Policy automations: install App Store apps on macOS

[marko-lisica]

Goal

User story
As an IT admin,
I want to install App Store apps automatically when a macOS host fails a policy
so that I can deploy App Store apps to many hosts without having to use 3rd party automation tool (e.g. Tines).

Objective

Mission critical app management

Original requests

#22616

Context

• Product designer: @marko-lisica

Changes

Product

• UI changes: Figma link
• CLI (fleetctl) usage changes: No changes.
• YAML changes: [API design / YAML changes] Policy automations: install App Store apps on macOS #23435
• REST API changes: [API design / YAML changes] Policy automations: install App Store apps on macOS #23435
• Fleet's agent (fleetd) changes: No changes.
• Activity changes: Make sure that if App Store app install is triggered by policy actor_name is Fleet
• Permissions changes: No changes.
• Changes to paid features or tiers: Available in Fleet Premium only
• Other reference documentation changes: No changes.
• Once shipped, requester has been notified

Engineering

• Feature guide changes:
  • Update Automatic software install guide to reference App Store apps on macOS
  • Update Install App Store (VPP) apps guide to mention automatic install and link to guide above
• Database schema migrations: TODO
• Load testing: TODO

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

• Requires load testing: TODO
• Risk level: Low / High TODO
• Risk description: TODO

Manual testing steps

1. Step 1
2. Step 2
3. Step 3

Testing notes

Confirmation

1. Engineer (@____): Added comment to user story confirming successful completion of QA.
2. QA (@____): Added comment to user story confirming successful completion of QA.

[sharon-fdm]

#23170 is a duplicate and was closed.

[ambrusps]

@noahtalerman adding some context here from customer-fourier: https://fleetdm.slack.com/archives/C07RX27HW4U/p1729724660779979

[marko-lisica]

@georgekarrv heads up, this is ready to spec.

[getvictor]

Rough engineering tasks:

Frontend

• Update the software titles page
• Update install software automation modal
• Update activity feed processing to show new Fleet user

Backend

• Add a join table for policy and adam_id. Since VPP apps are macOS-specific, we should use a join table. If the policy is deleted, cascade. As a side effect, this allows for a future one policy to many VPP installs feature.
• Update PATCH /api/v1/fleet/teams/:team_id/policies/:policy_id endpoint to accept a VPP app in software_title_id parameter.
• Add logic to install VPP app on policy failure. Use Policy automations: install software #19551 as a guide.
• Update policy and software title endpoints to return vpp/adam_id info.
• Add a check when deleting VPP app if it is linked to policy. If linked, fail the deletion.
• Update NewActivity to allow a generic Fleet user. Use ID=0 as a convention for this user.
• Update automatic VPP install activity feed to use Fleet user.
• Update GitOps to allow app_store_app_id in policies.

Other

• Update usage guides