Commit graph

2922 commits

Author SHA1 Message Date
Marko Lisica
d8c3324763
Fix wrong examples for certificates SN (#43317)
Documentation is wrong, we use `,` instead of `/`.

---------

Co-authored-by: Rachael Shaw <r@rachael.wtf>
2026-04-14 11:45:50 -05:00
Nico
852ec6f807
Improve Windows Autopilot dev setup docs with custom domain (#42831)
- Added custom domain + ngrok setup instructions for local Autopilot
testing (Entra requires a verified domain, not raw ngrok URLs).
- Clarified that `FLEET_DEV_DOWNLOAD_FLEETDM_URL` is a server runtime
env var requiring `--dev` mode.
2026-04-13 11:42:23 -03:00
Victor Lyuboslavsky
adfe6b59bb
Update contributor docs for Bitlocker (#43241)
**Related issue:** Resolves #40809
2026-04-13 09:02:43 -05:00
kilo-code-bot[bot]
7b49a20f7c
Move enable_custom_os_updates_and_filevault and allow_all_declarations to Fleet server configuration (#42938)
- @noahtalerman: We decided to stop calling the settings experimental
and just warn in the docs what happens if you turn it on. That way we’re
not calling them “experimental” which feels unsafe. They're not
experimental; they're just deliberately allowing custom profiles.
2026-04-13 09:55:18 -04:00
Tim Lee
1f45f5383a
Add Windows Program Files scan for software without registry entries (#42992) 2026-04-11 13:42:50 -06:00
Harrison Ravazzolo
f091018166
Update docs - custom_settings > configuration_profiles (#42968)
Co-authored-by: Rachael Shaw <r@rachael.wtf>
2026-04-10 15:10:03 -05:00
Victor Lyuboslavsky
58563852f0
Bitlocker: do not decrypt already encrypted drive. (#43130)
**Related issue:** Resolves #40809

**Orbit agent: key rotation replaces decrypt-then-re-encrypt:**
- When the disk is already encrypted, orbit now adds a new Fleet-managed
recovery key protector, removes old ones, and escrows the new key. The
disk is never decrypted.
- If key escrow fails, the rotated key is cached in memory and retried
on subsequent ticks without rotating again.
- Removes `DecryptVolume` and `decrypt()` (no longer called from
production code).

**Server: osquery query returns both protection_status and
conversion_status:**
- The `disk_encryption_windows` query now returns both columns instead
of just checking `protection_status = 1`. This lets the server correctly
identify a disk as encrypted via `conversion_status = 1` even when
`protection_status = 0`.
- New `directIngestDiskEncryptionWindows` function parses both values,
handles parse errors, and normalizes `protection_status = 2` (unknown)
to NULL.

**Server: new `bitlocker_protection_status` column and status logic:**
- Adds `bitlocker_protection_status` column to `host_disks` (DB
migration).
- When a disk is encrypted and key is escrowed but protection is off,
the host shows "Action required" with a detail message explaining the
issue, instead of misleadingly showing "Verified."
- `protection_status = 2` (unknown) and `NULL` (older orbit hosts) are
treated as protection on for backward compatibility.
- The `profiles_verified` and `profiles_verifying` branches in the
combined profiles+BitLocker summary now handle
`bitlocker_action_required`, counting those hosts as "pending".

Contributor docs updates: https://github.com/fleetdm/fleet/pull/43241
Public docs updates: https://github.com/fleetdm/fleet/pull/43243/changes

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.

## Testing

- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually

## Database migrations

- [x] Checked schema for all modified tables for columns that will
auto-update timestamps during migration.

## fleetd/orbit/Fleet Desktop

- [x] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [x] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [x] Verified that fleetd runs on macOS, Linux and Windows
- [x] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))


## Summary by CodeRabbit

## Release Notes

* **Bug Fixes**
* Fixed Windows BitLocker encryption/decryption request loop on systems
with secondary drives and auto-unlock.

* **New Features**
* Added BitLocker recovery key rotation capability, allowing safe key
updates without full disk re-encryption.
* Enhanced BitLocker protection status tracking to correctly display
"Action required" when protection is disabled.

2026-04-09 18:33:03 -04:00
Steven Palmesano
fc370dcd3d
Update Android password policy and clarify how it works with BYOD (#43374) 2026-04-09 17:29:14 -05:00
Mitch Francese
ef405aa4de
Add missing $FLEET_VAR_SCEP_RENEWAL_ID to Okta Platform SSO guide (#42847)
The SCEP profile for NDES certificate authority requires the
$FLEET_VAR_SCEP_RENEWAL_ID variable in the Subject OU field. Without
this, GitOps runs fail with an error about missing variables.

https://claude.ai/code/session_01DW2rrUmrxsTaD3t5J66Xz4

**Related issue:** Resolves #

Co-authored-by: Claude <noreply@anthropic.com>
2026-04-09 16:16:19 -04:00
Steven Palmesano
18740844ff
Add Android config profile to set default web browser (#43073)
Created and tested for `pingali`.
2026-04-09 15:31:24 -04:00
Mitch Francese
e21e3a7f67
Docs: Clarify MySQL read replica config is independent from primary (#43013)
## Summary

- Clarifies in the MySQL docs intro that read replica configuration is
fully independent — no values are inherited from the primary config
- Adds explicit callout that `mysql_read_replica_region` must be set
separately when using IAM authentication
- Adds note to `mysql_tls_config` explaining that this setting is
typically not needed for RDS IAM auth since Fleet uses bundled RDS CA
certificates (including GovCloud regions)

These changes address real-world customer confusion where a GovCloud
deployment failed because `FLEET_MYSQL_READ_REPLICA_REGION` was not set
independently of `FLEET_MYSQL_REGION`.

