Automated ingestion of latest Fleet-maintained app data.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated version information and installer resources for multiple
maintained applications, including Claude, Cursor, GitHub Desktop, Loom,
Notion, Postman, Sketch, Telegram, Visual Studio Code, WhatsApp, and
Zeplin across Windows and macOS platforms.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: allenhouchins <32207388+allenhouchins@users.noreply.github.com>
Automated ingestion of latest Fleet-maintained app data.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated Microsoft Office for macOS to version 16.108 across all
applications including Excel, OneNote, PowerPoint, and Word. All
applications now include new installer packages with updated security
checksums and enhanced installation verification mechanisms. These
updates preserve existing functionality and maintain system
compatibility while ensuring proper installation integrity and security
standards.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: mostlikelee <16102903+mostlikelee@users.noreply.github.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#42600
Unreleased bug:
https://github.com/fleetdm/fleet/issues/42600#issuecomment-4220428519
# Checklist for submitter
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
For unreleased bug fixes in a release candidate, one of:
- [x] Confirmed that the fix is not expected to adversely impact load
test results
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Re-enrolling devices now fully reset certificate templates: templates
return to pending (install retained), retry counts and delivery metadata
are cleared to avoid stale state.
* **Behavior**
* Re-enrollment explicitly deletes prior device certificate entries
before creating fresh pending templates to prevent duplicates and stale
data.
* **Tests**
* Added tests covering Android re-enrollment to verify templates are
recreated and metadata is cleared.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#43462
During review, Hide whitespace.
Fixed Android agent to retry DNS resolution failures when waking from
Doze mode, and to defer remaining certificates in a batch to the next
enrollment cycle when a DNS failure persists.
The fix does not eliminates DNS errors from the logs, it just handles
them better.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Improved DNS resilience: automatic retries with backoff for DNS
resolution failures (e.g., after device sleep), upfront validation of
the configured server URL, and clearer failure reporting when retries
are exhausted.
* Certificate enrollment aborts a batch on terminal DNS failures and
defers remaining certificates until connectivity is restored.
* **Tests**
* Added a unit test validating batch abort behavior on DNS resolution
failure.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Summary
- Adds a new "Why Claude Teams?" section to the "Why this way?" handbook
page explaining why Fleet uses the Claude Team plan with automatic
overages instead of individual Max ($200/month) plans.
- Covers the $100/month engineering tier, 5-hour usage reset windows,
automatic overages for uninterrupted work, cost savings vs Max plans,
and the 150-employee threshold for moving to Enterprise.
Built for [Luke
Heath](https://fleetdm.slack.com/archives/C09861YJUJ2/p1776106266096629?thread_ts=1776102426.771259&cid=C09861YJUJ2)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
---------
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
Co-authored-by: Luke Heath <luke@fleetdm.com>
Automated ingestion of latest Fleet-maintained app data.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated managed-app metadata for Claude desktop to version 1.2581.0
* Updated managed-app metadata for Connect Fonts to version 28.1.1
* Updated managed-app metadata for Dropbox to version 248.4.3576
* Updated version detection and installer references for each
application to ensure proper deployment compatibility
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: allenhouchins <32207388+allenhouchins@users.noreply.github.com>
Register iMazing Profile Editor as a Fleet-maintained app: add input
metadata, add app entry to outputs/apps.json, and add darwin-specific
version/installer info with install/uninstall scripts and checks. Update
frontend icon mapping to include the human-readable name, and adjust
fleet configs (workstations self-service slug, dynamic label bundle
identifier, and macOS patch policy) to reference the new
imazing-profile-editor/darwin slug and
com.DigiDNA.iMazingProfileEditorMac bundle ID.
Changes:
- Removed the `resolution` attribute from the two policies added in
#43415 to fix the website's failing deploy workflow
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Removed resolution information from two Linux policies in the standard
query library: "Ubuntu GNOME password policy" and "Ubuntu GNOME lock
screen after 5 minutes."
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Replace the fleet-maintained app record for "iMazing Profile Editor"
with the full "iMazing" app. Deleted the old input file and added a new
input for imazing; renamed output paths and updated app metadata (bundle
identifier, slug, categories). Bumped version to 3.5.2 and updated
installer URL, install/uninstall script refs and SHA256. Updated
frontend icon mapping and website routes to point to the new imazing
slug, and adjusted fleet configs: workstation software slug, dynamic
label query, and macOS patch policy to reference imazing/darwin and the
new bundle identifier.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* iMazing application (v3.5.2) now replaces iMazing Profile Editor with
improved capabilities and enhanced functionality.
* Application category updated from Developer tools to Utilities for
better organization and discoverability.
* **Updates**
* Updated deployment configurations, system routes, and management
policies to support iMazing across all managed environments and
platforms.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Automated ingestion of latest Fleet-maintained app data.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated Microsoft Outlook macOS application support to version 16.108
* Refined Thunderbird Windows detection logic for improved accuracy
* Updated Todoist macOS application support to version 9.27.1
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: allenhouchins <32207388+allenhouchins@users.noreply.github.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves #
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
- [ ] Timeouts are implemented and retries are limited to avoid infinite
loops
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [ ] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [ ] QA'd all new/changed functionality manually
For unreleased bug fixes in a release candidate, one of:
- [ ] Confirmed that the fix is not expected to adversely impact load
test results
- [ ] Alerted the release DRI if additional load testing is needed
## Database migrations
- [ ] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [ ] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [ ] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
## New Fleet configuration settings
- [ ] Setting(s) is/are explicitly excluded from GitOps
If you didn't check the box above, follow this checklist for
GitOps-enabled settings:
- [ ] Verified that the setting is exported via `fleetctl
generate-gitops`
- [ ] Verified the setting is documented in a separate PR to [the GitOps
documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485)
- [ ] Verified that the setting is cleared on the server if it is not
supplied in a YAML file (or that it is documented as being optional)
- [ ] Verified that any relevant UI is disabled when GitOps mode is
enabled
## fleetd/orbit/Fleet Desktop
- [ ] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [ ] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [ ] Verified that fleetd runs on macOS, Linux and Windows
- [ ] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves #
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
- [ ] Timeouts are implemented and retries are limited to avoid infinite
loops
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [ ] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [ ] QA'd all new/changed functionality manually
For unreleased bug fixes in a release candidate, one of:
- [ ] Confirmed that the fix is not expected to adversely impact load
test results
- [ ] Alerted the release DRI if additional load testing is needed
## Database migrations
- [ ] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [ ] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [ ] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
## New Fleet configuration settings
- [ ] Setting(s) is/are explicitly excluded from GitOps
If you didn't check the box above, follow this checklist for
GitOps-enabled settings:
- [ ] Verified that the setting is exported via `fleetctl
generate-gitops`
- [ ] Verified the setting is documented in a separate PR to [the GitOps
documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485)
- [ ] Verified that the setting is cleared on the server if it is not
supplied in a YAML file (or that it is documented as being optional)
- [ ] Verified that any relevant UI is disabled when GitOps mode is
enabled
## fleetd/orbit/Fleet Desktop
- [ ] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [ ] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [ ] Verified that fleetd runs on macOS, Linux and Windows
- [ ] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves #
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
- [ ] Timeouts are implemented and retries are limited to avoid infinite
loops
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [ ] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [ ] QA'd all new/changed functionality manually
For unreleased bug fixes in a release candidate, one of:
- [ ] Confirmed that the fix is not expected to adversely impact load
test results
- [ ] Alerted the release DRI if additional load testing is needed
## Database migrations
- [ ] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [ ] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [ ] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
## New Fleet configuration settings
- [ ] Setting(s) is/are explicitly excluded from GitOps
If you didn't check the box above, follow this checklist for
GitOps-enabled settings:
- [ ] Verified that the setting is exported via `fleetctl
generate-gitops`
- [ ] Verified the setting is documented in a separate PR to [the GitOps
documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485)
- [ ] Verified that the setting is cleared on the server if it is not
supplied in a YAML file (or that it is documented as being optional)
- [ ] Verified that any relevant UI is disabled when GitOps mode is
enabled
## fleetd/orbit/Fleet Desktop
- [ ] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [ ] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [ ] Verified that fleetd runs on macOS, Linux and Windows
- [ ] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
Changes:
- Updated the new password form and change password form on the
logged-in customer dashboard to have the same password requirements the
register form
- Updated the button styles on the 498 response page
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Strengthened password requirements: 12–48 characters, must include at
least one number and one symbol.
* More specific validation feedback for new/confirm password fields.
* **Bug Fixes**
* Modal focus behavior improved so password inputs receive focus when
opened.
* **Style**
* Primary button styling applied to password actions.
* Link hover visuals enhanced.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Add metadata and install/uninstall automation for Thunderbird on
Windows. Adds ee/maintained-apps/inputs/winget/thunderbird.json plus
PowerShell install/uninstall scripts (NSIS silent /S, install uses
/PreventRebootRequired=true; uninstall resolves registry entry for x64
en-US and appends /S). Update maintained apps outputs: register
Thunderbird in ee/maintained-apps/outputs/apps.json and add
ee/maintained-apps/outputs/thunderbird/windows.json (version 149.0.2,
installer URL and sha256, script refs). Also update frontend icon
component and app PNG asset for Thunderbird.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#43526
Adjust the name field in
ee/maintained-apps/inputs/homebrew/sourcetree.json from "SourceTree" to
"Sourcetree" to match the expected branding/casing. No other fields were
modified.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated application name formatting for consistency.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
**Related issue:**
Ref #34797
Ref #42675
## Problem
When a software installer spec has no `hash_sha256`, Fleet re-downloads
the package, re-extracts metadata, and re-upserts the DB on every GitOps
run, even if the upstream file hasn't changed. For deployments with 50+
URL-only packages across multiple teams, this wastes bandwidth and
processing time on every run.
## Solution
By default, use etags to avoid unnecessary downloads:
1. First run: Fleet downloads the package normally and stores the
server's ETag header
2. Subsequent runs: Fleet sends a conditional GET with `If-None-Match`.
If the server returns 304 Not Modified, Fleet skips the download,
metadata extraction, S3 upload, and DB upsert entirely
Opt-out with `always_download:true`, meaning packages continue to be
downloaded and re-processed on every run, same as today. No UI changes
needed.
```yaml
url: https://nvidia.gpcloudservice.com/global-protect/getmsi.esp?version=64&platform=windows
always_download: true
install_script:
path: install.ps1
```
### Why conditional GET instead of HEAD
Fleet team [analysis of 276 maintained
apps](https://github.com/fleetdm/fleet/pull/42216#issuecomment-4105430061)
showed 7 apps where HEAD requests fail (405, 403, timeout) but GET works
for all. Conditional GET eliminates that failure class: if the server
doesn't support conditional requests, it returns 200 with the full body,
same as today.
### Why opt-in
5 of 276 apps (1.8%) have stale ETags (content changes but ETag stays
the same), caused by CDN caching artifacts (CloudFront, Cloudflare,
nginx inode-based ETags). The `cache` key lets users opt in per package
for URLs where they've verified ETag behavior is correct.
Validation rejects `always_download: true` when hash_sha256` is set
## Changes
- New YAML field: `cache` (bool, package-level)
- New migration: `http_etag` VARCHAR(512) column (explicit
`utf8mb4_unicode_ci` collation) + composite index `(global_or_team_id,
url(255))` on `software_installers`
- New datastore method: `GetInstallerByTeamAndURL`
- `downloadURLFn` accepts optional `If-None-Match` header, returns 304
as `(resp, nil, nil)` with `http.NoBody`
- ETag validated per RFC 7232 (ASCII printable only, no control chars,
max 512 bytes) at both write and read time
- Cache skipped for `.ipa` packages (multi-platform extraInstallers)
- TempFileReader and HTTP response leak prevention on download retry
- Docs updated in `yaml-files.md`
## What doesn't change
- Packages with `hash_sha256`: existing hash-based skip, untouched
- FMA packages: FMA version cache, untouched
- Packages with `always_download: true`: identical to current behavior
- Fleet UI: no changes
## Test plan
Automated testing:
- [x] 16 unit tests for `validETag`
- [x] 8 unit tests for conditional GET behavior (304, 200, 403, 500,
weak ETag, S3 multipart, no ETag)
- [x] MySQL integration test for `GetInstallerByTeamAndURL`
- [x] All 23 existing `TestSoftwareInstallers` datastore tests pass
- [x] All existing service tests pass
Manual testing:
- [x] E2E: 86 packages across 6 CDN patterns, second apply shows 51
conditional hits (304)
- [x] @sgress454 used a local fileserver tool to test w/ a new instance
and dummy packages
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* ETag-based conditional downloads to skip unchanged remote installer
files.
* New always_download flag to force full re-downloads.
* **Tests**
* Added integration and unit tests covering conditional GETs, ETag
validation, retries, edge cases, and payload behavior.
* **Chores**
* Persist HTTP ETag and related metadata; DB migration and index to
speed installer lookups.
* Added installer lookup by team+URL to support conditional download
flow.
* **Bug Fix**
* Rejects using always_download together with an explicit SHA256 in
uploads.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Scott Gress <scott@fleetdm.com>
Co-authored-by: Scott Gress <scott@pigandcow.com>
Co-authored-by: Ian Littman <iansltx@gmail.com>
Changes:
- Updated fleet-vs-jamf-vs-iru-kandji-mdm-comparison.md and
fleet-vs-jumpcloud-vs-workspace-one-comparison.md to use the comparison
article template.
- Updated the styles for mobile comparison tables
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Improved comparison table display on mobile devices by allowing table
labels to wrap properly instead of staying on a single line.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Automated ingestion of latest Fleet-maintained app data.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated application version metadata for macOS: Grammarly Desktop
(1.161.1), JetBrains Toolbox (3.4.2), and Surfshark (4.27.0).
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: allenhouchins <32207388+allenhouchins@users.noreply.github.com>
Add support for Granola (Windows) including winget input,
installer/uninstaller scripts, and output metadata. Added
ee/maintained-apps/inputs/winget/granola.json plus install/uninstall
PowerShell scripts, and new
ee/maintained-apps/outputs/granola/windows.json containing version
7.128.0, installer URL and script refs (with SHA256). Also register
Granola in ee/maintained-apps/outputs/apps.json and update the frontend
icon and website app image assets for Granola.
Add a 3-part version shortener for Grammarly Desktop and register it in
the Homebrew ingester functions. Update tests to include the
grammarly-desktop case to ensure versions like "1.160.0.0" become
"1.160.0". Update the grammarly-desktop darwin output to use the
shortened version in the version field and patched query (installer_url
left pointing to the original full version). Files changed: main.go,
version_shortener.go, version_shortener_test.go, and
outputs/grammarly-desktop/darwin.json.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added Grammarly Desktop support for macOS with version normalization.
* **Tests**
* Expanded test coverage with comprehensive version shortening
scenarios.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Related to: https://github.com/fleetdm/confidential/issues/15379
Changes:
- Added two exits to the VPP metadata proxy that are used when the Apple
API returns errors. `appleApiReturnedServerError` Is returned when the
Apple API returns a 500 error, and `appleApiReturnedForbiddenResponse`
is used when the Apple API returns a 403 response.
- Updated the error handler in the VPP metadata proxy to return the body
of the logged error.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Improved Apple App Store API error handling: forbidden (403) and
server (500) responses are now distinguished and mapped to specific
error outcomes.
* Other API errors now return the API response body (not the internal
error object), and error logging text was clarified for better
diagnostics.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Two fixes to the Deploying Platform SSO with Okta and Fleet guide:
1. Clarified that `certificate_authorities` is a top-level key under
`org_settings` and not nested inside `integrations`. The guide's
example snippet showed `integrations:` in isolation, making it easy
to incorrectly nest `certificate_authorities` underneath it.
2. Added missing opening ```sql code fence in the Option 2 (Static SCEP
challenge) section. The missing fence was causing a large unformatted
block to break the article layout. Also removed a stray `);` at the
end of the query which was invalid SQL and appeared to be a
copy-paste artifact.
## Issue
Closes#42655
## Description
- Will need cherry-pick into 4.84.0 RC
- Whackamole issue that popped up when changing the overflow
- Ensured DOM/z-index has no issues + dropdown options are scrollable
## Testing
- [x] QA'd all new/changed functionality manually
ub.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Release Notes
* **Bug Fixes**
* Improved dropdown menu usability by enabling scrollable lists with
consistent height constraints, preventing menus from extending
excessively.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: Rachel Perkins <rachel@Rachels-MacBook-Pro.local>
Automated ingestion of latest Fleet-maintained app data.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated version metadata for 12 maintained applications to their
latest releases: Adobe Acrobat Reader, Blender, Claude, Cursor, Discord,
Elgato Stream Deck, NordPass, Ollama, Postman, Spotify, Sublime Merge,
and Warp, with corresponding installer URLs and checksums synchronized
across macOS and Windows platforms.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: allenhouchins <32207388+allenhouchins@users.noreply.github.com>
Add Windows support for Linear: new winget input
(ee/maintained-apps/inputs/winget/linear.json) with installer metadata
and category, plus install/uninstall PowerShell scripts. Add output
metadata (ee/maintained-apps/outputs/linear/windows.json) including a
version entry, installer URL, sha256 and script refs, and register the
app in apps.json. Update frontend icon component to reference a new PNG
and add the image asset.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#43501
Automated ingestion of latest Fleet-maintained app data.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated macOS metadata for five maintained applications: Android
Studio (2025.3.3.7), Loom (0.343.0), Signal (8.6.1), WhatsApp
(26.15.16), and Windows App (11.3.5). Each update includes refreshed
installer package references, updated integrity checksums for
verification, and revised version comparison thresholds to ensure
accurate patch status detection and proper reporting across all
supported platforms.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: mostlikelee <16102903+mostlikelee@users.noreply.github.com>
Fixes#34288.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [ ] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Setup experience cancellations now create explicit cancellation
activities for skipped/failed software and VPP app installs, plus a new
"Canceled setup experience" activity type and a from_setup_experience
flag. Activity text and host activity views now indicate "during setup
experience" when applicable.
* **Tests**
* Added and updated tests for cancellation activity creation, VPP
license-failure handling, and WasFromAutomation/from_setup_experience
behaviors.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
