Install software and run setup script when Macs boot

[dherder]

Goal

User story
As a Client Platform Engineer (aka IT admin),
I want to block the end user's screen while installing software and running a script after the end user completes macOS Setup Assistant
so that I can enforce required configuration before the end user can click around on their desktop.

Auto-install productivity apps when Macs boot.

Context

• Product designer: @randy-fleet

Changes

Product

• [ ] UI changes: Figma
• [ ] Changes to paid features or tiers: Only available in Fleet Premium
• [ ] Permissions changes: PR is here

Engineering

• [ ] WIP specs: https://github.com/fleetdm/fleet/compare/main...george-temp
• [ ] YAML changes: PR is here
• [ ] REST API changes: #22650
• [ ] Feature guide changes: Add the new features to this guide: https://fleetdm.com/guides/macos-setup-experience#macos-setup-assistant
• [ ] Database schema migrations: TODO
• [ ] Load testing: TODO

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

• Requires load testing: TODO
• Risk level: Low / High TODO
• Risk description: TODO

Manual testing steps

1. Step 1
2. Step 2
3. Step 3

Testing notes

Confirmation

1. [ ] Engineer (@____): Added comment to user story confirming successful completion of QA.
2. [ ] QA (@____): Added comment to user story confirming successful completion of QA.

[noahtalerman]

Hey @dherder heads up, I updated the issue to user story format and moved your original issue description here for safekeeping:

Problem

As an IT admin, I have the option to use several different tools to provide an amazing end user experience when my end user first opens their macOS laptop on provisioning. Some of these tools are open source (DEPNotify, SwiftDialog) and some are commercially available (Kandji liftoff). Instead of having to configure a separate tool, I would like to leverage the Fleet Desktop to handle the onboarding experience of my end users.

[dherder]

@noahtalerman the new description for this issue doesn't match what the original intent (or the title) describes.

[noahtalerman]

the new description for this issue doesn't match what the original intent (or the title) describes.

Hey @dherder I think you saw a temporary placeholder. How does the user story look now?

[randy-fleet]

Questions during discovery:

• Do we need to freeze the device until this is finished, or can users use other apps/etc while this is happening. Security apps might need to block being able to use other apps during download.

• Browsers are closable, so might be an issue. Can we freeze safari?

• Should probably use MacOS Dialog Component: https://github.com/swiftDialog/swiftDialog. Update: It's actually the Window component: https://developer.apple.com/documentation/SwiftUI/WindowStyle

• Apple business manager is the trigger to connect to Fleet. What happens next? Ask Eng about when policies run/trigger, while opening a new mac... When do the queries happen? Immediate, or does it take a little while?

• Will use Policy triggers to run scripts in the future.

• Q: Is there any need to navigate to (or bring up) "My Device" page?

[noahtalerman]

Thanks @randy-fleet!

Will use Policy triggers to run scripts in the future.

To expand on this, soon, policies in Fleet will trigger software install. Here's the user story for this: #19551

Soon, policies in Fleet will trigger script runs: #17129

This means that, in the next iteration of this "show progress on new Macs" feature, Fleet will add the ability to "Run and show script progress on new Macs." This will allow IT admins to enforce configuration, using scripts, right when the end user hits their macOS desktop for the first time.

[noahtalerman]

Do we need to freeze the device until this is finished, or can users use other apps/etc while this is happening

Hey @randy-fleet I think let's go w/ freeze the device until finished. This is prospect-numa's desired behavior. Check out this Gong snippet here (internal) for more background.

in the next iteration of this "show progress on new Macs" feature, Fleet will add the ability to "Run and show script progress on new Macs."

@randy-fleet after we chatted and I watched more of that Gong I linked to above, I we do want to design this feature to show scripts AND software. I updated the title and user story.

Running and showing scripts is prospect-numa requirement.

Since we think that showing scripts will require #17129, I think we want to consider finding room to design it this sprint and build it next sprint. I'll chat w/ @lukeheath during our 1:1 see how we can make this happen.

[noahtalerman]

During design review today we decided to cut the scope of this feature to match exactly mission critical Apple MDM parity.

In this iteration, we'll block the end user with a simple message while software is installing and scripts are running. After software is installed and scripts run, the end user sees a simple message and is allowed to continue.

This frees up more time to work on other mission critical Apple MDM parity features.

In later iterations, we'll show progress of individual software installation and scripts runs. Check this out in Figma here.

cc @dherder @zayhanlon @lukeheath

[noahtalerman]

cc @randy-fleet ^^

[noahtalerman]

@randy-fleet I think we want to make this feature optional and turned off by default. Not all customers will want to hold their end users up.

I think this means that we'll want to add this option (maybe a new tab) to the Setup experience page. This is the area of the UI in which the IT admin configures options for the macOS setup experience:

Since all options are configurable via YAML files, we'll also want to add this option in Fleet's YAML files so organizations that use GitOps can configure the option.

Since I think it's your first time opening a PR for YAML file design, I added an item to our 1:1 to do this together.

[noahtalerman]

Hey @dherder and @zayhanlon, heads up this didn't make the 3 week drafting timeline. We left it on the drafting board.

@lukeheath I think we want to bring this one through expedited drafting so that we can start working on it in the upcoming engineering sprint.

[iansltx]

Is this blocked on any part of #17129? Asking so I can e.g. cut an API or GitOps path sooner rather than later if I'm going to wind up blocking, as I'm working on that functionality.

[iansltx]

Also, this seems like it got moved to In Review erroneously by an automation, where it should still be Ready, as subtasks haven't been defined yet etc.

