fleetdm
Feature request: Schedule scripts for all hosts that are failing a policy using Fleet's calendar feature.
Problem
As an IT admin, I can not schedule scripts to run on both online/offline hosts during or after a maintenance window when hosts are failing a policy.
Context:
I started wondering if calendar events can be used to queue up scripts whether devices are online or not. (Currently, the calendar webhook only fires for online devices) See: https://www.figma.com/board/ortmlbhvDZ1OiLcBBFKNXq/%2317230-Fleet-in-your-calendar?node-id=0-1&t=4lgH2L9sV7IBXLgH-0
Curious how scripts can be run for all hosts failing a policy, and with a delay using the calendar feature.
Potential solutions
-
From JD: Add the ability to run a script in a calendar window from the scripts action dropdown on the controls page.
-
Add a variable for the host online step: Designate in Fleet policy that remediation includes running a script and will send the webhook for offline hosts as well.
As an IT admin, I can not schedule scripts to run on both online/offline hosts during or after a maintenance window when hosts are failing a policy.
Hey @Drew-P-drawers what's the specific problem here? Why do we want to schedule scripts during or after a maintenance window? During dogfooding/demos are folks forgetting to connect to Wi-Fi?
The reason I ask is because adding scheduling might be a shift away from the way we want maintenance windows to work.
My understanding is that the abbreviated pitch is "IT finds time to fix/update your computer when you're free."
The "when you're free" part is core to the pitch.
Let's say an offline host has a maintenance window and we schedule a script. 1 hr later the end user comes back online to jump on a Zoom call and the script runs, making them late to the call.
Let's say the specific problem we experienced during demos is that the end user sees the calendar event and says "whoops I forgot to connect to the internet"
If that's the problem, then maybe instead of just ending if the host is offline, Fleet checks again and again during the coarse of the maintenance window to see if the host comes online.
In this scenario we also might want to update the calendar event to say "Please leave your device on, connected to Wi-Fi, and plugged in"
Hey @Drew-P-drawers, what's the specific problem here? Why do we want to schedule scripts during or after a maintenance window? During dogfooding/demos, are folks forgetting to connect to Wi-Fi?
Thanks for taking a look at this @noahtalerman
I guess this is more of a general request to add capability for admins outside of applying updates that require restarting and potentially breaking changes to devices. This could be treated as a separate use case from our current maintenance windows.
For the highest-level example, think of changing the desktop background, opening Fleet desktop, or uninstalling applications that aren't approved. There are many use cases outside of software updates. Being able to schedule scripts and add a calendar event for them plugs back into Fleet's customizability.
For scheduling scripts, maybe a company chooses to execute a script late on a Friday so that they have all weekend to fix any unexpected issues. But along with the scheduled script, it would be nice to have the calendar event pop up as a reminder it's happening without having to manually create the event for all of those users by switching over to Google Calendar and creating the event there.
Example: "Hello {company}, We'll be removing access to all Adobe products due to their recent additions to terms and conditions allowing them access to potentially sensitive company information. You will retain access until {future_date} until at which time we will be uninstalling it from any company devices."
Calendar event reminds them of the final date they have access to adobe, so they have time to back up what they need and save any work. Then a script runs to uninstall adobe.
Having the policy and calendar event makes it a seamless experience to ensure where it's still installed, and continues to try and remediate until all devices are compliant.