Note: related to #39832

## Testing

Documentation-only change — no code impact.
2026-04-08 17:43:14 -05:00
Adam Baali
9783fe3cdf
Update yaml-files.md (#43144)
Add script-only package documentation to the packages section.

Script-only packages (.sh and .ps1 files) are a supported package type
but had no example or guidance in the YAML configuration docs. This adds
a "Script-only" example after the existing URL and Hash examples,
documenting:

- Script-only packages must be configured inline in the team YAML file
- self_service, categories, labels, and icon are specified inline
- Script packages do not support install_script, uninstall_script,
post_install_script, pre_install_query, or automatic install
- Separate package YAML files are not currently supported for
script-only packages
2026-04-08 17:09:02 -05:00
Steven Palmesano
f18ad57f3e
Clarify that not all Linux distros require the GNOME extension (#43297)
Discussed [on
Slack](https://fleetdm.slack.com/archives/C084F4MKYSJ/p1775590096837909).
2026-04-08 17:07:59 -05:00
Magnus Jensen
a3baff76c7
remove unused disk encryption type (#42974)
**Related issue:** Resolves #38647 

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.

- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
- [x] Timeouts are implemented and retries are limited to avoid infinite
loops
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes

## Testing

- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
2026-04-08 17:05:25 -05:00
Noah Talerman
bf0df1c157
Revise simulated hosts instructions (#43288) 2026-04-08 16:22:55 -05:00
Victor Lyuboslavsky
b147afe4f0
Telemetry attribute naming conventions (#43036) 2026-04-08 15:59:33 -05:00
melpike
52f888a0d2
[Activity] Document rotated recovery lock password activity (#43178)
Added documentation for rotated recovery lock password activity,
including fields and example.
To fix some lost changes:
https://github.com/fleetdm/fleet/issues/37498#issuecomment-4201936975

**Related issue:** Resolves #37498
2026-04-07 15:52:27 -05:00
Victor Lyuboslavsky
48a2a159aa
Document after and related API params. (#42844)
**Related issue:** Resolves #41249
2026-04-03 18:03:25 -05:00
melpike
9eb1e2a684
Update Windows supported versions in FAQ (#42838)
Updating supported version of Windows based on active Windows support:
https://endoflife.date/windows

**Related issue:** #42144
2026-04-03 16:37:11 -05:00
Copilot
b29f7bc823
docs: clarify host-linked activity preservation in activity_expiry_settings (#42811)
Resolves #40692

The `activity_expiry_enabled` description implied all activities older
than the configured window are deleted. In reality, activities linked to
a host (via `host_activities`) are exempt and persist until the host is
deleted.

## Changes

- **`docs/REST API/rest-api.md`**: Appended clarification to
`activity_expiry_enabled` description: _"Activities linked to a host are
preserved until the host is deleted."_

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: getvictor <2685025+getvictor@users.noreply.github.com>
2026-04-03 16:31:26 -05:00
Jordan Montgomery
5ced911c08
Add retry considerations to PR template and design/qa considerations (#42856)
**Related issue:** Action items for #40725 postmortem

Added in both places because we should consider these things both when
working on bugs and drafting new features. #40725 happened because what
was thought to be a temporary state had no limits on retries

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2026-04-02 11:03:14 -05:00
Rachael Shaw
f73478248d
Docs: Fix API endpoint heading (#42822)
h4 -> h3
2026-04-01 12:03:57 -05:00
Rachael Shaw
1ad8b03337
Preview of v4.83.0 doc changes (#39805)
This PR will remain in draft as a preview of upcoming documentation
changes for 4.83.0

---------

Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com>
Co-authored-by: Jordan Montgomery <elijah.jordan.montgomery@gmail.com>
Co-authored-by: melpike <79950145+melpike@users.noreply.github.com>
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
Co-authored-by: Victor Lyuboslavsky <2685025+getvictor@users.noreply.github.com>
Co-authored-by: Scott Gress <scottmgress@gmail.com>
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Co-authored-by: Jonathan Katz <44128041+jkatz01@users.noreply.github.com>
Co-authored-by: kilo-code-bot[bot] <240665456+kilo-code-bot[bot]@users.noreply.github.com>
Co-authored-by: Carlo <1778532+cdcme@users.noreply.github.com>
2026-04-01 11:21:11 -05:00
Rachael Shaw
999e17877e
Document default per-page for /os_versions API endpoint (#42703)
**Related issue:** Resolves #38000
2026-03-30 18:02:23 -05:00
Ian Littman
c9d97d01ce
Switch recommended Redis version to 7 (#42694)
We're keeping the tested version at 6 for now until we have a CI matrix
to test multiple versions. We run both 6.x and 7.x in production and if
we shipped 7+ code we'd break things.

