<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#41749
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#41888
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* OpenTelemetry service name can now be configured via the standard
OTEL_SERVICE_NAME environment variable
* Support for OTEL_RESOURCE_ATTRIBUTES environment variable to customize
telemetry resource attributes
* **Chores**
* Enhanced OpenTelemetry resource initialization to support environment
variable overrides for improved deployment flexibility
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#40721
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [ ] QA'd all new/changed functionality manually
I (Martin) did test `labels_include_all` for FMA, custom installer, IPA
and VPP apps, and it seemed to all work great for gitops apply and
gitops generate, **except for VPP apps** which seem to have 2 important
pre-existing bugs, see
https://github.com/fleetdm/fleet/issues/40723#issuecomment-4041780707
## New Fleet configuration settings
- [ ] Verified that the setting is exported via `fleetctl
generate-gitops`
- [ ] Verified the setting is documented in a separate PR to [the GitOps
documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485)
- [ ] Verified that the setting is cleared on the server if it is not
supplied in a YAML file (or that it is documented as being optional)
- [ ] Verified that any relevant UI is disabled when GitOps mode is
enabled
---------
Co-authored-by: Jahziel Villasana-Espinoza <jahziel@fleetdm.com>
Resolves#36312
- Validate and trim fleet names in NewTeam, ModifyTeam, and
ApplyTeamSpecs
- Trim fleet names in gitops YAML parsing (parseName)
- Disable submit button in CreateTeamModal and RenameTeamModal when name
is whitespace-only
Resolves#41534
Added GET /api/v1/fleet/hosts/{id}/reports endpoint (also accessible as
/hosts/{id}/queries) that lists the query reports associated with a
specific host.
**Related issue:** Resolves#36799, Sub-task: #41556
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<img width="924" height="278" alt="Screenshot 2026-03-16 at 10 46 38 AM"
src="https://github.com/user-attachments/assets/313b6650-a849-4bc2-ba14-a62d3d13b60c"
/>
<img width="1441" height="300" alt="Screenshot 2026-03-16 at 10 46
44 AM"
src="https://github.com/user-attachments/assets/915cfd26-168f-4621-bcf5-6c26c40e5faf"
/>
<img width="1923" height="788" alt="Screenshot 2026-03-16 at 10 54
04 AM"
src="https://github.com/user-attachments/assets/62356a3e-84fe-4561-b7ad-0a35c9db3b2a"
/>
<img width="2529" height="483" alt="Screenshot 2026-03-16 at 10 47
02 AM"
src="https://github.com/user-attachments/assets/4dc51073-2c24-4934-bd9d-c5ee648d5ae1"
/>
Tested that with latest released fleetd (1.53.0), we still ingest the
available disk space. There's about 5% difference in the UI vs in the
macOS "Get Info" dialog (expected, since we use the old query, now
called `disk_space_darwin_legacy`):
<img width="267" height="306" alt="Screenshot 2026-03-17 at 8 47 22 AM"
src="https://github.com/user-attachments/assets/73fc1eef-a32c-4d8d-a9ca-13980885f8fe"
/>
<img width="883" height="407" alt="Screenshot 2026-03-17 at 8 47 33 AM"
src="https://github.com/user-attachments/assets/98851b9b-82a8-4ac8-af5c-dbb878f85fad"
/>
<img width="159" height="127" alt="Screenshot 2026-03-17 at 8 47 40 AM"
src="https://github.com/user-attachments/assets/209f784a-29a8-4af5-b95d-0f9bd59917c9"
/>
Also tested running with vanilla osquery by stopping fleetd and then
running osquery manually (adding the `--allow_unsafe` flag). Result is
same as above, `disk_space_darwin_legacy` is used:
<img width="1152" height="418" alt="Screenshot 2026-03-17 at 8 59 23 AM"
src="https://github.com/user-attachments/assets/2b34d23d-61de-4ec1-8d1c-2d3ddb682d11"
/>
<img width="893" height="414" alt="Screenshot 2026-03-17 at 8 59 28 AM"
src="https://github.com/user-attachments/assets/d28ee8fb-08c5-434f-abfa-3825b27ac73b"
/>
## Summary
- Adds a new macOS-only fleetd table `disk_space` that uses
`NSURLVolumeAvailableCapacityForImportantUsageKey` to report available
disk capacity including purgeable storage — matching what macOS shows in
Finder's "Get Info" dialog.
- Adds a new `disk_space_darwin` detail query that uses the new table
(with Discovery, so it only runs on hosts with fleetd ≥ 1.54.0).
- Restricts the existing `disk_space_unix` query to Linux only (darwin
was removed since the new query handles it).
- Adds schema documentation for the new table.
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#41664
Switching `kernel_host_counts` to the established swap pattern. Reduce
load on the DB writer by moving the large read to the DB reader.
Do `CleanupSoftwareTitles` in batches. With a single large
select/delete, it took > 16 minutes. In batches, it took ~1.5 minutes in
loadtest with 100K hosts.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] QA'd all new/changed functionality manually
For unreleased bug fixes in a release candidate, one of:
- [x] Alerted the release DRI if additional load testing is needed
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Performance Improvements**
* Added indexing and a batched swap/insert flow to speed up
vulnerability-related queries and lower maintenance contention.
* Batched cleanup of orphaned records to reduce long-running delete
operations.
* **Reliability**
* Migration removes a legacy constraint to simplify data maintenance and
avoid migration failures.
* Scheduled vulnerability refresh now runs more atomically to reduce
disruption.
* **Tests**
* Updated assertion logic to improve test clarity for host-count
verification.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** None
Based on a Slack thread from a customer, this endpoint seems like it was
missed
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#41771
# Details
Solves two issues in 4.82:
1. The `fleet_id` param in `POST /software/fleet_maintained_apps` wasn't
being read, causing all FMAs using that param to be added to fleet ID 0
(unassigned aka No Team)
2. We were logging deprecation warnings for body params even if the
topic was turned off, meaning Fleet would generate deprecation warnings
in certain cases that users wouldn't be able to fix.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [X] Added/updated automated tests
Added unit tests for the decoder since it's got one-off logic in it
- [X] QA'd all new/changed functionality manually
- [X] Added an FMA to a fleet successfully using `fleet_id`
- [X] Added an FMA to a fleet successfully using `team_id` and saw
deprecation warning
- [X] Added an FMA to "Unassigned" successfully using `fleet_id=0`
- [X] Added an FMA to "Unassigned" successfully using `team_id=0`
- [X] Added an FMA to "Unassigned" successfully with no `fleet_id` or
`team_id` param (this seems like a bug but it's existing behavior)
---------
Co-authored-by: Ian Littman <iansltx@gmail.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#39899
This fix fixes the determinism issue by ordering the results, however,
it does not necessarily fix the correctness issue. Another bug opened
for that: https://github.com/fleetdm/fleet/issues/41644
That's why you see changes in `cpe_test.go` that may seem incorrect in
some cases. In reality the previous behavior was purely by coincidence
(based on insert order).
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Fixed nondeterministic CPE matching when multiple candidates share the
same product name. CPE selection is now deterministic and prioritizes
matches based on vendor alignment with the software being analyzed.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
**Related issue:** Resolves#32662
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Use CPE alias handling to generate correct CPE from malformed one,
ensuring correct CVEs are matched.
* **Tests**
* Added comprehensive test coverage for the enhanced CPE alias
expansion, including malformed CPE mapping scenarios and CVE matching
validation for Ipswitch WhatsUp.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#41742
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Fixed crashes on the "My device" page for Fleet Free instances when a
host is assigned to a team.
* Improved error handling to prevent application crashes when policy
data is unavailable.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#38036
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* GitOps now correctly orders operations so certificate authorities can
be removed only after referencing certificate templates are handled,
preventing failed deletions during config updates.
* Improved user-facing error when a CA cannot be deleted because
certificate templates still reference it, with guidance to remove
templates first.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Resolves#35484
Concurrent execution of GitOps apply runs and
RecordPolicyQueryExecutions led to database locking issues when the
policy_membership table was large. This occurred because the cleanup
process (DELETE operations) was bundled within the same transaction as
the GitOps policy updates. To resolve this, the deletion logic has been
batched and moved outside the primary GitOps transaction, reducing lock
contention.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#39308
Doc updates: https://github.com/fleetdm/fleet/pull/41760/changes
The reason secrets are involved here is because `gitops generate` can
get them.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Release Notes
* **Bug Fixes**
* Fixed access permissions for team maintainers, admins, and GitOps
users, enabling them to add certificate templates by granting required
read access to certificate authorities.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#40881
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#41652
Solution is to not pass `labels_include_any` to the payload of the PATCH
endpoint request.
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] QA'd all new/changed functionality manually
https://github.com/user-attachments/assets/7c825b92-0b03-448a-8e42-83e39a2acdf6
For unreleased bug fixes in a release candidate, one of:
- [x] Confirmed that the fix is not expected to adversely impact load
test results
- [ ] Alerted the release DRI if additional load testing is needed
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#41664
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] QA'd all new/changed functionality manually
For unreleased bug fixes in a release candidate, one of:
- [x] Alerted the release DRI if additional load testing is needed
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Optimized database performance for vulnerability processing to reduce
contention during routine operations.
* Improved query efficiency for software cleanup processes.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#41663
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
The 2 first software entries are for FMAs that had multiple versions in
Fleet and had been rolled back. Note that there is 1 row for each.
<img width="2940" height="1912" alt="LWScreenShot 2026-03-13 at 2 53
50 PM"
src="https://github.com/user-attachments/assets/48464655-5728-4965-8fd4-4c4c0c550f35"
/>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#41190
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Bug Fixes
* Improved audit log accuracy when canceling pending lock or wipe
commands. The original activity record is now preserved, with the
cancellation tracked as a separate follow-up entry for better
visibility.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#37092
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added per‑IP rate limiting to IdP metadata and SSO endpoints.
* Implemented TTL-backed in‑memory caching for IdP metadata responses to
reduce backend load.
* **Tests**
* Added tests covering metadata caching behavior, cache miss/error
handling, and content type preservation.
* Added tests validating rate limiting behavior across clients, bursts,
and proxy scenarios.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#41091
# Details
Implements the following config key aliases:
- [x] Add a second name for `bootstrap_package`:
`macos_bootstrap_package`
- Support `bootstrap_package` for backwards compatibility
- [x] Add a second name for `manual_agent_install`:
`macos_manual_agent_install`
- Support `manual_agent_install` for backwards compatibility
- [x] Add a second name for `enable_release_device_manually `: `apple_
enable_release_device_manually `
- Support `enable_release_device_manually` for backwards compatibility
- [x] Add a second name for `script`: `macos_script`
- Support `script` for backwards compatibility
Also cleans up some error messages missed in previous alias PRs.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [X] Added/updated automated tests
- [X] QA'd all new/changed functionality manually
ran gitops successfully with new keys
_working on spinning up an ARM Arch Linux host to verify this fix_
**Related issue:** Resolves#33495
- [x] Changes file added for user-visible changes in `changes/`
- [x] Added/updated automated tests
- [ ] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Improved OS name normalization for Arch Linux ARM hosts by removing
redundant system identifiers for cleaner display.
* **Tests**
* Added validation tests for Arch Linux ARM and standard Arch Linux host
configurations to ensure consistent OS naming and architecture mapping.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#40007
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#41532
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Improved error messaging when deleting a certificate authority that is
referenced by certificate templates. Users now receive a clear,
user-friendly message instead of a generic database error.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Resolves#33714
Added alias `GET /api/v1/fleet/scripts/batch/abc-def/host_results` for
`GET /api/v1/fleet/scripts/batch/abc-def/host-results` for consistency
sake.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#41653
<img width="810" height="597" alt="Screenshot 2026-03-13 at 8 44 23 AM"
src="https://github.com/user-attachments/assets/b5e7feff-e576-4c0d-a9ee-b2ef1a17a7ea"
/>
- [x] Changes file added for user-visible changes in `changes/`
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#40642
# Details
This PR adds `FLEET_JIT_USER_ROLE_FLEET_` as an expected Saml attribute
alongside `FLEET_JIT_USER_ROLE_TEAM_`.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [X] Added/updated automated tests
- [X] QA'd all new/changed functionality manually
Tested with SimpleSAML SSO.
