Create policies automatically for Fleet-maintained apps #22077

Closed
62 of 67 tasks
noahtalerman opened this issue Sep 13, 2024 · 12 comments
Labels
customer-preston #g-mdm MDM product group :product Product Design department (shows up on 🦢 Drafting board) story A user story defining an entire feature

@noahtalerman
Member

noahtalerman commented Sep 13, 2024

Goal

User story
As an IT admin,
I want to install a Fleet-maintained app on all of my hosts that don't already have it
so that I can deploy a new productivity app to all my hosts w/o having to write a policy.

Objective

Context

Changes

Product

  • Reference documentation changes: Docs changes covered by API changes below.
  • UI changes: Figma link
  • CLI (fleetctl) usage changes: No changes.
  • YAML changes: No changes.
  • REST API changes: [API design] Create policies automatically for Fleet-maintained apps #24413
  • Fleet's agent (fleetd) changes: No changes.
  • Activity changes: No changes.
  • Permissions changes: No changes. Software add/edit/remove permissions are already specified in the permissions guide.
  • Changes to paid features or tiers: Available for Fleet Premium.
  • Other reference documentation changes: No changes.
  • Once shipped, requester has been notified
  • Once shipped, dogfooding issue has been filed
    • Issue: fleetdm/confidential#9214

Engineering

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

  • Requires load testing: no
  • Risk level: Low

Manual testing steps

Design/UI

  • When adding FMA, Manual and Automatic install options are available. Tooltip for "missing this software" is shown.

  • Self-service can be selected for either install method, there is a tooltip on "Self-service"

  • Advanced options are available and editable, save on "Add software"

  • When "Add software" is clicked, Add software modal appears with spinner.

  • !!Existing Issue!! #23096 For upload failures, error message is displayed and policy is not created

  • For successful uploads, user is redirected to /software/titles with the "Available for install" filter applied, and success message is shown

  • For successful uploads but policy fails to be created, an error message is displayed

  • On /software/titles page, correct Manual, Automatic, Automatic/Self Service, Manual/Self Service icons appear based on install method


  • On /software/titles/:id page for FMA apps that were added with an automatic policy, "Automatic install" badge is shown.
  • Hovering over badge gives instructions to click on it to see all policies that are tied to the software title
  • Clicking the policy name takes you to the policy
  • Policy displays correctly on /policies/ page. "---" appears under "Yes" and "No" results columns until computers have run the policy.
  • Policy appears in "My Device" page for host in the team for which the policy was created.
  • Learn more link redirects to the correct page

Functional

  • Policy is automatically created when FMA software is added and "Automatic" install method is selected
  • Policy runs on host and correctly detects whether or not software is installed
  • Software install is triggered when policy fails, software installs on host
  • Once the software has been installed, policy passes and software is not re-installed
  • If software was already installed, policy passes and software is not re-installed
  • Deleting the software on the host and re-running the policy triggers a new install, software is installed successfully

Role Based Access
Global Admin

  1. Add/Edit/Delete FMA software
  • Policy is automatically created when "Automatic" is selected
  • Software may be edited after adding
  • Policy may be edited after it is automatically added
  • Software can not be deleted until Policy is deleted first

Global Maintainer

  1. Add/Edit/Delete FMA software

Global Observer +

  1. View
  • FMA software that has been added to any team
  • FMA policy that was created on any team
  • SHOULD be able to run policy on any team

Global Observer

  1. View
  • FMA software that has been added to any team
  • FMA policy that was created on any team
  • Should NOT be able to run Policy on any team

Team Admin
Add/Edit/Delete FMA software for the team(s) they are assigned to

  • Policy is automatically created when "Automatic" is selected
  • Software may be edited after adding
  • Policy may be edited after it is automatically added
  • Software can not be deleted until Policy is deleted first
  • Should NOT be able to add/edit/delete software or policies not specific to their team

Team Maintainer
Add/Edit/Delete FMA software for the team(s) they are assigned to

  • Policy is automatically created when "Automatic" is selected
  • Software may be edited after adding
  • Policy may be edited after it is automatically added
  • Software can not be deleted until Policy is deleted first
  • Should NOT be able to add/edit/delete software or policies not specific to their team

Team Observer +

  1. View
  • FMA software that has been added to the team(s) they are assigned to
  • FMA policy that was created on the team(s) they are assigned to
  • SHOULD be able to run policy on the team(s) they are assigned to

Team Observer

  1. View
  • FMA software that has been added to the team(s) they are assigned to
  • FMA policy that was created on the team(s) they are assigned to
  • SHOULD NOT be able to run policy on the team(s) they are assigned to

Testing notes

Confirmation

  1. Engineer (@____): Added comment to user story confirming successful completion of QA.
  2. QA (@jmwatts & @PezHub): Added comment to user story confirming successful completion of QA.
@noahtalerman noahtalerman added story A user story defining an entire feature :product Product Design department (shows up on 🦢 Drafting board) labels Sep 13, 2024
@noahtalerman noahtalerman changed the title Set a Fleet-maintained app to always be on latest Set minimum version and automatically install Fleet-maintained app Sep 20, 2024
@noahtalerman noahtalerman changed the title Set minimum version and automatically install Fleet-maintained app Automatically install latest version of Fleet-maintained app Sep 20, 2024
@noahtalerman noahtalerman changed the title Automatically install latest version of Fleet-maintained app Fleet-maintained apps: automatically install latest version Sep 20, 2024
@noahtalerman noahtalerman changed the title Fleet-maintained apps: automatically install latest version Fleet-maintained apps: automatic install latest version Sep 20, 2024
@noahtalerman noahtalerman changed the title Fleet-maintained apps: automatic install latest version Fleet-maintained apps: automatic install and update Sep 30, 2024
@noahtalerman noahtalerman changed the title Fleet-maintained apps: automatic install and update Fleet-maintained apps: automatic install Sep 30, 2024
@noahtalerman noahtalerman changed the title Fleet-maintained apps: automatic install Fleet-maintained apps: automatic install and update Sep 30, 2024
@noahtalerman noahtalerman changed the title Fleet-maintained apps: automatic install and update Fleet-maintained apps: automatic install Sep 30, 2024
@noahtalerman noahtalerman changed the title Fleet-maintained apps: automatic install Fleet-maintained apps: automatic install and update Sep 30, 2024
@noahtalerman noahtalerman changed the title Fleet-maintained apps: automatic install and update Fleet-maintained apps: automatic install Sep 30, 2024
@noahtalerman noahtalerman added ~feature fest Will be reviewed at next Feature Fest #g-mdm MDM product group labels Oct 3, 2024
@noahtalerman noahtalerman added Epic DO NOT USE. Auto-created by ZenHub, cannot be disabled. and removed Epic DO NOT USE. Auto-created by ZenHub, cannot be disabled. ~feature fest Will be reviewed at next Feature Fest labels Oct 4, 2024
@noahtalerman
Member Author

Hey @georgekarrv just giving you a reminder that this story is ready to spec. Please let us know if we can help get this ready for estimation.

cc @marko-lisica

@noahtalerman
Member Author

noahtalerman commented Oct 11, 2024

Hey @georgekarrv just giving you a ping! as a reminder that this story is ready to spec. Please let us know if we can help get this ready for estimation.

Note that the API design PR is a draft but it's ready for review. It's in draft b/c it's helping us remember that we want to wait for the 4.58 reference docs to merge it into main before we merge this PR into the 4.59 on the reference docs.

cc @marko-lisica

@noahtalerman
Member Author

Hey @georgekarrv, just giving you another reminder that this story is ready for specs. Please ping @marko-lisica if we can help get this ready for estimation.

@georgekarrv georgekarrv added this to the 4.60.0-tentative milestone Oct 28, 2024
@marko-lisica
Member

Hey @ghernandez345, I did a small copy tweak here in case you started working on this.

@marko-lisica
Member

marko-lisica commented Nov 14, 2024

Hey @georgekarrv, I tried this query and it worked, it triggered installation on my host:

SELECT 1 FROM apps WHERE bundle_identifier = '<SOFTWARE_BUNDLE_IDENTIFIER>';

We already have bundle_identifier for each Fleet-maintained app in this file, but you mentioned yesterday that the frontend doesn't have access to it.

I think we need a way for the frontend to know bundle_identifier, probably include it in Get Fleet-maintained app response.

@PezHub I also added a note in the QA section in the description that we should make sure that this query template works (triggers install) for each Fleet-maintained app.
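
The query template from the comment above, as an added example that is not part of the thread or Fleet's code: it fills the template only with validated bundle identifiers and evaluates the resulting policy against constructed hosts to show which ones would get an install. The in-memory SQLite `apps` table stands in for osquery's table, and the host names, bundle identifiers and function names are assumptions made for illustration.

```python
import re
import sqlite3

# Assumption: bundle identifiers use only alphanumerics, hyphens and periods
# (the character set Apple documents for CFBundleIdentifier).
BUNDLE_ID_RE = re.compile(r"[A-Za-z0-9.-]{1,255}")

QUERY_TEMPLATE = "SELECT 1 FROM apps WHERE bundle_identifier = '{}';"


def build_policy_query(bundle_identifier: str) -> str:
    """Fill the template, refusing values that could alter the SQL."""
    if not BUNDLE_ID_RE.fullmatch(bundle_identifier):
        raise ValueError(f"invalid bundle identifier: {bundle_identifier!r}")
    return QUERY_TEMPLATE.format(bundle_identifier)


def make_host(installed_bundle_ids):
    """Constructed stand-in for a host: an in-memory SQLite `apps` table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE apps (name TEXT, bundle_identifier TEXT)")
    db.executemany("INSERT INTO apps VALUES (?, ?)",
                   [(b.split(".")[-1], b) for b in installed_bundle_ids])
    return db


def policy_passes(host_db, query: str) -> bool:
    """A policy passes when its query returns at least one row."""
    return host_db.execute(query).fetchone() is not None


def hosts_needing_install(hosts: dict, bundle_identifier: str) -> list:
    """Hosts where the policy fails, i.e. where an install would be triggered."""
    query = build_policy_query(bundle_identifier)
    return sorted(n for n, db in hosts.items() if not policy_passes(db, query))


# Constructed sample fleet; names and identifiers are illustrative only.
SAMPLE_HOSTS = {
    "mac-01": make_host(["com.example.notes", "com.example.chat"]),
    "mac-02": make_host(["com.example.notes"]),
    "mac-03": make_host([]),
}

if __name__ == "__main__":
    print(hosts_needing_install(SAMPLE_HOSTS, "com.example.chat"))
```

The policy text is stored and sent to hosts as a plain string, so there is no placeholder binding at that layer; validating the identifier before it enters the template is what keeps the generated query to its intended shape.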

@georgekarrv georgekarrv modified the milestones: 4.60.0, 4.61.0-tentative Nov 21, 2024
jahzielv added a commit that referenced this issue Dec 4, 2024
…4298)

> Related issue: #22077

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

<!-- Note that API documentation changes are now addressed by the
product design team. -->

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality
@georgekarrv georgekarrv added :demo and removed :demo labels Dec 6, 2024
@jmwatts
Member

jmwatts commented Dec 6, 2024

@noahtalerman @marko-lisica

Suggestion for readability improvement. The error message currently says:

"Couldn't add automatic install policy. Software is successfully added. To try again delete software and add it again."

Could we change this to say something like:
"Couldn't add automatic install policy. Software is successfully added. To retry, delete software and add it again."
or
"Software added successfully, but automatic install policy couldn't be created. To retry, delete and re-add software."

@marko-lisica
Member

marko-lisica commented Dec 9, 2024

@jmwatts Thanks for the proposal. I like the first one:
"Couldn't add automatic install policy. Software is successfully added. To retry, delete software and add it again."
It's shorter and reads better.

I'll update Figma to match this. @jahzielv If we can make this change now, that would be great. Thanks!

@jahzielv jahzielv mentioned this issue Dec 9, 2024
1 task
@PezHub
Contributor

PezHub commented Dec 9, 2024

QA Notes:

Paired with @jmwatts to ensure all acceptance criteria were met and automatic policies for fleet-maintained apps behaved as expected. Additional results were tracked here.

lukeheath pushed a commit that referenced this issue Dec 17, 2024
Release article for Fleet 4.61.0

Highlighted user stories:
- #22077
- #22078
- #22075
@lukeheath lukeheath added :product Product Design department (shows up on 🦢 Drafting board) and removed :release Ready to write code. Scheduled in a release. See "Making changes" in handbook. labels Dec 17, 2024
@noahtalerman
Member Author

Hey @marko-lisica just giving you a ping! as a reminder to prioritize the remaining TODOs for this story in confirm and celebrate.

@fleet-release
Contributor

Apps deploy, hosts sync,
Fleet maintains, admin rests,
Tech harmony sings.


9 participants