This PR also fixes a spot I missed when mentioning MySQL version
compatibility.
2026-03-30 17:29:29 -05:00
Magnus Jensen
188dbcce0d
Add missing space in note in Reference Architectures documentation (#42622) 2026-03-30 17:20:15 -05:00
Victor Lyuboslavsky
42ccc344d2
Added Android cert activity logging (docs) (#42609)
**Related issue:** Resolves #37546
2026-03-30 17:18:11 -05:00
Rachael Shaw
579801bdfb
GitOps docs: Clarify how to use labels_include_any with policies (#42612)
**Related issue:** Resolves
https://github.com/fleetdm/fleet/issues/38113
2026-03-27 18:00:08 -05:00
Noah Talerman
55de586df9
Starter library matches fleets in fleetctl new templates (#42554)
For the following task:
- https://github.com/fleetdm/fleet/issues/41409
2026-03-27 14:37:05 -05:00
Victor Lyuboslavsky
544d2a4731
ADR: Attribute naming conventions for logs, traces, and metrics (#41818)
We are planning to productize OTEL for our on-prem customers. This makes
our on-prem offering more attractive against our competition. As part of
our on-prem story, we need to make telemetry a first-class experience.

---------

Co-authored-by: Luke Heath <luke@fleetdm.com>
2026-03-27 13:48:15 -05:00
kitzy
eb73c02737
Fix Jamf sync script to update IDP username field instead of other emails (#42335)
The script now correctly sets the 'idp' source when updating device
mappings, which updates the IDP username field that Fleet uses for
profile variables and IDP-related features, rather than adding to the
'other emails' field.
2026-03-26 11:15:36 -04:00
Lucas Manuel Rodriguez
0b8c29198b
Make orbit and Fleet Desktop not depend on server/service/ packages (#42231)
Resolves #40396.

No changes file because there should be no user visible changes.

## Testing

- [x] QA'd all new/changed functionality manually

## fleetd/orbit/Fleet Desktop

- [x] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [X] Verified that fleetd runs on macOS, Linux and Windows
- [X] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
2026-03-26 10:59:42 -03:00
Marko Lisica
9537f35923
[Contributor docs] Testing WiFi with EAP TLS (#41630)
Instructions on how to test EAP-TLS with FreeRADIUS and micromdm/scep.

Links to [this guide](https://github.com/fleetdm/fleet/issues/42324)
(not merged yet).

---------

Co-authored-by: Steven Palmesano <3100993+spalmesano0@users.noreply.github.com>
2026-03-26 10:30:10 +01:00
Noah Talerman
b06f673730
Agent configuration reference: Clarify downgrading (#42398)
Context:
https://fleetdm.slack.com/archives/C06GSN6HR6D/p1774451265061229
2026-03-25 16:44:01 -05:00
Gray Williams
330842209b
Fix typo under pricing faq (#42319)
Fix typo under the pricing faq entry

Co-authored-by: Mitch Francese <2227948+tux234@users.noreply.github.com>
2026-03-24 15:14:02 -05:00
Noah Talerman
c48e13896a
Config for contributors reference (#42303)
- Make experimental `allow_all_declarations` use language that's
consistent w/ the FileVault/OS updates experimental config
2026-03-24 15:13:50 -05:00
Jonathan Katz
c10df65288
Software documentation updates (#42164)
A few small changes to the Contributing documentation as part of oncall
responsibility.
2026-03-24 12:39:47 -04:00
Marko Lisica
6cd80d3c51
[Docs] VPP is not returned in fleetctl get config if set via UI or API (#42071)
Related to:

- #39641
2026-03-24 16:17:34 +01:00
Noah Talerman
02af994bb2
Renaming: YAML reference (#42115)
Part of the following issue:
- #41419
2026-03-23 17:55:18 -05:00
Lucas Manuel Rodriguez
6816a8294e
Update host vitals docs (#42254)
This is breaking CI on PRs.
2026-03-23 15:00:51 -03:00
Victor Lyuboslavsky
ea22c8087b
Bind docker ports to 127.0.0.1 (#42232)
**Related issue:** Resolves #42226

When doing dev in a remote environment, like a public cloud VM, don't
expose ports to the public.
This is a contributor security improvement.

The localstack fail is present on main, and was not caused by this
change:
https://github.com/fleetdm/fleet/actions/runs/23439965808/job/68187858627

# Checklist for submitter

## Testing

- [x] QA'd all new/changed functionality manually


## Summary by CodeRabbit

* **Chores**
* Docker Compose configuration updated across multiple services (Redis,
MySQL, mail, monitoring, and storage services) to restrict port bindings
to localhost only instead of all network interfaces.
* Documentation Docker Compose examples updated to reflect
localhost-only port binding for core services.

2026-03-23 12:30:23 -05:00
salgattll
ae269f8967
Add Flatcar Container Linux and CoreOS to recognized Linux platforms (#42186)
Resolves #42185

## Summary

- Added `flatcar` and `coreos` to `HostLinuxOSs` in
`server/fleet/hosts.go`
- Added both to `HostNeitherDebNorRpmPackageOSs` (neither distro uses
deb or rpm)
- Added both to `HOST_LINUX_PLATFORMS` in
`frontend/interfaces/platform.ts`
- Added test cases in `server/fleet/hosts_test.go`
- Updated platform lists in
`docs/Contributing/product-groups/orchestration/understanding-host-vitals.md`
- Added changelog entry

## Problem

Flatcar Container Linux reports `platform=flatcar` and
`platform_like=coreos` via osquery's `os_version` table. Neither value
is in `HostLinuxOSs`, so `PlatformFromHost("flatcar")` returns `""` and
`RunsForPlatform` skips all Linux-platform-filtered detail queries.

