diff --git a/CHANGELOG.md b/CHANGELOG.md index 2e87456657..f1f4dd2cee 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,56 @@ +## Fleet 4.57.0 (Sep 23, 2024) + +**Endpoint Operations** + +- Added support for configuring policy installers via GitOps. +- Added support for policies in "No team" that run on hosts that belong to "No team". +- Added reserved team names: "All teams" and "No team". +- Added support the software status filter for 'No teams' on the hosts page. +- Enable 'No teams' funcitonality for the policies page and associated workflows. +- Added reset install counts and cancel pending installs/uninstalls when GitOps installer updates change package contents. +- Added support for software installer packages, self-service flag, scripts, pre-install query, and self-service availability to be edited in-place rather than deleted and re-added. + +**Device Management (MDM)** + +- Added feature allowing automatic installation of software on hosts that fail policies. +- Added feature for end users to enroll BYOD devices into Fleet MDM. +- Added the ability to use Fleet to uninstall packages from hosts. +- Added an endpoint for getting an OTA MDM profile for enrolling iOS and iPadOS hosts. +- Added protocol support for OTA enrollment and automatic team assignment for hosts. +- Added validation of Setup Assistant profiles on profile upload. +- Added validation to prevent installing software on a host with a pending installation. +- Allowed custom SCEP CA certificates with any kind of extendedKeyUsage attributes. +- Modified `POST /api/latest/fleet/software/batch` endpoint to be asynchronous and added a new endpoint `GET /api/latest/fleet/software/batch/{request_uuid}` to retrieve the result of the batch upload. + +**Vulnerability Management** + +- Fixed a false negative vulnerability for git. +- Fixed false positive vulnerabilities for minio. +- Fixed an issue where virtual box for macOS wasn't matching against the NVD product name. +- Fixed Ubuntu python package false positive vulnerabilities by removing duplicate entries for ubuntu python packages installed by dpkg and renaming remaining pip installed packages to match OVAL definitions. + +**Bug fixes and improvements** + +- Updated Go to go1.23.1. +- Removed validation of APNS certificate from server startup. +- Removed invalid node keys from server logs. +- Improved the UX of turning off MDM on an offline host. +- Improved clarity of GitOps VPP app ID type errors. +- Improved gitops error message about enabling windows MDM. +- Improved messaging for VPP token constraint errors. +- Improved loading state for UI tables when no data is present yet. +- Improved permissions so that hosts can no longer access installers that aren't directly assigned to them. +- Improved verification of premium license before uploading VPP tokens. +- Added "0 items" description on empty software tables for UI consistency. +- Updated the macos target minimum version tooltip. +- Fixed logic to properly catch and log APNs errors. +- Fixed UI overflow issues with OS settings table data. +- Fixed regression for checking email used to get a signed CSR. +- Fixed bugs on enrollment profiles when the organization name contains invalid XML characters. +- Fixed an issue with cron profiles delivery failing if a Windows VM is enrolled twice. +- Fixed issue where Fleet server could start when an expired ABM certificate was provided as server config. +- Fixed self-service checkbox appearing when iOS or iPadOS app is selected. + ## Fleet 4.56.0 (Sep 7, 2024) ### Endpoint operations diff --git a/CODEOWNERS b/CODEOWNERS index 5f1c7e9bca..153161e7ee 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -66,8 +66,8 @@ go.mod @fleetdm/go # # (see website/config/custom.js for DRIs of other paths not listed here) ############################################################################################## -/docs @rachaelshaw -/docs/REST\ API/rest-api.md @rachaelshaw # « REST API reference documentation +/docs @rachaelshaw @lukeheath +/docs/REST\ API/rest-api.md @rachaelshaw @lukeheath # « REST API reference documentation /docs/Contributing/API-for-contributors.md @lukeheath # « Advanced / contributors-only API reference documentation /schema @eashaw # « Data tables (osquery/fleetd schema) documentation /docs/Deploy/_kubernetes/ @dherder # « Kubernetes best practice diff --git a/articles/deploy-security-agents.md b/articles/deploy-security-agents.md deleted file mode 100644 index 20d6cd28ab..0000000000 --- a/articles/deploy-security-agents.md +++ /dev/null @@ -1,97 +0,0 @@ -# Deploy security agents - -![Deploy security agents](../website/assets/images/articles/deploy-security-agents-1600x900@2x.png) - -Fleet [v4.50.0](https://github.com/fleetdm/fleet/releases/tag/fleet-v4.50.0) introduced the ability to upload and deploy security agents to your hosts. Beyond a [bootstrap package](https://fleetdm.com/docs/using-fleet/mdm-macos-setup-experience#bootstrap-package) at enrollment, deploying security agents allows you to specify and verify device configuration using a pre-enrollment osquery query and customization of the install and post-install scripts, allowing for key and license deployment and configuration. This guide will walk you through the steps to upload, configure, and install a security agent to hosts in your fleet. - -## Prerequisites - -* Fleet [v4.50.0](https://github.com/fleetdm/fleet/releases/tag/fleet-v4.50.0). -* `fleetd` 1.25.0 deployed via MDM or built with the `--scripts-enabled` flag. -* An S3 bucket [configured](https://fleetdm.com/docs/configuration/fleet-server-configuration#s-3-software-installers-bucket) to store the installers. -* Increase any load balancer timeouts to at least 5 minutes for the following endpoints: - * [Add software](https://fleetdm.com/docs/rest-api/rest-api#add-software). - * [Batch-apply software](https://fleetdm.com/docs/rest-api/rest-api#add-software). - -## Step-by-step instructions - -### Access security agent installers - -To access and manage security agents in Fleet: - -* **Navigate to the Software page**: Click on the "Software" tab in the main navigation menu. -* **Select a team**: Click on the dropdown at the top left of the page. -* **Find your software**: using the filters on the top of the table, you can choose between: - * “Available for install” filters software that can be installed on your hosts. - * “Self-service” filters software that end users can install from Fleet Desktop. -* **Select security agent installer**: Click on a software package to view details and access additional actions for the agent installer. - -### Add a security agent to a team - -* **Navigate to the Software page**: Click on the "Software" tab in the main navigation menu. -* **Select a team**: Select a team or the "No team" team to add a security agent. - -> Security agents cannot be added to "All teams" - -* Click the “Add Software” button in the top right corner, and a modal will appear. -* Choose a file to upload. `.pkg`, `.msi`, `.exe`, or `.deb` files are supported. -* After selecting a file, a default install script will be pre-filled. If the security agent requires a custom installation process, this script can be edited. -* To allow users to install the software from Fleet Desktop, check the “Self-service” checkbox. -* To customize the conditions, click on “Advanced options”: - * **Pre-install condition**: A pre-install condition is a valid osquery SQL statement that will be evaluated on the host before installing the software. If provided, the installation will proceed only if the query returns any value. - * **Post-install script** A post-install script will run after the installation is complete, allowing you to configure the security agent right after installation. If this script returns a non-zero exit code, the installation will fail, and `fleetd` will attempt to uninstall the software. - -### Install a security agent on a host - -After an installer is added to a team, it can be installed on hosts via the UI. - -* **Navigate to the Hosts page**: Click on the "Hosts" tab in the main navigation menu. -* **Navigate to the Host details page**: Click the host you want to install the security agent. -* **Navigate to the Host software tab**: In the host details, search for the tab named “Software” -* **Find your security agent**: Use the search bar and filters to search for your security agent. -* **Install the security agent on the host**: In the leftmost row of the table, click on “Actions” > “Install.” -* **Track installation status**: by either - * Checking the “Install status” in the host software table. - * Navigate to the “Details” tab on the host details page and check the activity log. - -### Edit a security agent - -Security agent installers can’t be edited via the UI. To modify an installer, remove it from the UI and add a new one. - -### Remove a security agent from a team - -* **Navigate to the Software page**: Click on the "Software" tab in the main navigation menu. -* **Select a team**: Select a team or the "No team" team to add a security agent. -* **Find your software**: using the filters on the top of the table, you can choose between: - * “Available for install” filters software can be installed on your hosts. - * “Self-service” filters software that users can install from Fleet Desktop. -* **Select security agent installer**: Click on a software package to view details. -* **Remove security agent installer**: From the Actions menu, select "Delete." Click the "Delete" button on the modal. - -> Removing a security agent from a team will not uninstall the agent from the existing host(s). - -### Manage security agents with the REST API - -Fleet also provides a REST API for managing software programmatically. The API allows you to add, update, retrieve, list, and delete software. Detailed documentation on Fleet's [REST API is available](https://fleetdm.com/docs/rest-api/rest-api#software). - -### Manage security agents with GitOps - -Installers for security agents can be managed via `fleetctl` using [GitOps](https://fleetdm.com/docs/using-fleet/gitops). - -Please refer to the documentation specific to [managing software with GitOps](https://fleetdm.com/docs/using-fleet/gitops#software). For a real-world example, [see how we manage software at Fleet](https://github.com/fleetdm/fleet/tree/main/it-and-security/teams). - - -## Conclusion - -Deploying security agents with Fleet is straightforward and ensures your hosts are protected with the latest security measures. This guide has shown you how to access, add, and install security agents, as well as manage them using the REST API and `fleetctl`. Following these steps can effectively equip your fleet with the necessary security tools. - -See Fleet's [documentation](https://fleetdm.com/docs/using-fleet) and additional [guides](https://fleetdm.com/guides) for more details on advanced setups, software features, and vulnerability detection. - - - - - - - - - diff --git a/articles/deploy-software-packages.md b/articles/deploy-software-packages.md new file mode 100644 index 0000000000..92aa0901cc --- /dev/null +++ b/articles/deploy-software-packages.md @@ -0,0 +1,177 @@ +# Deploy software packages + +![Deploy software](../website/assets/images/articles/deploy-security-agents-1600x900@2x.png) + +Fleet [v4.50.0](https://github.com/fleetdm/fleet/releases/tag/fleet-v4.50.0) introduced the ability to upload and deploy software to your hosts. Fleet [v4.57.0](https://github.com/fleetdm/fleet/releases/tag/fleet-v4.57.0) added the ability to include an uninstall script and edit software details. Beyond a [bootstrap package](https://fleetdm.com/docs/using-fleet/mdm-macos-setup-experience#bootstrap-package) at enrollment, deploying software allows you to specify and verify device configuration using a pre-install query and customization of the install, post-install, and uninstall scripts, allowing for key and license deployment and configuration. Admins can modify these options and settings after the initial upload. This guide will walk you through the steps to upload, configure, install, and uninstall a software package to hosts in your fleet. + +## Prerequisites + +* Fleet [v4.57.0](https://github.com/fleetdm/fleet/releases/tag/fleet-v4.57.0). + +* `fleetd` 1.25.0 deployed via MDM or built with the `--scripts-enabled` flag. + +> `fleetd` prior to 1.33.0 will use a hard-coded uninstall script to clean up from a failed install. As of 1.33.0, the (default or customized) uninstall script will be used to clean up failed installs. + +* An S3 bucket [configured](https://fleetdm.com/docs/configuration/fleet-server-configuration#s-3-software-installers-bucket) to store the installers. + +* Increase any load balancer timeouts to at least 5 minutes for the [Add software](https://fleetdm.com/docs/rest-api/rest-api#add-software) endpoint. + +## Step-by-step instructions + +### Access software packages + +To access and manage software in Fleet: + +* **Navigate to the Software page**: Click on the "Software" tab in the main navigation menu. + +* **Select a team**: Click on the dropdown at the top left of the page. + +> Software packages are tied to a specific team. This allows you to, for example, test a newer release of an application within your IT team before rolling it out to the rest of your organization, or deploy the appropriate architecture-specific installer to both Intel and Apple Silicon Macs. + +* **Find your software**: using the filters on the top of the table, you can choose between: + + * “Available for install” filters software that can be installed on your hosts. + + * “Self-service” filters software that end users can install from Fleet Desktop. + +* **Select software package**: Click on a software package to view details and access additional actions for the software. + +### Add a software package to a team + +* **Navigate to the Software page**: Click on the "Software" tab in the main navigation menu. + +* **Select a team**: Select a team "No team" to add a software package. + +> Software cannot be added to "All teams." + +* Click the “Add Software” button in the top right corner, and a dialog will appear. + +* Choose a file to upload. `.pkg`, `.msi`, `.exe`, and `.deb` files are supported. + +> Software installer uploads will fail if Fleet is unable to extract information from the installer package such bundle ID and version number. + +* To allow users