Add a new timestamp for MDM turned on and MDM check-in

[pintomi1989]

Goal

User story
As a Fleet user,
I want to hit Fleet API to get a timestamp for when a specific has MDM turned on and checks in to Fleet via the MDM protocol before the host enrolls
so that I can use the first timestamp as a heuristic to say "yes, we can deliver a certificate" to this host and the second timestamp for debugging.

Key result

None. Prioritized to unlock starchik's macOS MDM migration.

Original requests

None. We updated the original request into a story. See original issue description here: #17710 (comment)

Context

• Product Designer: @noahtalerman

Changes

Product

• UI changes: No changes
• CLI (fleetctl) usage changes: No changes
• YAML changes: No changes
• REST API changes: PR here.
  • @noahtalerman: Original PR made to 4.69.0 docs but the feature was shipped in 4.68. New PR is here: [API design] Add a new timestamp for MDM check-in #29467
• Fleet's agent (fleetd) changes: No changes
• GitOps mode changes: No changes
• Activity changes: No changes
• Permissions changes: No changes
• Changes to paid features or tiers: Fleet Premium and Fleet Free
• My device and fleetdm.com/better changes: No changes
• First draft of test plan added
• Other reference documentation changes: No changes
• Once shipped, requester has been notified
• Once shipped, dogfooding issue has been filed: @noahtalerman: No dogfooding issue needed. Verified in dogfood by hitting a Host details page.

Engineering

• Test plan is finalized
• Contributor API changes: No changes
• Feature guide changes: No changes
• Database schema migrations: Add and populate last_mdm_enrolled_at
• Load testing: No loadtesting

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

• Requires load testing: no
• Risk level: Low

Test plan

• Enroll a macOS host to Fleet. Turn on MDM for that host. Then, turn off MDM for that host and re-turn on MDM. Verify that the last_enrolled_at is not the same as the last_mdm_enrolled_at
• Automatically enroll a macOS host to Fleet via Apple Business Manager. Verify that last_mdm_enrolled_at is set.
• Repeat the tests for Windows.
• Enroll a host to Fleet. Verify that last_mdm_enrolled_at is null. Turn on MDM for that host manually. Verify that last_mdm_enrolled_at is set.
• Repeat automatic and manual enrollment steps for an iOS, iPadOS, and Android host. last_enrolled_at and last_mdm_enrolled_at should always be the same timestamp.
• Wipe a macOS host (Erase all contents and settings) that has MDM turned on in Fleet. Automatically enroll this macOS host to Fleet. Verify that the last_mdm_enrolled_at is updated.
• Verify that the last_mdm_checked_in_at is updated every time the host checks in via the MDM protocol.
• Verify the new flags are updated in the scenarios documented here: https://github.com/fleetdm/fleet/pull/28940/files#r2078518201

Testing notes

• Tested running silent migrations,sudo profiles renew -type enrollment, and SCEP renewal with positive results

Confirmation

1. Engineer: Added comment to user story confirming successful completion of test plan.
2. QA: Added comment to user story confirming successful completion of test plan.

[valentinpezon-primo]

Hi, typically it could corresspond to

MacOS:

• mdm_turned_on_at: set whenever the profile is installed

Windows :

• mdm_turned_on_at: set whenever Fleet is connected and activated in the "Work or school account"

[JoStableford]

Related to a Slack conversation

[nonpunctual]

Please see https://fleetdm.com/docs/rest-api/rest-api#default-response30 json example to view the key / value that is being requested for changes. Thanks.

[JoStableford]

Related to a Slack conversation

[nonpunctual]

Whatever we call things works behind the scenes if customers are only using Fleet UI. I think once people are building integrations with the API, disambiguating the fields becomes more critical so maybe we need to revisit?

[noahtalerman]

Hey @pintomi1989, heads up, we brought this into the upcoming design sprint (4.49).