diff --git a/articles/automations.md b/articles/automations.md index 478b870556..0af6f8f453 100644 --- a/articles/automations.md +++ b/articles/automations.md @@ -6,7 +6,7 @@ To learn how to use Fleet's maintenance windows, head to this [article](https:// ## Activity automations -Activity automations are triggered when an activity happens in Fleet (queries, scripts, logins, etc). See a list of all activities [here](https://fleetdm.com/docs/using-fleet/audit-logs). +Activity automations are triggered when an activity happens in Fleet (queries, scripts, logins, etc). See our [Audit logs documentation](https://fleetdm.com/docs/using-fleet/audit-logs) for a list of all activity types. You can automatically send activites to a webhook URL or a [log destination](https://fleetdm.com/docs/configuration/fleet-server-configuration#external-activity-audit-logging). diff --git a/articles/chrome-os.md b/articles/chrome-os.md index 3062516301..c140d500c2 100644 --- a/articles/chrome-os.md +++ b/articles/chrome-os.md 
@@ -1,12 +1,12 @@ # ChromeOS For visibility on ChromeOS hosts, Fleet provides the fleetd Chrome extension which provides similar functionality as osquery on other operating systems. -To learn how to add ChromeOS hosts to Fleet, visit [here](https://fleetdm.com/docs/using-fleet/adding-hosts#enroll-chromebooks). +Follow the instructions in our [host enrollment guide](https://fleetdm.com/guides/enroll-hosts#enroll-chromebooks) to add Chromebooks to Fleet. > The fleetd Chrome browser extension is supported on ChromeOS operating systems that are managed using [Google Admin](https://admin.google.com). It is not intended for non-ChromeOS hosts with the Chrome browser installed. ## Available tables -To see the available tables for ChromeOS, visit [here](https://fleetdm.com/tables/chrome_extensions?platformFilter=chrome). +See our [ChromeOS tables list](https://fleetdm.com/tables/chrome_extensions?platformFilter=chrome) for available tables. ## Setting the hostname By default, the hostname for a Chromebook host will be blank. The hostname can be customized in Google Admin under Devices > Chrome > Settings > Device > Device Settings > Other Settings > [Device network hostname template](https://support.google.com/chrome/a/answer/1375678#zippy=%2Cdevice-network-hostname-template%2Creport-device-os-information). @@ -20,7 +20,7 @@ By default, the hostname for a Chromebook host will be blank. The hostname can b - `usb_devices`: https://github.com/fleetdm/fleet/issues/12780 ## Debugging ChromeOS -To learn how to debug the Fleetd Chrome extension, visit [here](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/getting-started/testing-and-local-development.md#fleetd-chrome-extension). +See our [fleetd Chrome extension testing docs](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/getting-started/testing-and-local-development.md#fleetd-chrome-extension) for debugging instructions. 
diff --git a/articles/cis-benchmarks.md b/articles/cis-benchmarks.md index 63845ae74e..fd494cb919 100644 --- a/articles/cis-benchmarks.md +++ b/articles/cis-benchmarks.md @@ -142,9 +142,7 @@ Certain benchmarks cannot be automated by a policy in Fleet. For a list of speci - [Windows 11 Enterprise](https://github.com/fleetdm/fleet/blob/main/ee/cis/win-11/README.md) ## Performance testing -In August 2023, we completed scale testing on 10k Windows hosts and 70k macOS hosts. Ultimately, we validated both server and host performance at that scale. - -Detailed results are [here](https://docs.google.com/document/d/1OSpyzMkHjVhG_-EIBkLu7X3hj_XfVASGl3IXIYChpck/edit?usp=sharing). +In August 2023, we completed [scale testing on 10k Windows hosts and 70k macOS hosts](https://docs.google.com/document/d/1OSpyzMkHjVhG_-EIBkLu7X3hj_XfVASGl3IXIYChpck/edit?usp=sharing). Ultimately, we validated both server and host performance at that scale. diff --git a/articles/connect-end-user-to-wifi-with-certificate.md b/articles/connect-end-user-to-wifi-with-certificate.md index 82f200516d..f33332c853 100644 --- a/articles/connect-end-user-to-wifi-with-certificate.md +++ b/articles/connect-end-user-to-wifi-with-certificate.md 
@@ -20,7 +20,7 @@ To connect end users to W-Fi or VPN with DigiCert certificates, we'll do the fol ### Step 1: Create service user in DigiCert 1. Head to [DigiCert One](https://one.digicert.com/) -2. Follow the instructions to create a service user [here](https://docs.digicert.com/en/platform-overview/manage-your-accounts/account-manager/users-and-access/service-users/create-a-service-user.html) and save the service user's API token. +2. Follow [DigiCert's instructions for creating a service user](https://docs.digicert.com/en/platform-overview/manage-your-accounts/account-manager/users-and-access/service-users/create-a-service-user.html) and save the service user's API token. > Make sure to assign **User and certificate manager** and **Certificate profile manager** roles > when creating service user. 
@@ -124,7 +124,7 @@ When saving the configuration, Fleet will attempt to connect to the SCEP server 1. Create a [configuration profile](https://fleetdm.com/guides/custom-os-settings) with the SCEP payload. In the profile, for `Challenge`, use`$FLEET_VAR_NDES_SCEP_CHALLENGE`. For `URL`, use `$FLEET_VAR_NDES_SCEP_PROXY_URL`, and make sure to add `$FLEET_VAR_SCEP_RENEWAL_ID` to `CN`. -2. If your Wi-Fi or VPN requires certificates that are unique to each host, update the `Subject`. You can use `$FLEET_VAR_HOST_END_USER_EMAIL_IDP` if your hosts automatically enrolled (via ADE) to Fleet with end user authentication enabled (learn more [here](https://fleetdm.com/docs/rest-api/rest-api#get-human-device-mapping)). You can also use any of the [Apple's built-in variables](https://support.apple.com/en-my/guide/deployment/dep04666af94/1/web/1.0). +2. If your Wi-Fi or VPN requires certificates that are unique to each host, update the `Subject`. You can use `$FLEET_VAR_HOST_END_USER_EMAIL_IDP` if your hosts automatically enrolled (via ADE) to Fleet with [end user authentication](https://fleetdm.com/docs/rest-api/rest-api#get-human-device-mapping) enabled. You can also use any of the [Apple's built-in variables](https://support.apple.com/en-my/guide/deployment/dep04666af94/1/web/1.0). 3. In Fleet, head to **Controls > OS settings > Custom settings** and add the configuration profile to deploy certificates to your hosts. 
@@ -218,7 +218,7 @@ To connect end users to W-Fi or VPN with a custom SCEP server, we'll do the foll 2. Replace the ``, with name you created in step 3. For example, if the name of the CA is "WIFI_AUTHENTICATION" the variables will look like this: `$FLEET_VAR_CUSTOM_SCEP_PASSWORD_WIFI_AUTHENTICATION` and `FLEET_VAR_CUSTOM_SCEP_DIGICERT_DATA_WIFI_AUTHENTICATION`. -3. If your Wi-Fi or VPN requires certificates that are unique to each host, update the `Subject`. You can use `$FLEET_VAR_HOST_END_USER_EMAIL_IDP` if your hosts automatically enrolled (via ADE) to Fleet with end user authentication enabled (learn more [here](https://fleetdm.com/docs/rest-api/rest-api#get-human-device-mapping)). You can also use any of the [Apple's built-in variables](https://support.apple.com/en-my/guide/deployment/dep04666af94/1/web/1.0). +3. If your Wi-Fi or VPN requires certificates that are unique to each host, update the `Subject`. You can use `$FLEET_VAR_HOST_END_USER_EMAIL_IDP` if your hosts automatically enrolled (via ADE) to Fleet with [end user authentication]((https://fleetdm.com/docs/rest-api/rest-api#get-human-device-mapping)) enabled. You can also use any of the [Apple's built-in variables](https://support.apple.com/en-my/guide/deployment/dep04666af94/1/web/1.0). 4. In Fleet, head to **Controls > OS settings > Custom settings** and add the configuration profile to deploy certificates to your hosts. diff --git a/articles/creating-windows-csps.md b/articles/creating-windows-csps.md index c5abd13c65..0386140eea 100644 --- a/articles/creating-windows-csps.md +++ b/articles/creating-windows-csps.md 
@@ -4,7 +4,7 @@ Deploying Windows configurations profiles (aka Configuration Service Providers ( This guide will help you understand the building blocks to crafting CSPs of varying complexity – from simple payloads to more complex ones that involve modification of ADMX underpinnings. -> In Fleet, Windows CSPs are called "Custom OS settings." Learn more about Custom OS settings [here](https://fleetdm.com/guides/custom-os-settings). +> In Fleet, Windows CSPs are called [**Custom OS settings**](https://fleetdm.com/guides/custom-os-settings). ## ADMX diff --git a/articles/custom-os-settings.md b/articles/custom-os-settings.md index 82ed0c352d..da0c527ef9 100644 --- a/articles/custom-os-settings.md +++ b/articles/custom-os-settings.md @@ -10,7 +10,7 @@ You can enforce OS settings using the Fleet UI, Fleet API, or [Fleet's GitOps wo For macOS, iOS, and iPadOS hosts, Fleet recommends the [iMazing Profile Creator](https://imazing.com/profile-editor) tool for creating and exporting macOS configuration profiles. Fleet signs these profiles for you. If you have self-signed profiles, run this command to unsign them: `usr/bin/security cms -D -i /path/to/profile/profile.mobileconfig | xmllint --format -` -For Windows hosts, copy this [Windows configuration profile template](https://fleetdm.com/example-windows-profile) and update the profile using any configuration service providers (CSPs) from [Microsoft's MDM protocol](https://learn.microsoft.com/en-us/windows/client-management/mdm/). Learn more about Windows CSPs [here](https://fleetdm.com/guides/creating-windows-csps). +For Windows hosts, copy this [Windows configuration profile template](https://fleetdm.com/example-windows-profile) and update the profile using any [configuration service providers (CSPs)](https://fleetdm.com/guides/creating-windows-csps) from [Microsoft's MDM protocol](https://learn.microsoft.com/en-us/windows/client-management/mdm/). Fleet UI: 
@@ -22,7 +22,7 @@ Fleet UI: 4. To edit the OS setting, first remove the old configuration profile and then add the new one. On macOS, iOS, and iPadOS, removing a configuration profile will remove enforcement of the OS setting. -Fleet API: API documentation is [here](https://fleetdm.com/docs/rest-api/rest-api#add-custom-os-setting-configuration-profile) +Fleet API: Use the [Add custom OS setting (configuration profile) endpoint](https://fleetdm.com/docs/rest-api/rest-api#add-custom-os-setting-configuration-profile) in the Fleet API. ### See status @@ -36,7 +36,7 @@ In the top box, with "Verified," "Verifying," "Pending," and "Failed" statuses, * **Pending**: hosts that are running MDM commands or will run MDM commands to apply OS settings when they come online. -* **Failed**: hosts that failed to apply OS settings. For Windows profiles, the status codes are documented in Microsoft's documentation [here](https://learn.microsoft.com/en-us/windows/client-management/oma-dm-protocol-support#syncml-response-status-codes). +* **Failed**: hosts that failed to apply OS settings. For Windows profiles, status codes are listed in [Microsoft's OMA DM docs](https://learn.microsoft.com/en-us/windows/client-management/oma-dm-protocol-support#syncml-response-status-codes). In the list of hosts, click on an individual host and click the **OS settings** item to see the status for a specific setting. diff --git a/articles/deploy-fleet-on-aws-ecs.md b/articles/deploy-fleet-on-aws-ecs.md index c61304b7a1..d0cf739845 100644 --- a/articles/deploy-fleet-on-aws-ecs.md +++ b/articles/deploy-fleet-on-aws-ecs.md @@ -5,7 +5,7 @@ ![Deploy Fleet on AWS ECS](../website/assets/images/articles/deploy-fleet-on-aws-ecs-800x450@2x.png) -Terraform reference architecture can be found [here](https://github.com/fleetdm/fleet-terraform) +A Terraform reference architecture can be found in the [fleetdm/terrqform](https://github.com/fleetdm/fleet-terraform) repository. ### Infrastructure dependencies 
diff --git a/articles/deploy-fleet-on-render.md b/articles/deploy-fleet-on-render.md index 536ef5b530..94d9958350 100644 --- a/articles/deploy-fleet-on-render.md +++ b/articles/deploy-fleet-on-render.md @@ -45,7 +45,7 @@ fleetctl package --type=msi --enroll-secret --fleet-url https:// It's possible these profiles can be combined into one payload, but we've kept them separate here for troubleshooting purposes. diff --git a/articles/downgrade-fleet.md b/articles/downgrade-fleet.md index 0874e27c66..2051b99370 100644 --- a/articles/downgrade-fleet.md +++ b/articles/downgrade-fleet.md @@ -2,7 +2,7 @@ Follow these steps to downgrade your Fleet instance from Fleet Premium. -> If you'd like to renew your Fleet Premium license key, please contact us [here](https://fleetdm.com/company/contact). +> If you'd like to renew your Fleet Premium license key, please [contact us](https://fleetdm.com/company/contact). ## Back up your users and update all team-level users to global users @@ -31,7 +31,7 @@ Follow these steps to downgrade your Fleet instance from Fleet Premium. ## Remove your Fleet Premium license key -1. Remove your license key from your Fleet configuration. Documentation on where the license key is located in your configuration is [here](https://fleetdm.com/docs/deploying/configuration#license). +1. Remove your license key from your [Fleet configuration](https://fleetdm.com/docs/deploying/configuration#license). 2. Restart your Fleet server. diff --git a/articles/end-user-authentication.md b/articles/end-user-authentication.md index f9ce0d4b8f..2b57154afa 100644 --- a/articles/end-user-authentication.md +++ b/articles/end-user-authentication.md 
@@ -22,7 +22,7 @@ Apple's Device Enrollment Program (DEP) was the original, separate Apple service The first step is to enable SAML (Security Assertion Markup Language) SSO for your IdP (Identity Provider). Follow the instructions from the [Single sign-on guide](https://fleetdm.com/docs/deploy/single-sign-on-sso). Use the URL ending with `/mdm/sso/callback.` Make sure to assign users to your SAML integration. -Fleet's guide for setting up end-user authentication during the macOS setup experience is available [here](https://fleetdm.com/guides/macos-setup-experience#end-user-authentication-and-end-user-license-agreement-eula). Note that setting up end-user authentication is done globally. However, enabling end-user authentication is done separately for each team. You may test end-user authentication in a separate team before rolling it out to the rest of your organization. +You can [require users to authenticate with your IdP before using their Mac](https://fleetdm.com/guides/macos-setup-experience#end-user-authentication-and-end-user-license-agreement-eula). Note that setting up end-user authentication is done globally. However, enabling end-user authentication is done separately for each team. You may test end-user authentication in a separate team before rolling it out to the rest of your organization. With end-user authentication enabled for your team, Fleet sends the updated enrollment profile to Apple. This sync happens once a minute and can be adjusted with the [mdm.apple_dep_sync_periodicity](https://fleetdm.com/docs/configuration/fleet-server-configuration#mdm-apple-dep-sync-periodicity) server configuration setting. The relevant attribute of the [Apple enrollment profile](https://developer.apple.com/documentation/devicemanagement/profile) is `configuration_web_url`. Fleet sets it to `{server_url}/mdm/sso`. diff --git a/articles/enforce-disk-encryption.md b/articles/enforce-disk-encryption.md index 6f7d5870c0..c692e090ab 100644 
--- a/articles/enforce-disk-encryption.md +++ b/articles/enforce-disk-encryption.md @@ -24,13 +24,13 @@ You can enforce disk encryption using the Fleet UI, Fleet API, or [Fleet's GitOp #### Fleet API: -API documentation is [here](https://fleetdm.com/docs/rest-api/rest-api#update-disk-encryption-enforcement). +You can use the [Update disk encryption enforcement API endpoint](https://fleetdm.com/docs/rest-api/rest-api#update-disk-encryption-enforcement) to manage disk encryption settings via the API. ### Disk encryption status In the Fleet UI, head to the **Controls > OS settings > Disk encryption** tab. You will see a table that shows the status of disk encryption on your hosts. -* Verified: the host turned disk encryption on and sent their key to Fleet. Fleet verified with osquery. See instructions for viewing the disk encryption key [here](#view-disk-encryption-key). +* Verified: the host turned disk encryption on and sent their key to Fleet, and Fleet has verified the key with osquery. The [encryption key can be viewed within Fleet](#view-disk-encryption-key). * Verifying: the host acknowledged the MDM command to install the disk encryption profile. Fleet is verifying with osquery and retrieving the disk encryption key. diff --git a/articles/enforce-os-updates.md b/articles/enforce-os-updates.md index 6f376f84d7..a2d7c6dbb4 100644 --- a/articles/enforce-os-updates.md +++ b/articles/enforce-os-updates.md 
@@ -6,7 +6,7 @@ In Fleet, you can enforce OS updates on your macOS, Windows, iOS, and iPadOS hos ## Turning on enforcement -For Apple (macOS, iOS, and iPadOS) hosts, the you can find the list of available OS versions in the Apple Software Lookup Service [here](https://gdmf.apple.com/v2/pmv](https://gdmf.apple.com/v2/pmv). The update will only be enforced if you use a version in that list. +For Apple (macOS, iOS, and iPadOS) hosts, Apple provides a [list of available OS versions](https://gdmf.apple.com/v2/pmv) in the Apple Software Lookup Service. The update will only be enforced if you use a version in that list. ### Fleet UI 
@@ -46,7 +46,7 @@ If the host was turned off when the deadline passed, the update will be schedule If you set a past date (ex. yesterday) as the deadline, the end user will immediately be prompted to install the update. If they don't, the update will automatically install in one hour. Similarly, if you set the deadline to today, end users will experience the same behavior if it's after 12 PM (end user local time). -For hosts that use Automated Device Enrollment (ADE), if the device is below the specified minimum version, it will be required to update to the latest version during ADE before device setup and enrollment can proceed. You can find the latest version in the Apple Software Lookup Service [here](https://gdmf.apple.com/v2/pmv). Apple's software updates are relatively large (up to several GBs) so ask your end users to connect to a Wi-Fi network that can handle large downloads during ADE. +For hosts that use Automated Device Enrollment (ADE), if the device is below the specified minimum version, it will be required to update to the latest version during ADE before device setup and enrollment can proceed. You can find the latest version in the [Apple Software Lookup Service](https://gdmf.apple.com/v2/pmv). Apple's software updates are relatively large (up to several GBs) so ask your end users to connect to a Wi-Fi network that can handle large downloads during ADE. ### Windows 
@@ -58,7 +58,7 @@ End users are encouraged to update Windows via the native Windows dialog. If an end user was on vacation when the deadline passed, the end user is given a grace period (configured) before the host automatically restarts. -Fleet enforces OS updates for quality and feature updates. Read more about the types of Windows OS updates in the Microsoft documentation [here](https://learn.microsoft.com/en-us/windows/deployment/update/get-started-updates-channels-tools#types-of-updates). +Fleet enforces OS updates for quality and feature updates. Microsoft provides documentation on [types of Windows updates](https://learn.microsoft.com/en-us/windows/deployment/update/get-started-updates-channels-tools#types-of-updates). ### macOS (below version 14.0) diff --git a/articles/enroll-hosts.md b/articles/enroll-hosts.md index 32ed087fbf..375e6ac4f6 100644 --- a/articles/enroll-hosts.md +++ b/articles/enroll-hosts.md @@ -133,7 +133,7 @@ How to unenroll a host from Fleet: 2. For macOS hosts with MDM turned on, select **Actions > Turn off MDM** to turn MDM off. Instructions for turning off MDM on Windows hosts coming soon. -3. Determine the platform of the host you're trying to unenroll and follow the instructions to uninstall the fleetd agent [here](https://fleetdm.com/guides/how-to-uninstall-fleetd). +3. Determine the platform of the host you're trying to unenroll, then follow the [uninstall instructions](https://fleetdm.com/guides/how-to-uninstall-fleetd) for that platform. 4. Select **Actions > Delete** to delete the host from Fleet. 
@@ -362,8 +362,7 @@ When generating Fleet's agent (fleetd) for Windows hosts (**.msi**) on a Windows use local installations of the 3 WiX v3 binaries used by this command (`heat.exe`, `candle.exe`, and `light.exe`) instead of those in a pre-configured container, which is the default behavior. To do so: - 1. Install the WiX v3 binaries. To install, you can download them - [here](https://github.com/wixtoolset/wix3/releases/download/wix3112rtm/wix311-binaries.zip), then unzip the downloaded file. + 1. Download the [WiX v3 binaries](https://github.com/wixtoolset/wix3/releases/download/wix3112rtm/wix311-binaries.zip), then unzip the downloaded file. 2. Find the absolute filepath of the directory containing your local WiX v3 binaries. This will be wherever you saved the unzipped package contents. 3. Run `fleetctl package`, and pass the absolute path above as the string argument to the `--local-wix-dir` flag. For example: @@ -372,7 +371,7 @@ so: ``` If the provided path doesn't contain all 3 binaries, the command will fail. ->**Note:** Creating a fleetd agent for Windows (.msi) on macOS also requires Wine. To install Wine see the script [here](https://fleetdm.com/install-wine). +>**Note:** Creating a fleetd agent for Windows (.msi) on macOS also requires Wine. We've built a [Wine installation script](https://fleetdm.com/install-wine) to help you get it. ### Config-less fleetd agent deployment diff --git a/articles/fleet-4.0.0.md b/articles/fleet-4.0.0.md index e9eab9a1a6..021219b9fc 100644 --- a/articles/fleet-4.0.0.md +++ b/articles/fleet-4.0.0.md 
@@ -61,7 +61,7 @@ Enroll secrets no longer have “names” and are now either global or for a spe JWT encoding is no longer used for session keys. Sessions now default to expiring in 4 hours of inactivity. `auth_jwt_key` and `auth_jwt_key_file` are no longer accepted as configuration. -As of Fleet 4.0.0, Fleet Device Management Inc. periodically collects anonymous information about your instance. Sending usage statistics is turned off by default for users upgrading from a previous version of Fleet. Read more about the exact information collected [here](https://github.com/fleetdm/fleet/blob/2f42c281f98e39a72ab4a5125ecd26d303a16a6b/docs/1-Using-Fleet/11-Usage-statistics.md). +As of Fleet 4.0.0, Fleet Device Management Inc. periodically collects [anonymous information](https://fleetdm.com/guides/fleet-usage-statistics) about your instance. Sending usage statistics is turned off by default for users upgrading from a previous version of Fleet. diff --git a/articles/fleet-4.50.0.md b/articles/fleet-4.50.0.md index f331194749..11c309795c 100644 --- a/articles/fleet-4.50.0.md +++ b/articles/fleet-4.50.0.md 
@@ -19,7 +19,7 @@ For upgrade instructions, see our [upgrade guide](https://fleetdm.com/docs/deplo Fleet enhances the deployment capabilities for IT administrators, particularly concerning security agents. Now available in Fleet Premium, this feature allows administrators to add and deploy security agents directly to macOS, Windows, and Linux hosts through the Software page, the Fleet API, or via GitOps workflows. This deployment functionality requires that the host has a `fleetd` agent with scripts enabled, but notably, it does not necessitate MDM (Mobile Device Management) features to be enabled within Fleet. This new capability supports a more streamlined and efficient approach to enhancing host security across diverse operating environments, allowing IT and security teams to ensure their hosts are protected with the necessary security tools without the complexity of additional infrastructure changes. -For users who self-manage (host) Fleet, this feature requires connecting Fleet with an S3 bucket. See how in the server configuration reference [here](https://fleetdm.com/docs/configuration/fleet-server-configuration#s-3). +For users who self-manage (host) Fleet, this feature requires [connecting Fleet with an S3 bucket]((https://fleetdm.com/docs/configuration/fleet-server-configuration#s-3). ## Policy description and resolutions aided by AI diff --git a/articles/fleet-4.59.0.md b/articles/fleet-4.59.0.md index d9dec45aa2..e8d09cda40 100644 --- a/articles/fleet-4.59.0.md +++ b/articles/fleet-4.59.0.md 
@@ -14,15 +14,15 @@ For upgrade instructions, see our [upgrade guide](https://fleetdm.com/docs/deplo ### Install apps during new Mac boot -Using Fleet, you can now block a user’s screen while software installs or scripts run during macOS Setup Assistant. This prevents users from accessing the desktop before required configurations are enforced, improving security and guaranteeing that all workstations meet organizational standards before use. Learn more in the guide [here](https://fleetdm.com/guides/macos-setup-experience). +Using Fleet, you can now block a user’s screen while software installs or scripts run during the [macOS setup experience](https://fleetdm.com/guides/macos-setup-experience). This prevents users from accessing the desktop before required configurations are enforced, improving security and guaranteeing that all workstations meet organizational standards before use. ### Automatically connect end users to Wi-Fi -With Fleet, you can now install a SCEP certificate from NDES on all macOS hosts as part of the Wi-Fi/Ethernet configuration profile. This ensures seamless and secure network access for end users. Learn more in the guide [here](https://fleetdm.com/guides/ndes-scep-proxy). +With Fleet, you can now [install a SCEP certificate from NDES](https://fleetdm.com/guides/ndes-scep-proxy) on all macOS hosts as part of the Wi-Fi/Ethernet configuration profile. This ensures seamless and secure network access for end users. ### Custom URL for Apple MDM -Fleet now provides the ability to set an alternative MDM URL to help organizations differentiate MDM traffic from other Fleet traffic, allowing the application of network rules specific to MDM communications. Learn more in the guide [here](https://fleetdm.com/guides/alternate-apple-mdm-url). 
+Fleet now provides the ability to set an [alternative MDM URL](https://fleetdm.com/guides/alternate-apple-mdm-url) to help organizations differentiate MDM traffic from other Fleet traffic, allowing the application of network rules specific to MDM communications. ## Changes diff --git a/articles/fleet-4.60.0.md b/articles/fleet-4.60.0.md index d16b8e9f22..1090f969ab 100644 --- a/articles/fleet-4.60.0.md +++ b/articles/fleet-4.60.0.md @@ -14,7 +14,7 @@ For upgrade instructions, see our [upgrade guide](https://fleetdm.com/docs/deplo ### Escrow Linux disk encryption keys -Fleet now supports escrowing the disk encryption keys for Linux (Ubuntu and Fedora) workstations. This means teams can access encrypted data without needing the local password when an employee leaves, simplifying handoffs and ensuring critical data remains accessible while protected. Learn more in the guide [here](https://fleetdm.com/guides/enforce-disk-encryption). +Fleet now supports [escrowing disk encryption keys](https://fleetdm.com/guides/enforce-disk-encryption) for Linux (Ubuntu and Fedora) workstations. This means teams can access encrypted data without needing the local password when an employee leaves, simplifying handoffs and ensuring critical data remains accessible while protected. ### Custom targets for OS settings diff --git a/articles/fleet-4.61.0.md b/articles/fleet-4.61.0.md index fd13fd1385..6997fb1352 100644 --- a/articles/fleet-4.61.0.md +++ b/articles/fleet-4.61.0.md 
@@ -14,7 +14,7 @@ For upgrade instructions, see our [upgrade guide](https://fleetdm.com/docs/deplo ### Auto-install software -IT admins can now install a Fleet-maintained app on all hosts without writing a custom policy. This simplifies software management and saves time for your end users by ensuring productivity tools like Slack and Zoom are consistently available. Learn more about automatically installing software [here](https://fleetdm.com/guides/automatic-software-install-in-fleet). +IT admins can now [install a Fleet-maintained app](https://fleetdm.com/guides/automatic-software-install-in-fleet) on all hosts without writing a custom policy. This simplifies software management and saves time for your end users by ensuring productivity tools like Slack and Zoom are consistently available. ### Email two-factor authentication (2FA) diff --git a/articles/fleet-4.62.0.md b/articles/fleet-4.62.0.md index 232f291ca7..77664c7565 100644 --- a/articles/fleet-4.62.0.md +++ b/articles/fleet-4.62.0.md 
@@ -14,15 +14,15 @@ For upgrade instructions, see our [upgrade guide](https://fleetdm.com/docs/deplo ### Custom targets for software installs -IT admins can now install Fleet-maintained apps and custom packages only on macOS, Windows, and Linux hosts within specific labels. This lets you target installations more precisely, tailoring deployments by department, role, or hardware. Learn more about deploying software [here](https://fleetdm.com/guides/deploy-software-packages). +IT admins can now [install Fleet-maintained apps and custom packages](https://fleetdm.com/guides/deploy-software-packages) on macOS, Windows, and Linux hosts within specific labels. This lets you target installations more precisely, tailoring deployments by department, role, or hardware. Learn more about deploying software. ### Automatic policies for custom packages -Fleet now creates policies automatically when you add a custom package. This eliminates the need to manually write policies, making it faster and easier to deploy software across all your hosts. Learn more about automatically installing software [here](https://fleetdm.com/guides/automatic-software-install-in-fleet). +Fleet now creates [auto-install policies](https://fleetdm.com/guides/automatic-software-install-in-fleet) automatically when you add a custom package. This eliminates the need to manually write policies, making it faster and easier to deploy software across all your hosts. Learn more about automatically installing software. ### Hide secrets in configuration profiles and scripts -Fleet ensures that GitHub or GitLab secrets, like API tokens and license keys used in scripts (Shell & PowerShell) and configuration profiles (macOS & Windows), are hidden when viewed or downloaded in Fleet. This protects sensitive information, keeping it secure until it’s deployed to the hosts. Learn more about secrets [here](https://fleetdm.com/guides/secrets-in-scripts-and-configuration-profiles). 
+Fleet ensures that GitHub or GitLab [secrets](https://fleetdm.com/guides/secrets-in-scripts-and-configuration-profiles), like API tokens and license keys used in scripts (Shell & PowerShell) and configuration profiles (macOS & Windows), are hidden when viewed or downloaded in Fleet. This protects sensitive information, keeping it secure until it’s deployed to the hosts. ## Changes diff --git a/articles/fleet-4.63.0.md b/articles/fleet-4.63.0.md index ede9d65f42..44ee56900c 100644 --- a/articles/fleet-4.63.0.md +++ b/articles/fleet-4.63.0.md 
@@ -15,15 +15,15 @@ For upgrade instructions, see our [upgrade guide](https://fleetdm.com/docs/deplo ### Automatically install software -Fleet can now automatically install App Store (VPP) apps when a macOS host fails a policy. This removes the need for third-party automation tools, making large-scale app deployment easier and more reliable. Learn more about installing software [here](https://fleetdm.com/guides/automatic-software-install-in-fleet). +Fleet can now [automatically install App Store (VPP) apps](https://fleetdm.com/guides/automatic-software-install-in-fleet) when a macOS host fails a policy. This removes the need for third-party automation tools, making large-scale app deployment easier and more reliable. ### Faster employee onboarding -During new employee onboarding, Macs can now optionally download bootstrap packages and software from the nearest CloudFront region. This speeds up onboarding for organizations that onboard new employees at different headquarters across the world. Learn more [here](https://fleetdm.com/guides/cdn-signed-urls). +During new employee onboarding, Macs can now optionally [download bootstrap packages and software from the nearest CloudFront region](https://fleetdm.com/guides/cdn-signed-urls). This speeds up onboarding for organizations that onboard new employees at different headquarters across the world. ### GitHub (SLSA) attestation -Fleet and Fleet's agent (`fleetd`) release binaries and images now include Supply-chain Level Software Attestation (SLSA). This allows security-conscious teams to verify that the artifacts they deploy are the exact ones produced by Fleet’s official GitHub workflows, ensuring integrity and preventing tampering. Learn more [here](https://fleetdm.com/guides/fleet-software-attestation). +Fleet and Fleet's agent (`fleetd`) release binaries and images now include [Supply-chain Level Software Attestation (SLSA)](https://fleetdm.com/guides/fleet-software-attestation). 
This allows security-conscious teams to verify that the artifacts they deploy are the exact ones produced by Fleet’s official GitHub workflows, ensuring integrity and preventing tampering. ## Changes diff --git a/articles/fleet-4.64.0.md b/articles/fleet-4.64.0.md index e33639f613..2a1b6ed6ad 100644 --- a/articles/fleet-4.64.0.md +++ b/articles/fleet-4.64.0.md @@ -25,7 +25,7 @@ Also, IT admins can now edit scripts within the Fleet UI. This eliminates the ne ### Fleetctl for Windows and Linux ARM -Fleet users with Window or Linux ARM workstations can now use the fleetctl command-line interface (CLI) to run scripts, queries, and more. This expands Fleet’s CLI capabilities, allowing users to manage hosts on their preferred operating system (OS). Learn more about fleetctl [here](https://fleetdm.com/guides/fleetctl). +Fleet users with Window or Linux ARM workstations can now use the [fleetctl](https://fleetdm.com/guides/fleetctl) command-line interface (CLI) to run scripts, queries, and more. This expands Fleet’s CLI capabilities, allowing users to manage hosts on their preferred operating system (OS). ## Changes diff --git a/articles/fleet-4.65.0.md b/articles/fleet-4.65.0.md index 7b66b80f61..b9af905c7f 100644 --- a/articles/fleet-4.65.0.md +++ b/articles/fleet-4.65.0.md 
@@ -15,11 +15,11 @@ You can now put Fleet in "GitOps mode" which puts the Fleet UI in a read-only mo ### Automatically install software -Fleet now allows IT admins to install App Store apps on all your hosts without writing custom policies. This saves time when deploying apps across many hosts, making large-scale app deployment easier and more reliable. Learn more about installing software [here](https://fleetdm.com/guides/automatic-software-install-in-fleet). +Fleet now allows IT admins to [install App Store apps automatically](https://fleetdm.com/guides/automatic-software-install-in-fleet) on all your hosts without writing custom policies. This saves time when deploying apps across many hosts, making large-scale app deployment easier and more reliable. ### Certificates in host vitals -The **Host details** page now displays a list of certificates for macOS, iOS, and iPadOS hosts. This helps IT teams quickly diagnose Wi-Fi or VPN connection issues by identifying missing or expired certificates that may be preventing network access. See more host vitals [here](https://fleetdm.com/vitals/battery). +The **Host details** page now includes [certificates](https://fleetdm.com/vitals/host-certificates-mac-os#apple) for macOS, iOS, and iPadOS hosts as part of [host vitals](https://fleetdm.com/vitals). This helps IT teams quickly diagnose Wi-Fi or VPN connection issues by identifying missing or expired certificates that may be preventing network access. ## Changes diff --git a/articles/fleet-4.66.0.md b/articles/fleet-4.66.0.md index d75f619bff..9848319342 100644 --- a/articles/fleet-4.66.0.md +++ b/articles/fleet-4.66.0.md 
@@ -14,15 +14,15 @@ Fleet 4.66.0 is now available. See the complete [changelog](https://github.com/f ### Fleet-maintained apps for Windows -Fleet now supports Fleet-maintained apps for Windows. This allows IT admins to easily manage and deploy trusted applications at scale, without manually packaging or scripting installations. More about Fleet-maintained apps [here](https://fleetdm.com/guides/fleet-maintained-apps). +Fleet now supports [Fleet-maintained apps](https://fleetdm.com/guides/fleet-maintained-apps) for Windows. This allows IT admins to easily manage and deploy trusted applications at scale, without manually packaging or scripting installations. ### DigiCert certificate integration -Fleet now integrates with DigiCert Trust Lifecycle Manager, enabling admins to deploy DigiCert certificates directly to their macOS devices via configuration profiles. This simplifies certificate management and helps streamline the provisioning process. Learn how [here](https://fleetdm.com/guides/connect-end-user-to-wifi-with-certificate#digicert). +Fleet now integrates with DigiCert Trust Lifecycle Manager, enabling admins to [deploy DigiCert certificates](https://fleetdm.com/guides/connect-end-user-to-wifi-with-certificate#digicert) directly to their macOS devices via configuration profiles. This simplifies certificate management and helps streamline the provisioning process. ### Custom SCEP server support -Admins can now use their own custom Simple Certificate Enrollment Protocol (SCEP) servers with Fleet. This integration allows deployment of certificates to Macs through configuration profiles, while ensuring all traffic to the SCEP server is routed through Fleet. Learn how [here](https://fleetdm.com/guides/connect-end-user-to-wifi-with-certificate#custom-scep-server). +Admins can now use their own [custom Simple Certificate Enrollment Protocol (SCEP) servers](https://fleetdm.com/guides/connect-end-user-to-wifi-with-certificate#custom-scep-server) with Fleet. 
This integration allows deployment of certificates to Macs through configuration profiles, while ensuring all traffic to the SCEP server is routed through Fleet. ## Changes diff --git a/articles/fleet-4.67.0.md b/articles/fleet-4.67.0.md index 255ae4c550..41eec1f1d3 100644 --- a/articles/fleet-4.67.0.md +++ b/articles/fleet-4.67.0.md @@ -14,7 +14,7 @@ Fleet 4.67.0 is now available. See the complete [changelog](https://github.com/f ### Foreign vitals -Fleet now pulls end user details from your identity provider (IdP)—like IdP email, full name, and group memberships—into host vitals. This makes it easier to identify who is using each host to speed up troubleshooting and audits. Learn more [here](https://fleetdm.com/guides/foreign-vitals-map-idp-users-to-hosts). +Fleet now pulls end user details from your identity provider (IdP)—like IdP email, full name, and group memberships—into host vitals. This makes it easier to identify who is using each host to speed up troubleshooting and audits. Learn more with our [foreign vitals guide](https://fleetdm.com/guides/foreign-vitals-map-idp-users-to-hosts). ### Policy targets diff --git a/articles/fleet-4.68.0.md b/articles/fleet-4.68.0.md index cbdd47603a..fac2e3e166 100644 --- a/articles/fleet-4.68.0.md +++ b/articles/fleet-4.68.0.md 
@@ -25,7 +25,7 @@ Security engineers can now send scheduled query results to a webhook URL. This m ### Deploy tarballs -Fleet now supports deploying `.tar.gz` and `.tgz packages`. Security engineers no longer need separate hosting or deployment tools, simplifying the process of distributing software across hosts. Learn more [here](https://fleetdm.com/guides/deploy-software-packages). +Fleet now supports deploying `.tar.gz` and `.tgz packages`. Security engineers no longer need separate hosting or deployment tools, simplifying the process of distributing software across hosts. Learn more in our [software deployment guide](https://fleetdm.com/guides/deploy-software-packages). ### SHA-256 verification 
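Review bot: In the added line under "Deploy tarballs", the code span still reads `.tgz packages`, so the word "packages" renders as part of the file extension. Since this line is being rewritten anyway, close the backtick after the extension so the sentence reads: deploying `.tar.gz` and `.tgz` packages.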
@@ -33,15 +33,15 @@ IT admins can now specify a `hash_sha256` when adding custom packages to Fleet v ### Certificate renewal -Fleet can now automatically renew certificates from DigiCert, NDES, or custom certificate authorities (CA). This ensures end users can maintain seamless Wi-Fi and VPN access without manual certificate management. Learn more [here](https://fleetdm.com/guides/connect-end-user-to-wifi-with-certificate). +Fleet can now automatically renew certificates from DigiCert, NDES, or custom certificate authorities (CA). This ensures end users can maintain seamless Wi-Fi and VPN access without manual certificate management. See the [WiFi and VPN certificate guide](https://fleetdm.com/guides/connect-end-user-to-wifi-with-certificate) for more information. ### Configuration profile variables -IT admins can now insert end users' identity provider (IdP) usernames and groups into macOS, iOS, and iPadOS configuration profiles. This allows certificates to include user-specific data and enables other tools, like Munki, to take group-based actions. See all configuration profile variables Fleet currently supports [here](https://fleetdm.com/docs/configuration/yaml-files#macos-settings-and-windows-settings). +IT admins can now insert end users' identity provider (IdP) usernames and groups into macOS, iOS, and iPadOS configuration profiles. This allows certificates to include user-specific data and enables other tools, like Munki, to take group-based actions. Supported configuration profile variables are listed in [GitOps documentation](https://fleetdm.com/docs/configuration/yaml-files#macos-settings-and-windows-settings). ### Software self-service categories -IT admins can now organize software in **Fleet Desktop > Self service** into categories like "🌎 Browsers," "👬 Communication," "🧰 Developer tools," and "🖥️ Productivity." This makes it easier for end users to quickly find and install the apps they need. 
Learn more [here](https://fleetdm.com/guides/software-self-service). +IT admins can now organize software in **Fleet Desktop > Self service** into categories like "🌎 Browsers," "👬 Communication," "🧰 Developer tools," and "🖥️ Productivity." This makes it easier for end users to quickly find and install the apps they need. See the [software self-service guide](https://fleetdm.com/guides/software-self-service) for more information. ### Run scripts in bulk @@ -57,7 +57,7 @@ A new `fleetctl generate-gitops` command now generates GitOps (YAML) files based ### Custom Fleet agent (fleetd) during new Mac setup (ADE) -Fleet now allows IT admins to deploy a custom fleetd during Mac Setup Assistant (ADE). This makes it possible to custom the fleetd configuration to point hosts to a custom Fleet server URL during initial enrollment, meeting security requirements without manual reconfiguration. Learn how [here](https://fleetdm.com/guides/macos-setup-experience#advanced). +Fleet now allows IT admins to deploy a custom fleetd during Mac Setup Assistant (ADE). This makes it possible to custom the fleetd configuration to point hosts to a custom Fleet server URL during initial enrollment, meeting security requirements without manual reconfiguration. See the [macOS setup experience guide](https://fleetdm.com/guides/macos-setup-experience#advanced) for more information. ## Changes diff --git a/articles/fleet-desktop-says-hello-world.md b/articles/fleet-desktop-says-hello-world.md index 58ed620ca5..7c605cd605 100644 --- a/articles/fleet-desktop-says-hello-world.md +++ b/articles/fleet-desktop-says-hello-world.md 
@@ -29,7 +29,7 @@ This page explains what Fleet and osquery can and cannot see on their computers. Fleet Premium users can point this link to an internal resource to customize the content for their organization’s situation. ## Deploying Fleet Desktop -To install Fleet Desktop on your end users' machines, you will need to generate a new osquery installer and run it on end users’ machines. Learn more [here](https://fleetdm.com/docs/using-fleet/adding-hosts#fleet-desktop). +To install Fleet Desktop on your end users' machines, you will need to [generate a fleetd agent](https://fleetdm.com/docs/using-fleet/adding-hosts#fleet-desktop) and run it on end users’ machines. Once installed, Fleet Desktop’s versioning is thereafter managed by our agent manager, Orbit. diff --git a/articles/fleet-software-attestation.md b/articles/fleet-software-attestation.md index 3c728805c9..c2d790da30 100644 --- a/articles/fleet-software-attestation.md +++ b/articles/fleet-software-attestation.md 
@@ -4,7 +4,7 @@ As of version 4.63.0 Fleet added [SLSA attestations](https://slsa.dev/) to our r ## What is software attestation? -A software attestation is a cryptographically-signed statement provided by a software creator that certifies the build process and provenance of one or more software _artifacts_ (which might be files, container images, or other outputs). In other words, it's a promise to our users that the software we're providing was built by us, using a process that they can trust and verify. We utilize the SLSA framework for attestations which you can read more about [here](https://slsa.dev/). After each release, attestations are added to https://github.com/fleetdm/fleet/attestations. +A software attestation is a cryptographically-signed statement provided by a software creator that certifies the build process and provenance of one or more software _artifacts_ (which might be files, container images, or other outputs). In other words, it's a promise to our users that the software we're providing was built by us, using a process that they can trust and verify. We use the [SLSA framework](https://slsa.dev/) for attestations. After each release, attestations are added to https://github.com/fleetdm/fleet/attestations. ## Verifying a release diff --git a/articles/fleetctl.md b/articles/fleetctl.md index f6e9b69986..5c90179931 100644 --- a/articles/fleetctl.md +++ b/articles/fleetctl.md 
@@ -39,7 +39,7 @@ You can also install the latest version of the binary from [GitHub](https://gith Much of the functionality available in the Fleet UI is also available in fleetctl. You can run queries, add and remove users, generate Fleet's agent (fleetd) to add new hosts, get information about existing hosts, and more! -> Note: Unless a logging infrastructure is configured on your Fleet server, osquery-related logs will be stored locally on each device. Read more [here](https://fleetdm.com/guides/log-destinations) +> Unless a [log destination](https://fleetdm.com/guides/log-destinations) is configured, osquery logs will be stored locally on each device. To see the available commands you can run: diff --git a/articles/foreign-vitals-map-idp-users-to-hosts.md b/articles/foreign-vitals-map-idp-users-to-hosts.md index 12650f11bc..4b0860cf93 100644 --- a/articles/foreign-vitals-map-idp-users-to-hosts.md +++ b/articles/foreign-vitals-map-idp-users-to-hosts.md 
@@ -36,7 +36,7 @@ To map users from Okta to hosts in Fleet, do the following steps: 3. For the **Unique identifier field for users**, enter `userName`. 4. For the **Supported provisioning actions**, select **Push New Users**, **Push Profile Updates**, and **Push Groups**. 5. For the **Authentication Mode**, select **HTTP Header**. -6. Create a Fleet API-only user with maintainer permissions and copy API token for that user (learn how [here](https://fleetdm.com/guides/fleetctl#create-api-only-user)). Paste your API token in Okta's **Authorization** field. +6. [Create a Fleet API-only user](https://fleetdm.com/guides/fleetctl#create-api-only-user) with maintainer permissions and copy API token for that user. Paste your API token in Okta's **Authorization** field. 7. Select the **Test Connector Configuration** button. You should see success message in Okta. 8. In Fleet, head to **Settings > Integrations > Identity provider (IdP)** and verify that Fleet successfully received the request from IdP. 9. Back in Okta, select **Save**. diff --git a/articles/how-to-configure-logging-destinations.md b/articles/how-to-configure-logging-destinations.md index bc9dab9856..7b52ba0d07 100644 --- a/articles/how-to-configure-logging-destinations.md +++ b/articles/how-to-configure-logging-destinations.md @@ -78,7 +78,7 @@ Sumo Logic supports data ingestion via HTTP, making it a reliable choice for log #### For Splunk -Splunk is a powerful platform for searching, monitoring, and analyzing machine-generated big data. Learn how to connect Fleet to Splunk [here](https://fleetdm.com/guides/log-destinations#splunk). +Splunk is a powerful platform for searching, monitoring, and analyzing machine-generated big data. You can [configure Fleet to send logs to Splunk](https://fleetdm.com/guides/log-destinations#splunk). ### Conclusion diff --git a/articles/how-to-uninstall-fleetd.md b/articles/how-to-uninstall-fleetd.md index bfb5381085..e1513836cc 100644 --- a/articles/how-to-uninstall-fleetd.md 
+++ b/articles/how-to-uninstall-fleetd.md @@ -18,7 +18,7 @@ How to uninstall fleetd from a host via Fleet (remotely): After performing these steps, the host will display as an offline host in the Fleet UI until you delete it. -Are you having trouble uninstalling Fleetd on macOS, Windows, or Linux? Get help [here](https://fleetdm.com/slack). +Are you having trouble uninstalling Fleetd on macOS, Windows, or Linux? Get help via one of our [support channels](https://fleetdm.com/support). diff --git a/articles/how-to-use-policies-for-patch-management-in-fleet.md b/articles/how-to-use-policies-for-patch-management-in-fleet.md index d183bab9b3..62d0a30ab5 100644 --- a/articles/how-to-use-policies-for-patch-management-in-fleet.md +++ b/articles/how-to-use-policies-for-patch-management-in-fleet.md 
@@ -24,7 +24,7 @@ Additionally, updated software often includes new features that can ultimately h In this article, we will be using Google Chrome to demonstrate the functionality, and I already have the latest version’s .pkg downloaded locally. -Select the team you want the policy to run on. Navigate to **Software > Add Software**. Here you can use one of Fleet’s maintained apps, add from VPP or Custom Package. We will use Custom Package in this example and upload the Google Chrome.pkg mentioned previously. After upload, there are a couple of options for pre/post-install queries and scripts - you can read more about those options [here](https://fleetdm.com/guides/deploy-software-packages). +Select the team you want the policy to run on. Navigate to **Software > Add Software**. Here you can use one of Fleet’s maintained apps, add from VPP or Custom Package. We will use Custom Package in this example and upload the Google Chrome.pkg mentioned previously. After upload, there are a couple of options for pre/post-install queries and scripts - you can read more about those options in our [guide on deploying software](https://fleetdm.com/guides/deploy-software-packages). Navigate to **Policies**, select the team you want the policy to run in. diff --git a/articles/log-destinations.md b/articles/log-destinations.md index dcf95717a8..8dbe3ba777 100644 --- a/articles/log-destinations.md +++ b/articles/log-destinations.md @@ -84,7 +84,7 @@ resource "aws_kinesis_firehose_delivery_stream" "test_stream" { } ``` -For the latest configuration go to HashiCorp's Terraform docs [here](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_firehose_delivery_stream#splunk-destination). +For the latest configuration go to [HashiCorp's Terraform docs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_firehose_delivery_stream#splunk-destination). ## Amazon Kinesis Data Streams 
diff --git a/articles/macos-mdm-setup.md b/articles/macos-mdm-setup.md index 8beec86bdc..83028b0e17 100644 --- a/articles/macos-mdm-setup.md +++ b/articles/macos-mdm-setup.md @@ -62,7 +62,7 @@ Hosts that automatically enroll will be assigned to a default team. You can conf > Available in Fleet Premium -To connect Fleet to Apple's VPP, head to the guide [here](https://fleetdm.com/guides/install-vpp-apps-on-macos-using-fleet). +To connect Fleet to Apple's VPP, follow the instructions in our [VPP guide](https://fleetdm.com/guides/install-vpp-apps-on-macos-using-fleet#prerequisites). ## Best practice diff --git a/articles/macos-setup-experience.md b/articles/macos-setup-experience.md index 84feb2d5c4..5e091d69ef 100644 --- a/articles/macos-setup-experience.md +++ b/articles/macos-setup-experience.md @@ -16,7 +16,7 @@ In Fleet, you can customize the out-of-the-box macOS Setup Assistant with Remote In addition to the customization above, Fleet automatically installs the fleetd agent during out-of-the-box macOS setup. This agent is responsible for reporting host vitals to Fleet and presenting Fleet Desktop to the end user. -macOS setup features require connecting Fleet to Apple Business Manager (ABM). Learn how [here](https://fleetdm.com/guides/macos-mdm-setup#apple-business-manager-abm). +macOS setup features require [connecting Fleet to Apple Business Manager (ABM)](https://fleetdm.com/guides/macos-mdm-setup#apple-business-manager-abm). ## End user authentication and end user license agreement (EULA) 
@@ -95,7 +95,7 @@ Verify that the package is a distribution package: To sign the package we need a valid Developer ID Installer certificate: 1. Login to your [Apple Developer account](https://developer.apple.com/account). -2. Follow Apple's instructions to create a Developer ID Installer certificate [here](https://developer.apple.com/help/account/create-certificates/create-developer-id-certificates). +2. Follow [Apple's instructions to create a Developer ID Installer certificate](https://developer.apple.com/help/account/create-certificates/create-developer-id-certificates). > During step 3 in Apple's instructions, make sure you choose "Developer ID Installer." You'll need this kind of certificate to sign the package. @@ -139,7 +139,7 @@ To customize the macOS Setup Assistant, we will do the following steps: ### Step 1: Create an automatic enrollment profile -1. Download Fleet's example automatic enrollment profile by navigating to the example [here](https://fleetdm.com/example-dep-profile) and clicking the download icon. +1. Download Fleet's example automatic enrollment profile by navigating to [the example](https://fleetdm.com/example-dep-profile) and clicking the **Download** icon. 2. Open the automatic enrollment profile and replace the `profile_name` key with your organization's name. 
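Review bot: In step 1 of "Create an automatic enrollment profile", the new link text `[the example](https://fleetdm.com/example-dep-profile)` is still non-descriptive out of context, which is the same problem this patch fixes for the "here" links elsewhere. Suggest putting the link on the noun phrase already in the sentence, i.e. link "Fleet's example automatic enrollment profile" and drop "by navigating to the example".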
@@ -147,7 +147,7 @@ To customize the macOS Setup Assistant, we will do the following steps: 4. In your automatic enrollment profile, edit the `skip_setup_items` array so that it includes the panes you want to hide. - > You can modify properties other than `skip_setup_items`. These are documented by Apple [here](https://developer.apple.com/documentation/devicemanagement/profile). + > You can modify properties other than `skip_setup_items`. See [Apple's profile documentation](https://developer.apple.com/documentation/devicemanagement/profile) for valid fields. The `await_device_configured` option is always set to `true` to allow Fleet to take actions like running scripts and installing software packages during the enrollment process. If you'd like to release devices manually, you can check the "Release device manually" option in Setup experience > Setup assistant > Show advanced options. @@ -167,7 +167,7 @@ Testing requires a test Mac that is present in your Apple Business Manager (ABM) 2. In Fleet, navigate to the Hosts page and find your Mac. Make sure that the host's **MDM status** is set to "Pending." - > New Macs purchased through Apple Business Manager appear in Fleet with MDM status set to "Pending." Learn more about these hosts [here](https://fleetdm.com/guides/macos-mdm-setup#apple-business-manager-abm). + > New Macs purchased through Apple Business Manager appear in Fleet with MDM status set to "Pending." See our [automatic enrollment guide](https://fleetdm.com/guides/macos-mdm-setup#automatic-enrollment) for more information. 3. Transfer this host to the "Workstations (canary)" team by selecting the checkbox to the left of the host and selecting **Transfer** at the top of the table. In the modal, choose the Workstations (canary) team and select **Transfer**. 
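Review bot: The added line in the "Pending" blockquote changes the link fragment from `#apple-business-manager-abm` to `#automatic-enrollment`, which is a change of target rather than of wording. Please confirm the macos-mdm-setup guide has a heading that produces `#automatic-enrollment`; the hunk at line 16 of this same file keeps `#apple-business-manager-abm` for its ABM link, and a fragment that does not exist fails silently by landing at the top of the guide.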
@@ -183,7 +183,7 @@ If you configure software and/or a script for setup experience, users will see a This window shows the status of the software installations as well as the script exectution. Once all steps have completed, the window can be closed and Setup Assistant will proceed as usual. -To replace the Fleet logo with your organization's logo, head to **Settings** > **Organization settings** > **Organization info**, add URLs to your logos in the **Organization avatar URL (for dark backgrounds)** and **Organization avatar URL (for light backgrounds)** fields, and select **Save**. See recommended sizes for logos [here](https://fleetdm.com/docs/configuration/yaml-files#org-info). +To replace the Fleet logo with your organization's logo, head to **Settings** > **Organization settings** > **Organization info**, add URLs to your logos in the **Organization avatar URL (for dark backgrounds)** and **Organization avatar URL (for light backgrounds)** fields, and select **Save**. See [configuration documentation](https://fleetdm.com/docs/configuration/yaml-files#org-info) for recommended logo sizes. > The setup experience script always runs after setup experience software is installed. Currently, software that [automatically installs](https://fleetdm.com/guides/automatic-software-install-in-fleet) and scripts that [automatically run](https://fleetdm.com/guides/policy-automation-run-script) are also installed and run during Setup Assistant but won't appear in the window. Automatic software and scripts may run before or after setup the experience software/script. They aren't installed/run in any particular order. 
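Review bot: The added sentence "See [configuration documentation](...#org-info) for recommended logo sizes." is worded differently from the same pointer added in `articles/mdm-migration.md` in this patch ("See [configuration docs](...) for recommended sizes for logos."); pick one phrasing and use it in both places. While this paragraph is open, the unchanged context around it has "exectution" and "before or after setup the experience software/script", which could be corrected in the same pass.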
@@ -209,7 +209,7 @@ Fleet also provides a REST API for managing setup experience software and script ### Configuring via GitOps -To manage setup experience software and script using Fleet's best practice GitOps, check out the `macos_setup` key in the GitOps reference documentation [here](https://fleetdm.com/docs/configuration/yaml-files#macos-setup) +To manage setup experience software and script using Fleet's best practice GitOps, check out the `macos_setup` key in the [GitOps reference documentation](https://fleetdm.com/docs/configuration/yaml-files#macos-setup) ## Advanced diff --git a/articles/managing-labels-in-fleet.md b/articles/managing-labels-in-fleet.md index 4a258b70cc..df423a50ac 100644 --- a/articles/managing-labels-in-fleet.md +++ b/articles/managing-labels-in-fleet.md @@ -66,7 +66,7 @@ fleetctl get labels -* **Targeting extensions with labels**: Labels can also target extensions to specific hosts. You can find more details on this functionality [here](https://fleetdm.com/docs/configuration/agent-configuration#targeting-extensions-with-labels). +* **Targeting extensions with labels**: Labels can also [target extensions to specific hosts](https://fleetdm.com/docs/configuration/agent-configuration#targeting-extensions-with-labels). ### Conclusion diff --git a/articles/mdm-commands.md b/articles/mdm-commands.md index 6ea85537af..cf115b59d4 100644 --- a/articles/mdm-commands.md +++ b/articles/mdm-commands.md 
@@ -23,7 +23,7 @@ The end result simply needs to be a standard, plain text file with the correct k ### Examples -To restart a macOS host, we can use the "Restart a Device" MDM command documented by Apple [here](https://developer.apple.com/documentation/devicemanagement/restart_a_device#3384428). +To restart a macOS host, we can use the ["Restart a Device" MDM command](https://developer.apple.com/documentation/devicemanagement/restart_a_device). Below is the text to be used as the MDM command payload. Save it as a file and name it something like `apple-restart-device.xml`. @@ -41,7 +41,7 @@ Below is the text to be used as the MDM command payload. Save it as a file and n ``` -To restart a Windows host, we can use the "Reboot" command documented by Microsoft [here](https://learn.microsoft.com/en-us/windows/client-management/mdm/reboot-csp). +To restart a Windows host, we can use the ["Reboot" command](https://learn.microsoft.com/en-us/windows/client-management/mdm/reboot-csp). Below is the text to be used as the MDM command payload. Save it as a file and name it something like `windows-restart-device.xml`. diff --git a/articles/mdm-migration.md b/articles/mdm-migration.md index 9ea48d3479..1dd5fe60d2 100644 --- a/articles/mdm-migration.md +++ b/articles/mdm-migration.md @@ -20,7 +20,7 @@ To migrate hosts, we will do the following steps: ### Step 1: Enroll hosts to Fleet -1. First, enroll your hosts to Fleet by installing Fleet's agent (fleetd). Learn how [here](https://fleetdm.com/guides/enroll-hosts). +1. First, [enroll your hosts](https://fleetdm.com/guides/enroll-hosts) to Fleet by installing Fleet's agent (fleetd). 2. Ensure your end users have access to an admin account on their Mac. End users won't be able to migrate on their own if they have a standard account. ### Step 2: Assign hosts in Apple Business Manager (ABM) to Fleet 
@@ -72,10 +72,10 @@ Fleet UI: 2. Scroll down to the **End user migration workflow** section and select the toggle to enable the workflow. 3. Under **Mode**, choose a mode, enter the webhook URL for your automation tool (e.g., Tines) under **Webhook URL**, and select **Save**. 4. During the end user migration workflow, an end user's device will have its selected system theme (light or dark) applied. If your logo is not easy to see on both light and dark backgrounds, you can optionally set a logo for each theme: -Head to **Settings** > **Organization settings** > **Organization info**, add URLs to your logos in the **Organization avatar URL (for dark backgrounds)** and **Organization avatar URL (for light backgrounds)** fields, and select **Save**. See recommended sizes for logos [here](https://fleetdm.com/docs/configuration/yaml-files#org-info). +Head to **Settings** > **Organization settings** > **Organization info**, add URLs to your logos in the **Organization avatar URL (for dark backgrounds)** and **Organization avatar URL (for light backgrounds)** fields, and select **Save**. See [configuration docs](https://fleetdm.com/docs/configuration/yaml-files#org-info) for recommended sizes for logos. 5. During migration, end users will see a button that says "Unsure? Contact IT". Head to **Settings** > **Organization settings** > **Organization info** > **Organization support URL** to direct users to your help desk if they have any questions. -Fleet API: API documentation is [here](https://fleetdm.com/docs/rest-api/rest-api#mdm-macos-migration) +Fleet API: MDM migration settings are configured via the [`mdm.macos_migration`](https://fleetdm.com/docs/rest-api/rest-api#mdm-macos-migration) field on the [Modify configuration API endpoint](https://fleetdm.com/docs/rest-api/rest-api#modify-configuration). 
GitOps: - To manage macOS MDM migration configuration using Fleet's best practice GitOps, check out the `macos_migration` key in the [GitOps reference documentation](https://fleetdm.com/docs/configuration/yaml-files#macos-migration). @@ -93,7 +93,7 @@ _Available in Fleet Premium_ When migrating from a previous MDM, end users must restart or log out of their device to escrow FileVault keys to Fleet. The **My device** page in Fleet Desktop will present users with instructions on how to reset their key. -To start, enforce FileVault disk encryption and escrow recovery keys in Fleet. Learn how [here](https://fleetdm.com/guides/enforce-disk-encryption). +To start, [enforce FileVault disk encryption](https://fleetdm.com/guides/enforce-disk-encryption) in Fleet. After turning on disk encryption in Fleet, share [these guided instructions](#how-to-turn-on-disk-encryption) with your end users. diff --git a/articles/migrating-to-gitops-using-fleetctl.md b/articles/migrating-to-gitops-using-fleetctl.md index e577755797..f7cfbf2e39 100644 --- a/articles/migrating-to-gitops-using-fleetctl.md +++ b/articles/migrating-to-gitops-using-fleetctl.md 
@@ -2,7 +2,7 @@ ## Introduction -At Fleet, we are strong proponents of using [GitOps](https://fleetdm.com/guides/sysadmin-diaries-gitops-a-strategic-advantage#basic-article) to manage your configuration (you can read more about our rationale [here](https://fleetdm.com/guides/articles/preventing-mistakes-with-gitops)). But what if you already have a Fleet instance with complex configuration or a large numbers of labels, policies, queries or software installers? How can you migrate your configuration management to GitOps while ensuring that nothing is lost in the shuffle? +At Fleet, we are strong proponents of using [GitOps](https://fleetdm.com/guides/sysadmin-diaries-gitops-a-strategic-advantage#basic-article) to manage your configuration, as it [improves reliability, reduces errors, and enables consistent, auditable management of your device infrastructure](https://fleetdm.com/guides/articles/preventing-mistakes-with-gitops). But what if you already have a Fleet instance with complex configuration or a large numbers of labels, policies, queries or software installers? How can you migrate your configuration management to GitOps while ensuring that nothing is lost in the shuffle? Enter `fleetctl generate-gitops`. diff --git a/articles/policy-automation-run-script.md b/articles/policy-automation-run-script.md index 3e0a0c49ea..1beee61504 100644 --- a/articles/policy-automation-run-script.md +++ b/articles/policy-automation-run-script.md 
@@ -4,7 +4,7 @@ Fleet [v4.58.0](https://github.com/fleetdm/fleet/releases/tag/fleet-v4.58.0) introduces the ability to execute scripts on hosts automatically based on predefined policy failures. This guide will walk you through configuring Fleet to automatically execute scripts on hosts using uploaded scripts based on programmed policies. -Fleet allows users to upload scripts executed on macOS, Windows, and Linux hosts to remediate issues with those hosts. These scripts can now be automated to run when a policy fails. Learn more about scripts [here](https://fleetdm.com/guides/scripts). +Fleet allows users to upload [scripts](https://fleetdm.com/guides/scripts) executed on macOS, Windows, and Linux hosts to remediate issues with those hosts. These scripts can now be automated to run when a policy fails. ## Prerequisites diff --git a/articles/queries.md b/articles/queries.md index 9cac2d8ea2..1cc9a02fa4 100644 --- a/articles/queries.md +++ b/articles/queries.md @@ -2,7 +2,7 @@ Queries in Fleet allow you to ask questions to help you manage, monitor, and identify threats on your devices. This guide will walk you through how to create, schedule, and run a query. -> Note: Unless a logging infrastructure is configured on your Fleet server, osquery-related logs will be stored locally on each device. Read more [here](https://fleetdm.com/guides/log-destinations) +> Unless a [log destination](https://fleetdm.com/guides/log-destinations) is configured, osquery logs will be stored locally on each device. > New users may find it helpful to start with Fleet's policies. You can find policies and queries from the community in Fleet's [query library](https://fleetdm.com/queries). To learn more about policies, see [What are Fleet policies?](https://fleetdm.com/securing/what-are-fleet-policies) and [Understanding the intricacies of Fleet policies](https://fleetdm.com/guides/understanding-the-intricacies-of-fleet-policies). 
diff --git a/articles/scripts.md b/articles/scripts.md index e320a7c448..bb3e28d576 100644 --- a/articles/scripts.md +++ b/articles/scripts.md @@ -13,14 +13,12 @@ Script execution is disabled by default. Continue reading to learn how to enable If you use Fleet's macOS MDM features, scripts are automatically enabled for macOS hosts that have MDM turned on. You're set! -If you don't use MDM features, to enable scripts, we'll deploy a fleetd agent with scripts enabled: +If you don't use MDM features, to enable scripts, we'll [deploy a fleetd agent](https://fleetdm.com/guides/enroll-hosts) with scripts enabled: 1. Generate a new fleetd agent for macOS, Windows, or Linux using the `fleetctl package` command with the `--enable-scripts` flag. 2. Deploy fleetd to your hosts. If your hosts already have fleetd installed, you can deploy the new fleetd on-top of the old installation. -Learn more about generating a fleetd agent and deploying it [here](https://fleetdm.com/guides/enroll-hosts). - ## Manually run scripts You can run a script in the Fleet UI, with Fleet API, or with the fleetctl command-line interface (CLI). @@ -47,11 +45,11 @@ fleetctl run-script --script-path=/path/to/script --host=hostname ## Automatically run scripts -Learn more about automatically running scripts [here](https://fleetdm.com/guides/policy-automation-run-script). +You can [automatically run scripts](https://fleetdm.com/guides/policy-automation-run-script) using Fleet via policy automations. ## Batch execute scripts -You can execute a script on a large number of hosts at the same time using the Fleet UI or Fleet API. +You can execute a script on a large number of hosts at the same time using the Fleet UI or Fleet API. Fleet UI: diff --git a/articles/security-testing-at-fleet-orbit-auto-updater-audit.md b/articles/security-testing-at-fleet-orbit-auto-updater-audit.md index d6dbaf61df..f86ffa67a3 100644 --- a/articles/security-testing-at-fleet-orbit-auto-updater-audit.md 
+++ b/articles/security-testing-at-fleet-orbit-auto-updater-audit.md @@ -6,12 +6,10 @@ At Fleet, openness is one of our core [values](https://fleetdm.com/handbook/comp [Orbit](https://blog.fleetdm.com/introducing-orbit-for-osquery-751da494d617) is an [osquery](https://github.com/osquery/osquery) runtime and auto-updater. It leverages [The Update Framework](https://theupdateframework.io/) to create a secure update mechanism using a hierarchy of cryptographic keys and operations. -About a year ago, while Orbit was still brand new, not “production-ready,” and in use by almost nobody, we had an external vendor ([Trail of Bits](https://www.trailofbits.com/)) perform a security audit on the Orbit auto-updater functionality. +About a year ago, while Orbit was still brand new, not “production-ready,” and in use by almost nobody, we had an external vendor ([Trail of Bits](https://www.trailofbits.com/)) perform a [security audit](https://fleetdm.com/docs/using-fleet/security-audits) on the Orbit auto-updater functionality. We then handled the issues surfaced by the audit publicly in the Fleet repository and the old Orbit repository. -You can read more about the 2021 Orbit auto-updater security audit [here](https://fleetdm.com/docs/using-fleet/security-audits). - ### Testing in the future Fleet will regularly perform security tests. These tests will target Fleet, Orbit, our company, and many other components. diff --git a/articles/teams.md b/articles/teams.md index 19fe65dff6..1f3f1572ab 100644 --- a/articles/teams.md +++ b/articles/teams.md 
@@ -46,7 +46,7 @@ You can add hosts to a team in Fleet by either enrolling the host with a team's ## Advanced -You can automatically enroll hosts to a specific team in Fleet by installing a fleetd with a team enroll secret. Learn more [here](https://fleetdm.com/guides/enroll-hosts#enroll-host-to-a-specific-team). +You can automatically enroll hosts to a specific team in Fleet by installing a fleetd agent with a [team enroll secret](https://fleetdm.com/guides/enroll-hosts#enroll-host-to-a-specific-team). Changing the host's enroll secret after enrollment will not cause the host to be transferred to a different team. diff --git a/articles/using-fleet-and-okta-workflows-to-generate-a-daily-os-report.md b/articles/using-fleet-and-okta-workflows-to-generate-a-daily-os-report.md index 33b9499bbd..e3d179c105 100644 --- a/articles/using-fleet-and-okta-workflows-to-generate-a-daily-os-report.md +++ b/articles/using-fleet-and-okta-workflows-to-generate-a-daily-os-report.md 
@@ -116,7 +116,7 @@ With all of the parts needed for the post, we use a final `Compose` card to stri ![Okta workflow Compose card composing Slack message.](../website/assets/images/articles/using-fleet-and-okta-workflows-image8-500x426@2x.png "Okta workflow Compose card composing Slack message.") -Using one of my favorite cards, the `Construct` we create the key:value pair for our Slack message. So, for example, to post to the Slack API, we need a couple of values like, `channel` and `text`. And since we are using our friendly bot, we throw in the `username` as well. Check out the Slack docs [here](https://api.slack.com/methods/chat.postMessage) for the different keys you can use in the chat.postMessage API method, it's extensive! +Using one of my favorite cards, the `Construct` we create the key:value pair for our Slack message. So, for example, to post to the Slack API, we need a couple of values like, `channel` and `text`. And since we are using our friendly bot, we throw in the `username` as well. Check out the [Slack API docs](https://api.slack.com/methods/chat.postMessage) for the different keys you can use in the chat.postMessage API method, it's extensive! ```{ diff --git a/articles/what-api-endpoints-to-expose-to-the-public-internet.md b/articles/what-api-endpoints-to-expose-to-the-public-internet.md index eced92e721..89c1b0a644 100644 --- a/articles/what-api-endpoints-to-expose-to-the-public-internet.md +++ b/articles/what-api-endpoints-to-expose-to-the-public-internet.md 
@@ -33,7 +33,7 @@ If you would like to use Fleet's macOS MDM features, the following endpoints nee - `/mdm/apple/mdm`: Allows hosts to reach the server using the MDM protocol. - `/api/mdm/apple/enroll`: If you use automatic enrollment, allows hosts to get an enrollment profile. - `/api/*/fleet/device/*`: Provides end users access to their **My device** page. - - This page is where they download their manual enrollment profile, rotate their disk encryption key, and use other features. For more information on these API endpoints see the documentation [here](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/api-for-contributors.md#device-authenticated-routes). + - This page is where they download their manual enrollment profile, rotate their disk encryption key, and use other features. For more information on these API endpoints see the [API documentation for device-authenticated routes](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/api-for-contributors.md#device-authenticated-routes). - `/api/*/fleet/mdm/sso` and `/api/*/fleet/mdm/sso/callback`: If you use automatic enrollment and you require [end user authentication](https://fleetdm.com/docs/using-fleet/mdm-macos-setup-experience#end-user-authentication-and-eula) during out-of-the-box macOS setup, allows end users to authenticate with your IdP. - `/api/*/fleet/mdm/setup/eula/*`: If you use automatic enrollment and you require that the end user agrees to an [End User License Agreement (EULA)](https://fleetdm.com/docs/using-fleet/mdm-macos-setup-experience#end-user-authentication-and-eula) during out-of-the-box macOS setup, allows end user to see the EULA. - `/api/*/fleet/mdm/bootstrap`: If you use automatic enrollment and you install a [bootstrap package](https://fleetdm.com/docs/using-fleet/mdm-macos-setup-experience#bootstrap-package) during out-of-the-box macOS setup, installs the bootstrap package. 
diff --git a/articles/windows-mdm-setup.md b/articles/windows-mdm-setup.md index 84ccfe7531..ed5ccb783e 100644 --- a/articles/windows-mdm-setup.md +++ b/articles/windows-mdm-setup.md @@ -6,7 +6,7 @@ To control OS settings, updates, and more on Windows hosts follow the manual enr To use automatic enrollment (aka zero-touch) features on Windows, follow instructions to connect Fleet to Microsoft Entra ID. You can further customize zero-touch with Windows Autopilot. -To migrate Windows hosts from your current MDM solution to Fleet, follow the instructions [here](#automatic-windows-mdm-migration). +To migrate Windows hosts from your current MDM solution to Fleet, follow the [Automatic Windows MDM migration](#automatic-windows-mdm-migration) instructions. ## Turn on Windows MDM @@ -142,7 +142,7 @@ Testing automatic enrollment requires creating a test user in Microsoft Entra ID 2. After it's been wiped, open your workstation and follow the setup steps. At screen in which you're asked to sign in, you should see the title "Welcome to [your organziation]!" next to the logo you uploaded in step 4. -## Automatic Windows MDM Migration +## Automatic Windows MDM migration Fleet can automatically migrate your Windows hosts from another MDM solution to Fleet without end user interaction. @@ -168,7 +168,7 @@ Follow the [steps above](#manual-enrollment) to turn on Windows MDM in Fleet. Once the automatic migration is enabled, Fleet sends a notification to each host to tell it to migrate. This process usually takes a few minutes at most. -You can track migration progress in Fleet. Learn how [here](https://fleetdm.com/guides/mdm-migration#check-migration-progress). +You can [track migration progress in Fleet](https://fleetdm.com/guides/mdm-migration#check-migration-progress). ## Turn off Windows MDM
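Review bot: In the `@@ -93,7 +93,7 @@` FileVault hunk, the new sentence drops "and escrow recovery keys", yet the paragraph directly above it is about end users escrowing FileVault keys to Fleet after a migration. Enforcing encryption and escrowing the recovery key are separate outcomes, and the second is the one this section depends on, so I would keep both: "To start, [enforce FileVault disk encryption](https://fleetdm.com/guides/enforce-disk-encryption) and escrow recovery keys in Fleet."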
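Review bot: In articles/migrating-to-gitops-using-fleetctl.md, the rewritten introduction still links to `https://fleetdm.com/guides/articles/preventing-mistakes-with-gitops`, while every other guide link in this patch has the form `fleetdm.com/guides/<slug>` with no `articles/` segment. The path is carried over from the old line, so please confirm it resolves before merging. Since the sentence is being rewritten anyway, also change "a large numbers of labels" to "a large number of labels", and consider a shorter link text than the full "improves reliability, reduces errors, ..." clause.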
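Review bot: In articles/scripts.md, hunk `@@ -47,11 +45,11 @@`, the removed and added "You can execute a script on a large number of hosts at the same time using the Fleet UI or Fleet API." lines read identically, so that change is whitespace-only. Please confirm it strips trailing whitespace rather than adding it, and drop the line from the patch if it adds it. In the same hunk, "using Fleet via policy automations" could be tightened to "with policy automations".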
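Review bot: In articles/security-testing-at-fleet-orbit-auto-updater-audit.md, deleting "You can read more about the 2021 Orbit auto-updater security audit" removes the only absolute date for the audit. What remains is "About a year ago", which becomes less accurate as the article ages. Suggest carrying the year into the surviving sentence, for example by making the link text "2021 security audit".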
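Review bot: In articles/windows-mdm-setup.md, hunk `@@ -142,7 +142,7 @@`, the context line just above the renamed heading still has "At screen in which" and "organziation"; since this patch is a copy cleanup, both are worth fixing in the same pass. The heading case change itself should keep the `#automatic-windows-mdm-migration` anchor that the first hunk links to, assuming the site lowercases heading slugs, but please check that no other page refers to the heading by its old capitalised text.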