<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#33418 (this OS update change is unrelated
to the bigger Windows delete part of the story)
<img width="598" height="438" alt="image"
src="https://github.com/user-attachments/assets/7dca50c6-5ca4-4c54-b57f-c98dda5fb4d1"
/>
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Windows update deadline and grace period settings can now be cleared,
allowing removal of update enforcement policies.
* **Bug Fixes**
* Updated validation logic to properly handle empty deadline and grace
period fields.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#42311
- Fixes ID collision on Users table (causing users to not be rendered
when an existing user's ID matches an invited user's ID).
- Fixes total users count.
- Fixes `isResettingCurrentUser` check.
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] QA'd all new/changed functionality manually
#### Before
- ID collision caused the admin user to not be rendered on the table
(see the user with Invite pending which has id=1 as the admin does).
- Notice that we have a total of 3 users counting the response from
`users` and `invites` endpoints.
<img width="2557" height="477" alt="Screenshot 2026-03-25 at 2 46 31 PM"
src="https://github.com/user-attachments/assets/833b07f5-a0ce-4f15-94bf-79040bd03dba"
/>
<img width="2555" height="722" alt="Screenshot 2026-03-25 at 2 46 26 PM"
src="https://github.com/user-attachments/assets/5707ab37-b060-40b4-913f-864b2254076d"
/>
#### After
- All users showing.
- Updated count to reflect the sum of users + invited users above the
table.
<img width="1358" height="432" alt="Screenshot 2026-03-25 at 2 53 24 PM"
src="https://github.com/user-attachments/assets/2a995e78-0ae8-4846-a8b1-b35edd61cb02"
/>
## Summary
- Remove incorrect `color: $ui-fleet-black-75` override on `h2` elements
in the Windows automatic enrollment page
(`/settings/integrations/automatic-enrollment/windows`)
- Section headings ("MDM URLs", "Entra tenants") now inherit the global
heading color (`$core-fleet-black` / `#192147`) instead of the muted
body text color (`$ui-fleet-black-75` / `#515774`)
- This aligns the Windows page with the `SectionHeader` component
pattern and all other MDM settings pages in the Fleet UI
## Details
The `_styles.scss` for the Windows automatic enrollment page had an
explicit `color: $ui-fleet-black-75` on `h2` elements, which overrode
the global heading color set in `_global.scss` (`h1, h2, h3 { color:
$core-fleet-black; }`). This made the section headings appear in the
subdued gray color meant for body text rather than the darker color used
for all other headings across the settings UI.
### Changes
-
`frontend/pages/admin/IntegrationsPage/cards/MdmSettings/WindowsAutomaticEnrollmentPage/_styles.scss`:
Removed `color: $ui-fleet-black-75` from `h2` rule
Built for
[Mel](https://fleetdm.slack.com/archives/D0AKX7DJFCN/p1773759260523069)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#29657
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
This commit introduces support for Python (.py) scripts on macOS and
Linux, including validation for Python shebangs and updates to
documentation, UI, error messages, and backend validation logic. It also
updates tests and file upload handling to recognize and properly process
Python scripts alongside existing shell (.sh) and PowerShell (.ps1)
scripts.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves #
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [ ] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [ ] QA'd all new/changed functionality manually
For unreleased bug fixes in a release candidate, one of:
- [ ] Confirmed that the fix is not expected to adversely impact load
test results
- [ ] Alerted the release DRI if additional load testing is needed
## Database migrations
- [ ] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [ ] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [ ] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
## New Fleet configuration settings
- [ ] Setting(s) is/are explicitly excluded from GitOps
If you didn't check the box above, follow this checklist for
GitOps-enabled settings:
- [ ] Verified that the setting is exported via `fleetctl
generate-gitops`
- [ ] Verified the setting is documented in a separate PR to [the GitOps
documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485)
- [ ] Verified that the setting is cleared on the server if it is not
supplied in a YAML file (or that it is documented as being optional)
- [ ] Verified that any relevant UI is disabled when GitOps mode is
enabled
## fleetd/orbit/Fleet Desktop
- [ ] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [ ] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [ ] Verified that fleetd runs on macOS, Linux and Windows
- [ ] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
---------
Co-authored-by: Jordan Montgomery <elijah.jordan.montgomery@gmail.com>
Co-authored-by: melpike <79950145+melpike@users.noreply.github.com>
Co-authored-by: jkatz01 <yehonatankatz@gmail.com>
Co-authored-by: Jonathan Katz <44128041+jkatz01@users.noreply.github.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#41533
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [ ] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
https://github.com/user-attachments/assets/64a5f726-1e9f-4508-8726-6227813dcc77
Below I show the `Report clipped` and the `X additional results not
shown` states. For that, I manually inserted records in my DB:
```sql
-- make "clipped"
INSERT INTO query_results (query_id, host_id, last_fetched, data)
SELECT 1, t.n + 1000, NOW(), '{"fake_key": "fake_value"}'
FROM (
SELECT a.N + b.N * 10 + c.N * 100 AS n
FROM (SELECT 0 AS N UNION SELECT 1 UNION SELECT 2 UNION SELECT 3 UNION SELECT 4 UNION SELECT 5 UNION SELECT 6 UNION SELECT 7 UNION SELECT 8 UNION
SELECT 9) a,
(SELECT 0 AS N UNION SELECT 1 UNION SELECT 2 UNION SELECT 3 UNION SELECT 4 UNION SELECT 5 UNION SELECT 6 UNION SELECT 7 UNION SELECT 8 UNION
