Prepare 4.29.0 (#10610)

2026-04-21 13:37:30 +00:00 · 2023-03-22 15:14:51 -05:00 · 2023-03-22 15:14:51 -05:00 · 547111d5b6
commit 547111d5b6
parent 4b0de73b40
47 changed files with 108 additions and 56 deletions
--- a/.github/workflows/dogfood-deploy.yml
+++ b/.github/workflows/dogfood-deploy.yml
@ -4,7 +4,7 @@ on:
  workflow_dispatch:
    inputs:
      DOCKER_IMAGE:
-        description: 'The full name of the docker image to be deployed. (e.g. fleetdm/fleet:v4.28.1)'
+        description: 'The full name of the docker image to be deployed. (e.g. fleetdm/fleet:v4.29.0)'
        required: true

 # This allows a subsequently queued workflow run to interrupt previous runs
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,3 +1,105 @@
+## Fleet 4.29.0 (Mar 22, 2023)
+
+* Added implementation of Fleetd for Chrome.
+
+* Added the `mdm.macos_settings.enable_disk_encryption` option to the `fleetctl apply` configuration
+  files of "config" and "team" kind as a Fleet Premium feature.
+
+* Added `mdm.macos_settings.disk_encryption` and `mdm.macos_settings.action_required` status fields in the response for a single host (`GET /hosts/{id}` and `GET /device/{token}` endpoints).
+
+* Added MDM solution name to `host.mdm`in API responses.
+
+* Added support for fleetd to enroll a device using its serial number (in addition to its system
+  UUID) to help avoid host-matching issues when a host is first created in Fleet via the MDM
+  automatic enrollment (Apple Business Manager).
+
+* Added ability to filter data under the Hosts tab by the aggregate status of hosts' MDM-managed macos
+settings.
+
+* Added activity feed items for enabling and disabling disk encryption with MDM.
+
+* Added FileVault banners on the Host Details and My Device pages.
+
+* Added activities for when macOS disk encryption setting is enabled or disabled.
+
+* Added UI for fleet mdm managed disk encryption toggling and the disk encryption aggregate data.
+
+* Added support to update a team's disk encryption via the Modify Team (`PATCH /api/latest/fleet/teams/{id}`) endpoint.
+
+* Added a new API endpoint to gate access to an enrollment profile behind Okta authentication.
+
+* Added new configuration values to integrate Okta in the DEP MDM flow.
+
+* Added `GET /mdm/apple/profiles/summary` endpoint.
+
+* Updated API endpoints that use `team_id` query parameter so that `team_id=0`
+  filters results to include only hosts that are not assigned to any team.
+
+* Adjusted the `aggregated_stats` table to compute and store statistics for "no team" in addition to
+  per-team and for all teams.
+
+* Added MDM profiles status filter to hosts endpoints.
+
+* Added indicators of aggregate host count for each possible status of MDM-enforced mac settings
+  (hidden until 4.30.0).
+
+* As part of JIT provisioning, read user roles from SAML custom attributes.
+
+* Added Win 10 policies for CIS Benchmark 18.x.
+
+* Added Win 10 policies for CIS Benchmark 2.3.17.x.
+
+* Added Win 10 policies for CIS Benchmark 2.3.10.x.
+
+* Documented CIS Windows10 Benchmarks 9.2.x to cis policy queries.
+
+* Document CIS Windows10 Benchmarks 9.3.x to cis policy queries.
+
+* Added button to show query on policy results page.
+
+* Run periodic cleanup of pending `cron_stats` outside the `schedule` package to prevent Fleet outages from breaking cron jobs.
+
+* Added an invitation for users to upgrade to Premium when viewing the Premium-only "macOS updates"
+  feature.
+
+* Added an icon on the policy table to indicate if a policy is marked critical.
+
+* Added `"instanceID"` (aka `owner` of `locks`) to `schedule` logging (to help troubleshooting when
+  running multiple Fleet instances).
+
+* Introduce UUIDs to Fleet errors and logs.
+
+* Added EndeavourOS, Manjaro, openSUSE Leap and Tumbleweed to HostLinuxOSs.
+
+* Global observer can view settings for all teams.
+
+* Team observers can view the team's settings.
+
+* Updated translation rules so that Docker Desktop can be mapped to the correct CPE.
+
+* Pinned Docker image hashes in Dockerfiles for increased security.
+
+* Remove the `ATTACH` check on SQL osquery queries (osquery bug fixed a while ago in 4.6.0).
+
+* Don't return internal error information on Fleet API requests (internal errors are logged to stderr).
+
+* Fixed an issue when applying the configuration YAML returned by `fleetctl get config` with
+  `fleetctl apply` when MDM is not enabled.
+
+* Fixed a bug where `fleetctl trigger` doesn't release the schedule lock when the triggered run
+  spans the regularly scheduled interval.
