Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-04-21 13:37:30 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 91

Docs v4.66.0 (#27844)

Browse source 
Documentation changes for the 4.66.0 release.

---------

Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com>
Co-authored-by: Marko Lisica <markol.lisica@gmail.com>
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Co-authored-by: Victor Lyuboslavsky <victor@fleetdm.com>
Co-authored-by: George Karr <georgekarrv@users.noreply.github.com>
Co-authored-by: RachelElysia <71795832+RachelElysia@users.noreply.github.com>
Co-authored-by: Ian Littman <iansltx@gmail.com>
Co-authored-by: Eugene <eugene@fleetdm.com>
Co-authored-by: Victor Lyuboslavsky <victor.lyuboslavsky@gmail.com>
Co-authored-by: Scott Gress <scottmgress@gmail.com>
Co-authored-by: Dante Catalfamo <43040593+dantecatalfamo@users.noreply.github.com>
This commit is contained in:
Rachael Shaw 2025-04-04 14:28:09 -05:00 committed by GitHub
parent 9b73f629b2
commit c592c2b24e
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
10 changed files with 346 additions and 39 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

26
articles/filtering-software-by-vulnerability.md
View file

@ -13,21 +13,35 @@ This filtering capability is particularly useful in environments where patch man
* Fleet version 4.56 or later
* Premium users have access to advanced filters by severity level and known exploited vulnerabilities
### Filtering Software by Vulnerability
### Filtering software by vulnerability
1. **Navigate to the Software page**: In your Fleet dashboard, go to the **Software** tab. This will display a list of all the software detected in your environment.
2. **Add filters**: Click on the **Add Filters** button. This will open options for filtering the software list based on specific criteria.
2. **Filtering by vulnerability name**: You can use the search bar to filter software by its name or by a CVE vulnerability name associated with it.
3. **Choose severity level**: From the dropdown menu, select the **Severity level** of vulnerabilities you're interested in. This allows you to focus on software with the highest severity of vulnerabilities, such as "Critical" or "High."
3. **Add filters**: Click on the **Add Filters** button. This will open options for filtering the software list based on specific criteria.
4. **Toggle "Has known exploit"**: You can refine your filter by toggling the **Has known exploit** option. This will filter the software list to show only those with vulnerabilities that have known exploits, enabling you to prioritize these for patching.
4. **Choose severity level**: From the dropdown menu, select the **Severity level** of vulnerabilities you're interested in. This allows you to focus on software with the highest severity of vulnerabilities, such as "Critical" or "High."
5. **Review filtered results**: Once you've applied your filters, the software list will update to show only the software that meets your criteria. This filtered view will help you prioritize which software needs immediate attention in your patching strategy.
5. **Toggle "Has known exploit"**: You can refine your filter by toggling the **Has known exploit** option. This will filter the software list to show only those with vulnerabilities that have known exploits, enabling you to prioritize these for patching.
6. **Review filtered results**: Once you've applied your filters, the software list will update to show only the software that meets your criteria. This filtered view will help you prioritize which software needs immediate attention in your patching strategy.
### Filtering software by vulnerability on the Host details page
In Fleet version 4.66 or later, the same vulnerability filtering functionality is available on the Host details page. To access this:
1. **Navigate to the Hosts page**: In your Fleet dashboard, go to the **Hosts** tab.
2. **Select a host**: Click on a particular host to view its details.
3. **Access the Software tab**: On the Host details page, click on the **Software** tab. This will display a list of all software detected on the host.
4. **Filter software**: Follow steps 3 through 6 from the previous section to filter software by severity, known exploit, etc.
### Using the REST API to filter software for vulnerabilities
Fleet provides a REST API to filter software for vulnerabilities, allowing you to integrate this functionality into your automated workflows. Learn more about Fleet's [REST API](https://fleetdm.com/docs/rest-api/rest-api#vulnerabilities).
Fleet provides a REST API to filter software for vulnerabilities, allowing you to integrate this functionality into your automated workflows. You can use the [REST API documentation for vulnerabilities](https://fleetdm.com/docs/rest-api/rest-api#vulnerabilities) to get started, and the [get host's software](https://fleetdm.com/docs/rest-api/rest-api#get-hosts-software) endpoint to retrieve software information for specific hosts.
## Conclusion

5
articles/queries.md
View file

@ -32,6 +32,11 @@ How to create a query:
4. Select **Save**, enter a name and description for your query, select the frequency that the query should run at, and select **Save query**.
## Targeting hosts using labels
_Available in Fleet Premium._
When creating or editing a query, you can restrict the set of hosts that it will run on by using [labels](https://fleetdm.com/guides/managing-labels-in-fleet). By default, a new query will target all hosts, indicated by the **All Hosts** option being selected beneath the **Targets** setting. If you select **Custom** instead, you will be able to select one or more labels for the query to target. Note that the query will run on any host that matches __any__ of the selected labels. To learn more about labels, see [Managing labels in Fleet](https://fleetdm.com/guides/managing-labels-in-fleet).
## View a query report