SELECT 9) b,
(SELECT 0 AS N UNION SELECT 1 UNION SELECT 2 UNION SELECT 3 UNION SELECT 4 UNION SELECT 5 UNION SELECT 6 UNION SELECT 7 UNION SELECT 8 UNION
SELECT 9) c
) t
WHERE t.n BETWEEN 1 AND 999;
-- populate extra query results
INSERT INTO query_results (query_id, host_id, last_fetched, data)
VALUES
(1, 2, NOW(), '{"pid": "9999", "version": "5.21.0"}'),
(1, 2, NOW(), '{"pid": "8888", "version": "5.20.0"}');
```
https://github.com/user-attachments/assets/8056ea4c-b042-47cf-a05f-ee9d8621252a
Pagination (manually changed to 3 items per page for testing purposes)
https://github.com/user-attachments/assets/87a97259-0821-4659-a612-c952e98a158c
## Summary
- Changed all modal "Done" dismiss/close button labels to "Close" across
48 frontend component files
- Updated instructional text in `AutoEnrollMdmModal` that referenced the
"Done" button to say "Close" instead
- Updated 7 test files to assert "Close" instead of "Done" for modal
button names
## Excluded (intentionally not changed)
- `LiveResultsHeading.tsx` — "Done" button is a page-level navigation
action, not a modal dismiss
- `AddAbmModal.tsx` — Instructional text referencing Apple Business
Manager's "Done" button
- `Calendars.tsx` — Instructional text referencing Google Calendar's
"Done" button
- `ModalFooter.stories.tsx` — Storybook demo example
Built for
[Mel](https://fleetdm.slack.com/archives/D0AKX7DJFCN/p1773674157011109?thread_ts=1773673149.649299&cid=D0AKX7DJFCN)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
---------
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
Co-authored-by: melpike <mel@fleetdm.com>
Co-authored-by: melpike <79950145+melpike@users.noreply.github.com>
## Summary
- Adds Proxyman (macOS) to the Fleet maintained apps catalog
- Input: `ee/maintained-apps/inputs/homebrew/proxyman.json`
- Output generated via ingester script
## Validation checklist
- [ ] App can be downloaded using manifest URL
- [ ] App installs successfully using manifest install script
- [ ] App exists in software inventory after install
- [ ] App uninstalls successfully using manifest uninstall script
Note: @mention #g-software Product Designer in a comment pointing to the
new icon once added.
Resolves#42185
## Summary
- Added `flatcar` and `coreos` to `HostLinuxOSs` in
`server/fleet/hosts.go`
- Added both to `HostNeitherDebNorRpmPackageOSs` (neither distro uses
deb or rpm)
- Added both to `HOST_LINUX_PLATFORMS` in
`frontend/interfaces/platform.ts`
- Added test cases in `server/fleet/hosts_test.go`
- Updated platform lists in
`docs/Contributing/product-groups/orchestration/understanding-host-vitals.md`
- Added changelog entry
## Problem
Flatcar Container Linux reports `platform=flatcar` and
`platform_like=coreos` via osquery's `os_version` table. Neither value
is in `HostLinuxOSs`, so `PlatformFromHost("flatcar")` returns `""` and
`RunsForPlatform` skips all Linux-platform-filtered detail queries.
**Symptoms:** Flatcar hosts enroll successfully, appear online, and
respond to live queries. But host details (private IP, disk space, etc.)
are never populated because the detail queries that collect this data
are never sent to the host.
## Context
Flatcar Container Linux is an immutable, container-optimized Linux
distribution (successor to CoreOS Container Linux). We deploy Fleet's
Orbit agent on Flatcar via systemd-sysext and have confirmed that all
osquery tables work correctly — the only gap was this platform string
not being recognized.
This follows the same pattern as prior platform additions: #19011
(tuxedo), #28977 (neon), #34357 (manjaro-arm).
## Changes file
- [x] Changes file added in `changes/`
## Checklist
- [x] Added/updated automated tests
- [x] Manual QA: Verified on Flatcar Container Linux 4459.2.4 with
osquery 5.21.0 and Orbit 1.53.0 — confirmed detail queries work after
patching `HostLinuxOSs` locally
- [x] No database migrations needed
- [x] No endpoint changes
- [x] No backward compatibility concerns (additive change only)
**Related issue:** Resolves#38546
This fixes a quick error message flash on the mdm settings page when
apple mdm is turned off. We have a finally fixed an issue of stale data
on the integration page getting passed down to the mdm card when turning
apple mdm off. We now invalidate the cache of the config when apple mdm
is turned off, that way we make a request to get the most recent config
which will have the up to date data for `mdm.enabled_and_configured`.
# Checklist for submitter
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#40724
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
Resolves#36312
- Validate and trim fleet names in NewTeam, ModifyTeam, and
ApplyTeamSpecs
- Trim fleet names in gitops YAML parsing (parseName)
- Disable submit button in CreateTeamModal and RenameTeamModal when name
is whitespace-only
Adds Tor Browser as a Fleet-maintained app for macOS only.
## Changes
- **macOS**: Homebrew cask `tor-browser`, DMG installer, bundle
identifier `org.torproject.torbrowser`
- Icon sourced from the official Tor Project GitHub at 128x128
- Added to `apps.json` catalog in alphabetical order
**Note:** Windows support was dropped. Tor Browser for Windows uses a
portable installer that installs to `%LOCALAPPDATA%` (not `C:\Program
Files`), which is outside the scope of what Fleet's CI validator and
Windows install validation can detect. macOS-only is the correct scope
for this app.
## Test plan
- [ ] Verify `go run cmd/maintained-apps/main.go
--slug="tor-browser/darwin"` produces valid output
- [ ] Confirm icon renders correctly in the software catalog UI
- [ ] Confirm macOS install/uninstall scripts work on a test device
## Summary
Adds [Charles Proxy](https://www.charlesproxy.com/) as a
Fleet-maintained app for macOS.
Charles is an HTTP proxy, monitor, and reverse proxy that lets
developers view all HTTP and HTTPS traffic between their machine and the
internet. It's commonly used for debugging, testing, and network
analysis.