[noahtalerman]

@georgekarrv, @lukeheath, and I decided to make the following changes in this iteration to simplify the user story so that we can move faster:

• We won't automatically create and use policies to trigger software installs and script run. We want control over timing: software is installed in alphanumeric order and then script is run.
• Setup script is a separate setup. Doesn’t show up in the scripts library

Summary of changes and what's to come in future iteration are in the Loom here.

cc @randy-fleet @dherder @zayhanlon

[noahtalerman]

Hey @georgekarrv it looks like y'all pulled this user story (and subtasks) onto the release board.

So, I pulled the story and subtasks off of the drafting board (:product).

Please feel free to add them back to drafting if I jumped the gun.

[georgekarrv]

Yes our estimation got interrupted so I left it on product till we finished estimating but that happened async. Thanks

[noahtalerman]

• [ ] Changes to paid features or tiers: Only available in Fleet Premium
• [ ] Permissions changes: PR is here

• [ ] Feature guide changes: Add the new features to this guide: https://fleetdm.com/guides/macos-setup-experience#macos-setup-assistant

Hey @georgekarrv I updated these checkboxes in the issue description b/c I noticed they were empty :)

• [ ] REST API changes: TODO: Specify changes in the the REST API doc page as a PR to reference docs release branch. Put "No changes" if there are no changes necessary. Move this item to the engineering list below if engineering will design the API changes.

~~When you get the chance, can you please open a PR for the API changes?~~

~~Please let us know if you could use some help from a Product Designer. We have the capacity to take this.~~

UPDATE: Bringing the "who will take API docs PR?" discussion to design review today (noahtalerman)

cc @marko-lisica @roperzh @gillespi314 @dantecatalfamo @ghernandez345

[noahtalerman]

Hey @marko-lisica and @jahzielv I took a look at the updated copy and made some suggested tweaks.

Also, if we have the time, it would be awesome if we can add a GIF for the end user experience like we have on other tabs.

Summary is in the Loom here.

[mna]

QA notes (@PezHub ): note that all device release will now go through that swift dialog during ADE setup, so it should be tested both with and without software to install/script to execute, with and without manual release enabled (in which case the device will not be released until a manual DeviceConfigured command is sent to the host).

[marko-lisica]

Hey @jahzielv, regarding our discussion about how Zoom opens dialog over Setup Assistant when installed during ADE (DEP) workflow, I found in Mac Admins Slack that when using Zoom for IT admins it doesn't open dialog automatically after install. I tested this on my Mac and it works without any pop ups.

AFAIK there's no configuration options that can be used for regular Zoom installer downloaded here. When adding Fleet-maintained app user gets regular installer.

@noahtalerman I think we should change Hombrew cask that we use for Zoom, and use Zoom for IT instead: https://formulae.brew.sh/cask/zoom-for-it-admins ?

[mna]

Another QA note (@PezHub ): for the CLI, there is a (released) bug that prevents setting VPP apps to the "No team" team via gitops, and so this bug prevents us from adding Setup experience VPP software to "No team". I noted it here: https://github.com/fleetdm/fleet/pull/22956#issuecomment-2430210445, there's a ticket that tracks the bug.

[noahtalerman]

@noahtalerman I think we should change Hombrew cask that we use for Zoom, and use Zoom for IT instead: https://formulae.brew.sh/cask/zoom-for-it-admins ?

@marko-lisica I think up to you. Do you think it should be a part of this story or should we file a separate issue? (bug or user story)

[marko-lisica]

@noahtalerman I think it should be a separate story. I'll file a feature request. It works as it is, so this will be a slight improvement for the end user experience.

[PezHub]

QA Notes:

UI testing is complete as is GitOps workflow. Performed some end-to-end testing while pairing with Jahziel using his local config to get Setup Experience to run on the host. Since this feature requires a new version of Fleetd, I will wait for 1.35 to move from edge to stable so that I can test again in both my local instance and dogfood.

*All unreleased bugs have been resolved as of this comment

[PezHub]

Completed end to end testing and things are looking good. Comprehensive QA checlist is above in the description.

[noahtalerman]

Hey @zayhanlon this user story shipped in 4.59.

Leaving the user story open until we update the pricing page and file a follow up feature request for activity feed (audit log) changes.

[noahtalerman]

TODO: @marko-lisica: See if there's a spot that makes sense to call out this feature on the pricing page. Does it deserve it's own row?

TODO: @marko-lisica: Check if we shipped any activity feed changes. If not, let's file a follow up feature request to add those.

Hey @marko-lisica, just giving you a ping! as a reminder for these TODOs

[noahtalerman]

TODO: @marko-lisica: See if there's a spot that makes sense to call out this feature on the pricing page. Does it deserve it's own row?

TODO: @marko-lisica: Check if we shipped any activity feed changes. If not, let's file a follow up feature request to add those.

Hey @marko-lisica can you please prioritize these TODOs that we can close this user story? Thanks!

[marko-lisica]

Thanks for the ping @noahtalerman. I just checked and we have Zero-touch setup row in pricing table. I think that covers this, and it's linked to MDM setup experience guide which mentions software and scripts.

[marko-lisica]

Changes to paid features or tiers: Only available in Fleet Premium. It's covered by Zero-touch setup in pricing table.

@noahtalerman I updated "Changes to paid features", since I think it's already covered by "Zero-touch" row. Could you let me know if you think it's not enough?

Activity changes: TODO: @marko-lisica: Check if we shipped any activity feed changes. If not, let's file a follow up feature request to add those.

Regarding activities, I checked and we didn't specify any activity. I filed FR: #23907.

[noahtalerman]

I just checked and we have Zero-touch setup row in pricing table. I think that covers this, and it's linked to MDM setup experience guide which mentions software and scripts.

Nice! Agreed "Zero-touch" covers this.

I checked and we didn't specify any activity. I filed FR: https://github.com/fleetdm/fleet/issues/23907.

Thanks! Linked to this FR in the issue description.

Closing this story.