to install the software from Fleet Desktop, check the “Self-service” checkbox. + +* To customize installer behavior, click on “Advanced options.” + +> After the initial package upload, all options can be modified, including the self-service setting, pre-install query, scripts, and even the software package file. When replacing an installer package, the replacement package must be the same type and for the same software as the original package. + +#### Pre-install query + +A pre-install query is a valid osquery SQL statement that will be evaluated on the host before installing the software. If provided, the installation will proceed only if the query returns any value. + +#### Install script + +After selecting a file, a default install script will be pre-filled. If the software package requires a custom installation process (for example, if [an EXE-based Windows installer requires custom handling](https://fleetdm.com/learn-more-about/exe-install-scripts)), this script can be edited. When the script is run, the `$INSTALLER_PATH` environment variable will be set by `fleetd` to where the installer is being run. + +#### Post-install script + +A post-install script will run after the installation, allowing you to, for example, configure the security agent right after installation. If this script returns a non-zero exit code, the installation will fail, and `fleetd` will attempt to uninstall the software. + +#### Uninstall script + +An uninstall script will run when an admin chooses to uninstall the software from the host on the host details page, or if an install fails for hosts running `fleetd` 1.33.0 or later. Like the install script, a default uninstall script will be pre-filled after selecting a file. This script can be edited if the software package requires a custom uninstallation process. + +In addition to the `$INSTALLER_PATH` environment variable supported by install scripts, you can use `$PACKAGE_ID` in uninstall scripts as a placeholder for the package IDs (for .pkg files), package name (for Linux installers), product code (for MSIs), or software name (for EXE installers). The Fleet server will substitute `$PACKAGE_ID` on upload. + +### Install a software package on a host + +After a software package is added to a team, it can be installed on hosts via the UI. + +* **Navigate to the Hosts page**: Click on the "Hosts" tab in the main navigation menu. + +* **Navigate to the Host details page**: Click the host you want to install the software package. + +* **Navigate to the Host software tab**: In the host details, search for the tab named “Software.” + +* **Find your software package**: Use the dropdown to select software “Available for install” or use the search bar to search for your software package by name. + +* **Install the software package on the host**: In the rightmost column of the table, click on “Actions” > “Install.” Installation will happen automatically or when the host comes online. + +* **Track installation status**: by either + + * Checking the status column in the host software table. + + * Navigate to the “Details” tab on the host details page and check the activity log. + +### Edit a software package + +* **Navigate to the Software page**: Click on the "Software" tab in the main navigation menu. + +* **Select a team**: Select a team (or "No team") to switch to the team whose software you want to edit. + +* **Find your software**: using the filters on the top of the table, you can choose between: + + * “Available for install” filters software can be installed on your hosts. + + * “Self-service” filters software that users can install from Fleet Desktop. + +* **Select software package**: Click on a software package to view details. + +* **Edit software package**: From the Actions menu, select "Edit." + +> Editing the pre-install query, install script, post-install script, or uninstall script cancels all pending installations and uninstallations for that package, except for installs and uninstalls that are currently running on a host. If a new software package is uploaded, in addition to canceling pending installs and uninstalls, host counts (for installs and pending and failed installs and uninstalls) will be reset to zero, so counts reflect the currently uploaded version of the package. + +### Uninstall a software package on a host + +After a software package is installed on a host, it can be uninstalled on the host via the UI. + +* **Navigate to the Hosts page**: Click on the "Hosts" tab in the main navigation menu. + +* **Navigate to the Host details page**: Click the host you want to uninstall the software package. + +* **Navigate to the Host software tab**: In the host details, search for the tab named “Software.” + +* **Find your software package**: Use the dropdown to select software “Available for install” or use the search bar to search for your software package by name. + +* **Uninstall the software package from the host**: In the rightmost column of the table, click on “Actions” > “Uninstall.” Uninstallation will happen automatically or when the host comes online. + +* **Track uninstallation status**: by either + + * Checking the status column in the host software table. + + * Navigate to the “Details” tab on the host details page and check the activity log. + +### Remove a software package from a team + +* **Navigate to the Software page**: Click on the "Software" tab in the main navigation menu. + +* **Select a team**: Select a team (or "No team") to switch to the team whose software you want to remove. + +* **Find your software**: using the filters on the top of the table, you can choose between: + + * “Available for install” filters software can be installed on your hosts. + + * “Self-service” filters software that users can install from Fleet Desktop. + +* **Select software package**: Click on a software package to view details. + +* **Remove software package**: From the Actions menu, select "Delete." Click the "Delete" button on the dialog. + +> Removing a software package from a team will cancel pending installs for hosts that are not in the middle of installing the software but will not uninstall the software from hosts where it is already installed. + +### Manage software with the REST API + +Fleet also provides a REST API for managing software programmatically. The API allows you to add, update, retrieve, list, and delete software. Detailed documentation on Fleet's [REST API is available]([https://fleetdm.com/docs/rest-api/rest-api#software](https://fleetdm.com/docs/rest-api/rest-api#software)), including endpoints for installing and uninstalling packages. + +### Manage software with GitOps + +Software packages can be managed via `fleetctl` using [GitOps](https://fleetdm.com/docs/using-fleet/gitops). + +Please refer to the documentation for [managing software with GitOps](https://fleetdm.com/docs/using-fleet/gitops#software), for a real-world example, [see how we manage software at Fleet](https://github.com/fleetdm/fleet/tree/main/it-and-security/teams). + +> When managing software installers via GitOps, the Fleet server receiving GitOps requests (**not** the machine running fleetctl as part of the GitOps workflow) will download installers from the specified URLs directly. + +## Conclusion + +Managing software with Fleet is straightforward and ensures your hosts are equipped with the latest tools. This guide has outlined how to access, add, edit, and remove software packages from a team, install and uninstall from specific hosts, and use the REST API and `fleetctl` to manage software packages. By following these steps, you can effectively maintain software packages across your fleet. + +For more information on advanced setups and features, explore Fleet’s [documentation](https://fleetdm.com/docs/using-fleet) and additional [guides](https://fleetdm.com/guides). + + + + + + + + diff --git a/articles/enable-okta-verify-on-macOS-with-configuration-profile.md b/articles/enable-okta-verify-on-macOS-with-configuration-profile.md new file mode 100644 index 0000000000..19bd9c5c9e --- /dev/null +++ b/articles/enable-okta-verify-on-macOS-with-configuration-profile.md @@ -0,0 +1,130 @@ +# Enable Okta Verify on macOS using configuration profile + +## Introduction + +This guide will show you how to install [Okta Verify](https://help.okta.com/en-us/content/topics/mobile/okta-verify-overview.htm) on your macOS hosts and set them as managed by issuing a SCEP certificate via a configuration profile [managed through Fleet](https://fleetdm.com/guides/custom-os-settings). + +By following these steps, you can automate the deployment of Okta Verify across your devices. This will allow you to enforce multifactor authentication policies, improve device security, and manage user access seamlessly. + +## Prerequisites + +* MDM enabled and configured + +## Step-by-Step Instructions + +### **Step 1: Install Okta Verify on your hosts** + +Okta Verify can be installed: + +* As a Volume Purchasing Program (VPP) application, follow [these steps to install VPP apps](https://fleetdm.com/guides/install-vpp-apps-on-macos-using-fleet). +* As a *.pkg *file download the [installer from Okta](https://help.okta.com/oie/en-us/content/topics/identity-engine/devices/ov-install-options-macos.htm) and [deploy the installer using Fleet](https://fleetdm.com/guides/deploy-security-agents). + +After installing Okta Verify on the host, the device will be registered in Okta. + +### **Step 2: Issue a SCEP certificate for management attestation** + +The next step to ensure Okta detects the device as managed is to issue a SCEP certificate. + +* Follow the instructions on the Okta documentation to [configure a certificate authority](https://help.okta.com/oie/en-us/content/topics/identity-engine/devices/configure-ca-main.htm) using a **static** SCEP challenge. +* In your text editor, copy and paste the following configuration profile and edit the relevant values: + * `[REPLACE_WITH_CHALLENGE] `with the SCEP challenge you generated in the previous step. + * `[REPLACE_WITH_URL]`with the URL to your SCEP server. + * Adjust the `CN `value according to your organization's needs. You can use any of the [profile variables](https://support.apple.com/en-my/guide/deployment/dep04666af94/1/web/1.0) to uniquely identify your device. In the example `%ComputerName%` `managementAttestation` `%HardwareUUID%,` the certificate Common Name (CN) will contain both the computer name and the hardware UUID. + +```xml + + + + + + PayloadVersion + 1 + PayloadType + Configuration + PayloadIdentifier + Ignored + PayloadUUID + Ignored + PayloadDisplayName + SCEP device attestation + PayloadContent + + + PayloadContent + + Key Type + RSA + Challenge + [REPLACE_WITH_CHALLENGE] + Key Usage + 1 + Keysize + 2048 + URL + [REPLACE_WITH_URL] + AllowAllAppsAccess + + KeyIsExtractable + + Subject + + + + O + Fleet + + + + + CN + %ComputerName% managementAttestation %HardwareUUID% + + + + + PayloadIdentifier + com.apple.security.scep.C2D94E67-4F1A-4A3C-8142-7523A8D35713 + PayloadType + com.apple.security.scep + PayloadUUID + 632289FA-C3E0-481A-A417-BF40012FB729 + PayloadVersion + 1 + + + + + +``` + +* Enforce the configuration profile on your hosts. You can follow [this guide on enforcing custom OS settings in Fleet](https://fleetdm.com/guides/custom-os-settings). +* You can optionally verify the issued certificate by opening Keychain Access on the device or by running a [live query](https://fleetdm.com/guides/get-current-telemetry-from-your-devices-with-live-queries): + +```sql +SELECT * FROM certificates where common_name like '%managementAttestation%'; +``` + +### **Step 3: Configure device management in Okta** + +With Okta Verify installed and an attestation certificate in place, all left is to configure Okta and the device for device management, useful links from the Okta documentation are: + +* [Managed devices](https://help.okta.com/oie/en-us/content/topics/identity-engine/devices/managed-main.htm) +* [Enable and configure Okta Verify](https://help.okta.com/en-us/content/topics/mobile/okta-verify-overview.htm) + +Make sure the device is properly set up in Okta and that the user has used Okta FastPass at least once to see it as managed on the Okta dashboard. + +## Conclusion + +This guide covered how to install Okta Verify on your macOS hosts, issue a SCEP certificate for management attestation, and configure device management in Okta. By automating this process through Fleet, you can enforce multi-factor authentication, improve device security, and ensure that devices accessing your organization’s resources are properly managed. + +For more detailed information on managing devices and using Okta Verify, explore the Okta documentation and Fleet’s guides to optimize your device management strategy further. + +See Fleet's [documentation](https://fleetdm.com/docs/using-fleet) and additional [guides](https://fleetdm.com/guides) for more details on advanced setups, software features, and vulnerability detection. + + + + + + + + diff --git a/articles/enforce-os-updates.md b/articles/enforce-os-updates.md index 3db4862a87..de3fdbc83d 100644 --- a/articles/enforce-os-updates.md +++ b/articles/enforce-os-updates.md @@ -2,7 +2,7 @@ _Available in Fleet Premium_ -In Fleet you can enforce OS updates on your macOS, Windows, iOS, and iPadOS hosts remotely using the Fleet UI, Fleet API, or [Fleet's GitOps workflow](https://github.com/fleetdm/fleet-gitops). +In Fleet, you can enforce OS updates on your macOS, Windows, iOS, and iPadOS hosts remotely using the Fleet UI, Fleet API, or [Fleet's GitOps workflow](https://github.com/fleetdm/fleet-gitops). Fleet UI: @@ -18,30 +18,22 @@ Fleet API: API documentation is [here](https://fleetdm.com/docs/rest-api/rest-ap ### macOS -When a minimum version is enforced, the end users see a native macOS notification (DDM) once per day. Users can choose to update ahead of the deadline or schedule it for that night. 24 hours before the deadline, the notification appears hourly and ignores Do Not Disturb. One hour before the deadline, the notification appears every 30 minutes, and then every 10 minutes. +When a minimum version is enforced, the end users see a native macOS notification (DDM) once per day. Users can choose to update ahead of the deadline or schedule it for that night. 