- macOS: DMG installer via Homebrew cask `charles`, bundle ID
`com.xk72.Charles`
- Windows: Not included — the WinGet package (`XK72.Charles`) uses an
`appx` installer type, which is not supported by Fleet's winget ingester
## Test plan
- [ ] Install Charles on a macOS host via Fleet self-service and confirm
it installs to `/Applications/Charles.app`
- [ ] Confirm `SELECT 1 FROM apps WHERE bundle_identifier =
'com.xk72.Charles';` returns a result after installation
- [ ] Uninstall Charles via Fleet and confirm the app is removed
- [ ] Confirm the Charles icon appears correctly in the Fleet UI
software catalog
- [ ] Run `go run cmd/maintained-apps/main.go --slug="charles/darwin"
--debug` and confirm no errors
Adds Krita (free and open-source digital painting application) as a
Fleet Maintained App for macOS and Windows.
## Changes
- **macOS**: Homebrew cask `krita`, DMG installer, bundle ID
`org.kde.krita`
- **Windows**: WinGet `KDE.Krita`, NSIS EXE installer with custom silent
install/uninstall scripts
- Icon generated from KDE official icon (128x128 PNG), added to icon
index
- Both platforms added to `apps.json` alphabetically (after Keka, before
LastPass)
## Testing
- macOS ingester ran successfully: `go run cmd/maintained-apps/main.go
--slug="krita/darwin" --debug`
- Windows ingester ran successfully: `go run cmd/maintained-apps/main.go
--slug="krita/windows" --debug`
- Output files generated: `ee/maintained-apps/outputs/krita/darwin.json`
and `windows.json`
## Related issue
Add Krita FMA
## Summary
- Adds Arduino IDE (macOS only) as a Fleet maintained app using Homebrew
cask `arduino-ide`
- Bundle identifier: `cc.arduino.IDE2`, installer format: DMG, version
2.3.8
- Includes app icon, install/uninstall scripts, catalog entry, and icon
component
## Test plan
- [ ] Install Arduino IDE via Fleet on a macOS device and verify it
launches
- [ ] Uninstall Arduino IDE via Fleet and verify the app and user data
are removed
- [ ] Verify the Arduino IDE icon renders correctly in the software
catalog UI
- [ ] Confirm the entry appears alphabetically in the software catalog
(after Archaeology, before Asana)
Relates to #
Resloves: #41820
## Summary
- Adds `1.5rem` vertical margin to the GitOps mode info banner on the
**Software > Add Software > Custom Packages** page
- Uses an instance-level `className` prop
(`software-custom-package__gitops-banner`) and a page-scoped SCSS rule,
following existing codebase patterns for instance-specific spacing
- Does **not** modify the shared `InfoBanner` component styles
## Changes
-
`frontend/pages/SoftwarePage/SoftwareAddPage/SoftwareCustomPackage/SoftwareCustomPackage.tsx`
— Added `className` prop to the GitOps `InfoBanner` instance
-
`frontend/pages/SoftwarePage/SoftwareAddPage/SoftwareCustomPackage/_styles.scss`
— Added `&__gitops-banner` rule with `margin: 1.5rem 0`
---
Built for [Marko
Lisica](https://fleetdm.slack.com/archives/D0AFA3M07AP/p1773750050662559?thread_ts=1773749619.263099&cid=D0AFA3M07AP)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
---------
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
Co-authored-by: RachelElysia <rachel@fleetdm.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#41742
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Fixed crashes on the "My device" page for Fleet Free instances when a
host is assigned to a team.
* Improved error handling to prevent application crashes when policy
data is unavailable.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
**Related issue:** Resolves#40138
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
Installed:
```
go install golang.org/x/tools/cmd/goimports@latest
go install golang.org/x/tools/gopls@latest
go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
```
Validated:
```
osquery> SELECT * FROM go_packages;
+---------------+---------+-----------------------------------+-----------------------------------------------------+------------+----------------------------------+
| name | version | module_path | import_path | go_version | installed_path |
+---------------+---------+-----------------------------------+-----------------------------------------------------+------------+----------------------------------+
| goimports | v0.42.0 | golang.org/x/tools | golang.org/x/tools/cmd/goimports | go1.25.5 | /Users/josh/go/bin/goimports |
| golangci-lint | v1.64.8 | github.com/golangci/golangci-lint | github.com/golangci/golangci-lint/cmd/golangci-lint | go1.25.5 | /Users/josh/go/bin/golangci-lint |
| gopls | v0.21.1 | golang.org/x/tools/gopls | golang.org/x/tools/gopls | go1.25.5 | /Users/josh/go/bin/gopls |
+---------------+---------+-----------------------------------+-----------------------------------------------------+------------+----------------------------------+
```
## fleetd/orbit/Fleet Desktop
- [x] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [x] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [x] Verified that fleetd runs on macOS, Linux and Windows
---------
Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#41652
Solution is to not pass `labels_include_any` to the payload of the PATCH
endpoint request.
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] QA'd all new/changed functionality manually
https://github.com/user-attachments/assets/7c825b92-0b03-448a-8e42-83e39a2acdf6
For unreleased bug fixes in a release candidate, one of:
- [x] Confirmed that the fix is not expected to adversely impact load
test results
- [ ] Alerted the release DRI if additional load testing is needed
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#41532
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Improved error messaging when deleting a certificate authority that is
referenced by certificate templates. Users now receive a clear,
user-friendly message instead of a generic database error.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Resolves#33714
Added alias `GET /api/v1/fleet/scripts/batch/abc-def/host_results` for
`GET /api/v1/fleet/scripts/batch/abc-def/host-results` for consistency
sake.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
This PR contains identical frontend changes to those currently in
`recovery-pw-feature` - this allows separate frontend review of the code
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#41653
<img width="810" height="597" alt="Screenshot 2026-03-13 at 8 44 23 AM"
src="https://github.com/user-attachments/assets/b5e7feff-e576-4c0d-a9ee-b2ef1a17a7ea"
/>
- [x] Changes file added for user-visible changes in `changes/`
- [x] QA'd all new/changed functionality manually
Deletes a code file that's not referenced by anything and keeps causing
me merge conflicts.
