<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#41742
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Fixed crashes on the "My device" page for Fleet Free instances when a
host is assigned to a team.
* Improved error handling to prevent application crashes when policy
data is unavailable.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
**Related issue:** Resolves#40138
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
Installed:
```
go install golang.org/x/tools/cmd/goimports@latest
go install golang.org/x/tools/gopls@latest
go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
```
Validated:
```
osquery> SELECT * FROM go_packages;
+---------------+---------+-----------------------------------+-----------------------------------------------------+------------+----------------------------------+
| name | version | module_path | import_path | go_version | installed_path |
+---------------+---------+-----------------------------------+-----------------------------------------------------+------------+----------------------------------+
| goimports | v0.42.0 | golang.org/x/tools | golang.org/x/tools/cmd/goimports | go1.25.5 | /Users/josh/go/bin/goimports |
| golangci-lint | v1.64.8 | github.com/golangci/golangci-lint | github.com/golangci/golangci-lint/cmd/golangci-lint | go1.25.5 | /Users/josh/go/bin/golangci-lint |
| gopls | v0.21.1 | golang.org/x/tools/gopls | golang.org/x/tools/gopls | go1.25.5 | /Users/josh/go/bin/gopls |
+---------------+---------+-----------------------------------+-----------------------------------------------------+------------+----------------------------------+
```
## fleetd/orbit/Fleet Desktop
- [x] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [x] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [x] Verified that fleetd runs on macOS, Linux and Windows
---------
Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#41652
Solution is to not pass `labels_include_any` to the payload of the PATCH
endpoint request.
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] QA'd all new/changed functionality manually
https://github.com/user-attachments/assets/7c825b92-0b03-448a-8e42-83e39a2acdf6
For unreleased bug fixes in a release candidate, one of:
- [x] Confirmed that the fix is not expected to adversely impact load
test results
- [ ] Alerted the release DRI if additional load testing is needed
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#41532
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Improved error messaging when deleting a certificate authority that is
referenced by certificate templates. Users now receive a clear,
user-friendly message instead of a generic database error.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Resolves#33714
Added alias `GET /api/v1/fleet/scripts/batch/abc-def/host_results` for
`GET /api/v1/fleet/scripts/batch/abc-def/host-results` for consistency
sake.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
This PR contains identical frontend changes to those currently in
`recovery-pw-feature` - this allows separate frontend review of the code
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#41653
<img width="810" height="597" alt="Screenshot 2026-03-13 at 8 44 23 AM"
src="https://github.com/user-attachments/assets/b5e7feff-e576-4c0d-a9ee-b2ef1a17a7ea"
/>
- [x] Changes file added for user-visible changes in `changes/`
- [x] QA'd all new/changed functionality manually
Deletes a code file that's not referenced by anything and keeps causing
me merge conflicts.
JS linter and tests pass without it, which tells you everything you need
to know 🔪
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#41391
# Details
This PR updates front-end API calls to use new URLs and API params, so
that the front end doesn't cause deprecation warnings to appear on the
server.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
n/a, should not be user-visible
## Testing
- [X] Added/updated automated tests
- [ ] QA'd all new/changed functionality manually
The biggest risk here is not that we missed a spot that still causes a
deprecation warning, but that we might inadvertently make a change that
breaks the front end, for instance by sending `fleet_id` to a function
that drops it silently and thus sends no ID to the server. Fortunately
we use TypeScript in virtually every place affected by these changes, so
the code would not compile if there were mismatches between the API
expectation and what we're sending. Still, spot checking as many places
as possible both for deprecation-warning leaks and loss of functionality
is important.
## Summary by CodeRabbit
* **Refactor**
* Updated API nomenclature across the application to use "fleets"
instead of "teams" and "reports" instead of "queries" in endpoint paths
and request/response payloads.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#40538
This is the initial iteration of CSP functionality, currently gated
behind FLEET_SERVER_ENABLE_CSP. If disabled, no CSP is served. Nonces
are still injected into pages however a dummy nonce is used and has no
effect.
With this setting turned on things break and will be addressed by mainly
frontend changes in https://github.com/fleetdm/fleet/issues/41577
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
---------
Co-authored-by: Gabriel Hernandez <ghernandez345@gmail.com>
## Issue
Closes#39983
## Description
This is so long because installation details are within 3 modals and so
all 3 had to be updated:
- SoftwareInstallDetailsModal
- Updated variables and naming for readability
- Added icons to tests
- `shouldShowInventoryVersions` will show if
`overrideFailedMessageWithInstalledMessage` (bug fix)
- SoftwareIpaInstallDetailsModal
- Updated variables and naming for readability
- Added icons to tests
- Use reusable component `IconStatusMessage`
- Added pre-4.57 "pending" case just in case to match VPP
- Override icon to success icon if
`overrideFailedMessageWithInstalledMessage || isInstalledManual` (bug
fix)
- `shouldShowInventoryVersions` will show if
`overrideFailedMessageWithInstalledMessage` (bug fix)
- VPPInstallDetailsModal
- Updated variables and naming for readability
- TODO: Create tests to add icons to
- Use reusable component `IconStatusMessage`
- Override icon to success icon if
`overrideFailedMessageWithInstalledMessage || isInstalledManual` (bug
fix)
- `shouldShowInventoryVersions` will show if
`overrideFailedMessageWithInstalledMessage` (bug fix)
## Screenshots
### BEFORE
https://github.com/user-attachments/assets/3472daef-47bd-4dbb-9ce9-afbf3d13302b
### AFTER
https://github.com/user-attachments/assets/c3212f58-6172-4437-9d60-76c42b98f451
## Testing
- [x] Added/updated automated tests
Tests already exist, ensured they still passed
- [x] QA'd all new/changed functionality manually
## Issue
Closes#41548
## Description
- Improve string util we use for matching icons
> Note: Lots of retros how this came about
## Screenshot of fix
Arc vs. Archaeology
<img width="522" height="595" alt="Screenshot 2026-03-12 at 4 42 13 PM"
src="https://github.com/user-attachments/assets/9f805678-c08a-4959-ab6a-3b29c4b1f382"
/>
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#38669 Unreleased bug/Misunderstood
requirements
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* End User Authentication and lock end-user info settings now
synchronize correctly when one is updated without explicitly setting the
other.
