fleet Software: automatically install, patch, and add custom targets (labels)

customer-numa: No Gong recording. The commit was (https://github.com/fleetdm/fleet/issues/19551) which may be sufficient. The need is re: self-service, to be able to scope on the software package similar to what is done with labels in config profiles.
- @noahtalerman: customer-numa promise. Called "Install, update, and remove software on macOS with Fleet" on the order form. These issues are listed:
- #20320
- #20404
- #18865
  - @noahtalerman: These issues are stories because they were worked on before we decided to split stories from customer requests. "Update" or patch is still TODO. That's captured in this request.
customer-preston: Gong recording (full): https://us-65885.app.gong.io/call?id=1740943306810384507
customer-easterwood: Gong snippet: https://us-65885.app.gong.io/call?id=4336811297696402414&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A484%2C%22to%22%3A523%7D%5D
prospect-gispen: Slack thread: https://fleetdm.slack.com/archives/C07FSHNNG3C/p1726601549891569
prospect-mozartia: No Gong snippet. Written feedback given directly: "In the ideal state we’d like to ship laptops directly to new hires, they open up their machine, get prompted to login and we’ll be able to install specific apps for this user. I’m not sure if “Teams” is a good label but maybe “profiles” might be better? Essentially based on the user’s cost center (or department or ou as described in the ticket), Fleet would be able to determine that this user will need these set of apps on top of the normal onboarding configurations we’re already doing.
- For example, the Finance team / “profile”. In addition to the default Slack, Zoom and Firefox apps we’re already installing in the “Onboarding” team, we’d like to see Microsoft Office and Box installed for users in this “profile. The UX profile would include Adobe apps like Photoshop and Illustrator, etc.
customer-schur: TODO: Gong snippet
customer-rosner: TODO: Gong snippet
prospect-salix: TODO: Gong snippet
prospect-disa: TODO: Gong snippet
@noahtalerman: User requested this because they're building a white-label MDM solution on top of Fleet and they want to install a set of apps on macOS and Windows workstations based on the owner's (employee) is group membership (aka profile). This user doesn't utilize teams in Fleet. All workstations are in "No team." The grouping happens inside the white-label MSP solution.
@noahtalerman: User requested this because they want only install software on Macs that have the required dependencies/hardware/specs (ex. Rosetta, Apple Silicon, Windows ARM, other apps) for the software. This way, the end user only gets software that they can use on their Workstations. Sometimes incompatible software can be installed but fail to run when end user goes and tries to use them.
@noahtalerman: User requested this because they want to install at first Mac boot an app that's intended for a specific department (ex. Marketing) or role (ex. IT Help Desk). Everyone gets the same base 3-4 applications at new Mac boot but some apps are catered to their department or role.
@noahtalerman: User requested this because they want to offer an app that's intended for a specific department (ex. Marketing) or role (ex. IT Help Desk) in self-service. Everyone gets the same base 3-4 applications at new Mac boot but their self-service apps are catered to their department.
@noahtalerman: User requested this because they want to install this new app that my business bought a limited number of licenses for on a specific set of devices. Usually grouped by department (ex. Marketing).
@noahtalerman: User requested this because they want to install this new app that my business is using and I don't want to install it on each host one by one or build some automation w/ a third-party tool to do this. This could be for a productivity app or a security tool.
@noahtalerman: User requested this because they want to choose a software and set a minimum version (version floor). If a computer has a version of that software below the minimum version they want Fleet to update the software.
- Users also want to be able to choose a software and ask Fleet to keep it at the latest version for them. If a computer has a version of that software older than latest, they want Fleet to update the software.
- To not interrupt employees at their organization (end users), users want Fleet to install the update only if the app isn't running. They also want to set add a deadline at which the software will update whether it's being actively used or not. They want to warn end users when this is about to happen so that the end users can save their work.

User stories

#19551
#22077
#23115
#23344
#23744
#22813
#24609
#24989
#25007
#25226
#25514
#26204
#25499
#25636
#26829
#25912

Sep 04 '24 21:09 nonpunctual

Thanks for tracking this @nonpunctual.

