<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#44330, Resolves#44331
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests. (I'd defer integration tests to a
separate PR since this one is pretty large already.)
- [x] QA'd all new/changed functionality manually. I've tested this on
both the setup flow and the organization settings page. I haven't had
the time to test this on other places where we render the logo (macOS
setup experience / MDM migration dialog).
https://github.com/user-attachments/assets/95d4eae5-3da6-40f4-98a1-8575b97d96b3
## New Fleet configuration settings
- [x] Setting(s) is/are explicitly excluded from GitOps.
Will handle GitOps in a separate PR.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Organizations can upload custom logos for light and dark modes.
* Registration and Org Settings support logo file upload, preview,
per-mode replace/delete, and validation (size & image formats).
* Activity feed records logo changes/deletions; site nav displays
uploaded logos per theme.
* File uploader/preview adds a Fleet logo graphic option and improved
logo validation.
* Config/GitOps outputs now include separate dark/light logo fields.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Added a checkbox for the setup experience page.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#42854
<img width="598" height="373" alt="image"
src="https://github.com/user-attachments/assets/4842190f-f9f8-401f-a9e2-61c5755fb5be"
/>
---
<img width="444" height="377" alt="image"
src="https://github.com/user-attachments/assets/e9da5e65-1b09-4b05-ab8c-a5099866704d"
/>
---
<img width="458" height="387" alt="image"
src="https://github.com/user-attachments/assets/bf10b747-805b-4484-a90f-7700ba177098"
/>
# Checklist for submitter
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added Windows support to the MDM setup experience so admins can
require all software during Windows device setup, saved independently
from macOS.
* **UI**
* Checkbox label clarified to "Cancel setup if software fails".
* Windows checkbox is disabled when Windows MDM is not configured and
shows a contextual tooltip.
* **Tests**
* Added tests covering Windows UI states and save behavior.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
### Needs #44236
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#43790
<img width="1109" height="511" alt="image"
src="https://github.com/user-attachments/assets/256560ee-0d70-4fff-b553-37e46224a54a"
/>
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information. Added in backend PR
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
- [x] Timeouts are implemented and retries are limited to avoid infinite
loops
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [ ] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Setup Assistant now fetches and shows a default Apple enrollment
profile when a team profile is missing, including its loading state
before showing the uploader.
* **User-facing behavior**
* Default profile can be viewed and downloaded immediately; download
uses a fixed filename and formatted JSON.
* **Documentation**
* Added a "Learn more" link to the Setup Assistant section.
* **Style**
* Default profile card uses a distinct background, smaller description
text, and hides the delete action.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** For #43769
# Details
This PR adds "Hosts active" and "Hosts enrolled" charts to the
dashboard.
New components:
* **ChartCard.tsx**: encapsulates a visualization-agnostic chart, for
data provided by the new `/charts` endpoint created in
https://github.com/fleetdm/fleet/pull/43910
* **ChartFilterModal.tsx**: modal for setting filters on a chart.
Currently supports filtering by label, platform and individual host.
* **CheckerboardViz.tsx**: a checkerboard visualization for use in
ChartCard. Capable of charting 1, 7, 14 or 30 days at a time, although
only 30 day charts are used right now. Bespoke rendering using SVG,
since recharts scatterchart was harder to wrangle than it was worth.
* **LineChartViz.tsx**: a line-chart visualization using Recharts
* **HostsEnrolledCard.tsx**: a bar chart of enrolled hosts using
Recharts
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [X] Added/updated automated tests
- [X] QA'd all new/changed functionality manually
- With backend provided by https://github.com/fleetdm/fleet/pull/43910:
<img width="1426" height="428" alt="image"
src="https://github.com/user-attachments/assets/0f53b9d1-c87b-4225-a175-2d40af5afe41"
/>
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Dashboard now shows interactive "Hosts active" (line/heatmap) and
"Hosts enrolled" (bar) charts with metric selection, filter modal
(labels/platforms/hosts), legends, tooltips, and responsive layout.
* **Tests**
* Added comprehensive tests covering chart rendering, checkerboard
heatmap, and no-data states.
* **Chores**
* Added charting library dependency to support visualizations.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
**Related issue:** Resolves#42879
* Full UI for API-only user management: create/edit flows, fleet/role
assignment, selectable API endpoint permissions, and one-time API key
display.
* New reusable components: API user form, endpoint selector, API access
section, and API key presentation.
* Admin workflow switched from in-page modals to dedicated pages and
streamlined action dropdown navigation.