- [x] Updated `users.php` to use both the new attribute and the old
attribute for a user, and was able to log in with that user and see them
created using JIT with the correct permissions
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#33421
Video: https://www.youtube.com/watch?v=-mpW8o4vqu0
Docs: https://github.com/fleetdm/fleet/pull/41496/changes
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Release Notes
* **New Features**
* Added support for NDES (Network Device Enrollment Service) Certificate
Authority for Windows devices, enabling secure device enrollment through
NDES proxy integration.
* New profile variables (NDESSCEPChallenge and NDESSCEPProxyURL) enable
NDES configuration in Windows profiles.
* Enhanced validation ensures proper NDES configuration requirements are
met in Windows MDM profiles.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
**Related issue:** Resolves #
https://github.com/fleetdm/fleet/issues/31303
- Include "ltsr" in the `sw_edition` field when generating CPEs for
Citrix Workstation with versions that are in the discreet set of LTSR
releases
- Modify NVD CVE feed entry for CVE-2024-6286 to specify the correct
resolved-in version for LTSR releases of the software
- Ensure correct resolved-in is chosen when sw_edition is "ltsr"
- Doc updates
- Test updates
- Failing CI test is expected, these updates are confirmed with local
build of the relevant vuln repo resources
QAed locally by [generating vulnerability repo
artifiacts](https://github.com/fleetdm/vulnerabilities/blob/main/.github/workflows/generate-cve.yml)
and confirming:
- resolved-in versions are correct:
<img width="683" height="202"
alt="generated-cves-successfully-swapped-resolved-in"
src="https://github.com/user-attachments/assets/a3730373-7a17-4e65-9a38-d0ccd602820a"
/>
- validation passes:
<img width="882" height="59" alt="cve-translation-validation-ok"
src="https://github.com/user-attachments/assets/c52a3969-2eec-4d24-b77c-d6f161b41aac"
/>
- Broken tests now pass for both CR and LTSR versions of Citrix
Workspace:
<img width="1277" height="80"
alt="test-passes-with-freshly-built-cve-data"
src="https://github.com/user-attachments/assets/26a8f108-99d9-40a0-ac59-dc7f5d0a6bbe"
/>
- [x] Changes file added for user-visible changes in `changes/`
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#40607
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#38585
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Fixed Microsoft NDES CA selection to work immediately after deleting
an existing NDES CA without requiring a page refresh.
* Added validation preventing multiple NDES CAs from being added, with a
tooltip message explaining the limitation.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#39781
- [x] Changes file added for user-visible changes in `changes/`
- [x] Added/updated automated tests
- [ ] QA'd all new/changed functionality manually - TODO with wip
backend work
- [x] Verified that any relevant UI is disabled when GitOps mode is
enabled
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#41074
# Details
Fixes an issue where CSV export still has `team_name` and `team_id`
columns, but not `fleet_name` or `fleet_id`.
Unlike the API param and other renames, I took a manual approach here
since it's just the two fields and isn't likely to expand. I added
cleaning them up to my Fleet 5 punchlist.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [X] Added/updated automated tests
- [X] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [X] QA'd all new/changed functionality manually
- [X] exported report from UI, saw both team_name and fleet_name
- [X] exported report via API with no columns requested (so all columns
returned), saw team_id, team_name, fleet_id and fleet_name
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#40627
# Details
This PR updates the way we enable failed policy reporting (via webhook
or ticket integration) for individual policies in GitOps. The existing
method is to declare a `policy_ids` key underneath
`failing_policies_webhook:` in either the global or a fleet .yml file,
and specify a list of policy IDs to enable the automation for. This PR
maintains this feature for backwards compatibility, and adds a new
feature where you can set `webhook_and_tickets_enabled: true` key in the
policy declaration itself. If _both_ these methods are used, the GitOps
run will fail.
**Implementation note:**
Because we're keeping the old way of doing this until Fleet 5, I took
the easy route and just translated the new way into the old way; that
is, we gather up the list of policies with `webhook_and_tickets_enabled:
true`, get their IDs and send that list to the server under the same
config we did previously. This works fine and there's nothing _wrong_
with it but ideally this flag would work the same as other per-policy
flags like `calendar_events_enabled` that are stored on the policy
record. That requires a migration and more new code that we'd have to
maintain alongside the existing code (or translate the old strategy to
the new one). I'm taking the lower-touch path here.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [X] Added/updated automated tests
- [X] QA'd all new/changed functionality manually
- [x] Verified that `generate-gitops` outputs the new
`webhooks_and_tickets_enabled` flag instead of outputting `policy_ids`
under `failing_policies_webhook`
- [X] Verified that using the new flag in a fleet .yml file results in
the specified policies being enabled in the "other" automations for
policies (whether the webhook automation is enabled or not)
- [X] Verified the same for a global .default.yml file
- [X] Verified that using the old `failing_policies_webhook.policy_ids`
a fleet .yml file results in the specified policies being enabled in the
"other" automations for policies (whether the webhook automation is
enabled or not)
- [X] Verified the same for a global .default.yml file
- [X] Verified that trying to use both `webhooks_and_tickets_enabled`
and `failing_policies_webhook.policy_ids` at the same time results in an
error.
## New Fleet configuration settings
- [ ] Setting(s) is/are explicitly excluded from GitOps
If you didn't check the box above, follow this checklist for
GitOps-enabled settings:
- [x] Verified that the setting is exported via `fleetctl
generate-gitops`
- [ ] Verified the setting is documented in a separate PR to [the GitOps
documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485)
see
https://github.com/fleetdm/fleet/issues/40627#issuecomment-4024988552
- [x] Verified that the setting is cleared on the server if it is not
supplied in a YAML file (or that it is documented as being optional)
- [x] Verified that any relevant UI is disabled when GitOps mode is
enabled
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Release Notes
* **New Features**
* Added configuration flag to enable webhooks and tickets for policies
in GitOps settings.
* System automatically resolves and assigns policy IDs when using the
new flag.
* **Tests**
* Added comprehensive test coverage for webhook and ticket enablement in
GitOps workflows, including conflict detection and policy ID assignment
validation.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#40036
Ran nvd locally to generate the new
`fleet_msrc_Windows_Server_2025-2026_03_08.json` file.
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Release Notes
* **New Features**
* Added vulnerability scanning support for Windows Server 2025 hosts,
enabling detection of security vulnerabilities on the latest Windows
Server platform.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#28091
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Bug Fixes
* Fixed an issue where vulnerability counts would inflate over time due
to orphaned vulnerability entries remaining after hosts are removed.
Vulnerability cleanup now automatically runs during routine scanning
operations.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#41225
Most diffs are from regenerating software.sql, where we added this:
```
('_OR_ (FTS5 keyword test)', '1.0.0', 'apps', 'com.test.or', 'Test Vendor', '', '', '', '', NULL, NULL),
```
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Fixed CPE matching failures when software names contain reserved
keywords (AND, OR, NOT), ensuring accurate matching in all scenarios.
* **Tests**
* Added test coverage for CPE matching with reserved keyword names to
prevent regressions.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#41374
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] QA'd all new/changed functionality manually
For unreleased bug fixes in a release candidate, one of:
- [x] Alerted the release DRI if additional load testing is needed
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Resolved database lock contention that occurred during software
cleanup operations, which previously caused failures under heavy load.
The cleanup process now uses an optimized batched approach for improved
reliability and performance.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
**Related issue:** Resolves#41262
This extends the expiration date for the host auth token cookie.
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#40790
Updating error message returned when EUA is still enabled in at least
one team, and user attempts to clear out End users settings in Settings
> Integrations > SSO.
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
https://github.com/user-attachments/assets/492fed92-019e-4c2a-ab09-98841bb45da4
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#41233
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
For unreleased bug fixes in a release candidate, one of:
- [x] Confirmed that the fix is not expected to adversely impact load
test results
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Bug Fixes
* Fixed pagination on the host software page to prevent the "Next"
button from being incorrectly disabled when a software title has
multiple installer versions.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Resolves#33045
When creating or updating queries either via the API or Gitops, make
sure that the license is premium if the query is targeting a label.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#41006
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [X] Added/updated automated tests
Added tests for using path, paths and inline declaration for reports,
policies and labels.
- [X] QA'd all new/changed functionality manually
- [x] tested that `path:` works for policies
- [x] tested that `paths:` works for policies
- [x] tested that incline declaration works for policies
- [x] tested that `path:` works for reports
- [x] tested that `paths:` works for reports
- [x] tested that incline declaration works for reports
- [x] tested that `path:` works for labels
- [x] tested that `paths:` works for labels
- [x] tested that incline declaration works for labels
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added support for glob patterns in path specifications within reports,
labels, and policies configuration sections.
* Enhanced validation and error handling for external file references.
* Improved logging and error messages during configuration parsing.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Resolves#40813
* Added configurable body size limits for the `/api/osquery/log`,
`/api/osquery/distributed/write` and `/api/osquery/config` endpoints.
* Fixed false positive `PayloadTooLargeError` errors.
---------
Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#41012
# Details
This PR makes it allowable to leave out almost all top-level keys from
GitOps files. The only required keys are _either_ `name:` (for a fleet
settings file) or `org_settings:` (for a global settings file). Omitting
a key is identical to supplying it with no value.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [X] Added/updated automated tests
Updated the "missing all global keys test", and added some new tests to
verify that omitting the key was the same as supplying it with an empty
value.
- [X] QA'd all new/changed functionality manually
1. Ran `fleetctl generate-gitops` to get a clean set of GitOps yml files
2. Removed all removable keys from default.yml and ran `fleetctl gitops`
3. Ran `fleetctl generate-gitops` again into a different dir
4. Ran `fleetctl gitops` with the original files to get back to original
state
5. Cleared out all now-removable keys and replaced them with empty value
(e.g. `reports:` with nothing under it)
6. Ran `fleetctl generate-gitops` again into a third dir
7. Compared the files from the second and third generate-gitops runs to
verify that omitting the key had the same result as supplying it with an
empty value
8. Did the above steps with a fleet (i.e. non-global) .yml file.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Release Notes
* **New Features**
* GitOps files now support omitting top-level configuration keys instead
of requiring them to be explicitly set to empty values.
* org_settings is now required when team name is not specified.
* **Tests**
* Added integration tests validating behavior when omitting top-level
keys in global and team-level GitOps configurations.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#40327
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#36682
- Added similar "not found" handling than the one we have when calling
`getHostScriptExecutionResultDB` within the `GetHostLockWipeStatus`
function for consistency => now return a 404 instead of a 500 when no
rows are returned.
- Applied similar changes to
https://github.com/fleetdm/fleet/issues/33090 (PR:
https://github.com/fleetdm/fleet/pull/40009) => logging an error instead
of returning a 404, so that the Host details page does not crash.
The actual fix would be to remove the `host_mdm_actions` record that
contains the orphan `lock_ref` mentioned in the issue.
I'm not sure what the root cause is, but I think setting up some
monitoring on the logs I added should help determining that.
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [ ] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#40496
# Details
This is the first phase of an effort to detect unknown keys in GitOps
.yml files. In the regular `fleetctl gitops` case, it will fail when
unknown keys are detected. This behavior can be changed with a new
`--allow-unknown-keys` flag which will log the issues and continue.
In this first phase we are detecting unknown keys in _most_ GitOps
sections, other than the top-level `org_settings:` and `settings:`
sections which have more complicated typing. I will tackle those
separately as they require a bit more thought. Also ultimately I'd like
us to be doing this validation in a more top-down fashion in one place,
rather than spreading it across the code by doing it in each individual
section, but this is a good first step.
As a bonus, I invited my pal Mr. Levenshtein to the party so that we can
make suggestions when unknown keys are detected, like:
```
* unknown key "queyr" in "./lib/some-report.yml"; did you mean "query"?