* Validation error messages now clearly state that end-user
authentication must be enabled before locking end-user info.
* **Tests**
* Expanded test coverage for MDM configuration handling and related
scenarios.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#40607
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#38585
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Fixed Microsoft NDES CA selection to work immediately after deleting
an existing NDES CA without requiring a page refresh.
* Added validation preventing multiple NDES CAs from being added, with a
tooltip message explaining the limitation.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Summary
- Adds Backblaze (data backup and storage service) as a new
fleet-maintained app with **macOS** support via Homebrew cask
(`backblaze`).
- Backblaze uses a manual installer (`Backblaze Installer.app`) inside a
DMG, so custom install and uninstall scripts are provided following the
same pattern as Adobe Creative Cloud.
- The install script mounts the DMG, locates `Backblaze Installer.app`,
and runs the `bzinstall_mate` binary with the `-nogui` flag for silent
installation.
- The uninstall script stops launchctl services
(`com.backblaze.bzbmenu`, `com.backblaze.bzserv`), removes app bundles,
preference pane, diagnostic reports, package data, and per-user
preferences.
### Files added/changed
| File | Description |
|------|-------------|
| `ee/maintained-apps/inputs/homebrew/backblaze.json` | macOS input
definition |
| `ee/maintained-apps/inputs/homebrew/scripts/backblaze_install.sh` |
Custom install script (DMG mount + manual installer execution) |
| `ee/maintained-apps/inputs/homebrew/scripts/backblaze_uninstall.sh` |
Custom uninstall script (launchctl cleanup + file removal) |
| `ee/maintained-apps/outputs/backblaze/darwin.json` | Generated macOS
output manifest |
| `ee/maintained-apps/outputs/apps.json` | Updated with Backblaze entry
and description |
### Windows support note
Windows support via WinGet (`Backblaze.Backblaze`) is not included in
this PR because the Backblaze package has never been successfully merged
into the [winget-pkgs
repository](https://github.com/microsoft/winget-pkgs). All submission
attempts were rejected due to the installer failing WinGet's unattended
installation validation. Windows support can be added once Backblaze is
available in winget-pkgs.
### Checklist
- [x] macOS input file follows Homebrew input schema
- [x] Custom scripts follow existing patterns (Adobe Creative Cloud)
- [x] Output manifest matches expected format
- [x] `apps.json` updated with description following sentence casing
format
- [x] Entry sorted alphabetically in `apps.json`
- [ ] Icon generation (requires macOS host with Backblaze installed)
- [ ] Validation on macOS host
---
Built for [Mitch
Francese](https://fleetdm.slack.com/archives/D0AG92RJGHY/p1773172809438909?thread_ts=1773163736.129729&cid=D0AG92RJGHY)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
---------
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
Co-authored-by: Mitch Francese <2227948+tux234@users.noreply.github.com>
## Summary
- Adds Ollama as a fleet-maintained app (FMA) with support for both
macOS and Windows platforms
- Ollama is a popular tool to get up and running with large language
models locally
## Changes
### macOS (Darwin)
- **Input**: `ee/maintained-apps/inputs/homebrew/ollama.json` — uses
Homebrew cask `ollama-app`
- **Installer format**: `zip`
- **Bundle identifier**: `com.electron.ollama`
- **Output**: `ee/maintained-apps/outputs/ollama/darwin.json` —
generated via `go run cmd/maintained-apps/main.go --slug="ollama/darwin"
--debug`
### Windows
- **Input**: `ee/maintained-apps/inputs/winget/ollama.json` — uses
WinGet package `Ollama.Ollama`
- **Installer type**: `exe` (Inno Setup)
- **Installer scope**: `user`
- **Custom scripts**: `ollama_install.ps1` and `ollama_uninstall.ps1`
with Inno Setup silent flags (`/VERYSILENT /SUPPRESSMSGBOXES
/NORESTART`)
- **Output**: `ee/maintained-apps/outputs/ollama/windows.json` —
generated via `go run cmd/maintained-apps/main.go
--slug="ollama/windows" --debug`
### App catalog
- Added Ollama entries (darwin + windows) to
`ee/maintained-apps/outputs/apps.json` with description
## Notes
- Icon generation and frontend integration (`tools/software/icons`)
still need to be done separately per the FMA contributing guide
- Category: `Developer tools`
Built for [Mitch
Francese](https://fleetdm.slack.com/archives/D0AG92RJGHY/p1773163983187599?thread_ts=1773163736.129729&cid=D0AG92RJGHY)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
---------
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
Co-authored-by: Mitch Francese <2227948+tux234@users.noreply.github.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#39781
- [x] Changes file added for user-visible changes in `changes/`
- [x] Added/updated automated tests
- [ ] QA'd all new/changed functionality manually - TODO with wip
backend work
- [x] Verified that any relevant UI is disabled when GitOps mode is
enabled
## Summary
- Adds Sequel Ace (free, open-source MySQL/MariaDB database manager for
macOS) as a fleet-maintained app
- Includes input JSON, generated output, app icon, and apps.json entry
- macOS only (zip installer format, cask: `sequel-ace`)
## Test plan
- [ ] Verify `sequel-ace/darwin` output JSON has correct installer URL
and SHA256
- [ ] Verify icon renders correctly in the software page
- [ ] Verify apps.json entry is in correct alphabetical order with
description
#41229
## Summary
- Adds Warp terminal as a Fleet maintained app for macOS (darwin)
- Uses direct CDN URL (`releases.warp.dev`) instead of Homebrew's URL
which requires `User-Agent: Homebrew` header
- Single `WarpDirectInstaller` enricher: overrides URL, sets `sha256:
no_check`, strips `.stable_` from version string
- Version: `0.2026.02.25.08.24.01` (latest stable)
## Validation checklist
- [ ] App can be downloaded using manifest URL
- [ ] App installs successfully on macOS host using manifest install
script
- [ ] App exists in software inventory after install
(`dev.warp.Warp-Stable`)
- [ ] App uninstalls successfully using manifest uninstall script
## Notes
Supersedes #37901 (branch had corrupted git history from a rewrite; this
is a clean branch off main).
