Added a checkbox for the setup experience page.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#42854
<img width="598" height="373" alt="image"
src="https://github.com/user-attachments/assets/4842190f-f9f8-401f-a9e2-61c5755fb5be"
/>
---
<img width="444" height="377" alt="image"
src="https://github.com/user-attachments/assets/e9da5e65-1b09-4b05-ab8c-a5099866704d"
/>
---
<img width="458" height="387" alt="image"
src="https://github.com/user-attachments/assets/bf10b747-805b-4484-a90f-7700ba177098"
/>
# Checklist for submitter
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added Windows support to the MDM setup experience so admins can
require all software during Windows device setup, saved independently
from macOS.
* **UI**
* Checkbox label clarified to "Cancel setup if software fails".
* Windows checkbox is disabled when Windows MDM is not configured and
shows a contextual tooltip.
* **Tests**
* Added tests covering Windows UI states and save behavior.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Follow up from comments on: #44253
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Refactor**
* Improved component styling architecture to follow modern CSS naming
conventions, enhancing code maintainability and consistency across the
setup assistant profile card. No changes to user-facing functionality or
appearance.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
### Needs #44236
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#43790
<img width="1109" height="511" alt="image"
src="https://github.com/user-attachments/assets/256560ee-0d70-4fff-b553-37e46224a54a"
/>
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information. Added in backend PR
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
- [x] Timeouts are implemented and retries are limited to avoid infinite
loops
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [ ] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Setup Assistant now fetches and shows a default Apple enrollment
profile when a team profile is missing, including its loading state
before showing the uploader.
* **User-facing behavior**
* Default profile can be viewed and downloaded immediately; download
uses a fixed filename and formatted JSON.
* **Documentation**
* Added a "Learn more" link to the Setup Assistant section.
* **Style**
* Default profile card uses a distinct background, smaller description
text, and hides the delete action.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#40702
New look:
<img width="812" height="350" alt="image"
src="https://github.com/user-attachments/assets/83e82480-b756-4c51-be3f-09a72e736770"
/>
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
- [x] Timeouts are implemented and retries are limited to avoid infinite
loops
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Simplified pending status labels in OS Settings modal by removing
"(pending)" suffix from states like "Enforcing" and "Removing
enforcement"
* Improved OS Settings modal table layout and styling
* **New Features**
* Added dedicated action buttons to resend MDM profiles and rotate
Recovery Lock password
* Enhanced error tooltip handling for failed profile states
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Zed + Opus 4.6; prompt: Convert the InputField JSX component to
TypeScript and remove the ts-ignore directives that we no longer need
after doing so.
- [x] Changes file added
- [x] Automated tests updated
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#42184
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [ ] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [ ] QA'd all new/changed functionality manually
For unreleased bug fixes in a release candidate, one of:
- [ ] Confirmed that the fix is not expected to adversely impact load
test results
- [ ] Alerted the release DRI if additional load testing is needed
## Database migrations
- [ ] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [ ] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [ ] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
## New Fleet configuration settings
- [ ] Setting(s) is/are explicitly excluded from GitOps
If you didn't check the box above, follow this checklist for
GitOps-enabled settings:
- [ ] Verified that the setting is exported via `fleetctl
generate-gitops`
- [ ] Verified the setting is documented in a separate PR to [the GitOps
documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485)
- [ ] Verified that the setting is cleared on the server if it is not
supplied in a YAML file (or that it is documented as being optional)
- [ ] Verified that any relevant UI is disabled when GitOps mode is
enabled
## fleetd/orbit/Fleet Desktop
- [ ] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [ ] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [ ] Verified that fleetd runs on macOS, Linux and Windows
- [ ] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Release Notes
* **New Features**
* Added support for GitOps exceptions per entity type (labels, software,
secrets), allowing specific areas to bypass GitOps mode restrictions
when configured.
* **Bug Fixes**
* Improved GitOps mode behavior to properly respect per-entity-type
exception settings across software, labels, and secrets management.
* **Tests**
* Extended test coverage for GitOps exception handling scenarios.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#41601
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Details
This PR updates the front end to use the following renamed API keys:
* bootstrap_package -> macos_bootstrap_package
* manual_agent_install -> macos_manual_agent_install
* enable_release_device_manually -> apple_
enable_release_device_manually
* script -> macos_script
* macos_setup -> setup_experience
* macos_settings -> apple_settings
* custom_settings -> configuration_profiles
* macos_setup_assistant -> apple_setup_assistant
It also ensures that consumers of the "get fleet config" API pull from
the `.fleet` property rather than `.team`, so that they can use all of
the newly renamed response fields.
## Summary by CodeRabbit
* **Refactor**
* Restructured Mobile Device Management configuration for Apple devices,
reorganizing setup experience, bootstrap package, and device
configuration field organization.
