
Auto-heal Wi-Fi while Macs are offline #19877

Open
dherder opened this issue Jun 19, 2024 · 7 comments
Labels
~customer promise A feature request from a Fleet customer that Fleet has contractually agreed to deliver ~customer request A prioritized, customer feature request. Has ≥ 1 customer codename label(s) customer-leiden customer-mozartia customer-numa ~feature fest Will be reviewed at next Feature Fest #g-mdm MDM product group

Comments

@dherder
Contributor

dherder commented Jun 19, 2024

  • prospect-numa: No Gong snippet.
  • @noahtalerman: numa requested this because they want to run this script to re-connect end users to corporate Wi-Fi interface when certificates are being swapped out and something goes wrong. Offline script would be needed in order to remediate.
    • @nonpunctual: At one of my previous jobs as an IT admin, if the device went offline, it ran an offline policy in Jamf which did some checking of local DNS & gateways to determine if the computer was trying to connect to an internal network & configured the local proxy settings. If all that passed, then, the idea was that assuming the device already had some cert installed to get authenticated to an 802.1x network, it would recover from being unable to join because of the block at the proxy.
    • @allenhouchins: Instead of running this script, we think numa could be delivering the new certificate ahead of the old certificate expiring (aka prestaging). Then write a policy that runs a script on policy failure to delete the old certificate (if needed, no harm in it just staying on the device). If for whatever reason the new cert failed to deliver, the script could check this and deploy a new certificate. Today, when numa checks if the new cert failed to deliver, they're adding this device to a smart group which we think this smart group has some Jamf policy to retry deploying the new certificate. In Fleet, we'd write a policy that looks for the old certificate and then automate this script. If they're deploying the certificate with a .pkg, they could use Fleet's pre-install query to check if the new certificate is missing. If it is, then the install proceeds.
      • @allenhouchins: customer-numa isn't the only Jamf user that is using the "recon" feature (akin to refetch in Fleet) to make sure host vitals are up to date so a host gets put in the right smart group so that the right Jamf policy is triggered for the host. Instead, if they wrote a Fleet policy, they wouldn't have to worry about a refetch because the policy would check for the host vital.
      • @noahtalerman: Is this the cert that comes from NDES? @allenhouchins: We're not sure
  • @noahtalerman: numa requested this because they want to enforce a denylist of applications. Policy checks for the app and script removes the app. If the user installs the app and then goes offline then the remediation still occurs. We're assuming there's malicious intent in this use case. This means we want the application to be installed for as little time as possible.
    • @noahtalerman: In the interim numa would deploy a launch daemon that is watching specific file paths (or some other event/artifact on the device). They would also deploy the script to the device. If the file path is modified, the launch daemon immediately triggers the script. Device doesn't need to be online.
    • @allenhouchins: In the interim numa would deploy the new certificate prior to removing the old one. This is the best practice.
    • @allenhouchins: In the interim numa could deploy a macOS configuration profile: ParentalControlsApplicationRestrictions. pathBlackList is deprecated.
  • @ddribeiro: Probably looking for something similar to offline policies in Jamf. Host will run these once a day whether it's online or not.
    • @ddribeiro: For example, professors would go on a sabbatical and be off internet for 6 months. We would want to clean up sensitive files (ex. 1Password recovery kit) in the downloads folder.
    • @noahtalerman: We learned that numa doesn't use offline policies in Jamf.
  • prospect-mozartia: TODO: include Gong link
  • prospect-leiden: gong link
  • @nonpunctual Users will expect when a Mac can't connect to a corporate wifi, this can be detected and fixed automatically.
    • @nonpunctual e.g., at an organization with explicit enterprise network / proxy / vpn settings an offline policy could ensure that network settings are correct. The need for remediating this offline is: if the config is not correct prior to connecting to the corporate network the device will be blocked from joining. This may result in having to contact the help desk to access corporate resources like email, SaaS apps, logins, etc.
    • @mikermcneil: Eventually, let's say there's a work computer that goes offline, and then travels to the north pole, where it remains offline, because one of our end users is actually Saint Nicholas. But let's say St. Nick is not supposed to be able to change his desktop background (TODO: think of better example). Well, when he tries to change it, even though he's offline, the policy could detect the failure and the associated script could automatically run. How? Because Fleet could ship down a manifest of all of the policy automations that are pointed at scripts to run on failure (or possibly let you pick which ones are offline-enforced, but do we need to let you pick? Or should they all just be offline, if they're using the "run a script" type of automation? Whatever is simpler, seems like.) e.g. In the help text for setting up a policy automation to trigger a script directly, there's something that says "Since this policy is configured to trigger a local script on failure, it will apply offline."
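The "ship down a manifest of policy automations" idea above, together with the denylist and network-settings use cases earlier in this description, as an added example that is not Fleet's code: a POSIX shell runner that evaluates a locally cached manifest of policy/remediation pairs without contacting a server, re-checks after each remediation rather than trusting the script's exit code, and logs what it could and could not heal so the result is available on the next check-in. The manifest format (`name|check|remediation`), the sample policies, the paths and the log layout are all constructed for this example and are assumptions, not Fleet behaviour.

```shell
#!/bin/sh
# Offline policy runner (added example, not Fleet code).
# A host keeps a manifest of "policy check -> script on failure" pairs and
# evaluates it on a local schedule, so remediation does not depend on check-in.
# Assumed manifest format: name|check|remediation, one per line, '#' comments.
# A check that exits 0 means the policy passes.

# Evaluate one policy. Prints PASS, HEALED (failed, remediation ran and the
# re-check now passes) or UNRESOLVED (still failing after remediation).
# Returns 1 only for UNRESOLVED. stdin is detached so a check or remediation
# cannot accidentally consume the manifest being read by the caller.
run_policy() {
  check=$1 fix=$2
  if sh -c "$check" </dev/null >/dev/null 2>&1; then
    echo PASS
    return 0
  fi
  sh -c "$fix" </dev/null >/dev/null 2>&1 || true
  if sh -c "$check" </dev/null >/dev/null 2>&1; then
    echo HEALED
    return 0
  fi
  echo UNRESOLVED
  return 1
}

# Evaluate every policy in a manifest, append one timestamped line per policy
# to a local log, and return the number of policies still failing.
run_manifest() {
  manifest=$1 log=$2
  failing=0
  while IFS='|' read -r name check fix; do
    [ -z "$name" ] && continue
    case $name in '#'*) continue ;; esac
    status=$(run_policy "$check" "$fix") || failing=$((failing + 1))
    printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$status" "$name" >>"$log"
  done <"$manifest"
  return $failing
}

# Constructed fixture under $1: a denylisted app bundle that should be removed,
# a network config that is already correct, and a certificate policy whose
# prestaged file is missing (so it cannot be healed offline and is only logged).
make_fixture() {
  d=$1
  mkdir -p "$d/Applications/BannedApp.app" "$d/certs" "$d/staged"
  printf 'proxy=proxy.corp.example:3128\n' >"$d/network.conf"
  cat >"$d/manifest.txt" <<EOF
# name|check (exit 0 = compliant)|remediation
denylisted-app-absent|! [ -e "$d/Applications/BannedApp.app" ]|rm -rf "$d/Applications/BannedApp.app"
proxy-setting-present|grep -q '^proxy=proxy.corp.example:3128\$' "$d/network.conf"|printf 'proxy=proxy.corp.example:3128\\n' >>"$d/network.conf"
new-cert-installed|[ -f "$d/certs/new.pem" ]|cp "$d/staged/new.pem" "$d/certs/new.pem"
EOF
}

# Demo run on the constructed fixture (hypothetical paths, nothing real touched).
WORK=$(mktemp -d)
make_fixture "$WORK"
run_manifest "$WORK/manifest.txt" "$WORK/policy.log"
echo "policies still failing: $?"
cat "$WORK/policy.log"
rm -rf "$WORK"
```

Design note: the runner only reports UNRESOLVED after re-running the check, which is what lets the "cert not delivered" case surface as a logged failure instead of a silently "successful" remediation; whatever the real agent does, the local log is the piece the server needs to reconcile on the next check-in.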

User stories

@dherder dherder added :product Product Design department (shows up on 🦢 Drafting board) ~feature fest Will be reviewed at next Feature Fest customer-numa labels Jun 19, 2024
@noahtalerman
Member

Hey @dherder, @kennyb-222, and @williamtheaker, what's an example of one of these scripts? As a guess, I'm thinking these are scripts that set and keep a host in a desired state. As an example script: "Linux - Turn Firewall on"

So, I'm guessing the expected behavior here is the CPE adds this script to Fleet and every 30 minutes the host runs the script w/o checking into the Fleet server.

Currently, the host has to check in with the Fleet server in order to get the instruction to run the script.

@dherder the host has to check in at least once to get the script it should run, right? And check in at some interval to see if the script(s) changed.

So, I'm guessing the host should check in to the server every 30 minutes to see if the script changed or there are new scripts to run.

Does that sound right?

@noahtalerman noahtalerman removed the :product Product Design department (shows up on 🦢 Drafting board) label Jun 20, 2024
@noahtalerman noahtalerman changed the title Run scripts against hosts and teams declaratively Run policies and scripts offline Jun 25, 2024
@noahtalerman
Member

Hey @dherder heads up, I updated this issue to user story format and moved your original issue description below.


Problem

As a CPE, I want to declare a group of actions to run on hosts or groups of hosts (teams). Currently, the host has to check in with the Fleet server in order to get the instruction to run the script, which is not ideal. Similar to how we are planning to declare which version of software to pin on a host, declaring the list of scripts to run on a host is desired.

@noahtalerman noahtalerman removed the ~feature fest Will be reviewed at next Feature Fest label Jul 1, 2024
@mikermcneil mikermcneil changed the title Run policies and scripts offline Offline policy enforcement, beyond what is already supported by OS setting controls Sep 20, 2024
@mikermcneil mikermcneil changed the title Offline policy enforcement, beyond what is already supported by OS setting controls Enforce policies offline with scripts Sep 20, 2024
@noahtalerman noahtalerman added Epic DO NOT USE. Auto-created by ZenHub, cannot be disabled. and removed Epic DO NOT USE. Auto-created by ZenHub, cannot be disabled. labels Oct 3, 2024
@randy-fleet
Contributor

aka "Run policies and scripts offline"
aka "Offline policy enforcement, beyond what is already supported by OS setting controls"

User story: As an IT customer excited about expanding Fleet from MDM to configuration management, if a workstation is on an airplane and it goes out of configuration, I want a script to run on policy failure so that the device is always in compliance.

Goal

User story
As a Client Platform Engineer,
I want hosts to evaluate policies and run scripts if they're failing policies
so that I can ensure my hosts are compliant even when they're not connected to the internet.

Context

Changes

Product

  • UI changes: TODO
  • CLI usage changes: TODO
  • REST API changes: TODO
  • Permissions changes: TODO
  • Outdated documentation changes: TODO
  • Changes to paid features or tiers: TODO

Engineering

  • Database schema migrations: TODO
  • Load testing: TODO

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

  • Requires load testing: TODO
  • Risk level: Low / High TODO
  • Risk description: TODO

Manual testing steps

  1. Step 1
  2. Step 2
  3. Step 3

Testing notes

Confirmation

  1. Engineer (@____): Added comment to user story confirming successful completion of QA.
  2. QA (@____): Added comment to user story confirming successful completion of QA.

@randy-fleet randy-fleet changed the title Enforce policies offline with scripts Auto-heal wifi while offline Oct 8, 2024
@randy-fleet
Contributor

@AnthonySnyder8 @ambrusps Could you edit the description and add Gong links? Thanks!

@noahtalerman noahtalerman changed the title Auto-heal wifi while offline Auto-heal wifi while Macs are offline Oct 8, 2024
@dherder
Contributor Author

dherder commented Oct 9, 2024

@randy-fleet while the title "Auto-heal wifi while offline" is an example of a use case that can be solved with this feature, it is a very narrow example. I want to ensure that the scope of the intent for the original ask "Enforce policies offline with scripts" is not lost.

@AnthonySnyder8
Contributor

@noahtalerman updated for prospect-numa

@noahtalerman noahtalerman added the ~feature fest Will be reviewed at next Feature Fest label Oct 24, 2024
@noahtalerman noahtalerman changed the title Auto-heal wifi while Macs are offline Auto-heal Wi-Fi while Macs are offline Oct 24, 2024
@noahtalerman noahtalerman removed the ~feature fest Will be reviewed at next Feature Fest label Oct 25, 2024
@noahtalerman noahtalerman added ~customer request A prioritized, customer feature request. Has ≥ 1 customer codename label(s) ~customer promise A feature request from a Fleet customer that Fleet has contractually agreed to deliver ~feature fest Will be reviewed at next Feature Fest and removed ~feature fest Will be reviewed at next Feature Fest labels Nov 11, 2024
@noahtalerman noahtalerman added the :product Product Design department (shows up on 🦢 Drafting board) label Nov 20, 2024
@noahtalerman noahtalerman self-assigned this Nov 21, 2024
@noahtalerman noahtalerman removed the :product Product Design department (shows up on 🦢 Drafting board) label Nov 22, 2024
@noahtalerman noahtalerman removed their assignment Dec 3, 2024
@noahtalerman noahtalerman added the ~feature fest Will be reviewed at next Feature Fest label Dec 5, 2024
@nonpunctual
Contributor

#15530 (comment)

@noahtalerman noahtalerman added :product Product Design department (shows up on 🦢 Drafting board) and removed :product Product Design department (shows up on 🦢 Drafting board) labels Dec 10, 2024
@noahtalerman noahtalerman changed the title Auto-heal Wi-Fi while Macs are offline Run policies and scripts offline Dec 10, 2024
@noahtalerman noahtalerman removed the ~feature fest Will be reviewed at next Feature Fest label Dec 10, 2024
@noahtalerman noahtalerman changed the title Run policies and scripts offline Auto-heal Wi-Fi while Macs are offline Dec 11, 2024
@noahtalerman noahtalerman added ~feature fest Will be reviewed at next Feature Fest #g-mdm MDM product group labels Dec 19, 2024

6 participants