App Store (VPP) apps: create policies for automatic install #23744

Open
1 of 42 tasks
noahtalerman opened this issue Nov 12, 2024 · 12 comments
Labels
#g-software Software product group :release Ready to write code. Scheduled in a release. See "Making changes" in handbook. story A user story defining an entire feature

Comments

@noahtalerman
Member

noahtalerman commented Nov 12, 2024

Goal

User story
As an IT admin,
I want to automatically install an App Store app without writing a policy
so that I can save time when installing apps across many hosts.

Key result

Fleet users can automatically install any software in Fleet w/o writing policies.

Original requests

Context

Changes

Product

Engineering

  • Test plan is finalized
  • Feature guide changes: TODO
  • Database schema migrations: TODO
  • Load testing: TODO

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

  • Requires load testing: TODO
  • Risk level: Low / High TODO
  • Risk description: TODO

Test plan

  • Head to Software > Add software > App store (VPP) and verify that new Self-service and Automatic install options appear. All hosts, under Target, should be selected by default.
  • Verify that you can select both Self-service and Automatic install and click Add software. Verify that a loading state appears and then a success message appears when you're navigated to the Software page with the Available for install filter applied.
    • Verify that the software shows up on the Fleet Desktop > My device > Self service page.
    • Verify that a policy with the name "[Install software] <App store app name>" is automatically created.
    • Verify that you can see and navigate to this policy from the Software title page by clicking the "Automatic install" pill.
    • Verify that you can't delete the software on the Software title page by clicking Actions > Delete until you delete the policy first.
    • Verify that the software is automatically installed.
    • Verify that the install statuses (Verified, pending, failed) show up on the Self-service page and Host details page.
  • On the Software title page, verify that the version of the App Store app displayed is updated to the current, latest version of the app on the App Store.
  • Head to Software > Add software > App store (VPP) and verify that Add software gets disabled when you choose Custom, under Target, and don't select a label.
    • Choose an iOS/iPadOS app and verify that the Self-service and Automatic install options are disabled with no tooltip on hover.
    • Verify that you see an easy to understand empty state under Target if you select Custom and there are no labels in Fleet.
  • Head to Software > Add software > Fleet-maintained, select an app, and verify that new Self-service and Automatic install options appear.
    • Verify that Add software gets disabled when you choose Custom, under Target, and don't select a label.
  • Head to Software > Add software > Custom package and verify that new Self-service and Automatic install options appear.
    • Verify that Add software and Advanced options are disabled until you upload a package.

API Testing

  • macOS apps can be added via the API with Self service, Install automatically, or neither
  • macOS apps can be deleted via the API (test with and without associated policy automations)
  • Try adding an iOS/iPadOS app via the API with self_service set to true and verify that you see an easy to understand error message.
  • Try adding an iOS/iPadOS app via the API with automatic install and verify that you see an easy to understand error message.
  • FMAs can be added via the API with install automatically

VPP creation timestamp testing

  • VPP apps now have a created_at timestamp, corresponding to when they were added to a team
  • Deleting a VPP app from a team and then re-adding it updates the created_at timestamp, such that it's different from whatever is in the vpp_apps table
  • On 4.64, add some VPP apps to a team, then delete them, then re-add. Upgrade to current. VPP app team created_at should match the created_at on the VPP app (initial VPP app add).
  • From the above state, run the query mentioned in the changelog. Created-at timestamps should now reflect when the apps were most recently added to the team.

Test with #25514 for non-happy-path error states

Testing notes

#24609 and #24989 are related and testing efforts should be made to test these together.

Am I able to add apps with automatic install via API or GitOps yet? Or is this UI only?
What happens if I change the teams on the VPP Token or delete it? Do the Policies also get deleted?

