Fleet-maintained apps for Windows

[marko-lisica]

Goal

User story
As an IT admin,
I want to select a Fleet-maintained app from Fleet's list Windows apps
so that I can install the app on my Windows hosts w/o having to upload a package on my own.

Key result

Launch first set of Fleet-maintained apps for Windows

Original requests

• Fleet-maintained apps for Windows #22369

Context

• Product designer: @noahtalerman
  • @noahtalerman: We decided to push Microsoft Excel and Microsoft Word to a separate, follow-up user story (iteration) because, currently, Fleet doesn't include these apps in software inventory which means Fleet can't show the versions of these apps already installed on hosts.

Changes

Product

• Add the following Windows apps as Fleet-maintained apps:
  • 1Password
  • Adobe Acrobat Reader
  • Box Drive
  • Brave
  • Cloudflare WARP
  • Docker Desktop
  • Figma
  • Mozilla Firefox
  • Google Chrome
  • Microsoft Edge
  • Microsoft Teams
  • Notion
  • Postman
  • Slack
  • Teamviewer
  • Visual Studio Code
  • Zoom
• UI changes: Figma here
• CLI (fleetctl) usage changes: No changes.
• YAML changes: No changes.
• REST API changes: PR here.
• Fleet's agent (fleetd) changes: No changes.
• Activity changes: Same activity as Fleet-maintained apps for macOS. When user adds a Fleet-maintained app, an the global added_software activity is created.
• Permissions changes: Same permissions as all other software. Admins and maintainers (global and team) can add software.
• Changes to paid features or tiers: Fleet Premium only
• First draft of test plan added
• Other reference documentation changes: No changes.
• Once shipped, requester has been notified

Engineering

• Test plan is finalized
• Feature guide changes: Update the Fleet-maintained app guide:
  • @noahtalerman: Also, make sure we document in this guide which apps are user-scoped (when installed by the end user on their own) and what the consequences are for a machine-scoped install happening over the user-scoped install.
• Database schema migrations: TODO
• Load testing: TODO

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

• Requires load testing: TODO
• Risk level: Low / High TODO
• Risk description: TODO

Manual testing steps

Happy path:

• Head to Software > Add software and add a Fleet-maintained app for Windows. Go the Software title details page for the new app, edit it's target, and click Save. Verify that you see the Save changes confirmation modal that tells you pending installs and uninstalls will be canceled. Click Save and verify that the "Pending" count is updated according to the new targets. Go a Host details page that previously had the install pending (in upcoming) and verify that the activity is removed from Activity > Upcoming.
• Verify that a global activity is created when the software is added. Same UI as we have for all software (separate Figma here).
• Via the Add Fleet-maintained app API, add the same Windows app and verify that you get an easy to understand error message that tells you that you already added this software.

Testing all installs:

• Install all the apps manually and verify that the install works on Windows workstations with 64-bit architecture. Verify that the installs are all silent meaning the end user never sees an popups or notifications that the app is installed
  • Verify the Windows apps only appear on the Host details page for Windows workstations within the software's target. The app never appears for hosts with non-Windows platforms.
• Install all apps automatically and verify that the automatically created policy works correctly: the app is only installed if the host is missing the software. The app is not installed if the host already has any version of the software installed.
  • Verify the policies page for automatically created policies show the app name and a link to the software title page. Same UI as we have for all software (separate Figma here)
  • Verify the Policies > Manage automations modal shows that the app is connected to the automatically created policy.
• Install all apps via Fleet Desktop > My device > Self-service and verify that the install works.
  • Verify Windows apps only appear on the My device page for Windows workstations within the software's target. The app never appears for hosts with non-Windows platforms.
• Head to the Software > Add software and click on each app. Verify that the version shown in the UI for the Windows app matches the latest version available in winget.