JS linter and tests pass without it, which tells you everything you need
to know 🔪
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#41391
# Details
This PR updates front-end API calls to use new URLs and API params, so
that the front end doesn't cause deprecation warnings to appear on the
server.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
n/a, should not be user-visible
## Testing
- [X] Added/updated automated tests
- [ ] QA'd all new/changed functionality manually
The biggest risk here is not that we missed a spot that still causes a
deprecation warning, but that we might inadvertently make a change that
breaks the front end, for instance by sending `fleet_id` to a function
that drops it silently and thus sends no ID to the server. Fortunately
we use TypeScript in virtually every place affected by these changes, so
the code would not compile if there were mismatches between the API
expectation and what we're sending. Still, spot checking as many places
as possible both for deprecation-warning leaks and loss of functionality
is important.
## Summary by CodeRabbit
* **Refactor**
* Updated API nomenclature across the application to use "fleets"
instead of "teams" and "reports" instead of "queries" in endpoint paths
and request/response payloads.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#40538
This is the initial iteration of CSP functionality, currently gated
behind FLEET_SERVER_ENABLE_CSP. If disabled, no CSP is served. Nonces
are still injected into pages however a dummy nonce is used and has no
effect.
With this setting turned on things break and will be addressed by mainly
frontend changes in https://github.com/fleetdm/fleet/issues/41577
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
---------
Co-authored-by: Gabriel Hernandez <ghernandez345@gmail.com>
## Issue
Closes#39983
## Description
This is so long because installation details are within 3 modals and so
all 3 had to be updated:
- SoftwareInstallDetailsModal
- Updated variables and naming for readability
- Added icons to tests
- `shouldShowInventoryVersions` will show if
`overrideFailedMessageWithInstalledMessage` (bug fix)
- SoftwareIpaInstallDetailsModal
- Updated variables and naming for readability
- Added icons to tests
- Use reusable component `IconStatusMessage`
- Added pre-4.57 "pending" case just in case to match VPP
- Override icon to success icon if
`overrideFailedMessageWithInstalledMessage || isInstalledManual` (bug
fix)
- `shouldShowInventoryVersions` will show if
`overrideFailedMessageWithInstalledMessage` (bug fix)
- VPPInstallDetailsModal
- Updated variables and naming for readability
- TODO: Create tests to add icons to
- Use reusable component `IconStatusMessage`
- Override icon to success icon if
`overrideFailedMessageWithInstalledMessage || isInstalledManual` (bug
fix)
- `shouldShowInventoryVersions` will show if
`overrideFailedMessageWithInstalledMessage` (bug fix)
## Screenshots
### BEFORE
https://github.com/user-attachments/assets/3472daef-47bd-4dbb-9ce9-afbf3d13302b
### AFTER
https://github.com/user-attachments/assets/c3212f58-6172-4437-9d60-76c42b98f451
## Testing
- [x] Added/updated automated tests
Tests already exist, ensured they still passed
- [x] QA'd all new/changed functionality manually
## Issue
Closes#41548
## Description
- Improve string util we use for matching icons
> Note: Lots of retros how this came about
## Screenshot of fix
Arc vs. Archaeology
<img width="522" height="595" alt="Screenshot 2026-03-12 at 4 42 13 PM"
src="https://github.com/user-attachments/assets/9f805678-c08a-4959-ab6a-3b29c4b1f382"
/>
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#38669 Unreleased bug/Misunderstood
requirements
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* End User Authentication and lock end-user info settings now
synchronize correctly when one is updated without explicitly setting the
other.
* Validation error messages now clearly state that end-user
authentication must be enabled before locking end-user info.
* **Tests**
* Expanded test coverage for MDM configuration handling and related
scenarios.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#40607
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#38585
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Fixed Microsoft NDES CA selection to work immediately after deleting
an existing NDES CA without requiring a page refresh.
* Added validation preventing multiple NDES CAs from being added, with a
tooltip message explaining the limitation.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Summary
- Adds Backblaze (data backup and storage service) as a new
fleet-maintained app with **macOS** support via Homebrew cask
(`backblaze`).
- Backblaze uses a manual installer (`Backblaze Installer.app`) inside a
DMG, so custom install and uninstall scripts are provided following the
same pattern as Adobe Creative Cloud.
- The install script mounts the DMG, locates `Backblaze Installer.app`,
and runs the `bzinstall_mate` binary with the `-nogui` flag for silent
installation.
- The uninstall script stops launchctl services
(`com.backblaze.bzbmenu`, `com.backblaze.bzserv`), removes app bundles,
preference pane, diagnostic reports, package data, and per-user
preferences.
### Files added/changed
| File | Description |
|------|-------------|
| `ee/maintained-apps/inputs/homebrew/backblaze.json` | macOS input
definition |
| `ee/maintained-apps/inputs/homebrew/scripts/backblaze_install.sh` |
Custom install script (DMG mount + manual installer execution) |
| `ee/maintained-apps/inputs/homebrew/scripts/backblaze_uninstall.sh` |
Custom uninstall script (launchctl cleanup + file removal) |
| `ee/maintained-apps/outputs/backblaze/darwin.json` | Generated macOS
output manifest |
| `ee/maintained-apps/outputs/apps.json` | Updated with Backblaze entry
and description |
### Windows support note
Windows support via WinGet (`Backblaze.Backblaze`) is not included in
this PR because the Backblaze package has never been successfully merged
into the [winget-pkgs
repository](https://github.com/microsoft/winget-pkgs). All submission
attempts were rejected due to the installer failing WinGet's unattended
installation validation. Windows support can be added once Backblaze is
available in winget-pkgs.
