Resolves#42979
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [X] QA'd all new/changed functionality manually
Tested UI flow described in issue with:
- Global admin.
- Global maintainer.
- Team admin of one team.
- Team admin of two teams (where bug manifests).
- Team maintainer of two teams.
- Team admin of one team, maintainer of another team.
- Team admin of one team, technician of another team.
## Summary
Closes#42402
- **Root Cause 1 (Row deduplication):** `DataTable`'s `getRowId` used
`row.id` directly as the react-table row identity. When query results
contain an `id` column with non-unique values (e.g., `SELECT id FROM
processes` where multiple hosts share PID 0), react-table deduplicates
rows with the same row ID, displaying fewer results than expected.
- **Root Cause 2 (Misleading count):** The "Showing X results" count was
derived from react-table's `rows` array, which was already deduplicated.
Fixing Root Cause 1 resolves this as well — all rows are now preserved,
so the count is accurate.
## Changes
- **`DataTable.tsx`**: Changed `getRowId` to append the array index to
the row ID (`${row.id}-${index}` instead of `String(row.id)`),
guaranteeing uniqueness while preserving the `id` prefix.
- **`InstallSoftwareTable.tsx`**: Updated `generateSelectedRows` to
produce keys matching the new `getRowId` format
(`${software.id}-${index}`), so that `defaultSelectedRows` continues to
correctly persist row selection.
## QA
1. Run a live query like `SELECT id FROM processes` targeting multiple
hosts → all rows should appear (no deduplication).
2. Verify the results count matches the actual number of displayed rows.
3. Verify the Setup Experience > Install Software table still correctly
shows pre-selected software with checkmarks persisted across pagination.
---
Built for [Rachael
Shaw](https://fleetdm.slack.com/archives/D0AFC5BRFHD/p1775167005579149?thread_ts=1775164653.589489&cid=D0AFC5BRFHD)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
---------
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
Co-authored-by: Rachael Shaw <r@rachael.wtf>
Co-authored-by: nulmete <nicoulmete1@gmail.com>
Resolves https://github.com/fleetdm/fleet/issues/39632
---
## Summary
- Updated the styling of the "Label queries and platforms are
immutable..." text on the edit labels page to use default body text
styles instead of the `help-text` mixin.
- Changed font-size from `$xx-small` (12px) to `$x-small` (14px), color
from `$ui-fleet-black-50` (#8b8fa2) to `$ui-fleet-black-75` (#515774),
and added explicit `line-height: 1.5` to match standard body text
throughout the Fleet UI.
## Changes
- `frontend/pages/labels/components/LabelForm/_styles.scss`: Replaced
`@include help-text` with explicit default body text properties
(`font-size: $x-small`, `font-weight: $regular`, `color:
$ui-fleet-black-75`, `line-height: 1.5`).
---
Built for [Rachael
Shaw](https://fleetdm.slack.com/archives/D0AFC5BRFHD/p1775073298182989)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#42673
Every manifest version now matches what hosts report. Here's the
before/after comparison:
| App | Before (Library) | After (Library) | Host Reports | Match? |
|-----|-----------------|----------------|-------------|--------|
| Android Studio | `2025.3.2.6` | `2025.3` | `2025.3` | Yes |
| Citrix Workspace | `25.11.1.42` | `25.11.1` | `25.11.1` | Yes |
| Elgato Stream Deck | `7.3.1.22604` | `7.3.1` | `7.3.1` | Yes |
| FileMaker Pro | `22.0.5.500` | `22.0.5` | `22.0.5` | Yes |
| Microsoft Auto Update | `4.82.26020434` | `4.82` | `4.82` | Yes |
| Opera | `129.0.5823.28` | `129.0` | `129.0` | Yes |
| Royal TSX | `6.4.2.1000` | `6.4.2` | `6.4.2` | Yes |
| Twingate | `2026.29.22575` | `2026.29` | `2026.29` | Yes |
| Microsoft OneNote | `16.107.26032211` | `16.107.2` | `16.107.2` | Yes
|
| Microsoft Outlook | `16.107.26032211` | `16.107.2` | `16.107.2` | Yes
|
| Microsoft PowerPoint | `16.107.26032211` | `16.107.2` | `16.107.2` |
Yes |
| Sublime Text | `4200` | `Build 4200` | `Build 4200` | Yes |
| Sublime Merge | `2123` | `Build 2123` | `Build 2123` | Yes |
| MySQL Workbench | `8.0.46` | `8.0.46.CE` | `8.0.46.CE` | Yes |
| Lens | `2026.3.251250` | `2026.3.251250-latest` |
`2026.3.251250-latest` | Yes |
The library version, the patch policy `version_compare`, and the
frontend comparison will all use versions that match what hosts actually
report.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [ ] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [ ] QA'd all new/changed functionality manually
For unreleased bug fixes in a release candidate, one of:
- [ ] Confirmed that the fix is not expected to adversely impact load
test results
- [ ] Alerted the release DRI if additional load testing is needed
## Database migrations
- [ ] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [ ] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [ ] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
## New Fleet configuration settings
- [ ] Setting(s) is/are explicitly excluded from GitOps
If you didn't check the box above, follow this checklist for
GitOps-enabled settings:
- [ ] Verified that the setting is exported via `fleetctl
generate-gitops`
- [ ] Verified the setting is documented in a separate PR to [the GitOps
documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485)
- [ ] Verified that the setting is cleared on the server if it is not
supplied in a YAML file (or that it is documented as being optional)
- [ ] Verified that any relevant UI is disabled when GitOps mode is
enabled
## fleetd/orbit/Fleet Desktop
- [ ] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [ ] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [ ] Verified that fleetd runs on macOS, Linux and Windows
- [ ] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#42964
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
No changes file as this is part of the SHAA feature
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
## Testing
- [x] QA'd all new/changed functionality manually
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** The entire ACME feature branch merge
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
- [x] Timeouts are implemented and retries are limited to avoid infinite
loops
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
---------
Co-authored-by: Jordan Montgomery <elijah.jordan.montgomery@gmail.com>
Co-authored-by: Martin Angers <martin.n.angers@gmail.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Gabriel Hernandez <ghernandez345@gmail.com>
Co-authored-by: Sarah Gillespie <73313222+gillespi314@users.noreply.github.com>
- @noahtalerman: For the following quick win:
- #41107
The "Activities run as listed" tooltip on the host details upcoming
activity pane said "Currently, only software and scripts are guaranteed
to run in order" — ambiguous wording that implies the order is
configurable or changeable.
- **`frontend/pages/hosts/details/cards/Activity/Activity.tsx`**:
Replace tooltip text with "Software and scripts are always processed in
order. Each waits until the previous one completes." — accurately
reflects the blocking/sequential behavior described in the contributing
guide.
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: getvictor <2685025+getvictor@users.noreply.github.com>
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
## Summary
- Adds a new "MAC address" vital to the host details page, displaying
`primary_mac` from the host API response
- Follows the same rendering pattern as existing vitals (Private IP
address, Public IP address, etc.) using `DataSet` +
`TooltipTruncatedText`
- Scoped to the same host types that show IP addresses (excludes
iOS/iPadOS and Android hosts, matching the behavior in the Manage Hosts
table)
## Changes
- `frontend/pages/hosts/details/cards/Vitals/Vitals.tsx` — Added MAC
address vital entry within the existing `!isIosOrIpadosHost &&
!isAndroidHost` conditional block
Built for
[mikermcneil](https://fleetdm.slack.com/archives/D0AFASLRHNU/p1774991978746479)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
---------
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
Co-authored-by: Rachael Shaw <r@rachael.wtf>
Co-authored-by: Juan Fernandez <juan@fleetdm.com>
UPDATE: @noahtalerman: For the following quick win:
- https://github.com/fleetdm/fleet/issues/42054
## Summary
- Always use plural forms ("reports", "hosts", "policies") in delete
modal titles and success/error flash messages, regardless of selection
count
- Remove conditional singular/plural logic from delete reports, delete
hosts, and delete policies flows
- Fix DeleteHostModal body text to properly pluralize "host"/"hosts"
based on count while dropping "the record of" for cleaner messaging
Resolves#40164
Manually verified:
<img width="785" height="187" alt="image"
src="https://github.com/user-attachments/assets/c2b91fd4-3592-4760-8241-c33a89e162c0"
/>
Adds a "Learn more" link to the [End-user
Authentication](https://fleetdm.com/guides/setup-experience#end-user-authentication)
documentation on the `/settings/integrations/sso/end-users` page, making
it easier for customers to reference docs while configuring SSO
settings.
- **`EndUserAuthSection.tsx`**: Appended a `Learn more` anchor (opens in
new tab) after the description text in the end-user auth settings card.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added a "Learn more" link in the end user authentication setup
section, providing quick access to comprehensive setup guidance and
documentation.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: getvictor <2685025+getvictor@users.noreply.github.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#40117
Fix:
<img width="1033" height="320" alt="image"
src="https://github.com/user-attachments/assets/a6a642ef-d174-4ca7-b89b-8bb127c5c961"
/>
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Fixed incorrect platform detection for SQL queries that use table
aliases (e.g., `FROM mounts m`).
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#37546
Noah approved design here:
https://fleetdm.slack.com/archives/C09HG9VMRSS/p1774895365069069?thread_ts=1774647818.613419&cid=C09HG9VMRSS
Docs: https://github.com/fleetdm/fleet/pull/42609
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Certificate installation activity logging for Android hosts (success &
failure)
* "Installed certificate" activity type displayed in host activity feed
with status
* Host activity card enabled on Android host details page to show
installs
* Detailed install modal with error detail reveal when failures occur
* Upcoming activities tab disabled for Android hosts where unsupported
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#40317
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [ ] Added/updated automated tests
With the current router we have in place, we can't really test `<Link>`
elements, so our ability to make useful automated tests is pretty
limited here. I extracted the fleet name sorting code into an exported
function and added some tests for that.
- [X] QA'd all new/changed functionality manually
- [X] verified that when All Fleets is selected in dropdown, navigating
to Controls switches to Workstations
- [X] verified that when another fleet is selected in dropdown,
navigating to Controls maintains that selection
- [X] verified that when a fleet is selected in dropdown, navigating to
the dashboard changes to All Fleets
- [X] verified that when "Unassigned" is present in the fleets dropdown,
it is at the bottom
- [X] verified that when using a permalink to the dashboard with a fleet
selected (e.g. `?fleet_id=1`), the correct fleet shows as selected
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#42184
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [ ] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [ ] QA'd all new/changed functionality manually
For unreleased bug fixes in a release candidate, one of:
- [ ] Confirmed that the fix is not expected to adversely impact load
test results
- [ ] Alerted the release DRI if additional load testing is needed
## Database migrations
- [ ] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [ ] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [ ] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
## New Fleet configuration settings
- [ ] Setting(s) is/are explicitly excluded from GitOps
If you didn't check the box above, follow this checklist for
GitOps-enabled settings:
- [ ] Verified that the setting is exported via `fleetctl
generate-gitops`
- [ ] Verified the setting is documented in a separate PR to [the GitOps
documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485)
- [ ] Verified that the setting is cleared on the server if it is not
supplied in a YAML file (or that it is documented as being optional)
- [ ] Verified that any relevant UI is disabled when GitOps mode is
enabled
## fleetd/orbit/Fleet Desktop
- [ ] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [ ] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [ ] Verified that fleetd runs on macOS, Linux and Windows
- [ ] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Release Notes
* **New Features**
* Added support for GitOps exceptions per entity type (labels, software,
secrets), allowing specific areas to bypass GitOps mode restrictions
when configured.
* **Bug Fixes**
* Improved GitOps mode behavior to properly respect per-entity-type
exception settings across software, labels, and secrets management.
* **Tests**
* Extended test coverage for GitOps exception handling scenarios.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Resolves#42383. Re-roll of #42384 using the relevant helper function.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [ ] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Release Notes
* **Bug Fixes**
* Enhanced Android software configuration success notifications to
dynamically display the actual software display name, replacing
previously static messaging. This improvement provides users with more
specific and personalized feedback when confirming successful software
configurations, improving clarity and reducing potential confusion when
managing multiple software installations or updates on their Android
devices.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
**Related issue:** Resolves#42182
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See <a
href="https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files">Changes
files</a> for more information.
will add to last PR
## Testing
- [X] Added/updated automated tests
- [X] Added `ChangeManagement.tests.tsx` with unit/integration tests
covering:
- Exceptions checkboxes render correctly from config for new install
(only Enroll secrets checked) and migrated instances (Labels and Enroll
secrets checked)
- Form save sends the correct `gitops.exceptions` payload via
`configAPI.update`
- Form validation shows error when GitOps mode is enabled but no repo
URL is provided
- Non-premium tier renders the premium feature message
- [X] QA'd all new/changed functionality manually
- [X] verified that Labels and Secrets are checked for pre-existing
(migrated) instance
- [X] verified that only Secrets is checked for new instance
- [X] verified that changing the settings in the UI and saving persists
the `gitops.exceptions` config as expected
<img
src="https://github.com/user-attachments/assets/095c538c-68aa-4179-b4b1-fd5878c0a2b0">
## Summary by CodeRabbit
* **New Features**
* Added GitOps exceptions configuration in Change Management settings
with toggles for Labels, Software, and Enroll Secrets, enabling granular
control over exception flags.
<!-- START COPILOT CODING AGENT TIPS -->
---
✨ Let Copilot coding agent [set things up for
you](https://github.com/fleetdm/fleet/issues/new?title=✨+Set+up+Copilot+instructions&body=Configure%20instructions%20for%20this%20repository%20as%20documented%20in%20%5BBest%20practices%20for%20Copilot%20coding%20agent%20in%20your%20repository%5D%28https://gh.io/copilot-coding-agent-tips%29%2E%0A%0A%3COnboard%20this%20repo%3E&assignees=copilot)
— coding agent works faster and does higher quality work when set up for
your repo.
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: sgress454 <553428+sgress454@users.noreply.github.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#41601
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Details
This PR updates the front end to use the following renamed API keys:
* bootstrap_package -> macos_bootstrap_package
* manual_agent_install -> macos_manual_agent_install
* enable_release_device_manually -> apple_
enable_release_device_manually
* script -> macos_script
* macos_setup -> setup_experience
* macos_settings -> apple_settings
* custom_settings -> configuration_profiles
* macos_setup_assistant -> apple_setup_assistant
It also ensures that consumers of the "get fleet config" API pull from
the `.fleet` property rather than `.team`, so that they can use all of
the newly renamed response fields.
## Summary by CodeRabbit
* **Refactor**
* Restructured Mobile Device Management configuration for Apple devices,
reorganizing setup experience, bootstrap package, and device
configuration field organization.
* Updated filter terminology and query parameters throughout device
management interfaces, improving how users filter and navigate Apple
device settings.
* Enhanced configuration field naming conventions for better clarity and
maintainability across device management features.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [X] Added/updated automated tests
- [X] QA'd all new/changed functionality manually
---
Manual Test Plan
Prerequisites
- Fleet server with MDM enabled (macOS at minimum)
- At least one macOS host enrolled in Fleet MDM
- A team configured with setup experience settings
---
1. Manage Hosts — Filters
- [X] macOS settings filter:
- Go to Hosts > Manage Hosts
- Filter by macOS settings status (e.g. Pending, Verified, Failed)
- Verify the filter applies and hosts list updates
- Check that the URL contains apple_settings=<status>
- Copy the URL, paste it in a new tab — verify the filter is still
applied
- Manually edit the URL to use macos_settings=<status> instead — verify
it still works (backward compat)
- Clear the filter pill — verify both apple_settings and macos_settings
are removed from the URL
- [X] Bootstrap package filter:
- Filter by bootstrap package status
- Verify the URL contains macos_bootstrap_package=<status>
- Manually edit the URL to use bootstrap_package=<status> — verify it
still works
- Clear the filter pill — verify both params are removed
---
2. Setup Experience (Controls Page)
- [X] Bootstrap package:
- Go to Controls > Setup experience for a team
- Upload a bootstrap package — verify it appears in the table
- Toggle the "manual agent install" advanced option on/off — verify it
saves
- Delete the bootstrap package — verify it's removed
- In the bootstrap package table, click "View all hosts" link for a
status row — verify it navigates to Manage Hosts with
macos_bootstrap_package in the URL
- [X] End user authentication:
- Toggle end user authentication on/off for a team and for "No team"
- Verify the toggle reflects the saved state after page reload
- [X] Setup assistant:
- Upload a setup assistant profile
- Verify the "release device manually" toggle works for both a team and
"No team"
- [X] Install software:
- Verify the "require all software" checkbox reflects the correct saved
state for both team and "No team"
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#42047
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] QA'd all new/changed functionality manually
For unreleased bug fixes in a release candidate, one of:
This pull request adds support for the "Google Credential Provider for
Windows" application to the maintained apps system, including its
metadata, installation logic, and user interface icon. The changes
ensure that the app is properly recognized, categorized, and visually
represented in the frontend.
**New application support:**
- Added metadata for "Google Credential Provider for Windows" in
`winget` input, including identifiers, architecture, installer type, and
default category.
- Added output configuration for the app, specifying version, detection
query, installer/uninstaller scripts, installer URL, and SHA256 hash.
- Registered the app in the main `apps.json` output with a description
and platform information.
**Frontend/UI updates:**
- Added a new React SVG icon component for "Google Credential Provider
for Windows" in the software page.
- Registered the new icon in the icons index and mapped the app name to
the icon in the `SOFTWARE_NAME_TO_ICON_MAP`.
[[1]](diffhunk://#diff-628095892e1d16090be1db6cc1a5c9cebc65248c32a8b1312385394818f2907bR13)
[[2]](diffhunk://#diff-628095892e1d16090be1db6cc1a5c9cebc65248c32a8b1312385394818f2907bR317)
- @noahtalerman: "at" is more accurate than "by" because my
understanding is that the password will never be rotated before the
shown time. That's when the command goes out.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#41541, #42293
- [x] Changes file added for user-visible changes in `changes/`
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#33418 (this OS update change is unrelated
to the bigger Windows delete part of the story)
<img width="598" height="438" alt="image"
src="https://github.com/user-attachments/assets/7dca50c6-5ca4-4c54-b57f-c98dda5fb4d1"
/>
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Windows update deadline and grace period settings can now be cleared,
allowing removal of update enforcement policies.
* **Bug Fixes**
* Updated validation logic to properly handle empty deadline and grace
period fields.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#42311
- Fixes ID collision on Users table (causing users to not be rendered
when an existing user's ID matches an invited user's ID).
- Fixes total users count.
- Fixes `isResettingCurrentUser` check.
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] QA'd all new/changed functionality manually
#### Before
- ID collision caused the admin user to not be rendered on the table
(see the user with Invite pending which has id=1 as the admin does).
- Notice that we have a total of 3 users counting the response from
`users` and `invites` endpoints.
<img width="2557" height="477" alt="Screenshot 2026-03-25 at 2 46 31 PM"
src="https://github.com/user-attachments/assets/833b07f5-a0ce-4f15-94bf-79040bd03dba"
/>
<img width="2555" height="722" alt="Screenshot 2026-03-25 at 2 46 26 PM"
src="https://github.com/user-attachments/assets/5707ab37-b060-40b4-913f-864b2254076d"
/>
#### After
- All users showing.
- Updated count to reflect the sum of users + invited users above the
table.
<img width="1358" height="432" alt="Screenshot 2026-03-25 at 2 53 24 PM"
src="https://github.com/user-attachments/assets/2a995e78-0ae8-4846-a8b1-b35edd61cb02"
/>
## Summary
- Remove incorrect `color: $ui-fleet-black-75` override on `h2` elements
in the Windows automatic enrollment page
(`/settings/integrations/automatic-enrollment/windows`)
- Section headings ("MDM URLs", "Entra tenants") now inherit the global
heading color (`$core-fleet-black` / `#192147`) instead of the muted
body text color (`$ui-fleet-black-75` / `#515774`)
- This aligns the Windows page with the `SectionHeader` component
pattern and all other MDM settings pages in the Fleet UI
## Details
The `_styles.scss` for the Windows automatic enrollment page had an
explicit `color: $ui-fleet-black-75` on `h2` elements, which overrode
the global heading color set in `_global.scss` (`h1, h2, h3 { color:
$core-fleet-black; }`). This made the section headings appear in the
subdued gray color meant for body text rather than the darker color used
for all other headings across the settings UI.
### Changes
-
`frontend/pages/admin/IntegrationsPage/cards/MdmSettings/WindowsAutomaticEnrollmentPage/_styles.scss`:
Removed `color: $ui-fleet-black-75` from `h2` rule
Built for
[Mel](https://fleetdm.slack.com/archives/D0AKX7DJFCN/p1773759260523069)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#29657
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
This commit introduces support for Python (.py) scripts on macOS and
Linux, including validation for Python shebangs and updates to
documentation, UI, error messages, and backend validation logic. It also
updates tests and file upload handling to recognize and properly process
Python scripts alongside existing shell (.sh) and PowerShell (.ps1)
scripts.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves #
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [ ] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [ ] QA'd all new/changed functionality manually
For unreleased bug fixes in a release candidate, one of:
- [ ] Confirmed that the fix is not expected to adversely impact load
test results
- [ ] Alerted the release DRI if additional load testing is needed
## Database migrations
- [ ] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [ ] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [ ] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
## New Fleet configuration settings
- [ ] Setting(s) is/are explicitly excluded from GitOps
If you didn't check the box above, follow this checklist for
GitOps-enabled settings:
- [ ] Verified that the setting is exported via `fleetctl
generate-gitops`
- [ ] Verified the setting is documented in a separate PR to [the GitOps
documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485)
- [ ] Verified that the setting is cleared on the server if it is not
supplied in a YAML file (or that it is documented as being optional)
- [ ] Verified that any relevant UI is disabled when GitOps mode is
enabled
## fleetd/orbit/Fleet Desktop
- [ ] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [ ] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [ ] Verified that fleetd runs on macOS, Linux and Windows
- [ ] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
---------
Co-authored-by: Jordan Montgomery <elijah.jordan.montgomery@gmail.com>
Co-authored-by: melpike <79950145+melpike@users.noreply.github.com>
Co-authored-by: jkatz01 <yehonatankatz@gmail.com>
Co-authored-by: Jonathan Katz <44128041+jkatz01@users.noreply.github.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#41533
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [ ] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
https://github.com/user-attachments/assets/64a5f726-1e9f-4508-8726-6227813dcc77
Below I show the `Report clipped` and the `X additional results not
shown` states. For that, I manually inserted records in my DB:
```sql
-- make "clipped"
INSERT INTO query_results (query_id, host_id, last_fetched, data)
SELECT 1, t.n + 1000, NOW(), '{"fake_key": "fake_value"}'
FROM (
SELECT a.N + b.N * 10 + c.N * 100 AS n
FROM (SELECT 0 AS N UNION SELECT 1 UNION SELECT 2 UNION SELECT 3 UNION SELECT 4 UNION SELECT 5 UNION SELECT 6 UNION SELECT 7 UNION SELECT 8 UNION
SELECT 9) a,
(SELECT 0 AS N UNION SELECT 1 UNION SELECT 2 UNION SELECT 3 UNION SELECT 4 UNION SELECT 5 UNION SELECT 6 UNION SELECT 7 UNION SELECT 8 UNION
SELECT 9) b,
(SELECT 0 AS N UNION SELECT 1 UNION SELECT 2 UNION SELECT 3 UNION SELECT 4 UNION SELECT 5 UNION SELECT 6 UNION SELECT 7 UNION SELECT 8 UNION
SELECT 9) c
) t
WHERE t.n BETWEEN 1 AND 999;
-- populate extra query results
INSERT INTO query_results (query_id, host_id, last_fetched, data)
VALUES
(1, 2, NOW(), '{"pid": "9999", "version": "5.21.0"}'),
(1, 2, NOW(), '{"pid": "8888", "version": "5.20.0"}');
```
https://github.com/user-attachments/assets/8056ea4c-b042-47cf-a05f-ee9d8621252a
Pagination (manually changed to 3 items per page for testing purposes)
https://github.com/user-attachments/assets/87a97259-0821-4659-a612-c952e98a158c
## Summary
- Changed all modal "Done" dismiss/close button labels to "Close" across
48 frontend component files
- Updated instructional text in `AutoEnrollMdmModal` that referenced the
"Done" button to say "Close" instead
- Updated 7 test files to assert "Close" instead of "Done" for modal
button names
## Excluded (intentionally not changed)
- `LiveResultsHeading.tsx` — "Done" button is a page-level navigation
action, not a modal dismiss
- `AddAbmModal.tsx` — Instructional text referencing Apple Business
Manager's "Done" button
- `Calendars.tsx` — Instructional text referencing Google Calendar's
"Done" button
- `ModalFooter.stories.tsx` — Storybook demo example
Built for
[Mel](https://fleetdm.slack.com/archives/D0AKX7DJFCN/p1773674157011109?thread_ts=1773673149.649299&cid=D0AKX7DJFCN)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
---------
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
Co-authored-by: melpike <mel@fleetdm.com>
Co-authored-by: melpike <79950145+melpike@users.noreply.github.com>
## Summary
- Adds Proxyman (macOS) to the Fleet maintained apps catalog
- Input: `ee/maintained-apps/inputs/homebrew/proxyman.json`
- Output generated via ingester script
## Validation checklist
- [ ] App can be downloaded using manifest URL
- [ ] App installs successfully using manifest install script
- [ ] App exists in software inventory after install
- [ ] App uninstalls successfully using manifest uninstall script
Note: @mention #g-software Product Designer in a comment pointing to the
new icon once added.
Resolves#42185
## Summary
- Added `flatcar` and `coreos` to `HostLinuxOSs` in
`server/fleet/hosts.go`
- Added both to `HostNeitherDebNorRpmPackageOSs` (neither distro uses
deb or rpm)
- Added both to `HOST_LINUX_PLATFORMS` in
`frontend/interfaces/platform.ts`
- Added test cases in `server/fleet/hosts_test.go`
- Updated platform lists in
`docs/Contributing/product-groups/orchestration/understanding-host-vitals.md`
- Added changelog entry
## Problem
Flatcar Container Linux reports `platform=flatcar` and
`platform_like=coreos` via osquery's `os_version` table. Neither value
is in `HostLinuxOSs`, so `PlatformFromHost("flatcar")` returns `""` and
`RunsForPlatform` skips all Linux-platform-filtered detail queries.
**Symptoms:** Flatcar hosts enroll successfully, appear online, and
respond to live queries. But host details (private IP, disk space, etc.)
are never populated because the detail queries that collect this data
are never sent to the host.
## Context
Flatcar Container Linux is an immutable, container-optimized Linux
distribution (successor to CoreOS Container Linux). We deploy Fleet's
Orbit agent on Flatcar via systemd-sysext and have confirmed that all
osquery tables work correctly — the only gap was this platform string
not being recognized.
This follows the same pattern as prior platform additions: #19011
(tuxedo), #28977 (neon), #34357 (manjaro-arm).
## Changes file
- [x] Changes file added in `changes/`
## Checklist
- [x] Added/updated automated tests
- [x] Manual QA: Verified on Flatcar Container Linux 4459.2.4 with
osquery 5.21.0 and Orbit 1.53.0 — confirmed detail queries work after
patching `HostLinuxOSs` locally
- [x] No database migrations needed
- [x] No endpoint changes
- [x] No backward compatibility concerns (additive change only)
**Related issue:** Resolves#38546
This fixes a quick error message flash on the mdm settings page when
apple mdm is turned off. We have a finally fixed an issue of stale data
on the integration page getting passed down to the mdm card when turning
apple mdm off. We now invalidate the cache of the config when apple mdm
is turned off, that way we make a request to get the most recent config
which will have the up to date data for `mdm.enabled_and_configured`.
# Checklist for submitter
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#40724
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
Resolves#36312
- Validate and trim fleet names in NewTeam, ModifyTeam, and
ApplyTeamSpecs
- Trim fleet names in gitops YAML parsing (parseName)
- Disable submit button in CreateTeamModal and RenameTeamModal when name
is whitespace-only
Adds Tor Browser as a Fleet-maintained app for macOS only.
## Changes
- **macOS**: Homebrew cask `tor-browser`, DMG installer, bundle
identifier `org.torproject.torbrowser`
- Icon sourced from the official Tor Project GitHub at 128x128
- Added to `apps.json` catalog in alphabetical order
**Note:** Windows support was dropped. Tor Browser for Windows uses a
portable installer that installs to `%LOCALAPPDATA%` (not `C:\Program
Files`), which is outside the scope of what Fleet's CI validator and
Windows install validation can detect. macOS-only is the correct scope
for this app.