**Symptoms:** Flatcar hosts enroll successfully, appear online, and
respond to live queries. But host details (private IP, disk space, etc.)
are never populated because the detail queries that collect this data
are never sent to the host.

## Context

Flatcar Container Linux is an immutable, container-optimized Linux
distribution (successor to CoreOS Container Linux). We deploy Fleet's
Orbit agent on Flatcar via systemd-sysext and have confirmed that all
osquery tables work correctly — the only gap was this platform string
not being recognized.

This follows the same pattern as prior platform additions: #19011
(tuxedo), #28977 (neon), #34357 (manjaro-arm).

## Changes file

- [x] Changes file added in `changes/`

## Checklist

- [x] Added/updated automated tests
- [x] Manual QA: Verified on Flatcar Container Linux 4459.2.4 with
osquery 5.21.0 and Orbit 1.53.0 — confirmed detail queries work after
patching `HostLinuxOSs` locally
- [x] No database migrations needed
- [x] No endpoint changes
- [x] No backward compatibility concerns (additive change only)
2026-03-23 10:33:48 -03:00
Claude
111bb4692e
Bump MySQL test version from 8.0.39 to 8.0.42 (#42122)
Updates MySQL version references from 8.0.39 to 8.0.42 in GitHub Actions
workflow test matrices to match current Aurora version as of #42120.

---------

Co-authored-by: anthropic-code-agent[bot] <242468646+Claude@users.noreply.github.com>
Co-authored-by: iansltx <472804+iansltx@users.noreply.github.com>
Co-authored-by: Ian Littman <iansltx@gmail.com>
2026-03-20 14:24:29 -05:00
kitzy
efa9cf9bdf
Add script to sync Jamf user assignments to Fleet device mapping (#42177)
Adds `docs/solutions/api-scripts/sync_jamf_users_to_fleet.py`, a Python
script that:

- Scrapes every computer in Jamf Pro via the Classic API
(`/JSSResource/computers/subset/basic`)
- Pulls the assigned user's email (falls back to username if no email is
set)
- Matches each device to a Fleet host by serial number
- Assigns that user to the host in Fleet via `PUT
/api/v1/fleet/hosts/:id/device_mapping`

Features:
- Supports both OAuth 2.0 client credentials and username/password auth
for Jamf
- `--dry-run` flag to preview changes without modifying Fleet
- Summary statistics on completion (assigned, skipped, errors)

Resolves fleetdm/confidential#14972
2026-03-20 14:54:45 -04:00
Steven Palmesano
b46414ed56
Add GlobalProtect profile (#42096) 2026-03-19 14:54:30 -05:00
Noah Talerman
357d280c4a
Renaming: API reference (#41942)
For the following issue:
- #41419

- @noahtalerman: Also remove old bits about Fleet 4.0.0

---------

Co-authored-by: Rachael Shaw <r@rachael.wtf>
2026-03-19 14:15:00 -05:00
Victor Lyuboslavsky
db5fb9b230
Update golangci-lint from 2.7.1 to 2.11.3 (#42066) 2026-03-19 11:19:42 -05:00
Noah Talerman
4d32731e55
API reference: Add missing bundle_identifier to "List software" (#41826) 2026-03-18 18:01:40 -05:00
Noah Talerman
d6857b6a4b
Agent configuration: How to upgrade from below 1.38.1 (#41593)
For the following bug:
- https://github.com/fleetdm/fleet/issues/41169
2026-03-18 18:00:01 -05:00
Rachael Shaw
f7c1e52689
Upgrading Fleet > Compatibility: Add note about changing defaults (#42014) 2026-03-18 18:15:40 -04:00
Luís Teles
0fb35e8023
Update standard query library queries (kind: query to kind: report) (#41979)
Just updating the standard query library to reflect the renaming of
"queries" to "reports". This will fix the warnings when importing the
library via fleetctl:

> ```[!] `kind: query` is deprecated, please use `kind: report` instead.```
2026-03-18 16:08:22 -05:00
kilo-code-bot[bot]
3678d6a981
Revert: Change Apple OS update deadline from 7PM back to noon (#38834) (#41899)
## Summary

- Reverts the changes introduced by issue
[#38834](https://github.com/fleetdm/fleet/issues/38834), which changed
the Apple (macOS, iOS, iPadOS) OS update enforcement deadline from 12:00
PM (Noon) to 7:00 PM local time.
- Reverts code from [PR
#38810](https://github.com/fleetdm/fleet/pull/38810) (backend, frontend,
tests) and [PR #39185](https://github.com/fleetdm/fleet/pull/39185)
(documentation).
- Restores the original noon (12:00) deadline in the MDM declaration
payload, frontend tooltip, integration tests, REST API docs, and YAML
configuration docs.