### Checklist
- [x] macOS input file follows Homebrew input schema
- [x] Custom scripts follow existing patterns (Adobe Creative Cloud)
- [x] Output manifest matches expected format
- [x] `apps.json` updated with description following sentence casing
format
- [x] Entry sorted alphabetically in `apps.json`
- [ ] Icon generation (requires macOS host with Backblaze installed)
- [ ] Validation on macOS host
---
Built for [Mitch
Francese](https://fleetdm.slack.com/archives/D0AG92RJGHY/p1773172809438909?thread_ts=1773163736.129729&cid=D0AG92RJGHY)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
---------
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
Co-authored-by: Mitch Francese <2227948+tux234@users.noreply.github.com>
## Summary
- Adds Ollama as a fleet-maintained app (FMA) with support for both
macOS and Windows platforms
- Ollama is a popular tool to get up and running with large language
models locally
## Changes
### macOS (Darwin)
- **Input**: `ee/maintained-apps/inputs/homebrew/ollama.json` — uses
Homebrew cask `ollama-app`
- **Installer format**: `zip`
- **Bundle identifier**: `com.electron.ollama`
- **Output**: `ee/maintained-apps/outputs/ollama/darwin.json` —
generated via `go run cmd/maintained-apps/main.go --slug="ollama/darwin"
--debug`
### Windows
- **Input**: `ee/maintained-apps/inputs/winget/ollama.json` — uses
WinGet package `Ollama.Ollama`
- **Installer type**: `exe` (Inno Setup)
- **Installer scope**: `user`
- **Custom scripts**: `ollama_install.ps1` and `ollama_uninstall.ps1`
with Inno Setup silent flags (`/VERYSILENT /SUPPRESSMSGBOXES
/NORESTART`)
- **Output**: `ee/maintained-apps/outputs/ollama/windows.json` —
generated via `go run cmd/maintained-apps/main.go
--slug="ollama/windows" --debug`
### App catalog
- Added Ollama entries (darwin + windows) to
`ee/maintained-apps/outputs/apps.json` with description
## Notes
- Icon generation and frontend integration (`tools/software/icons`)
still need to be done separately per the FMA contributing guide
- Category: `Developer tools`
Built for [Mitch
Francese](https://fleetdm.slack.com/archives/D0AG92RJGHY/p1773163983187599?thread_ts=1773163736.129729&cid=D0AG92RJGHY)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
---------
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
Co-authored-by: Mitch Francese <2227948+tux234@users.noreply.github.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#39781
- [x] Changes file added for user-visible changes in `changes/`
- [x] Added/updated automated tests
- [ ] QA'd all new/changed functionality manually - TODO with wip
backend work
- [x] Verified that any relevant UI is disabled when GitOps mode is
enabled
## Summary
- Adds Sequel Ace (free, open-source MySQL/MariaDB database manager for
macOS) as a fleet-maintained app
- Includes input JSON, generated output, app icon, and apps.json entry
- macOS only (zip installer format, cask: `sequel-ace`)
## Test plan
- [ ] Verify `sequel-ace/darwin` output JSON has correct installer URL
and SHA256
- [ ] Verify icon renders correctly in the software page
- [ ] Verify apps.json entry is in correct alphabetical order with
description
#41229
## Summary
- Adds Warp terminal as a Fleet maintained app for macOS (darwin)
- Uses direct CDN URL (`releases.warp.dev`) instead of Homebrew's URL
which requires `User-Agent: Homebrew` header
- Single `WarpDirectInstaller` enricher: overrides URL, sets `sha256:
no_check`, strips `.stable_` from version string
- Version: `0.2026.02.25.08.24.01` (latest stable)
## Validation checklist
- [ ] App can be downloaded using manifest URL
- [ ] App installs successfully on macOS host using manifest install
script
- [ ] App exists in software inventory after install
(`dev.warp.Warp-Stable`)
- [ ] App uninstalls successfully using manifest uninstall script
## Notes
Supersedes #37901 (branch had corrupted git history from a rewrite; this
is a clean branch off main).
**Related issue:** Resolves#39996
This adds a new flow where the user is asked to navigate and dowload the
enrollment profile in safari for ios and ipados devices.
This fixes an issue where the enrollment profile was not downloaded
correctly on browsers other than Safari.
https://github.com/user-attachments/assets/20304389-4b36-445b-9b8f-d4b9bfbff143
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Refactor**
* Simplified modal structures across multiple dialog components for
improved code maintainability.
* Enhanced modal component's flexibility to support broader content
types.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
**Related issue:** Resolves#41262
This extends the expiration date for the host auth token cookie.
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#39723
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`
- [x] Added/updated automated tests
- [ ] QA'd all new/changed functionality manually
- [x] With spoofed data
- [ ] Integrated with backend (wip)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Recovery Lock Passwords: new OS Settings card to enable/disable
enforcement and save changes.
* Host Actions: view a host's Recovery Lock password via a modal from
the host actions menu.
* Activity tracking: new activity entries for viewing, setting,
enabling, and disabling Recovery Lock passwords.
* Navigation: added a dedicated route for Passwords under OS Settings.
* **Documentation**
* Updated guidance for updating local config after an update to ensure
latest values.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
- Many users will be single-clicking the downloaded Profile from the
expanded dock - "open" is the right level of specificity.
<img width="199" height="240" alt="Screenshot 2026-03-05 at 10 35 28 AM"
src="https://github.com/user-attachments/assets/5c782753-f479-425c-9492-61e9b13fef86"
/>
- The fact that we call out that there will be a warning communicates
that it is expected, redundant to say so. Also, it looks cleaner.