**Related issue:** Resolves#39996
This adds a new flow where the user is asked to navigate and dowload the
enrollment profile in safari for ios and ipados devices.
This fixes an issue where the enrollment profile was not downloaded
correctly on browsers other than Safari.
https://github.com/user-attachments/assets/20304389-4b36-445b-9b8f-d4b9bfbff143
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Refactor**
* Simplified modal structures across multiple dialog components for
improved code maintainability.
* Enhanced modal component's flexibility to support broader content
types.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
**Related issue:** Resolves#41262
This extends the expiration date for the host auth token cookie.
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#39723
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`
- [x] Added/updated automated tests
- [ ] QA'd all new/changed functionality manually
- [x] With spoofed data
- [ ] Integrated with backend (wip)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Recovery Lock Passwords: new OS Settings card to enable/disable
enforcement and save changes.
* Host Actions: view a host's Recovery Lock password via a modal from
the host actions menu.
* Activity tracking: new activity entries for viewing, setting,
enabling, and disabling Recovery Lock passwords.
* Navigation: added a dedicated route for Passwords under OS Settings.
* **Documentation**
* Updated guidance for updating local config after an update to ensure
latest values.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
- Many users will be single-clicking the downloaded Profile from the
expanded dock - "open" is the right level of specificity.
<img width="199" height="240" alt="Screenshot 2026-03-05 at 10 35 28 AM"
src="https://github.com/user-attachments/assets/5c782753-f479-425c-9492-61e9b13fef86"
/>
- The fact that we call out that there will be a warning communicates
that it is expected, redundant to say so. Also, it looks cleaner.
<img width="829" height="413" alt="Screenshot 2026-03-05 at 10 32 59 AM"
src="https://github.com/user-attachments/assets/f4e1fff2-4391-4971-ba99-32edbf2e25f4"
/>
---------
Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#40327
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#38965
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#38593
<img width="375" height="667" alt="My device Fleet 2"
src="https://github.com/user-attachments/assets/e5db8607-761f-40e8-befb-59a0fbdd7aac"
/>
_There was no figma, so wasn't sure if the boldness and spacing is
correct, but just used default values._
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
## Summary
- Changes label text from "Run this command with the Fleet command-line
tool" to "Generate your installer with the Fleet command-line tool" —
making clear the command produces an installer package, not something
run on each host
- Adds help text to Windows (MSI), Linux (deb), and macOS (pkg) tabs:
"Run this on your admin computer, then deploy the generated package to
your hosts"
## Problem
Customer feedback: users believe they need to install both `fleetctl`
and the enrollment package on each host they're enrolling. The old copy
didn't convey that:
1. `fleetctl package` is run once on an admin machine (not on hosts)
2. The output is a deployable installer package that goes to the hosts
## Test plan
- [ ] Open the Add hosts modal on macOS, Windows, and Linux tabs
- [ ] Confirm label reads "Generate your installer with the Fleet
command-line tool"
- [ ] Confirm help text below the command reads "Run this on your admin
computer, then deploy the generated package to your hosts"
- [ ] Confirm the Advanced tab label is also updated
- [ ] Confirm plain-osquery path is unaffected (no label shown)
- [ ] Confirm ChromeOS, iOS & iPadOS, Android tabs are unaffected
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** For #41030
# Details
This PR updates front-end routes and redirects the old routes to the new
ones.
While I typically have shied away from renaming vars and constants in
this phase of the renaming work, I chose to rename the path constants
here because they're a lot less useful when they have names that don't
correspond to the paths they're representing. I did the renames using
VSCode's "Rename Symbol" feature which automatically finds and fixes any
references. I then asked Claude to verify the changes and it didn't find
any dangling references (also the code would fail to compile unless all
the new names collided with old ones).