7
articles/role-based-access.md
View file

@ -96,7 +96,7 @@ GitOps is an API-only and write-only role that can be used on CI/CD pipelines.
| View all [MDM settings](https://fleetdm.com/docs/using-fleet/mdm-macos-settings) | | | | ✅ | ✅ |
| Edit [macOS setup experience]([https://fleetdm.com/docs/](https://fleetdm.com/guides/macos-setup-experience))\* | | | ✅ | ✅ | ✅ |
| Add and edit identity provider for end user authentication, end user license agreement (EULA), and end user migration workflow\* | | | | ✅ | |
| Add and edit Simple Certificate Enrollment Protocol (SCEP) server\* | | | | ✅ | ✅ |
| Add and edit certificate authorities (CA)\* | | | | ✅ | ✅ |
| Run scripts on hosts | | | ✅ | ✅ | |
| View saved scripts\* | ✅ | ✅ | ✅ | ✅ | |
| Edit/upload saved scripts\* | | | ✅ | ✅ | ✅ |
@ -130,6 +130,7 @@ Users with access to multiple teams can be assigned different roles for each tea
| Filter hosts using [labels](https://fleetdm.com/docs/using-fleet/rest-api#labels) | ✅ | ✅ | ✅ | ✅ | |
| Target hosts using labels | ✅ | ✅ | ✅ | ✅ | |
| Add/remove manual labels to/from hosts | | | ✅ | ✅ | ✅ |
| Create and edit self-authored labels | | | | | ✅ |
| Add and delete hosts | | | ✅ | ✅ | |
| View software | ✅ | ✅ | ✅ | ✅ | |
| Add and delete software | | | ✅ | ✅ | ✅ |
@ -140,7 +141,7 @@ Users with access to multiple teams can be assigned different roles for each tea
| Filter software | ✅ | ✅ | ✅ | ✅ | |
| Run queries designated "**observer can run**" as live queries against hosts | ✅ | ✅ | ✅ | ✅ | |
| Run any query as [live query](https://fleetdm.com/docs/using-fleet/fleet-ui#run-a-query) | | ✅ | ✅ | ✅ | |
| Create, edit, and delete only **self authored** queries | | | ✅ | ✅ | ✅ |
| Create, edit, and delete self-authored queries | | | ✅ | ✅ | ✅ |
| View team queries and their reports | ✅ | ✅ | ✅ | ✅ | |
| View global (inherited) queries and their reports\** | ✅ | ✅ | ✅ | ✅ | |
| Manage [query automations](https://fleetdm.com/docs/using-fleet/fleet-ui#schedule-a-query) | | | ✅ | ✅ | ✅ |
@ -155,7 +156,7 @@ Users with access to multiple teams can be assigned different roles for each tea
| Add and remove team users | | | | ✅ | ✅ |
| Edit team name | | | | ✅ | ✅ |
| Create, edit, and delete [team enroll secrets](https://fleetdm.com/docs/using-fleet/rest-api#get-enroll-secrets-for-a-team) | | | ✅ | ✅ | |
| Read organization settings\* | ✅ | ✅ | ✅ | ✅ | |
| Read organization settings\* | ✅ | ✅ | ✅ | ✅ | |
| Read agent options\* | ✅ | ✅ | ✅ | ✅ | |
| Edit agent options | | | | ✅ | ✅ |
| Initiate [file carving](https://fleetdm.com/docs/using-fleet/rest-api#file-carving) | | | ✅ | ✅ | |

2
articles/secrets-in-scripts-and-configuration-profiles.md
View file

@ -83,7 +83,7 @@ The dollar sign (`$`) can be escaped so it's not considered a variable by using
## Known limitations and issues
- Windows profiles are currently not re-sent to the device when the GitHub action (or GitLab pipeline) runs: [issue #25030](https://github.com/fleetdm/fleet/issues/25030)
- After changing a secret used by a Windows profile, that profile is currently not re-sent to the device when the GitHub action (or GitLab pipeline) runs: [story #27351](https://github.com/fleetdm/fleet/issues/27351)
- Fleet does not hide the secret in script results. DO NOT print/echo your secrets to the console output.
- There is no way to explicitly delete a secret variable. Instead, you can overwrite it with any value.
- Do not use deprecated API endpoint(s) to upload profiles containing secret variables. Use endpoints documented in [Fleet's REST API](https://fleetdm.com/docs/rest-api/rest-api).

