Commit graph

391 commits

Author SHA1 Message Date
Allen Houchins
c30648cb57
Update policy that checks launch agent plist file presence (#44731)
Replace the package_receipts-based query with a file table check for
/Library/LaunchAgents/com.fleetdm.fleet-desktop-hidden.plist. Update the
policy description and resolution to reference the plist presence and to
instruct confirming the installer drops that plist if the check fails.
Other policy fields (install_software, labels) remain unchanged.
2026-05-05 09:01:35 -05:00
Allen Houchins
c563c8b89c
Add macOS configuration for Fleet Desktop launch agent (#44693)

## Summary by CodeRabbit

* **New Features**
* Added automatic launch agent support for Fleet Desktop.app on macOS
devices, enabling the app to start automatically at system login without
user interaction
* Implemented MDM configuration profiles and policies for seamless
deployment and automatic management across macOS devices
* Added dynamic labeling capabilities to identify and track macOS hosts
with the Fleet Desktop launch agent profile installed

2026-05-04 14:33:37 -05:00
Allen Houchins
4be56c1064
Revert "Add Fleet Desktop launch agent configuration profile" (#44688)
Reverts fleetdm/fleet#44679
2026-05-04 13:40:09 -05:00
Allen Houchins
0d35759b83
Add Fleet Desktop launch agent configuration profile (#44679)
Add a new macOS configuration profile
(fleet-desktop-launchagent.mobileconfig) that configures managed
login/background items to allow Fleet Desktop.app's launch agent to run
at login without prompting the user. Also reference the profile in
it-and-security/fleets/workstations.yml so hosts labeled as having Fleet
Desktop.app installed will match the control.
2026-05-04 13:29:12 -05:00
Allen Houchins
6a5c67dbdf
Remove enrollment profile policy and test label (#44683)
Delete the macOS policy 'enrollment-profile-up-to-date' and the 'Nudge
test devices' label, and remove their references from it-and-security
manifests. Files removed:
it-and-security/lib/macos/policies/enrollment-profile-up-to-date.yml and
it-and-security/lib/all/labels/nudge-test-devices.yml; references
dropped from it-and-security/default.yml,
it-and-security/fleets/testing-and-qa.yml, and
it-and-security/fleets/workstations.yml to avoid loading deleted
artifacts.
2026-05-04 13:15:58 -05:00
Allen Houchins
16e8557f4b
Remove Fleet Desktop login item profile (#44673)
Delete the macOS configuration profile that managed Fleet Desktop as a
login item
(it-and-security/lib/macos/configuration-profiles/fleet-desktop-login-item.mobileconfig)
and remove its inclusion and associated label filter from the
workstations fleet controls (it-and-security/fleets/workstations.yml).
Cleans up an obsolete/unused profile and its reference.
2026-05-04 10:56:42 -05:00
Allen Houchins
ad79c4a410
Convert Fleet Desktop.app to FMA and patch policy (#44654)
Make Fleet Desktop detection more precise and switch to fleet-maintained
app workflow. Rename label to include the .app suffix and filter by
bundle_identifier; update workstations.yml to reference the new label
and replace the file-based software entry with the fleet-maintained slug
(fleet-desktop/darwin). Add a Fleet Desktop entry to the
patch-fleet-maintained-apps policy so Fleet Desktop is managed via the
fleet_maintained_app_slug. Remove the now-obsolete update-fleet-desktop
policy and the packaged fleet-desktop software metadata file.
2026-05-04 09:50:43 -05:00
Allen Houchins
442f6d0df3
Add screen-lock MDM profiles and exclusion labels (#44581)
Add macOS and Windows screen-lock configuration profiles and manual
exclusion labels, and wire them into fleet manifests and policies.

- Add macOS mobileconfig (screen-lock-inactivity) to start screensaver
after 900s and require a password with a 60s delay.
- Add Windows configuration (Screen lock timeout.xml) to set
InteractiveLogon_MachineInactivityLimit to 900s (15 minutes).
- Create manual labels: "macOS screen lock exclusions" and "Windows
screen lock exclusions" (empty host lists).
- Register the new labels in it-and-security/default.yml and include the
new profiles in workstations.yml with labels_exclude_any pointing to the
appropriate exclusion label.
- Update macOS and Windows policy YAMLs to exclude hosts in the
corresponding exclusion labels.


