/renew`

#### Parameters

| Name | Type | In | Description |
| ---- | ---- | -- | ----------- |
| id | integer | path | *Required* The VPP token's ID |

##### Request header

```http
Content-Length: 850
Content-Type: multipart/form-data; boundary=------------------------f02md47480und42y
```

##### Request body

```http
--------------------------f02md47480und42y
Content-Disposition: form-data; name="token"; filename="sToken_for_Acme.vpptoken"
Content-Type: application/octet-stream

<TOKEN_DATA>

--------------------------f02md47480und42y
```

##### Default response

`Status: 200`

```json
"vpp_token": {
"id": 1,
"org_name": "Fleet Device Management Inc.",
"location": "https://example.com/mdm/apple/mdm",
"renew_date": "2025-10-20T00:00:00Z",
"terms_expired": false,
"teams": [1, 2, 3]
}
```

### Delete VPP token

`DELETE /api/v1/fleet/vpp_token/:id`

#### Parameters

| Name | Type | In | Description |
| ---- | ---- | -- | ----------- |
| id | integer | path | *Required* The VPP token's ID |

#### Example

`DELETE /api/v1/fleet/vpp_tokens/1`

##### Default response

`Status: 204`

### Batch-apply MDM custom settings

Expand Down
Loading
Loading