+
+* Fixed a bug that prevented starting the Fleet server with MDM features if Apple Business Manager
+  (ABM) was not configured.
+
+* Fixed incorrect MDM-related settings documentation and payload response examples.
+
+* Fixed bug to keep team when clicking on policy tab twice.
+
+* Fixed software table links that were cutting off tooltip.
+
+* Fixed authorization action used on host/search endpoint.
+
 ## Fleet 4.28.1 (March 14, 2023) 

 * Fixed a bug that prevented starting the Fleet server with MDM features if Apple Business Manager (ABM) was not configured.
--- a/changes/10137-show-query-policy-results
+++ b/changes/10137-show-query-policy-results
@ -1 +0,0 @@
- Add button to show query on policy results page
--- a/changes/10138-cis-win10-9-3-x
+++ b/changes/10138-cis-win10-9-3-x
@ -1 +0,0 @@
- Document CIS Windows10 Benchmarks 9.3.x to cis policy queries
--- a/changes/10147-cis-win-10-18.x.x
+++ b/changes/10147-cis-win-10-18.x.x
@ -1 +0,0 @@
- Add Win 10 policies for CIS Benchmark 18.x
--- a/changes/10228-okta-config-values
+++ b/changes/10228-okta-config-values
@ -1 +0,0 @@
-* Added new configuration values to integrate Okta in the DEP MDM flow.
--- a/changes/10271-dep-okta
+++ b/changes/10271-dep-okta
@ -1 +0,0 @@
-* Added a new API endpoint to gate access to an enrollment profile behind Okta authentication.
--- a/changes/10324-upsell-state
+++ b/changes/10324-upsell-state
@ -1,2 +0,0 @@
- Add an invitation for users to upgrade to Premium when viewing the Premium-only "macOS updates"
-  feature.
--- a/changes/10378-remove-attach-check
+++ b/changes/10378-remove-attach-check
@ -1 +0,0 @@
-* Remove the `ATTACH` check on SQL osquery queries (osquery bug fixed a while ago in 4.6.0)
--- a/changes/10441-collations
+++ b/changes/10441-collations
@ -1 +0,0 @@
-* Added a migration to ensure all tables in the database use the same collation (`utf8mb4_unicode_ci`)
--- a/changes/10456-add-more-distros-to-hostlinuxoss
+++ b/changes/10456-add-more-distros-to-hostlinuxoss
@ -1 +0,0 @@
-* Added EndeavourOS, Manjaro, openSUSE Leap and Tumbleweed to HostLinuxOSs.
--- a/changes/10631-updated-action-on-host-search
+++ b/changes/10631-updated-action-on-host-search
@ -1 +0,0 @@
-Bug: Updated authorization action used on host/search endpoint
--- a/changes/8129-fleet-errors-uuid-and-internal
+++ b/changes/8129-fleet-errors-uuid-and-internal
@ -1,2 +0,0 @@
-* Introduce UUIDs to Fleet errors and logs.
-* Don't return internal error information on Fleet API requests (internal errors are logged to stderr).
--- a/changes/8186-fix-bug-with-docker-false-positive
+++ b/changes/8186-fix-bug-with-docker-false-positive
@ -1 +0,0 @@
-Updated translation rules so that Docker Desktop can be mapped to the correct CPE.
--- a/changes/8411-jit-provisioning-roles
+++ b/changes/8411-jit-provisioning-roles
@ -1 +0,0 @@
-* As part of JIT provisioning, read user roles from SAML custom attributes.
--- a/changes/9106-critical-icon-policy-table
+++ b/changes/9106-critical-icon-policy-table
@ -1 +0,0 @@
- Add an icon on the policy table to indicate if a policy is marked critical
--- a/changes/9132-orbit-enroll-set-osquery-db-to-retrieve-uuid
+++ b/changes/9132-orbit-enroll-set-osquery-db-to-retrieve-uuid
@ -1 +0,0 @@
-* Orbit enroll API to include `hostname` and `platform` (to ease troubleshooting and prevent empty/ghost host entries).
--- a/changes/9406-disk-encryption-activity-items
+++ b/changes/9406-disk-encryption-activity-items
@ -1 +0,0 @@
-* Add activity feed items for enabling and disabling disk encryption with MDM
--- a/changes/9414-disk-encryption-banners
+++ b/changes/9414-disk-encryption-banners
@ -1,3 +0,0 @@
- Add information banners on the Host Details and My Device pages that appear when the user must
-  either reset their encryption (FileVault on macOS) key, or logout/restart, to enable disk
-  encryption.
--- a/changes/9415-aggregate-mac-settings-indicators
+++ b/changes/9415-aggregate-mac-settings-indicators
@ -1,2 +0,0 @@
-* Add indicators of aggregate host count for each possible status of MDM-enforced mac settings ("Latest", "Pending," "Failing") to
-the Controls > macOS settings > Custom settings page.