Heads up that when we ship the new policy automation (#19551), for some scoping software use cases, there's a workaround: add scoping to the policy's query.

For example, I could write a policy's query to fail (not return results) only for specific serial numbers (w/ hardware_serial in system_info table here).

Using the new policy automation, this would scope a software install only to those specific serial numbers.

cc @dherder @ddribeiro @pintomi1989 @zayhanlon

Sep 05 '24 13:09 noahtalerman

Thanks for explaining the workaround. The original customer feature request is to scope using labels.

Sep 05 '24 15:09 nonpunctual

Hey @zayhanlon, I think let's start by taking this one one as an air guitar.

When you get the chance, can you please help me set up discovery calls w/ customer-preston and customer-rosner? The fewer attendees the better! Thank you :)

Sep 13 '24 18:09 noahtalerman

@noahtalerman: Chatted w/ customer-preston (Gong recording here) and learned that "Automatic install" might be covered by work we're doing in the "Automatically install" story (#22076)

Scoping software w/ labels is still needed for customer's "Profiles" feature

Hey @zayhanlon we learned the above during today's call w/ customer-preston.

I think it makes sense to bring in a user story for scoping software w/ labels next design sprint (we're at capacity this sprint). Or we can pull something out of the current design sprint.

If it's the latter, please schedule 15 mins w/ me ASAP so we can jump on a call what you think we could bring out. Happy to jump on chat about what to pull out.

Sep 17 '24 14:09 noahtalerman

@noahtalerman let's take it next design sprint. i don't think there's anything on the board that i would be able to pull off (all prospect things so i can't make that call). lets focus on 'labels any' for them for the current design sprint

Sep 17 '24 14:09 zayhanlon

@zayhanlon sounds good. I pulled this issue off the drafting board (removed air guitar).

I'll leave it up to you (as Customer support DRI) to bring this back to the next feature fest.

Sep 17 '24 17:09 noahtalerman

Adding additional info about this FR :

Automatically install software is going to be done in #22076
Since #22028 is going to be release before this one, the scoping of software install by label should also include the "OR" from #22028

Sep 18 '24 09:09 valentinpezon-primo

Hey @zayhanlon and @dherder, when you get the chance, can y'all please help me more Gong recordings for this request?

It looks like we have one Gong recording (see issue description) but 9 customers/prospects attached.

Oct 07 '24 13:10 noahtalerman

hey @noahtalerman - this is an offshoot of #19551 before that issue was changed. i'm not sure if we'll have recordings for all of them but i can try to dig some things up.

Oct 07 '24 14:10 zayhanlon

Hey @marko-lisica what user story (or stories) do you think we should peel off this design sprint?

Oct 08 '24 15:10 noahtalerman

Hey @marko-lisica, I jumped the gun! Sorry. I think we need Gong snippets first. Without Gong snippets I don't think we can make a decision on what user story to peel off.

Oct 08 '24 17:10 noahtalerman

@pintomi1989 @zayhanlon @Patagonia121 can you add the best private Gong snippet links for schur, rosner, and easterwood's use cases above? (issue description)

@pauldittmer2 @AnthonySnyder8 @ambrusps can you add the best private Gong snippet links for disa, gispen, mozartia, numa, and salix's use cases above? (issue description)

(Once we have the links, we can shape this the rest of the way, verify our hypotheses, and create user stories.) Thank you!

Oct 08 '24 17:10 noahtalerman

@noahtalerman added a written statement instead of Gong snippet for prospect-mozartia above

Oct 10 '24 20:10 ambrusps

Hey @ambrusps thanks! does that statement come from a Slack thread? If yes, can you please share a link to the thread?

Oct 11 '24 13:10 noahtalerman

@pintomi1989 @zayhanlon @Patagonia121 just giving you another ping! (toast notification) can you please add the best private Gong snippet links for schur, rosner, and easterwood's use cases above? (issue description)

@phtardif1 @AnthonySnyder8 just giving you another ping! (toast notification) can you please add the best private Gong snippet links for disa, gispen, and salix's use cases above? (issue description)

Oct 11 '24 13:10 noahtalerman

@noahtalerman i'm taking rosner off the list. going with munki

Oct 11 '24 18:10 zayhanlon

@noahtalerman updated prospect-gispen in the description

Oct 11 '24 19:10 AnthonySnyder8

@nonpunctual I noticed you added customer-easterwood's tag to this issue, do you recall when you heard they wanted this?