24 hours before the deadline, the notification appears hourly and ignores Do Not Disturb. One hour before the deadline, the notification appears every 30 minutes and then every 10 minutes. If the host was turned off when the deadline passed, the update will be scheduled an hour after it’s turned on. -For macOS devices that use Automated Device Enrollment (ADE), if the device is below the specified -minimum version, it will be required to update to the very latest OS version during ADE before -device setup and enrollment can proceed. +For macOS devices that use Automated Device Enrollment (ADE), if the device is below the specified minimum version, it will be required to update to the latest [available version](#available-macos-ios-and-ipados-versions) during ADE before device setup and enrollment can proceed. -### macOS (below version 14.0) +### iOS and iPadOS -End users are encouraged to update macOS (via [Nudge](https://github.com/macadmins/nudge)). - -![Nudge window](https://raw.githubusercontent.com/fleetdm/fleet/main/docs/images/nudge-window.png) - -| | > 1 day before deadline | < 1 day before deadline | Past deadline | -| ------------------------------------ | ----------------------- | ----------------------- | --------------------- | -| Nudge window frequency | Once a day at 8pm GMT | Once every 2 hours | Immediately on login | -| End user can defer | ✅ | ✅ | ❌ | -| Nudge window is dismissible | ✅ | ✅ | ❌ | - -### iOS and iPadOS (version 17.0 and above) +End users will see a notification in their Notification Center after the deadline when a minimum version is enforced. They can’t use their iPhone or iPad until the OS update is installed. For iOS and iPadOS devices that use Automated Device Enrollment (ADE), if the device is below the specified -minimum version, it will be required to update to the very latest OS version during ADE before device setup and enrollment can proceed. +minimum version, it will be required to update to the latest [available version](#available-macos-ios-and-ipados-versions) during ADE before device setup and enrollment can proceed. + +### Available macOS, iOS, and iPadOS versions + +The Apple Software Lookup Service (available at [https://gdmf.apple.com/v2/pmv](https://gdmf.apple.com/v2/pmv)) is the official resource for obtaining a list of publicly available updates, upgrades, and Rapid Security Responses. Make sure to use versions available in GDMF; otherwise, the update will not be scheduled. ### Windows @@ -55,9 +47,17 @@ If an end user was on vacation when the deadline passed, the end user is given a Fleet enforces OS updates for quality and feature updates. Read more about the types of Windows OS updates in the Microsoft documentation [here](https://learn.microsoft.com/en-us/windows/deployment/update/get-started-updates-channels-tools#types-of-updates). -### iOS and iPadOS +### macOS (below version 14.0) -When a minimum version is enforced, end users will see a notification in their Notification Center after the deadline. They can’t use their iPhone or iPad until the OS update is installed. +End users are encouraged to update macOS (via [Nudge](https://github.com/macadmins/nudge)). + +![Nudge window](https://raw.githubusercontent.com/fleetdm/fleet/main/docs/images/nudge-window.png) + +| | > 1 day before deadline | < 1 day before deadline | Past deadline | +| ------------------------------------ | ----------------------- | ----------------------- | --------------------- | +| Nudge window frequency | Once a day at 8pm GMT | Once every 2 hours | Immediately on login | +| End user can defer | ✅ | ✅ | ❌ | +| Nudge window is dismissible | ✅ | ✅ | ❌ | diff --git a/articles/enroll-byod-ios-ipados-hosts.md b/articles/enroll-byod-ios-ipados-hosts.md new file mode 100644 index 0000000000..31c070b2d5 --- /dev/null +++ b/articles/enroll-byod-ios-ipados-hosts.md @@ -0,0 +1,42 @@ +# Enroll BYOD iOS/iPadOS hosts + +This guide will walk you through the process of inviting BYOD (Bring Your Own Device) iPhones and iPads to enroll in Fleet. + +By enrolling BYOD iPhones and iPads in Fleet, IT admins can manage software installations, enforce settings, and ensure devices comply with company policies. By adding BYOD devices, you can monitor, enforce settings, and manage security on BYOD iPhones and iPads in real-time, providing enhanced control without compromising user autonomy. This helps secure access to organizational resources while maintaining control over device configurations. + +## Prerequisites + +* Fleet [v4.57.0](https://github.com/fleetdm/fleet/releases/tag/fleet-v4.57.0). +* [MDM enabled and configured](https://fleetdm.com/guides/macos-mdm-setup) + +## Enrolling BYOD iPad/iOS devices in Fleet + +* **Step 1: Navigate to the manage hosts page** + * Click “Hosts” in the top navigation bar +* **Step 2: Choose the team** + * Select the desired [team](https://fleetdm.com/guides/teams) from the menu at the top of the screen +* **Step 3: Get a link to share with your end users** + * Click on “Add hosts.” + * In the modal, select the **iOS & iPadOS** tab. + * Copy the link to enroll hosts. +* **Step 4: Distribute the link** + * Share the link with your end users using an introductory email or message. + * The link provides instructions to guide users through downloading and installing Fleet’s enrollment profile. + +> Each team has a unique URL that includes the team's enrollment secret. This enrollment secret ensures that devices are assigned to the correct team during enrollment. When an incorrect enroll secret is provided, users can still download the enrollment profile, but the enrollment itself will fail (403 error). + +## Conclusion + +This guide covered how to invite and enroll BYOD iPhones and iPads into Fleet. This allows IT admins to manage software, enforce settings, and ensure compliance with organizational policies. Streamlining the enrollment process will enable you to secure access to company resources while maintaining control over end-user devices. + +For more information on device management and other features, explore Fleet’s documentation and guides to optimize your setup and keep your devices fully secure. + +See Fleet's [documentation](https://fleetdm.com/docs/using-fleet) and additional [guides](https://fleetdm.com/guides) for more details on advanced setups, software features, and vulnerability detection. + + + + + + + + diff --git a/articles/fleet-4.57.0.md b/articles/fleet-4.57.0.md new file mode 100644 index 0000000000..4c9f959f9a --- /dev/null +++ b/articles/fleet-4.57.0.md @@ -0,0 +1,97 @@ +# Fleet 4.57.0 | Software improvements, policy automation, GitLab support. + +![Fleet 4.57.0](../website/assets/images/articles/fleet-4.57.0-1600x900@2x.png) + +Fleet 4.57.0 is live. Check out the full [changelog](https://github.com/fleetdm/fleet/releases/tag/fleet-v4.57.0) or continue reading to get the highlights. +For upgrade instructions, see our [upgrade guide](https://fleetdm.com/docs/deploying/upgrading-fleet) in the Fleet docs. + +## Highlights +* Software improvements +* Policy automation: install software +* iPhone/iPad BYOD +* GitLab pipelines for GitOps + +### Software improvements + +Fleet allows admins to edit software items directly, offering greater control over software management across hosts. This feature allows IT teams to modify details such as software names or versions, ensuring the software inventory remains accurate and aligned with organizational needs. Additionally, Fleet has introduced the option to uninstall software from hosts, simplifying the removal of unwanted or outdated applications. + +For most cases, Fleet handles the uninstall process automatically, with the uninstall script conveniently located under “Advanced options.” However, Fleet stands out by allowing administrators to view and tweak the script if needed. This flexibility is beneficial when a host is in a unique state or the automatic uninstall process encounters issues. Fleet strives to provide full transparency into what’s under the hood, enabling IT teams to make necessary adjustments for specific scenarios. These updates enhance the efficiency of software management while maintaining flexibility, reflecting Fleet’s commitment to providing user-centric and adaptable solutions. + +### Policy automation: install software + +Admins can automatically trigger software installations when a policy fails, adding a proactive approach to maintaining compliance and security. This feature is handy when a device is found to have a vulnerable version of software installed. If a policy detects this vulnerability, Fleet can automatically install a secure, updated version of the software to remediate the issue and bring the host back into compliance. This automation helps IT teams address vulnerabilities quickly and efficiently, without manual intervention, ensuring that devices across the fleet remain secure and up-to-date. It highlights Fleet’s commitment to streamlining device management and enhancing security through automation. + +### iPhone/iPad BYOD + +Fleet now supports Bring Your Own Device (BYOD) enrollment for iPhone (iOS) and iPad (iPadOS) devices, providing organizations with a more flexible approach to managing employee-owned devices. This feature allows employees to enroll personal iPhones and iPads into Fleet’s Mobile Device Management (MDM) system, enabling IT teams to enforce security policies, manage configurations, and ensure compliance without needing complete control over the entire device. With BYOD enrollment, companies can balance security and privacy, seamlessly managing work-related configurations on personal devices while respecting the end user’s control over their personal data. This update enhances Fleet’s capabilities for managing various devices and supports organizations with modern, flexible workforce environments. + +### GitLab pipelines for GitOps + +Fleet now supports GitLab pipelines for its [GitOps integration](https://github.com/fleetdm/fleet-gitops), expanding the flexibility of how organizations manage their device configurations and policies through version control. With GitLab pipelines, IT teams can automate the deployment and management of Fleet configurations directly from their GitLab repositories, streamlining workflows and ensuring that changes are tracked, tested, and deployed consistently across their fleet. This integration enhances the automation and reliability of device management, enabling teams to adopt a more scalable and auditable approach to managing their Fleet environment. By supporting both GitLab and existing CI/CD tools, Fleet continues to empower organizations to implement modern, efficient workflows for managing configurations and policies. + +## Changes + +**NOTE:** Beginning with Fleet v4.55.0, Fleet no longer supports MySQL 5.7 because it has reached [end of life](https://mattermost.com/blog/mysql-5-7-reached-eol-upgrade-to-mysql-8-x-today/#:~:text=In%20October%202023%2C%20MySQL%205.7,to%20upgrade%20to%20MySQL%208.). The minimum version supported is MySQL 8.0.36. + +**Endpoint Operations** + +- Added support for configuring policy installers via GitOps. +- Added support for policies in "No team" that run on hosts that belong to "No team". +- Added reserved team names: "All teams" and "No team". +- Added support the software status filter for 'No teams' on the hosts page. +- Enable 'No teams' funcitonality for the policies page and associated workflows. +- Added reset install counts and cancel pending installs/uninstalls when GitOps installer updates change package contents. +- Added support for software installer packages, self-service flag, scripts, pre-install query, and self-service availability to be edited in-place rather than deleted and re-added. + +**Device Management (MDM)** + +- Added feature allowing automatic installation of software on hosts that fail policies. +- Added feature for end users to enroll BYOD devices into Fleet MDM. +- Added the ability to use Fleet to uninstall packages from hosts. +- Added an endpoint for getting an OTA MDM profile for enrolling iOS and iPadOS hosts. +- Added protocol support for OTA enrollment and automatic team assignment for hosts. +- Added validation of Setup Assistant profiles on profile upload. +- Added validation to prevent installing software on a host with a pending installation. +- Allowed custom SCEP CA certificates with any kind of extendedKeyUsage attributes. +- Modified `POST /api/latest/fleet/software/batch` endpoint to be asynchronous and added a new endpoint `GET /api/latest/fleet/software/batch/{request_uuid}` to retrieve the result of the batch upload. + +**Vulnerability Management** + +- Fixed a false negative vulnerability for git. +- Fixed false positive vulnerabilities for minio. +- Fixed an issue where virtual box for macOS wasn't matching against the NVD product name. +- Fixed Ubuntu python package false positive vulnerabilities by removing duplicate entries for ubuntu python packages installed by dpkg and renaming remaining pip installed packages to match OVAL definitions. + +**Bug fixes and improvements** + +- Updated Go to go1.23.1. +- Removed validation of APNS certificate from server startup. +- Removed invalid node keys from server logs. +- Improved the UX of turning off MDM on an offline host. +- Improved clarity of GitOps VPP app ID type errors. +- Improved gitops error message about enabling windows MDM. +- Improved messaging for VPP token constraint errors. +- Improved loading state for UI tables when no data is present yet. +- Improved permissions so that hosts can no longer access installers that aren't directly assigned to them. +- Improved verification of premium license before uploading VPP tokens. +- Added "0 items" description on empty software tables for UI consistency. +- Updated the macos target minimum version tooltip. +- Fixed logic to properly catch and log APNs errors. +- Fixed UI overflow issues with OS settings table data. +- Fixed regression for checking email used to get a signed CSR. +- Fixed bugs on enrollment profiles when the organization name contains invalid XML characters. +- Fixed an issue with cron profiles delivery failing if a Windows VM is enrolled twice. +- Fixed issue where Fleet server could start when an expired ABM certificate was provided as server config. +- Fixed self-service checkbox appearing when iOS or iPadOS app is selected. + + +## Ready to upgrade? + +Visit our [Upgrade guide](https://fleetdm.com/docs/deploying/upgrading-fleet) in the Fleet docs for