* Updated filter terminology and query parameters throughout device
management interfaces, improving how users filter and navigate Apple
device settings.
* Enhanced configuration field naming conventions for better clarity and
maintainability across device management features.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [X] Added/updated automated tests
- [X] QA'd all new/changed functionality manually
---
Manual Test Plan
Prerequisites
- Fleet server with MDM enabled (macOS at minimum)
- At least one macOS host enrolled in Fleet MDM
- A team configured with setup experience settings
---
1. Manage Hosts — Filters
- [X] macOS settings filter:
- Go to Hosts > Manage Hosts
- Filter by macOS settings status (e.g. Pending, Verified, Failed)
- Verify the filter applies and hosts list updates
- Check that the URL contains apple_settings=<status>
- Copy the URL, paste it in a new tab — verify the filter is still
applied
- Manually edit the URL to use macos_settings=<status> instead — verify
it still works (backward compat)
- Clear the filter pill — verify both apple_settings and macos_settings
are removed from the URL
- [X] Bootstrap package filter:
- Filter by bootstrap package status
- Verify the URL contains macos_bootstrap_package=<status>
- Manually edit the URL to use bootstrap_package=<status> — verify it
still works
- Clear the filter pill — verify both params are removed
---
2. Setup Experience (Controls Page)
- [X] Bootstrap package:
- Go to Controls > Setup experience for a team
- Upload a bootstrap package — verify it appears in the table
- Toggle the "manual agent install" advanced option on/off — verify it
saves
- Delete the bootstrap package — verify it's removed
- In the bootstrap package table, click "View all hosts" link for a
status row — verify it navigates to Manage Hosts with
macos_bootstrap_package in the URL
- [X] End user authentication:
- Toggle end user authentication on/off for a team and for "No team"
- Verify the toggle reflects the saved state after page reload
- [X] Setup assistant:
- Upload a setup assistant profile
- Verify the "release device manually" toggle works for both a team and
"No team"
- [X] Install software:
- Verify the "require all software" checkbox reflects the correct saved
state for both team and "No team"
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#33418 (this OS update change is unrelated
to the bigger Windows delete part of the story)
<img width="598" height="438" alt="image"
src="https://github.com/user-attachments/assets/7dca50c6-5ca4-4c54-b57f-c98dda5fb4d1"
/>
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Windows update deadline and grace period settings can now be cleared,
allowing removal of update enforcement policies.
* **Bug Fixes**
* Updated validation logic to properly handle empty deadline and grace
period fields.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#29657
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
This commit introduces support for Python (.py) scripts on macOS and
Linux, including validation for Python shebangs and updates to
documentation, UI, error messages, and backend validation logic. It also
updates tests and file upload handling to recognize and properly process
Python scripts alongside existing shell (.sh) and PowerShell (.ps1)
scripts.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves #
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [ ] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [ ] QA'd all new/changed functionality manually
For unreleased bug fixes in a release candidate, one of:
- [ ] Confirmed that the fix is not expected to adversely impact load
test results
- [ ] Alerted the release DRI if additional load testing is needed
## Database migrations
- [ ] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [ ] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [ ] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
## New Fleet configuration settings
- [ ] Setting(s) is/are explicitly excluded from GitOps
If you didn't check the box above, follow this checklist for
GitOps-enabled settings:
- [ ] Verified that the setting is exported via `fleetctl
generate-gitops`
- [ ] Verified the setting is documented in a separate PR to [the GitOps
documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485)
- [ ] Verified that the setting is cleared on the server if it is not
supplied in a YAML file (or that it is documented as being optional)
- [ ] Verified that any relevant UI is disabled when GitOps mode is
enabled
## fleetd/orbit/Fleet Desktop
- [ ] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [ ] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [ ] Verified that fleetd runs on macOS, Linux and Windows
- [ ] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
---------
Co-authored-by: Jordan Montgomery <elijah.jordan.montgomery@gmail.com>
Co-authored-by: melpike <79950145+melpike@users.noreply.github.com>
Co-authored-by: jkatz01 <yehonatankatz@gmail.com>
Co-authored-by: Jonathan Katz <44128041+jkatz01@users.noreply.github.com>
## Summary
- Changed all modal "Done" dismiss/close button labels to "Close" across
48 frontend component files
- Updated instructional text in `AutoEnrollMdmModal` that referenced the
"Done" button to say "Close" instead
- Updated 7 test files to assert "Close" instead of "Done" for modal
button names
## Excluded (intentionally not changed)
- `LiveResultsHeading.tsx` — "Done" button is a page-level navigation
action, not a modal dismiss
- `AddAbmModal.tsx` — Instructional text referencing Apple Business
Manager's "Done" button
- `Calendars.tsx` — Instructional text referencing Google Calendar's
"Done" button
- `ModalFooter.stories.tsx` — Storybook demo example
Built for
[Mel](https://fleetdm.slack.com/archives/D0AKX7DJFCN/p1773674157011109?thread_ts=1773673149.649299&cid=D0AKX7DJFCN)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
---------
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
Co-authored-by: melpike <mel@fleetdm.com>
Co-authored-by: melpike <79950145+melpike@users.noreply.github.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
This PR contains identical frontend changes to those currently in
`recovery-pw-feature` - this allows separate frontend review of the code
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#41391
# Details
This PR updates front-end API calls to use new URLs and API params, so
that the front end doesn't cause deprecation warnings to appear on the
server.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
n/a, should not be user-visible
## Testing
- [X] Added/updated automated tests
- [ ] QA'd all new/changed functionality manually
The biggest risk here is not that we missed a spot that still causes a
deprecation warning, but that we might inadvertently make a change that
breaks the front end, for instance by sending `fleet_id` to a function
that drops it silently and thus sends no ID to the server. Fortunately
we use TypeScript in virtually every place affected by these changes, so
the code would not compile if there were mismatches between the API
expectation and what we're sending. Still, spot checking as many places
as possible both for deprecation-warning leaks and loss of functionality
is important.