## Summary by CodeRabbit

* **New Features**
* Added macOS and Windows "screen lock exclusions" labels to allow
manual exemption of devices.
* Introduced a macOS configuration profile that enforces a 15-minute
inactivity screen lock and requires a password on resume.
* Introduced a Windows configuration profile setting an equivalent
15-minute inactivity timeout.
* Screen-lock policies now support label-based exclusions so exempted
devices are not affected.
2026-05-03 21:57:32 -05:00
Allen Houchins
69840387f0
Pin appindicator extension, verify tarball & timeout (#44631)
Pin the gnome-shell appindicator extension to a specific ubuntu upstream
commit and download an immutable tarball URL. Verify the downloaded
archive's SHA-256 (refuse to proceed if sha256sum/shasum is missing or
the checksum mismatches) and only extract when verification succeeds.
Add quoting for $username in sudo/mkdir invocations and preserve the
staging/copy workflow for user-owned extension installation. For the
InstallRemoteExtension flow on other distros, add a 90s polling timeout
when waiting for metadata.json and surface an error on timeout to avoid
hanging indefinitely.
2026-05-01 23:54:36 -05:00
Allen Houchins
fa38063590
Fix Fleet Desktop not launching on OpenSUSE 16 (#44482)
This pull request addresses a startup issue with Fleet Desktop on
openSUSE Leap 16 and similar Linux distributions. The main change is to
adjust how Fleet Desktop and key-escrow dialogs are launched to avoid
environment variable loss caused by login shell profile scripts. The fix
is scoped specifically to openSUSE Leap 16+ to avoid impacting other
distributions.

**Distribution-specific sudo invocation changes:**

* The `-i` (login shell) flag is now omitted from the `sudo` command
when launching Fleet Desktop and key-escrow dialogs on openSUSE Leap 16
and newer, preventing environment variables from being lost due to
profile script interference.
* For all other supported distributions, the previous behavior (using
`-i`) is preserved to maintain compatibility and avoid unnecessary
re-testing.

**Detection logic:**

* Introduced a new helper function `isOpenSUSELeap16Plus` in
`execuser_linux.go` to detect if the host is running openSUSE Leap 16 or
newer by parsing `/etc/os-release`. This ensures the workaround is only
applied where necessary.

---


**Related issue:** N/A — surfaced via field investigation on openSUSE
Leap 16 (arm64).

This PR addresses two distinct issues that together prevent Fleet
Desktop from working on openSUSE Leap 16, both validated end-to-end on a
real Leap 16 (arm64) host.

## 1. Launch reliability — drop `sudo -i`

`orbit/pkg/execuser/execuser_linux.go`

On Linux, Orbit launches Fleet Desktop with:

```
sudo -n -i -u <user> -H env WAYLAND_DISPLAY=… … FLEET_DESKTOP_DEVICE_IDENTIFIER_PATH=/opt/orbit/identifier … /…/fleet-desktop
```

The `-i` flag makes sudo "simulate initial login" — it runs the target
user's shell as a login shell and wraps the rest of the command in `bash
--login -c '<escaped>'`. That sources `/etc/profile` and every script in
`/etc/profile.d/*` before our `env KEY=val … fleet-desktop` line runs,
and shell metacharacters (`=`, `:`, `/`, `.`) get backslash-escaped
through the shell layer.

On **openSUSE Leap 16 (arm64)**, that indirection causes the inline
env-var assignments to not reach `fleet-desktop`, which exits
immediately with:

```
FTL missing URL environment FLEET_DESKTOP_DEVICE_IDENTIFIER_PATH
```

Orbit then respawns it every ~15 s in a tight kill-and-respawn loop, so
the tray icon never appears.

**Fix:** drop `-i` from the sudo invocation. We don't need a login
shell:
- `-H` already sets `HOME` to the target user.
- sudo's default `env_reset` sets `USER` / `LOGNAME` / `SHELL` / `MAIL`
and `PATH` to `secure_path`.
- All session vars (`WAYLAND_DISPLAY`, `DISPLAY`,
`DBUS_SESSION_BUS_ADDRESS`, `LD_LIBRARY_PATH`) and every
`FLEET_DESKTOP_*` var are already passed explicitly via `env KEY=val …`.

After the change, sudo `execve()`s `env` directly with no shell layer in
between, so `/etc/profile.d` sourcing and shell-escaping are out of the
picture.

