Enroll Android

[noahtalerman]

Goal

User story
As an IT admin,
I want to invite end-users to enroll BYOD Android hosts
so that I can enforce settings on end-user devices that can access organization resources/tools.

Key results

Deliver Android MDM customer promise

Original requests

• Enroll and manage Android hosts #19986

Context

• Product designer: @marko-lisica

Changes

Product

• Feature flag changes: Add a new DEV_ANDROID_ENABLED server configuration option. When turned on, the Fleet UI shows Android features. We used the same strategy for Windows MDM here.
• UI changes: Figma link
• CLI (fleetctl) usage changes: No changes
• YAML changes: No changes
• REST API changes: [API design] Enroll Android #26285
• Fleet's agent (fleetd) changes: No changes
• GitOps mode changes: No changes
• Activity changes: Link to PR
• Permissions changes: Only admin can connect Android Enterprise. Changes to permission guide.
• Changes to paid features or tiers: Fleet Free and Premium
• Transparency changes: No changes. We don't mention specific platforms on this page.
• First draft of test plan added
• Other reference documentation changes: No changes
• Once shipped, requester has been notified
• Once shipped, dogfooding issue has been filed

Engineering

• Test plan is finalized
• Feature guide changes: @marko-lisica: I'll write this feature guide, as I already investigated different options for admins when creating Android Enterprise, so I want to cover that in user guide
• Database schema migrations: Android: DB Schema Changes #26208
• Load testing: Android: Load testing #26225

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

• Requires load testing: Yes
• Risk level: Low / High: High
• Risk description: Fleet is introducing support for a brand new platform. We want to ensure newly enrolled devices work at scale and ensure no regression occurs with existing functionality.

Test plan

• Make sure that the user can turn on Android MDM by connecting Android Enterprise on /settings/integrations/mdm/android.
• Make sure that we display "Fleet" in Google's wizard for Android Enterprise creation, when user is asked to Allow binding to Fleet.
• Make sure that we change state of the Android MDM card on /settings/integrations/mdm page if Android MDM is turned on without reloading the page (automatically after it's turned on).
• Make sure that user can turn off Android MDM on /settings/integrations/mdm/android when Android MDM is turned on.
• Make sure that activities in global feed are generated when user turn on and turn off Android MDM.
• Make sure when user turns off Android MDM, Android hosts aren't deleted from Fleet, but the hosts' MDM status is changed to "Off".
• Make sure if the user deleted Android Enterprise from the Google Admin console that once user connects Android Enterprise again it binds existing AE to Fleet and hosts can be managed again without re-enrolling (MDM status on Android hosts is changed to On (manual)).
• Make sure that user sees the banner on every page when user deletes Android Enterprise in Google Admin console and that Android MDM card on /settings/integrations/mdm page is reset to default (turn on button visible).
• Make sure that there's new "Android" tab in Add hosts modal and it shows URL that should be sent to the end user (URL should be the same as one in iOS&iPadOS tab).
• Make sure to show empty state if MDM isn't turned on in the Add hosts modal for iOS&iPadOS and Android tabs as specified in Figma.
• Make sure that when end user opens /enroll page on the Android host sees correct instructions specified in Figma.
• Make sure that when end user on Android host opens /enroll page, and select "Enroll" button, enrollment process starts on the host and host is enrolled to correct team (based on enroll secret)
• Make sure that if enroll secret is invalid or not present in the URL (/enroll?enrol_secret=<enroll_secret>) that error is displayed as specified in Figma.
• Make sure the token expires after 1hr (TBD) if the user doesn't enroll
• Make sure that instructions for iPad and Android device follow new specs in Figma (max-width of 800px on larger screens).
• Make sure that we adjust the content of /enroll page if device isn't Android, iPhone, iPad as specified in Figma.
• Make sure that error is displayed on /enroll page if MDM is turned off. Make sure that we display different copy for Android, iPhone and iPad, as specified in Figma.
• Make sure that new 'Android' platform is added to dashboard, and card on the top of dashboard is displayed. The card should be linked to open hosts page with android filter.
• Make sure that "Android" platform is added to filter on top of dashboard page.
• Make sure to count Android hosts to solutions under MDM card on dashboard
• Make sure that server URL is same as server_url of the Fleet instance
• Make sure that Android hosts with MDM turned off (either admin turned MDM for all Android hosts or end user turned off MDM) are taken into account in Dashboard > MDM card > Status tab > Off.
• Make sure that when "Android" is selected in platform filter on dashboard that only Android card is displayed and in MDM card only Android server URL is present.
• Make sure that new builtin label android is added and it's available on Hosts page when user selects "Filter by platform or label".
• Make sure that columns in Hosts table that are not available, has "Not supported" label, as specified in Figma. *These may change as we do further testing.
• Make sure that on Host details page we show all host vitals that are specified in Figma. *These may change as we do further testing.
• Make sure that on Host details page we show MDM status and if admin turns off MDM for all hosts it shows "Off" or if the end user turn off MDM on their host.
• Make sure that on Host details page user can transfer host to a different team and delete it form Fleet.
• Make sure that on Host details page if MDM is turned off "MDM server URL" value is "---".
• Ensure the new Android built-in filter works as expected (shows all enrolled devices and only Android platform)
• Ensure that the Feature Flag is working as intended when ON/OFF