instructions on updating to Fleet 4.57.0. + + + + + + + diff --git a/changes/17558-validation-errs b/changes/17558-validation-errs deleted file mode 100644 index 115c9bf14e..0000000000 --- a/changes/17558-validation-errs +++ /dev/null @@ -1,2 +0,0 @@ -- Adds validation of Setup Assistant profiles on profile upload, giving users immediate feedback on -the validity of the profile. \ No newline at end of file diff --git a/changes/18897-shoe-zeroes b/changes/18897-shoe-zeroes deleted file mode 100644 index 7faddd522d..0000000000 --- a/changes/18897-shoe-zeroes +++ /dev/null @@ -1 +0,0 @@ -Added "0 items" description on empty software tables for UI consistency diff --git a/changes/19442-ubuntu-python-packages b/changes/19442-ubuntu-python-packages deleted file mode 100644 index 0be7e95616..0000000000 --- a/changes/19442-ubuntu-python-packages +++ /dev/null @@ -1 +0,0 @@ -- Addressing Ubuntu python package false positive vulnerabilities by removing duplicate entries for ubuntu python packages installed by dpkg and renaming remaining pip installed packages to match OVAL definitions. \ No newline at end of file diff --git a/changes/19551-policy-software-automations b/changes/19551-policy-software-automations deleted file mode 100644 index 4b88cb4c1f..0000000000 --- a/changes/19551-policy-software-automations +++ /dev/null @@ -1 +0,0 @@ -* Implement features allowing automatic installation of software on hosts that fail policies. diff --git a/changes/19808-prof b/changes/19808-prof deleted file mode 100644 index 71d19f8c4b..0000000000 --- a/changes/19808-prof +++ /dev/null @@ -1 +0,0 @@ -* Fixed bugs on enrollment profiles when the organization name contains invalid XML characters. diff --git a/changes/20320-uninstall-packages b/changes/20320-uninstall-packages deleted file mode 100644 index 89ab892841..0000000000 --- a/changes/20320-uninstall-packages +++ /dev/null @@ -1 +0,0 @@ -* Implement the ability to use Fleet to uninstall packages from hosts. \ No newline at end of file diff --git a/changes/20404-edit-software b/changes/20404-edit-software deleted file mode 100644 index ec65b392b4..0000000000 --- a/changes/20404-edit-software +++ /dev/null @@ -1 +0,0 @@ -* Software installer packages, self-service flag, scripts, pre-install query, and self-service availability can now be edited in-place rather than needing to be deleted and re-added. diff --git a/changes/20535-sw-table-loading b/changes/20535-sw-table-loading deleted file mode 100644 index d144ce782c..0000000000 --- a/changes/20535-sw-table-loading +++ /dev/null @@ -1 +0,0 @@ -* Improve loading state for DataTables when no data is present yet \ No newline at end of file diff --git a/changes/20683-less-columns-smaller-width b/changes/20683-less-columns-smaller-width new file mode 100644 index 0000000000..c2e03aedde --- /dev/null +++ b/changes/20683-less-columns-smaller-width @@ -0,0 +1 @@ +- UI cleanup: Host details about section condenses information into fewer columns at smaller widths diff --git a/changes/20757-profiles-batch-activity b/changes/20757-profiles-batch-activity deleted file mode 100644 index 6b110b87c7..0000000000 --- a/changes/20757-profiles-batch-activity +++ /dev/null @@ -1 +0,0 @@ -API endpoint `/api/v1/fleet/mdm/profiles/batch` will now not log an activity for profile types that did not change in the database (Apple configuration profiles, Windows configuration profiles, or Apple declarations). diff --git a/changes/20764-fix-cron-with-duplicate-host-uuid-windows-mdm b/changes/20764-fix-cron-with-duplicate-host-uuid-windows-mdm deleted file mode 100644 index df19c08bc8..0000000000 --- a/changes/20764-fix-cron-with-duplicate-host-uuid-windows-mdm +++ /dev/null @@ -1 +0,0 @@ -* Fixed an issue where cron profiles delivery fails if a Windows VM is enrolled twice with the same `host_uuid` / `mdm_device_id`. diff --git a/changes/20828-better-appid-error b/changes/20828-better-appid-error deleted file mode 100644 index 540c8fcbfa..0000000000 --- a/changes/20828-better-appid-error +++ /dev/null @@ -1 +0,0 @@ -- Improve clarity of gitops VPP app ID type errors diff --git a/changes/20846-vuln-virtual-box b/changes/20846-vuln-virtual-box deleted file mode 100644 index 225dd0be22..0000000000 --- a/changes/20846-vuln-virtual-box +++ /dev/null @@ -1 +0,0 @@ -- resolved an issue where virtual box for macOS wasn't matching against the vm_virtualbox NVD product name \ No newline at end of file diff --git a/changes/20868-turn-off-mdm b/changes/20868-turn-off-mdm deleted file mode 100644 index bfcd35d315..0000000000 --- a/changes/20868-turn-off-mdm +++ /dev/null @@ -1 +0,0 @@ -- Improves the UX of turning off MDM on an offline host (endpoint doesn't error anymore) \ No newline at end of file diff --git a/changes/20895-policy-software-install-gitops b/changes/20895-policy-software-install-gitops deleted file mode 100644 index 774f6a4bfe..0000000000 --- a/changes/20895-policy-software-install-gitops +++ /dev/null @@ -1 +0,0 @@ -* Added support for configuring policy installers via GitOps. diff --git a/changes/21019-ota-enrollment b/changes/21019-ota-enrollment deleted file mode 100644 index b43db060a7..0000000000 --- a/changes/21019-ota-enrollment +++ /dev/null @@ -1 +0,0 @@ -* Implement protocol support for OTA enrollment and automatic team assignment for hosts. diff --git a/changes/21264-fix-reserved-team-names b/changes/21264-fix-reserved-team-names deleted file mode 100644 index 6363b81869..0000000000 --- a/changes/21264-fix-reserved-team-names +++ /dev/null @@ -1,2 +0,0 @@ -- Prevents teams with the name "All teams" or "No team" from being created (these are reserved team - names in Fleet). \ No newline at end of file diff --git a/changes/21315-vpp-premium-license b/changes/21315-vpp-premium-license deleted file mode 100644 index 2fd081703e..0000000000 --- a/changes/21315-vpp-premium-license +++ /dev/null @@ -1 +0,0 @@ -- Verify user has premium license before uploading VPP tokens diff --git a/changes/21402-improve-windows-mdm-enabled-error-message b/changes/21402-improve-windows-mdm-enabled-error-message deleted file mode 100644 index 36dc6082f6..0000000000 --- a/changes/21402-improve-windows-mdm-enabled-error-message +++ /dev/null @@ -1 +0,0 @@ -- Improve gitops error message about enabling windows MDM diff --git a/changes/21404-minio-false-positive b/changes/21404-minio-false-positive deleted file mode 100644 index 57b4245e45..0000000000 --- a/changes/21404-minio-false-positive +++ /dev/null @@ -1 +0,0 @@ -- resolved issue where minio was reporting false positive vulnerabilities due to a mismatch in version strings \ No newline at end of file diff --git a/changes/21412-remove-node-key-from-server-logs b/changes/21412-remove-node-key-from-server-logs deleted file mode 100644 index c6555bd5bc..0000000000 --- a/changes/21412-remove-node-key-from-server-logs +++ /dev/null @@ -1 +0,0 @@ -* Removed invalid node keys from server logs. diff --git a/changes/21428-policy-automatic-install-software b/changes/21428-policy-automatic-install-software deleted file mode 100644 index e61dc2a9ea..0000000000 --- a/changes/21428-policy-automatic-install-software +++ /dev/null @@ -1 +0,0 @@ -* Added automatic installation of software packages using policy automations. diff --git a/changes/21428-prevent-install-when-already-pending b/changes/21428-prevent-install-when-already-pending deleted file mode 100644 index d01006d6f9..0000000000 --- a/changes/21428-prevent-install-when-already-pending +++ /dev/null @@ -1 +0,0 @@ -* Added validation to `POST /api/_version_/fleet/hosts/{host_id}/software/install/{software_title_id}` to prevent installing on a host that already has a pending installation for that software title. diff --git a/changes/21462-host-vulnerability-filter b/changes/21462-host-vulnerability-filter deleted file mode 100644 index e55fb8c836..0000000000 --- a/changes/21462-host-vulnerability-filter +++ /dev/null @@ -1 +0,0 @@ -- fixed issue where the vulnerability filter was returning software not vulnerable for the currently selected host \ No newline at end of file diff --git a/changes/21467-policies-for-no-team b/changes/21467-policies-for-no-team deleted file mode 100644 index 4613cd39ed..0000000000 --- a/changes/21467-policies-for-no-team +++ /dev/null @@ -1 +0,0 @@ -* Added support for policies in "No team" that run on hosts that belong to "No team". diff --git a/changes/21468-no-teams-policies b/changes/21468-no-teams-policies deleted file mode 100644 index d11adda1b8..0000000000 --- a/changes/21468-no-teams-policies +++ /dev/null @@ -1 +0,0 @@ -* Enable 'No teams' funcitonality for the policies page and associated workflows. \ No newline at end of file diff --git a/changes/21557-ota-profile-endpoint b/changes/21557-ota-profile-endpoint deleted file mode 100644 index 4acf2bbcf5..0000000000 --- a/changes/21557-ota-profile-endpoint +++ /dev/null @@ -1 +0,0 @@ -- Adds an endpoint for getting an OTA MDM profile for enrolling iOS and iPadOS hosts. \ No newline at end of file diff --git a/changes/21559-add-end-user-enrolment-page b/changes/21559-add-end-user-enrolment-page deleted file mode 100644 index 427f1c5beb..0000000000 --- a/changes/21559-add-end-user-enrolment-page +++ /dev/null @@ -1 +0,0 @@ -- add feature for end users to enroll their device into fleet mdm diff --git a/changes/21612-edit-software-gitops b/changes/21612-edit-software-gitops deleted file mode 100644 index 9a157286d4..0000000000 --- a/changes/21612-edit-software-gitops +++ /dev/null @@ -1 +0,0 @@ -* Reset install counts and cancel pending installs/uninstalls when GitOps installer updates change package contents diff --git a/changes/21683-apns-cert-validation-on-start b/changes/21683-apns-cert-validation-on-start deleted file mode 100644 index 9f17143599..0000000000 --- a/changes/21683-apns-cert-validation-on-start +++ /dev/null @@ -1,2 +0,0 @@ -- Removed validation of APNS certificate from server startup. This was no longer necessary because - we now allow for APNS certificates to be renewed in the UI. diff --git a/changes/21779-git-false-negative b/changes/21779-git-false-negative deleted file mode 100644 index 080dfe1a4e..0000000000 --- a/changes/21779-git-false-negative +++ /dev/null @@ -1 +0,0 @@ -- fixed a false negative vulnerability for git \ No newline at end of file diff --git a/changes/21813-email-err b/changes/21813-email-err deleted file mode 100644 index a9d25ecc21..0000000000 --- a/changes/21813-email-err +++ /dev/null @@ -1,2 +0,0 @@ -- Fixed regression: we now check if the email used to get a signed CSR is invalid (i.e. is an email - from a free email provider). \ No newline at end of file diff --git a/changes/21866-startup-expired-abm-cert b/changes/21866-startup-expired-abm-cert deleted file mode 100644 index f9e74bb641..0000000000 --- a/changes/21866-startup-expired-abm-cert +++ /dev/null @@ -1,2 +0,0 @@ -- Fixed issue where Fleet server could start when expired ABM cerfificate was provided as server - config options. diff --git a/changes/21890-vpp-token-error b/changes/21890-vpp-token-error deleted file mode 100644 index da03734eca..0000000000 --- a/changes/21890-vpp-token-error +++ /dev/null @@ -1 +0,0 @@ -- Improve messaging for VPP token constraint errors diff --git a/changes/21976-update-macos-target-version-tooltip b/changes/21976-update-macos-target-version-tooltip deleted file mode 100644 index 5ae1a5ffdf..0000000000 --- a/changes/21976-update-macos-target-version-tooltip +++ /dev/null @@ -1 +0,0 @@ -- update the macos target minimum version tooltip diff --git a/changes/22069-gitops-async-software-batch b/changes/22069-gitops-async-software-batch deleted file mode 100644 index 35f0652fe2..0000000000 --- a/changes/22069-gitops-async-software-batch +++ /dev/null @@ -1 +0,0 @@ -* Modified `POST /api/latest/fleet/software/batch` endpoint to be asynchronous and added a new endpoint `GET /api/latest/fleet/software/batch/{request_uuid}` to retrieve the result of the batch upload. diff --git a/changes/22136-software-status-no-teams-hosts-page b/changes/22136-software-status-no-teams-hosts-page deleted file mode 100644 index 6ede268471..0000000000 --- a/changes/22136-software-status-no-teams-hosts-page +++ /dev/null @@ -1 +0,0 @@ -* Support the software status filter for 'No teams' on the hosts page \ No newline at end of file diff --git a/changes/22158-scep b/changes/22158-scep deleted file mode 100644 index ab75574680..0000000000 --- a/changes/22158-scep +++ /dev/null @@ -1 +0,0 @@ -* Allow custom SCEP CA certificates with any kind of extendedKeyUsage attributes. diff --git a/changes/7476-fix-ui-overflow-os-settings-table b/changes/7476-fix-ui-overflow-os-settings-table deleted file mode 100644 index 6c95925de8..0000000000 --- a/changes/7476-fix-ui-overflow-os-settings-table +++ /dev/null @@ -1 +0,0 @@ -- fixes UI overflow issues with OS settings table data diff --git a/changes/apns-errors b/changes/apns-errors deleted file mode 100644 index 6de48617a1..0000000000 --- a/changes/apns-errors +++ /dev/null @@ -1 +0,0 @@ -* Fixed logic to properly catch and log APNs errors. diff --git a/changes/hosts-can-access-any-software b/changes/hosts-can-access-any-software deleted file mode 100644 index 0fbcae035a..0000000000 --- a/changes/hosts-can-access-any-software +++ /dev/null @@ -1 +0,0 @@ -- Hosts can no longer access installers that aren't directly assigned to it diff --git a/changes/update-go1.23.1 b/changes/update-go1.23.1 deleted file mode 100644 index 22a59cdc40..0000000000 --- a/changes/update-go1.23.1 +++ /dev/null @@ -1 +0,0 @@ -* Updated Go to go1.23.1 diff --git a/charts/fleet/Chart.yaml b/charts/fleet/Chart.yaml index adc22108c2..c23438bf22 100644 --- a/charts/fleet/Chart.yaml +++ b/charts/fleet/Chart.yaml @@ -8,7 +8,7 @@ version: v6.2.0 home: https://github.com/fleetdm/fleet sources: - https://github.com/fleetdm/fleet.git -appVersion: v4.56.0 +appVersion: v4.57.0 dependencies: - name: mysql condition: mysql.enabled diff --git a/charts/fleet/values.yaml b/charts/fleet/values.yaml index 040a539a83..03539df9da 100644 --- a/charts/fleet/values.yaml +++ b/charts/fleet/values.yaml @@ -3,7 +3,7 @@ hostName: fleet.localhost replicas: 3 # The number of Fleet instances to deploy imageRepository: fleetdm/fleet -imageTag: v4.56.0 # Version of Fleet to deploy +imageTag: v4.57.0 # Version of Fleet to deploy podAnnotations: {} # Additional annotations to add to the Fleet pod serviceAccountAnnotations: {} # Additional annotations to