```
> Note: the goal is to return as many validation errors as possible to
the user, so they don't have to keep running `fleetctl gitops` to get
the next error. I did _not_ update any other errors to stop returning
early, in an effort to keep this as low-touch as possible.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [X] Added/updated automated tests
- [X] QA'd all new/changed functionality manually
- [X] Tested this against existing it-and-security folder and one with
updated keys from https://github.com/fleetdm/fleet/pull/40959; no
unknown keys detected
- [X] Added unknown keys at various levels, GitOps errored with helpful
messages
- [X] Same as above but with `--allow-unknown-keys`; GitOps outputted
helpful messages but continued.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* GitOps runs now fail when unknown or misspelled keys are present in
configuration files.
* New CLI flag --allow-unknown-keys lets unknown keys be treated as
warnings instead of errors.
* Unknown-key messages include suggested valid key names to help correct
mistakes.
* **Tests**
* Expanded test coverage to validate unknown-key detection and the
allow-as-warning option.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Ian Littman <iansltx@gmail.com>
## Summary
- `checkPermFile` in `pkg/secure/secure.go` now self-heals incorrect
file permissions via `os.Chmod` instead of returning a fatal error
- Fixes orbit crash-looping indefinitely when
`/opt/orbit/updates-metadata.json` has mode 755 instead of the expected
600
## Problem
Orbit refuses to start when `updates-metadata.json` has wrong
permissions (e.g. 755 instead of 600), entering an infinite restart loop
(`systemd` restart counter observed at 3447+). The manual workaround is
`chmod 600 /opt/orbit/updates-metadata.json`, but the root cause — an
external process changing file permissions — is intermittent and hard to
track.
The `checkPermFile` function in `pkg/secure/secure.go` was designed as a
security check, but its behavior of fatally erroring on any permission
mismatch causes a denial-of-service on the legitimate user. For
comparison, `checkPermPath` (the directory equivalent) already tolerates
permissions that are less permissive than expected.
## Fix
When `checkPermFile` detects a permission mismatch, it now attempts
`os.Chmod` to correct the permissions before proceeding. It only returns
an error if the chmod itself fails (e.g. insufficient privileges). This
preserves the security intent — files end up with correct permissions —
while making orbit resilient to external permission drift.
## Test plan
- [ ] `go test ./pkg/secure/ -v -run TestOpenFile` — verifies
self-healing behavior
- [ ] `go test ./pkg/secure/ -v -run TestMkdirAll` — unchanged, verifies
directory checks still work
- [ ] Manual: create `/opt/orbit/updates-metadata.json` with mode 755,
start orbit, confirm it self-heals and starts normally
---------
Co-authored-by: Bash Bandicoot <bash-bandicoot@users.noreply.github.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#38965
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#38593
<img width="375" height="667" alt="My device Fleet 2"
src="https://github.com/user-attachments/assets/e5db8607-761f-40e8-befb-59a0fbdd7aac"
/>
_There was no figma, so wasn't sure if the boldness and spacing is
correct, but just used default values._
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#40488
# Details
Implements the renames requested in #40488:
- [X] Add a second name for `macos_setup`: `setup_experience`
- [X] Add a second name for `macos_settings`: `apple_settings`
- [X] Add a second name for `custom_settings`: `configuration_profiles`
- [X] Add a second name for `macos_setup_assistant`:
`apple_setup_assistant`
Prior names are deprecated and log warnings. This uses the same
`renameto` tags as previous aliases, and adds code in relevant sections
in gitops.go to run the existing "rename new to old keys" function so
that we can unmarshall into the existing structs (that still have their
`json` tags set to the old key names until Fleet 5).
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [X] Added/updated automated tests
- [X] QA'd all new/changed functionality manually
- [X] Ran current it-and-security GitOps files successfully locally
(removing mdm stuff that wouldn't work for me locally, but wasn't
relevant to the updated keys
- [X] Run same files successfully after changing the deprecated key
names to their new aliases
- [X] Verified that new keys show up in API responses:
<img width="506" height="243" alt="image"
src="https://github.com/user-attachments/assets/db1eb522-a702-4d17-b313-81ca203632b6"
/>
If you didn't check the box above, follow this checklist for
GitOps-enabled settings:
- [X] Verified that the setting is exported via `fleetctl
generate-gitops`
- [ ] Verified the setting is documented in a separate PR to [the GitOps
documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485)
- [X] Verified that the setting is cleared on the server if it is not
supplied in a YAML file (or that it is documented as being optional)
- [ ] Verified that any relevant UI is disabled when GitOps mode is
enabled
n/a
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Introduces new configuration key aliases: apple_settings (macOS),
configuration_profiles (profiles for macOS/Windows/Android),
setup_experience (macOS setup), and apple_setup_assistant (macOS setup
assistant).
* Old configuration keys remain supported for backward compatibility;
tooling and generated controls will accept either the new or legacy
names.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Ian Littman <iansltx@gmail.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#36093
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
# Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
## Queries/reports
### Team user with team report (observer_can_run = true)
Created user with the following assignments:
<img width="596" height="285" alt="Screenshot 2026-03-02 at 4 58 47 PM"
src="https://github.com/user-attachments/assets/a3a8e7dd-2bfc-40f9-948c-b26b016162ae"
/>
Created report on **Workstations (canary)** fleet with
**observers_can_run = true**
<img width="1020" height="711" alt="Screenshot 2026-03-02 at 5 09 25 PM"
src="https://github.com/user-attachments/assets/58aa98c7-8cbd-4a7a-a159-f4b40a65f2c9"
/>
Logged in with newly-created user, selected the report above to run it
as a live report.
- Verified that **Servers (canary)** is disabled => user is **Observer**
on that fleet, but query belongs to **Workstations (canary)**.
- All the other fleets are enabled:
- User is **Observer+ or more** in those fleets.
- User is **Observer** in **Workstations (canary)** => enabled because
report belongs to this fleet, AND **observer_can_run = true**.
<img width="986" height="823" alt="Screenshot 2026-03-02 at 5 07 29 PM"
src="https://github.com/user-attachments/assets/b6b7aa4b-5036-46e3-8497-3a77f93a3a2c"
/>
### Global user with team report (observer_can_run = true)
- Created global Observer user.
- Accessed same report created above for **Workstations (canary)** fleet
with **observers_can_run = true**.
- Logged in with newly-created user, selected the report above to run it
as a live report.
- Verified that the only target available is **Workstations (canary)**:
<img width="1087" height="883" alt="Screenshot 2026-03-03 at 10 47
05 AM"
src="https://github.com/user-attachments/assets/9fc8d4d4-6a38-4ecb-98fe-b56b46ac4f74"
/>
### Global user with global report (observer_can_run = true)
Global Observer user can target all fleets.
<img width="1329" height="609" alt="Screenshot 2026-03-03 at 10 56
03 AM"
src="https://github.com/user-attachments/assets/059d4eb2-546f-4a19-9eee-b64dd0250bf1"
/>
<img width="981" height="818" alt="Screenshot 2026-03-03 at 10 57 50 AM"
src="https://github.com/user-attachments/assets/afa0ee58-3457-4838-a96e-dd508d924079"
/>
### Global user with global report (observer_can_run = false)
Global Observer user can't target any fleet.
<img width="691" height="574" alt="Screenshot 2026-03-03 at 10 59 57 AM"
src="https://github.com/user-attachments/assets/f328d547-ed06-4c30-ac22-5df7bb32240a"
/>
<img width="985" height="814" alt="Screenshot 2026-03-03 at 11 00 06 AM"
src="https://github.com/user-attachments/assets/bb55da11-ea3f-40c7-bd98-652880d9e8f9"
/>
## Policies
On the FE, the same component is used to display the targets for Live
Policies, so just making sure that I didn't introduce any regression.
### Global technician user, all fleets policy
Can select all fleets.
<img width="1130" height="858" alt="Screenshot 2026-03-03 at 11 13
40 AM"
src="https://github.com/user-attachments/assets/8d9d97c4-9946-4c4c-9a8a-d79c65d9cb33"
/>
### Team user with team policy
Created user:
- **Technician** on **Servers**.
- **Observer** on **Servers (canary)**.
<img width="745" height="770" alt="Screenshot 2026-03-03 at 11 18 11 AM"
src="https://github.com/user-attachments/assets/56973c34-49bb-4007-9fac-09cf5315bdff"
/>
Can only select **Servers** as a target:
<img width="999" height="754" alt="Screenshot 2026-03-03 at 11 18 56 AM"
src="https://github.com/user-attachments/assets/82d14a8f-46e1-41f5-9355-d717477c85d8"
/>
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com>
**Related issue:** Resolves#38546
This fixes an issue where the MDM section on the intergation page was
not updating properly when apple mdm was turned off
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
- [x] QA'd all new/changed functionality manually
---------
Co-authored-by: Magnus Jensen <magnus@fleetdm.com>
Fixes#40975.
8.0.32 (was running in Aurora managed cloud at the time) -> 8.0.39 (what
we're running now) 8.0.36 -> 8.0.44 (latest 8.0.x version supported by
Aurora; holding off on 8.0.45 until Aurora supports it) 8.4.7 -> 8.4.8
9.5.0 -> 9.6.0
Also bumped the supported Aurora version from 3.07.0 to 3.08.2 to match
what we're running in managed cloud right now
Fleet might work on older patch versions but we'll no longer dev/test on
them. MySQL 9.x not testing previous minor versions matches with our
previous approach for that version.
Since these are all patch/minor bumps (and the overnight build cases are
patch bumps/are covered by AWS envs) automated testing should be
sufficient here.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#38611
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#40789
Seems like on specific pages of server-side paginated tables, the
select-all header checkbox does not work. This happens when:
- the page has less than 20 rows (I think this is the default page size)
- AND not all the rows are selectable
`headerProps.rows` always contains all rows currently visible in the
table. Using rows also keeps the select logic consistent with the
deselect and "all selected" checks, which already used rows.
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] QA'd all new/changed functionality manually
### Before
Clicking on the table header checkbox doesn't perform any selection
https://github.com/user-attachments/assets/d5b1f2fc-1400-4f3e-a2b4-2ae6a3da65af
### After
https://github.com/user-attachments/assets/54a67707-7978-40ec-ba50-c146a67795b2
**Related issue:** Resolves#39184
show apns expiration banner for the free tier in the UI. Before it was
limited to show only for premium tier.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
- [x] QA'd all new/changed functionality manually
---------
Co-authored-by: Nico <32375741+nulmete@users.noreply.github.com>
**Related issue:** Resolves#40855
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#40900
# Details
This PR makes the `secrets:` key under the top-level `org_settings` (for
default.yml) or `settings:` (for fleet .yml files) optional. Omitting
the key causes any enroll secrets present on the server to be retained.
There is more to the parent story that will require more design, but I
am getting this one out early because:
1. Our updated it-and-security files will not have `secrets:` and
2. This is not a breaking change, since currently omitting this key
results in a fatal error, _not_ the removal of all secrets (that
requires specifying an empty `secrets:` key)
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [X] Added/updated automated tests
- [X] QA'd all new/changed functionality manually
- [x] Using `secrets:` with correct syntax in `defaults.yml` updated
global secrets
- [x] Using `secrets:` with no value in `defaults.yml` removed all
global secrets
- [x] Omitting `secrets:` in `defaults.yml` retained all global secrets
- [x] Using `secrets:` with correct syntax in a fleet .yml file updated
that fleet's secrets
- [x] Using `secrets:` with no value in in a fleet .yml file removed
that fleet's secrets
- [x] Omitting `secrets:` in in a fleet .yml file retained that fleet's
secrets
FYI @allenhouchins: We will want to remove any of the changes made to
the ee folder in this PR before merging since these files were added for
testing
---
**Related issue:** Resolves
https://github.com/fleetdm/fleet/issues/38254
This pull request updates how Fleet-maintained apps handle default
categories, improving compatibility with older Fleet builds that may not
recognize newer categories. It introduces a more flexible approach for
category assignment, ensuring apps can still be added even if some
categories do not exist in the current database.
**Category compatibility improvements:**
* The service now maps only existing categories to IDs when adding
Fleet-maintained apps, allowing apps to be added even if some default
categories (like "Security" or "Utilities") are not present in older
Fleet builds. This prevents errors and improves backward compatibility.
