Policy automations: install software

[nonpunctual]

Goal

User story
As an IT admin,
I want to install software automatically when a host fails a policy
so that I can deploy software to many hosts without having to use 3rd party automation tool (e.g. Tines).

Context

• Requestor(s): @nonpunctual
• Product designer: @marko-lisica

Changes

Product

• UI changes: Figma link
• CLI usage changes: Figma link
• REST API changes: API design: Policy automations: install software #22315
• Reference documentation changes: TODO (Document changes about new "No team" file and how policies and software for No team is specified in it.)
• Changes to paid features or tiers: Available to Fleet Premium users

Engineering

• Usage documentation changes: How/where Fleet extracts name and version from packages. This way, if the IT admin hits this error they can understand why Fleet can't get the version and know how to fix their package.
• Database schema migrations: TODO
• Load testing: TODO

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

@noahtalerman:

• If an App Store app is installed and then later uninstalled on an iOS/iPadOS host, check to make sure it doesn't show up on that Host's host details page anymore and the software counts are updated accordingly.

Load test

The osquery-perf agents are able to simulate software installation. They have a 5% fail rate by default. See cmd/osquery-perf/README.md how to adjust pre/install/post fail probabilities. Once installed, the software will show up on the host with the next refetch.

Given a ~100 MB install package, try to automatically install software on 100,000 hosts.

Demo

https://www.loom.com/share/38e17e4ab76b40e6a8cd6515b5f1e015

[valentinpezon-primo]

Hi @noahtalerman @nonpunctual ,

No much to add to this one, for context :

• We will use labels to group hosts
• We would like to upload software without any teams related to it, aka "no team"
• We would like to be able to say :
  "I want the hosts that have this labels to have access to this list of app"

Since we are the source of truth for labels, A workaround could be to use your API to do software installs based on our internal labels

[noahtalerman]

Contributes to parity with Jamf

[noahtalerman]

Thanks @valentinpezon-primo for the info!

[marko-lisica]

Converting this issue to story format and moving original description here:

Organizations may have the need to install applications based on:

• role
• persona
• job title
• department
• organizational unit
• LDAP group
• etc...

i.e., a grouping of Hosts or end users that does not align to a Team in Fleet.

Scenario:

• Customer-preston does not or can't use Teams in Fleet
  • They would like applications to be assigned to "No Team"
  • (see: Add software to "No Team" #19550)

If we do this, the only options for application install in the case where a customer does not use Teams would be:

• install apps for every device in the fleet (i.e., "No Team")
• install apps for 0 devices in the fleet (i.e., applications would not be assignable)

Problem

• If applications can only be assigned to a Team, multiple Teams, "All Teams" or "No Team", how would a Fleet customer make an application assignment from the list above that is not aligned with a Team?

Potential solutions

1. Allow applications to be assigned to Hosts that match a Label.

[noahtalerman]

For checking a host's version using osquery queries:

• Noah: Might need to use some CAST(“bundle_identifer” AS INT)
  • Query doesn't work for CIS policy: Ensure an Inactivity Interval of 20 Minutes Or Less for the Screen Saver Is Enabled (MDM Required) #15962
  • Add version collate functions osquery/osquery#8168
    Marko: I found these as well:
  • https://osquery.readthedocs.io/en/stable/introduction/sql/#:~:text=Collations-,version,-%3A
  • Version compare function

[noahtalerman]

If you find some time you can record feedback on the UI that we didn't look at (labels badge on software details and advanced options modal). I would like to hear more, why do you think we want to split pending status to pending to install and pending "verification".

I believe it would be a better experience if we could manage to refetch host info if online and know right away if the host has software + if we can update software inventory together with host refetch, so counts are matching.

Hey @marko-lisica, I recorded a Loom video w/ feedback and thoughts on the above here (internal).

[sharon-fdm]

QA DRI - @jacobshandling

[noahtalerman]

@sharon-fdm just checking, was this story pushed? Is it supposed to have the ~pushed label?

[sharon-fdm]

@noahtalerman it's part of 4.57.0

[noahtalerman]

@noahtalerman it's part of 4.57.0

@sharon-fdm got it! Do you know why it has the ~pushed label? Was it pushed out of 4.56?

[sharon-fdm]

It was pushed 1 sprint (Fro 4.56 to 4.57). I probably forgot to remove it.
Removing now.

[fleet-release]

Software flows like streams,
Automations ease the work,
Fleet in clouds, it gleams.

[noahtalerman]

Hey @zayhanlon and @dherder I forgot to add the ~experimental label to this story. Currently, all user stories that contribute to the mission critical app management objective are experimental: https://fleetdm.com/handbook/company/product-groups#experimental-features