[EDR Workflows][Device Control] Policy configuration

[szwarckonrad]

Follow up #229921

This PR adds support for Trusted Devices management in Endpoint policy settings, introducing new UI and backend capabilities gated by license and product feature checks.

Final card

Key Features

• Trusted Devices Privilege:
  Users can be assigned a "Trusted Devices" privilege, granting access to the Device Control panel within policy settings.

  📷 Screenshots

  

• Product Feature Flag:
  Adds the endpointTrustedDevice product feature, available as part of the Endpoint Complete Serverless PLI.

• Device Control Section:
  Policies now include a Device Control section, allowing users to enable/disable the feature and set the required protection level.

• Feature Flag Coverage:
  All UI and backend flows are orchestrated by a dedicated feature flag to ensure consistent enablement and rollout.

Supported Scenarios

• Exitsting Policy:
  When upgrading to this version, existing endpoint policies will display the Device Control section (disabled by default).

  📷 Screenshots

  

• New Policy Creation:
  New policies have Device Control enabled and set to "Block all" by default.

  📷 Screenshots

  

• Serverless Upsell:
  On Serverless, users without Endpoint Complete tier see an upsell component in place of Device Control.

  📷 Screenshots

  

• ESS Upsell:
  On ESS, users without an Enterprise license see an upsell component instead of Device Control.

  📷 Screenshots

  

• API Enforcement:
  All API endpoints for policy creation/modification are gated with PLI and license checks to prevent unauthorized use of Device Control.

• Compliance Task:
  A background task checks all policies for compliance with enabled features. Device Control is automatically disabled on non-compliant policies.

[elasticmachine]

Pinging @elastic/security-defend-workflows (Team:Defend Workflows)

[szwarckonrad]

@gergoabraham @paul-tavares

This feature is too large to land in a single PR, so I’ll be splitting the work into reasonably scoped chunks. This is the initial PR, which introduces the policy settings UI for Device Control. More importantly, it also lays down the internal logic for handling permission validation, license downgrades, and related mechanisms.

All texts should be treated as placeholders for now - final copy is still in progress.

Crucially, all changes are gated behind a feature flag. Please double-check that nothing unintentionally affects existing policy behavior when the flag is off (which will be the case after merge).

Thanks! :)

[elasticmachine]

Pinging @elastic/fleet (Team:Fleet)

[PhilippeOberti]

Left a comment, not a blocker just an fyi :)

[paul-tavares]

👍

[jen-huang]

Fleet auth changes LGTM

[gergoabraham]

looks great! added some small stuff, but no blockers 🚀 nice work!

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 3abead6

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id	before	after	diff
securitySolution	7813	7819	+6
securitySolutionServerless	143	144	+1
total			+7

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
securitySolution	10.3MB	10.3MB	+10.3KB
securitySolutionServerless	55.1KB	58.7KB	+3.6KB
total			+13.9KB

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id	before	after	diff
fleet	171.0KB	171.2KB	+278.0B
securitySolution	94.4KB	94.5KB	+68.0B
securitySolutionEss	30.6KB	30.7KB	+52.0B
securitySolutionServerless	44.2KB	44.5KB	+275.0B
total			+673.0B

Unknown metric groups

async chunk count

id	before	after	diff
securitySolutionServerless	18	19	+1

History

• 💚 Build #325916 succeeded ea3b746
• 💚 Build #325552 succeeded ae1b13d
• 💔 Build #325494 failed 14daca5
• 💚 Build #325442 succeeded a4c09d3
• 💛 Build #324769 was flaky ff25c0b
• 💔 Build #324752 failed 03a4d9e

cc @szwarckonrad