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
n/a
## Testing
- [ ] Added/updated automated tests
no relevant tests exist
- [X] QA'd all new/changed functionality manually
## Reports (formerly Queries)
**New routes:**
- [x] /reports/manage — Reports list page
- [x] /reports/new — New report editor
- [x] /reports/new/live — New report live query
- [x] /reports/:id — Report details
- [x] /reports/:id/edit — Edit report
- [x] /reports/:id/live — Live report run
**Redirects from old routes:**
- [x] /queries → /reports
- [x] /queries/manage → /reports/manage
- [x] /queries/new → /reports/new
- [x] /queries/new/live → /reports/new/live
- [x] /queries/:id → /reports/:id
- [x] /queries/:id/edit → /reports/:id/edit
- [x] /queries/:id/live → /reports/:id/live
## Host Reports (formerly Host Queries)
**New routes:**
- [x] /hosts/:host_id/reports/:query_id — Host report results
**Redirects from old routes:**
- [ ] ~/hosts/:host_id/schedule → /hosts/:host_id/reports~ <- this is
not a real URL; removed current broken redirect
- [x] /hosts/:host_id/queries/:query_id →
/hosts/:host_id/reports/:query_id
## Fleets (formerly Teams)
**New routes:**
- [x] /settings/fleets — Fleets list page
- [x] /settings/fleets/users?fleet_id=:id — Fleet users
- [x] /settings/fleets/options?fleet_id=:id — Fleet agent options
- [x] /settings/fleets/settings?fleet_id=:id — Fleet settings
**Redirects from old routes:**
- [x] /settings/teams → /settings/fleets
- [x] /settings/teams/users → /settings/fleets/users
- [x] /settings/teams/options → /settings/fleets/options
- [x] /settings/teams/settings → /settings/fleets/settings
- [x] /settings/teams/:team_id → /settings/fleets
- [x] /settings/teams/:team_id/users → /settings/fleets
- [x] /settings/teams/:team_id/options → /settings/fleets
**Navigation & Links**
- [x] Top nav "Reports" link goes to /reports/manage
- [x] User menu team switcher navigates to
/settings/fleets/users?fleet_id=:id
- [x] Admin sidebar "Fleets" tab goes to /settings/fleets
- [x] "Create a fleet" links (user form, transfer host modal) go to
/settings/fleets
- [x] "Back to fleets" button on fleet details goes to /settings/fleets
- [x] Fleet table name links go to /settings/fleets/users?fleet_id=:id
- [x] Host details "Add query" button goes to /reports/new
- [x] Select query modal links go to /reports/new and /reports/:id/edit
- [x] Query report "full report" link goes to /reports/:id
- [x] Browser tab titles show correct names for report pages
**Query params preserved through redirects**
- [x] /queries/:id?fleet_id=1 → /reports/:id?fleet_id=1
- [x] /settings/teams/users?fleet_id=1 →
/settings/fleets/users?fleet_id=1
For unreleased bug fixes in a release candidate, one of:
- [X] Confirmed that the fix is not expected to adversely impact load
test results
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** For #41031
# Details
* Updates server-side error message about software installers to use
"fleet" instead of "team".
* Update front-end code that rewrites that error text 🤦
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
n/a
## Testing
- [X] Added/updated automated tests
- [X] QA'd all new/changed functionality manually
- [X] Saw correct error banner when trying to add a VPP app that
conflicted with an FMA
<img width="741" height="67" alt="image"
src="https://github.com/user-attachments/assets/d171097c-b165-45f8-bafb-fd6337c94cb9"
/>
- [X] Saw correct error banner when trying to add a script with the same
contents as a another script
<img width="765" height="60" alt="image"
src="https://github.com/user-attachments/assets/db02b92a-942d-448d-9062-3fca49132a94"
/>
I haven't tested all the other cases but I think these two cover them;
one uses the `CantAddSoftwareConflictMessage` constant on the server and
one uses a hard-coded message. Everything else uses the constant.
For unreleased bug fixes in a release candidate, one of:
- [X] Confirmed that the fix is not expected to adversely impact load
test results
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#36093
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
# Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
## Queries/reports
### Team user with team report (observer_can_run = true)
Created user with the following assignments:
<img width="596" height="285" alt="Screenshot 2026-03-02 at 4 58 47 PM"
src="https://github.com/user-attachments/assets/a3a8e7dd-2bfc-40f9-948c-b26b016162ae"
/>
Created report on **Workstations (canary)** fleet with
**observers_can_run = true**
<img width="1020" height="711" alt="Screenshot 2026-03-02 at 5 09 25 PM"
src="https://github.com/user-attachments/assets/58aa98c7-8cbd-4a7a-a159-f4b40a65f2c9"
/>
Logged in with newly-created user, selected the report above to run it
as a live report.
- Verified that **Servers (canary)** is disabled => user is **Observer**
on that fleet, but query belongs to **Workstations (canary)**.
- All the other fleets are enabled:
- User is **Observer+ or more** in those fleets.
- User is **Observer** in **Workstations (canary)** => enabled because
report belongs to this fleet, AND **observer_can_run = true**.
<img width="986" height="823" alt="Screenshot 2026-03-02 at 5 07 29 PM"
src="https://github.com/user-attachments/assets/b6b7aa4b-5036-46e3-8497-3a77f93a3a2c"
/>
### Global user with team report (observer_can_run = true)
- Created global Observer user.
- Accessed same report created above for **Workstations (canary)** fleet
with **observers_can_run = true**.
- Logged in with newly-created user, selected the report above to run it
as a live report.
- Verified that the only target available is **Workstations (canary)**:
<img width="1087" height="883" alt="Screenshot 2026-03-03 at 10 47
05 AM"
src="https://github.com/user-attachments/assets/9fc8d4d4-6a38-4ecb-98fe-b56b46ac4f74"
/>
### Global user with global report (observer_can_run = true)
Global Observer user can target all fleets.
<img width="1329" height="609" alt="Screenshot 2026-03-03 at 10 56
03 AM"
src="https://github.com/user-attachments/assets/059d4eb2-546f-4a19-9eee-b64dd0250bf1"
/>
<img width="981" height="818" alt="Screenshot 2026-03-03 at 10 57 50 AM"
src="https://github.com/user-attachments/assets/afa0ee58-3457-4838-a96e-dd508d924079"
/>
### Global user with global report (observer_can_run = false)
Global Observer user can't target any fleet.
<img width="691" height="574" alt="Screenshot 2026-03-03 at 10 59 57 AM"
src="https://github.com/user-attachments/assets/f328d547-ed06-4c30-ac22-5df7bb32240a"
/>
<img width="985" height="814" alt="Screenshot 2026-03-03 at 11 00 06 AM"
src="https://github.com/user-attachments/assets/bb55da11-ea3f-40c7-bd98-652880d9e8f9"
/>
## Policies
On the FE, the same component is used to display the targets for Live
Policies, so just making sure that I didn't introduce any regression.
### Global technician user, all fleets policy
Can select all fleets.
<img width="1130" height="858" alt="Screenshot 2026-03-03 at 11 13
40 AM"
src="https://github.com/user-attachments/assets/8d9d97c4-9946-4c4c-9a8a-d79c65d9cb33"
/>
### Team user with team policy
Created user:
- **Technician** on **Servers**.
- **Observer** on **Servers (canary)**.
<img width="745" height="770" alt="Screenshot 2026-03-03 at 11 18 11 AM"
src="https://github.com/user-attachments/assets/56973c34-49bb-4007-9fac-09cf5315bdff"
/>
Can only select **Servers** as a target:
<img width="999" height="754" alt="Screenshot 2026-03-03 at 11 18 56 AM"
src="https://github.com/user-attachments/assets/82d14a8f-46e1-41f5-9355-d717477c85d8"
/>
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com>
**Related issue:** Resolves#38546
This fixes an issue where the MDM section on the intergation page was
not updating properly when apple mdm was turned off
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
- [x] QA'd all new/changed functionality manually
---------
Co-authored-by: Magnus Jensen <magnus@fleetdm.com>
For #39676.
Work is mine. Diagnosis was courtesy Zed + Sonnet 4.6, which caught this
as I was iterating with it on building a test plan. Ran the prompt below
to catch any other issues:
> Find any cases where `!` as ending punctuation was added to copy since
`bf5d342`.
Will test this along with the QA for the parent issue once it's
cherry-picked.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#40789
Seems like on specific pages of server-side paginated tables, the
select-all header checkbox does not work. This happens when:
- the page has less than 20 rows (I think this is the default page size)
- AND not all the rows are selectable
`headerProps.rows` always contains all rows currently visible in the
table. Using rows also keeps the select logic consistent with the
deselect and "all selected" checks, which already used rows.
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] QA'd all new/changed functionality manually
### Before
Clicking on the table header checkbox doesn't perform any selection
https://github.com/user-attachments/assets/d5b1f2fc-1400-4f3e-a2b4-2ae6a3da65af
### After
https://github.com/user-attachments/assets/54a67707-7978-40ec-ba50-c146a67795b2
**Related issue:** Resolves#39184
show apns expiration banner for the free tier in the UI. Before it was
limited to show only for premium tier.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
- [x] QA'd all new/changed functionality manually
---------
Co-authored-by: Nico <32375741+nulmete@users.noreply.github.com>
**Related issue:** Resolves#38669
Added the ability to lock end user info on the end use auth section of
the setup experience page
<img width="468" height="372" alt="image"
src="https://github.com/user-attachments/assets/a5f4e21b-3a1e-4631-b0d4-e3d833a4484c"
/>
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#34521
# Checklist for submitter
- [x] QA'd all new/changed functionality manually
Fixed intermittent test failure in `EditLabelPage › renders the
ManualLabelForm when the label is manual` caused by redundant assertions
after async queries.
## Changes
- Removed redundant `toBeInTheDocument()` assertions after
`findByText()` calls in the manual label test
- `findByText()` already asserts element presence when it resolves;
storing the result and asserting again created a race condition
**Before:**
```typescript
const host1 = await screen.findByText("Test host #1");
expect(host1).toBeInTheDocument();
```
**After:**
```typescript
await screen.findByText("Test host #1");
```
# Checklist for submitter
- [x] QA'd all new/changed functionality manually
- [x] Added/updated automated tests
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Tests**
* Refactored test assertions to use implicit presence validation instead
of explicit checks, improving test code maintainability without
affecting functionality.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: anthropic-code-agent[bot] <242468646+Claude@users.noreply.github.com>
Co-authored-by: iansltx <472804+iansltx@users.noreply.github.com>
Co-authored-by: Ian Littman <iansltx@gmail.com>
## Issue
Closes#37828
## Description
3 followups:
- Cancel checkbox should be disabled for manual agent install
- Copy change matches Figma and not previous copy text
- Ungate from Windows MDM (released bug since September 2025 caught by
@iansltx 's thorough QA)
## Screenshots of fixes
- ungated
<img width="1377" height="629" alt="Screenshot 2026-02-27 at 4 24 09 PM"
src="https://github.com/user-attachments/assets/dc6e2a21-ff32-4ad2-aa81-de07c8d4c538"
/>
- checkbox now disabled along with rest of form
<img width="1377" height="638" alt="Screenshot 2026-02-27 at 4 24 00 PM"
src="https://github.com/user-attachments/assets/c2e8fe9e-9f4c-45e5-8934-28e0b5aa2908"
/>
## Testing
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Expedited drafting change for #38041
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
## Testing
- [x] QA'd all new/changed functionality manually
### Screenshot:
<img width="413" height="184" alt="Screenshot 2026-02-25 at 6 04 19 PM"
src="https://github.com/user-attachments/assets/50def1d7-71d4-4c18-932e-ba98f7880ab0"
/>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
This updates the functions in `App.tsx` to use the best practice and
include all deps in the dep array. This also requires some of these
functions to use `useCallback`.
**Related issue:** Resolves#39361
This fixes an issue of the overflow of the resend button off the edge of
the os settting modal table.
We've changed the syling to grow and shrink the error text and column
dynamically so that the table will always be pushed up against the right
edge and the text will grow and shrink as needed so that it wont push
the button any further right
<img width="838" height="436" alt="image"
src="https://github.com/user-attachments/assets/a5acfd44-0d77-4062-92e4-909077827fee"
/>
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
- [x] QA'd all new/changed functionality manually
**Related issue:** Resolves#40066
This allows ipados and ios devices to resend their profiles on the host
details and my device pages
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
- [x] QA'd all new/changed functionality manually
Potentially resolves#39943. (Needs to be tested; my local Fleet
instance isn't fancy enough to have Firefox addons in software
inventory, so this is just a hunch.)
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#40408
Part of the root cause for this issue is this commit:
5136d40e27
In summary, I moved the QueryClient instantiation out of AppWrapper
because it needs to be a stable reference. I realized this was necessary
when manipulating react-query's cache as part of that work.
(I was debugging react-query's cache using **getQueryData** and it was
always returning **undefined** for every entry -- that was fixed by
doing what I described just above).
When QueryClient was re-created on each AppWrapper mount,
refetchOnMount: false had no effect.. there was never cached data to
serve, so useQuery always fetched on every navigation to the host
details page.
After moving it out of AppWrapper, refetchOnMount: false works as
expected and the cached (stale) data is served instead of refetching.
The fix removes the refetchOnMount: false, refetchOnReconnect: false,
and refetchOnWindowFocus: false overrides, restoring react-query's
defaults so data is refreshed on navigation, tab focus, and reconnect.
# Checklist for submitter
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] QA'd all new/changed functionality manually
https://github.com/user-attachments/assets/fa3f90ef-46f4-4a30-acc6-2176a22e8299
For unreleased bug fixes in a release candidate, one of:
- [x] Confirmed that the fix is not expected to adversely impact load
test results
- [ ] Alerted the release DRI if additional load testing is needed
**Related issue:** Resolves#14401
# Checklist for submitter
this updates the mechanism of storing the auth token for a user that is
used for making requests and validating a user session. We change the
storage from local storage to a cookie. This allow a bit more security
and prepares for a future change where we will allow the browser to
handle setting and passing the auth token in the request.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#40366
---------
Co-authored-by: Gabriel Hernandez <ghernandez345@gmail.com>
Automated update of MIN_OSQUERY_VERSION_OPTIONS with any new osquery
release. (Note: This automatic update is the solution to issue #21431)
Co-authored-by: RachelElysia <RachelElysia@users.noreply.github.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** For #40348
# Details
This PR replaces the use of "No team" with "Unassigned" and "All teams"
with "All fleets" in appropriate checks and error messages. Specifically
it restricts using "All fleets" or "Unassigned" as team names
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
n/a
## Testing
- [X] Added/updated automated tests
- [X] QA'd all new/changed functionality manually
* tested attempting to add "no team", "all teams", "unassigned" and "all
fleets" as teams and saw appropriate error message
- **Gitops specify FMA rollback version (#39582)**
- **Fleet UI: Show versions options for FMA installers (#39583)**
- **rollback: DB and core implementation (#39650)**
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#31919
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
---------
Co-authored-by: Jonathan Katz <44128041+jkatz01@users.noreply.github.com>
Co-authored-by: RachelElysia <71795832+RachelElysia@users.noreply.github.com>
Co-authored-by: Carlo DiCelico <carlo@fleetdm.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
This isn't strictly necessary on the DUP since the type column is wider
there, but this change will handle any future cases where we have an
even longer type string without affecting current handling. No need for
a cherry-pick.
<img width="959" height="521" alt="Screenshot 2026-02-23 at 3 56 14 PM"
src="https://github.com/user-attachments/assets/f8d9b4b2-ea52-4155-a875-992ba21b3221"
/>
- [x] QA'd all new/changed functionality manually
## Issue
Closes#39699
## Description
- `display_name` is super far reaching and was not caught as needing
updates in several places by design nor dev (original ticket made me
deep dive in the code looking for more missed instances and I found
several)
Fixes:
- during setup experience, if a critical software fails, it shows the
display_name instead of the default name
- when viewing the versions modal from fleet desktop, it shows the
display_name instead of the default name as the modal title (screenshot
below)
- when getting an error message from changing the package type when
editing software, it shows the display_name instead of the default name
(screenshot below)
- ORIGINAL REQUEST: when editing auto updates for an ipados/ios
software, it shows the display_name instead of the default name
(screenshot below)
## Screenshots of fixes
<img width="1296" height="483" alt="Screenshot 2026-02-20 at 3 30 26 PM"
src="https://github.com/user-attachments/assets/d3a8659d-1fcf-4384-8670-202c5681ed72"
/>
<img width="1383" height="485" alt="Screenshot 2026-02-20 at 3 36 18 PM"
src="https://github.com/user-attachments/assets/619467dc-5d18-4edf-98ee-116558fa945e"
/>
<img width="1378" height="381" alt="Screenshot 2026-02-20 at 3 41 38 PM"
src="https://github.com/user-attachments/assets/13550024-bd61-4c09-a136-f3a237f01aaf"
/>
## Testing
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#40116
This PR also fixes a weird bug that could cause a crash on host details
page, if hosts.users array was missing
<img width="1350" height="472" alt="image"
src="https://github.com/user-attachments/assets/48aba9a3-6145-4a0c-bab0-c99c3345040a"
/>
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#34370
<img width="932" height="1152" alt="Screenshot 2026-02-20 at 8 23 49 AM"
src="https://github.com/user-attachments/assets/c7b6d0ae-a20e-4115-835d-5d5fb01c12bb"
/>
- [x] Changes file added for user-visible changes in `changes/`
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#40170
# Details
Fixes an unreleased issue where when attempting to modify a fleet enroll
secret, you get a 400 response indicating that both team_id and fleet_id
params are being sent. The request was piping the "get enroll secrets"
response back into the "modify enroll secrets"
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
n/a, unreleased bug
## Testing
- [ ] Added/updated automated tests
- [X] QA'd all new/changed functionality manually
On main: reproduced issue when attempting to add secret to a fleet
On branch: secret added successfully
For unreleased bug fixes in a release candidate, one of:
- [X] Confirmed that the fix is not expected to adversely impact load
test results
This pull request adds support for the PuTTY application (Windows) to
the maintained apps system, including metadata,
installation/uninstallation scripts, and frontend icon integration. The
changes ensure that PuTTY can be managed and visually represented in the
software catalog.
**Maintained Apps Integration:**
- Added a new input file `putty.json` with PuTTY metadata for Windows,
specifying installer details and categories.
- Generated an output file `putty/windows.json` containing version
information, install/uninstall scripts, installer URL, and SHA256 hash
for PuTTY.
