See if scripts are enabled/disabled on Host details page

[Patagonia121]

Goal

User story
As an IT admin on the Host details page,
I want to see if scripts are enabled/disabled
so that I can know I have to deploy a new fleetd w/ scripts enabled if I want to run scripts on this host.

Context

• Product designer: @rachaelshaw

1. Currently, when a user runs a script on a host w/ scripts disabled, the user has to wait for the host to respond to know scripts are disabled. If we add an enabled/disabled flag in the API, we can improve this UX so that the user doesn't have to wait for a host to respond (i.e. disable run script button)

Changes

Product

• UI changes: Figma
• CLI usage changes: In Figma
• REST API changes:
  • Get host: Draft PR
  • Run script: Add validation (error message in Figma)
  • Run live script: Add validation (error message in Figma)

Engineering

• Database schema migrations: host_orbit_info.scripts_enabled

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

• Risk level: Low

Manual testing steps

• Platform testing matrix: linux, darwin, windows
• Orbit testing matrix: previous orbit version with scripts enabled, new orbit with scripts disabled, new orbit with scripts enabled
• Lock/unlock fleetctl command should be tested on linux and windows
• Wipe fleetctl command should be tested on linux
• Running scripts via API should be tested on linux, darwin, windows

Testing notes

The previous orbit version with scripts enabled should function the same as before -- none of the changes in this story should apply to it.

Confirmation

1. Engineer (@____): Added comment to user story confirming successful completion of QA.
2. QA (@____): Added comment to user story confirming successful completion of QA.

[noahtalerman]

Hey @Patagonia121 heads up, this story was prioritized during feature fest.

Aiming to ship an improvement in the next 6 weeks.

[noahtalerman]

Hey @rachaelshaw! I think I may have brought us down the wrong direction.

• Instead of adding a new item to the Host details page, I think let's disable the "Run scripts" when scripts are disabled.
  • We can show an easy to understand tooltip: To run scripts on this host, deploy the fleetd agent with --enable-scripts.
  • If scripts are disabled at the org level, I think let's hide the "Run scripts" option.
• Now that we're storing whether scripts are enabled in the DB, I think we want to take the opportunity to improve the API/CLI experience. Now, we can return an error right away if a host has scripts disabled. Instead of returning that error in the script results.

I go into more detail in the Loom video here.

[sharon-fdm]

Agent: We will need to have this information available. (Maybe in a table)
Backend: Will need to fetch and store in DB
Frontend: Display according Figma.

Estimations:
Agent + BE : 5
FE: 2

[getvictor]

@rachaelshaw On macOS agents, scripts can be enabled with MDM config profile. But the server/UI won't see this until a detail query occurs (once every hour). So, the server could be blocking scripts for up to 1 hour.

The end user could speed this up by manually refetching the host.

I assume this is OK. Adding :product label to confirm.

UPDATE: Another question.
2. Wanted to confirm that Windows wipe/lock/unlock requires scripts. In the code, I see this done via MDM commands.

[getvictor]

@RachelElysia scripts_enabled == null means this agent is not an orbit agent, or this agent is version <=1.23.0 which is not collecting the scripts enabled info

[rachaelshaw]

On macOS agents, scripts can be enabled with MDM config profile. But the server/UI won't see this until a detail query occurs (once every hour). So, the server could be blocking scripts for up to 1 hour.

The end user could speed this up by manually refetching the host.

@noahtalerman do you foresee this being a problem?

Wanted to confirm that Windows wipe/lock/unlock requires scripts. In the code, I see this done via MDM commands.

I believe it does require scripts— recently tested lock on Noah's Windows machine and it failed because scripts weren't enabled.

[noahtalerman]

On macOS agents, scripts can be enabled with MDM config profile. But the server/UI won't see this until a detail query occurs (once every hour). So, the server could be blocking scripts for up to 1 hour.

The end user could speed this up by manually refetching the host.

@rachaelshaw and @getvictor I think this is ok.

Victor, there's the same potential delay for macOS (no MDM), Windows, and Linux hosts right?

If it's the same for all platforms, maybe we update the tooltip copy/error messages. Something like this: "To run scripts on this host, deploy the fleetd agent with --enable-scripts and refetch host vitals."

Rachael, what do you think?

[noahtalerman]

Wanted to confirm that Windows wipe/lock/unlock requires scripts. In the code, I see this done via MDM commands.

@getvictor Windows wipe is an MDM command. Lock/unlock are scripts.

@rachaelshaw I totally forgot that Windows wipe is an MDM command. I don't think we should disable Wipe if a Windows host doesn't have scripts enabled. What do you think?

[rachaelshaw]

@noahtalerman makes sense, I'll update the Figma 👍

[noahtalerman]

Doc changes for obit_info table: #18135

Heads up, the doc changes are live on fleetdm.com/tables however, the feature hasn't been shipped.

[noahtalerman]

@getvictor and @rachaelshaw re "Run scripts," "Lock," and "Wipe," buttons are available if the host has plain osquery installed.

What happens when we run a script against a host w/ plain osquery, does the user see an error?

I think up to @rachaelshaw on whether we decide to make changes and timing (now or file a story to bring through feature fest).

cc @RachelElysia @jacobshandling

[xpkoala]

@noahtalerman I'm testing this scenario right now. As far as I can tell the script execution stays stuck in the "pending" state for plain osquery hosts. We actually are showing an error message, I was interacting with the wrong host when I first outlined the behavior.

[noahtalerman]

We actually are showing an error message, I was interacting with the wrong host when I first outlined the behavior.

Ah, nice.

I think that's an acceptable UX.

FYI @rachaelshaw

[rachaelshaw]

@Patagonia121 this was shipped in v4.49.0

[fleet-release]

Script status shown,
Admins in cloud city,
Effort overthrown.