## Changes

| File | Change |
|------|--------|
| `ee/server/service/mdm.go` | `TargetLocalDateTime` reverted from `T19:00:00` to `T12:00:00` |
| `frontend/.../AppleOSTargetForm.tsx` | Deadline tooltip reverted from "19:00 (7PM)" to "12:00 (Noon)" |
| `server/service/integration_enterprise_test.go` | Test assertion reverted from `T19:00:00` to `T12:00:00` |
| `docs/Configuration/yaml-files.md` | 3 references reverted from "7PM" to "noon" |
| `docs/REST API/rest-api.md` | 6 references reverted from "7PM" to "noon" |

Built for
[ntalerman](https://fleetdm.slack.com/archives/D0AEA6U4SM9/p1773780763835429)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)

Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
Co-authored-by: George Karr <georgekarrv@users.noreply.github.com>
2026-03-18 14:07:20 -05:00
melpike
c376ccbe97
Standardize the style and example for default value (#41450)
Update styles and units for server_default_max_request_body_size
2026-03-18 10:21:17 -06:00
Marko Lisica
3756a8e901
[Guide] Automatically renew certificates deployed from custom SCEP CA on Windows (#41854)
Related to:

- #32746
2026-03-17 17:36:31 -05:00
Noah Talerman
9c9961e9e5
GitOps: Link to Fleet's catalog (#41861) 2026-03-17 15:43:49 -05:00
Victor Lyuboslavsky
f01cf0e4e3
Docs: Run multiple independent Fleet dev servers in parallel (#41868) 2026-03-17 15:22:50 -05:00
Nico
b89cc578ca
Add disk_space fleetd table for accurate macOS disk space reporting (#41575)
**Related issue:** Resolves #36799, Sub-task: #41556

# Checklist for submitter

- [x] Changes file added for user-visible changes in `changes/`.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects

## Testing

- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually


Tested that with latest released fleetd (1.53.0), we still ingest the
available disk space. There's about 5% difference in the UI vs in the
macOS "Get Info" dialog (expected, since we use the old query, now
called `disk_space_darwin_legacy`):

Also tested running with vanilla osquery by stopping fleetd and then
running osquery manually (adding the `--allow_unsafe` flag). Result is
same as above, `disk_space_darwin_legacy` is used:

## Summary

- Adds a new macOS-only fleetd table `disk_space` that uses
`NSURLVolumeAvailableCapacityForImportantUsageKey` to report available
disk capacity including purgeable storage — matching what macOS shows in
Finder's "Get Info" dialog.
- Adds a new `disk_space_darwin` detail query that uses the new table
(with Discovery, so it only runs on hosts with fleetd ≥ 1.54.0).
- Restricts the existing `disk_space_unix` query to Linux only (darwin
was removed since the new query handles it).
- Adds schema documentation for the new table.

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-17 12:59:17 -03:00
Lucas Manuel Rodriguez
3a223ca939
Windows conditional access: Ingest device_id from Windows devices (#41822)
Resolves #41475

- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.

## Testing

- [X] Added/updated automated tests
- [X] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one host's records do not affect another)

- [X] QA'd all new/changed functionality manually
2026-03-17 12:33:39 -03:00
Josh Roskos
ba2c5b5e5c
Add go_binaries table (#39877)
**Related issue:** Resolves #40138

# Checklist for submitter

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.

- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)

## Testing

- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually

Installed: 
```
go install golang.org/x/tools/cmd/goimports@latest
go install golang.org/x/tools/gopls@latest
go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
```

Validated:
```
osquery> SELECT * FROM go_packages;
+---------------+---------+-----------------------------------+-----------------------------------------------------+------------+----------------------------------+
| name          | version | module_path                       | import_path                                         | go_version | installed_path                   |
+---------------+---------+-----------------------------------+-----------------------------------------------------+------------+----------------------------------+
| goimports     | v0.42.0 | golang.org/x/tools                | golang.org/x/tools/cmd/goimports                    | go1.25.5   | /Users/josh/go/bin/goimports     |
| golangci-lint | v1.64.8 | github.com/golangci/golangci-lint | github.com/golangci/golangci-lint/cmd/golangci-lint | go1.25.5   | /Users/josh/go/bin/golangci-lint |
| gopls         | v0.21.1 | golang.org/x/tools/gopls          | golang.org/x/tools/gopls                            | go1.25.5   | /Users/josh/go/bin/gopls         |
+---------------+---------+-----------------------------------+-----------------------------------------------------+------------+----------------------------------+
```

## fleetd/orbit/Fleet Desktop

- [x] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [x] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [x] Verified that fleetd runs on macOS, Linux and Windows

---------

Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com>
2026-03-16 13:27:00 -05:00
Victor Lyuboslavsky
622430f600
Update ADR 0007 as completed. (#41285) 2026-03-16 12:38:01 -05:00
Steven Palmesano
ad9301a455
Solutions updates 2026-03-12 (#41596) 2026-03-16 11:58:51 -05:00
Juan Fernandez
067e5fb33f
Made Host Results endpoint URL consistent (33714) (#41501)
Resolves #33714

Added alias `GET /api/v1/fleet/scripts/batch/abc-def/host_results` for
`GET /api/v1/fleet/scripts/batch/abc-def/host-results` for consistency's
sake.
2026-03-13 14:00:26 -04:00
Adam Baali
9ed65628df
Combine Windows MDM migration remediation into single script (#41537) 2026-03-13 08:59:27 +01:00
kilo-code-bot[bot]
f4c093047f
Embed GitOps basics video on YAML files docs page (#41581)
## Summary

- Embeds Fleet's ["The Basics of Fleet
GitOps"](https://www.youtube.com/watch?v=wgqI_lHnGJc) YouTube video on
the [GitOps YAML files documentation
page](https://fleetdm.com/docs/configuration/yaml-files).
- The video is placed in the introduction section, right after the
opening paragraph and before the first callout, so users see it early
when landing on the page.
- Uses the existing `<div purpose="embedded-content"><iframe>` embed
pattern consistent with other Fleet docs pages (e.g.,
`articles/queries.md`, `articles/fleetctl.md`,
`articles/vulnerability-processing.md`).