## Test plan
- [ ] Verify `go run cmd/maintained-apps/main.go
--slug="tor-browser/darwin"` produces valid output
- [ ] Confirm icon renders correctly in the software catalog UI
- [ ] Confirm macOS install/uninstall scripts work on a test device
## Summary
Adds [Charles Proxy](https://www.charlesproxy.com/) as a
Fleet-maintained app for macOS.
Charles is an HTTP proxy, monitor, and reverse proxy that lets
developers view all HTTP and HTTPS traffic between their machine and the
internet. It's commonly used for debugging, testing, and network
analysis.
- macOS: DMG installer via Homebrew cask `charles`, bundle ID
`com.xk72.Charles`
- Windows: Not included — the WinGet package (`XK72.Charles`) uses an
`appx` installer type, which is not supported by Fleet's winget ingester
## Test plan
- [ ] Install Charles on a macOS host via Fleet self-service and confirm
it installs to `/Applications/Charles.app`
- [ ] Confirm `SELECT 1 FROM apps WHERE bundle_identifier =
'com.xk72.Charles';` returns a result after installation
- [ ] Uninstall Charles via Fleet and confirm the app is removed
- [ ] Confirm the Charles icon appears correctly in the Fleet UI
software catalog
- [ ] Run `go run cmd/maintained-apps/main.go --slug="charles/darwin"
--debug` and confirm no errors
Adds Krita (free and open-source digital painting application) as a
Fleet Maintained App for macOS and Windows.
## Changes
- **macOS**: Homebrew cask `krita`, DMG installer, bundle ID
`org.kde.krita`
- **Windows**: WinGet `KDE.Krita`, NSIS EXE installer with custom silent
install/uninstall scripts
- Icon generated from KDE official icon (128x128 PNG), added to icon
index
- Both platforms added to `apps.json` alphabetically (after Keka, before
LastPass)
## Testing
- macOS ingester ran successfully: `go run cmd/maintained-apps/main.go
--slug="krita/darwin" --debug`
- Windows ingester ran successfully: `go run cmd/maintained-apps/main.go
--slug="krita/windows" --debug`
- Output files generated: `ee/maintained-apps/outputs/krita/darwin.json`
and `windows.json`
## Related issue
Add Krita FMA
## Summary
- Adds Arduino IDE (macOS only) as a Fleet maintained app using Homebrew
cask `arduino-ide`
- Bundle identifier: `cc.arduino.IDE2`, installer format: DMG, version
2.3.8
- Includes app icon, install/uninstall scripts, catalog entry, and icon
component
## Test plan
- [ ] Install Arduino IDE via Fleet on a macOS device and verify it
launches
- [ ] Uninstall Arduino IDE via Fleet and verify the app and user data
are removed
- [ ] Verify the Arduino IDE icon renders correctly in the software
catalog UI
- [ ] Confirm the entry appears alphabetically in the software catalog
(after Archaeology, before Asana)
Relates to #
Resloves: #41820
## Summary
- Adds `1.5rem` vertical margin to the GitOps mode info banner on the
**Software > Add Software > Custom Packages** page
- Uses an instance-level `className` prop
(`software-custom-package__gitops-banner`) and a page-scoped SCSS rule,
following existing codebase patterns for instance-specific spacing
- Does **not** modify the shared `InfoBanner` component styles
## Changes
-
`frontend/pages/SoftwarePage/SoftwareAddPage/SoftwareCustomPackage/SoftwareCustomPackage.tsx`
— Added `className` prop to the GitOps `InfoBanner` instance
-
`frontend/pages/SoftwarePage/SoftwareAddPage/SoftwareCustomPackage/_styles.scss`
— Added `&__gitops-banner` rule with `margin: 1.5rem 0`
---
Built for [Marko
Lisica](https://fleetdm.slack.com/archives/D0AFA3M07AP/p1773750050662559?thread_ts=1773749619.263099&cid=D0AFA3M07AP)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
---------
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
Co-authored-by: RachelElysia <rachel@fleetdm.com>