Testing notes

Confirmation

1. Engineer: Added comment to user story confirming successful completion of test plan.
2. QA: Added comment to user story confirming successful completion of test plan.

[noahtalerman]

@georgekarrv heads up, chatted with @lukeheath and @marko-lisica and we decided to give these Android stories P2 so that we can work on them first next sprint:

• Enroll Android #23231
• Configuration profiles for Android #25557
• Run MDM commands on Android #23232

We think we need to work on these next sprint in order to hit our Q1 Android BYOD objective.

[lukeheath]

@noahtalerman Agreed.

[noahtalerman]

@marko-lisica in this video here, I made some copy tweaks and left you some feedback on the wires.

Sorry about the poor video quality. Still trying to find a good Loom alternative...

[noahtalerman]

Actions items from user story review:

• DONE @marko-lisica: In test plan be explicit about testing what happens to Android hosts when you turn Android MDM off: the hosts still show up on Hosts page. The hosts all have MDM status set to Off.
• DONE @marko-lisica: Call out Google "soft delete" flow in test plan and be explicit about testing that hosts have MDM status set back to On (manual)
• DONE @marko-lisica: Activity feed items for turning Android MDM on/off
• DONE @marko-lisica: YAML file changes for turning Android MDM on/off. Consider GitOps mode
  • @noahtalerman: We can't have a simple on/off because of the "OAuth-like" setup flow. The user is going to this flow in the Fleet UI.

[marko-lisica]

@PezHub Noah, George, and I went over draft test plan during user story review. Could you check it when you get back? I walked George through each feature for more context, so if you want you can check Gong recording for more details

[noahtalerman]

@georgekarrv just a reminder that we want to prioritize this user story in the upcoming sprint.

Can you please complete the TODOs in the "Engineering" section so we can estimate with the team during #g-mdm sprint kickoff?

[getvictor]

@marko-lisica Some questions:

• Are Google service credentials supplied as a server setting?
  • Will customers need to get their own service credentials or will we provide them?
• What if the Google account already has an enterprise?
• Are we restricting Fleet to only 1 enterprise? If admin generated multiple enterprise tokens, we will only accept the first one?
• Have you tested deleting enterprise? Is the work profile automatically removed from Android device?
• The device enrollment token should be multi-use and have no expiration, correct? What if Fleet admin wants to rotate the enrollment token? For rotation, we can build it such that admin would just need to delete the relevant row in the MySQL DB, and Fleet will get a new token next time it is requested.

[noahtalerman]

@georgekarrv just checking, what's left to before we move this story to the sprint board (:release)?