### Changes
- `docs/Configuration/yaml-files.md`: Added YouTube video embed for "The
Basics of Fleet GitOps" (`wgqI_lHnGJc`).

Built for
[mikermcneil](https://fleetdm.slack.com/archives/D0AFASLRHNU/p1773338930980929)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)

Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
2026-03-12 19:38:35 -05:00
Rachael Shaw
cc671f98c9
Preview of v4.82.0 doc changes (#38894)
This PR will remain in draft as a preview of upcoming documentation
changes for 4.82.0

---------

Co-authored-by: Jordan Montgomery <elijah.jordan.montgomery@gmail.com>
Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com>
Co-authored-by: Magnus Jensen <magnus@fleetdm.com>
Co-authored-by: Victor Lyuboslavsky <2685025+getvictor@users.noreply.github.com>
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Co-authored-by: Dante Catalfamo <43040593+dantecatalfamo@users.noreply.github.com>
Co-authored-by: melpike <79950145+melpike@users.noreply.github.com>
Co-authored-by: Mike Thomas <78363703+mike-j-thomas@users.noreply.github.com>
Co-authored-by: Nico <32375741+nulmete@users.noreply.github.com>
Co-authored-by: Scott Gress <scottmgress@gmail.com>
2026-03-12 18:19:53 -05:00
Steven Palmesano
b37de7c9aa
Remove duplicate custom_est_proxy entry (#41159)
Combine both entries to make one.
2026-03-12 18:02:17 -05:00
Noah Talerman
09590bc6e2
"Teams" => "fleets", "queries" => "reports" doc changes (#39585) 2026-03-11 23:41:14 -05:00
melpike
6527c15e56
Update support contact link in fleet-server-configuration (#41399)
**Related issue:** Resolves #40710
2026-03-11 18:44:13 -05:00
Noah Talerman
75a61a8673
Document PUT /hosts/{id}/device_mapping side effect (#41514)
Until we fix this:
- https://github.com/fleetdm/fleet/issues/41239

---------

Co-authored-by: Rachael Shaw <r@rachael.wtf>
2026-03-11 18:39:16 -05:00
Magnus Jensen
302ee423dd
[API Docs]: mention ios, ipados and windows support for resend profile (#41486)
This support has been there for some time, it was just never updated.
2026-03-11 18:21:07 -05:00
Mitch Francese
3451ec6454
Update Okta Platform SSO guide: add dynamic SCEP challenge option (#41228)
## Summary

- Adds Fleet's dynamic SCEP challenge (Okta CA with a dynamic challenge,
available since Fleet 4.81.0) as the recommended path for Device Access
certificates on macOS 14+
- Preserves static SCEP as a documented legacy option, each with its own
downloadable example profile
- Adds `okta-device-access-scep-dynamic-example.mobileconfig` using
`$FLEET_VAR_NDES_SCEP_PROXY_URL` and `$FLEET_VAR_NDES_SCEP_CHALLENGE`;
existing static example profile unchanged
- Corrects renewal claim: neither static nor dynamic SCEP supports
automatic certificate renewal per Okta's own documentation — both
require profile redeployment before expiration
- Adds Okta documentation links throughout for proper SEO and
cross-reference:
  - [Use Okta as a CA for Device
    Access](https://help.okta.com/oie/en-us/content/topics/oda/oda-as-scep-okta-ca.htm)
  - [Configure Okta as a CA with a dynamic SCEP
    challenge](https://help.okta.com/oie/en-us/content/topics/identity-engine/devices/okta-ca-dynamic-scep-macos-jamf.htm)
  - [Configure Okta as a CA with a static SCEP
    challenge](https://help.okta.com/oie/en-us/content/topics/identity-engine/devices/okta-ca-static-scep-macos-jamf.htm)
- Uses correct Fleet UI path and CA type name verified against
`helpers.tsx` and the 4.81.0 release article
- Uses Okta's exact field names (SCEP URL, Challenge URL, Username,
Password) verified from Okta's documentation
- Updates `publishedOn` to reflect the revision date

## Files changed

- `articles/deploying-okta-platform-sso-with-fleet.md` — article update
- `docs/solutions/macos/configuration-profiles/okta-device-access-scep-dynamic-example.mobileconfig` — new dynamic SCEP example profile
- `docs/solutions/macos/configuration-profiles/okta-device-access-scep-example.mobileconfig` — unchanged (static example)

## Test plan

- [ ] Article renders correctly on fleetdm.com preview
- [ ] Dynamic example profile link resolves:
`okta-device-access-scep-dynamic-example.mobileconfig`
- [ ] Static example profile link resolves:
`okta-device-access-scep-example.mobileconfig`
- [ ] All Okta documentation links resolve
- [ ] Fleet UI path verified: **Settings → Integrations → Certificate
authorities → Add CA → Okta CA or Microsoft Device Enrollment service
(NDES)**
- [ ] Fleet variables `$FLEET_VAR_NDES_SCEP_PROXY_URL` and
`$FLEET_VAR_NDES_SCEP_CHALLENGE` confirmed in Fleet docs
- [ ] Meta tags present with updated `publishedOn` date
- [ ] Style guide compliance verified (active voice, bold UI elements,
no marketing fluff)
2026-03-10 18:50:20 -04:00
Magnus Jensen
3f93296c62
38950 document 1pass credentials (#41346)
Resolves: #38950
2026-03-10 10:35:58 -05:00
melpike
2d5471719e
Document silent migration enrollment profile (#40710)
Added information about silent migration enrollment profile for Apple
MDM devices.

