chore: merge main

This commit is contained in:
Jahziel Villasana-Espinoza 2024-12-03 13:16:00 -05:00
commit 9df4b066ff
471 changed files with 5193 additions and 27224 deletions

View file

@ -19,20 +19,17 @@ defaults:
shell: bash
env:
FLEET_DESKTOP_VERSION: 1.35.0
FLEET_DESKTOP_VERSION: 1.36.0
permissions:
contents: read
jobs:
desktop-macos:
# Set macOS version to '12' (current equivalent to macos-latest) for
# Set macOS version to '13' (previously was macos-12, and it was deprecated) for
# building the binary. This ensures compatibility with macOS version 13 and
# later, avoiding runtime errors on systems using macOS 13 or newer.
#
# Note: Update this version to '13' once GitHub marks macOS 13 as stable
# or if we revise our minimum supported macOS version.
runs-on: macos-12
runs-on: macos-13
steps:
- name: Harden Runner
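Review bot: the trailing comment `# Note: Update this version to '13' once GitHub marks macOS 13 as stable or if we revise our minimum supported macOS version.` is now stale, because `runs-on` is changed to `macos-13` in this same hunk; drop the note or reword it for the next bump. The rewritten first comment line also reads awkwardly: `# Set macOS version to '13' (previously was macos-12, and it was deprecated) for` could be `# Build on the macos-13 runner (macos-12 was deprecated by GitHub) for`, which keeps the sentence that follows ("building the binary. This ensures compatibility with macOS version 13 and later") grammatical.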

View file

@ -0,0 +1,59 @@
# This workflow update the timestamp of the TUF repository at https://tuf.fleetctl.com
name: Update TUF timestamp
on:
schedule:
- cron: "0 14 * * TUE" # Every Tuesday at 2 PM UTC
workflow_dispatch: # Manual
defaults:
run:
# fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
shell: bash
env:
AWS_REGION: us-east-1
AWS_IAM_ROLE: arn:aws:iam::142412512209:role/github-actions-role
permissions:
id-token: write # This is required for aws-actions/configure-aws-credentials
jobs:
tuf-update-timestamp:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1.7.0
with:
role-to-assume: ${{ env.AWS_IAM_ROLE }}
aws-region: ${{ env.AWS_REGION }}
- name: Install fleetctl
run: npm install -g fleetctl
- name: Pull metadata files
run: |
mkdir -p keys repository staged
aws s3 cp s3://fleet-tuf-repo/timestamp.json ./repository/timestamp.json
aws s3 cp s3://fleet-tuf-repo/snapshot.json ./repository/snapshot.json
aws s3 cp s3://fleet-tuf-repo/targets.json ./repository/targets.json
aws s3 cp s3://fleet-tuf-repo/root.json ./repository/root.json
cat ./repository/timestamp.json
- name: Update timestamp
env:
BASE64_ENCRYPTED_TIMESTAMP_KEY_CONTENTS: ${{ secrets.BASE64_ENCRYPTED_TIMESTAMP_KEY }}
FLEET_TIMESTAMP_PASSPHRASE: ${{ secrets.TUF_TIMESTAMP_PASSPHRASE }}
run: |
echo "$BASE64_ENCRYPTED_TIMESTAMP_KEY_CONTENTS" | base64 -d > ./keys/timestamp.json
fleetctl updates timestamp --path .
- name: Push timestamp.json
run: |
cat ./repository/timestamp.json
aws s3 cp ./repository/timestamp.json s3://fleet-tuf-repo/timestamp.json
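Review bot: the "Install fleetctl" step runs `npm install -g fleetctl` with no version pin, so the decrypted TUF timestamp signing key (written to `./keys/timestamp.json` in the following step) is handed to whatever `fleetctl` release npm serves at run time; pin an exact version (`npm install -g fleetctl@<version>`, ideally verified against a known lockfile) so a bad or compromised npm publish cannot run with the key. For the same reason, `egress-policy: audit` is weak for a job that holds a signing key; `egress-policy: block` with `allowed-endpoints` (npm registry, the S3 endpoint, STS) would fail the job on any unexpected outbound connection. Two smaller points: remove `./keys/timestamp.json` in a final step with `if: always()` rather than relying on runner teardown, and the header comment should read "This workflow updates the timestamp".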

View file

@ -1,3 +1,52 @@
## Fleet 4.60.0 (Nov 27, 2024)
### Endpoint operations
- Added support for labels_include_any to gitops.
- Added major improvements to keyboard accessibility throughout app (e.g. checkboxes, dropdowns, table navigation).
- Added activity item for `fleetd` enrollment with host serial and display name.
- Added capability for Fleet to serve YARA rules to agents over HTTPS authenticated via node key (requires osquery 5.14+).
- Added a query to allow users to turn on/off automations while being transparent of the current log destination.
- Updated UI to allow users to view scripts (from both the scripts page and host details page) without downloading them.
- Updated activity feed to generate an activity when activity automations are enabled, edited, or disabled.
- Cancelled pending script executions when a script is edited or deleted.
### Device management (MDM)
- Added better handling of timeout and insufficient permissions errors in NDES SCEP proxy.
- Added info banner for cloud customers to help with their windows autoenrollment setup.
- Added DB support for "include any" label profile deployment.
- Added support for "include any" label/profile relationships to the profile reconciliation machinery.
- Added `team_identifier` signature information to Apple macOS applications to the `/api/latest/fleet/hosts/:id/software` API endpoint.
- Added indicator of how fresh a software title's host and version counts are on the title's details page.
- Added UI for allowing users to install custom profiles on hosts that include any of the defined labels.
- Added UI features supporting disk encryption for Ubuntu and Fedora Linux.
- Added support for deb packages compressed with zstd.
### Vulnerability management
- Allowed skipping computationally heavy population of vulnerability details when populating host software on hosts list endpoint (`GET /api/latest/fleet/hosts`) when using Fleet Premium (`populate_software=without_vulnerability_descriptions`).
### Bug fixes and improvements
- Improved memory usage of the Fleet server when uploading a large software installer file. Note that the installer will now use (temporary) disk space and sufficient storage space is required.
- Improved performance of adding and removing profiles to large teams by an order of magnitude.
- Disabled accessibility via keyboard for forms that are disabled via a slider.
- Updated software batch endpoint status code from 200 (OK) to 202 (Accepted).
- Updated a package used for testing (msw) to improve security.
- Updated to reboot linux machine on unlock to work around GDM bug on Ubuntu 24.04.
- Updated GitOps to return an error if the deprecated `apple_bm_default_team` key is used and there are more than 1 ABM tokens in Fleet.
- Dismissed error flash on the my device page when navigating to another URL.
- Modified the Fleet setup experience feature to not run if there is no software or script configured for the setup experience.
- Set a more accurate minimum height for the Add hosts > ChromeOS > Policy for extension field, avoiding a scrollbar.
- Added UI prompt for user to reenter the password if SCEP/NDES url or username has changed.
- Updated ABM public key to download as as PEM format instead of CRT.
- Fixed issue with uploading macOS software packages that do not have a top level `Distribution.xml`, but do have a top level `PackageInfo.xml`. For example, Okta Verify.app.
- Fixed some cases where Fleet Maintained Apps generated incorrect uninstall scripts.
- Fixed a bug where a device that was removed from ABM and then added back wouldn't properly re-enroll in Fleet MDM.
- Fixed name/version parsing issue with PE (EXE) installer self-extracting archives such as Opera.
- Fixed a bug where the create and update label endpoints could return outdated information in a deployment using a mysql replica.
- Fixed the MDM configuration profiles deployment when based on excluded labels.
- Fixed gitops path resolution for installer queries and scripts to always be relative to where the query file or script is referenced. This change breaks existing YAML files that had to account for previous inconsistent behavior (e.g. installers in a subdirectory referencing scripts elsewhere).
- Fixed issue where minimum OS version enforcement was not being applied during Apple ADE if MDM IdP integration was enabled.
- Fixed a bug where users would be allowed to attempt an install of an App Store app on a host that was not MDM enrolled.
## Fleet 4.59.1 (Nov 18, 2024)
### Bug fixes
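Review bot: a few copy issues in the added 4.60.0 entries: "labels_include_any" is unformatted here but code-formatted (`labels_include_any`) in the matching article entry added in this commit; "download as as PEM format" has a doubled "as"; "windows autoenrollment" and "mysql replica" should be "Windows" and "MySQL"; and "more than 1 ABM tokens" reads better as "more than one ABM token". The entry "Fixed the MDM configuration profiles deployment when based on excluded labels" drops the explanation that was in the deleted changes file (hosts without label results were treated as non-members); keeping one clause of that would help operators understand what changed.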

View file

@ -65,11 +65,10 @@ go.mod @fleetdm/go
#
# (see website/config/custom.js for DRIs of other paths not listed here)
##############################################################################################
/docs @rachaelshaw
/docs/REST\ API/rest-api.md @rachaelshaw # « REST API reference documentation
/docs/Contributing/API-for-contributors.md @rachaelshaw # « Advanced / contributors-only API reference documentation
/docs @rachaelshaw @noahtalerman
/docs/REST\ API/rest-api.md @rachaelshaw @noahtalerman # « REST API reference documentation
/docs/Contributing/API-for-contributors.md @rachaelshaw @noahtalerman # « Advanced / contributors-only API reference documentation
/schema @eashaw # « Data tables (osquery/fleetd schema) documentation
/docs/Deploy/_kubernetes/ @dherder # « Kubernetes best practice
/render.yaml @edwardsb
##############################################################################################
@ -89,15 +88,15 @@ go.mod @fleetdm/go
/handbook/README.md @mikermcneil
/handbook/company/open-positions.yml @sampfluger88
#/handbook/company/product-groups.md 🤡 Covered in custom.js
/handbook/finance/README.md @sampfluger88
/handbook/finance/finance.rituals.yml @sampfluger88
/handbook/finance/README.md @sampfluger88
/handbook/finance/finance.rituals.yml @sampfluger88
/handbook/digital-experience/security.md @sampfluger88
/handbook/digital-experience @sampfluger88
/handbook/customer-success @sampfluger88
/handbook/digital-experience @sampfluger88
/handbook/customer-success @sampfluger88
/handbook/demand @sampfluger88
#/handbook/engineering 🤡 Covered in custom.js
/handbook/sales @sampfluger88
#/handbook/product-design 🤡 Covered in custom.js
#/handbook/product-design 🤡 Covered in custom.js
##############################################################################################
# 🌐 GitHub issue templates

View file

@ -2,21 +2,19 @@
_Available in Fleet Premium_
In Fleet, you can enforce disk encryption for your macOS and Windows hosts.
In Fleet, you can enforce disk encryption for your macOS and Windows hosts, and verify disk encryption for Ubuntu Linux and Fedora Linux hosts.
> Apple calls this [FileVault](https://support.apple.com/en-us/HT204837) and Microsoft calls this [BitLocker](https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/).
> Apple calls this [FileVault](https://support.apple.com/en-us/HT204837), Microsoft calls this [BitLocker](https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/), and Linux typically uses [LUKS](https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup) (Linux Unified Key Setup).
When disk encryption is enforced, hosts disk encryption keys will be stored in Fleet.
When disk encryption is enforced, hosts' disk encryption keys will be stored in Fleet.
For macOS hosts that automatically enroll, disk encryption is enforced during Setup Assistant.
For Windows, disk encryption is enforced on the C: volume (default system/OS drive).
For macOS hosts that automatically enroll, disk encryption is enforced during Setup Assistant. For Windows, disk encryption is enforced on the C: volume (default system/OS drive). On Linux, encryption requires user interaction to encrypt the device with LUKS.
## Enforce disk encryption
You can enforce disk encryption using the Fleet UI, Fleet API, or [Fleet's GitOps workflow](https://github.com/fleetdm/fleet-gitops).
Fleet UI:
#### Fleet UI:
1. In Fleet, head to the **Controls > OS settings > Disk encryption** page.
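Review bot: "Fleet UI:" becomes a `####` heading directly under the `##` "Enforce disk encryption" section, skipping `###`; use `###` for it (and for the matching "Fleet API:" heading in the next hunk) so the outline stays consistent with the `###` used for "Disk encryption status". The new sentence "On Linux, encryption requires user interaction to encrypt the device with LUKS" would be clearer if it said what the user must do and when, since the Linux section later in this file states encryption can only be enabled during OS installation: for example, "On Linux, the end user must enable LUKS encryption during OS installation; Fleet then verifies it and escrows a recovery passphrase."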
@ -24,7 +22,9 @@ Fleet UI:
3. Check the box next to **Turn on** and select **Save**.
Fleet API: API documentation is [here](https://fleetdm.com/docs/rest-api/rest-api#update-disk-encryption-enforcement).
#### Fleet API:
API documentation is [here](https://fleetdm.com/docs/rest-api/rest-api#update-disk-encryption-enforcement).
### Disk encryption status
@ -42,10 +42,28 @@ In the Fleet UI, head to the **Controls > OS settings > Disk encryption** tab. Y
* Removing enforcement (pending): the host will receive the MDM command to remove the disk encryption profile when the host comes online.
* Failed: hosts that are failed to enforce disk encryption.
* Failed: hosts that failed to enforce disk encryption.
You can click each status to view the list of hosts for that status.
## Enforce disk encryption on Linux
To enforce disk encryption on Ubuntu Linux and Fedora Linux devices, Fleet supports Linux Unified Key Setup (LUKS) for encrypting volumes. Support for Ubuntu 20.04 is coming soon.
1. Share [this step-by-step guide](https://fleetdm.com/learn-more-about/encrypt-linux-device) with end users setting up a work computer running Ubuntu Linux or Fedora Linux.
> Note that full disk encryption can only enabled during operating system setup. If the operating system has already been installed, the end user will be required to re-install the OS to enable disk encryption.
2. Once the user encrypts the disk, Fleet will initiate a key escrow process through Fleet Desktop:
* Fleet Desktop prompts the user to enter their current encryption passphrase.
* A new encryption passphrase is generated and added as a LUKS keyslot for the encrypted volume.
* The new passphrase is securely stored in Fleet.
3. Fleet verifies that the encryption is complete, and the key has been escrowed. Once successful, the host's status will be updated to "Verified" in the disk encryption status table.
> Note: LUKS allows multiple passphrases for decrypting the volume. The original passphrase remains active along with the escrowed passphrase created by Fleet.
## View disk encryption key
How to view the disk encryption key:
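Review bot: the heading "## Enforce disk encryption on Linux" and the opening "To enforce disk encryption on Ubuntu Linux and Fedora Linux devices" conflict with the hunk's own note that full disk encryption "can only enabled during operating system setup" (missing "be" there) and with the intro change in this file, which says Fleet "verifies" disk encryption on those hosts; retitle the section along the lines of "Verify disk encryption and escrow keys on Linux" and describe the flow as verification plus escrow. "Support for Ubuntu 20.04 is coming soon" will date quickly in a guide; drop it or state the supported versions instead. Under step 2 it is worth saying explicitly that the user's original passphrase is used locally by Fleet Desktop to add the new keyslot and is not itself stored, which "The new passphrase is securely stored in Fleet" implies but does not state.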
@ -54,6 +72,8 @@ How to view the disk encryption key:
2. On the **Host details** page, select **Actions > Show disk encryption key**.
> This action is logged in the activity log for security auditing purposes.
## Migrate macOS hosts
When migrating macOS hosts from another MDM solution, in order to complete the process of encrypting the hard drive and escrowing the key in Fleet, your end users must log out or restart their device.
@ -65,4 +85,4 @@ Share [these guided instructions](https://fleetdm.com/guides/mdm-migration#how-t
<meta name="authorFullName" value="Noah Talerman">
<meta name="publishedOn" value="2024-08-14">
<meta name="articleTitle" value="Enforce disk encryption">
<meta name="description" value="Learn how to enforce disk encryption on macOS and Windows hosts and manage encryption keys with Fleet Premium.">
<meta name="description" value="Learn how to enforce disk encryption on macOS, Windows, and Linux hosts and manage encryption keys with Fleet Premium.">

View file

@ -1,6 +1,8 @@
# Fleet 4.40.0 | More Data, Rapid Security Response, CIS Benchmark updates.
![Fleet 4.40.0](../website/assets/images/articles/fleet-4.40.0-1600x900@2x.png)
<div purpose="embedded-content">
<iframe src="https://www.youtube.com/embed/8xNtquy9HFw?si=JkI5GrZvIEymRAt4" frameborder="0" allowfullscreen></iframe>
</div>
Fleet 4.40.0 is live. Check out the full [changelog](https://github.com/fleetdm/fleet/releases/tag/fleet-v4.40.0) or continue reading to get the highlights.
For upgrade instructions, see our [upgrade guide](https://fleetdm.com/docs/deploying/upgrading-fleet) in the Fleet docs.
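Review bot: the added `<iframe>` has no `title` attribute, which screen readers need to announce an embedded player, and its `src` carries YouTube's `?si=` share token, which is the tracking parameter appended to shared links and is not needed for an `/embed/` URL; suggest `<iframe src="https://www.youtube.com/embed/8xNtquy9HFw" title="Fleet 4.40.0 release video" allowfullscreen></iframe>`, with `frameborder` (obsolete in HTML5) handled in CSS. The same applies to the identical hunks in the other release articles in this commit.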

View file

@ -1,6 +1,8 @@
# Fleet 4.47.0 | Cross-platform remote wipe, vulnerabilities page, and scripting improvements.
![Fleet 4.47.0](../website/assets/images/articles/fleet-4.47.0-1600x900@2x.png)
<div purpose="embedded-content">
<iframe src="https://www.youtube.com/embed/yDBob6v1MZQ?si=pyNbrHgayW-ANu-a" frameborder="0" allowfullscreen></iframe>
</div>
Fleet 4.47.0 is live. Check out the full [changelog](https://github.com/fleetdm/fleet/releases/tag/fleet-v4.47.0) or continue reading to get the highlights.
For upgrade instructions, see our [upgrade guide](https://fleetdm.com/docs/deploying/upgrading-fleet) in the Fleet docs.

View file

@ -1,6 +1,8 @@
# Fleet 4.48.0 | IdP local account creation, VS Code extensions.
![Fleet 4.48.0](../website/assets/images/articles/fleet-4.48.0-1600x900@2x.png)
<div purpose="embedded-content">
<iframe src="https://www.youtube.com/embed/zd_JFeryiQE?si=1jVm9M1YWW44uR2s" frameborder="0" allowfullscreen></iframe>
</div>
Fleet 4.48.0 is live. Check out the full [changelog](https://github.com/fleetdm/fleet/releases/tag/fleet-v4.48.0) or continue reading to get the highlights.
For upgrade instructions, see our [upgrade guide](https://fleetdm.com/docs/deploying/upgrading-fleet) in the Fleet docs.

View file

@ -1,6 +1,8 @@
# Fleet 4.49.0 | VulnCheck's NVD++, device health API, `fleetd` data parsing.
![Fleet 4.49.0](../website/assets/images/articles/fleet-4.49.0-1600x900@2x.png)
<div purpose="embedded-content">
<iframe src="https://www.youtube.com/embed/UQEQZV_puHg?si=J6BE0ch56CSDMP5d" frameborder="0" allowfullscreen></iframe>
</div>
Fleet 4.49.0 is live. Check out the full [changelog](https://github.com/fleetdm/fleet/releases/tag/fleet-v4.49.0) or continue reading to get the highlights.
For upgrade instructions, see our [upgrade guide](https://fleetdm.com/docs/deploying/upgrading-fleet) in the Fleet docs.

View file

@ -1,6 +1,8 @@
# Fleet 4.50.0 | Security agent deployment, AI descriptions, and Mac Admins SOFA support.
![Fleet 4.50.0](../website/assets/images/articles/fleet-4.50.0-1600x900@2x.png)
<div purpose="embedded-content">
<iframe src="https://www.youtube.com/embed/0SSww4lzL_A?si=TzDdP8HmCKwi5EZg" frameborder="0" allowfullscreen></iframe>
</div>
Fleet 4.50.0 is live. Check out the full [changelog](https://github.com/fleetdm/fleet/releases/tag/fleet-v4.50.0) or continue reading to get the highlights.
For upgrade instructions, see our [upgrade guide](https://fleetdm.com/docs/deploying/upgrading-fleet) in the Fleet docs.

View file

@ -1,6 +1,8 @@
# Fleet 4.51.0 | Global activity webhook, macOS TCC table, and software self-service.
![Fleet 4.51.0](../website/assets/images/articles/fleet-4.51.0-1600x900@2x.png)
<div purpose="embedded-content">
<iframe src="https://www.youtube.com/embed/K1KN0BrBncw?si=VbxhfEBwcQ95yBoB" frameborder="0" allowfullscreen></iframe>
</div>
Fleet 4.51.0 is live. Check out the full [changelog](https://github.com/fleetdm/fleet/releases/tag/fleet-v4.51.0) or continue reading to get the highlights.
For upgrade instructions, see our [upgrade guide](https://fleetdm.com/docs/deploying/upgrading-fleet) in the Fleet docs.

View file

@ -1,6 +1,8 @@
# Fleet 4.53.0 | Better vuln matching, multi-issue hosts, & `fleetd` logs as tables.
![Fleet 4.53.0](../website/assets/images/articles/fleet-4.53.0-1600x900@2x.png)
<div purpose="embedded-content">
<iframe src="https://www.youtube.com/embed/mqnjDNtJkjg?si=hjVjSAxTkzpTMhXD" frameborder="0" allowfullscreen></iframe>
</div>
Fleet 4.53.0 is live. Check out the full [changelog](https://github.com/fleetdm/fleet/releases/tag/fleet-v4.53.0) or continue reading to get the highlights.
For upgrade instructions, see our [upgrade guide](https://fleetdm.com/docs/deploying/upgrading-fleet) in the Fleet docs.

View file

@ -1,6 +1,8 @@
# Fleet 4.54.0 | Target hosts via label exclusion, arm64 support, script execution time.
![Fleet 4.54.0](../website/assets/images/articles/fleet-4.54.0-1600x900@2x.png)
<div purpose="embedded-content">
<iframe src="https://www.youtube.com/embed/8i6tzXm41VM?si=5Sxv3FavghntPEXo" frameborder="0" allowfullscreen></iframe>
</div>
Fleet 4.54.0 is live. Check out the full [changelog](https://github.com/fleetdm/fleet/releases/tag/fleet-v4.54.0) or continue reading to get the highlights.
For upgrade instructions, see our [upgrade guide](https://fleetdm.com/docs/deploying/upgrading-fleet) in the Fleet docs.

View file

@ -1,6 +1,8 @@
# Fleet 4.55.0 | MySQL 8, arm64 support, FileVault improvements, VPP support.
![Fleet 4.55.0](../website/assets/images/articles/fleet-4.55.0-1600x900@2x.png)
<div purpose="embedded-content">
<iframe src="https://www.youtube.com/embed/tpXTJ2RX0wA?si=rOXdjGUX8dddnAmc" frameborder="0" allowfullscreen></iframe>
</div>
Fleet 4.55.0 is live. Check out the full [changelog](https://github.com/fleetdm/fleet/releases/tag/fleet-v4.55.0) or continue reading to get the highlights.
For upgrade instructions, see our [upgrade guide](https://fleetdm.com/docs/deploying/upgrading-fleet) in the Fleet docs.

View file

@ -1,6 +1,8 @@
# Fleet 4.56.0 | Enhanced MDM migration, Exact CVE Search, and Self-Service VPP Apps.
![Fleet 4.56.0](../website/assets/images/articles/fleet-4.56.0-1600x900@2x.png)
<div purpose="embedded-content">
<iframe src="https://www.youtube.com/embed/aQyePPQ0uXA?si=w9FB7AvxbOrun76O" frameborder="0" allowfullscreen></iframe>
</div>
Fleet 4.56.0 is live. Check out the full [changelog](https://github.com/fleetdm/fleet/releases/tag/fleet-v4.56.0) or continue reading to get the highlights.
For upgrade instructions, see our [upgrade guide](https://fleetdm.com/docs/deploying/upgrading-fleet) in the Fleet docs.

View file

@ -1,6 +1,8 @@
# Fleet 4.57.0 | Software improvements, policy automation, GitLab support.
![Fleet 4.57.0](../website/assets/images/articles/fleet-4.57.0-1600x900@2x.png)
<div purpose="embedded-content">
<iframe src="https://www.youtube.com/embed/xcCmYm7eLZM?si=ZzrSy2lSo0DMdzq-" frameborder="0" allowfullscreen></iframe>
</div>
Fleet 4.57.0 is live. Check out the full [changelog](https://github.com/fleetdm/fleet/releases/tag/fleet-v4.57.0) or continue reading to get the highlights.
For upgrade instructions, see our [upgrade guide](https://fleetdm.com/docs/deploying/upgrading-fleet) in the Fleet docs.

View file

@ -1,6 +1,8 @@
# Fleet 4.58.0 | Run script on policy failure, Fleet-maintained apps, Sequoia firewall status.
![Fleet 4.58.0](../website/assets/images/articles/fleet-4.58.0-1600x900@2x.png)
<div purpose="embedded-content">
<iframe src="ttps://www.youtube.com/embed/2vJsE5K4ru4?si=iKjxLYHw1PUTAdTV" frameborder="0" allowfullscreen></iframe>
</div>
Fleet 4.58.0 is live. Check out the full [changelog](https://github.com/fleetdm/fleet/releases/tag/fleet-v4.58.0) or continue reading to get the highlights.
For upgrade instructions, see our [upgrade guide](https://fleetdm.com/docs/deploying/upgrading-fleet) in the Fleet docs.
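Review bot: the `src` in this hunk is `ttps://www.youtube.com/embed/2vJsE5K4ru4?si=iKjxLYHw1PUTAdTV`, missing the leading `h`, so the embed resolves to a relative path and will not load; it should be `https://www.youtube.com/embed/2vJsE5K4ru4`.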

View file

@ -96,7 +96,7 @@ SET i.software_title_name = COALESCE(a.details->>"$.software_title", i.software_
## Ready to upgrade?
Visit our [Upgrade guide](https://fleetdm.com/docs/deploying/upgrading-fleet) in the Fleet docs for instructions on updating to Fleet 4.58.0.
Visit our [Upgrade guide](https://fleetdm.com/docs/deploying/upgrading-fleet) in the Fleet docs for instructions on updating to Fleet 4.59.0.
<meta name="category" value="releases">
<meta name="authorFullName" value="Noah Talerman">

83
articles/fleet-4.60.0.md Normal file
View file

@ -0,0 +1,83 @@
# Fleet 4.60.0 | Escrow Linux disk encryption keys, custom targets for OS settings, scripts preview
![Fleet 4.60.0](../website/assets/images/articles/fleet-4.60.0-1600x900@2x.png)
Fleet 4.60.0 is live. Check out the full [changelog](https://github.com/fleetdm/fleet/releases/tag/fleet-v4.60.0) or continue reading to get the highlights.
For upgrade instructions, see our [upgrade guide](https://fleetdm.com/docs/deploying/upgrading-fleet) in the Fleet docs.
## Highlights
- Escrow Linux disk encryption keys
- Custom targets for OS settings
- Preview scripts before run
### Escrow Linux disk encryption keys
Fleet now supports escrowing the disk encryption keys for Linux (Ubuntu and Fedora) workstations. This means teams can access encrypted data without needing the local password when an employee leaves, simplifying handoffs and ensuring critical data remains accessible while protected. Learn more in the guide [here](https://fleetdm.com/guides/enforce-disk-encryption).
### Custom targets for OS settings
With Fleet, you can now use a new "include any" label option to target OS settings (configuration profiles) to specific hosts within a team. This added flexibility allows for finer control over which OS settings apply to which hosts, making it easier to tweak configurations without disrupting broader baselines (Fleet [teams](https://fleetdm.com/guides/teams)).
### Preview scripts before run
Fleet now provides the ability to preview scripts directly on the **Host details** or **Scripts** page. This quick-view feature reduces the risk of errors by letting you verify the script is correct before running it, saving time and ensuring smoother operations.
## Changes
### Endpoint operations
- Added support for `labels_include_any` to gitops.
- Added major improvements to keyboard accessibility throughout app (e.g. checkboxes, dropdowns, table navigation).
- Added activity item for `fleetd` enrollment with host serial and display name.
- Added capability for Fleet to serve YARA rules to agents over HTTPS authenticated via node key (requires osquery 5.14+).
- Added a query to allow users to turn on/off automations while being transparent of the current log destination.
- Updated UI to allow users to view scripts (from both the scripts page and host details page) without downloading them.
- Updated activity feed to generate an activity when activity automations are enabled, edited, or disabled.
- Cancelled pending script executions when a script is edited or deleted.
### Device management (MDM)
- Added better handling of timeout and insufficient permissions errors in NDES SCEP proxy.
- Added info banner for cloud customers to help with their windows autoenrollment setup.
- Added DB support for "include any" label profile deployment.
- Added support for "include any" label/profile relationships to the profile reconciliation machinery.
- Added `team_identifier` signature information to Apple macOS applications to the `/api/latest/fleet/hosts/:id/software` API endpoint.
- Added indicator of how fresh a software title's host and version counts are on the title's details page.
- Added UI for allowing users to install custom profiles on hosts that include any of the defined labels.
- Added UI features supporting disk encryption for Ubuntu and Fedora Linux.
- Added support for deb packages compressed with zstd.
### Vulnerability management
- Allowed skipping computationally heavy population of vulnerability details when populating host software on hosts list endpoint (`GET /api/latest/fleet/hosts`) when using Fleet Premium (`populate_software=without_vulnerability_descriptions`).
### Bug fixes and improvements
- Improved memory usage of the Fleet server when uploading a large software installer file. Note that the installer will now use (temporary) disk space and sufficient storage space is required.
- Improved performance of adding and removing profiles to large teams by an order of magnitude.
- Disabled accessibility via keyboard for forms that are disabled via a slider.
- Updated software batch endpoint status code from 200 (OK) to 202 (Accepted).
- Updated a package used for testing (msw) to improve security.
- Updated to reboot linux machine on unlock to work around GDM bug on Ubuntu 24.04.
- Updated GitOps to return an error if the deprecated `apple_bm_default_team` key is used and there are more than 1 ABM tokens in Fleet.
- Dismissed error flash on the my device page when navigating to another URL.
- Modified the Fleet setup experience feature to not run if there is no software or script configured for the setup experience.
- Set a more accurate minimum height for the Add hosts > ChromeOS > Policy for extension field, avoiding a scrollbar.
- Added UI prompt for user to reenter the password if SCEP/NDES url or username has changed.
- Updated ABM public key to download as as PEM format instead of CRT.
- Fixed issue with uploading macOS software packages that do not have a top level `Distribution.xml`, but do have a top level `PackageInfo.xml`. For example, Okta Verify.app.
- Fixed some cases where Fleet Maintained Apps generated incorrect uninstall scripts.
- Fixed a bug where a device that was removed from ABM and then added back wouldn't properly re-enroll in Fleet MDM.
- Fixed name/version parsing issue with PE (EXE) installer self-extracting archives such as Opera.
- Fixed a bug where the create and update label endpoints could return outdated information in a deployment using a mysql replica.
- Fixed the MDM configuration profiles deployment when based on excluded labels.
- Fixed gitops path resolution for installer queries and scripts to always be relative to where the query file or script is referenced. This change breaks existing YAML files that had to account for previous inconsistent behavior (e.g. installers in a subdirectory referencing scripts elsewhere).
- Fixed issue where minimum OS version enforcement was not being applied during Apple ADE if MDM IdP integration was enabled.
- Fixed a bug where users would be allowed to attempt an install of an App Store app on a host that was not MDM enrolled.
## Ready to upgrade?
Visit our [Upgrade guide](https://fleetdm.com/docs/deploying/upgrading-fleet) in the Fleet docs for instructions on updating to Fleet 4.60.0.
<meta name="category" value="releases">
<meta name="authorFullName" value="Noah Talerman">
<meta name="authorGitHubUsername" value="noahtalerman">
<meta name="publishedOn" value="2024-11-27">
<meta name="articleTitle" value="Fleet 4.60.0 | Escrow Linux disk encryption keys, custom targets for OS settings, scripts preview">
<meta name="articleImageUrl" value="../website/assets/images/articles/fleet-4.60.0-1600x900@2x.png">
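Review bot: in the "Escrow Linux disk encryption keys" highlight, "teams can access encrypted data without needing the local password" is accurate but leaves out that the escrowed passphrase is a full decryption credential; the disk encryption guide edited in this same commit states that viewing a key is logged in the activity feed, so say that here (or link to the "View disk encryption key" section) so readers understand how access to escrowed keys is audited. The "Changes" list repeats the copy issues of the CHANGELOG hunk ("as as PEM", "windows", "mysql", "more than 1 ABM tokens"); fix both places.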

View file

@ -0,0 +1,56 @@
# Encrypt your Fleet-managed Linux device
> This guide is intended for new device setup. If the operating system has already been installed without enabling disk encryption, you will need to re-install in order to turn on full disk encryption.
LUKS (Linux Unified Key Setup) is a standard tool for encrypting Linux disks. It uses a "volume key" to encrypt your data, and this key is protected by passphrases. LUKS supports multiple passphrases, allowing you to securely share access or recover encrypted data. Fleet uses LUKS to ensure that only authorized users can access the data on your work computer.
Fleet securely stores a passphrase to ensure that the data on your work computer is always recoverable. To get your computer set up for key escrow, you will first need to enable disk encryption on your end, then provide your encryption passphrase to Fleet.
Follow the steps below to get set up.
## 1. Enable encryption during installation
#### Ubuntu Linux
- When installing Ubuntu, choose the option to "Use LVM with encryption."
- Set a strong passphrase when prompted. This passphrase will be used to encrypt your disk and is separate from your login password.
![Ubuntu setup "How do you want to install Ubuntu?" screen](../website/assets/images/articles/ubuntu-1-1200x675@2x.png)
![Ubuntu setup: Advanced features > Use LVM and encryption](../website/assets/images/articles/ubuntu-2-1200x675@2x.png)
#### Fedora Linux
- During Fedora installation, under **Installation destination** > **Encryption** select the "Encrypt my data" checkbox.
- Enter a secure passphrase when prompted.
![Fedora setup "Installation summary" screen](../website/assets/images/articles/fedora-1-1200x675@2x.png)
![Fedora setup: Installation destination > Encryption > Encrypt my data](../website/assets/images/articles/fedora-2-1200x675@2x.png)
## 2. Verify encryption
- Once installation is complete, verify that your disk is encrypted by running:
```bash
lsblk -o NAME,MOUNTPOINT,TYPE,SIZE,FSUSED,FSTYPE,ENCRYPTED
```
- **Ubuntu Linux**: Look for the root (`/`) partition, and confirm it is marked as encrypted.
- **Fedora Linux**: Ensure the `/` (root) and `/home` partitions are encrypted.
## 3. Escrow your key with Fleet
- Open Fleet Desktop. If your device is encrypted, you'll see a banner prompting you to escrow the key.
- Click **Create key**. Enter your existing encryption passphrase when prompted.
- Fleet will generate and securely store a new passphrase for recovery. This may take several minutes. A popup will appear when Fleet is done.
Now, your encryption status will update to "verified" in Fleet Desktop, meaning that your recovery key has been successfully stored.
<meta name="articleTitle" value="Encrypt your Fleet-managed Linux device">
<meta name="authorFullName" value="Rachael Shaw">
<meta name="authorGitHubUsername" value="rachaelshaw">
<meta name="category" value="guides">
<meta name="publishedOn" value="2024-11-25">
<meta name="description" value="Instructions for end users to encrypt Linux devices enrolled in Fleet.">
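Review bot: the intro sentence "then provide your encryption passphrase to Fleet" reads as if the user's own passphrase is uploaded, while step 3 says Fleet "will generate and securely store a new passphrase for recovery"; reword to "then enter your existing passphrase in Fleet Desktop so it can add a separate recovery passphrase, which is what Fleet stores" so end users know their own passphrase stays on the device. In step 2, `lsblk` rejects the whole command with "unknown column" if any requested column is unsupported by the installed util-linux, so confirm `ENCRYPTED` exists on the supported Ubuntu and Fedora releases before shipping this; `TYPE` showing `crypt` for the device under `/` (and `/home` on Fedora) already identifies a LUKS mapping, so `lsblk -o NAME,MOUNTPOINT,TYPE,FSTYPE,SIZE` is a safer minimum, and the bullets should tell the user to look for `crypt` in the `TYPE` column rather than "marked as encrypted".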

View file

@ -1 +0,0 @@
* Added capability for Fleet to serve yara rules to agents over HTTPS authenticated via node key (requires osquery 5.14+).

View file

@ -1 +0,0 @@
* Improved memory usage of the Fleet server when uploading a large software installer file. Note that the installer will now use (temporary) disk space and sufficient storage space is required.

View file

@ -1 +0,0 @@
- Speed up adding and removing profiles to large teams by an order of magnitude

View file

@ -1 +0,0 @@
- add info banner for cloud customers to help with their windows autoenrollment setup

View file

@ -1 +0,0 @@
* Generate an activity when activity automations are enabled, edited, or disabled.

View file

@ -0,0 +1 @@
* Update resend config profile API from hosts/[hostid}/configuration_profiles/resend/{uuid} to hosts/{hostid}/configuration_profiles/{uuid}/resend
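Review bot: the old path in this entry has a mismatched bracket, `hosts/[hostid}/configuration_profiles/resend/{uuid}`; it should read `hosts/{hostid}/...` so the before and after paths are comparable. Since this renames an API route, the entry should also say whether the old path is still served or this is a breaking change for API clients.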

View file

@ -1 +0,0 @@
* Cancelled pending script executions when a script is edited or deleted.

View file

@ -0,0 +1 @@
* Replaced the internal use of the deprecated `go.mozilla.org/pkcs7` package with the maintained fork `github.com/smallstep/pkcs7`.

View file

@ -1 +0,0 @@
* Fixed the MDM configuration profiles deployment when based on excluded labels - prior to this fix, hosts were considered "not a member" of the label by default, even if they had not yet returned results for the excluded labels. The fix checks the label's creation time vs the host's last reported label results timestamp to prevent deploying a configuration profile if it does not yet know if the host is a member or not of those labels.

View file

@ -1 +0,0 @@
* GitOps: Fixed path resolution for installer queries and scripts to always be relative to where the query file or script is referenced. This change breaks existing YAML files that had to account for previous inconsistent behavior (e.g. installers in a subdirectory referencing scripts elsewhere).

View file

@ -1 +0,0 @@
- Creating a query allow users to turn on/off automations while being transparent of the current log destination

View file

@ -1 +0,0 @@
* Added indicator of how fresh a software title's host and version counts are on the title's details page

View file

@ -1,2 +0,0 @@
- Updates GitOps to return an error if the deprecated `apple_bm_default_team` key is used and there
are more than 1 ABM tokens in Fleet.

View file

@ -1,2 +0,0 @@
- Fixed issue where minimum OS version enforcement was not being applied during Apple ADE if MDM
IdP integration was enabled.

View file

@ -1 +0,0 @@
- Reboot linux machine on unlock to work around GDM bug on Ubuntu 24.04

View file

@ -1 +0,0 @@
- Users can view scripts in the UI (from both the scripts page and host details page) without downloading them

View file

@ -0,0 +1 @@
- Update help text for policy automation Install software and Run script modals

View file

@ -1,2 +0,0 @@
- add UI for allowing users to install custom profiles on hosts that include any of the defined
labels

View file

@ -1 +0,0 @@
- Add support for labels_include_any to gitops

View file

@ -1 +0,0 @@
- Adds DB support for "include any" label profile deployment

View file

@ -1 +0,0 @@
- Adds support for "include any" label/profile relationships to the profile reconciliation machinery.

View file

@ -1 +0,0 @@
- Fleet UI: Major improvements to keyboard accessibility throughout app (e.g. checkboxes, dropdowns, table navigation)

View file

@ -1 +0,0 @@
- Added UI features supporting disk encryption for Ubuntu and Fedora Linux.

View file

@ -1 +0,0 @@
- Fix some cases where Fleet Maintained Apps generated incorrect uninstall scripts

View file

@ -1 +0,0 @@
Added activity item for fleetd enrollment with host serial and display name.

View file

@ -1 +0,0 @@
- Add support for deb packages compressed with zstd

View file

@ -0,0 +1 @@
- add UI changes for windows mdm page and allow for automatic migration for windows hosts.

View file

@ -0,0 +1 @@
* Added support for the new `windows_migration_enabled` setting (can be set via `fleetctl`, the `PATCH /api/latest/fleet/config` API endpoint and the UI). Requires a premium license.

View file

@ -1 +0,0 @@
- Fleet UI: Disable accessibility via keyboard for forms that are disabled via a slider

View file

@ -1,2 +0,0 @@
* Set a more elegant minimum height for the Add hosts > ChromeOS > Policy for extension field,
avoiding a scrollbar.

View file

@ -1 +0,0 @@
- Download ABM public key as PEM format instead of CRT

View file

@ -0,0 +1 @@
* Improve side nav empty state UI under `/settings`

View file

@ -1 +0,0 @@
* Allowed skipping computationally heavy population of vulnerability details when populating host software on hosts list endpoint (`GET /api/latest/fleet/hosts`) when using Fleet Premium (`populate_software=without_vulnerability_descriptions`)

View file

@ -1 +0,0 @@
- update a package used for testing (msw) to improve security

View file

@ -1,2 +0,0 @@
- Fixes a bug where a device that was removed from ABM and then added back wouldn't properly
re-enroll in Fleet MDM

View file

@ -1 +0,0 @@
Fixed issue with uploading macOS software packages that do not have a top level Distribution.xml, but do have a top level PackageInfo.xml. For example, Okta Verify.app

View file

@ -1,2 +0,0 @@
- Fixes a bug where users would be allowed to attempt an install of an App Store app on a host that
was not MDM enrolled.

View file

@ -0,0 +1 @@
- Display Windows MDM WSTEP flags in `fleet --help`.

View file

@ -1 +0,0 @@
* Updated software batch endpoint status code from 200 (OK) to 202 (Accepted)

View file

@ -1 +0,0 @@
Added better handling of timeout and insufficient permissions errors in NDES SCEP proxy.

View file

@ -1 +0,0 @@
Fixed name/version parsing issue with PE (EXE) installer self-extracting archives such as Opera.

View file

@ -1 +0,0 @@
* Fixed a bug where the create and update label endpoints could return outdated information in a deployment using a mysql replica.

View file

@ -0,0 +1 @@
- Fixes an issue with the copy for the activity generated by viewing a locked macOS host's PIN.

View file

@ -1 +0,0 @@
- Fleet UI: Prompt user to reenter the password if SCEP/NDES url or username has changed

View file

@ -1 +0,0 @@
* Dismiss error flash on the my device page when navigating to another URL.

View file

@ -0,0 +1,2 @@
- Replaces Zoom Fleet-maintained app with Zoom for IT, which does not open any windows during
installation.

View file

@ -0,0 +1 @@
- Fleet UI: Remove image borders that are included in Apple's app store icons

View file

@ -0,0 +1 @@
* Fixed an issue where the github cli software name was not matching against the cpe vulnerability name

View file

@ -0,0 +1,2 @@
* Bypass the setup experience UI if there is no setup experience item to process (no software to install, no script to execute), so that releasing the device is done without going through that window.
* Fixed releasing a DEP-enrolled macOS device if mTLS is configured for `fleetd`.

View file

@ -1,2 +0,0 @@
- Modifies the Fleet setup experience feature to not run if there is no software or script
configured for the setup experience.

View file

@ -0,0 +1 @@
- Fleet UI: Fix ability to clear policy automation that empties webhook URL

View file

@ -0,0 +1 @@
Removed duplicate indexes from the database schema.

View file

@ -0,0 +1,2 @@
* Only show the "follow instructions on My device" banner for Linux hosts whose disks are encrypted
but for which Fleet hasn't escrowed a valid key.

View file

@ -0,0 +1 @@
Fixed breaking with gitops user role running `fleetctl gitops` command when MDM is enabled.
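Review bot: "Fixed breaking with gitops user role running `fleetctl gitops` command" is hard to parse; suggest "Fixed `fleetctl gitops` failing for users with the GitOps role when MDM is enabled."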

1
changes/jve-fix-typo Normal file
View file

@ -0,0 +1 @@
- Fixes a typo in the loading modal when adding a Fleet-maintained app.

View file

@ -4,11 +4,11 @@ name: fleet
keywords:
- fleet
- osquery
version: v6.2.2
version: v6.2.3
home: https://github.com/fleetdm/fleet
sources:
- https://github.com/fleetdm/fleet.git
appVersion: v4.59.1
appVersion: v4.60.0
dependencies:
- name: mysql
condition: mysql.enabled

View file

@ -3,7 +3,7 @@
hostName: fleet.localhost
replicas: 3 # The number of Fleet instances to deploy
imageRepository: fleetdm/fleet
imageTag: v4.59.1 # Version of Fleet to deploy
imageTag: v4.60.0 # Version of Fleet to deploy
podAnnotations: {} # Additional annotations to add to the Fleet pod
serviceAccountAnnotations: {} # Additional annotations to add to the Fleet service account
resources:

View file

@ -22,10 +22,10 @@ import (
)
const (
httpClientTimeout = 2 * time.Minute
httpClientTimeout = 3 * time.Minute
waitTimeBetweenRequests = 6 * time.Second
waitTimeForRetry = 30 * time.Second
maxRetryAttempts = 10
waitTimeForRetry = 10 * time.Second
maxRetryAttempts = 20
apiKeyEnvVar = "NVD_API_KEY" //nolint:gosec
)
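Review bot: the retry policy changes shape here: `waitTimeForRetry` drops from 30s to 10s while `maxRetryAttempts` doubles to 20, so the worst-case retry window shrinks from 300s to 200s and retries reach the NVD API three times as often. NVD enforces rolling-window rate limits (stricter without an API key), so a fixed 10-second retry on a rate-limit response can keep the client inside the penalty window; consider exponential backoff with jitter, and add a comment next to these constants stating the limit they are tuned for.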

View file

@ -1182,7 +1182,7 @@ func appleMDMDEPSyncerJob(
}
}
func newMDMProfileManager(
func newAppleMDMProfileManagerSchedule(
ctx context.Context,
instanceID string,
ds fleet.Datastore,
@ -1207,6 +1207,29 @@ func newMDMProfileManager(
schedule.WithJob("manage_apple_declarations", func(ctx context.Context) error {
return service.ReconcileAppleDeclarations(ctx, ds, commander, logger)
}),
)
return s, nil
}
func newWindowsMDMProfileManagerSchedule(
ctx context.Context,
instanceID string,
ds fleet.Datastore,
logger kitlog.Logger,
) (*schedule.Schedule, error) {
const (
name = string(fleet.CronMDMWindowsProfileManager)
// Note: per a request from #g-product we are running this cron
// every 30 seconds, we should re-evaluate how we handle the
// cron interval as we scale to more hosts.
defaultInterval = 30 * time.Second
)
logger = kitlog.With(logger, "cron", name)
s := schedule.New(
ctx, name, instanceID, defaultInterval, ds, ds,
schedule.WithLogger(logger),
schedule.WithJob("manage_windows_profiles", func(ctx context.Context) error {
return service.ReconcileWindowsProfiles(ctx, ds, logger)
}),
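Review bot: the new Windows schedule hard-codes the same 30-second `defaultInterval` and copies the "per a request from #g-product" comment; a reconciliation that runs for every Windows host every 30 seconds scales with host count, so make the interval a shared constant with the Apple schedule (or configurable) rather than duplicating the value and the caveat in two places.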

View file

@ -23,14 +23,24 @@ import (
kitlog "github.com/go-kit/log"
)
func TestNewMDMProfileManagerWithoutConfig(t *testing.T) {
func TestNewAppleMDMProfileManagerWithoutConfig(t *testing.T) {
ctx := context.Background()
mdmStorage := &mdmmock.MDMAppleStore{}
ds := new(mock.Store)
cmdr := apple_mdm.NewMDMAppleCommander(mdmStorage, nil)
logger := kitlog.NewNopLogger()
sch, err := newMDMProfileManager(ctx, "foo", ds, cmdr, logger)
sch, err := newAppleMDMProfileManagerSchedule(ctx, "foo", ds, cmdr, logger)
require.NotNil(t, sch)
require.NoError(t, err)
}
func TestNewWindowsMDMProfileManagerWithoutConfig(t *testing.T) {
ctx := context.Background()
ds := new(mock.Store)
logger := kitlog.NewNopLogger()
sch, err := newWindowsMDMProfileManagerSchedule(ctx, "foo", ds, logger)
require.NotNil(t, sch)
require.NoError(t, err)
}
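Review bot: both tests only check that the constructor returns a non-nil schedule without error, so swapping the two constructors or registering the wrong job name would still pass. If the schedule exposes its name or jobs, assert that the Windows one is named `fleet.CronMDMWindowsProfileManager` and registers `manage_windows_profiles`.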

View file

@ -924,7 +924,7 @@ the way that the Fleet server works.
}
if err := cronSchedules.StartCronSchedule(func() (fleet.CronSchedule, error) {
return newMDMProfileManager(
return newAppleMDMProfileManagerSchedule(
ctx,
instanceID,
ds,
@ -935,6 +935,17 @@ the way that the Fleet server works.
initFatal(err, "failed to register mdm_apple_profile_manager schedule")
}
if err := cronSchedules.StartCronSchedule(func() (fleet.CronSchedule, error) {
return newWindowsMDMProfileManagerSchedule(
ctx,
instanceID,
ds,
logger,
)
}); err != nil {
initFatal(err, "failed to register mdm_windows_profile_manager schedule")
}
if err := cronSchedules.StartCronSchedule(func() (fleet.CronSchedule, error) {
return newMDMAPNsPusher(
ctx,
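Review bot: the `initFatal` messages spell the schedule names as literals ("mdm_apple_profile_manager", "mdm_windows_profile_manager") while the schedules themselves take their names from `fleet.CronMDMWindowsProfileManager` and its Apple counterpart; build the message from the constant so the two cannot drift.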

View file

@ -299,12 +299,12 @@ func checkABMTeamAssignments(config *spec.GitOps, fleetClient *service.Client) (
return nil, false, false, errors.New(fleet.AppleABMDefaultTeamDeprecatedMessage)
}
abmToks, err := fleetClient.ListABMTokens()
abmToks, err := fleetClient.CountABMTokens()
if err != nil {
return nil, false, false, err
}
if hasLegacyConfig && len(abmToks) > 1 {
if hasLegacyConfig && abmToks > 1 {
return nil, false, false, errors.New(fleet.AppleABMDefaultTeamDeprecatedMessage)
}
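Review bot: `abmToks` now holds an int count rather than a slice, so the name is misleading; rename it to `abmTokenCount`. Moving from `ListABMTokens` to `CountABMTokens` is otherwise the right direction: this path only needs to know whether more than one token exists, so it no longer has to read token contents for a role that should not need them.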

View file

@ -1217,6 +1217,9 @@ func TestGitOpsBasicGlobalAndTeam(t *testing.T) {
ds.ListABMTokensFunc = func(ctx context.Context) ([]*fleet.ABMToken, error) {
return []*fleet.ABMToken{}, nil
}
ds.GetABMTokenCountFunc = func(ctx context.Context) (int, error) {
return 0, nil
}
ds.DeleteSetupExperienceScriptFunc = func(ctx context.Context, teamID *uint) error {
return nil
}
@ -1815,6 +1818,9 @@ func TestGitOpsFullGlobalAndTeam(t *testing.T) {
ds.ListABMTokensFunc = func(ctx context.Context) ([]*fleet.ABMToken, error) {
return []*fleet.ABMToken{}, nil
}
ds.GetABMTokenCountFunc = func(ctx context.Context) (int, error) {
return 0, nil
}
apnsCert, apnsKey, err := mysql.GenerateTestCertBytes()
require.NoError(t, err)
@ -2854,6 +2860,9 @@ software:
}
return []*fleet.ABMToken{{OrganizationName: "Fleet Device Management Inc."}, {OrganizationName: "Foo Inc."}}, nil
}
ds.GetABMTokenCountFunc = func(ctx context.Context) (int, error) {
return len(tt.tokens), nil
}
ds.TeamsSummaryFunc = func(ctx context.Context) ([]*fleet.TeamSummary, error) {
var res []*fleet.TeamSummary
@ -3177,6 +3186,9 @@ software:
ds.ListABMTokensFunc = func(ctx context.Context) ([]*fleet.ABMToken, error) {
return []*fleet.ABMToken{{OrganizationName: "Fleet Device Management Inc."}, {OrganizationName: "Foo Inc."}}, nil
}
ds.GetABMTokenCountFunc = func(ctx context.Context) (int, error) {
return 1, nil
}
ds.TeamsSummaryFunc = func(ctx context.Context) ([]*fleet.TeamSummary, error) {
var res []*fleet.TeamSummary
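Review bot: in this hunk the `GetABMTokenCountFunc` mock returns 1 while the `ListABMTokensFunc` mock directly above it returns two tokens. Since `checkABMTeamAssignments` now consults the count, the two mocks describe different worlds and the `> 1` branch is no longer exercised here; return the length of the same list (as the earlier hunk does with `len(tt.tokens)`) so the mocks stay consistent.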
@ -3219,6 +3231,31 @@ software:
}
}
func TestGitOpsWindowsMigration(t *testing.T) {
cases := []struct {
file string
wantErr string
}{
// booleans are Windows MDM enabled and Windows migration enabled
{"testdata/gitops/global_config_windows_migration_true_true.yml", ""},
{"testdata/gitops/global_config_windows_migration_false_true.yml", "Windows MDM is not enabled"},
{"testdata/gitops/global_config_windows_migration_true_false.yml", ""},
{"testdata/gitops/global_config_windows_migration_false_false.yml", ""},
}
for _, c := range cases {
t.Run(filepath.Base(c.file), func(t *testing.T) {
setupFullGitOpsPremiumServer(t)
_, err := runAppNoChecks([]string{"gitops", "-f", c.file})
if c.wantErr == "" {
require.NoError(t, err)
} else {
require.ErrorContains(t, err, c.wantErr)
}
})
}
}
type memKeyValueStore struct {
m sync.Map
}
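Review bot: the three success cases in `TestGitOpsWindowsMigration` only assert the absence of an error; add a check that the applied config carries the `windows_migration_enabled` value the fixture requests, otherwise a regression that silently drops the setting would pass. The `filepath.Base(c.file)` subtest names also require a `path/filepath` import that is not visible in this hunk; confirm it is present.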

View file

@ -118,6 +118,7 @@
"deadline_days": 7,
"grace_period_days": 3
},
"windows_migration_enabled": false,
"macos_migration": {
"enable": false,
"mode": "",

View file

@ -27,6 +27,7 @@ spec:
volume_purchasing_program: null
windows_enabled_and_configured: false
enable_disk_encryption: false
windows_migration_enabled: false
macos_migration:
enable: false
mode: ""

View file

@ -70,6 +70,7 @@
"deadline_days": 7,
"grace_period_days": 3
},
"windows_migration_enabled": false,
"macos_migration": {
"enable": false,
"mode": "",

View file

@ -27,6 +27,7 @@ spec:
enabled_and_configured: false
windows_enabled_and_configured: false
enable_disk_encryption: false
windows_migration_enabled: false
macos_migration:
enable: false
mode: ""

View file

@ -0,0 +1,75 @@
controls:
macos_settings:
windows_settings:
scripts:
enable_disk_encryption: false
macos_migration:
enable: false
mode: ""
webhook_url: ""
macos_setup:
bootstrap_package: null
enable_end_user_authentication: false
macos_setup_assistant: null
macos_updates:
deadline: null
minimum_version: null
windows_enabled_and_configured: false
windows_migration_enabled: false
windows_updates:
deadline_days: null
grace_period_days: null
queries:
policies:
agent_options:
command_line_flags:
distributed_denylist_duration: 0
config:
decorators:
load:
- SELECT uuid AS host_uuid FROM system_info;
- SELECT hostname AS hostname FROM system_info;
options:
disable_distributed: false
distributed_interval: 10
distributed_plugin: tls
distributed_tls_max_attempts: 3
logger_tls_endpoint: /api/v1/osquery/log
pack_delimiter: /
org_settings:
server_settings:
deferred_save_host: false
enable_analytics: true
live_query_disabled: false
query_report_cap: 2000
query_reports_disabled: false
scripts_disabled: false
server_url: $FLEET_SERVER_URL
ai_features_disabled: true
org_info:
contact_url: https://fleetdm.com/company/contact
org_logo_url: ""
org_logo_url_light_background: ""
org_name: $ORG_NAME
smtp_settings:
sso_settings:
integrations:
mdm:
end_user_authentication:
webhook_settings:
fleet_desktop: # Applies to Fleet Premium only
transparency_url: https://fleetdm.com/transparency
host_expiry_settings: # Applies to all teams
host_expiry_enabled: false
activity_expiry_settings:
activity_expiry_enabled: true
activity_expiry_window: 60
features: # Features added to all teams
enable_host_users: true
enable_software_inventory: true
vulnerability_settings:
databases_path: ""
secrets: # These secrets are used to enroll hosts to the "All teams" team
- secret: SampleSecret123
- secret: ABC
software:

View file

@ -0,0 +1,75 @@
controls:
macos_settings:
windows_settings:
scripts:
enable_disk_encryption: false
macos_migration:
enable: false
mode: ""
webhook_url: ""
macos_setup:
bootstrap_package: null
enable_end_user_authentication: false
macos_setup_assistant: null
macos_updates:
deadline: null
minimum_version: null
windows_enabled_and_configured: false
windows_migration_enabled: true
windows_updates:
deadline_days: null
grace_period_days: null
queries:
policies:
agent_options:
command_line_flags:
distributed_denylist_duration: 0
config:
decorators:
load:
- SELECT uuid AS host_uuid FROM system_info;
- SELECT hostname AS hostname FROM system_info;
options:
disable_distributed: false
distributed_interval: 10
distributed_plugin: tls
distributed_tls_max_attempts: 3
logger_tls_endpoint: /api/v1/osquery/log
pack_delimiter: /
org_settings:
server_settings:
deferred_save_host: false
enable_analytics: true
live_query_disabled: false
query_report_cap: 2000
query_reports_disabled: false
scripts_disabled: false
server_url: $FLEET_SERVER_URL
ai_features_disabled: true
org_info:
contact_url: https://fleetdm.com/company/contact
org_logo_url: ""
org_logo_url_light_background: ""
org_name: $ORG_NAME
smtp_settings:
sso_settings:
integrations:
mdm:
end_user_authentication:
webhook_settings:
fleet_desktop: # Applies to Fleet Premium only
transparency_url: https://fleetdm.com/transparency
host_expiry_settings: # Applies to all teams
host_expiry_enabled: false
activity_expiry_settings:
activity_expiry_enabled: true
activity_expiry_window: 60
features: # Features added to all teams
enable_host_users: true
enable_software_inventory: true
vulnerability_settings:
databases_path: ""
secrets: # These secrets are used to enroll hosts to the "All teams" team
- secret: SampleSecret123
- secret: ABC
software:

View file

@ -0,0 +1,75 @@
controls:
macos_settings:
windows_settings:
scripts:
enable_disk_encryption: false
macos_migration:
enable: false
mode: ""
webhook_url: ""
macos_setup:
bootstrap_package: null
enable_end_user_authentication: false
macos_setup_assistant: null
macos_updates:
deadline: null
minimum_version: null
windows_enabled_and_configured: true
windows_migration_enabled: false
windows_updates:
deadline_days: null
grace_period_days: null
queries:
policies:
agent_options:
command_line_flags:
distributed_denylist_duration: 0
config:
decorators:
load:
- SELECT uuid AS host_uuid FROM system_info;
- SELECT hostname AS hostname FROM system_info;
options:
disable_distributed: false
distributed_interval: 10
distributed_plugin: tls
distributed_tls_max_attempts: 3
logger_tls_endpoint: /api/v1/osquery/log
pack_delimiter: /
org_settings:
server_settings:
deferred_save_host: false
enable_analytics: true
live_query_disabled: false
query_report_cap: 2000
query_reports_disabled: false
scripts_disabled: false
server_url: $FLEET_SERVER_URL
ai_features_disabled: true
org_info:
contact_url: https://fleetdm.com/company/contact
org_logo_url: ""
org_logo_url_light_background: ""
org_name: $ORG_NAME
smtp_settings:
sso_settings:
integrations:
mdm:
end_user_authentication:
webhook_settings:
fleet_desktop: # Applies to Fleet Premium only
transparency_url: https://fleetdm.com/transparency
host_expiry_settings: # Applies to all teams
host_expiry_enabled: false
activity_expiry_settings:
activity_expiry_enabled: true
activity_expiry_window: 60
features: # Features added to all teams
enable_host_users: true
enable_software_inventory: true
vulnerability_settings:
databases_path: ""
secrets: # These secrets are used to enroll hosts to the "All teams" team
- secret: SampleSecret123
- secret: ABC
software:

View file

@ -0,0 +1,75 @@
controls:
macos_settings:
windows_settings:
scripts:
enable_disk_encryption: false
macos_migration:
enable: false
mode: ""
webhook_url: ""
macos_setup:
bootstrap_package: null
enable_end_user_authentication: false
macos_setup_assistant: null
macos_updates:
deadline: null
minimum_version: null
windows_enabled_and_configured: true
windows_migration_enabled: true
windows_updates:
deadline_days: null
grace_period_days: null
queries:
policies:
agent_options:
command_line_flags:
distributed_denylist_duration: 0
config:
decorators:
load:
- SELECT uuid AS host_uuid FROM system_info;
- SELECT hostname AS hostname FROM system_info;
options:
disable_distributed: false
distributed_interval: 10
distributed_plugin: tls
distributed_tls_max_attempts: 3
logger_tls_endpoint: /api/v1/osquery/log
pack_delimiter: /
org_settings:
server_settings:
deferred_save_host: false
enable_analytics: true
live_query_disabled: false
query_report_cap: 2000
query_reports_disabled: false
scripts_disabled: false
server_url: $FLEET_SERVER_URL
ai_features_disabled: true
org_info:
contact_url: https://fleetdm.com/company/contact
org_logo_url: ""
org_logo_url_light_background: ""
org_name: $ORG_NAME
smtp_settings:
sso_settings:
integrations:
mdm:
end_user_authentication:
webhook_settings:
fleet_desktop: # Applies to Fleet Premium only
transparency_url: https://fleetdm.com/transparency
host_expiry_settings: # Applies to all teams
host_expiry_enabled: false
activity_expiry_settings:
activity_expiry_enabled: true
activity_expiry_window: 60
features: # Features added to all teams
enable_host_users: true
enable_software_inventory: true
vulnerability_settings:
databases_path: ""
secrets: # These secrets are used to enroll hosts to the "All teams" team
- secret: SampleSecret123
- secret: ABC
software:
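Review bot: this fixture and the three preceding 75-line ones are identical except for `windows_enabled_and_configured` and `windows_migration_enabled`; consider one template with the two booleans substituted per test case (writing a temp file per case), so that future schema changes do not have to be applied four times.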

View file

@ -27,6 +27,7 @@ spec:
enabled_and_configured: true
windows_enabled_and_configured: false
enable_disk_encryption: false
windows_migration_enabled: false
macos_migration:
enable: false
mode: ""

View file

@ -27,6 +27,7 @@ spec:
enabled_and_configured: true
windows_enabled_and_configured: false
enable_disk_encryption: false
windows_migration_enabled: false
macos_migration:
enable: false
mode: ""

View file

@ -894,6 +894,18 @@ Generated when a user turns off MDM features for all Windows hosts.
This activity does not contain any detail fields.
## enabled_windows_mdm_migration
Generated when a user enables automatic MDM migration for Windows hosts, if Windows MDM is turned on.
This activity does not contain any detail fields.
## disabled_windows_mdm_migration
Generated when a user disables automatic MDM migration for Windows hosts, if Windows MDM is turned on.
This activity does not contain any detail fields.
## ran_script
Generated when a script is sent to be run for a host.

View file

@ -500,6 +500,19 @@ for pagination. For a comprehensive list of activity types and detailed informat
"status": "failed_install"
}
},
{
"created_at": "2021-07-29T14:40:27Z",
"id": 21,
"actor_full_name": "name",
"actor_id": 1,
"actor_gravatar": "",
"actor_email": "name@example.com",
"type": "created_team",
"details": {
"team_id": 2,
"team_name": "Apples"
}
},
{
"created_at": "2021-07-30T13:41:07Z",
"id": 24,
@ -541,80 +554,6 @@ for pagination. For a comprehensive list of activity types and detailed informat
"team_name": "Oranges"
}
},
{
"created_at": "2021-07-29T14:40:27Z",
"id": 21,
"actor_full_name": "name",
"actor_id": 1,
"actor_gravatar": "",
"actor_email": "name@example.com",
"type": "created_team",
"details": {
"team_id": 2,
"team_name": "Apples"
}
},
{
"created_at": "2021-07-27T14:35:08Z",
"id": 20,
"actor_full_name": "name",
"actor_id": 1,
"actor_gravatar": "",
"actor_email": "name@example.com",
"type": "created_pack",
"details": {
"pack_id": 2,
"pack_name": "New pack"
}
},
{
"created_at": "2021-07-27T13:25:21Z",
"id": 19,
"actor_full_name": "name",
"actor_id": 1,
"actor_gravatar": "",
"actor_email": "name@example.com",
"type": "live_query",
"details": {
"targets_count": 14
}
},
{
"created_at": "2021-07-27T13:25:14Z",
"id": 18,
"actor_full_name": "name",
"actor_id": 1,
"actor_gravatar": "",
"actor_email": "name@example.com",
"type": "live_query",
"details": {
"targets_count": 14
}
},
{
"created_at": "2021-07-26T19:28:24Z",
"id": 17,
"actor_full_name": "name",
"actor_id": 1,
"actor_gravatar": "",
"actor_email": "name@example.com",
"type": "live_query",
"details": {
"target_counts": 1
}
},
{
"created_at": "2021-07-26T17:27:37Z",
"id": 16,
"actor_full_name": "name",
"actor_id": 1,
"actor_gravatar": "",
"actor_email": "name@example.com",
"type": "live_query",
"details": {
"target_counts": 14
}
},
{
"created_at": "2021-07-26T17:27:08Z",
"id": 15,
@ -2543,11 +2482,13 @@ the `software` table.
| bootstrap_package | string | query | _Available in Fleet Premium_. Filters the hosts by the status of the MDM bootstrap package on the host. Valid options are 'installed', 'pending', or 'failed'. |
| os_settings | string | query | Filters the hosts by the status of the operating system settings applied to the hosts. Valid options are 'verified', 'verifying', 'pending', or 'failed'. **Note: If this filter is used in Fleet Premium without a team ID filter, the results include only hosts that are not assigned to any team.** |
| os_settings_disk_encryption | string | query | Filters the hosts by the status of the disk encryption setting applied to the hosts. Valid options are 'verified', 'verifying', 'action_required', 'enforcing', 'failed', or 'removing_enforcement'. **Note: If this filter is used in Fleet Premium without a team ID filter, the results include only hosts that are not assigned to any team.** |
| populate_software | boolean | query | If `true`, the response will include a list of installed software for each host, including vulnerability data. (Note that software lists can be large, so this may cause significant CPU and RAM usage depending on page size and request concurrency.) |
| populate_software | string | query | If `false` (or omitted), omits installed software details for each host. If `"without_vulnerability_details"`, include a list of installed software for each host, including which CVEs apply to the installed software versions. `true` adds vulnerability description, CVSS score, and other details when using Fleet Premium. See notes below on performance. |
| populate_policies | boolean | query | If `true`, the response will include policy data for each host. |
> `software_id` is deprecated as of Fleet 4.42. It is maintained for backwards compatibility. Please use the `software_version_id` instead.
> `populate_software` returns a lot of data per host when set, and drastically more data when set to `true` on Fleet Premium. If you need vulnerability details for a large number of hosts, consider setting `populate_software` to `without_vulnerability_details` and pulling vulnerability details from the [Get vulnerability](#get-vulnerability) endpoint, as this returns details once per vulnerability rather than once per vulnerability per host.
If `software_title_id` is specified, an additional top-level key `"software_title"` is returned with the software title object corresponding to the `software_title_id`. See [List software](#list-software) response payload for details about this object.
If `software_version_id` is specified, an additional top-level key `"software"` is returned with the software object corresponding to the `software_version_id`. See [List software versions](#list-software-versions) response payload for details about this object.
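Review bot: the documented value `without_vulnerability_details` (in the `populate_software` row and the note beneath it) does not match the changelog entry elsewhere in this commit, which names `populate_software=without_vulnerability_descriptions`; one of them is wrong and API clients will copy whichever they read first. Since the parameter is now typed as a string, list the accepted values explicitly (`true`, `false`, and the string form), and make the tenses agree ("omits ... include ... adds").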
@ -5729,12 +5670,12 @@ Get aggregate disk encryption status counts of macOS and Windows hosts enrolled
```json
{
"verified": {"macos": 123, "windows": 123},
"verifying": {"macos": 123, "windows": 0},
"action_required": {"macos": 123, "windows": 0},
"enforcing": {"macos": 123, "windows": 123},
"failed": {"macos": 123, "windows": 123},
"removing_enforcement": {"macos": 123, "windows": 0},
"verified": {"macos": 123, "windows": 123, "linux": 13},
"verifying": {"macos": 123, "windows": 0, "linux": 0},
"action_required": {"macos": 123, "windows": 0, "linux": 37},
"enforcing": {"macos": 123, "windows": 123, "linux": 0},
"failed": {"macos": 123, "windows": 123, "linux": 0},
"removing_enforcement": {"macos": 123, "windows": 0, "linux": 0}
}
```
@ -5838,6 +5779,8 @@ Sets the custom MDM setup enrollment profile for a team or no team.
}
```
> NOTE: The `ConfigurationWebURL` and `URL` values in the custom MDM setup enrollment profile are automatically populated. Attempting to populate them with custom values may generate server response errors.
### Get custom MDM setup enrollment profile
_Available in Fleet Premium_
@ -7656,6 +7599,9 @@ Returns a list of global queries or team queries.
| team_id | integer | query | _Available in Fleet Premium_. The ID of the parent team for the queries to be listed. When omitted, returns global queries. |
| query | string | query | Search query keywords. Searchable fields include `name`. |
| merge_inherited | boolean | query | _Available in Fleet Premium_. If `true`, will include global queries in addition to team queries when filtering by `team_id`. (If no `team_id` is provided, this parameter is ignored.) |
| compatible_platform | string | query | Return queries that only reference tables compatible with this platform (not a strict compatibility check). One of: `"macos"`, `"windows"`, `"linux"`, `"chrome"` (case-insensitive). |
| page | integer | query | Page number of the results to fetch. |
| per_page | integer | query | Results per page. |
#### Example
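Review bot: "(not a strict compatibility check)" leaves the reader guessing what can slip through; state what the check does and does not verify (for example, whether it only inspects table names and ignores columns), so callers know when to expect queries that will not actually run on the platform.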
@ -7744,7 +7690,12 @@ Returns a list of global queries or team queries.
"total_executions": null
}
}
]
],
"meta": {
"has_next_results": true,
"has_previous_results": false
},
"count": 200
}
```
@ -9367,6 +9318,7 @@ Returns information about the specified software. By default, `versions` are sor
}
},
"app_store_app": null,
"counts_updated_at": "2024-11-03T22:39:36Z",
"source": "apps",
"browser": "",
"hosts_count": 48,

View file

@ -16,7 +16,10 @@ module.exports = {
exits: {
softwareDeletionFailed: {
description: 'The specified software could not be deleted from the Fleet instance.',
statusCode: 409,
}
},
@ -34,6 +37,11 @@ module.exports = {
headers: {
Authorization: `Bearer ${sails.config.custom.fleetApiToken}`,
}
})
.intercept({raw:{statusCode: 409}}, (error)=>{
// If the Fleet instance's returns a 409 response, then the software is configured to be installed as
// part of the macOS setup experience, and must be removed before it can be deleted via API requests.
return {softwareDeletionFailed: error};
});
}
}
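Review bot: the comment in the `.intercept` reads "If the Fleet instance's returns a 409 response"; drop the possessive. More usefully, the reason the comment gives (the installer is part of the macOS setup experience and must be removed there first) is exactly what a caller hitting `softwareDeletionFailed` needs, and it is absent from that exit's description; surface it there instead of only in a code comment.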

View file

@ -46,9 +46,23 @@ module.exports = {
description: 'The provided replacement software\'s has the wrong extension.',
statusCode: 400,
},
softwareUploadFailed: {
description: 'The software upload failed'
}
},
softwareAlreadyExistsOnThisTeam: {
description: 'A software installer with this name already exists on the Fleet Instance',
},
couldNotReadVersion: {
description:'Fleet could not read version information from the provided software installer.'
},
softwareDeletionFailed: {
description: 'The specified software could not be deleted from the Fleet instance.',
statusCode: 409,
},
},
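Review bot: `softwareUploadFailed`, `softwareAlreadyExistsOnThisTeam` and `couldNotReadVersion` define no `statusCode`, so Sails will treat them as server errors, while `softwareDeletionFailed` gets 409. The duplicate and unreadable-installer cases are client errors (the upstream API answers 409 and 400 for them); give those exits matching status codes so callers can tell them apart from genuine server failures.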
@ -84,6 +98,9 @@ module.exports = {
headers: {
Authorization: `Bearer ${sails.config.custom.fleetApiToken}`,
}
})
.intercept('non200Response', (error)=>{
return new Error(`When attempting to transfer the installer for ${software.name} to a new team on the Fleet instance, the Fleet isntance returned a non-200 response when a request was sent to get a download stream of the installer on team_id ${teamIdToGetInstallerFrom}. Full Error: ${require('util').inspect(error, {depth: 1})}`);
});
let tempUploadedSoftware = await sails.uploadOne(softwareStream, {bucket: sails.config.uploads.bucketWithPostfix});
softwareFd = tempUploadedSoftware.fd;
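Review bot: typo "isntance" in the thrown error message; also "a request was sent to get a download stream of the installer on team_id" would read better as "requesting a download stream of the installer from team_id".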
@ -164,7 +181,35 @@ module.exports = {
}
};
},
})
}
)
.intercept({response: {status: 409}}, async (error)=>{// handles errors related to duplicate software items.
if(!software.id) {// If the software does not have an ID, it not stored in the app's database/s3 bucket, so we can safely delete the file in s3.
await sails.rm(sails.config.uploads.prefixForFileDeletion+softwareFd);
}
return {'softwareAlreadyExistsOnThisTeam': error};
})
.intercept({name: 'AxiosError', response: {status: 400}}, async (error)=>{// Handles errors related to malformed installer packages
if(!software.id) {// If the software does not have an ID, it not stored in the app's database/s3 bucket, so we can safely delete the file in s3.
await sails.rm(sails.config.uploads.prefixForFileDeletion+softwareFd);
}
let axiosError = error;
if(axiosError.response.data) {
if(axiosError.response.data.errors && _.isArray(axiosError.response.data.errors)){
if(axiosError.response.data.errors[0] && axiosError.response.data.errors[0].reason) {
let errorMessageFromFleetInstance = axiosError.response.data.errors[0].reason;
if(_.startsWith(errorMessageFromFleetInstance, `Couldn't add. Fleet couldn't read the version`)){
return 'couldNotReadVersion';
} else {
sails.log.warn(`When attempting to upload a software installer, an unexpected error occurred communicating with the Fleet API. Error returned from Fleet API: ${errorMessageFromFleetInstance}`);
return {'softwareUploadFailed': error};
}
}
}
}
sails.log.warn(`When attempting to upload a software installer, an unexpected error occurred communicating with the Fleet API, ${require('util').inspect(error, {depth: 3})}`);
return {'softwareUploadFailed': error};
})
.intercept(async (error)=>{
// Note: with this current behavior, all errors from this upload are currently swallowed and a softwareUploadFailed response is returned.
// FUTURE: Test to make sure that uploading duplicate software to a team results in a 409 response.
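Review bot: the trailing comment in the catch-all intercept ("all errors from this upload are currently swallowed" and "FUTURE: Test to make sure that uploading duplicate software to a team results in a 409 response") is now stale, because the 409 case is handled explicitly by the `.intercept({response: {status: 409}}, ...)` added just above it and 400s are split out as well; update or drop it. In the 400 branch, only the `Couldn't add. Fleet couldn't read the version` reason is recognised and every other 400 is logged as "an unexpected error occurred communicating with the Fleet API", although a 400 means Fleet rejected the package; the warn message should say so and include `error.response.status`.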
@ -173,7 +218,7 @@ module.exports = {
await sails.rm(sails.config.uploads.prefixForFileDeletion+softwareFd);
}
// Log a warning containing an error
sails.log.warn(`When attempting to upload a software installer, an unexpected error occurred communicating with the Fleet API, ${require('util').inspect(error, {depth: 0})}`);
sails.log.warn(`When attempting to upload a software installer, an unexpected error occurred communicating with the Fleet API, Full error: ${require('util').inspect(error, {depth: 2})}`);
return {'softwareUploadFailed': error};
});
// console.timeEnd(`transfering ${software.name} to fleet instance for team id ${team}`);
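Review bot: raising the inspect depth from 0 to 2 here (and to 3 in the intercepts above) is likely to write the Fleet API token into the warn log. These are `AxiosError`s, which carry the request `config`, and `config.headers` holds the `Authorization: Bearer ${sails.config.custom.fleetApiToken}` header set on the request; at depth 2 `error.config.headers` is still expanded, and `error.request` exposes the raw header string at an even shallower level. Prefer logging `error.message`, `error.response.status` and `error.response.data` explicitly instead of `require('util').inspect(error, ...)` on the whole object; the same applies to the other inspect calls in this file and in the upload action. Please verify against an actual failed request before merging.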
@ -183,15 +228,6 @@ module.exports = {
// If a new installer package was provided, send patch requests to update the installer package on teams that it is already deployed to.
await sails.helpers.flow.simultaneouslyForEach(unchangedTeamIds, async (teamApid)=>{
// console.log(`Adding new version of ${softwareName} to teamId ${teamApid}`);
await sails.helpers.http.sendHttpRequest.with({
method: 'DELETE',
baseUrl: sails.config.custom.fleetBaseUrl,
url: `/api/v1/fleet/software/titles/${software.fleetApid}/available_for_install?team_id=${teamApid}`,
headers: {
Authorization: `Bearer ${sails.config.custom.fleetApiToken}`,
}
});
// console.log(`transfering the changed installer ${software.name} to fleet instance for team id ${teamApid}`);
// console.time(`transfering ${software.name} to fleet instance for team id ${teamApid}`);
await sails.cp(softwareFd, {bucket: sails.config.uploads.bucketWithPostfix},
{
@ -220,7 +256,7 @@ module.exports = {
contentType: 'application/octet-stream'
});
(async ()=>{
await axios.post(`${sails.config.custom.fleetBaseUrl}/api/v1/fleet/software/package`, form, {
await axios.patch(`${sails.config.custom.fleetBaseUrl}/api/v1/fleet/software/titles/${software.fleetApid}/package`, form, {
headers: {
Authorization: `Bearer ${sails.config.custom.fleetApiToken}`,
...form.getHeaders()
@ -240,6 +276,33 @@ module.exports = {
};
},
})
.intercept({response: {status: 409}}, async (error)=>{// handles errors related to duplicate software items.
if(!software.id) {// If the software does not have an ID, it not stored in the app's database/s3 bucket, so we can safely delete the file in s3.
await sails.rm(sails.config.uploads.prefixForFileDeletion+softwareFd);
}
return {'softwareAlreadyExistsOnThisTeam': error};
})
.intercept({name: 'AxiosError', response: {status: 400}}, async (error)=>{// Handles errors related to malformed installer packages
if(!software.id) {// If the software does not have an ID, it not stored in the app's database/s3 bucket, so we can safely delete the file in s3.
await sails.rm(sails.config.uploads.prefixForFileDeletion+softwareFd);
}
let axiosError = error;
if(axiosError.response.data) {
if(axiosError.response.data.errors && _.isArray(axiosError.response.data.errors)){
if(axiosError.response.data.errors[0] && axiosError.response.data.errors[0].reason) {
let errorMessageFromFleetInstance = axiosError.response.data.errors[0].reason;
if(_.startsWith(errorMessageFromFleetInstance, `Couldn't add. Fleet couldn't read the version`)){
return 'couldNotReadVersion';
} else {
sails.log.warn(`When attempting to upload a software installer, an unexpected error occurred communicating with the Fleet API. Error returned from Fleet API: ${errorMessageFromFleetInstance}`);
return {'softwareUploadFailed': error};
}
}
}
}
sails.log.warn(`When attempting to upload a software installer, an unexpected error occurred communicating with the Fleet API, ${require('util').inspect(error, {depth: 3})}`);
return {'softwareUploadFailed': error};
})
.intercept(async (error)=>{
// Note: with this current behavior, all errors from this upload are currently swallowed and a softwareUploadFailed response is returned.
// FUTURE: Test to make sure that uploading duplicate software to a team results in a 409 response.
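Review bot: these 409 and 400 intercepts run inside `sails.helpers.flow.simultaneouslyForEach(unchangedTeamIds, ...)`, and each calls `sails.rm(sails.config.uploads.prefixForFileDeletion+softwareFd)` when `!software.id` while sibling iterations may still be reading the same object via `sails.cp(softwareFd, ...)`. One team's failure can therefore delete the installer out from under another team's in-flight copy, and returning `softwareAlreadyExistsOnThisTeam` from the first failure aborts the loop with the remaining teams half-updated. Move the cleanup to after all teams have settled and collect per-team failures before returning an exit; also check whether `!software.id` can be true on this path at all, since `unchangedTeamIds` implies an existing record. This is the third copy of the same 409/400 handling in the PR (edit action twice, upload action once); a shared helper would keep them in sync.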
@ -248,7 +311,7 @@ module.exports = {
await sails.rm(sails.config.uploads.prefixForFileDeletion+softwareFd);
}
// Log a warning containing an error
sails.log.warn(`When attempting to upload a software installer, an unexpected error occurred communicating with the Fleet API, ${require('util').inspect(error, {depth: 0})}`);
sails.log.warn(`When attempting to upload a software installer, an unexpected error occurred communicating with the Fleet API, ${require('util').inspect(error, {depth: 2})}`);
return {'softwareUploadFailed': error};
});
// console.timeEnd(`transfering ${software.name} to fleet instance for team id ${teamApid}`);
@ -285,6 +348,11 @@ module.exports = {
headers: {
Authorization: `Bearer ${sails.config.custom.fleetApiToken}`,
}
})
.intercept({raw:{statusCode: 409}}, (error)=>{
// If the Fleet instance's returns a 409 response, then the software is configured to be installed as
// part of the macOS setup experience, and must be removed before it can be deleted via API requests.
return {softwareDeletionFailed: error};
});
}
// If the software had been previously undeployed, delete the installer in s3 and the db record.
@ -295,9 +363,23 @@ module.exports = {
} else if(software.teams && newTeamIds.length === 0) {
// If this is a deployed software that is being unassigned, save information about the uploaded file in our s3 bucket.
for(let team of software.teams) {
// Now delete the software on the Fleet instance.
await sails.helpers.http.sendHttpRequest.with({
method: 'DELETE',
baseUrl: sails.config.custom.fleetBaseUrl,
url: `/api/v1/fleet/software/titles/${software.fleetApid}/available_for_install?team_id=${team.fleetApid}`,
headers: {
Authorization: `Bearer ${sails.config.custom.fleetApiToken}`,
}
})
.intercept({raw:{statusCode: 409}}, (error)=>{
// If the Fleet instance's returns a 409 response, then the software is configured to be installed as
// part of the macOS setup experience, and must be removed before it can be deleted via API requests.
return {softwareDeletionFailed: error};
});
}
if(newSoftware) {
// remove the old copy.
// console.log('Removing old package for ',softwareName);
await UndeployedSoftware.create({
uploadFd: softwareFd,
uploadMime: softwareMime,
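Review bot: with the DELETE now issued per team inside `for(let team of software.teams)`, a 409 on the second team returns `softwareDeletionFailed` after the first team's installer has already been removed from Fleet, while the `UndeployedSoftware.create(...)` below and the app's own record are never updated. Fleet and the app's database then disagree about which teams still have the software. Consider checking every team for the setup-experience conflict before deleting from any of them, or processing all teams, collecting failures, and only then returning the exit with the list of teams that could not be removed.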
@ -321,17 +403,6 @@ module.exports = {
uninstallScript,
});
}
// Now delete the software on the Fleet instance.
for(let team of software.teams) {
await sails.helpers.http.sendHttpRequest.with({
method: 'DELETE',
baseUrl: sails.config.custom.fleetBaseUrl,
url: `/api/v1/fleet/software/titles/${software.fleetApid}/available_for_install?team_id=${team.fleetApid}`,
headers: {
Authorization: `Bearer ${sails.config.custom.fleetApiToken}`,
}
});
}
} else {
// console.log('updating existing db record!');

View file

@ -35,6 +35,10 @@ module.exports = {
softwareUploadFailed: {
description:'An unexpected error occurred communicating with the Fleet API'
},
couldNotReadVersion: {
description:'Fleet could not read version information from the provided software installer.'
}
},
@ -100,13 +104,32 @@ module.exports = {
};
}
})
.intercept({response: {status: 409}}, async (error)=>{
.intercept({response: {status: 409}}, async (error)=>{// handles errors related to duplicate software items.
await sails.rm(sails.config.uploads.prefixForFileDeletion+uploadedSoftware.fd);
return {'softwareAlreadyExistsOnThisTeam': error};
})
.intercept({name: 'AxiosError'}, async (error)=>{
.intercept({name: 'AxiosError', response: {status: 400}}, async (error)=>{// Handles errors related to malformed installer packages
await sails.rm(sails.config.uploads.prefixForFileDeletion+uploadedSoftware.fd);
sails.log.warn(`When attempting to upload a software installer, an unexpected error occurred communicating with the Fleet API, ${require('util').inspect(error, {depth: 0})}`);
let axiosError = error;
if(axiosError.response.data) {
if(axiosError.response.data.errors && _.isArray(axiosError.response.data.errors)){
if(axiosError.response.data.errors[0] && axiosError.response.data.errors[0].reason) {
let errorMessageFromFleetInstance = axiosError.response.data.errors[0].reason;
if(_.startsWith(errorMessageFromFleetInstance, `Couldn't add. Fleet couldn't read the version`)){
return 'couldNotReadVersion';
} else {
sails.log.warn(`When attempting to upload a software installer, an unexpected error occurred communicating with the Fleet API. Error returned from Fleet API: ${errorMessageFromFleetInstance}`);
return {'softwareUploadFailed': error};
}
}
}
}
sails.log.warn(`When attempting to upload a software installer, an unexpected error occurred communicating with the Fleet API, ${require('util').inspect(error, {depth: 3})}`);
return {'softwareUploadFailed': error};
})
.intercept({name: 'AxiosError'}, async (error)=>{// Handles any other error.
await sails.rm(sails.config.uploads.prefixForFileDeletion+uploadedSoftware.fd);
sails.log.warn(`When attempting to upload a software installer, an unexpected error occurred communicating with the Fleet API, ${require('util').inspect(error, {depth: 3})}`);
return {'softwareUploadFailed': error};
});
}
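Review bot: mapping to `couldNotReadVersion` via `_.startsWith(errorMessageFromFleetInstance, \`Couldn't add. Fleet couldn't read the version\`)` keys on a human-readable message, so any wording change on the Fleet side silently degrades this to the generic `softwareUploadFailed` path. If Fleet exposes a stable error code or name for this case, match on that; otherwise keep the expected prefix in one shared constant rather than duplicating the literal across this action and the edit action. The four nested `if`s over `axiosError.response.data.errors[0].reason` collapse to `_.get(error, 'response.data.errors[0].reason')` (lodash is already in scope as `_`). Minor: the final `.intercept({name: 'AxiosError'}, ...)` repeats the cleanup and log line of the 400 branch, and a non-Axios error thrown in this chain (for example from `sails.rm` itself) still bypasses both, leaving `uploadedSoftware.fd` in the bucket.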

View file

@ -104,7 +104,7 @@ module.exports = {
let undeployedSoftware = await UndeployedSoftware.find();
allSoftware = allSoftware.concat(undeployedSoftware);
return {software: allSoftware, teams};
return {software: allSoftware, teams, fleetBaseUrl: sails.config.custom.fleetBaseUrl};
}

View file

@ -145,8 +145,11 @@
<p class="mb-2"><strong>Teams</strong></p>
<multifield :value="formData.teams" v-model="formData.newTeamIds" input-type="teamSelect" :select-options="teams" add-button-text="Add team"></multifield>
</div>
<cloud-error v-if="cloudError && cloudError.exit === 'wrongInstallerExtension'">{{cloudError.responseInfo.body}}</cloud-error>
<cloud-error v-else-if="cloudError"></cloud-error>
<cloud-error class="mb-2" v-if="cloudError && cloudError.exit === 'wrongInstallerExtension'">{{cloudError.responseInfo.body}}</cloud-error>
<cloud-error class="mb-2" v-else-if="cloudError && cloudError === 'couldNotReadVersion'">The Fleet instance could not read version information from the provided software installer.</cloud-error>
<cloud-error class="mb-2" v-else-if="cloudError && cloudError === 'softwareDeletionFailed'">This software has been configured to be installed as part of the macOS setup experience and cannot be removed from a team. Please remove this software from any teams you want to remove this from in the <a :href="`${fleetBaseUrl}/controls/setup-experience/install-software`" target="_blank">"Setup experience" tab of the Controls page</a> on your Fleet instance and try again </cloud-error>
<cloud-error class="mb-2" v-else-if="cloudError && cloudError === 'softwareAlreadyExistsOnThisTeam'">An error occured when transfering this software to a new team. A software installer with the same name as this software already exists on one or more of the selected teams.</cloud-error>
<cloud-error class="mb-2" v-else-if="cloudError"></cloud-error>
<div purpose="modal-buttons" class="d-flex flex-row justify-content-end align-items-center">
<ajax-button :syncing.sync="syncing" purpose="modal-button" type="submit">Save</ajax-button>
</div>
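Review bot: typos in the new `softwareAlreadyExistsOnThisTeam` message ("occured", "transfering"), and the `softwareDeletionFailed` message ends with "try again " (trailing space, no period). The `<a :href="\`${fleetBaseUrl}/controls/setup-experience/install-software\`" target="_blank">` link should carry `rel="noopener noreferrer"`; `fleetBaseUrl` comes from server config, so this is hygiene rather than a live issue, but it is the usual convention for `_blank` links in this codebase's templates.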
@ -163,7 +166,8 @@
</div>
<p>{{formData.software.name}} will be removed from your library.</p>
<ajax-form :handle-submitting="handleSubmittingDeleteSoftwareForm" :syncing.sync="syncing" :cloud-error.sync="cloudError" :form-errors.sync="formErrors" :form-data="formData" :form-rules="editSoftwareFormRules" @submitted="submittedForm()">
<cloud-error v-if="cloudError"></cloud-error>
<cloud-error v-if="cloudError && cloudError === 'softwareDeletionFailed'">This software has been configured to be installed as part of the macOS setup experience and cannot be deleted. Please remove this software from all teams the <a :href="`${fleetBaseUrl}/controls/setup-experience/install-software`" target="_blank">"Setup experience" tab of the Controls page</a> on your Fleet instance and try again </cloud-error>
<cloud-error v-else-if="cloudError"></cloud-error>
<div class="d-flex flex-row justify-content-end align-items-center">
<a class="mr-3" style="color: #D66C7B; cursor: pointer;" @click="closeModal()">Cancel</a>
<ajax-button class="btn" purpose="delete-button" :syncing.sync="syncing">Delete</ajax-button>
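Review bot: the new `softwareDeletionFailed` message in the delete modal reads "remove this software from all teams the "Setup experience" tab", missing "in" before "the", and ends with "try again " (trailing space, no period). The `target="_blank"` link to `${fleetBaseUrl}/controls/setup-experience/install-software` should also carry `rel="noopener noreferrer"`.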
@ -188,6 +192,7 @@
</div>
<div class="invalid-feedback text-center" v-if="formErrors.teams">Please select the teams you want to deploy this software to.</div>
<cloud-error v-if="cloudError && cloudError === 'softwareAlreadyExistsOnThisTeam'">A software with the same name as the uploaded software already exists on one or more of the selected teams.</cloud-error>
<cloud-error v-if="cloudError && cloudError === 'couldNotReadVersion'">The Fleet instance could not read version information from the provided software installer.</cloud-error>
<cloud-error v-else-if="cloudError"></cloud-error>
<div purpose="modal-buttons" class="d-flex flex-row justify-content-end align-items-center">
<a purpose="cancel-button" @click="closeModal()">Cancel</a>
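Review bot: the new `couldNotReadVersion` line uses `v-if` instead of `v-else-if`, which splits the conditional chain: the generic `<cloud-error v-else-if="cloudError">` now pairs only with the `couldNotReadVersion` branch, so when `cloudError === 'softwareAlreadyExistsOnThisTeam'` both the specific message and the generic fallback render at once. Change it to `v-else-if="cloudError && cloudError === 'couldNotReadVersion'"` so exactly one error is shown.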