159
docs/Configuration/yaml-files.md
View file

@ -4,6 +4,8 @@ Use Fleet's best practice GitOps workflow to manage your computers as code. To l
Fleet GitOps workflow is designed to be applied to all teams at once. However, the flow can be customized to only modify specific teams and/or global settings.
Users that have global admin permissions may apply GitOps configurations globally and to all teams, while users whose permissions are scoped to specific teams may apply settings to only to teams they has permissions to modify.
Any settings not defined in your YAML files (including missing or mispelled keys) will be reset to the default values, which may include deleting assets such as software packages.
The following are the required keys in the `default.yml` and any `teams/team-name.yml` files:
@ -19,7 +21,63 @@ org_settings: # Only default.yml
team_settings: # Only teams/team-name.yml
```
Currently, managing labels and users is only supported using Fleet's UI or [API](https://fleetdm.com/docs/rest-api/rest-api) (YAML coming soon).
You may also wish to create specialized API-Only users which may modify configurations through GitOps, but cannot access fleet through the UI. These specialized users can be created through `fleetctl user create` with the `--api-only` flag, and then assigned the `GitOps` role, and given global or team scope in the UI.
## labels
Labels can be specified in your `default.yml` file using inline configuration or references to separate files in your `lib/` folder.
### Options
For possible options, see the parameters for the [Add label API endpoint](https://fleetdm.com/docs/rest-api/rest-api#add-label).
### Example
#### Inline
`default.yml`
```yaml
labels:
- name: Arm64
description: Hosts on the Arm64 architecture
query: SELECT 1 FROM system_info WHERE cpu_type LIKE "arm64%" OR cpu_type LIKE "aarch64%"
label_membership_type: dynamic
- name: C-Suite
description: Hosts belonging to the C-Suite
label_membership_type: manual
hosts:
- "ceo-laptop"
- "the-CFOs-computer"
```
The `labels:` key is _optional_ in your YAML configuration:
+ If it is omitted, any existing labels created via the UI or API will remain untouched by GitOps.
+ If included, GitOps will replace all existing labels with those specified in the YAML, and any labels referenced in other sections (like [policies](https://fleetdm.com/docs/configuration/yaml-files#policies), [queries](https://fleetdm.com/docs/configuration/yaml-files#queries) or [software](https://fleetdm.com/docs/configuration/yaml-files#software)) _must_ be specified in the `labels` section.
#### Separate file
`lib/labels-name.labels.yml`
```yaml
- name: Arm64
description: Hosts on the Arm64 architecture
query: SELECT 1 FROM system_info WHERE cpu_type LIKE "arm64%" OR cpu_type LIKE "aarch64%"
label_membership_type: dynamic
- name: C-Suite
description: Hosts belonging to the C-Suite
label_membership_type: manual
hosts:
- "ceo-laptop"
- "the-CFOs-computer"
```
`lib/default.yml`
```yaml
labels:
path: ./lib/labels-name.labels.yml
```
## policies
@ -117,6 +175,9 @@ queries:
interval: 300
observer_can_run: false
automations_enabled: false
labels_include_any:
- Engineering
- Customer Support
```
#### Separate file
@ -145,6 +206,65 @@ queries:
```yaml
queries:
- path: ../lib/queries-name.queries.yml
labels_include_any:
- Engineering
- Customer Support
```
## labels
Labels can be specified inline in your `default.yml` file. They can also be specified in separate files in your `lib/` folder.
> `labels` is an optional key: if included, existing labels not listed will be deleted. If the `label` key is omitted, existing labels will stay intact. For this reason, enabling [GitOps mode](https://fleetdm.com/learn-more-about/ui-gitops-mode) _does not_ restrict creating/editing labels via the UI.
### Options
For possible options, see the parameters for the [Add label API endpoint](https://fleetdm.com/docs/rest-api/rest-api#add-label).
### Example
#### Inline
`default.yml`
```yaml
labels:
# Dynamic label:
- name: Windows Arm
description: Windows hosts that are running on Arm64.
query: SELECT * FROM os_version WHERE arch LIKE 'ARM%';
platform: windows
# Manual label
- name: Executive (C-suite) computers
hosts:
- FFHH37NTL8
- F2LYH0KG4Y
- H4D5WYVN0L
```
#### Separate file
`lib/labels-name.labels.yml`
```yaml
# Dynamic label:
- name: Windows Arm
description: Windows hosts that are running on Arm64.
query: SELECT * FROM os_version WHERE arch LIKE 'ARM%';
platform: windows
# Manual label
- name: Executive (C-suite) computers
hosts:
- FFHH37NTL8
- F2LYH0KG4Y
- H4D5WYVN0L
```
`default.yml`
```yaml
labels:
- path: ../lib/labels-name.labels.yml
```
## agent_options
@ -295,8 +415,12 @@ Fleet supports adding [GitHub environment variables](https://docs.github.com/en/
- `$FLEET_VAR_NDES_SCEP_CHALLENGE`
- `$FLEET_VAR_NDES_SCEP_PROXY_URL`
- `$FLEET_VAR_HOST_END_USER_EMAIL_IDP`
- `$FLEET_VAR_CUSTOM_SCEP_CHALLENGE_<CA_NAME>` (`<CA_NAME>` should be replaced with name of the certificate authority configured in [scep_proxy](#scep-proxy).)
- `$FLEET_VAR_CUSTOM_SCEP_PROXY_URL_<CA_NAME>`
