/* Config interface is a flattened version of the fleet/config API response */
import {
IWebhookHostStatus ,
IWebhookFailingPolicies ,
IWebhookSoftwareVulnerabilities ,
IWebhookActivities ,
} from "interfaces/webhook" ;
import { IGlobalIntegrations } from "./integration" ;
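/**
 * License details carried in the `license` field of the config response.
 *
 * The blame timestamps that were interleaved with the fields have been removed;
 * they made the declaration unparseable.
 */
export interface ILicense {
  tier: string;
  device_count: number;
  /** Expiration value as a string; the format is not visible in this file. */
  expiration: string;
  note: string;
  organization: string;
  /** Whether the Fleet instance is managed by FleetDM */
  managed_cloud: boolean;
  // NOTE(review): presumably gates whether telemetry can be switched off — confirm against the backend.
  allow_disable_telemetry: boolean;
}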
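/**
 * Identity-provider settings used by `IMdmConfig.end_user_authentication`.
 *
 * The stray blame timestamp inside the body has been removed so the
 * declaration parses.
 */
export interface IEndUserAuthentication {
  entity_id: string;
  idp_name: string;
  issuer_uri: string;
  /** IdP metadata supplied inline, as a string. */
  metadata: string;
  /** IdP metadata supplied by URL. */
  // NOTE(review): whether `metadata` and `metadata_url` are mutually exclusive is not visible here.
  metadata_url: string;
}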
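/**
 * macOS migration settings, referenced from `IMdmConfig.macos_migration`.
 *
 * Blame timestamps that split the field list have been removed so the
 * declaration parses.
 */
export interface IMacOsMigrationSettings {
  enable: boolean;
  /** The type also admits the empty string (presumably "not set" — confirm). */
  mode: "voluntary" | "forced" | "";
  webhook_url: string;
}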
/** One entry of `macos_settings.custom_settings` in `IMdmConfig`. */
interface ICustomSetting {
  /** Path of the custom setting. */
  path: string;
  /** Optional list of label names; the name suggests all must match (confirm). */
  labels_include_all?: Array<string>;
  /** Optional list of label names; the name suggests any match excludes (confirm). */
  labels_exclude_any?: Array<string>;
}
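/**
 * OS update settings shared by `macos_updates`, `ios_updates` and
 * `ipados_updates` in `IMdmConfig`.
 *
 * A blame annotation (commit message for #37103 plus timestamps) had been
 * spliced into the body, making the declaration unparseable. It is removed
 * here and the part that describes a field is kept as that field's comment.
 */
export interface IAppleDeviceUpdates {
  minimum_version: string;
  deadline: string;
  /**
   * Backs the macOS-only "Update new hosts to latest" checkbox. It reflects the
   * `macos_updates.update_new_hosts` setting for the team or, for no team, the
   * global config (per #37103, resolves #36088).
   */
  update_new_hosts?: boolean;
}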
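/**
 * MDM section of the config response (`IConfig.mdm`).
 *
 * Two doc comments had been split into individual characters and tokens
 * (`/ * *`), and blame timestamps sat between the fields. Both are repaired
 * here so the declaration parses. The fields themselves are unchanged.
 */
export interface IMdmConfig {
  /** Update this URL if you're self-hosting Fleet and you want your hosts to talk to a different URL for MDM features. (If not configured, hosts will use the base URL of the Fleet instance.) */
  apple_server_url: string;
  // NOTE(review): `macos_settings.enable_disk_encryption` below carries the same name;
  // which of the two is authoritative is not visible in this file.
  enable_disk_encryption: boolean;
  enable_recovery_lock_password: boolean;
  windows_require_bitlocker_pin: boolean;
  /** `enabled_and_configured` only tells us if Apple's MDM has been enabled and
  configured correctly. The naming is slightly confusing, but at one point we
  only supported Apple MDM, so that's why it's named the way it is. */
  enabled_and_configured: boolean;
  apple_bm_default_team?: string;
  /**
   * @deprecated
   * Refer to needsAbmTermsRenewal from AppContext instead of config.apple_bm_terms_expired.
   * https://github.com/fleetdm/fleet/pull/21043/files#r1705977965
   */
  apple_bm_terms_expired: boolean;
  apple_bm_enabled_and_configured: boolean;
  windows_enabled_and_configured: boolean;
  enable_turn_on_windows_mdm_manually: boolean;
  windows_migration_enabled: boolean;
  android_enabled_and_configured: boolean;
  end_user_authentication: IEndUserAuthentication;
  macos_updates: IAppleDeviceUpdates;
  ios_updates: IAppleDeviceUpdates;
  ipados_updates: IAppleDeviceUpdates;
  macos_settings: {
    /** Null is allowed by the type, so callers must handle it before iterating. */
    custom_settings: null | ICustomSetting[];
    enable_disk_encryption: boolean;
  };
  macos_setup: {
    bootstrap_package: string | null;
    enable_end_user_authentication: boolean;
    macos_setup_assistant: string | null;
    // The flags below are tri-state (true, false or null). A truthiness test
    // treats null the same as false.
    enable_release_device_manually: boolean | null;
    manual_agent_install: boolean | null;
    require_all_software_macos: boolean | null;
    lock_end_user_info: boolean | null;
  };
  macos_migration: IMacOsMigrationSettings;
  windows_updates: {
    deadline_days: number | null;
    grace_period_days: number | null;
  };
  windows_entra_tenant_ids: string[] | null;
}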
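/**
 * Config subset used for a device.
 *
 * Note: IDeviceGlobalConfig is misnamed on the backend because in some cases it
 * returns team config values if the device is assigned to a team, e.g.,
 * features.enable_software_inventory reflects the team config, if applicable,
 * rather than the global config.
 *
 * Because of that, do not read these values as the global policy when making
 * UI gating decisions for a device.
 *
 * Blame timestamps that were interleaved with the fields have been removed so
 * the declaration parses.
 */
export interface IDeviceGlobalConfig {
  mdm: {
    enabled_and_configured: boolean;
    /** Tri-state: true, false or null. */
    require_all_software_macos: boolean | null;
  };
  features: Pick<
    IConfigFeatures,
    | "enable_software_inventory"
    | "enable_conditional_access"
    | "enable_conditional_access_bypass"
  >;
}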
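/**
 * Fleet Desktop settings (`IConfig.fleet_desktop`).
 *
 * Blame timestamps inside the body have been removed so the declaration parses.
 */
export interface IFleetDesktopSettings {
  transparency_url: string;
  alternative_browser_host: string;
}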
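/**
 * Feature toggles (`IConfig.features`). A subset is re-exposed through
 * `IDeviceGlobalConfig.features`.
 *
 * Blame timestamps inside the body have been removed so the declaration parses.
 */
export interface IConfigFeatures {
  enable_host_users: boolean;
  enable_software_inventory: boolean;
  enable_conditional_access: boolean;
  // NOTE(review): how this interacts with `conditional_access.bypass_disabled`
  // in IConfig is not visible in this file — confirm before relying on either alone.
  enable_conditional_access_bypass: boolean;
}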
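/**
 * Server-level settings (`IConfig.server_settings`).
 *
 * Polarity is mixed: `enable_analytics` is true-means-on, while the
 * `*_disabled` flags are true-means-off. Check the name before negating.
 *
 * Blame timestamps inside the body have been removed so the declaration parses.
 */
export interface IConfigServerSettings {
  server_url: string;
  live_query_disabled: boolean;
  enable_analytics: boolean;
  deferred_save_host: boolean;
  query_reports_disabled: boolean;
  scripts_disabled: boolean;
  ai_features_disabled: boolean;
}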
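/**
 * Flattened shape of the fleet/config API response as used by the UI.
 *
 * Blame timestamps and a spliced-in commit message (#26401) had made this
 * declaration unparseable. They are removed here and the field list is
 * unchanged.
 *
 * This object carries security-relevant settings (SMTP credentials, SSO and
 * conditional-access parameters). Avoid logging it whole or attaching it to
 * error reports.
 */
export interface IConfig {
  org_info: {
    org_name: string;
    org_logo_url: string;
    org_logo_url_light_background: string;
    contact_url: string;
  };
  sandbox_enabled: boolean;
  server_settings: IConfigServerSettings;
  smtp_settings?: {
    enable_smtp: boolean;
    configured?: boolean;
    sender_address: string;
    server: string;
    port?: number;
    authentication_type: string;
    user_name: string;
    // NOTE(review): credential field in a client-side type. Confirm the server
    // masks or omits the stored value in responses; that is not visible here.
    password: string;
    enable_ssl_tls: boolean;
    authentication_method: string;
    domain: string;
    // NOTE(review): presumably false disables certificate verification for the
    // SMTP connection — confirm, and consider surfacing that state in the UI.
    verify_ssl_certs: boolean;
    enable_start_tls: boolean;
  };
  sso_settings?: {
    entity_id: string;
    issuer_uri: string;
    idp_image_url: string;
    metadata: string;
    metadata_url: string;
    idp_name: string;
    enable_sso: boolean;
    enable_sso_idp_login: boolean;
    enable_jit_provisioning: boolean;
    enable_jit_role_sync: boolean;
    sso_server_url?: string;
  };
  // configuration details for conditional access. For enabled/disabled status per team, see
  // subfields under `integrations`
  conditional_access?: {
    // Microsoft Entra
    microsoft_entra_tenant_id: string;
    microsoft_entra_connection_configured: boolean;
    // Okta
    okta_idp_id: string;
    okta_assertion_consumer_service_url: string;
    okta_audience_uri: string;
    okta_certificate: string;
    // Bypass setting
    bypass_disabled?: boolean;
  };
  host_expiry_settings: {
    host_expiry_enabled: boolean;
    host_expiry_window?: number;
  };
  activity_expiry_settings: {
    activity_expiry_enabled: boolean;
    activity_expiry_window?: number;
  };
  features: IConfigFeatures;
  agent_options: unknown; // Can pass empty object
  update_interval: {
    osquery_detail: number;
    osquery_policy: number;
  };
  license: ILicense;
  fleet_desktop: IFleetDesktopSettings;
  vulnerabilities: {
    databases_path: string;
    periodicity: number;
    cpe_database_url: string;
    cve_feed_prefix_url: string;
    current_instance_checks: string;
    disable_data_sync: boolean;
    recent_vulnerability_max_age: number;
  };
  webhook_settings: IWebhookSettings;
  integrations: IGlobalIntegrations;
  logging: ILoggingConfig;
  email?: {
    backend: string;
    config: {
      region: string;
      source_arn: string;
    };
  };
  mdm: IMdmConfig;
  /** GitOps mode settings (added in #26401). */
  gitops: IGitOpsModeConfig;
  partnerships?: IFleetPartnerships;
}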
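/**
 * Optional partnerships section (`IConfig.partnerships`).
 *
 * The blame timestamp inside the body has been removed so the declaration parses.
 */
interface IFleetPartnerships {
  enable_primo: boolean;
}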
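/**
 * Webhook automations (`IConfig.webhook_settings`).
 *
 * Blame timestamps inside the body have been removed so the declaration parses.
 */
export interface IWebhookSettings {
  failing_policies_webhook: IWebhookFailingPolicies;
  /** The only webhook entry typed as nullable; guard before dereferencing. */
  host_status_webhook: IWebhookHostStatus | null;
  vulnerabilities_webhook: IWebhookSoftwareVulnerabilities;
  activities_webhook: IWebhookActivities;
}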
/** The two `IConfig` sections that hold automations: webhooks and integrations. */
export type IAutomationsConfig = Pick<
  IConfig,
  "webhook_settings" | "integrations"
>;
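/**
 * Plugin names accepted for `ILoggingConfig.result.plugin`.
 *
 * The empty string is a member of the union, so an exhaustive switch must
 * handle it. Blame timestamps that split the union have been removed so the
 * declaration parses.
 */
export type LogDestination =
  | "filesystem"
  | "firehose"
  | "kinesis"
  | "lambda"
  | "pubsub"
  | "kafka"
  | "nats"
  | "stdout"
  | "webhook"
  | "";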
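/**
 * Logging section of the config response (`IConfig.logging`).
 *
 * Blame timestamps inside the body have been removed so the declaration parses.
 */
export interface ILoggingConfig {
  debug: boolean;
  json: boolean;
  result: {
    plugin: LogDestination;
    config?: {
      status_log_file: string;
      result_log_file: string;
      enable_log_rotation: boolean;
      enable_log_compression: boolean;
      status_url?: string;
      result_url?: string;
    };
  };
  status?: {
    // NOTE(review): typed as plain string, unlike `result.plugin` (LogDestination).
    // Narrowing it would be an interface change, so it is only flagged here.
    plugin: string;
    config: {
      status_log_file: string;
      result_log_file: string;
      enable_log_rotation: boolean;
      enable_log_compression: boolean;
    };
  };
  audit?: {
    plugin: string;
    // NOTE(review): `any` turns off type checking for the audit-log config.
    // Callers should narrow before reading from it. Changing this to `unknown`
    // would break existing property access, so it is left as is.
    config: any;
  };
}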
/**
 * Default "recent vulnerability" window, in days.
 * Presumably the fallback for `vulnerabilities.recent_vulnerability_max_age`;
 * the unit of that field is not visible in this file — confirm before converting.
 */
export const CONFIG_DEFAULT_RECENT_VULNERABILITY_MAX_AGE_IN_DAYS = 30;
/** Per-user UI settings. */
export interface IUserSettings {
  /** Names of the host-table columns the user has hidden. */
  hidden_host_columns: Array<string>;
}
UI - GitOps Mode: Core abstractions, first batch of applications (#26401)
## For #26229 – Part 1

- This PR contains the core abstractions, routes, API updates, and types
for GitOps mode in the UI. Since this work will touch essentially every
part of the Fleet UI, it is ripe for merge conflicts. To mitigate such
conflicts, I'll be merging this work in a number of iterative PRs. ~To
effectively gate any of this work from showing until it is all merged to
`main`, [this commit](feedbb2d4c25ec2e304e1f18d409cee62f6752ed) hides
the settings section that allows enabling/disabling this setting,
effectively feature flagging the entire thing. In the last of these
iterative PRs, that commit will be reverted to engage the entire
feature. For testing purposes, reviewers can `git revert
feedbb2d4c25ec2e304e1f18d409cee62f6752ed` locally~ The new settings
section for this feature is feature flagged until all PRs are merged -
to show the setting section while testing, run `ALLOW_GITOPS_MODE=true
NODE_ENV=development yarn run webpack --progress --watch` in place of
`make generate-dev`
- Changes file will be added and feature flag removed in the last PR
- [x] Settings page with routing, form, API integration (hidden until
last PR)
- [x] Activities
- [x] Navbar indicator
- Apply GOM conditional UI to:
- [x] Manage enroll secret modal: .5
- Controls >
- [x] Scripts:
- Setup experience >
- [x] Install software > Select software modal
- [x] OS Settings >
- [x] Custom settings
- [x] Disk encryption
- [x] OS Updates
2/18/25, added to this PR:
- [x] Controls > Setup experience > Run script
- [x] Software >
- [x] Manage automations modal
- [x] Add software >
- [x] App Store (VPP)
- [x] Custom package
- [x] Queries
- [x] Manage
- [x] Automations modal
- [x] New
- [x] Edit
- [x] Policies
- [x] Manage
- [x] New
- [x] Edit
- Manage automations
- [x] Calendar events
- [x] Manual QA for all new/changed functionality
---------
Co-authored-by: Jacob Shandling <jacob@fleetdm.com>
/** GitOps mode settings (`IConfig.gitops`). */
export interface IGitOpsModeConfig {
  /** True when GitOps mode is switched on. */
  gitops_mode_enabled: boolean;
  /** URL of the repository associated with GitOps mode. */
  // NOTE(review): if this URL is rendered as a link, confirm it is scheme-checked before use.
  repository_url: string;
}
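/**
 * Check if Okta conditional access is configured (all 4 fields must be present).
 *
 * This is a presence check only: each of `okta_idp_id`,
 * `okta_assertion_consumer_service_url`, `okta_audience_uri` and
 * `okta_certificate` must be a non-empty string. It does not validate the URL,
 * the audience or the certificate contents, so a `true` result means "filled
 * in", not "known to work".
 *
 * The original listing had its operators split into separate tokens (`= >`,
 * `? .`), which does not parse. They are rejoined here and the logic is unchanged.
 *
 * @param config - App config; may be null or undefined.
 * @returns true only when all four Okta fields are truthy.
 */
export const isOktaConditionalAccessConfigured = (
  config: IConfig | null | undefined
): boolean => {
  const ca = config?.conditional_access;
  return !!(
    ca?.okta_idp_id &&
    ca?.okta_assertion_consumer_service_url &&
    ca?.okta_audience_uri &&
    ca?.okta_certificate
  );
};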
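/**
 * Check if Microsoft Entra conditional access is configured.
 *
 * Returns the `microsoft_entra_connection_configured` flag from
 * `config.conditional_access`, so the answer is whatever that field reports.
 * `microsoft_entra_tenant_id` is not consulted. A missing config, section or
 * flag yields false.
 *
 * The original listing had its operators split into separate tokens (`= >`,
 * `? .`, `? ?`), which does not parse. They are rejoined here and the logic is
 * unchanged.
 *
 * @param config - App config; may be null or undefined.
 * @returns the flag's value, or false when it is absent.
 */
export const isEntraConditionalAccessConfigured = (
  config: IConfig | null | undefined
): boolean => {
  return (
    config?.conditional_access?.microsoft_entra_connection_configured ?? false
  );
};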
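/**
 * Check if any conditional access provider is configured (Okta or Entra).
 *
 * This answers "is a provider set up", not "is conditional access enforced".
 * Per-team enabled/disabled status lives under `integrations`, and the feature
 * toggles live under `features`.
 *
 * The original listing had its arrow operator split (`= >`), which does not
 * parse. It is rejoined here and the logic is unchanged.
 *
 * @param config - App config; may be null or undefined.
 * @returns true when either provider check passes.
 */
export const isConditionalAccessConfigured = (
  config: IConfig | null | undefined
): boolean => {
  return (
    isOktaConditionalAccessConfigured(config) ||
    isEntraConditionalAccessConfigured(config)
  );
};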