add to the Fleet service account resources: diff --git a/docs/Configuration/yaml-files.md b/docs/Configuration/yaml-files.md index f66c79f1e7..7599fd259f 100644 --- a/docs/Configuration/yaml-files.md +++ b/docs/Configuration/yaml-files.md @@ -6,14 +6,16 @@ To learn how to set up a GitOps workflow see the [Fleet GitOps repo](https://git ## File structure -- `default.yml`- File where you define the queries, policies, controls, and agent options for all hosts. If you're using Fleet Premium, this file updates queries and policies that run on all hosts ("All teams"). Controls and agent options are defined for hosts on "No team." -- `teams/` - Folder where you define your teams in Fleet. These `teams/team-name.yml` files define the controls, queries, policies, and agent options for hosts assigned to the specified team. Teams are available in Fleet Premium. +- `default.yml` - File where you define the queries, policies and agent options for all hosts. If you're using Fleet Premium, this file updates queries and policies that run on all hosts ("All teams"). +- `teams/no-team.yml` - File where you define the policies, controls, and software for hosts on "No team". Available in Fleet Premium. +- `teams/` - Folder where you define your teams in Fleet. These `teams/team-name.yml` files define the controls, queries, policies, software, and agent options for hosts assigned to the specified team. Available in Fleet Premium. - `lib/` - Folder where you define policies, queries, configuration profiles, scripts, and agent options. These files can be referenced in top level keys in the `default.yml` file and the files in the `teams/` folder. - `.github/workflows/workflow.yml` - The GitHub workflow file where you can add [environment variables](https://docs.github.com/en/actions/learn-github-actions/variables#defining-environment-variables-for-a-single-workflow). -The following files are responsible for running the GitHub action. Most users don't need to edit these files. +The following files are responsible for running the GitHub action or GitLab CI/CD. Most users don't need to edit these files. - `gitops.sh` - The bash script that applies the latest configuration to Fleet. This script is used in the GitHub action file. - `.github/gitops-action/action.yml` - The GitHub action that runs `gitops.sh`. This action is used in the GitHub workflow file. It can also be used in other workflows. +- `.gitlab-ci.yml` - The GitLab CI/CD file that applies the latest configuration to Fleet. ## Configuration options @@ -24,8 +26,7 @@ name: # Only teams/team-name.yml. To edit a team's name, change `name` but don't policies: queries: agent_options: -controls: -software: +controls: # Can be defined in teams/no-team.yml too. org_settings: # Only default.yml team_settings: # Only teams/team-name.yml ``` @@ -40,6 +41,8 @@ team_settings: # Only teams/team-name.yml ### policies Polcies can be specified inline in your `default.yml` file or `teams/team-name.yml` files. They can also be specified in separate files in your `lib/` folder. +Policies defined in `default.yml` run on **all** hosts. +Policies defined in `teams/no-team.yml` run on hosts that belong to "No team". #### Options @@ -81,9 +84,16 @@ policies: platform: darwin critical: false calendar_event_enabled: false +- name: Firefox on Linux installed and up to date + platform: linux + description: "This policy checks that Firefox is installed and up to date." + resolution: "Install Firefox version 129.0.2 or higher." + query: "SELECT 1 FROM deb_packages WHERE name = 'firefox' AND version_compare(version, '129.0.2') >= 0;" + install_software: + package_path: "../lib/linux-firefox.deb.package.yml" ``` -`default.yml` or `teams/team-name.yml` +`default.yml`, `teams/team-name.yml`, or `teams/no-team.yml` ```yaml policies: @@ -210,6 +220,8 @@ queries: The `controls` section allows you to configure scripts and device management (MDM) features in Fleet. +Controls for hosts that are in "No team" can be defined in `default.yml` or in `teams/no-team.yml` (but not in both files). + - `scripts` is a list of paths to macOS, Windows, or Linux scripts. - `windows_enabled_and_configured` specifies whether or not to turn on Windows MDM features (default: `false`). Can only be configured for all teams (`default.yml`). - `enable_disk_encryption` specifies whether or not to enforce disk encryption on macOS and Windows hosts (default: `false`). @@ -304,11 +316,15 @@ Can only be configure for all teams (`default.yml`). > **Experimental feature**. This feature is undergoing rapid improvement, which may result in breaking changes to the API or configuration surface. It is not recommended for use in automated workflows. The `software` section allows you to configure packages and Apple App Store apps that you want to install on your hosts. +Software for hosts that belong to "No team" have to be defined in `teams/no-team.yml`. +Software can also be specified in separate files in your `lib/` folder. - `packages` is a list of software packages (.pkg, .msi, .exe, or .deb) and software specific options. - `app_store_apps` is a list of Apple App Store apps. -##### Example +#### Example + +##### Inline ```yaml software: @@ -326,7 +342,7 @@ software: - app_store_id: '1091189122' ``` -#### packages +##### packages - `url` specifies the URL at which the software is located. Fleet will download the software and upload it to S3 (default: `""`). - `install_script.path` specifies the command Fleet will run on hosts to install software. The [default script](https://github.com/fleetdm/fleet/tree/main/pkg/file/scripts) is dependent on the software type (i.e. .pkg). @@ -334,12 +350,41 @@ software: - `post_install_script.path` is the script Fleet will run on hosts after intalling software (default: `""`). - `self_service` specifies whether or not end users can install from **Fleet Desktop > Self-service**. -#### app_store_apps +##### app_store_apps - `app_store_id` is the ID of the Apple App Store app. You can find this at the end of the app's App Store URL. For example, "Bear - Markdown Notes" URL is "https://apps.apple.com/us/app/bear-markdown-notes/id1016366447" and the `app_store_id` is `1016366447`. > Make sure to include only the ID itself, and not the `id` prefix shown in the URL. The ID must be wrapped in quotes as shown in the example so that it is processed as a string. +##### Separate file + +`lib/software-name.package.yml`: + +```yaml +url: https://dl.tailscale.com/stable/tailscale-setup-1.72.0.exe +install_script: + path: ../lib/software/tailscale-install-script.ps1 +self_service: true +``` + +`lib/software/tailscale-install-script.ps1` + +```yaml +$exeFilePath = "${env:INSTALLER_PATH}" +$installProcess = Start-Process $exeFilePath ` + -ArgumentList "/quiet /norestart" ` + -PassThru -Verb RunAs -Wait +``` + +`default.yml`, `teams/team-name.yml`, or `teams/no-team.yml` + +```yaml +software: + packages: + - path: ../lib/software-name.package.yml +# path is relative to default.yml or teams/team-name.yml +``` + ### org_settings and team_settings #### features @@ -640,6 +685,19 @@ Once the IdP settings are configured, you can use the [`controls.macos_setup.ena Can only be configured for all teams (`org_settings`). +##### end_user_authentication + +The `end_user_authentication` section lets you define the identity provider (IdP) settings used for end user authentication during Automated Device Enrollment (ADE). Learn more about end user authentication in Fleet [here](https://fleetdm.com/guides/macos-setup-experience#end-user-authentication-and-eula). + +Once the IdP settings are configured, you can use the [`controls.macos_setup.enable_end_user_authentication`](#macos_setup) key to control the end user experience during ADE. + +- `idp_name` is the human-friendly name for the identity provider that will provide single sign-on authentication (default: `""`). +- `entity_id` is the entity ID: a Uniform Resource Identifier (URI) that you use to identify Fleet when configuring the identity provider. It must exactly match the Entity ID field used in identity provider configuration (default: `""`). +- `metadata` is the metadata (in XML format) provided by the identity provider. (default: `""`) +- `metadata_url` is the URL that references the identity provider metadata. Only one of `metadata` or `metadata_url` is required (default: `""`). + +Can only be configured for all teams (`org_settings`). + diff --git a/docs/Contributing/API-for-contributors.md b/docs/Contributing/API-for-contributors.md index ec39149199..2ba361b2c3 100644 --- a/docs/Contributing/API-for-contributors.md +++ b/docs/Contributing/API-for-contributors.md @@ -543,11 +543,13 @@ The MDM endpoints exist to support the related command-line interface sub-comman - [Batch-apply MDM custom settings](#batch-apply-mdm-custom-settings) - [Initiate SSO during DEP enrollment](#initiate-sso-during-dep-enrollment) - [Complete SSO during DEP enrollment](#complete-sso-during-dep-enrollment) +- [Over the air enrollment](#over-the-air-enrollment) - [Preassign profiles to devices](#preassign-profiles-to-devices) - [Match preassigned profiles](#match-preassigned-profiles) - [Get FileVault statistics](#get-filevault-statistics) - [Upload VPP content token](#upload-vpp-content-token) - [Disable VPP](#disable-vpp) +- [Get an over the air (OTA) enrollment profile](#get-an-over-the-air-ota-enrollment-profile) ### Generate Apple Business Manager public key (ADE) @@ -1029,6 +1031,34 @@ If the credentials are valid, the server redirects the client to the Fleet UI. T - `profile_token` is a token that can be used to download an enrollment profile (.mobileconfig). - `eula_token` (optional) if an EULA was uploaded, this contains a token that can be used to view the EULA document. +### Over the air enrollment + +This endpoint handles over the air (OTA) MDM enrollments + +`POST /api/v1/fleet/ota_enrollment` + +#### Parameters + +| Name | Type | In | Description | +| ------------------- | ------ | ---- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| enroll_secret | string | url | **Required** Assigns the host to a team with a matching enroll secret | +| XML device response | XML | body | **Required**. The XML response from the device. Fields are documented [here](https://developer.apple.com/library/archive/documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/ConfigurationProfileExamples/ConfigurationProfileExamples.html#//apple_ref/doc/uid/TP40009505-CH4-SW7) | + +> Note: enroll secrets can contain special characters. Ensure any special characters are [properly escaped](https://developer.mozilla.org/en-US/docs/Glossary/Percent-encoding). + +#### Example + +`POST /api/v1/fleet/ota_enrollment?enroll_secret=0Z6IuKpKU4y7xl%2BZcrp2gPcMi1kKNs3p` + +##### Default response + +`Status: 200` + +Per [the spec](https://developer.apple.com/library/archive/documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/Introduction/Introduction.html#//apple_ref/doc/uid/TP40009505-CH1-SW1), the response is different depending on the signature of the XML device response: + +- If the body is signed with a certificate that can be validated by our root SCEP certificate, it returns an enrollment profile. +- Otherwise, it returns a SCEP payload. + ### Preassign profiles to devices _Available in Fleet Premium_ @@ -1453,12 +1483,14 @@ NOTE: when updating a policy, team and platform will be ignored. "name": "new policy", "description": "This will be a new policy because a policy with the name 'new policy' doesn't exist in Fleet.", "query": "SELECT * FROM osquery_info", + "team": "No team", "resolution": "some resolution steps here", "critical": false }, { "name": "Is FileVault enabled on macOS devices?", "query": "SELECT 1 FROM disk_encryption WHERE user_uuid IS NOT “” AND filevault_status = ‘on’ LIMIT 1;", + "team": "Workstations", "description": "Checks to make sure that the FileVault feature is enabled on macOS devices.", "resolution": "Choose Apple menu > System Preferences, then click Security & Privacy. Click the FileVault tab. Click the Lock icon, then enter an administrator name and password. Click Turn On FileVault.", "platform": "darwin", @@ -3293,36 +3325,7 @@ If both `team_id` and `team_name` parameters are included, this endpoint will re `Status: 204` -## Software - -### Batch-apply software - -_Available in Fleet Premium._ - -`POST /api/v1/fleet/software/batch` - -#### Parameters - -| Name | Type | In | Description | -| --------- | ------ | ----- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| team_id | number | query | The ID of the team to add the software package to. Only one team identifier (`team_id` or `team_name`) can be included in the request, omit this parameter if using `team_name`. Ommitting these parameters will add software to 'No Team'. | -| team_name | string | query | The name of the team to add the software package to. Only one team identifier (`team_id` or `team_name`) can be included in the request, omit this parameter if using `team_id`. Ommitting these parameters will add software to 'No Team'. | -| dry_run | bool | query | If `true`, will validate the provided software packages and return any validation errors, but will not apply the changes. | -| software | object | body | The team's software that will be available for install. | -| software.packages | list | body | An array of objects. Each object consists of:`url`- URL to the software package (PKG, MSI, EXE or DEB),`install_script` - command that Fleet runs to install software, `pre_install_query` - condition query that determines if the install will proceed, `post_install_script` - script that runs after software install, and `uninstall_script` - command that Fleet runs to uninstall software. | -| software.app_store_apps | list | body | An array objects. Each object consists of `app_store_id` - ID of the App Store app. | - -If both `team_id` and `team_name` parameters are included, this endpoint will respond with an error. If no `team_name` or `team_id` is provided, the scripts will be applied for **all hosts**. - -#### Example - -`POST /api/v1/fleet/software/batch` - -##### Default response - -`Status: 204` - - ### Run live script +### Run live script Run a live script and get results back (5 minute timeout). Live scripts only runs on the host if it has no other scripts running. @@ -3361,62 +3364,3 @@ Run a live script and get results back (5 minute timeout). Live scripts only