Add multiple Apple Business Manager and Volume Purchasing Program connections

[zwass]

Goal

User story
As an administrator at an MSP that offers a white-label MDM solution built on top of Fleet,
I want to add multiple Apple Business Manager (ABM) and Volume Purchasing Program (VPP) connections in Fleet
so that I can use one Fleet server to build automatic enrollment and App Store app workflows for all my clients' macOS, iOS, and iPadOS hosts.

Context

• Product designer: @marko-lisica

Changes

Product

• Reference documentation changes: Changes are in the CLI/API design PR here.
• UI changes: Figma wireframes are here.
• CLI usage changes: CLI design PR is here
  • Maintain support for fleetctl get apple-bm if there's one ABM token. Wireframes are in Figma here.
• REST API changes: API design PR is here
• Fleet's agent (fleetd) changes: No fleetd changes.
• Permissions changes: Only global admins and GitOps users can modify ABM and VPP options.
  • Permissions PR is here: Permissions guide: Apple Business Manager and Volume Purchasing Program #22336
• Changes to paid features or tiers: ABM and VPP are Fleet Premium only.
  • PR to pricing page: Update pricing-features-table.yml #22049

Engineering

• Contributor API endpoints to support best practice GitOps (fleetctl gitops) and backwards compatibility GitOps (fleetctl apply). Please add these to the existing reference docs PR here.
• Feature guide changes: Update feature guides that walkthrough mdm settings (UI changes)
• Database schema migrations: Subtask
• Load testing: No

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

@noahtalerman:

• Be aware of a similar bug for this multiple ABM/VPP connections story: Configuration profiles have old label name #21163
  • I think let's make sure to test that the team name change is reflected because we have made similar mistakes in the past.
• Test generic error state in Figma here. We don't want this error state to block the user (showing error state) if they need to renew APNs, ABM, or VPP. Or accept new terms for ABM.
  • We've had a bug w/ blocking the user in the error state in the past: Apple Business Manager connection is broken/uneditable after ABM user is deleted #20090

added by @mna:

• Important to test migrating from previous version with an existing ABM and VPP token, using the same process as our users. The migration of existing tokens is a two-step process, one during the DB migration, and one soon (seconds) after the fleet server restart.

added by @PezHub:

Confirm all copy -

• Empty state for ABM and VPP
• Navigate directly to /settings/integrations/mdm/abm shows correct page
• Once MDM is turned on

End User Authentication -

• Remove Default Team option (it moved to ABM page)
• Confirm updated copy once enabled

ABM -

• Confirm empty states, uploads, renewals
• Try to upload existing token + invalid token and confirm error
• Ensure all teams are set to “no team” upon creation
• When more than one org, list Alphabetically
• Test actions items all function - Edit, Renew, Delete
• Tooltips over Teams Tabs show correct hover display
• Verify Team behavior for ABM

VPP -

• Empty state for adding apps when none are available in ABM (could not test since Apple makes it near impossible to remove software titles from Apps & Books in ABM once they are added.)
• Verify Team behavior for VPP
• Verify copy and hover tooltips
• Can only assign 1 team per token
• Can’t assign any teams if “all teams” is linked to another VPP org

Banners VPP & ABM -

• Renew
• Expired
• ABM accept new terms banner
• Banners display one at a time in the correct priority
• Redirect link to page works
• Orange, red, green dots next to org names reflect expire dates

GitOps

Miscellaneous -

• Free version - confirmed MABM not available without Premium subscription
• Test team name changes are reflected for both ABM and VPP pages (per Noah’s suggestion above)
• Test deleting a team from the UI - ensure it reverts to “no team” for ABM and gets removed for VPP

End-to-end Tests -

• Ensure ADE devices enroll to the assigned team listed in ABM
• Test Host page team assignment (transfer option for those awaiting enrollment) vs ABM page ADE team assignment
• make sure manual assignment on host page overrides ABM page
• Ensure VPP apps install from the correct Org/Token
• Ensure VPP apps work from SS and are removed from fleetd when host moves teams
• Test migrating from 4.55 to 4.56 with an ABM and VPP token configured prior. Make sure no renewal banners show (per Martin’s suggestion above)
• VPP apps are removed from host when Token is moved, changed or deleted

[marko-lisica]

@zayhanlon @zwass We didn't get to this one in the current design sprint. Adding it to feature fest.

[noahtalerman]

Hey @dherder, heads up, we didn't have room to take this one in the current design sprint (4.48).

[phtardif1]

We now also have a European MSP (confidential) that requires same set of features and willing to work with us on developing and bringing to market

[noahtalerman]

@rachaelshaw I passed this one to you during confirm and celebrate. Can you please own closing the remaining checkboxes? Thanks :)

[noahtalerman]

Hey @rachaelshaw, I just noticed that the reference docs PR has conflicts. Please let me know how/if I can help resolve those. Happy to help!

Getting reference docs merged is last item before we can call this story done.

[noahtalerman]

Hey @rachaelshaw, I resolved the conflicts for the reference doc PR.

I left a question for Dante here but I think we can go ahead and merge if everything looks good. Then address any fixes to the redirect a follow up PR.

[noahtalerman]

Hey @rachaelshaw, just following up w/ another ping!

Please let me know if/how I can help get the reference doc PR across the finish line so we can call this story shipped.

[noahtalerman]

Updates to the permissions guide are in a PR here: Permissions PR is here: #22336

Waiting to closet this story until that is merged.

[noahtalerman]

Hey @zayhanlon and @dherder heads up that this story w/ customer/prospect labels attached was shipped in 4.56 🚀

We're missing the guide. I filed a bug for this here: #22339

I think let's leave this story open until we ship the guide.

[roperzh]

hey @noahtalerman the guide was already updated here #21627

[noahtalerman]

hey @noahtalerman the guide was already updated here #21627

Followed up here: #22339 (comment)

[noahtalerman]

PR to the guides is up here: #22458

[noahtalerman]

Closing this story now that we shipped the best practice in a guide here: https://fleetdm.com/guides/macos-mdm-setup#best-practice

[fleet-release]

Apple workflows bloom,
In clouds, multiple hosts thrive,
Ease for admins, hived.

[mikermcneil]

@noahtalerman Where is the UI for this? I just tried to demo it to a partner and failed to do it, because I couldn't find the option in the UI. I later found it here: /settings/integrations/mdm/abm

How can we make it more visible?

[noahtalerman]

I just tried to demo it to a partner and failed to do it, because I couldn't find the option in the UI. I later found it here: /settings/integrations/mdm/abm

@mikermcneil maybe we add more "Apple Business Manager" language here in Settings > Integrations > MDM?

Clicking the pencil icon is how you get to the ABM page: