Add support for Druva inSync: new winget input
(ee/maintained-apps/inputs/winget/druva-insync.json), app metadata
(added entry in ee/maintained-apps/outputs/apps.json) and
platform-specific output with version, installer URL,
installer/uninstaller script refs, sha256 and upgrade_code
(ee/maintained-apps/outputs/druva-insync/windows.json). Also add
frontend icon component and mapping
(frontend/pages/SoftwarePage/components/icons/DruvaInSync.tsx and
index.ts) plus the PNG asset
(website/assets/images/app-icon-druva-insync-60x60@2x.png) so the app is
manageable and visually represented in the UI.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#43702
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#42765
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Style
* Enhanced the responsive design of the Identity Provider section by
updating the "learn more" link to dynamically size based on its content
rather than maintaining a fixed width constraint, improving flexibility
and visual consistency across different contexts.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
**Related issue:** Resolves#42879
* Full UI for API-only user management: create/edit flows, fleet/role
assignment, selectable API endpoint permissions, and one-time API key
display.
* New reusable components: API user form, endpoint selector, API access
section, and API key presentation.
* Admin workflow switched from in-page modals to dedicated pages and
streamlined action dropdown navigation.
* Layout and styling refinements for user management, team lists, and
dropdown behaviors.
---------
Co-authored-by: Juan Fernandez <juan@fleetdm.com>
Missed a few AMB UI instances as part of [Rename Apple Business Manager
(ABM) to Apple Business (AB) in
UI](https://github.com/fleetdm/fleet/issues/42512)
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:**
https://github.com/fleetdm/fleet/issues/42512#issuecomment-4238323552
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Updated user-facing text and messaging across Apple Business Manager
integration pages, including modal titles, instructional content, and
setup guides
* Refined terminology, formatting, and punctuation throughout tooltip
content, administrative configuration descriptions, and user guidance
* Adjusted messaging and instructional text in Apple Business Manager
and VPP settings pages
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Register iMazing Profile Editor as a Fleet-maintained app: add input
metadata, add app entry to outputs/apps.json, and add darwin-specific
version/installer info with install/uninstall scripts and checks. Update
frontend icon mapping to include the human-readable name, and adjust
fleet configs (workstations self-service slug, dynamic label bundle
identifier, and macOS patch policy) to reference the new
imazing-profile-editor/darwin slug and
com.DigiDNA.iMazingProfileEditorMac bundle ID.
Replace the fleet-maintained app record for "iMazing Profile Editor"
with the full "iMazing" app. Deleted the old input file and added a new
input for imazing; renamed output paths and updated app metadata (bundle
identifier, slug, categories). Bumped version to 3.5.2 and updated
installer URL, install/uninstall script refs and SHA256. Updated
frontend icon mapping and website routes to point to the new imazing
slug, and adjusted fleet configs: workstation software slug, dynamic
label query, and macOS patch policy to reference imazing/darwin and the
new bundle identifier.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* iMazing application (v3.5.2) now replaces iMazing Profile Editor with
improved capabilities and enhanced functionality.
* Application category updated from Developer tools to Utilities for
better organization and discoverability.
* **Updates**
* Updated deployment configurations, system routes, and management
policies to support iMazing across all managed environments and
platforms.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Add metadata and install/uninstall automation for Thunderbird on
Windows. Adds ee/maintained-apps/inputs/winget/thunderbird.json plus
PowerShell install/uninstall scripts (NSIS silent /S, install uses
/PreventRebootRequired=true; uninstall resolves registry entry for x64
en-US and appends /S). Update maintained apps outputs: register
Thunderbird in ee/maintained-apps/outputs/apps.json and add
ee/maintained-apps/outputs/thunderbird/windows.json (version 149.0.2,
installer URL and sha256, script refs). Also update frontend icon
component and app PNG asset for Thunderbird.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#43526
Add support for Granola (Windows) including winget input,
installer/uninstaller scripts, and output metadata. Added
ee/maintained-apps/inputs/winget/granola.json plus install/uninstall
PowerShell scripts, and new
ee/maintained-apps/outputs/granola/windows.json containing version
7.128.0, installer URL and script refs (with SHA256). Also register
Granola in ee/maintained-apps/outputs/apps.json and update the frontend
icon and website app image assets for Granola.
Add Windows support for Linear: new winget input
(ee/maintained-apps/inputs/winget/linear.json) with installer metadata
and category, plus install/uninstall PowerShell scripts. Add output
metadata (ee/maintained-apps/outputs/linear/windows.json) including a
version entry, installer URL, sha256 and script refs, and register the
app in apps.json. Update frontend icon component to reference a new PNG
and add the image asset.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#43501
Fixes#34288.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [ ] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Setup experience cancellations now create explicit cancellation
activities for skipped/failed software and VPP app installs, plus a new
"Canceled setup experience" activity type and a from_setup_experience
flag. Activity text and host activity views now indicate "during setup
experience" when applicable.
* **Tests**
* Added and updated tests for cancellation activity creation, VPP
license-failure handling, and WasFromAutomation/from_setup_experience
behaviors.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Issue
- First batch of @iansltx 's work of cleaning up lint warnings #43387
## Description
- Quick PR review and grabbed as many confirmed low-risk quick wins as I
could `git checkout lint-cleanup <file/path/1> <file/path/2>`
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Release Notes
This release contains internal code improvements with one minor UI
tweak:
* **Style**
* Dropdown menu background color adjusted for clearer contrast in action
lists
* **Refactor**
* Improved type safety across the codebase with stricter TypeScript
annotations
* Removed unused imports and constants to reduce code clutter
* Enhanced React hook dependency arrays for more consistent component
behavior
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Rachel Perkins <rachel@Rachels-MacBook-Pro.local>
Co-authored-by: Ian Littman <iansltx@gmail.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#40702
New look:
<img width="812" height="350" alt="image"
src="https://github.com/user-attachments/assets/83e82480-b756-4c51-be3f-09a72e736770"
/>
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
- [x] Timeouts are implemented and retries are limited to avoid infinite
loops
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Simplified pending status labels in OS Settings modal by removing
"(pending)" suffix from states like "Enforcing" and "Removing
enforcement"
* Improved OS Settings modal table layout and styling
* **New Features**
* Added dedicated action buttons to resend MDM profiles and rotate
Recovery Lock password
* Enhanced error tooltip handling for failed profile states
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Resolves#40177 and subissues.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [sorta] QA'd all new/changed functionality manually
## Database migrations
- [x] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [x] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [x] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Profile names are now displayed alongside mobile device management
commands for installing or removing profiles. These names are visible in
command details modals and within device activity timelines.
* Added "NotNow" status for deferred profile commands, providing
improved transparency into which profiles are being managed and the
current status of profile installation or removal operations.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Delete AdobeAcrobat.tsx (embedded PNG icon) and update icons index to
remove its import and map 'adobe acrobat' to the existing AcrobatReader
component, consolidating Acrobat icon usage.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#43287
Zed + Opus 4.6; prompt: Convert the InputField JSX component to
TypeScript and remove the ts-ignore directives that we no longer need
after doing so.
- [x] Changes file added
- [x] Automated tests updated
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#38647
<img width="398" height="230" alt="image"
src="https://github.com/user-attachments/assets/7e68e0d7-54b0-4039-a0be-8b0ad4bb1fbf"
/>
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
- [x] Timeouts are implemented and retries are limited to avoid infinite
loops
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#42512
---------
Co-authored-by: Luke Heath <luke@fleetdm.com>
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#42369
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information. **Done in backend task for whole story**
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
- [x] Timeouts are implemented and retries are limited to avoid infinite
loops
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added "Clear passcode" action for iOS and iPad hosts in the host
actions menu, accessible only to Premium tier users with appropriate
permissions.
* Added confirmation modal for clearing device passcodes.
* Passcode clearing activity now appears in the activity feed with actor
information.
* Action is conditionally disabled during specific device states (Lost
Mode, pending wipe) with contextual tooltips.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#42405
Demo video: https://www.youtube.com/watch?v=F3nfFvwdj-c
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Android Wi‑Fi configuration profiles that reference client
certificates are withheld until the certificate is installed or reaches
a terminal state.
* Host OS settings now show the specific pending reason in the detail
column when Android profiles are waiting on certificate installation.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
- @noahtalerman: Feedback from `cisneros` that it's not clear that Fleet
retries 3 times for software and scripts.
For the following quick win:
- https://github.com/fleetdm/fleet/issues/41107
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#36643
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] QA'd all new/changed functionality manually
## Summary
Closes#42402
- **Root Cause 1 (Row deduplication):** `DataTable`'s `getRowId` used
`row.id` directly as the react-table row identity. When query results
contain an `id` column with non-unique values (e.g., `SELECT id FROM
processes` where multiple hosts share PID 0), react-table deduplicates
rows with the same row ID, displaying fewer results than expected.
- **Root Cause 2 (Misleading count):** The "Showing X results" count was
derived from react-table's `rows` array, which was already deduplicated.
Fixing Root Cause 1 resolves this as well — all rows are now preserved,
so the count is accurate.
## Changes
- **`DataTable.tsx`**: Changed `getRowId` to append the array index to
the row ID (`${row.id}-${index}` instead of `String(row.id)`),
guaranteeing uniqueness while preserving the `id` prefix.