run "exit_code": 0 } ``` - -### Get token to download package - -_Available in Fleet Premium._ - -`POST /api/v1/fleet/software/titles/:software_title_id/package/token?alt=media` - -The returned token is a one-time use token that expires after 10 minutes. - -#### Parameters - -| Name | Type | In | Description | -|-------------------|---------|-------|------------------------------------------------------------------| -| software_title_id | integer | path | **Required**. The ID of the software title for software package. | -| team_id | integer | query | **Required**. The team ID containing the software package. | -| alt | integer | query | **Required**. Must be specified and set to "media". | - -#### Example - -`POST /api/v1/fleet/software/titles/123/package/token?alt=media&team_id=2` - -##### Default response - -`Status: 200` - -```json -{ - "token": "e905e33e-07fe-4f82-889c-4848ed7eecb7" -} -``` - -### Download package using a token - -_Available in Fleet Premium._ - -`GET /api/v1/fleet/software/titles/:software_title_id/package/token/:token?alt=media` - -#### Parameters - -| Name | Type | In | Description | -|-------------------|---------|------|--------------------------------------------------------------------------| -| software_title_id | integer | path | **Required**. The ID of the software title to download software package. | -| token | string | path | **Required**. The token to download the software package. | - -#### Example - -`GET /api/v1/fleet/software/titles/123/package/token/e905e33e-07fe-4f82-889c-4848ed7eecb7` - -##### Default response - -`Status: 200` - -```http -Status: 200 -Content-Type: application/octet-stream -Content-Disposition: attachment -Content-Length: -Body: -``` diff --git a/docs/REST API/rest-api.md b/docs/REST API/rest-api.md index c160aac679..638728015b 100644 --- a/docs/REST API/rest-api.md +++ b/docs/REST API/rest-api.md @@ -484,6 +484,22 @@ for pagination. For a comprehensive list of activity types and detailed informat ```json { "activities": [ + { + "created_at": "2023-07-27T14:35:08Z", + "id": 25, + "actor_full_name": "Anna Chao", + "actor_id": 3, + "actor_gravatar": "", + "actor_email": "", + "type": "uninstalled_software", + "details": { + "host_id": 1, + "host_display_name": "Marko's MacBook Pro", + "software_title": "Adobe Acrobat.app", + "script_execution_id": "eeeddb94-52d3-4071-8b18-7322cd382abb", + "status": "failed" + } + }, { "created_at": "2021-07-30T13:41:07Z", "id": 24, @@ -4241,7 +4257,7 @@ Resends a configuration profile for the specified host. "last_install": { "install_uuid": "8bbb8ac2-b254-4387-8cba-4d8a0407368b", "installed_at": "2024-05-15T15:23:57Z" - }, + } }, "app_store_app": null "source": "apps", @@ -4262,10 +4278,16 @@ Resends a configuration profile for the specified host. "name": "FalconSensor-6.44.pkg" "self_service": false, "last_install": null + "last_install": null, + "last_uninstall": { + "script_execution_id": "ed579e73-0f41-46c8-aaf4-3c1e5880ed27", + "uninstalled_at": "2024-05-15T15:23:57Z" + } }, "app_store_app": null "source": "", "status": null, + "status": "pending_uninstall", "installed_versions": [], }, { @@ -4546,6 +4568,38 @@ To wipe a macOS, iOS, iPadOS, or Windows host, the host must have MDM turned on. ```json { "activities": [ + { + "created_at": "2023-07-27T14:35:08Z", + "actor_id": 1, + "actor_full_name": "Anna Chao", + "id": 4, + "actor_gravatar": "", + "actor_email": "", + "type": "uninstalled_software", + "details": { + "host_id": 1, + "host_display_name": "Marko’s MacBook Pro", + "software_title": "Adobe Acrobat.app", + "script_execution_id": "ecf22dba-07dc-40a9-b122-5480e948b756", + "status": "failed" + } + }, + { + "created_at": "2023-07-27T14:35:08Z", + "actor_id": 1, + "actor_full_name": "Anna Chao", + "id": 3, + "actor_gravatar": "", + "actor_email": "", + "type": "uninstalled_software", + "details": { + "host_id": 1, + "host_display_name": "Marko’s MacBook Pro", + "software_title": "Adobe Acrobat.app", + "script_execution_id": "ecf22dba-07dc-40a9-b122-5480e948b756", + "status": "uninstalled" + } + }, { "created_at": "2023-07-27T14:35:08Z", "id": 2, @@ -4610,6 +4664,23 @@ To wipe a macOS, iOS, iPadOS, or Windows host, the host must have MDM turned on. { "count": 3, "activities": [ + { + "created_at": "2023-07-27T14:35:08Z", + "actor_id": 1, + "actor_full_name": "Anna Chao", + "uuid": "cc081637-fdf9-4d44-929f-96dfaec00f67", + "actor_gravatar": "", + "actor_email": "", + "type": "uninstalled_software", + "fleet_initiated_activity": false, + "details": { + "host_id": 1, + "host_display_name": "Marko's MacBook Pro", + "software_title": "Adobe Acrobat.app", + "script_execution_id": "ecf22dba-07dc-40a9-b122-5480e948b756", + "status": "pending_uninstall", + } + }, { "created_at": "2023-07-27T14:35:08Z", "uuid": "d6cffa75-b5b5-41ef-9230-15073c8a88cf", @@ -6812,6 +6883,29 @@ Team policies work the same as policies, but at the team level. "failing_host_count": 0, "host_count_updated_at": "2023-12-20T15:23:57Z", "calendar_events_enabled": false + }, + { + "id": 3, + "name": "macOS - install/update Adobe Acrobat", + "query": "SELECT 1 FROM apps WHERE name = \"Adobe Acrobat.app\" AND bundle_short_version != \"24.002.21005\";", + "description": "Checks if the hard disk is encrypted on Windows devices", + "critical": false, + "author_id": 43, + "author_name": "Alice", + "author_email": "alice@example.com", + "team_id": 1, + "resolution": "Resolution steps", + "platform": "darwin", + "created_at": "2021-12-16T14:37:37Z", + "updated_at": "2021-12-16T16:39:00Z", + "passing_host_count": 2300, + "failing_host_count": 3, + "host_count_updated_at": "2023-12-20T15:23:57Z", + "calendar_events_enabled": false, + "install_software": { + "name": "Adobe Acrobat.app", + "software_title_id": 1234 + } } ], "inherited_policies": [ @@ -6993,6 +7087,7 @@ The semantics for creating a team policy are the same as for global policies, se | resolution | string | body | The resolution steps for the policy. | | platform | string | body | Comma-separated target platforms, currently supported values are "windows", "linux", "darwin". The default, an empty string means target all platforms. | | critical | boolean | body | _Available in Fleet Premium_. Mark policy as critical/high impact. | +| software_title_id | integer | body | _Available in Fleet Premium_. ID of software title to install if the policy fails. | Either `query` or `query_id` must be provided. @@ -7036,7 +7131,11 @@ Either `query` or `query_id` must be provided. "passing_host_count": 0, "failing_host_count": 0, "host_count_updated_at": null, - "calendar_events_enabled": false + "calendar_events_enabled": false, + "install_software": { + "name": "Adobe Acrobat.app", + "software_title_id": 1234 + } } } ``` @@ -7091,6 +7190,7 @@ Either `query` or `query_id` must be provided. | platform | string | body | Comma-separated target platforms, currently supported values are "windows", "linux", "darwin". The default, an empty string means target all platforms. | | critical | boolean | body | _Available in Fleet Premium_. Mark policy as critical/high impact. | | calendar_events_enabled | boolean | body | _Available in Fleet Premium_. Whether to trigger calendar events when policy is failing. | +| software_title_id | integer | body | _Available in Fleet Premium_. ID of software title to install if the policy fails. | #### Example @@ -7132,7 +7232,11 @@ Either `query` or `query_id` must be provided. "passing_host_count": 0, "failing_host_count": 0, "host_count_updated_at": null, - "calendar_events_enabled": true + "calendar_events_enabled": true, + "install_software": { + "name": "Adobe Acrobat.app", + "software_title_id": 1234 + } } } ``` @@ -8300,12 +8404,15 @@ Gets the result of a script that was executed. "host_timeout": false, "host_id": 1, "execution_id": "e797d6c6-3aae-11ee-be56-0242ac120002", - "runtime": 20 + "runtime": 20, + "created_at": "2024-09-11T20:30:24Z" } ``` > Note: `exit_code` can be `null` if Fleet hasn't heard back from the host yet. +> Note: `created_at` is the creation timestamp of the script execution request. + ### Add script Uploads a script, making it available to run on hosts assigned to the specified team (or no team). @@ -8539,10 +8646,15 @@ Deletes the session specified by ID. When the user associated with the session n - [Add package](#add-package) - [List App Store apps](#list-app-store-apps) - [Add App Store app](#add-app-store-app) +- [Add Fleet library app](#add-fleet-library-app) - [Install package or App Store app](#install-package-or-app-store-app) - [Get package install result](#get-package-install-result) - [Download package](#download-package) - [Delete package or App Store app](#delete-package-or-app-store-app) +- [Batch-apply software](#batch-apply-software) +- [Batch-apply app store apps](#batch-apply-app-store-apps) +- [Get token to download package](#get-token-to-download-package) +- [Download package using a token](#download-package-using-a-token) ### List software @@ -8854,14 +8966,17 @@ Returns information about the specified software. By default, `versions` are sor "installer_id": 23, "team_id": 3, "uploaded_at": "2024-04-01T14:22:58Z", - "install_script": "sudo installer -pkg /temp/FalconSensor-6.44.pkg -target /", + "install_script": "sudo installer -pkg '$INSTALLER_PATH' -target /", "pre_install_query": "SELECT 1 FROM macos_profiles WHERE uuid='c9f4f0d5-8426-4eb8-b61b-27c543c9d3db';", "post_install_script": "sudo /Applications/Falcon.app/Contents/Resources/falconctl license 0123456789ABCDEFGHIJKLMNOPQRSTUV-WX", + "uninstall_script": "/Library/CS/falconctl uninstall", "self_service": true, "status": { "installed": 3, - "pending": 1, - "failed": 2, + "pending_install": 1, + "failed_install": 0, + "pending_uninstall": 2, + "failed_uninstall": 1 } }, "app_store_app": null, @@ -9067,7 +9182,7 @@ Add a package (.pkg, .msi, .exe, .deb) to install on macOS, Windows, or Linux (U | ---- | ------- | ---- | -------------------------------------------- | | software | file | form | **Required**. Installer package file. Supported packages are PKG, MSI, EXE, and DEB. | | team_id | integer | form | **Required**. The team ID. Adds a software package to the specified team. | -| install_script | string | form | Command that Fleet runs to install software. If not specified Fleet runs [default install command](https://github.com/fleetdm/fleet/tree/f71a1f183cc6736205510580c8366153ea083a8d/pkg/file/scripts) for each package type. | +| install_script | string | form | Script that Fleet runs to install software. If not specified Fleet runs [default install script](https://github.com/fleetdm/fleet/tree/f71a1f183cc6736205510580c8366153ea083a8d/pkg/file/scripts) for each package type. | | pre_install_query | string | form | Query that is pre-install condition. If the query doesn't return any result, Fleet won't proceed to install. | | post_install_script | string | form | The contents of the script to run after install. If the specified script fails (exit code non-zero) software install will be marked as failed and rolled back. | | self_service | boolean | form | Self-service software is optional and can be installed by the end user. | @@ -9112,6 +9227,87 @@ Content-Type: application/octet-stream `Status: 200` +### Modify package + +_Available in Fleet Premium._ + +Update a package to install on macOS, Windows, or Linux (Ubuntu) hosts. + +`PATCH /api/v1/fleet/software/titles/:title_id/package` + +#### Parameters + +| Name | Type | In | Description | +| ---- | ------- | ---- | -------------------------------------------- | +| software | file | form | Installer package file. Supported packages are PKG, MSI, EXE, and DEB. | +| team_id | integer | form | **Required**. The team ID. Updates a software package in the specified team. | +| install_script | string | form | Command that Fleet runs to install software. If not specified Fleet runs the [default install command](https://github.com/fleetdm/fleet/tree/f71a1f183cc6736205510580c8366153ea083a8d/pkg/file/scripts) for each package type. | +| pre_install_query | string | form | Query that is pre-install condition. If the query doesn't return any result, the package will not be installed. | +| post_install_script | string | form | The contents of the script to run after install. If the specified script fails (exit code non-zero) software install will be marked as failed and rolled back. | +| self_service | boolean | form | Whether this is optional self-service software that can be installed by the end user. | + +> Changes to the installer package will reset installation counts. Changes to any field other than `self_service` will cancel pending installs for the old package. +#### Example + +`PATCH /api/v1/fleet/software/titles/1/package` + +##### Request header + +```http +Content-Length: 8500 +Content-Type: multipart/form-data; boundary=------------------------d8c247122f594ba0 +``` + +##### Request body + +```http +--------------------------d8c247122f594ba0 +Content-Disposition: form-data; name="team_id" +1 +--------------------------d8c247122f594ba0 +Content-Disposition: form-data; name="self_service" +true +--------------------------d8c247122f594ba0 +Content-Disposition: form-data; name="install_script" +sudo installer -pkg /temp/FalconSensor-6.44.pkg -target / +--------------------------d8c247122f594ba0 +Content-Disposition: form-data; name="pre_install_query" +SELECT 1 FROM macos_profiles WHERE uuid='c9f4f0d5-8426-4eb8-b61b-27c543c9d3db'; +--------------------------d8c247122f594ba0 +Content-Disposition: form-data; name="post_install_script" +sudo /Applications/Falcon.app/Contents/Resources/falconctl license 0123456789ABCDEFGHIJKLMNOPQRSTUV-WX +--------------------------d8c247122f594ba0 +Content-Disposition: form-data; name="software"; filename="FalconSensor-6.44.pkg" +Content-Type: application/octet-stream + +--------------------------d8c247122f594ba0 +``` + +##### Default response + +`Status: 200` + +```json +{ + "software_package": { + "name": "FalconSensor-6.44.pkg", + "version": "6.44", + "installer_id": 23, + "team_id": 3, + "uploaded_at": "2024-04-01T14:22:58Z", + "install_script": "sudo installer -pkg /temp/FalconSensor-6.44.pkg -target /", + "pre_install_query": "SELECT 1 FROM macos_profiles WHERE uuid='c9f4f0d5-8426-4eb8-b61b-27c543c9d3db';", + "post_install_script": "sudo /Applications/Falcon.app/Contents/Resources/falconctl license 