Confirmation

  1. Engineer: Added comment to user story confirming successful completion of test plan.
  2. QA: Added comment to user story confirming successful completion of test plan.

noahtalerman added the "story" (A user story defining an entire feature) and "Epic" (DO NOT USE. Auto-created by ZenHub, cannot be disabled.) labels and removed the "Epic" label on Nov 12, 2024
noahtalerman changed the title from "Automatically create policies for App Store apps (VPP)" to "Create policies automatically for App Store apps (VPP)" on Nov 14, 2024
noahtalerman added the "~feature fest" (Will be reviewed at next Feature Fest) and "#g-mdm" (MDM product group) labels and removed the "~feature fest" label on Dec 5, 2024
noahtalerman added the ":product" (Product Design department (shows up on 🦢 Drafting board)) label on Dec 6, 2024
eugkuo changed the title from "Create policies automatically for App Store apps (VPP)" to "Create policies automatically for installing App Store apps (VPP)" on Dec 11, 2024

@noahtalerman
Member Author

noahtalerman commented Dec 16, 2024

Hey @eugkuo, I chatted w/ Mike McNeil and he left us this feedback on the current Software > Add software UX. I think let's address this feedback while we're working on this user story:

  • When choosing "Automatic", let's warn to let the user know that software is going to be installed everywhere it's missing. To let them know.
  • Move self-service to below “Install”. Why is it below "Target"?
  • Differentiate and make it explicit where app comes from (App store, fleet-maintained, uploaded package). Maybe some tooltip. The App Store icon isn't clear enough:
Screenshot 2024-12-16 at 11 23 54 AM

noahtalerman changed the title from "Create policies automatically for installing App Store apps (VPP)" to "Software > Add software: create policies automatically for installing App Store apps (VPP)" on Dec 19, 2024
noahtalerman added the "#g-software" (Software product group) label and removed the "#g-mdm" (MDM product group) label on Dec 19, 2024

@eugkuo
Contributor

eugkuo commented Jan 15, 2025

Comments from @jmwatts :

@jmwatts thought: I might suggest defaulting to “Custom” for the Target because if you’re automatically installing you probably want to make a conscious decision to scope it to specific devices only because this could install paid apps on devices with no way to pull the licenses if that is in error… just a thought

@jmwatts thought: This will need to be tested with paid apps and make sure that any macOS apps that are installed are actually using the license, not just installing a free app that doesn’t need a license. Also what happens if we have an automatic install policy but we don’t have enough licenses? Does it still install the app without the license? Does it fail to install the app?
=> Noah: Great point! I think let’s make sure to get that in the test plan. FYI Eugene

@jmwatts thought: Probably late to be having this thought but does it make sense to handle VPP apps the same way as other packages, especially when:

  1. Our VPP implementation is not complete. A truly complete VPP feature would have a way to see the total number of licenses purchased, how many available licenses are left and give you a way to revoke licenses (hopefully from specific hosts not just everyone).
    1. => Noah: IT admin can see these counts in Apple Business Manager (ABM)
    2. => Janis: The Fleet admin may not have access to ABM
    3. Tim: this might be easier to grok if we ran through the user flow. I.e., what happens when the admin uses auto install and over-provisions an app? Can they fix it? Are they stuck? If the experience is bad, that may put more on CS.
  2. There are also other ways to assign VPP apps (assign to users vs to devices) and we may want to implement that in the future (this can be done, regardless of device type). Should we be considering automated installs for VPP apps separately from the policy-failure workflow?
    1. One device per user
  3. VPP apps can go to Macs, iPads or iPhones only, and the hosts have to be managed to be installed by an MDM provider. Adding an automatic install policy means it will run regardless of whether or not the host has MDM enabled. It will fail to install on hosts that don’t have it enabled, and now they’re in a state where they would have to remediate the policy in order to get it to trigger an install later after the host has MDM enabled.
  4. We call it “App Store apps” but I don’t see a way to add an App Store app if it’s not VPP. So basically we are just talking about VPP app management for macOS, and I’m not sure it makes sense to handle it the same way as packages because it’s triggering an App Store install, and associating a license to it. These are not packages we have control over and it’s going to get really messy when we couple the way we’re implementing automatic installs (using policy failures as the trigger, and all the complexity that goes with that) with the way we have VPP implemented right now.
  5. There needs to be an obvious way to distinguish between VPP apps and Fleet maintained apps. Right now on the software/titles page they all go together and I can’t tell which is which and I can’t sort out just VPP apps. One will install successfully on a mac host without MDM enabled, one will not.

@jmwatts Tim asked if ‘Self service’ is an install method and I think it is, but you CAN edit whether or not it’s available in Self service after saving, you can NOT edit automatically/manual after saving.