<img width="829" height="413" alt="Screenshot 2026-03-05 at 10 32 59 AM"
src="https://github.com/user-attachments/assets/f4e1fff2-4391-4971-ba99-32edbf2e25f4"
/>
---------
Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#40327
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#38965
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#38593
<img width="375" height="667" alt="My device Fleet 2"
src="https://github.com/user-attachments/assets/e5db8607-761f-40e8-befb-59a0fbdd7aac"
/>
_There was no figma, so wasn't sure if the boldness and spacing is
correct, but just used default values._
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
## Summary
- Changes label text from "Run this command with the Fleet command-line
tool" to "Generate your installer with the Fleet command-line tool" —
making clear the command produces an installer package, not something
run on each host
- Adds help text to Windows (MSI), Linux (deb), and macOS (pkg) tabs:
"Run this on your admin computer, then deploy the generated package to
your hosts"
## Problem
Customer feedback: users believe they need to install both `fleetctl`
and the enrollment package on each host they're enrolling. The old copy
didn't convey that:
1. `fleetctl package` is run once on an admin machine (not on hosts)
2. The output is a deployable installer package that goes to the hosts
## Test plan
- [ ] Open the Add hosts modal on macOS, Windows, and Linux tabs
- [ ] Confirm label reads "Generate your installer with the Fleet
command-line tool"
- [ ] Confirm help text below the command reads "Run this on your admin
computer, then deploy the generated package to your hosts"
- [ ] Confirm the Advanced tab label is also updated
- [ ] Confirm plain-osquery path is unaffected (no label shown)
- [ ] Confirm ChromeOS, iOS & iPadOS, Android tabs are unaffected
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** For #41030
# Details
This PR updates front-end routes and redirects the old routes to the new
ones.
While I typically have shied away from renaming vars and constants in
this phase of the renaming work, I chose to rename the path constants
here because they're a lot less useful when they have names that don't
correspond to the paths they're representing. I did the renames using
VSCode's "Rename Symbol" feature which automatically finds and fixes any
references. I then asked Claude to verify the changes and it didn't find
any dangling references (also the code would fail to compile unless all
the new names collided with old ones).
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
n/a
## Testing
- [ ] Added/updated automated tests
no relevant tests exist
- [X] QA'd all new/changed functionality manually
## Reports (formerly Queries)
**New routes:**
- [x] /reports/manage — Reports list page
- [x] /reports/new — New report editor
- [x] /reports/new/live — New report live query
- [x] /reports/:id — Report details
- [x] /reports/:id/edit — Edit report
- [x] /reports/:id/live — Live report run
**Redirects from old routes:**
- [x] /queries → /reports
- [x] /queries/manage → /reports/manage
- [x] /queries/new → /reports/new
- [x] /queries/new/live → /reports/new/live
- [x] /queries/:id → /reports/:id
- [x] /queries/:id/edit → /reports/:id/edit
- [x] /queries/:id/live → /reports/:id/live
## Host Reports (formerly Host Queries)
**New routes:**
- [x] /hosts/:host_id/reports/:query_id — Host report results
**Redirects from old routes:**
- [ ] ~/hosts/:host_id/schedule → /hosts/:host_id/reports~ <- this is
not a real URL; removed current broken redirect
- [x] /hosts/:host_id/queries/:query_id →
/hosts/:host_id/reports/:query_id
## Fleets (formerly Teams)
**New routes:**
- [x] /settings/fleets — Fleets list page
- [x] /settings/fleets/users?fleet_id=:id — Fleet users
- [x] /settings/fleets/options?fleet_id=:id — Fleet agent options
- [x] /settings/fleets/settings?fleet_id=:id — Fleet settings
**Redirects from old routes:**
- [x] /settings/teams → /settings/fleets
- [x] /settings/teams/users → /settings/fleets/users
- [x] /settings/teams/options → /settings/fleets/options
- [x] /settings/teams/settings → /settings/fleets/settings
- [x] /settings/teams/:team_id → /settings/fleets
- [x] /settings/teams/:team_id/users → /settings/fleets
- [x] /settings/teams/:team_id/options → /settings/fleets
**Navigation & Links**
- [x] Top nav "Reports" link goes to /reports/manage
- [x] User menu team switcher navigates to
/settings/fleets/users?fleet_id=:id
- [x] Admin sidebar "Fleets" tab goes to /settings/fleets
- [x] "Create a fleet" links (user form, transfer host modal) go to
/settings/fleets
- [x] "Back to fleets" button on fleet details goes to /settings/fleets
- [x] Fleet table name links go to /settings/fleets/users?fleet_id=:id
- [x] Host details "Add query" button goes to /reports/new
- [x] Select query modal links go to /reports/new and /reports/:id/edit
- [x] Query report "full report" link goes to /reports/:id
- [x] Browser tab titles show correct names for report pages
**Query params preserved through redirects**
- [x] /queries/:id?fleet_id=1 → /reports/:id?fleet_id=1
- [x] /settings/teams/users?fleet_id=1 →
/settings/fleets/users?fleet_id=1
For unreleased bug fixes in a release candidate, one of:
- [X] Confirmed that the fix is not expected to adversely impact load
test results
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** For #41031
# Details
* Updates server-side error message about software installers to use
"fleet" instead of "team".
* Update front-end code that rewrites that error text 🤦
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
n/a
## Testing
- [X] Added/updated automated tests
- [X] QA'd all new/changed functionality manually
- [X] Saw correct error banner when trying to add a VPP app that
conflicted with an FMA
<img width="741" height="67" alt="image"
src="https://github.com/user-attachments/assets/d171097c-b165-45f8-bafb-fd6337c94cb9"
/>
- [X] Saw correct error banner when trying to add a script with the same
contents as a another script
<img width="765" height="60" alt="image"
src="https://github.com/user-attachments/assets/db02b92a-942d-448d-9062-3fca49132a94"
/>
I haven't tested all the other cases but I think these two cover them;
one uses the `CantAddSoftwareConflictMessage` constant on the server and
one uses a hard-coded message. Everything else uses the constant.
