Use host vitals from IdP as variables in configuration profiles

[Patagonia121]

• customer-reedtimmer: Gong snippets:
  • https://us-65885.app.gong.io/call?id=3274063432520612661&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A1526%2C%22to%22%3A1588%7D%5D
  • https://us-65885.app.gong.io/call?id=3274063432520612661&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A1907%2C%22to%22%3A2117%7D%5D
• customer-pingali: Gong snippet: https://us-65885.app.gong.io/call?id=1989192898666666867&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A3834%2C%22to%22%3A3935%7D%5D
  • @harrisonravazzolo: customer-pingali has the following asks for this feature request:
    1. Robust user association to both company-issued devices and BYOD allows admins to reliably identify all devices assigned to a user and take action on them in a single mechanism. i.e. automation at offboarding
    2. Allows the issuing of certs, which have user details attributed to them.
    3. Allows the customer to build device approval flows. When a user enrolls a new device into MDM, a notification is sent to users original device before it can be granted config profiles.
  • @harrisonravazzolo: customer-pingali would like to see this supported by the SCIM protocol. A workflow similar to this:
    1. User added to Okta
    2. The user and their attributes are populated in 'Users' section of Fleet
    3. For each host in Fleet, a user from the users directory can we assigned.
    4. From Fleets user section, a user can be selected and show their attributes synced from IdP i.e. department, title, location as well as all devices assigned to them.
• customer-flacourtia: Gong snippet: https://us-65885.app.gong.io/call?id=4611615615987162505&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A1876%2C%22to%22%3A2020%7D%5D
• customer-sarahwu: The row labeled "IDENTITY: IdP data integration with Fleet Host records" in this document
  • Gong snippet: https://us-65885.app.gong.io/call?id=2045552602800541978&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A1675%2C%22to%22%3A1995%7D%5D
• customer-nortia: Gong snippet: https://us-65885.app.gong.io/call?id=3659970139851900100&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A584%2C%22to%22%3A628%7D%5D
• customer-ramzel: Gong snippet: TODO
• @allenhouchins: Scope apps, config profiles, and scripts or user info in config profiles and scripts: "Users" table concept where a user, and associated data, can be tied to a specific device. Often this is for scoping, everyone in Product Management group gets this app. Scripting w/ variables like $USERNAME. Show me all the devices for a specific user. Show me all engineering devices. Syncing/updates is important.
• @mikermcneil: We've been calling this roadmap feature "foreign vitals". But what specifically are the minimally viable columns to start with? We'll handle them bespoke. (We will always have a tendency to piggyback multiple requests into a single issue. The problem is that it then devolves into "over-genericism" and it's hard to understand the problem. Instead of one or two separate deeply unerstood probems, we end up with 5 different shallowly-understood problems and some misunderstandings)

---

User stories

• Add end user's IdP information to host vitals #23236
• Automatically add labels based on end user's IdP information #23899
• Use end user's IdP info as variables in configuration profiles #23900

[noahtalerman]

Hey @dherder, ignoring the sync part, how did we solve this (w/o sync) w/ customer-rosner?

Are they using the Tines story you created?

cc @Patagonia121

[harrisonravazzolo]

Hey @noahtalerman - Resurfacing this one as customer-pingali considers an integration with their IdP and being able to tie users to a device(s) is a must-have in order to consider Fleet MDM.

[nonpunctual]

Related: #21849 Use WebClip profile for MyDevice page on iOS/iPadOS

[noahtalerman]

Hey @Patagonia121 and @harrisonravazzolo when you get the chance, can you please add the Gong snippet from the respective customers to the top of the issue description? Thanks :)

[harrisonravazzolo]

@noahtalerman hey Noah, Added comments, use case and Gong to the body of the issue.

[noahtalerman]

Moved the original issue description here for safekeeping:

Customer user story: As an admin, I want the MDM to integrate with Okta to synchronize attributes like department and role to the host’s device record based on the assigned user, dynamically scoping applications and configuration data to user personas.

As of July 2024, this is unsolved, due to the inability to set host attributes arbitrarily based on IdP data.

Additional feedback from customer: Something more like SimpleMDM's custom attributes: https://simplemdm.pdq.com/hc/en-us/articles/9355313240347-Attributes-Custom-Attributes
Or very specifically Jamf Pro's https://learn.jamf.com/en-US/bundle/jamf-pro-documentation-10.39.0/page/Computer_Extension_Attributes.html

From Fleet CSA: When a device in Jamf updates its inventory (like refetch in Fleet) it refreshes the end user data via an integration with an organization's "directory" service which can be AD or a cloud IdP.

[noahtalerman]

@pintomi1989 @allenhouchins @phtardif1 can you please add Gong snippets for sarahwu, ramzel, and flacourtia? Thanks!

[nonpunctual]

@noahtalerman added gong snippets for customer-flacourtia & customer-sarahwu. @harrisonravazzolo could not find a reference in Gong for prospect-ramzel on this topic. Maybe in a doc?

[noahtalerman]

Hey @Patagonia121 and @harrisonravazzolo heads up, we peeled this user story off this request and brought it into the current design sprint.

Keep in mind that they user story will likely not address all aspects of this request. It's a small iterative piece.