iOS/iPadOS automatic (DEP) enrollment

[noahtalerman]

Goal

User story
As an endpoint operator,
I want my iOS and iPadOS hosts in Apple Business Manager to automatically enroll to Fleet w/ MDM features on
so that I can see these hosts in Fleet.

Context

• Product designer: @rachaelshaw

1. No manual (BYOD) enrollment for now
2. Soon, Fleet will add the ability to send custom MDM command, apply custom configuration profiles, and apply licenses through Apple's Volume Purchasing Program (VPP)

Changes

Product

• UI changes: TODO
• CLI usage changes: TODO
• REST API changes: TODO
• Permissions changes: TODO
• Outdated documentation changes: TODO
• Changes to paid features or tiers: TODO

Engineering

• Database schema migrations: TODO
• Load testing: TODO

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

• Requires load testing: TODO
• Risk level: Low / High TODO
• Risk description: TODO

Manual testing steps

1. Step 1
2. Step 2
3. Step 3

Testing notes

Confirmation

1. Engineer (@____): Added comment to user story confirming successful completion of QA.
2. QA (@____): Added comment to user story confirming successful completion of QA.

[noahtalerman]

Hey @rachaelshaw here's the first iOS/iPadOS story.

For designs, I think we want to think through what an iOS/iPadOS host looks like on the Hosts and Host details page.

Also, while the goal of this story is a read-only view of iOS/iPadOS hosts, I think we should also wireframe lock/wipe as part of this story. We can carve these out later.

Unless we find a way to install osquery (or something like it) on these hosts, I think Fleet will send the "Get Device Information" MDM command to get host vitals.

We can see the info we'd get back by looking at the list of properties here: https://developer.apple.com/documentation/devicemanagement/deviceinformationcommand/command/queries

[noahtalerman]

Brock: Customer-preston might want BYOD as well. We don't know.

JD: If there's an enrollment profile, we "support" BYOD. It's a matter of whether we document this workflow or build dedicated UI for it.

[noahtalerman]

Marko: Declaration (DDM) profiles are supported on iOS 15+

This means we might be able to subscribe to a status channel to get read-only info that we want to display in the UI. Instead of MDM commands.

Advantage of status channel is the device sends updates to the Fleet server. Fleet server doesn't have to run a job to send an MDM commands.

[noahtalerman]

FYI @lucasmrod ^^

[lucasmrod]

@noahtalerman OK, so I will assume we will build iOS/iPadOS support leveraging DDM, correct?

[noahtalerman]

@lucasmrod I'm not sure but I think we'll want to leverage both DDM and the MDM v1 protocol.

We want to deliver MDM v1 profiles and DDM profiles.

We want to deliver MDM v1 commands (lock, wipe, etc.)

For the read-only information about the host (OS, software, etc.) what do we get from DDM v. the MDM v1 protocol?