[[1]](diffhunk://#diff-9e807526199f81f987717f1f3c0ec60260510dc79c12cbeb6b20190dcf39caa7L167-R186)
[[2]](diffhunk://#diff-8384a65651f44fd1a1b78da9bad5794155a76b3849d1b846f8cc5e06018c1365R1)
* Introduced a new `GetSoftwareCategoryNameToIDMap` method in the
datastore to return a mapping of known category names to their IDs, only
including those that exist. This is used in both production and test
code.
[[1]](diffhunk://#diff-4fe70646343c5f7a1b61dd6906889113f0e0ae63f684ab74a617acecb39fe6d3R6170-R6197)
[[2]](diffhunk://#diff-2fa819f19cb7709a65ded13aa51ac75cacbeb5764c88e4a64a02f3ab5b8933b2R700-R702)
[[3]](diffhunk://#diff-f4666ccc907f67a670871fd5600a726858ae613f67aeca8f2537b8315f9b1bf0R544-R545)
[[4]](diffhunk://#diff-f4666ccc907f67a670871fd5600a726858ae613f67aeca8f2537b8315f9b1bf0R2526-R2528)
[[5]](diffhunk://#diff-f4666ccc907f67a670871fd5600a726858ae613f67aeca8f2537b8315f9b1bf0R6148-R6154)
**App category updates:**
* Changed the default category for `appcleaner` from "Productivity" to
"Utilities" in both input and output JSON files.
[[1]](diffhunk://#diff-a6ff089976e7e51f336ab7fc67670375498323de9ec3b87d9aa6c6308ab8fb30L7-R7)
[[2]](diffhunk://#diff-a90f40ad8bd457b4977a1d53984999f89e014fa7442851defc559db252bcdf24L13-R13)
* Changed the default category for `nordvpn` from "Productivity" to
"Security" in both input and output JSON files.
[[1]](diffhunk://#diff-f3ea48ab7da0ffc182e6ec342ee426c0280aa105c79282a7284d0fa35e9a1cf5L7-R7)
[[2]](diffhunk://#diff-83f09709778de1c5a20cbfe88125d58c85563bd1afbc76dcf9f4e8731d6884b3L13-R13)
**Test and codebase adjustments:**
* Updated mocks and tests to use the new
`GetSoftwareCategoryNameToIDMap` method instead of the previous category
ID list approach.
[[1]](diffhunk://#diff-d29fdd0261044f92f761a0707ff8417c9478054ca7d9e4ab5b9d04ed95e15573L285-R286)
[[2]](diffhunk://#diff-d29fdd0261044f92f761a0707ff8417c9478054ca7d9e4ab5b9d04ed95e15573L371-R372)
* Removed an unused import (`fmt`) from `maintained_apps.go` for
cleanup.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [ ] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [ ] QA'd all new/changed functionality manually
For unreleased bug fixes in a release candidate, one of:
- [ ] Confirmed that the fix is not expected to adversely impact load
test results
- [ ] Alerted the release DRI if additional load testing is needed
## Database migrations
- [ ] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [ ] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [ ] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
## New Fleet configuration settings
- [ ] Setting(s) is/are explicitly excluded from GitOps
If you didn't check the box above, follow this checklist for
GitOps-enabled settings:
- [ ] Verified that the setting is exported via `fleetctl
generate-gitops`
- [ ] Verified the setting is documented in a separate PR to [the GitOps
documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485)
- [ ] Verified that the setting is cleared on the server if it is not
supplied in a YAML file (or that it is documented as being optional)
- [ ] Verified that any relevant UI is disabled when GitOps mode is
enabled
## fleetd/orbit/Fleet Desktop
- [ ] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [ ] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [ ] Verified that fleetd runs on macOS, Linux and Windows
- [ ] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
---------
Co-authored-by: Jahziel Villasana-Espinoza <jahziel@fleetdm.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#40108
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Fixed double encoding of secret environment variables when configured
through GitOps, ensuring secrets are stored with proper escaping.
* **Tests**
* Added test coverage for configuration profile escaping to verify
proper handling of secret variables and API keys during GitOps
operations.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#39150
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#40302
# Details
This PR adds support for a `paths:` key for scripts declared under
`controls:` in a GitOps fleet file. If supplied, `paths:` must contain a
"glob" expression (as [supported by the doublestar
package](https://github.com/bmatcuk/doublestar?tab=readme-ov-file#patterns)).
The existing `path:` key still works but may not contain glob
expressions. When a `paths:` key is encountered, we expand it and add
all matching valid (as in, `.sh` or `.ps1`) files to the set of script
files to process.
Subsequent PRs will add this functionality to other entities that use
`path:` (such as reports and policies).
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [X] Added/updated automated tests
- [X] QA'd all new/changed functionality manually
Tried with various combinations of `*` and `**` in gitops runs, and
mixing of `path:` and `paths:`
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#40284
Following existing codebase pattern of passing the NOW time to the
method.
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
- Via manipulating DB.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Enhanced Android certificate renewal system with improved
time-handling capabilities and better testability infrastructure for
certificate template operations.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: jacobshandling <61553566+jacobshandling@users.noreply.github.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#38432
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#40183 and #40182
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
## Database migrations
- [x] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [x] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [x] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves #
This PR adds the ability to skip any Fleet logic that validates on
whether or not an MDM Declaration is usable with Fleet by setting a
configuration of `FLEET_MDM_SKIP_DECLARATION_VALIDATION` to `True`. We
would like to leverage declarations such as [config
files](https://developer.apple.com/documentation/devicemanagement/servicesconfigurationfiles)
as well as other none configuration declarations that are
[restricted](https://github.com/fleetdm/fleet/blob/main/server/fleet/apple_mdm.go#L736-L738)
like
[Activations](https://developer.apple.com/documentation/devicemanagement/activationsimple),
and any declaration that requires
[AssetData](https://developer.apple.com/documentation/devicemanagement/assetdata).
We understand that these are not usable by most Fleet customers,
especially those that use Fleets cloud hosting option.
Since we run Fleet on our own infrastructure we are able to leverage our
proxy to support all additional data components needed for declarations
above.
## Testing
I've built and run Fleet locally and validated that with the
`FLEET_MDM_SKIP_DECLARATION_VALIDATION` I am able to add any
declarations I please. Without the config I am unable to add the
requested declaration types above.
- [X] Added/updated automated tests
- [X] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added experimental `mdm.allow_all_declarations` configuration option
to permit all Apple MDM declaration types when enabled, overriding
default validation checks.
* **Documentation**
* Updated configuration documentation with details for the new
experimental MDM option, including defaults, environment variables, YAML
format, and safety considerations.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com>
Co-authored-by: Magnus Jensen <magnus@fleetdm.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#35799
Loadtest results for 100K hosts and 300K software titles.
```
=== Performance Test Results: No team_id (all teams) ===
Description Average Worst Results
----------- ------- ----- -------
Page 0, hosts_count DESC 229ms 241ms 20 items
Page 0, hosts_count ASC 203ms 211ms 20 items
Page 1, hosts_count DESC 339ms 423ms 20 items
Page 1000, hosts_count DESC 202ms 219ms 20 items
100 per_page, hosts_count DESC 620ms 708ms 100 items
Default sort (no order params) 229ms 245ms 20 items
Order by name ASC, page 0 4.642s 4.785s 20 items
Order by name ASC, page 1000 6.418s 6.771s 20 items
Vulnerable only 3.431s 3.496s 20 items
Search 'chrome' 9.6s 10.111s 20 items
Known exploit filter 9.792s 10.102s 20 items
Min CVSS score 7.0 12.368s 12.665s 20 items
CVSS range 7.0-9.0 12.221s 12.523s 20 items
Available for install 87ms 93ms NO RESULTS
Self-service only 4.46s 4.757s 20 items
=== Performance Test Results: team_id=0 (no team / unassigned) ===
Description Average Worst Results
----------- ------- ----- -------
Page 0, hosts_count DESC 378ms 404ms 20 items
Page 0, hosts_count ASC 339ms 345ms 20 items
Page 1, hosts_count DESC 478ms 513ms 20 items
Page 1000, hosts_count DESC 398ms 417ms 20 items
100 per_page, hosts_count DESC 864ms 1.025s 100 items
Default sort (no order params) 399ms 411ms 20 items
Order by name ASC, page 0 5.346s 5.41s 20 items
Order by name ASC, page 1000 7.444s 7.615s 20 items
Search 'chrome' 9.051s 9.245s 20 items
Known exploit filter 10.511s 10.884s 20 items
Min CVSS score 7.0 16.589s 16.701s 20 items
CVSS range 7.0-9.0 15.878s 15.999s 20 items
Available for install 1.394s 1.429s 1 items
Self-service only 1.4s 1.456s 1 items
```
Documented in the issue:
The fix includes a small behavior change. The default primary sort of
/software/titles remains host_counts, but the secondary sort is now
software_title_id and not name. This was necessary to optimize the
endpoint. This means that if you have 1 host in your fleet, the software
page will not show the software titles ordered by name anymore. For
large fleets, this does not matter since all titles generally have
different host counts.
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
## Database migrations
- [x] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Refactor**
* Optimized the software titles endpoint for improved query performance
and faster data retrieval.
* Enhanced database efficiency when retrieving software information,
resulting in better overall system responsiveness and reduced query
times.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#39247
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
This pull request updates the logic for selecting which user receives
maintenance window calendar events on hosts with multiple users. The
changes clarify and enforce a priority system for choosing the recipient
email, ensuring that IdP-sourced emails are preferred, followed by
Google Chrome profile emails. This affects both user-facing
documentation and backend implementation.
**User-facing behavior and documentation:**
* The end-user documentation now explicitly describes the email
selection priority for calendar event recipients: IdP Username email is
chosen first, then Google Chrome profile email, and if multiple Chrome
emails exist, the first alphabetically is selected.
**Backend logic and data selection:**
* The comment in `calendar_cron.go` is updated to match the new email
selection logic, explaining the prioritization of email sources for
host-user assignment.
* The SQL query in `policies.go` is refactored to implement the new
priority system for selecting user emails per host:
- IdP sources (`mdm_idp_accounts`, `idp`) are considered first,
- then Google Chrome profiles,
- then other sources.
- If multiple emails exist at the same priority, the first
alphabetically is chosen.
---------
Co-authored-by: Mike Thomas <78363703+mike-j-thomas@users.noreply.github.com>
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Co-authored-by: Juan Fernandez <juan-fdz-hawa@users.noreply.github.com>
Co-authored-by: Juan Fernandez <juan@fleetdm.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#39673
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [ ] QA'd all new/changed functionality manually
**Related issue:** Resolves#39361
This fixes an issue of the overflow of the resend button off the edge of
the os settting modal table.
We've changed the syling to grow and shrink the error text and column
dynamically so that the table will always be pushed up against the right
edge and the text will grow and shrink as needed so that it wont push
the button any further right
<img width="838" height="436" alt="image"
src="https://github.com/user-attachments/assets/a5acfd44-0d77-4062-92e4-909077827fee"
/>
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
- [x] QA'd all new/changed functionality manually
**Related issue:** Resolves#40066
This allows ipados and ios devices to resend their profiles on the host
details and my device pages
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
- [x] QA'd all new/changed functionality manually
**Related issue:** Resolves#39324
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [ ] QA'd all new/changed functionality manually
For unreleased bug fixes in a release candidate, one of:
- [x] Confirmed that the fix is not expected to adversely impact load
test results
---------
Co-authored-by: Magnus Jensen <magnus@fleetdm.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#40685
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#40564
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Added OpenTelemetry instrumentation to the internal HTTP client to
provide enhanced observability through distributed tracing and metrics
collection for HTTP operations.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
**Related issue:** Resolves#37802
Attempt to fix Windows FMAs not showing up as available when the
software titles they match to have upgrade codes. Since we don't surface
upgrade codes in the `fleet_maintained_apps` table and matching exactly
by name could miss some cases, this fix uses `team_titles.name LIKE
CONCAT(LEAST(fma.name, fma.unique_identifier), '%')`. Note the LEAST
there is only for the "Box Drive" app which has a longer name than
unique_identifier, and just compares the strings and not their length.