--- a/changes/9486-pending-jobs-not-clearing-after-outage
+++ b/changes/9486-pending-jobs-not-clearing-after-outage
@ -1 +0,0 @@
-* Run periodic cleanup of pending `cron_stats` outside the `schedule` package to prevent Fleet outages from breaking cron jobs.
--- a/changes/9515-log-instance-id
+++ b/changes/9515-log-instance-id
@ -1 +0,0 @@
-* Add `"instanceID"` (aka `owner` of `locks`) to `schedule` logging (to help troubleshooting when running multiple Fleet instances).
--- a/changes/9567-macos_settings-hosts-filter
+++ b/changes/9567-macos_settings-hosts-filter
@ -1,3 +0,0 @@
-* Add ability to filter data under the Hosts tab by the aggregate status of hosts' MDM-managed macos
-settings. This filter is used when clicking Controls > macOS settings > "# hosts" under Latest,
-Pending, or Failing.
--- a/changes/9753-fix-bug-software-link-tooltip
+++ b/changes/9753-fix-bug-software-link-tooltip
@ -1 +0,0 @@
-* Fix software table links that were cutting off tooltip
--- a/changes/9921-cis-win-10-2.3.10.x
+++ b/changes/9921-cis-win-10-2.3.10.x
@ -1 +0,0 @@
- Add Win 10 policies for CIS Benchmark 2.3.10.x
--- a/changes/9924-cis-win-10-2.3.17.x
+++ b/changes/9924-cis-win-10-2.3.17.x
@ -1 +0,0 @@
- Add Win 10 policies for CIS Benchmark 2.3.17.x
--- a/changes/9984-global-and-team-observers-can-view-team
+++ b/changes/9984-global-and-team-observers-can-view-team
@ -1,2 +0,0 @@
-* Global observer can view settings for all teams.
-* Team observers can view the team's settings.
--- a/changes/bugfix-mdm-settings-documentation
+++ b/changes/bugfix-mdm-settings-documentation
@ -1 +0,0 @@
-* Fixed incorrect MDM-related settings documentation and payload response examples.
--- a/changes/bugfix-trigger-release-lock
+++ b/changes/bugfix-trigger-release-lock
@ -1 +0,0 @@
- Fixed a bug where `fleetctl trigger` doesn't release the schedule lock when the triggered run spans the regularly scheduled interval. This can prevent a second Fleet instance from using `fleetctl trigger` until the lock expires. This issue occurs infrequently under normal use. When it does occur, it resolves on its own in time; however, it may last up one full interval.
--- a/changes/fleetd-chrome
+++ b/changes/fleetd-chrome
@ -1 +0,0 @@
-* Add implementation of Fleetd for Chrome. (This probably deserves a full separate blog article that is linked from the release notes)
--- a/changes/issue-10136-cis-win-10-9-2-x
+++ b/changes/issue-10136-cis-win-10-9-2-x
@ -1 +0,0 @@
- Document CIS Windows10 Benchmarks 9.2.x to cis policy queries
--- a/changes/issue-10409-no-team-filter
+++ b/changes/issue-10409-no-team-filter
@ -1,2 +0,0 @@
- Updated API endpoints that use `team_id` query parameter so that `team_id=0`
-  filters results to include only hosts that are not assigned to any team.
--- a/changes/issue-10409-support-no-teams-in-aggregated-stats
+++ b/changes/issue-10409-support-no-teams-in-aggregated-stats
@ -1 +0,0 @@
-* Adjusted the `aggregated_stats` table to compute and store statistics for "no team" in addition to per-team and for all teams.
--- a/changes/issue-9124-orbit-enroll-match-by-serial
+++ b/changes/issue-9124-orbit-enroll-match-by-serial
@ -1 +0,0 @@
-* Added support for fleetd to enroll a device using its serial number (in addition to its system UUID) to help avoid host-matching issues when a host is first created in Fleet via the MDM automatic enrollment (Apple Business Manager).
--- a/changes/issue-9400-add-disk-encryption-fleetctl-apply
+++ b/changes/issue-9400-add-disk-encryption-fleetctl-apply
@ -1 +0,0 @@
-* Added the `mdm.macos_settings.enable_disk_encryption` option to the `fleetctl apply` configuration files of "config" and "team" kind as a Fleet Premium feature.
--- a/changes/issue-9402-9409-implement-UI-for-disk-encryption-on-mdm
+++ b/changes/issue-9402-9409-implement-UI-for-disk-encryption-on-mdm
@ -1 +0,0 @@
- add UI for fleet mdm managed disk encryption toggling and the disk encryption aggregate data.
