macOS/Windows hosts show "Pending" disk encryption status when MDM is turned off #24119

@iansltx

Goal

User story
As an IT admin enforcing disk encryption on only Linux workstations,
I want to see empty counts for macOS and Windows hosts on the Controls > OS settings > Disk encryption page
so that I know Fleet is only enforcing disk encryption on Linux hosts.

Key result

Small UX improvements

Original requests

None.

Context

Original issue description: #24119 (comment)

Changes

Product

  • UI changes: Figma here.
  • CLI (fleetctl) usage changes: No changes.
  • YAML changes: No changes.
  • REST API changes: [API design] macOS/Windows hosts show "Pending" disk encryption status when MDM is turned off #27271
    • If MDM isn't turned on for Apple or Windows, then the count for the respective platform should return null
  • Fleet's agent (fleetd) changes: No changes.
  • GitOps mode changes: No changes.
  • Activity changes: No changes.
  • Permissions changes: No changes.
  • Changes to paid features or tiers: Disk encryption is Fleet Premium only
  • Transparency changes: No changes.
  • First draft of test plan added
  • Other reference documentation changes: No changes.
  • Once shipped, requester has been notified
  • Once shipped, dogfooding issue has been filed

Engineering

  • Test plan is finalized
  • Feature guide changes: TODO
  • Database schema migrations: TODO
  • Load testing: TODO

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

  • Requires load testing: TODO
  • Risk level: Low / High TODO
  • Risk description: TODO

Test plan

UI

  • With macOS and Windows MDM turned off, enroll a Linux host and turn on disk encryption. Go to the Controls > OS settings > Disk encryption page and verify that all host counts for the macOS and Windows hosts display ---.
  • Turn on macOS MDM. Go to the Controls > OS settings > Disk encryption page and verify that the host counts for Windows hosts display ---. Now turn off macOS MDM and turn on Windows MDM. Verify that the macOS host counts display ---.

API

  • With macOS and Windows MDM turned off, enroll a Linux host and turn on disk encryption. Hit the Get disk encryption statistics API endpoint and verify that all host counts for the macOS and Windows hosts return null.
  • Turn on macOS MDM. Hit the Get disk encryption statistics API endpoint and verify that the host counts for Windows hosts return null. Now turn off macOS MDM and turn on Windows MDM. Verify that the macOS host counts are reset to null.
  • For each of these tests, also hit the Get host API endpoint and verify that the mdm.os_settings.disk_encryption status is correct. For example, when macOS MDM is turned off, the status should be empty.

Testing notes

Sarah: What if MDM is on for macOS but turned off for Windows and you have both hosts on the same team with encryption turned on?
Gabe: Tested and verified: when MDM is off for Windows and I move the host to a team with encryption on, it doesn't show up as pending. The minute I turn Windows MDM on and the host checks in, it does get added to the pending count.

Confirmation

  1. Engineer: Added comment to user story confirming successful completion of test plan.
  2. QA: Added comment to user story confirming successful completion of test plan.

Labels

  • #g-security-compliance: Security & Compliance product group
  • :product: Product Design department (shows up on 🦢 Drafting board)
  • story: A user story defining an entire feature
  • ~dogfood: Issue resulted from Fleet's product dogfooding.