@noahtalerman
Member Author

FYI @eugkuo, Marko started some designs for the simplified add software experience here: https://www.figma.com/design/L2KLDw5WzIHRCvHT0T6RWd/%2323118-Fleet-maintained-apps-for-Windows?node-id=21-22

@eugkuo
Contributor

eugkuo commented Jan 22, 2025

I've updated this ticket with designs at the various breakpoints:

@mostlikelee Could you check to see whether the REST API information is correct in the ticket? If so, I'm going to move this to User story review. Thanks!

FYI @noahtalerman

noahtalerman assigned noahtalerman and unassigned eugkuo on Jan 29, 2025
noahtalerman changed the title from "Software > Add software: create policies automatically for installing App Store apps (VPP)" to "App Store apps (VPP): create policies for automatic install" on Feb 3, 2025

@noahtalerman
Member Author

noahtalerman commented Feb 6, 2025

DONE @noahtalerman: Add the "Show schema" button to wireframes

DONE @noah: Open a PR with this text change: #26166


noahtalerman added a commit that referenced this issue Feb 7, 2025
noahtalerman changed the title from "App Store apps (VPP): create policies for automatic install" to "App Store (VPP) apps: create policies for automatic install" on Feb 7, 2025

@noahtalerman
Member Author

noahtalerman commented Feb 10, 2025

@mostlikelee just a reminder that we want to prioritize this user story in the next sprint. Can you please complete the TODOs in the "Engineering" section so that we can estimate with the team during #g-software sprint kickoff?

mostlikelee added the ":release" (Ready to write code. Scheduled in a release. See "Making changes" in handbook.) label and removed the ":product" (Product Design department (shows up on 🦢 Drafting board)) label on Feb 10, 2025
mostlikelee added this to the 4.65.0 milestone on Feb 10, 2025

@mostlikelee
Contributor

mostlikelee commented Feb 10, 2025

did not have enough space to get the full story (13pts) into the sprint, but we are pulling in a subtask to get ahead.
disregard, wrong story

mostlikelee removed their assignment on Feb 11, 2025

@RachelElysia
Member

did not have enough space to get the full story (13pts) into the sprint, but we are pulling in a subtask to get ahead.

@mostlikelee is this accurate? @iansltx just pulled me into a chat because we're worried this is a wire getting crossed

@mostlikelee
Contributor

@RachelElysia @iansltx great catch! that was a comment for the wrong story, please disregard!

iansltx added a commit that referenced this issue Feb 18, 2025
…as added_at

For #23744.

TODO:

* Test updates
* Query to pull more accurate timestamps from activity feed
noahtalerman added a commit that referenced this issue Feb 19, 2025
DONT merge yet. Still TODO is add another example response.

- Additional API changes for the following user story:
  - #23744
- Other API changes are covered in a separate PR here: #25976
noahtalerman added a commit that referenced this issue Feb 19, 2025
- Additional API changes for the following user story:
  - #23744
- Other API changes are covered in a separate PR here: #25976
@iansltx
Member

iansltx commented Feb 21, 2025

@jmwatts Added the following to the test plan, corresponding to how I tested #26442:

  • VPP apps now have a created_at timestamp, corresponding to when they were added to a team
  • Deleting a VPP app from a team and then re-adding it updates the created_at timestamp, such that it's different from whatever is in the vpp_apps table

Also added this for FMAs:

  • FMAs can be added via the API with install automatically

@iansltx
Member

iansltx commented Feb 21, 2025

Note to self: need to add #26442 (comment) back, but with a query that actually works for no-team

@iansltx
Member

iansltx commented Feb 21, 2025

@jmwatts Added coverage of the optional manual query (see changes file) in the test plan.

iansltx added a commit that referenced this issue Feb 21, 2025
…as added_at (#26442)

For #23744.

Splitting into another PR: query to pull more accurate timestamps from
activity feed

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

<!-- Note that API documentation changes are now addressed by the
product design team. -->

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] If database migrations are included, checked table schema to
confirm autoupdate
- For database migrations:
- [x] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [x] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [x] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
- [x] Added/updated automated tests
- [x] A detailed QA plan exists on the associated ticket (if it isn't
there, work with the product group's QA engineer to add it)
- [x] Manual QA for all new/changed functionality
6 participants