The `runuser -l` /proc/keys-leak regression from PR #32309 does not
apply — that was specific to `runuser -l` creating session keyrings;
sudo without `-i` doesn't.

# Checklist for submitter

- [x] Changes file added:
`orbit/changes/fleet-desktop-linux-no-login-shell`
- [x] Input data is properly validated; untrusted data interpolated into
shell scripts/commands is validated against shell metacharacters.
- [x] Timeouts are implemented and retries are limited to avoid infinite
loops (script's wait loop now bounded at 90s).
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes — N/A.

## Testing

Manual QA needed before merge:

- [x] **openSUSE Leap 16 (arm64)** — Fleet Desktop process starts, stays
running, env vars present, no FTL respawn loop. Done via `sudo` shim.
- [x] **openSUSE Leap 16 (arm64) — extension fallback** — manual tarball
install + schema compilation produces a working tray icon (matching what
the script automates).
- [ ] **Ubuntu 22.04 / 24.04** — regression check: Fleet Desktop tray
icon still appears, key-escrow zenity dialog still renders, AppIndicator
script still installs via the official path.
- [ ] **Fedora (recent)** — regression check: same as above.
- [ ] **Debian** — regression check: same as above.
- [ ] **openSUSE Tumbleweed** — confirm `InstallRemoteExtension` path
still works (no fallback path triggered).

## fleetd/orbit/Fleet Desktop

- [x] Verified compatibility with the latest released version of Fleet —
pure launch-flag change plus a script update; no protocol or schema
impact.
- [x] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes — Go change is in
`execuser_linux.go`, only built on Linux. The script is Linux-only by
construction.
- [ ] Verified that fleetd runs on macOS, Linux and Windows — Linux
re-verification pending QA above; macOS/Windows code paths unchanged.
- [ ] Verified auto-update works from the released version of component
to the new version.

## Notes for reviewers

- The tray-icon visibility issue is an OS-side prerequisite (GNOME 3.26+
has no native tray), so the AppIndicator extension is required
regardless. Even after installing it, Wayland requires a logout/login to
pick up new extensions — this is documented behavior and not specific to
the fallback path.
2026-05-01 23:26:56 -05:00
Allen Houchins
a67f14d388
Patch Adobe Acrobat automatically on workstation devices (#44316)
Add forceful Adobe Acrobat Reader patch policy for all devices

Add critical patch policies for Adobe Acrobat Reader on macOS and
Windows that enforce immediate automatic updates via install_software:
true. This ensures all devices running Adobe Reader are patched without
user intervention, addressing the high-risk security profile of PDF
readers.

Changes:
- Add macOS patch policy (adobe-acrobat-reader/darwin) with critical
flag
- Add Windows patch policy (adobe-acrobat-reader/windows) with critical
flag
- Register Adobe Acrobat Reader as a fleet_maintained_app for both
platforms in workstations.yml

## Summary by CodeRabbit

* **New Features**
* Adobe Acrobat Reader added as self-service software for macOS and x86
Windows; categorized under Productivity.
* Adobe Acrobat Pro added as self-service software for macOS;
categorized under Productivity.
* Automatic device targeting now surfaces these apps only to hosts that
already have them installed.
* New critical patch policies for macOS and Windows enable automatic
updates with self-service fallback on install failures.

---------

Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
2026-04-29 20:30:27 -05:00
Allen Houchins
2b3654607c
Add spacing to report description blocks (#44409)
Insert blank lines in the description sections of several
it-and-security reports to improve readability. Files updated:
collect-chromium-browser-extensions.yml,
collect-firefox-browser-extensions.yml, collect-listening-ports.yml,
collect-local-user-accounts.yml, collect-safari-browser-extensions.yml,
collect-usb-devices.yml. No query or functional changes.
2026-04-29 12:13:45 -05:00
Allen Houchins
3c8bf05fa3
Add security policies and reports to Workstations (#43457)
Add multiple endpoint security policies and telemetry reports and wire
them into the workstations fleet manifest. New macOS policies: firewall,
Gatekeeper, SIP (critical), Remote Login disabled, screen-lock
inactivity, and local-admin count; new Windows policies: Secure Boot,
Remote Desktop disabled, interactive screen-lock timeout; new Linux
policy: sshd PermitRootLogin restriction. Added cross-platform reports
for disk encryption (includes BitLocker), local user/admin inventory,
USB devices, listening ports, and Chromium-family browser extensions.
These changes improve compliance and detection coverage (SOC2/ISO
mappings included) and enable more comprehensive fleet monitoring.

## Summary by CodeRabbit

* **New Features**
* Added device compliance checks: macOS firewall, Gatekeeper, SIP, local
admin count, Windows Secure Boot, and Linux SSH root-login restriction
* Disabled high-risk remote access: macOS Remote Login and Windows
Remote Desktop checks
* Added screen-lock inactivity checks for macOS and Windows
* New inventory reports: local user accounts, connected USB devices,
open listening ports, and browser extensions (Safari, Firefox,
Chromium-family)

---------

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
2026-04-29 11:00:42 -05:00
Allen Houchins
79874af4a3
Add Santa system extension policy and script (#43498)
Add detection and remediation for Santa's Endpoint Security system
extension: new policy
it-and-security/lib/macos/policies/santa-endpoint-security-extension-active.yml
and remediation script
it-and-security/lib/macos/scripts/load-santa-system-extension.sh. Add a
dynamic label for Macs with Santa installed and update the macOS patch
policy to include a Fleet-maintained santa/darwin entry so Fleet can
install/patch Santa. Update workstations fleet config to reference the
new script, policy, and the santa/darwin software slug; remove the old
static santa.yml package file. The policy checks for Santa's bundle id
and the system_extensions record (identifier/team/state) and the script
invokes Santa's binary to request loading the system extension as the
console user.
2026-04-24 23:04:24 -05:00
Allen Houchins
466ab4467f
Enable Nudge auto-install and comment policy (#44185)
Comment out the nudge-installed policy in
it-and-security/fleets/workstations.yml and set install_software: true
for the Nudge fleet-maintained app in
it-and-security/lib/macos/policies/patch-fleet-maintained-apps.yml. This
ensures Fleet will automatically install/patch Nudge on matching Macs
(using the existing install-nudge-assets policy) rather than relying on
the nudge-installed enforcement entry.
2026-04-24 22:39:28 -05:00
Allen Houchins
7fde291af9
Enable 1Password in fleets and patch policies (#44182)
Uncomment 1Password entries in workstations.yml so 1Password is managed
as a fleet_maintained_app for both macOS and Windows. Commented out the
separate Windows 1Password installed policy path and enabled the
corresponding patch checks in
macos/windows/patch-fleet-maintained-apps.yml to surface/update
out-of-date 1Password installations.
2026-04-24 22:20:57 -05:00
Allen Houchins
caef4603b5
Disable 1Password auto-install and patch checks (#44181)
Comment out 1Password fleet-maintained app entries and related
install/patch policies for macOS and Windows. Updates remove/disable the
fleet_maintained_app references in
it-and-security/fleets/workstations.yml and comment out install_software
and patch entries in the macOS and Windows policy files to temporarily
stop automatic installation and patch enforcement for 1Password.
2026-04-24 22:10:07 -05:00
Allen Houchins
93a2543b4e
Revert "Comment out 1Password fleet policy and app" (#44180)
Reverts fleetdm/fleet#44178
2026-04-24 21:55:25 -05:00
Allen Houchins
8dcc43d267
Comment out 1Password fleet policy and app (#44178)
Temporarily disable 1Password-related Fleet checks and app entry.
workstations.yml: commented out the macOS policies
1password-emergency-kit-check.yml and 1password-installed.yml and the
fleet_maintained_apps entry for 1password/darwin.
lib/macos/policies/patch-fleet-maintained-apps.yml: commented out the
patch rule for 1password/darwin. This stops 1Password health checks and
automatic patching until re-enabled.
2026-04-24 21:41:43 -05:00
Allen Houchins
a4229fbc42
Transition 1Password to Fleet-maintained app version (#44177)
Replace ad-hoc 1Password update flow with fleet_maintained app handling:
remove the macOS updater script and platform-specific update policy
files; switch install_software refs in macOS/Windows 1Password policies
to fleet_maintained_app_slug; add fleet_maintained_apps entries for
1Password in the workstation fleet manifest; add dynamic labels and
patch policies to track/upkeep 1Password on macOS and Windows. Also
remove references to the removed update step from the dogfood CI
workflow and simplify PR title/branch generation logic accordingly.
2026-04-24 21:21:00 -05:00
Allen Houchins
8cc7c3ccec
Transition Nudge to Fleet-maintained app (#44176)
Replace the previous manual Nudge install flow with fleet-managed
configuration: add policies and label entries for Nudge, add an
assets-only policy, and add a fleet_maintained software slug. Updated
it-and-security/fleets/workstations.yml to reference
nudge-installed.yml, install-nudge-assets.yml and the new nudge/darwin
software slug (moved from the old nudge software entry). Added label for
Macs with Nudge installed (bundle id com.github.macadmins.Nudge). Added
policy it-and-security/lib/macos/policies/install-nudge-assets.yml and
it-and-security/lib/macos/policies/nudge-installed.yml, and added a
patch policy entry to patch-fleet-maintained-apps.yml for keeping Nudge
up to date. Removed the legacy combined install-nudge.yml policy and the
install-nudge.sh script since installation is now handled via the
fleet-maintained app.
2026-04-24 21:13:59 -05:00
Allen Houchins
6af2dece05
Update santa-configuration.mobileconfig (#44175)
Change menubar app to be hidden by default. User can override this
setting if they prefer.
2026-04-24 20:56:54 -05:00
Allen Houchins
57b5d7e72b
Update slack-logo.png (#44117) 2026-04-24 09:18:36 -05:00
Allen Houchins
09987f34d4
Add macOS report to collect default browser (#44116)
Add a new macOS report (lib/macos/reports/collect-default-browser.yml)
and enable it in the it-and-security/fleets/workstations.yml reports
list. The report gathers each local user's default web browser by
reading LaunchServices plist entries, runs weekly (interval 604800),
uses snapshot logging, and is observer-runnable. Automations are
disabled by default.
2026-04-24 09:09:33 -05:00
Allen Houchins
96be7ab972
Add Slack icon and update Linux package URLs (#44115)
Add Slack logo asset and update Linux package manifests to use the new
release. Adds it-and-security/lib/all/icons/slack-logo.png and updates
slack-deb.yml and slack-rpm.yml to bump the Slack desktop version to
4.49.81 and include an icon.path reference.
2026-04-24 09:04:59 -05:00
Allen Houchins
051bf05958
Add Fleet Desktop login item profile (#43956)
Introduce a new macOS configuration profile to register
/Applications/Fleet Desktop.app as a managed login item so Fleet Desktop
auto-launches. Adds
it-and-security/lib/macos/configuration-profiles/fleet-desktop-login-item.mobileconfig
and includes it in it-and-security/fleets/workstations.yml limited to
hosts labeled "Macs with Fleet Desktop installed".
2026-04-22 10:55:28 -05:00
Allen Houchins
f07e101986
Update enable-touch-id-sudo.sh (#43880) 2026-04-21 13:31:27 -05:00
Allen Houchins
92488b2115
Add display_name for Touch ID sudo script (#43852)
Expose a display_name for the `enable-touch-id-sudo.sh` entry in the
workstations fleet manifest so it shows properly in Self Service. Also
add a commented icon placeholder (`../lib/all/icons/touch-id.png`) for
potential future use.
2026-04-21 10:52:04 -05:00
Allen Houchins
842316c4bc
Add Touch ID sudo script and icon (#43848)
Register a new macOS fleet script that enables Touch ID authentication
for sudo on macOS 15+. Adds
it-and-security/lib/macos/scripts/enable-touch-id-sudo.sh which checks
for the sudo_local.template, creates /etc/pam.d/sudo_local if missing,
and idempotently uncomments or appends the pam_tid line. Also adds a
touch-id.png icon and exposes the script in
it-and-security/fleets/workstations.yml as a self_service Security item.
Provides logging and exits safely when already configured or when run
without root.
2026-04-21 10:10:51 -05:00
github-actions[bot]
a060f3ec82
Update 1Password policy versions (#43840)
This PR automatically updates both 1Password macOS version policy and
Safari version policy for dogfood.

The changes were generated automatically by the
[dogfood-automated-policy-updates
workflow](https://github.com/fleetdm/fleet/actions/workflows/dogfood-automated-policy-updates.yml).

Co-authored-by: allenhouchins <32207388+allenhouchins@users.noreply.github.com>
2026-04-21 08:11:54 -05:00
Allen Houchins
649fc0a656
Add macOS Fleet Desktop label and attach to policy (#43760)
Add a new dynamic label 'Macs with Fleet Desktop installed' (platform:
darwin) that selects hosts where apps.name = 'Fleet Desktop'. Update the
macOS policy update-fleet-desktop.yml to include this label via
labels_include_any so the policy targets only hosts with Fleet Desktop
installed. Files changed:
it-and-security/lib/all/labels/macs-with-fleet-desktop-installed.yml
(new) and it-and-security/lib/macos/policies/update-fleet-desktop.yml
(modified).
2026-04-20 09:39:50 -05:00
Allen Houchins
18c35e3a54
Add battery capacity ratio check (#43758)
Extend the battery-health-check SQL to flag batteries whose max_capacity
/ designed_capacity is below 80%. The new clause guards against zero
capacities and casts max_capacity to REAL for proper floating-point
division, improving detection of degraded batteries in the macOS policy.
2026-04-20 09:23:40 -05:00
Allen Houchins
3dbe90a1b6
Update custom icon assets (#43753)
Replace two icon assets used by the it-and-security module:
it-and-security/lib/all/icons/fleet-desktop-icon.png and
it-and-security/lib/all/icons/keynote-theme-swan.png. These binary PNG
updates refresh the visuals for the corresponding icons.
2026-04-20 08:55:50 -05:00
Allen Houchins
3bd2335b8c
Updated scoping of Fleet-maintained apps on Workstations (#43752) 2026-04-20 08:48:55 -05:00
Allen Houchins
7f92a3b8ac
Add Fleet Desktop update policy and bump package (#43750)
Add a macOS policy to check Fleet Desktop is at least v1.1.0 and
reference it from the workstations fleet. Update the Fleet Desktop
installer metadata to v1.1.0 (new SHA256). Also wrap long resolution
strings in quotes for consistency in Firefox and 1Password policies.
2026-04-20 08:19:16 -05:00
Allen Houchins
a4019b08ce
Update patch-fleet-maintained-apps.yml (#43618) 2026-04-15 10:46:12 -05:00
Allen Houchins
e6bc0d0b95
Update patch-fleet-maintained-apps.yml (#43617) 2026-04-15 10:39:26 -05:00
Allen Houchins
f6087a3998
Update patch-fleet-maintained-apps.yml (#43615) 2026-04-15 10:24:09 -05:00
Allen Houchins
6ba08e2bc0
Update patch-fleet-maintained-apps.yml (#43614) 2026-04-15 10:18:09 -05:00
Allen Houchins
f0bdd0498f
Remove several x86 Windows apps, labels and policies (#43608)
Remove several x86-only Fleet-maintained Windows applications and their
associated dynamic labels and patch policies. Changes touch:

- it-and-security/fleets/workstations.yml: removed fleet app entries for
Brave, Docker Desktop, GitHub Desktop, Postman, Sublime Text, Spotify,
Figma, Google Drive, and Cursor.
- it-and-security/lib/all/labels/windows-with-fleet-maintained-apps-installed.yml:
removed the matching x86 dynamic labels.
- it-and-security/lib/windows/policies/patch-fleet-maintained-apps.yml:
removed the corresponding patch policies for those apps.

This cleans up configuration related to x86-only Windows apps (labels
previously filtered on arch NOT LIKE 'ARM%').
2026-04-15 09:26:38 -05:00
Allen Houchins
94674f28da
Re-add iMazing Profile Editor as a macOS FMA (#43574)
Register iMazing Profile Editor as a Fleet-maintained app: add input
metadata, add app entry to outputs/apps.json, and add darwin-specific
version/installer info with install/uninstall scripts and checks. Update
frontend icon mapping to include the human-readable name, and adjust
fleet configs (workstations self-service slug, dynamic label bundle
identifier, and macOS patch policy) to reference the new
imazing-profile-editor/darwin slug and
com.DigiDNA.iMazingProfileEditorMac bundle ID.
2026-04-14 15:29:40 -05:00
Allen Houchins
86b5eaf4a9
Rename iMazing Profile Editor to iMazing in the FMA library (#43555)
Replace the fleet-maintained app record for "iMazing Profile Editor"
with the full "iMazing" app. Deleted the old input file and added a new
input for imazing; renamed output paths and updated app metadata (bundle
identifier, slug, categories). Bumped version to 3.5.2 and updated
installer URL, install/uninstall script refs and SHA256. Updated
frontend icon mapping and website routes to point to the new imazing
slug, and adjusted fleet configs: workstation software slug, dynamic
label query, and macOS patch policy to reference imazing/darwin and the
new bundle identifier.