* Layout and styling refinements for user management, team lists, and
dropdown behaviors.
---------
Co-authored-by: Juan Fernandez <juan@fleetdm.com>
## Issue
- First batch of @iansltx 's work of cleaning up lint warnings #43387
## Description
- Quick PR review and grabbed as many confirmed low-risk quick wins as I
could `git checkout lint-cleanup <file/path/1> <file/path/2>`
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Release Notes
This release contains internal code improvements with one minor UI
tweak:
* **Style**
* Dropdown menu background color adjusted for clearer contrast in action
lists
* **Refactor**
* Improved type safety across the codebase with stricter TypeScript
annotations
* Removed unused imports and constants to reduce code clutter
* Enhanced React hook dependency arrays for more consistent component
behavior
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Rachel Perkins <rachel@Rachels-MacBook-Pro.local>
Co-authored-by: Ian Littman <iansltx@gmail.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#42369
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information. **Done in backend task for whole story**
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
- [x] Timeouts are implemented and retries are limited to avoid infinite
loops
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added "Clear passcode" action for iOS and iPad hosts in the host
actions menu, accessible only to Premium tier users with appropriate
permissions.
* Added confirmation modal for clearing device passcodes.
* Passcode clearing activity now appears in the activity feed with actor
information.
* Action is conditionally disabled during specific device states (Lost
Mode, pending wipe) with contextual tooltips.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#41601
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Details
This PR updates the front end to use the following renamed API keys:
* bootstrap_package -> macos_bootstrap_package
* manual_agent_install -> macos_manual_agent_install
* enable_release_device_manually -> apple_
enable_release_device_manually
* script -> macos_script
* macos_setup -> setup_experience
* macos_settings -> apple_settings
* custom_settings -> configuration_profiles
* macos_setup_assistant -> apple_setup_assistant
It also ensures that consumers of the "get fleet config" API pull from
the `.fleet` property rather than `.team`, so that they can use all of
the newly renamed response fields.
## Summary by CodeRabbit
* **Refactor**
* Restructured Mobile Device Management configuration for Apple devices,
reorganizing setup experience, bootstrap package, and device
configuration field organization.
* Updated filter terminology and query parameters throughout device
management interfaces, improving how users filter and navigate Apple
device settings.
* Enhanced configuration field naming conventions for better clarity and
maintainability across device management features.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [X] Added/updated automated tests
- [X] QA'd all new/changed functionality manually
---
Manual Test Plan
Prerequisites
- Fleet server with MDM enabled (macOS at minimum)
- At least one macOS host enrolled in Fleet MDM
- A team configured with setup experience settings
---
1. Manage Hosts — Filters
- [X] macOS settings filter:
- Go to Hosts > Manage Hosts
- Filter by macOS settings status (e.g. Pending, Verified, Failed)
- Verify the filter applies and hosts list updates
- Check that the URL contains apple_settings=<status>
- Copy the URL, paste it in a new tab — verify the filter is still
applied
- Manually edit the URL to use macos_settings=<status> instead — verify
it still works (backward compat)
- Clear the filter pill — verify both apple_settings and macos_settings
are removed from the URL
- [X] Bootstrap package filter:
- Filter by bootstrap package status
- Verify the URL contains macos_bootstrap_package=<status>
- Manually edit the URL to use bootstrap_package=<status> — verify it
still works
- Clear the filter pill — verify both params are removed
---
2. Setup Experience (Controls Page)
- [X] Bootstrap package:
- Go to Controls > Setup experience for a team
- Upload a bootstrap package — verify it appears in the table
- Toggle the "manual agent install" advanced option on/off — verify it
saves
- Delete the bootstrap package — verify it's removed
- In the bootstrap package table, click "View all hosts" link for a
status row — verify it navigates to Manage Hosts with
macos_bootstrap_package in the URL
- [X] End user authentication:
- Toggle end user authentication on/off for a team and for "No team"
- Verify the toggle reflects the saved state after page reload
- [X] Setup assistant:
- Upload a setup assistant profile
- Verify the "release device manually" toggle works for both a team and
"No team"
- [X] Install software:
- Verify the "require all software" checkbox reflects the correct saved
state for both team and "No team"
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#41541, #42293
- [x] Changes file added for user-visible changes in `changes/`
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#33418 (this OS update change is unrelated
to the bigger Windows delete part of the story)
<img width="598" height="438" alt="image"
src="https://github.com/user-attachments/assets/7dca50c6-5ca4-4c54-b57f-c98dda5fb4d1"
/>
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Windows update deadline and grace period settings can now be cleared,
allowing removal of update enforcement policies.
