Okta conditional access: Specify policies that have bypass option (currently all or nothing) #36105

@rachaelshaw

Description

Goal

User story
As an IT admin,
I want to control which policies have a break-glass option
so that I can allow end users to get unblocked if they're not failing the most critical security checks.

Roadmap item

🛡️ Integration with Okta for conditional access on macOS

Original requests

Resources

None.

Changes

Product

  • UI changes: Figma
  • CLI (fleetctl) usage changes: No changes
  • YAML changes: PR
  • REST API changes: PR
  • Fleet's agent (fleetd) changes: No changes
  • Fleet server configuration changes: No changes
  • Exposed, public API endpoint changes: No changes
  • fleetdm.com changes: No changes
  • GitOps generation changes: Include conditional_access_bypass_enabled on generated policies.
  • Activity changes: No changes
  • Permissions changes: No changes
  • Changes to paid features or tiers: Fleet Premium
  • My device and fleetdm.com/better changes: My device UI updates in Figma.
  • Usage statistics: PR
  • Other reference documentation changes: No changes
  • First draft of test plan added
  • Once shipped, requester has been notified
  • Once shipped, dogfooding issue has been filed

Engineering

ℹ️ Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

  • Requires testing in a hosted environment: No
  • Requires load testing: No
  • Risk level: Low

Test plan

Make sure to go through the list and consider all events that might be related to this story, so we catch edge cases earlier.

  1. Verify copy change in Settings > Integrations > Conditional access.
  2. Upgrade a Fleet instance with Okta already configured, bypass enabled in global settings, and some policies with conditional access enabled.
    • Make sure existing conditional access policies have conditional_access_bypass_enabled set to true after upgrading
    • Make sure the policies show the additional checkbox in the "Manage automations" modal (checked)
  3. Verify tooltip copy for additional checkbox in Manage automations > Conditional access.
  4. Click the checkboxes for some additional policies in the conditional access modal.
    • Make sure additional checkbox appears (unchecked)
  5. Test end user experience failing multiple conditional access policies, where one failing policy doesn't allow bypass.
    • Make sure there is no option to bypass conditional access
  6. Test the bypass endpoint when the host is still failing multiple policies, where one failing policy doesn't allow bypass.
    • Make sure the API returns an error
  7. Test end user experience failing multiple conditional access policies, where every failing policy allows bypass.
    • On "My device" page, click an "Action required" policy. Make sure snooze option is available.
    • Snooze. Make sure banner text updates.
    • Make sure you can log in.
    • Refresh "My device" page. Make sure "snoozed" banner text goes away.
    • Log back out and try logging in a second time. Make sure you are blocked again.
  8. Test generate-gitops and make sure per-policy bypass settings are correctly included in policy YAML.
  9. Test enabling/disabling bypass per-policy via GitOps
  10. Test migration
    • From version without the bypass feature
    • From version with the first iteration of the bypass feature
  11. Test disabling bypass globally: make sure there is no option to configure bypass on policies, and no bypass option for the end user.
  12. This is a Premium feature. Make sure it doesn't show up in Fleet free.
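The decision rule that steps 5 to 7 describe (bypass is offered only when the global toggle is on and every failing conditional access policy allows bypass) together with the upgrade default from step 2, as an added Go example. This is illustrative code written for this page, not Fleet's implementation; `Policy`, `CanBypass` and `MigrateBypassFlag` are hypothetical names and the policy names in `main` are constructed.

```go
package main

import "fmt"

// Policy is a hypothetical stand-in for a Fleet policy (not Fleet's real type).
type Policy struct {
	Name                           string
	ConditionalAccessEnabled       bool // policy participates in Okta conditional access
	ConditionalAccessBypassEnabled bool // the per-policy "break-glass" checkbox
	Passing                        bool // latest result for the host being evaluated
}

// CanBypass decides whether the end user may snooze conditional access. It fails
// closed: the global toggle must be on and EVERY failing conditional access policy
// must allow bypass. A false result with a nil error means the host is not blocked.
func CanBypass(globalBypassEnabled bool, policies []Policy) (bool, error) {
	blocked := false
	for _, p := range policies {
		if !p.ConditionalAccessEnabled || p.Passing {
			continue // not a conditional access policy, or the host passes it
		}
		blocked = true
		if !globalBypassEnabled || !p.ConditionalAccessBypassEnabled {
			return false, fmt.Errorf("conditional access bypass not allowed: policy %q must be remediated", p.Name)
		}
	}
	return blocked, nil
}

// MigrateBypassFlag models the upgrade step in the test plan: policies that already
// had conditional access enabled inherit the old global bypass setting unchanged.
func MigrateBypassFlag(globalBypassEnabled bool, policies []Policy) []Policy {
	out := append([]Policy(nil), policies...) // copy, never mutate the caller's slice
	for i := range out {
		if out[i].ConditionalAccessEnabled {
			out[i].ConditionalAccessBypassEnabled = globalBypassEnabled
		}
	}
	return out
}

func main() {
	// Constructed sample: the host fails two policies and one of them forbids bypass.
	ok, err := CanBypass(true, []Policy{
		{Name: "Screen lock enabled", ConditionalAccessEnabled: true, ConditionalAccessBypassEnabled: true},
		{Name: "Disk encryption enabled", ConditionalAccessEnabled: true},
	})
	fmt.Println(ok, err)
}
```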

Testing notes

Confirmation

  1. Engineer: Added comment to user story confirming successful completion of test plan.
  2. QA: Added comment to user story confirming successful completion of test plan.

Metadata

Labels

  • #g-security-compliance: Security & Compliance product group
  • :product: Product Design department (shows up on 🦢 Drafting board)
  • customer-figali
  • story: A user story defining an entire feature

Status

Done