Oct 11 '24 22:10 Patagonia121

Hey @noahtalerman,

I'm having difficulty digging up which call this ask from customer-schur came from. I did not add their tag to this issue - Tagging @nonpunctual here since he may have more context.

Oct 14 '24 20:10 pintomi1989

@noahtalerman added link to Gong call where customer-easterwood mentions scoping software within a team.

Oct 16 '24 15:10 nonpunctual

Hey @noahtalerman,

Removing customer-preston tag from this, keeping on https://github.com/fleetdm/fleet/issues/22813

Oct 17 '24 13:10 pintomi1989

Hey @pintomi1989, I think we want to leave customer-preston on this issue. I added them back. This issue is the customer request issue. #22813 is a user story that we peeled off of this request.

A user story is not guaranteed to address all aspects of the customer's problem(s). The story might ship a piece of it. This way we can move quickly and iterate.

Using feedback from a customer, we might peel more user stories off of the same request and ship them in later iterations.

Oct 17 '24 17:10 noahtalerman

Hi @noahtalerman !

Ok make sense

it means the #22813 does not include the "automatic install" but only the scope install by label? :/ It means the "automatic install" is gonna be tackled in #22077 ?

cc @zayhanlon for visibility

Oct 18 '24 08:10 valentinpezon-primo

it means the https://github.com/fleetdm/fleet/issues/22813 does not include the "automatic install" but only the scope install by label? :/ It means the "automatic install" is gonna be tackled in https://github.com/fleetdm/fleet/issues/22077 ?

Hey @valentinpezon-primo! Yes, that's the current plan.

Oct 23 '24 16:10 noahtalerman

it means the #22813 does not include the "automatic install" but only the scope install by label? :/ It means the "automatic install" is gonna be tackled in #22077 ?

Hey @valentinpezon-primo! Yes, that's the current plan.

Sorry it's was https://github.com/fleetdm/fleet/issues/21825 and not https://github.com/fleetdm/fleet/issues/22077 , since it's custom package

Oct 24 '24 15:10 valentinpezon-primo

Hey @pintomi1989 heads up, we're working on a user story for this request in the current design sprint:

#22813

Reminder that this user story might not address the request in it's entirety. It's a small iterative piece.

Oct 25 '24 14:10 noahtalerman

Moving this out of the issue description here for safekeeping:

Re-creating the original issue per customer-preston request as https://github.com/fleetdm/fleet/issues/19551 was de-scoped

Organizations may have the need to install applications based on:

role

persona

job title

department

organizational unit

LDAP group

etc...

i.e., a grouping of Hosts or end users that does not align to a Team in Fleet.

Scenario:

Customer-preston does not or can't use Teams in Fleet

They would like applications to be assigned to "No Team"

(see: https://github.com/fleetdm/fleet/issues/19550)

If we do this, the only options for application install in the case where a customer does not use Teams would be:

install apps for every device in the fleet (i.e., "No Team")

install apps for 0 devices in the fleet (i.e., applications would not be assignable)

Problem

If applications can only be assigned to a Team, multiple Teams, "All Teams" or "No Team", how would a Fleet customer make an application assignment from the list above that is not aligned with a Team?

Potential solutions

Allow applications to be assigned to Hosts that match a Label.

Nov 14 '24 23:11 noahtalerman

Hey @pintomi1989, soon we're planning on building a piece of this request: "Create policies automatically for custom packages" (#23344).

Can you please show preston these Figma wireframes and collect their feedback?

Dec 09 '24 14:12 noahtalerman

Hey @noahtalerman - Will do. I will show these to the customer-preston team during our meeting this week, and let you know what their feedback is

Dec 09 '24 14:12 pintomi1989

Checked with @valentinpezon-primo, looks good on our end 👌

Dec 09 '24 15:12 martinpannier