IdP host vitals: create labels & variables for configuration profiles
- olympus (prospect for macOS MDM replacement):
  - User to device mapping. Users are mapped to a device on enrollment. The "assigned" user can later be changed manually if needed.
  - User attribute sync. Any attribute from the IdP can be synced to Fleet and surfaced in the UI. Team, role, cost center, etc.
  - User attribute updates. These attributes should be automatically kept up to date on a regular schedule to match the IdP.
  - Profile variable interpolation. When user attributes update, and a corresponding variable is used in a profile, the profile should optionally automatically redistribute. For example, if a user's last name changes and that value is used in a profile, the profile should be redistributed to update the value on device.
  - User attributes in labels. All user attributes synced from the IdP (or manually set) should be available to be used when constructing dynamic labels. We need to be able to easily group "all engineers on the devices team" or "remote employees in Mexico".
- customer-reedtimmer: Gong snippets:
  - https://us-65885.app.gong.io/call?id=3274063432520612661&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A1526%2C%22to%22%3A1588%7D%5D
  - https://us-65885.app.gong.io/call?id=3274063432520612661&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A1907%2C%22to%22%3A2117%7D%5D
- customer-pingali: Gong snippet: https://us-65885.app.gong.io/call?id=1989192898666666867&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A3834%2C%22to%22%3A3935%7D%5D
  - @harrisonravazzolo: customer-pingali has the following asks for this feature request:
    - Robust user association to both company-issued devices and BYOD allows admins to reliably identify all devices assigned to a user and take action on them in a single mechanism, i.e. automation at offboarding.
    - Allows the issuing of certs, which have user details attributed to them.
    - Allows the customer to build device approval flows. When a user enrolls a new device into MDM, a notification is sent to the user's original device before it can be granted config profiles.
  - @harrisonravazzolo: customer-pingali would like to see this supported by the SCIM protocol. A workflow similar to this:
    - User added to Okta
    - The user and their attributes are populated in the 'Users' section of Fleet
    - For each host in Fleet, a user from the users directory can be assigned.
    - From Fleet's user section, a user can be selected to show their attributes synced from the IdP (i.e. department, title, location) as well as all devices assigned to them.
- customer-flacourtia: Gong snippet: https://us-65885.app.gong.io/call?id=4611615615987162505&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A1876%2C%22to%22%3A2020%7D%5D
- customer-sarahwu: The row labeled "IDENTITY: IdP data integration with Fleet Host records" in this document
  - Gong snippet: https://us-65885.app.gong.io/call?id=2045552602800541978&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A1675%2C%22to%22%3A1995%7D%5D
- customer-nortia: Gong snippet: https://us-65885.app.gong.io/call?id=3659970139851900100&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A584%2C%22to%22%3A628%7D%5D
- customer-ramzel: Gong snippet: https://us-65885.app.gong.io/call?id=5454217124457213480&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A410%2C%22to%22%3A452%7D%5D
  - @allenhouchins: Scope apps, config profiles, and scripts, or user info in config profiles and scripts: "Users" table concept where a user, and associated data, can be tied to a specific device. Often this is for scoping: everyone in the Product Management group gets this app. Scripting w/ variables like $USERNAME. Show me all the devices for a specific user. Show me all engineering devices. Syncing/updates is important.
  - @mikermcneil: We've been calling this roadmap feature "foreign vitals". But what specifically are the minimally viable columns to start with? We'll handle them bespoke. (We will always have a tendency to piggyback multiple requests into a single issue. The problem is that it then devolves into "over-genericism" and it's hard to understand the problem. Instead of one or two separate deeply understood problems, we end up with 5 different shallowly-understood problems and some misunderstandings.)
User stories
- #23236
- #23899
- #23900
  - Includes IdP email, groups, and username portion of email. The full name will be included in the future iteration.
- #28070
Hey @dherder, ignoring the sync part, how did we solve this (w/o sync) w/ customer-rosner?
Are they using the Tines story you created?
cc @Patagonia121
Hey @noahtalerman - Resurfacing this one as customer-pingali considers an integration with their IdP and being able to tie users to a device(s) is a must-have in order to consider Fleet MDM.
Related: https://github.com/fleetdm/fleet/issues/21849 Use WebClip profile for MyDevice page on iOS/iPadOS
Hey @Patagonia121 and @harrisonravazzolo when you get the chance, can you please add the Gong snippet from the respective customers to the top of the issue description? Thanks :)
@noahtalerman hey Noah, added comments, use case and Gong to the body of the issue.
Moved the original issue description here for safekeeping:
Customer user story: As an admin, I want the MDM to integrate with Okta to synchronize attributes like department and role to the host’s device record based on the assigned user, dynamically scoping applications and configuration data to user personas.
As of July 2024, this is unsolved, due to the inability to set host attributes arbitrarily based on IdP data.
Additional feedback from customer: Something more like SimpleMDM's custom attributes: https://simplemdm.pdq.com/hc/en-us/articles/9355313240347-Attributes-Custom-Attributes Or very specifically Jamf Pro's https://learn.jamf.com/en-US/bundle/jamf-pro-documentation-10.39.0/page/Computer_Extension_Attributes.html
From Fleet CSA: When a device in Jamf updates its inventory (like refetch in Fleet) it refreshes the end user data via an integration with an organization's "directory" service which can be AD or a cloud IdP.
@pintomi1989 @allenhouchins @phtardif1 can you please add Gong snippets for sarahwu, ramzel, and flacourtia? Thanks!
@noahtalerman added gong snippets for customer-flacourtia & customer-sarahwu. @harrisonravazzolo could not find a reference in Gong for prospect-ramzel on this topic. Maybe in a doc?
Hey @Patagonia121 and @harrisonravazzolo heads up, we peeled this user story off this request and brought it into the current design sprint.
Keep in mind that the user story will likely not address all aspects of this request. It's a small iterative piece.
Hey @noahtalerman - Here is a Gong snippet for customer-ramzel regarding this ask: https://us-65885.app.gong.io/call?id=5454217124457213480&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A410%2C%22to%22%3A452%7D%5D
FYI @marko-lisica
Hey @zayhanlon, Noah and I looked at engineering capacity in the next sprint and decided to push this user story #23236 out of the current design sprint. MDM team is going to prioritize bugs and starchick's and numa's requests. We're still targeting delivering this request in Q1.
FYI @lukeheath ^^
Hey @zayhanlon @Patagonia121 @kc9wwh, we shipped a piece of this request (mapping Okta users to Fleet host vitals). Entra ID and authentik support coming soon, as well as using this information as configuration profile variables and labels based on IdP groups.
Can you please ask MDM customers who use Okta for feedback on just the mapping users to host vitals? Is Fleet missing anything? Heads up, this is only available for macOS hosts that automatically enroll.
@marko-lisica I think this is relevant? https://fleetdm.slack.com/archives/C0389SEPLR3/p1745880430485479
@nonpunctual I agree. We have a user story for this (#28070), but it's not prioritized yet.
FYI @noahtalerman
Hey @zayhanlon @Patagonia121 @kc9wwh, just checking, any feedback from customers who use Okta yet? What is Fleet missing?
- @noahtalerman: No Gong snippet for reedtimmer's labels request. We think they want labels for IdP groups and IdP departments.
@ambrusps can you please bring up IdP labels on the next call? Does reedtimmer want to scope based on IdP group, department, or both?
@noahtalerman seeing a couple attached at the top, I'll look thru them and can search through previous calls to see if there are other snippets. Otherwise, meeting on 5/20 and will ask!
Hey @zayhanlon @Patagonia121 as of 4.69, we added support for these foreign host vital variables (other variables here):
- $FLEET_VAR_HOST_END_USER_IDP_USERNAME: host's IdP username.
- $FLEET_VAR_HOST_END_USER_IDP_USERNAME_LOCAL_PART: local part of the email (e.g. john from [email protected]).
- $FLEET_VAR_HOST_END_USER_IDP_GROUPS: comma separated IdP groups that the host belongs to.
These variables are populated for macOS hosts that automatically enroll. Supported IdPs are Okta, Entra ID, and authentik.
We think these variables fulfill numa and pingali's needs. Can you please ask them if Fleet is missing any IdP variables for macOS?
If the answer is no, please drop a comment but leave this issue open. There are other customers and prospects attached. For now, I think let's focus on numa and pingali.
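Added illustration (example code, not Fleet's implementation) of how a profile that consumes these three variables behaves: it is withheld when the host has no IdP user, the comma separated groups value is split into a list, and the profile is flagged for redistribution when a referenced attribute changes on sync, as the request at the top asks. The vitals and the plist fragment are constructed for the example.

```python
import re
from typing import Optional
from xml.sax.saxutils import escape

# Matches the $FLEET_VAR_HOST_END_USER_IDP_* tokens listed in the comment above.
VAR_PATTERN = re.compile(r"\$(FLEET_VAR_HOST_END_USER_IDP_[A-Z_]+)")

# Constructed sample vitals for one macOS host (not real IdP data).
SAMPLE_VITALS = {
    "FLEET_VAR_HOST_END_USER_IDP_USERNAME": "john@example.com",
    "FLEET_VAR_HOST_END_USER_IDP_USERNAME_LOCAL_PART": "john",
    "FLEET_VAR_HOST_END_USER_IDP_GROUPS": "Engineering, Remote",
}

# Constructed plist fragment that references two of the variables.
SAMPLE_PROFILE = """<dict>
  <key>UserName</key><string>$FLEET_VAR_HOST_END_USER_IDP_USERNAME</string>
  <key>Groups</key><string>$FLEET_VAR_HOST_END_USER_IDP_GROUPS</string>
</dict>"""


def referenced_vars(template: str) -> list:
    """Variables a profile references, deduplicated and sorted."""
    return sorted(set(VAR_PATTERN.findall(template)))


def render_profile(template: str, vitals: dict) -> tuple:
    """Substitute vitals into the profile; returns (rendered, missing).

    A host with no IdP user (for example one that did not automatically
    enroll) has empty vitals: the profile is then withheld instead of being
    sent with literal '$FLEET_VAR_...' text, and the missing names are
    reported. Values originate in the IdP, so they are XML-escaped.
    """
    missing = [v for v in referenced_vars(template) if not vitals.get(v)]
    if missing:
        return None, missing
    rendered = VAR_PATTERN.sub(lambda m: escape(vitals[m.group(1)]), template)
    return rendered, []


def idp_groups(vitals: dict) -> list:
    """Split the comma separated groups value into a clean list."""
    raw = vitals.get("FLEET_VAR_HOST_END_USER_IDP_GROUPS", "")
    return [g.strip() for g in raw.split(",") if g.strip()]


def needs_redistribution(template: str, old: dict, new: dict) -> bool:
    """True when an IdP sync changed a value this profile actually uses."""
    return any(old.get(v) != new.get(v) for v in referenced_vars(template))
```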
@noahtalerman added to their agenda for todays call!
- @allenhouchins: For variables Fleet's current `FLEET_VAR_IDP_GROUPS` won't work with this syncing department to group strategy because `blondelet` can't programmatically pick out which values are departments.
@rachaelshaw heads up that I think we want to increase the scope of our labels story to include syncing departments and creating labels + variables.
Hey @zayhanlon, we shipped part of this request (user story) in 4.69.
Please let me know if customer-numa has feedback on this story.
Moving the old user stories list out of the issue description to below. User stories that contribute to this request now live in the "Sub-issues" section.
User stories
- #23236
- #23899
- #23900
  - Includes IdP email, groups, and username portion of email. The full name will be included in the future iteration.
- #28070
- #28196
- #28197
- #29609
- #30448
FYI @zayhanlon @Patagonia121, moved this customer request over to #g-unicorns now that y'all are using that board.
Good to go for numa @noahtalerman
@Patagonia121 @zayhanlon https://github.com/fleetdm/fleet/issues/29609 and https://github.com/fleetdm/fleet/issues/23899 shipped in 4.71.0 🎉
customer-blondelet: Gong snippet
- @allenhouchins: customer-blondelet is trying to scope things to an entire department (ex. Engineering) minus a specific group. The plan to achieve this would be to build the logic in the IdP and sync that group over as a label for scoping.
  - Slack thread here: https://fleetdm.slack.com/archives/C07AK6CUDFC/p1746485257390359
- @allenhouchins: For variables, Fleet's current `FLEET_VAR_IDP_GROUPS` won't work with this syncing-department-to-group strategy because blondelet can't programmatically pick out which values are departments.
- @noahtalerman: We think they want their SCEP certificate to contain the user's Department as an OU in the Subject. Ex: CN=Fleet, OU=$DEPARTMENT
Hey @kc9wwh, in Fleet 4.71, we shipped the ability to use IdP department as a label (for custom targets aka scoping) and a variable in macOS configuration profiles.
We think this fulfills customer-blondelet's needs. Can you please show them the improvements and ask if Fleet is missing anything?
If this request is complete for blondelet, please leave this request open. After we confirm for blondelet, we want to confirm if it's complete for reedtimmer and pingali.
https://fleetdm.com/handbook/customer-success#communicate-feedback-on-prioritized-customer-requests
cc @rachaelshaw ^
@kc9wwh just realized that we want to confirm that Fleet now supports customer-thumper's workflow (below from the issue description). We think it does. Up to you to ask if Fleet is missing anything.
customer-thumper: @allenhouchins: This prospect wants department as a host vital, variable, and label.
- They set organization unit (OU), which is department from their IdP, in their certificate for Wi-Fi.
- Admins need to deploy a SCEP certificate that contains the user's Department as an OU in the Subject. Ex: CN=Fleet, OU=$DEPARTMENT