- `$FLEET_VAR_DIGICERT_PASSWORD_<CA_NAME>` (`<CA_NAME>` should be replaced with name of the certificate authority configured in [digicert](#digicert).)
- `$FLEET_VAR_DIGICERT_DATA_<CA_NAME>`
Use `labels_include_all` to target hosts that have all labels in the array, `labels_include_any` to target hosts that have any label in the array, or `labels_exclude_any` to target hosts that don't have any of the labels in the array. Only one of `labels_include_all`, `labels_include_any`, or `labels_exclude_any` can be specified. If none are specified, all hosts are targeted.
Use `labels_include_all` to target hosts that have all labels, `labels_include_any` to target hosts that have any label, or `labels_exclude_any` to target hosts that don't have any of the labels. Only one of `labels_include_all`, `labels_include_any`, or `labels_exclude_any` can be specified. If none are specified, all hosts are targeted.
### macos_setup
@ -350,7 +474,7 @@ software:
- Marketing
```
Use `labels_include_any` to target hosts that have any label in the array or `labels_exclude_any` to target hosts that don't have any label in the array. Only one of `labels_include_any` or `labels_exclude_any` can be specified. If neither are specified, all hosts are targeted.
Use `labels_include_any` to target hosts that have any label or `labels_exclude_any` to target hosts that don't have any label. Only one of `labels_include_any` or `labels_exclude_any` can be specified. If neither are specified, all hosts are targeted.
### packages
@ -526,7 +650,7 @@ org_settings:
The `integrations` section lets you configure your Google Calendar, Jira, and Zendesk. After configuration, you can enable [automations](https://fleetdm.com/docs/using-fleet/automations) like calendar event and ticket creation for failing policies. Currently, enabling ticket creation is only available using Fleet's UI or [API](https://fleetdm.com/docs/rest-api/rest-api) (YAML files coming soon).
In addition, you can configure your the SCEP server to help your end users connect to Wi-Fi. Learn more about SCEP and NDES in Fleet [here](https://fleetdm.com/guides/ndes-scep-proxy).
In addition, you can configure your certificate authorities (CA) to help your end users connect to Wi-Fi. Learn more about certificate authorities in Fleet [here](https://fleetdm.com/guides/certificate-authorities).
#### Example
@ -546,11 +670,24 @@ org_settings:
email: user1@example.com
api_token: $ZENDESK_API_TOKEN
group_id: 1234
digicert:
- name: DIGICERT_WIFI
url: https://one.digicert.com
api_token: $DIGICERT_API_TOKEN
profile_id: 926dbcdd-41c4-4fe5-96c3-b6a7f0da81d8
certificate_common_name: $FLEET_VAR_HOST_HARDWARE_SERIAL@example.com
certificate_user_principal_names:
- $FLEET_VAR_HOST_HARDWARE_SERIAL@example.com
certificate_seat_id: $FLEET_VAR_HOST_HARDWARE_SERIAL@example.com
ndes_scep_proxy:
url: https://example.com/certsrv/mscep/mscep.dll
admin_url: https://example.com/certsrv/mscep_admin/
username: Administrator@example.com
password: 'myPassword'
custom_scep_proxy:
- name: SCEP_VPN
url: https://example.com/scep
challenge: $SCEP_VPN_CHALLENGE
```
For secrets, you can add [GitHub environment variables](https://docs.github.com/en/actions/learn-github-actions/variables#defining-environment-variables-for-a-single-workflow)
@ -574,12 +711,26 @@ For secrets, you can add [GitHub environment variables](https://docs.github.com/
- `api_token` is the Zendesk API token (default: `""`).
- `group_id`is found by selecting **Admin > People > Groups** in Zendesk. Find your group and select it. The group ID will appear in the search field.
#### digicert
- `name` is the name of certificate authority that will be used in variables in configuration profiles. Only letters, numbers, and underscores are allowed.
- `url` is the URL to DigiCert One instance (default: `https://one.digicert.com`).
- `api_token` is the token used to authenticate requests to DigiCert.
- `profile_id` is the ID of certificate profile in DigiCert.
- `certificate_common_name` is the certificate's CN.
- `certificate_user_principal_names` is the certificate's user principal names (UPN) attribute in Subject Alternative Name (SAN).
- `certificate_seat_id` is the ID of the DigiCert's seat. Seats are license units in DigiCert.
#### ndes_scep_proxy
- `url` is the URL of the NDES SCEP endpoint (default: `""`).
- `admin_url` is the URL of the NDES admin endpoint (default: `""`).
- `username` is the username of the NDES admin endpoint (default: `""`).
- `password` is the password of the NDES admin endpoint (default: `""`).
#### scep_proxy
- `name` is the name of certificate authority that will be used in variables in configuration profiles. Only letters, numbers, and underscores are allowed.
- `url` is the URL of the Simple Certificate Enrollment Protocol (SCEP) server.
- `challenge` is the static challenge password used to authenticate requests to SCEP server.
### webhook_settings
The `webhook_settings` section lets you define webhook settings for failing policy, vulnerability, and host status automations. Learn more about automations in Fleet [here](https://fleetdm.com/docs/using-fleet/automations).