This isn't optimal for performance or correctness, but it only checks
with titles already available to the team as installers so it shouldn't
be terrible. Until upgrade_code is surfaced in the
`fleet_maintained_apps` table this should be sufficient.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
**Related issue:** Resolves#14401
# Checklist for submitter
this updates the mechanism of storing the auth token for a user that is
used for making requests and validating a user session. We change the
storage from local storage to a cookie. This allow a bit more security
and prepares for a future change where we will allow the browser to
handle setting and passing the auth token in the request.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** For #40433
# Details
This PR updates `fleetctl gitops` and `fleetctl generate_gitops` to use
`unassigned.yml` in place of `no-team.yml`. The two files are utilized
identically, except that `unassigned.yml` expects the `name:` to be
`Unassigned` rather than `No team`.
Internally, we still map some things to the string "no team" before
sending to the back end so that we don't have to update back-end code
and make more spaghetti to clean up when we 🔪 No Team as a concept in
Fleet 5.
We do pass the filename into the main `DoGitOps` method, but both I and
Claude did our best to determine that it's not used in any way that
would break with this change.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [X] Added/updated automated tests
- [X] QA'd all new/changed functionality manually
From test plan:
- [X] With a pre-existing GitOps folder w/ `no-team.yml`, run `fleetctl
gitops -f /path/to/no-team.yml --dry-run
--enable-log-topics=deprecated-field-names` and verify that everything
works as expected and you get the deprecation warning.
- [X] Do the above without `--dry-run` and verify via the UI and/or
`fleetctl generate-gitops` that the Fleet config is as expected.
- [X] Change `no-team.yml` to `unassigned.yml`, try a gitops run with
`fleetctl gitops -f /path/to/unassigned.yml --dry-run
--enable-log-topics=deprecated-field-names` and verify that you get an
error because the `name:` is still `No team`
- [X] Change the `name:` to `Unassigned`, repeat the run above and
verify that the output is the same as with `no-team.yml`, and that no
deprecation warning is listed.
- [X] Do the same as the above without `--dry-run` and verify that the
Fleet config is as expected.
- [X] Run `fleetctl generate-gitops` and verify that `unassigned.yml` is
output rather than `no-team.yml`, and any related files are under the
`lib/unassigned` folder rather than `lib/no-team`, and any paths inside
`unassigned.yml` (e.g. for scripts) are pointed at `lib/unassigned`.
## New Fleet configuration settings
- [X] Verified that the setting is exported via `fleetctl
generate-gitops`
- [ ] Verified the setting is documented in a separate PR to [the GitOps
documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485)
@noahtalerman will work on this
---------
Co-authored-by: Ian Littman <iansltx@gmail.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#40021
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Fixed false positive detections for Python packages on Ubuntu systems,
addressing misclassification scenarios that were affecting package
detection accuracy on Ubuntu 20.04 and other versions.
* Enhanced handling of duplicate Python package entries to correctly
identify and consolidate multiple occurrences, preventing incorrect
over-reporting of installed packages.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [ ] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#38536
This PR moves all logic to create new activities to activity bounded
context.
The old service and ActivityModule methods are not facades that route to
the new activity bounded context. The facades will be removed in a
subsequent PR.
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added webhook support for activity events with configurable endpoint
and enable/disable settings.
* Enhanced automation-initiated activity creation without requiring a
user context.
* Improved activity service architecture with centralized creation and
management.
* **Improvements**
* Refactored activity creation to use a dedicated service layer for
better separation of concerns.
* Added support for host-specific and automation-originated activities.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Extended the statistics payload to include arrays of Fleet-maintained
app slugs in use on macOS and Windows. Updated the datastore to query
and populate these fields, and documented the new fields in the usage
statistics article.
---------
Co-authored-by: Juan Fernandez <juan@fleetdm.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#35805
Fixed to make sure software host counts tables never have host counts of
0.
Planning to loadtest this fix along with the follow up fix for
https://github.com/fleetdm/fleet/issues/35799
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Fixed accumulation of dead rows in software host count tracking,
improving data accuracy and system performance.
* Enhanced validation to ensure consistent and reliable software
availability records.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
- **Gitops specify FMA rollback version (#39582)**
- **Fleet UI: Show versions options for FMA installers (#39583)**
- **rollback: DB and core implementation (#39650)**
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#31919
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
---------
Co-authored-by: Jonathan Katz <44128041+jkatz01@users.noreply.github.com>
Co-authored-by: RachelElysia <71795832+RachelElysia@users.noreply.github.com>
Co-authored-by: Carlo DiCelico <carlo@fleetdm.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#15744
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
Manually inserted 10k hosts and random emails associated to them.
Response times were always below 200ms locally.
We already have covering indexes so we don't need a migration.
https://github.com/user-attachments/assets/721db4f1-f3c9-4ede-ba62-499ac30c4a02
SQL used:
```sql
-- Seed 10k hosts for performance testing email search.
-- Requires: SET cte_max_recursion_depth = 10000;
--
-- Distribution (by osquery_host_id suffix):
-- 1-2500: Chrome profile email only
-- 2501-5000: IdP email only
-- 5001-7500: Both Chrome profile and IdP emails
-- 7501-10000: No email association
-- Generate 10k hosts using a recursive CTE
INSERT INTO hosts (osquery_host_id, node_key, hostname, uuid, platform, detail_updated_at, label_updated_at, policy_updated_at)
WITH RECURSIVE seq AS (
SELECT 1 AS n
UNION ALL
SELECT n + 1 FROM seq WHERE n < 10000
)
SELECT
CONCAT('perf-osq-', n),
CONCAT('perf-nk-', n),
CONCAT('perf-host-', n),
CONCAT('perf-uuid-', n),
'darwin',
NOW(),
'2000-01-01 00:00:00',
'2000-01-01 00:00:00'
FROM seq;
-- Populate display names so that hosts are visible in the UI.
INSERT INTO host_display_names (host_id, display_name)
SELECT id, hostname
FROM hosts
WHERE osquery_host_id LIKE 'perf-osq-%';
-- 1-2500: Chrome profile email only
INSERT INTO host_emails (host_id, email, source)
SELECT id, CONCAT('chrome-', id, '@example.com'), 'google_chrome_profiles'
FROM hosts
WHERE osquery_host_id LIKE 'perf-osq-%'
AND CAST(SUBSTRING(osquery_host_id, 10) AS UNSIGNED) BETWEEN 1 AND 2500;
-- 2501-5000: IdP email only
INSERT INTO host_emails (host_id, email, source)
SELECT id, CONCAT('idp-', id, '@example.com'), 'mdm_idp_accounts'
FROM hosts
WHERE osquery_host_id LIKE 'perf-osq-%'
AND CAST(SUBSTRING(osquery_host_id, 10) AS UNSIGNED) BETWEEN 2501 AND 5000;
-- 5001-7500: Both Chrome profile and IdP emails
INSERT INTO host_emails (host_id, email, source)
SELECT id, CONCAT('chrome-', id, '@example.com'), 'google_chrome_profiles'
FROM hosts
WHERE osquery_host_id LIKE 'perf-osq-%'
AND CAST(SUBSTRING(osquery_host_id, 10) AS UNSIGNED) BETWEEN 5001 AND 7500;
INSERT INTO host_emails (host_id, email, source)
SELECT id, CONCAT('idp-', id, '@example.com'), 'mdm_idp_accounts'
FROM hosts
WHERE osquery_host_id LIKE 'perf-osq-%'
AND CAST(SUBSTRING(osquery_host_id, 10) AS UNSIGNED) BETWEEN 5001 AND 7500;
-- 7501-10000: no emails (nothing to insert)
-- Cleanup:
-- DELETE FROM host_emails WHERE host_id IN (SELECT id FROM hosts WHERE osquery_host_id LIKE 'perf-osq-%');
-- DELETE FROM host_display_names WHERE host_id IN (SELECT id FROM hosts WHERE osquery_host_id LIKE 'perf-osq-%');
-- DELETE FROM hosts WHERE osquery_host_id LIKE 'perf-osq-%';
```
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#40054
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Refactor**
* Updated internal logging infrastructure across Mobile Device
Management (MDM) service modules to improve code consistency and
maintainability.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Fixes#34068 Adds automatic retries (up to 3 attempts) for failed software installs from host details, self-service, and setup experience across all installer types.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#40124
# Details
Implements the proposal in
https://docs.google.com/document/d/16qe6oVLKK25nA9GEIPR9Gw_IJ342_wlJRdnWEMmWdas/edit?tab=t.0#heading=h.nlw4agv1xs3g
Allows doing e.g.
```go
logger.WarnContext(logCtx, "The `team_id` param is deprecated, use `fleet_id` instead", "log_topic", "deprecated-field-names")
```
or
```go
if logging.TopicEnabled("deprecated-api-params") {
logging.WithLevel(ctx, slog.LevelWarn)
logging.WithExtras(
ctx,
"deprecated_param",
queryTagValue,
"deprecation_warning",
fmt.Sprintf("'%s' is deprecated, use '%s'", queryTagValue, renameTo),
)
}
```
Topics can be disabled at the app level, and enabled/disabled at the
command-line level.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [X] Added/updated automated tests
- [X] QA'd all new/changed functionality manually
No logs have this in prod yet, but I added some manually in a branch and
verified that I could enable/disable them via CLI options and env vars,
including enabling topics that were disabled on the server. Tested for
both server and `fleetctl gitops`.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Release Notes
* **New Features**
* Added per-topic logging control to enable or disable logging for
specific topics via configuration and CLI flags.
* Added context-aware logging methods (ErrorContext, WarnContext,
InfoContext, DebugContext) to support contextual logging.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#39858
~~Also implements the idea from this comment:
https://github.com/fleetdm/fleet/issues/37802#issuecomment-3715729822~~
Decided to move the FMA name overriding idea to another PR.
## Changes
- `getOrGenerateSoftwareInstallerTitleID` now attempts to find existing
titles by name or by upgrade code if possible. It will update the
upgrade code if possible.
- also updated `addSoftwareTitleToMatchingSoftware` to match _only_ by
upgrade code if the installer has an upgrade code
These are the assumptions (and tests mostly) I made:
| installer | existing title | result |
|------------------|-----------------------------------|----------------------------------------------------------------------------|
| no upgrade code | same name, no upgrade code | uses existing |
| no upgrade code | same name, has upgrade code | uses existing,
existing upgrade code stays |
| has upgrade code | same name, no upgrade code | uses existing,
existing title is updated with the incoming upgrade code |
| has upgrade code | same name, different upgrade code | new title is
created with same name |
| has upgrade code | same name, same upgrade code | uses existing |
| has upgrade code | different name, same upgrade code | uses existing,
~~existing title's name is updated~~ |
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [ ] QA'd all new/changed functionality manually
- Tested having the title `7-Zip 23.01 (x64)` with an upgrade code in
the db, added 7-Zip FMA, title became the existing `7-Zip 23.01 (x64)`
title with the same upgrade code.
- Trying to add it again fails with the correct error message
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#34370
<img width="932" height="1152" alt="Screenshot 2026-02-20 at 8 23 49 AM"
src="https://github.com/user-attachments/assets/c7b6d0ae-a20e-4115-835d-5d5fb01c12bb"
/>
- [x] Changes file added for user-visible changes in `changes/`
- [x] QA'd all new/changed functionality manually
https://github.com/shogo82148/rdsmysql/pull/222
Adds AWS GovCloud RDS CA certificates (us-gov-east-1, us-gov-west-1) to
the rdsmysql TLS bundle, improving compatibility for Fleet deployments
in AWS GovCloud regions.