For unreleased bug fixes in a release candidate, one of:
- [X] Confirmed that the fix is not expected to adversely impact load
test results
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#36093
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
# Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
## Queries/reports
### Team user with team report (observer_can_run = true)
Created user with the following assignments:
<img width="596" height="285" alt="Screenshot 2026-03-02 at 4 58 47 PM"
src="https://github.com/user-attachments/assets/a3a8e7dd-2bfc-40f9-948c-b26b016162ae"
/>
Created report on **Workstations (canary)** fleet with
**observers_can_run = true**
<img width="1020" height="711" alt="Screenshot 2026-03-02 at 5 09 25 PM"
src="https://github.com/user-attachments/assets/58aa98c7-8cbd-4a7a-a159-f4b40a65f2c9"
/>
Logged in with newly-created user, selected the report above to run it
as a live report.
- Verified that **Servers (canary)** is disabled => user is **Observer**
on that fleet, but query belongs to **Workstations (canary)**.
- All the other fleets are enabled:
- User is **Observer+ or more** in those fleets.
- User is **Observer** in **Workstations (canary)** => enabled because
report belongs to this fleet, AND **observer_can_run = true**.
<img width="986" height="823" alt="Screenshot 2026-03-02 at 5 07 29 PM"
src="https://github.com/user-attachments/assets/b6b7aa4b-5036-46e3-8497-3a77f93a3a2c"
/>
### Global user with team report (observer_can_run = true)
- Created global Observer user.
- Accessed same report created above for **Workstations (canary)** fleet
with **observers_can_run = true**.
- Logged in with newly-created user, selected the report above to run it
as a live report.
- Verified that the only target available is **Workstations (canary)**:
<img width="1087" height="883" alt="Screenshot 2026-03-03 at 10 47
05 AM"
src="https://github.com/user-attachments/assets/9fc8d4d4-6a38-4ecb-98fe-b56b46ac4f74"
/>
### Global user with global report (observer_can_run = true)
Global Observer user can target all fleets.
<img width="1329" height="609" alt="Screenshot 2026-03-03 at 10 56
03 AM"
src="https://github.com/user-attachments/assets/059d4eb2-546f-4a19-9eee-b64dd0250bf1"
/>
<img width="981" height="818" alt="Screenshot 2026-03-03 at 10 57 50 AM"
src="https://github.com/user-attachments/assets/afa0ee58-3457-4838-a96e-dd508d924079"
/>
### Global user with global report (observer_can_run = false)
Global Observer user can't target any fleet.
<img width="691" height="574" alt="Screenshot 2026-03-03 at 10 59 57 AM"
src="https://github.com/user-attachments/assets/f328d547-ed06-4c30-ac22-5df7bb32240a"
/>
<img width="985" height="814" alt="Screenshot 2026-03-03 at 11 00 06 AM"
src="https://github.com/user-attachments/assets/bb55da11-ea3f-40c7-bd98-652880d9e8f9"
/>
## Policies
On the FE, the same component is used to display the targets for Live
Policies, so just making sure that I didn't introduce any regression.
### Global technician user, all fleets policy
Can select all fleets.
<img width="1130" height="858" alt="Screenshot 2026-03-03 at 11 13
40 AM"
src="https://github.com/user-attachments/assets/8d9d97c4-9946-4c4c-9a8a-d79c65d9cb33"
/>
### Team user with team policy
Created user:
- **Technician** on **Servers**.
- **Observer** on **Servers (canary)**.
<img width="745" height="770" alt="Screenshot 2026-03-03 at 11 18 11 AM"
src="https://github.com/user-attachments/assets/56973c34-49bb-4007-9fac-09cf5315bdff"
/>
Can only select **Servers** as a target:
<img width="999" height="754" alt="Screenshot 2026-03-03 at 11 18 56 AM"
src="https://github.com/user-attachments/assets/82d14a8f-46e1-41f5-9355-d717477c85d8"
/>
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com>
**Related issue:** Resolves#38546
This fixes an issue where the MDM section on the intergation page was
not updating properly when apple mdm was turned off
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
- [x] QA'd all new/changed functionality manually
---------
Co-authored-by: Magnus Jensen <magnus@fleetdm.com>
For #39676.
Work is mine. Diagnosis was courtesy Zed + Sonnet 4.6, which caught this
as I was iterating with it on building a test plan. Ran the prompt below
to catch any other issues:
> Find any cases where `!` as ending punctuation was added to copy since
`bf5d342`.
Will test this along with the QA for the parent issue once it's
cherry-picked.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#40789
Seems like on specific pages of server-side paginated tables, the
select-all header checkbox does not work. This happens when:
- the page has less than 20 rows (I think this is the default page size)
- AND not all the rows are selectable
`headerProps.rows` always contains all rows currently visible in the
table. Using rows also keeps the select logic consistent with the
deselect and "all selected" checks, which already used rows.
