Multiple customers have now requested scripts for setting hostnames on
macOS, and a couple for Linux. This adds scripts to the solutions folder
for that purpose.
Linux tested against `Ubuntu 26.04` and `openSUSE Tumbleweed`
macOS tested against `Tahoe 26.4.1`
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Added an automated Linux hostname configuration solution that derives
a hostname from the device serial, applies it system-wide, and updates
host entries.
* Added an automated macOS hostname configuration solution that sets
ComputerName/LocalHostName/HostName from the device serial and reports
the new hostname.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
The SCEP profile for NDES certificate authority requires the
$FLEET_VAR_SCEP_RENEWAL_ID variable in the Subject OU field. Without
this, GitOps runs fail with an error about missing variables.
https://claude.ai/code/session_01DW2rrUmrxsTaD3t5J66Xz4
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves #
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [ ] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [ ] QA'd all new/changed functionality manually
For unreleased bug fixes in a release candidate, one of:
- [ ] Confirmed that the fix is not expected to adversely impact load
test results
- [ ] Alerted the release DRI if additional load testing is needed
## Database migrations
- [ ] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [ ] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [ ] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
## New Fleet configuration settings
- [ ] Setting(s) is/are explicitly excluded from GitOps
If you didn't check the box above, follow this checklist for
GitOps-enabled settings:
- [ ] Verified that the setting is exported via `fleetctl
generate-gitops`
- [ ] Verified the setting is documented in a separate PR to [the GitOps
documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485)
- [ ] Verified that the setting is cleared on the server if it is not
supplied in a YAML file (or that it is documented as being optional)
- [ ] Verified that any relevant UI is disabled when GitOps mode is
enabled
## fleetd/orbit/Fleet Desktop
- [ ] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [ ] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [ ] Verified that fleetd runs on macOS, Linux and Windows
- [ ] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
Co-authored-by: Claude <noreply@anthropic.com>
## Summary
- Adds Fleet's dynamic SCEP challenge (Okta CA with a dynamic challenge,
available since Fleet 4.81.0) as the recommended path for Device Access
certificates on macOS 14+
- Preserves static SCEP as a documented legacy option, each with its own
downloadable example profile
- Adds `okta-device-access-scep-dynamic-example.mobileconfig` using
`$FLEET_VAR_NDES_SCEP_PROXY_URL` and `$FLEET_VAR_NDES_SCEP_CHALLENGE`;
existing static example profile unchanged
- Corrects renewal claim: neither static nor dynamic SCEP supports
automatic certificate renewal per Okta's own documentation — both
require profile redeployment before expiration
- Adds Okta documentation links throughout for proper SEO and
cross-reference:
- [Use Okta as a CA for Device
Access](https://help.okta.com/oie/en-us/content/topics/oda/oda-as-scep-okta-ca.htm)
- [Configure Okta as a CA with a dynamic SCEP
challenge](https://help.okta.com/oie/en-us/content/topics/identity-engine/devices/okta-ca-dynamic-scep-macos-jamf.htm)
- [Configure Okta as a CA with a static SCEP
challenge](https://help.okta.com/oie/en-us/content/topics/identity-engine/devices/okta-ca-static-scep-macos-jamf.htm)
- Uses correct Fleet UI path and CA type name verified against
`helpers.tsx` and the 4.81.0 release article
- Uses Okta's exact field names (SCEP URL, Challenge URL, Username,
Password) verified from Okta's documentation
- Updates `publishedOn` to reflect the revision date
## Files changed
- `articles/deploying-okta-platform-sso-with-fleet.md` — article update
-
`docs/solutions/macos/configuration-profiles/okta-device-access-scep-dynamic-example.mobileconfig`
— new dynamic SCEP example profile
-
`docs/solutions/macos/configuration-profiles/okta-device-access-scep-example.mobileconfig`
— unchanged (static example)
## Test plan
- [ ] Article renders correctly on fleetdm.com preview
- [ ] Dynamic example profile link resolves:
`okta-device-access-scep-dynamic-example.mobileconfig`
- [ ] Static example profile link resolves:
`okta-device-access-scep-example.mobileconfig`
- [ ] All Okta documentation links resolve
- [ ] Fleet UI path verified: **Settings → Integrations → Certificate
authorities → Add CA → Okta CA or Microsoft Device Enrollment service
(NDES)**
- [ ] Fleet variables `$FLEET_VAR_NDES_SCEP_PROXY_URL` and
`$FLEET_VAR_NDES_SCEP_CHALLENGE` confirmed in Fleet docs
- [ ] Meta tags present with updated `publishedOn` date
- [ ] Style guide compliance verified (active voice, bold UI elements,
no marketing fluff)
@ddribeiro After talking with Noah about troubleshooting and logs, I
thought it would be good if we created a user-facing guide for
troubleshooting. Our CSEs frequently send the same troubleshooting
information to customers when they report issues. We can empower
customers with one resource that they can work through, reducing the
significant amount of time in back-and-forth steps sent over Slack.
Also, we've talked about pulling the "Finding fleetd logs" section out
of the [Enroll hosts](https://fleetdm.com/guides/enroll-hosts) guide.
Perhaps when this is complete, we can link to this document from that
guide.
This certainly doesn't contain everything! Please bring the CSEs in to
flesh this out since they're in the day-to-day and have much more
knowledge regarding this than I do.
---------
Co-authored-by: Brock Walters <153771548+nonpunctual@users.noreply.github.com>
Discussed at
https://macadmins.slack.com/archives/C0214NELAE7/p1769719765777279
- The endpoints for marking a device as unmanaged and sending an
unmanage command were deprecated and no longer work. The endpoint for
looking up a device by serial number was also deprecated, so I've
proactively updated it.
- The whole story is now refactored and simplified.
- Also fixed a link in the `tines` README.
Fixing broken links in the article to point to absolute paths.
---------
Co-authored-by: Brock Walters <153771548+nonpunctual@users.noreply.github.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves #
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [ ] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [ ] QA'd all new/changed functionality manually
For unreleased bug fixes in a release candidate, one of:
- [ ] Confirmed that the fix is not expected to adversely impact load
test results
- [ ] Alerted the release DRI if additional load testing is needed
## Database migrations
- [ ] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [ ] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [ ] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
## New Fleet configuration settings
- [ ] Setting(s) is/are explicitly excluded from GitOps
If you didn't check the box above, follow this checklist for
GitOps-enabled settings:
- [ ] Verified that the setting is exported via `fleetctl
generate-gitops`
- [ ] Verified the setting is documented in a separate PR to [the GitOps
documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485)
- [ ] Verified that the setting is cleared on the server if it is not
supplied in a YAML file (or that it is documented as being optional)
- [ ] Verified that any relevant UI is disabled when GitOps mode is
enabled
## fleetd/orbit/Fleet Desktop
- [ ] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [ ] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [ ] Verified that fleetd runs on macOS, Linux and Windows
- [ ] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
