
Downloadable, hosted agents (fleetd) with IdP authentication

Open Patagonia121 opened this issue 1 year ago • 1 comment

  • customer-mozartia Gong snippet: https://us-65885.app.gong.io/call?id=6719433018862554186&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A817%2C%22to%22%3A1077%7D%5D
  • customer-pingali Gong snippet: TODO
  • @noahtalerman: User requested this because they're asking their end users to go to Google Drive to download/install the Fleet agent (fleetd). When the end user downloads fleetd for Windows, they see these warnings which is a bad user experience:
[Screenshots: the Windows download warnings shown to the end user]

  • @noahtalerman: In the interim the IT admin could add fleetd to an S3 bucket and point their end users to the S3 URL. This way, end users wouldn't see a scary message.
  • @noahtalerman: Eventually Fleet could provide a URL to point end users to. Maybe the end user logs in with their Identity provider and this tells Fleet what Fleet instance the agent should be configured to talk to.
    • @noahtalerman: Fleet could also support the other way to enroll on Windows, which is logging in with your work email under the System Settings equivalent on Windows.

User stories

  • #27481

Patagonia121, Jan 22 '25 21:01

Problem

noahtalerman, Feb 03 '25 19:02

Potential solution for Apple devices proposed in https://github.com/fleetdm/fleet/issues/29747

Here's the original issue description:

Problem

I don't have a management system in place today or a way to easily deploy enrollment packages. I want to be able to send my users to an enrollment URL (ex: dogfood.fleetdm.com/enroll/teamid) to enroll their devices. I also want this URL to be simple (unlike our 32 character URLs today) and also behind authentication so only authorized users are enrolling devices. This should be supported for all device types, not limited to just iOS/iPadOS.

This is another reason why we need to adopt different terminology (like user-initiated enrollment) and stop using BYOD except in the cases of devices going through Apple User Enrollment or using Android Work profiles.

What have you tried?

N/A

Potential solutions

Phase 1 of this is already possible today by using the iOS/iPadOS enrollment workflow and changing your browser's user agent to iOS, essentially tricking Fleet into thinking you are connecting from an iOS device. You can then download the enrollment profile and become managed by Fleet. With some simple changes to messaging (like saying you must do this on an iOS device), updates to the Add hosts modal, and removing the requirement to be on a mobile device when you go to that URL, this could be an easy win. UI changes, as well as shortening up the enrollment URLs, are all that is really required to support this workflow.

Phase 2, and equally if not more important, would be to add authentication on this URL to prevent unauthorized people/devices from enrolling.

This is a way simpler method than enrollment packages. Enrollment packages should really be limited to when Fleet is running as a companion app (pre-MDM migration) or strictly observability/non-MDM deployments.

What is the expected workflow as a result of your proposal?

I can easily enroll non-ADE devices without having to distribute an enrollment package.

ambrusps, Jun 11 '25 22:06
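The Phase 1 / Phase 2 distinction above is the security point of this thread: a "must be on a mobile device" check that only inspects the User-Agent header is a usability hint, not an access control, because the client picks that header, so the enrollment URL's only real protection is that it is hard to guess. The following is an added illustration written for this page, not Fleet's code and not how Fleet's enrollment endpoint is implemented. It builds a hypothetical `/enroll/teamid` handler two ways: gated on the User-Agent (which a spoofed iPhone UA walks straight through) and gated on an IdP-backed session (a constructed cookie-to-user map standing in for a real OIDC/SAML login). The profile body, session store, cookie name and `X-Enrolled-By` header are all constructed for the example.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed stand-in for an enrollment profile; not Fleet's real payload.
const sampleProfile = `<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>PayloadType</key><string>Configuration</string></dict></plist>`

// isMobileUA mirrors the "must be on a mobile device" gate the thread describes.
// It looks only at the User-Agent header, a value the client chooses freely.
func isMobileUA(ua string) bool {
	ua = strings.ToLower(ua)
	return strings.Contains(ua, "iphone") || strings.Contains(ua, "ipad")
}

// UAGatedHandler is the Phase 1 situation: anyone who has the URL and sends an
// iOS-looking User-Agent receives the profile. The check is UX, not authorization.
func UAGatedHandler(w http.ResponseWriter, r *http.Request) {
	if !isMobileUA(r.UserAgent()) {
		http.Error(w, "open this link on an iOS or iPadOS device", http.StatusForbidden)
		return
	}
	w.Header().Set("Content-Type", "application/x-apple-aspen-config")
	fmt.Fprint(w, sampleProfile)
}

// SessionStore is a hypothetical stand-in for "the end user logged in with their
// identity provider": session ID -> authenticated user. A real service would
// populate it from an OIDC or SAML callback, not from a literal.
type SessionStore map[string]string

func (s SessionStore) userFor(r *http.Request) (string, bool) {
	c, err := r.Cookie("enroll_session")
	if err != nil {
		return "", false
	}
	for id, user := range s {
		// Constant-time compare so the session ID cannot be guessed via timing.
		if subtle.ConstantTimeCompare([]byte(id), []byte(c.Value)) == 1 {
			return user, true
		}
	}
	return "", false
}

// AuthGatedHandler is the Phase 2 proposal: the profile is served only to an
// authenticated user, on any device, and the request is tied to that user.
func (s SessionStore) AuthGatedHandler(w http.ResponseWriter, r *http.Request) {
	user, ok := s.userFor(r)
	if !ok {
		// A real flow would redirect to the IdP login page here.
		http.Error(w, "sign in with your work account to enroll this device", http.StatusUnauthorized)
		return
	}
	w.Header().Set("X-Enrolled-By", user) // hypothetical audit attribution
	w.Header().Set("Content-Type", "application/x-apple-aspen-config")
	fmt.Fprint(w, sampleProfile)
}

// FetchProfile issues one request against a handler and returns the HTTP status,
// so each User-Agent/session combination can be checked directly.
func FetchProfile(h http.Handler, userAgent string, session string) int {
	req := httptest.NewRequest(http.MethodGet, "/enroll/teamid", nil)
	req.Header.Set("User-Agent", userAgent)
	if session != "" {
		req.AddCookie(&http.Cookie{Name: "enroll_session", Value: session})
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// Constructed User-Agent strings: a desktop browser and the same browser
// pretending to be an iPhone (what the Phase 1 trick amounts to).
const (
	DesktopUA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0) AppleWebKit/605.1.15 Safari/605.1.15"
	SpoofedUA = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148 Safari/604.1"
)

func main() {
	sessions := SessionStore{"constructed-session-id": "user@example.com"}
	ua := http.HandlerFunc(UAGatedHandler)
	auth := http.HandlerFunc(sessions.AuthGatedHandler)
	fmt.Println("UA gate, desktop UA:               ", FetchProfile(ua, DesktopUA, ""))
	fmt.Println("UA gate, spoofed iOS UA:           ", FetchProfile(ua, SpoofedUA, ""))
	fmt.Println("Auth gate, spoofed UA, no session: ", FetchProfile(auth, SpoofedUA, ""))
	fmt.Println("Auth gate, desktop UA, valid login:", FetchProfile(auth, DesktopUA, "constructed-session-id"))
}
```

Run it and the first handler returns 403 for the desktop browser and 200 for the same browser with a spoofed iPhone User-Agent, which is exactly the bypass the comment describes. The second handler ignores the User-Agent for authorization and returns 401 without a valid session regardless of what the client claims to be, which is what "behind authentication so only authorized users are enrolling devices" requires; shortening the URL is then safe, because the secret no longer lives in the path.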