Transitive dependency updates pulled in by rdsmysql v2.5.0:
- github.com/aws/aws-sdk-go-v2 and related submodules (minor bumps)
- github.com/go-sql-driver/mysql v1.9.1 -> v1.9.3
- filippo.io/edwards25519 v1.1.0 -> v1.1.1
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves
https://github.com/fleetdm/fleet/issues/40148
## Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] QA'd all new/changed functionality manually
— dependency bump only; ran full local test suite across all affected
packages (`server/platform/mysql`, `server/logging`, `server/config`,
`server/mail`) with no regressions. `go mod verify` passed.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#40028
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Release Notes
* **Bug Fixes**
* Fixed telemetry misclassification where client-side errors were
incorrectly reported as server errors. Client-side errors and request
cancellations are now properly categorized for improved error tracking
and observability.
* **Tests**
* Added test coverage for client error detection and context
cancellation handling.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** For #39344
# Details
This PR builds on the previous PR
(https://github.com/fleetdm/fleet/pull/39847) which added `renameto`
tags to certain API parameters to mark them as deprecated. How this is
used:
### In requests
* When decoding requests, log a warning if a `json` or `query` param is
used that has a `renameto` tag, e.g. if a `team_id` param is sent but
the related struct has `renameto:"fleet_id"` in it.
* If the `renamedto` version (e.g. `fleet_id`) is sent in the request,
rewrite it to the deprecated name so that it can be unmarshalled into
the struct
* If both versions are sent (e.g. `team_id` AND `fleet_id`), throw an
error and quit
* URLs with deprecated terms have new aliases using `WithAltPaths` --
warning on using old URLSs a TODO that will be handled in a subsequent
PR.
### In responses
* Output _both_ the deprecated and new names for fields that have
`renameto` tags, so that we don't break existing workflows expecting the
old keys. Uses a shared `DuplicateJSONKeys` to do the duplication.
* Most API responses are handled in `EncodeCommonResponse`. Exceptions
are activities, failing policy webhooks and the streaming "list hosts"
endpoints which call the function directly.
### In fleetctl
* Similar to requests, log warnings when deprecated keys are used and
rewrite the new keys internally so that they can be unmarshalled.
* For `fleetctl get` and `fleetctl generate-gitops`, _only_ output the
new names
* The set of keys to replace is hardcoded in `fleetctl` rather than
being dynamically generated as it is for API endpoints. Given the
mixture of typed and untyped data and the level of nesting, dynamic map
generation was very fragile and error-prone.
### Performance considerations
* The biggest performance hit is the addition of the JSON key rewriter
to the request pipeline. The rewriter buffers the entire request into
memory before eventually passing it to the decoder than unmarshals the
data into structs. I tried implementing this as a true streaming
rewriter but encountered issues where the request would hang if the
downstream reader (the decoder) encountered any errors. It's possible we
could implement this in a streaming fashion if we replace our [current
request
decoder](da43bf8371/server/service/endpoint_utils.go (L108))
with the v2 version, which is a bigger change requiring more thoughtful
discussion in the engineering team. As it stands, memory usage for
requests with deprecated fields will double while the request is being
decoded.
* The "alias rules" used to determine the old and new key names are
cached per struct type and for most endpoints are generated on server
start, so no performance impact is expected.
* Some `fleetctl` commands may have an extra unmarshal/marshal step but
as these are user-initiated and not performed in tight loops, the impact
should be minimal.
### TODO
* Log deprecation warnings when old URLs like "/fleet/teams" are used
* Update API fields that the front-end uses to avoid deprecation
warnings
* Update `fleetctl apply` to accept/return `kind: fleet` rather than
`kind: team`
* Find/update any fleet server config vars with old language
* Update all error messages that use old language
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [X] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
## Testing
- [X] Added/updated automated tests
- [X] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [X] QA'd all new/changed functionality manually
* Clicking around the front-end, no broken pages due to request
ingestion errors or bad responses
* Looking in network tab to verify that responses have both the old and
new keys
* Running `fleetctl generate-gitops` and verifying that the output looks
correct and can be ingested by `fleetctl gitops`
* Running `fleetctl get` and `fleetctl apply`
---------
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
#39921
Summary of fixes:
- Removed unnecessary calls to `BulkSetPendingMDMHostProfiles` when
settings are unchanged.
- Removed 3 unnecessary calls to `BulkSetPendingMDMHostProfiles` when
the Apple OS updates are unset.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
- [X] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
## Testing
- [X] Added/updated automated tests
- [X] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#37306
I think we should actually solve this at the osquery level, but this is
just an alternative solution.
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
#### Setup
On a macOS VM:
1. Generated a certificate with Cyrillic characters in CN and O fields:
```bash
openssl req -x509 -newkey rsa:2048 -keyout newkey.pem -out newcert.pem -days 365 -nodes -utf8 -subj "/CN=АБВГДЕЖЗИКЛМНОПРСТУФХЦЧШЩЪЫЬЭЮЯа/O=АБВГДЕЖЗИКЛМНОПРСТУФХЦЧШЩЪЫЬЭЮЯа"
```
2. Installed the certificate:
```bash
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain newcert.pem
```
#### Before
Refetched vitals and observed certificate field too long error logs:
```
ts=2026-02-18T21:50:47Z level=error msg="truncating certificate field" err="certificate field too long" field=subject_org host_id=32 original_length=304 max_length=255 truncated_value=\xC3\x90\xC2\xA2\xC3\x90\xC2\xB5\xC3\x91\xC2\x81\xC3\x91\xC2\x82\xC3\x90\xC2\xBE\xC3\x90\xC2\xB2\xC3\x90\xC2\xB0\xC3\x91\xC2\x8F\xC3\x90\xC2\x9E\xC3\x91\xC2\x80\xC3\x90\xC2\xB3\xC3\x90\xC2\xB0\xC3\x90\xC2\xBD\xC3\x90\xC2\xB8\xC3\x90\xC2\xB7\xC3\x90\xC2\xB
ts=2026-02-18T21:50:47Z level=error msg="truncating certificate field" err="certificate field too long" field=subject_common_name host_id=32 original_length=304 max_length=255 truncated_value=\xC3\x90\xC2\xA2\xC3\x90\xC2\xB5\xC3\x91\xC2\x81\xC3\x91\xC2\x82\xC3\x90\xC2\xBE\xC3\x90\xC2\xB2\xC3\x90\xC2\xB0\xC3\x91\xC2\x8F\xC3\x90\xC2\x9E\xC3\x91\xC2\x80\xC3\x90\xC2\xB3\xC3\x90\xC2\xB0\xC3\x90\xC2\xBD\xC3\x90\xC2\xB8\xC3\x90\xC2\xB7\xC3\x90\xC2\xB
ts=2026-02-18T21:50:47Z level=error msg="truncating certificate field" err="certificate field too long" field=issuer_org host_id=32 original_length=304 max_length=255 truncated_value=\xC3\x90\xC2\xA2\xC3\x90\xC2\xB5\xC3\x91\xC2\x81\xC3\x91\xC2\x82\xC3\x90\xC2\xBE\xC3\x90\xC2\xB2\xC3\x90\xC2\xB0\xC3\x91\xC2\x8F\xC3\x90\xC2\x9E\xC3\x91\xC2\x80\xC3\x90\xC2\xB3\xC3\x90\xC2\xB0\xC3\x90\xC2\xBD\xC3\x90\xC2\xB8\xC3\x90\xC2\xB7\xC3\x90\xC2\xB
ts=2026-02-18T21:50:47Z level=error msg="truncating certificate field" err="certificate field too long" field=issuer_common_name host_id=32 original_length=304 max_length=255 truncated_value=\xC3\x90\xC2\xA2\xC3\x90\xC2\xB5\xC3\x91\xC2\x81\xC3\x91\xC2\x82\xC3\x90\xC2\xBE\xC3\x90\xC2\xB2\xC3\x90\xC2\xB0\xC3\x91\xC2\x8F\xC3\x90\xC2\x9E\xC3\x91\xC2\x80\xC3\x90\xC2\xB3\xC3\x90\xC2\xB0\xC3\x90\xC2\xBD\xC3\x90\xC2\xB8\xC3\x90\xC2\xB7\xC3\x90\xC2\xB
ts=2026-02-18T21:50:47Z level=error msg="truncating certificate field" err="certificate field too long" field=subject_org host_id=32 original_length=256 max_length=255 truncated_value=\xD0\x90\xD0\x91\xD0\x92\xD0\x93\xD0\x94\xD0\x95\xD0\x96\xD0\x97\xD0\x98\xD0\x9A\xD0\x9B\xD0\x9C\xD0\x9D\xD0\x9E\xD0\x9F\xD0\xA0\xD0\xA1\xD0\xA2\xD0\xA3\xD0\xA4\xD0\xA5\xD0\xA6\xD0\xA7\xD0\xA8\xD0\xA9\xD0\xAA\xD0\xAB\xD0\xAC\xD0\xAD\xD0\xAE\xD0\xAF\xD0\xB
ts=2026-02-18T21:50:47Z level=error msg="truncating certificate field" err="certificate field too long" field=subject_common_name host_id=32 original_length=256 max_length=255 truncated_value=\xD0\x90\xD0\x91\xD0\x92\xD0\x93\xD0\x94\xD0\x95\xD0\x96\xD0\x97\xD0\x98\xD0\x9A\xD0\x9B\xD0\x9C\xD0\x9D\xD0\x9E\xD0\x9F\xD0\xA0\xD0\xA1\xD0\xA2\xD0\xA3\xD0\xA4\xD0\xA5\xD0\xA6\xD0\xA7\xD0\xA8\xD0\xA9\xD0\xAA\xD0\xAB\xD0\xAC\xD0\xAD\xD0\xAE\xD0\xAF\xD0\xB
ts=2026-02-18T21:50:47Z level=error msg="truncating certificate field" err="certificate field too long" field=issuer_org host_id=32 original_length=256 max_length=255 truncated_value=\xD0\x90\xD0\x91\xD0\x92\xD0\x93\xD0\x94\xD0\x95\xD0\x96\xD0\x97\xD0\x98\xD0\x9A\xD0\x9B\xD0\x9C\xD0\x9D\xD0\x9E\xD0\x9F\xD0\xA0\xD0\xA1\xD0\xA2\xD0\xA3\xD0\xA4\xD0\xA5\xD0\xA6\xD0\xA7\xD0\xA8\xD0\xA9\xD0\xAA\xD0\xAB\xD0\xAC\xD0\xAD\xD0\xAE\xD0\xAF\xD0\xB
ts=2026-02-18T21:50:47Z level=error msg="truncating certificate field" err="certificate field too long" field=issuer_common_name host_id=32 original_length=256 max_length=255 truncated_value=\xD0\x90\xD0\x91\xD0\x92\xD0\x93\xD0\x94\xD0\x95\xD0\x96\xD0\x97\xD0\x98\xD0\x9A\xD0\x9B\xD0\x9C\xD0\x9D\xD0\x9E\xD0\x9F\xD0\xA0\xD0\xA1\xD0\xA2\xD0\xA3\xD0\xA4\xD0\xA5\xD0\xA6\xD0\xA7\xD0\xA8\xD0\xA9\xD0\xAA\xD0\xAB\xD0\xAC\xD0\xAD\xD0\xAE\xD0\xAF\xD0\xB
```
https://github.com/user-attachments/assets/31b80643-34fb-42ee-b3a1-19d54fe1d516
#### After
https://github.com/user-attachments/assets/d49c1643-0920-4607-a2f1-fa6bb658c16b
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#38699
The fix will only apply to new Fleet instances. To fix existing Fleet
instances, we need to support rotation:
https://github.com/fleetdm/fleet/issues/40080
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#38351
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
- Including Okta conditional access
## Database migrations
- [x] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [x] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Device authentication tokens now remain valid after automatic refresh,
keeping your Device page URL accessible
* Device tokens are automatically generated when needed during
conditional access authentication
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
**Related issue:** Resolves#35528
Potentially #38983
I avoided adding a migration to fix existing bad platform data. However
a small migration is needed to convert software titles with the source
"pkg_packages" that have a bundle id, to the source "apps".
