People have asked about creating profiles using a model similar to OOP class inheritance.
I want to discuss another idea which is to create and deliver profiles via payload composition.
Payloads vs Profiles
As you know, profiles are the "container" for one or many payloads. They represent a chunk of configuration. Payloads on the other hand cover a single topic of configuration, which seems to me like a great place to draw a line when you are attempting to slice this problem into a lower level abstraction.
From what I can see, there are two approaches to configuration management via profiles. More commonly people will use a single payload per profile to deal with that piece of configuration individually. If you're using Profile Manager (why?) you might be dealing with a whole chunk of configuration for a single user or device.
The first use case really highlights the fact that most of the time you are using profiles as a wrapper for the most atomic level of configuration available, which is a payload. But you might recognise that there are problems with composition if you have two of the same payload.
I propose that we deal exclusively with payloads as the primary unit of config within the system, and there are a few problems that come along with this approach. I think that the problem of creating a profile inheritance hierarchy can be solved via composition instead.
Payload Editing and Composition
Ok, so the payload is the basic unit of configuration. This simplifies UI layouts for payload editing because you only need to focus on a single PayloadType for each "editor" UI.
The composition comes in when it is time to generate a profile. First of all you have the flexibility to define many payloads outside of a profile. This means that you can re-use an element of configuration (payload) in many different profiles.
This also means that you can change details within a single payload and have all dependent profiles updated to include the new information.
The end user would generate a payload for each item of configuration they wanted to manage (maybe several payloads of the same type if they differ for different departments). The system would then provide a way of generating a profile based upon a given collection of payload UUIDs.
This model could be extended to support a kind of inheritance via composition if groups of payloads could include nested groups of payload within themselves.
In this way you can abstract out the common payload elements and then create new compositions that articulate settings that are catered to a specific group.
Problems
Problems occur with this abstraction when functionality depends on the top-level Profile keys.
Largely this isn't a problem except for PayloadIdentifier
.
PayloadIdentifier is the single field responsible for identifying whether a profile should be entirely replaced, or a new one added.
There are two approaches to solving this issue:
- Every composition of payloads is assigned an identifier for its resulting profile OR
- The
PayloadIdentifier
field is generated based upon the composition of payloads within the profile. One algorithm might be joining all of the UUIDs present in the profile, sorted lexicographically.
The advantage of the second approach is that the composition of two profiles with the same content results in the same identifier, so it isn't necessary to store a one-many or many-many relationship of profile IDs to payloads.
I'm still not absolutely sure about the functionality of PayloadIdentifier
within individual payloads and whether an identical value there causes the domain plugin to skip over the payload. I would propose that a hash of the payload content be used to generate each payload identifier so that any change in the content is reflected if that's the case.
Tidbits
It could be possible to provide an endpoint that generates a profile based on payload UUIDs like so:
https://micromdm.dev/payloads/profile/{uuid1},{uuid2},{uuid3}
.
This could be handy for downloading composed profiles on the fly, and the profile identifier is guaranteed to be the same which means the profile is replaced each time you download and install it.
That's all for now! I hope that generates some ideas or questions in any case.
m