--- a/changes/issue-9433-support-modify-team-disk-encryption
+++ b/changes/issue-9433-support-modify-team-disk-encryption
@ -1 +0,0 @@
-* Added support to update a team's disk encryption via the Modify Team (`PATCH /api/latest/fleet/teams/{id}`) endpoint.
--- a/changes/issue-9435-disk-encryption-activities
+++ b/changes/issue-9435-disk-encryption-activities
@ -1,2 +0,0 @@
-* Added activities for when macOS disk encryption setting is enabled or disabled.
-* Fixed an issue when applying the configuration YAML returned by `fleetctl get config` with `fleetctl apply` when MDM is not enabled.
--- a/changes/issue-9437-add-host-disk-encryption-status
+++ b/changes/issue-9437-add-host-disk-encryption-status
@ -1 +0,0 @@
-* Added `mdm.macos_settings.disk_encryption` and `mdm.macos_settings.action_required` status fields in the response for a single host (`GET /hosts/{id}` and `GET /device/{token}` endpoints).
--- a/changes/issue-9591-mdm-profiles-summary
+++ b/changes/issue-9591-mdm-profiles-summary
@ -1 +0,0 @@
- Added `GET /mdm/apple/profiles/summary` endpoint.
--- a/changes/issue-9596-mdm-profile-filter
+++ b/changes/issue-9596-mdm-profile-filter
@ -1 +0,0 @@
-* Added mdm profiles status filter to hosts endpoints.
--- a/changes/pin-dockerfiles
+++ b/changes/pin-dockerfiles
@ -1 +0,0 @@
- Pin Docker image hashes in Dockerfiles for increased security.
--- a/charts/fleet/Chart.yaml
+++ b/charts/fleet/Chart.yaml
@ -8,4 +8,4 @@ version: v5.0.0
 home: https://github.com/fleetdm/fleet
 sources:
  - https://github.com/fleetdm/fleet.git
-appVersion: v4.28.1
+appVersion: v4.29.0
--- a/charts/fleet/values.yaml
+++ b/charts/fleet/values.yaml
@ -2,7 +2,7 @@
 # All settings related to how Fleet is deployed in Kubernetes
 hostName: fleet.localhost
 replicas: 3 # The number of Fleet instances to deploy
-imageTag: v4.28.1 # Version of Fleet to deploy
+imageTag: v4.29.0 # Version of Fleet to deploy
 podAnnotations: {} # Additional annotations to add to the Fleet pod
 serviceAccountAnnotations: {} # Additional annotations to add to the Fleet service account
 resources:
--- a/infrastructure/dogfood/terraform/aws/variables.tf
+++ b/infrastructure/dogfood/terraform/aws/variables.tf
@ -56,7 +56,7 @@ variable "database_name" {

 variable "fleet_image" {
  description = "the name of the container image to run"
-  default     = "fleetdm/fleet:v4.28.1"
+  default     = "fleetdm/fleet:v4.29.0"
 }

 variable "software_inventory" {
--- a/infrastructure/dogfood/terraform/gcp/variables.tf
+++ b/infrastructure/dogfood/terraform/gcp/variables.tf
@ -68,5 +68,5 @@ variable "redis_mem" {
 }

 variable "image" {
-  default = "fleet:v4.28.1"
+  default = "fleet:v4.29.0"
 }
--- a/tools/fleetctl-npm/package.json
+++ b/tools/fleetctl-npm/package.json
@ -1,6 +1,6 @@
 {
  "name": "fleetctl",
-  "version": "v4.28.1",
+  "version": "v4.29.0",
  "description": "Installer for the fleetctl CLI tool",
  "bin": {
    "fleetctl": "./run.js"
				`@ -1 +0,0 @@`
				`- Add button to show query on policy results page`
				`@ -1 +0,0 @@`
				`- Document CIS Windows10 Benchmarks 9.3.x to cis policy queries`
				`@ -1 +0,0 @@`
				`- Add Win 10 policies for CIS Benchmark 18.x`
				`@ -1 +0,0 @@`
				`* Added new configuration values to integrate Okta in the DEP MDM flow.`
				`@ -1 +0,0 @@`
				`* Added a new API endpoint to gate access to an enrollment profile behind Okta authentication.`
				`@ -1 +0,0 @@`
				* Remove the `ATTACH` check on SQL osquery queries (osquery bug fixed a while ago in 4.6.0)
				`@ -1 +0,0 @@`
				* Added a migration to ensure all tables in the database use the same collation (`utf8mb4_unicode_ci`)
				`@ -1 +0,0 @@`
				`* Added EndeavourOS, Manjaro, openSUSE Leap and Tumbleweed to HostLinuxOSs.`
				`@ -1 +0,0 @@`
				`Bug: Updated authorization action used on host/search endpoint`
				`@ -1 +0,0 @@`
				`Updated translation rules so that Docker Desktop can be mapped to the correct CPE.`