5
docs/Contributing/API-for-contributors.md
View file

@ -577,6 +577,7 @@ The MDM endpoints exist to support the related command-line interface sub-comman
- [Get Android Enterprise signup URL](#get-android-enterprise-signup-url)
- [Connect Android Enterprise](#connect-android-enterprise)
- [Delete Android Enterprise](#delete-android-enterprise)
- [Get Android enrollment token](#get-android-enrollment-token)
- [Create Android enrollment token](#create-android-enrollment-token)
- [Get Android Enterprise server-sent event](#get-android-enterprise-server-sent-event)
- [Android Enterprise PubSub push endpoint](#android-enterprise-pubsub-push-endpoint)
@ -1029,6 +1030,7 @@ Content-Type: application/octet-stream
| team_id | number | query | _Available in Fleet Premium_ The team ID to apply the custom settings to. Only one of `team_name`/`team_id` can be provided. |
| team_name | string | query | _Available in Fleet Premium_ The name of the team to apply the custom settings to. Only one of `team_name`/`team_id` can be provided. |
| dry_run | bool | query | Validate the provided profiles and return any validation errors, but do not apply the changes. |
| no_cache | bool | query | Do not use the cached version of Fleet's configuration. This parameter should only be used when the configuration was updated less than 1 second ago. |
| profiles | json | body | An array of objects, consisting of a `profile` base64-encoded .mobileconfig or JSON for macOS and XML (Windows) file, `labels_include_all`, `labels_include_any`, or `labels_exclude_any` array of strings (label names), and `name` display name (for Windows configuration profiles and macOS declaration profiles). |
@ -1289,6 +1291,7 @@ This endpoint is used to proxy SCEP requests to the configured SCEP server. It u
### Get Android Enterprise signup URL
> **Experimental feature.** This feature is undergoing rapid improvement, which may result in breaking changes to the API or configuration surface. It is not recommended for use in automated workflows.
This endpoint is used to generate a URL, which opens Google's wizard to create Android Enterprise.
`GET /api/v1/fleet/android_enterprise/signup_url`
@ -1382,6 +1385,7 @@ This endpoint is used to generate enrollment token and enrollment URL which open
### Get Android Enterprise server-sent event
> **Experimental feature.** This feature is undergoing rapid improvement, which may result in breaking changes to the API or configuration surface. It is not recommended for use in automated workflows.
This endpoint is used to get server-sent events (SSE) messages, so that UI know if Android Enterprise is created and bound to Fleet.
`GET /api/v1/fleet/android_enterprise/signup_sse`
@ -1401,6 +1405,7 @@ Android Enterprise successfully connected
### Android Enterprise PubSub push endpoint
> **Experimental feature.** This feature is undergoing rapid improvement, which may result in breaking changes to the API or configuration surface. It is not recommended for use in automated workflows.
This endpoint is used by Google Pub/Sub subscription to push messages to Fleet.
`POST /api/v1/fleet/android_enterprise/pubsub`

12
docs/Contributing/Audit-logs.md
View file

@ -930,6 +930,18 @@ Generated when a user disables automatic MDM migration for Windows hosts, if Win
This activity does not contain any detail fields.
## enabled_android_mdm
Generated when a user turns on MDM features for all Android hosts.
This activity does not contain any detail fields.
## disabled_android_mdm
Generated when a user turns off MDM features for all Android hosts.
This activity does not contain any detail fields.
## ran_script
Generated when a script is sent to be run for a host.

