Create the DDM profile for macOS updates

2026-05-23 17:08:53 +00:00 · 2024-04-03 09:50:30 -04:00 · 2024-04-03 09:50:30 -04:00 · c28bd8fc3a
commit c28bd8fc3a
parent 1dec23cd08
4 changed files with 50 additions and 11 deletions
--- a/ee/server/service/mdm.go
+++ b/ee/server/service/mdm.go
@ -1056,17 +1056,37 @@ func (svc *Service) GetMDMDiskEncryptionSummary(ctx context.Context, teamID *uin
 }

 func (svc *Service) mdmAppleEditedMacOSUpdates(ctx context.Context, teamID *uint, updates fleet.MacOSUpdates) error {
-	// TODO: must do the equivalent, more or less, of svc.NewMDMAppleDeclaration
-	// (avoiding the validation that prevents the declaration type, and without
-	// the activity as we want to leave this Software Updates profile hidden,
-	// like an internal implementation detail of how Fleet manages those update
-	// requirements).
+	// TODO: is there a notion of "DDM enabled" or not, where the DDM profile
+	// should not be created?

 	if updates.MinimumVersion.Value == "" {
 		// TODO: OS updates disabled, remove the profile
 		return nil
 	}
 	// TODO: OS updates enabled and modified, create or update the profile
+
+	const macOSSoftwareUpdateType = `com.apple.configuration.softwareupdate.enforcement.specific`
+	ident := uuid.NewString()
+	// TODO(mna): is that correct payload? Identifier is a uuid?
+	rawDecl := []byte(fmt.Sprintf(`{
+	"Identifier": %q,
+	"Type": %q,
+	"Payload": {
+		"TargetOSVersion": %q,
+		"TargetLocalDateTime ": "2024-03-01T12:00:00,"
+	}
+}`, ident, macOSSoftwareUpdateType, updates.MinimumVersion.Value))
+	d := fleet.NewMDMAppleDeclaration(rawDecl, teamID, mdm.FleetMacOSUpdatesProfileName, macOSSoftwareUpdateType, ident)
+	// TODO(mna): create hidden label targeting macOS >= 14
+	//d.Labels = validatedLabels
+	decl, err := svc.ds.NewMDMAppleDeclaration(ctx, d)
+	if err != nil {
+		return err
+	}
+
+	if err := svc.ds.BulkSetPendingMDMHostProfiles(ctx, nil, nil, []string{decl.DeclarationUUID}, nil); err != nil {
+		return ctxerr.Wrap(ctx, err, "bulk set pending host declarations")
+	}
 	return nil
 }

--- a/server/datastore/mysql/apple_mdm.go
+++ b/server/datastore/mysql/apple_mdm.go
@ -3379,6 +3379,8 @@ WHERE h.uuid = ?
 }

 func (ds *Datastore) batchSetMDMAppleDeclarations(ctx context.Context, tx sqlx.ExtContext, tmID *uint, incomingDeclarations []*fleet.MDMAppleDeclaration) ([]*fleet.MDMAppleDeclaration, error) {
+	// TODO(mna): batch-set should not delete the reserved OS updates DDM.
+
 	const insertStmt = `
 INSERT INTO mdm_apple_declarations (
 	declaration_uuid,
--- a/server/datastore/mysql/mdm.go
+++ b/server/datastore/mysql/mdm.go
@ -168,7 +168,7 @@ FROM (
 	WHERE
 		team_id = ? AND
 		name NOT IN (?)
-	
+
 	UNION

 	SELECT
@ -185,6 +185,8 @@ FROM (
 ) as combined_profiles
 `

+	// TODO(mna): filter-out the reserved OS updates DDM
+
 	var globalOrTeamID uint
 	if teamID != nil {
 		globalOrTeamID = *teamID
@ -268,7 +270,7 @@ FROM
 WHERE
 	mcpl.apple_profile_uuid IN (?) OR
 	mcpl.windows_profile_uuid IN (?)
-UNION ALL 
+UNION ALL
 SELECT
 	apple_declaration_uuid as profile_uuid,
 	label_name,
--- a/server/mdm/mdm.go
+++ b/server/mdm/mdm.go
@ -82,24 +82,31 @@ func GuessProfileExtension(profile []byte) string {
 }

 const (
-
 	// FleetdConfigProfileName is the value for the PayloadDisplayName used by
 	// fleetd to read configuration values from the system.
 	FleetdConfigProfileName = "Fleetd configuration"

 	// FleetdFileVaultProfileName is the value for the PayloadDisplayName used
 	// by Fleet to configure FileVault and FileVault Escrow.
-	FleetFileVaultProfileName        = "Disk encryption"
+	FleetFileVaultProfileName = "Disk encryption"
+
+	// FleetWindowsOSUpdatesProfileName is the name of the profile used by Fleet
+	// to configure Windows OS updates.
 	FleetWindowsOSUpdatesProfileName = "Windows OS Updates"
+
+	// FleetMacOSUpdatesProfileName is the name of the DDM profile used by Fleet
+	// to configure macOS OS updates.
+	FleetMacOSUpdatesProfileName = "Fleet macOS OS Updates"
 )

-// FleetReservedProfileNames returns a map of PayloadDisplayName strings
-// that are reserved by Fleet.
+// FleetReservedProfileNames returns a map of PayloadDisplayName or profile
+// name strings that are reserved by Fleet.
 func FleetReservedProfileNames() map[string]struct{} {
 	return map[string]struct{}{
 		FleetdConfigProfileName:          {},
 		FleetFileVaultProfileName:        {},
 		FleetWindowsOSUpdatesProfileName: {},
+		FleetMacOSUpdatesProfileName:     {},
 	}
 }

@ -108,3 +115,11 @@ func FleetReservedProfileNames() map[string]struct{} {
 func ListFleetReservedWindowsProfileNames() []string {
 	return []string{FleetWindowsOSUpdatesProfileName}
 }
+
+// ListFleetReservedAppleDDMProfileNames returns a list of profile names that
+// are reserved by Fleet for Apple DDM declarations.
+func ListFleetReservedAppleDDMProfileNames() []string {
+	return []string{FleetMacOSUpdatesProfileName}
+	// TODO(mna): use this to filter-out those reserved profiles from status
+	// summaries/filters.
+}