Configure END_USER_EMAIL, and FLEET_DESKTOP when installing base fleetd for Windows (.msi) #19219

Open
nonpunctual opened this issue May 23, 2024 · 8 comments
Labels
~assisting g-mdm This is an MDM bug and the Endpoint ops team is assisting ~csa Issue was created by or deemed important by the Customer Solutions Architect. customer-eponym customer-preston #g-endpoint-ops Endpoint ops product group prospect-ibara :release Ready to write code. Scheduled in a release. See "Making changes" in handbook. ~sc Request is a requirement in a presales opportunity story A user story defining an entire feature
nonpunctual commented May 23, 2024

Goal

User story
As an IT admin,
I want to configure fleetd base installer for Windows
so that I can manage fleetd without additional dependencies.

Context

Customer-eponym feedback:

Screenshot 2024-05-22 at 8 41 24 PM

Having to maintain dependencies & resources for building Fleet install packages is non-optimal for customers who just want to run an installer to enroll a Host.

Customized Fleet install packages have dependencies on Wix, Wine, Docker. Enrolling hosts into known tenants that are cloud-managed should be easier.

Not all fleetctl package options need to be built into the installers but oft-requested options are the ability to toggle enabling / disabling scripts & enabling / disabling the Fleet Desktop app.

Changes

Product

  • Changes:
    • Add new parameter to enable/disable Fleet Desktop installation (FLEET_DESKTOP):
      msiexec /i fleetd-base.msi FLEET_DESKTOP=true FLEET_URL="<target_url>" FLEET_SECRET="<secret_to_use>"
    • Add new parameter to enable users to supply end user email address (END_USER_EMAIL):
      msiexec /i fleetd-base.msi END_USER_EMAIL=<email> FLEET_URL="<target_url>" FLEET_SECRET="<secret_to_use>"
  • Docs changes: Article explains that the install parameter overrides the value that's added at package time
    • Note: Our fleetd-base.msi has Fleet Desktop enabled by default. We must enable it by default to include the fleet-desktop executable in the package.

Engineering

  • Database schema migrations: TODO
  • Load testing: TODO

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

  • Risk level: Low

Manual testing steps

  1. Use the TUF testing flow to build a Windows installer with fleet-desktop enabled. (It must be enabled to include the fleet-desktop executable in the MSI package.)
  2. Install the MSI package on Windows
     • with FLEET_DESKTOP=false or FLEET_DESKTOP=1 or without (should be enabled by default)
     • with/without END_USER_EMAIL
     • example: msiexec /i fleet-osquery.msi FLEET_URL="https://host.docker.internal:8080" FLEET_SECRET="XXX" FLEET_DESKTOP=false END_USER_EMAIL="bozo@example.com"
  3. Ensure hosts get enrolled with configs in place
     • Note: after custom email is applied to the host, it is not cleared automatically

Backward compatibility tests

  1. Using the new fleetctl, build MSI package using stable orbit 1.27.0 (or earlier) with/without --end-user-email option and make sure it can be installed.

Testing notes

Confirmation

  1. Engineer (@____): Added comment to user story confirming successful completion of QA.
  2. QA (@____): Added comment to user story confirming successful completion of QA.
@nonpunctual nonpunctual added :product Product Design department (shows up on 🦢 Drafting board) customer-eponym ~feature fest Will be reviewed at next Feature Fest ~csa Issue was created by or deemed important by the Customer Solutions Architect. labels May 23, 2024
@nonpunctual nonpunctual changed the title Have complied installer packages available for all platforms on GitHub Have complied fleetd installer packages available for all platforms on GitHub May 23, 2024
@nonpunctual nonpunctual changed the title Have complied fleetd installer packages available for all platforms on GitHub Complied fleetd installer packages available for all platforms on GitHub that allow users to choose options during install May 23, 2024
@noahtalerman
Member

Hey @nonpunctual, Fleet has a base fleetd for Windows here: https://download.fleetdm.com/fleetd-base.msi

Instructions for installing fleetd + hooking it up to Fleet are in this article: https://fleetdm.com/guides/config-less-fleetd-agent-deployment

Does the workflow described in the article work for customer-eponym? If we don't know, maybe we can tag them in this GitHub issue?

@noahtalerman noahtalerman removed the :product Product Design department (shows up on 🦢 Drafting board) label May 23, 2024
@nonpunctual
Contributor Author

The base packages are not configurable. The request is for configurable base packages.

@nonpunctual
Contributor Author

#17528

@dherder dherder added prospect-ibara ~sc Request is a requirement in a presales opportunity labels May 29, 2024
@noahtalerman noahtalerman changed the title Complied fleetd installer packages available for all platforms on GitHub that allow users to choose options during install Configure --enable-scripts, --end-user-email, and --fleet-desktop when installing base fleetd for Windows (.msi) May 30, 2024
@noahtalerman noahtalerman added :product Product Design department (shows up on 🦢 Drafting board) story A user story defining an entire feature #g-mdm MDM product group and removed ~feature fest Will be reviewed at next Feature Fest labels May 31, 2024
@noahtalerman
Member

What happens if you set an option at package time (for ex. enroll secret) and then you pass as a parameter at install time? What’s the behavior today? Does it make sense?
What happens if you install w/o required options? Is there an error message? What are required options?
I think it’s enroll secret and server URL

cc @marko-lisica @noahtalerman

@noahtalerman noahtalerman changed the title Configure --enable-scripts, --end-user-email, and --fleet-desktop when installing base fleetd for Windows (.msi) Configure --end-user-email, and --fleet-desktop when installing base fleetd for Windows (.msi) Jun 12, 2024
@marko-lisica marko-lisica changed the title Configure --end-user-email, and --fleet-desktop when installing base fleetd for Windows (.msi) Configure END_USER_EMAIL, and FLEET_DESKTOP when installing base fleetd for Windows (.msi) Jun 13, 2024
@marko-lisica marko-lisica changed the title Configure END_USER_EMAIL, and FLEET_DESKTOP when installing base fleetd for Windows (.msi) Configure END_USER_EMAIL, and FLEET_DESKTOP when installing base fleetd for Windows (.msi) Jun 13, 2024
@marko-lisica
Member

> What happens if you install w/o required options? Is there an error message? What are required options?

Hey @dantecatalfamo, I'm trying to answer this question. I've installed fleetd-base.msi on my VM and it went through, even though it can't work without SERVER_URL and ENROLL_SECRET. Is it possible at all for msiexec to throw an error if some params are missing?

@dantecatalfamo
Member

dantecatalfamo commented Jun 13, 2024

> > What happens if you install w/o required options? Is there an error message? What are required options?
>
> Hey @dantecatalfamo, I'm trying to answer this question. I've installed fleetd-base.msi on my VM and it went through, even though it can't work without SERVER_URL and ENROLL_SECRET. Is it possible at all for msiexec to throw an error if some params are missing?

That's a good question, I don't know

@marko-lisica
Member

> What happens if you set an option at package time (for ex. enroll secret) and then you pass as a parameter at install time? What’s the behavior today? Does it make sense?

@noahtalerman I tested this. I generated an .msi installer with the package command, with server URL and enroll secret baked in. At install time I passed the enroll secret for another team and it overwrote the one that was added at package time.

> What happens if you install w/o required options? Is there an error message? What are required options?
> I think it’s enroll secret and server URL

Tested this as well. I was able to install fleetd-base.msi without any parameters. Installation was successful and the host wasn't enrolled. Still figuring out if it's possible to have required parameters when installing with msiexec.
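
Because the test reported above found that fleetd-base.msi installs successfully without any parameters and leaves the host unenrolled, a deployment script can check the values before msiexec runs. The PowerShell below is an added example, not Fleet's code: the MSI property names are the ones used in this issue, while the function name, its parameter names and the https-only rule are assumptions.

```powershell
# Added example: pre-flight checks before calling msiexec on fleetd-base.msi.
# FLEET_URL, FLEET_SECRET, FLEET_DESKTOP and END_USER_EMAIL come from this issue;
# Install-FleetdBase, its parameter names and the https-only rule are assumptions.
function Install-FleetdBase {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$MsiPath,
        [Parameter(Mandatory)][string]$FleetUrl,
        [Parameter(Mandatory)][string]$FleetSecret,
        [bool]$FleetDesktop = $true,      # the base MSI enables Fleet Desktop by default
        [string]$EndUserEmail
    )

    if (-not (Test-Path -LiteralPath $MsiPath -PathType Leaf)) {
        throw "MSI not found: $MsiPath"
    }

    # Per the test in this thread, msiexec succeeds without these, so fail here instead.
    $uri = $null
    if (-not [Uri]::TryCreate($FleetUrl, [UriKind]::Absolute, [ref]$uri) -or $uri.Scheme -ne 'https') {
        throw 'FLEET_URL must be an absolute https:// URL.'
    }
    if ([string]::IsNullOrWhiteSpace($FleetSecret)) {
        throw 'FLEET_SECRET must not be empty.'
    }

    # A double quote inside a value would end the quoted property early and let
    # the remainder be parsed as additional MSI properties.
    foreach ($value in @($FleetUrl, $FleetSecret, $EndUserEmail)) {
        if ($value -and $value.Contains('"')) { throw 'Property values must not contain a double quote.' }
    }

    $msiArgs = @(
        '/i', "`"$MsiPath`"", '/qn',
        "FLEET_URL=`"$FleetUrl`"",
        "FLEET_SECRET=`"$FleetSecret`"",
        "FLEET_DESKTOP=$($FleetDesktop.ToString().ToLower())"
    )
    if ($EndUserEmail) {
        try { [void][System.Net.Mail.MailAddress]::new($EndUserEmail) }
        catch { throw "END_USER_EMAIL is not a valid address: $EndUserEmail" }
        $msiArgs += "END_USER_EMAIL=`"$EndUserEmail`""
    }

    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    # 0 = success, 3010 = success with reboot required; anything else is a failure.
    if ($proc.ExitCode -notin 0, 3010) { throw "msiexec exited with code $($proc.ExitCode)" }
    return $proc.ExitCode
}
```

The enroll secret is visible on the msiexec command line while the installer runs, so supply it from the deployment tool's secret store rather than hard-coding it in the script.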

@georgekarrv
Member

@georgekarrv georgekarrv added #g-endpoint-ops Endpoint ops product group ~assisting g-mdm This is an MDM bug and the Endpoint ops team is assisting and removed #g-mdm MDM product group labels Jun 24, 2024
@sharon-fdm sharon-fdm added :release Ready to write code. Scheduled in a release. See "Making changes" in handbook. and removed :product Product Design department (shows up on 🦢 Drafting board) labels Jun 24, 2024
@sharon-fdm sharon-fdm added this to the 4.54.0-tentative milestone Jun 24, 2024
getvictor added a commit that referenced this issue Jun 26, 2024
…ows MSI (#20021)

#19219
Added support for END_USER_EMAIL and FLEET_DESKTOP parameters to Windows
MSI

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

<!-- Note that API documentation changes are now addressed by the
product design team. -->

- [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information.
- [ ] Added/updated tests
- [x] Manual QA for all new/changed functionality
  - For Orbit and Fleet Desktop changes:
    - [x] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.
getvictor added a commit that referenced this issue Jul 1, 2024
#19219
Fix unreleased backward compatibility bug with Windows MSI
END_USER_EMAIL
# Checklist for submitter

<!-- Note that API documentation changes are now addressed by the
product design team. -->

- [x] Manual QA for all new/changed functionality