164
docs/REST API/rest-api.md
View file

@ -745,7 +745,7 @@ None.
Returns all information about the Fleet's configuration.
The `agent_options`, `sso_settings` and `smtp_settings` fields are only returned for admin users with global access. Learn more about roles and permissions [here](https://fleetdm.com/guides/role-based-access).
The `agent_options`, `sso_settings` and `smtp_settings` fields are only returned for admin and GitOps users with global access. Learn more about roles and permissions [here](https://fleetdm.com/guides/role-based-access).
`mdm.macos_settings.custom_settings`, `mdm.windows_settings.custom_settings`, and `scripts` only include the configuration profiles and scripts applied using [Fleet's YAML](https://fleetdm.com/docs/configuration/yaml-files). To list profiles or scripts added in the UI or API, use the [List configuration profiles](https://fleetdm.com/docs/rest-api/rest-api#list-custom-os-settings-configuration-profiles) or [List scripts](https://fleetdm.com/docs/rest-api/rest-api#list-scripts) endpoints instead.
@ -974,12 +974,37 @@ None.
}
],
"jira": [],
"digicert": [
{
"name": "DIGICERT_WIFI",
"url": "https://one.digicert.com",
"api_token": "********",
"profile_id": "7ed77396-9186-4bfa-9fa7-63dddc46b8a3",
"certificate_common_name": "$FLEET_VAR_HOST_HARDWARE_SERIAL@example.com",
"certificate_user_principal_names": [
"$FLEET_VAR_HOST_HARDWARE_SERIAL@example.com",
]
"certificate_seat_id": "$FLEET_VAR_HOST_HARDWARE_SERIAL@example.com"
}
],
"ndes_scep_proxy": {
"admin_url": "https://example.com/certsrv/mscep_admin/",
"password": "********",
"url": "https://example.com/certsrv/mscep/mscep.dll",
"username": "Administrator@example.com"
},
"custom_scep_proxy": [
{
"name": "SCEP_WIFI",
"url": "https://example.com/scep",
"challenge": "********",
},
{
"name": "SCEP_VPN",
"url": "https://example.com/scep",
"challenge": "********",
}
],
"zendesk": []
},
"logging": {
@ -1040,7 +1065,7 @@ Modifies the Fleet's configuration with the supplied information.
| fleet_desktop | object | body | See [fleet_desktop](#fleet-desktop). |
| webhook_settings | object | body | See [webhook_settings](#webhook-settings). |
| gitops | object | body | See [gitops](#gitops). |
| integrations | object | body | Includes `ndes_scep_proxy` object and `jira`, `zendesk`, and `google_calendar` arrays. See [integrations](#integrations) for details. |
| integrations | object | body | Includes `ndes_scep_proxy` object and `jira`, `zendesk`, `digicert`, `custom_scep_proxy`, and `google_calendar` arrays. See [integrations](#integrations) for details. |
| mdm | object | body | See [mdm](#mdm). |
| features | object | body | See [features](#features). |
| scripts | array | body | A list of script files to add so they can be executed at a later time. |
@ -1602,7 +1627,9 @@ _Available in Fleet Premium._
| jira | array | See [`integrations.jira`](#integrations-jira). |
| zendesk | array | See [`integrations.zendesk`](#integrations-zendesk). |
| google_calendar | array | See [`integrations.google_calendar`](#integrations-google-calendar). |
| digicert | array | See [`integrations.digicert`](#integrations-digicert). |
| ndes_scep_proxy | object | See [`integrations.ndes_scep_proxy`](#integrations-ndes-scep-proxy). |
| custom_scep_proxy | array | See [`integrations.custom_scep_proxy`](#integrations-scep-proxy). |
<br/>
@ -1652,9 +1679,28 @@ _Available in Fleet Premium._
<br/>
##### integrations.digicert
`integrations.digicert` is an array of objects with the following structure:
| Name | Type | Description |
| --------------------- | ------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| name | string | Name of the certificate authority that will be used in variables in configuration profiles. Only letters, numbers, and underscores are allowed. |
| url | string | DigiCert instance URL, used as base URL for DigiCert API requests. |
| api_token | string | API token used to authenticate requests to DigiCert. |
| profile_id | string | The ID of certificate profile in DigiCert. |
| certificate_common_name | string | The certificate's common name. |
| certificate_user_principal_names | array | The certificate's user principal names (UPN) attribute in Subject Alternative Name (SAN). |
| certificate_seat_id | string | The ID of the DigiCert seat. Seats are license units in DigiCert. |
<br/>
> Note that when making changes to the `integrations.digicert` array, all integrations must be provided (not just the one being modified). This is because the endpoint will consider missing integrations as deleted.
##### integrations.ndes_scep_proxy
> **Experimental feature**. This feature is undergoing rapid improvement, which may result in breaking changes to the API or configuration surface. It is not recommended for use in automated workflows.
`integrations.ndes_scep_proxy` is an object with the following structure:
| Name | Type | Description |
@ -1666,6 +1712,19 @@ _Available in Fleet Premium._
Setting `integrations.ndes_scep_proxy` to `null` will clear existing settings. Not specifying `integrations.ndes_scep_proxy` in the payload will not change the existing settings.
##### integrations.custom_scep_proxy
`integrations.custom_scep_proxy` is an array of objects with the following structure:
| Name | Type | Description |
| --------------------- | ------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| name | string | Name of the certificate authority that will be used in variables in configuration profiles. Only letters, numbers, and underscores are allowed. |
| url | boolean | URL of the Simple Certificate Enrollment Protocol (SCEP) server |
| challenge | string | Static challenge password used to authenticate requests to SCEP server. |
<br/>
> Note that when making changes to the `integrations.custom_scep_proxy` array, all integrations must be provided (not just the one being modified). This is because the endpoint will consider missing integrations as deleted.
##### Example request body
@ -1690,12 +1749,35 @@ Setting `integrations.ndes_scep_proxy` to `null` will clear existing settings. N