## Summary by CodeRabbit
* **Refactor**
* Updated API nomenclature across the application to use "fleets"
instead of "teams" and "reports" instead of "queries" in endpoint paths
and request/response payloads.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#38669 Unreleased bug/Misunderstood
requirements
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* End User Authentication and lock end-user info settings now
synchronize correctly when one is updated without explicitly setting the
other.
* Validation error messages now clearly state that end-user
authentication must be enabled before locking end-user info.
* **Tests**
* Expanded test coverage for MDM configuration handling and related
scenarios.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#39781
- [x] Changes file added for user-visible changes in `changes/`
- [x] Added/updated automated tests
- [ ] QA'd all new/changed functionality manually - TODO with wip
backend work
- [x] Verified that any relevant UI is disabled when GitOps mode is
enabled
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Refactor**
* Simplified modal structures across multiple dialog components for
improved code maintainability.
* Enhanced modal component's flexibility to support broader content
types.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#39723
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`
- [x] Added/updated automated tests
- [ ] QA'd all new/changed functionality manually
- [x] With spoofed data
- [ ] Integrated with backend (wip)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Recovery Lock Passwords: new OS Settings card to enable/disable
enforcement and save changes.
* Host Actions: view a host's Recovery Lock password via a modal from
the host actions menu.
* Activity tracking: new activity entries for viewing, setting,
enabling, and disabling Recovery Lock passwords.
* Navigation: added a dedicated route for Passwords under OS Settings.
* **Documentation**
* Updated guidance for updating local config after an update to ensure
latest values.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
**Related issue:** Resolves#38669
Added the ability to lock end user info on the end use auth section of
the setup experience page
<img width="468" height="372" alt="image"
src="https://github.com/user-attachments/assets/a5f4e21b-3a1e-4631-b0d4-e3d833a4484c"
/>
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
- [x] QA'd all new/changed functionality manually
## Issue
Closes#37828
## Description
3 followups:
- Cancel checkbox should be disabled for manual agent install
- Copy change matches Figma and not previous copy text
- Ungate from Windows MDM (released bug since September 2025 caught by
@iansltx 's thorough QA)
## Screenshots of fixes
- ungated
<img width="1377" height="629" alt="Screenshot 2026-02-27 at 4 24 09 PM"
src="https://github.com/user-attachments/assets/dc6e2a21-ff32-4ad2-aa81-de07c8d4c538"
/>
- checkbox now disabled along with rest of form
<img width="1377" height="638" alt="Screenshot 2026-02-27 at 4 24 00 PM"
src="https://github.com/user-attachments/assets/c2e8fe9e-9f4c-45e5-8934-28e0b5aa2908"
/>
## Testing
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#34370
<img width="932" height="1152" alt="Screenshot 2026-02-20 at 8 23 49 AM"
src="https://github.com/user-attachments/assets/c7b6d0ae-a20e-4115-835d-5d5fb01c12bb"
/>
- [x] Changes file added for user-visible changes in `changes/`
- [x] QA'd all new/changed functionality manually
Resolves#38621, #38627, and #38623.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] Added/updated automated tests
- [X] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Release Notes
* **New Features**
* Added a new premium-tier Technician role with read/write permissions
across teams, hosts, policies, queries, and configurations.
* License validation now prevents assigning premium roles on Fleet Free
editions.
* **Bug Fixes**
* Updated role-based access controls across team management pages to
properly restrict technician access.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Updated documentation, backend, frontend, and tests to set the OS update
enforcement deadline to 19:00 (7PM) local time instead of noon. This
ensures consistency across user-facing text, API docs, configuration
files, and the MDM payload.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#38834
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
---------
Co-authored-by: Magnus Jensen <magnus@fleetdm.com>