* **Bug Fixes**
* Updated validation logic to properly handle empty deadline and grace
period fields.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#41533
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [ ] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
https://github.com/user-attachments/assets/64a5f726-1e9f-4508-8726-6227813dcc77
Below I show the `Report clipped` and the `X additional results not
shown` states. For that, I manually inserted records in my DB:
```sql
-- make "clipped"
INSERT INTO query_results (query_id, host_id, last_fetched, data)
SELECT 1, t.n + 1000, NOW(), '{"fake_key": "fake_value"}'
FROM (
SELECT a.N + b.N * 10 + c.N * 100 AS n
FROM (SELECT 0 AS N UNION SELECT 1 UNION SELECT 2 UNION SELECT 3 UNION SELECT 4 UNION SELECT 5 UNION SELECT 6 UNION SELECT 7 UNION SELECT 8 UNION
SELECT 9) a,
(SELECT 0 AS N UNION SELECT 1 UNION SELECT 2 UNION SELECT 3 UNION SELECT 4 UNION SELECT 5 UNION SELECT 6 UNION SELECT 7 UNION SELECT 8 UNION
SELECT 9) b,
(SELECT 0 AS N UNION SELECT 1 UNION SELECT 2 UNION SELECT 3 UNION SELECT 4 UNION SELECT 5 UNION SELECT 6 UNION SELECT 7 UNION SELECT 8 UNION
SELECT 9) c
) t
WHERE t.n BETWEEN 1 AND 999;
-- populate extra query results
INSERT INTO query_results (query_id, host_id, last_fetched, data)
VALUES
(1, 2, NOW(), '{"pid": "9999", "version": "5.21.0"}'),
(1, 2, NOW(), '{"pid": "8888", "version": "5.20.0"}');
```
https://github.com/user-attachments/assets/8056ea4c-b042-47cf-a05f-ee9d8621252a
Pagination (manually changed to 3 items per page for testing purposes)
https://github.com/user-attachments/assets/87a97259-0821-4659-a612-c952e98a158c
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#40724
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
Deletes a code file that's not referenced by anything and keeps causing
me merge conflicts.
JS linter and tests pass without it, which tells you everything you need
to know 🔪
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#41391
# Details
This PR updates front-end API calls to use new URLs and API params, so
that the front end doesn't cause deprecation warnings to appear on the
server.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
n/a, should not be user-visible
## Testing
- [X] Added/updated automated tests
- [ ] QA'd all new/changed functionality manually
The biggest risk here is not that we missed a spot that still causes a
deprecation warning, but that we might inadvertently make a change that
breaks the front end, for instance by sending `fleet_id` to a function
that drops it silently and thus sends no ID to the server. Fortunately
we use TypeScript in virtually every place affected by these changes, so
the code would not compile if there were mismatches between the API
expectation and what we're sending. Still, spot checking as many places
as possible both for deprecation-warning leaks and loss of functionality
is important.
## Summary by CodeRabbit
* **Refactor**
* Updated API nomenclature across the application to use "fleets"
instead of "teams" and "reports" instead of "queries" in endpoint paths
and request/response payloads.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#39781
- [x] Changes file added for user-visible changes in `changes/`
- [x] Added/updated automated tests
- [ ] QA'd all new/changed functionality manually - TODO with wip
backend work
- [x] Verified that any relevant UI is disabled when GitOps mode is
enabled
**Related issue:** Resolves#41262
This extends the expiration date for the host auth token cookie.
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#39723
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`
- [x] Added/updated automated tests
- [ ] QA'd all new/changed functionality manually
- [x] With spoofed data
- [ ] Integrated with backend (wip)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Recovery Lock Passwords: new OS Settings card to enable/disable
enforcement and save changes.
* Host Actions: view a host's Recovery Lock password via a modal from
the host actions menu.
* Activity tracking: new activity entries for viewing, setting,
enabling, and disabling Recovery Lock passwords.
* Navigation: added a dedicated route for Passwords under OS Settings.