"api_key_json": "<API KEY JSON>"
}
],
"digicert": [
{
"name": "DIGICERT_WIFI",
"url": "https://one.digicert.com",
"api_token": "********",
"profile_id": "7ed77396-9186-4bfa-9fa7-63dddc46b8a3",
"certificate_common_name": "$FLEET_VAR_HOST_HARDWARE_SERIAL@example.com",
"certificate_subject_alternative_name": "$FLEET_VAR_HOST_HARDWARE_SERIAL@example.com",
"certificate_seat_id": "$FLEET_VAR_HOST_HARDWARE_SERIAL@example.com"
}
],
"ndes_scep_proxy": {
"admin_url": "https://example.com/certsrv/mscep_admin/",
"password": "abc123",
"url": "https://example.com/certsrv/mscep/mscep.dll",
"username": "Administrator@example.com"
}
},
"custom_scep_proxy": [
{
"name": "SCEP_WIFI",
"url": "https://example.com/scep",
"challenge": "********"
},
{
"name": "SCEP_VPN",
"url": "https://example.com/scep",
"challenge": "********"
}
]
}
}
```
@ -4790,7 +4872,8 @@ If both `query` and `hosts` aren't specified, a manual label with no hosts will
"label_membership_type": "dynamic",
"display_text": "Ubuntu hosts",
"count": 0,
"host_ids": null
"host_ids": null,
"author_id": 1
}
}
```
@ -4843,7 +4926,8 @@ Updates the specified label. Note: Label queries and platforms are immutable. To
"label_membership_type": "dynamic",
"display_text": "Ubuntu hosts",
"count": 0,
"host_ids": null
"host_ids": null,
"author_id": 1
}
}
```
@ -4881,7 +4965,8 @@ Returns the specified label.
"label_membership_type": "dynamic",
"display_text": "Ubuntu",
"count": 0,
"host_ids": null
"host_ids": null,
"author_id": 1
}
}
```
@ -4973,7 +5058,8 @@ Returns a list of all the labels in Fleet.
"host_count": 7,
"display_text": "All Hosts",
"count": 7,
"host_ids": null
"host_ids": null,
"author_id": 1
},
{
"created_at": "2021-02-02T23:55:25Z",
@ -4988,7 +5074,8 @@ Returns a list of all the labels in Fleet.
"host_count": 1,
"display_text": "macOS",
"count": 1,
"host_ids": null
"host_ids": null,
"author_id": 1
},
{
"created_at": "2021-02-02T23:55:25Z",
@ -5003,7 +5090,8 @@ Returns a list of all the labels in Fleet.
"host_count": 3,
"display_text": "Ubuntu Linux",
"count": 3,
"host_ids": null
"host_ids": null,
"author_id": 1
},
{
"created_at": "2021-02-02T23:55:25Z",
@ -5017,7 +5105,8 @@ Returns a list of all the labels in Fleet.
"host_count": 3,
"display_text": "CentOS Linux",
"count": 3,
"host_ids": null
"host_ids": null,
"author_id": 1
},
{
"created_at": "2021-02-02T23:55:25Z",
@ -5031,7 +5120,8 @@ Returns a list of all the labels in Fleet.
"label_membership_type": "dynamic",
"display_text": "MS Windows",
"count": 0,
"host_ids": null
"host_ids": null,
"author_id": 1
}
]
}
@ -5793,6 +5883,7 @@ Upload a bootstrap package that will be automatically installed during DEP setup
| ------- | ------ | ---- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| package | file | form | **Required**. The bootstrap package installer. It must be a signed `pkg` file. |
| team_id | string | form | The team ID for the package. If specified, the package will be installed to hosts that are assigned to the specified team. If not specified, the package will be installed to hosts that are not assigned to any team. |
| manual_agent_install | boolean | form | If set to `true` Fleet's agent (fleetd) won't be installed as part of automatic enrollment (ADE) on macOS hosts. (Default: `false`) |
#### Example
@ -7501,6 +7592,7 @@ Returns a list of global queries or team queries.
"author_id": 1,
"author_name": "noah",
"author_email": "noah@example.com",
"labels_include_any": [],
"packs": [
{
"created_at": "2021-01-05T21:13:04Z",
@ -7539,6 +7631,7 @@ Returns a list of global queries or team queries.
"author_id": 1,
"author_name": "noah",
"author_email": "noah@example.com",
"labels_include_any": ["macOS 13+"],
"packs": [
{
"created_at": "2021-01-19T17:08:31Z",
@ -7608,6 +7701,7 @@ Returns the query specified by ID.
"author_id": 1,
"author_name": "John",
"author_email": "john@example.com",
"labels_include_any": [],
"packs": [
{
"created_at": "2021-01-19T17:08:31Z",
@ -7799,6 +7893,7 @@ Creates a global query or team query.
| team_id | integer | body | _Available in Fleet Premium_. The parent team to which the new query should be added. If omitted, the query will be global. |
| interval | integer | body | The amount of time, in seconds, the query waits before running. Can be set to `0` to never run. Default: 0. |
| platform | string | body | The OS platforms where this query will run (other platforms ignored). Comma-separated string. If omitted, runs on all compatible platforms. |
| labels_include_any | array | body | _Available in Fleet Premium_. Labels to target with this query. If specified, the query will run on hosts that match **any of these** labels. |
| min_osquery_version | string | body | The minimum required osqueryd version installed on a host. If omitted, all osqueryd versions are acceptable. |
| automations_enabled | boolean | body | Whether to send data to the configured log destination according to the query's `interval`. |
| logging | string | body | The type of log output for this query. Valid values: `"snapshot"`(default), `"differential"`, or `"differential_ignore_removals"`. |
@ -7821,7 +7916,10 @@ Creates a global query or team query.
"min_osquery_version": "",
"automations_enabled": true,
"logging": "snapshot",
"discard_data": false
"discard_data": false,
"labels_include_any": [
"Hosts with Docker installed"
]
}
```
@ -7850,7 +7948,10 @@ Creates a global query or team query.
"author_email": "",
"observer_can_run": true,
"discard_data": false,
"packs": []
"packs": [],
"labels_include_any": [
"Hosts with Docker installed"
]
}
}
```
@ -7872,6 +7973,7 @@ Modifies the query specified by ID.
| observer_can_run | boolean | body | Whether or not users with the `observer` role can run the query. In Fleet 4.0.0, 3 user roles were introduced (`admin`, `maintainer`, and `observer`). This field is only relevant for the `observer` role. The `observer_plus` role can run any query and is not limited by this flag (`observer_plus` role was added in Fleet 4.30.0). |
| interval | integer | body | The amount of time, in seconds, the query waits before running. Can be set to `0` to never run. Default: 0. |
