VPP app install retry on 9610

[MagnusHJensen]

Related issue: Resolves #36724

This PR updates the VPP Software installation (Apple association) to use the V1 API which is non-async.
It also retries VPP apps if we receive a 9610 error 3 times.

Checklist for submitter

If some of the following don't apply, delete the relevant line.

• Changes file added for user-visible changes in changes/, orbit/changes/ or ee/fleetd-chrome/changes.
  See Changes files for more information.

Testing

• Added/updated automated tests
• QA'd all new/changed functionality manually

[codecov]

Codecov Report

❌ Patch coverage is 77.98742% with 35 lines in your changes missing coverage. Please review.
✅ Project coverage is 65.86%. Comparing base (9f29fd1) to head (a701134).

Files with missing lines	Patch %	Lines
server/datastore/mysql/vpp.go	81.20%	13 Missing and 12 partials ⚠️
...igrations/tables/20260108214732_AddHostVPPRetry.go	66.66%	3 Missing and 1 partial ⚠️
server/service/apple_mdm.go	63.63%	2 Missing and 2 partials ⚠️
server/datastore/mysql/activities.go	33.33%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #38008      +/-   ##
==========================================
- Coverage   65.87%   65.86%   -0.01%     
==========================================
  Files        2392     2392              
  Lines      190799   190739      -60     
  Branches     8364     8310      -54     
==========================================
- Hits       125689   125638      -51     
+ Misses      53690    53673      -17     
- Partials    11420    11428       +8     

Flag	Coverage Δ
backend	67.70% <77.98%> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[iansltx]

Erm, why are we adding use of a deprecated API? Seems like we'll have to back this out sooner rather than later.

[MagnusHJensen]

That is a good question, we decided to do that since the move to V2 is not actually fully supported by us.
We moved, and started using batch/async endpoints but never implemented the notifications service that actually gets the response of those calls.

The async nature of that, plus no validation lead us to wanting to do it in a sync manner (V1), until we can prioritize the story to build out the Apple Notifications Service integration.

We followed it up with 3 retries, but since they are pretty close to the actual call, we weren't certain it is enough and we don't have a good/reliable way to reproduce this locally, as we think it stems from large orgs that hit apple API's a lot, therefore Apple might be slower in their envs.

[JordanMontgomery]

I think using this seems fine as Apple has deprecated it but doesn't seem to be saying they're going to stop supporting it yet. I think we should add a caveat here to make callers aware of this limitation. We probably don't want to change tihs to ever do multi-assignment without more work

[gillespi314]

We probably don't want to change tihs to ever do multi-assignment without more work

Given this concern, maybe we should change the function signature so that we only allow a single serial number rather than a slice as currently contemplated by the type of AssociateSerialNumbers?

[MagnusHJensen]

As per our MDM stand-up, we reverted the v1 change, and kept the 3 times retry

[gillespi314]

Does the retry count ever get reset? If the cap is reached, does that prevent the admin/end user from trying to install again later?

[JordanMontgomery]

From my understanding(and testing on my local fleet server) re-running a VPP install creates a new row(and as such a new counter) in host_vpp_software_installs

[JordanMontgomery]

I think this looks good, would still like to see what software says