Feature branch: Windows MDM migration (#24262)

Feature branch for the #22075
story.

changes/22896-ui-windows-automatic-migration

@@ -0,0 +1 @@
+- add UI changes for windows mdm page and allow for automatic migration for windows hosts.

changes/22897-add-windows-migration-enabled-setting

@@ -0,0 +1 @@
+* Added support for the new `windows_migration_enabled` setting (can be set via `fleetctl`, the `PATCH /api/latest/fleet/config` API endpoint and the UI). Requires a premium license.

cmd/fleetctl/gitops_test.go

@@ -3231,6 +3231,31 @@ software:
 	}
 }
 
+func TestGitOpsWindowsMigration(t *testing.T) {
+	cases := []struct {
+		file    string
+		wantErr string
+	}{
+		// booleans are Windows MDM enabled and Windows migration enabled
+		{"testdata/gitops/global_config_windows_migration_true_true.yml", ""},
+		{"testdata/gitops/global_config_windows_migration_false_true.yml", "Windows MDM is not enabled"},
+		{"testdata/gitops/global_config_windows_migration_true_false.yml", ""},
+		{"testdata/gitops/global_config_windows_migration_false_false.yml", ""},
+	}
+	for _, c := range cases {
+		t.Run(filepath.Base(c.file), func(t *testing.T) {
+			setupFullGitOpsPremiumServer(t)
+
+			_, err := runAppNoChecks([]string{"gitops", "-f", c.file})
+			if c.wantErr == "" {
+				require.NoError(t, err)
+			} else {
+				require.ErrorContains(t, err, c.wantErr)
+			}
+		})
+	}
+}
+
 type memKeyValueStore struct {
 	m sync.Map
 }

cmd/fleetctl/testdata/expectedGetConfigAppConfigJson.json

@@ -118,6 +118,7 @@
 				"deadline_days": 7,
 				"grace_period_days": 3
 			},
+			"windows_migration_enabled": false,
 			"macos_migration": {
 				"enable": false,
 				"mode": "",

cmd/fleetctl/testdata/expectedGetConfigAppConfigYaml.yml

@@ -27,6 +27,7 @@ spec:
     volume_purchasing_program: null
     windows_enabled_and_configured: false
     enable_disk_encryption: false
+    windows_migration_enabled: false
     macos_migration:
       enable: false
       mode: ""

cmd/fleetctl/testdata/expectedGetConfigIncludeServerConfigJson.json

@@ -70,6 +70,7 @@
 				"deadline_days": 7,
 				"grace_period_days": 3
 			},
+			"windows_migration_enabled": false,
 			"macos_migration": {
 				"enable": false,
 				"mode": "",

cmd/fleetctl/testdata/expectedGetConfigIncludeServerConfigYaml.yml

@@ -27,6 +27,7 @@ spec:
     enabled_and_configured: false
     windows_enabled_and_configured: false
     enable_disk_encryption: false
+    windows_migration_enabled: false
     macos_migration:
       enable: false
       mode: ""

cmd/fleetctl/testdata/gitops/global_config_windows_migration_false_false.yml

@@ -0,0 +1,75 @@
+controls:
+  macos_settings:
+  windows_settings:
+  scripts:
+  enable_disk_encryption: false
+  macos_migration:
+    enable: false
+    mode: ""
+    webhook_url: ""
+  macos_setup:
+    bootstrap_package: null
+    enable_end_user_authentication: false
+    macos_setup_assistant: null
+  macos_updates:
+    deadline: null
+    minimum_version: null
+  windows_enabled_and_configured: false
+  windows_migration_enabled: false
+  windows_updates:
+    deadline_days: null
+    grace_period_days: null
+queries:
+policies:
+agent_options:
+  command_line_flags:
+    distributed_denylist_duration: 0
+  config:
+    decorators:
+      load:
+        - SELECT uuid AS host_uuid FROM system_info;
+        - SELECT hostname AS hostname FROM system_info;
+    options:
+      disable_distributed: false
+      distributed_interval: 10
+      distributed_plugin: tls
+      distributed_tls_max_attempts: 3
+      logger_tls_endpoint: /api/v1/osquery/log
+      pack_delimiter: /
+org_settings:
+  server_settings:
+    deferred_save_host: false
+    enable_analytics: true
+    live_query_disabled: false
+    query_report_cap: 2000
+    query_reports_disabled: false
+    scripts_disabled: false
+    server_url: $FLEET_SERVER_URL
+    ai_features_disabled: true
+  org_info:
+    contact_url: https://fleetdm.com/company/contact
+    org_logo_url: ""
+    org_logo_url_light_background: ""
+    org_name: $ORG_NAME
+  smtp_settings:
+  sso_settings:
+  integrations:
+  mdm:
+    end_user_authentication:
+  webhook_settings:
+  fleet_desktop: # Applies to Fleet Premium only
+    transparency_url: https://fleetdm.com/transparency
+  host_expiry_settings: # Applies to all teams
+    host_expiry_enabled: false
+  activity_expiry_settings:
+    activity_expiry_enabled: true
+    activity_expiry_window: 60
+  features: # Features added to all teams
+    enable_host_users: true
+    enable_software_inventory: true
+  vulnerability_settings:
+    databases_path: ""
+  secrets: # These secrets are used to enroll hosts to the "All teams" team
+    - secret: SampleSecret123
+    - secret: ABC
+software:

cmd/fleetctl/testdata/gitops/global_config_windows_migration_false_true.yml

@@ -0,0 +1,75 @@
+controls:
+  macos_settings:
+  windows_settings:
+  scripts:
+  enable_disk_encryption: false
+  macos_migration:
+    enable: false
+    mode: ""
+    webhook_url: ""
+  macos_setup:
+    bootstrap_package: null
+    enable_end_user_authentication: false
+    macos_setup_assistant: null
+  macos_updates:
+    deadline: null
+    minimum_version: null
+  windows_enabled_and_configured: false
+  windows_migration_enabled: true
+  windows_updates:
+    deadline_days: null
+    grace_period_days: null
+queries:
+policies:
+agent_options:
+  command_line_flags:
+    distributed_denylist_duration: 0
+  config:
+    decorators:
+      load:
+        - SELECT uuid AS host_uuid FROM system_info;
+        - SELECT hostname AS hostname FROM system_info;
+    options:
+      disable_distributed: false
+      distributed_interval: 10
+      distributed_plugin: tls
+      distributed_tls_max_attempts: 3
+      logger_tls_endpoint: /api/v1/osquery/log
+      pack_delimiter: /
+org_settings:
+  server_settings:
+    deferred_save_host: false
+    enable_analytics: true
+    live_query_disabled: false
+    query_report_cap: 2000
+    query_reports_disabled: false
+    scripts_disabled: false
+    server_url: $FLEET_SERVER_URL
+    ai_features_disabled: true
+  org_info:
+    contact_url: https://fleetdm.com/company/contact
+    org_logo_url: ""
+    org_logo_url_light_background: ""
+    org_name: $ORG_NAME
+  smtp_settings:
+  sso_settings:
+  integrations:
+  mdm:
+    end_user_authentication:
+  webhook_settings:
+  fleet_desktop: # Applies to Fleet Premium only
+    transparency_url: https://fleetdm.com/transparency
+  host_expiry_settings: # Applies to all teams
+    host_expiry_enabled: false
+  activity_expiry_settings:
+    activity_expiry_enabled: true
+    activity_expiry_window: 60
+  features: # Features added to all teams
+    enable_host_users: true
+    enable_software_inventory: true
+  vulnerability_settings:
+    databases_path: ""
+  secrets: # These secrets are used to enroll hosts to the "All teams" team
+    - secret: SampleSecret123
+    - secret: ABC
+software:

cmd/fleetctl/testdata/gitops/global_config_windows_migration_true_false.yml

@@ -0,0 +1,75 @@
+controls:
+  macos_settings:
+  windows_settings:
+  scripts:
+  enable_disk_encryption: false
+  macos_migration:
+    enable: false
+    mode: ""
+    webhook_url: ""
+  macos_setup:
+    bootstrap_package: null
+    enable_end_user_authentication: false
+    macos_setup_assistant: null
+  macos_updates:
+    deadline: null
+    minimum_version: null
+  windows_enabled_and_configured: true
+  windows_migration_enabled: false
+  windows_updates:
+    deadline_days: null
+    grace_period_days: null
+queries:
+policies:
+agent_options:
+  command_line_flags:
+    distributed_denylist_duration: 0
+  config:
+    decorators:
+      load:
+        - SELECT uuid AS host_uuid FROM system_info;
+        - SELECT hostname AS hostname FROM system_info;
+    options:
+      disable_distributed: false
+      distributed_interval: 10
+      distributed_plugin: tls
+      distributed_tls_max_attempts: 3
+      logger_tls_endpoint: /api/v1/osquery/log
+      pack_delimiter: /
+org_settings:
+  server_settings:
+    deferred_save_host: false
+    enable_analytics: true
+    live_query_disabled: false
+    query_report_cap: 2000
+    query_reports_disabled: false
+    scripts_disabled: false
+    server_url: $FLEET_SERVER_URL
+    ai_features_disabled: true
+  org_info:
+    contact_url: https://fleetdm.com/company/contact
+    org_logo_url: ""
+    org_logo_url_light_background: ""
+    org_name: $ORG_NAME
+  smtp_settings:
+  sso_settings:
+  integrations:
+  mdm:
+    end_user_authentication:
+  webhook_settings:
+  fleet_desktop: # Applies to Fleet Premium only
+    transparency_url: https://fleetdm.com/transparency
+  host_expiry_settings: # Applies to all teams
+    host_expiry_enabled: false
+  activity_expiry_settings:
+    activity_expiry_enabled: true
+    activity_expiry_window: 60
+  features: # Features added to all teams
+    enable_host_users: true
+    enable_software_inventory: true
+  vulnerability_settings:
+    databases_path: ""
+  secrets: # These secrets are used to enroll hosts to the "All teams" team
+    - secret: SampleSecret123
+    - secret: ABC
+software:

cmd/fleetctl/testdata/gitops/global_config_windows_migration_true_true.yml

@@ -0,0 +1,75 @@
+controls:
+  macos_settings:
+  windows_settings:
+  scripts:
+  enable_disk_encryption: false
+  macos_migration:
+    enable: false
+    mode: ""
+    webhook_url: ""
+  macos_setup:
+    bootstrap_package: null
+    enable_end_user_authentication: false
+    macos_setup_assistant: null
+  macos_updates:
+    deadline: null
+    minimum_version: null
+  windows_enabled_and_configured: true
+  windows_migration_enabled: true
+  windows_updates:
+    deadline_days: null
+    grace_period_days: null
+queries:
+policies:
+agent_options:
+  command_line_flags:
+    distributed_denylist_duration: 0
+  config:
+    decorators:
+      load:
+        - SELECT uuid AS host_uuid FROM system_info;
+        - SELECT hostname AS hostname FROM system_info;
+    options:
+      disable_distributed: false
+      distributed_interval: 10
+      distributed_plugin: tls
+      distributed_tls_max_attempts: 3
+      logger_tls_endpoint: /api/v1/osquery/log
+      pack_delimiter: /
+org_settings:
+  server_settings:
+    deferred_save_host: false
+    enable_analytics: true
+    live_query_disabled: false
+    query_report_cap: 2000
+    query_reports_disabled: false
+    scripts_disabled: false
+    server_url: $FLEET_SERVER_URL
+    ai_features_disabled: true
+  org_info:
+    contact_url: https://fleetdm.com/company/contact
+    org_logo_url: ""
+    org_logo_url_light_background: ""
+    org_name: $ORG_NAME
+  smtp_settings:
+  sso_settings:
+  integrations:
+  mdm:
+    end_user_authentication:
+  webhook_settings:
+  fleet_desktop: # Applies to Fleet Premium only
+    transparency_url: https://fleetdm.com/transparency
+  host_expiry_settings: # Applies to all teams
+    host_expiry_enabled: false
+  activity_expiry_settings:
+    activity_expiry_enabled: true
+    activity_expiry_window: 60
+  features: # Features added to all teams
+    enable_host_users: true
+    enable_software_inventory: true
+  vulnerability_settings:
+    databases_path: ""
+  secrets: # These secrets are used to enroll hosts to the "All teams" team
+    - secret: SampleSecret123
+    - secret: ABC
+software:

cmd/fleetctl/testdata/macosSetupExpectedAppConfigEmpty.yml

@@ -27,6 +27,7 @@ spec:
     enabled_and_configured: true
     windows_enabled_and_configured: false
     enable_disk_encryption: false
+    windows_migration_enabled: false
     macos_migration:
       enable: false
       mode: ""

cmd/fleetctl/testdata/macosSetupExpectedAppConfigSet.yml

@@ -27,6 +27,7 @@ spec:
     enabled_and_configured: true
     windows_enabled_and_configured: false
     enable_disk_encryption: false
+    windows_migration_enabled: false
     macos_migration:
       enable: false
       mode: ""