Auto-uninstall managed apps when personally-owned profile-enrolled (BYOD) iOS/iPadOS unenroll

[noahtalerman]

Goal

User story
As an IT admin,
I want Fleet to automatically uninstall all managed apps (App Store and .ipa) when BYOD iPhones/iPads unenroll
so that I can make sure contributors can't access company data when they leave.

Roadmap item

None.

Original requests

• Auto-install software at host enrollment for iOS/iPadOS hosts #27015

Resources

None.

Changes

Product

• UI changes:
  • Change copy in Unenroll modal. (Host details > Actions > Unenroll)
  • Copy for company-owned iOS/iPadOS hosts:
    
  • Copy for manually enrolled iOS/iPadOS hosts:
    
• CLI (fleetctl) usage changes: No changes.
• YAML changes: No changes.
• REST API changes: No changes.
• Fleet's agent (fleetd) changes: No changes.
• GitOps mode UI changes: No changes.
• GitOps generation changes: No changes.
• Activity changes: No changes.
• Permissions changes: No changes.
• Changes to paid features or tiers: Fleet Premium only (software is Premium feature)
• My device and fleetdm.com/better changes: No changes.
• Usage statistics: No changes.
• Other reference documentation changes: No changes.
• First draft of test plan added
• Once shipped, requester has been notified
• Once shipped, dogfooding issue has been filed. @marko-lisica: I saw this and can confirm it removed managed app.

Engineering

• Test plan is finalized
• Contributor API changes: No changes
• Feature guide changes:
  • Add info that managed iOS/iPadOS apps are deleted when the host is unenrolled to Install App Store (VPP) apps
  • Add info to Deploy software that .ipa in-house apps would be deleted when the host unenrolls.
  • Write a solution for existing enrollments prioir this change. Script that sends custom MDM command to add management flags.
  • Document what happens with VPP licenses, are they revoked when app is uninstalled during unenrollment.
• Database schema migrations: None
• Load testing: None
• Load testing/osquery-perf improvements: None
• This is a premium only feature: Yes

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

• Risk level: Low

Test plan

Make sure to go through the list and consider all events that might be related to this story, so we catch edge cases earlier.

• Add VPP app to the team and install it on your iOS or iPadOS host.
• Unenroll the host and make sure that app is uninstalled from it.
• Add .ipa app to the team and install it on your iOS or iPadOS host.
• Unenroll the host and make sure that .ipa app is uninstalled from it.
• Verify that specified copy changes are implemented.
• Send custom MDM command (InstallApplication) to install VPP app. Use the command that the Fleet server sends when installing VPP apps with ManagementFlags set to 0(as it was before tihs feature). Then send same command again, but set ManagementFlags to 1. After command is acknowledged, unenroll host and check if installed app was removed during unenrollment.
• Install a VPP app on a macOS host. Remove its enrollment profile. Verify that the app is not removed
• Check if, when Apple removes the VPP app, the used license number decreases or available number increases. We are unsure if we get the license back in this case. Document what happens and tag Marko with the results

Testing notes

Confirmation

1. Engineer: Added comment to user story confirming successful completion of test plan.
2. QA: Added comment to user story confirming successful completion of test plan.

[noahtalerman]

@marko-lisica can you please help us get this ready to estimate and bring into the next sprint? Learned from pingali during the offsite that this is the expected behavior.

To keep the changes small, I think we can make this behavior the default. Later Fleet could make this configurable.

FYI @sgress454