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] QA'd all new/changed functionality manually
### Before
Clicking on the table header checkbox doesn't perform any selection
https://github.com/user-attachments/assets/d5b1f2fc-1400-4f3e-a2b4-2ae6a3da65af
### After
https://github.com/user-attachments/assets/54a67707-7978-40ec-ba50-c146a67795b2
**Related issue:** Resolves#39184
show apns expiration banner for the free tier in the UI. Before it was
limited to show only for premium tier.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
- [x] QA'd all new/changed functionality manually
---------
Co-authored-by: Nico <32375741+nulmete@users.noreply.github.com>
**Related issue:** Resolves#38669
Added the ability to lock end user info on the end use auth section of
the setup experience page
<img width="468" height="372" alt="image"
src="https://github.com/user-attachments/assets/a5f4e21b-3a1e-4631-b0d4-e3d833a4484c"
/>
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#34521
# Checklist for submitter
- [x] QA'd all new/changed functionality manually
Fixed intermittent test failure in `EditLabelPage › renders the
ManualLabelForm when the label is manual` caused by redundant assertions
after async queries.
## Changes
- Removed redundant `toBeInTheDocument()` assertions after
`findByText()` calls in the manual label test
- `findByText()` already asserts element presence when it resolves;
storing the result and asserting again created a race condition
**Before:**
```typescript
const host1 = await screen.findByText("Test host #1");
expect(host1).toBeInTheDocument();
```
**After:**
```typescript
await screen.findByText("Test host #1");
```
# Checklist for submitter
- [x] QA'd all new/changed functionality manually
- [x] Added/updated automated tests
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Tests**
* Refactored test assertions to use implicit presence validation instead
of explicit checks, improving test code maintainability without
affecting functionality.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: anthropic-code-agent[bot] <242468646+Claude@users.noreply.github.com>
Co-authored-by: iansltx <472804+iansltx@users.noreply.github.com>
Co-authored-by: Ian Littman <iansltx@gmail.com>
## Issue
Closes#37828
## Description
3 followups:
- Cancel checkbox should be disabled for manual agent install
- Copy change matches Figma and not previous copy text
- Ungate from Windows MDM (released bug since September 2025 caught by
@iansltx 's thorough QA)
## Screenshots of fixes
- ungated
<img width="1377" height="629" alt="Screenshot 2026-02-27 at 4 24 09 PM"
src="https://github.com/user-attachments/assets/dc6e2a21-ff32-4ad2-aa81-de07c8d4c538"
/>
- checkbox now disabled along with rest of form
<img width="1377" height="638" alt="Screenshot 2026-02-27 at 4 24 00 PM"
src="https://github.com/user-attachments/assets/c2e8fe9e-9f4c-45e5-8934-28e0b5aa2908"
/>
## Testing
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Expedited drafting change for #38041
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
## Testing
- [x] QA'd all new/changed functionality manually
### Screenshot:
<img width="413" height="184" alt="Screenshot 2026-02-25 at 6 04 19 PM"
src="https://github.com/user-attachments/assets/50def1d7-71d4-4c18-932e-ba98f7880ab0"
/>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
This updates the functions in `App.tsx` to use the best practice and
include all deps in the dep array. This also requires some of these
functions to use `useCallback`.
**Related issue:** Resolves#39361
This fixes an issue of the overflow of the resend button off the edge of
the os settting modal table.
We've changed the syling to grow and shrink the error text and column
dynamically so that the table will always be pushed up against the right
edge and the text will grow and shrink as needed so that it wont push
the button any further right
<img width="838" height="436" alt="image"
src="https://github.com/user-attachments/assets/a5acfd44-0d77-4062-92e4-909077827fee"
/>
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
- [x] QA'd all new/changed functionality manually
**Related issue:** Resolves#40066
This allows ipados and ios devices to resend their profiles on the host
details and my device pages
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
- [x] QA'd all new/changed functionality manually
Potentially resolves#39943. (Needs to be tested; my local Fleet
instance isn't fancy enough to have Firefox addons in software
inventory, so this is just a hunch.)
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#40408
Part of the root cause for this issue is this commit:
5136d40e27
In summary, I moved the QueryClient instantiation out of AppWrapper
because it needs to be a stable reference. I realized this was necessary
when manipulating react-query's cache as part of that work.
(I was debugging react-query's cache using **getQueryData** and it was
always returning **undefined** for every entry -- that was fixed by
doing what I described just above).
When QueryClient was re-created on each AppWrapper mount,
refetchOnMount: false had no effect.. there was never cached data to
serve, so useQuery always fetched on every navigation to the host
details page.
After moving it out of AppWrapper, refetchOnMount: false works as
expected and the cached (stale) data is served instead of refetching.
The fix removes the refetchOnMount: false, refetchOnReconnect: false,
and refetchOnWindowFocus: false overrides, restoring react-query's
defaults so data is refreshed on navigation, tab focus, and reconnect.
# Checklist for submitter
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] QA'd all new/changed functionality manually
https://github.com/user-attachments/assets/fa3f90ef-46f4-4a30-acc6-2176a22e8299
For unreleased bug fixes in a release candidate, one of:
- [x] Confirmed that the fix is not expected to adversely impact load
test results
- [ ] Alerted the release DRI if additional load testing is needed
**Related issue:** Resolves#14401
# Checklist for submitter
this updates the mechanism of storing the auth token for a user that is
used for making requests and validating a user session. We change the
storage from local storage to a cookie. This allow a bit more security
and prepares for a future change where we will allow the browser to
handle setting and passing the auth token in the request.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#40366
---------
Co-authored-by: Gabriel Hernandez <ghernandez345@gmail.com>
Automated update of MIN_OSQUERY_VERSION_OPTIONS with any new osquery
release. (Note: This automatic update is the solution to issue #21431)
Co-authored-by: RachelElysia <RachelElysia@users.noreply.github.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** For #40348
# Details
This PR replaces the use of "No team" with "Unassigned" and "All teams"
with "All fleets" in appropriate checks and error messages. Specifically
it restricts using "All fleets" or "Unassigned" as team names
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
n/a
## Testing
- [X] Added/updated automated tests
- [X] QA'd all new/changed functionality manually
* tested attempting to add "no team", "all teams", "unassigned" and "all
fleets" as teams and saw appropriate error message
