Enroll personally owned (BYOD) iOS/iPadOS devices with work email (Managed Apple Account)

[marko-lisica]

Goal

User story
As an IT admin,
I want my end users to enroll their personal iPhones and iPads through the Settings app by signing in with my work email (same as IdP)
so that I can enforce settings necessary to access organization resources/tools.

Key result

Account-based user enrollment for personal Apple devices (BYOD)

Original requests

• Enroll personally owned BYOD iOS/iPadOS hosts using account-based (Apple) user enrollment #19329

Context

• Product Designer: @marko-lisica

Changes

Product

• UI changes: Figma link
• CLI (fleetctl) usage changes: No changes.
• YAML changes: [API/YAML] Enroll personally owned (BYOD) iOS/iPadOS devices with work email (Managed Apple Account) #30176
• REST API changes: [API/YAML] Enroll personally owned (BYOD) iOS/iPadOS devices with work email (Managed Apple Account) #30176
• Fleet's agent (fleetd) changes: No changes.
• GitOps mode changes: Changes specified in Figma link above.
• Activity changes: [Activity changes] Enroll personally owned (BYOD) iOS/iPadOS devices with work email (Managed Apple Account) #30186
• Permissions changes: Admin only. Covered by "View, edit, and delete Apple Business Manager (ABM) connections" row in the permissions guide.
• Changes to paid features or tiers: Fleet Premium only (requires ABM integration)
• Transparency changes: TODO
• First draft of test plan added
• Other reference documentation changes: No changes.
• Once shipped, requester has been notified
• Once shipped, dogfooding issue has been filed

Engineering

• Test plan is finalized
• Contributor API changes: Specified in [API/YAML] Enroll personally owned (BYOD) iOS/iPadOS devices with work email (Managed Apple Account) #30176
• Feature guide changes: TODO
• Database schema migrations: TODO
• Load testing: TODO

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

• Requires load testing: TODO
• Risk level: Low / High TODO
• Risk description: TODO

Test plan

Make sure to go through the list and consider all events that might be related to this story, so we catch edge cases earlier.

• Make sure that if the user enables ABM integration (add ABM token) in Fleet settings, connect domain used for work email in ABM, and sets Fleet as the MDM server for iOS and iPad in ABM (ABM > account name > Preferences > Management Assignment > select Fleet server for iPad and iPhone), the user should be able to do BYOD enrollment.
• Make sure that if the user hosts service discovery JSON (.well-known resource) on their own, on domain used for work email and JSON is proper format, that BYOD enrollment still works.

UI

• Make sure that user can select default team for personal iPhones and iPads on /settings/integrations/mdm/abm page, when editing ABM integrations.
• Make sure that copy and cards on the /settings/integrations/mdm are updated.
• Make sure that "iOS & iPadOS" tab in "Add hosts" modal on /hosts page is updated as specified in Figma.
• Make sure to show states in "iOS & iPadOS" tab when Apple MDM is turned off or when ABM isn't connected, as specified in Figma.
• Make sure that iPhones and iPads enrolled with Apple Managed Accounts, have MDM status -> On (personal). Status should be added to dashboard > MDM card > status tab and on the host details. Make sure that tooltips on hover match Figma.
• Make sure that personal (BYOD) iPhones and iPads don't show serial number on host details and hosts list page, but "Enrollment ID" instead.
• Make sure that when GitOps mode is enabled in settings, to disable Renew and Delete actions on /settings/integrations/mdm/abm page when user clicks actions in the table where all ABM connections are listed.
• Make sure that when user select to "Edit teams" in table above, to show selected teams and disable "Save" button if GitOps mode is enabled.
• Make sure to display activity when personal iOS/iPadOS host is enrolled and to add "(personal)" flag to activity copy.

API

• Make sure that GET /api/v1/fleet/hosts/summary/mdm endpoint returns the new status count: enrolled_personal_hosts_count
• Make sure that GET /api/v1/fleet/abm_tokens endpoint returns teams for personal iPhones and iPads
• Make sure that PATCH /api/v1/fleet/abm_tokens/:id/teams endpoint accepts ios_team_for_personal_hosts_id and ipados_team_for_personal_hosts_id to set default team for personal iPhones and iPads.

GitOps

• Make sure that user can specify ios_team_for_personal_hosts and ipados_team_for_personal_hosts under org_settings.mdm.apple_business_manager to set default team for personal iPhones and iPads

Testing notes

Confirmation

1. Engineer: Added comment to user story confirming successful completion of test plan.
2. QA: Added comment to user story confirming successful completion of test plan.