**Related issue:** Relates #39796
2026-03-10 08:15:27 -06:00
Victor Lyuboslavsky
3d7b7a4ef8
Updated modular monolith README (#40762)
**Related issue:** Resolves #38536

The final activity bounded context PR is in review:
https://github.com/fleetdm/fleet/pull/41194
So, I'm putting the associated README up for review as well.
2026-03-09 13:19:35 -05:00
Victor Lyuboslavsky
f3e53082e0
Added docs: software name changes and the rename problem (#41227)
**Related issue:** Resolves #28584

The correct fix for the bug was to add a migration to update existing
software rows to match the new naming convention. However, that should
have been done in Fleet 4.67, and that ship has already sailed.

See the issue description in the `Name changes and the rename problem`
section of the doc.
2026-03-09 13:17:57 -05:00
Juan Fernandez
eec2ce111a
Increase body size limits for osquerylog and osquery/dist/write endpoints (#40946)
Resolves #40813 

* Added configurable body size limits for the `/api/osquery/log`,
`/api/osquery/distributed/write` and `/api/osquery/config` endpoints.
* Fixed false positive `PayloadTooLargeError` errors.

---------

Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com>
2026-03-09 13:49:07 -04:00
Rachael Shaw
53ebf91be6
API design: #33522 Add executable hash/path to software (#37212)
Related to user story:

+ #33522
2026-03-06 18:28:30 -06:00
Tim Lee
3681306dd7
Fix Jetbrains versions - Take 2 (#40928) 2026-03-06 12:30:20 -07:00
Mitch Francese
dc397209f0
Add MITRE ATT&CK framework queries to query library (#39930)
## Summary

- Adds 152 MITRE ATT&CK framework threat detection queries to the Fleet
query library (`docs/queries.yml`)
- Queries cover Linux (23), macOS (18), and Windows (36) platforms, plus
cross-platform queries
- Mapped to specific ATT&CK techniques (T1025, T1033, T1053, T1078,
T1548, etc.)
- All queries tagged with `MITRE, ATT&CK, threat detection` for easy
filtering on the website

## Details

Queries are sourced from the
[fleet-osquery-attck](https://github.com/MitchF/fleet-osquery-attck)
project and cover:

- **Discovery**: Process, account, system information, network
connections
- **Persistence**: Cron jobs, startup items, launch agents/daemons,
registry run keys
- **Credential Access**: SSH keys, browser credentials, sudoers
- **Execution**: Command interpreters, scheduled tasks, shell history
- **Defense Evasion**: Rootkit detection, process injection, file
integrity
- **Lateral Movement**: SSH connections, remote services

## Test plan

- [x] Verify `docs/queries.yml` parses correctly during website build
(`build-static-content.js`)
- [ ] Verify MITRE queries appear on https://fleetdm.com/queries with
proper platform filtering
- [ ] Verify no slug collisions with existing queries
- [ ] Verify contributor profile resolves for `MitchF` GitHub username
2026-03-06 12:28:11 -06:00
Steven Palmesano
c0e5adf32f
Fix broken human-device mapping links and spelling error (#41069) 2026-03-06 12:27:12 -06:00
Noah Talerman
e7742e1fcd
YAML reference: Some keys don't get reset to default (#41092)
Context:
https://fleetdm.slack.com/archives/C0ACJ8L1FD0/p1772731172515989?thread_ts=1772651082.960169&cid=C0ACJ8L1FD0
2026-03-06 11:48:54 -06:00
Robert Fairburn
135f0cff4c
Update AWS Pricings in ref arch (#41110) 2026-03-06 11:41:23 -06:00
Rachael Shaw
f10f9a955a
Cherry-pick: windows_entra_tenant_ids docs (#41144)
Cherry-pick of https://github.com/fleetdm/fleet/issues/39221 from
`docs-v4.82.0` into `main`

For user story:

- #39214

Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com>
2026-03-06 11:39:07 -06:00
Rachael Shaw
cbc69082ab
Update contributor API note (#41026)
Attempted to make the warning stand out more so people don't skip past
it, and added a note encouraging Fleet users to make feature requests to
bring the contributor endpoints they want to use into the public API
before building anything with them. (Hopefully will help avoid bugs like
[this](https://github.com/fleetdm/fleet/issues/40448).)
2026-03-05 18:16:56 -06:00
Ian Littman
7d4acdc5c4
Bump supported MySQL versions (#40892)
Fixes #40975.