- Updated the aggregated `apps.json` output to include PuTTY with its
description and unique identifier for the Windows platform.
**Frontend/Icon Integration:**
- Added a new React SVG icon component for PuTTY in `Putty.tsx`.
- Registered the PuTTY icon in the icon index and mapped it in
`SOFTWARE_NAME_TO_ICON_MAP` for display in the software catalog.
[[1]](diffhunk://#diff-628095892e1d16090be1db6cc1a5c9cebc65248c32a8b1312385394818f2907bR15)
[[2]](diffhunk://#diff-628095892e1d16090be1db6cc1a5c9cebc65248c32a8b1312385394818f2907bR412)
This pull request adds support for the LastPass password manager to the
maintained apps ecosystem, including its metadata, installation and
uninstallation scripts, and a new icon for the frontend. The changes
ensure that LastPass can be managed like other supported applications
and is visually represented in the software UI.
**LastPass app integration:**
* Added LastPass metadata to `winget` inputs, including installer
details and default categories.
* Added LastPass to the maintained apps output list (`apps.json`) with a
description for display in the UI.
* Created a new output file for LastPass (`lastpass/windows.json`)
specifying versioning, detection queries, install/uninstall scripts, and
installer hash.
**Frontend/UI updates:**
* Added a new React SVG icon component for LastPass (`LastPass.tsx`).
* Registered the LastPass icon in the software icon map so it appears in
the UI when LastPass is detected.
[[1]](diffhunk://#diff-628095892e1d16090be1db6cc1a5c9cebc65248c32a8b1312385394818f2907bR10)
[[2]](diffhunk://#diff-628095892e1d16090be1db6cc1a5c9cebc65248c32a8b1312385394818f2907bR297)
Resolves: #39251
## Changes
This PR updates the lock modal for iOS/iPadOS hosts to display the copy
which explains that host can't be unlocked if restarted, because Wi-Fi
can't be connected.
- [x] Changes are covered by tests
- [x] Manual QA for all new/changed functionality
---
Built for [Marko
Lisica](https://fleetdm.slack.com/archives/D0AFA3M07AP/p1771343829171799?thread_ts=1771342741.687709&cid=D0AFA3M07AP)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
---------
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com>
Co-authored-by: Marko Lisica <markol.lisica@gmail.com>
Co-authored-by: Jordan Montgomery <elijah.jordan.montgomery@gmail.com>
Co-authored-by: Gabriel Hernandez <ghernandez345@gmail.com>
**Related issue:** Resolves#39266
# Checklist for submitter
created UI global activities for adding and removing Microsoft Entra
tenant
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#40077
# Details
Fixes an unreleased bug where rewriting the location with `fleet_id` in
the string would not properly set the current team in the useTeamParam
hook. This is because we haven't fully switched over to `fleet_id`
internally yet, so we still need to check for `team_id` until we do.
Also updated a few lingering instances of "team" in the user-facing
text.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
n/a, unreleased bug
## Testing
- [ ] Added/updated automated tests
no tests to speak of
- [X] QA'd all new/changed functionality manually
On main branch, was able to reproduce the issue where selecting an
option from the "All software" dropdown on the Software page caused the
selected fleet to be reset. On this branch, the selected fleet was
maintained after making a selection.
For unreleased bug fixes in a release candidate, one of:
- [X] Confirmed that the fix is not expected to adversely impact load
test results
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#39260
# Details
Fixes the banner displayed when a team has no enroll secrets to match
similar, non-dismissible warning banners, and corrects the padding
between text and button in the "Add enroll secret" modal empty state.
<img width="773" height="221" alt="image"
src="https://github.com/user-attachments/assets/490f49f1-ccaa-47c7-8ba3-a7de2896d932"
/>
---
<img width="662" height="380" alt="image"
src="https://github.com/user-attachments/assets/0f73b9b8-d625-4f40-ac8d-edb71e9f2a22"
/>
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [ ] Added/updated automated tests
n/a, styling only
- [X] QA'd all new/changed functionality manually
See screenshots above
**Related issue:** Resolves#38654
# Checklist for submitter
This fixes an issue where the status name was wrapping at smaller
viewport sizes on the mdm card of the dashboard page.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
- [x] QA'd all new/changed functionality manually
Until backend updates are merged, we can't send `fleet_id` as a query
parameter in API calls. This PR reverts the code that switched to
`fleet_id` so that the front end will continue to work while we finalize
back-end changes in https://github.com/fleetdm/fleet/pull/39873.
On current main branch, switching between fleets in the dropdown on the
Hosts page does nothing (always shows Unassigned hosts). With this fix
it switches between fleets as expected.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#39794
Before –> After
<img width="2015" height="479" alt="Screenshot 2026-02-16 at 1 28 11 PM"
src="https://github.com/user-attachments/assets/5f54b3d0-94d4-4881-8364-d22398289f18"
/>
- [x] Changes file added for user-visible changes in `changes/
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#35561
<img width="647" height="655" alt="Screenshot 2026-02-13 at 4 24 57 PM"
src="https://github.com/user-attachments/assets/b191f8bb-e6b7-4f3d-8819-eccf23a408f8"
/>
- Spot checked all relevant instances of `InputField` (`type="textarea"
and `enableCopy`)
- [x] Changes file added for user-visible changes in `changes/`
- [x] QA'd all new/changed functionality manually
## Issue
Closes#38767
## Description
- Update copy and basic test of copy
- To be merged along with @mna 's BE changes for #38766
## Screenshot of change
<img width="1259" height="333" alt="Screenshot 2026-02-04 at 4 29 33 PM"
src="https://github.com/user-attachments/assets/04accd98-e57d-4ec6-a050-85bb3d8a8aef"
/>
## Testing
- [x] QA'd all new/changed functionality manually
**Related issue:** Resolves#29076
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Vulnerability webhooks are now available for free-tier users.