* **Documentation**
* Updated guidance for updating local config after an update to ensure
latest values.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
**Related issue:** Resolves#38669
Added the ability to lock end user info on the end use auth section of
the setup experience page
<img width="468" height="372" alt="image"
src="https://github.com/user-attachments/assets/a5f4e21b-3a1e-4631-b0d4-e3d833a4484c"
/>
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
- [x] QA'd all new/changed functionality manually
**Related issue:** Resolves#14401
# Checklist for submitter
this updates the mechanism of storing the auth token for a user that is
used for making requests and validating a user session. We change the
storage from local storage to a cookie. This allow a bit more security
and prepares for a future change where we will allow the browser to
handle setting and passing the auth token in the request.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#40170
# Details
Fixes an unreleased issue where when attempting to modify a fleet enroll
secret, you get a 400 response indicating that both team_id and fleet_id
params are being sent. The request was piping the "get enroll secrets"
response back into the "modify enroll secrets"
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
n/a, unreleased bug
## Testing
- [ ] Added/updated automated tests
- [X] QA'd all new/changed functionality manually
On main: reproduced issue when attempting to add secret to a fleet
On branch: secret added successfully
For unreleased bug fixes in a release candidate, one of:
- [X] Confirmed that the fix is not expected to adversely impact load
test results
**Related issue:** Resolves#39000
<img width="1014" height="626" alt="Screenshot 2026-02-10 at 8 44 22 PM"
src="https://github.com/user-attachments/assets/9d66906f-732e-4376-83c7-24b4deda7665"
/>
- [x] Changes file added for user-visible changes in `changes/
- [x] Added/updated automated tests
- [ ] QA'd all new/changed functionality manually - TODO with [wip API
portion](https://github.com/fleetdm/fleet/issues/39004)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Fleet administrators can now control conditional access bypass on a
per-policy basis
* Added toggles to enable or disable bypass for individual policies
* Enhanced UI with tooltips displaying conditional access provider
configuration details
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#39303 (child of #25080).
- Added `inherited_query_count` to `ListQueriesResponse` (thought of
adding a brand new endpoint just for counting, but felt like extending
the current one was good enough). In the parent task, [it was
suggested](https://github.com/fleetdm/fleet/issues/25080#issuecomment-3326071574)
to `"Depend on team list entity endpoint's count field / team entity
count endpoint for whether or not to disable the manage automations
button"`, which Rachael approved, so I went for this approach.
- The `ManageQueryAutomationsModal` now fetches its own data with
`merge_inherited = false` (meaning it only fetches non-inherited queries
only). Previously, queries were passed down as props to it, which would
not show the queries available to automate if the first page of queries
were all inherited and the second page contained queries for that team
(the user would have to navigate to the second page for the button to be
enabled).
^ The fact that the modal fetches its own data is similar behavior to
what is currently done in `Policies`. For queries, I noticed that we
would need to add pagination within the `Manage Automations` modal, but
that can be a follow-up.
<img width="2480" height="1309" alt="Screenshot 2026-02-04 at 11 48
42 AM"
src="https://github.com/user-attachments/assets/ebac79a5-a793-4708-9313-d9a697dfd7de"
/>
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] QA'd all new/changed functionality manually
https://github.com/user-attachments/assets/119f03b9-dde1-4bb9-9fee-6204b1a58879
Resolves#37464.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
## New Fleet configuration settings
- [x] Setting(s) is/are explicitly excluded from GitOps
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** For #33391
## Testing
- [X] Added/updated automated tests
there's a number of tests for this, if they still pass we're in good
shape
- [X] QA'd all new/changed functionality manually
I tested the front-end successfully, and saw an auto-update go through
on an ipad. Also verified that the activity metadata is correct.
**Related issue:** Resolves#36867
This updates the UI to show the mdm commands for the past and upcoming
tabs in the activity card on the host details page.
# Checklist for submitter
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [ ] Added/updated automated tests
- [ ] QA'd all new/changed functionality manually
**Related issue:** Resolves#36689
<img width="1840" height="1196" alt="Screenshot 2025-12-15 at 5 08
02 PM"
src="https://github.com/user-attachments/assets/4f491c80-403f-4188-8cab-552e997c6e9c"
/>
<img width="1840" height="1196" alt="Screenshot 2025-12-15 at 5 09
18 PM"
src="https://github.com/user-attachments/assets/b6e4d9ad-40c1-45c3-8b77-e14d17a2bc7e"
/>
<img width="1840" height="1196" alt="Screenshot 2025-12-15 at 5 09
22 PM"
src="https://github.com/user-attachments/assets/661beee2-3ee2-4269-ab0b-ca070c1a40b8"
/>
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Release Notes
* **New Features**
* Added comprehensive Android certificate management in OS Settings with
create, list, and delete operations
* Integrated certificate management with premium tier gating and MDM
enablement checks
* Supports team-scoped certificates with pagination controls
* Includes validation for certificate names and certificate authority
selection
* **Refactor**
* Generalized heading component to support multiple entity types beyond
configuration profiles
<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
