- Fixed policy creation failing when type was omitted.
- Fixed auth token not persisting when logging in via SSO.
- Fleet UI: Fixed an infinite pagination loop on the software table page that occurred when viewing a subsequent page and then filtering with the software filter dropdown.
- Fleet UI: Made the software table page number bookmarkable.
- Updated host software library to always allow filtering.
- Added retry functionality when adding software installers to Fleet via GitOps.
- Added `fleetctl new` command to initialize a GitOps folder.
- Added support for `paths:` key under `reports:`, `labels:` and `policies:` in GitOps files.
- Added glob support for `configuration_profiles` in GitOps files.
- Added support for referencing `.sh` or `.ps1` script files directly in the GitOps `path` field for software packages.
- Implemented `webhooks_and_tickets_enabled` flag for policies in GitOps.
- Added server config for allowing all Apple MDM declaration types.
- Added ability to use `FLEET_JIT_USER_ROLE_FLEET_` as a prefix on SAML attributes.
- Added `fleet_name` and `fleet_id` columns to hosts CSV export.
- Added resend button in the OS settings modal for iOS and iPadOS hosts.
- Added patch policies for Fleet-maintained apps that automatically update when the app is updated.
### Security Engineers
- Added support for NDES CA for Windows hosts.
- Added vulnerability scanning support for Windows Server 2025 hosts.
- Added OTEL instrumentation to Fleet's internal HTTP client.
- Added Content-Type header to Smallstep authorization requests to prevent Cloudflare from blocking them.
- Added ability to omit `secrets:` in GitOps files to retain existing enroll secrets on server.
- Fixed python package false positives on Ubuntu, such as `python3-setuptools` on Ubuntu 24.04 with version 68.1.2-2ubuntu1.2.
- Fixed false positive vulnerabilities for Mattermost Desktop.
### Other improvements and bug fixes
- Most top-level keys can now be omitted from GitOps files in place of supplying them with an empty value.
- Improved host search to always match against host email addresses, not only when the query looks like an email.
- Prevented a 500 error on the host details page when an MDM command reference in `host_mdm_actions` pointed to a non-existent command (orphan reference).
- Allowed Fleet-maintained apps to be added even if their configured default categories are not available in older builds (applies from this point forward).
- Migrated to using Policy `critical` option when disallowing Okta conditional access bypass.
- Updated DEP enrollment flow to apply minimum macOS version check when specified.
- Updated GitOps to fail runs when unknown keys are detected in files.
- Updated default last opened time diff to 2m to increase the chances of updating the last opened time for software that is opened frequently.
- Updated the host results endpoint URL to be consistent with the other URLs.
- Added tooltip to batch run result host count to clarify that the count might include deleted hosts.
- Updated table heading and result filter styles.
- Reordered the columns on the Hosts page.
- Updated Fleet desktop to surface custom transparency links to the device user.
- Changed `PostJSONWithTimeout` to log response body in error case.
- Removed the unused and confusingly-named `--mdm_apple_scep_signer_allow_renewal_days` config.
- Refactored `NewActivity` functionality by moving it to the new activity bounded context.
- Modified Android certificate renewal logic to make it easier to test.
- Trimmed incoming `ABM` suffix for Arch Linux hosts so Arch OSs are grouped together in the database and UI.
- Updated determination process used for selecting which user email address to use when scheduling a maintenance event for a host failing policies.
- Added license checks for `fleet-free` targeting queries by label.
- Added APNs expiry banner in the UI for Fleet free users.
- Added error if GitOps/batch attempts to add setup experience software when manual agent install is enabled.
- Added Fleet-maintained app utilization to anonymous usage statistics collected by Fleet.
- Surfaced data constraints using the proper HTTP status code on the `/api/v1/fleet/scim/users` endpoint.
- Updated macOS device details UI to delay showing FileVault "action required" notifications banner during the first hour after MDM enrollment to allow sufficient time for Fleet to automatically escrow keys from ADE devices.
- Added an early return in the `PUT /hosts/{id}/device_mapping` endpoint so that setting the same IDP email that is already stored no longer triggers unnecessary database updates, activity log entries, or profile resends.
- Improved cleanup functionality so that when deleting a host record, Fleet will now clean up host issues, such as failing policies and critical vulnerabilities associated with the host.
- Improved the way we verify Windows profiles to no longer rely on osquery for faster verification.
- Improved body parsing validation by using `http.MaxBytesReader` and wrapping gzip decode output too.
- Improved rate-limiting on conditional access endpoints.
- Finished migrating code from go-kit/log to slog.
- Updated UI for disabling stored report results for clarity.
- Revised which versions Fleet tests MySQL against to 9.5.0 (unchanged), 8.4.8, 8.0.44, and 8.0.39.
- Deprecated several configuration keys in favor of new names: `custom_settings` -> `configuration_profiles`, `macos_settings` -> `apple_settings`, `macos_setup` -> `setup_experience` and `macos_setup_assistant` -> `apple_setup_assistant`.
- Deprecated `setup_experience.bootstrap_package` in favor of `setup_experience.macos_bootstrap_package`.
- Deprecated `setup_experience.manual_agent_install` in favor of `setup_experience.macos_manual_agent_install`.
- Deprecated `setup_experience.enable_release_device_manually` in favor of `setup_experience.apple_enable_release_device_manually`.
- Deprecated `setup_experience.script` in favor of `setup_experience.macos_script`.
- Fixed an issue where the MDM section on the integration page did not update correctly when Apple MDM is turned off.
- Fixed an issue where iOS/iPadOS hosts couldn't add app store apps from the host library page.
- Fixed inaccurate error message when clearing identity provider settings while end user authentication is enabled.
- Fixed Microsoft NDES CA not being selectable after deleting an existing NDES CA without a page refresh.
- Fixed an issue where Apple setup experience could get stuck, if the device was in the middle of a SCEP renewal, and then re-enrolled.
- Fixed `secure.OpenFile` to self-heal incorrect file permissions via `chmod` instead of returning a fatal error.
- Fixed an issue where personal iOS and iPadOS enrollments could see software in the self-service webclip.
- Fixed table footer rendering unexpectedly in the host targets search dropdown.
- Fixed a security issue where canceling a pending lock or wipe command permanently deleted the original `locked_host`/`wiped_host` activity from the audit log. The original activity is now preserved, and the subsequent cancellation activity serves as the follow-up record.
- Fixed a dropdown rendering in the center of a row and pushing the save button down below the open dropdown options.
- Fixed end user authentication form to allow saving cleared IdP settings.
- Fixed inconsistent link styling in UI.
- Fixed the error resend button overflowing over the edge of the os settings modal table.
- Fixed CPE matching failing for software names that sanitize to FTS5 reserved keywords (AND, OR, NOT).
- Fixed table shifting left when clicking the copy hash icon in host software inventory.
- Fixed a bug where vulnerability counts increased over time due to orphaned entries remaining in the database after hosts were removed.
- Fixed a bug where software installers could create titles with the wrong platform.
- Fixed a bug where Fleet-maintained apps for Windows would not show as available in the list when they actually were.
- Fixed host search in live queries returning no results for observer users when many hosts on inaccessible teams matched the search term before accessible ones.
- Fixed live query host/team targeting to correctly scope `observer_can_run` to the query's own team, preventing observers from targeting hosts on other observed teams.
- Fixed alignment of tooltip text in the certificate details modal.
- Fixed a bug where a policy that links software to install failed to apply when that software package uses an environment variable in its YAML definition.
- Fixed error message when deleting a certificate authority (that is referenced by a certificate template) to show a helpful message instead of a raw database error.
- Fixed observer query bypass by restricting live query/report team targeting to only teams where the user has sufficient permissions, including global observers who are now limited to the query's own team when `observer_can_run` is true.
- Fixed a bug where manage hosts page header button text would wrap and distort at certain widths.
- Fixed an issue where `$FLEET_SECRET` was being double encoded, if set via GitOps.
- Fixed editing reports on free tier failing due to `labels_include_any` triggering a premium license check.
- Fixed a bug where certain incorrect resolved-in versions were reported for certain vulnerable versions of Citrix Workspace.
- Fixed DigiCert CA UPN variable substitution so each host receives a certificate containing its own unique values instead of another host's substituted values.
- Fixed alignment and spacing of the "rolling" tooltip next to "Arch Linux" in the host vitals card.
- Fixed select-all header checkbox not selecting rows on partial pages where not all rows are selectable.
- Fixed an issue where it was possible to configure `manual_agent_install` without specifying a bootstrap package via the API and GitOps.
- Fixed dead rows accumulating in software host counts tables by using an atomic table swap instead of in-place updates during the sync process.
- Fixed a bug where script packages (.sh, .ps1) incorrectly used the unsaved script size limit (10K characters) instead of the saved script limit (500K characters), preventing large scripts from being added as software packages.
- Fixed an issue where Windows MDM profiles could remain in pending if hosts acknowledged them too quickly after upload.
- Fixed an issue where users with the same ID as an invited user would be hidden from the users table, and fixed the users count to include invited users.
- Fixed the metadata extraction for `.pkg` macOS installers, which was introduced in `4.77.0` and could prevent updating some installers that were added in a previous Fleet version.
- **NOTE**: the fix may cause some installers that were added in Fleet `4.77.0` and later to fail to update with the message "The selected package is for different software". In this case, you will have to delete and re-add the installer. This will not only make it possible to update it successfully later, it will also create it with the correct metadata (name, version, bundle identifier).
- Fixed a crash on the "My device" page for Fleet Free instances. The page returned a 402 error when the host was assigned to a team because the device endpoint called a premium-only API, and also crashed when accessing undefined policies data.
- Stopped duplicate Fleet-maintained app entries from showing up in setup experience.
- Reduced database contention during the vulnerability cron.
- Added a secondary index on `host_software(software_id)` to improve query performance.
- Fixed an issue where the "add Fleet-maintained app" endpoint incorrectly added software to the Unassigned fleet.
- Muted deprecation warnings for body params when the "deprecated-field-names" topic is not enabled.
- Fixed custom app icons not getting set via GitOps when the same software title exists in multiple teams.
- Added support for enrolling fully managed Android hosts without a work profile.
- Added capability to uninstall Android apps on the device (and removal from self-service in the managed Google Play store) when an app is removed from Fleet.
- Added ability to allow or disallow end-users to bypass conditional access on a per-policy basis.
- Added filtering by platform and add status to the Software > Add Fleet-maintained apps table.
- Updated Android status reports to re-verify profiles that previously failed.
- Added ability to roll back to previously added versions of Fleet-maintained apps.
- Added new Technician role designed for help desk and IT support teams. Technicians can run scripts, view results, and install or uninstall software.
- Added support for JIT provisioning of the Technician role via SSO SAML attributes.
- Added automatic retries for failed software operations.
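The body-size hardening listed in this release (wrapping the raw body in `http.MaxBytesReader` and capping the gzip-decoded stream as well) is worth seeing in code, because capping only the compressed bytes leaves a handler open to decompression bombs: a few hundred compressed bytes can expand into hundreds of megabytes before any limit fires. The Go block below is an added example, not Fleet's own handler code; the 1 KiB limit, the endpoint path and the helper names (`readLimitedBody`, `process`, `gzipBytes`) are assumptions, and the oversized payload is constructed inline.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// ErrBodyTooLarge is returned when either the compressed or the decoded body
// exceeds the configured limit.
var ErrBodyTooLarge = errors.New("request body too large")

// readLimitedBody reads a request body under a byte cap. The raw (possibly
// compressed) stream is wrapped in http.MaxBytesReader; when the request is
// gzip-encoded, the decoded stream is capped too, so a small compressed body
// cannot expand past the limit. (Added example; Fleet's real handler differs.)
func readLimitedBody(w http.ResponseWriter, r *http.Request, limit int64) ([]byte, error) {
	var body io.Reader = http.MaxBytesReader(w, r.Body, limit)

	if strings.EqualFold(r.Header.Get("Content-Encoding"), "gzip") {
		zr, err := gzip.NewReader(body)
		if err != nil {
			return nil, err
		}
		defer zr.Close()
		// Read at most limit+1 decoded bytes: the single extra byte is enough
		// to detect that the decoded payload overflowed the cap.
		body = io.LimitReader(zr, limit+1)
	}

	data, err := io.ReadAll(body)
	if err != nil {
		var tooBig *http.MaxBytesError // returned by MaxBytesReader (Go 1.19+)
		if errors.As(err, &tooBig) {
			return nil, ErrBodyTooLarge
		}
		return nil, err
	}
	if int64(len(data)) > limit {
		return nil, ErrBodyTooLarge
	}
	return data, nil
}

// process simulates one POST with the given wire bytes and returns the number
// of decoded bytes the handler accepted. The endpoint path is illustrative.
func process(wire []byte, gzipped bool, limit int64) (int, error) {
	req := httptest.NewRequest(http.MethodPost, "/api/osquery/log", bytes.NewReader(wire))
	if gzipped {
		req.Header.Set("Content-Encoding", "gzip")
	}
	data, err := readLimitedBody(httptest.NewRecorder(), req, limit)
	if err != nil {
		return 0, err
	}
	return len(data), nil
}

// gzipBytes compresses b; used to construct the sample payloads below.
func gzipBytes(b []byte) []byte {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	zw.Write(b)
	zw.Close()
	return buf.Bytes()
}

func main() {
	const limit = 1024
	// Constructed inputs: a normal gzip body, and a "bomb" of 100,000 zero
	// bytes that compresses to well under the limit.
	normal := gzipBytes(bytes.Repeat([]byte("a"), 500))
	bomb := gzipBytes(make([]byte, 100_000))
	fmt.Printf("bomb is %d compressed bytes\n", len(bomb))
	n, err := process(normal, true, limit)
	fmt.Println("normal gzip body:", n, err)
	n, err = process(bomb, true, limit)
	fmt.Println("gzip bomb:", n, err)
}
```

Without the inner `io.LimitReader`, the bomb would pass the `MaxBytesReader` check (its compressed size is tiny) and `io.ReadAll` would happily allocate the full 100,000 decoded bytes; at realistic ratios that is the difference between a rejected request and an out-of-memory server.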
### Security Engineers
- Added ability to scan for kernel vulnerabilities on RHEL based hosts.
- Added AWS GovCloud RDS CA certificates to the RDS MySQL TLS bundle, enabling IAM authentication for Fleet deployments connecting to RDS in AWS GovCloud regions (us-gov-east-1, us-gov-west-1).
- Added CVE alias for python visual studio code extension.
- Added new activity for edited enroll secrets.
### Other improvements and bug fixes
- Renamed teams and queries to fleets and reports in the UI, API, CLI, and GitOps.
- Deprecated no-team.yml in GitOps in favor of unassigned.yml.
- Deprecated certain API field names to reflect the renaming of "teams" to "fleets" and "queries" to "reports".
- Updated Android MDM profiles to show up as pending on upload, the same as Apple MDM profiles.
- Improved the speed of a database query that runs every minute to avoid database locking.
- Added configurable body size limits for the `/api/osquery/log` and `/api/osquery/distributed/write` endpoints.
- Updated logic to trigger vulnerability webhook when on Fleet free tier.
- Updated storage of the auth token used in the UI.
- Dynamically alphabetized vitals on the host details page.
- Reworked how we handle server/worker delays to fix flaky tests.
- Disabled "Calendar" dropdown option in Policy > Manage automations for Unassigned.
- Added Go slog logging infrastructure and migrated a portion of the code from go-kit/log to slog.
- Added CTA to turn on Android MDM for Android software setup experience if MDM is not configured.
- Left-aligned "Critical" checkbox in Save policy form.
- Improved spacing on the Controls > OS Settings page.
- Updated to not allow editing Fleet-maintained app in the UI while GitOps mode is enabled.
- Updated to accept the previous device authentication token for up to one rotation cycle, so the My Device page URL remains valid after token refresh.
- Updated default macOS, iOS, and iPadOS update deadline time to 7PM (19:00) local time.
- Updated UI to enable adding/removing multiple Microsoft Entra tenant ids.
- Added additional logging for SCEP proxy requests and SCEP profile renewals.
- Added warning message on gitops label rename to clarify to users that renaming a label implies a delete operation.
- Added the ability to specify allowed Entra tenant IDs for enrollments.
- Updated the DEP syncer to properly reassign a profile when ABM unilaterally removes it.
- Increased the maximum script execution timeout from 1 hour (3600 seconds) to 5 hours (18000 seconds).
- Improved error handling on AWS DB failover. Fleet will now fail its health check if the primary DB is read-only, or trigger a graceful shutdown when write operations encounter read-only errors.
- Generated a server-side device token in the Okta conditional access flow when none exists or the current token is expired.
- Moved the copy button for text areas out of the text area itself and in line with its label.
- Removed unnecessary calls to `svc.ds.BulkSetPendingMDMHostProfiles` in `POST /api/latest/fleet/spec/fleets`.
- Internal refactoring: moved `/api/_version_/fleet/hosts/{id:[0-9]+}/activities` endpoint and `MarkActivitiesAsStreamed` to new server/activity bounded context.
- Added `logging.otel_logs_enabled` contributor config option to export server logs to OpenTelemetry.
- Added automatic tagging of prerelease/post-release versions on local build based on branch name.
- Added ability to enable/disable logs by topic.
- Improved detection of `DISPLAY` variable in X11 sessions.
- Updated the "Used by" column heading on the hosts page to "User email".
- Refactored query used for deleting host_mdm_apple_profiles in bulk to use Primary keys only.
- Added `team_id` to host details page param in URL to allow retaining team on refresh.
- Added help text on the software details page, below the installer status table, to explain the meanings of the counts.
- Added Country:US to new CA certs created by Fleet.
- Added error if GitOps/batch attempts to add setup experience software when manual agent install is enabled.
- Updated "Manage automations" button on the Queries and Policies pages to now always be visible, and disabled only when the current team has no queries of its own.
- Updated validation rules around the creation of labels to make sure only valid platforms are used.
- Improved host software inventory table's handling of long "Type" values.
- Updated expiration date of the auth token cookie to match the fleet session duration.
- Surfaced FMA version used and whether it's out of date in the UI.
- Updated nats-server dependency to resolve dependency vulnerabilities.
- Improved validation for host transfers.
- Fixed matching logic in the App component for page titles.
- Fixed adding Windows Fleet maintained apps failing when a software title with the same upgrade code already exists.
- Fixed an issue where GitOps would not respect the value set on `update_new_hosts` for macOS updates.
- Fixed an issue where duplicate kernels were reported in the OS versions API for RHEL-family distributions (RHEL, AlmaLinux, CentOS, Rocky, Fedora).
- Fixed issue where Windows Jetbrains products would not report the correct version number.
- Fixed a bug where custom software installer display names and icons were not used in the setup experience UI.
- Fixed a bug where the list activities API endpoint would fail with a database error when there were more than 65,535 activities and no pagination parameters were specified. The maximum `per_page` for activities endpoints is now 10,000.
- Fixed issue where MySQL IAM authentication could fail when a custom TLS CA/TLS config was set (for example GovCloud), by ensuring Fleet includes the configured TLS mode in IAM DSNs.
- Fixed styling issues for the UI when no enroll secret is present on a fleet.
- Fixed an issue where some UI users saw a blank gutter on the right side of parts of the UI.
- Fixed a bug where certain macOS app names could be ingested as empty strings due to incorrect ".app" suffix removal.
- Fixed install/uninstall of tarball packages to skip the "recently updated" status that waits for a change in software inventory.
- Fixed a bug where software installers could create titles with the wrong platform.
- Fixed a bug where two vulnerability jobs could run in parallel if one took longer than 2 hours.
- Fixed issue with hosts incorrectly reporting policy failures after policy label targets changed.
- Fixed client-side errors being incorrectly reported as server errors in OTEL telemetry.
- Fixed issue where the status name was wrapping at smaller viewport widths on the mdm card on the Dashboard page.
- Fixed false negative CVE-2026-20841 on Windows Notepad.
- Fixed false positive CVE for Nextcloud Desktop.
- Fixed rare CPE error when software name sanitizes to empty (e.g. only special characters).
- Fixed Android enrollment to associate hosts with SCIM users, populating full name, groups, and department in host vitals.
- Fixed a hover style issue in the label filter close button.
- Fixed mismatches between disk encryption summary counts vs hosts displayed.
- Fixed truncation of certificate fields containing non-ASCII characters.
- Fixed an issue where policy automation settings in the Other Workflows modal reverted to stale values after saving when using a MySQL read replica.
- Fixed query results cleanup cron failing with "too many placeholders" error by filtering to only saved queries and batching the SQL IN clause.
- Fixed DB lock contention during vulnerability cron's software cleanup that caused failures under load.
- Fixed pagination on the host software page incorrectly disabling the "Next" button when a software title has multiple installer versions.
- Fixed a bug where macOS systems previously enrolled in Fleet would not always go through setup experience after a wipe.
- Fixed stale software titles list after adding a VPP or fleet-maintained app by invalidating the query cache on success.
- Added support for dynamic SCEP challenges for Okta certs.
- Added a feature to allow IT admins to specify non-atomic Windows MDM profiles.
- Added GitOps support to fleet yaml to apply display_name to software package.
- Added enrollment support for iPod touch.
- Added `hash_sha256` and `package_name` query parameters to the `GET /api/v1/fleet/software/titles` endpoint to allow checking if a custom software package already exists before uploading. Both parameters require `team_id` to be specified.
- Added ability to set default URL for Fleet Desktop.
- Added logic to skip setup experience for hosts that were enrolled more than 1 day ago.
- Updated maximum software installer size to be configurable and bumped the default from 3 GB to 10 GiB.
- Added a check to fail any pending in-house app installs and cancel upcoming activities when unenrolling a host.
- Added `gzip_responses` server configuration option that allows the server to gzip API responses when the client indicates support through the `Accept-Encoding: gzip` request header.
- Allowed specifying an Apple Connect JWT for interacting directly with Apple APIs when retrieving VPP app metadata.
- Added logic to .pkg metadata extraction to match the root bundle identifier.
- Moved Windows automatic enrollment configuration instructions out of the UI and into the Windows MDM setup guide.
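The device-token change listed above (accepting the previous device authentication token for up to one rotation cycle, so the My Device URL survives a refresh) is easiest to reason about with a concrete check: exactly one generation back, and only until the next rotation would be due. The Go block below is an added example rather than Fleet's implementation; the one-hour interval, the in-memory `tokenStore` and its `rotate`/`authenticate` methods are assumptions made for illustration, and the host ID and token values are constructed.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// rotationInterval is the assumed token refresh cadence for this example;
// the real value is Fleet server configuration and is not shown here.
const rotationInterval = time.Hour

var ErrInvalidToken = errors.New("invalid or expired device token")

// tokenPair is one host's record: the live token plus the one it replaced.
type tokenPair struct {
	current   string
	previous  string
	rotatedAt time.Time // when current replaced previous
}

// tokenStore is an in-memory stand-in for the host device-token table.
type tokenStore struct {
	hosts map[uint]*tokenPair
}

func newTokenStore() *tokenStore { return &tokenStore{hosts: map[uint]*tokenPair{}} }

// rotate installs newToken for hostID and keeps only the immediately
// preceding token; anything older is dropped and stops authenticating.
func (s *tokenStore) rotate(hostID uint, newToken string, now time.Time) {
	p, ok := s.hosts[hostID]
	if !ok {
		p = &tokenPair{}
		s.hosts[hostID] = p
	}
	p.previous, p.current, p.rotatedAt = p.current, newToken, now
}

// authenticate resolves a presented token to its host. The current token is
// always accepted; the previous token is accepted only while the rotation
// cycle that replaced it is still running, so a My Device URL issued just
// before a refresh keeps working, but a stale token does not live on forever.
// A real store would index by token; the linear scan keeps this self-contained.
func (s *tokenStore) authenticate(token string, now time.Time) (uint, error) {
	for hostID, p := range s.hosts {
		if equal(token, p.current) {
			return hostID, nil
		}
		if p.previous != "" && equal(token, p.previous) && now.Sub(p.rotatedAt) < rotationInterval {
			return hostID, nil
		}
	}
	return 0, ErrInvalidToken
}

// equal compares tokens without leaking their contents through timing.
func equal(a, b string) bool {
	return subtle.ConstantTimeCompare([]byte(a), []byte(b)) == 1
}

func main() {
	// Constructed scenario: host 7 rotates from tok-A to tok-B at 01:00.
	s := newTokenStore()
	t0 := time.Date(2026, 1, 1, 0, 0, 0, 0, time.UTC)
	s.rotate(7, "tok-A", t0)
	s.rotate(7, "tok-B", t0.Add(time.Hour))
	for _, at := range []time.Duration{90 * time.Minute, 2 * time.Hour} {
		_, err := s.authenticate("tok-A", t0.Add(at))
		fmt.Printf("tok-A at +%v: %v\n", at, err)
	}
}
```

The two bounds matter independently: dropping the previous token on the next rotation stops a token from being honored two cycles later even if rotations were delayed, and the time check stops it from being honored indefinitely if no further rotation ever happens.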
### Security Engineers
- Added `conditional_access.cert_serial_format` server option to allow specifying the Okta conditional access certificate serial format.
- Improved authentication of `POST /api/v1/osquery/carve/block` requests by parsing and validating `session_id` and `request_id` before processing `data`.
- Redirected users to device policy page when failing conditional access requirements.
- Limited disk encryption key escrowing to when the global or team setting is enabled.
- Differentiated between IMP and the Integrative Modeling Platform (IMP) when running vulnerability scanning.
- Fixed false negative for Adobe Reader DC CVE-2025-54257 & CVE-2025-54255.
### Other improvements and bug fixes
- Added an environment variable to allow reverting to the old behavior of installing the bootstrap package during macOS MDM migration.
- Added `--with-table-sizes` option to `prepare` command to get approximate row counts of all database tables after a migration completes.
- Updated the Fleet UI so that if software is detected as installed on the software library page, any Fleet install/uninstall failures are hidden from that page. Admins can still view these failures under Host details > Activities.
- Updated Android certificate app to re-enroll if the host was deleted in Fleet.
- Updated `fleetctl generate-gitops` to output Fleet-maintained apps in a dedicated `fleet_maintained_apps` section of the YAML files.
- When a host is deleted, any associated VPP software installation records are also deleted.
- Updated permissions so that global observers and maintainers can now officially read user details, which were already visible to them via the activity feed.
- Added Iru (Kandji's new name) to the list of well-known MDM platforms.
- Improved error message when viewing disk encryption key fails because MDM has been turned off and the decryption certificate is no longer valid.
- Updated UI to show VPP version for adding software during setup.
- Updated user sessions and password reset tokens to now be cleared whenever a user's password is changed.
- Disallowed use of FLEET_DEV_* environment variables unless `--dev` is passed when serving Fleet.
- Handled the NotNow status from the device during DEP setup experience so it does not delay the release of the device.
- Allowed overriding individual configuration variables for MySQL and object storage when `--dev` is passed when serving Fleet.
- Updated DEP syncing code to use server-protocol-version 9 and handle THROTTLED responses.
- Updated UI styling of the Packs flow.
- Surfaced Google error message for Android profile failures after max retries instead of a generic error.
- Optimized recording of scheduled query results in the database.
- Improved API error message when adding profiles or software with non-existent labels.
- Ignored parenthesized build numbers in UI when comparing versions for update availability (e.g. 5.0 (build 3400)).
- Improved DEP process cooldowns by limiting how many we process at a time, per Apple's recommendations.
- Improved OpenTelemetry tracing: added proper shutdown to flush pending spans, and added service name/version resource attributes for better trace identification.
- Improved OpenTelemetry error handling: client errors (4xx) no longer set span status to Error or appear in the Exceptions tab, following OTEL semantic conventions. Added separate metrics for client vs server errors (`fleet.http.client_errors`, `fleet.http.server_errors`) with error type attribution. Client errors are also no longer sent to APM/Sentry.
- Internal refactoring: introduced activity bounded context as part of modular monolith architecture. Moved /api/latest/fleet/activities endpoint to new server/activity/ packages.
- Removed a debug-level warning asserting that macOS devices were unauthenticated when enrolling to Fleet.
- Updated gitops related tests to validate that users can get/set the alternative browser hosts fleet desktop setting.
- Updated to Go 1.25.7.
- Fixed a bug with the `PATCH /software/titles/{id}/package` endpoint where categories could not be updated on their own; another field had to be updated for them to be modified.
- Fixed an issue setting the bootstrap package on teams created by the puppet plugin.
- Fixed an issue where enabling manual agent installation for macOS devices would incorrectly block the addition of setup experience software titles for all platforms.
- Fixed Smallstep CA integration to send Authorization header with first request.
- Fixed an issue where deleted Windows and Linux hosts could re-enroll without re-authenticating when End User Authentication was enabled.
- Fixed a permission issue on software installer custom icons where a team maintainer could not view, edit or delete a custom icon.
- Fixed bug where unfinished Entra Integration setup breaks the UI.
- Fixed SCEP proxy so that it uses standard base64 encoding for PKIOperation GET requests, ensuring compatibility with standard SCEP servers.
- Fixed an issue where queries with common table expressions (CTEs) were marked as having invalid syntax.
- Fixed a bug where installing Xcode via VPP apps on macOS resulted in a failure due to not being able to verify the install.
- Fixed a bug where non-UTF-8 encodings caused an error in `.pkg` metadata extraction.
- Improved the error message when there is an issue getting the enrollment token during OTA enrollment.
- Fixed CVE false positive on ninxsoft/Mist.
- Fixed an issue where `last_install` details were not returned in the Host Software API for failed software installs, preventing users from viewing failure information.
- Fixed saving of policy automation in UI that triggers software installs and script runs.
- Fixed a bug where changes to scripts were causing custom software display names to be deleted.
- Fixed bug where custom icons were ignored for fleet maintained apps in GitOps files.
- Fixed panic in gRPC launcher API handler.
- Fixed a bug where installed software would not show up in the software inventory of an ADE-enrolled macOS host after a wipe and a re-enrollment.
- Fixed issue where MySQL read replicas were not using TLS.
- Fixed bug where `fleetctl gitops` was not sending software categories correctly in all cases.
- Fixed an issue in `fleetctl gitops` that would reset VPP token team assignment when using "All teams".
- Fixed a bug in the host activity card UI where activities related to MDM commands were not hidden when Apple MDM features are turned off in Fleet.
- Fixed unnecessary error logging when no CPE match is found for software items like VSCode extensions and JetBrains plugins.
- Fixed created_at and updated_at timestamps on API responses for Label and Team creation.
- Fixed issues where different variations of the same software weren't linked to the same software title.
- Added ability to automatically uninstall managed apps when iOS/iPadOS devices are unenrolled from MDM.
- Added ability to schedule automated software updates for iOS/iPadOS VPP apps via the Fleet admin interface.
- Added the ability to get and set auto-update schedule for VPP apps via the API.
- Added scheduled updates functionality to iOS/iPadOS managed devices.
- Added custom VPP apps to available VPP apps listing.
- Added support for in-house apps to use Cloudfront signed URLs in manifest if Cloudfront is configured.
### Security Engineers
- Added NATS as a logging destination.
- Updated NDES SCEP proxy to auto-detect response encoding, enabling compatibility with Okta CA and other UTF-8-based CAs.
- Implemented ingesting, persisting, and serving the sha256 hash and path for the CFBundleExecutable binaries of .app bundles on macOS.
### Other improvements and bug fixes
- Added validation and harmonized the error message displayed when an installer (FMA, custom package, VPP app, in-house app) conflicts with another one on the same team targeting the same platform.
- Randomized the APNs query to ensure all pending Apple hosts get a push notification.
- Updated macOS bootstrap package to no longer install during MDM migration, only during initial setup.
- Updated script and software installer policy automations to retry up to three times if attempts to run them fail.
- Improved host status tag styles on host details page.
- Improved error message for user-scoped profiles on iOS/iPadOS hosts.
- Surfaced Queries within the Details tab on the Host Details page.
- Updated software ingestion of manually-enrolled (BYOD) iPhone/iPad devices to only ingest (and display in software inventory) Fleet-installed software.
- Omitted software `last_opened_at` in API responses when the data source does not support it. Returns an empty string when the source does support it but there is no value.
- Updated UI for Controls > Setup experience > Install software > Android to fix inconsistent loading state.
- Updated UI to show a generic error message when attempting to delete setup experience software.
- Improved error message when trying to apply certificate authorities via gitops without the correct license.
- Added space trimming of `displayVersion` when processing VPP apps (found in some production apps).
- Updated software version search to now include results that match the software title name in addition to the version name.
- Adjusted the read-only SQL editor to appear non-interactive.
- Added information about auto-update configuration to the "edited_app_store_app" activity.
- Refactored common endpoint_utils package to support bounded contexts inside Fleet codebase. Moved it to server/platform/endpointer.
- Updated UI to inform admins of the need to accept terms and conditions for multiple Apple Business Manager accounts.
- Removed Queries tab from Host Details page.
- Revised software batch upload timeout from 24 hours to 4 minutes, refreshed each time a software package is downloaded from source or uploaded to object storage, allowing quicker detection of a software batch failing because the underlying server went offline.
- Added a tooltip to an expired ABM token and correctly removed the banner when an expired ABM token is deleted.
- Updated error message to clarify that Fleet requires Apple (macOS, iOS, and iPadOS) configuration profiles to have a unique identifier (PayloadIdentifier) and scope (PayloadScope) across teams.
- Renamed "Disk space" to "Disk space available" in Host details > Vitals.
- Truncated long strings (Operating system and Hardware model) in Host details > Vitals.
- Rolled back the change to ingest legacy Entra "device ID" from the keychain (for silent migrations) because it's not supported by Entra.
- Refactored common_mysql package to support bounded contexts inside Fleet codebase. Moved it to server/platform/mysql.
- Updated Go to 1.25.6.
- Fixed an issue that allowed uploading invalid Android profiles.
- Fixed spacing and alignment for author on edit query and edit policy pages.
- Fixed an issue where VPP apps would fail with 9610 errors, by implementing a retry mechanism for VPP app installations.
- Fixed VPP versions refresh to update the latest version for all platforms of an Adam ID.
- Fixed a bug where failed software installs showed up in the host library page after transferring it to a team without that installer.
- Fixed `fleetctl` config get/set to show proper usage information when called without required arguments.
- Fixed cases where Fleet would show the wrong current VPP app version when app versions varied by platform.
- Added ability to view past and upcoming MDM commands for a host in Fleet.
- Added ability to apply Android app configurations.
- Added support for resending Windows MDM profiles.
- Added support for renewal of custom SCEP profiles for Windows.
- Added support for team-specific labels. Currently team-specific labels must be created via spec endpoints, used by GitOps.
- Implemented ability to create, list, and delete Android certs from the UI.
- Added Android agent application (automatically deployed via Android MDM) to support automated installation of SCEP certificates on Android hosts.
- Added messaging around Apple VPP update failures due to the application being open.
- Added ability to indicate that new MacOS hosts enrolling via ADE should be updated to the latest operating system version.
- Added ability to edit Android software config in UI.
### Security Engineers
- Added support for ingesting Windows certificates via osquery.
- Added activities for when certificates templates are created/deleted.
### Other improvements and bug fixes
- Implemented streaming for the `GET /hosts` ("list hosts") API to improve performance.
- Updated API and GitOps to support `AppleOSUpdateSettings.UpdateNewHosts`.
- Added ability to search teams in dropdown when transferring teams.
- Added pagination metadata to the `GET /mdm/commands` endpoint.
- Updated the `refresh_vpp_app_versions` cron job to only attempt to refresh versions for Apple app store apps.
- Improved edit VPP UX by disabling a form that hasn't been edited.
- Updated logic used for determining whether to update a macOS host during DEP enrollment based solely on UpdateNewHosts flag.
- Added note to descriptions on schema tables using "count" as column name.
- Aligned Android MDM unenrollment endpoint with the already existing endpoint, `DELETE /api/latest/fleet/hosts/{id}/mdm`, for consistency across MDM platforms.
- Added migration for adding `update_new_hosts` flag to both App and Team configs.
- Changed the host details page to hide builtin labels in-line with other areas such as the label filter.
- Changed iOS/iPadOS and Android enrollment links on Add hosts modal to monospaced font to improve readability.
- Improved software upload progress modal.
- Improved consistency of `gitops` output language.
- Added loading state to turn off Android modal UI.
- Updated the `migrate_to_per_host_policy` cron job to no-op if Android MDM is not enabled.
- Updated software table so that selecting all teams removes any unsupported URL params.
- Improved unclear error message when uploading an APNS certificate if the CSR was not downloaded.
- Refactored RDS IAM authentication logic into a dedicated `rdsauth` package.
- Modified the automatic enrollment profile verification logic to only verify with Apple when a profile changes.
- Updated S3 username/password when running in dev mode to remove outdated mentions of MinIO.
- Hid option to transfer hosts to their current team.
- Updated setup experience links to point to add software page relevant to platform.
- Revised auth requirements for /debug endpoints.
- Added additional validation to URL parameter for MS MDM auth endpoint.
- Improved SOAP message validation on Windows MDM endpoints.
- Fixed host query report to display "Report clipped" when a query has reached the 1k result limit.
- Fixed UI error message regarding adding software to a team with a duplicate title.
- Fixed an issue where batch uploading .mobileconfig profiles failed due to display name checks.
- Fixed an issue where certificate details modal overflowed the screen.
- Fixed click area of edit software file button.
- Fixed an issue where GitOps would fail if `$FLEET_SECRET` contained XML characters in XML files, due to not escaping the value.
- Fixed query behind `fleetctl get mdm-commands` to correctly get completed Windows MDM commands.
- Fixed MDM install command output to correctly display UTF-8 characters in the UI.
- Fixed missing upgrade code persistence when adding Windows software to Fleet via GitOps.
- Fixed duplicate entry error when updating `upgrade_code` during software ingestion.
- Fixed case sensitivity mismatches causing duplicate titles during software ingestion.
- Fixed a bug where iOS and iPadOS hosts enrolling via ABM MDM Migration did not have VPP apps installed.
- Added support for Android setup experience software installation.
- Added support for Android self-service apps to `fleetctl gitops`.
- Added support for Android `systemUpdate` profiles.
- Added ability to create/view/delete Google Play Store software for Android in UI.
- Added `$FLEET_VAR_HOST_PLATFORM` for Apple platforms (`macos`, `ios`, `ipados`).
- Added support for installation of setup-experience VPP apps on manually-enrolled iOS/iPadOS devices.
- Added ability to deploy user-scoped SCEP profiles for Windows hosts.
- Added a configuration option to require Windows users turn on MDM manually via work or school account, rather than have enrollment happen automatically.
- Added UI to allow Windows hosts to manually enroll into Fleet MDM.
- Added support for `$FLEET_VAR_HOST_HARDWARE_SERIAL` and `$FLEET_VAR_HOST_PLATFORM` in Windows profiles.
### Security Engineers
- Added ability to filter the activities on the dashboard page.
- Updated to regenerate FileVault profile when Apple MDM is turned on if the device's team has disk encryption enabled.
- Added Okta conditional access configuration to the Fleet UI under Settings -> Integrations -> Conditional access.
- Added endpoint for hosts to update certificate status.
- Added detail column to `host_certificate_template` table and added `certificate_templates` property with GitOps support.
- Updated `fleetd/certificates/<id>` and `fleetd/certificates/<id>/status` to authenticate using the orbit_node_key provided in the `Authentication` header.
- Updated MDM-enrolled Android devices to receive certificate templates in `managedConfigurations`.
### Other improvements and bug fixes
- Improved performance by making the `host_count` property optional in the `GET /labels` API endpoints.
- Improved performance by avoiding unneeded extra queries when fetching team information.
- Improved request validation by returning an informative error when trying to filter `software_titles` with `platform` without a `team_id`.
- Allowed users to save Fleet queries even if their SQL is deemed invalid by the Fleet UI.
- Added a new error UI for file uploaders, and applied it in the Okta Conditional Access modal.
- Returned pre-install query output in Install Details modal.
- Translated `idp` to `mdm_idp_accounts` on API responses.
- Added Mosyle to the list of well-known MDM platforms.
- Changed where the `mdm_enrolled` activity is created so it occurs after the initial Token Update command, allowing the webhook to fire once the host can receive additional commands from Fleet MDM.
- Improved MDM command result endpoint response for pending Windows commands.
- Switched configurations referencing Redis 5 to Redis 6. Fleet is no longer verified to work with Redis 5 or below.
- Redacted API tokens in `fleetctl config set` to prevent accidental logging.
- Updated error message when attempting to run software install script on host with scripts disabled to refer to `--enable-scripts` flag (instead of `--scripts-enabled`).
- Updated queries APIs that drive the OS Settings UI to include the status of host cert templates.
- Updated the layout and styling of file uploader buttons across the UI.
- Updated built-in SVG icons to avoid rendering issues when certain combinations of icons are on the same page.
- Added consistent spacing to UI elements on the MDM page.
- Updated Go to 1.25.5.
- Fixed an issue where using bitwise operators in a query incorrectly marked the query as invalid.
- Fixed issue where MDM profile retry limits were interfering with Smallstep SCEP proxy renewal attempts, particularly in cases of expired SCEP challenges.
- Fixed incorrect status code on failure to interpolate certificate template variables.
- Fixed Android configuration profiles downloading as unusable .xml files with content `[object Object]`. Android profiles now download correctly as .json files with properly formatted JSON content, matching what was originally uploaded.
- Fixed the tab order of elements in the login form.
- Fixed UI bug where the option to resend MDM profiles for macOS hosts was incorrectly presented to non-admin and non-maintainer users.
- Fixed an issue that prevented GitOps from saving multiple queries with the same label.
- Fixed an issue where "Exclude Any" label scoping did not work properly for iOS, iPadOS and Android hosts.
- Fixed bug that prevented filtering by platform when listing hosts with failed profiles.
- Fixed software action buttons to disable immediately on click to prevent multiple clicks.
- Fixed an issue where newly-enrolled Windows or Linux hosts were not automatically linked with existing SCIM user account data.
- Fixed UI bug in OS settings modal that caused status tooltip to flicker when refetching host details.
- Fixed a race condition when resending Apple Profiles that would not truly resend the latest profile.
- Fixed a missing redirect to the Fleet website.
- Fixed the connect message on the controls end user auth page so that it is consistent with the other setup experience subsections.
- Fixed a bug where "installed" software sometimes showed up as "uninstalled" when certain other pieces of data were not also present.
- Added integration for Okta conditional access, where Fleet acts as a factor and blocks end users from logging into third-party apps, via Okta, if they are failing specific policies.
- Added activity log entries for: host deletion and expiration, updating or deleting host IdP mappings.
- Resolved multiple false positive vulnerability matches for the VSCode golang extension.
- Resolved false positive CVE matches for [`Logi Bolt.app`](https://support.logi.com/hc/en-us/articles/4418089333655-Logi-Bolt-App).
- Detected vulnerabilities in JetBrains IDE plugins.
### IT Admins
- Updated MDM enrollment flow for BYOD macOS hosts to enable end user authentication prior to downloading the MDM profile via the "My device" page.
- Added self-service install support for custom IPA apps on iOS and iPadOS.
- Added support for in-house (".ipa") apps to `fleetctl gitops`.
- Updated existing `POST /setup_experience/script` endpoint to allow updating the macOS setup experience script in-place, and modified GitOps to remove the `DELETE` call.
- Added support for Custom EST certificate authorities.
- Added ability to deploy certificates from Custom SCEP certificate authorities on Windows.
- Added status counts to batch script detail page tabs.
- Added `InstallAnywhere` as a self-extracting archive for PE metadata extraction.
- Added ingestion of `upgrade_code`s from Windows software, and provided to all relevant software endpoints.
### Other improvements and bug fixes
- Improved performance of `/api/latest/fleet/software/versions` API endpoint.
- Updated host expiry logic to not delete macOS hosts that checkin via MDM protocol but not via `fleetd`.
- Optimized the cleanup Apple host profiles query to reduce probability of DB locking.
- Implemented UI logic to call existing manual update IdP API functionality.
- Implemented UI logic and new DELETE endpoint to manually remove host IdP mappings.
- Added experimental `FLEET_MDM_ENABLE_CUSTOM_OS_UPDATES_AND_FILEVAULT` configuration to allow deploying custom OS settings including Filevault payloads and macOS and Windows update settings.
- Added ability to change software display names in the UI.
- Fixed table styling for selecting table rows.
- Simplified setup experience configuration UI.
- Added better error messages when using built-in labels in GitOps and on the LabelSpecs endpoint.
- Hid software host count and version table when no hosts have the software installed.
- Adjusted UI section headers and layout of Settings > Integrations in Fleet Free.
- Added vulnerability seeding and performance testing tools.
- Moved end user authentication SSO settings under Integrations > SSO in global settings.
- Removed the premium check for host OS settings in host summary UI.
- Reduced Android device reconciler frequency to 1 hour.
- Reduced Android API usage by listing devices instead of getting and checking Android Enterprise disconnects hourly.
- Set the order of software installed during the setup experience to alphanumeric.
- Updated Go to 1.25.3.
- Fixed a layout issue on the script batch details page.
- Fixed installer for Cisco Secure Client not showing as installed in inventory/library due to using the wrong bundle identifier. This application should show up correctly now in the software inventory.
- Fixed errors when trying to run the `apple_mdm_iphone_ipad_refetcher` cron job.
- Fixed bug that prevented users from editing custom EST certificates URLs.
- Fixed incorrect UI placeholder element by replacing it with its actual value.
- Fixed issue where vulnerabilities would occasionally show as missing.
- Updated existing /setup_experience/script POST endpoint to allow updating the macOS setup experience script in-place, and modified gitops to remove the DELETE call.
- Added support for software inventory on Android hosts.
- Added support for npm packages in software inventory and vulnerability matching for macOS and Linux hosts.
- Added support for JetBrains inventory on hosts.
- Added vulnerability detection in JetBrains plugins.
- Added support for VSCode fork (Cursor, Windsurf, VSCodium, VSCodium Insiders, and Trae) extensions in software inventory.
- Added Santa tables to fleetd.
### IT Admins
- Added ability to install software for iOS and iPadOS hosts during the setup experience.
- Added ability to specify VPP apps for automatic installation during ADE iOS and iPadOS host enrollment.
- Added the ability to lock iOS and iPadOS devices through lost mode.
- Added support for locking and unlocking iOS and iPadOS devices from the UI.
- Added configuration option to setup experience for macOS hosts to halt if any software install fails.
- Added `gigs_all_disk_space` vital collection, storage, service, and UI rendering for Linux hosts.
- Added new server config flag for specifying the cleanup age for completed distributed targets.
### Other improvements and bug fixes
- Added link component shown in the host column to the host details page.
- Added flash warning when an unauthorized user tries to access teams settings.
- Added descriptive error in cases of manual MacOS profile download failure.
- Updated the MacOS setup experience to use the new web UI.
- Updated the UI for adding new scripts to the scripts library.
- Changed display logic for the organization logo component on the My Device page to prevent flickering.
- Improved performance of `/api/latest/fleet/os_versions` endpoint, especially for deployments with Linux hosts.
- Optimized MySQL queries on `/api/latest/fleet/vulnerabilities` and `/api/latest/fleet/software/versions` to improve performance for Fleet UI use cases.
- Optimized `/config` API endpoint to use the primary DB node for both persisting changes and fetching modified app config.
- Improved live query response times by adding a new server config flag for specifying the cleanup age for completed distributed targets.
- Improved query performance by using a lighter-weight query for checking if a team is enabled for conditional access.
- Changed license warning to only show one time during GitOps runs.
- Updated to allow setting an org support url to use the "file" protocol in the url.
- Changed the default name of Host Identity CA to 'Fleet Host Identity CA' to avoid conflict with Fleet's Apple MDM CA.
- Updated host details run script user flows to include a confirmation step.
- Applied singular word form to GitOps log messages when a single entity is referenced in the message.
- Updated the "Setting up your device" page to show status of setup script run.
- Deprecated `browser` in favor of `extension_for` in API responses and JSON/YAML outputs.
- Added migration to clear the `platform` field on all _builtin_ labels.
- Added migration to relink missing SCIM user data to hosts.
- Updated host certificate renewal flow for NDES, Smallstep, and custom SCEP proxy CAs to support `$FLEET_VAR_SCEP_RENEWAL_ID` in the OU field rather than CN.
- Updated device mapping API to allow an "idp" source to manually set IDP user mappings.
- Updated styling to be more consistent in edit policies view for FireFox.
- Replaced outdated Firefox icon with a new one that follows brand guidelines.
- Allowed testing a new or edited policy query via live query while in GitOps Mode.
- Fixed missing "failed" VPP app install activities when installation is canceled due to MDM being turned off for a host.
- Fixed bug where uploading a software installer failed because it was "not found in the datastore".
- Fixed missing absolute timestamp tooltips on script creation date in script list and query modification date in query list.
- Fixed bug with the ChangeManagement component where the GitOps checkbox local UI state was being reset due to GET request after PATCH request.
- Fixed MySQL deadlocks when multiple hosts are updating their certificates in host vitals at the same time.
- Fixed an issue where longer variable names (`$FLEET_VAR_HOST_END_USER_IDP_USERNAME_LOCAL_PART`) with the same base as a shorter one (`$FLEET_VAR_HOST_END_USER_IDP_USERNAME`) were not processed in the right order.
- Fixed UI bug where "Show disk encryption key" option was incorrectly displayed for hosts enrolled with a third-party MDM solution.
- Fixed WhatsApp and VS Code icons not displaying correctly.
- Fixed bad software ingestion debug message and added filter for invalid software with missing names.
- Fixed a bug where a software installer could be installed in the same team and same platform (macOS) where an App Store app already existed for the same software title, and vice versa (an App Store app added when a software package already existed; this case was only possible via `fleetctl gitops`).
- Fixed listing hosts with `populate_software` not returning `hash_sha256` for macOS apps.
- Fixed bug where batch setting MDM profiles could cause a nil pointer dereference when processing an invalid profile (e.g., cannot parse mobileconfig because it is bad xml).
- Fixed bug hiding the UI elements post install script output in Software Install Details modal.
- Fixed software title host count mismatch that was caused by including software installers in the count.
- Fixed a scenario where a wiped Windows host re-enrolled as a distinct host row in Fleet and the previous host's page could not be loaded successfully.
- Fixed an issue where a host transfer on `mdm_enrolled` activity would be reversed by orbit enroll.
- Fixed a bug in live queries that caused `livequery:{$CAMPAIGN_ID}` Redis keys to not be cleaned up or expire.
- Fixed inconsistency in GitOps for App store apps if no VPP token was found, so that both dry run and actual run fails.
- Fixed the software title counts by status to be consistent with the status reported in the host's software list and filter by status.
- Fixed outdated tooltip on dark background logo URL field in Organization info settings.
- Fixed `fleetctl generate-gitops` when MDM is not turned on.
- Added support for Smallstep certificate authority.
- Added false-positive filtering for Linux vulnerability scanning.
- Added support for Arch Linux hosts.
- Added software inventory ingestion from Arch Linux hosts.
- Added new rate limiting implementation for Fleet Desktop API endpoints to support all/many hosts of a deployment behind NAT (single IP).
- Added support for reading server `private_key` from AWS Secrets Manager.
- Added support for vulnerabilities feed CPE translation JSON to override `sw_edition` field.
- Added filter for removing duplicate RPM python packages and renaming pip packages to match OVAL definitions (same as Ubuntu).
- Added ability to specify a Fleet host ID when declaring a manual label in a Gitops YAML file.
- Added a dedicated page, table, and logical integrations with other parts of the UI for managing labels.
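The variable-ordering fix listed above (a longer variable name sharing its base with a shorter one) is a general template-expansion pitfall. The Go program below is an added example, not Fleet's code: on a constructed profile fragment it reproduces the failure with shortest-first replacement, then shows two fixes, ordering replacements longest-first and tokenizing whole `$FLEET_VAR_...` names with a regular expression. The two variable names are the ones from the entry above; the template and the values are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// sampleTemplate is a constructed profile fragment (not from Fleet) that uses two
// variables where the shorter name is a prefix of the longer one.
const sampleTemplate = `<key>UserName</key><string>$FLEET_VAR_HOST_END_USER_IDP_USERNAME</string>
<key>ShortName</key><string>$FLEET_VAR_HOST_END_USER_IDP_USERNAME_LOCAL_PART</string>`

// sampleValues are constructed per-host values for those variables.
var sampleValues = map[string]string{
	"FLEET_VAR_HOST_END_USER_IDP_USERNAME":            "ada@example.com",
	"FLEET_VAR_HOST_END_USER_IDP_USERNAME_LOCAL_PART": "ada",
}

// namesByLength returns the variable names sorted by length (ties broken alphabetically),
// longest first when longestFirst is set, shortest first otherwise.
func namesByLength(vals map[string]string, longestFirst bool) []string {
	names := make([]string, 0, len(vals))
	for n := range vals {
		names = append(names, n)
	}
	sort.Slice(names, func(i, j int) bool {
		if len(names[i]) != len(names[j]) {
			if longestFirst {
				return len(names[i]) > len(names[j])
			}
			return len(names[i]) < len(names[j])
		}
		return names[i] < names[j]
	})
	return names
}

// substituteOrdered replaces each "$NAME" with its value, one name at a time. With
// longestFirst=false it reproduces the failure mode: the shorter name matches inside
// the longer one and leaves "..._LOCAL_PART" dangling. With longestFirst=true the
// longer name is consumed before its prefix is ever looked at.
func substituteOrdered(tmpl string, vals map[string]string, longestFirst bool) string {
	for _, n := range namesByLength(vals, longestFirst) {
		tmpl = strings.ReplaceAll(tmpl, "$"+n, vals[n])
	}
	return tmpl
}

// fleetVarRe matches one whole variable token. Because the character class is greedy,
// "$FLEET_VAR_X_LOCAL_PART" is always matched as a single token, never as "$FLEET_VAR_X".
var fleetVarRe = regexp.MustCompile(`\$FLEET_VAR_[A-Z0-9_]+`)

// substituteByToken tokenizes the template and looks each token up, so ordering no
// longer matters. Unknown variables are left untouched so a later validation step can
// report them instead of silently emitting a partially substituted value.
func substituteByToken(tmpl string, vals map[string]string) string {
	return fleetVarRe.ReplaceAllStringFunc(tmpl, func(tok string) string {
		if v, ok := vals[strings.TrimPrefix(tok, "$")]; ok {
			return v
		}
		return tok
	})
}

func main() {
	fmt.Printf("shortest first (buggy):\n%s\n\n", substituteOrdered(sampleTemplate, sampleValues, false))
	fmt.Printf("longest first:\n%s\n\n", substituteOrdered(sampleTemplate, sampleValues, true))
	fmt.Printf("by token:\n%s\n", substituteByToken(sampleTemplate, sampleValues))
}
```

Tokenizing is the more robust of the two fixes: longest-first ordering works only while every variable is resolved in one pass, whereas matching whole tokens holds regardless of how many variables are added later.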
### IT Admins
- Added configuration profile support for Android hosts.
- Added activity logging for Android profile creation, modification, and deletion.
- Added support for software installation during Windows setup experience.
- Added support for Arch Linux hosts.
- Added software inventory ingestion from Arch Linux hosts.
- Added support to `fleetctl` to generate `fleetd` installers for Arch Linux (`.pkg.tar.zst`).
- Added software name into checksum calculation for macOS apps.
- Added ability to specify a Fleet host ID when declaring a manual label in a Gitops YAML file.
- Added a dedicated page, table, and logical integrations with other parts of the UI for managing labels.
- Added OpenTelemetry instrumentation to scheduled jobs and several API endpoints.
- Added CRON job to reconcile Android profiles.
- Added retries with backoff when Apple's assets API fails with a timeout error.
- Added ability to unenroll personal iOS/iPadOS devices from Fleet.
- Added support for assigning host labels based on idP attributes for iOS and iPadOS hosts.
- Added ability to turn off MDM for iOS and iPadOS devices when the refetcher reports that the device token is inactive.
- Added support for hosts enrolled with Company Portal using the legacy SSO extension (for Entra's conditional access).
- Updated DEB and RPM packages generated by `fleetctl package` to now be safe to upgrade in-band through the Software page.
> Note: The package will need to be updated out-of-band once, because the pre-removal script from previously-generated packages is called upon an upgrade. The old pre-removal script stopped Orbit unconditionally.
- Updated to return count in list host certificates API response, and use it in the certificate table.
- Updated setup experience to try software installs up to 3 times by default in case of intermittent failures.
- Modified the Apple profile reconciliation CRON logic to query for installs and removals within a transaction to avoid race conditions around team or label changes.
- Fixed inconsistent spacing in Controls OS settings headers.
- Validated setting `manual_agent_install` option on the server.
- Ignored warning when `LastOpenedAt` for software is nil on macOS.
- Improved install action tooltips and modals including timestamps to VPP successful installs.
- Changed the response code for UserAuthenticate checkin messages, which are unsupported, from a 5XX to "410 Gone" as specified in the Apple MDM protocol docs for servers that do not implement this method.
- Ensured UI consistency by adding a border to the empty state of End User Authentication section.
- Added easy to understand error messages when configuring Entra conditional access in Fleet.
- Updated docs for the `pwd_policy` table to better reflect the meaning of `days_to_expiration`.
- Improved the layout of the IdP-driven label form.
- Updated Hosts table > hostname column to truncate overflowing hostnames and place the full name in a tooltip on hover.
- Removed duplicate tar.gz copies of osqueryd and Fleet Desktop from built packages (DEB/RPM/PKG).
- Extended the number of errors Fleet looks for when determining whether we should invalidate the prepared statements cache.
- Updated instructions in Linux key escrow modal.
- Adjusted log level to "info" instead of "error" when Windows MDM endpoints generate client errors (e.g. empty binary security token).
- Disabled debug logging by default in `fleetctl preview` and reformatted login information.
- Improved handling of host details page label pills for labels with very long names.
- Modified Controls > OS settings > Custom settings so profile upload time is based on `updated_at` instead of `created_at`.
- Added check to GitOps command to throw error if positional arguments are detected.
- Added an error message when software is defined in a package YAML file in GitOps but some fields expected in that file were set at the team level. Previously, GitOps would silently ignore the fields set at the team level in this case.
- Updated the OS updates current versions empty state for consistency with other empty states.
- Updated message shown in the 'Delete Script' modal.
- Added a delay to the platform compatibility tooltip showing when creating or editing a query.
- Added error when uploading signed profiles instead of when trying to deliver them.
- Updated old end user migration workflow preview, and switched to video for product consistency.
- Replaced outdated Firefox icon with a new one that follows brand guidelines.
- Updated UI to make policy pass/fail icons and copy consistent across host details, my device, and manage policies tables.
- Removed the software renaming fix introduced in 4.73.3 due to MySQL DB performance issues.
- Optimized software ingestion rename functionality to generate less lock contention during high concurrency.
- Optimized ingestion of software names on macOS apps when vendor-supplied bundle executable names are unclear.
- Optimized software title reconciliation in vulnerabilities cron job.
- Revised macOS software ingestion to correctly show application names for Steam games instead of `run.sh`.
- Added logic to detect and fix migration issues caused by improperly published Fleet v4.73.2 Linux binary.
- Updated Go to 1.25.1.
- Fixed inconsistent subtitle text style in Custom Settings.
- Fixed required query parameters using field name instead of parameter name in error messages.
- Fixed a bug where blocking of VPP installs on personally enrolled Apple devices was not in place.
- Fixed edit teams action in VPP table dropdown not being blocked when Fleet is in GitOps mode.
- Fixed certificate ingest parser to no longer break on multiple equal signs in certificate key pair values.
- Fixed certificate ingest parser to allow for only multiple relative distinguished names separated by `+`.
- Fixed 422 error when hitting `/api/v1/fleet/commands` endpoint with team filter.
- Fixed deletion of conditional access integration by adding a spinner and clearing the tenant ID after the deletion.
- Fixed an issue on ChromeOS and Windows where the cursor in the SQL editor is misaligned.
- Fixed issue where "Controls" link in the top nav didn't always go to the default controls page.
- Fixed cases where Firefox ESR installations would have false-positive vulnerabilities reported that were backported to the ESR.
- Fixed clicking the currently selected navbar item would cause a full-page rerender.
- Fixed EULA path to be relative to the YAML file in `fleetctl gitops`, as it is for other settings.
- Fixed bundle identifier for the Privileges macOS software pkg and fixed existing software installers to use the corrected software title. The Privileges application should now show the correct status in software inventory.
- Fixed the reported version of fleetd on the Software tab for Linux hosts.
- Fixed invalid GET and DELETE requests that incorrectly included request bodies in client code, ensuring HTTP compliance.
- Added support for Hydrant as a Certificate Authority and added an experimental API that can be used to have Fleet request a certificate from a Hydrant.
- Added a check to disallow FLEET_SECRET variables in Apple configuration profile `<PayloadDisplayName>` fields for security.
- Added `/batch/{batch_execution_id:[a-zA-Z0-9-]+}/host-results` API endpoint to list hosts targeted in batch.
- Added `POST /api/v1/fleet/configuration_profiles/batch` API endpoint to batch modify MDM configuration profiles.
- Added a new page in the UI for batch script run details.
- Added support for AWS RDS (MySQL) IAM authentication.
- Added support for AWS ElastiCache (Redis) IAM authentication.
- Added setup experience software items for Linux devices.
- Added API endpoints for Linux setup experience.
  - Device API endpoints for fleetd: `POST /api/fleet/orbit/setup_experience/init` and `POST /api/v1/fleet/device/{token}/setup_experience/status`.
  - `PUT /api/v1/fleet/setup_experience/software` and `GET /api/v1/fleet/setup_experience/software` now have a `platform` argument (`linux` or `macos`, defaults to `macos`).
- Added IdP `fullname` attribute as a valid Fleet variable for Apple configuration profiles.
- Added the username of the managed user account user-scoped profiles are delivered to for macOS hosts.
- Enabled configuring webhook and ticket policy (Jira/Zendesk) automations for "No team".
- Added support for writing multiple packages in a single GitOps YAML file included under `software.packages`.
- Moved `self_service`, `labels_include_any`, `labels_exclude_any`, `categories`, and `setup_experience` declarations to team level for software in GitOps; `setup_experience` can now be set on a software package, Fleet Maintained App, or App Store app.
- Changed `GET /host/:id` to return an empty array for `software` field when `exclude_software=true`.
- Updated `generate-gitops` command to output filenames with emojis and other special characters where applicable.
- Added a Fleet-maintained app for macOS: Omnissa Horizon Client.
- Added opening instructions to self-service macOS apps and Windows programs.
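The two certificate ingest parser fixes listed above (multiple `=` characters inside a value, and multi-valued RDNs joined with `+`) come down to how a string-form distinguished name is tokenized. The Go parser below is an added example, not Fleet's ingest parser: it splits each attribute only on its first `=`, treats `+` as the separator between attributes of one RDN and `,` as the separator between RDNs, and honours backslash escapes so those characters can also appear literally. The sample DNs are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Attribute is one type=value pair from a distinguished name.
type Attribute struct {
	Type  string
	Value string
}

// RDN is one relative distinguished name. It holds more than one Attribute
// when the attributes were joined with '+' in the string form.
type RDN []Attribute

// ParseDN splits a string-form DN into RDNs. ',' separates RDNs, '+' separates
// attributes inside one RDN, and only the first '=' of an attribute separates type
// from value, so any further '=' stays in the value. A backslash escapes the next
// character so that ',', '+' and '=' can appear literally in a value.
func ParseDN(s string) ([]RDN, error) {
	var (
		dn     []RDN
		cur    RDN
		buf    strings.Builder
		typ    string
		seenEq bool
	)
	flush := func() error {
		if !seenEq {
			return fmt.Errorf("attribute %q has no '='", buf.String())
		}
		cur = append(cur, Attribute{Type: strings.TrimSpace(typ), Value: strings.TrimSpace(buf.String())})
		buf.Reset()
		typ = ""
		seenEq = false
		return nil
	}
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case c == '\\' && i+1 < len(s):
			i++
			buf.WriteByte(s[i]) // escaped character is taken literally
		case c == '=' && !seenEq:
			typ = buf.String() // first '=' ends the attribute type
			buf.Reset()
			seenEq = true
		case c == '+':
			if err := flush(); err != nil {
				return nil, err
			}
		case c == ',':
			if err := flush(); err != nil {
				return nil, err
			}
			dn = append(dn, cur)
			cur = nil
		default:
			buf.WriteByte(c)
		}
	}
	if buf.Len() > 0 || seenEq {
		if err := flush(); err != nil {
			return nil, err
		}
	}
	if len(cur) > 0 {
		dn = append(dn, cur)
	}
	return dn, nil
}

// Values returns every value of the given attribute type across all RDNs
// (attribute types compare case-insensitively).
func Values(dn []RDN, typ string) []string {
	var out []string
	for _, rdn := range dn {
		for _, a := range rdn {
			if strings.EqualFold(a.Type, typ) {
				out = append(out, a.Value)
			}
		}
	}
	return out
}

func main() {
	// Constructed samples: a value containing '=', a multi-valued RDN, and an escaped comma.
	for _, s := range []string{
		"CN=host=01.example,OU=Eng+O=Example Corp,C=US",
		`CN=Doe\, John,O=Example Corp`,
	} {
		dn, err := ParseDN(s)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%s -> %+v\n", s, dn)
	}
}
```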
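Two entries on this page concern `$FLEET_SECRET_...` variables in Apple configuration profiles: the GitOps fix for secret values containing XML characters (in an earlier release above) and the check that disallows secret variables in `<PayloadDisplayName>` fields. The Go program below is an added example, not Fleet's implementation, and covers both: it rejects a display name that references a secret, and it shows raw substitution breaking the profile XML while `xml.EscapeText` keeps it well-formed. The profile fragment, the variable name and the secret value are constructed.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"regexp"
	"strings"
)

// sampleProfile is a constructed .mobileconfig fragment (not from Fleet). The secret
// reference sits in a payload value, where it belongs, not in the display name.
const sampleProfile = `<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>PayloadDisplayName</key>
	<string>Wi-Fi</string>
	<key>Password</key>
	<string>$FLEET_SECRET_WIFI_PASSWORD</string>
</dict>
</plist>`

// sampleSecrets is a constructed secret whose value contains every XML-special character.
var sampleSecrets = map[string]string{
	"FLEET_SECRET_WIFI_PASSWORD": `Pa<ss&word>"1'`,
}

var (
	secretVarRe = regexp.MustCompile(`\$FLEET_SECRET_[A-Z0-9_]+`)
	// payloadDisplayNameRe captures the <string> that follows a PayloadDisplayName key.
	payloadDisplayNameRe = regexp.MustCompile(`(?s)<key>PayloadDisplayName</key>\s*<string>(.*?)</string>`)
)

// checkNoSecretsInDisplayName rejects a profile whose PayloadDisplayName references a
// secret variable. A display name is profile metadata shown by the OS and by management
// tooling, so a secret does not belong in it.
func checkNoSecretsInDisplayName(profile string) error {
	for _, m := range payloadDisplayNameRe.FindAllStringSubmatch(profile, -1) {
		if secretVarRe.MatchString(m[1]) {
			return fmt.Errorf("PayloadDisplayName must not reference a secret variable: %q", m[1])
		}
	}
	return nil
}

// expandSecrets substitutes secret variables. With escape=false it reproduces the
// pre-fix behaviour (raw insertion); with escape=true each value is XML-escaped first.
// Unknown variables are left untouched.
func expandSecrets(profile string, secrets map[string]string, escape bool) string {
	return secretVarRe.ReplaceAllStringFunc(profile, func(tok string) string {
		v, ok := secrets[strings.TrimPrefix(tok, "$")]
		if !ok {
			return tok
		}
		if !escape {
			return v
		}
		var buf bytes.Buffer
		_ = xml.EscapeText(&buf, []byte(v)) // never fails when writing to a bytes.Buffer
		return buf.String()
	})
}

// wellFormed reports whether doc parses as XML from start to end.
func wellFormed(doc string) bool {
	dec := xml.NewDecoder(strings.NewReader(doc))
	for {
		_, err := dec.Token()
		if err == io.EOF {
			return true
		}
		if err != nil {
			return false
		}
	}
}

func main() {
	fmt.Println("display name check:", checkNoSecretsInDisplayName(sampleProfile))
	fmt.Println("raw substitution well-formed:", wellFormed(expandSecrets(sampleProfile, sampleSecrets, false)))
	fmt.Println("escaped substitution well-formed:", wellFormed(expandSecrets(sampleProfile, sampleSecrets, true)))
}
```

Escaping at substitution time rather than asking operators to pre-escape secrets keeps the stored secret usable for other, non-XML contexts and removes a class of GitOps failures that only appear for particular secret values.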
### Other improvements and bug fixes
- Added index to `distributed_query_campaign_targets` table to speed up DB performance for live queries.
> **WARNING:** For deployments with millions of rows in `distributed_query_campaign_targets`, the database migration to add the index may take significant time. We recommend testing migration duration in a staging environment first. The initial cleanup of old campaign targets will occur progressively over multiple hours to avoid database overload.
- Added clean up of live query campaign targets 24 hours after campaign completion. This keeps the DB size in check for performance of large and frequent live query campaigns.
- Improved OpenTelemetry integration: added tracing to async tasks (host seen, labels, policies, query stats), improved HTTP span naming, enabled gzip compression, and reduced batch size to prevent gRPC errors.
- Updated output from `packages_only=true` so that it only returns software with available installers.
- Added tarballs summary card back into UI.
- Improved the sorting of batch scripts in the Batch Progress UI. Batches in the "started" state now sort by started date, and batches in the "finished" state now sort by the finished date.
- Removed inaccurate host count timestamp on the software version details page.
- Downgraded "distributed query is denylisted" error to a warning on the Fleet server since this message indicates a likely issue on the host and not the server. We will surface this issue in the UI in the future.
- Improved performance for YARA rules, both when modifying config (`PATCH /api/latest/fleet/config`) with a large number of YARA rules and when large numbers of hosts fetch rules via the `/api/osquery/yara/{name}` endpoint.
- Improved performance when updating multiple policies in the UI. The policies are now updated in series to reduce server/DB load.
- Added user icon to OS settings custom profiles on host details page if they are user scoped.
- Added clearer error messages when a new password doesn't meet the password criteria.
- Removed extra spacing from under disk encryption table.
- Updated `fleetctl get mdm-command-results` to show output in a vertical format instead of a table.
- Refactored the ApplyQueries datastore method so that queries are upserted in batches, to avoid deadlocks during large GitOps runs.
- Refactored the way failing policies are computed on host details endpoint to avoid discrepancies due to read replica delays and async computation.
- Refactored the `PATCH fleet/config` endpoint to use the primary DB node for both persisting changes and fetching the modified app config.
- Fixed missing ticket integration options in Policies -> Other workflows modal for teams.
- Fixed a deduplication bug in the UI so that only unique vulnerabilities are counted when software title vulnerabilities are summed across versions, both in the software title vulnerability count and in the host software title vulnerability count.
- Fixed cases where the default auto-install policy for .deb packages would treat installed-then-uninstalled software as still installed.
- Fixed the message rendered from user_failed_login global activities on the Activity feed if the email is not specified.
- Fixed fleetctl printing binary data to terminal in debug mode.
- Fixed a bug where incorrect CVEs were received from MSRC feed.
- Fixed Fleet-installed host count not updating after software is installed over an older version.
- Fixed a UI issue on the Dashboard page. The software card is now rendered while its content is being fetched, so the layout no longer jumps around.
- Fixed error when updating a script to exactly match the contents of another script.
- Fixed an issue where string concatenations in a LIKE expression caused a syntax error in the query editor.
- Fixed `fleetctl gitops` issue uploading an Apple configuration profile with a FLEET_SECRET in a `<data>` field.
- Fixed Linux lock script on Ubuntu with GDM to now switch UI to text mode to work around GUI issues.
- Fixed Google Cloud Storage (GCS) support broken since Fleet 4.71.0 by implementing a workaround for AWS Go SDK v2 signature compatibility issues with GCS endpoints.
- Fixed banner link colors in UI.
- Fixed an alignment issue on the My device page.
- Fixed deadlocks when updating automations for 10+ policies at one time.
- Changed MDM enrollment logic so that devices identified by ABM as having a migration deadline will not run Setup Experience on the next enrollment (the migration), but will on subsequent enrollments.
- Added new detail query, only executed if TPM PIN enforcement is required, for determining whether a BitLocker PIN is set.
- Added host identity certificate renewal support for TPM-backed certificates (Linux-only). When a certificate is within 180 days of expiration, orbit will automatically renew it using proof-of-possession with the existing certificate's private key.
- Added new global activity created when a new disk encryption key is escrowed.
- Added issuer and issued cells to the host details and my device page certificates table.
- Allowed filtering host and team software by minimum and maximum CVSS score in the Fleet UI.
- Updated UI to display kernel vulnerabilities in the operating system details page for Linux systems.
- Updated macOS 13 CIS policies to align with CIS Benchmark v3.1.0 (from v3.0.0).
- Updated macOS 14 CIS policies to align with CIS Benchmark v2.1.0 (from v2.0.0).
- Updated macOS 15 CIS policies to align with CIS Benchmark v1.1.0 (from v1.0.0).
- Updated Fleet's certificate ingestion to accept non-standard country codes of longer than 2 characters. In addition, updated ingestion of other fields to truncate long values and log an error instead of failing.
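The host identity certificate renewal entry above describes proof-of-possession with the existing certificate's private key, triggered within 180 days of expiry. The Go program below is an added example, not Fleet or orbit code, that sketches the two halves of such an exchange: the host signs a server-issued nonce with its current key (a software ECDSA key stands in for the TPM), and the server verifies the signature against the certificate it has on file and refuses to renew an already-expired certificate. The 180-day window comes from the entry; the nonce-based challenge, the self-signed demo certificate and all function names are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// renewalWindow mirrors the 180-day threshold in the changelog entry.
const renewalWindow = 180 * 24 * time.Hour

// NeedsRenewal reports whether cert expires within renewalWindow of now.
func NeedsRenewal(cert *x509.Certificate, now time.Time) bool {
	return !now.Add(renewalWindow).Before(cert.NotAfter)
}

// SignRenewalChallenge is the host side: prove possession of the current
// certificate's private key by signing a server-issued nonce. With a TPM the
// signing call would be delegated to the TPM; here a software key stands in.
// The nonce must be fresh per request so a captured signature cannot be replayed.
func SignRenewalChallenge(key *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// VerifyRenewal is the server side: the signature must verify under the public
// key of the certificate on file for the host, and that certificate must still be
// valid, since an expired certificate cannot vouch for its own replacement.
func VerifyRenewal(cert *x509.Certificate, nonce, sig []byte, now time.Time) error {
	if now.After(cert.NotAfter) {
		return errors.New("certificate already expired; re-enroll instead of renewing")
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unsupported key type on stored certificate")
	}
	digest := sha256.Sum256(nonce)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("proof-of-possession failed")
	}
	return nil
}

// newHostCert builds a self-signed certificate for the demo (constructed data,
// not a real host identity certificate).
func newHostCert(notAfter time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "host-identity-demo"},
		NotBefore:    notAfter.Add(-365 * 24 * time.Hour),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func main() {
	now := time.Now()
	cert, key, err := newHostCert(now.Add(90 * 24 * time.Hour)) // inside the window
	if err != nil {
		panic(err)
	}
	fmt.Println("needs renewal:", NeedsRenewal(cert, now))
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	sig, err := SignRenewalChallenge(key, nonce)
	if err != nil {
		panic(err)
	}
	fmt.Println("renewal accepted:", VerifyRenewal(cert, nonce, sig, now) == nil)
}
```

The expiry check matters in practice: a host that lets its certificate lapse has nothing to prove possession with, so renewal must be attempted well before `NotAfter`, which is the point of the 180-day window.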
### IT Admins
- Added API endpoints for adding, deleting and listing secret variables.
- Added ability to add and delete custom variables in the UI.
- Added API endpoints to get and list batch scripts.
- Added cron job to launch scheduled batch scripts.
- Added API endpoint to cancel scheduled batch script run.
- Added the ability to cancel batch script runs directly from the UI summary modal.
- Added ability to schedule batch script runs in advance to the "Run scripts" modal.
- Added the ability to filter the hosts list to those hosts that were incompatible with the script in a batch run.
- Added side navigation on the Controls > Scripts page, with the previous Scripts page content under the "Library" tab and a new "Batch progress" tab containing details about started, scheduled, and finished scripts.
- Added batch execution IDs to script run activities.
- Added IdP SSO authentication to the BYOD mobile devices enrollment if that option is enabled for the team.
- Allowed overriding install/uninstall scripts, and specifying pre-install queries and post-install scripts, for Fleet-maintained apps in GitOps.
- Added support of `$FLEET_VAR_HOST_UUID` in Windows MDM configuration profiles.
- Added additional logging information for Windows MDM discovery endpoint when errors occur.
- Added support for last opened time for Linux software (DEB & RPM packages).
- NOTE: Package will need to be updated out-of-band once, because the pre-removal script from previously-generated packages is called upon an upgrade. The old pre-removal script stopped Orbit unconditionally. `fleet-osquery` can safely be updated through the Software page only _after_ a new package generated with this version of fleetctl has been installed through other means.
- Added indication of whether software on a host was never opened, vs. being a software type where last opened time collection is not supported.
- Added automatic install policies into host software responses.
### Other improvements and bug fixes
- Added permissions to OS updates page so that only global admins and the team admin can see the page.
- Cleared label membership when label platform changes (via GitOps).
- Improved public IP extraction for Fleet Desktop requests.
- Marked DDM profiles as failed if the response comes back with an Unknown Declaration Type error, and improved upload validation for declaration type.
- Modified `PUT /api/v1/fleet/spec/secret_variables` endpoint to only accept secret variables with uppercase letters, numbers and underscores.
- Updated software inventory so that when multiple version of a software are installed the last used timestamp for each version is properly returned.
- Revised stale vulnerabilities deletion (for false positive cleanup) to clear vulnerabilities touched before the current vulnerabilities run, instead of using a hard-coded threshold based on how often the vulns cron runs.
- Removed unintended broken sort on Fleet Desktop > Software > type column.
- Validated Gitops mode URL on frontend and backend.
- Updated to not log an error if EULA is missing for the `/setup_experience/eula/metadata` endpoint.
- Loosened validation during GitOps dry runs for software installer install/uninstall scripts that contain Fleet secrets.
- Added missing checks for invalid values before trying to store them in DB.
- Updated styles for turn on MDM info banner button.
- Updated DEB and RPM packages generated by `fleetctl package` so that they are now safe to upgrade in-band through the Software page.
- Updated so that individual script executions from batch jobs are now hidden from the global feed.
- Updated to attest the signed Windows Orbit binary instead of the unsigned one.
- Updated both Fleet desktop and osquery for macOS and Windows artifacts to attest the binaries inside archives.
- Made sure that if disk encryption is enabled and a TPM PIN is required, the user is able to set a TPM PIN protector.
- Removed `DeferForceAtUserLoginMaxBypassAttempts` from FileVault profile, to use default value of 0 to indicate the FileVault enforcement can not be deferred on next login.
- Updated go to 1.24.6.
- Fixed cases where the uninstall script population job introduced in Fleet 4.57.0 would attempt to extract package IDs on software that we don't generate uninstall scripts for, causing errors in logs and retries of the job.
- Fixed potential panic in error handler when Redis is down.
- Fixed a potential race condition where a host might be released before any profiles had been sent for installation, by checking the currently installed profiles against what is expected before releasing the device.
- Fixed invalid rate limiting applied on Fleet Desktop requests for which a public IP could not be determined.
- Fixed VPP token dropdown to allow user to choose "All teams" selection.
- Fixed an issue where Windows configuration profiles failed to validate because data escaped with `<![CDATA[...]]>` was not stripped by the profile verifier.
- Fixed an issue where a host could be stuck with a "Unlock Pending" label even if the unlock script was canceled.
- Fixed 5XX errors on `/api/v1/fleet/calendar/webhook/*` endpoint due to missing authorization checks.
- Fixed server panic when listing software titles for "All teams" with page that contains a software title with a policy automation in "No team".
- Fixed operating system icons from bleeding into software icons.
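The `PUT /api/v1/fleet/spec/secret_variables` entry above states the naming rule for secret variables (uppercase letters, numbers and underscores), and the GitOps dry-run entry mentions installer scripts that contain Fleet secrets. The Go program below is an added example, not Fleet code: it validates names against that rule and scans a profile or script body for secret references, reporting any that break the rule or are not defined on the server, the kind of check a dry run would perform. The `$FLEET_SECRET_<NAME>` / `${FLEET_SECRET_<NAME>}` placeholder syntax and the sample profile body are assumptions, not something the changelog states.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// secretNameRe encodes the naming rule from the changelog entry for
// PUT /api/v1/fleet/spec/secret_variables: uppercase letters, digits, underscores.
var secretNameRe = regexp.MustCompile(`^[A-Z0-9_]+$`)

// ValidSecretName reports whether name satisfies the naming rule.
func ValidSecretName(name string) bool {
	return secretNameRe.MatchString(name)
}

// secretRefRe finds $FLEET_SECRET_<NAME> and ${FLEET_SECRET_<NAME>} references.
// The placeholder syntax is an assumption for this example. Lowercase letters are
// accepted by the scanner on purpose so that badly named references get reported
// instead of silently ignored.
var secretRefRe = regexp.MustCompile(`\$\{?FLEET_SECRET_([A-Za-z0-9_]+)\}?`)

// SecretRefs returns the distinct secret names referenced in body, sorted.
func SecretRefs(body string) []string {
	seen := map[string]bool{}
	for _, m := range secretRefRe.FindAllStringSubmatch(body, -1) {
		seen[m[1]] = true
	}
	names := make([]string, 0, len(seen))
	for n := range seen {
		names = append(names, n)
	}
	sort.Strings(names)
	return names
}

// CheckSecretRefs mimics a GitOps dry-run check: every reference must use a
// valid name and must exist in defined (the names stored on the server).
// It returns the problems found; an empty slice means the body is clean.
func CheckSecretRefs(body string, defined map[string]bool) []string {
	var problems []string
	for _, n := range SecretRefs(body) {
		switch {
		case !ValidSecretName(n):
			problems = append(problems, fmt.Sprintf("invalid secret name %q", n))
		case !defined[n]:
			problems = append(problems, fmt.Sprintf("undefined secret %q", n))
		}
	}
	return problems
}

func main() {
	// Constructed profile fragment; the element names are illustrative only.
	body := "<string>$FLEET_SECRET_WIFI_PSK</string>\n" +
		"<data>${FLEET_SECRET_CA_CERT}</data>\n" +
		"$FLEET_SECRET_bad-name"
	defined := map[string]bool{"WIFI_PSK": true}
	for _, p := range CheckSecretRefs(body, defined) {
		fmt.Println("dry run:", p)
	}
}
```

Validating the name before looking it up keeps the two failure modes distinct in the output: a typo in the reference (wrong case, a hyphen) is a file problem, while a well-formed but unknown name means the secret has not been created on the server yet.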
## Fleet 4.72.1 (Aug 27, 2025)
### Bug fixes
- Fixed a potential race condition where a host might be released before any profiles had been sent for installation, by checking the currently installed profiles against what is expected before releasing the device.
- Added support for issuing host identity certificates through SCEP (Simple Certificate Enrollment Protocol) that `fleetd` can use with TPM 2.0 hardware to cryptographically sign all HTTP requests.
- Added flag `--fleet-managed-host-identity-certificate` to generate `fleetd` packages for linux that use TPMs to sign HTTP requests.
- Added `sso_server_url` configuration option to support SSO setups with separate URLs for admin access vs agent/API access. When set, SSO authentication will only work from the specified URL. This fixes SSO authentication errors for organizations using dual URL configurations.
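The `sso_server_url` entry above and the trailing-slash ACS URL fix listed further down in these notes are both about how the server URL is turned into SAML endpoints and checked. The Go program below is an added example, not Fleet's SSO code: `ACSURL` joins a configured server URL and a callback path without producing a double slash, `NaiveACSURL` shows the concatenation that caused the original double-slash failure, and `SSOAllowedFrom` models restricting SSO to the configured URL. The callback path, the scheme-and-host comparison and the function names are assumptions; the changelog does not describe Fleet's actual implementation.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ACSURL joins the configured server URL and the SAML ACS path. A trailing slash
// on serverURL (or a leading one on acsPath) no longer yields "//" in the result,
// which is what broke IdP-side ACS URL matching before the fix. The path is an
// assumed value for illustration.
func ACSURL(serverURL, acsPath string) (string, error) {
	u, err := url.Parse(serverURL)
	if err != nil {
		return "", err
	}
	if u.Scheme == "" || u.Host == "" {
		return "", errors.New("server URL must be absolute (scheme and host)")
	}
	u.Path = strings.TrimRight(u.Path, "/") + "/" + strings.TrimLeft(acsPath, "/")
	u.RawQuery, u.Fragment = "", "" // the ACS URL never carries query or fragment
	return u.String(), nil
}

// NaiveACSURL reproduces the pre-fix behaviour: plain string concatenation.
func NaiveACSURL(serverURL, acsPath string) string {
	return serverURL + acsPath
}

// SSOAllowedFrom models the sso_server_url option: when it is set, SSO is only
// accepted on requests whose scheme and host match it; when empty, the general
// server URL applies. The comparison rule is an assumption for this example.
func SSOAllowedFrom(requestURL, ssoServerURL, serverURL string) (bool, error) {
	want := ssoServerURL
	if want == "" {
		want = serverURL
	}
	w, err := url.Parse(want)
	if err != nil {
		return false, err
	}
	r, err := url.Parse(requestURL)
	if err != nil {
		return false, err
	}
	return strings.EqualFold(r.Scheme, w.Scheme) && strings.EqualFold(r.Host, w.Host), nil
}

func main() {
	const path = "/api/v1/fleet/sso/callback" // assumed callback path
	for _, base := range []string{"https://fleet.example.com", "https://fleet.example.com/"} {
		fixed, _ := ACSURL(base, path)
		fmt.Printf("%-32s naive=%s fixed=%s\n", base, NaiveACSURL(base, path), fixed)
	}
	ok, _ := SSOAllowedFrom("https://agents.example.com/login/sso",
		"https://admin.example.com", "https://agents.example.com")
	fmt.Println("SSO from agent URL allowed when sso_server_url is admin URL:", ok)
}
```

Because the IdP compares the ACS URL it receives with the one registered for the service provider, a stray `//` is a hard mismatch, not a cosmetic one; normalising at the point where the URL is built is the robust fix.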
### IT Admins
- Added support for Apple Account Driven User Enrollment for iOS/iPadOS when end user authentication is configured.
- Added support for MS-MDE2 v7.0 Windows MDM Enrollments.
- Added the following Fleet-maintained apps for macOS: iTerm2, Yubikey Manager, VNC Viewer, Beyond Compare.
- On the host details > software > library page and Fleet Desktop > Self-service page, show installer status and installer actions based on what software is detected in software inventory.
- On the host details > software > library page and Fleet Desktop > Self-service page, show users when software can be updated, allowing them to easily trigger an update and see fresh data after it completes.
- Updated VPP apps reported by osquery to retain their last install information when viewed in host software library.
- Switched to more comprehensive `UpgradeCode` based uninstall scripts when an `UpgradeCode` can be extracted from an MSI custom package.
### Other improvements and bug fixes
- Added support for `fleetd` TUF extensions on Linux arm64 and Windows arm64 devices.
- Added a fallback to package install path for extracting app names from uploaded PKG packages.
- Added special handling for version extraction of Fleet-maintained app manifests that reference a download URL that isn't version-pinned.
- Improved `fleetctl gitops` type error messages.
- Improved accuracy of auto-install queries for custom MSI packages by using a better identifier.
- Label created_at no longer factored in when scoping software packages by "exclude any" manual labels.
- Refactored `AddHostsToTeam` method to fix race condition introduced by global var.
- Changed `enable_software_inventory` to default to true if missing from gitops config.
- Modified backend for `GET /api/v1/fleet/commands` when filtering by `host_identifier` to address performance concerns and exhausting database connections when API is called concurrently for many hosts.
- Allowed users of Fleet in Primo mode to access Software automations and failing policy ticket & webhook automations.
- Updated UI to support personally enrolled MDM devices.
- Removed DEB and RPM installers from installable software lists on hosts with incompatible Linux distributions (e.g. Ubuntu for an RPM).
- Revised MSI uninstall scripts to wait for an uninstall to complete before returning and avoid restarting after an uninstall.
- Added back software mutation on ingestion to fix non-semver-compliant software versions, starting with DCV Viewer.
- Increased timeouts on `/fleet/mdm/profiles/batch` to better support customer workflows with large numbers of profiles.
- Made the Install and Uninstall detail modals for VPP and non-VPP apps consistent across the Fleet UI.
- Updated go to 1.24.6.
- Fixed issue with package ids ordering causing software installers' scripts to be inconsistently generated.
- Fixed incorrectly displayed status in controls OS Settings page, if a host was only pending or failing on declaration for removal.
- Fixed a bug where the certificate Distinguished Name (DN) parser did not allow forward slashes in a value, which resulted in a parsing error.
- Fixed an issue where the detected date for software vulnerabilities was not being pulled correctly from the database.
- Fixed missing empty host lists on manual labels in gitops.
- Fixed an issue where two banners would sometimes be displayed on the host details page.
- Fixed missing webhook url in automations tooltip.
- Fixed an issue where using `ESCAPE` in a `LIKE` clause caused SQL validation to fail.
- Fixed error when trying to escrow a linux disk key multiple times.
- Fixed silent failure when passing flags after arguments in `fleetctl`.
- Fixed wrongly formatted URL for EULA when accessing from Fleet UI and when shown in the iFrame for SSO callback.
- Fixed stale pending remove apple declarations, if the host was offline while adding and removing the same declaration.
- Fixed a case where a vulnerability would show up twice for a given operating system.
- Fixed specification of policy software automations via GitOps when referring to software by hash from a software YAML file.
- Fixed cases where the vulnerabilities list endpoint would count the same CVE multiple times for the `count` field returned with a result set.
- Fixed an issue where SSO URLs with trailing slashes would cause authentication failures due to double slashes in the ACS URL. Both regular SSO and MDM SSO URLs now properly handle trailing slashes.
- Fixed an issue during the DEP sync where errors such as 404 from the DEP API could result in devices never being assigned a cloud configuration profile.
- Fixed server panic when listing software titles for "All teams" with page that contains a software title with a policy automation in "No team".
- Added `sso_server_url` configuration option to support SSO setups with separate URLs for admin access vs agent/API access. When set, SSO authentication will only work from the specified URL. This fixes SSO authentication errors for organizations using dual URL configurations.
- Fixed an issue where SSO URLs with trailing slashes would cause authentication failures due to double slashes in the ACS URL. Both regular SSO and MDM SSO URLs now properly handle trailing slashes.
- Added support for MS-MDE2 v7.0 Windows MDM Enrollments.
- Updated CIS benchmarks for Windows 10 to version 3.
- Added support for IdP-based labels.
- Added last opened time for Windows applications.
- Updated `GET /hosts/:id/encryption_key` to return most recently archived encryption key if current key is not available.
- Added support for ingesting user's "Department" via SCIM and added support to set the `FLEET_VAR_HOST_END_USER_IDP_DEPARTMENT` variable on configuration profiles.
- Cleaned up false-positive vulnerabilities on Amazon Linux 2 hosts reported in Fleet <= 4.55.
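Two certificate-ingestion entries in these notes, the DN parser rejecting forward slashes in values and the earlier change to accept country codes longer than two characters and truncate over-long fields instead of failing, both come down to how a subject is parsed and then stored. The Go program below is an added example, not Fleet's parser: `ParseDN` reads an RFC 4514 style DN where only an unescaped comma separates RDNs (so `/` is an ordinary value character and `\,` or `\2C` escapes a literal comma), and `IngestSubject` keeps a three-letter country code as-is and truncates over-long values with a logged error rather than dropping the certificate. The 64-character limit, the attribute mapping and the omission of multi-valued (`+`) and quoted RDNs are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"strings"
)

// RDN is one attribute=value pair from a distinguished name.
type RDN struct{ Type, Value string }

// ParseDN parses a DN such as `CN=https://idp.example.com/saml,O=Acme\, Inc.,C=US`.
// Only an unescaped comma ends an RDN; backslash escapes the next character or a
// two-digit hex code. Multi-valued RDNs (`+`) and quoted values are not handled.
func ParseDN(dn string) ([]RDN, error) {
	var rdns []RDN
	var cur strings.Builder
	var typ string
	inValue := false
	flush := func() error {
		if !inValue {
			return fmt.Errorf("RDN without '=': %q", cur.String())
		}
		rdns = append(rdns, RDN{Type: strings.TrimSpace(typ), Value: cur.String()})
		cur.Reset()
		typ, inValue = "", false
		return nil
	}
	for i := 0; i < len(dn); i++ {
		c := dn[i]
		switch {
		case c == '\\':
			if i+1 >= len(dn) {
				return nil, errors.New("dangling escape at end of DN")
			}
			next := dn[i+1]
			if isHex(next) && i+2 < len(dn) && isHex(dn[i+2]) {
				cur.WriteByte(unhex(next)<<4 | unhex(dn[i+2])) // \2C style escape
				i += 2
			} else {
				cur.WriteByte(next) // \, \\ \+ style escape
				i++
			}
		case c == '=' && !inValue:
			typ = cur.String() // first '=' ends the attribute type
			cur.Reset()
			inValue = true
		case c == ',':
			if err := flush(); err != nil {
				return nil, err
			}
		default:
			cur.WriteByte(c) // '/', later '=' and everything else are plain value bytes
		}
	}
	if cur.Len() > 0 || inValue {
		if err := flush(); err != nil {
			return nil, err
		}
	}
	if len(rdns) == 0 {
		return nil, errors.New("empty DN")
	}
	return rdns, nil
}

func isHex(c byte) bool {
	return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F')
}

func unhex(c byte) byte {
	switch {
	case c >= '0' && c <= '9':
		return c - '0'
	case c >= 'a' && c <= 'f':
		return c - 'a' + 10
	default:
		return c - 'A' + 10
	}
}

// maxFieldLen is an assumed storage limit for a single subject field.
const maxFieldLen = 64

// IngestSubject maps RDNs to stored fields keyed by attribute type. A country
// code longer than two characters is kept as-is, and an over-long value is
// truncated (by rune, not byte) with a logged error instead of rejecting the cert.
func IngestSubject(rdns []RDN) map[string]string {
	out := map[string]string{}
	for _, r := range rdns {
		v := r.Value
		if rs := []rune(v); len(rs) > maxFieldLen {
			log.Printf("certificate field %s too long (%d chars), truncating", r.Type, len(rs))
			v = string(rs[:maxFieldLen])
		}
		out[strings.ToUpper(r.Type)] = v
	}
	return out
}

func main() {
	// Constructed subject with a URL (slashes) and an escaped comma in values.
	rdns, err := ParseDN(`CN=https://idp.example.com/saml/metadata,O=Acme\, Inc.,C=USA`)
	if err != nil {
		panic(err)
	}
	fmt.Println(IngestSubject(rdns))
}
```

A parser that splits on `/` is following the OpenSSL one-line display format rather than RFC 4514; subjects that embed URLs or paths, which are common in SAML and device certificates, break it, which is the failure the entry describes.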
### IT Admins
- Added the verification of user-scoped profiles on macOS.
- Added last opened time for Windows applications.
- Updated Windows Custom OS Settings including Win32/Desktop Bridge ADMX policies to now be marked verified after the host has acknowledged the MDM install command.
- Added support for "Host Vitals" label, starting with IdP-based labels which update automatically including after software installs.
- Displayed VPP apps installed on a host in the UI after command is acknowledged.
- Updated `GET /hosts/:id/encryption_key` to return most recently archived encryption key if current key is not available.
- Increased how often Fleet checks for new Fleet-maintained apps, from once per day to once per hour.
- Improved GitOps speed when managing software with hashes on a large number of teams.
- Separated host details software list into two separate sections: Inventory (software installed on a host) and Library (software available for installation on a host).
- Updated Apple profile verification code to disallow uploading profiles with the same identifier but differing PayloadScopes.
- Recorded installer URL when a Fleet-maintained app is added via the web UI or REST API.
- Added support for ingesting user's "Department" via SCIM and added support to set the `FLEET_VAR_HOST_END_USER_IDP_DEPARTMENT` variable on configuration profiles.
- Added support for the Apple MDM user channel. When a mobileconfig with a payloadscope of User is targeted for a host with a user channel connection, it will now be sent to the user channel.
- Added ability to add EULA end user sees during setup experience via gitops.
### Other improvements and bug fixes
- Added user property `api_only` to backend activity details.
- Replaced email with user full name for login activity.
- Added a new avatar for API-only users in the activity feed.
- Updated side navigation styles across the app.
- Added premium tier messaging to the certificates section on the integrations page.
- Removed ability to upload a EULA in the UI if gitops is enabled.
- Migrated from `aws-sdk-go` v1 to `aws-sdk-go-v2`.
- Optimized database queries for MDM enrollment checks when one host is being checked at a time.
- Replaced own SAML implementation with https://github.com/crewjam/saml.
- Increased page size for software versions shown on the software view page from 5 to 10.
- Added retries in `PATCH` policies API requests to fix deadlock errors in "Manage automations" page.
- Added missing team_name property on `/api/v1/fleet/hosts/identifier/:id` endpoint.
- Added missing "url" parameter when exporting YAML on software packages that have a URL specified (thanks @drvcodenta!)
- Improved performance when pulling team settings on osquery config and distributed read endpoints.
- Allowed team selection and name updates when saving a copy of an existing query as a new query.
- Updated Fleet maintained apps uninstall script to use `pkgutil` to remove applications files.
- Added functionality for verifying installation of VPP apps.
- Moved the SSO and Host status webhook settings from Settings > Organization to Settings > Integrations.
- Updated software installed activities created during setup experience to be correctly categorized as from automation.
- Fixed cases where valid operating system vulnerabilities would be periodically incorrectly purged.
- Fixed details not showing when the device page URL was edited.
- Fixed an issue where the `fleetctl` codesignature requirements couldn't be used to verify the codesignature of `fleetctl`.
- Fixed issue where IdP integration page did not show the premium feature message.
- Fixed a bug in the `fleetctl gitops` command when importing a `no-team.yml` containing scripts without a `default.yml`.
- Fixed a bug where Fleet-maintained app updates via GitOps wouldn't pull the latest version of Google Chrome on each run, and would display an invalid SHA256 hash in the UI and API.
- Fixed the host API to return an empty array (instead of 404) if a software title or version is not found on hosts in that team, consistent with other host filters.
- Fixed a bug with the run script modal on the Hosts page when running under the Free tier due to an invalid teamId filter.
- Fixed a case where host software counts wouldn't be updated if the host_software database table included one or more rows with a zero `software_id`.
- Fixed issue where attempting to lock an MDM-unenrolled macOS host was not returning the expected error.
- Fixed error when deleting a calendar event for a Google Workspace user that no longer exists.
- Fixed `fleetctl` panic caused by missing SSO settings during gitops generate.
- Fixed software title ID + installer status filters to return an empty array with 0 count instead of 404 when an installer is not present on a team.
- Fixed issue where iOS devices were not refetching at the expected cadence when re-enrolled without first deleting the host.
- Fixed bug with calendar/webhook endpoint that caused an error if the calendar event relates to a deleted host.
- Fixed host details > MDM OS settings tooltips from flashing during a host refetch.
- Fixed an issue where `macos_setup` would not always be exported by `fleetctl generate-gitops` when it should have been.
- Fixed host certificate source recording (including associated performance/database load issues) when multiple hosts share the same certificate on user keychains with differing usernames.
- Fixed software package version output in generated GitOps YAML.
- Fixed truncation of the MDM server url value on the about card on host details page.
- Fixed a bug that prevented users from adding VPP apps to macOS setup experience if the iOS version of the app was also added to their team software library.
- Fixed cases where installed-then-uninstalled software would show up in software inventory.
- Fixed automation tooltip not showing the correct filesystem log destination.
- Fixed SSO settings page returning 500 when SSO settings are undefined.
- Fixed the linux uninstall script.
- Fixed broken macOS users causing errors during query ingestion.
- Updated vulnerabilities feed to fall back to non-primary CVSSv2/v3 sources when primary (NVD) data is not available, instead of omitting scores entirely.
- Updated custom SCEP proxy implementation to include one-time challenges.
- Added the `source` and `username` fields for host certificates, reporting 'system' or 'user' based on which keychain it was from (for `macOS`, it will be 'user' if coming from the "login" keychain), and the corresponding `username` if the source is 'user'.
- Updated certificates card on the host details and my device page to show a new keychain column.
### IT Admins
- Enabled Android MDM support. The functionality is limited to turning on Android MDM and enrolling a BYOD device.
> **NOTE:** If your server was already using Android via the experimental DEV_ANDROID_ENABLED=1 flag, please turn off Android MDM before updating your Fleet server.
- Added support for filtering the hosts page for hosts with any of the 3 batch script execution statuses.
- Extended `POST /api/v1/fleet/hosts/:id/wipe` endpoint to allow users to specify the type of remote wipe for windows hosts.
- Improved releasing a macOS device during ADE enrollment, by increasing the frequency of checks for readiness.
- Added an audit log activity item for automatic install policy creation.
### Other improvements and bug fixes
- Updated the Open Policy Agent (OPA) dependency to v1.4.2.
> **NOTE**: This upgrade drops support for YAML 1.1 in configuration files. If you use the `-c` option to specify a configuration file when starting the Fleet server, you will need to update any `yes` or `on` values in the file to `true`, and any `no` or `off` values to `false`.
- Improved error and loading state for self-service page.
- Implemented searching the teams dropdown.
- Removed sort column buttons for host software columns that do not support sorting.
- Updated migrations to use the `utf8mb4_unicode_ci` collation across all tables and added a test to validate that new migrations use this collation.
- Added new optional parameter `--outfile` to fleetctl package to override the filename being generated.
- Updated software detection so that a new installer uploaded over an FMA app does not report as an FMA app.
- Improved error when trying to apply builtin labels.
- Updated copy and remove platform callout in manage automations modal.
- Updated UI references to "Frequency" to now say "Interval".
- Prevented editing the UI MDM > End user migration section when GitOps mode is enabled, since this is GitOps-configurable.
- Made the gap between characters in password fields consistent.
- Updated to consistent 14px font size across all input and dropdown fields.
- Removed username requirements for certain MDM CIS policies.
- Added macOS redis cluster support.
- Changed to using the DeleteObject S3 API for GCP interoperability.
- Updated to use the Source Code Pro font in the Disk encryption key modal for clear differentiation between the letter oh and the number zero.
- Updated go to 1.24.4.
- Fixed result count shown when running a policy.
- Fixed bug with the 'Observers can run this query' tooltip due to missing styling rules.
- Fixed possible user invite race condition.
- Fixed issue where NDES SCEP admin page was parsed using wrong UTF16 endianness.
- Fixed manual labels in gitops not selecting hosts by hardware serial or uuid.
- Fixed a database bug where the `host_uuid` column was too small in some secondary tables related to ADE-enrollment and IdP accounts.
- Fixed missing CORS header check for JSON requests.
- Fixed bug when listing software titles for 'All teams' which caused duplicated entries.
- Fixed a bug that caused custom OS settings targeted using "include any" label rules to never verify on hosts that only included a subset of the targeted labels.
- Fixed the Docker Fleet-maintained app install script to prevent a successful install from showing up as a failure due to directory existence checks (live as of 2025-06-13 FMA update).
- Fixed issue causing a 500 error when clicking "Manage Automations" from the Queries page when osquery logging has certain configurations.
- Fixed issue where you could not delete a bootstrap package.
- Fixed policy autofill using incorrect media-type for query.
- Fleet Free: Removed the installer dropdown (Premium-only) from the Software page and Host details > Software tab as installer filtering isn’t applicable on the Free tier.
- Fixed issue where users were not able to reenable end user migration in the UI.
- Added vulnerability detection via OVAL for Ubuntu 24.10 and 25.04.
- Added ability to sync end user's IdP information with Microsoft Entra ID using SCIM protocol.
- Added ability to sync end user's IdP information with Authentik using SCIM protocol.
- Updated Windows 11 Enterprise CIS policies to version 4.0.
- Added new Detail Query 'luks_verify' used to verify if the stored LUKS key is valid.
- Added additional checks to vulnerability feed validation to prevent deploying an un-enriched NVD feed.
- Added SHA256 hash of Mac applications to signature information in host software response.
- Added `FLEET_AUTH_SSO_SESSION_VALIDITY_PERIOD` environment variable for overriding how long end users have to complete SSO.
- Added ability to execute scripts on up to 5,000 hosts at a time using filters.
- Added ability to run a script on all hosts that match the current set of supported filters.
- Added a new API `GET /scripts/batch/summary/:batch_execution_id` endpoint for retrieving a summary of the current state of a batch script execution.
- Added the endpoint `POST /api/v1/fleet/configuration_profiles/resend/batch` to resend a profile to all hosts that satisfy the filter.
- Added a starter library that is automatically applied to all new Fleet instances during setup.
### IT Admins
- Added ability to execute scripts on up to 5,000 hosts at a time using filters.
- Added ability to run a script on all hosts that match the current set of supported filters.
- Added a new API `GET /scripts/batch/summary/:batch_execution_id` endpoint for retrieving a summary of the current state of a batch script execution.
- Added the endpoint `POST /api/v1/fleet/configuration_profiles/resend/batch` to resend a profile to all hosts that satisfy the filter.
- Added ability to uninstall software via Self-service tab of My device.
- Added a starter library that is automatically applied to all new Fleet instances during setup.
- Added `FLEET_MDM_SSO_RATE_LIMIT_PER_MINUTE` environment variable to allow increasing MDM SSO endpoint rate limit from 10 per minute. When supplied, this parameter also splits MDM SSO into its own rate limit bucket (default is shared with login endpoints).
- Added ability to sync end user's IdP information with Microsoft Entra ID using SCIM protocol.
- Added ability to sync end user's IdP information with Authentik using SCIM protocol.
- Updated Apple MDM enrollment to skip webview popup when end user authentication is disabled.
- Added SHA256 hash of Mac applications to signature information in host software response.
- Added UI to filter hosts by config profile status.
- Added UI for seeing custom profile status and to batch resend to hosts its failed on.
- Added filtering for hosts endpoints by MDM config profile and status.
- Added immediate cancellation of profile delivery when a profile is deleted; if it had already been installed then its removal will be pending.
- Added ability to turn off MDM for iPhone and iPad hosts on the hosts details page.
- Added ability for gitops mode to add a custom package on the software page to then copy/paste the YAML needed for packages that cannot be referenced with a URL.
### Other improvements and bug fixes
- Fixed issue where SSO settings, SMTP settings, Features and MDM end-user authentication settings would not be cleared if they were omitted from YAML files used in a GitOps run.
> **GITOPS USERS:** If you have these settings configured via the Fleet web application and you use GitOps to manage your configuration, be sure settings are present in your global YAML settings file before your next GitOps run.
- Added Neon to the list of platforms that are detected as Linux distributions.
- Updated scripts so that editing will now cancel queued executions.
- Warned users of the consequences when updating script contents.
- Improved effectiveness of app-wide text-truncation-into-tooltip functionality.
- Prevented misleading UI when a saved script's contents have changed by only showing a run script activity's script contents if the script run was ad-hoc.
- Stopped policy automations from running on macOS hosts until after setup experience finishes so that Fleet doesn't attempt to install software twice.
- Added tooltip informing users a test email will be sent when SMTP settings are changed.
- Added copyable SHA256 hash to the software details page.
- Added device user API error state to replace generic Fleet UI error state in Fleet desktop.
- Revised PKG custom package parsing to pick the correct app name and bundle ID in more instances.
- Ensured consistent failing policies and total issues counts on the host details page by re-calculating these counts every time the API receives a request for that host.
- Allowed Fleet secret environment variables for the macOS setup script.
- Validated uploaded bootstrap package to ensure that it is a Distribution package since that is required by Apple's InstallEnterpriseApplication MDM command.
- Modified the Windows MDM detection query to more accurately detect existing MDM enrollment details on hosts with multiple enrollments.
- Created consistent UI for the copy button of an input field.
- Updated the notes for the `disk_info` table to clarify usage in ChromeOS.
- Fixed an issue where the cursor on the SQL editor would sometimes become misaligned.
- Fixed slight style issues with the user menu.
- Fixed an issue where adding/updating a manual label had inconsistent results when multiple hosts shared a serial number.
- Fixed reading disk encryption key not showing up in host activities.
- Fixed a bug where a host that was wiped and re-enrolled without deleting the corresponding host row in Fleet had its old Google Chrome profiles (and other osquery-based data) showing for about an hour.
- Fixed an issue in the database migrations released in 4.68.0 where Apple devices with UDID values longer than 36 characters would cause a failure in the migration process; the `host_uuid` column for tables added by that migration has been increased to accommodate these longer UDID values.
- Fixed an issue with the GitOps command that prevented non-managed labels from being deleted if they were used by software installations.
- Fixed several corner cases with Apple DDM profile verification, including a migration to clear out "remove" operations with invalid status.
- Fixed a bug that caused a 500 error when searching for non-existent Fleet-maintained apps.
- Fixed a bug where global observers could access the "delete query" UX on the queries table.
- Fixed parsing of some MSI installer names.
- Fixed a bug where deleting an upcoming activity did not ensure the upcoming activities queue made progress in some cases.
- Fixed a CIS query (Ensure Show Full Website Address in Safari Is Enabled).
- Added `FLEET_MDM_SSO_RATE_LIMIT_PER_MINUTE` environment variable to allow increasing MDM SSO endpoint rate limit from 10 per minute. When supplied, this parameter also splits MDM SSO into its own rate limit bucket (default is shared with login endpoints).
- Built Fleet integration with Microsoft Entra to conditionally prevent single sign-on for hosts failing policies.
- Added ability to set conditional access per policy, and update host policy UI to incorporate conditional access data.
- Added CVE ID as matching criteria for host software queries, in addition to software name. Also rebuilt host software querying for better maintainability.
- Updated Fleet-managed DigiCert, NDES, and SCEP certificates to be renewed 30 days before expiry for those valid longer than 30 days or when half the validity period remains for certificates valid 30 days or less. Applies to certificates requested using this release or later.
- Added webhook as a logging configuration option.
- Added webhook query automation logging.
- Added shell and Powershell syntax highlighting when editing scripts.
- Added ability to run a script on a batch of hosts with a single user flow.
- Added download validation and existing-installer matching in GitOps via a new `hash_sha256` field in software YAML.
- Added `hash_sha256` field to the response for the `GET /software/titles` API.
- Added `fleetctl generate-gitops` command to generate gitops YAML files based on current Fleet configuration.
- Enabled saving Integrations > Advanced in GitOps mode.
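To make the bucket semantics of `FLEET_MDM_SSO_RATE_LIMIT_PER_MINUTE` concrete, here is an added Go example written for this page; it is not Fleet's limiter code, and it assumes a simple fixed one-minute window rather than whatever algorithm the server actually uses. The `Config` and `Limiter` types and the endpoint classes `login` and `mdm_sso` are names chosen for the example. It shows that with the variable unset, ten login attempts from one client also exhaust MDM SSO for that client, while a supplied value gives MDM SSO its own bucket:

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Config models the two limits described above: the fixed 10/min limit on the
// login endpoints and the optional FLEET_MDM_SSO_RATE_LIMIT_PER_MINUTE value.
// A zero MDMSSOPerMinute means the variable was not supplied, in which case
// MDM SSO draws from the login bucket.
type Config struct {
	LoginPerMinute  int
	MDMSSOPerMinute int
}

// bucket is a fixed one-minute window counter (a simplification chosen for
// this example; the real server may use a different limiter algorithm).
type bucket struct {
	limit       int
	windowStart time.Time
	count       int
}

func (b *bucket) allow(now time.Time) bool {
	if now.Sub(b.windowStart) >= time.Minute {
		b.windowStart, b.count = now, 0
	}
	if b.count >= b.limit {
		return false
	}
	b.count++
	return true
}

// Limiter keeps one bucket per (client, bucket name) pair.
type Limiter struct {
	mu      sync.Mutex
	cfg     Config
	buckets map[string]*bucket
}

func NewLimiter(cfg Config) *Limiter {
	return &Limiter{cfg: cfg, buckets: make(map[string]*bucket)}
}

// bucketFor maps an endpoint class to the bucket it draws from. "login"
// stands for the login endpoints, "mdm_sso" for the MDM SSO endpoints.
func (l *Limiter) bucketFor(endpoint string) (name string, limit int) {
	if endpoint == "mdm_sso" && l.cfg.MDMSSOPerMinute > 0 {
		return "mdm_sso", l.cfg.MDMSSOPerMinute // dedicated bucket
	}
	return "login", l.cfg.LoginPerMinute // default: shared with login
}

// Allow reports whether a request from client to endpoint may proceed at now.
func (l *Limiter) Allow(client, endpoint string, now time.Time) bool {
	name, limit := l.bucketFor(endpoint)
	key := client + "|" + name
	l.mu.Lock()
	defer l.mu.Unlock()
	b, ok := l.buckets[key]
	if !ok {
		b = &bucket{limit: limit, windowStart: now}
		l.buckets[key] = b
	}
	return b.allow(now)
}

func main() {
	now := time.Unix(1700000000, 0)
	shared := NewLimiter(Config{LoginPerMinute: 10})
	for i := 0; i < 10; i++ {
		shared.Allow("10.0.0.5", "login", now)
	}
	// Variable unset: ten login attempts exhaust MDM SSO for the same client.
	fmt.Println("shared: MDM SSO after 10 logins ->", shared.Allow("10.0.0.5", "mdm_sso", now))

	split := NewLimiter(Config{LoginPerMinute: 10, MDMSSOPerMinute: 60})
	for i := 0; i < 10; i++ {
		split.Allow("10.0.0.5", "login", now)
	}
	fmt.Println("split: MDM SSO after 10 logins ->", split.Allow("10.0.0.5", "mdm_sso", now))
}
```

The practical consequence of the shared default is that a burst of failed logins from a NAT address can block MDM enrollment for everyone behind it; supplying the variable isolates the two traffic classes.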
### IT Admins
- Added ability to run a script on a batch of hosts with a single user flow.
- Added the ability to upload and install tarball archives (.tar.gz).
- Added support for Fleet-maintained apps in GitOps.
- Added ability to add FMA via `fleetctl` YAML files.
- Added shell and Powershell syntax highlighting when editing scripts.
- Added query ID to query automation logs.
- Added UI for the manual agent install of a bootstrap package.
- Added categorization for self-service software, including filtering on the "My device" page.
- Added number of policies triggering automatic install of software in software table.
- Added webhook as a logging configuration option.
- Added webhook query automation logging.
- Added download validation and existing-installer matching in GitOps via a new `hash_sha256` field in software YAML.
- Added `hash_sha256` field to the response for the `GET /software/titles` API.
- Added support for `FLEET_VAR_HOST_END_USER_IDP_USERNAME`, `FLEET_VAR_HOST_END_USER_IDP_USERNAME_LOCAL_PART` and `FLEET_VAR_HOST_END_USER_IDP_GROUPS` fleet variables in macOS MDM configuration profiles.
- Added `last_mdm_enrolled_at` and `last_mdm_checked_in_at` to host detail endpoints to return the last time a host enrolled, or re-enrolled in MDM and the last time a host checked in via MDM, respectively.
- Added `fleetctl generate-gitops` command to generate gitops YAML files based on current Fleet configuration.
- Updated Fleet-managed DigiCert, NDES, and SCEP certificates to be renewed 30 days before expiry for those valid longer than 30 days or when half the validity period remains for certificates valid 30 days or less. Applies to certificates requested using this release or later.
- Updated host certificate display so that serial numbers below 2^63 are shown in decimal in addition to hex, making it easier to match them to what the macOS keychain displays.
- Updated Install Status to correctly display available for self-service VPP apps.
- Logged invalid Windows MDM SOAP messages and returned 400 instead of 5XX to help debug Windows MDM issues.
- Added `macos_setup.manual_agent_install` option in Mac setup experience to bypass fleetd install; instead, fleetd should be installed via a customer-customized bootstrap package.
- Allowed uploading VPP apps when GitOps mode is enabled.
- Allowed viewing the status details for an (un)install via the "My device" page.
- Updated Apple MDM enrollment flow to improve device-to-user mapping.
- Updated verification of Windows Wireless profiles to avoid resending already-applied profiles.
- Enabled saving Integrations > Advanced in GitOps mode.
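The renewal rule for Fleet-managed DigiCert, NDES and SCEP certificates (30 days before expiry when validity is longer than 30 days; when half the validity remains when validity is 30 days or less) and the decimal serial display for serials below 2^63 are both easy to get wrong at the boundaries. This added Go example is not Fleet's implementation; `RenewalTime`, `ShouldRenew`, `SerialDisplay` and `Describe` are names chosen here, and the certificates are constructed with only the fields the rules need. It encodes both rules and exercises the exactly-30-days and 2^63 edges:

```go
package main

import (
	"crypto/x509"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// renewLead is the fixed lead time for certificates valid longer than 30 days.
const renewLead = 30 * 24 * time.Hour

// RenewalTime returns when renewal of a managed certificate is due:
//   - validity longer than 30 days: 30 days before NotAfter;
//   - validity of 30 days or less: when half the validity period remains.
func RenewalTime(notBefore, notAfter time.Time) time.Time {
	validity := notAfter.Sub(notBefore)
	if validity > renewLead {
		return notAfter.Add(-renewLead)
	}
	return notBefore.Add(validity / 2)
}

// ShouldRenew reports whether renewal is due at now (inclusive).
func ShouldRenew(now, notBefore, notAfter time.Time) bool {
	return !now.Before(RenewalTime(notBefore, notAfter))
}

// twoPow63 is the smallest serial that does not fit a signed 64-bit integer.
var twoPow63 = new(big.Int).Lsh(big.NewInt(1), 63)

// SerialDisplay renders a serial as upper-case hex and, for values below 2^63,
// also as decimal; larger serials are shown in hex only.
func SerialDisplay(serial *big.Int) (hexStr, decStr string, hasDecimal bool) {
	hexStr = strings.ToUpper(serial.Text(16))
	if serial.Sign() >= 0 && serial.Cmp(twoPow63) < 0 {
		return hexStr, serial.String(), true
	}
	return hexStr, "", false
}

// Describe applies both rules to a parsed certificate.
func Describe(c *x509.Certificate, now time.Time) string {
	hexS, decS, ok := SerialDisplay(c.SerialNumber)
	serial := hexS
	if ok {
		serial = fmt.Sprintf("%s (%s)", hexS, decS)
	}
	return fmt.Sprintf("serial %s, renew at %s, due now: %t",
		serial, RenewalTime(c.NotBefore, c.NotAfter).Format(time.RFC3339),
		ShouldRenew(now, c.NotBefore, c.NotAfter))
}

func main() {
	nb := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	// Constructed certificates: only the fields the rules need are populated.
	yearCert := &x509.Certificate{SerialNumber: big.NewInt(123456), NotBefore: nb, NotAfter: nb.AddDate(1, 0, 0)}
	shortCert := &x509.Certificate{SerialNumber: twoPow63, NotBefore: nb, NotAfter: nb.Add(10 * 24 * time.Hour)}
	now := time.Date(2025, 12, 2, 0, 0, 0, 0, time.UTC)
	fmt.Println(Describe(yearCert, now))  // renew at 2025-12-02, due now: true
	fmt.Println(Describe(shortCert, now)) // renew at 2025-01-06, hex-only serial
}
```

Note that a certificate valid exactly 30 days falls under the half-validity branch (renewal after 15 days), not the 30-days-before branch, which would otherwise trigger renewal at issuance.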
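The `hash_sha256` field listed above (it appears under both personas) pins the installer content a GitOps run expects. As an added example that is not Fleet's own code, the following Go program shows the two uses the field has: validating a download by streaming it through SHA-256 with a constant-time comparison, and matching the hash against installers already stored so the package is not downloaded and uploaded again. The function names and the sample payload are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"io"
	"strings"
)

// HashMismatchError reports an installer whose content does not match the
// hash_sha256 value pinned in the software YAML.
type HashMismatchError struct {
	Expected, Actual string
}

func (e *HashMismatchError) Error() string {
	return fmt.Sprintf("installer hash mismatch: expected %s, got %s", e.Expected, e.Actual)
}

// parseHash normalizes a hash_sha256 value: trims whitespace, lower-cases it
// and requires exactly 64 hex characters (32 bytes).
func parseHash(h string) ([]byte, error) {
	b, err := hex.DecodeString(strings.ToLower(strings.TrimSpace(h)))
	if err != nil || len(b) != sha256.Size {
		return nil, fmt.Errorf("hash_sha256 must be %d hex characters, got %q", sha256.Size*2, h)
	}
	return b, nil
}

// VerifyInstaller streams the downloaded installer through SHA-256 and
// compares the digest with the pinned value in constant time. It returns the
// computed hash (lower-case hex) in either case so callers can log or store it.
func VerifyInstaller(r io.Reader, expectedHex string) (string, error) {
	want, err := parseHash(expectedHex)
	if err != nil {
		return "", err
	}
	h := sha256.New()
	if _, err := io.Copy(h, r); err != nil {
		return "", fmt.Errorf("reading installer: %w", err)
	}
	got := h.Sum(nil)
	gotHex := hex.EncodeToString(got)
	if subtle.ConstantTimeCompare(got, want) != 1 {
		return gotHex, &HashMismatchError{Expected: hex.EncodeToString(want), Actual: gotHex}
	}
	return gotHex, nil
}

// FindExistingInstaller returns the index of an already-stored installer with
// the same SHA-256, so a GitOps run can reuse it instead of re-uploading.
// Both sides are normalized before comparison.
func FindExistingInstaller(stored []string, hashHex string) (int, bool) {
	want, err := parseHash(hashHex)
	if err != nil {
		return -1, false
	}
	for i, s := range stored {
		if have, err := parseHash(s); err == nil && bytes.Equal(have, want) {
			return i, true
		}
	}
	return -1, false
}

func main() {
	// Constructed sample payload; a real run would read the downloaded file.
	payload := []byte("#!/bin/sh\necho 'not a real installer'\n")
	sum := sha256.Sum256(payload)
	pinned := hex.EncodeToString(sum[:]) // what hash_sha256 would carry in YAML

	if got, err := VerifyInstaller(bytes.NewReader(payload), strings.ToUpper(pinned)); err != nil {
		fmt.Println("verify failed:", err)
	} else {
		fmt.Println("verified", got)
	}
	tampered := append(append([]byte{}, payload...), '\n') // one extra byte: fails closed
	if _, err := VerifyInstaller(bytes.NewReader(tampered), pinned); err != nil {
		fmt.Println("tampered download rejected:", err)
	}
	if i, ok := FindExistingInstaller([]string{"deadbeef", pinned}, pinned); ok {
		fmt.Println("reusing stored installer at index", i)
	}
}
```

Hashing the stream rather than a buffered copy keeps memory flat for multi-gigabyte installers, and rejecting malformed hash strings up front avoids silently accepting a truncated value from a hand-edited YAML file.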
### Other improvements and bug fixes
- Added hover cursors to checkbox and radio form elements.
- Added keyboard accessibility controls to activities on dashboard and host details pages.
- Added an additional statistic item to count ABM pending hosts.
- Added truncation and a conditional tooltip for long host names on the host details page.
- Updated the parser used when editing SQL in the UI to handle modern expressions like window functions.
- Updated "My device" page layout.
- Updated Google Calendar event bodies and relevant previews in the Fleet UI.
- Updated error message and related documentation for Windows MDM configuration.
- Updated UI to show the premium feature message when viewing the GitOps mode toggle page on Fleet free.
- Cleaned up various empty and configured states on the settings pages.
- Improved performance on database migration from 4.66 and earlier for instances with large macOS host counts.
- Removed Apple MDM profile validation checks for com.apple.MCX keys (dontAllowFDEDisable and dontAllowFDEEnable) due to customer feedback.
- Removed Fleet config no team settings when the `no-team.yml` file is removed via GitOps.
- Updated Go to 1.24.2.
- Fixed an issue where the upcoming host activities showed the incorrect created at date in the tooltip.
- Fixed a bug where Fleet failed to restore some "pending" hosts (i.e. hosts that remained assigned to Fleet in Apple Business Manager) when multiple hosts were deleted from Fleet.
- Fixed an issue with how names for macOS software titles were calculated, which prevents duplicate entries from being created if the software is renamed by end users.
- Fixed an issue where an Apple device that was removed from and re-added to ABM did not get an enrollment profile.
- Fixed issue where `fleetctl gitops --dry-run` would sometimes fail when creating and using labels in the same run.
- Fixed a small bug with the way live policy result percentages were being rounded.
- Fixed an issue where selections made on the Queries page were cleared a few seconds after page load.
- Fixed an issue with the gitops command caused when trying to interpolate variables inside the 'description'/'remediation' sections.
- Fixed `fleetctl gitops` issue where creating a new team containing VPP apps caused an error.
- Fixed issue where GitOps may fail to apply new queries due to deadlocks.
- Fixed spurious install/uninstall script errors on EXE software edits when install and uninstall scripts were specified.
- Fixed issue where the host expiry window caused MDM devices assigned to Fleet in Apple Business Manager (ABM) to be repeatedly deleted and re-added to Fleet, which in some cases also caused the device to revert to the default team.
- Removed error caused by macOS electron helper apps during ingestion.
- Added a temporary index during macOS software names migration to speed up host software installed paths cleanup introduced in 4.67.2. This change only affects upgrades from pre-4.67.0 versions.
- Fixed software deduplication when migrating from <4.67.0 for cases where exactly two software entries would be merged into one, and for cases where the same bundle ID has more than one version, each with more than one entry that needs to be converted into a single software entry.
- Included host software installed paths migration in the above database migration, instead of waiting for software ingestion to repopulate/clean up affected rows.
## Fleet 4.67.1 (Apr 26, 2025)
- Removed updates of existing macOS software names on software ingestion to remediate a significant database performance regression introduced in 4.67.0.
- Added ability to set labels on policies via GitOps.
- Added backend support for labels on policies.
- Added ability to cancel upcoming host activities in the UI.
- Added the `DELETE /api/latest/fleet/hosts/:id/activities/upcoming/:activity_id` endpoint to cancel an upcoming activity for a host.
- Added support for native Windows ARM64 in fleetd (`fleetctl package --arch=arm64 --type=msi`).
### IT Admins
- Added SCIM integration, which allows IdP email, full name, and groups to be visible in host vitals. SCIM data is also used for getting the end user's full name during end user authentication of macOS setup flow, if needed. Currently, only Okta IdP is supported.
- Added a new IDP section to the integrations page where users can see their SCIM connection status.
- Added new users card on host details and my device page that shows host end user and IDP information.
- Added ability to set labels on policies via GitOps.
- Added backend support for labels on policies.
- Added ability to cancel upcoming host activities in the UI.
- Added the `DELETE /api/latest/fleet/hosts/:id/activities/upcoming/:activity_id` endpoint to cancel an upcoming activity for a host.
- Added support for native Windows ARM64 in fleetd (`fleetctl package --arch=arm64 --type=msi`).
- Added logging for invalid Windows MDM SOAP message and return 400 instead of 5XX to help debug Windows MDM issues.
- Removed Apple MDM profile validation checks for com.apple.MCX keys (dontAllowFDEDisable and dontAllowFDEEnable) due to customer feedback.
- Fixed a bug where BYOD iDevices deleted in Fleet but still enrolled in MDM were not re-created on the next MDM checkin.
- Fixed an issue with how names for macOS software titles were calculated, which prevents duplicate entries from being created if the software is renamed by end users.
### Other improvements and bug fixes
- Added support for `vmodule` hidden osquery flag to assist with debugging.
- Added an additional statistic item to count ABM pending hosts.
- Added a timeout so the desktop app retries if not displayed after 1 minute.
- Updated UI to allow adding labels when saving or editing polices.
- Included newly created host ids in activities generated when hosts enroll in fleet.
- Moved the "view all hosts" link onto the host count of the software, OS, and vulnerability details pages.
- Updated Go to v1.24.1.
- Updated UI tables to truncate with tooltips for software, query, and policy names and improved keyboard accessibility to those clickable elements.
- Updated to accept any "http://" or "https://" prefixed URL to allow for easier testing.
- Updated apmhttp package to fix upload of medium/big sized software packages in environments where APM tracing is enabled.
- Fixed UI Gitops Mode getting cleared when other settings are modified.
- Fixed invalid default serial numbers being displayed for some hosts.
- Fixed pagination resetting the platform filter on the operating system UI table.
- Fixed issue where `fleetctl gitops --dry-run` would sometimes fail when creating and using labels in the same run.
- Added integration with DigiCert Trust Lifecycle Manager. Fleet admins can now deploy DigiCert certificates to their macOS devices via configuration profiles.
- Updated activity log UI for new certificate authority features.
- Updated host details > software table to filter by vulnerability severity and known exploit.
- Returned more granular data for live query and policy runs so it can be displayed to users.
- Allowed adding labels when saving or editing queries in the UI.
- Added support for queries with LabelsIncludeAny in backend.
- Added `author_id` to labels DB table to track who created a label.
- Removed duplicate download/delete attempts for MSRC bulletins when hosts are enrolled spanning multiple builds of the same version of Windows.
- Split up expired query deletion to avoid deadlocks in zero-trust flows.
- Moved software version transformations for vulnerability matching out of software ingestion to ensure software inventory versions match what osquery reports.
- Modified host software query to apply the vulnerability filter on VPP apps and latest software installs & uninstalls.
- Fixed false positive on macOS 15.3 by making sure we match the version format reported by Vulncheck.
- Fixed false positive for CVE-2024-6286 on non-Windows hosts.
### IT Admins
- Added support for Fleet-maintained apps for Windows.
- Added integration with a custom SCEP server. Fleet admins can now deploy certificates from their own SCEP server to their macOS devices via configuration profiles. The SCEP server will only see traffic from the Fleet server.
- Returned more granular data for live query and policy runs so it can be displayed to users.
- Added support for queries with LabelsIncludeAny in backend.
- Allowed adding labels when saving or editing queries in the UI.
- Updated macOS setup experience to show an error if an App Store app installation fails due to lack of licenses.
- Added `platform` key to `software_package` and `app_store_app` keys throughout API.
- Improved error messages when Fleet admin tries to upload a FileVault (macOS) or a BitLocker (Windows) configuration profile.
- Ignored compatible Linux hosts in disk encryption statistics and filters if disk encryption is disabled.
- Allowed for any number of comments at the top of XML files for Windows MDM profile CSPs.
- Disabled unsupported automatic install option during add flow of .exe custom packages.
- Updated Fleet to treat software installer download errors as a failure for that installation attempt, which prevents the software installation from remaining in "pending".
- Added Apple Root Certificate for HTTP requests to https://gdmf.apple.com/v2/pmv. This solves the issue of minimum macOS version not being enforced at enrollment.
- Removed unreliable default (un)install scripts for .exe software packages; install and uninstall scripts are now required when adding .exe packages.
- Added software URL validation in GitOps to catch URL parse errors earlier.
### Other improvements
- Updated the empty states when choosing a label scope for new software, queries, and profiles.
- Clarified meanings of various types and fields involved in live query/policy infrastructure, document, and refactor for improved code clarity.
- Added configuration to Fleet server to enable H2C (forcing http2) to get around a limitation in GCP Cloud Run for upload file sizes.
- Added validation to both org logo URL fields, and accept data URIs as valid.
- Fixed an error when requesting the `/fleet/software/titles` endpoint unpaginated with > 33k software titles by batching the policies-by-software-title-id query.
- Fixed an issue where removing label conditions on configuration profiles (e.g. `labels_include_any`, `labels_include_all` or `labels_exclude_any`) did not clear the labels associated with the profile when applied via `fleetctl gitops`.
- Added UI for viewing certificate details on the host details and my device pages.
- Added new features to include certificates in host vitals for macOS, iOS, and iPadOS.
- Added the list host certificates (and list device's certificates) endpoints.
- Improved the copy for the delete and transfer host modal to be more clear about the disk encryption key behavior.
- Permitted setting SSO `metadata` and `metadata_url` in GitOps and the UI.
- Fixed an issue where the Show Query modal would truncate large queries.
- Fixed Python for Windows software version mutation to avoid panics on software ingestion in some cases.
- Prevented an invalid `FLEET_VULNERABILITIES_MAX_CONCURRENCY` value from causing deadlocks during vulnerability processing.
- Updated default for vulnerabilities max concurrency from 5 to 1.
- Updated CPE generation to more closely align with CPEs use in vulnerability feeds.
- Changed software version CVE resolved in version parsing and comparison to use custom code rather than semver.
- Added new (as of 2025-03-07) archives page to data source for MS Mac Office vulnerability feed (applies to vulnerabilities feed rather than a specific Fleet release).
- Fixed an issue with Fleet's processing of Python versions to ensure that the correct CPEs are checked for vulnerabilities.
- Fixed an issue with increased resource usage during vulnerabilities processing by adding database indexes.
- Fixed false-positives on released PowerShell versions for CVE-2025-21171 and all PowerShell versions on CVE-2023-48795.
- Implemented GitOps mode that locks settings in the UI that are managed by GitOps.
- Allowed VPP apps to be automatically installed via a Fleet-created policy.
- Added ability for users to automatically install App Store Apps without writing a policy in the Fleet UI.
- Updated the UI for adding and editing software for a cleaner, cohesive experience.
- Added auto-install to FMA via the API, replacing a more brittle client-side implementation.
- Added pagination inside each of the Manage Automations modals for policies.
- Added script execution to the new `upcoming_activities` table.
- Added software installs to the new `upcoming_activities` table.
- Added vpp apps installs to the new `upcoming_activities` table.
- Updated the list upcoming activities endpoint to use the new `upcoming_activities` table as source of truth.
- Added support to activate the next activity when one is enqueued or when one is completed.
- Added UI to the BYOD enrollment page to support enrolling Android devices into Fleet MDM.
- Added UI to turn on and off Android MDM.
- Added Android MDM activities.
> **NOTE:** Android features are currently experimental and disabled by default. To enable, set `ANDROID_FEATURE_ENABLED=1`.
- Updated UI for device user page with improved instructions for turning on MDM.
- Added `PATCH /api/latest/fleet/software/titles/:id/name` endpoint for cleaning up incorrect software titles for software that has a bundle ID.
- Added a daily job that keeps the App Store app version displayed in Fleet in sync with the actual latest version.
- Properly re-routed deleting an app on "No team" to the "No team" software page instead of the "All teams" software page.
- Added a DB migration to migrate existing pending activities to the new unified queue.
- Added created_at timestamp for when a VPP app was added to a specific team.
> **NOTE:** The database migration for the above hydrates timestamps for existing VPP app team associations based on when the associated VPP apps were first added to the database. To hydrate more accurate timestamps by pulling from VPP app add/edit activities, you can run the following query manually. It is not included in migrations as it requires full table scans of the `activities` table, which may result in long migration times.
```sql
FROM activities WHERE activity_type = 'edited_app_store_app' GROUP BY adam_id, platform, team_id) ae ON
vat.global_or_team_id = ae.team_id AND vat.adam_id = ae.adam_id AND vat.platform = ae.platform
SET vat.created_at = COALESCE(added_at, vat.created_at), vat.updated_at = COALESCE(edited_at, added_at, vat.updated_at);
```
- Fixed an issue with assigning Windows MDM profiles to large numbers (> 65k) of hosts by batching the relevant database queries.
- Fixed policy software automation that falsely reported success in UI when updates actually failed. Users will now be properly notified of failed automation saves.
- Fixed a bug where uploading a macOS installer could prevent the software from being inventoried.
- Fixed a bug where target selector was present in a premature stage.
- Fixed a bug that caused macOS App Store apps to show up in Fleet as Windows apps if the Windows version of the app was already in Fleet.
- Fixed an issue where the ABM token teams were being reset when making updates to the app config.
- Fixed parsing of relative paths for MDM profiles in gitops `no-team.yml`.
- Fixed a bug where new `fleetd` could not install software from old fleet server.
- Fixed issue where `fleetctl gitops` was NOT deleting macOS setup experience bootstrap package and enrollment profile. GitOps should clear all settings that are not explicitly set in YAML config files.
## Fleet 4.64.0 (Feb 18, 2025)
## Device management (MDM)
- Included current host status and pending action in lock, unlock, and wipe API calls.
- Disk encryption keys are now archived when they are created or updated. They are never fully deleted from the database.
- Hosts that are restored from ABM no longer have old activities in their feed.
## Orchestration
- Added bash interpreter support for script execution.
- Updated the activities feed with new design.
- Added `fleetctl` on Linux ARM binary to releases.
- Added clearer error states to metadata-related fields in the SSO settings form.
- Enforced consistency of on-click behavior of table rows.
- Added gzip compression for static CSS and JS assets to decrease bundle download times.
- Added API endpoint for updating script contents.
- Implemented various UI improvements to the scripts list.
- Added option to populate users and labels on list hosts endpoint.
- Checked the server for validity of any Fleet invites on load.
- Updated user form validation to require a password be present when switching a user from SSO to password authentication.
- Updated the way new manual labels are created to better support adding large numbers of hosts at one time.
- Replaced "Include Fleet desktop" with host type radio selection buttons when adding Windows or Linux hosts.
- Disabled webhooks if not present in gitops.
## Software
- Added ability to target app store apps with include/exclude labels.
- Added ability to edit targets or self service option for app store apps.
- Added details modal for add, edit, and delete app store app global activities.
- Added modal to edit script contents.
- Added download url for fleet maintained apps as `url` property on `fleet/software/fleet_maintained_apps/:id`.
- Added "exclude_fleet_maintained_apps" option to `GET /api/v1/fleet/software/titles`.
- Surfaced download URL for Fleet-maintained app when adding the software to Fleet.
- Surfaced cleaner errors when adding Fleet-maintained apps.
- Revised software installer package validation to mark installers with no version as "unknown" for version rather than rejecting them.
- Resolved false negatives on vulnerabilities for IntelliJ IDEA Community Edition on Windows.
- Resolved false-positives for the `pass` Homebrew package and `jira` Python package via a vulnerability feed update available to all Fleet versions on 2025-01-22.
- Fixed a false negative vulnerability reporting for iTerm2 (available to all recent Fleet releases as of January 17th via a vulnerability feed update).
## Bug fixes and improvements
- Removed duplicate Linux lock and wipe scripts from repository.
- Clarified text on the policies and queries pages when no policies/queries exist for the selected team (or All Teams).
- Updated the help text for 3 tabs of the Add hosts modal.
- Improved the look and feel of dropdowns in the UI.
- Improved look and feel of dashboard host count cards including hiding platforms with 0 count.
- Added util wrapper func around semver package to allow for custom preprocessing. Upgraded semver library to 3.3.1 and usage everywhere to version 3.
- Added link to information about installing fleetd when packages are generated.
- Optimized software ingestion queries to use existing DB indexes in the software titles table.
- Normalized padding spacing for list headers, lists, and help text across various modals.
- Removed the resend button for failed Windows disk encryption profiles and added messaging that tells the user that Fleet will automatically retry this profile.
- Refactored upstream error logic to allow disabling submit button when form errors are present.
- Improved the verified and verifying tooltips on the Profile Status on OS settings page.
- Improved settings context so that a user's updates to the team agent options form are retained when they navigate away and back again.
- Improved the teams dropdown so that it gracefully hides overflow from long team names.
- Updated the os settings Target form deadline input tooltip to make it more clear how the deadline works for hosts.
- Updated language in the query compatibility tooltip to clarify that compatibility is based only on tables.
- Optimized logging by ensuring illegal argument errors will no longer be logged at the ERROR level on the server. Since these are client errors, they will be logged at the DEBUG level instead. This will reduce the amount of noise in the server logs and help debugging other issues.
- Raised the frequency of sending anonymous statistics from every 24 hours to every 1 hour.
- Bumped Node.js version to 20.18.1.
- Bumped github cache action to 4.2.0.
- Added server debug logging for unexpected Apple DDM configuration status.
- Removed `fleetctl` binary from the `fleetdm/fleet` docker image.
- Removed erroneous "manage automations" link on dashboard for maintainers.
- Fixed window profiles error message being cut off in the OS settings modal.
- Fixed user page responsiveness to not overflow horizontally.
- Fixed case consistency for "Disk encryption" in host OS settings modal.
- Fixed styling for manage automation buttons and dropdown.
- Fixed a bug where query reports were not being recorded for hosts configured with `--logger_snapshot_event_type=true`.
- Fixed incorrect source value in device mapping REST API documentation.
- Fixed a bug in Fleet's handling of VPP token renewal requests.
- Fixed mail being sent with the incorrect SMTP Domain (thank you @mccormickt).
- Fixed filtering by vulnerable software for ios or ipad host.
- Fixed issue where some Windows MDM profiles were not being sent to hosts when hosts came back online.
- Fixed a bug where adding or removing a host with an identical name to/from a label caused the same action to be performed on other host(s) with the same name as well.
- Fixed Windows MDM issue where SessionID of 0 was not allowed.
- Fixed a bug with paginating team policies.
- Fixed a bug "software not found for checksum" in software ingestion transaction retries.
- Fixed issue with Windows disk encryption where status updates from "Verifying" to "Verified" were sometimes stuck in the "Verifying" state.
- Fixed a bug where server errors returned from the API were not successfully being incorporated into the user form error states.
- Fixed a bug where team admins are unable to enable or disable MFA for a user.
- Fixed a bug where only the first of multiple software titles with the same name and source but different bundle IDs would be successfully inserted into the database.
- Fixed issue verifying Windows CSP profiles that contain ADMX policies.
- Allowed the delivery of bootstrap packages and software installers using signed URLs from CloudFront CDN. To enable this, configure the following server settings:
- Downgraded the expected or common "BootstrapPackage not found" server error to a debug message. This occurred when the UI or API checked if a bootstrap package existed.
- Removed the arrow icon from the MDM solution table on the dashboard page.
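Signed CloudFront URLs are what let a CDN serve bootstrap packages and installers to enrolling hosts without exposing the origin bucket. As an added example, not Fleet's code and independent of the server settings the item above refers to, the Go program below implements the canned-policy scheme CloudFront specifies (RSA PKCS#1 v1.5 over SHA-1 of a whitespace-free policy document, with CloudFront's `-`/`_`/`~` substitutions in the base64 signature) together with the matching edge-side check, so a tampered resource path, a stale `Expires` or an unknown key pair ID is rejected. The distribution hostname, key pair ID and RSA key are constructed for the example; in production use the AWS SDK's `cloudfront/sign` package rather than hand-rolled signing.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// CloudFront's URL-safe base64 variant: '+' -> '-', '=' -> '_', '/' -> '~'.
var (
	toCloudFront   = strings.NewReplacer("+", "-", "=", "_", "/", "~")
	fromCloudFront = strings.NewReplacer("-", "+", "_", "=", "~", "/")
)

// cannedPolicy serializes the single-resource "canned" policy without
// whitespace. The edge rebuilds the same bytes from the URL and Expires, so
// the encoding must be byte-exact; '&' in the resource must stay literal.
func cannedPolicy(resource string, expires int64) (string, error) {
	var sb strings.Builder
	enc := json.NewEncoder(&sb)
	enc.SetEscapeHTML(false)
	if err := enc.Encode(resource); err != nil {
		return "", err
	}
	quoted := strings.TrimSuffix(sb.String(), "\n")
	return fmt.Sprintf(`{"Statement":[{"Resource":%s,"Condition":{"DateLessThan":{"AWS:EpochTime":%d}}}]}`, quoted, expires), nil
}

// SignURL appends Expires, Signature and Key-Pair-Id to resource. SHA-1 is
// what the CloudFront scheme mandates, not a choice made here.
func SignURL(priv *rsa.PrivateKey, keyPairID, resource string, expires time.Time) (string, error) {
	policy, err := cannedPolicy(resource, expires.Unix())
	if err != nil {
		return "", err
	}
	digest := sha1.Sum([]byte(policy))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, digest[:])
	if err != nil {
		return "", err
	}
	sep := "?"
	if strings.Contains(resource, "?") {
		sep = "&"
	}
	return fmt.Sprintf("%s%sExpires=%d&Signature=%s&Key-Pair-Id=%s", resource, sep, expires.Unix(),
		toCloudFront.Replace(base64.StdEncoding.EncodeToString(sig)), url.QueryEscape(keyPairID)), nil
}

// VerifySignedURL mirrors the edge-side check: strip the three signing
// parameters, rebuild the canned policy, verify the signature, enforce expiry.
func VerifySignedURL(pub *rsa.PublicKey, keyPairID, signedURL string, now time.Time) error {
	u, err := url.Parse(signedURL)
	if err != nil {
		return err
	}
	q := u.Query()
	if q.Get("Key-Pair-Id") != keyPairID {
		return errors.New("unknown Key-Pair-Id")
	}
	expires, err := strconv.ParseInt(q.Get("Expires"), 10, 64)
	if err != nil {
		return errors.New("missing or malformed Expires")
	}
	if !now.Before(time.Unix(expires, 0)) {
		return errors.New("signed URL has expired")
	}
	sig, err := base64.StdEncoding.DecodeString(fromCloudFront.Replace(q.Get("Signature")))
	if err != nil {
		return errors.New("malformed Signature")
	}
	q.Del("Expires")
	q.Del("Signature")
	q.Del("Key-Pair-Id")
	u.RawQuery = q.Encode()
	policy, err := cannedPolicy(u.String(), expires)
	if err != nil {
		return err
	}
	digest := sha1.Sum([]byte(policy))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA1, digest[:], sig); err != nil {
		return errors.New("signature does not cover this resource and expiry")
	}
	return nil
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	const resource = "https://d111111abcdef8.cloudfront.net/installers/fleetd.pkg" // constructed
	signed, err := SignURL(priv, "APKAEXAMPLEKEYID", resource, time.Now().Add(10*time.Minute))
	if err != nil {
		panic(err)
	}
	fmt.Println(signed)
	fmt.Println("verify:", VerifySignedURL(&priv.PublicKey, "APKAEXAMPLEKEYID", signed, time.Now()))
}
```

The `Key-Pair-Id` identifies the public key registered with the distribution; the private half never leaves the server that mints URLs, so a host holding a signed link can fetch exactly one object until `Expires` and nothing else.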
## Orchestration
- Added the ability to install VPP apps on policy failure.
- Implemented user-level settings and used them to persist a user's selection of which columns to display on the hosts table.
- Included a host's team-level queries when the user selected a query to target a specific host via the host details page.
- Included osquery pre-releases in the daily UI constant update GitHub Actions job.
- Displayed the correct path for agent options when a key was placed in the wrong object.
- When running a live query from the edit query form, considered the results of the run in calculating an existing query's performance impact if the user did not change the query from the stored version.
- Improved the validation workflow on the SMTP settings page.
- Clarified the expected behavior of policy host counts, dashboard controls software count, and controls OS updates versions count.
- Rendered the default empty value when a host had no UUID.
- Used an email logo compatible with dark modes.
- Improved readability of the success message on email update by never including the sender address.
## Software
- Added the ability to install VPP apps on policy failure.
- Allowed filtering of titles by "any of these platforms" in `GET /api/v1/fleet/software/titles`.
- Added VPP apps to the automatic installation dropdown for failed policies and included auto-install information on the VPP app details page.
- Updated Fleet-maintained app install scripts for non-PKG-based installers to allow the apps to be installed over an existing installation.
- Clarified that editing VPP teams would remove App Store apps available to the team, not uninstall apps from hosts.
- Pushed the correct paths to the URL on the "My device" page when self-service was not enabled for the host.
- Displayed command line installation instructions when a package was generated.
- Added a fallback for extracting the app name from `.pkg` installers that had default or incorrect title attributes in their distribution file.
- Stopped VPP apps from being removed from teams whenever the VPP token team assignment was updated.
- Improved software installation for failed policies by adding platform-specific filtering in the software dropdown so that only compatible software was displayed based on each policy's targeted platforms.
- Added a timestamp for the software, OS, and vulnerability detail pages for the host count last update time.
## Bug fixes and improvements
- Fixed an issue where the vulnerabilities cron failed in large environments due to large SQL queries.
- Fixed two broken links in the setup experience.
- Fixed a UI bug on the "My device" page where the "Software" tab included filter elements that did not match the expected design.
- Fixed a UI bug on the "Controls" page where incorrect timestamp information was displayed while the "Current versions" table was loading.
- Fixed an issue for batch upload of Apple DDM profiles with `fleetctl gitops` where the activity feed showed a change even when profiles did not actually change.
- Fixed a software name overflow in various modals.
- Fixed form validation behavior on the SSO settings form.
- Fixed MSI parsing for packages that included long interned strings (e.g., licenses for the OpenVPN Connect installer).
- Fixed a software actions dropdown styling bug.
- Fixed an issue where identical MDM commands were sent twice to the same device when the replica database was being used.
- Fixed a redirect when clicking on any column in the Fleet Maintained Apps table.
- Fixed an issue where deleted Apple config profiles were installed on devices because the devices were offline when the profile was added.
- Fixed a CVE-2024-10327 false positive on Fleet-supported platforms (the vulnerability was iOS-only and iOS vulnerability checking was not supported).
- Fixed missing capabilities in the UI for team admins when creating or editing a user by exposing more information from the API for team admins.
- Fixed issue verifying Windows CSP profiles that contain ADMX policies.
- Archived disk encryption keys when they were created or updated. They were never fully deleted from the database.
- Fixed issue where some Windows MDM profiles were not sent to hosts when hosts came back online.
- Removed the resend button for failed Windows disk encryption profiles and added messaging that tells the user that Fleet will automatically retry the profile.
- Fixed bug where iOS devices were being removed prematurely by expiration policy.
- Removed request timeout on bootstrap package uploads for consistency with software package upload endpoints.
- Updated queries API to support above targeted platform filtering.
- Updated UI queries page to filter, sort, paginate, etc. via query params in the call to the server.
- Added searchable query targets and a cleaner UI for users with many teams or labels.
## Device management (MDM)
- Added ability to use secrets (`$FLEET_SECRET_YOURNAME`) in scripts and profiles.
- Added ability to scope Fleet-maintained apps and custom packages via labels in UI, API, and CLI.
- Added capability to automatically generate "trigger policies" for custom software packages.
- Added UI for scoping software via labels.
- Added validation to prevent label deletion if it is used to scope the hosts targeted by a software installer.
- Added ability to filter host software based on label scoping.
- Added support for Fleet secret validation in software installer scripts.
- Updated `fleetctl gitops` to support scoping software installers by labels, with the `labels_include_any` or `labels_exclude_any` conditions.
- Updated `fleetctl gitops` to identify secrets in scripts and profiles and save them on the Fleet server.
- Updated `fleetctl gitops` so that when it updates profiles, if the secret value has changed, the profile is updated on the host.
- Added `/fleet/spec/secret_variables` API endpoint.
- Added functionality for skipping automatic installs if the software is not scoped to the host via labels.
- Added the ability to click a software row on the my device page and see the details of that software's installation on the host.
- Allowed software uninstalls and script-based host lock/unlock/wipe to run while global scripts are disabled.
## Vulnerability management
- Added missing vulncheck data from NVD feeds.
- Fixed MSI parsing for packages including long interned strings (e.g. licenses for the OpenVPN Connect installer).
- Fixed a panic (and resulting failure to load CVE details) on new installs when OS versions have not been populated yet.
- Fixed CVE-2024-10004 false positive on Fleet-supported platforms (vuln is iOS-only and iOS vuln checking is not supported).
## Bug fixes and improvements
- Added license key validation on `fleetctl preview` if a license key is provided; fixes cases where an invalid license key would cause `fleetctl preview` to hang.
- Increased maximum length for installer URLs specified in GitOps to 4000 characters.
- Stopped older scheduled queries from filling logs with errors.
- Changed script upload endpoint (`POST /api/v1/fleet/scripts`) to automatically switch CRLF line endings to LF.
- Fleshed out server response from `queries` endpoint to include `count` and `meta` pagination information.
- Updated platform filtering on queries page to refer to targeted platforms instead of compatible platforms.
- Included osquery pre-releases in daily UI constant update GitHub Actions job.
- Updated to send alert via SNS when a scheduled "cron" job returns errors.
- SNS topic for job error alerts can be configured separately from the existing monitor alert by adding `cron_job_failure_monitoring` to `sns_topic_arns_map`; otherwise it defaults to using the same topic.
- Improved validation workflow on SMTP settings page.
- Allowed team policy endpoint (`PATCH /api/latest/fleet/teams/{team_id}/policies/{policy_id}`) to receive explicit `null` as a value for `script_id` or `software_title_id` to unset a script or software installer respectively.
- Aliased EAP versions of JetBrains IDEs to "last release version plus all fixes" (e.g. 2024.3 EAP -> 2024.2.99) to avoid vulnerability false positives.
- Removed server error if no private IP was found by detail_query_network_interface.
- Updated `fleetctl` dependencies that cause warnings.
- Added service annotation field to Helm Chart.
- Updated so that on policy deletion any associated pending software installer or scripts are deleted.
- Added fallback to FileVersion on EXE installers when FileVersion is set but ProductVersion isn't to allow more custom packages to be uploaded.
- Added Mastodon icon and URL to server email templates.
- Improved table text wrapper in UI.
- Added helpful tooltip for the install software setup experience page.
- Added offset to the tooltips on hover of the profile aggregate status indicators.
- Added the `software_title_id` field to the `added_software` activity details.
- Allowed maintainers to manage install-software or run-script policy automations.
- Removed duplicate software records from homebrew casks already reported in the osquery `apps` table to address false positive vulnerabilities due to lack of bundle_identifier.
- Added the `labels_include_any` and `labels_exclude_any` fields to the software installer activities.
- Updated the get host endpoint to include disk encryption stats for a linux host only if the setting is enabled.
- Updated Helm chart to support customization options such as the Google cloud_sql_proxy in the fleet-migration job.
- Updated example windows policies.
- Added a descriptive error when a GitOps file contains script references that are missing paths.
- Removed `invalid UUID` log message when validating Apple MDM UDID.
- Added validation of Fleet secrets embedded into scripts and profiles on ingestion.
- Displayed the correct percentage of hosts online when there are no hosts online.
- Fixed bug when creating a label to preserve the selected team.
- Fixed export to CSV trimming leading zeros by treating those values as strings.
- Fixed reporting of software uninstall results after a host has been locked/unlocked.
- Fixed issue where minio software was not scanned for vulnerabilities correctly because of unexpected trailing characters in the version string.
- Fixed bug on the "Controls" page where incorrect timestamp information was displayed while the "Current versions" table was loading.
- Fixed policy truncation UI bug.
- Fixed cases where showing results of an inherited query viewed inside a team would include results from hosts not on that team by adding an optional `team_id` parameter to the query report endpoint (`GET /api/latest/fleet/queries/{query_id}/report`).
- Fixed issue where deleted Apple config profiles were installing on devices because devices were offline when the profile was added.
- Fixed UI bug involving pagination of subsections within the "Controls" page.
- Fixed "Verifying" disk encryption status count and filter for macOS hosts to not include hosts where end-user action is required.
- Fixed a bug in determining sort type of query result columns by deducing that type from the data present in those columns.
- Added support to require email verification (MFA) on each login when setting up a Fleet user outside SSO.
- Extended Linux encryption key escrow support to Ubuntu 20.04.6.
- Added missing APM instrumentation for Fleet API routes.
- Improved label validation when running live queries. Previously, when passing label(s) that do not exist, the labels were ignored. Now, an error is returned indicating which labels were not found. This change affects both the API and `fleetctl query` command.
## Device management (MDM)
- Added functionality for creating an automatic install policy for Fleet-maintained apps.
- Replaced Zoom Fleet-maintained app with Zoom for IT, which does not open any windows during installation.
- Added support for the new `windows_migration_enabled` setting (can be set via `fleetctl`, the `PATCH /api/latest/fleet/config` API endpoint and the UI). Requires a premium license.
- Updated to only show the "follow instructions on My device" banner for Linux hosts whose disks are encrypted but for which Fleet hasn't escrowed a valid key.
- Added App Store app UI: shows a different empty state when no VPP token is added at all vs. when one is not assigned to a team, to prevent confusion.
- Allowed APNS key to be in unencrypted PKCS8 format, which may happen when migrating from another MDM.
- Allowed calling `/api/v1/fleet/software/fleet_maintained_apps` with no team ID to retrieve the full global list of maintained apps.
- Added UI changes for the Windows MDM page and allowed automatic migration for Windows hosts.
- Bypassed the setup experience UI if there is no setup experience item to process (no software to install, no script to execute), so that releasing the device is done without going through that window.
## Vulnerability management
- Added `without_vulnerability_details` to software versions endpoint (/api/latest/fleet/software/versions) so CVE details can be truncated when on Fleet Premium.
- Fixed an issue where the github cli software name was not matching against the cpe vulnerability name.
## Bug fixes and improvements
- Updated Go version to 1.23.4.
- Updated help text for policy automation Install software and Run script modals.
- Updated to display Windows MDM WSTEP flags in `fleet --help`.
- Added language in email templates indicating that users should not reply to the automated emails.
- Added better information on what deleting a host does.
- Added a clearer error message when users attempt to turn MDM off on a Windows host.
- Improved side nav empty state UI under `/settings`.
- Added missing loading spinner for delete modals (delete configuration profile, delete script, delete setup script and delete software).
- Improved performance of updating the `nano_enrollments.last_seen_at` timestamp of Apple MDM devices by an order of magnitude under load.
- Improved MDM `SELECT FROM nano_enrollment_queue` MySQL query performance, including running it on the DB reader much of the time.
- Updated Inter font to latest version for woff2 files.
- Added better documentation around how the `--label` flag works in the `fleetctl query` command.
- Switched Twitter logo to X logo in Fleet-initiated automated emails.
- Removed duplicate indexes from the database schema.
- Added cleanup job to delete stuck pending Apple profiles, and requeue them.
- Excluded any custom sourced "users" from the host details "used by" display if Fleet doesn't have an email for them.
- Replaced the internal use of the deprecated `go.mozilla.org/pkcs7` package with the maintained fork `github.com/smallstep/pkcs7`.
- Switched email template font to Inter to match previous changes in the rest of the UI.
- Updated resend config profile API from `hosts/{hostid}/configuration_profiles/resend/{uuid}` to `hosts/{hostid}/configuration_profiles/{uuid}/resend`.
- Updated nanomdm dependency with latest bug fixes and improvements.
- Updated documentation to include `firefox_preferences` table for Linux and Windows platforms.
- Restored the user's previous scroll, if any, when they change the filter on the host software table.
- Updated a link in the Fleet-maintained apps UI to point to the correct place.
- Removed image borders that are included in Apple's app store icons.
- Redirected when the user provides an invalid URL param for the Fleet-maintained software ID.
- Added additional statistics item for number of saved queries.
- Fixed a bug where the name of the setup experience script was not showing up in the activity for that script execution.
- Presented a nicely formatted and more informative UI for the log destination in two places.
- Fixed bug in `fleetdm/fleetctl` docker image where the `build` directory does not exist when generating deb/rpm packages.
- Fixed missing read permission for team maintainers and admins on Fleet maintained apps.
- Fixed a bug that would add "Fleet" to activities where it shouldn't be.
- Fixed ability to clear policy automation that empties webhook URL.
- Fixed a bug with pagination in the profiles and scripts lists.
- Fixed duplicate queries in query stats list in host details.
- Fixed zip and dmg automations showing null platform for the installer.
- Fixed a typo in the loading modal when adding a Fleet-maintained app.
- Fixed UI bug where "Actions" dropdown on host software page included "Install" and "Uninstall" options for software that is not able to be installed via Fleet.
- Fixed a bug where the HTTP client used for MDM APNs push notifications did not support using a configured proxy.
- Fixed potential deadlocks when deploying Apple configuration profiles.
- Fixed releasing a DEP-enrolled macOS device if mTLS is configured for `fleetd`.
- Fixed learn more about JIT provisioning link.
- Fixed an issue with the copy for the activity generated by viewing a locked macOS host's PIN.
- Fixed a failure when a user with the gitops role ran the `fleetctl gitops` command while MDM was enabled.
- Added major improvements to keyboard accessibility throughout app (e.g. checkboxes, dropdowns, table navigation).
- Added activity item for `fleetd` enrollment with host serial and display name.
- Added capability for Fleet to serve YARA rules to agents over HTTPS authenticated via node key (requires osquery 5.14+).
- Added a query to allow users to turn automations on/off while being transparent about the current log destination.
- Updated UI to allow users to view scripts (from both the scripts page and host details page) without downloading them.
- Updated activity feed to generate an activity when activity automations are enabled, edited, or disabled.
- Cancelled pending script executions when a script is edited or deleted.
### Device management (MDM)
- Added better handling of timeout and insufficient permissions errors in NDES SCEP proxy.
- Added info banner for cloud customers to help with their Windows autoenrollment setup.
- Added DB support for "include any" label profile deployment.
- Added support for "include any" label/profile relationships to the profile reconciliation machinery.
- Added `team_identifier` signature information to Apple macOS applications to the `/api/latest/fleet/hosts/:id/software` API endpoint.
- Added indicator of how fresh a software title's host and version counts are on the title's details page.
- Added UI for allowing users to install custom profiles on hosts that include any of the defined labels.
- Added UI features supporting disk encryption for Ubuntu and Fedora Linux.
- Added support for deb packages compressed with zstd.
### Vulnerability management
- Allowed skipping computationally heavy population of vulnerability details when populating host software on hosts list endpoint (`GET /api/latest/fleet/hosts`) when using Fleet Premium (`populate_software=without_vulnerability_descriptions`).
### Bug fixes and improvements
- Improved memory usage of the Fleet server when uploading a large software installer file. Note that the installer will now use (temporary) disk space and sufficient storage space is required.
- Improved performance of adding and removing profiles to large teams by an order of magnitude.
- Disabled accessibility via keyboard for forms that are disabled via a slider.
- Updated software batch endpoint status code from 200 (OK) to 202 (Accepted).
- Updated a package used for testing (msw) to improve security.
- Updated to reboot Linux machine on unlock to work around a GDM bug on Ubuntu 24.04.
- Updated GitOps to return an error if the deprecated `apple_bm_default_team` key is used and there is more than one ABM token in Fleet.
- Dismissed error flash on the my device page when navigating to another URL.
- Modified the Fleet setup experience feature to not run if there is no software or script configured for the setup experience.
- Set a more accurate minimum height for the Add hosts > ChromeOS > Policy for extension field, avoiding a scrollbar.
- Added UI prompt for user to reenter the password if SCEP/NDES url or username has changed.
- Updated ABM public key to download as PEM format instead of CRT.
- Fixed issue with uploading macOS software packages that do not have a top level `Distribution.xml`, but do have a top level `PackageInfo.xml`. For example, Okta Verify.app.
- Fixed some cases where Fleet Maintained Apps generated incorrect uninstall scripts.
- Fixed a bug where a device that was removed from ABM and then added back wouldn't properly re-enroll in Fleet MDM.
- Fixed name/version parsing issue with PE (EXE) installer self-extracting archives such as Opera.
- Fixed a bug where the create and update label endpoints could return outdated information in a deployment using a mysql replica.
- Fixed the MDM configuration profiles deployment when based on excluded labels.
- Fixed gitops path resolution for installer queries and scripts to always be relative to where the query file or script is referenced. This change breaks existing YAML files that had to account for previous inconsistent behavior (e.g. installers in a subdirectory referencing scripts elsewhere).
- Fixed issue where minimum OS version enforcement was not being applied during Apple ADE if MDM IdP integration was enabled.
- Fixed a bug where users would be allowed to attempt an install of an App Store app on a host that was not MDM enrolled.
- Updated OpenTelemetry libraries to latest versions. This includes the following changes when OpenTelemetry is enabled:
  - MySQL spans outside of HTTPS transactions are now logged.
  - Renamed MySQL spans to include the query, for easier tracking/debugging.
- Added capability for fleetd to report vital errors to Fleet server, such as when Fleet Desktop is unable to start.
### Device management (MDM)
- Added UI for adding a setup experience script.
- Added UI for the install software setup experience.
- Added software experience software title selection API.
- Added database migrations to support Setup Experience.
- Added support to `fleetctl gitops` to specify a setup experience script to run and software to install, for a team or no team.
- Added an Orbit endpoint (`POST /orbit/setup_experience/status`) for checking the status of a macOS host's setup experience steps.
- Added service to track install status.
- Added ability to connect a SCEP NDES proxy.
- Added SCEP proxy for Windows NDES (Network Device Enrollment Service) AD CS server, which allows devices to request certificates.
- Added error message on the My Device page when MDM is off for the host.
- Added a config field to the UI for custom MDM URLs.
- Added integration to queue setup experience software installation on automatic enrollment.
- Added a validation to prevent removing a software package or a VPP app from a team if that software is selected to be installed during the setup experience.
- Updated user permissions to allow gitops users to run MDM commands.
- Updated to remove a pending MDM device if it was deleted from current ABM.
- Updated to ensure details for a software installation run are available and accurate even after the corresponding installer has been edited or deleted.
- **NOTE:** The database migration included with this update backfills installer data into installation details based on the currently uploaded installer. If you want to backfill data from activities (which will be more comprehensive and accurate than the migration default, but may take a while as the entire activities table will be scanned), run this database query _after_ running database migrations:
```sql
-- Backfill the software title name on each install record from the matching
-- `installed_software` activity, keeping the existing value where no activity matches.
UPDATE host_software_installs i
JOIN activities a ON a.activity_type = 'installed_software'
AND i.execution_id = a.details->>"$.install_uuid"
SET i.software_title_name = COALESCE(a.details->>"$.software_title", i.software_title_name);
```
- The above query is optional, and is unnecessary if no software installers have been edited.
### Vulnerability management
- Added filtering of the Software OS view to show only OSes from a particular platform (Windows, macOS, Linux, etc.).
- Fixed issue where the vulnerabilities cron failed to complete due to a large temporary table creation when calculating host issue counts.
- Fixed Debian python package false positive vulnerabilities by removing duplicate entries for Debian python packages installed by dpkg and renaming remaining pip installed packages to match OVAL definitions.
### Bug fixes and improvements
- Fixed the ADE enrollment release device processing for hosts running an old fleetd version.
- Fixed an issue with the BYOD enrollment page where it sometimes would show a 404 page.
- Fixed issue where macOS and Linux scripts failed to timeout on long running commands.
- Fixed bug in ABM renewal process that caused upload of new token to fail.
- Fixed blank install status when retrieving install details from the activity feed when the installer package has been updated or the software has since been removed from the host.
- Fixed the svg icon for Edge.
- Fixed frontend error when trying to view install details for an install with a blank status.
- Fixed loading state for the profile status aggregate UI.
- Fixed incorrect character set header on manual Mac enrollment config download.
- Fixed `fleetctl gitops` to support VPP apps, along with setting the VPP apps to install during the setup experience.
- Fixed bug where `PATCH /api/latest/fleet/config` was incorrectly clearing VPP token<->team associations.
- Fixed issue when trying to download the manual enrollment profile when device token is expired. We now show an error for this case.
- Fixed a bug where DDM declarations would remain "pending" forever if they were deleted from Fleet before being sent to hosts.
- Fixed a bug where policy failures of a host were not being cleared in the host details page after configuring the host to not run any policies.
- Fixed iOS and iPadOS device release during the ADE enrollment flow.
- Ignored `--delete-other-teams` flag in `fleetctl gitops` command for non-Premium license users.
- Switched Nudge deadline time for OS upgrades on macOS pre-14 hosts from 04:00 UTC to 20:00 UTC.
- Added a more descriptive error message when install or uninstall details do not exist for an activity.
- Updated to allow FLEET_REDIS_ADDRESS to include a `redis://` prefix. Allowed formats are: `redis://host:port` or `host:port`.
- Documented that Microsoft enrollments have fewer fields filled in the `mdm_enrolled` activity due to how this MDM enrollment flow is implemented.
- Updated UI to make entire rows of the Disk encryption table clickable.
- Updated software install activities from policy automations to be authored by "Fleet", store policy ID and name on each activity.
- Updated tooltip for bootstrap package and VPP app statuses in UI.
- Added created_at/updated_at timestamps on user create endpoint.
- Updated UI notifications so that clicking in the horizontal dimension of a flash message, outside of the message itself, hides it, and flash messages are always hidden when changing routes.
- Filtered out VPP apps on non-MDM enrolled devices.
- Explicitly set line heights on "add profile" messages so they are consistent cross-browser.
- Deprecated the worker-based job to release macOS devices automatically after the setup experience, replacing it with the fleetd-specific "/status" endpoint that is polled by the Setup Experience dialog controlled by Fleet during the setup flow.
- Improved UI feedback when user attempts and fails to reset password.
- Added builtin label for Fedora Linux. **Warning:** Migrations will fail if a pre-existing 'Fedora Linux' label exists. To resolve, delete the existing 'Fedora Linux' label.
- Added ability to trigger script run on policy failure.
- Updated GitOps script and software installer relative paths to now always be relative to the file they're in. This change breaks existing YAML files that had to account for previous inconsistent behavior (e.g. script paths declared in no-team.yml being relative to default.yaml one directory up).
- Improved performance for host details and Fleet Desktop, particularly in environments using high volumes of live queries.
- Updated activity cleanup job to remove all expired live queries to improve API performance in environments using large volumes of live queries. Note that the cleanup cron may take longer on the first run after upgrade.
- Added an event for when a policy automation triggers a script run in the activity feed.
- Updated UI to remove leading/trailing whitespace when creating or editing team or query names.
- Added UI improvements when selecting live query targets (e.g. styling, closing behavior).
- Updated API to return 409 instead of 500 when trying to delete an installer associated with a policy automation.
- Updated battery health definitions to be defined as cycle counts greater than 1000 or max capacity falling under 80% of designed capacity for macOS and Windows.
- Added information on how battery health is defined to the UI.
- Updated UI to surface duplicate label name error to user.
- Fixed software uninstaller script for `pkg`s to only remove '.app' directories installed by the package.
- Fixed "no rows" error when adding a software installer that matches an existing title's name and source but not its bundle ID.
- Fixed an issue with the migration adding support for multiple VPP tokens that would happen if a token is removed prior to upgrading Fleet.
- Fixed UI flow for observers to easily query hosts from the host details page.
- Fixed bug with label display names always sentence casing.
- Fixed a bug where a profile wouldn't be removed from a host if it was deleted or if the host was moved to another team before the profile was installed on the host.
- Fixed a bug where removing a VPP or ABM token from a GitOps YAML file would leave the team assignments unchanged.
- Fixed host software filter bug that resets dropdown filter on table changes (pagination, order by column, etc).
- Fixed UI bug: Edit team name closes modal.
- Fixed UI so that switching vulnerability search types does not cause page re-render.
- Fixed UI policy automation truncation when selecting software to auto-install.
- Fixed UI design bug where software package file name was not displayed as expected.
- Fixed a small UI bug where a button overlapped some copy.
- Fixed Orbit configuration endpoint returning 500 for Macs running Rapid Security Response macOS releases that are enrolled in OS major version enforcement.
- Added support for configuring policy installers via GitOps.
- Added support for policies in "No team" that run on hosts that belong to "No team".
- Added reserved team names: "All teams" and "No team".
- Added support for the software status filter for 'No teams' on the hosts page.
- Enabled 'No teams' functionality for the policies page and associated workflows.
- Reset install counts and cancelled pending installs/uninstalls when GitOps installer updates change package contents.
- Added support for software installer packages, self-service flag, scripts, pre-install query, and self-service availability to be edited in-place rather than deleted and re-added.
**Device Management (MDM)**
- Added feature allowing automatic installation of software on hosts that fail policies.
- Added feature for end users to enroll BYOD devices into Fleet MDM.
- Added the ability to use Fleet to uninstall packages from hosts.
- Added an endpoint for getting an OTA MDM profile for enrolling iOS and iPadOS hosts.
- Added protocol support for OTA enrollment and automatic team assignment for hosts.
- Added validation of Setup Assistant profiles on profile upload.
- Added validation to prevent installing software on a host with a pending installation.
- Allowed custom SCEP CA certificates with any kind of extendedKeyUsage attributes.
- Modified `POST /api/latest/fleet/software/batch` endpoint to be asynchronous and added a new endpoint `GET /api/latest/fleet/software/batch/{request_uuid}` to retrieve the result of the batch upload.
**Vulnerability Management**
- Fixed a false negative vulnerability for git.
- Fixed false positive vulnerabilities for minio.
- Fixed an issue where VirtualBox for macOS wasn't matching against the NVD product name.
- Fixed Ubuntu python package false positive vulnerabilities by removing duplicate entries for Ubuntu python packages installed by dpkg and renaming remaining pip installed packages to match OVAL definitions.
**Bug fixes and improvements**
- Updated Go to go1.23.1.
- Removed validation of APNS certificate from server startup.
- Removed invalid node keys from server logs.
- Improved the UX of turning off MDM on an offline host.
- Improved clarity of GitOps VPP app ID type errors.
- Improved gitops error message about enabling windows MDM.
- Improved messaging for VPP token constraint errors.
- Improved loading state for UI tables when no data is present yet.
- Improved permissions so that hosts can no longer access installers that aren't directly assigned to them.
- Improved verification of premium license before uploading VPP tokens.
- Added "0 items" description on empty software tables for UI consistency.
- Updated the macOS target minimum version tooltip.
- Fixed logic to properly catch and log APNs errors.
- Fixed UI overflow issues with OS settings table data.
- Fixed regression for checking email used to get a signed CSR.
- Fixed bugs on enrollment profiles when the organization name contains invalid XML characters.
- Fixed an issue with cron profiles delivery failing if a Windows VM is enrolled twice.
- Fixed issue where Fleet server could start when an expired ABM certificate was provided as server config.
- Fixed self-service checkbox appearing when iOS or iPadOS app is selected.
- Added index to `query_results` DB table to speed up finding last query timestamp for a given query and host.
- Added a link in the UI to the error message when a CSR can't be downloaded due to missing private key.
- Added a disabled overlay to the Other Workflows modal on the policy page.
- Improved performance of live queries to accommodate higher volumes when utilizing zero-trust workflows.
- Improved `fleetctl` gitops error message when trying to change team name to a team that already exists.
### Device management
- Added server support for multiple VPP tokens.
- Added new endpoints and updated existing endpoints for managing multiple Apple Business Manager tokens.
- Added support for S3 to store MDM bootstrap packages (uses the same bucket configuration as for software installers).
- Added support to UI for self service VPP software.
- Added backend and gitops support for self service VPP.
- Added ability for MDM migrations if the host is manually enrolled to a 3rd party MDM.
- Added an offline screen to the macOS MDM migration flow.
- Added new ABM page to Fleet UI.
- Added new VPP page to the fleet UI
- Added support to track the Apple Business Manager "terms expired" API error per token, as well as a global flag that gets set as soon as one token has its terms expired.
- Updated the instructions on "My device" for MDM migrations on pre-Sonoma macOS hosts.
- Updated to allow multiple teams to be assigned to the same VPP Token.
- Updated process so that deleting installed software or VPP app now makes it available for re-installation.
- Updated to enforce minimum OS version settings during Apple Automated Device Enrollment (ADE).
- Updated ABM ingestion so that deleted iOS/iPadOS host will continue to report to Fleet as long as host is in Apple Business Manager (ABM).
- Updated so that refetching an offline iOS/iPadOS host will not add new MDM commands to the queue if previous refetch has not completed yet.
- Updated UI so that downloading a software installer package now shows the browser's built-in progress bar.
- Updated relevant documentation to include references to multiple ABM and VPP tokens.
- Consolidated Automatic Enrollment and VPP settings under the MDM settings integration page.
- Cleared apps associated with a VPP token if it's moved off of a team.
### Vulnerability management
- Added ALAS bulletins as vulnerability source for Amazon Linux (instead of OVAL for Amazon Linux 2, and adds support for Amazon Linux 1, 2022, and 2023).
- Added matching rules for July and August Microsoft 365 security updates (https://learn.microsoft.com/en-us/officeupdates/microsoft365-apps-security-updates).
- Added the following filters to `/software/titles` and `/software/versions` API endpoints: `exploit: bool`, `min_cvss_score: float`, `max_cvss_score: float`.
- Updated software titles/versions tables to allow for filtering by vulnerabilities including severity and known exploit.
- Updated to use empty CVE description when the NVD CVE feed doesn't include description entries (instead of panicking).
- Updated matching software that is not installed by Fleet so that it shows up as 'Available for install' on host details page.
- Updated base images of `fleetdm/fleetctl`, `fleetdm/bomutils` and `fleetdm/wix` to fix critical vulnerabilities found by Trivy.
- Updated vulnerability scanning to use `macos` SW target for CPEs of homebrew packages.
- Updated vulnerability scanning to not ignore software with non-ASCII en dash and em dash characters.
- Updated `GET /api/v1/fleet/vulnerabilities/{cve}` endpoint to add validation of CVE format, and a 204 response. The 204 response indicates that the vulnerability is known to Fleet but not present on any hosts.
- Updated the UI to add new empty states for searching vulnerabilities: invalid CVE format searched, a known CVE searched but not present on hosts, not a known CVE searched, exploited vulnerability empty state, operating systems empty state, new icons.
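The three outcomes the entries above distinguish (malformed CVE id, known CVE with no affected hosts, known CVE present on hosts) map naturally onto a small validation-and-lookup routine. The following Go code is an added illustration written for this page, not Fleet's own implementation; the regular expression, the normalization step, the `known` map standing in for the database, and the 400/404 codes for the malformed and unknown cases are assumptions (the page only states the 204 behaviour):

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// cvePattern is an assumed check for the CVE identifier syntax: "CVE-",
// a four-digit year, and a sequence number of at least four digits.
var cvePattern = regexp.MustCompile(`^CVE-\d{4}-\d{4,}$`)

// NormalizeCVE trims whitespace and upper-cases the id so that
// "cve-2024-4030" and "CVE-2024-4030" refer to the same vulnerability.
func NormalizeCVE(s string) string {
	return strings.ToUpper(strings.TrimSpace(s))
}

// ValidCVE reports whether s, after normalization, is a well-formed CVE id.
// Rejecting malformed ids before the lookup keeps arbitrary strings out of
// the query path and gives the UI a distinct "invalid format" state.
func ValidCVE(s string) bool {
	return cvePattern.MatchString(NormalizeCVE(s))
}

// LookupStatus returns the HTTP status an endpoint would answer with.
// known maps a CVE id to the number of hosts affected; it is a hypothetical
// stand-in for the vulnerability store. 400 and 404 are assumed codes;
// 204 ("known, but on no hosts") is the behaviour described in the release note.
func LookupStatus(id string, known map[string]int) int {
	if !ValidCVE(id) {
		return 400
	}
	hosts, ok := known[NormalizeCVE(id)]
	if !ok {
		return 404
	}
	if hosts == 0 {
		return 204
	}
	return 200
}

func main() {
	// Constructed sample data: one CVE known but absent, one present on hosts.
	known := map[string]int{"CVE-2024-4030": 0, "CVE-2023-1234": 3}
	for _, q := range []string{"not-a-cve", " cve-2024-4030 ", "CVE-2023-1234", "CVE-2099-0001"} {
		fmt.Printf("%-18q -> %d\n", q, LookupStatus(q, known))
	}
}
```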
### Bug fixes and improvements
- Added support for MySQL 8.4.2 LTS.
- Updated Go to go1.22.6.
- Updated Fleet server to now accept arguments via stdin. This is useful for passing secrets that you don't want to expose as env vars, in the command line, or in the config file.
- Updated text for "Turn on MDM" banners in UI.
- Updated ABM host tooltip copy on the manage host page to clarify when host vitals will be available to view.
- Updated copy on automatic enrollment modal on my device page.
- Updated host details activities tooltip and empty state copy to reflect recently added capabilities.
- Updated Fleet Free so users see a Premium feature message when clicking to add software.
- Updated usage reporting to report statistics on new AI features, maintenance window, and `fleetd`.
- Fixed bug where configuration profile was still showing the old label name after the name was updated.
- Fixed a bug when a cached prepared statement gets deleted in the MySQL server itself without Fleet knowing.
- Fixed a bug where the wrong API path was used to download a software installer.
- Fixed the `failing_host_count` so it is never 0. This count is normally updated once an hour during the `cleanups_then_aggregation` cron job.
- Fixed CVE-2024-4030 in Vulncheck feed incorrectly targeting non-Windows hosts.
- Fixed a bug where the "Self-service" filter for the list of software and the list of host's software did not take App Store apps into account.
- Fixed a bug where the "My device" page in Fleet Desktop did not show the self-service software tab when App Store apps were available as self-install.
- Fixed a bug where a software installer (a package or a VPP app) that has been installed on a host still shows up as "Available for install" and can still be requested to be installed after the host is transferred to a different team without that installer (or after the installer is deleted).
- Fixed the "Available for install" filter in the host's software page so that installers that were requested to be installed on the host (regardless of installation status) also show up in the list.
- Fixed UI popup messages bleeding off viewport in some cases.
- Fixed an issue with the scheduling of cron jobs at startup if the job has never run, which caused it to be delayed.
- Fixed UI to display the label names in case-insensitive alphabetical order.
- Removed validation of APNS certificate from server startup. This was no longer necessary because we now allow for APNS certificates to be renewed in the UI.
- Fixed logic to properly catch and log APNs errors.
**NOTE:** Beginning with v4.55.0, Fleet no longer supports MySQL 5.7 because it has reached [end of life](https://mattermost.com/blog/mysql-5-7-reached-eol-upgrade-to-mysql-8-x-today/#:~:text=In%20October%202023%2C%20MySQL%205.7,to%20upgrade%20to%20MySQL%208.). The minimum version supported is MySQL 8.0.36.
- Added support for generating `fleetd` packages for Linux ARM64.
- Added new `fleetctl package` --arch flag.
- Updated `fleetctl package` command to remove the `--version` flag. The version of the package can be controlled by `--orbit-channel` flag.
- Updated maintenance window descriptions to update regularly to match the failing policy description/resolution.
- Updated maintenance windows using Google Calendar so that calendar events are now recreated within 30 seconds if deleted or moved to the past.
- Fleet server watches for potential changes for up to 1 week after original event time. If event is moved forward more than 1 week, then after 1 week Fleet server will check for event changes once every 30 minutes.
- **NOTE:** These near real-time updates may add additional load to the Google Calendar API, so it is recommended to use API usage alerts or other monitoring methods.
- Integrated [Escrow Buddy](https://github.com/macadmins/escrow-buddy) to add enforcement of FileVault during the macOS Setup Assistant process for hosts that are enrolled into teams (or no team) with disk encryption turned on. Thank you [homebysix](https://github.com/homebysix) and team!
- Updated `fleetd` to use [Escrow Buddy](https://github.com/macadmins/escrow-buddy) to rotate FileVault keys. Removed or modified internal API endpoints documented in the API for contributors.
- Added OS updates support to iOS/iPadOS devices.
- Added iOS and iPadOS device details refetch triggered with the existing `POST /api/latest/fleet/hosts/:id/refetch` endpoint.
- Added iOS and iPadOS user-installed apps to Fleet.
- Added iOS and iPadOS apps to be installed using Apple's VPP (Volume Purchase Program) to Fleet.
- Added support for VPP to GitOps.
- Added the `POST /mdm/apple/vpp_token`, `DELETE /mdm/apple/vpp_token` and `GET /vpp` endpoints and related functionality.
- Added new `GET /software/app_store_apps` and `POST /software/app_store_apps` endpoints and associated functionality.
- Added the associated VPP apps to the `GET /software/titles` and `GET /software/titles/:id` endpoints.
- Added the associated VPP apps to the `GET /hosts/:id/software` and `GET /device/:token/software` endpoints.
- Added support to delete a VPP app from a team in `DELETE /software/titles/:software_title_id/available_for_install`.
- Added `exclude_software` query parameter to "Get host by identifier" API.
- Added ability to add/remove/disable apps with VPP in the Fleet UI.
- Added a warning banner to the UI if the uploaded VPP token is about to expire/has expired.
- Added UI updates for VPP feature on host software and my device pages.
- Added global activity support for VPP-related activities.
- Added UI features for managing VPP apps for iPadOS and iOS hosts.
- Updated profile activities to include iOS and iPadOS.
- Updated Fleet UI to show OS version compliance on host details page.
- Added support for "No teams" on all software pages including adding software installers.
- Added DB migration to support VPP software features.
- Added DB migration to migrate older team configurations to the new version that includes both installers and App Store apps.
- Linux lock/unlock scripts now make use of pam_nologin to keep AD users locked out.
- Installed software list now includes Linux .deb packages that are 'on hold'.
- Added a special-case to properly name the Notion .exe Windows installer the same as how it will be reported by osquery post-install.
- Increased threshold to renew Apple SCEP certificates for MDM enrollments to 180 days.
- Fixed CVEs identified as 'Rejected' in NVD not matching against software.
- Fixed false negative vulnerabilities with IntelliJ IDEA CE and PyCharm CE installed via Homebrew.
### Bug fixes and improvements
- Dropped support for MySQL 5.7 and raised minimum required to MySQL 8.0.36.
- Updated software pre-install to use new GitOps format for query.
- Updated UI tooltips for pending OS settings.
- Fixed a styling issue in the controls > OS settings > disk encryption table.
- Fixed a bug in `fleetctl preview` that was causing it to fail if Docker was installed without support for the deprecated `docker-compose` CLI.
- Fixed an issue where the app-wide warning banners were not showing on the initial page load.
- Fixed a bug where the hosts page would sometimes allow excess pagination.
- Fixed a bug where software install results could not be retrieved for deleted hosts in the activity feed.
- Fixed path that was incorrect for the download software installer package endpoint `GET /software/titles/:software_title_id/package`.
- Fixed a bug that set `last_enrolled_at` during orbit re-enrollment, which caused osquery enroll failures when `FLEET_OSQUERY_ENROLL_COOLDOWN` is set.
- Fixed a bug where Fleet google calendar events generated by Fleet <= 4.53.0 were not correctly processed by 4.54.0.
- Fixed a bug where software install results could not be retrieved for deleted hosts in the activity feed.
- Fixed a bug where a software installer (a package or a VPP app) that has been installed on a host still shows up as "Available for install" and can still be requested to be installed after the host is transferred to a different team without that installer (or after the installer is deleted).
- Fixed a startup bug by performing an early restart of orbit if an agent options setting has changed.
- Implemented a small refactor of orbit subsystems.
- Removed the `--version` flag from the `fleetctl package` command. The version of the package can now be controlled by the `--orbit-channel` flag.
- Fixed a bug that set `last_enrolled_at` during orbit re-enrollment, which caused osquery enroll failures when `FLEET_OSQUERY_ENROLL_COOLDOWN` is set.
- In `fleetctl package` command, removed the `--version` flag. The version of the package can be controlled by `--orbit-channel` flag.
- Fixed a bug where Fleet google calendar events generated by Fleet <= 4.53.0 were not correctly processed by 4.54.0.
- Updated `fleetctl gitops` to be used to rename teams.
- **NOTE:** `fleetctl gitops` needs to have previously run with this Fleet/fleetctl version or later.
- The team name is changed if the YAML config is applied from the same filename as before.
- Updated `fleetctl query --hosts` to work with hostnames, host UUIDs, and/or hardware serial numbers.
- Added a host's upcoming scheduled maintenance window, if any, on the host details page of the UI and in host responses from the API.
- Added support to `fleetctl debug connection` to test TLS connection with the embedded certs.pem in the fleetctl executable.
- Added host's display name to calendar event descriptions.
- Added .yml and .yaml file type validation and error message to `fleetctl apply`.
- Added a tooltip to truncated text and not to untruncated values.
### Device Management (MDM)
- Added iOS/iPadOS builtin manual labels.
- **NOTE:** Before migrating to this version, make sure to delete any labels with name "iOS" or "iPadOS".
- Added aggregation of iOS/iPadOS OS versions.
- Added change to custom profiles for iOS/iPadOS to go from 'pending' straight to 'verified' (skip 'verifying').
- Added support for renewing SCEP certificates with custom enrollment profiles.
- Added automatic install of `fleetd` when a host turns on MDM now uses the latest released `fleetd` version.
- Added support for `END_USER_EMAIL` and `FLEET_DESKTOP` parameters to Windows MSI install package.
- Added API changes to support the `labels_include_all` and `labels_exclude_any` fields (and accept the deprecated `labels` field as an alias for `labels_include_all`).
- Added `fleetctl gitops` and `fleetctl apply` support for `labels_include_all` and `labels_exclude_any` to configure a custom setting.
- Added UI for uploading custom profiles with a target of hosts that include all/exclude any selected labels.
- Added the database migrations to create the new `exclude` column for labels associated with MDM profiles (and declarations).
- Updated host script timeouts to be configurable via agent options using `script_execution_timeout`.
- `fleetctl` now uses a polling mechanism when running `run-script` to accommodate longer script timeout values.
- Updated the profile reconciliation logic to handle the new "exclude any" labels.
- Updated so that the `fleetd` cleanup script for macOS will return completed when run from Fleet.
- Updated so that the `fleetd` uninstall script will return completed when run from Fleet.
- Updated script run permissions: only admins and maintainers can run arbitrary or saved scripts (not observer or observer+).
- Updated `fleetctl get mdm_commands` to return 20 rows and support `--host` and `--type` filters to improve response time.
- Updated the instructions for manual MDM enrollment on the "My device" page to be clearer and align with Apple updates.
- Updated UI to allow device users to reinstall self-service software.
- Updated API to not return a 500 status code if a host sends a command response with an invalid command uuid.
- Increased the timeout of the upload software installer endpoint to 4 minutes.
- Disabled credential caching and reboot on Windows lock.
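The `labels_include_all` / `labels_exclude_any` targeting introduced above determines which hosts receive a configuration profile, so getting the set semantics right matters for anything the profile enforces (disk encryption, OS update settings). The Go code below is an added example written for this page, not Fleet's reconciliation code; the `Host`, `ProfileTarget` and `Reconcile` types and names are assumptions, as is the rule that an empty `IncludeAll` imposes no inclusion constraint:

```go
package main

import "fmt"

// Host is a constructed, minimal host record: an id and the labels it carries.
type Host struct {
	ID     uint
	Labels map[string]bool
}

// ProfileTarget models the two label selectors. A host is targeted only if it
// carries every label in IncludeAll and none of the labels in ExcludeAny.
// An empty IncludeAll is assumed to mean "no inclusion constraint".
type ProfileTarget struct {
	IncludeAll []string
	ExcludeAny []string
}

// Matches applies the include-all / exclude-any rule to one host.
func (t ProfileTarget) Matches(h Host) bool {
	for _, l := range t.IncludeAll {
		if !h.Labels[l] {
			return false
		}
	}
	for _, l := range t.ExcludeAny {
		if h.Labels[l] {
			return false
		}
	}
	return true
}

// Reconcile compares the target set against what is installed and returns the
// host ids that need the profile delivered and those that need it removed.
// installed is a hypothetical view of which hosts currently have the profile.
func Reconcile(t ProfileTarget, hosts []Host, installed map[uint]bool) (toInstall, toRemove []uint) {
	for _, h := range hosts {
		matches := t.Matches(h)
		switch {
		case matches && !installed[h.ID]:
			toInstall = append(toInstall, h.ID)
		case !matches && installed[h.ID]:
			toRemove = append(toRemove, h.ID)
		}
	}
	return toInstall, toRemove
}

// SampleHosts builds a constructed fleet of four hosts for the demo and tests.
func SampleHosts() []Host {
	return []Host{
		{ID: 1, Labels: map[string]bool{"macOS": true, "Engineering": true}},
		{ID: 2, Labels: map[string]bool{"macOS": true, "Engineering": true, "Kiosk": true}},
		{ID: 3, Labels: map[string]bool{"macOS": true}},
		{ID: 4, Labels: map[string]bool{"Windows": true, "Engineering": true}},
	}
}

func main() {
	target := ProfileTarget{IncludeAll: []string{"macOS", "Engineering"}, ExcludeAny: []string{"Kiosk"}}
	// Host 2 currently has the profile but is now excluded; host 1 has nothing yet.
	installed := map[uint]bool{2: true}
	add, remove := Reconcile(target, SampleHosts(), installed)
	fmt.Println("install on:", add, "remove from:", remove)
}
```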
### Vulnerability Management
- Added "Vulnerable" filter to the host details software table.
- Fixed Microsoft Office June 2024 false negative vulnerabilities and added custom vulnerability matching.
- Fixed issue where some Windows applications were getting matched against Windows OS vulnerabilities.
### Bug fixes and improvements
- Updated Go version to go1.22.4.
- Updated to render only one banner on the my device page based on priority order.
- Updated software updated timestamp tooltip.
- Removed DB error message from the UI when showing a error response.
- Updated fleetctl get queries/labels/hosts descriptions.
- Reinstated ability to sort policies by passing count.
- Improved the accuracy of the heuristic used to determine if a host is connected to Fleet via MDM by using osquery data for hosts that didn't send a Checkout message.
- Improved the matching of `pkg` installer files to existing software.
- Improved extraction of application name from `pkg` installers.
- Clarified various help and error texts around host identifiers.
- Hid CTA on inherited queries/policies from team level users.
- Hid query delete checkboxes from team observers.
- Hid "Self-service" in Fleet Desktop and My device page if there is no self-service software available.
- Hid the host detail page's "Run script" action from Global and Team Observer/+s.
- Aligned the "View all hosts" links in the Software titles and versions tables.
- Fixed counts for hosts with low disk space in summary page.
- Fixed allowing Observer and Observer+ roles to download software installers.
- Fixed crash in `fleetd` installer on Windows if there are registry keys with special characters on the system.
- Fixed `fleetctl debug connection` to support server TLS certificates with intermediates.
- Fixed macOS declarations being stuck in "to be removed" state indefinitely.
- Fixed link to `fleetd` uninstall instructions in "Delete device" modal.
- Fixed exporting CSVs with fields that contain commas to render properly.
- Fixed issue where the Fleet UI could not be used to renew the ABM token after the ABM user who created the token was deleted.
- Fixed styling issues with the target inputs loading spinner on the run live query/policy page.
- Fixed an issue where special characters in HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall breaks the "installer_utils.ps1 -uninstallOrbit" step in the Windows MSI installer.
- Fixed a bug causing "No Team" OS versions to display the wrong number.
- Fixed various UI capitalizations.
- Fixed UI issue where "Script is already running" tooltip incorrectly displayed when the script is not running.
- Fixed the script details modal's error message on script timeout to reflect the newly dynamic script timeout limit, if hit.
- Fixed a discrepancy in the spacing between DataSet labels and values on Firefox relative to other browsers.
- Fixed bug that set `Added to Fleet` to `Never` after macOS hosts re-enrolled to Fleet via MDM.
- Updated fleetctl get queries/labels/hosts descriptions.
- Fixed exporting CSVs with fields that contain commas to render properly.
- Fixed link to fleetd uninstall instructions in "Delete device" modal.
- Rendered only one banner on the my device page based on priority order.
- Hidden query delete checkboxes from team observers.
- Fixed issue where the Fleet UI could not be used to renew the ABM token after the ABM user who created the token was deleted.
- Fixed an issue where special characters in HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall broke the "installer_utils.ps1 -uninstallOrbit" step in the Windows MSI installer.
- Fixed counts for hosts with low disk space in summary page.
- Fleet UI fixes: Hide CTA on inherited queries/policies from team level users.
- Updated software updated timestamp tooltip.
- Fixed issue where some Windows applications were getting matched against Windows OS vulnerabilities.
- Fixed crash in `fleetd` installer on Windows if there are registry keys with special characters on the system.
* Fixed an issue where profiles larger than 65KB were being truncated when stored on MySQL 8.
* Fixed activity without public IP to be human readable.
* Made the rendering of empty text cell values consistent. Also rendered the '0' value as a number instead of the default value `---`.
* Fixed bug in `fleetctl preview` caused by creating enroll secrets.
* Disabled AI features on non-new installations upgrading from < 4.50.X to >= 4.51.X.
* Fixed various icon misalignments on the dashboard page.
* Used a "soft-delete" approach when deleting a host so that its script execution details are still available for the activities feed.
* Fixed UI bug where error detail was overflowing the table in "OS settings" modal in "My device" page UI.
* Fixed bug where MDM migration failed when attempting to renew enrollment profiles on macOS Sonoma devices.
* Fixed queries with dot notation in the column name to show results.
* `/api/latest/fleet/hosts/:id/lock` returns `unlock_pin` for Apple hosts when query parameter `view_pin=true` is set. UI no longer uses unlock pending state for Apple hosts.
* Improved the logic used by Fleet to detect if a host is currently MDM-managed.
* Fixed issue where the MDM ingestion flow would fail if an invalid enrollment reference was passed.
* Removed vscode false positive vulnerabilities.
* Fixed a code linter issue where a slice was created non-empty and appended-to, instead of empty with the required capacity.
* Fixed UI bug where Zoom icon was displayed for ZoomInfo.
* Updated to return a 404 error when the user attempts to delete team policies for a non-existent team.
* Fixed the Linux unlock script to support passwordless users.
* Fixed an issue with the Windows-specific `windows-remove-fleetd.ps1` script provided in the Fleet repository where running the script did remove `fleetd` but made it impossible to reinstall the agent.
* Fixed host details page and device details page not showing the latest software. Added `exclude_software` query parameter to the `/api/latest/fleet/hosts/:id` endpoint to exclude software from the response.
* Fixed the `/mdm/apple/mdm` endpoint so that it returns status code 408 (request timeout) instead of 500 (internal server error) when encountering a timeout reading the request body.
* Extended the timeout for the endpoint to upload a software installer (`POST /fleet/software/package`), and improved handling of the maximum size.
* Fixed issue where Windows-specific error message was displayed when failing to parse macOS configuration profiles.
* Fixed a panic (API returning code 500) when the software installer exists in the database but the installer does not exist in the storage.
## Fleet 4.51.1 (Jun 11, 2024)
### Bug fixes
* Added S3 config variables with a `carves_` and `software_installers` prefix, which were used to configure buckets for those features. The existing non-prefixed variables were kept for backwards compatibility.
- Added support for environment variables in configuration profiles for GitOps.
- `fleetctl gitops --dry-run` now errors on duplicate (or conflicting) global/team enroll secrets.
- Added `activities_webhook` configuration option to allow for a webhook to be called when an activity is recorded. This can be used to send activity data to external services. If the webhook response is a 429 error code, the webhook retries for up to 30 minutes.
- Added Tuxedo OS to the Linux distribution platform list.
### Device Management (MDM)
- **NOTE:** Added new required Fleet server config environment variable when MDM is enabled, `FLEET_SERVER_PRIVATE_KEY`. This variable contains the private key used to encrypt the MDM certificates and keys stored in Fleet. Learn more at
- Added query parameter `self_service` to filter the list of software titles and the list of a host's software so that only those available to install via self-service are returned.
- Added the device-authenticated endpoint `POST /device/{token}/software/install/{software_title_id}` to self-install software.
- Added new endpoints to configure ABM keypairs and tokens.
- Added `GET /fleet/mdm/apple/request_csr` endpoint, which returns the signed APNS CSR needed to activate Apple MDM.
- Added the ability to automatically log off and lock out `Administrator` users on Windows hosts.
- Added clearer error messages when attempting to set up Apple MDM without a server private key configured.
- Added UI for the global and host activities for self-service software installation.
- Updated UI to support new workflows for macOS MDM setup and credentials.
- Updated UI to support software self-service features.
- Updated UI controls page language and hid CTA button for users without access to turn on MDM.
### Vulnerability Management
- Updated the CIS policies for Windows 11 Enterprise from v2.0.0 (03-07-2023) to v3.0.0 (02-22-2024).
- Fleet now detects Ubuntu kernel vulnerabilities from the Canonical OVAL feed.
- Fleet now detects and reports vulnerabilities on Firefox ESR editions on macOS.
### Bug fixes and improvements
- Fixed a bug that might prevent enqueuing commands to renew SCEP certificates if the host was enrolled more than once.
- Prevented the `host_id`s field from being returned from the list labels endpoint.
- Improved software ingestion performance by deduplicating incoming software.
- Placed all form field label tooltips on top.
- Fixed a number of related issues with the filtering and sorting of the queries table.
- Added various optimizations to the rendering of the queries table.
- Fixed host query page styling bugs.
- Fixed a UI bug where "Wipe" action was not being hidden from observers.
- Fixed UI bug for builtin label names for selecting targets.
- Removed references to Administrator accounts in the comments of the Windows lock script.
* Restored missing tooltips when hovering over the disabled "Calendar events" manage automations dropdown option.
* Fixed an issue on Windows hosts enrolled in MDM via Azure AD where the command to install Fleetd on the device was sent repeatedly, even though `fleetd` had been properly installed.
* Improved handling of different scenarios and edge cases when hosts turned on/off MDM.
* Fixed issue with uploading of some signed Apple mobileconfig profiles.
* Added an informative flash message when the user tries to save a query with invalid platform(s).
* Fixed bug where Linux host wipe would repeat if the host got re-enrolled.
- Added integration with Google Calendar for policy compliance events.
- Added new API endpoints to add/remove manual labels to/from a host.
- Updated the `POST /api/v1/fleet/labels` and `PATCH /api/v1/fleet/labels/{id}` endpoints to support creation and update of manual labels.
- Implemented changes in `fleetctl gitops` for batch processing queries and policies.
- Enabled setting host status webhook at the team level via REST API and fleetctl apply/gitops.
### Device management (MDM)
- Added API functionality for creating DDM declarations, both individually and as a batch.
- Added creation or update of macOS DDM profile to enforce OS Updates settings whenever the settings are changed.
- Updated `fleetctl run-script` to include new `--team` and `--script-name` flags.
- Displayed disk encryption status in macOS as "verifying" while verifying the escrowed key.
- Added the `enable_release_device_manually` configuration setting for teams and no team, which controls the automatic release of a macOS DEP-enrolled device.
### Vulnerability management
- Ignored Valve Corporation's Steam client's vulnerabilities on Windows and macOS due to retrieval challenges of the true version.
- Updated `GET fleet/os_versions` and `GET fleet/os_versions/[id]` to restrict team users from accessing os versions on hosts from other teams.
### Bug fixes and improvements
- Upgraded Golang version to 1.21.7.
- Added a minimum supported node version in the `package.json`.
- Made block_id mismatch errors more informative as 400s instead of 500s.
- Added Windows MDM support to the `osquery-perf` host-simulation command.
- Updated calendar events automations to not show error validation on enabling the feature.
- Migrated MDM-related endpoints to new paths while maintaining support for old endpoints indefinitely.
- Added a missing database index to the MDM Windows enrollments table to improve performance at scale.
- Added cross-platform check for duplicate MDM profiles names in batch set MDM profiles API.
- Fixed a bug where Microsoft Edge was not reporting vulnerabilities.
- Fixed an issue with the `20240327115617_CreateTableNanoDDMRequests` database migration.
- Fixed the error message to indicate if a conflict on uploading an Apple profile was caused by the profile's name or its identifier.
- Fixed license checks to allow migration and restoring DEP devices during trial.
- Fixed a 500 error in MySQL 8 and when DB user has insufficient privileges for `fleetctl debug db-locks` and `fleetctl debug db-innodb-status`.
- Fixed a bug where values not derived from "actual" fleetd-chrome tables were not being displayed correctly.
- Fixed a bug where values were not being rendered in host-specific query reports.
- Fixed an issue with automatic release of the device after setup when a DDM profile is pending.
- Fixed UI issues: alignment bugs, padding around empty states, tooltip rendering, and incorrect rendering of the global Host status expiry settings page.
- Fixed a bug where `null` or excluded `smtp_settings` caused a UI 500 error.
- Fixed an issue where a bad request response from a 3rd party MDM solution would result in a 500 error in Fleet during MDM migration.
- Fixed a bug where updating policy name could result in multiple policies with the same name in a team.
- Fixed potential server panic when events are created with calendar integration, but then global calendar integration is disabled.
- Fixed fleetctl gitops dry-run validation issues when enabling calendar integration for the first time.
- Fixed a bug where all Windows MDM enrollments were detected as automatic.
* Updated calendar webhook to retry if it receives response 429 "Too Many Requests". Webhook request will retry for 30 minutes with a 1 minute max delay between retries.
* Updated label endpoints and UI to prevent creating, updating, or deleting built-in labels.
* Fixed edge cases of team ID being lost in various flows.
* Fixed queries to correctly parse params for `GET` ...`policies/count`, `GET` ...`teams/:id/policies/count`, and `GET` ...`vulnerabilities`.
* Fixed `GET` ...`labels` to return `400` when the non-supported `query` url param was included in the request. Previous behavior was to silently ignore that param and return `200`.
* Casted Windows exit codes to signed integers to match the Windows interpreter.
* Fixed a bug where some scripts got stuck in "upcoming" activity permanently.
* Fixed a bug where the translate API returned "forbidden" instead of "bad request" for an empty JSON body.
* Fixed an uncaught bug where "forbidden" would be returned for invalid payload type, which should also be a bad request.
* Fixed an issue where applying Windows MDM profiles using `fleetctl apply` would cause Fleet to overwrite the reserved profile used to manage Windows OS updates.
* Fixed a bug where we were not ignoring leading and trailing whitespace when filtering Fleet entities by name.
* Fixed a bug where query retrieving bitlocker info from windows server wouldn't return.
* Fixed MDM migration starting when the device didn't have the right ADE JSON profile already assigned.
* Fixed an issue with the `20240327115617_CreateTableNanoDDMRequests` database migration where it could fail if the database did not default to the `utf8mb4_unicode_ci` collation.
* Fixed an issue with automatic release of the device after setup when a DDM profile is pending.
- Reduced the number of 'Deadlock found' errors seen by the server when multiple hosts share the same UUID.
- Removed outdated tooltips from UI.
- Added hover states to clickable elements.
- Added cross-platform check for duplicate MDM profiles names in batch set MDM profiles API.
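Two entries on this page describe the same outbound-webhook behaviour: the `activities_webhook` retries for up to 30 minutes when the receiver answers 429, and the calendar webhook retries for 30 minutes with at most a 1 minute delay between attempts. The Go code below is an added example of that pattern written for this page, not Fleet's webhook client; the `RetryPolicy` fields, the `PostWithRetry` and `Demo` names, and the use of `Retry-After` when the receiver sends it are assumptions. The demo uses millisecond budgets so it finishes quickly; a real deployment would use the 30 minute / 1 minute values from the release notes.

```go
package main

import (
	"bytes"
	"context"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"sync/atomic"
	"time"
)

// RetryPolicy bounds how long and how often a webhook delivery is retried.
// Budget is the total time allowed; BaseDelay doubles after each 429 up to MaxDelay.
type RetryPolicy struct {
	Budget    time.Duration
	BaseDelay time.Duration
	MaxDelay  time.Duration
}

// PostWithRetry POSTs body to url and retries only on 429 Too Many Requests,
// honouring a numeric Retry-After header when present and otherwise backing
// off exponentially, capped at MaxDelay. It stops once the next wait would
// pass the budget. Other non-2xx codes are not retried and are reported.
func PostWithRetry(ctx context.Context, client *http.Client, url string, body []byte, p RetryPolicy) (int, error) {
	deadline := time.Now().Add(p.Budget)
	delay := p.BaseDelay
	attempts := 0
	for {
		attempts++
		req, err := http.NewRequestWithContext(ctx, http.MethodPost, url, bytes.NewReader(body))
		if err != nil {
			return attempts, err
		}
		req.Header.Set("Content-Type", "application/json")
		resp, err := client.Do(req)
		if err != nil {
			return attempts, err
		}
		resp.Body.Close()
		if resp.StatusCode != http.StatusTooManyRequests {
			if resp.StatusCode >= 200 && resp.StatusCode < 300 {
				return attempts, nil
			}
			return attempts, fmt.Errorf("webhook returned status %d", resp.StatusCode)
		}
		wait := delay
		if ra := resp.Header.Get("Retry-After"); ra != "" {
			if secs, err := strconv.Atoi(ra); err == nil && secs >= 0 {
				wait = time.Duration(secs) * time.Second
			}
		}
		if wait > p.MaxDelay {
			wait = p.MaxDelay
		}
		if time.Now().Add(wait).After(deadline) {
			return attempts, errors.New("webhook still rate-limited after retry budget exhausted")
		}
		select {
		case <-ctx.Done():
			return attempts, ctx.Err()
		case <-time.After(wait):
		}
		delay *= 2
	}
}

// Demo runs a constructed webhook receiver that answers 429 to the first
// rejectN requests and 200 afterwards, delivers one constructed activity
// payload under the given budget, and returns the attempts made.
func Demo(rejectN int32, budget time.Duration) (int, error) {
	var seen int32
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if atomic.AddInt32(&seen, 1) <= rejectN {
			w.WriteHeader(http.StatusTooManyRequests)
			return
		}
		w.WriteHeader(http.StatusOK)
	}))
	defer srv.Close()
	p := RetryPolicy{Budget: budget, BaseDelay: 5 * time.Millisecond, MaxDelay: 20 * time.Millisecond}
	payload := []byte(`{"type":"constructed_activity","actor":"example"}`) // constructed sample
	return PostWithRetry(context.Background(), srv.Client(), srv.URL, payload, p)
}

func main() {
	attempts, err := Demo(2, 2*time.Second)
	fmt.Println("attempts:", attempts, "err:", err)
}
```

Retrying only on 429 (and not on 4xx errors such as 400 or 401) keeps a misconfigured receiver from being hammered, and the budget check before sleeping guarantees the loop terminates even if the receiver never recovers.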
### Device management (MDM)
- Added Windows MDM support to the `osquery-perf` host-simulation command.
- Added a missing database index to the MDM Windows enrollments table that will improve performance at scale.
- Migrated MDM-related endpoints to new paths, deprecating (but still supporting indefinitely) the old endpoints.
- Added API functionality for creating DDM declarations, both individually and as a batch.
- Added DDM activities to the fleet UI.
- Added the `enable_release_device_manually` configuration setting for a team and no team. **Note** that the macOS automatic enrollment profile cannot set the `await_device_configured` option anymore, this setting is controlled by Fleet via the new `enable_release_device_manually` option.
- Automatically release a macOS DEP-enrolled device after enrollment commands and profiles have been delivered, unless `enable_release_device_manually` is set to `true`.
### Vulnerability management
- Added Visual Studio extensions to Fleet's software inventory.
### Bug fixes
- Fixed a bug where valid MDM enrollments would show up as unmanaged (EnrollmentState 3).
- Fixed flash message from closing when a modal closes.
- Fixed a bug where OS version information would not get detected on Windows Server 2019.
- Fixed false negative vulnerabilities on macOS Homebrew python packages.
- Fixed styling of live query disabled warning.
- Fixed issue where Windows MDM profile processing was skipping `<Add>` commands.
- Fixed UI's ability to bulk delete hosts when "All teams" is selected.
- Fixed error state rendering on the global host status expiry settings page, and fixed error state alignment for tooltip-wrapper field labels across organization settings.
- Fixed `GET fleet/os_versions` and `GET fleet/os_versions/[id]` so team users no longer have access to os versions on hosts from other teams.
- `fleetctl gitops` now batch processes queries and policies.
- Fixed UI bug to render the query platform correctly for queries imported from the standard query library.
* Fixed a bug where the pencil icons next to the edit query name and description fields were inconsistently spaced.
* Fixed an issue with `mdm.enable_disk_encryption` where a `null` JSON value caused issues with MDM profiles in the `PATCH /api/v1/fleet/config` endpoint.
* Displayed disk encryption status in macOS as "verifying" while Fleet verified if the escrowed key could be decrypted.
* Fixed UI styling of loading state for automatic enrollment settings page.
- Fixed query campaigns not clearing from Redis after timeout.
* Added logging when a Redis connection is blocked for a long time waiting for live query results.
* Added support for the `redis.conn_wait_timeout` configuration setting for Redis standalone (it was previously only supported on Redis cluster).
* Added Redis cleanup of inactive queries in a cron job, so temporary Redis failures to stop a live query don't leave such queries around for a long time.
* Fixed orphaned live queries in Redis when client terminates connection
* Added the `--server_frequent_cleanups_enabled` (`FLEET_SERVER_FREQUENT_CLEANUPS_ENABLED`) flag to enable a cron job that cleans up stale data every 15 minutes. Currently disabled by default.
* Fixed issues with how errors were captured in Sentry:
- The stack trace is now more precise.
- More error paths were captured in Sentry.
- **Note: Many more entries could be generated in Sentry compared to earlier Fleet versions. Sentry capacity should be planned accordingly.**
- User settings/profile page officially renamed to "Account" page.
- UI "Edit team" relabeled more accurately as "Rename team".
- Fixed issue where the "Type" column was empty for Windows MDM profile commands when running `fleetctl get mdm-commands` and `fleetctl get mdm-command-results`.
- Upgraded Golang version to 1.21.7
- Updated UI's empty policy states
* Automatically renewed macOS identity certificates for devices 30 days prior to their expiration.
* Fixed bug where updating policy name could result in multiple policies with the same name in a team.
- This bug was introduced in Fleet v4.44.1. Any duplicate policy names in the same team were renamed by adding a number to the end of the policy name.
- Fixed an issue where some MDM profile installation errors would not be shown in Fleet.
- Deleting a policy now updates the policy count.
- The "Show query" button now appears on the report page even when there are no results.
- Updated page description styling
- Fixed UI loading state for software versions and OS for the initial request.
* Fixed a bug where long enrollment secrets would overlap with the action buttons on top of them.
* Fixed a bug that caused OS Settings to never be verified if the MySQL config of Fleet's database had 'only_full_group_by' mode enabled (enabled by default).
* Ensured policy names are now unique per team, allowing different teams to have policies with the same name.
* Fixed the visual display of chevron right icons on Chrome.
* Renamed the 'mdm_windows_configuration_profiles' and 'mdm_apple_configuration_profiles' 'updated_at' field to 'uploaded_at' and removed the automatic setting of the value, setting it explicitly instead.
* Improved the validation of Windows profiles to prevent errors when delivering the profiles to the hosts. If you need to embed a nested XML structure (for example, for Wi-Fi profiles), you can either:
- Escape the XML.
- Use a wrapping `<![CDATA[ ... ]]>` element.
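The two embedding options above can be checked before a profile is uploaded. The following is an added example, not Fleet's own validation code: it builds a minimal SyncML `<Replace>` command around a constructed Wi-Fi payload, encodes the payload either by escaping it or by wrapping it in CDATA, and then parses the command back to show that only those two forms survive as the text content of `<Data>`, while a raw nested element is silently dropped. The `WLANProfile` payload and the `./Vendor/MSFT/WiFi/...` LocURI are assumed values chosen for illustration.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"strings"
)

// nestedWiFiXML is a constructed Wi-Fi payload (not a real Fleet profile) that
// has to travel as text inside the <Data> element of a Windows MDM command.
const nestedWiFiXML = `<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1"><name>CorpWiFi</name></WLANProfile>`

// locURI is an assumed CSP path, used only to make the example concrete.
const locURI = "./Vendor/MSFT/WiFi/Profile/CorpWiFi/WlanXml"

// replaceCmd mirrors just the parts of a SyncML <Replace> command that matter
// for this check: where the payload goes and what the server reads back.
type replaceCmd struct {
	XMLName xml.Name `xml:"Replace"`
	LocURI  string   `xml:"Item>Target>LocURI"`
	Data    string   `xml:"Item>Data"`
}

// escapeNested is option 1 from the changelog: escape <, >, & and quotes so the
// outer XML parser sees character data rather than child elements.
func escapeNested(payload string) (string, error) {
	var buf bytes.Buffer
	if err := xml.EscapeText(&buf, []byte(payload)); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// cdataNested is option 2: wrap the payload in a CDATA section. A payload that
// itself contains "]]>" would end the section early, so that sequence is split
// across two CDATA sections.
func cdataNested(payload string) string {
	safe := strings.ReplaceAll(payload, "]]>", "]]]]><![CDATA[>")
	return "<![CDATA[" + safe + "]]>"
}

// buildReplace assembles the <Replace> command around an already-encoded Data value.
func buildReplace(uri, encodedData string) string {
	return fmt.Sprintf("<Replace><Item><Target><LocURI>%s</LocURI></Target><Data>%s</Data></Item></Replace>", uri, encodedData)
}

// extractData parses the command the way a validator would and returns the text
// content of <Data>. Raw nested elements are not text, so the decoder skips them
// and the payload is lost; escaped or CDATA-wrapped payloads round-trip intact.
func extractData(command string) (string, error) {
	var cmd replaceCmd
	if err := xml.Unmarshal([]byte(command), &cmd); err != nil {
		return "", err
	}
	return cmd.Data, nil
}

func main() {
	escaped, _ := escapeNested(nestedWiFiXML)
	for name, encoded := range map[string]string{
		"raw":     nestedWiFiXML,
		"escaped": escaped,
		"cdata":   cdataNested(nestedWiFiXML),
	} {
		data, err := extractData(buildReplace(locURI, encoded))
		fmt.Printf("%-8s round-trips=%v err=%v\n", name, data == nestedWiFiXML, err)
	}
}
```

Running the program prints `round-trips=true` for the escaped and CDATA variants and `round-trips=false` for the raw one, which is exactly the failure the stricter validation now reports before the profile reaches a host.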
* Fixed an issue where an inaccurate message was returned after running an asynchronous (queued) script.
* Fixed URL query parameters to reset when switching tabs.
* Fixed the vulnerable software dropdown from switching back to all teams.
* Added fleetctl gitops command:
- Synchronize Fleet configuration with the provided file. This command is intended to be used in a GitOps workflow.
* Updated the response for 'GET /api/v1/fleet/hosts/:id/activities/upcoming' to include the count of all upcoming activities for the host.
- Removed rate-limiting from `/api/fleet/orbit/ping` and `/api/fleet/device/ping` endpoints.
- For Windows hosts, fleetd now uses Windows Credential Manager for enroll secret.
- For macOS hosts, fleetd stores and retrieves enroll secret from macOS keychain for non-MDM flow.
- Query reports feature now supports a custom `pack_delimiter` in agent settings.
- Packaged `fleetctl` for macOS as a universal binary (native support for both amd64 and arm64 architectures).
- Added new flow for `fleetctl package --type=msi` on macOS using arm64 processor.
- Teams can now configure their own host expiry settings.
- Added UI for host details activity card.
- Added `host_count_updated_at` to policy API responses.
- Added "Run script" action to host details page.
- Created the "script ran" activity linked to its host.
- Updated host details page and `GET /api/v1/fleet/hosts/:id` endpoint so that failing policies are listed first.
* **Device management (MDM)**:
- Added new endpoints `GET /api/v1/fleet/mdm/manual_enrollment_profile` and scripts related endpoints (`/hosts/:id/activity`, `/hosts/:id/activity/upcoming`).
- Added support for label-based MDM profiles reconciliation.
- Improved MDM migration puppet module.
- Added Windows scripts for MDM unenrollment and fleetd removal.
- Added the profile's `labels` object to MDM profiles response payload.
- Updated UI with ability to target MDM profiles by label.
- Added ability to configure custom `configuration_web_url` values in DEP profile.
- Fixed a bug causing MDM SSO to fail with certain configurations.
- Fixed queries reporting inconsistent MDM enrollment status in Windows.
* **Vulnerability management**:
- Added support for detecting operating system vulnerabilities for macOS and Windows.
- Corrected Windows OS false negative for multiple OS build remediations.
- Fixed issue with incorrect `resolved_in_version` for vulnerabilities.
### Bug fixes and improvements
- Added "No report" text for query results not saved in Fleet.
- Updated forms across the UI for consistent styling.
- Improved UX for globally enabling/disabling SSO.
- Added new consistent header styling across the app.
- Clearer browser page titles and CTAs for Observer+.
- Updated logging destination failure response to return a 4xx error instead of 500.
- Addressed issues with query reports and host expiry settings.
- Resolved platform compatibility checker issues with deprecated osquery tables.
- Updated Go to version 1.21.6.
- osquery flag validation updated for osquery 5.11.
- Fixed validation and error handling for `/api/fleet/orbit/device_token` and other endpoints.
- Fixed UI bugs in script functionality, side navigation content headers, and premium message alignment.
- Fixed a bug in searching for hosts by email addresses.
- Fixed issues with sticky errors in fleetd-chrome after querying privacy_preferences table.
- Fixed a bug where Munki issues section was incorrectly displayed.
- Fixed OS compatibility calculation for certain queries.
- Fixed a bug where capital characters would not match labels containing them.
- Fixed bug in manage hosts UI where changing the dropdown filter did not clear OS settings filter.
- Fixed a bug in `fleetctl` where `--context` and `--debug` flags were not allowed after certain commands.
- Fixed a bug where the UUID for Windows updates profiles was missing the `"w"` prefix.
- Fixed a UI bug on the controls page in team targeting forms.
- Added new `POST /api/v1/fleet/queries/:id/run` endpoint for synchronous live queries.
- Added `PUT /api/fleet/orbit/device_mapping` and `PUT /api/v1/fleet/hosts/{id}/device_mapping` endpoints for setting or replacing custom email addresses.
- Added experimental `--end-user-email` flag to `fleetctl package` for `.msi` installer bundling.
- Added `host_count_updated_at` to policy API responses.
- Added ability to query by host display name via list hosts endpoint.
- Added `gigs_total_disk_space` to host endpoint responses.
- Added ability to remotely configure `fleetd` update channels in agent options (Fleet Premium only, requires `fleetd` >= 1.20.0).
- Improved error message for osquery log write failures.
- Protect live query performance by limiting results per live query.
- Improved error handling and validation for `/api/fleet/orbit/device_token` and other endpoints.
* **Device management (MDM)**:
- Added check for custom end user email fields in enrollment profiles.
- Modified hosts and labels endpoints to include only user-defined Windows MDM profiles.
- Improved profile verification logic for 'pending' profiles.
- Updated enrollment process so that `fleetd` auto-installs on Apple hosts enabling MDM features manually.
- Extended script execution timeout to 5 minutes.
- Extended script disabling functionality to various script endpoints and `fleetctl`.
### Bug fixes and improvements
- Fixed profiles incorrectly being marked as "Failed".
- **NOTE**: If you are using MDM features and have already upgraded to v4.42.0, you will need to take manual steps to resolve this issue. Please [follow these instructions](https://github.com/fleetdm/fleet/issues/15725) to reset your profiles.
- Added tooltip to policies page stating when policy counts were last updated.
- Added bold styling to profile name in custom profile activity logs.
- Implemented style tweaks to the nudge preview on OS updates page.
- Updated sorting of query results and reports (case sensitivity and the default sort order).
- Added disk size indication when disk is full.
- Replaced 500 error with 409 for token conflicts with another host.
- Fixed script output text formatting.
- Fixed styling issues in policy automations modal and nudge preview on OS updates page.
- Fixed loading spinner not appearing when running a script on a host.
- Fixed duplicate view all hosts link in disk encryption table.
- Fixed tooltip text alignment UI bug.
- Fixed missing 'Last restarted' values when filtering hosts by label.
- Fixed broken link on callout box on host details page.
- Fixed bugs in searching hosts by email addresses and filtering by labels.
- Fixed a bug where the host details > software > munki issues section was sometimes displayed erroneously.
- Fixed a bug where OS compatibility was not correctly calculated for certain queries.
- Fixed issue where software title aggregation was not running during vulnerability scans.
- Fixed an error message bug for password length on new user creation.
- Fixed a bug causing misreporting of vulnerability scanning status in analytics.
- Fixed issue with query results reporting after discard data is enabled.
- Fixed a bug preventing label selection while the label search field was active.
- Fixed bug where `fleetctl` did not allow placement of `--context` and `--debug` flags following certain commands.
- Fixed a validation bug allowing `overrides.platform` to be set to `null`.
- Fixed `fleetctl` issue with creating a new query when running a query by name.
- Fixed a bug that caused vulnerability scanning status to be misreported in analytics.
- Fixed CVE tooltip bullets on the software page.
- Fixed a bug that didn't allow enabling team disk encryption if macOS MDM was not configured.
- New tables added to the fleetd extension: `app_icons`, `falconctl_options`, `falcon_kernel_check`, `cryptoinfo`, `cryptsetup_status`, `filevault_status`, `firefox_preferences`, `firmwarepasswd`, `ioreg`, and `windows_updates`.
* Added ability to store results of scheduled queries:
- Will store up to 1000 results for each scheduled query.
- If the number of results for a scheduled query is below 1000, then the results will continuously get updated every time the hosts send results to Fleet.
- Introduced `server_settings.query_reports_disabled` field in global configuration to disable this feature.
- New API endpoint: `GET /api/_version_/fleet/queries/{id}/report`.
- New field `discard_data` added to API queries endpoints for toggling report storage for a query. For yaml configurations, use `discard_data: true` to disable result storage.
- Enhanced osquery result log validation.
- **NOTE:** This feature enables storing more query data in Fleet. This may impact database performance, depending on the number of queries, their frequency, and the number of hosts in your Fleet instance. For large deployments, we recommend monitoring your database load while gradually adding new query reports to ensure your database is sized appropriately.
* Added scripts tab and table for host details page.
* Added support to return the decrypted disk encryption key of a Windows host.
* Added `GET /hosts/{id}/scripts` endpoint to retrieve status details of saved scripts for a host.
* Added `mdm.os_settings` to `GET /api/v1/hosts/{id}` response.
* Added `POST /api/fleet/orbit/disk_encryption_key` endpoint for Windows hosts to report bitlocker encryption key.
* Added activity logging for script operations (add, delete, edit).
* Added UI for scripts on the controls page.
* Added API endpoints for script management and updated existing ones to accommodate saved script ID.
* Added `GET /mdm/disk_encryption/summary` endpoint for disk encryption summaries for macOS and Windows.
* Added `os_settings` and `os_settings_disk_encryption` filters to various `GET` endpoints for host filtering based on OS settings.
* Enhanced `GET hosts/:id` API response to include more detailed disk encryption data for device client errors.
* Updated controls > disk encryption and host details page to include Windows bitlocker information.
* Improved styling for host details/device user failing policies display.
* Disabled multicursor editing for SQL editors.
* Deprecated `mdm.macos_settings.enable_disk_encryption` in favor of `mdm.enable_disk_encryption`.
* Updated Go version to 1.21.3.
### Bug fixes
* Fixed script content and output formatting issues on the scripts detail modal.
* Fixed a high database load issue in the Puppet match endpoint.
* Fixed setup flows background not covering the entire viewport when resized to some sizes.
* Fixed a bug affecting OS settings information retrieval regarding disk encryption status for Windows hosts.
* Fixed SQL parameters used in the `/api/latest/fleet/labels/{labelID}/hosts` endpoint for certain query parameters, addressing issue 13809.
* Fixed Python's CVE-2021-42919 false positive on macOS which should only affect Linux.
* Fixed a bug causing DEP profiles to sometimes not get assigned correctly to hosts.
* Fixed an issue in the bulk-set of MDM Apple profiles leading to excessive placeholders in SQL.
* Fixed max-height display issue for script content and output in the script details modal.
* Updated MDM profile verification so that an install profile command will be retried once if the command resulted in an error or if osquery cannot confirm that the expected profile is installed.
* Ensured post-enrollment commands are sent to devices assigned to Fleet in ABM.
* Ensured hosts assigned to Fleet in ABM come back to pending to the right team after they're deleted.
* Added `labels` to the fleetd extensions feature to allow deploying extensions to hosts that belong to certain labels.
* Changed fleetd Windows extensions file extension from `.ext` to `.ext.exe` to allow their execution on Windows devices (executables on Windows must end with `.exe`).
* Surfaced chrome live query errors to Fleet UI (including errors for specific columns while maintaining successful data in results).
* Fixed delivery of fleetd extensions to devices to only send extensions for the host's platform.
* (Premium only) Added `resolved_in_version` to `/fleet/software` APIs pulled from NVD feed.
* Added database migrations to create the new `scripts` table to store saved scripts.
* Allowed specifying `disable_failing_policies` on the `/api/v1/fleet/hosts/report` API endpoint for increased performance. This is useful if the user is not interested in counting failed policies (`issues` column).
* Added the option to use locally-installed WiX v3 binaries when generating the Fleetd installer for Windows on a Windows machine.
* Added CVE descriptions to the `/fleet/software` API.
* Restored the ability to click on and select/copy text from software bundle tooltips while maintaining the abilities to click the software's name to get more details and to click anywhere else in the row to view all hosts with that software installed.
* Stopped 1password from overly autofilling forms.
* Upgraded Go version to 1.21.1.
### Bug Fixes
* Fixed vulnerability mismatch between the flock browser and the discoteq/flock binary.
* Fixed v4.37.0 performance regressions in the following API endpoints:
  - `/api/v1/fleet/hosts/report`
  - `/api/v1/fleet/hosts` when using `per_page=0` or a large number for `per_page` (in the thousands).
* Fixed script content and output formatting on the scripts detail modal.
* Fixed wrong version numbers for Microsoft Teams in macOS (from invalid format of the form `1.00.XYYYYY` to correct format `1.X.00.YYYYY`).
* Fixed false positive CVE-2020-10146 found on Microsoft Teams.
* Fixed CVE-2013-0340 reporting as a valid vulnerability due to NVD recommendations.
* Fixed save button for a new policy after newly creating another policy.
* Fixed empty query/policy placeholders.
* Fixed used by data when filtering hosts by labels.
* Fixed small copy and alignment issue with status indicators in the Queries page Automations column.
* Fixed strict checks on Windows MDM Automatic Enrollment.
* Fixed software vulnerabilities time ago column for old CVEs.
* Added `/scripts/run` and `scripts/run/sync` API endpoints to send a script to be executed on a host and optionally wait for its results.
* Added `POST /api/fleet/orbit/scripts/request` and `POST /api/fleet/orbit/scripts/result` Orbit-specific API endpoints to get a pending script to execute and send the results back, and added an Orbit notification to let the host know it has scripts pending execution.
* Improved performance at scale when applying hundreds of policies to thousands of hosts via `fleetctl apply`.
- IMPORTANT: In previous versions of Fleet, there was a performance issue (thundering herd) when applying hundreds of policies on a large number of hosts. To avoid this, make sure to deploy this version of Fleet, and make sure Fleet is running for at least 1h (or the configured `FLEET_OSQUERY_POLICY_UPDATE_INTERVAL`) before applying the policies.
* Added pagination to the policies API to increase response time.
* Added policy count endpoints to support pagination on the frontend.
* Added an endpoint to report `fleetd` errors.
* Added logic to report errors during MDM migration.
* Added support in fleetd to execute scripts and send back results (disabled by default).
* Added an activity log when script execution was successfully requested.
* Automatically set the DEP profile to be the same as "no team" (if set) for teams created using the `/match` endpoint (used by Puppet).
* Added JumpCloud to the list of well-known MDM solutions.
* Added `fleetctl run-script` command.
* Made all table links right-clickable.
* Improved the layout of the MDM SSO pages.
* Stored user email when a user turned on MDM features with SSO enabled.
* Updated the copy and image displayed on the MDM migration modal.
* Upgraded Go to v1.19.12.
* Updated the macadmins/osquery-extension to v0.0.15.
* Updated nanomdm dependency.
### Bug Fixes
* Fixed a bug where live query UI and export data tables showed all returned columns.
* Fixed a bug where Jira and/or Zendesk integrations were being removed when an unrelated setting was changed.
* Fixed software ingestion to not re-insert software when incoming fields from hosts were longer than what Fleet supports. This bug caused some CVEs to be reported every time the vulnerability cron ran.
- IMPORTANT: After deploying this fix, the vulnerability cron will report the CVEs one last time, and subsequent cron runs will not report the CVE (as expected).
* Fixed duplicate policy names in `ee/cis/win-10/cis-policy-queries.yml`.
* Fixed typos in policy queries in the Windows CIS policies YAML (`ee/cis/win-10/cis-policy-queries.yml`).
* Fixed a bug where query stats (aka `Performance impact`) were not being populated in Fleet.
* Added validation to `fleetctl apply` for duplicate policy names in the YAML file and attempting to change the team of an existing policy.
* Optimized host queries when using policy statuses.
* Changed the authentication method during Windows MDM enrollment to use `LoadHostByOrbitNodeKey` instead of `HostByIdentifier`.
* Fixed alignment on long label names on host details label filter dropdown.
* Added UI for script run activity and script details modal.
* Fixed queries navigation bar bug where if in query detail, you could not navigate back to the manage queries table.
* Made policy resolutions that include URLs clickable in the UI.
* Fixed Fleet UI custom query frequency display.
* Fixed live query filter icon and various other live query icons.
* Fixed Fleet UI tabs highlight while tabbing but not on multiple clicks.
* Added the `fleetctl upgrade-packs` command to migrate 2017 packs to the new combined schedule and query concept.
* Updated `fleetctl convert` to convert packs to the new combined schedule and query format.
* Updated the `POST /mdm/apple/profiles/match` endpoint to set the bootstrap package and enable end user authentication settings for each new team created via the endpoint to the corresponding values specified in the app config as of the time the applicable team is created.
* Added enroll secret for a new team created with `fleetctl apply` if none is provided.
* Improved SQL autocomplete with dynamic column, table names, and shown metadata.
* Cleaned up styling around table search bars.
* Updated MDM profile verification to fix an issue where profiles were marked as failed when a host is transferred to a newly created team that has an identical profile as an older team.
* Added windows MDM automatic enrollment setup pages to Fleet UI.
* (Beta) Allowed configuring Windows MDM certificates using their contents.
* Updated the icons on the dashboard to new grey designs.
* Ensured DEP profiles are assigned even for devices that already exist and have an op type = "modified".
* Disabled save button for invalid query or policy SQL & missing name.
* Users with no global or team role cannot access the UI.
* Text cells truncate with ellipses if longer than column width.
### Bug Fixes
* Fixed styling issue of the active settings tab.
* Fixed response status code to 403 when a user cannot change their password either because they were not requested to by the admin or they have Single-Sign-On (SSO) enabled.
* Fixed issues with end user migration flow.
* Fixed login form cut off when viewport is too short.
* Fixed bug where `os_version` endpoint returned 404 for `no teams` on controls page.
* Fixed delays applying profiles when the Puppet module is used in distributed scenarios.
* Fixed a style issue in the filter host by status dropdown.
* Fixed an issue when a user with `gitops` role was used to validate a configuration with `fleetctl apply --dry-run`.
* Fixed jumping text on the host page label filter dropdown at low viewport widths.
* Fixed a migration to account for columns with NULL values as a result of either creating schedules via the API without providing all values or by a race condition with database replicas.
* Fixed a bug that occurred when a user tried to create a custom query from the "query" action on a host's details page.
* Combined the query and schedule features to provide a single interface for creating, scheduling, and tweaking queries at the global and team level.
* Merged all functionality of the schedule page into the queries page.
* Updated the save query modal to include scheduling-related fields.
* Updated queries table schema to allow storing scheduling information and configuration in the queries table.
* Users now able to manage scheduled queries using automations modal.
* The `osquery/config` endpoint now includes scheduled queries for the host's team stored in the `queries` table.
* Query editor now includes frequency and other advanced options.
* Updated macOS MDM setup UI in Fleet UI.
* Changed how team assignment works for the Puppet module, for more details see the [README](https://github.com/fleetdm/fleet/blob/main/ee/tools/puppet/fleetdm/README.md).
* Allow the Puppet module to read different Fleet URL/token combinations for different environments.
* Updated server logging for webhook requests to mask URL query values if the query param name includes "secret", "token", "key", "password".
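As an added illustration of the masking rule described in the entry above (this is example code, not Fleet's own logging implementation), the function below redacts the value of every query parameter whose name contains one of the four listed substrings, matched case-insensitively, and also hides a password carried in the URL's userinfo part. The webhook URL and parameter names in the example are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// sensitiveFragments holds the substrings from the changelog entry that mark a
// query parameter name as secret-bearing.
var sensitiveFragments = []string{"secret", "token", "key", "password"}

// isSensitiveParam reports whether a query parameter name should be masked.
// Matching is case-insensitive and substring-based, so "api_key", "APIKey",
// "X-Access-Token" and "client_secret" all match, while "channel" does not.
func isSensitiveParam(name string) bool {
	lower := strings.ToLower(name)
	for _, frag := range sensitiveFragments {
		if strings.Contains(lower, frag) {
			return true
		}
	}
	return false
}

// maskURLForLogging returns a log-safe rendering of rawURL: every value of a
// sensitive query parameter becomes "REDACTED", and a password in the userinfo
// part is hidden by url.URL.Redacted. Keys are re-encoded in sorted order, which
// is acceptable for a log line. If the URL cannot be parsed at all, everything
// after the first "?" is dropped rather than risk writing a secret to the log.
func maskURLForLogging(rawURL string) string {
	u, err := url.Parse(rawURL)
	if err != nil {
		if i := strings.Index(rawURL, "?"); i >= 0 {
			return rawURL[:i] + "?[masked]"
		}
		return rawURL
	}
	q := u.Query()
	for name, vals := range q {
		if !isSensitiveParam(name) {
			continue
		}
		for i := range vals {
			vals[i] = "REDACTED"
		}
		q[name] = vals
	}
	u.RawQuery = q.Encode()
	return u.Redacted()
}

func main() {
	// Constructed webhook URL; hostname and parameters are made up for the example.
	fmt.Println(maskURLForLogging("https://hooks.example.com/notify?channel=ops&api_key=abc123&Token=xyz"))
}
```

Substring matching is deliberately broad: a name such as `keyword` is also masked, which costs a little log detail but never leaks a credential whose parameter name was not anticipated.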
* Added support for Azure JWT tokens.
* Set `DeferForceAtUserLoginMaxBypassAttempts` to `1` in the default FileVault profile installed by Fleet.
* Added dark and light mode logo uploads and show the appropriate logo to the macOS MDM migration flow.
* Added MSI installer deployment support through MS-MDM.
* Added support for Windows MDM STS Auth Endpoint.
* Added support for installing Fleetd after enrolling through Azure account.
* Added support for MDM TOS endpoint.
* Updated the "Platforms" column to the more explicit "Compatible with".
* Improved delivery of Apple MDM profiles by not re-sending `InstallProfile` commands if a host switches teams but the profile contents are the same.
* Improved error handling and messaging of SSO login during AEP(DEP) enrollments.
* Improved the reporting of the Puppet module to only report as changed profiles that actually changed during a run.
* Updated ingestion of host detail queries for MDM so hosts that report empty results are counted as "Off".
* Upgraded Go version to v1.19.11.
* If a policy was defined with an invalid query, the desktop endpoint now counts that policy as a failed policy.
* Fixed issue where Orbit repeatedly tries to launch Nudge in the event of a launch error.
* Fixed an issue so that Observer+ users can run any query by clicking "Create new query".
* Fixed the styling of the initial setup flow.
* Fixed URL used to check Gravatar network availability.
* Added execution of programmatic Windows MDM enrollment on eligible devices when Windows MDM is enabled.
* Microsoft MDM Enrollment Protocol: Added support for the RequestSecurityToken messages.
* Microsoft MDM Enrollment Protocol: Added support for the DiscoveryRequest messages.
* Microsoft MDM Enrollment Protocol: Added support for the GetPolicies messages.
* Added `enabled_windows_mdm` and `disabled_windows_mdm` activities when a user turns on/off Windows MDM.
* Added support to enable and configure Windows MDM and to notify devices that are able to programmatically enroll.
* Added ability to turn Windows MDM on and off from the Fleet UI.
* Added enable and disable Windows MDM activity UI.
* Updated MDM detail query ingestion to switch MDM profiles from "verifying" or "verified" status to "failed" status when osquery reports that this profile is not installed on the host.
* Added notification and execution of programmatic Windows MDM unenrollment on eligible devices when Windows MDM is disabled.
* Added the `FLEET_DEV_MDM_ENABLED` environment variable to enable the Windows MDM feature during its development and beta period.
* Added the `mdm_enabled` feature flag information to the response payload of the `PATCH /config` endpoint.
* Returned the proper HTTP status code when creating a PolicySpec if the team is not found.
* Added CPEMatchingRule type, used for correcting false positives caused by incorrect entries in the NVD dataset.
* Optimized macOS CIS query "Ensure Appropriate Permissions Are Enabled for System Wide Applications" (5.1.5).
* Updated macOS CIS policies 5.1.6 and 5.1.7 to use a new fleetd table `find_cmd` instead of relying on the osquery `file` table to improve performance.
* Implemented the privacy_preferences table for the Fleetd Chrome extension.
* Warnings in fleetctl now go to stderr instead of stdout.
* Updated UI for transferred hosts activity items.
* Added Organization support URL input on the setting page organization info form.
* Added improved ABM 400 error message to the UI.
* Hid any osquery tables or columns that have `hidden` set to `true` from the Fleet UI, to match the Fleet website.
* Ignored casing in the SAML response for the display name. For example, the display name attribute can now be provided as `displayname` or `displayName`.
* Provided feedback to users when `fleetctl login` is using the `EMAIL` and `PASSWORD` environment variables.
* Added a new activity `transferred_hosts` created when hosts are transferred to a new team (or no team).
* Added milliseconds to the timestamp of auto-generated team name when creating a new team in `GET /mdm/apple/profiles/match`.
* Improved dashboard loading states.
* Improved UI for selecting targets.
* Made sure that all configuration profiles and commands are sent to devices if MDM is turned on, even if the device never turned off MDM.
* Fixed bug when reading filevault key in osquery and created new Fleet osquery extension table to read the file directly rather than via filelines table.
* Fixed UI bug on host details and device user pages that caused the software search to not work properly when searching by CVE.
* Fixed not validating the schema used in the Metadata URL.
* Fixed improper HTTP status code if SMTP is invalid.
* Fixed false positives for iCloud on macOS.
* Fixed styling of copy message when copying fields.
* Fixed a bug where an empty file uploaded to `POST /api/latest/fleet/mdm/apple/setup/eula` resulted in a 500; now returns a 400 Bad Request.
* Fixed the vulnerabilities dropdown being hidden when there were no vulnerabilities.
* Fixed scroll behavior with disk encryption status.
* Fixed empty software image in sandbox mode.
* Fixed improper HTTP status code when `fleet/forgot_password` endpoint is rate limited.
* Fixed MaxBurst limit parameter for `fleet/forgot_password` endpoint.
* Fixed a bug where reading from the replica would not read recent writes when matching a set of MDM profiles to a team (the `GET /mdm/apple/profiles/match` endpoint).
* Fixed an issue that displayed Nudge to macOS hosts if MDM was configured but MDM features weren't turned on for the host.
* Fixed tooltip word wrapping on the error cell in the macOS settings table.
* Fixed extraneous loading spinner rendering on the software page.
* Fixed styling bug on setup caused by new font being much wider.
* Added instructions to inform users how to add ChromeOS hosts.
* Added ChromeOS details to the dashboard, manage hosts, and host details pages.
* Added ability for users to create policies that target ChromeOS.
* Added built-in label for ChromeOS.
* Added query to fill in `device_mapping` from ChromeOS hosts.
* Improved the performance of live query results rendering to address usability issues when querying tens of thousands of hosts.
* Reduced size of live query websocket message by removing unused host data.
* Added the `POST /fleet/mdm/apple/profiles/preassign` endpoint to store profiles to be assigned to a host for subsequent matching with an existing (or new) team.
* Added the `POST /fleet/mdm/apple/profiles/match` endpoint to match pre-assigned profiles to an existing team or create one if needed, and assign the host to that team.
* Updated `GET /mdm/apple/profiles` endpoint to return empty array instead of null if no profiles are found.
* Improved ingestion of MDM devices from ABM:
- If a device's operation_type is `modified`, but the device doesn't exist in Fleet yet, a DEP profile will be assigned to the device and a new record will be created in Fleet.
- If a device's operation_type is `deleted`, the device won't be prompted to migrate to Fleet if the feature has been configured.
* Added "Verified" profile status for profiles verified with osquery.
* Added "Action required" status for disk encryption profile in UI for host details and device user pages.
* Added UI for the end user authentication page for MDM macOS setup.
* Added new host detail query to verify MDM profiles and updated API to include verified status.
* Added documentation in the guide for `fleetctl get mdm-commands`.
* Moved post-DEP (automatic) MDM enrollment to a worker job for increased resiliency with retries.
* Added better UI error for manual enroll MDM modal.
* Updated `GET /api/_version_/fleet/config` to omit the `smtp_settings` and `sso_settings` fields if they are not set.
* Added a response payload to the `POST /api/latest/fleet/spec/teams` contributor API endpoint so that it returns an object with a `team_ids_by_name` key which maps team names to their corresponding IDs.
* Ensure we send post-enrollment commands to MDM devices that are re-enrolling after being wiped.
* Added error message to UI when Redis disconnects during a live query session.
* Optimized query used for listing activities on the dashboard.
* Added ability for users to delete multiple pages of hosts.
* Added ability to deselect label filter on host table.
* Added support for value `null` on `FLEET_JIT_USER_ROLE_GLOBAL` and `FLEET_JIT_USER_ROLE_TEAM_*` SAML attributes. Fleet will accept and ignore such `null` attributes.
* Deprecated the `enable_jit_role_sync` setting; the role of an existing user is now only changed if role attributes are set in the `SAMLResponse`.
* Improved styling in sandbox mode.
* Patched a potential security issue.
* Improved icon clarity.
* Fixed issues with the MDM migration flow.
* Fixed a bug with applying team specs via `fleetctl apply` and updating a team via the `PATCH /api/latest/fleet/mdm/teams/{id}` endpoint so that the MDM updates settings (`minimum_version` and `deadline`) are not cleared if not provided in the payload.
* Fixed table formatting for the output of `fleetctl get mdm-command-results`.
* Fixed the `/api/latest/fleet/mdm/apple_bm` endpoint so that it returns 400 instead of 500 when it fails to authenticate with Apple's Business Manager API, as this indicates a Fleet configuration issue with the Apple BM certificate or token.
* Fixed a bug that would show MDM URLs for the same server as different servers if they contain query parameters.
* Fixed an issue preventing a user with the `gitops` role from applying some MDM settings via `fleetctl apply` (the `macos_setup_assistant` and `bootstrap_package` settings).
* Fixed `GET /api/v1/fleet/spec/labels/{name}` endpoint so that it now includes the label id.
* Fixed Observer/Observer+ role being able to see team secrets.
* Fixed UI bug where `inherited_page=0` was incorrectly added to some URLs.
* Fixed misaligned icons in UI.
* Fixed tab misalignment caused by new font.
* Fixed dashed line styling on multiline activities.
* Fixed a bug in the users table where users that are observer+ on every one of their teams (when on more than one team) were listed as "Various roles".
* Fixed 500 error being returned if SSO session is not found.
* Fixed issue with `chrome_extensions` virtual table not returning a path value on `fleetd-chrome`, which was breaking software ingestion.
* Fixed bug with page navigation inside 'My Device' page.
* Fixed a styling bug in the add hosts modal in sandbox mode.
* Added `gitops` user role to Fleet. GitOps users are users that can manage configuration.
* Added the `fleetctl get mdm-commands` command to get a list of MDM commands that were executed. Added the `GET /api/latest/fleet/mdm/apple/commands` API endpoint.
* Added Fleet UI flows for uploading, downloading, deleting, and viewing information about a Fleet MDM
bootstrap package.
* Added `apple_bm_enabled_and_configured` to app config responses.
* Added support for the `mdm.macos_setup.macos_setup_assistant` key in the 'config' and 'team' YAML
payloads supported by `fleetctl apply`.
* Added the endpoints to set, get and delete the macOS setup assistant associated with a team or no team (`GET`, `POST` and `DELETE` methods on the `/api/latest/fleet/mdm/apple/enrollment_profile` path).
* Added functionality to gate Apple MDM login behind SAML authentication.
* Added new "verifying" status for MDM profiles.
* Migrated MDM status values from "applied" to "verifying" and updated associated endpoints.
* Updated macOS settings status filters and aggregate counts to more accurately reflect the status of
FileVault settings.
* Filter out non-`observer_can_run` queries for observers in `fleetctl get queries` to match the UI behavior.
* Fall back to a previous NVD release if the asset we want is not in the latest release.
* Users can now click back to software to return to the filtered host details software tab or filtered manage software page.
* Users can now bookmark software table filters.
* Added a maximum height to the teams dropdown, allowing the user to scroll through a large number of
teams.
* Present the 403 error page when a user with no access logs in.
* The "Back to hosts" and "Back to software" links on the host details and software details pages now return to the previous table state.
* Bookmarkable URLs are now the source of truth for Manage Host and Manage Software table states.
* Removed old Okta configuration that was only documented for internal usage. These configs are being replaced by a general approach to gate profiles behind SSO.
* Removed any host's packs information for observers and observer plus in UI.
* Added `changed_macos_setup_assistant` and `deleted_macos_setup_assistant` activities for the macOS setup assistant setting.
* Hid the "Reset sessions" option in the user dropdown for the current user.
* Added a suite of UI logic for premium features in the Sandbox environment.
* In Sandbox, added "Premium Feature" icons for premium-only option to designate a policy as "Critical," as well
as copy to the tooltip above the icon next to policies designated "Critical" in the Manage policies table.
* Added a star to let a sandbox user know that the "Probability of exploit" column of the Manage
Software page is a premium feature.
* Added "Premium Feature" icons for premium-only columns of the Vulnerabilities table when in
Sandbox mode.
* Inform prospective customers that Teams is a Premium feature.
* Fixed animation for opening edit user modal.
* Fixed nav bar buttons not responsively resizing when small screen widths cannot fit default size nav bar.
* Fixed a bug with and improved the overall experience of tabbed navigation through the setup flow.
* Fixed `/api/_version/fleet/logout` to return HTTP 401 if unauthorized.
* Fixed endpoint to return proper status code (401) on `/api/fleet/orbit/enroll` if secret is invalid.
* Fixed a bug where a white bar appears at the top of the login page before the app renders.
* Fixed bug in manage hosts table where UI elements related to row selection were displayed to a team
observer user when that user was also a maintainer or admin on another team.
* Fixed bug in add policy UI where a user that is team maintainer or team admin cannot access the UI
to save a new policy if that user is also an observer on another team.
* Fixed UI bug where dashboard links to hosts filtered by platform did not carry over the selected
team filter.
* Fixed not showing software card on dashboard when clicking on vulnerabilities.
* Fixed a UI bug where fields on the "My account" page were cut off at smaller viewport widths.
* Fixed software table to match UI spec (vulnerabilities/probability of exploit column responsively hidden under 990px width).
* Fixed a bug where bundle information displayed in tooltips over a software's name was mistakenly
hidden.
* Fixed an HTTP 500 on `GET /api/_version_/fleet/hosts` returned when `mdm_enrollment_status` is invalid.
* Removed both `FLEET_MDM_APPLE_ENABLE` and `FLEET_DEV_MDM_ENABLED` feature flags.
* Automatically send a configuration profile for the `fleetd` agent to teams that use DEP enrollment.
* DEP JSON profiles are now automatically created with default values when the server is run.
* Added the `--mdm` and `--mdm-pending` flags to the `fleetctl get hosts` command to list hosts enrolled in Fleet MDM and pending enrollment in Fleet MDM, respectively.
* Added support for the "enrolled" value for the `mdm_enrollment_status` filter and the new `mdm_name` filter for the "List hosts", "Count hosts" and "List hosts in label" endpoints.
* Added the `fleetctl mdm run-command` command, to run any of the [Apple-supported MDM commands](https://developer.apple.com/documentation/devicemanagement/commands_and_queries) on a host.
* Added the `fleetctl get mdm-command-results` sub-command to get the results for a previously-executed MDM command.
* Added API support to filter the host by the disk encryption status on "GET /hosts", "GET /hosts/count", and "GET /labels/:id/hosts" endpoints.
* Added API endpoint for disk encryption aggregate status data.
* Automatically install `fleetd` for DEP enrolled hosts.
* Updated hosts' profile status sync to set the status to "pending" immediately after an action that affects their list of profiles.
* Updated FileVault configuration profile to disallow device user from disabling full-disk encryption.
* Updated MDM settings so that they are consistent, and updated documentation for clarity, completeness and correctness.
* Added `observer_plus` user role to Fleet. Observers+ are observers that can run any live query.
* Added a premium-only "Published" column to the vulnerabilities table to display when a vulnerability was first published.
* Improved version detection for macOS apps. This fixes some false positives in macOS vulnerability detection.
* If a new CPE translation rule is pushed, the data in the database should reflect that.
* If a false positive is patched, the data in the database should reflect that.
* Include the published date from NVD in the vulnerability object in the API and the vulnerability webhooks (premium feature only).
* User management table informs which users only have API access.
* Added configuration option `websockets_allow_unsafe_origin` to optionally disable the websocket origin check.
* Added new config `prometheus.basic_auth.disable` to allow running the Prometheus endpoint without HTTP Basic Auth.
* Added missing tables to be cleared on host deletion (those that reference the host by UUID instead of ID).
* Introduced new email backend capable of sending email directly using SES APIs.
* Upgraded Go version to 1.19.8 (includes minor security fixes for HTTP DoS issues).
* Uninstalling applications from hosts will remove the corresponding entry in `software` if no more hosts have the application installed.
* Removed the unused "Issuer URI" field from the single sign-on configuration page of the UI.
* Fixed an issue where some icons would appear clipped at certain zoom levels.
* Fixed a bug where some empty table cells were slightly different colors.
* Fixed e-mail sending on user invites and user e-mail change when SMTP server has credentials.
* Fixed logo misalignment.
* Fixed a bug where for certain org logos, the user could still click on it even outside the navbar.
* Fixed styling bugs on the SelectQueryModal.
* Fixed an issue where custom org logos might be displayed off-center.
* Fixed a UI bug where in certain states, there would be extra space at the right edge of the Manage Hosts table.
* Fixed a migration that was causing `fleet prepare db` to fail due to changes in the collation of the tables. IMPORTANT: please make sure to have a database backup before running migrations.
* Fixed an issue where users would see the incorrect disk encryption banners on the My Device page.
* Added the `mdm.macos_settings.enable_disk_encryption` option to the `fleetctl apply` configuration
files of "config" and "team" kind as a Fleet Premium feature.
* Added `mdm.macos_settings.disk_encryption` and `mdm.macos_settings.action_required` status fields in the response for a single host (`GET /hosts/{id}` and `GET /device/{token}` endpoints).
* Added MDM solution name to `host.mdm` in API responses.
* Added support for fleetd to enroll a device using its serial number (in addition to its system
UUID) to help avoid host-matching issues when a host is first created in Fleet via the MDM
automatic enrollment (Apple Business Manager).
* Added ability to filter data under the Hosts tab by the aggregate status of hosts' MDM-managed macOS
settings.
* Added activity feed items for enabling and disabling disk encryption with MDM.
* Added FileVault banners on the Host Details and My Device pages.
* Added activities for when macOS disk encryption setting is enabled or disabled.
* Added UI for toggling Fleet MDM-managed disk encryption and for the disk encryption aggregate data.
* Added support to update a team's disk encryption via the Modify Team (`PATCH /api/latest/fleet/teams/{id}`) endpoint.
* Added a new API endpoint to gate access to an enrollment profile behind Okta authentication.
* Added new configuration values to integrate Okta in the DEP MDM flow.
* Added logic to ingest and decrypt FileVault recovery keys on macOS if Fleet's MDM is enabled.
* Create activity feed types for the creation, update, and deletion of macOS profiles (settings) via
MDM.
* Added an API endpoint to retrieve a host disk encryption key for macOS if Fleet's MDM is enabled.
* Added UI implementation for users to upload, download, and delete macOS profiles.
* Added activity feed types for the creation, update, and deletion of macOS profiles (settings) via
MDM.
* Added API endpoints to create, delete, list, and download MDM configuration profiles.
* Added "edited macos profiles" activity when updating a team's (or no team's) custom macOS settings via `fleetctl apply`.
* Enabled installation and auto-updates of Nudge via Orbit.
* Added support for providing `macos_settings.custom_settings` profiles for team (with Fleet Premium) and no-team levels via `fleetctl apply`.
* Added `--policies-team` flag to `fleetctl apply` to easily import a group of policies into a team.
* Removed the requirement for Rosetta when installing macOS packages on Apple Silicon. The binaries have been "universal" for a while now, but the installer still required Rosetta until now.
* Added max height on org logo image to ensure consistent height of the nav bar.
* Parse the Mac Office release notes and use them for vulnerability processing.
* Only set public IPs on the `host.public_ip` field and add documentation on how to properly configure the deployment to ingest correct public IPs from enrolled devices.
* Added tooltip with link to UI when Public IP address cannot be determined.
* Updated to stricter URL validation in the UI.
* Policy platforms set via the platform checkboxes now save as a user would expect.
* Standardized on a default value for empty cells in the UI.
* Added link to query table in UI source (fleetdm.com/tables/table_name).
* Added live query distributed interval warnings on select targets picker and live query result page.
* Added a macOS settings indicator and modal on the host details and device user pages.
* Added configuration parameters for the filesystem logging destination -- max_size, max_age, and max_backups are now configurable rather than hardcoded values.
* Live query/policy selecting "All hosts" is mutually exclusive from other filters.
* Minor server changes to support Fleetd for ChromeOS (to be released soon).
* Fixed `network_interface_unix` and `network_interface_windows` to ingest "Private IPs" only
(filter out "Public IPs").
* Fixed how the Fleet MDM server URL is generated when stored for hosts enrolled in Fleet MDM.
* Fixed a panic when loading information for a host enrolled in MDM and its `is_server` field is
`NULL`.
* Fixed bug with host count on hosts filtered by operating system version.
* Fixed permissions warnings reported by Suspicious Package in macOS pkg installers. These warnings
appeared to be purely cosmetic.
* Fixed UI bug: Long words in activity feed wrap within the div.
* Fixed "Turn off MDM" button appearing on host details without Fleet MDM enabled.
* Upgrade Go to 1.19.6 to remediate some low severity [denial of service vulnerabilities](https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E/m/CnYKgKwBBQAJ) in the standard library.
* Added API endpoint to unenroll a host from Fleet's MDM.
* Added Request CSR and Change default MDM BM team modals to Integrations > MDM.
* Added a `notifications` object to the response payload of `GET /api/fleet/orbit/config` that includes a `renew_enrollment_profile` field to indicate to fleetd that it needs to run a command on the device to renew the DEP enrollment profile.
* Added modal for automatic enrollment of a macOS host to MDM.
* Integrated with CSR request endpoint in fleet UI.
* Updated `Select targets` UI so that `Platforms`, `Teams`, and `Labels` become `AND` filters. Selecting 2 or more `Platforms`, `Teams`, and `Labels` continue to behave as `OR` filters.
* Added new activities to the activities API when a host is enrolled/unenrolled from Fleet's MDM.
* Implemented macOS update version content panel.
* Added an activity `edited_macos_min_version` when the required minimum macOS version is updated.
* Added the `GET /device/{token}/mdm/apple/manual_enrollment_profile` endpoint to allow downloading the manual MDM enrollment profile from the "My Device" page in Fleet Desktop.
* Run authorization checks before processing policy specs.
* Implemented the new Controls page and updated styling of the site-level navigation.
* Made `fleetctl get teams --yaml` output compatible with `fleetctl apply -f`.
* Added the `POST /api/v1/fleet/mdm/apple/request_csr` endpoint to trigger a Certificate Signing Request to fleetdm.com and return the associated APNs private key and SCEP certificate and key.
* Added mdm enrollment status and mdm server url to `GET /hosts` and `GET /hosts/:id` endpoint
responses.
* Added keys to the `GET /config` and `GET /device/:token` endpoints to inform if Fleet's MDM is properly configured.
* Added the edited minimum macOS version activity.
* User can hover over host UUID to see and copy full ID string.
* Made the 'Back to all hosts' link on the host details page fall back to the default path to the
manage hosts page. This addresses a bug in this functionality when the user navigates directly
with the URL.
* Implemented the ability for an authorized user to unenroll a host from MDM on its host details page. The host must be enrolled in MDM and online.
* Added nixos to the list of platforms that are detected as Linux distributions.
* Allow configuring a minimum macOS version and a deadline for hosts enrolled in Fleet's MDM.
* Added license expiry to account information page for premium users.
* Removed stale time from loading team policies/policy automation so users are provided accurate team data when toggling between teams.
* Updated software empty states and host details empty states.
* Changed default hosts per page from 100 to 50.
* Support `CrOS` as a valid platform string for customers with ChromeOS hosts.
* Cleaned up tables at smaller screen widths.
* Log failed login attempts for user+pw and SSO logins (in the activity feed).
* Added `meta` attribute to `GET /activities` endpoint that includes pagination metadata. Fixed edge case
on UI for pagination buttons on activities card.
* Fleet Premium shows pending hosts on the dashboard and manage host page.
* Use stricter file permissions in `fleetctl updates add` command.
* When table only has 1 host, remove bulky tooltip overflow.
* Documented the Apple Push Notification service (APNs) and Apple Business Manager (ABM) setup and renewal steps.
* Added new activity that records create/edit/delete user roles.
* Log all successful logins as an activity, and all login attempts with their IP address to stderr.
* Added API endpoint to generate DEP public and private keys.
* Added ability to mark policy as critical with Fleet Premium.
* Added ability to mark policies to run automations for all already-failing hosts.
* Added `fleet serve` configuration flags for Apple Push Notification service (APNs) and Simple
Certificate Enrollment Protocol (SCEP) certificates and keys.
* Added `fleet serve` configuration flags for Apple Business Manager (BM).
* Added `fleetctl trigger` command to trigger an ad hoc run of all jobs in a specified cron
schedule.
* Added the `fleetctl get mdm_apple` command to retrieve the Apple MDM configuration information. MDM features are not ready for production and are currently in development. These features are disabled by default.
* Added the `fleetctl get mdm_apple_bm` command to retrieve the Apple Business Manager configuration information.
* Added `fleetctl` command to generate APNs CSR and SCEP CA certificate and key pair.
* Added `fleetctl` command to generate DEP public and private keys.
* Windows installer now ensures that the installed osquery version gets removed before installing Orbit.
* Build on Ubuntu 20 to resolve glibc changes that were causing issues for older Docker runtimes.
* During deleting host flow, inform users how to prevent re-enrolling hosts.
* Added functionality to report if a carve failed along with its error message.
* Added the `redis.username` configuration option for setups that use Redis ACLs.
* Windows installer now ensures that no files are left on the filesystem when orbit uninstallation
process is kicked off.
* Improved logging of failed detail queries and Windows OS version queries.
* Spiffier UI: Add scroll shadows to indicate horizontal scrolling to user.
* Added `counts_update_at` attribute to the `GET /hosts/summary/mdm` response. Updated `GET /labels/:id/hosts` to
filter by the `mdm_id` and `mdm_enrollment_status` query params. Added `mobile_device_management_solution` to the
response from `GET /labels/:id/hosts` when the `mdm_id` query param is included. Added MDM information to the UI for the
Windows/all dashboard and host details.
* Fixed `fleetctl query` to use custom HTTP headers if configured.
* Fixed how disk encryption is queried and ingested on Linux to work around an osquery bug.
* Fixed buggy input field alignments.
* Fixed multiselect styling.
* Fixed bug where manually triggering a cron run that preempts a regularly scheduled run causes
an unexpected shift in the start time of the next interval.
* Fixed an issue where the height of the label for some input fields changed when an error message is displayed.
* Fixed the alignment of the "copy" and "show" button icons in the manage enroll secrets and get API
* Improve live query activity item in the activity feed on the Dashboard page. Each item will include the user’s name, as well as an option to show the query. If the query has been saved, the item will include the query’s name.
* Improve navigation on Host details page and Dashboard page by adding the ability to navigate back to a tab (ex. Policies) and filter (ex. macOS) respectively.
* Improved performance of the Fleet server by decreasing CPU usage by 20% and memory usage by 3% on average.
* Added tooltips and updated dropdown choices on Hosts and Host details pages to clarify the meanings of "Status: Online" and "Status: Offline."
* Added “Void Linux” to the list of recognized distributions.
* Added clickable rows to software tables to view all hosts filtered by software.
* Added support for more OS-specific osquery command-line flags in the agent options.
* Added links to evented tables and columns that require user context in the query side panel.
* Improved CPU and memory usage of Fleet.
* Removed the Preview payload button from the usage statistics page, as well as its associated logic and unique styles. [See the example usage statistics payload](https://fleetdm.com/docs/using-fleet/usage-statistics#what-is-included-in-usage-statistics-in-fleet) in the Using Fleet documentation.
* Removed tooltips and conditional coloring in the disk space graph for Linux hosts.
* Reduced false negatives for the query used to determine encryption status on Linux systems.
* Fixed long software names being center-aligned.
* Fixed a discrepancy in the height of input labels when there’s a validation error.
* Added preview screenshots for Jira and Zendesk vulnerability tickets for Premium users.
* Improved host detail query to populate primary IP and MAC address on the host.
* Added option to show public IP address in Hosts table.
* Improved ingress resource by replacing the template with a more recent version, which enables:
- No annotations are hardcoded; all annotations are optional.
- A custom path; previously it was hardcoded to `/*`, but depending on the ingress controller an extra annotation may be required to work with regular expressions.
- Specifying `ingressClassName`; previously it was hardcoded to `gce`, and this setting may differ on each cluster.
* Added ingestion of host orbit version from `orbit_info` osquery extension table.
* Added number of hosts enrolled by orbit version to usage statistics payload.
* Added number of hosts enrolled by osquery version to usage statistics payload.
* Added arch and linuxmint to list of linux distros so that their data is displayed and host count includes them.
* When submitting invalid agent options, inform user how to override agent options using fleetctl force flag.
* Excluded Windows Servers from MDM lists and aggregated data.
* Activity feed includes editing team config file using fleetctl.
* Update Go to 1.19.3.
* Host details page includes information about the host's disk encryption.
* Information surfaced to device user includes all summary/about information surfaced in host details page.
* Support low_disk_space filter for endpoint /labels/{id}/hosts.
* Select targets page uses cleaner icons.
* Added validation of unknown keys for the Apply Teams Spec request payload (`POST /spec/teams` endpoint).
* Orbit MSI installer now includes the necessary manifest file to use windows_event_log as a logger_plugin.
* UI allows for filtering low disk space hosts by platform.
* Added passed policies column on the inherited policies table for teams.
* Use the MSRC security bulletins to scan for Windows vulnerabilities. Detected vulnerabilities are inserted in a new table, 'operating_system_vulnerabilities'.
* Added vulnerability scores to Jira and Zendesk integrations for Fleet Premium users.
* Improved database usage to prevent some deadlocks.
* Added ingestion of disk encryption status for hosts, and added that flag in the response of the `GET /hosts/{id}` API endpoint.
* Trying to add a host with 0 enroll secrets directs user to manage enroll secrets.
* Detect Windows MDM solutions and add MDM endpoints.
* Styling updates on login and forgot password pages.
* Add UI polish and style fixes for query pages.
* Update styling of tooltips and modals.
* Update colors, issues icon.
* Cleanup dashboard styling.
* Add tooling for writing integration tests on the frontend.
* Fixed host details page so the Munki card only shows for macOS hosts.
* Fixed a bug where duplicate vulnerability webhook requests, Jira, and Zendesk tickets were being
made when scanning for vulnerabilities. This affected Ubuntu and RedHat hosts that support OVAL
vulnerability detection.
* Fixed bug where password reset token expiration was not enforced.
* Fixed a bug in `fleetctl apply` for teams, where a missing `agent_options` key in the YAML spec
file would clear the existing agent options for the team (now it leaves it unchanged). If the key
is present but empty, then it clears the agent options.
* Fixed bug with our CPE matching process. UTM.app was matching to the wrong CPE.
* Fixed an issue where Fleet would send invalid usage stats if no hosts were enrolled.
* Fixed an Orbit MSI installer bug that caused Orbit files not to be removed during uninstallation.
* Added usage statistics for the weekly count of aggregate policy violation days. One policy violation day is counted for each policy that a host is failing, measured as of the time the count increments. The count increments once per 24-hour interval and resets each week.
* Fleet Premium: Add ability to see how many and which hosts have low disk space (less than 32GB available) on the **Home** page.
* Fleet Premium: Add ability to see how many and which hosts are missing (offline for at least 30 days) on the **Home** page.
* Improved the query console by indicating which columns are required in the WHERE clause, indicating which columns are platform-specific, and adding example queries for almost all osquery tables in the right sidebar. These improvements are also live on [fleetdm.com/tables](https://fleetdm.com/tables).
* Added a new display name for hosts in the Fleet UI. To determine the display name, Fleet uses the `computer_name` column in the [`system_info` table](https://fleetdm.com/tables/system_info). If `computer_name` isn't present, the `hostname` is used instead.
* Added functionality to consider device tokens as expired after one hour. This change is not compatible with older versions of Fleet Desktop. We recommend manually updating Orbit and Fleet Desktop to > v1.0.0 in addition to upgrading the server if:
* You're managing your own TUF server.
* You have auto-updates disabled (`fleetctl package [...] --disable-updates`)
* You have channels pinned to an older version (`fleetctl package [...] --orbit-channel 1.0.0 --desktop-channel 1.1.0`).
* Added security headers to HTML, CSV, and installer responses.
* Added validation of the `command_line_flags` object in the Agent Options section of Organization Settings and Team Settings.
* Added logic to clean up irrelevant policies for a host on re-enrollment (e.g., if a host changes its OS from Linux to macOS or it changes teams).
* Added the `inherited_policies` array to the `GET /teams/{team_id}/policies` endpoint that lists the global policies inherited by the team, along with the pass/fail counts for the hosts on that team.
* Added a new UI state for when results are coming in from a live query or policy query.
* Added better team name suggestions to the Create teams modal.
* Clarified last seen time and last fetched time in the Fleet UI.
* Translated technical error messages returned by Agent options validation to be more user-friendly.
* Renamed machine serial to serial number and IPv4 properly to private IP address.
* Fleet Premium: Updated Fleet Desktop to use the `/device/{token}/desktop` API route to display the number of failing policies.
* Made host details software tables more responsive by adding links to software details.
* Fixed a bug in which a user would not be rerouted to the Home page if already logged in.
* Fixed a bug in which clicking the select all checkbox did not select all in some cases.
* Fixed a bug introduced in 4.21.0 where a Windows-specific query was being sent to non-Windows hosts, causing an error in query ingestion for `directIngestOSWindows`.
* Fixed a bug in which uninstalled software (DEB packages) appeared in Fleet.
* Fixed a bug in which, when a team that didn't have `config.features` settings was edited via the UI, both `features.enable_host_users` and `features.enable_software_inventory` would be false instead of the global default.
* Fixed a bug that resulted in false negatives for vulnerable versions of Zoom, Google Chrome, Adobe Photoshop, Node.js, Visual Studio Code, Adobe Media Encoder, VirtualBox, Adobe Premiere Pro, Pip, and Firefox software.
* Fixed bug that caused duplicated vulnerabilities to be sent to third-party integrations.
* Fixed panic in `ingestKubequeryInfo` query ingestion.
* Fixed a bug in which `host_count` and `user_count` returned as `0` in the `teams/{id}` endpoint.
* Fixed a bug in which tooltips for Munki issue would be cut off at the edge of the browser window.
* Fixed a bug in which running `fleetctl apply` with the `--dry-run` flag would fail in some cases.
* Fixed a bug in which **Hosts** table displayed 20 hosts per page.
* Fixed a server panic that occurred when a team was edited via YAML without an `agent_options` key.
* Fixed a bug where Pop!\_OS hosts were not being included in the Linux hosts count on the hosts dashboard page.
* Fleet Premium: Added the ability to know how many hosts and which hosts, on a team, are failing a global policy.
* Added validation to the `config` and `teams` configuration files. Fleet can be managed with [configuration files (YAML syntax)](https://fleetdm.com/docs/using-fleet/configuration-files) and the fleetctl command line tool.
* Added the ability to manage osquery flags remotely. This requires [Orbit, Fleet's agent manager](https://fleetdm.com/announcements/introducing-orbit-your-fleet-agent-manager). If at some point you revoked an old enroll secret, this feature won't work for hosts that were added to Fleet using this old enroll secret. To manage osquery flags on these hosts, we recommend deploying a new package. Check out the instructions [here on GitHub](https://github.com/fleetdm/fleet/issues/7377).
* Added a `/api/v1/fleet/device/{token}/desktop` API route that returns only the number of failing policies for a specific host.
* Added support for an `AC_TEAM_ID` environment variable when creating [signed installers for macOS hosts](https://fleetdm.com/docs/using-fleet/adding-hosts#signing-fleetd-installers).
* **Security**: Upgrade Go to 1.19.1 to resolve a possible HTTP denial of service vulnerability ([CVE-2022-27664](https://nvd.nist.gov/vuln/detail/CVE-2022-27664)).
* Fixed a bug in which [vulnerability automations](https://fleetdm.com/docs/using-fleet/automations#vulnerability-automations) sent duplicate webhooks.
* Fixed a bug in which logging in with single sign-on (SSO) did not work after a failed authorization attempt.
* Fixed a migration error. This only affects Fleet instances that use MariaDB. MariaDB is not [officially supported](https://fleetdm.com/docs/deploying/faq#what-mysql-versions-are-supported). Future issues specific to MariaDB may not be fixed quickly (or at all). We strongly advise migrating to MySQL 8.0.19+.
* Added the ability to know how many hosts, and which hosts, have Munki issues. This information is presented on the **Home > macOS** page and **Host details** page. This information is also available in the [`GET /api/v1/fleet/macadmins`](https://fleetdm.com/docs/using-fleet/rest-api#get-aggregated-hosts-mobile-device-management-mdm-and-munki-information) and [`GET /api/v1/fleet/hosts/{id}/macadmins`](https://fleetdm.com/docs/using-fleet/rest-api#get-hosts-mobile-device-management-mdm-and-munki-information) API routes.
* Fleet Premium: Added ability to test features, like software inventory, on canary teams by adding a [`features` section](https://fleetdm.com/docs/using-fleet/configuration-files#features) to the `teams` YAML document.
* Improved vulnerability detection for macOS hosts by improving detection of Zoom, Ruby, and Node.js vulnerabilities. Warning: For users that download and sync Fleet's vulnerability feeds manually, there are [required adjustments](https://github.com/fleetdm/fleet/issues/6628) or else vulnerability processing will stop working. Users with the default vulnerability processing settings can safely upgrade without adjustments.
* Fleet Premium: Improved the vulnerability automations by adding vulnerability scores (EPSS probability, CVSS scores, and CISA-known exploits) to the webhook payload. Read more about vulnerability automations on [fleetdm.com/docs](https://fleetdm.com/docs/using-fleet/automations#vulnerability-automations).
* Renamed the `host_settings` section to `features` in the [`config` YAML file](https://fleetdm.com/docs/using-fleet/configuration-files#features). `host_settings` is still supported for backwards compatibility.
* Improved the activity feed by adding the ability to see who modified agent options and when modifications occurred. This information is available on the Home page in the Fleet UI and the [`GET /activities` API route](https://fleetdm.com/docs/using-fleet/rest-api#activities).
* Improved the [`config` YAML documentation](https://fleetdm.com/docs/using-fleet/configuration-files#organization-settings).
* Improved the **Hosts** page for smaller screen widths.
* Improved the building of osquery installers for Windows (`.msi` packages).
* Added a **Show query** button on the **Schedule** page, which adds the ability to quickly see a query's SQL.
* Improved the Fleet UI by adding loading spinners to all buttons that create or update entities in Fleet (e.g., users).
* Fixed a bug in which a user could not reach some teams in the UI via pagination if there were more than 20 teams.
* Fixed a bug in which a user could not reach some users in the UI via pagination if there were more than 20 users.
* Fixed a bug in which duplicate vulnerabilities (CVEs) sometimes appeared on **Software details** page.
* Fixed a bug in which the count in the **Issues** column (exclamation tooltip) in the **Hosts** table would sometimes not appear.
* Fixed a bug in which no error message would appear if there was an issue while setting up Fleet.
* Fixed a bug in which no error message would appear if users were creating or editing a label with a name or description that was too long.
* Fixed a bug in which the example payload for usage statistics included incorrect key names.
* Fixed a bug in which the count above the **Software** table would sometimes not appear.
* Fixed a bug in which the **Add hosts** button would not be displayed when search returned 0 hosts.
* Fixed a bug in which modifying filters on the **Hosts** page would not return the user to the first page of the **Hosts** table.
* Warning: Please upgrade to 4.19.1 instead of 4.19.0 due to a migration error included in 4.19.0. Like all releases, Fleet 4.19.1 includes all changes included in 4.19.0.
* Fleet Premium: De-anonymized usage statistics by adding an `organization` property to the usage statistics payload. For Fleet Free instances, organization is reported as "unknown". Documentation on how to disable usage statistics can be found [here on fleetdm.com](https://fleetdm.com/docs/using-fleet/usage-statistics#disable-usage-statistics).
* Fleet Premium: Added support for Just-in-time (JIT) user provisioning via SSO. This adds the ability to automatically create Fleet user accounts when a new user attempts to log in to Fleet via SSO. New Fleet accounts are given the [Observer role](https://fleetdm.com/docs/using-fleet/permissions#user-permissions).
* Improved performance for aggregating software inventory. Aggregate software inventory is displayed on the **Software page** in the Fleet UI.
* Added the ability to see the vendor for Windows programs in software inventory. Vendor data is available in the [`GET /software` API route](https://fleetdm.com/docs/using-fleet/rest-api#software).
* Added a **Mobile device management (MDM) solutions** table to the **Home > macOS** page. This table allows users to see a list of all MDM solutions their hosts are enrolled in and drill down to see which hosts are enrolled in each solution. Note that MDM solutions data is updated as hosts send fresh osquery results to Fleet. This typically occurs within an hour or so of upgrading.
* Added an **Operating systems** table to the **Home > Windows** page. This table allows users to see a list of all Windows operating systems (e.g., Windows 10 Pro 21H2) their hosts are running and drill down to see which hosts are running which version. Note that Windows operating system data is updated as hosts send fresh osquery results to Fleet. This typically occurs within an hour or so of upgrading.
* Added a message in `fleetctl` that notifies users to run `fleet prepare` instead of `fleetctl prepare` when running database migrations for Fleet.
* Improved the Fleet UI by maintaining applied host filters when a user navigates back to the **Hosts** page from an individual host's **Host details** page.
* Improved the Fleet UI by adding consistent styling for **Cancel** buttons.
* Improved the **Queries**, **Schedule**, and **Policies** pages in the Fleet UI by setting the page size to 20 items.
* Improved the Fleet UI by informing the user that Fleet only supports screen widths above 768px.
* Added support for asynchronous saving of the hosts' scheduled query statistics. This is an
experimental feature and should only be used if you're seeing performance issues. Documentation
for this feature can be found [here on fleetdm.com](https://fleetdm.com/docs/deploying/configuration#osquery-enable-async-host-processing).
* Fixed a bug in which the **Operating system** and **Munki versions** cards on the **Home > macOS**
page would not stack vertically at smaller screen widths.
* Fixed a bug in which multiple Fleet Desktop icons would appear on macOS computers.
* Fixed a bug that prevented Windows (`.msi`) installers from being generated on Windows machines.
* Added a Call to Action to the failing policy banner in Fleet Desktop. This empowers end-users to manage their device's compliance.
* Introduced rate limiting for the device-authenticated endpoints (`/api/v1/fleet/device/{token}/...`) to improve the security of Fleet Desktop. These routes are authenticated only by the token in the URL, so throttling limits how quickly tokens can be guessed.
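The following is an added example, not Fleet's own limiter, showing why throttling belongs in front of a token-in-URL endpoint. It keys the limit on the client address and rejects requests before the token lookup; the limit, window length, per-IP keying, token value and handler shape are assumptions for illustration and are not stated on this page.

```python
"""Throttling token-in-URL device endpoints (added example, not Fleet's code).

Fleet Desktop's device endpoints (/api/v1/fleet/device/{token}/...) are
authenticated only by the token in the path, so without a limit an attacker
can guess tokens as fast as the server answers. This sketch keys the limit
on the client address and applies it *before* the token lookup. The limit,
the window and the per-IP keying are assumptions for illustration; Fleet's
own thresholds and keying are not stated on this page.
"""
from collections import defaultdict, deque
import time


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `key` in any `window` seconds."""

    def __init__(self, limit, window, clock=time.monotonic):
        self._limit = limit
        self._window = window
        self._clock = clock            # injectable so tests can move time
        self._hits = defaultdict(deque)

    def allow(self, key):
        now = self._clock()
        hits = self._hits[key]
        # Drop timestamps that have aged out of the window.
        while hits and now - hits[0] >= self._window:
            hits.popleft()
        if len(hits) >= self._limit:
            return False
        hits.append(now)
        return True


# Constructed token table standing in for the server's host lookup (assumed).
DEVICE_TOKENS = {"2f1c9b7e-4d0a-4c2b-9e3f-0a1b2c3d4e5f": "laptop-001"}


def device_policies(client_ip, token, limiter):
    """Handle GET /device/{token}/policies; returns (status, body)."""
    # Throttle first: a rejected guess must be counted like any other request.
    if not limiter.allow(client_ip):
        return 429, "too many requests"
    host = DEVICE_TOKENS.get(token)
    if host is None:
        return 401, "invalid device token"
    return 200, f"policies for {host}"


def simulate_bruteforce(attempts, limit, window):
    """One client guessing `attempts` tokens at 100 requests per second."""
    fake_now = [0.0]
    limiter = SlidingWindowLimiter(limit, window, clock=lambda: fake_now[0])
    statuses = []
    for i in range(attempts):
        fake_now[0] += 0.01
        status, _ = device_policies("203.0.113.5", f"guess-{i:04d}", limiter)
        statuses.append(status)
    return statuses


def window_recovers(limit, window):
    """True if a client blocked at the limit is admitted again once the window passes."""
    fake_now = [0.0]
    limiter = SlidingWindowLimiter(limit, window, clock=lambda: fake_now[0])
    for _ in range(limit):
        limiter.allow("198.51.100.9")
    blocked = not limiter.allow("198.51.100.9")
    fake_now[0] += window
    return blocked and limiter.allow("198.51.100.9")


if __name__ == "__main__":
    codes = simulate_bruteforce(50, limit=10, window=60.0)
    print(f"{codes.count(401)} guesses checked, {codes.count(429)} throttled")
```

With a limit of 10 per 60 seconds, only the first 10 guesses reach the token lookup and the remaining 40 are answered with 429 without touching it; the legitimate client is admitted again once its window has passed. In production the same check is usually placed in middleware so every device route shares it.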
* Improved styling for tooltips, dropdowns, copied text, checkboxes and buttons.
* Fixed a bug in the Fleet UI causing text to be truncated in tables.
* Fixed a bug affecting software vulnerabilities count in Host Details.
* Fixed "Select Targets" search box and updated to reflect currently supported search values: hostname, UUID, serial number, or IPv4.
* Improved disk space reporting in Host Details.
* Updated frequency formatting for Packs to match Schedules.
* Replaced "hosts" count with "results" count for live queries.
* Replaced "Uptime" with "Last restarted" column in Host Details.
* Removed vulnerabilities that do not correspond to a CVE in Fleet UI and API.
* Added standard password requirements when users are created by an admin.
* Updated the regexp we use for detecting the major/minor version on OS platforms.
* Improved calculation of battery health based on cycle count. “Normal” corresponds to a cycle count below 1000 and “Replacement recommended” corresponds to a cycle count of 1000 or more.
* Fixed an issue with double-quote usage in SQL queries that appeared when `ANSI_QUOTES` was enabled in MySQL (in that mode, MySQL treats double-quoted text as an identifier rather than a string literal).
* Added the number of hosts enrolled by operating system (OS) and its version to usage statistics. Also added the weekly active users count to usage statistics. Documentation on how to disable usage statistics can be found [here on fleetdm.com](https://fleetdm.com/docs/using-fleet/usage-statistics#disable-usage-statistics).
* Fleet Premium and Fleet Free: Fleet Desktop is officially out of beta. This application shows users exactly what's going on with their device and gives them the tools they need to make sure it is secure and aligned with policies. They just need to click an icon in their menu bar.
* Fleet Premium and Fleet Free: Fleet's osquery installer is officially out of beta. Orbit is a lightweight wrapper for osquery that allows you to easily deploy, configure and keep osquery up-to-date across your organization.
* Added native support for M1 Macs.
* Added battery health tracking to **Host details** page.
* Improved reporting of error states on the health dashboard and added separate health checks for MySQL and Redis with `/healthz?check=mysql` and `/healthz?check=redis`.
* Improved SSO login failure messaging.
* Fixed osquery tables that report incorrect platforms.
* Added `docker_container_envs` table to the osquery table schema on the **Query** page.
* Updated Fleet host detail query so that the `os_version` for Ubuntu hosts reflects the accurate patch number.
* Fleet Premium: Added the ability to set a Custom URL for the "Transparency" link included in Fleet Desktop. This allows you to use custom branding, as well as gives you control over what information you want to share with your end-users.
* Fleet Premium: Added scoring to vulnerability detection, including EPSS probability score, CVSS base score, and known exploits. This helps you to quickly categorize which threats need attention today, next week, next month, or "someday."
* Added a ticket workflow for policy automations. Fleet can be configured to automatically create a Jira issue or Zendesk ticket when one or more hosts fail a specific policy.
* Added [Open Vulnerability and Assessment Language](https://access.redhat.com/solutions/4161) (`OVAL`) processing for Ubuntu hosts. This increases the accuracy of detected vulnerabilities.
* Added software details page to the Fleet UI.
* Improved live query experience by saving the state of selected targets and adding count of visible results when filtering columns.
* Fixed an issue where the **Device user** page redirected to login if an expired session token was present.
* Fixed an issue that caused a delay in availability of **My device** in Fleet Desktop.
* Added support for custom headers for requests made to `fleet` instances by the `fleetctl` command.
* Updated the `users` query included in every query Fleet sends to osquery.
* Fixed `no such table` errors for `mdm` and `munki_info` for vanilla osquery macOS hosts.
* Fixed data inconsistencies in policy counts caused when a host was re-enrolled without a team or in a different one.
* Fixed a bug affecting the `fleetctl debug archive` and `fleetctl debug errors` commands on Windows.
* Added `/api/_version_/fleet/device/{token}/policies` to retrieve policies for a specific device. This endpoint can only be accessed with a premium license.
* Added `POST /targets/search` and `POST /targets/count` API endpoints.
* Updated `GET /software`, `GET /software/{:id}`, and `GET /software/count` endpoints to exclude software that has been removed from hosts but not cleaned up yet (orphaned).
* Expanded beta support for vulnerability reporting to include both Zendesk and Jira integration. This allows users to configure Fleet to automatically create a Zendesk ticket or Jira issue when a new vulnerability (CVE) is detected on your hosts.
* Expanded beta support for Fleet Desktop to Mac and Windows hosts. Fleet Desktop allows the device user to see
information about their device. To add Fleet Desktop to a host, generate a Fleet-osquery installer with `fleetctl package` and include the `--fleet-desktop` flag. Then, open this installer on the device.
* Added the ability to see when software was last used on Mac hosts in the **Host Details** view in the Fleet UI. This lets you know how recently an application was accessed and is especially useful when deciding whether to continue subscriptions for paid software and distributing licenses.
* Improved security by increasing the minimum password length requirement for Fleet users to 12 characters.
* Added Policies tab to **Host Details** page for Fleet Premium users.
* Added `device_mapping` to host information in UI and API responses.
* Deprecated "MIA" host status in UI and API responses.
* Added CVE scores to `/software` API endpoint responses when available.
* Added `all_linux_count` and `builtin_labels` to `GET /host_summary` response.
* Added the ability to select columns when exporting hosts to CSV.
* Improved the output of `fleetctl debug errors` and added the ability to print the errors to stdout via the `-stdout` flag.
* Added support for Docker Compose V2 to `fleetctl preview`.
* Added experimental option to save responses to `host_last_seen` queries to the database in batches as well as the ability to configure `enable_async_host_processing` settings for `host_last_seen`, `label_membership` and `policy_membership` independently.
* Expanded `wifi_networks` table to include more data on macOS and fixed compatibility issues with newer macOS releases.
* Added `basic_auth.username` and `basic_auth.password` [Prometheus configuration options](https://fleetdm.com/docs/deploying/configuration#prometheus). The `GET /metrics` API route is now disabled if these configuration options are left unspecified, so metrics are never exposed unauthenticated by default.
* Fleet Premium: Added the ability to specify a team-specific "Destination URL" for policy automations. This allows the user to configure Fleet to send a webhook request to a unique location for policies that belong to a specific team. Documentation on what data is included in the webhook request and when the webhook request is sent can be found here on [fleetdm.com/docs](https://fleetdm.com/docs/using-fleet/automations#vulnerability-automations).
**Home > macOS** page. This information is also available via the [`GET /os_versions` API route](https://fleetdm.com/docs/using-fleet/rest-api#get-host-os-versions).
* Added a "Vulnerabilities" column to **Host details > Software** page. This allows the user see and search for specific vulnerabilities (CVEs) detected on a specific host.
before use. Documentation on how to use API-only users can be found here on [fleetdm.com/docs](https://fleetdm.com/docs/using-fleet/fleetctl-cli#using-fleetctl-with-an-api-only-user).
* Fixed a bug in which a user could not log in with basic authentication. This only affects Fleet deployments that use a [MySQL read replica](https://fleetdm.com/docs/deploying/configuration#mysql).
* Added [`database_path` GeoIP configuration option](https://fleetdm.com/docs/deploying/configuration#database-path) to specify a GeoIP database. When configured,
* Added instructions and materials needed to add hosts to Fleet using [plain osquery](https://fleetdm.com/docs/using-fleet/adding-hosts#plain-osquery). These instructions
* Added instructions for using plain osquery to add hosts to Fleet in the Fleet UI. View these instructions by heading to **Hosts > Add hosts > Advanced**.
* Upgraded Go to 1.17.7 with security fixes for crypto/elliptic (CVE-2022-23806), math/big (CVE-2022-23772), and cmd/go (CVE-2022-23773). These are not likely to be high impact in Fleet deployments, but we are upgrading in an abundance of caution.
found on at least one host. Documentation on what data is included in the webhook request and when the webhook request is sent can be found here on [fleetdm.com/docs](https://fleetdm.com/docs/using-fleet/automations#vulnerability-automations).
* **Security**: Fixed a vulnerability in Fleet's SSO implementation that could allow a malicious or compromised SAML Service Provider (SP) to log into Fleet as an existing Fleet user. See https://github.com/fleetdm/fleet/security/advisories/GHSA-ch68-7cf4-35vr for details.
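The advisory above describes the cross-Service-Provider class of SAML bug: a signature only proves the IdP issued an assertion, not that it issued it for Fleet. The following is an added example, not Fleet's code and not the advisory's patch, that contrasts an acceptor which trusts any IdP-issued assertion with one that enforces the standard defence, assumed here to be the relevant one: the assertion's `<AudienceRestriction>` must name our own entity ID and, for SP-initiated logins, `InResponseTo` must match a request we sent. Entity IDs, request IDs and the assertion itself are constructed sample values; signature verification is assumed to have already run and is not shown.

```python
"""Cross-SP SAML replay and the audience check (added example, not Fleet's code).

A valid IdP signature proves the IdP issued an assertion, not that it issued
it *for this* Service Provider. If an SP accepts any signed assertion, an
attacker who runs another SP at the same IdP can take the assertion a victim
produced when logging in to the attacker's SP and replay it to the target.
The standard defence, assumed here to be the relevant one, is to require that
<saml:AudienceRestriction> names our own entity ID (and, for SP-initiated
flows, that InResponseTo matches a request we sent). Signature verification
is assumed to have already run and is not shown; the entity IDs and request
IDs below are constructed sample values.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
FLEET_ENTITY_ID = "https://fleet.example.com/sso"        # assumed value
ATTACKER_SP_ID = "https://attacker-sp.example.net/acs"  # assumed value


def build_response(audience, name_id, in_response_to=None):
    """Construct a minimal (unsigned) SAML Response for the examples below."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"{irt}>
  <saml:Assertion>
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _name_id(root):
    el = root.find(".//saml:Subject/saml:NameID", NS)
    if el is None or not (el.text or "").strip():
        raise ValueError("assertion carries no NameID")
    return el.text.strip()


def login_unchecked(response_xml):
    """Vulnerable: any IdP-issued assertion logs in whoever it names."""
    return _name_id(ET.fromstring(response_xml))


def login_checked(response_xml, our_entity_id, pending_request_ids=None):
    """Hardened: the assertion must be addressed to us and answer our request."""
    root = ET.fromstring(response_xml)
    audiences = [a.text.strip()
                 for a in root.findall(".//saml:AudienceRestriction/saml:Audience", NS)
                 if a.text]
    if our_entity_id not in audiences:
        raise ValueError(f"audience {audiences} does not include {our_entity_id}")
    if pending_request_ids is not None:
        # SP-initiated flow: tie the response to an AuthnRequest we issued.
        if root.get("InResponseTo") not in pending_request_ids:
            raise ValueError("InResponseTo does not match an outstanding AuthnRequest")
    return _name_id(root)


def accepted_user(response_xml, our_entity_id, pending_request_ids=None):
    """Username the hardened path would log in, or None if it rejects."""
    try:
        return login_checked(response_xml, our_entity_id, pending_request_ids)
    except ValueError:
        return None


if __name__ == "__main__":
    replayed = build_response(ATTACKER_SP_ID, "alice@example.com", "_attacker-req-1")
    print("unchecked:", login_unchecked(replayed))                 # alice@example.com
    print("checked:  ", accepted_user(replayed, FLEET_ENTITY_ID))  # None
```

The replayed assertion names `alice@example.com` and would pass the unchecked path; the checked path rejects it because its audience is the attacker's SP. Passing `pending_request_ids=None` models an IdP-initiated login where no `InResponseTo` is expected; when Fleet started the flow, the set of outstanding request IDs should be supplied so a response cannot be replayed against a request it did not answer.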
* Improved the [live query API route (`GET /api/v1/fleet/queries/run`)](https://fleetdm.com/docs/using-fleet/rest-api#run-live-query) so that it successfully returns results for Fleet
* Added a `disable_failing_policies` parameter to the [`GET /hosts` API route](https://fleetdm.com/docs/using-fleet/rest-api#list-hosts) to allow the API request to respond faster if failing policies count information is not needed.
* Fleet Premium: Added the ability to filter aggregate host data such as platforms (macOS, Windows, and Linux) and status (online, offline, and new) on the **Home** page. The aggregate host data is also available in the [`GET /host_summary` API route](https://fleetdm.com/docs/using-fleet/rest-api#get-hosts-summary).
* Fleet Premium: Added `fleetctl updates rotate` command for rotation of keys in the updates system. The `fleetctl updates` command provides the ability to [self-manage an agent update server](https://fleetdm.com/docs/deploying/fleetctl-agent-updates).
* Enabled the software inventory by default for new Fleet instances. The software inventory feature can be turned on or off using the [`enable_software_inventory` configuration option](https://fleetdm.com/docs/using-fleet/vulnerability-processing#configuration).
* Updated the JSON payload for the host status webhook by renaming the `"message"` property to `"text"` so that the payload can be received and displayed in Slack.
* Added instructions in the Fleet UI for generating an osquery installer for macOS, Linux, or Windows. Documentation for generating an osquery installer and distributing the installer to your hosts to add them to Fleet can be found here on [fleetdm.com/docs](https://fleetdm.com/docs/using-fleet/adding-hosts).
* Added ability to see all the software, and filter by vulnerable software, installed across all your hosts on the **Home** page. Each software's `name`, `version`, `hosts_count`, `vulnerabilities`, and more is also available in the [`GET /software` API route](https://fleetdm.com/docs/using-fleet/rest-api#software) and `fleetctl get software` command.
* Added ability to see all of the queries scheduled to run on a specific host on the **Host details** page immediately after a query is added to a schedule or pack.
* Clarified that a policy in Fleet is a yes or no question you can ask about your hosts by replacing "Passing" and "Failing" text with "Yes" and "No" respectively on the **Policies** page and **Host details** page.
* Improved the UI for the "Software" table and "Policies" table on the **Host details** page so that it's easier to pivot to see all hosts with a specific software installed or answering "No" to a specific policy.
* Fleet Premium: Added a Team admin user role. This allows users to delegate the responsibility of managing team members in Fleet. Documentation for the permissions associated with the Team admin and other user roles can be found [here on fleetdm.com/docs](https://fleetdm.com/docs/using-fleet/permissions).
* Added Apache Kafka logging plugin. Documentation for configuring Kafka as a logging plugin can be found [here on fleetdm.com/docs](https://fleetdm.com/docs/deploying/configuration#kafka-rest-proxy-logging). Thank you to Joseph Macaulay for adding this capability.
* Added support for [MinIO](https://min.io/) as a file carving backend. Documentation for configuring MinIO as a file carving backend can be found [here on fleetdm.com/docs](https://fleetdm.com/docs/using-fleet/fleetctl-cli#minio). Thank you to Chandra Majumdar and Ben Edwards for adding this capability.
* Improved the performance of vulnerability processing by making the process consume less RAM. Documentation for the vulnerability processing feature can be found [here on fleetdm.com/docs](https://fleetdm.com/docs/using-fleet/vulnerability-processing).
* Added the ability to run a live query and receive results using only the Fleet REST API with a `GET /api/v1/fleet/queries/run` API route. Documentation for this new API route can be found [here on fleetdm.com/docs](https://fleetdm.com/docs/using-fleet/rest-api#run-live-query).
* Added ability to see whether a specific host is "Passing" or "Failing" a policy on the **Host details** page. This information is also exposed in the `GET api/v1/fleet/hosts/{id}` API route. In Fleet, a policy is a "yes" or "no" question you can ask of all your hosts.
* Added the ability to quickly see the total number of "Failing" policies for a particular host on the **Hosts** page with a new "Issues" column. Total "Issues" are also revealed on a specific host's **Host details** page.
* Added the ability to see which platforms (macOS, Windows, Linux) a specific query is compatible with. The compatibility detected by Fleet is estimated based on the osquery tables used in the query.
* Added the ability to see whether your queries have a "Minimal," "Considerable," or "Excessive" performance impact on your hosts. Query performance information is only collected when a query runs as a scheduled query.
* Added the ability to see a list of hosts that have a specific software version installed by selecting a software version on a specific host's **Host details** page. Software inventory is currently under a feature flag. To enable this feature flag, check out the [feature flag documentation](https://fleetdm.com/docs/deploying/configuration#feature-flags).
* Added the ability to see all vulnerable software detected across all your hosts with the `GET /api/v1/fleet/software` API route. Documentation for this new API route can be found [here on fleetdm.com/docs](https://fleetdm.com/docs/using-fleet/rest-api#software).
* Added the ability to see the exact number of hosts that match the selected filters on the **Hosts** page. This ability is also available when using the `GET api/v1/fleet/hosts/count` API route.
* Added ability to connect to Redis with TLS. Documentation for configuring Fleet to use a TLS connection to the Redis server can be found [here on fleetdm.com/docs](https://fleetdm.com/docs/deploying/configuration#redis-use-tls).
* Added the `cluster_read_from_replica` Redis configuration option to specify whether to prefer reading from a replica when possible. Documentation for this configuration option can be found [here on fleetdm.com/docs](https://fleetdm.com/docs/deploying/configuration#redis-cluster-read-from-replica).
* Fixed a bug in which users with the global maintainer role could not edit or save queries. In Fleet 4.0.0, the Admin, Maintainer, and Observer user roles were introduced. Documentation for the permissions associated with each role can be found [here on fleetdm.com/docs](https://fleetdm.com/docs/using-fleet/permissions).
* Fixed a bug in which policies were checked about every second, and added a `policy_update_interval` osquery configuration option. Documentation for this configuration option can be found [here on fleetdm.com/docs](https://fleetdm.com/docs/deploying/configuration#osquery-policy-update-interval).
* Added `fleetctl get software` command to list all software and the detected vulnerabilities. The Vulnerable software feature is currently in Beta. For information on how to configure the Vulnerable software feature and how exactly Fleet processes vulnerabilities, check out the [Vulnerability processing documentation](https://fleetdm.com/docs/using-fleet/vulnerability-processing).
* Added `disable_data_sync` vulnerabilities configuration option to avoid downloading the data streams. Documentation for this configuration option can be found [here on fleetdm.com/docs](https://fleetdm.com/docs/deploying/configuration#disable-data-sync).
* Only shows observers the queries they have permission to run on the **Queries** page. In Fleet 4.0.0, the Admin, Maintainer, and Observer user roles were introduced. Documentation for the permissions associated with each role can be found [here on fleetdm.com/docs](https://fleetdm.com/docs/using-fleet/permissions).
* Added `connect_retry_attempts` Redis configuration option to retry failed connections. Documentation for this configuration option can be found [here on fleetdm.com/docs](https://fleetdm.com/docs/deploying/configuration#redis-connect-retry-attempts).
* Added `cluster_follow_redirections` Redis configuration option to follow cluster redirections. Documentation for this configuration option can be found [here on fleetdm.com/docs](https://fleetdm.com/docs/deploying/configuration#redis-cluster-follow-redirections).
* Added `max_jitter_percent` osquery configuration option to prevent all hosts from returning data at roughly the same time. Note that this improves the Fleet server performance, but it will now take longer for new labels to populate. Documentation for this configuration option can be found [here on fleetdm.com/docs](https://fleetdm.com/docs/deploying/configuration#osquery-max-jitter-percent).
* MariaDB compatibility fixes: added an explicit foreign key constraint with cascading delete for `host_software` to allow hosts with software to be deleted.
* Fixed a bug in which some new Fleet deployments don't include the default global [agent options](https://fleetdm.com/docs/using-fleet/configuration-files#agent-options).
* Improved how a host's `users` are stored in MySQL to prevent deadlocks. This information is available in the "Users" table on each host's **Host details** page and in the `GET /api/v1/fleet/hosts/{id}` API route.
* Added a `-o` flag to the `fleetctl convert` command to ensure consistent output rather than relying on shell redirection (this was causing issues with file encodings).
* When a connection from a live query websocket is closed, Fleet now times out the receive and handles the different cases correctly so that it does not hold the connection to Redis.
* Added the ability to create a Team schedule in Fleet. The Schedule feature was released in Fleet 4.1.0. For more information on the new Schedule feature, check out the [Fleet 4.1.0 release blog post](https://blog.fleetdm.com/fleet-4-1-0-57dfa25e89c1). *Available for Fleet Basic customers*.
* Added Beta Vulnerable software feature which surfaces vulnerable software on the **Host details** page and the `GET /api/v1/fleet/hosts/{id}` API route. For information on how to configure the Vulnerable software feature and how exactly Fleet processes vulnerabilities, check out the [Vulnerability processing documentation](https://fleetdm.com/docs/using-fleet/vulnerability-processing).
* Added the ability to see which logging destination is configured for Fleet in the Fleet UI. To see this information, head to the **Schedule** page and then select "Schedule a query." Configured logging destination information is also available in the `GET api/v1/fleet/config` API route.
* Added the ability to modify scheduled queries in your Schedule in Fleet. The Schedule feature was released in Fleet 4.1.0. For more information on the new Schedule feature, check out the [Fleet 4.1.0 release blog post](https://blog.fleetdm.com/fleet-4-1-0-57dfa25e89c1).
* Added the ability to disable the Users feature in Fleet by setting the new `enable_host_users` key to `false` in the `config` YAML configuration file. For documentation on using configuration files in YAML syntax, check out the [Using yaml files in Fleet](https://fleetdm.com/docs/using-fleet/configuration-files#using-yaml-files-in-fleet) documentation.
* Improved performance of the Software inventory feature. Software inventory is currently under a feature flag. To enable this feature flag, check out the [feature flag documentation](https://fleetdm.com/docs/deploying/configuration#feature-flags).
* Improved performance of inserting `pack_stats` in the database. The `pack_stats` information is used to display "Frequency" and "Last run" information for a specific host's scheduled queries. You can find this information on the **Host details** page.
Schedule lets you add queries that are executed on your devices at regular intervals without having to understand or configure osquery query packs. For experienced Fleet and osquery users, the ability to create new, and modify existing, query packs is still available in the Fleet UI and fleetctl command-line tool. To reach the **Packs** page in the Fleet UI, head to **Schedule > Advanced**.
Activity feed adds the ability to observe when, and by whom, queries are changed, packs are created, live queries are run, and more. The Activity feed feature is located on the new Home page in the Fleet UI. Select the logo in the top right corner of the Fleet UI to navigate to the new **Home** page.
* Added ability to create teams and update their respective agent options and enroll secrets using the new `teams` yaml document and fleetctl. Available in Fleet Basic.
* Added a "Users" table on the **Host details** page. The `username` information displayed in the "Users" table, as well as the `uid`, `type`, and `groupname` are available in the Fleet REST API via the `/api/v1/fleet/hosts/{id}` API route.
* Added ability to create a user without an invitation. You can now create a new user by heading to **Settings > Users**, selecting "Create user," and then choosing the "Create user" option.
* Improved performance of the Software inventory feature by reducing the number of inserts and deletes done in the database when updating each host's
* Fixed an issue in which it was not possible to clear host settings by applying the `config` yaml document. This allows users to successfully remove the `additional_queries` property after adding it.
The primary additions in Fleet 4.0.0 are the new Role-based access control (RBAC) and Teams features.
RBAC adds the ability to define a user's access to features in Fleet. This way, more individuals in an organization can utilize Fleet with appropriate levels of access.
* Check out the [permissions documentation](https://github.com/fleetdm/fleet/blob/2f42c281f98e39a72ab4a5125ecd26d303a16a6b/docs/1-Using-Fleet/9-Permissions.md) for a breakdown of the new user roles.
Teams adds the ability to separate hosts into exclusive groups. This way, users can easily act on consistent groups of hosts.
* Read more about the Teams feature in [the documentation here](https://github.com/fleetdm/fleet/blob/2f42c281f98e39a72ab4a5125ecd26d303a16a6b/docs/1-Using-Fleet/10-Teams.md).
* Added the ability to separate hosts into exclusive groups with the Teams feature. The Teams feature is available for Fleet Basic customers. Check out the list below for the new functionality included with Teams:
* Added the ability to create an API-only user. API-only users cannot access the Fleet UI. These users can access all Fleet API endpoints and `fleetctl` features. Available in Fleet Core.
Fleet 4.0.0 is a major release and introduces several breaking changes and database migrations. The following sections call out changes to consider when upgrading to Fleet 4.0.0:
* The structure of Fleet's `.tar.gz` and `.zip` release archives has changed slightly. Deployments that use the binary artifacts may need to update scripts or tooling. The `fleetdm/fleet` Docker container maintains the same API.
* Use strictly `fleet` in Fleet's configuration, API routes, and environment variables. Users must update all usage of `kolide` in these items (deprecated since Fleet 3.8.0).
* Replaced the `api/v1/fleet/spec/osquery/options` API endpoint with `api/v1/fleet/config`. In Fleet 4.0.0, "osquery options" are now called "agent options." The new agent options are moved to the Fleet application config spec file and the `api/v1/fleet/config` API endpoint.
* Enroll secrets no longer have "names" and are now either global or for a specific team. Hosts no longer store the "name" of the enroll secret that was used. Users that want to be able to segment hosts (for configuration, queries, etc.) based on the enroll secret should use the Teams feature in Fleet Basic.
* JWT encoding is no longer used for session keys. Sessions now default to expiring in 4 hours of inactivity. `auth_jwt_key` and `auth_jwt_key_file` are no longer accepted as configuration.
* The `username` artifact has been removed in favor of the more recognizable `name` (Full name). As a result the `email` artifact is now used for uniqueness in Fleet. Upon upgrading to Fleet 4.0.0, existing users will have the `name` field populated with `username`. SAML users may need to update their username mapping to match user emails.
* As of Fleet 4.0.0, Fleet Device Management Inc. periodically collects [anonymous information about your instance](https://github.com/fleetdm/fleet/blob/2f42c281f98e39a72ab4a5125ecd26d303a16a6b/docs/1-Using-Fleet/11-Usage-statistics.md). Sending usage statistics is turned off by default for users upgrading from a previous version of Fleet.
The primary additions in Fleet 4.0.0 are the new Role-based access control (RBAC) and Teams features.
RBAC adds the ability to define a user's access to features in Fleet. This way, more individuals in an organization can utilize Fleet with appropriate levels of access.
* Check out the [permissions documentation](https://github.com/fleetdm/fleet/blob/5e40afa8ba28fc5cdee813dfca53b84ee0ee65cd/docs/1-Using-Fleet/8-Permissions.md) for a breakdown of the new user roles.
Teams adds the ability to separate hosts into exclusive groups. This way, users can easily act on consistent groups of hosts.
* Read more about the Teams feature in [the documentation here](https://github.com/fleetdm/fleet/blob/5e40afa8ba28fc5cdee813dfca53b84ee0ee65cd/docs/1-Using-Fleet/9-Teams.md).
* Added the ability to separate hosts into exclusive groups with the Teams feature. The Teams feature is available for Fleet Basic customers. Check out the list below for the new functionality included with Teams:
* Added the ability to create an API-only user. API-only users cannot access the Fleet UI. These users can access all Fleet API endpoints and `fleetctl` features. Available in Fleet Core.
Fleet 4.0.0 is a major release and introduces several breaking changes and database migrations.
* Use strictly `fleet` in Fleet's configuration, API routes, and environment variables. Users must update all usage of `kolide` in these items (deprecated since Fleet 3.8.0).
* Replaced the `api/v1/fleet/spec/osquery/options` API endpoint with `api/v1/fleet/config`. In Fleet 4.0.0, "osquery options" are now called "agent options." The new agent options are moved to the Fleet application config spec file and the `api/v1/fleet/config` API endpoint.
* Enroll secrets no longer have "names" and are now either global or for a specific team. Hosts no longer store the "name" of the enroll secret that was used. Users that want to be able to segment hosts (for configuration, queries, etc.) based on the enroll secret should use the Teams feature in Fleet Basic.
* `auth_jwt_key` and `auth_jwt_key_file` are no longer accepted as configuration.
* JWT encoding is no longer used for session keys. Sessions now default to expiring after 4 hours of inactivity.
### Known issues
There are currently no known issues in this release. However, we recommend only upgrading to Fleet 4.0.0-rc2 for testing purposes. Please file a GitHub issue for any issues discovered when testing Fleet 4.0.0!
RBAC adds the ability to define a user's access to information and features in Fleet. This way, more individuals in an organization can utilize Fleet with appropriate levels of access. Check out the [permissions documentation](https://fleetdm.com/docs/using-fleet/permissions) for a breakdown of the new user roles and their respective capabilities.
Teams adds the ability to separate hosts into exclusive groups. This way, users can easily observe and apply operations to consistent groups of hosts. Read more about the Teams feature in [the documentation here](https://fleetdm.com/docs/using-fleet/teams).
There are several known issues that will be fixed for the stable release of Fleet 4.0.0. Therefore, we recommend only upgrading to Fleet 4.0.0 RC1 for testing purposes. Please file a GitHub issue for any issues discovered when testing Fleet 4.0.0!
* Added the ability to separate hosts into exclusive groups with the Teams feature. The Teams feature is available for Fleet Basic customers. Check out the list below for the new functionality included with Teams:
* Used strictly `fleet` in Fleet's configuration, API routes, and environment variables. This means that you must update all usage of `kolide` in these items. The backwards compatibility introduced in Fleet 3.8.0 is no longer valid in Fleet 4.0.0.
* Replaced the `api/v1/fleet/spec/osquery/options` API endpoint with `api/v1/fleet/config`. In Fleet 4.0.0, "osquery options" are now called "agent options." The new agent options are moved to the Fleet application config spec file and the `api/v1/fleet/config` API endpoint.
* Enroll secrets no longer have "names" and are now either global or for a specific team. Hosts no longer store the "name" of the enroll secret that was used. Users that want to be able to segment hosts (for configuration, queries, etc.) based on the enroll secret should use the Teams feature in Fleet Basic.
* Improved performance of the `additional_queries` feature by moving `additional` query results into a separate table in the MySQL database. Please note that the [`/api/v1/fleet/hosts` API endpoint](https://github.com/fleetdm/fleet/blob/06b2e564e657492bfbc647e07eb49fd4efca5a03/docs/1-Using-Fleet/3-REST-API.md#list-hosts) now only returns the requested `additional` columns.
* Improved `fleetctl preview` experience by adding the `fleetctl preview reset` and `fleetctl preview stop` commands to reset and stop simulated hosts running in Docker.
* Added scheduled queries to the _Host details_ page. Surfaces the "Name", "Description", "Frequency", and "Last run" information for each query in a pack that applies to a specific host.
* Added ability to duplicate live query results in Redis. When the `redis_duplicate_results` configuration option is set to `true`, all live query results will be copied to an additional Redis Pub/Sub channel named `LQDuplicate`.
* Added ability to control the server-side HTTP keepalive property. Turning off keepalives has helped reduce outstanding TCP connections in some deployments.
* Improved Fleet performance by batch updating host seen time instead of updating synchronously. This improvement reduces MySQL CPU usage by ~33% with 4,000 simulated hosts and MySQL running in Docker.
* Added support for software inventory, introducing a list of installed software items on each host's respective _Host details_ page. This feature is flagged off by default (for now). Check out [the feature flag documentation for instructions on how to turn this feature on](https://fleetdm.com/docs/deploying/configuration#software-inventory).
* Added Windows support for `fleetctl` agent autoupdates. The `fleetctl updates` command provides the ability to self-manage an agent update server. Available for Fleet Basic customers.
* Fixed a frontend bug that prevented the "Pack" page and "Edit pack" page from rendering in the Fleet UI. This issue occurred when the `platform` key, in the requested pack's configuration, was set to any value other than `darwin`, `linux`, `windows`, or `all`.
* Improved logging. All errors are logged regardless of log level, some non-errors are logged regardless of log level (agent enrollments, runs of live queries etc.), and all other non-errors are logged on debug level.
* Improved `fleetctl preview` to ensure the latest version of Fleet is fired up on every run. In addition, the Fleet UI is now accessible without having to click through browser security warning messages.
* Added configurable host identifier to help with duplicate host enrollment scenarios. By default, Fleet's behavior does not change (it uses the identifier configured in osquery's `--host_identifier` flag), but for users with overlapping host UUIDs changing `--osquery_host_identifier` to `instance` may be helpful.
* Made cool-down period for host enrollment configurable to control load on the database in scenarios in which hosts are using the same identifier. By default, the cooldown is off, reverting to the behavior of Fleet <=3.4.0. The cooldown can be enabled with `--osquery_enroll_cooldown`.
* Deprecated `KOLIDE_` environment variable prefixes in favor of `FLEET_` prefixes. Deprecated prefixes continue to work and the Fleet server will log warnings if the deprecated variable names are used.
* Deprecated `/api/v1/kolide` routes in favor of `/api/v1/fleet`. Deprecated routes continue to work and the Fleet server will log warnings if the deprecated routes are used.
* Changed the default `--server_tls_compatibility` to `intermediate`. The previous default caused TLS connectivity issues for users in some environments. This new default is a more appropriate balance of security and compatibility, as recommended by Mozilla.
* **Security**: Fixed a vulnerability in which a malicious actor with a valid node key can send a badly formatted request that causes the Fleet server to exit, resulting in denial of service. See https://github.com/fleetdm/fleet/security/advisories/GHSA-xwh8-9p3f-3x45 and the linked content within that advisory.
* Improved the `fleetctl preview` experience to include adding containerized osquery agents, displaying login information, creating a default directory, and checking for Docker daemon status.
* **Security**: Introduced XML validation library to mitigate a Go stdlib XML parsing vulnerability affecting SSO login. See https://github.com/fleetdm/fleet/security/advisories/GHSA-w3wf-cfx3-6gcx and the linked content within that advisory.
* **Security**: Prevented new queries from using the SQLite `ATTACH` command. This is a mitigation for the osquery vulnerability https://github.com/osquery/osquery/security/advisories/GHSA-4g56-2482-x7q8.
Follow up: Audit existing saved queries and logs of live query executions for possible malicious use of `ATTACH`. Upgrade osquery to 4.6.0 to prevent `ATTACH` queries from executing.
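The follow-up audit above needs a way to spot `ATTACH` in stored query text without flagging the word inside a string literal or missing it behind a comment. The following is an added example for that audit, not Fleet's own mitigation code: `sqlKeywords` and `UsesAttach` are names introduced here, and the scanner deliberately handles only the SQLite syntax it comments on.

```go
package main

import (
	"strings"
	"unicode"
)

// sqlKeywords returns the bare identifiers and keywords of a query, upper-cased,
// skipping string literals and both SQL comment styles so that "attach" inside a
// literal is not a hit while an ATTACH statement after a comment still is.
func sqlKeywords(q string) []string {
	var out []string
	var cur strings.Builder
	flush := func() {
		if cur.Len() > 0 {
			out = append(out, strings.ToUpper(cur.String()))
			cur.Reset()
		}
	}
	for i := 0; i < len(q); i++ {
		c := q[i]
		switch {
		case c == '-' && i+1 < len(q) && q[i+1] == '-': // -- line comment
			flush()
			for i < len(q) && q[i] != '\n' {
				i++
			}
		case c == '/' && i+1 < len(q) && q[i+1] == '*': // /* block comment */
			flush()
			end := strings.Index(q[i+2:], "*/")
			if end < 0 {
				return out // unterminated comment swallows the rest of the query
			}
			i += 2 + end + 1
		case c == '\'' || c == '"': // string literal or quoted identifier
			flush()
			for i++; i < len(q) && q[i] != c; i++ {
			}
		case c == '_' || unicode.IsLetter(rune(c)) || unicode.IsDigit(rune(c)):
			cur.WriteByte(c)
		default:
			flush()
		}
	}
	flush()
	return out
}

// UsesAttach reports whether the query contains the SQLite ATTACH keyword
// outside strings and comments; run it over every saved query to audit them.
func UsesAttach(q string) bool {
	for _, kw := range sqlKeywords(q) {
		if kw == "ATTACH" {
			return true
		}
	}
	return false
}
```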
* Updated icons and fixed the hosts dashboard for wide screen sizes.
* Added capability to collect "additional" information from hosts. Additional queries can be set to be updated along with the host detail queries. This additional information is returned by the API.
* Removed extraneous network interface information to optimize server performance. Users that require this information can use the additional queries functionality to retrieve it.
* Added `--server_url_prefix` flag to configure a URL prefix to prepend on all Fleet URLs. This can be useful to run fleet behind a reverse-proxy on a hostname shared with other services.
* Added option to automatically expire hosts that have not checked in within a certain number of days. Configure this in the "Advanced Options" of "App Settings" in the browser UI.
* Added capability to export packs, labels, and queries as yaml in `fleetctl get` with the `--yaml` flag. Include queries with a pack using `--with-queries`.
* Modified email templates to load image assets from the GitHub CDN rather than the Fleet server (fixes broken images in emails when the Fleet server is not accessible from email clients).
* Improved server and browser performance by reducing the loading of hosts in the frontend. Host status will only update on page load when over 100 hosts are present.
* Utilized details sent by osquery in the enrollment request to more quickly display details of new hosts. Also fixed a bug in which hosts could not complete enrollment if certain platform-dependent options were used.
* Added capability to log osquery status and results to AWS Firehose. Note that this deprecated some existing logging configuration (`--osquery_status_log_file` and `--osquery_result_log_file`). Existing configurations will continue to work, but will be removed at some point.
* Fixed a bug where duplicate queries were being created in the same pack but only one was ever delivered to osquery. A migration was added to delete duplicate queries in packs created by the UI.
  * It is possible to schedule the same query with different options in one pack, but only via the CLI.
  * If you thought you were relying on this functionality via the UI, note that duplicate queries will be deleted when you run migrations as part of a cleanup fix. Please check your configurations and make sure to create any double-scheduled queries via the CLI moving forward.
The primary new addition in Fleet 2 is the new `fleetctl` CLI and file-format, which dramatically increases the flexibility and control that administrators have over their osquery deployment. The CLI and the file format are documented [in the Fleet documentation](https://fleetdm.com/docs/using-fleet/fleetctl-cli).
* New `fleetctl` CLI for managing your entire osquery workflow via CLI, API, and source controlled files!
* You can use `fleetctl` to manage osquery packs, queries, labels, and configuration.
* In addition to the CLI, Fleet 2.0.0 introduces a new file format for articulating labels, queries, packs, options, etc. This format is designed for composability, enabling more effective sharing and re-use of intelligence.
```yaml
apiVersion: v1
kind: query
spec:
  name: pending_updates
  query: >
    select value
    from plist
    where
      path = "/Library/Preferences/ManagedInstalls.plist" and
      key = "PendingUpdateCount" and
      value > "0";
```
* Run live osquery queries against arbitrary subsets of your infrastructure via the `fleetctl query` command.
* Use `fleetctl setup`, `fleetctl login`, and `fleetctl logout` to manage the authentication life-cycle via the CLI.
* Use `fleetctl get`, `fleetctl apply`, and `fleetctl delete` to manage the state of your Fleet data.
* Manage any osquery option you want and set platform-specific overrides with the `fleetctl` CLI and file format.
* Managing osquery options via the UI has been removed in favor of the more flexible solution provided by the CLI. If you have customized your osquery options with Fleet, there is [a database migration](./server/datastore/mysql/migrations/data/20171212182458_MigrateOsqueryOptions.go) which will port your existing data into the new format when you run `fleet prepare db`. To download your osquery options after migrating your database, run `fleetctl get options > options.yaml`. Further modifications to your options should occur in this file and it should be applied with `fleetctl apply -f ./options.yaml`.
* Added a feature that allows users to import existing osquery configuration files using the [configimporter](https://github.com/kolide/configimporter) utility.
The Kolide server now tracks the `distributed_interval` and `config_tls_refresh` values for each individual host (these can be different if they are set via flagfile and not through Kolide), to ensure that online status is represented as accurately as possible.
* Log rotation is no longer the default setting for osquery status and results logs. To enable log rotation use the `--osquery_enable_log_rotation` flag.
When `kolide serve --debug` is used, additional handlers will be started to provide access to profiling tools. These endpoints are authenticated with a randomly generated token that is printed to the Kolide logs at startup. These profiling tools are not intended for general use, but they may be useful when providing performance-related bug reports to the Kolide developers.
Osquery 2.3.2 incorrectly reports an empty value for `platform` on CentOS6 hosts. We added a workaround to properly detect platform in Kolide, and also [submitted a fix](https://github.com/facebook/osquery/pull/3071) to upstream osquery.
Previously this item was visible to non-admin users and if selected, a blank options page would be displayed since server side authorization constraints prevent regular users from viewing or changing options.
In an effort to provide a more resilient web server, timeouts are more strictly enforced by the Kolide HTTP server (regardless of whether or not you're using the built-in TLS termination).
For customers using Kolide's built-in TLS server (if the `server.tls` configuration is `true`), the server was hardened to only accept modern cipher suites as recommended by [Mozilla](https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility).
* Improved the mechanism used to calculate whether or not hosts are online.
Previously, hosts were categorized as "online" if they had been seen within the past 30 minutes. To make the "online" status more representative of reality, hosts are marked "online" if the Kolide server has heard from them within two times the lowest polling interval as described by the Kolide-managed osquery configuration. For example, if you've configured osqueryd to check in with Kolide every 10 seconds, only hosts that Kolide has heard from within the last 20 seconds will be marked "online".
Customers running Kolide behind a web balancer lacking support for websockets were unable to use the distributed query feature. Also, in certain circumstances, Safari users with a self-signed cert for Kolide would receive an error. This release adds a fallback mechanism from websockets using SockJS for improved compatibility.
Previously Kolide was determining platform based on the OS of the system osquery was built on instead of the OS it was running on. Please note: Offline hosts may continue to report an erroneous platform until they check in with Kolide.
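The per-host `distributed_interval` and `config_tls_refresh` tracking mentioned earlier and the "two times the lowest polling interval" rule above combine into a small online check. Here it is as an added example, not the server's own implementation: the `Host` type, the fallback defaults for hosts that have not reported their intervals yet, and the sample hosts are all constructed for this illustration, and the legacy 30-minute rule is kept alongside for comparison.

```go
package main

import (
	"fmt"
	"time"
)

// Assumed fallbacks for hosts that have not yet reported their osquery flag
// values; these numbers are this example's choice, not values from the changelog.
const (
	defaultDistributedInterval = 60               // seconds
	defaultConfigTLSRefresh    = 3600             // seconds
	legacyOnlineWindow         = 30 * time.Minute // fixed window the new rule replaced
)

// Host carries the per-host polling intervals the server tracks for this rule.
type Host struct {
	Hostname            string
	SeenTime            time.Time // last time the server heard from the host
	DistributedInterval uint      // osquery --distributed_interval, seconds; 0 = not reported
	ConfigTLSRefresh    uint      // osquery --config_tls_refresh, seconds; 0 = not reported
}

// onlineWindow is twice the lowest polling interval configured for the host.
func onlineWindow(h Host) time.Duration {
	di, cr := h.DistributedInterval, h.ConfigTLSRefresh
	if di == 0 {
		di = defaultDistributedInterval
	}
	if cr == 0 {
		cr = defaultConfigTLSRefresh
	}
	lowest := di
	if cr < lowest {
		lowest = cr
	}
	return 2 * time.Duration(lowest) * time.Second
}

// IsOnline applies the new rule: the host is online if it was seen within
// twice its lowest polling interval.
func IsOnline(h Host, now time.Time) bool {
	return now.Sub(h.SeenTime) < onlineWindow(h)
}

// IsOnlineLegacy applies the previous rule: seen within the last 30 minutes.
func IsOnlineLegacy(h Host, now time.Time) bool {
	return now.Sub(h.SeenTime) < legacyOnlineWindow
}

func main() {
	now := time.Date(2021, 1, 1, 12, 0, 0, 0, time.UTC) // constructed reference time
	hosts := []Host{ // constructed sample hosts
		{"fast-poller", now.Add(-15 * time.Second), 10, 3600},
		{"fast-stale", now.Add(-25 * time.Second), 10, 3600},
		{"defaults", now.Add(-90 * time.Second), 0, 0},
		{"refresh-wins", now.Add(-45 * time.Second), 60, 30},
	}
	for _, h := range hosts {
		fmt.Printf("%-13s window=%-5s online=%-5v legacy=%v\n",
			h.Hostname, onlineWindow(h), IsOnline(h, now), IsOnlineLegacy(h, now))
	}
}
```

The "fast-stale" host shows the practical difference: with a 10-second `distributed_interval` it is offline after 25 seconds under the new rule, while the old 30-minute rule would still have reported it as online.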
* Now support MySQL client certificate authentication. More details can be found in the [Configuring the Fleet binary docs](./docs/infrastructure/configuring-the-fleet-binary.md).