Fleet logo
Menu An icon indicating that interacting with this button will open the navigation menu.
Fleet logo An 'X' icon indicating that this can be interacted with to close the navigation menu.
Device management + MDM Observability + scripting, monitoring Software management + CVEs, usage, app library Integrations
Get started Built-in checks Raw data Tutorials & guides API SUPPORT Chat Contribute Release notes "Why is Fleet on my computer?" Get your license
Stories
What people are saying News Ask around Take a tour COMPANY Origins   (Fleet & osquery) The handbook Logos/artwork Why open source?
Pricing Try it yourself
{{thisPage.meta.articleTitle}}
search

Puppet module

{{articleSubtitle}}

| The author's GitHub profile picture

Noah Talerman

Share this article on Hacker News Share this article on LinkedIn Share this article on Twitter
Docs Docs REST API REST API Guides Guides Talk to an engineer Talk to an engineer

Puppet module

{{articleSubtitle}}

| The author's GitHub profile picture

Noah Talerman

Puppet module

Available in Fleet Premium

Use Fleet's Puppet module to automatically install custom configuration profiles on your macOS hosts based on host attributes you define in Puppet.

The module also includes functions for releasing a macOS host from Await Configuration and sending any custom MDM commands.

Setup

To set up the Puppet module, we will do the following steps:

  1. Install the Puppet module
  2. Configure Puppet to talk to Fleet using Hiera
  3. Set Fleet as a reporter

Step 1: install the Puppet module

Install Fleet's Puppet module. For more instructions on how to install Puppet modules, check out the Puppet docs here.

Step 2: configure Puppet to talk to Fleet using Heira

  1. In Fleet, create an API-only user with the GitOps role. Instructions for creating an API-only user are here.

  2. Set the fleetdm::token and fleetdm::host values to the API token of your API-only user and your Fleet server's URL, respectively. Here's an example of the Hiera YAML:

fleetdm::host: https://fleet.example.com
fleetdm::token: your-api-token

Puppet docs on configuring Hiera are here.

If you have staging and production Puppet environments, you can optionally set different values for each environment. This allows you to have your staging and production environments that talk to separate staging and production Fleet servers.

Step 3: set Fleet as a reporter

In your Puppet configuration, set http:fleetdm as the value for reports. Here's an example of the Puppet configuration:

reports = http,fleetdm

Puppet configuration reference docs are here.

Install configuration profiles

Using the Puppet module you can define the set of configuration profiles for each host (Puppet node) and Fleet will create a team with these profiles and assign the host to that team.

When a host is assigned to a team in Fleet, all configuration profiles for that team are installed on the host.

As an example, let's install one configuration profile on all hosts. Here's what your Puppet code will look like:

node default {
  fleetdm::profile { 'com.apple.payload.identifier':
    template => template('example-profile.mobileconfig'),
    group    => 'MacOS workstations',
  }
}

This will create a team called "MacOS workstations" with the example-profile.mobileconfig configuration profile and assign all hosts to this team.

Use the group parameter to define the team name in Fleet.

As another example, let's assign one configuration profile to all hosts and another configuration profile to only my M1 hosts. Here's what your Puppet code will look like:

node default {
  fleetdm::profile { 'com.apple.payload.identifier-1':
    template => template('example-profile.mobileconfig'),
    group    => 'MacOS workstations',
  }

  if $facts['architecture'] == 'intel' {
      fleetdm::profile { 'com.apple.payload.identifier-2':
        ensure => absent,
        template => template('m1-only.mobileconfig'),
        group    => 'Intel',
      }
  } else {
      fleetdm::profile { 'com.apple.example-2':
        template => template('com.apple.payload.identifier-2'),
        group    => 'MacOS workstations',
      }
  }
}

This will create two teams in Fleet:

  1. "MacOS workstations" with two configuration profiles: example-profile.mobileconfig and m1-only.mobileconfig.
  2. "MacOS workstations - Intel" with one configuration profile: example-profile.mobileconfig.

Set the ensure parameter to absent to create teams that exclude specific profiles.

For more examples check out the examples/ folder in Fleet's GitHub repository here.

An icon indicating that this section has important information

Note that all teams created by Puppet inherit the bootstrap package, macOS Setup Assistant settings, and end user authentication settings from "No team." Learn more about these here. In addition all teams automatically enable disk encryption. Learn more about disk encryption here.

Release host

If you set enable_release_device_manually to true in your macOS setup experience, you can use the fleetdm::release_device function to release the host from the Setup Assistant.

Here's what your Puppet code, with error handling, will look like:

$host_uuid = $facts['system_profiler']['hardware_uuid']
$response = fleetdm::release_device($host_uuid)
$err = $response['error']

if $err != '' {
  notify { "error releasing device: ${err}": }
}

Custom commands

You can use the fleetdm::command_xml function to send any custom MDM command to a host.

Here's what your Puppet code, with error handling, will look like:

$host_uuid = $facts['system_profiler']['hardware_uuid']
$command_uuid = generate('/usr/bin/uuidgen').strip

$xml_data = "<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE plist PUBLIC '-//Apple//DTD PLIST 1.0//EN' 'http://www.apple.com/DTDs/PropertyList-1.0.dtd'>
<plist version='1.0'>
<dict>
    <key>Command</key>
    <dict>
        <key>RequestType</key>
        <string>EnableRemoteDesktop</string>
    </dict>
    <key>CommandUUID</key>
    <string>${command_uuid}</string>
</dict>
</plist>"

$response = fleetdm::command_xml($host_uuid, $xml_data)
$err = $response['error']

if $err != '' {
  notify { "Error sending MDM command: ${err}": }
}

The above example includes the XML payload for the EnableRemoteDesktop MDM command. Learn more about creating the payload for other custom commands here.