Improve device trust audit events when using Jamf sync #49147

Open
zmb3 opened this issue Nov 18, 2024 · 3 comments
Labels: audit-log, devicetrust, feature-request, platform-security

Comments

@zmb3
Collaborator

zmb3 commented Nov 18, 2024

When using Jamf to sync device inventory, the Device Updated audit events show up in the web UI as:

User [<LONG_GUID_HERE>.example.teleport.sh] has updated a device.

There are a few problems with this:

  • It says "user" but this is more of system activity than user activity
  • It's not clear what the UUID in the description refers to.
  • The event description doesn't mention Jamf at all.

Clicking the details to see the raw audit event shows something like this:

{
  "cluster_name": "exampe.teleport.sh",
  "code": "TV001I",
  "device": {
    "asset_tag": "ABC123XYZ",
    "device_id": "5523db18-e72a-46e5-a123-e8f33d19d006",
    "device_origin": 2,
    "os_type": 2
  },
  "ei": 0,
  "event": "device.create",
  "success": true,
  "time": "2024-11-18T17:51:44.256Z",
  "uid": "41b15373-ff84-4aaf-8b52-e29c5f13fe01",
  "user": "9af86a59-1fda-4350-af3c-4b98e4e837b7.example.teleport.sh",
  "user_kind": 1
}

If you're not an expert in Teleport's source code you probably don't know that "device_origin": 2 means Jamf, nor do you know what os_type and user_kind are referring to.

Consider marshaling these enums with descriptive strings rather than numbers, and improving the summary description that shows up in the web UI.

zmb3 added the audit-log, devicetrust and feature-request labels Nov 18, 2024
@zmb3
Collaborator Author

zmb3 commented Nov 18, 2024

FYI @codingllama

@codingllama
Contributor

Fair enough, this took me a while to figure out too (although I did suspect UUID.example.teleport.sh was a service user).

Suggestions:

  1. user: use "Jamf Service (UUID.example.teleport.sh)"
  2. user_kind: this is part of UserMetadata and technically how Teleport sees system users. I'd rather not touch it only for this.
  3. device_origin and os_type: add device_origin_name and os_type_name fields with the human-friendly variants for those. (Best not to change the marshal format now.)

How does this sound?
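
Suggestion 3 above, sketched as an added example for a log pipeline that consumes these events (this is not Teleport's code and not part of the original thread). The function names, the summary format and every enum name except `device_origin` 2 = Jamf are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Only device_origin 2 = Jamf is stated in the issue; every other name here is
// an assumption to verify against your Teleport version's enum definitions.
var originNames = map[int]string{1: "api", 2: "jamf", 3: "intune"}
var osNames = map[int]string{1: "linux", 2: "macos", 3: "windows"}

// label never guesses: unmapped values stay visible as "unknown(N)".
func label(names map[int]string, v interface{}) string {
	n, ok := v.(float64) // encoding/json decodes JSON numbers as float64
	if !ok {
		return "unknown"
	}
	if s, ok := names[int(n)]; ok {
		return s
	}
	return fmt.Sprintf("unknown(%d)", int(n))
}

// Enrich adds device_origin_name and os_type_name beside the numeric fields, which
// stay untouched for existing consumers, and returns a summary naming the origin.
func Enrich(raw []byte) (map[string]interface{}, string, error) {
	var ev map[string]interface{}
	if err := json.Unmarshal(raw, &ev); err != nil {
		return nil, "", fmt.Errorf("parse audit event: %w", err)
	}
	dev, ok := ev["device"].(map[string]interface{})
	if !ok {
		return ev, "", nil // not a device event: pass through unchanged
	}
	origin, osName := label(originNames, dev["device_origin"]), label(osNames, dev["os_type"])
	dev["device_origin_name"], dev["os_type_name"] = origin, osName
	summary := fmt.Sprintf("%v: device %v (%s), origin=%s, actor=%v", ev["event"], dev["asset_tag"], osName, origin, ev["user"])
	return ev, summary, nil
}

// Constructed sample, trimmed from the event quoted in the issue.
const sample = `{"code":"TV001I","device":{"asset_tag":"ABC123XYZ","device_origin":2,"os_type":2},"event":"device.create","user":"UUID.example.teleport.sh","user_kind":1}`

func main() {
	if _, summary, err := Enrich([]byte(sample)); err == nil {
		fmt.Println(summary)
	}
}
```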

@zmb3
Collaborator Author

zmb3 commented Nov 18, 2024

Sounds good.

We could at least use the user_kind value to format the event description.