## Summary by CodeRabbit

* **New Features**
* iMazing application (v3.5.2) now replaces iMazing Profile Editor with
improved capabilities and enhanced functionality.
* Application category updated from Developer tools to Utilities for
better organization and discoverability.

* **Updates**
* Updated deployment configurations, system routes, and management
policies to support iMazing across all managed environments and
platforms.

2026-04-14 14:57:24 -05:00
Allen Houchins
8209dbebee
Remove Edge and Suspicious Package entries (#43509)
Remove Microsoft Edge and Suspicious Package from fleet configurations:
deleted their software entries in
it-and-security/fleets/workstations.yml, removed corresponding dynamic
labels in
it-and-security/lib/all/labels/macs-with-fleet-maintained-apps-installed.yml,
and removed their patch policies in
it-and-security/lib/macos/policies/patch-fleet-maintained-apps.yml.
These apps are no longer included in the fleet-maintained app lists and
patch checks.
2026-04-13 22:15:24 -05:00
Allen Houchins
972e301a0e
Add fleet apps, labels, and patch policies (#43473)
Add multiple Fleet-maintained apps to workstations (macOS and x86
Windows), create dynamic labels to detect installed apps, and add patch
policies to flag out-of-date installs. workstations.yml: add numerous
macOS self-service entries (e.g. GitHub Desktop, Postman, iTerm2,
Sublime Text, Figma, Spotify, Google Drive, Cursor, etc.) and x86
Windows entries with labels_include_any for x86 hosts.
lib/all/labels/...: add dynamic macOS labels using bundle identifiers
and x86 Windows labels using program name plus arch checks.
lib/macos/policies/... and lib/windows/policies/...: add patch policies
for each new app to notify about outdated versions and provide
remediation guidance (Self-service or app update/uninstall). These
changes enable inventory, self-service deployment, and patch management
for additional developer and productivity applications.
2026-04-13 14:18:06 -05:00
Henry Stamerjohann
4850918dfd
Add updated DEX queries (#43451)
Add more DEX queries for building DEX dashboards and reporting
2026-04-13 14:11:24 -05:00
github-actions[bot]
23df8aafab
Update macOS policy versions (#43398)
This PR automatically updates macOS version policies, 1Password macOS
version policy, and Safari version policy for dogfood.

The changes were generated automatically by the
[dogfood-automated-policy-updates
workflow](https://github.com/fleetdm/fleet/actions/workflows/dogfood-automated-policy-updates.yml).

Co-authored-by: allenhouchins <32207388+allenhouchins@users.noreply.github.com>
2026-04-10 09:31:16 -05:00
Allen Houchins
91160dedc2
Add AWS VPN Client label, app, and patch policy (#43285)
Register AWS VPN Client in fleet configs: add an IdP group label (IdP
group: SAML-aws-vpn), include that label in default.yml, and add
aws-vpn-client/darwin to fleet_maintained_apps (self_service=true,
labeled for the SAML-aws-vpn group). Add a dynamic label for macOS hosts
with AWS VPN Client installed (bundle id com.amazonaws.acvc.osx) and add
a macOS patch policy to surface/update hosts with out-of-date AWS VPN
Client. These changes enable inventorying, self-service installation,
and patch tracking for the AWS VPN Client.
2026-04-08 14:37:03 -05:00
Allen Houchins
293d60633a
Remove uninstall suggestion from some patch policies (#43280)
Remove wording that suggested deleting/uninstalling apps from resolution
text in fleet-maintained app patch policies. Updated macOS and Windows
policy files to only advise updating via Self-service or each app's
built-in update functionality (no mention of deleting/uninstalling).
Affected files:
it-and-security/lib/macos/policies/patch-fleet-maintained-apps.yml and
it-and-security/lib/windows/policies/patch-fleet-maintained-apps.yml.
2026-04-08 14:14:10 -05:00
github-actions[bot]
642f98a59e
Update 1Password policy versions (#43213)
This PR automatically updates both 1Password macOS version policy and
Safari version policy for dogfood.

The changes were generated automatically by the
[dogfood-automated-policy-updates
workflow](https://github.com/fleetdm/fleet/actions/workflows/dogfood-automated-policy-updates.yml).

Co-authored-by: allenhouchins <32207388+allenhouchins@users.noreply.github.com>
2026-04-08 10:03:52 -05:00
Allen Houchins
82b6614b2b
Re-add Zoom patch policies (#43175)
2026-04-07 15:22:54 -05:00