empayre/fleet
14
0
Fork 0
mirror of https://github.com/empayre/fleet.git synced 2024-11-06 08:55:24 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
ce56f1f6bc
fleet/articles/using-github-actions-to-apply-configuration-profiles-with-fleet.md
Eric fd1372c3b0
Website: Fix formatting issues in Github actions article (#12088) 
Changes:
- Replaced the double curly brackets in the Github action examples to
prevent the Fleet website from interpreting those examples as [Vue
templates](https://vuejs.org/guide/essentials/template-syntax.html#text-interpolation)
(Which causes Javascript errors and prevents the page from rendering)
- Updated the indentation of images in ordered lists and added newlines
to keep the formatting consistent.
2023-06-01 11:13:34 -05:00

9.9 KiB
Raw Blame History

Using GitHub Actions to apply configuration profiles with Fleet

Using GitHub Actions to apply configuration profiles with Fleet

In the ever-evolving realm of software management, automated workflows are an essential tool in maintaining system efficiency and security. At the heart of this drive towards automation is GitHub Actions, a powerful platform that enables developers to automate, customize, and execute software development workflows directly in their repositories. In this blog post, we focus on utilizing GitHub Actions with Fleet to apply the latest configuration profiles from your repository.

Fleet maintains a GitHub Action for this purpose, allowing you to call the action with parameters specific to your Fleet instance. This lets you maintain your systems with the latest updates, keeping them secure and operational. The process may sound daunting, but it is efficient and straightforward.

This post will detail two methods to achieve the same result - an automated workflow that applies the latest configuration profiles to your fleet. We will delve into the specifics of setting up an action file in your repository, mapping out the variables, creating encrypted secrets, and configuring your fleet with the Fleet gitops workflow.

By the end of this guide, you'll have a fully operational GitHub action set up within your Fleet instance. This automated system will ensure your fleet remains up-to-date and secure, maximizing efficiency and reliability in your operations. Welcome to a more streamlined approach to fleet management.

Create a GitHub action

Fleet maintains a GitHub Action for applying the latest configuration profiles in Fleet. You can call this action with parameters specific to your Fleet instance. We will outline two different methods that all lead to the same result.

  1. Overview:
    1. Create a .github/workflows directory in your repo if it does not already exist.
    2. Inside the .github/workflows directory, create a new file named fleetctl-team.yml
    3. In the fleetctl-team.yml, add the minimum recommended workflow:
name: Apply latest configuration profiles (example)
    on:
      push:
        branches:
          - main
        paths:
          - "path/to/**.mobileconfig"
      workflow_dispatch: # Manual

    # This allows a subsequently queued workflow run to interrupt previous runs
    concurrency:
      group: ${ github.workflow }-${ github.head_ref || github.run_id}
      cancel-in-progress: true

    defaults:
      run:
        # fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
        shell: bash

    permissions:
      contents: read

    env:
      FLEET_API_TOKEN: ${ secrets.FLEET_API_TOKEN }
      FLEET_URL: ${ secrets.FLEET_URL }
      TOKEN_USED_BY_PROFILE: ${ secrets.TOKEN_USED_BY_PROFILE }

    jobs:
      apply-profiles:
        timeout-minutes: 5
        runs-on: ubuntu-latest
        steps:
          - name: Apply configuration profiles and updates
            uses: fleetdm/fleet-mdm-gitops@026ee84a69cb89c869fedbe27c969bf89def418b
            with:
              FLEET_API_TOKEN: $FLEET_API_TOKEN
              FLEET_URL: $FLEET_URL
              FLEET_TEAM_NAME: Workstations
              MDM_CONFIG_REPO: fleetdm/fleet
              MDM_CONFIG_DIRECTORY: mdm_profiles
              MAC_OS_MIN_VERSION: 13.3.2
              MAC_OS_VERSION_DEADLINE: 2023-06-15
              MAC_OS_ENABLE_DISK_ENCRYPTION: true

The example configuration profile action takes advantage of variables on workflow run. Learn more about Variables in GitHubActions.

  1. Using the GitHub UI:

    1. On GitHub.com, navigate to the main page of the repository.
    2. Under your repository name, click Actions.

    Click Actions under your GitHub repository name

    1. Create a new Action by either

      1. Following the link to set up a workflow yourself

      Get started with GitHub Actions, click "set up a workflow yourself"

      Or

      1. Clicking the add new button.

    2. Name your yaml file fleetctl-team.yml Name your yaml file.

    3. Under Marketplace in the right column, search for “Fleet.”
      Search for Fleet in the marketplace

    4. Click on Apply latest configuration profiles via Fleet to expand the listing.
      Expland the marketplace listing.

    5. Click the copy icon
      Click the copy icon.

    6. Paste into your yaml file, and set the variables
      Paste into your yaml file, and set the variables

    7. Click Commit changes…
      Click Commit changes…

What do these variables do?

FLEET_API_TOKEN: This is your Fleet API Token or an API-only user.

FLEET_URL: This is the URL of your Fleet instance.

FLEET_TEAM_NAME: Fleet team name to apply MDM configuration profiles to. The default is Workstations.

MDM_CONFIG_REPO: Repository containing MDM configuration profiles. The default is fleetdm/fleet.

MDM_CONFIG_DIRECTORY: Directory in the repo where MDM configuration files are stored. The default is mdm_profiles.

MAC_OS_MIN_VERSION: Minimum macOS version of hosts. The default is 13.3.1.

MAC_OS_VERSION_DEADLINE: Deadline for macOS version to be enforced. The default is 2023-05-15.

MAC_OS_ENABLE_DISK_ENCRYPTION: Enable disk encryption, also known as FileVault. The default is true.

Create encrypted secrets

  1. On GitHub.com, navigate to the main page of the repository.

  2. Under your repository name, click Settings.

  3. In the "Security" section of the sidebar, select Secrets and variables, then click Actions.

  4. Click the Secrets tab.
    Click the Secrets tab.

  5. Click New repository secret.

  6. In the Name field, enter FLEET_API_TOKEN as the name for your secret.

  7. In the Secret field, enter your Fleet API token as the value for your secret.
    Enter your Fleet API token

  8. Click Add secret.

  9. Repeat this process for the FLEET_URL secret.

Configure your fleet with Fleet gitops workflow

Now we can add configuration profiles to the mdm_profiles directory, create a pull request, and once merged, the Github action implemented above will automatically trigger to spin up and apply the profile using fleetctl based on the push paths defined in the action.

on:
  push:
    branches:
      - main
    paths:
      - "path/to/**.mobileconfig"

Conclusion

Setting up a GitHub action with Fleet is an efficient and straightforward process that allows you to apply the latest configuration profiles seamlessly. This method utilizes a yaml file within your repository to set specific parameters and create a robust automated workflow. The three methods we outlined all lead to the same result an automated system for managing your fleet.

With this in place, you need to trigger your GitHub action by adding configuration profiles to your repo and creating a pull request. It will automatically apply the profile using fleetctl, ensuring your Fleet instance remains current and secure. This makes managing your fleet significantly more efficient, taking full advantage of the power of automation. Through the steps outlined above, you can easily set up a streamlined, automated system for maintaining your fleet, with increased visibility and collaboration, improved security and compliance, version control, and ensuring maximum efficiency and reliability in your operations.