0123456789ABCDEFGHIJKLMNOPQRSTUV-WX", + "self_service": true, + "status": { + "installed": 0, + "pending": 0, + "failed": 0 + } + } +} +``` + ### List App Store apps > **Experimental feature**. This feature is undergoing rapid improvement, which may result in breaking changes to the API or configuration surface. It is not recommended for use in automated workflows. @@ -9238,9 +9434,7 @@ _Available in Fleet Premium._ Install software (package or App Store app) on a macOS, iOS, iPadOS, Windows, or Linux (Ubuntu) host. Software title must have a `software_package` or `app_store_app` added to be installed. -> Note: Fleet's agent (fleetd) only installs software it has been asked to install, but technically has access to all installer executables. - -`POST /api/v1/fleet/hosts/:id/software/install/:software_title_id` +`POST /api/v1/fleet/hosts/:id/software/:software_title_id/install` #### Parameters @@ -9251,7 +9445,31 @@ Install software (package or App Store app) on a macOS, iOS, iPadOS, Windows, or #### Example -`POST /api/v1/fleet/hosts/123/software/install/3435` +`POST /api/v1/fleet/hosts/123/software/3435/install` + +##### Default response + +`Status: 202` + +### Uninstall package + +> **Experimental feature**. This feature is undergoing rapid improvement, which may result in breaking changes to the API or configuration surface. It is not recommended for use in automated workflows. +_Available in Fleet Premium._ + +Uninstall software (package) on a macOS, Windows, or Linux (Ubuntu) host. Software title must have a `software_package` added to be uninstalled. + +`POST /api/v1/fleet/hosts/:id/software/:software_title_id/uninstall` + +#### Parameters + +| Name | Type | In | Description | +| --------- | ---------- | ---- | -------------------------------------------- | +| id | integer | path | **Required**. The host's ID. | +| software_title_id | integer | path | **Required**. The software title's ID. | + +#### Example + +`POST /api/v1/fleet/hosts/123/software/3435/uninstall` ##### Default response @@ -9263,7 +9481,7 @@ Install software (package or App Store app) on a macOS, iOS, iPadOS, Windows, or _Available in Fleet Premium._ -`GET /api/v1/fleet/software/install/results/:install_uuid` +`GET /api/v1/fleet/software/install/:install_uuid/results` Get the results of a software package install. @@ -9275,7 +9493,7 @@ To get the results of an App Store app install, use the [List MDM commands](#lis #### Example -`GET /api/v1/fleet/software/install/results/b15ce221-e22e-4c6a-afe7-5b3400a017da` +`GET /api/v1/fleet/software/install/b15ce221-e22e-4c6a-afe7-5b3400a017da/results` ##### Default response @@ -9321,6 +9539,117 @@ Deletes software that's available for install (package or App Store app). `Status: 204` +### Batch-apply software + +_Available in Fleet Premium._ + +`POST /api/v1/fleet/software/batch` + +#### Parameters + +| Name | Type | In | Description | +| --------- | ------ | ----- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| team_id | number | query | The ID of the team to add the software package to. Only one team identifier (`team_id` or `team_name`) can be included in the request; omit this parameter if using `team_name`. Omitting these parameters will add software to "No Team". | +| team_name | string | query | The name of the team to add the software package to. Only one team identifier (`team_id` or `team_name`) can be included in the request; omit this parameter if using `team_id`. Omitting these parameters will add software to "No Team". | +| dry_run | bool | query | If `true`, will validate the provided software packages and return any validation errors, but will not apply the changes. | +| software | object | body | The team's software that will be available for install. | +| software.packages | list | body | An array of objects. Each object consists of:`url`- URL to the software package (PKG, MSI, EXE or DEB),`install_script` - command that Fleet runs to install software, `pre_install_query` - condition query that determines if the install will proceed, `post_install_script` - script that runs after software install, and `uninstall_script` - command that Fleet runs to uninstall software. | +| software.app_store_apps | list | body | An array objects. Each object consists of `app_store_id` - ID of the App Store app. | + +If both `team_id` and `team_name` parameters are included, this endpoint will respond with an error. If no `team_name` or `team_id` is provided, the scripts will be applied for **all hosts**. + +#### Example + +`POST /api/v1/fleet/software/batch` + +##### Default response + +`Status: 204` + +### Batch-apply app store apps + +_Available in Fleet Premium._ + +`POST /api/v1/fleet/software/app_store_apps/batch` + +#### Parameters + +| Name | Type | In | Description | +|-----------------|---------|-------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| team_name | integer | query | **Required**. The name of the team to add the app to. | +| dry_run | bool | query | If `true`, will validate the provided apps and return any validation errors, but will not apply the changes. | +| apps_store_apps | list | body | The list of objects containing `app_store_id`: a string representation of the app's App ID, `self_service`: a bool indicating if the app's installation can be initiated by end users. | + +> Note that this endpoint replaces all apps associated with a team. + +#### Example + +`POST /api/v1/fleet/software/app_store_apps/batch` + +#### Default response + +`Status: 204` + +### Get token to download package + +_Available in Fleet Premium._ + +`POST /api/v1/fleet/software/titles/:software_title_id/package/token?alt=media` + +The returned token is a one-time use token that expires after 10 minutes. + +#### Parameters + +| Name | Type | In | Description | +|-------------------|---------|-------|------------------------------------------------------------------| +| software_title_id | integer | path | **Required**. The ID of the software title for software package. | +| team_id | integer | query | **Required**. The team ID containing the software package. | +| alt | integer | query | **Required**. Must be specified and set to "media". | + +#### Example + +`POST /api/v1/fleet/software/titles/123/package/token?alt=media&team_id=2` + +##### Default response + +`Status: 200` + +```json +{ + "token": "e905e33e-07fe-4f82-889c-4848ed7eecb7" +} +``` + +### Download package using a token + +_Available in Fleet Premium._ + +`GET /api/v1/fleet/software/titles/:software_title_id/package/token/:token?alt=media` + +#### Parameters + +| Name | Type | In | Description | +|-------------------|---------|------|--------------------------------------------------------------------------| +| software_title_id | integer | path | **Required**. The ID of the software title to download software package. | +| token | string | path | **Required**. The token to download the software package. | + +#### Example + +`GET /api/v1/fleet/software/titles/123/package/token/e905e33e-07fe-4f82-889c-4848ed7eecb7` + +##### Default response + +`Status: 200` + +```http +Status: 200 +Content-Type: application/octet-stream +Content-Disposition: attachment +Content-Length: +Body: +``` + + ## Vulnerabilities - [List vulnerabilities](#list-vulnerabilities) diff --git a/frontend/pages/SoftwarePage/SoftwareAddPage/SoftwareAppStoreVpp/AddSoftwareVppForm/AddSoftwareVppForm.tsx b/frontend/pages/SoftwarePage/SoftwareAddPage/SoftwareAppStoreVpp/AddSoftwareVppForm/AddSoftwareVppForm.tsx index 12b5db6226..3fb066d791 100644 --- a/frontend/pages/SoftwarePage/SoftwareAddPage/SoftwareAppStoreVpp/AddSoftwareVppForm/AddSoftwareVppForm.tsx +++ b/frontend/pages/SoftwarePage/SoftwareAddPage/SoftwareAppStoreVpp/AddSoftwareVppForm/AddSoftwareVppForm.tsx @@ -149,6 +149,9 @@ const AddSoftwareVppForm = ({ const onSelectApp = (app: IVppApp) => { setIsSubmitDisabled(false); setSelectedApp(app); + if (app.platform === "ios" || app.platform === "ipados") { + setIsSelfService(false); + } }; const onAddSoftware = async (evt: React.FormEvent) => { @@ -181,6 +184,27 @@ const AddSoftwareVppForm = ({ setIsUploading(false); }; + const renderSelfServiceContent = (platform: string) => { + if (platform !== "ios" && platform !== "ipados") { + return ( + setIsSelfService(newVal)} + className={`${baseClass}__self-service-checkbox`} + tooltipContent={ + <> + End users can install from Fleet Desktop {">"}{" "} + Self-service. + + } + > + Self-service + + ); + } + return null; + }; + const renderContent = () => { if (!hasVppToken) { return ; @@ -203,19 +227,9 @@ const AddSoftwareVppForm = ({ apps, head to{" "} - setIsSelfService(newVal)} - className={`${baseClass}__self-service-checkbox`} - tooltipContent={ - <> - End users can install from Fleet Desktop {">"}{" "} - Self-service. - - } - > - Self-service - + {renderSelfServiceContent( + (selectedApp && selectedApp.platform) || "" + )} ); } diff --git a/frontend/pages/SoftwarePage/SoftwareAddPage/SoftwareAppStoreVpp/AddSoftwareVppForm/helpers.tsx b/frontend/pages/SoftwarePage/SoftwareAddPage/SoftwareAppStoreVpp/AddSoftwareVppForm/helpers.tsx index a0130de802..9740cc2a90 100644 --- a/frontend/pages/SoftwarePage/SoftwareAddPage/SoftwareAppStoreVpp/AddSoftwareVppForm/helpers.tsx +++ b/frontend/pages/SoftwarePage/SoftwareAddPage/SoftwareAppStoreVpp/AddSoftwareVppForm/helpers.tsx @@ -33,13 +33,15 @@ const generateAlreadyAvailableMessage = (msg: string) => { // eslint-disable-next-line import/prefer-default-export export const getErrorMessage = (e: unknown) => { - const reason = getErrorReason(e); - + let reason = getErrorReason(e); // software is already available for install if (reason.toLowerCase().includes("already")) { return generateAlreadyAvailableMessage(reason); } - return DEFAULT_ERROR_MESSAGE; + if (reason && !reason.endsWith(".")) { + reason += "."; + } + return reason || DEFAULT_ERROR_MESSAGE; }; export const getUniqueAppId = (app: IVppApp) => diff --git a/frontend/pages/hosts/details/HostDetailsPage/_styles.scss b/frontend/pages/hosts/details/HostDetailsPage/_styles.scss index 3809916a6b..25f6e705f6 100644 --- a/frontend/pages/hosts/details/HostDetailsPage/_styles.scss +++ b/frontend/pages/hosts/details/HostDetailsPage/_styles.scss @@ -63,11 +63,6 @@ flex-direction: row; } } - &__block { - display: flex; - flex-direction: column; - margin-right: $pad-xxlarge; - } &__data { margin-bottom: $pad-medium; diff --git a/frontend/pages/hosts/details/_styles.scss b/frontend/pages/hosts/details/_styles.scss index e3f17951b7..f2ef26fe9d 100644 --- a/frontend/pages/hosts/details/_styles.scss +++ b/frontend/pages/hosts/details/_styles.scss @@ -21,41 +21,6 @@ margin: 0 0 $pad-medium 0; } - .info-grid { - display: grid; - grid-auto-flow: column; - grid-template-columns: repeat( - 3, - max-content - ); // Prevents overflow off screen - grid-template-rows: repeat(4, 1fr); - column-gap: $pad-xxlarge; - row-gap: $pad-medium; - - @media (min-width: $break-md) { - grid-template-columns: repeat(4, max-content); - grid-template-rows: repeat(3, 1fr); - } - - &__block { - font-size: $x-small; - display: flex; - flex-direction: column; - white-space: nowrap; - } - - &__data { - .device-mapping { - &__source { - color: $ui-fleet-black-75; - } - &__more { - color: $ui-fleet-black-50; - } - } - } - } - .list { list-style: none; padding: 0; diff --git a/frontend/pages/hosts/details/cards/About/About.tsx b/frontend/pages/hosts/details/cards/About/About.tsx index 94d1bdf36f..f1667f8900 100644 --- a/frontend/pages/hosts/details/cards/About/About.tsx +++ b/frontend/pages/hosts/details/cards/About/About.tsx @@ -189,11 +189,11 @@ const About = ({

About

-
+
Permission sets". Find the [inbox permission set](https://fleetdm.lightning.force.com/lightning/setup/PermSets/page?address=%2F005%3Fid%3D0PS4x000002uUn2%26isUserEntityOverride%3D1%26SetupNode%3DPermSets%26sfdcIFrameOrigin%3Dhttps%253A%252F%252Ffleetdm.lightning.force.com%26clc%3D1) and assign it to the new team member. + - To enable email sync for a user: + - Navigate to the [user’s record](https://fleetdm.lightning.force.com/lightning/setup/ManageUsers/home) and scroll to the bottom of the permission set section. + - Add the “Inbox with Einstein Activity Capture” permission set and save. + - Navigate to the ["Einstein Activity Capture Settings"](https://fleetdm.lightning.force.com/lightning/setup/ActivitySyncEngineSettingsMain/home) and click the "Configurations" tab. + - Select "Edit", under "User and Profile Assignments" move the new user's name from "Available" to "Selected", scroll all the way down and click save. ### Change the "Integrations admin" Salesforce account password diff --git a/handbook/sales/README.md b/handbook/sales/README.md index c27cbc8785..46688864e5 100644 --- a/handbook/sales/README.md +++ b/handbook/sales/README.md @@ -10,6 +10,7 @@ This handbook page details processes specific to working [with](#contact-us) and | Chief Revenue Officer (CRO) | [Alex Mitchell](https://www.linkedin.com/in/alexandercmitchell/) _([@alexmitchelliii](https://github.com/alexmitchelliii))_ | Solutions Consulting (SC) | [Dave Herder](https://www.linkedin.com/in/daveherder/) _([@dherder](https://github.com/dherder))_
[Zach Wasserman](https://www.linkedin.com/in/zacharywasserman/) _([@zwass](https://github.com/zwass))_
[Allen Houchins](https://www.linkedin.com/in/allenhouchins/) _([@allenhouchins](https://github.com/allenhouchins))_
[Harrison Ravazzolo](https://www.linkedin.com/in/harrison-ravazzolo/) _([@harrisonravazzolo](https://github.com/harrisonravazzolo))_ | Channel Sales | [Tom Ostertag](https://www.linkedin.com/in/tom-ostertag-77212791/) _([@tomostertag](https://github.com/TomOstertag))_ +| Sr. Account Executive | [Kendra McKeever](https://www.linkedin.com/in/kendramckeever/) _([@KendraAtFleet](https://github.com/KendraAtFleet))_ | Account Executive (AE) | [Patricia Ambrus](https://www.linkedin.com/in/pambrus/) _([@ambrusps](https://github.com/ambrusps))_
[Anthony Snyder](https://www.linkedin.com/in/anthonysnyder8/) _([@anthonysnyder8](https://github.com/AnthonySnyder8))_
