<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#41815
### Changes
- Extracted patch policy creation to `pkg/patch_policy`
- Added a `patch_query` column to the `software_installers` table
- By default that column is empty, and patch policies will be generated with
the default query when it is
- On app manifest ingestion, the appropriate entry in
`software_installers` will save the override "patch" query from the
manifest in patch_query
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [x] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one host's records do not affect another)
- [ ] QA'd all new/changed functionality manually
- Relied on integration test for FMA version pinning
## Database migrations
- [x] Checked schema for all modified tables for columns that will
auto-update timestamps during migration.
- [ ] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [x] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
## Summary
- Adds `.claude/commands/fleet-gitops.md`, a new slash command
(`/fleet-gitops`) for Claude Code users working in the `it-and-security`
folder
- Mirrors the existing Kilocode skill
(`/.kilocode/skills/fleet-gitops/SKILL.md`) with the same validation
rules for osquery queries, configuration profiles
(Apple/Windows/Android), software management, DDM declarations, and CVE
remediation
- Command is explicitly invoked only — does not auto-trigger, so it has
zero impact on the engineering team's normal Claude usage
## Test plan
- [ ] Verify `/fleet-gitops` is available as a slash command in Claude
Code when opened in this repo
- [ ] Confirm the command correctly sets context for GitOps work
(queries, profiles, software, DDM)
- [ ] Confirm no change to existing engineering commands (`/review-pr`,
`/test`, `/fix-ci`, etc.)
Add documentation for the full agent release process.
Fleetd is composed of several components released through different
channels, and the handbook only linked to TUF. This adds references to
Android (Google Play), Chrome extension (Google Admin), and TUF version
tracking, with links to the relevant release guides for each.
Bumps
[github.com/nats-io/nats-server/v2](https://github.com/nats-io/nats-server)
from 2.12.3 to 2.12.6.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/nats-io/nats-server/releases">github.com/nats-io/nats-server/v2's
releases</a>.</em></p>
<blockquote>
<h2>Release v2.12.6</h2>
<h2>Changelog</h2>
<p>Refer to the <a
href="https://docs.nats.io/release-notes/whats_new/whats_new_212">2.12
Upgrade Guide</a> for backwards compatibility notes with 2.11.x.</p>
<h3>Go Version</h3>
<ul>
<li>1.25.8</li>
</ul>
<h3>Dependencies</h3>
<ul>
<li>golang.org/x/crypto v0.49.0 (<a
href="https://redirect.github.com/nats-io/nats-server/issues/7953">#7953</a>)</li>
<li>github.com/nats-io/jwt/v2 v2.8.1 (<a
href="https://redirect.github.com/nats-io/nats-server/issues/7960">#7960</a>)</li>
<li>golang.org/x/sys v0.42.0 (<a
href="https://redirect.github.com/nats-io/nats-server/issues/7923">#7923</a>)</li>
<li>golang.org/x/time v0.15.0 (<a
href="https://redirect.github.com/nats-io/nats-server/issues/7923">#7923</a>)</li>
</ul>
<h3>CVEs</h3>
<ul>
<li>Fixes CVE-2026-33216, CVE-2026-33217, CVE-2026-33215 (affecting
systems using MQTT)</li>
<li>Fixes CVE-2026-33246 (affects systems using leafnodes and service
imports)</li>
<li>Fixes CVE-2026-33218 (affects systems using leafnodes)</li>
<li>Fixes CVE-2026-33219 (affects systems using WebSockets)</li>
<li>Fixes CVE-2026-33223, CVE-2026-33222 (affects systems using
JetStream)</li>
<li>Fixes CVE-2026-33248 (affects systems using mutual TLS)</li>
<li>Fixes CVE-2026-33247 (affects systems providing credentials on the
command line)</li>
<li>Fixes CVE-2026-33249 (affects systems where client publish
permissions should be restricted)</li>
</ul>
<h3>Improved</h3>
<p>General</p>
<ul>
<li>Non-WebSocket leafnode connections can now be proxied using HTTP
CONNECT (<a
href="https://redirect.github.com/nats-io/nats-server/issues/7781">#7781</a>)</li>
<li>The <code>$SYS.REQ.USER.INFO</code> response now includes the
friendly nametag of the account and/or user if known (<a
href="https://redirect.github.com/nats-io/nats-server/issues/7973">#7973</a>)</li>
</ul>
<p>JetStream</p>
<ul>
<li>The stream peer-remove command now accepts a peer ID as well as a
server name (<a
href="https://redirect.github.com/nats-io/nats-server/issues/7952">#7952</a>)</li>
</ul>
<p>MQTT</p>
<ul>
<li>Protocol compliance has been improved, including more error handling
on invalid or malformed MQTT packets (<a
href="https://redirect.github.com/nats-io/nats-server/issues/7933">#7933</a>)</li>
</ul>
<h3>Fixed</h3>
<p>General</p>
<ul>
<li>Client connections are no longer registered after an auth callout
timeout (<a
href="https://redirect.github.com/nats-io/nats-server/issues/7932">#7932</a>)</li>
<li>Improved handling of duplicate headers</li>
<li>A correctness bug when validating relative distinguished names has
been fixed</li>
<li>Secrets are now redacted correctly in trace logging (<a
href="https://redirect.github.com/nats-io/nats-server/issues/7942">#7942</a>)</li>
</ul>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="0e0639058e"><code>0e06390</code></a>
Release v2.12.6</li>
<li><a
href="f593d279da"><code>f593d27</code></a>
Cherry-picks for 2.12.6 (<a
href="https://redirect.github.com/nats-io/nats-server/issues/61">#61</a>)</li>
<li><a
href="9f904de022"><code>9f904de</code></a>
[FIXED] Incomplete route pool on premature pong</li>
<li><a
href="b5101921e2"><code>b510192</code></a>
[FIXED] Avoid stalling read loop on leafnode
ErrMinimumVersionRequired</li>
<li><a
href="53941c24a1"><code>53941c2</code></a>
Report the account and user name in USER.INFO request</li>
<li><a
href="1ab002ab2b"><code>1ab002a</code></a>
[IMPROVED] Support HTTP proxy connection from leaf nodes also for
TCP</li>
<li><a
href="8b6408239f"><code>8b64082</code></a>
Release v2.12.6-RC.3</li>
<li><a
href="e6ab7e9541"><code>e6ab7e9</code></a>
Cherry-picks for 2.12.6-RC.3 (<a
href="https://redirect.github.com/nats-io/nats-server/issues/59">#59</a>)</li>
<li><a
href="9f4d96076c"><code>9f4d960</code></a>
Make the deduplication window actually work for deduplication for
sourcing</li>
<li><a
href="304e18402b"><code>304e184</code></a>
Remove FIXME about auth callout nonce</li>
<li>Additional commits viewable in <a
href="https://github.com/nats-io/nats-server/compare/v2.12.3...v2.12.6">compare
view</a></li>
</ul>
</details>
<br />
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts page](https://github.com/fleetdm/fleet/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [X] Added/updated automated tests
- [X] QA'd all new/changed functionality manually
---------
Co-authored-by: Juan Fernandez <juan-fdz-hawa@users.noreply.github.com>
**Related issue:** Resolves#29657
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
## Summary
- Adds a new **macOS - FileVault enabled** policy that checks whether
FileVault disk encryption is enabled on macOS devices by querying
`filevault_status` for an active status.
- Adds a new **Windows - BitLocker enabled** policy that checks whether
BitLocker disk encryption is enabled on the C: drive of Windows devices
by querying `bitlocker_info` for protection status.
- Both policies are added to the Workstations team configuration in
`workstations.yml`, placed alongside the existing disk encryption check
policies.
- Updated the resolution text for both policies to indicate that
settings should be automatically applied via MDM and to direct users to
#help-it for assistance.
- Changed resolution phrasing from "If you're still seeing this issue"
to "If you're still failing this policy" for both policies.
## Changes
| File | Change |
|------|--------|
| `it-and-security/lib/macos/policies/filevault-enabled.yml` | New
policy file for macOS FileVault check |
| `it-and-security/lib/windows/policies/bitlocker-enabled.yml` | New
policy file for Windows BitLocker check |
| `it-and-security/fleets/workstations.yml` | Added references to both
new policy files |
Built for [Allen
Houchins](https://fleetdm.slack.com/archives/D0AFASNBZMW/p1774388430297229?thread_ts=1774386241.477189&cid=D0AFASNBZMW)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
---------
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
This PR automatically updates macOS version policies, 1Password macOS
version policy, and Safari version policy for dogfood.
The changes were generated automatically by the
[dogfood-automated-policy-updates
workflow](https://github.com/fleetdm/fleet/actions/workflows/dogfood-automated-policy-updates.yml).
Co-authored-by: allenhouchins <32207388+allenhouchins@users.noreply.github.com>
## Summary
- Adds a new "Why no project management function?" section to the "Why
this way?" handbook page.
- Explains that functional managers at Fleet own the flow of work for
their teams, thinking about output like a factory and taking direct
responsibility over results.
- References Andy Grove's *High Output Management*, Eliyahu Goldratt's
*The Goal* and *The Phoenix Project* (with Audible links), and Sid
Sijbrandij's writings during his time as CEO of GitLab (with a link to
the GitLab handbook).
Built for
[mikermcneil](https://fleetdm.slack.com/archives/D0AFASLRHNU/p1774395518585529?thread_ts=1774395316.916289&cid=D0AFASLRHNU)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
---------
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
## Summary
- Updates the copy in the "See reality clearly" section of the Fleet
homepage
- Changes "Run live queries, generate reports, and export logs." to "Run
live reports, collect data, and export logs."
## Changes
**File:** `website/views/pages/homepage.ejs` (line 128)
| Before | After |
|--------|-------|
| Run live queries, generate reports, and export logs. | Run live
reports, collect data, and export logs. |
Built for
[mikermcneil](https://fleetdm.slack.com/archives/D0AFASLRHNU/p1774392594786109)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
**Related issue:** Resolves#41644
There are two cases that exist in the CPE database where this generic
logic could not be applied:
- `django` from `python_packages`:
  - `gofiber:django`
  - `djangoproject:django`
- `npm` from `npm_packages`:
  - `microsoft:npm`
  - `npmjs:npm`
These will require individual CVE overrides, which are outside the scope of
this task.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Enhanced CPE (Common Platform Enumeration) matching to reduce
non-deterministic vendor selection when multiple vendors exist for the
same software product. The algorithm now incorporates software ecosystem
information to ensure more accurate and consistent vulnerability
resolution across package types.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
**Related issue:** Resolves#41631
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one host's records do not affect another)
- [x] QA'd all new/changed functionality manually
## Summary
- Adds a new open position entry for "🚀 Customer Support Engineer
(APAC)" to `handbook/company/open-positions.yml`
- Based on the existing (commented-out) Customer Support Engineer
template, with the same department, hiring manager, OTE,
responsibilities, and experience requirements
## Changes
- `handbook/company/open-positions.yml`: Added new active position entry
for Customer Support Engineer (APAC)
---
Built for [Isabell
Reedy](https://fleetdm.slack.com/archives/D0AEGJCGJR0/p1774371863364109)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
---------
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
Co-authored-by: Isabell Reedy <113355639+ireedy@users.noreply.github.com>
## Summary
- Adds a new article covering how to use Fleet and Apple Business
Manager to enroll large numbers of MacBook Neos with zero-touch
enrollment
- References and quotes Jonny Evans' Computerworld article on MacBook
Neo as the Mac's potential "iPhone moment" in the enterprise
- Provides practical guidance for IT teams planning a large-scale
MacBook Neo rollout, including ABM setup, enrollment configuration,
GitOps workflows, and ongoing fleet management
## Changes
- New file:
`articles/enroll-macbook-neo-at-scale-with-fleet-zero-touch.md`
Built for
[mikermcneil](https://fleetdm.slack.com/archives/D0AFASLRHNU/p1774111597501669?thread_ts=1774105884.042939&cid=D0AFASLRHNU)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
---------
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
Co-authored-by: Mike Thomas <78363703+mike-j-thomas@users.noreply.github.com>
## Summary
- Updates Firefox from 148.0.2 to 149.0 (released March 23, 2026) across
the Workstations team configuration
- Updates macOS custom package download URL to Firefox 149.0
- Updates macOS and Windows version-check policies to enforce version >=
149.0
## Changes
| File | Change |
|---|---|
| `it-and-security/lib/macos/software/mozilla-firefox.yml` | Updated
package URL from 148.0.2 to 149.0 |
| `it-and-security/lib/macos/policies/update-firefox.yml` | Updated
version check from 148.0.2 to 149.0 |
| `it-and-security/lib/windows/policies/update-firefox.yml` | Updated
version check from 148.0.2 to 149.0 |
## Notes
- Firefox on Windows uses the Fleet-maintained app (`slug:
firefox/windows`), which is managed by the Fleet catalog and will
auto-update when the catalog is refreshed
- Firefox on macOS uses a custom package URL since the existing pattern
uses a `.pkg` installer
- Both macOS and Windows already have self-service enabled and
corresponding update policies with calendar event enforcement (macOS)
Built for [Allen
Houchins](https://fleetdm.slack.com/archives/D0AFASNBZMW/p1774366778146629)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
---------
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
Co-authored-by: Allen Houchins <32207388+allenhouchins@users.noreply.github.com>
**Related issue:** Fixes#42260
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
This commit introduces support for Python (.py) scripts on macOS and
Linux, including validation for Python shebangs and updates to
documentation, UI, error messages, and backend validation logic. It also
updates tests and file upload handling to recognize and properly process
Python scripts alongside existing shell (.sh) and PowerShell (.ps1)
scripts.
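The commit above mentions shebang validation for `.py` scripts but does not show the rules. The following is an added example in Go, not Fleet's implementation: the accepted extensions, the interpreter names mapped to each extension, the error values and the sample script bodies are all assumptions constructed for the illustration. It also handles two ways a shebang can look right and still fail at exec time (a UTF-8 BOM before `#!`, and a CRLF line ending that leaves `\r` glued to the interpreter name).

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Example validator for uploaded scripts; not Fleet's code. The extensions and
// interpreter names below are assumptions for the illustration.
var allowedInterpreters = map[string][]string{
	".sh": {"sh", "bash", "zsh"},
	".py": {"python", "python3"},
}

var (
	ErrUnsupportedExtension = errors.New("unsupported script extension")
	ErrMissingShebang       = errors.New("script must start with a shebang (#!) line")
	ErrInvalidShebang       = errors.New("invalid shebang line")
	ErrWrongInterpreter     = errors.New("shebang interpreter does not match the file extension")
)

// ValidateScript checks an uploaded script's name and contents.
// PowerShell (.ps1) is dispatched by extension and needs no shebang;
// .sh and .py scripts must begin with a shebang naming a matching interpreter.
func ValidateScript(name string, contents []byte) error {
	ext := strings.ToLower(filepath.Ext(name))
	if ext == ".ps1" {
		return nil
	}
	interps, ok := allowedInterpreters[ext]
	if !ok {
		return fmt.Errorf("%w: %q", ErrUnsupportedExtension, ext)
	}
	// A UTF-8 BOM in front of "#!" stops the kernel from recognising the
	// shebang, so reject it rather than silently stripping it.
	if bytes.HasPrefix(contents, []byte{0xEF, 0xBB, 0xBF}) {
		return fmt.Errorf("%w: file starts with a UTF-8 byte-order mark", ErrInvalidShebang)
	}
	first, _, _ := bytes.Cut(contents, []byte("\n"))
	if !bytes.HasPrefix(first, []byte("#!")) {
		return ErrMissingShebang
	}
	// With CRLF endings the kernel would look for "python3\r" and fail.
	if bytes.HasSuffix(first, []byte("\r")) {
		return fmt.Errorf("%w: line ends with CRLF", ErrInvalidShebang)
	}
	interp, err := shebangInterpreter(string(first))
	if err != nil {
		return err
	}
	for _, want := range interps {
		if interp == want {
			return nil
		}
	}
	return fmt.Errorf("%w: got %q for %s", ErrWrongInterpreter, interp, ext)
}

// shebangInterpreter returns the base name of the interpreter a shebang line
// names, resolving the "#!/usr/bin/env [-S] NAME" form to NAME.
func shebangInterpreter(line string) (string, error) {
	fields := strings.Fields(strings.TrimPrefix(line, "#!"))
	if len(fields) == 0 {
		return "", fmt.Errorf("%w: no interpreter after #!", ErrInvalidShebang)
	}
	if !strings.HasPrefix(fields[0], "/") {
		return "", fmt.Errorf("%w: interpreter path must be absolute", ErrInvalidShebang)
	}
	if filepath.Base(fields[0]) != "env" {
		return filepath.Base(fields[0]), nil
	}
	for _, f := range fields[1:] { // skip env options such as -S
		if !strings.HasPrefix(f, "-") {
			return f, nil
		}
	}
	return "", fmt.Errorf("%w: env without an interpreter name", ErrInvalidShebang)
}

func main() {
	// Constructed sample uploads, not real scripts from the repository.
	samples := map[string][]byte{
		"ok.py":    []byte("#!/usr/bin/env python3\nprint('hello')\n"),
		"wrong.py": []byte("#!/bin/bash\necho hello\n"),
		"crlf.py":  []byte("#!/usr/bin/env python3\r\nprint('hello')\r\n"),
		"ok.ps1":   []byte("Write-Host hello"),
	}
	for name, body := range samples {
		fmt.Printf("%s: %v\n", name, ValidateScript(name, body))
	}
}
```

The validator deliberately refuses to normalise the upload (strip a BOM, convert CRLF) because the bytes that are stored are the bytes fleetd will hand to the kernel; rejecting with a precise error is safer than repairing something the submitter did not intend.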
**Related issue:** Resolves #
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [ ] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one host's records do not affect another)
- [ ] QA'd all new/changed functionality manually
For unreleased bug fixes in a release candidate, one of:
- [ ] Confirmed that the fix is not expected to adversely impact load
test results
- [ ] Alerted the release DRI if additional load testing is needed
## Database migrations
- [ ] Checked schema for all modified tables for columns that will
auto-update timestamps during migration.
- [ ] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [ ] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
## New Fleet configuration settings
- [ ] Setting(s) is/are explicitly excluded from GitOps
If you didn't check the box above, follow this checklist for
GitOps-enabled settings:
- [ ] Verified that the setting is exported via `fleetctl
generate-gitops`
- [ ] Verified the setting is documented in a separate PR to [the GitOps
documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485)
- [ ] Verified that the setting is cleared on the server if it is not
supplied in a YAML file (or that it is documented as being optional)
- [ ] Verified that any relevant UI is disabled when GitOps mode is
enabled
## fleetd/orbit/Fleet Desktop
- [ ] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [ ] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [ ] Verified that fleetd runs on macOS, Linux and Windows
- [ ] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
---------
Co-authored-by: Jordan Montgomery <elijah.jordan.montgomery@gmail.com>
Co-authored-by: melpike <79950145+melpike@users.noreply.github.com>
Co-authored-by: jkatz01 <yehonatankatz@gmail.com>
Co-authored-by: Jonathan Katz <44128041+jkatz01@users.noreply.github.com>
**Related issue:** Resolves#40794
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one host's records do not affect another)
- [x] QA'd all new/changed functionality manually
**Related issue:** Resolves#41533
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [ ] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
https://github.com/user-attachments/assets/64a5f726-1e9f-4508-8726-6227813dcc77
Below I show the `Report clipped` and the `X additional results not
shown` states. For that, I manually inserted records in my DB:
```sql
-- make "clipped": insert 999 fake result rows for query 1 on hosts 1001..1999,
-- using a 0-999 digit cross join as a number generator (MySQL has no generate_series)
INSERT INTO query_results (query_id, host_id, last_fetched, data)
SELECT 1, t.n + 1000, NOW(), '{"fake_key": "fake_value"}'
FROM (
  SELECT a.N + b.N * 10 + c.N * 100 AS n
  FROM (SELECT 0 AS N UNION SELECT 1 UNION SELECT 2 UNION SELECT 3 UNION SELECT 4
        UNION SELECT 5 UNION SELECT 6 UNION SELECT 7 UNION SELECT 8 UNION SELECT 9) a,
       (SELECT 0 AS N UNION SELECT 1 UNION SELECT 2 UNION SELECT 3 UNION SELECT 4
        UNION SELECT 5 UNION SELECT 6 UNION SELECT 7 UNION SELECT 8 UNION SELECT 9) b,
       (SELECT 0 AS N UNION SELECT 1 UNION SELECT 2 UNION SELECT 3 UNION SELECT 4
        UNION SELECT 5 UNION SELECT 6 UNION SELECT 7 UNION SELECT 8 UNION SELECT 9) c
) t
WHERE t.n BETWEEN 1 AND 999;

-- populate extra query results: two additional rows for host 2 on query 1
INSERT INTO query_results (query_id, host_id, last_fetched, data)
VALUES
  (1, 2, NOW(), '{"pid": "9999", "version": "5.21.0"}'),
  (1, 2, NOW(), '{"pid": "8888", "version": "5.20.0"}');
```
https://github.com/user-attachments/assets/8056ea4c-b042-47cf-a05f-ee9d8621252a
Pagination (manually changed to 3 items per page for testing purposes)
https://github.com/user-attachments/assets/87a97259-0821-4659-a612-c952e98a158c
**Related issue:** For #41345
* Adds a missing comment delimiter
* Adds required `organization_name` to `apple_business_manager` section
* Adds required `location` to `volume_purchasing_program` section
* Adds Windows MDM section with `windows_enabled_and_configured`,
required for the Windows OS update settings to work
---------
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
**Related issue:** Resolves#42296
This fixes an issue where users who log in via SSO were not having an
expiration date set on their host token cookie. This would cause them to
have to log in again after every browser session.
- [x] QA'd all new/changed functionality manually
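Added example in Go, not Fleet's code, showing the two cookie shapes the fix above is about: a `Set-Cookie` with no `Expires`/`Max-Age` (a session cookie the browser drops on exit) beside one with a bounded lifetime, plus a check that round-trips the header through `net/http`'s parser the way a browser would read it. The cookie name, path and 24-hour lifetime are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"time"
)

// Assumed lifetime for the illustration; in practice it should not exceed the
// server-side validity of the token carried in the cookie.
const sessionTTL = 24 * time.Hour

// sessionOnlyCookie reproduces the pre-fix behaviour: no Expires or Max-Age,
// so the browser discards the cookie when it closes.
func sessionOnlyCookie(token string) *http.Cookie {
	return &http.Cookie{
		Name:     "token", // assumed name
		Value:    token,
		Path:     "/",
		HttpOnly: true,
		Secure:   true,
	}
}

// persistentCookie sets both Expires (for older clients) and Max-Age (which
// takes precedence where supported), each derived from the same ttl so the
// two attributes cannot disagree.
func persistentCookie(token string, now time.Time, ttl time.Duration) *http.Cookie {
	return &http.Cookie{
		Name:     "token",
		Value:    token,
		Path:     "/",
		Expires:  now.Add(ttl),
		MaxAge:   int(ttl / time.Second),
		HttpOnly: true,
		Secure:   true,
		SameSite: http.SameSiteLaxMode,
	}
}

// survivesBrowserRestart parses a Set-Cookie header with the same code a Go
// HTTP client uses and reports whether the cookie carries a lifetime.
func survivesBrowserRestart(setCookie string) bool {
	resp := &http.Response{Header: http.Header{"Set-Cookie": {setCookie}}}
	for _, c := range resp.Cookies() {
		if c.MaxAge > 0 || !c.Expires.IsZero() {
			return true
		}
	}
	return false
}

func main() {
	now := time.Date(2026, 3, 25, 12, 0, 0, 0, time.UTC) // constructed timestamp
	before := sessionOnlyCookie("example-token")
	after := persistentCookie("example-token", now, sessionTTL)
	fmt.Println("before:", before.String(), "-> persists:", survivesBrowserRestart(before.String()))
	fmt.Println("after: ", after.String(), "-> persists:", survivesBrowserRestart(after.String()))
}
```

Making the cookie persistent widens the window in which a stolen cookie is useful, so the lifetime should be tied to the server-side token's own expiry, and `HttpOnly` and `Secure` must stay set either way.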
Add display_name: "Mozilla Firefox" to the Firefox software entries in
it-and-security/fleets/workstations.yml (macOS and Windows sections).
This ensures a consistent, user-facing name in self-service catalogs for
both platforms.
## Summary
- **Removed the WhatsApp block rule** from the Santa rules configuration
profile (`santa-rules.mobileconfig`). The rule blocked WhatsApp.app via
a CDHASH identifier (`54a8ec11bcea48a276b1fdce556a29108ba77de4`) and is
no longer needed.
- **Expanded Santa profile deployment to all macOS hosts** on the
Workstations team. Both `santa-configuration.mobileconfig` and
`santa-rules.mobileconfig` were previously scoped only to the `"Santa
test devices"` label (4 specific Macs). Removed the `labels_include_any`
restriction so these profiles now install on all Macs in the
Workstations team.
- **Deleted the "Santa test devices" label entirely.** Removed the label
definition file (`santa-test-devices.yml`), its reference in
`default.yml`, and all remaining `labels_include_any` references to it
from the Santa software entry, install-santa-extension policy, and
collect-santa-denied-logs report.
## Changes
### `it-and-security/lib/macos/configuration-profiles/santa-rules.mobileconfig`
- Removed the `BLOCKLIST` / `CDHASH` rule entry for WhatsApp.app
(identifier `54a8ec11bcea48a276b1fdce556a29108ba77de4`)
- The allowlist for North Pole Security (Team ID) and the test block
rule for BundleExample.app remain unchanged
### `it-and-security/fleets/workstations.yml`
- Removed `labels_include_any: ["Santa test devices"]` from the
`santa-configuration.mobileconfig` and `santa-rules.mobileconfig`
profile entries
- Removed `labels_include_any: ["Santa test devices"]` from the Santa
software entry
- All Santa-related profiles and software now apply to all macOS hosts
on the Workstations team
### `it-and-security/lib/all/labels/santa-test-devices.yml` (deleted)
- Removed the manual label definition for "Santa test devices"
(previously scoped to 4 specific Macs)
### `it-and-security/default.yml`
- Removed the label path reference to `santa-test-devices.yml`
### `it-and-security/lib/macos/policies/install-santa-extension.yml`
- Removed `labels_include_any: ["Santa test devices"]` so the policy
applies to all macOS hosts
### `it-and-security/lib/macos/reports/collect-santa-denied-logs.yml`
- Removed `labels_include_any: ["Santa test devices"]` so the report
applies to all macOS hosts
---
Built for [Allen
Houchins](https://fleetdm.slack.com/archives/D0AFASNBZMW/p1774320804143629?thread_ts=1774320368.198119&cid=D0AFASNBZMW)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
---------
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
## Summary
- Enables `calendar_events_enabled` on the macOS Firefox update policy,
matching the 1Password update policy pattern
- Updates the description to use "This device" (consistent with the
1Password policy language)
- Updates the resolution text to reference Self-service and scheduled
maintenance windows instead of Firefox's built-in updater
This aligns the Firefox update enforcement with how 1Password updates
are already handled — via calendar event automations that notify users
of upcoming scheduled maintenance windows.
Built for [Allen
Houchins](https://fleetdm.slack.com/archives/D0AFASNBZMW/p1774318829543349)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
Refine policy description and resolution messaging for the macOS
1Password check: change 'The host' to 'This device', direct users to
download from Self-service and note automatic install during scheduled
maintenance, and enable calendar events by setting
calendar_events_enabled to true.