Edge cases:

• As an end user, install 1Password via the 1Password website. Add some passwords. Now install 1Password via Fleet over the existing install. Verify that your passwords are still in Password and you can use 1Password as expected. This test assumes installing 1Password via the website installs 1Password as a user-scoped app and Fleet installs 1Password as a machine-scoped app
  • Repeat the same steps for Figma, VS Code, Brave, and Slack
• Open a Windows computer but don't login. Manually install Notion, Teams, and Postman (user-scoped installs) via Host details page. Verify that the Install status is "Pending." Then, login to the computer before the configured script timeout and verify that the app gets installed and the install status in Fleet is updated to "Installed."
  • Remove Notion, Teams, and Postman from the computer. Open the computer again but don't login. Manually install Notion, Teams, Postman (user-scoped installs) via Host details page. Verify that the Install status is "Pending." Wait for the duration of the configured script timeout. Verify that the app isn't install and the install status in Fleet is updated to "Failed."
• Open a Windows computer but don't login. Automatically install Notion, Teams, and Postman (user-scoped installs). Verify that the policies are passing and install statuses aren't yet at "Pending." Login to the computer, do a refetch on the Host details page, and verify that policies now fail and the install statuses are set to "Pending."
• Multiple local users on the computer: add more than one local user account on a Windows computer. Manually install Notion and Postman (user-scoped installs) via Host details page. Verify that the Install status is "Pending." Login with one of the user accounts, verify that the app is installed for that user, and the install status in Fleet is updated to "Installed." Verify that the app isn't installed for the other local users.

Testing notes

Confirmation

1. Engineer: Added comment to user story confirming successful completion of test plan.
2. QA: Added comment to user story confirming successful completion of test plan.

[dherder]

@noahtalerman @marko-lisica looks to be a duplicate of #22369

[noahtalerman]

@dherder this issue is a user story.

#22369 is the original feature request. It's likely that this user story will only address a piece of the feature request.

[iansltx]

Heads-up: there's significant cleanup we should do on the existing FMA infrasturcture to ensure a solid foundation for adding apps and platforms, and to ensure we can deliver a high-quality, predictable experience to folks over an increasing number of platforms and titles. @jahzielv and I are working on what that should look like, with a working session scheduled for this coming Monday (the 20th). At the very least we should build Windows FMA on top of that new architecture, and it may make sense to migrate macOS infrastructure over at the same time.

One big highlight would be providing a version-controlled Fleet-maintained buffer in between Fleet servers and Homebrew (and other package repositories in the future), so we have full visibility into what gets delivered when a Fleet server pulls apps. This buffer would operate similar to our vulnerabilities feed: artifact generation code checked into the monorepo, with artifacts themselves tagged via CI in a separate repo. One significant advantage of this is the ability to ship configuration updates (including new apps) independent of Fleet releases.

We'll have more information on this after Monday. I think we can make this swap while maintaining HTTP API compatibility, though implementation details for crons/database will be completely different prior to the point that a Fleet-maintained app has been "imported" for a given customer (installer package pulled onto a team).

[mostlikelee]

I added a few comments and notes to the research doc. Most notably a reduction of scope for some possibly difficult items:

• suggest we remove user space installed apps from MVP
• suggest we remove office apps from MVP

[noahtalerman]

Action items design review doc (2025-02-17):

• DONE: Noah: Some affordance to head to the software title page if the app is already added
• DONE: Noah: Wireframe only one platform case. Tabs go away. Only show “macOS” or “Windows”
• DONE: Noah: Should we show whether just macOS/Windows has been added in the list view?
  • Noah: No, let’s just make it easy to click on the software

[noahtalerman]

• @noahtalerman: We decided to push Microsoft Excel and Microsoft Word to a separate, follow-up user story (iteration) because, currently, Fleet doesn't include these apps in software inventory which means Fleet can't show the versions of these apps already installed on hosts.

Moved these edge cases out of the test plan and put them here for safekeeping:

• Head to Software > Add software and click on Microsoft Excel. Verify that the version you see is the latest version listed by Microsoft here (TODO). Repeat this check for Microsoft Word.
• Install Word and then install Excel. Use a license key for Word and create a doc in Word. Verify that both installs are silent (end user doesn't see any popups, warnings, etc.) and you can open both apps. Verify you don't need to enter the license key for word again. This test assumes Fleet will install the Office deployment tool, under the hood, each time the user installs an office app.