Add enable_release_device_manually setting to team and no-team

[mna]

#17401

Checklist for submitter

• Changes file added for user-visible changes in changes/ or orbit/changes/.
  See Changes files for more information.
• Input data is properly validated, SELECT * is avoided, SQL injection is prevented (using placeholders for values in statements)
• Added/updated tests

[codecov]

Codecov Report

Attention: Patch coverage is 90.90909% with 5 lines in your changes are missing coverage. Please review.

Project coverage is 65.62%. Comparing base (aef64e3) to head (be407ac).

Files	Patch %	Lines
ee/server/service/mdm.go	50.00%	4 Missing and 1 partial ⚠️

Additional details and impacted files

@@                      Coverage Diff                      @@
##           feat-prefill-account-name   #17698      +/-   ##
=============================================================
- Coverage                      65.67%   65.62%   -0.06%     
=============================================================
  Files                           1193     1193              
  Lines                         108026   108077      +51     
  Branches                        2574     2574              
=============================================================
- Hits                           70947    70926      -21     
- Misses                         31709    31768      +59     
- Partials                        5370     5383      +13     

Flag	Coverage Δ
backend	66.63% <90.90%> (-0.06%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[mna]

This implements setting the new enable_release_device_manually config option and validating that await_device_configured cannot be provided in a macOS setup assistant. It doesn't implement sending the MDM command to release the device, this will be in a subsequent PR. This PR should unblock finishing wiring up the UI (@ghernandez345 FYI), the rest of the work should be backend only.

[mna]

@noahtalerman @roperzh This is the settings used when creating a new team from a Puppet run (the preassignment step), it already copies the MacOS Setup Assistant and End-user authentication settings from the no-team (global) config. Should it also copy the new EnableReleaseDeviceManually global setting?

Note that ModifyTeam (called next) only supports the end-user authentication update, not the macos_setup_assistant, so I don't think this really copies that path information unless I'm missing something. It would need to call "Apply Team Specs" to do so.

[roperzh]

For the usage the customer is doing I think it should mirror it as well 👍 . They want to:

1. Define the ABM settings in the "default ABM team"
2. Make sure that hosts still have those settings, even after the Puppet module reassigns the host to a different team.

[mna]

Gotcha, thanks! I think this will require switching from ModifyTeam to ApplyTeamSpecs so that the whole range of settings can be updated.

[roperzh]

damn, sorry about that! I remember we do special handling for the bootstrap package, maybe for this same reason.

[mna]

Quite possibly. Yeah this is very error-prone, the fact that ModifyTeam only handles few if any configs (it was none at first I think, but disk encryption was moved and was added there).

[mna]

So as mentioned in standup, if you don't mind I'll address that change in a future PR, so we can land this in the feature branch and Gabe can integrate the UI with the API changes.

[roperzh]

absolutely! makes sense!