* **Improvements**
* Refined webhook payload display for free-tier users by removing
certain advanced vulnerability metrics.
* Updated UI text descriptions in automation management to reflect
free-tier vulnerability scanning behavior.
* Simplified permission requirements for accessing automation management
features.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#30967
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] QA'd all new/changed functionality manually
<img width="884" height="475" alt="Screenshot 2026-02-12 at 4 17 42 PM"
src="https://github.com/user-attachments/assets/169f4046-567e-455d-a6a3-8c70c4628321"
/>
---------
Co-authored-by: jacobshandling <61553566+jacobshandling@users.noreply.github.com>
Co-authored-by: Jacob Shandling <jacob@shandling.dev>
Ran `yarn upgrade` to catch things up. Seeing if tests pass, then will
add other items on top.
---------
Co-authored-by: Gabriel Hernandez <ghernandez345@gmail.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#39389 (unreleased bug)
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
## Testing
- [ ] QA'd all new/changed functionality manually
**Related issue:** Resolves#39000
<img width="1014" height="626" alt="Screenshot 2026-02-10 at 8 44 22 PM"
src="https://github.com/user-attachments/assets/9d66906f-732e-4376-83c7-24b4deda7665"
/>
- [x] Changes file added for user-visible changes in `changes/
- [x] Added/updated automated tests
- [ ] QA'd all new/changed functionality manually - TODO with [wip API
portion](https://github.com/fleetdm/fleet/issues/39004)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Fleet administrators can now control conditional access bypass on a
per-policy basis
* Added toggles to enable or disable bypass for individual policies
* Enhanced UI with tooltips displaying conditional access provider
configuration details
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Resolves#38621, #38627, and #38623.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] Added/updated automated tests
- [X] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Release Notes
* **New Features**
* Added a new premium-tier Technician role with read/write permissions
across teams, hosts, policies, queries, and configurations.
* License validation now prevents assigning premium roles on Fleet Free
editions.
* **Bug Fixes**
* Updated role-based access controls across team management pages to
properly restrict technician access.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#38880, #38881
This adds the UI updates to the enroll page to so that verious devices
can enroll after scanning the QR code.
> NOTE: still a small piece is needed to integrate with the API changes
and to ensure android devices can actually enroll with the new QR code.
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#39304 (part of #25080)
Implemented similar approach to
https://github.com/fleetdm/fleet/pull/39302, with the difference that
the list policies endpoint does not include a count, and there is a
separate endpoint. I extended the count policies endpoint to include an
`inherited_policy_count`.
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#39303 (child of #25080).
- Added `inherited_query_count` to `ListQueriesResponse` (thought of
adding a brand new endpoint just for counting, but felt like extending
the current one was good enough). In the parent task, [it was
suggested](https://github.com/fleetdm/fleet/issues/25080#issuecomment-3326071574)
to `"Depend on team list entity endpoint's count field / team entity
count endpoint for whether or not to disable the manage automations
button"`, which Rachael approved, so I went for this approach.
- The `ManageQueryAutomationsModal` now fetches its own data with
`merge_inherited = false` (meaning it only fetches non-inherited queries
only). Previously, queries were passed down as props to it, which would
not show the queries available to automate if the first page of queries
were all inherited and the second page contained queries for that team
(the user would have to navigate to the second page for the button to be
enabled).
^ The fact that the modal fetches its own data is similar behavior to
what is currently done in `Policies`. For queries, I noticed that we
would need to add pagination within the `Manage Automations` modal, but
that can be a follow-up.
<img width="2480" height="1309" alt="Screenshot 2026-02-04 at 11 48
42 AM"
src="https://github.com/user-attachments/assets/ebac79a5-a793-4708-9313-d9a697dfd7de"
/>
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] QA'd all new/changed functionality manually
https://github.com/user-attachments/assets/119f03b9-dde1-4bb9-9fee-6204b1a58879
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#38881
This adds the UI to the add host modal that allows for android fully
managed devices.
<img width="800" height="405" alt="image"
src="https://github.com/user-attachments/assets/2f86d417-ee14-456b-a06f-32c292c5e7a3"
/>
It also includes a small copy change for delete host modal
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
- [ ] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
**Related issue:** Resolves#37219
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] QA'd all new/changed functionality manually
This pull request adds support for managing the Yubico Authenticator
application on Windows. The changes introduce the necessary metadata,
installation and uninstallation scripts, and update the application
catalog to include this new platform-specific entry.
**Addition of Yubico Authenticator for Windows:**
* Added a new input file with metadata for the Windows version of Yubico
Authenticator, specifying details like package identifier, architecture,
and default categories in `yubico-authenticator.json`.
* Created an output file containing version information, installation
and uninstallation scripts, installer URL, SHA256 hash, and upgrade code
for Yubico Authenticator on Windows in
`yubico-authenticator/windows.json`.
* Updated the main application catalog (`apps.json`) to include a
Windows-specific entry for Yubico Authenticator, with appropriate slug
and description.
**Frontend icon update:**
* Updated the image data for the Yubico Authenticator icon in the
frontend component to reflect the correct or updated icon asset.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#39313
Implements [this
prioritization](https://github.com/fleetdm/fleet/issues/39313#issuecomment-3849419330)
- [x] QA'd all new/changed functionality manually
For unreleased bug fixes in a release candidate, one of:
- [x] Confirmed that the fix is not expected to adversely impact load
test results
Updated documentation, backend, frontend, and tests to set the OS update
enforcement deadline to 19:00 (7PM) local time instead of noon. This
ensures consistency across user-facing text, API docs, configuration
files, and the MDM payload.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#38834
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
---------
Co-authored-by: Magnus Jensen <magnus@fleetdm.com>
Resolves#38582
* Updated front end to prevent entraPhase state to be overwritten over and over again by useQuery + useEffect.
* Refactored UI displayed when entraPhase is in confirming state.