[Paul Tardif](https://www.linkedin.com/in/paul-t-750833/) _([@phtardif1](https://github.com/phtardif1))_ diff --git a/infrastructure/dogfood/terraform/aws/variables.tf b/infrastructure/dogfood/terraform/aws/variables.tf index db7a79e5e1..2020de2f83 100644 --- a/infrastructure/dogfood/terraform/aws/variables.tf +++ b/infrastructure/dogfood/terraform/aws/variables.tf @@ -56,7 +56,7 @@ variable "database_name" { variable "fleet_image" { description = "the name of the container image to run" - default = "fleetdm/fleet:v4.56.0" + default = "fleetdm/fleet:v4.57.0" } variable "software_inventory" { diff --git a/infrastructure/dogfood/terraform/gcp/variables.tf b/infrastructure/dogfood/terraform/gcp/variables.tf index ba81f4af53..906a58c153 100644 --- a/infrastructure/dogfood/terraform/gcp/variables.tf +++ b/infrastructure/dogfood/terraform/gcp/variables.tf @@ -68,7 +68,7 @@ variable "redis_mem" { } variable "image" { - default = "fleetdm/fleet:v4.56.0" + default = "fleetdm/fleet:v4.57.0" } variable "software_installers_bucket_name" { diff --git a/infrastructure/loadtesting/terraform/ecs.tf b/infrastructure/loadtesting/terraform/ecs.tf index cce392657a..2327c2787b 100644 --- a/infrastructure/loadtesting/terraform/ecs.tf +++ b/infrastructure/loadtesting/terraform/ecs.tf @@ -203,7 +203,11 @@ resource "aws_ecs_task_definition" "backend" { { name = "FLEET_OSQUERY_ASYNC_HOST_REDIS_SCAN_KEYS_COUNT" value = "10000" - } + }, + { + name = "FLEET_S3_SOFTWARE_INSTALLERS_BUCKET" + value = aws_s3_bucket.software_installers.bucket + }, ], local.additional_env_vars) } ]) @@ -329,18 +333,18 @@ resource "aws_appautoscaling_policy" "ecs_policy_cpu" { resource "random_password" "fleet_server_private_key" { length = 32 special = true -} - -resource "aws_secretsmanager_secret" "fleet_server_private_key" { +} + +resource "aws_secretsmanager_secret" "fleet_server_private_key" { name = "${terraform.workspace}-fleet-server-private-key" recovery_window_in_days = "0" lifecycle { create_before_destroy = true } -} - +} + resource "aws_secretsmanager_secret_version" "fleet_server_private_key" { secret_id = aws_secretsmanager_secret.fleet_server_private_key.id secret_string = random_password.fleet_server_private_key.result -} +} diff --git a/infrastructure/loadtesting/terraform/rds.tf b/infrastructure/loadtesting/terraform/rds.tf index 87dea81348..b70d4de1cf 100644 --- a/infrastructure/loadtesting/terraform/rds.tf +++ b/infrastructure/loadtesting/terraform/rds.tf @@ -26,10 +26,10 @@ module "aurora_mysql" { #tfsec:ignore:aws-rds-enable-performance-insights-encryp source = "terraform-aws-modules/rds-aurora/aws" version = "7.7.1" - name = "${local.name}-mysql" - engine = "aurora-mysql" - engine_version = "8.0.mysql_aurora.3.05.2" - instance_class = var.db_instance_type + name = "${local.name}-mysql" + engine = "aurora-mysql" + engine_version = "8.0.mysql_aurora.3.05.2" + instance_class = var.db_instance_type instances = { one = {} diff --git a/infrastructure/loadtesting/terraform/s3.tf b/infrastructure/loadtesting/terraform/s3.tf new file mode 100644 index 0000000000..ca15b37dba --- /dev/null +++ b/infrastructure/loadtesting/terraform/s3.tf @@ -0,0 +1,46 @@ +data "aws_iam_policy_document" "software_installers" { + statement { + actions = [ + "s3:GetObject*", + "s3:PutObject*", + "s3:ListBucket*", + "s3:ListMultipartUploadParts*", + "s3:DeleteObject", + "s3:CreateMultipartUpload", + "s3:AbortMultipartUpload", + "s3:ListMultipartUploadParts", + "s3:GetBucketLocation" + ] + resources = [aws_s3_bucket.software_installers.arn, "${aws_s3_bucket.software_installers.arn}/*"] + } +} + +resource "aws_iam_policy" "software_installers" { + policy = data.aws_iam_policy_document.software_installers.json +} + +resource "aws_iam_role_policy_attachment" "software_installers" { + policy_arn = aws_iam_policy.software_installers.arn + role = aws_iam_role.main.name +} + +resource "aws_s3_bucket" "software_installers" { #tfsec:ignore:aws-s3-encryption-customer-key:exp:2022-07-01 #tfsec:ignore:aws-s3-enable-versioning #tfsec:ignore:aws-s3-enable-bucket-logging:exp:2022-06-15 + bucket_prefix = terraform.workspace +} + +resource "aws_s3_bucket_server_side_encryption_configuration" "software_installers" { + bucket = aws_s3_bucket.software_installers.bucket + rule { + apply_server_side_encryption_by_default { + sse_algorithm = "aws:kms" + } + } +} + +resource "aws_s3_bucket_public_access_block" "software_installers" { + bucket = aws_s3_bucket.software_installers.id + block_public_acls = true + block_public_policy = true + ignore_public_acls = true + restrict_public_buckets = true +} diff --git a/it-and-security/teams/workstations-canary.yml b/it-and-security/teams/workstations-canary.yml index 353f9c8500..1d7ea39710 100644 --- a/it-and-security/teams/workstations-canary.yml +++ b/it-and-security/teams/workstations-canary.yml @@ -138,6 +138,20 @@ policies: resolution: We will perform system maintenance on your device. platform: darwin calendar_events_enabled: true + - name: macOS - Upgrade Firefox + query: SELECT 1 FROM apps WHERE name = 'Firefox.app' AND version_compare(bundle_short_version, '130.0.1') >= 0; + critical: false + description: The host may have an outdated or non-existent version of Firefox, potentially risking security vulnerabilities or compatibility issues. + resolution: During maintenance, the Firefox app could be updated to the correct version or installed if it's missing. + platform: darwin + calendar_events_enabled: false + - name: macOS - Upgrade Slack + query: SELECT 1 FROM apps WHERE name = 'Slack.app' AND version_compare(bundle_short_version, '4.40.126') >= 0; + critical: false + description: The host may be running an outdated version of Slack, which could pose security vulnerabilities or compatibility issues. + resolution: The host's Slack application will likely be updated to a version that is greater than or equal to '4.40.126'. + platform: darwin + calendar_events_enabled: false queries: - path: ../lib/collect-failed-login-attempts.queries.yml - path: ../lib/collect-fleetd-information.yml diff --git a/orbit/TUF.md b/orbit/TUF.md index 64cd1cb9f2..c022aa4a65 100644 --- a/orbit/TUF.md +++ b/orbit/TUF.md @@ -7,8 +7,8 @@ Following are the currently deployed versions of fleetd components on the `stabl | Component\OS | macOS | Linux | Windows | Linux (arm64) | |--------------|--------------|--------|---------|---------------| -| orbit | 1.32.0 | 1.32.0 | 1.32.0 | 1.32.0 | -| desktop | 1.32.0 | 1.32.0 | 1.32.0 | 1.32.0 | +| orbit | 1.33.0 | 1.33.0 | 1.33.0 | 1.33.0 | +| desktop | 1.33.0 | 1.33.0 | 1.33.0 | 1.33.0 | | osqueryd | 5.13.1 | 5.13.1 | 5.13.1 | 5.13.1 | | nudge | 1.1.10.81462 | - | - | - | | swiftDialog | 2.1.0 | - | - | - | diff --git a/terraform/addons/vuln-processing/variables.tf b/terraform/addons/vuln-processing/variables.tf index feb850667d..8d296903fd 100644 --- a/terraform/addons/vuln-processing/variables.tf +++ b/terraform/addons/vuln-processing/variables.tf @@ -24,7 +24,7 @@ variable "fleet_config" { vuln_processing_cpu = optional(number, 2048) vuln_data_stream_mem = optional(number, 1024) vuln_data_stream_cpu = optional(number, 512) - image = optional(string, "fleetdm/fleet:v4.56.0") + image = optional(string, "fleetdm/fleet:v4.57.0") family = optional(string, "fleet-vuln-processing") sidecars = optional(list(any), []) extra_environment_variables = optional(map(string), {}) @@ -82,7 +82,7 @@ variable "fleet_config" { vuln_processing_cpu = 2048 vuln_data_stream_mem = 1024 vuln_data_stream_cpu = 512 - image = "fleetdm/fleet:v4.56.0" + image = "fleetdm/fleet:v4.57.0" family = "fleet-vuln-processing" sidecars = [] extra_environment_variables = {} diff --git a/terraform/byo-vpc/byo-db/byo-ecs/variables.tf b/terraform/byo-vpc/byo-db/byo-ecs/variables.tf index 0270c8fb52..27565cb90f 100644 --- a/terraform/byo-vpc/byo-db/byo-ecs/variables.tf +++ b/terraform/byo-vpc/byo-db/byo-ecs/variables.tf @@ -16,7 +16,7 @@ variable "fleet_config" { mem = optional(number, 4096) cpu = optional(number, 512) pid_mode = optional(string, null) - image = optional(string, "fleetdm/fleet:v4.56.0") + image = optional(string, "fleetdm/fleet:v4.57.0") family = optional(string, "fleet") sidecars = optional(list(any), []) depends_on = optional(list(any), []) @@ -119,7 +119,7 @@ variable "fleet_config" { mem = 512 cpu = 256 pid_mode = null - image = "fleetdm/fleet:v4.56.0" + image = "fleetdm/fleet:v4.57.0" family = "fleet" sidecars = [] depends_on = [] diff --git a/terraform/byo-vpc/byo-db/variables.tf b/terraform/byo-vpc/byo-db/variables.tf index 0044e48e5c..041ff9d0f8 100644 --- a/terraform/byo-vpc/byo-db/variables.tf +++ b/terraform/byo-vpc/byo-db/variables.tf @@ -77,7 +77,7 @@ variable "fleet_config" { mem = optional(number, 4096) cpu = optional(number, 512) pid_mode = optional(string, null) - image = optional(string, "fleetdm/fleet:v4.56.0") + image = optional(string, "fleetdm/fleet:v4.57.0") family = optional(string, "fleet") sidecars = optional(list(any), []) depends_on = optional(list(any), []) @@ -205,7 +205,7 @@ variable "fleet_config" { mem = 512 cpu = 256 pid_mode = null - image = "fleetdm/fleet:v4.56.0" + image = "fleetdm/fleet:v4.57.0" family = "fleet" sidecars = [] depends_on = [] diff --git a/terraform/byo-vpc/example/main.tf b/terraform/byo-vpc/example/main.tf index 887b907b30..3176d07def 100644 --- a/terraform/byo-vpc/example/main.tf +++ b/terraform/byo-vpc/example/main.tf @@ -17,7 +17,7 @@ provider "aws" { } locals { - fleet_image = "fleetdm/fleet:v4.56.0" + fleet_image = "fleetdm/fleet:v4.57.0" domain_name = "example.com" } diff --git a/terraform/byo-vpc/variables.tf b/terraform/byo-vpc/variables.tf index cba22bf845..ce2a81f88c 100644 --- a/terraform/byo-vpc/variables.tf +++ b/terraform/byo-vpc/variables.tf @@ -170,7 +170,7 @@ variable "fleet_config" { mem = optional(number, 4096) cpu = optional(number, 512) pid_mode = optional(string, null) - image = optional(string, "fleetdm/fleet:v4.56.0") + image = optional(string, "fleetdm/fleet:v4.57.0") family = optional(string, "fleet") sidecars = optional(list(any), []) depends_on = optional(list(any), []) @@ -298,7 +298,7 @@ variable "fleet_config" { mem = 512 cpu = 256 pid_mode = null - image = "fleetdm/fleet:v4.56.0" + image = "fleetdm/fleet:v4.57.0" family = "fleet" sidecars = [] depends_on = [] diff --git a/terraform/example/main.tf b/terraform/example/main.tf index 33b6f5221e..2b21125179 100644 --- a/terraform/example/main.tf +++ b/terraform/example/main.tf @@ -63,8 +63,8 @@ module "fleet" { fleet_config = { # To avoid pull-rate limiting from dockerhub, consider using our quay.io mirror - # for the Fleet image. e.g. "quay.io/fleetdm/fleet:v4.56.0" - image = "fleetdm/fleet:v4.56.0" # override default to deploy the image you desire + # for the Fleet image. e.g. "quay.io/fleetdm/fleet:v4.57.0" + image = "fleetdm/fleet:v4.57.0" # override default to deploy the image you desire # See https://fleetdm.com/docs/deploy/reference-architectures#aws for appropriate scaling # memory and cpu. autoscaling = { diff --git a/terraform/variables.tf b/terraform/variables.tf index 5933307f11..7dc798cf63 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -218,7 +218,7 @@ variable "fleet_config" { mem = optional(number, 4096) cpu = optional(number, 512) pid_mode = optional(string, null) - image = optional(string, "fleetdm/fleet:v4.56.0") + image = optional(string, "fleetdm/fleet:v4.57.0") family = optional(string, "fleet") sidecars = optional(list(any), []) depends_on = optional(list(any), []) @@ -346,7 +346,7 @@ variable "fleet_config" { mem = 512 cpu = 256 pid_mode = null - image = "fleetdm/fleet:v4.56.0" + image = "fleetdm/fleet:v4.57.0" family = "fleet" sidecars = [] depends_on = [] diff --git a/tools/fleetctl-npm/package.json b/tools/fleetctl-npm/package.json index 0db37e98d5..96a4dcd081 100644 --- a/tools/fleetctl-npm/package.json +++ b/tools/fleetctl-npm/package.json @@ -1,6 +1,6 @@ { "name": "fleetctl", - "version": "v4.56.0", + "version": "v4.57.0", "description": "Installer for the fleetctl CLI tool", "bin": { "fleetctl": "./run.js" diff --git a/website/assets/images/articles/fleet-4.57.0-1600x900@2x.png b/website/assets/images/articles/fleet-4.57.0-1600x900@2x.png new file mode 100644 index 0000000000..ec48ddd12a Binary files /dev/null and b/website/assets/images/articles/fleet-4.57.0-1600x900@2x.png differ diff --git a/website/config/routes.js b/website/config/routes.js index 8c9991200f..28fdbbf106 100644 --- a/website/config/routes.js +++ b/website/config/routes.js @@ -324,6 +324,7 @@ module.exports.routes = { 'GET /use-cases/get-and-stay-compliant-across-your-devices-with-fleet': '/securing/get-and-stay-compliant-across-your-devices-with-fleet', 'GET /use-cases/import-and-export-queries-and-packs-in-fleet': '/guides/import-and-export-queries-and-packs-in-fleet', 'GET /guides/import-and-export-queries-and-packs-in-fleet': '/guides/import-and-export-queries-in-fleet', + 'GET /guides/deploy-security-agents': '/guides/deploy-software-packages', 'GET /use-cases/locate-assets-with-osquery': '/guides/locate-assets-with-osquery', 'GET /use-cases/osquery-a-tool-to-easily-ask-questions-about-operating-systems': '/guides/osquery-a-tool-to-easily-ask-questions-about-operating-systems', 'GET /use-cases/osquery-consider-joining-against-the-users-table': '/guides/osquery-consider-joining-against-the-users-table', @@ -559,10 +560,15 @@ module.exports.routes = { 'GET /learn-more-about/host-identifiers': '/docs/rest-api/rest-api#get-host-by-identifier', 'GET /learn-more-about/uninstall-fleetd': '/docs/using-fleet/faq#how-can-i-uninstall-fleetd', 'GET /learn-more-about/vulnerability-processing': '/docs/using-fleet/vulnerability-processing', + 'GET /learn-more-about/dep-profile': 'https://developer.apple.com/documentation/devicemanagement/define_a_profile', 'GET /learn-more-about/apple-business-manager-tokens-api': '/docs/rest-api/rest-api#list-apple-business-manager-abm-tokens', 'GET /learn-more-about/apple-business-manager-teams-api': 'https://github.com/fleetdm/fleet/blob/main/docs/Contributing/API-for-contributors.md#update-abm-tokens-teams', 'GET /learn-more-about/apple-business-manager-gitops': '/docs/using-fleet/gitops#apple-business-manager', 'GET /learn-more-about/s3-bootstrap-package': '/docs/configuration/fleet-server-configuration#s-3-software-installers-bucket', + 'GET /learn-more-about/exe-install-scripts': '/guides/exe-install-scripts', + 'GET /learn-more-about/install-scripts': '/guides/deploy-software-packages#install-script', + 'GET /learn-more-about/uninstall-scripts': '/guides/deploy-software-packages#uninstall-script', + 'GET /learn-more-about/read-package-version': '/guides/deploy-software-packages##add-a-software-package-to-a-team', // Sitemap // =============================================================================================================