| platform | string | body | The OS platforms where this query will run (other platforms ignored). Comma-separated string. If set to "", runs on all compatible platforms. |
| labels_include_any | list | body | _Available in Fleet Premium_. Labels to target with this query. If specified, the query will run on hosts that match **any of these** labels. |
| min_osquery_version | string | body | The minimum required osqueryd version installed on a host. If omitted, all osqueryd versions are acceptable. |
| automations_enabled | boolean | body | Whether to send data to the configured log destination according to the query's `interval`. |
| logging | string | body | The type of log output for this query. Valid values: `"snapshot"`(default), `"differential"`, or `"differential_ignore_removals"`. |
@ -7879,6 +7981,7 @@ Modifies the query specified by ID.
> Note that any of the following conditions will cause the existing query report to be deleted:
> - Updating the `query` (SQL) field
> - Updating the filters for targeted hosts (`platform`, `min_osquery_version`, `labels_include_any`)
> - Changing `discard_data` from `false` to `true`
> - Changing `logging` from `"snapshot"` to `"differential"` or `"differential_ignore_removals"`
@ -7895,7 +7998,11 @@ Modifies the query specified by ID.
"platform": "",
"min_osquery_version": "",
"automations_enabled": false,
"discard_data": true
"discard_data": true,
"labels_include_any": [
"Hosts with Docker installed",
"macOS 13+"
]
}
```
@ -7923,7 +8030,11 @@ Modifies the query specified by ID.
"author_name": "noah",
"observer_can_run": true,
"discard_data": true,
"packs": []
"packs": [],
"labels_include_any": [
"Hosts with Docker installed",
"macOS 13+"
]
}
}
```
@ -9812,7 +9923,7 @@ List available Fleet-maintained apps.
| Name | Type | In | Description |
| ---- | ---- | -- | ----------- |
| team_id | integer | query | If supplied, only list apps for which an installer doesn't already exist for the specified team. |
| team_id | integer | query | If specified, each app includes the `software_title_id` if the software has already been added to that team. |
| page | integer | query | Page number of the results to fetch. |
| per_page | integer | query | Results per page. |
@ -9830,21 +9941,23 @@ List available Fleet-maintained apps.
{
"id": 1,
"name": "1Password",
"version": "8.10.40",
"platform": "darwin"
"software_title_id": 3
},
{
"id": 2,
"name": "Adobe Acrobat Reader",
"version": "24.002.21005",
"platform": "darwin"
"name": "1Password",
"platform": "windows"
"platform": "darwin",
"software_title_id": 1
},
{
"id": 3,
"name": "Box Drive",
"version": "2.39.179",
"platform": "darwin"
"name": "Adobe Acrobat Reader",
"platform": "darwin",
"software_title_id": null
},
...
],
"meta": {
"has_next_results": false,
@ -9856,6 +9969,7 @@ List available Fleet-maintained apps.
### Get Fleet-maintained app
> **Experimental feature**. This feature is undergoing rapid improvement, which may result in breaking changes to the API or configuration surface. It is not recommended for use in automated workflows.
Returns information about the specified Fleet-maintained app.
`GET /api/v1/fleet/software/fleet_maintained_apps/:id`
@ -9865,7 +9979,7 @@ Returns information about the specified Fleet-maintained app.
| Name | Type | In | Description |
| ---- | ---- | -- | ----------- |
| id | integer | path | **Required.** The Fleet-maintained app's ID. |
| team_id | integer | query | If supplied, set `software_title_id` on the response when an installer or VPP app has already been added to that team for that software. |
#### Example
@ -9879,6 +9993,7 @@ Returns information about the specified Fleet-maintained app.
{
"fleet_maintained_app": {
"id": 1,
"slug": "1password/darwin",
"name": "1Password",
"filename": "1Password-8.10.50-aarch64.zip",
"version": "8.10.50",
@ -9886,6 +10001,7 @@ Returns information about the specified Fleet-maintained app.
"url": "https://downloads.1password.com/mac/1Password-8.10.50-aarch64.zip",
"install_script": "#!/bin/sh\ninstaller -pkg \"$INSTALLER_PATH\" -target /",
"uninstall_script": "#!/bin/sh\npkg_ids=$PACKAGE_ID\nfor pkg_id in '${pkg_ids[@]}'...",
"software_title_id": 3
}
}
```

2
handbook/company/pricing-features-table.yml
View file

@ -1117,7 +1117,7 @@
waysToUse:
- description: Automatically set admin access to Fleet based on your IDP
- industryName: Grant Wi-Fi access
description: Help your end users connect to Wi-Fi by adding your Simple Certificate Enrollment Protocol (SCEP) server.
description: Help your end users connect to Wi-Fi by adding your certificate authority (CA).
documentationUrl: https://fleetdm.com/guides/ndes-scep-proxy
isExperimental: yes
productCategories: [Device management]

3
website/config/routes.js vendored
View file

@ -688,6 +688,8 @@ module.exports.routes = {
'GET /guides/how-to-uninstall-osquery': (req,res)=> { return res.redirect(301, '/guides/how-to-uninstall-fleetd');},
'GET /guides/sysadmin-diaries-lost-device': (req,res)=> { return res.redirect(301, '/guides/lock-wipe-hosts');},
'GET /guides/secret-variables': '/guides/secrets-in-scripts-and-configuration-profiles',
'GET /guides/ndes-scep-proxy': '/guides/certificate-authorities',
// Release note article redirects.
'GET /releases/fleet-3.10.0': '/releases/fleet-3-10-0',
@ -828,6 +830,7 @@ module.exports.routes = {
'GET /learn-more-about/custom-os-settings': '/docs/using-fleet/mdm-custom-os-settings',
'GET /learn-more-about/ndes': 'https://learn.microsoft.com/en-us/windows-server/identity/ad-cs/network-device-enrollment-service-overview', // TODO: Confirm URL
'GET /learn-more-about/setup-ndes': '/guides/ndes-scep-proxy',
'GET /learn-more-about/certificate-authorities': '/guides/certificate-authorities',
'GET /learn-more-about/idp-email': 'https://fleetdm.com/docs/rest-api/rest-api#get-human-device-mapping',
'GET /learn-more-about/enrolling-hosts': '/docs/using-fleet/adding-hosts',
'GET /learn-more-about/setup-assistant': '/guides/macos-setup-experience#macos-setup-assistant',