- 8.0.32 (was running in Aurora managed cloud at the time) -> 8.0.39 (what
we're running now)
- 8.0.36 -> 8.0.44 (latest 8.0.x version supported by
Aurora; holding off on 8.0.45 until Aurora supports it)
- 8.4.7 -> 8.4.8
- 9.5.0 -> 9.6.0

Also bumped the supported Aurora version from 3.07.0 to 3.08.2 to match
what we're running in managed cloud right now

Fleet might work on older patch versions but we'll no longer dev/test on
them. MySQL 9.x not testing previous minor versions matches with our
previous approach for that version.

Since these are all patch/minor bumps (and the overnight build cases are
patch bumps/are covered by AWS envs) automated testing should be
sufficient here.
2026-03-04 12:25:20 -06:00
Mike McNeil
7064e4356a
Docs: Add link to ADE profile reference (#40836) 2026-03-02 22:07:09 -06:00
Steven Palmesano
4a5e22137f
Add fleetd debug script for Windows (#40831)
Also rename the macOS script for consistency.
2026-03-02 15:41:25 -06:00
Katheryn Satterlee
29451ffb87
Update manage-orbit-debug.sh by removing instructions (#40426)
Removed instructions that were added for a specific use case.
2026-03-02 15:00:14 -06:00
Magnus Jensen
36c81a496b
Show Windows support for SCEP Renewal ID variable (#40803) 2026-03-02 11:42:25 -05:00
melpike
f8239c5b62
Document fleet_allow_bootstrap_package_during_migration (#40810)
Add documentation for enabling bootstrap packages during MDM migration.

**Related issue:** Resolves #39634
2026-03-02 10:39:35 -06:00
Victor Lyuboslavsky
89c6286f27
Updated old adding-new-endpoints guide. (#40760) 2026-02-28 11:39:29 -06:00
Noah Talerman
9fa8952b07
Deploy Fleet: Host Fleet in your homelab (#40719)
For the following request:
- https://github.com/fleetdm/fleet/issues/33774
2026-02-27 18:06:18 -06:00
Mason Buettner
1c1016639f
Fix issue link for automatic install support (#40732)
Updated issue link for automatic install support for Fleet-maintained
apps.

**Related issue:** Resolves #

# Checklist for submitter

The previously linked issue
https://github.com/fleetdm/fleet/issues/29584 was closed in favor of
https://github.com/fleetdm/fleet/issues/34492.
2026-02-27 18:05:49 -06:00
Katheryn Satterlee
d565887fea
Update host identifier recommendations in documentation (#40741)
Clarified recommendations for setting host identifiers when enrolling
hosts using Fleet generated packages.
2026-02-27 18:05:28 -06:00
Wesley Whetstone
57c4f8c59f
Skip MDM Declaration Validation logic with Configuration. (#38212)
**Related issue:** Resolves #

This PR adds the ability to skip any Fleet logic that validates on
whether or not an MDM Declaration is usable with Fleet by setting a
configuration of `FLEET_MDM_SKIP_DECLARATION_VALIDATION` to `True`. We
would like to leverage declarations such as [config
files](https://developer.apple.com/documentation/devicemanagement/servicesconfigurationfiles)
as well as other non-configuration declarations that are
[restricted](https://github.com/fleetdm/fleet/blob/main/server/fleet/apple_mdm.go#L736-L738)
like
[Activations](https://developer.apple.com/documentation/devicemanagement/activationsimple),
and any declaration that requires
[AssetData](https://developer.apple.com/documentation/devicemanagement/assetdata).
We understand that these are not usable by most Fleet customers,
especially those that use Fleet's cloud hosting option.

Since we run Fleet on our own infrastructure we are able to leverage our
proxy to support all additional data components needed for declarations
above.

## Testing
I've built and run Fleet locally and validated that with the
`FLEET_MDM_SKIP_DECLARATION_VALIDATION` I am able to add any
declarations I please. Without the config I am unable to add the
requested declaration types above.

- [X] Added/updated automated tests

- [X] QA'd all new/changed functionality manually


## Summary by CodeRabbit

* **New Features**
  * Added experimental `mdm.allow_all_declarations` configuration option
    to permit all Apple MDM declaration types when enabled, overriding
    default validation checks.

* **Documentation**
  * Updated configuration documentation with details for the new
    experimental MDM option, including defaults, environment variables, YAML
    format, and safety considerations.


---------

Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com>
Co-authored-by: Magnus Jensen <magnus@fleetdm.com>
2026-02-27 16:07:33 -05:00
Zach Wasserman
8b904702a0
Fix documentation for CI (#40712) 2026-02-27 11:19:14 -08:00
Juan Fernandez
c95283c490
Updated documentation for file carving REST endpoints (#40698)
Added notes explaining that a network error will result in a failed carve
operation.
2026-02-27 14:43:36 -04:00
George Karr
941816e3c3
Revise daily standup steps for priority review (#40605)
Adding an explicit check to scrum to review p0-1 and make sure they have
daily updates until they are ready for QA / merged.
2026-02-27 09:44:21 -06:00
Marko Lisica
f5bc0d7f32
Add script to revoke VPP licenses for devices (#40478)
Related to:

- https://github.com/fleetdm/fleet/issues/34439
2026-02-27 15:55:05 +01:00
Rachael Shaw
bcdcae3af0
Add compatibility note to upgrading docs (#40569)
Clarify the rare cases when upgrading to a minor/patch version can break
compatibility.

---------

Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
2026-02-26 10:45:07 -06:00