- **`InstallSoftwareTable.tsx`**: Updated `generateSelectedRows` to
produce keys matching the new `getRowId` format
(`${software.id}-${index}`), so that `defaultSelectedRows` continues to
correctly persist row selection.
## QA
1. Run a live query like `SELECT id FROM processes` targeting multiple
hosts → all rows should appear (no deduplication).
2. Verify the results count matches the actual number of displayed rows.
3. Verify the Setup Experience > Install Software table still correctly
shows pre-selected software with checkmarks persisted across pagination.
---
Built for [Rachael
Shaw](https://fleetdm.slack.com/archives/D0AFC5BRFHD/p1775167005579149?thread_ts=1775164653.589489&cid=D0AFC5BRFHD)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
---------
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
Co-authored-by: Rachael Shaw <r@rachael.wtf>
Co-authored-by: nulmete <nicoulmete1@gmail.com>
Resolves https://github.com/fleetdm/fleet/issues/39632
---
## Summary
- Updated the styling of the "Label queries and platforms are
immutable..." text on the edit labels page to use default body text
styles instead of the `help-text` mixin.
- Changed font-size from `$xx-small` (12px) to `$x-small` (14px), color
from `$ui-fleet-black-50` (#8b8fa2) to `$ui-fleet-black-75` (#515774),
and added explicit `line-height: 1.5` to match standard body text
throughout the Fleet UI.
## Changes
- `frontend/pages/labels/components/LabelForm/_styles.scss`: Replaced
`@include help-text` with explicit default body text properties
(`font-size: $x-small`, `font-weight: $regular`, `color:
$ui-fleet-black-75`, `line-height: 1.5`).
---
Built for [Rachael
Shaw](https://fleetdm.slack.com/archives/D0AFC5BRFHD/p1775073298182989)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#42673
Every manifest version now matches what hosts report. Here's the
before/after comparison:
| App | Before (Library) | After (Library) | Host Reports | Match? |
|-----|-----------------|----------------|-------------|--------|
| Android Studio | `2025.3.2.6` | `2025.3` | `2025.3` | Yes |
| Citrix Workspace | `25.11.1.42` | `25.11.1` | `25.11.1` | Yes |
| Elgato Stream Deck | `7.3.1.22604` | `7.3.1` | `7.3.1` | Yes |
| FileMaker Pro | `22.0.5.500` | `22.0.5` | `22.0.5` | Yes |
| Microsoft Auto Update | `4.82.26020434` | `4.82` | `4.82` | Yes |
| Opera | `129.0.5823.28` | `129.0` | `129.0` | Yes |
| Royal TSX | `6.4.2.1000` | `6.4.2` | `6.4.2` | Yes |
| Twingate | `2026.29.22575` | `2026.29` | `2026.29` | Yes |
| Microsoft OneNote | `16.107.26032211` | `16.107.2` | `16.107.2` | Yes
|
| Microsoft Outlook | `16.107.26032211` | `16.107.2` | `16.107.2` | Yes
|
| Microsoft PowerPoint | `16.107.26032211` | `16.107.2` | `16.107.2` |
Yes |
| Sublime Text | `4200` | `Build 4200` | `Build 4200` | Yes |
| Sublime Merge | `2123` | `Build 2123` | `Build 2123` | Yes |
| MySQL Workbench | `8.0.46` | `8.0.46.CE` | `8.0.46.CE` | Yes |
| Lens | `2026.3.251250` | `2026.3.251250-latest` |
`2026.3.251250-latest` | Yes |
The library version, the patch policy `version_compare`, and the
frontend comparison will all use versions that match what hosts actually
report.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [ ] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [ ] QA'd all new/changed functionality manually
For unreleased bug fixes in a release candidate, one of:
- [ ] Confirmed that the fix is not expected to adversely impact load
test results
- [ ] Alerted the release DRI if additional load testing is needed
## Database migrations
- [ ] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [ ] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [ ] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
## New Fleet configuration settings
- [ ] Setting(s) is/are explicitly excluded from GitOps
If you didn't check the box above, follow this checklist for
GitOps-enabled settings:
- [ ] Verified that the setting is exported via `fleetctl
generate-gitops`
- [ ] Verified the setting is documented in a separate PR to [the GitOps
documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485)
- [ ] Verified that the setting is cleared on the server if it is not
supplied in a YAML file (or that it is documented as being optional)
- [ ] Verified that any relevant UI is disabled when GitOps mode is
enabled
## fleetd/orbit/Fleet Desktop
- [ ] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [ ] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [ ] Verified that fleetd runs on macOS, Linux and Windows
- [ ] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#42964
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
No changes file as this is part of the SHAA feature
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
## Testing
- [x] QA'd all new/changed functionality manually
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
