macOS setup experience: Create a local admin account #37141

@noahtalerman

Description

Resources:

  • AccountConfigurationCommand
  • Set Auto Admin Password

Goal

User story
As an IT admin,
I want Fleet to create a local, break-glass, admin account
so that my IT team can use this account to troubleshoot.

Changes

Product

Engineering

  • Test plan is finalized
  • Contributor API changes: No changes
  • Feature guide changes:
    • https://fleetdm.com/guides/setup-experience#setup-assistant
    • Document "next enrollment" for hosts that were already enrolled when the feature is turned on, that is, when the host is wiped and goes through Setup Assistant again. During this phase, Fleet can send AccountConfiguration, which creates the managed local user account.
    • Document that this feature is available to ADE only.
  • Database schema migrations: New table host_managed_local_account_passwords
  • Load testing/osquery-perf improvements: N/A
  • This is a premium only feature: Yes

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

  • Requires testing in a hosted environment: TODO
  • Requires load testing: TODO
  • Risk level: Low / High TODO
  • Risk description: TODO

Test plan

Make sure to go through the list and consider all events that might be related to this story, so we catch edge cases earlier.

  • This feature is available to ADE only.

Controls > Setup experience > Users

  • Confirm new URL is /controls/setup-experience/users
    • Confirm redirect to new URL from old URL: /controls/setup-experience/end-user-auth (in case it's been bookmarked)
  • "End user authentication" section changed to "Users"
  • "Turn on" option changed to "End user authentication" with helper text.
  • Confirm new "Managed local account" appears as option
    • Disabled in GitOps mode
    • Has tooltip
    • Has helper text

If "Managed local account" enabled:

  • After enabling, add a host to confirm that local admin account is created.
  • Confirm managed local account is hidden from login window. (Note: account will still appear on first login window after restart, which is expected)
  • If enabled, then disabled, confirm we keep the managed account for each host where the account has been created.
  • Test moving host to another team—the account should persist.
  • Hosts already enrolled before the feature is turned on will not receive a local admin account. This can only be accomplished when they are re-enrolled/wiped and go through Setup Assistant.

Host details > Actions

  • "Show managed account" appears in Actions dropdown on host details.
  • If the account is still in the process of being created, the option should be disabled with a tooltip.
  • If the host was already enrolled when they enabled create managed local account, the menu option should be disabled with a tooltip.
  • Clicking "Show managed account" shows the "managed account" modal:
    • Confirm generated default username ("_fleetadmin") and password.
    • Confirm password is viewable and copy function works.

Activity feeds

  • When account is created or password is viewed, activity shows up in global and host level activity feed.

Testing notes

Confirmation

  1. Engineer: Added comment to user story confirming successful completion of test plan.
  2. QA: Added comment to user story confirming successful completion of test plan.

Metadata

Labels

  • #g-software (Software product group)
  • :release (Ready to write code. Scheduled in a release. See "Making changes" in handbook.)
  • customer-yelenam
  • story (A user story defining an entire feature)
  • ~assisting g-mdm (This is a #g-mdm issue that another product group is assisting)
  • ~customer promise (A feature request, or user story for a request, that Fleet has contractually agreed to deliver)
  • ~macos-workstation (Product maturity category)
  • ~product-maturity (Contributes to Fleet's product maturity goals for the current year)


Status

🐣 In progress