### Changes
To get an installer with the wrong platform fixed:
- Remove then add back the .pkg installer that showed the wrong platform
to see it create a new title with the correct platform
To get hosts that report the wrong platform in inventory/library fixed:
- Devices would still show the app with the wrong platform in
inventory/library. This happens because there are still entries in
`software` that match the incorrect previous title. All of these entries
need to be deleted for this bug to be fixed. One way for this to happen
is for all hosts with that app to remove it then wait for refetch and
the `vulnerabilities` cron, or be deleted directly in the database where
they should get restored after new refetches.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [x] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#39871
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [ ] QA'd all new/changed functionality manually
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
For unreleased bug fixes in a release candidate, one of:
- [x] Confirmed that the fix is not expected to adversely impact load
test results
Note: this solves https://github.com/fleetdm/fleet/issues/39832
---------
Co-authored-by: Scott Gress <scott@fleetdm.com>
Co-authored-by: Scott Gress <scottmgress@gmail.com>
**Related issue:** Resolves#38955
The query that was causing the lock contention was identified as `DELETE
FROM host_mdm_apple_profiles WHERE ( profile_identifier , host_uuid ) IN
( (...) /* , ... */ )` which corresponds to the query we use to delete
the Apple profiles in Bulk. The query was refactored to utilize the
primary key: (profile_uuid, host_uuid), which removes any kind of table
scanning.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#39260
# Details
Fixes the banner displayed when a team has no enroll secrets to match
similar, non-dismissible warning banners, and corrects the padding
between text and button in the "Add enroll secret" modal empty state.
<img width="773" height="221" alt="image"
src="https://github.com/user-attachments/assets/490f49f1-ccaa-47c7-8ba3-a7de2896d932"
/>
---
<img width="662" height="380" alt="image"
src="https://github.com/user-attachments/assets/0f73b9b8-d625-4f40-ac8d-edb71e9f2a22"
/>
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [ ] Added/updated automated tests
n/a, styling only
- [X] QA'd all new/changed functionality manually
See screenshots above
**Related issue:** Resolves#38654
# Checklist for submitter
This fixes an issue where the status name was wrapping at smaller
viewport sizes on the mdm card of the dashboard page.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#39745
Needed to add a custom matching rule because the Notepad CPE does not
exist in NVD (yet?).
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Added detection and resolution tracking for CVE-2026-20841 affecting
Windows Notepad, resolved in version 11.2510.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
This PR changes 3 things.
1. Validate `admin_url` + all URLs for HTTPS/non-private
2. Add custom `DialContext` hook in fleethttp.NewClient(), this is
needed for DNS-rebinding protection at connection time
3. Validate Smallstep SCEP challenge endpoint
# **IMPORTANT**
There are two validations occurring.
1. `CheckURLForSSRF`
2. `SSRFDialContext`
## Why?
`CheckURLForSSRF` checks the hostname. It resolves DNS, validates the
ip, and then returns an error to the user. It protects certificate
authority create/update API endpoints. But then
`GetSmallstepSCEPChallenge` calls `http.NewRequest(http.MethodPost,
ca.ChallengeURL, ...)` with the original hostname
This is where `SSRFDialContext` comes into play. It fires when an actual
HTTP request is attempted. Meaning Fleet would first build the request,
encode the body, set up TLS, etc., before being blocked at the dial.
`CheckURLForSSRF` stops the operation before any of that work happens.
`SSRFDialContext` protects the actual challenge fetch that happens later
at enrollment time. They're not always called together. The dial-time
check is the only thing protecting the enrollment request and DNS
rebinding.
## Should we remove `CheckURLForSSRF`
This is debatable and I don't have a strong opinion. Removing
`CheckURLForSSRF` would still provide the same protection. However, it
would return a generic connection error from the HTTP client which would
make it slightly hard to diagnose why it is broken.
## What's next
I implemented this for certificate authorities. I am sure there are
other places in the code base that take user submitted urls and could
also use this check. That is outside the scope of this particular PR.
But worthy to investigate in the near future.
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Security**
* Added SSRF protections for validating external URLs and blocking
private/IP-metadata ranges; dev mode can bypass checks for local testing
* **New Features**
* Introduced an SSRF-protected HTTP transport and an option to supply a
custom transport per client
* **Tests**
* Added comprehensive tests covering SSRF validation, dialing behavior,
and resolution edge cases
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#39228
Manually tested by triggering a failover on loadtest.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Health checks now detect a primary DB becoming read-only and report
failure so the service restarts and reconnects to a writable primary.
* Write failures due to DB read-only state now trigger immediate fatal
handling to prompt graceful shutdown and recovery.
* Improved detection and handling of read-only DB conditions to increase
stability during failovers.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#39794
Before –> After
<img width="2015" height="479" alt="Screenshot 2026-02-16 at 1 28 11 PM"
src="https://github.com/user-attachments/assets/5f54b3d0-94d4-4881-8364-d22398289f18"
/>
- [x] Changes file added for user-visible changes in `changes/
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#35561
<img width="647" height="655" alt="Screenshot 2026-02-13 at 4 24 57 PM"
src="https://github.com/user-attachments/assets/b191f8bb-e6b7-4f3d-8819-eccf23a408f8"
/>
- Spot checked all relevant instances of `InputField` (`type="textarea"
and `enableCopy`)
- [x] Changes file added for user-visible changes in `changes/`
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#35044
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Prevented parallel execution of vulnerability jobs when one job runs
longer than two hours, improving job reliability and preventing
concurrent conflicts.
* **Chores**
* Enhanced cron job lock management to better handle long-running
scheduled tasks and prevent premature expiration.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
**Related issue:** Resolves#31633.
Main change is stop relying on `who` command output to get the value of
the DISPLAY variable on X11 sessions (old distributions), and instead
search the value of the `DISPLAY` variable in processes that are owned
by the target user.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] QA'd all new/changed functionality manually
## fleetd/orbit/Fleet Desktop
- [x] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [x] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [x] Verified that fleetd runs on macOS, Linux and Windows
- [x] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Enhanced X11 session detection for improved support in multi-session
environments, providing more reliable display variable identification in
complex session configurations.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
**Related issue:** Resolves#29076
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Vulnerability webhooks are now available for free-tier users.
* **Improvements**
* Refined webhook payload display for free-tier users by removing
certain advanced vulnerability metrics.
* Updated UI text descriptions in automation management to reflect
free-tier vulnerability scanning behavior.
* Simplified permission requirements for accessing automation management
features.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#38889
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Refactor**
* Updated internal logging infrastructure to improve standardization and
maintainability. Logging functionality remains unchanged from an
end-user perspective.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#38431
Attempts to get the ManualAgentInstall config from `ds.TeamLite` in the
case of software installers. In the VPP case, it attempts to get it from
either `ds.TeamByName` or from global `ds.AppConfig` if no team name is
provided.
I had to add some mock functions for TeamLite that were missing, or
missing for the team 0 case. Also added
FLEET_INTEGRATION_TESTS_DISABLE_LOG to disable logs in gitops
integration tests.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [x] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#36355
Docs PR: #39830
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Bug Fixes
* Fixed a database error that could occur when requesting large activity
lists without specifying pagination parameters
* Enforced a maximum limit of 10,000 items per request for activities
endpoints to improve API stability
## Tests
* Added validation test to ensure the per_page limit is properly
enforced
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#30967
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] QA'd all new/changed functionality manually
<img width="884" height="475" alt="Screenshot 2026-02-12 at 4 17 42 PM"
src="https://github.com/user-attachments/assets/169f4046-567e-455d-a6a3-8c70c4628321"
/>
---------
Co-authored-by: jacobshandling <61553566+jacobshandling@users.noreply.github.com>
Co-authored-by: Jacob Shandling <jacob@shandling.dev>
**Related issue:** Resolves#30670
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
**Related issue:** Resolves#39000
<img width="1014" height="626" alt="Screenshot 2026-02-10 at 8 44 22 PM"
src="https://github.com/user-attachments/assets/9d66906f-732e-4376-83c7-24b4deda7665"
/>
- [x] Changes file added for user-visible changes in `changes/
- [x] Added/updated automated tests
- [ ] QA'd all new/changed functionality manually - TODO with [wip API
portion](https://github.com/fleetdm/fleet/issues/39004)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Fleet administrators can now control conditional access bypass on a
per-policy basis
* Added toggles to enable or disable bypass for individual policies
* Enhanced UI with tooltips displaying conditional access provider
configuration details
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves
fleetdm/fleet#123, or remove if NA -->
**Related issue:** Resolvesfleetdm/confidential#14268
The root cause was that the poorly named `checkConfig(replicaConf)` was
mutating the config without it being obvious to developers.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Fixed an issue where MySQL read replica connections were not secured
with TLS. Read replicas now properly use TLS encryption for secure
database connections.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Resolves#38621, #38627, and #38623.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] Added/updated automated tests
- [X] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Release Notes
* **New Features**
* Added a new premium-tier Technician role with read/write permissions
across teams, hosts, policies, queries, and configurations.
* License validation now prevents assigning premium roles on Fleet Free
editions.
* **Bug Fixes**
* Updated role-based access controls across team management pages to
properly restrict technician access.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#37182
# Details
The `policy_membership` table records pass/fail status for each (host,
policy) tuple where the policy targets that host and has run at least
once on the host. It's used to get the # of failing policies for a host,
for the Fleet Desktop icon menu as well as the Policies badge on the
host details page.
When a policy changes materially (e.g. the query changed) we wipe all of
the `policy_membership` records for it, and if the `platform` changes we
_selectively_ wiped records for hosts that no longer met the platform
requirements. This PR adds logic to selectively wipe records for hosts
that no longer meet _label_ requirements when those requirements change.
This fixes issues where a policy would change which labels it applied
to, but hosts that weren't members of the new label set would still show
failures for that policy when clicking the Fleet Desktop icon.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [X] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
## Testing
- [X] Added/updated automated tests
- [X] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [X] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#39634
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves #
https://github.com/fleetdm/confidential/issues/14236
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#34990
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [ ] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#34620
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Bug Fixes
* Fixed an issue where macOS app names could become empty after removing
the ".app" extension. The app name extraction logic now correctly
handles edge cases, ensuring app names are properly ingested without
empty values.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#38534
moved `/api/_version_/fleet/hosts/{id:[0-9]+}/activities` endpoint and
`MarkActivitiesAsStreamed` to activity bounded context
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added new endpoint to retrieve host-specific past activities with
pagination metadata.
* **Refactor**
* Refactored activity service architecture and authorization layer to
improve data provider integration and activity streaming capabilities.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#36361
This PR adds some additional debug logging to log hostUUID:profileUUID
when renewing MDM managed certificates.
Also adds log statements when processing a profile, when hitting NDES or
Smallstep (not SCEP as it's a static challenge, that is fetched and
replaced, no external calls).
NDES: If we get a successful call (which is the standard, with errors on
the HTML page), we debug log, the entire HTML response, and the request
duration.
Smallstep: Normal API errors, non OK we log: status code, the status
text, the request duration, and spit out the entire body (max 2mb), if
more than 2mb we don't log the response body.
I tried looking for more relevant places, but couldn't really find any
that would make sense to log for this ticket.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [ ] Added/updated automated tests
- [x] QA'd all new/changed functionality manually -> Did a quick test
for some of the logs, but the NDES one is not really easy to verify.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#39304 (part of #25080)
Implemented similar approach to
https://github.com/fleetdm/fleet/pull/39302, with the difference that
the list policies endpoint does not include a count, and there is a
separate endpoint. I extended the count policies endpoint to include an
`inherited_policy_count`.
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#39303 (child of #25080).
- Added `inherited_query_count` to `ListQueriesResponse` (thought of
adding a brand new endpoint just for counting, but felt like extending
the current one was good enough). In the parent task, [it was
suggested](https://github.com/fleetdm/fleet/issues/25080#issuecomment-3326071574)
to `"Depend on team list entity endpoint's count field / team entity
count endpoint for whether or not to disable the manage automations
button"`, which Rachael approved, so I went for this approach.
- The `ManageQueryAutomationsModal` now fetches its own data with
`merge_inherited = false` (meaning it only fetches non-inherited queries
only). Previously, queries were passed down as props to it, which would
not show the queries available to automate if the first page of queries
were all inherited and the second page contained queries for that team
(the user would have to navigate to the second page for the button to be
enabled).
