Automated ingestion of latest Fleet-maintained app data.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Release Notes
* **Chores**
* Updated version tracking and installation metadata for Discord,
Grammarly Desktop, Postman, Rancher, and Tower on macOS to reflect
latest releases.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: allenhouchins <32207388+allenhouchins@users.noreply.github.com>
Automated ingestion of latest Fleet-maintained app data.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated Anka Virtualization to version 3.9.0 for macOS
* Updated Discord to version 1.0.9236 for Windows
* Updated Nextcloud to version 33.0.4 for macOS
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: mostlikelee <16102903+mostlikelee@users.noreply.github.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#44330, Resolves#44331
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests. (I'd defer integration tests to a
separate PR since this one is pretty large already.)
- [x] QA'd all new/changed functionality manually. I've tested this on
both the setup flow and the organization settings page. I haven't had
the time to test this on other places where we render the logo (macOS
setup experience / MDM migration dialog).
https://github.com/user-attachments/assets/95d4eae5-3da6-40f4-98a1-8575b97d96b3
## New Fleet configuration settings
- [x] Setting(s) is/are explicitly excluded from GitOps.
Will handle GitOps in a separate PR.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Organizations can upload custom logos for light and dark modes.
* Registration and Org Settings support logo file upload, preview,
per-mode replace/delete, and validation (size & image formats).
* Activity feed records logo changes/deletions; site nav displays
uploaded logos per theme.
* File uploader/preview adds a Fleet logo graphic option and improved
logo validation.
* Config/GitOps outputs now include separate dark/light logo fields.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Automated ingestion of latest Fleet-maintained app data.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated AnyDesk macOS version support to 9.7.0
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: allenhouchins <32207388+allenhouchins@users.noreply.github.com>
Update fleet-desktop from 1.1.0 to 1.2.0 across Homebrew cask, API
metadata, and darwin output. Adjust package URLs and filenames, update
SHA256 checksums and ruby_source_checksum, and refresh installer script
reference and patched/version queries to match the new release.
Automated ingestion of latest Fleet-maintained app data.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated application version metadata for 8x8 Work, Adobe Acrobat
Reader, Cursor, Ollama, Postman, and Zed across supported platforms with
latest release versions and integrity verification checksums.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: mostlikelee <16102903+mostlikelee@users.noreply.github.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#44533
Adds an option to return a PEM certificate from the request_certificate
endpoint, rather than the PKCS7 envelope an EST server returns. This
allows it to be more easily used in scripts without conversions, at the
(small) cost of, among other things, dropping the PKCS7 envelope, which
could be signed by the server, etc. (though the PEM cert itself should
also be).
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one host's records do not affect another)
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* The "Request a Certificate" endpoint can optionally return the issued
certificate as a PEM-encoded X.509 CERTIFICATE block instead of a
PEM-encoded PKCS#7 envelope.
* **Tests**
* Added comprehensive tests covering PEM conversion, tolerance for
base64 whitespace/newlines, error handling for malformed PKCS#7, and
multi-certificate envelope cases.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
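A worked version of the conversion this PR describes, added here as an example; it is not Fleet's code and it makes assumptions the PR does not state: the envelope is a certs-only ("degenerate") SignedData as EST simpleenroll returns it, the two ASN.1 structures are parsed with the standard library's `encoding/asn1` rather than a PKCS#7 library, the issued certificate is taken to be the first non-CA certificate when the envelope carries a chain, and the CA, leaf and line-wrapped base64 are constructed inside the block rather than captured from a real server.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var oidSignedData = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 7, 2} // id-signedData
var oidData = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 7, 1}       // id-data

// contentInfo is PKCS#7 ContentInfo (RFC 2315 §7). Content keeps the [0] EXPLICIT
// wrapper as a RawValue, so Content.Bytes is the inner SignedData SEQUENCE.
type contentInfo struct {
	ContentType asn1.ObjectIdentifier
	Content     asn1.RawValue `asn1:"explicit,optional,tag:0"`
}

// signedData is the subset of SignedData (RFC 2315 §9.1) needed for the "degenerate"
// certs-only envelope an EST simpleenroll response carries (RFC 7030 §4.2.3).
type signedData struct {
	Version          int
	DigestAlgorithms []asn1.RawValue `asn1:"set"`
	ContentInfo      contentInfo
	Certificates     asn1.RawValue   `asn1:"optional,tag:0"` // [0] IMPLICIT SET OF Certificate, concatenated DER
	CRLs             asn1.RawValue   `asn1:"optional,tag:1"`
	SignerInfos      []asn1.RawValue `asn1:"set"`
}

// certificatesFromPKCS7 accepts a PEM "PKCS7" block or the bare, line-wrapped base64 an
// EST server returns and extracts every certificate from the envelope. Trailing data,
// a content type other than signedData and an empty certificate set are errors.
func certificatesFromPKCS7(input string) ([]*x509.Certificate, error) {
	var b64 strings.Builder
	for _, line := range strings.Split(input, "\n") {
		if !strings.HasPrefix(line, "-----") { // skip PEM armor lines; all whitespace is dropped
			b64.WriteString(strings.Join(strings.Fields(line), ""))
		}
	}
	der, err := base64.StdEncoding.DecodeString(b64.String())
	if err != nil {
		return nil, fmt.Errorf("pkcs7: invalid base64: %w", err)
	}
	var ci contentInfo
	rest, err := asn1.Unmarshal(der, &ci)
	if err != nil || len(rest) != 0 || !ci.ContentType.Equal(oidSignedData) {
		return nil, fmt.Errorf("pkcs7: malformed or non-signedData ContentInfo: %v", err)
	}
	var sd signedData
	rest, err = asn1.Unmarshal(ci.Content.Bytes, &sd)
	if err != nil || len(rest) != 0 || len(sd.Certificates.Bytes) == 0 {
		return nil, fmt.Errorf("pkcs7: malformed SignedData or no certificates: %v", err)
	}
	return x509.ParseCertificates(sd.Certificates.Bytes)
}

// leafCertificate picks the end-entity certificate when the envelope also carries
// issuer certificates: the first one that is not a CA.
func leafCertificate(certs []*x509.Certificate) *x509.Certificate {
	for _, c := range certs {
		if !c.IsCA {
			return c
		}
	}
	return certs[0]
}

// toPEM renders one certificate as the PEM CERTIFICATE block scripts expect.
func toPEM(c *x509.Certificate) string {
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw}))
}

// Constructed sample input, not real EST output: a throwaway CA, a leaf it signs, and
// the certs-only envelope base64-wrapped at 64 columns with CRLF as a server would send.
func newCert(cn string, isCA bool, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil { // self-signed root
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

func sampleEnvelope() string {
	ca, caKey := newCert("Example Device CA", true, nil, nil)
	leaf, _ := newCert("host-123", false, ca, caKey)
	raw := append(append([]byte{}, ca.Raw...), leaf.Raw...) // issuer first, leaf second
	sdDER, _ := asn1.Marshal(signedData{Version: 1, ContentInfo: contentInfo{ContentType: oidData},
		Certificates: asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 0, IsCompound: true, Bytes: raw}})
	der, _ := asn1.Marshal(contentInfo{ContentType: oidSignedData,
		Content: asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 0, IsCompound: true, Bytes: sdDER}})
	b64 := base64.StdEncoding.EncodeToString(der)
	var sb strings.Builder
	for ; len(b64) > 64; b64 = b64[64:] {
		sb.WriteString(b64[:64] + "\r\n")
	}
	return sb.String() + b64 + "\r\n"
}

func main() {
	certs, err := certificatesFromPKCS7(sampleEnvelope())
	if err != nil {
		panic(err)
	}
	fmt.Print(toPEM(leafCertificate(certs)))
}
```

Nothing here verifies a signature the server may have placed on the envelope; that is exactly the trade-off the PR text describes. A caller that takes the PEM form should therefore still check that the returned leaf chains to the CA it expects, which is why the issuer certificates are kept in the returned slice rather than discarded.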
Automated ingestion of latest Fleet-maintained app data.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated macOS application configurations to support new versions:
* DBeaver Community 26.0.4
* Lulu 4.3.2
* Stats 2.12.13
* Warp 0.2026.04.29.08.57.01
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: mostlikelee <16102903+mostlikelee@users.noreply.github.com>
Automated ingestion of latest Fleet-maintained app data.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated application version metadata for Adobe Acrobat Reader,
Dialpad, Granola, OneDrive, and TablePlus to reflect the latest releases
across Windows and macOS platforms.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: mostlikelee <16102903+mostlikelee@users.noreply.github.com>
Automated ingestion of latest Fleet-maintained app data.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated supported application versions: Calibre (9.8.0), Fork
(2.66.7), Granola (7.162.5), Microsoft Edge (147.0.3912.98), Microsoft
Teams (26093.311.4599.3126), Ollama (0.22.1), Teleport Connect & Suite
(18.7.6), and Zotero (9.0.2) with latest installer packages and
verification checksums.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: mostlikelee <16102903+mostlikelee@users.noreply.github.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#44194
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Team-level disk encryption can be toggled when at least one MDM
platform (Windows or Apple) is configured, enabling BitLocker control
for Windows-only deployments.
* **Bug Fixes**
* Updates validation to reject disk-encryption changes only when no MDM
platforms are configured.
* **Tests**
* Added coverage for platform combinations and expected behavior,
including Apple-specific profile creation when applicable.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Automated ingestion of latest Fleet-maintained app data.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated Arc to version 1.145.0
* Updated ExpressVPN to version 14.1.0
* Updated LibreOffice to version 26.2.3
* Updated Loom to version 0.346.4
* Updated Microsoft Edge to version 147.0.3912.98
* Updated Zen to version 1.19.11b
* Switched Dialpad installer format to pkg
* **Bug Fixes**
* Dialpad: installer integrity check disabled (no_check) and uninstall
now uses package receipt-aware removal instead of direct app deletion
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: mostlikelee <16102903+mostlikelee@users.noreply.github.com>
Co-authored-by: Allen Houchins <allenhouchins@mac.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#44170 and Resolves#44422
Pagination is now pushed into each branch of the merged query, so
per-tick work scales with page size instead of total commands. The
Windows side was rewritten to avoid a disjunctive join that forced a
nested-loop plan. `per_page` is capped (default 10), `page` is capped,
and `order_key` is enforced against a closed allowlist on both code
paths. Cursor pagination is fixed and is the recommended way to traverse
beyond the page cap.
This PR improves but does not fix the use case of fetching commands from
all hosts. Deprecate usage without host_identifier:
https://github.com/fleetdm/fleet/pull/44392/changes
API doc updates: https://github.com/fleetdm/fleet/pull/44292
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one host's records do not affect another)
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Enforced pagination on MDM commands list: per_page defaults to 10 (max
1,000) and page is capped at 100; traversal beyond page 100 requires
cursor pagination via after.
* **Bug Fixes / Performance**
* Improved MDM command listing performance and de-duplication for large
queries; fixed SQL error when combining host identifier with cursor
pagination.
* **Validation**
* Requests exceeding pagination caps return 400; invalid sort keys
return 422.
* **Tests**
* Added tests for pagination boundaries, cursor behavior, sort-key
validation, and error responses.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
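An added example, not Fleet's code, of the validation and query shape this PR describes: caps on `per_page` and `page`, a closed allowlist for `order_key`, a mutually exclusive `after` cursor, and pagination pushed into each branch of the merged query. The table and column names, the zero-based page index, the particular allowlist entries and the two error kinds standing in for the 400 and 422 responses are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Caps as stated in the PR. Table and column names below are placeholders for
// this example, not Fleet's schema.
const (
	defaultPerPage = 10
	maxPerPage     = 1000
	maxPage        = 100
)

// Callers map ErrBadRequest to 400 and ErrUnprocessable to 422 with errors.Is.
var (
	ErrBadRequest    = errors.New("bad request")
	ErrUnprocessable = errors.New("unprocessable entity")
)

// orderKeys is the closed allowlist: the request's order_key is only ever a map
// lookup, and the column name on the right is the only string that reaches SQL.
var orderKeys = map[string]string{
	"updated_at":   "updated_at",
	"request_type": "request_type",
	"status":       "status",
}

type ListOptions struct {
	HostIdentifier string // optional host filter; "" lists commands for all hosts
	Page           int    // zero-based page index, capped at maxPage
	PerPage        int    // 0 means defaultPerPage; capped at maxPerPage
	OrderKey       string // must be an orderKeys entry; "" means updated_at
	Descending     bool
	After          string // cursor: the order column's value from the last row seen
}

// buildListCommandsQuery validates the options and returns SQL plus placeholder
// args. Each branch of the UNION ALL carries its own ORDER BY and LIMIT, so no
// table is read past the rows the requested page can need.
func buildListCommandsQuery(o ListOptions) (string, []any, error) {
	if o.PerPage == 0 {
		o.PerPage = defaultPerPage
	}
	if o.PerPage < 0 || o.PerPage > maxPerPage {
		return "", nil, fmt.Errorf("%w: per_page must be between 1 and %d", ErrBadRequest, maxPerPage)
	}
	if o.Page < 0 || o.Page > maxPage {
		return "", nil, fmt.Errorf("%w: page must be between 0 and %d; use the after cursor beyond that", ErrBadRequest, maxPage)
	}
	if o.After != "" && o.Page != 0 {
		return "", nil, fmt.Errorf("%w: page and after cannot be combined", ErrBadRequest)
	}
	if o.OrderKey == "" {
		o.OrderKey = "updated_at"
	}
	col, ok := orderKeys[o.OrderKey]
	if !ok {
		return "", nil, fmt.Errorf("%w: unsupported order_key %q", ErrUnprocessable, o.OrderKey)
	}
	dir, cmp := "ASC", ">"
	if o.Descending {
		dir, cmp = "DESC", "<"
	}
	offset := o.Page * o.PerPage // cursor mode starts every request at offset 0
	if o.After != "" {
		offset = 0
	}
	var where []string
	var args []any
	if o.HostIdentifier != "" {
		where = append(where, "host_uuid = ?")
		args = append(args, o.HostIdentifier)
	}
	if o.After != "" {
		// Cursor on the order column. A production version should add a unique
		// tiebreaker column so that equal timestamps cannot skip or repeat rows.
		where = append(where, col+" "+cmp+" ?")
		args = append(args, o.After)
	}
	branch := func(table string) string {
		sql := "SELECT command_uuid, host_uuid, request_type, status, updated_at FROM " + table
		if len(where) > 0 {
			sql += " WHERE " + strings.Join(where, " AND ")
		}
		return "(" + sql + " ORDER BY " + col + " " + dir + " LIMIT ?)"
	}
	query := branch("apple_mdm_commands") + " UNION ALL " + branch("windows_mdm_commands") +
		" ORDER BY " + col + " " + dir + " LIMIT ? OFFSET ?"
	var all []any
	for i := 0; i < 2; i++ { // the same filter args feed both branches, then the outer page
		all = append(append(all, args...), offset+o.PerPage)
	}
	return query, append(all, o.PerPage, offset), nil
}

func main() {
	q, args, err := buildListCommandsQuery(ListOptions{HostIdentifier: "host-123", After: "2026-04-30 12:00:00"})
	if err != nil {
		panic(err)
	}
	fmt.Println(q, args)
}
```

With offset pagination each branch still has to return `offset + per_page` rows, so page 100 at `per_page` 1000 makes every branch produce up to 101,000 rows before the merge; that is why the caps exist and why traversal past the cap is pushed to the `after` cursor, which keeps each branch at a single page regardless of how deep the caller is.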
Automated ingestion of latest Fleet-maintained app data.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated Thunderbird metadata from version 150.0 to version 150.0.1 for
macOS and Windows, including updated installer artifacts and integrity
verification checksums.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: allenhouchins <32207388+allenhouchins@users.noreply.github.com>
Automated ingestion of latest Fleet-maintained app data.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated Google Drive (Windows) version configuration from 123.0.1.0 to
124.0.3.0 with new installer details
* Updated NordPass (macOS) version configuration from 7.6.18 to 7.6.20
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: allenhouchins <32207388+allenhouchins@users.noreply.github.com>
Automated ingestion of latest Fleet-maintained app data.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Added support for Postman 12.8.4 on macOS and Windows
* Added support for Wireshark 4.6.5 on macOS and Windows
* Added support for Warp build 0.2026.04.27.15.32.03 on macOS
* Updated P4V installer validation on macOS
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: mostlikelee <16102903+mostlikelee@users.noreply.github.com>
Automated ingestion of latest Fleet-maintained app data.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Updates**
* Visual Studio Code updated to version 1.118.1 on macOS and Windows
with new installer checksums.
* **Bug Fixes**
* Improved installation and uninstallation workflows for Druva insync,
Fleet Desktop, and Zoom Rooms on macOS for better reliability.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: allenhouchins <32207388+allenhouchins@users.noreply.github.com>
This pull request introduces support for ingesting Homebrew casks from
third-party taps (not available in the official
`Homebrew/homebrew-cask`) into the Fleet Maintained Apps (FMA) system.
It does this by allowing cask metadata to be committed directly into the
repository and referenced via a new `cask_path` field. The PR also
updates CI workflows to better support Fleet Desktop validation and
documents the new contributor flow.
**Support for custom Homebrew casks:**
* Added a new `cask_path` field to app manifests, allowing the FMA
ingester to read cask metadata from a local JSON file instead of
fetching from the Homebrew API. This enables ingestion of apps from
third-party taps or custom casks not present in the official Homebrew
repository.
[[1]](diffhunk://#diff-be469dd148f0c50ad56489c48bdb514522e1a46d21336e8f747b5880d71a6d1bR49-R66)
[[2]](diffhunk://#diff-abd7db4bef16a062c1bd81f54a7c846f1e91b913a9fe9f87976c8075f39b8cd2R270-R276)
* Refactored the Homebrew ingester (`brewIngester`) to use a new
`fetchCask` helper, which reads from the local file if `cask_path` is
set, or falls back to the API otherwise. Includes robust error handling.
[[1]](diffhunk://#diff-abd7db4bef16a062c1bd81f54a7c846f1e91b913a9fe9f87976c8075f39b8cd2L99-R101)
[[2]](diffhunk://#diff-abd7db4bef16a062c1bd81f54a7c846f1e91b913a9fe9f87976c8075f39b8cd2R200-R251)
* Added comprehensive documentation and examples for the custom tap
workflow, including a new `custom-tap/` directory with cask DSL sources,
generated JSON, and a regeneration script.
[[1]](diffhunk://#diff-2dfa2fc79b9becad555db38289a16afe4ce651665a31868d386fed8b4e160740R1-R85)
[[2]](diffhunk://#diff-be469dd148f0c50ad56489c48bdb514522e1a46d21336e8f747b5880d71a6d1bR49-R66)
* Added new custom casks for `fleet-desktop`, `druva-insync`, and
`zoom-rooms` under `inputs/homebrew/custom-tap/Casks/`.
[[1]](diffhunk://#diff-2555a54830de2bfb0ffca8bc487aac67de84dee5d431fe5f42e90e1754f63bb6R1-R36)
[[2]](diffhunk://#diff-db1fa8a43a27c5adf49a5ade04e61405ce1e9420f266e3160156cabf69ed4ea8R1-R40)
[[3]](diffhunk://#diff-effd461583140683d41dc68d9a93692d039be5ad5e52b6b108ece79f17155107R1-R44)
**Testing and validation:**
* Added a new test (`TestIngestCaskPath`) to ensure the ingester
correctly reads from `cask_path` and does not make unnecessary HTTP
requests, with error handling for missing files.
**CI workflow improvements:**
* Updated GitHub Actions workflows to handle Fleet Desktop's installer
requirements in CI by creating a managed preferences stub when
validating Fleet Desktop, ensuring the installer succeeds even without
MDM enrollment.
[[1]](diffhunk://#diff-28b30c8601cb7662d59efbfbbcf800cae91455fd3d875627659dced8c1257a24R100)
[[2]](diffhunk://#diff-28b30c8601cb7662d59efbfbbcf800cae91455fd3d875627659dced8c1257a24R116-R123)
[[3]](diffhunk://#diff-28b30c8601cb7662d59efbfbbcf800cae91455fd3d875627659dced8c1257a24R148-R172)
[[4]](diffhunk://#diff-c263ffc3062c3b5e4e4eb65976080c6cbddac478a5fed3392fe8b23c49bb2da8R69-R92)
These changes make it possible to maintain and test apps from custom
Homebrew taps within the Fleet repo, improving flexibility and
reliability for Fleet-maintained apps.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added support for three new macOS apps: Fleet Desktop, Druva inSync,
and Zoom Rooms
* Added UI icons for Fleet Desktop and Zoom Rooms
* **Enhancements**
* Fleet Desktop includes an MDM enrollment caveat and improved installer
validation for macOS installers
* Support for overriding Homebrew cask input via a local cask JSON file
* **Tests**
* Added unit coverage for local cask JSON ingestion behavior
* **Chores**
* Added a deterministic script to regenerate Homebrew custom-tap
manifests
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
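An added example, not the project's `fetchCask`, of the local-file-or-API selection this PR describes, with the check a reviewer would want around `cask_path`: the path is resolved only inside an `fs.FS` rooted at the inputs directory, so absolute paths and `..` elements are rejected before anything is read, and missing files surface `fs.ErrNotExist` instead of falling back to the network. The manifest and cask field names, the `no_check` handling, the API stub and the in-memory sample tree (which mirrors the `inputs/homebrew/custom-tap/Casks/` layout named in the PR) are assumptions.

```go
package main

import (
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"io/fs"
	"strings"
	"testing/fstest"
)

// brewCask is the subset of a Homebrew cask JSON record decoded here; the field
// names follow the formulae.brew.sh API output.
type brewCask struct {
	Token   string `json:"token"`
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"`
}

// caskInput is the manifest shape assumed for this example; cask_path is the new field.
type caskInput struct {
	Token    string `json:"token"`
	CaskPath string `json:"cask_path,omitempty"`
}

// caskFetcher resolves cask_path only inside an fs.FS rooted at the inputs
// directory, so a manifest cannot point the ingester at arbitrary files.
type caskFetcher struct {
	inputs fs.FS
	api    func(token string) ([]byte, error) // Homebrew API client; nil means offline
}

// fetchCask reads the cask from cask_path when set and otherwise asks the API,
// then applies the same sanity checks to both sources.
func (f caskFetcher) fetchCask(in caskInput) (*brewCask, error) {
	var raw []byte
	var err error
	switch {
	case in.CaskPath != "":
		if !fs.ValidPath(in.CaskPath) { // rejects "", absolute paths and ".." elements
			return nil, fmt.Errorf("cask_path %q must be a clean path relative to the inputs directory", in.CaskPath)
		}
		if raw, err = fs.ReadFile(f.inputs, in.CaskPath); err != nil {
			return nil, fmt.Errorf("read cask_path %q: %w", in.CaskPath, err)
		}
	case f.api != nil:
		if raw, err = f.api(in.Token); err != nil {
			return nil, fmt.Errorf("homebrew api for %q: %w", in.Token, err)
		}
	default:
		return nil, errors.New("no cask_path set and no API client configured")
	}
	var cask brewCask
	if err := json.Unmarshal(raw, &cask); err != nil {
		return nil, fmt.Errorf("decode cask for %q: %w", in.Token, err)
	}
	// A committed cask file is trusted input, but it is still checked: the token must
	// match the manifest, and the checksum must be usable for installer verification.
	if cask.Token != in.Token {
		return nil, fmt.Errorf("cask token %q does not match manifest token %q", cask.Token, in.Token)
	}
	if cask.URL == "" || cask.Version == "" {
		return nil, fmt.Errorf("cask %q is missing url or version", in.Token)
	}
	// Homebrew allows sha256 "no_check"; it is accepted here but means the installer
	// cannot be verified, which is worth flagging in review.
	if sum, err := hex.DecodeString(cask.SHA256); cask.SHA256 != "no_check" && (err != nil || len(sum) != 32) {
		return nil, fmt.Errorf("cask %q has an invalid sha256 %q", in.Token, cask.SHA256)
	}
	return &cask, nil
}

// caskJSON builds a minimal cask record for the constructed sample below.
func caskJSON(token, version, sum string) []byte {
	return []byte(fmt.Sprintf(`{"token":%q,"version":%q,"url":"https://example.invalid/%s-%s.pkg","sha256":%q}`,
		token, version, token, version, sum))
}

// sampleFetcher builds an in-memory inputs tree (constructed for this example,
// mirroring the PR's inputs/homebrew/custom-tap/Casks/ layout) and an API stub
// that knows one token and counts how often it is called.
func sampleFetcher() (caskFetcher, *int) {
	calls := new(int)
	inputs := fstest.MapFS{
		"homebrew/custom-tap/Casks/fleet-desktop.json": {Data: caskJSON("fleet-desktop", "1.2.0", strings.Repeat("ab", 32))},
		"homebrew/custom-tap/Casks/mismatch.json":      {Data: caskJSON("something-else", "1.0", strings.Repeat("00", 32))},
	}
	api := func(token string) ([]byte, error) {
		*calls++
		if token != "postman" {
			return nil, fmt.Errorf("formulae.brew.sh returned 404 for %q", token)
		}
		return caskJSON("postman", "12.8.4", strings.Repeat("cd", 32)), nil
	}
	return caskFetcher{inputs: inputs, api: api}, calls
}

func main() {
	f, _ := sampleFetcher()
	cask, err := f.fetchCask(caskInput{Token: "fleet-desktop", CaskPath: "homebrew/custom-tap/Casks/fleet-desktop.json"})
	if err != nil {
		panic(err)
	}
	fmt.Println(cask.Token, cask.Version, cask.URL)
}
```

`fs.ValidPath` does the confinement: `fs.FS` paths are always relative to the root the fetcher was built with, and a leading slash or any `..` element fails validation, so the manifest cannot reach outside the inputs tree even before the file is opened. Wiring the real ingester to `os.DirFS(inputsDir)` gives the same guarantee on disk.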
Automated ingestion of latest Fleet-maintained app data.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated Brave Browser to version 147.1.89.145 on macOS and Windows.
* Updated WindSurf to version 2.1.32 on macOS.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: allenhouchins <32207388+allenhouchins@users.noreply.github.com>
**Related issue:** Resolves#35173
# macOS 26 Tahoe CIS benchmark v1.0.0 (new benchmark)
Adds a brand-new policy set covering the **CIS Apple macOS 26 Tahoe
Benchmark, v1.0.0** under `ee/cis/macos-26/`. Follows the same layout as
`macos-13`/`-14`/`-15` (`cis-policy-queries.yml`, `README.md`,
`test/scripts/`, `test/profiles/`).
## Coverage
| Section | Title | Status |
|---|---|---|
| 1 | Install Updates, Patches and Additional Security Software | complete (6/6 automated) |
| 2 | System Settings | complete (all automated across §2.1–§2.18) |
| 3 | Logging and Auditing | complete (5/5 automated) |
| 4 | Network Configurations | complete (3/3 automated) |
| 5 | System Access, Authentication and Authorization | complete (19/19 automated) |
| 6 | Applications | complete (7/7 automated) |
| 7 | Supplemental | skipped (per Fleet convention) |
Total automated policies shipped: **89**. Manual-assessment
recommendations are documented in `ee/cis/macos-26/README.md` under
**Limitations**.
## Notable query/format choices
- **Combined-key profiles per CIS instructions.** §2.2.1+§2.2.2
(Firewall + Stealth Mode) are shipped as a single
`2.2.1-and-2.2.2.mobileconfig` because CIS explicitly requires both keys
in the same profile. §2.6.5 (Gatekeeper) and §2.11.2 (screensaver
wake-password + delay) follow the same pattern.
- **§2.5.2.1 (Siri)** uses the new `allowAssistant=false` key on
`com.apple.applicationaccess`, replacing the deprecated
`com.apple.ironwood.support` payload from earlier benchmarks.
- **§2.6.3.2** uses the spaced literal key `Siri Data Sharing Opt-In
Status` (integer 2) on `com.apple.assistant.support` — the v1.0.0
PayloadType move from `com.apple.applicationaccess`.
- **§5.1.6, §5.1.7, §3.1, §5.7** use fleetd-only osquery tables
(`find_cmd`, `authdb`, `pwd_policy`, `dscl`, etc.) and are flagged
`(Fleetd Required)` in the policy descriptions.
- **§2.10.1.2** (Apple Silicon sleep ≤15 min) default-passes on Intel
hosts via a `system_info.cpu_type` check.
## Test artifacts added
| Type | Count | Location |
|---|---|---|
| Pass scripts | 48 | `ee/cis/macos-26/test/scripts/CIS_*_pass.sh` |
| Fail scripts | 46 | `ee/cis/macos-26/test/scripts/CIS_*_fail.sh` |
| Pass-only scripts | 2 | `CIS_1.1.sh`, `CIS_5.1.6.sh` |
| MDM profiles | 37 | `ee/cis/macos-26/test/profiles/*.mobileconfig` |
Profile-only recommendations (§2.3.1.x AirDrop/AirPlay, §2.5.x Apple
Intelligence, §2.6.3.x Analytics, §6.x Safari/Terminal) ship with a
`.mobileconfig` only and no script counterpart, since CIS marks them as
configurable solely via profile.
## Documentation updates
| File | Change |
|---|---|
| `ee/cis/macos-26/README.md` | New file — coverage table, limitations, per-section notes (query patterns, fleetd dependencies, FDA requirements). |
| `ee/cis/CIS-BENCHMARKS.md` | Added `macos-26/` to the directory layout; updated **Query patterns** doc to include the `EXISTS`/`NOT EXISTS` user-vs-system-scope guidance and `username = ''` notes. |
| `ee/cis/prompt.md` | Refreshed authoring prompts with macOS-26 conventions (combined-key profiles, fleetd-table flagging). |
| `tools/cis/cis-test-runner.py` | Minor adjustments to support the new benchmark directory. |
| `changes/35173-cis-macos-26-v1` | User-visible change note. |
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added macOS 26 CIS Benchmark v1.0.0 with comprehensive configuration
profiles to enforce recommended system and app settings (updates,
firewall/stealth, privacy, backups, FileVault, Safari, Terminal, etc.).
* **Tests**
* Added extensive pass/fail remediation and validation scripts for CIS
controls across macOS subsystems; test runner updated to include macOS
26 support and mark an SSH-related control as manual.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Changes:
- Updated the vulnerability dashboard's `update-reports` script to use
the list software versions API endpoint
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Release Notes
* **Bug Fixes**
* Improved vulnerability report accuracy by updating the system to
identify affected hosts using software version-specific identifiers
instead of general software IDs, enabling more precise tracking and
impact analysis across vulnerable and critical software categories.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Rename Homebrew input for Linear from `linear-linear` to `linear` and
update slug paths accordingly. Update
ee/maintained-apps/outputs/apps.json and website routes to use
`linear/darwin` and the `/software-catalog/linear` route. Add
ee/maintained-apps/outputs/linear/darwin.json with version 1.28.13
metadata, installer/uninstall script refs and scripts, queries, and
sha256. This normalizes naming and exposes the Darwin package for
Linear.
Wrap $INSTALLER_PATH in quotes when calling realpath to compute TMPDIR
to avoid word-splitting for paths containing spaces. Updated the
homebrew script builder and multiple installer scripts (dbeaver
variants, evernote, github-desktop, grammarly, logi-options-plus,
microsoft-edge, omnigraffle, royal-tsx) and bumped the install script
refs in firefox and firefox@esr darwin outputs to the updated script.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#43712
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Enhanced Homebrew installation scripts for multiple applications to
properly handle installer paths containing spaces and special
characters. Affected applications include DBeaver Enterprise, DBeaver
Lite, DBeaver Ultimate, Evernote, GitHub Desktop, Grammarly Desktop,
Logi Options+, Microsoft Edge, OmniGraffle, Royal TSX, and Firefox.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Automated ingestion of latest Fleet-maintained app data.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated supported versions for 20+ third-party applications across
multiple platforms, including Claude, Cursor, Discord, Firefox ESR,
Google Chrome, Microsoft Office suite, Notion, Ollama, Opera, Postman,
Raycast, Sketch, Visual Studio Code, Wacom Tablet drivers, WhatsApp, and
Windsurf to enable deployment of latest releases.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: mostlikelee <16102903+mostlikelee@users.noreply.github.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#41592
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
- [x] Timeouts are implemented and retries are limited to avoid infinite
loops
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Fixed SSO failures when a custom Apple MDM URL is configured: callback
requests are now redirected to the configured MDM URL when needed, and
SAML validation correctly considers the configured MDM/server URLs so
authentication succeeds for custom MDM setups.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Automated ingestion of latest Fleet-maintained app data.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated version metadata and installer information for maintained
applications across macOS and Windows platforms. Version updates applied
to Figma, Firefox, Firefox ESR, Granola, Microsoft Outlook, Notion,
Ollama, Podman Desktop, PyCharm, and Warp, each with new installer URLs
and verification checksums for security and integrity.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: mostlikelee <16102903+mostlikelee@users.noreply.github.com>
Changes:
- Updated the fleet-agent-downloader app's dependencies (Added
`sails-postgresql`, and removed `@sailshq/socket.io-redis`)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated backend dependencies for the fleet agent downloader service to
improve database connectivity and stability.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Changes:
- Updated the configuration in the ee/fleet-agent-downloader app to
disable the sockets hook and to use environment variables set by Heroku
add-ons (`DATABASE_URL` and `REDIS_URL`) in production
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Configured database setup with PostgreSQL and SSL/TLS support.
* Enabled Redis-backed session storage with TLS security configuration.
* Disabled sockets hook in core configuration.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#43659
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
- [ ] Timeouts are implemented and retries are limited to avoid infinite
loops
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [x] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one host's records do not affect another)
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Preserves install scripts for script-only software installers when
using hash-based references in GitOps, preventing self-service installs
from silently no‑opping.
* **Tests**
* Added an integration regression test to verify batch installer
resolution by hash preserves uploaded install script contents.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Automated ingestion of latest Fleet-maintained app data.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated release version metadata and associated installer integrity
checksums for maintained applications. Updated apps include: Grammarly
macOS (1.163.0), Loom macOS (0.346.3), Microsoft Edge Windows
(147.0.3912.86), NordPass macOS (7.6.18), Postman macOS and Windows
(12.8.1), Slack Windows (4.49.89), Tor Browser macOS (15.0.11), and
Transmit macOS (5.11.6).
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: allenhouchins <32207388+allenhouchins@users.noreply.github.com>
Automated ingestion of latest Fleet-maintained app data.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated Slack macOS app version metadata for patch tracking.
* Marked Google Gemini app as frozen to pause automatic updates.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: allenhouchins <32207388+allenhouchins@users.noreply.github.com>
Co-authored-by: Allen Houchins <allenhouchins@mac.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#43789
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
- [x] Timeouts are implemented and retries are limited to avoid infinite
loops
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* View and download the default automatic MDM (Apple Setup Assistant)
enrollment profile via a new endpoint.
* Shows a last-updated timestamp when present; returns the in‑app
default with no timestamp if none is stored.
* **Access**
* Access follows existing team and global permission rules; not
available on Free-tier licenses.
* **Tests**
* Added unit and integration tests covering endpoint behavior and access
controls.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Register Google Gemini for macOS: add a Homebrew input
(ee/maintained-apps/inputs/homebrew/gemini.json), update apps index
(ee/maintained-apps/outputs/apps.json), and add a darwin output with
installer/uninstaller scripts and version 1.49.2.233
(ee/maintained-apps/outputs/google-gemini/darwin.json). Also add
frontend icon component and asset
(frontend/pages/SoftwarePage/components/icons/Gemini.tsx, updated icon
index) and a 60x60@2x PNG app icon
(website/assets/images/app-icon-google-gemini-60x60@2x.png). Includes
installer URL and script refs for install/uninstall, plus app relaunch
handling.
Automated ingestion of latest Fleet-maintained app data.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated maintained-app metadata for 7-Zip (26.01), Discord (0.0.388),
Nextcloud (33.0.3), Parallels Desktop (26.3.2), Textexpander (8.4.3),
and Zen Browser (1.19.10b) with corresponding installer checksums and
references.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: mostlikelee <16102903+mostlikelee@users.noreply.github.com>
Automated ingestion of latest Fleet-maintained app data.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated Docker Desktop application support to version 4.71.0 for macOS
and Windows platforms.
* Updated Postman application support to version 12.8.0 for macOS and
Windows platforms.
* Updated Rider application support to version 2026.1.1 for macOS
platform.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: mostlikelee <16102903+mostlikelee@users.noreply.github.com>
Automated ingestion of latest Fleet-maintained app data.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated version support for Notepad++ (8.9.4), Signal for macOS
(8.8.0), and Stats for macOS (2.12.12).
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: mostlikelee <16102903+mostlikelee@users.noreply.github.com>
Automated ingestion of latest Fleet-maintained app data.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated Cursor (macOS and Windows) to version 3.2.10
* Updated Draw.io Desktop (macOS) to version 29.7.9
* Updated Zen Browser (macOS) to version 1.19.9b
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: mostlikelee <16102903+mostlikelee@users.noreply.github.com>
This pull request adds support for the Zen Browser across the
application, including its metadata, installation scripts, and UI icon.
The changes ensure Zen Browser is now recognized as a maintained app,
can be installed/uninstalled via scripts, and displays its icon in the
frontend.
**Zen Browser Integration**
* Added Zen Browser metadata to the maintained apps input (`zen.json`)
and output (`apps.json`) files, making it available in the maintained
apps list.
[[1]](diffhunk://#diff-1227fd3d4a73fdd49df2d7e2977fc94f56c8fe606a444ae5d995916abbbccdb5R1-R8)
[[2]](diffhunk://#diff-4c1446cfc02c6bb0bda874481e333c65b84e184fcea52f656b49a6489f73c9c2R1957-R1963)
* Created a new versioned output file for Zen Browser
(`zen/darwin.json`), including installer and uninstaller scripts,
version information, and download details.
**Frontend/UI Updates**
* Added a new React SVG icon component for Zen Browser (`Zen.tsx`).
* Registered the Zen icon in the icon index and mapped the "zen"
software name to the new icon, enabling its display in the UI.
[[1]](diffhunk://#diff-628095892e1d16090be1db6cc1a5c9cebc65248c32a8b1312385394818f2907bR249)
[[2]](diffhunk://#diff-628095892e1d16090be1db6cc1a5c9cebc65248c32a8b1312385394818f2907bR514)
Automated ingestion of latest Fleet-maintained app data.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated version tracking for 24+ applications to enable proper
recognition of latest releases. Supported apps include 1Password, Brave,
Adobe Acrobat Reader, Arc, CLion, Clockify, GoLand, Granola, Microsoft
Office apps, Miro, OBS Studio, Ollama, Opera, PhpStorm, Postman,
ProtonVPN, RubyMine, RustRover, Spotify, WebStorm, and others. Updated
with latest installer URLs and verification checksums.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: mostlikelee <16102903+mostlikelee@users.noreply.github.com>
Resolves#33557
The teams.name column uses utf8mb4_unicode_ci, so names like "ABC" and
"abc" compare as equal at the database level. Before this change name
collisions were handled in different ways in the UI and in GitOps.
The changes introduced here consolidate the logic used for detecting
name collisions in all code paths. All conflicts return 409 with the
canonical copy "Fleet names must differ by at least one non-special
character (case-insensitive)."
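A shared collision check of the kind the commit describes, written as an added example rather than Fleet's own code: it assumes a "special" character is anything that is not a letter or digit, and `normalizeFleetName`, `namesCollide`, `ConflictError` and `checkNewName` are names chosen here, not Fleet identifiers.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Added example, not Fleet's code: one normalization rule shared by every
// code path (UI and GitOps) so "ABC" and "abc" are rejected just as the
// utf8mb4_unicode_ci column compares them. Assumption: a "special" character
// is any rune that is not a letter or digit. Caveat: utf8mb4_unicode_ci is
// also accent-insensitive ("é" == "e"), which this rule does not replicate.
func normalizeFleetName(name string) string {
	var b strings.Builder
	for _, r := range name {
		if unicode.IsLetter(r) || unicode.IsDigit(r) {
			b.WriteRune(unicode.ToLower(r))
		}
	}
	return b.String()
}

// namesCollide reports whether two names would be treated as the same fleet.
func namesCollide(a, b string) bool {
	return normalizeFleetName(a) == normalizeFleetName(b)
}

// ConflictError carries the canonical message quoted in the commit; callers
// map it to HTTP 409 so every path reports the collision identically.
type ConflictError struct{ Name string }

func (e *ConflictError) Error() string {
	return fmt.Sprintf("fleet %q: Fleet names must differ by at least one non-special character (case-insensitive).", e.Name)
}

// checkNewName validates candidate against names already stored; existing is
// a constructed stand-in for the database lookup.
func checkNewName(existing []string, candidate string) error {
	for _, name := range existing {
		if namesCollide(name, candidate) {
			return &ConflictError{Name: candidate}
		}
	}
	return nil
}

func main() {
	existing := []string{"Workstations", "Servers"} // constructed stored names
	fmt.Println(checkNewName(existing, "work-stations")) // conflict: same non-special characters
	fmt.Println(checkNewName(existing, "Laptops"))       // <nil>
}
```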
**Related issue:** Resolves#35171
# macOS 15 CIS benchmark v1.1.0 → v2.0.0 change set
## Policy changes
| CIS ID | Policy name (new) | Change type | Effect |
|---|---|---|---|
| 1.1 | CIS - Ensure Apple-provided Software Updates Are Installed (Fleetd Required) | Modified | Renamed from "Ensure All Apple-provided Software Is Current"; resolution expanded with terminal `softwareupdate -i -a` method; `cis_id` added. Query unchanged (still uses fleetd's `software_update` table). |
| 1.6 | CIS - Ensure Software Update Deferment Is Less Than or Equal to 30 Days (MDM Required) | Modified | Added Apple-deprecation note to description; `cis_id` added. Query unchanged. |
| 1.7 | CIS - Ensure XProtect Is Running and Updated | Removed | Deleted — v2.0.0 removed 1.7 from the numbered benchmark and moved it to Supplemental section 7.4. Per authoring outline, Fleet does not track section 7+ recommendations. |
| 2.1.1.1 | CIS - Ensure iCloud Passwords & Keychain is enabled/disabled (MDM Required) | Modified | Renamed from "iCloud Keychain" to match v2.0.0's "Audit iCloud Passwords & Keychain"; Description, Rationale, and Impact Statement updated from the new PDF; `cis_id` added to both enable/disable variants. Query unchanged (`allowCloudKeychainSync` key is the same). |
| 2.3.1.1 | CIS - Ensure AirDrop Is Disabled (MDM Required) | Modified | Added note to resolution stating AirDrop can only be toggled via configuration profile; `cis_id` added. Query unchanged. |
| 2.3.3.4 | CIS - Ensure Remote Login Is Disabled | Modified | Description rewritten to match v2.0.0 text; terminal remediation (`systemsetup -setremotelogin off`) added to resolution; `cis_id` added. Query unchanged (still checks `disabled.plist`). |
| 2.6.3.1, 2.6.3.2, 2.6.3.3, 2.6.3.4 | CIS - Ensure Sending Diagnostic and Usage Data to Apple Is Disabled (MDM Required) | Modified | **Query change**: Siri Data Sharing Opt-In Status check moved from `com.apple.applicationaccess` → `com.apple.assistant.support` domain to track v2.0.0's new PayloadType; `cis_id` added (combined). |
| 2.4.1 | CIS - Ensure Show Wi-Fi status in Menu Bar Is Enabled (MDM Required) | Removed | Deleted — recommendation removed in v2.0.0. |
| 2.4.2 | CIS - Ensure Show Bluetooth Status in Menu Bar Is Enabled (MDM Required) | Removed | Deleted — recommendation removed in v2.0.0 (replaced by Manual 2.4.1 "Audit Menu Bar and Control Center Icons"). |
| 6.1.1 | CIS - Ensure Show All Filename Extensions Setting is Enabled | Removed | Deleted — recommendation downgraded to Manual in v2.0.0. |
Policy count: 113 → 109.
## Test artifacts added
| Target CIS ID | File | Type | Notes |
|---|---|---|---|
| 2.3.3.4 | `ee/cis/macos-15/test/scripts/CIS_2.3.3.4_pass.sh` | pass script | `systemsetup -setremotelogin off` |
| 2.3.3.4 | `ee/cis/macos-15/test/scripts/CIS_2.3.3.4_fail.sh` | fail script | `systemsetup -setremotelogin on` |
| 1.6 | `ee/cis/macos-15/test/profiles/1.6.mobileconfig` | MDM profile | Sets `enforcedSoftwareUpdateDelay=30`, `forceDelayedSoftwareUpdates=true` |
| 2.3.1.1 | `ee/cis/macos-15/test/profiles/2.3.1.1.mobileconfig` | MDM profile | Sets `allowAirDrop=false` |
| 2.6.3.2 | `ee/cis/macos-15/test/profiles/2.6.3.2.mobileconfig` | MDM profile | Four payloads covering the combined Fleet query: Siri opt-in (new v2.0.0 domain), AutoSubmit, allowDiagnosticSubmission, AXSAudioDonationSiriImprovementEnabled |
No test added for 1.1 — query depends on live OS update state (fleetd
`software_update` table) and cannot be toggled by a script or profile.
No test added for 2.1.1.1 — it is an org-decision Audit recommendation
(Fleet ships both enable and disable variants); one of the two policies
fails by construction regardless of system state.
## Documentation updates
| File | Change |
|---|---|
| `ee/cis/macos-15/README.md` | Benchmark version bumped v1.1.0 → v2.0.0. Limitations list renumbered to v2.0.0 section numbers; added 2.4.1 (new "Audit Menu Bar and Control Center Icons") and 6.1.1 (now Manual "Audit Show All Filename Extensions"). Org-decision entry renamed from "Audit iCloud Keychain" to "Audit iCloud Passwords & Keychain" to match v2.0.0 terminology. |
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#42948
- Updated `(mos *MacOSSetup) Validate()` and `(mos *MacOSSetup) SetDefaultsIfNeeded()` to account for new fields
- Updated default creation and editing for team edit/creation paths
- Updated `generate-gitops` warning message from `macos_setup` to `setup_experience`
- Updated field types to optjson and updated test files
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
- [ ] Timeouts are implemented and retries are limited to avoid infinite
loops
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [x] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one host's records do not affect another)
- [x] QA'd all new/changed functionality manually
- Team edit and team creation through GitOps, validated config with `curl -k -X GET 'https://localhost:8080/api/v1/fleet/fleets/:id'`
- New error message says `setup_experience` instead of `macos_setup`
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added macOS MDM settings to control local account behavior: enable
managed local accounts (default false) and specify end-user local
account type (default "admin") for fleet and team configs. GitOps output
now highlights unsupported setup-experience cases.
* **Tests**
* Updated fixtures and integration tests to assert and persist the new
macOS local-account settings across config, team, and GitOps scenarios.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->