^ The fact that the modal fetches its own data is similar behavior to
what is currently done in `Policies`. For queries, I noticed that we
would need to add pagination within the `Manage Automations` modal, but
that can be a follow-up.
<img width="2480" height="1309" alt="Screenshot 2026-02-04 at 11 48
42 AM"
src="https://github.com/user-attachments/assets/ebac79a5-a793-4708-9313-d9a697dfd7de"
/>
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] QA'd all new/changed functionality manually
https://github.com/user-attachments/assets/119f03b9-dde1-4bb9-9fee-6204b1a58879
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#39264
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
## Database migrations
- [x] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [x] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [x] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
For #39522. Guessing this doesn't resolve goreleaser issues though?
Tested with this branch (shows a snapshot), `4.77.9-plus-sparklies`,
`v4.77.12-without-sparkles`, and `rc-patch-fleet-v4.77.7` locally to
make sure this behaves properly.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
## Testing
- [x] QA'd all new/changed functionality manually
---------
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: iansltx <472804+iansltx@users.noreply.github.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#38607
Contributor docs update:
https://github.com/fleetdm/fleet/pull/39285/changes
Another contributor docs update:
https://github.com/fleetdm/fleet/pull/39402/changes
Also:
- renamed OtelHandler to OtelTracingHandler
- made "opentelemetry" be the default when tracing is enabled
- updated OTEL dependencies
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
## New Fleet configuration settings
- [x] Setting(s) is/are explicitly excluded from GitOps
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added OpenTelemetry log export capability, enabling logs to be sent to
OpenTelemetry collectors.
* New configuration option `logging.otel_logs_enabled` (requires tracing
to be enabled).
* **Chores**
* Updated OpenTelemetry dependencies to v1.40.0 with latest OTLP
exporters and logging support.
* Updated dependencies including gRPC (v1.78.0), Google libraries, and
cryptography packages.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
**Related issue:** Resolves#38543
- Fixed `filterHostsByOSSettingsDiskEncryptionStatus` using the wrong
subquery for action_pendig
- Added checks against `host_mdm` and `nano_enrollments` to FileVault
summary counts to match ListHosts behaviour.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
- Tested that a macOS host with action_pending shows up in the list
hosts page
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#38878 and #38879
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#38911
* Fixed false positive CVE for Nextcloud Desktop.
* Fixed rare CPE error when software name sanitizes to empty (e.g. only
special characters)
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Fixed false positive vulnerability detection for Nextcloud Desktop
* Resolved error occurring when software names contain only special
characters and sanitize to empty
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#39293
Contributor's fix: https://github.com/fleetdm/fleet/pull/39367
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] Added/updated automated tests
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [X] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [X] Added/updated automated tests
- [X] QA'd all new/changed functionality manually
---------
Co-authored-by: Magnus Jensen <magnus@fleetdm.com>
**Related issue:** Resolves#37219
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] QA'd all new/changed functionality manually
Resolves#35366
The false negative was caused by a mismatch in product name translation
for `acrobat_reader_dc`. The resolution required platform-specific logic
to accurately identify the "Document Cloud" (DC) variants.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#35613
Android profiles will now show up in the UI as "pending" immediately on
a profile upload, to match Apple profiles behavior. Previously, you
would have to wait until the `mdm_android_profile_manager` cron job for
them to show up and actually install them.
This could cost a little bit of performance, but is the existing
behavior for Apple profiles.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [x] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually:
- Adding an Android profile adds it to null in
host_mdm_android_profiles, which makes it show up as “pending”
immediately in the UI. When `mdm_android_profile_manager` runs it sets
them to pending in the database instead of null.
- Deleting a profile will also cause all profiles to become pending
immediately.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#35659
Adds profiles that failed before to the list of profiles that get
reverified on an Android device's status report.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [x] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
**Related issue:** Resolves#39158 / #39308
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#38889
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Structured logging with selectable JSON/text output and optional trace
correlation (trace_id, span_id).
* Backward-compatible output (ts timestamp, lowercase levels) and
adapter to interoperate with existing logging calls.
* **Refactor**
* Simplified logger initialization and centralized slog-based logging
infrastructure.
* **Tests**
* Extensive tests and a test handler for logging behavior, formats,
levels, and trace injection.
* **Chores**
* Added package-level dependency check for the logging package.
<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#39048
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [X] Added/updated automated tests
- [X] QA'd all new/changed functionality manually
- After doing a "forgot password", then logging in and changing password
manually, the "reset password" link I received no longer allows
resetting password
- Changing my password via the UI clears the my session and forces
re-login
- Changing another user's password via the UI clears their session and
forces re-login
- Upon first login for a new user, after forced password change, user's
session is _not_ cleared (they continue to home screen as expected)
- After clicking "require password reset" for a user, logging in as that
user, and changing password, user's session is _not_ cleared (they
continue to home screen as expected)
Updated documentation, backend, frontend, and tests to set the OS update
enforcement deadline to 19:00 (7PM) local time instead of noon. This
ensures consistency across user-facing text, API docs, configuration
files, and the MDM payload.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#38834
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
---------
Co-authored-by: Magnus Jensen <magnus@fleetdm.com>
Resolves#38582
* Updated front end to prevent entraPhase state to be overwritten over and over again by useQuery + useEffect.
* Refactored UI displayed when entraPhase is in confirming state.
**Related issue:** Resolves#33296
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
## Testing
- [x] Added/updated automated tests
- [ ] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
**Bug Fixes**
- Disk encryption key escrowing now only proceeds when disk encryption
is explicitly enabled at the global or team level.
**Tests**
- Significantly expanded test coverage for Mobile Device Management,
including VPP app handling, device enrollment workflows, host lock/wipe
operations, SCEP proxy integrations, and DigiCert certificate handling.
<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#36494
Fixes:
- Allow matching software to title solely by non-empty upgrade code
- Match names case-insentive and trimmed whitespace and special unicode
characters (in our osquery-perf dataset)
- Match bundle ID case-insensitive
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Different variations/versions of the same software that share the same
upgrade code are now unified under a single software title, preventing
duplicate titles and improving linkage across releases.
* **Tests**
* Added a test verifying that entries with the same upgrade code but
different names link to an existing shared title.
<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#38666
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#38975
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
**Related issue:** Resolves#35194
The NVD database for CVE-2023-28205 contains two broad CPE match rules:
Safari: Any version < 16.4.1 is vulnerable
macOS: Any version < 13.3.1 is vulnerable
The problem is Safari versions 13.x, 14.x, and 15.x were never actually
vulnerable to this CVE and macOS versions 10.x, 11.x, and 12.x never
received a system-level fix for this CVE.
Apple fixed the cve in two ways
1. Safari 16.4.1 standalone update
2. macOS Ventura 13.3.1 system update fix at the OS level
This is why there is such a complicated `IgnoreIf` for the
`CPEMatchingRule`.
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [ ] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Release Notes
* **Bug Fixes**
* Improved accuracy of Safari CVE-2023-28205 vulnerability detection
with version-specific filtering for Safari 16.0-16.4.0 and macOS
Ventura.
* **Tests**
* Added comprehensive test coverage for CVE-2023-28205 across multiple
Safari versions and macOS releases.
<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#37072
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
Currently in Fleet Device Management, there is no support for Apple
iPods.
Eventhough iPods are considered vintage by Apple already, we still use
them and I know that in various companies they are still used as a low
cost device within the company. (eg. shops/warehouses to look up stock
levels)
Currently, enrolling an iPod through ABM, results in the device being
recognised as a Mac device.
With this PR, I'd like to add support for iPods, similar functionality
as iPhones to Fleet, simply as iOS device, which works fine. Considering
that all commands are the same (if available) and considering iPods
aren't updated anymore, I don't think we need to explicitly mention it,
perhaps just in docs, and add them to a separate category than iPhones.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
- [ ] Added/updated automated tests
- I have not added automated tests since it'd basically be a 1:1 copy of
iPhone tests
- [x] Manual QA for all new/changed functionality
> Follows up on discussion from #27263 with @noahtalerman
Manual QA:
- adding an iPod in ABM results in the device being recognised as iOS
<img width="1754" alt="overview"
src="https://github.com/user-attachments/assets/7681c613-2b34-489a-8b94-10eff8977e19"
/>
<img width="1766" alt="detail-abm"
src="https://github.com/user-attachments/assets/f88c8e84-e55f-4c5f-8998-8b6697b57abc"
/>
- after enrolling the iPod through setup, it is correctly synced with
Fleet and all commands are possible. (tried Restart, Rename device, push
apps)
<img width="1766" alt="ipod-post-sync"
src="https://github.com/user-attachments/assets/7668942e-b110-4c38-a448-b6027419507c"
/>
- enrollment video (can be uploaded if needed)
- manual enrollment works fine too (using Enroll url)
---------
Co-authored-by: Gabriel Hernandez <ghernandez345@gmail.com>
**Related issue:** Resolves#37944
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] QA'd all new/changed functionality manually
## New Fleet configuration settings
- [x] Setting(s) is/are explicitly excluded from GitOps (it's a server
configuration)
**Related issue:** Resolves#34521
Updated NDES add/edit modal:
<img width="649" height="592" alt="Screenshot 2026-01-27 at 11 29 20 PM"
src="https://github.com/user-attachments/assets/88a083e5-0ba3-40b9-9668-5cd0bfa427a1"
/>
Also - CA descriptions made consistent between modal and list:
<img width="1424" height="934" alt="Screenshot 2026-01-28 at 10 13
43 AM"
src="https://github.com/user-attachments/assets/b2266e45-30e7-40ad-b5b1-d1fa2cf97952"
/>
<img width="738" height="572" alt="Screenshot 2026-01-28 at 11 19 13 AM"
src="https://github.com/user-attachments/assets/b7e133a8-a055-41f7-b074-2f0db74f257c"
/>
- [x] Changes file added for user-visible changes in `changes/`
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added support for dynamic SCEP challenges for Okta certificates.
* **Improvements**
* Enhanced help text for NDES form fields with clearer references to
Network Device Enrollment Service configuration details.
* Align CA descriptions between cert list and cert options dropdown in
Add/Edit CA modal
* Improve organization of relevant code
<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#36335
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Fixed false negative CVE vulnerability detection for 7-Zip
installations on Windows (MSI). Version numbers are now correctly
normalized to industry standards, enabling accurate identification of
applicable security vulnerabilities for this software.
<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#37957
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Bug Fixes
* **Enhanced pgAdmin 4 vulnerability detection** – Improved the system's
ability to identify pgAdmin 4-related vulnerabilities across multiple
platforms and installation configurations, addressing previously
undetected security issues.
<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
**Related issue:** Resolves#35281
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Fixed false positives when detecting security vulnerabilities in
Microsoft 365 companion apps by improving targeting accuracy.
<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#37651
Switched to issue the SCEP fleet challenge on demand instead of ahead of
time.
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Resolved Android certificate enrollment failures caused by SCEP
challenge expiration during offline periods, improving enrollment
reliability when devices lack connectivity.
* **Improvements**
* Certificate challenges are now generated on-demand when requested by
devices, rather than pre-generated, enhancing offline enrollment
support.
<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#35717
# Details
This PR adds a check before enqueuing setup experience items, so that if
the specified host has already been enrolled for > 24 hours we skip the
setup experience. This handles the edge case where an enrolled host
upgrades from an Orbit version that didn't support setup experience to
one that does.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [X] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
## Testing
- [X] Added/updated automated tests
- [X] QA'd all new/changed functionality manually
I didn't go through the process of getting a 1.48.1 fleetd installation
on my VM, but I tested in this way:
1. Installed fleetd on a host to a team with no setup experience items
2. Manually adjusted the `last_enrolled_at` date of that host's db
record to be > 24 hours in the past.
3. After enrollment, added setup experience items to that team. No setup
window popped up (expected).
4. Deleted the `setup_experience.json` file on that host and restarted
Orbit.
5. On `main` branch, the setup experience window popped up. When
repeating these steps on this branch, no window popped up.
6. Also verified that for a new enrollment wiht `last_enrolled_at` in
the last 24 hours, the setup experience window popped up as expected.
