mirror of
https://github.com/fleetdm/fleet
synced 2026-05-24 09:28:54 +00:00
2557 commits
**227e94de5b** 🤖 Chore: remove deprecated appendListOptionsWithCursorToSQL (#44385)
**Related issue:** Resolves #44723

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements), JS inline code is prevented especially for url redirects, and untrusted data interpolated into shell scripts/commands is validated against shell metacharacters.
- [x] If paths of existing endpoints are modified without backwards compatibility, checked the frontend/CLI for any necessary changes

## Testing

- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and test for host isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing) (updates to one host's records do not affect another)
- [ ] QA'd all new/changed functionality manually

## Summary by CodeRabbit

* **Bug Fixes**
  * Strengthened validation of sorting/order parameters across many list and cursor-based endpoints — unsupported sort keys now return explicit errors and prevent unsafe queries.
  * Labels listing: label-list pagination query name changed; ordering by host_count is rejected when host counts are disabled (validated at request parsing).
* **Tests**
  * Added/expanded tests covering allowed order keys, rejection of unknown keys, and pagination behavior for multiple listing APIs.

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com>

**5e7f5a7584** Optimize data collection: add index and batch deletes (#44692)
**Related issue:** Resolves #44609

# Details

This PR optimizes the historical data collection system in two ways:

1. Adds an additional index on the `host_scd_data` table allowing more efficient lookups of rows by their `valid_to`, to optimize both closing out open rows and deleting old rows
2. Implements batching in the job that deletes old rows, so that it no longer blocks writes if the collection job happens to happen at the same time as the cleanup job

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [ ] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. n/a, unreleased
- [X] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements), JS inline code is prevented especially for url redirects, and untrusted data interpolated into shell scripts/commands is validated against shell metacharacters.
- [ ] Timeouts are implemented and retries are limited to avoid infinite loops

## Testing

- [ ] Added/updated automated tests
- [X] Where appropriate, [automated tests simulate multiple hosts and test for host isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing) (updates to one host's records do not affect another)
- [X] QA'd all new/changed functionality manually

SQL explains -- before:

```
+----+-------------+---------------+------------+------+---------------+------+---------+------+--------+----------+-------------+
| id | select_type | table         | partitions | type | possible_keys | key  | key_len | ref  | rows   | filtered | Extra       |
+----+-------------+---------------+------------+------+---------------+------+---------+------+--------+----------+-------------+
|  1 | DELETE      | host_scd_data | NULL       | ALL  | NULL          | NULL | NULL    | NULL | 144320 |   100.00 | Using where |
+----+-------------+---------------+------------+------+---------------+------+---------+------+--------+----------+-------------+

+----+-------------+---------------+------------+-------+--------------------------------------+--------------------+---------+-------------+------+----------+-------------+
| id | select_type | table         | partitions | type  | possible_keys                        | key                | key_len | ref         | rows | filtered | Extra       |
+----+-------------+---------------+------------+-------+--------------------------------------+--------------------+---------+-------------+------+----------+-------------+
|  1 | UPDATE      | host_scd_data | NULL       | range | uniq_entity_bucket,idx_dataset_range | uniq_entity_bucket | 604     | const,const | 3030 |   100.00 | Using where |
+----+-------------+---------------+------------+-------+--------------------------------------+--------------------+---------+-------------+------+----------+-------------+
```

Using a test set of data (~144k "open" rows), UPDATES happened at 9 ops per second.

after:

```
+----+-------------+---------------+------------+-------+----------------------+----------------------+---------+-------+-------+----------+-------------+
| id | select_type | table         | partitions | type  | possible_keys        | key                  | key_len | ref   | rows  | filtered | Extra       |
+----+-------------+---------------+------------+-------+----------------------+----------------------+---------+-------+-------+----------+-------------+
|  1 | DELETE      | host_scd_data | NULL       | range | idx_valid_to_dataset | idx_valid_to_dataset | 5       | const | 55749 |   100.00 | Using where |
+----+-------------+---------------+------------+-------+----------------------+----------------------+---------+-------+-------+----------+-------------+

+----+-------------+---------------+------------+-------+-----------------------------------------------------------+----------------------+---------+-------------------+------+----------+------------------------------+
| id | select_type | table         | partitions | type  | possible_keys                                             | key                  | key_len | ref               | rows | filtered | Extra                        |
+----+-------------+---------------+------------+-------+-----------------------------------------------------------+----------------------+---------+-------------------+------+----------+------------------------------+
|  1 | UPDATE      | host_scd_data | NULL       | range | uniq_entity_bucket,idx_dataset_range,idx_valid_to_dataset | idx_valid_to_dataset | 609     | const,const,const | 4    |   100.00 | Using where; Using temporary |
+----+-------------+---------------+------------+-------+-----------------------------------------------------------+----------------------+---------+-------------------+------+----------+------------------------------+
```

Using the same test set of data, UPDATES happened at 4,910 ops per second.

For unreleased bug fixes in a release candidate, one of:

- [X] Confirmed that the fix is not expected to adversely impact load test results (this should significantly improve results!)
- [ ] Alerted the release DRI if additional load testing is needed

## Database migrations

- [X] Checked schema for all modified tables for columns that will auto-update timestamps during migration.
- [ ] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects.
- [ ] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`).

## Summary by CodeRabbit

* **Chores**
  * Cleanup now runs in controlled, ordered batches, removing only closed/historical records while respecting cancellation; error reporting for cleanup was strengthened.
  * Added a new composite index on historical data to improve cleanup and query performance.
* **Tests**
  * Added tests and test helpers validating batched cleanup behavior, preservation of open records, multi-batch operation, and cancellation handling.

**b4a207fb5a** Add ability to upload custom org logos (#44390)
**Related issue:** Resolves #44330, Resolves #44331

# Checklist for submitter

- [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.

## Testing

- [x] Added/updated automated tests. (I'd defer integration tests to a separate PR since this one is pretty large already.)
- [x] QA'd all new/changed functionality manually. I've tested this on both the setup flow and the organization settings page. I haven't had the time to test this on other places where we render the logo (macOS setup experience / MDM migration dialog).

https://github.com/user-attachments/assets/95d4eae5-3da6-40f4-98a1-8575b97d96b3

## New Fleet configuration settings

- [x] Setting(s) is/are explicitly excluded from GitOps. Will handle GitOps in a separate PR.

## Summary by CodeRabbit

* **New Features**
  * Organizations can upload custom logos for light and dark modes.
  * Registration and Org Settings support logo file upload, preview, per-mode replace/delete, and validation (size & image formats).
  * Activity feed records logo changes/deletions; site nav displays uploaded logos per theme.
  * File uploader/preview adds a Fleet logo graphic option and improved logo validation.
  * Config/GitOps outputs now include separate dark/light logo fields.

**8d37ec690c** Revert "Fix SCEP autorenew failing for offline hosts (#44250)" (#44535)

**779cdd663b** Periodic background job to cleanup Windows MDM command queue (#44458)
**Related issue:** Resolves #44190

- [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements), JS inline code is prevented especially for url redirects, and untrusted data interpolated into shell scripts/commands is validated against shell metacharacters.
- [x] Timeouts are implemented and retries are limited to avoid infinite loops

## Testing

- [x] Added/updated automated tests
- [ ] QA'd all new/changed functionality manually

## Summary by CodeRabbit

* **New Features**
  * Added a periodic cleanup job that removes aged, acknowledged Windows MDM command-queue entries to reduce write pressure during ACK processing.
* **Bug Fixes**
  * Pending-command detection now excludes already-ACKed commands from dispatch; queue rows are retained after ACK and cleaned later.
* **Tests**
  * Added and updated tests to validate cleanup behavior and revised ACK/queue semantics.

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

**c2dda6a16c** Wipe host cancels all upcoming activities (#44323)
**Related issue:** Resolves #40459

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements), JS inline code is prevented especially for url redirects, and untrusted data interpolated into shell scripts/commands is validated against shell metacharacters.

## Testing

- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and test for host isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing) (updates to one host's records do not affect another)
- [x] QA'd all new/changed functionality manually

Recording: https://drive.google.com/file/d/1_XqLyy-oY-WnIa97R4t9HihiBq3Fui6n/view?usp=drive_link

## Summary by CodeRabbit

* **New Features**
  * Wiping a host now cancels all upcoming and queued activities for that host in a single, atomic operation to avoid intermediate activations.
* **Bug Fixes**
  * Wipe response handling now distinguishes success vs failure and reliably cancels queued activities; datastore errors during host lookup or cancellation are surfaced.
  * Device lock/erase flows consistently update and propagate datastore errors.
* **Tests**
  * Added integration and datastore tests validating wipe clears upcoming activities across macOS, Windows, Linux, and mixed-host scenarios.

---------

Co-authored-by: Magnus Jensen <magnus@fleetdm.com>

**ce5640c99e** Prevent silent corruption of software title icons (#44540)

**275b266ca1** produce failed enrollment renewal activity (#44511)
**Related issue:** Resolves #41418

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements), JS inline code is prevented especially for url redirects, and untrusted data interpolated into shell scripts/commands is validated against shell metacharacters.
- [x] Timeouts are implemented and retries are limited to avoid infinite loops
- [x] If paths of existing endpoints are modified without backwards compatibility, checked the frontend/CLI for any necessary changes

## Testing

- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually

To manually QA, I put an early return with `msg.Fail` in the `mdm_scep.go` file under PKIOperation method, and then triggered a SCEP renewal.

## Summary by CodeRabbit

* **New Features**
  * Activity logging for Apple MDM enrollment profile renewal failures to improve auditing and diagnostics.
  * Host display enhancements: include computer name and hardware model to improve host identification in activities and UI.
* **Tests**
  * Integration tests verifying enrollment renewal failure activity creation, association to the correct host, and activity payload contents.

**de86536f42** Redis-backed cache for host-by-key lookups (#43936)
**Related issue:** Resolves #43928

This PR adds a Redis-backed cache in front of the two host-by-key lookups on the agent auth paths.

Docs: https://github.com/fleetdm/fleet/pull/44504

## What changes

**Read path (osquery/orbit auth):**

- `LoadHostByNodeKey` and `LoadHostByOrbitNodeKey` now check Redis before falling through to MySQL.
- Successful lookups are cached for 60s ± 10% jitter (configurable via `FLEET_REDIS_HOST_CACHE_TTL`).
- `NotFound` results are cached for 5s as a negative entry, dampening repeated probes for keys that do not exist (deleted hosts whose agents are still polling, attacker scans, retry storms).
- Concurrent lookups for the same key collapse into one DB query via `singleflight`. The shared query runs under a context detached from any one caller's deadline so the leader giving up does not abort the work for joiners. The shared query is itself bounded by a 30s timeout so a wedged DB call cannot pin the singleflight slot indefinitely.

**Write path (invalidations):**

- These methods now invalidate the cache after a successful inner call: `UpdateHost`, `SerialUpdateHost`, `UpdateHostOsqueryIntervals`, `UpdateHostRefetchRequested`, `UpdateHostRefetchCriticalQueriesUntil`, `UpdateHostIdentityCertHostIDBySerial`, `EnrollOsquery`, `EnrollOrbit`, `NewHost`, `DeleteHost`, `DeleteHosts`, `CleanupExpiredHosts`, `CleanupIncomingHosts`, `AddHostsToTeam`.
- `AddHostsToTeam`, `DeleteHosts`, `CleanupExpiredHosts`, and `CleanupIncomingHosts` use a pipelined batch invalidator so 10k-host operations stay in the millisecond range instead of taking minutes of sequential round-trips.
- Inner-call errors are not invalidations: a failing write leaves cached state intact.

**Configuration:**

- New flags `FLEET_REDIS_HOST_CACHE_ENABLED` (default `true`) and `FLEET_REDIS_HOST_CACHE_TTL` (default `60s`).
- Server refuses to start if the cache is enabled with `TTL <= 0`.

**Observability:**

- Three new OTEL counters under the `fleet` meter:
  - `fleet.host_cache.lookups{result=hit|negative_hit|miss}`
  - `fleet.host_cache.errors{op=get|set|del}`
  - `fleet.host_cache.invalidations{reason=update|enroll|team|delete|cert}`
- A pre-built SigNoz dashboard ships in `tools/signoz/host_cache_dashboard.json`.

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.
- [x] Timeouts are implemented and retries are limited to avoid infinite loops

## Testing

- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and test for host isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing) (updates to one host's records do not affect another)
- [x] QA'd all new/changed functionality manually

## Summary by CodeRabbit

* **New Features**
  * Optional Redis-backed host lookup cache for osquery and orbit auth, with automatic invalidation and metrics/monitoring dashboard.
* **Bug Fixes**
  * Fixed host-removal batching so cache-related removals use correct chunks.
* **Tests**
  * Added comprehensive host-cache unit tests covering hits, negative cache, invalidation, concurrency, and JSON round-trips.
* **Chores**
  * New config flags to enable the cache and set TTL (default 60s ±10% jitter).

**1e4a9f292f** Add activities for user actions on labels (#44522)
Resolves #36976

- [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.

## Testing

- [X] Added/updated automated tests
- [X] QA'd all new/changed functionality manually

## Summary by CodeRabbit

* **New Features**
  * Label operations (create, edit, delete) now generate activities shown in the activity feed with label and optional fleet context.
  * Host label add/remove operations emit corresponding label edited activities; duplicate label names are deduplicated.
  * Label activity types are selectable/filterable in the activity dashboard.
* **Tests**
  * Added unit, integration, and UI tests covering label activity emission, rendering, filtering, and GitOps label lifecycle scenarios.

**2723c132c2** Fixed GET /api/v1/fleet/commands timeout in large Fleet deployments (#44297)
**Related issue:** Resolves #44170 and Resolves #44422

Pagination is now pushed into each branch of the merged query, so per-tick work scales with page size instead of total commands. The Windows side was rewritten to avoid a disjunctive join that forced a nested-loop plan. `per_page` is capped (default 10), `page` is capped, and `order_key` is enforced against a closed allowlist on both code paths. Cursor pagination is fixed and is the recommended way to traverse beyond the page cap.

This PR improves but does not fix the use case of fetching commands from all hosts.

Deprecate usage without host_identifier: https://github.com/fleetdm/fleet/pull/44392/changes

API doc updates: https://github.com/fleetdm/fleet/pull/44292

# Checklist for submitter

- [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements), JS inline code is prevented especially for url redirects, and untrusted data interpolated into shell scripts/commands is validated against shell metacharacters.
- [x] If paths of existing endpoints are modified without backwards compatibility, checked the frontend/CLI for any necessary changes

## Testing

- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and test for host isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing) (updates to one host's records do not affect another)
- [x] QA'd all new/changed functionality manually

## Summary by CodeRabbit

* **New Features**
  * Enforced pagination on MDM commands list: per_page defaults to 10 (max 1,000) and page is capped at 100; traversal beyond page 100 requires cursor pagination via after.
* **Bug Fixes / Performance**
  * Improved MDM command listing performance and de-duplication for large queries; fixed SQL error when combining host identifier with cursor pagination.
* **Validation**
  * Requests exceeding pagination caps return 400; invalid sort keys return 422.
* **Tests**
  * Added tests for pagination boundaries, cursor behavior, sort-key validation, and error responses.

**38a6129d0a** Add include_all label scope to policies and reports (#44305)
**Related issue:** Resolves #41564

- Added include_all label scope to policies.
- Added include_all and include_any scope to reports.

**ad7ea0aa7f** fix(android): remove tautological NCR filter in hostVPPInstalls (#42873)
## Problem

The `hostVPPInstalls` function in `server/datastore/mysql/software.go` contains a SQL condition:

```sql
(hvsi.platform != 'android' OR ncr.id IS NULL) AND
```

This is a logical tautology — it **never filters any rows**:

- **Android rows**: `ncr.id` is always `NULL` because Android installs use Google's Android Management API, not nanoMDM. The condition evaluates to `(FALSE OR TRUE) = TRUE`.
- **Apple rows**: The first operand `hvsi.platform != 'android'` is `TRUE`, so the whole expression is `TRUE` regardless of `ncr.id`.

The condition was likely added during early Android VPP support to guard against unexpected NCR joins for Android. However, since `nano_command_results` is only written by the nanoMDM Apple MDM storage layer (`server/mdm/nanomdm/storage/mysql/queue.go:168`), the guard can never trigger.

Elsewhere in the codebase, the canonical pattern for NCR filtering is:

```sql
-- vpp.go:248, software_installers.go:1812
(ncr.id IS NOT NULL OR (:platform = 'android' AND ncr.id IS NULL))
```

This pattern has *different semantics* — it filters per-app aggregate status counts to only include confirmed installs. The `hostVPPInstalls` function serves the host software list where showing all statuses (including pending) is intentional, so no NCR filter is needed.

## Changes

- Removed the dead condition from the `last_vpp_install` UNION branch
- Added a clarifying comment explaining why no NCR filter is applied and how this differs from other query sites
- Added changelog entry

## Testing

- No behavior change — the removed condition was always TRUE
- Existing tests pass without modification
- `go build ./server/datastore/mysql/...` compiles clean

#android #sql #cleanup

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

**5aac997101** Exclude orphaned windows profiles (#44423)
**Related issue:** Resolves #44369

- [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements), JS inline code is prevented especially for url redirects, and untrusted data interpolated into shell scripts/commands is validated against shell metacharacters.

## Testing

- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually

## Summary by CodeRabbit

* **Bug Fixes**
  * Prevented operations on Windows MDM profiles for hosts without active enrollments.
  * Batch processing now skips hosts lacking current enrollments so only enrolled hosts receive queued commands.
  * Strengthened profile-removal checks to avoid acting on orphaned profile rows.
* **Tests**
  * Added regression tests covering orphaned enrollment/profile scenarios and mixed-host batch processing.

**c158f912c6** 43962 vpp managed config migration (#44435)
**Related issue:** Resolves #43962

Adds two tables: `vpp_app_configurations` and `in_house_app_configurations`

`vpp_app_configurations` has `team_id` unsigned **not nullable**, rather than `team_id` nullable + `global_or_team_id`. This is following the pattern in `software_title_display_names` and `software_title_icons`, since software installers are team only and cannot be global. `android_app_configurations` uses team_id + global_or_team_id but that seems to be unnecessary.

`in_house_app_configurations` keys on `in_house_app_id` only — the parent `in_house_apps` row already pins the team and platform.

Both use MEDIUMTEXT to store the XML configuration.

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

## Database migrations

- [x] Checked schema for all modified tables for columns that will auto-update timestamps during migration.
- [x] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects.
- [x] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`).

## Summary by CodeRabbit

* **Chores**
  * Added database tables for storing VPP and in-house app configurations, organized by team/platform with automatic cleanup when parent apps are deleted.
* **Tests**
  * Added migration tests to validate config storage fidelity, uniqueness and platform-specific constraints, foreign-key enforcement, and cascade-delete behavior.

**96569a9c1c** Fix SCEP autorenew failing for offline hosts (#44250)
**Related issue:** Resolves #44111

Customers reported certificates deployed via custom SCEP proxy were silently failing to auto-renew, leaving devices with expired certs. Five compounding bugs were causing this:

### 1. Cert metadata was wiped on every reconcile re-render

`BulkUpsertMDMManagedCertificates` unconditionally overwrote `not_valid_before`, `not_valid_after`, and `serial` in `ON DUPLICATE KEY UPDATE`. Since the SCEP-proxy render-time payload has those fields nil (cert details aren't known until the device completes the handshake and osquery reports), every renewal trigger wiped them. Once NULL, the renewal cron's `HAVING validity_period IS NOT NULL` clause excluded the row — silently disabling future renewal attempts.

Fixed by switching those columns to `COALESCE(VALUES(col), col)` so a nil incoming value preserves the existing value. DigiCert's flow (which does set the fields) and osquery's separate UPDATE in `updateHostMDMManagedCertDetailsDB` are unaffected.

### 2. 1-hour challenge TTL was too short for offline devices

The challenge is generated at profile-render time but consumed when the device makes its SCEP request — which can be hours or days later (laptop asleep, on a plane, etc.). Devices that didn't pick up the InstallProfile push within the hour hit `challenge not found: sql: no rows in result set` and the renewal failed.

Bumped `OneTimeChallengeTTL` from 1 hour to 7 days. Once consumed, the challenge is deleted immediately regardless of TTL.

### 3. Renewal cron re-fired on in-flight deliveries

`WHERE hp.status IS NOT NULL` matched `'pending'` and `'verifying'` too, so a host whose delivery was still in flight (e.g., offline laptop) would have its profile re-rendered with a fresh challenge every cron tick — generating orphan nano commands and challenge rows hourly. Pre-fix this was masked by bug 1; once the COALESCE preserves cert metadata, the loop becomes visible.

Tightened the filter to `WHERE hp.status IN ('verified', 'failed')` — settled states only.

### 4. iOS/iPadOS managed-cert profiles short-circuited to verified before cert metadata synced

iOS/iPadOS profiles short-circuit `pending` → `verified` directly on MDM ack (no `verifying` step), since osquery isn't available to drive the standard verification cycle. That's correct for non-cert profiles, but for managed-cert profiles it created a window where the renewal cron saw `status='verified'` paired with stale cert metadata still in the renewal window — and the new `IN ('verified', 'failed')` filter from bug 3 kept matching, re-firing renewal each tick until `CertificateList` ingestion eventually caught up.

Fixed by parking iOS/iPadOS managed-cert profiles at `'verifying'` on MDM ack and flipping them to `'verified'` from `updateHostMDMManagedCertDetailsDB` once fresh cert metadata arrives — i.e., reusing the existing state machine instead of inventing a parallel "renewal in flight" tracking column. The `EXISTS(SELECT 1 FROM host_mdm_managed_certificates ...)` check is folded into the existing platform-detection query, so no extra round-trip. macOS is unaffected: the new flip is redundant with `VerifyHostMDMProfiles` but idempotent.

**Trade-off worth flagging:** if `CertificateList` ingestion never runs for an iOS managed-cert profile (broken cron, device offline indefinitely), the profile sits at `'verifying'` and the renewal cron's filter excludes it. In practice both run on the same Apple MDM cron loop — if one is broken, much else is too — but it's a sharper failure mode than letting renewals re-fire wastefully.

### 5. Permanent-failure profiles loop hourly through the renewal cron

Once `'failed'` was added to the cron's status filter (bug 3), there was no longer any circuit breaker for profiles that fail at render time for non-transient reasons — CA deleted from app config, IDP variables missing from host, premium license downgraded. Each cron tick (1h interval) the cron flips `'failed'` → NULL, reconcile re-renders and immediately re-fails via `fleet.MarkProfilesFailed`, status returns to `'failed'`, repeat. Pre-fix this was masked by bug 1 (metadata wipe acted as accidental circuit breaker); once metadata is preserved (bug 1 fix), the loop becomes real and produces a profile-render attempt + nano command per failed cert per hour.

Added a `renewalFailedRetryBackoff` constant (24h) and gated the `'failed'` branch on `hp.updated_at < DATE_SUB(NOW(), INTERVAL renewalFailedRetryBackoff SECOND)`. Transient SCEP-server outages still recover (within at most 24h, well under any cert validity window). Permanent failures still get retried daily (so a customer fixing the underlying issue eventually auto-recovers), but they don't churn nano commands hourly. `'verified'` rows in the renewal window are unaffected — they bypass the gate.

## Tests

- `testMDMManagedSCEPCertificates`: three new sub-tests covering (a) cert-metadata preservation across reconcile re-renders, (b) in-flight-status skip behavior, (c) the permanent-failure backoff. Exercised against both NDES and Custom SCEP via the existing table-driven harness.
- New `testIOSManagedCertProfileStaysVerifying`: verifies that on iOS, a managed-cert profile stays at `'verifying'` after MDM ack and only flips to `'verified'` once `UpdateHostCertificates` ingests fresh cert metadata.
- New `challenges_test.go` covering `NewChallenge`/`ConsumeChallenge` lifecycle and TTL boundaries.
- `TestCustomSCEPIntegration`: updated the hardcoded 2-hour challenge backdate to use `fleet.OneTimeChallengeTTL` so it stays correct as the constant evolves.
- New `TestCustomSCEPRenewalPreservesCertMetadata` end-to-end test: drives the full reconcile path (rather than calling the bare datastore method) so a future change to the render-time payload structure can't silently regress the COALESCE preservation.
|
||
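The SCEP fix above describes three datastore rules in prose: a `COALESCE(VALUES(col), col)` upsert that never lets a nil render-time payload wipe cert metadata, a renewal-cron filter limited to settled statuses, and a 24h backoff on `'failed'` rows. The following is an added example, not code from the PR or from Fleet: an in-memory Go model of those rules so the interaction between bug 1 (wiped metadata drops the row out of the cron entirely) and bugs 3 and 5 (which rows the cron may touch) can be exercised without a database. The type and function names, the single joined row struct, and the 30-day renewal window are assumptions made for illustration; Fleet's real schema and queries are not reproduced here.

```go
package main

import (
	"fmt"
	"time"
)

// Added example, not Fleet's code; names and the 30-day renewal window are assumptions.

// CertMeta mirrors the nullable columns not_valid_before, not_valid_after, serial; nil = SQL NULL.
type CertMeta struct {
	NotValidBefore *time.Time
	NotValidAfter  *time.Time
	Serial         *string
}

// ManagedCertRow is a managed-cert row joined with its host profile's status and updated_at.
type ManagedCertRow struct {
	HostUUID    string
	ProfileUUID string
	Meta        CertMeta
	Status      string // "pending", "verifying", "verified" or "failed"
	UpdatedAt   time.Time
}

const (
	renewalFailedRetryBackoff = 24 * time.Hour      // value from the fix
	renewalWindow             = 30 * 24 * time.Hour // assumed for the example
)

// coalesce implements COALESCE(VALUES(col), col): keep the stored value when the incoming one is NULL.
func coalesce[T any](incoming, existing *T) *T {
	if incoming != nil {
		return incoming
	}
	return existing
}

// upsertPreserving is the fixed ON DUPLICATE KEY UPDATE: a render-time payload whose
// cert fields are nil leaves metadata learned from the device in place. Status and
// UpdatedAt belong to the host profile row and are not touched by this upsert.
func upsertPreserving(existing *ManagedCertRow, incoming ManagedCertRow) ManagedCertRow {
	if existing == nil {
		return incoming // plain INSERT
	}
	out := *existing
	out.Meta.NotValidBefore = coalesce(incoming.Meta.NotValidBefore, existing.Meta.NotValidBefore)
	out.Meta.NotValidAfter = coalesce(incoming.Meta.NotValidAfter, existing.Meta.NotValidAfter)
	out.Meta.Serial = coalesce(incoming.Meta.Serial, existing.Meta.Serial)
	return out
}

// upsertOverwriting is the pre-fix behaviour, kept for contrast: an incoming NULL wins.
func upsertOverwriting(existing *ManagedCertRow, incoming ManagedCertRow) ManagedCertRow {
	if existing == nil {
		return incoming
	}
	out := *existing
	out.Meta = incoming.Meta
	return out
}

// renewalCandidates is the renewal cron's filter after fixes 1, 3 and 5: NULL validity metadata
// is skipped (HAVING validity_period IS NOT NULL), only settled statuses qualify, 'failed' rows
// wait out the backoff, and the cert must already be inside the renewal window.
func renewalCandidates(rows []ManagedCertRow, now time.Time) []ManagedCertRow {
	var out []ManagedCertRow
	for _, r := range rows {
		if r.Meta.NotValidBefore == nil || r.Meta.NotValidAfter == nil {
			continue // metadata wiped: exactly the silent exclusion bug 1 caused
		}
		switch r.Status {
		case "verified": // bypasses the backoff gate
		case "failed":
			if now.Sub(r.UpdatedAt) < renewalFailedRetryBackoff {
				continue // hp.updated_at < DATE_SUB(NOW(), INTERVAL backoff SECOND) is false
			}
		default:
			continue // 'pending'/'verifying' are in flight, not settled
		}
		if now.Before(r.Meta.NotValidAfter.Add(-renewalWindow)) {
			continue
		}
		out = append(out, r)
	}
	return out
}

func main() {
	// Constructed sample: a cert 20 days from expiry, then a reconcile re-render carrying nil metadata.
	now := time.Now()
	nb, na, serial := now.Add(-300*24*time.Hour), now.Add(20*24*time.Hour), "4F2A"
	stored := &ManagedCertRow{HostUUID: "host-1", ProfileUUID: "scep-1", Status: "verified",
		UpdatedAt: now.Add(-time.Hour), Meta: CertMeta{&nb, &na, &serial}}
	rerender := ManagedCertRow{HostUUID: "host-1", ProfileUUID: "scep-1"}
	fixed, broken := upsertPreserving(stored, rerender), upsertOverwriting(stored, rerender)
	fmt.Printf("metadata kept after re-render: fixed=%t pre-fix=%t\n", fixed.Meta.Serial != nil, broken.Meta.Serial != nil)
	fmt.Printf("renewal candidates: fixed=%d pre-fix=%d\n",
		len(renewalCandidates([]ManagedCertRow{fixed}, now)), len(renewalCandidates([]ManagedCertRow{broken}, now)))
}
```

Running `main` shows the pre-fix row losing its serial on the first re-render and then vanishing from the cron's candidate set, which is the "silently disabled renewal" symptom; the fixed row keeps its metadata and stays eligible. The `renewalCandidates` switch is also where bug 5's circuit breaker lives: a `'failed'` row updated an hour ago is skipped, one updated 25 hours ago is retried.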
|
|
62b60fef24
|
Improve filtering on commands endpoints (#44426)
Provides better errors on invalid/unexpected sort keys passed to `/api/v1/fleet/commands`, `/api/v1/fleet/mdm/commands` and `/api/v1/fleet/mdm/apple/commands` endpoints

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements), JS inline code is prevented especially for url redirects, and untrusted data interpolated into shell scripts/commands is validated against shell metacharacters.
- [x] Timeouts are implemented and retries are limited to avoid infinite loops
- [x] If paths of existing endpoints are modified without backwards compatibility, checked the frontend/CLI for any necessary changes

## Testing

- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and test for host isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing) (updates to one host's records do not affect another)
- [x] QA'd all new/changed functionality manually

## Summary by CodeRabbit

* **Bug Fixes**
  * Improved validation for invalid `order_key` values on MDM command endpoints (`/api/v1/fleet/commands`, `/api/v1/fleet/mdm/commands`, and `/api/v1/fleet/mdm/apple/commands`), ensuring only approved sorting parameters are accepted.

---------

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
|
||
|
|
78c0b0c651
|
43885: MLAPR migration + UUID capture (#44244)
**Related issue:** Resolves #43885

Adds a migration and code to capture the value of the fleet managed admin account if one exists.

Changes file added for entire feature

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements), JS inline code is prevented especially for url redirects, and untrusted data interpolated into shell scripts/commands is validated against shell metacharacters.
- [x] Timeouts are implemented and retries are limited to avoid infinite loops

## Testing

- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and test for host isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing) (updates to one host's records do not affect another)
- [x] QA'd all new/changed functionality manually

## Database migrations

- [x] Checked schema for all modified tables for columns that will auto-update timestamps during migration.
- [x] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects.
- [x] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`).

## Summary by CodeRabbit

* **New Features**
  * Automatic password rotation for managed local admin accounts on macOS, triggered after viewing activity.
  * Provisioning now captures and persists the managed admin account identifier (UUID) to support rotation and prevents that account from being stored as a regular user.
  * Hosts will request a best-effort recheck when the managed admin identifier is not yet available.
* **Chores**
  * Database schema updated to store rotation scheduling and pending credential state.
* **Tests**
  * Added tests covering UUID capture, conditional updates, migration, and ingest behavior.

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
|
||
|
|
98cad56716
|
redirect to correct URL, and allow both URLs for MDM SSO SAML validation if set (#44156)
**Related issue:** Resolves #41592

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements), JS inline code is prevented especially for url redirects, and untrusted data interpolated into shell scripts/commands is validated against shell metacharacters.
- [x] Timeouts are implemented and retries are limited to avoid infinite loops
- [x] If paths of existing endpoints are modified without backwards compatibility, checked the frontend/CLI for any necessary changes

## Testing

- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually

## Summary by CodeRabbit

* **Bug Fixes**
  * Fixed SSO failures when a custom Apple MDM URL is configured: callback requests are now redirected to the configured MDM URL when needed, and SAML validation correctly considers the configured MDM/server URLs so authentication succeeds for custom MDM setups.
|
||
|
|
52caba768c
|
Fix filtering in /api/v1/fleet/labels/:id/hosts endpoint (#44293)
- [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.

## Testing

- [X] Added/updated automated tests
- [x] QA'd all new/changed functionality manually

## Summary by CodeRabbit

* **Bug Fixes**
  * Fixed filtering in the /api/v1/fleet/labels/:id/hosts endpoint and tightened validation to reject invalid sort/order keys with HTTP 422 responses.
  * Enforced ordering restrictions tied to feature flags (issues and device-mapping), rejecting unsupported order_key values.
* **Tests**
  * Added extensive integration tests for order_key validation, deterministic sorting across allowed keys, and cursor pagination.
* **Documentation**
  * Added a changelog entry noting the hosts-in-label filtering fix.
|
||
|
|
ff60104c9a
|
Prevent patch title ID collisions (#44179)
Fixes #44183 |
||
|
|
c0ecbfc1d8
|
Return Windows Enrollment Status Page (ESP) (#43454)
**Related issue:** Resolves #42843

This change shows Windows Enrollment Status Page (ESP) during OOBE enrollment. It does not track/update the status of that page, so the end user does not actually see any progress on it. Its purpose is to block the user from proceeding to desktop until all the profiles have been sent to the device. Software apps are not being tracked/blocked in this PR.

This is what the final ESP screen looks like for this PR before it takes the user to set up Windows Hello:

![image](https://github.com/user-attachments/assets/748a2710-9388-4d04-93d1-8f2a518965a1)

# Checklist for submitter

## Testing

- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually

## Summary by CodeRabbit

* **New Features**
  * Enrollment Status Page (ESP) support for Windows Autopilot: sends hold/release commands and advances enrollment states during setup.
  * Scoped profile installation checks per host and a default ESP timeout (3 hours).
* **Bug Fixes**
  * Clears prior profile delivery state during reenrollment cleanup to avoid stale delivery state.
  * Safer state transitions for "awaiting configuration" with guarded compare-and-swap updates.
* **Tests**
  * New unit and integration tests validating ESP flows and awaiting-configuration transitions.

---------

Co-authored-by: Konstantin Sykulev <konst@sykulev.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
|
||
|
|
9628f49cb8
|
Improved the performance of Windows MDM profile reconciliation (#44075)
**Related issue:** Resolves #44052

Improve performance by reducing the time for the synchronous API call to update profiles or switch teams, and by spreading out the application of profiles by processing 2000 hosts every 30 seconds.

1. **Windows profile reconciliation is no longer synchronous to bulk-set.** Apple, Android, and Apple-declaration paths still write their pending state inside the bulk-set transaction. The Windows path commits the transactional inputs and lets the existing `mdm_windows_profile_manager` cron pick the work up on its next tick. The visible effect is that `host_mdm_windows_profiles` is no longer guaranteed to be populated by the time bulk-set returns; it converges within one cron interval.
2. **The Windows reconciler now processes hosts in bounded batches, with a persisted cursor.** Previous behavior was "scan the universe of pending Windows hosts on every tick." New behavior is a host-window query bounded by batch size and a `host_uuid` cursor, advanced after the batch commits successfully and persisted across ticks. A failed tick leaves the cursor untouched so the same window is retried.
3. **Two replication races are now explicitly handled.**
   - Admin-delete vs reconcile: the existence check the reconciler uses to avoid touching a just-deleted profile reads from the primary, not a replica.
   - Insert lag in the reconciler's own listings: hosts that appear in the cursor query but are not yet visible in the scoped listings advance the cursor instead of jamming the loop.
4. **`updates.WindowsConfigProfile` from `BulkSetPendingMDMHostProfiles` is now always false in production.** The only consumer ORs it with the transactional signal from `BatchSetMDMProfiles`, which is the accurate source. The bulk-set call no longer attempts to compute or return that activity signal itself.
5. **Tests opt in to the old synchronous behavior via a named hook.** Default test behavior matches production (deferred). Legacy tests whose assertions require Windows rows immediately after bulk-set call an explicit enable-hook and rely on `t.Cleanup` to restore.

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.

## Testing

- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually

## Summary by CodeRabbit

* **New Features**
  * Windows MDM profile reconciliation batching improvements enable large team transfers and bulk profile change operations to complete faster, with profile updates rolling out in the background without blocking host check-ins or other MDM activity.
|
||
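Points 2 and 3 of the Windows reconciliation PR above describe a cursor-driven batch loop with two invariants: a failed batch must not move the `host_uuid` cursor, and a host that shows up in the cursor query but not in the scoped listing (replica insert lag) must still advance the cursor. The following is an added example, not code from the PR or from Fleet, showing one way such a loop can be written so both invariants hold and are testable in memory. `Store`, `reconcileTick`, the in-memory "scoped listing" map, and the choice to wrap the cursor back to the start on an empty window are assumptions made for illustration; the PR does not say how Fleet handles the end of the keyspace.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Added example, not Fleet's code: a bounded, cursor-driven reconcile loop of the
// kind the PR describes. Store, reconcileTick and the wrap-around on an empty
// window are assumptions made for illustration.

// Store stands in for the datastore: the host_uuids with pending Windows work,
// the "scoped listings" (which may lag on a replica), and the persisted
// host_uuid cursor ("" means start of the keyspace).
type Store struct {
	PendingHosts  []string
	ScopedVisible map[string]bool
	Cursor        string
}

// hostWindow is the host-window query: at most batchSize host_uuids strictly greater than Cursor.
func (s *Store) hostWindow(batchSize int) []string {
	sort.Strings(s.PendingHosts)
	i := sort.SearchStrings(s.PendingHosts, s.Cursor)
	if i < len(s.PendingHosts) && s.PendingHosts[i] == s.Cursor {
		i++
	}
	end := i + batchSize
	if end > len(s.PendingHosts) {
		end = len(s.PendingHosts)
	}
	return s.PendingHosts[i:end]
}

// reconcileTick processes one cron tick. apply is the batch write; when it fails the
// cursor is left untouched so the same window is retried next tick. Hosts in the
// window but missing from the scoped listing (replica insert lag) still advance the
// cursor instead of jamming the loop. exhausted reports an empty window, after which
// the cursor wraps to the start of the keyspace (an assumption of this example).
func reconcileTick(s *Store, batchSize int, apply func(hosts []string) error) (applied []string, exhausted bool, err error) {
	window := s.hostWindow(batchSize)
	if len(window) == 0 {
		s.Cursor = ""
		return nil, true, nil
	}
	for _, h := range window {
		if s.ScopedVisible[h] {
			applied = append(applied, h)
		}
	}
	if len(applied) > 0 {
		if e := apply(applied); e != nil {
			return nil, false, e // batch did not commit: cursor unchanged
		}
	}
	s.Cursor = window[len(window)-1] // advance only after a successful commit
	return applied, false, nil
}

func main() {
	// Constructed sample: five pending hosts, "d" not yet visible in the scoped listing.
	s := &Store{
		PendingHosts:  []string{"a", "b", "c", "d", "e"},
		ScopedVisible: map[string]bool{"a": true, "b": true, "c": true, "e": true},
	}
	tick := 0
	apply := func(hosts []string) error {
		tick++
		if tick == 2 {
			return errors.New("simulated write failure on tick 2")
		}
		fmt.Printf("tick %d: applied %v\n", tick, hosts)
		return nil
	}
	for i := 0; i < 5; i++ {
		applied, exhausted, err := reconcileTick(s, 2, apply)
		fmt.Printf("cursor=%q applied=%v exhausted=%t err=%v\n", s.Cursor, applied, exhausted, err)
	}
}
```

The run shows the second tick failing and leaving the cursor at `"b"`, the third tick retrying the same `c,d` window and advancing past `d` even though `d` was not visible, and the final tick wrapping the cursor once the window is empty. Whatever the real persistence mechanism, the property to test is the one the PR states: the cursor is written only after the batch commit succeeds.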
|
|
51dca83dec
|
Fix script-only packages not setting install script file (#44299)
**Related issue:** Resolves #43659

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements), JS inline code is prevented especially for url redirects, and untrusted data interpolated into shell scripts/commands is validated against shell metacharacters.
- [ ] Timeouts are implemented and retries are limited to avoid infinite loops
- [ ] If paths of existing endpoints are modified without backwards compatibility, checked the frontend/CLI for any necessary changes

## Testing

- [x] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and test for host isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing) (updates to one host's records do not affect another)
- [x] QA'd all new/changed functionality manually

## Summary by CodeRabbit

* **Bug Fixes**
  * Preserves install scripts for script-only software installers when using hash-based references in GitOps, preventing self-service installs from silently no-opping.
* **Tests**
  * Added an integration regression test to verify batch installer resolution by hash preserves uploaded install script contents.
|
||
|
|
5ac50a2dc9
|
Bound orbit retries on missing installer details to 5 mins (#44284)
Fixes #44084 |
||
|
|
2c609ae78e
|
CSAH: appconfig/gitops/DB migration to add preserve_host_activities_on_reenrollment field (#44212)
**Related issue:** Resolves #43943

# Checklist for submitter

- [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements), JS inline code is prevented especially for url redirects, and untrusted data interpolated into shell scripts/commands is validated against shell metacharacters.

## Testing

- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and test for host isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing) (updates to one host's records do not affect another)
- [x] QA'd all new/changed functionality manually

See https://github.com/fleetdm/fleet/issues/43943#issuecomment-4329658412

## Database migrations

- [x] Checked schema for all modified tables for columns that will auto-update timestamps during migration.

## New Fleet configuration settings

- [x] Verified that the setting is exported via `fleetctl generate-gitops`
- [x] Verified the setting is documented in a separate PR to [the GitOps documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485) (see https://github.com/fleetdm/fleet/pull/43877/changes)
- [x] Verified that the setting is cleared on the server if it is not supplied in a YAML file (or that it is documented as being optional)
- [ ] Verified that any relevant UI is disabled when GitOps mode is enabled (should be done by https://github.com/fleetdm/fleet/issues/43947)

## Summary by CodeRabbit

* **New Features**
  * Added a configuration option to preserve host activities during host re-enrollment, letting admins choose whether activity history is retained when hosts re-enroll.
* **Chores**
  * Updated defaults and database migration state so the new setting is present in stored and generated configs and in GitOps outputs.
* **Tests**
  * Added unit, integration, migration, and GitOps fixtures to validate behavior, serialization, and upgrade semantics.
|
||
|
|
9ec20e60b7
|
Windows MDM improved host profile status performance (#44225)
**Related issue:** Resolves #44189

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements), JS inline code is prevented especially for url redirects, and untrusted data interpolated into shell scripts/commands is validated against shell metacharacters.

## Testing

- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and test for host isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing) (updates to one host's records do not affect another)
- [ ] QA'd all new/changed functionality manually

## Summary by CodeRabbit

* **Performance**
  * Optimized Windows MDM profile removal to skip redundant database writes for terminal removals.
* **Bug Fixes**
  * Ensure terminal remove responses (both verified and failed) delete the corresponding profile records without affecting concurrent installs.
* **Tests**
  * Added coverage for mixed install/remove responses and re-install after a verified removal.
|
||
|
|
899dc5aa57
|
Check for duplicate linux software installers (#44234)
**Related issue:** Resolves #43959 #44038

Refactored `checkSoftwareConflictsByIdentifier` to a switch statement with different logic per platform

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements), JS inline code is prevented especially for url redirects, and untrusted data interpolated into shell scripts/commands is validated against shell metacharacters.
- [ ] Timeouts are implemented and retries are limited to avoid infinite loops
- [ ] If paths of existing endpoints are modified without backwards compatibility, checked the frontend/CLI for any necessary changes

## Testing

- [x] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and test for host isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing) (updates to one host's records do not affect another)
- [x] QA'd all new/changed functionality manually

## Summary by CodeRabbit

## Bug Fixes

- Prevented duplicate software installer entries on Linux.
- Improved conflict detection for software installers across iOS, macOS, Windows, and Linux platforms to prevent incompatible uploads.
|
||
|
|
bd18bac797
|
Adding gitOpsModeEnabled and gitOpsModeExceptions to anonymous statistics payload (#44161)
**Related issue:** Resolves #42240.

- [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.

## Testing

- [X] Added/updated automated tests
- [X] QA'd all new/changed functionality manually

## Summary by CodeRabbit

* **New Features**
  * Statistics now include GitOps mode: whether it's enabled and the ordered list of configured exception categories (serializes as an empty list when none).
* **Tests**
  * Added tests for GitOps-related statistics transitions and made statistics-timing tests deterministic for reliable behavior.
|
||
|
|
65fcc132ae
|
Fixed a race where a host could silently revert to its previous team (#44074)
**Related issue:** Resolves #44071

Verified fix in loadtest.

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.

## Testing

- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually

## Summary by CodeRabbit

* **Bug Fixes**
  * Fixed a race condition that could cause hosts to silently revert to a previous team after an admin team transfer.
  * Improved reliability of team-transfer handling to prevent unexpected reversion during certificate/template transfers and device/profile operations.
* **Tests**
  * Added regression tests to ensure team assignments persist correctly across host refreshes and related workflows.

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
|
||
|
|
c22954edf2
|
Remove unused windows_updates MySQL table and ingestion (#44128)
**Related issue:** Resolves #44127

- [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`.

## Testing

- [x] QA'd all new/changed functionality manually

## Summary by CodeRabbit

* **Chores**
  * Removed the unused Windows Updates feature: ingestion, parsing, persistence APIs, and detail query; added a migration to drop the related database table.
* **Tests**
  * Removed unit and integration tests for Windows update parsing, ingestion, persistence, and query inclusion.
|
||
|
|
43552b8dac
|
Reworked Windows profile delete batching (#44047)
**Related issue:** Resolves #42545

This rework does not significantly improve the worst case performance, but it does improve some cases (like lower number of hosts with a lot of profiles).

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`.

## Testing

- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and test for host isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing) (updates to one host's records do not affect another)
- [x] QA'd all new/changed functionality manually

## Summary by CodeRabbit

* **Performance Improvements**
  * Improved batch deletion for Windows MDM configuration profiles to handle very large-scale cleanup with fewer database updates.
  * Replaced per-profile update loops with multi-profile batched updates to reduce update overhead and improve determinism.
* **Tests**
  * Added tests validating multi-profile batch delete behavior and ensuring each queued delete command is correctly targeted.
|
||
|
|
4fd9244195
|
Don't update host values that didn't change (reduce writer load) (#43992)
**Related issue:** Resolves #42545

Tested in loadtest. `host_orbit_info` and `host_disks` are seeing the massive skip wins

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.

## Testing

- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually

## Summary by CodeRabbit

* **Performance**
  * Avoids unnecessary database writes when incoming host data already match stored values, reducing steady-state update volume.
* **Tests**
  * Added tests to validate skip-on-no-change behavior, including cases with small numeric precision differences and idempotency checks.
* **Documentation**
  * Added changelog entry describing the reduced-write behavior.
|
||
|
|
1539c6b094
|
Enforce consistent fleet name uniqueness across UI and GitOps (#33557)
Resolves #33557

The teams.name column uses utf8mb4_unicode_ci, so names like "ABC" and "abc" compare as equal at the database level. Before this change name collisions were handled in different ways in the UI and in GitOps. The changes introduced here consolidate the logic used for detecting name collisions in all code paths. All conflicts return 409 with the canonical copy "Fleet names must differ by at least one non-special character (case-insensitive)."
|
||
|
|
ba0f6b3c72
|
Update GitOps for managed local account fields (#44058)
**Related issue:** Resolves #42948

- Updated `(mos *MacOSSetup) Validate()` and `(mos *MacOSSetup) SetDefaultsIfNeeded()` to account for new fields
- Updated default creation and editing for team edit/creation paths
- Updated `generate-gitops` warning message from `macos_setup` to `setup_experience`
- Updated field types to optjson and updated test files

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [ ] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements), JS inline code is prevented especially for url redirects, and untrusted data interpolated into shell scripts/commands is validated against shell metacharacters.
- [ ] Timeouts are implemented and retries are limited to avoid infinite loops
- [ ] If paths of existing endpoints are modified without backwards compatibility, checked the frontend/CLI for any necessary changes

## Testing

- [x] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and test for host isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing) (updates to one host's records do not affect another)
- [x] QA'd all new/changed functionality manually
  - Team edit and team creation through GitOps, validated config with `curl -k -X GET 'https://localhost:8080/api/v1/fleet/fleets/:id'`
  - New error message says `setup_experience` instead of `macos_setup`

## Summary by CodeRabbit

* **New Features**
  * Added macOS MDM settings to control local account behavior: enable managed local accounts (default false) and specify end-user local account type (default "admin") for fleet and team configs. GitOps output now highlights unsupported setup-experience cases.
* **Tests**
  * Updated fixtures and integration tests to assert and persist the new macOS local-account settings across config, team, and GitOps scenarios.
|
||
|
|
fb499b9a01
|
Improved Windows MDM profiles summary performance (#44034)
<!-- Add the related story/sub-task/bug number, like Resolves #123, or remove if NA -->

**Related issue:** Resolves #44050

Original query like:

```sql
SELECT
  CASE
    WHEN EXISTS (
      SELECT 1 FROM host_mdm_windows_profiles hmwp
      WHERE h.uuid = hmwp.host_uuid
        AND hmwp.status = 'failed' -- fleet.MDMDeliveryFailed
        AND hmwp.profile_name NOT IN (<reserved_names>)
    ) THEN 'failed'
    WHEN EXISTS (
      SELECT 1 FROM host_mdm_windows_profiles hmwp
      WHERE h.uuid = hmwp.host_uuid
        AND (hmwp.status IS NULL OR hmwp.status = 'pending') -- fleet.MDMDeliveryPending
        AND hmwp.profile_name NOT IN (<reserved_names>)
        AND NOT EXISTS (
          SELECT 1 FROM host_mdm_windows_profiles hmwp2
          WHERE h.uuid = hmwp2.host_uuid
            AND hmwp2.status = 'failed'
            AND hmwp2.profile_name NOT IN (<reserved_names>)
        )
    ) THEN 'pending'
    WHEN EXISTS (
      SELECT 1 FROM host_mdm_windows_profiles hmwp
      WHERE h.uuid = hmwp.host_uuid
        AND hmwp.operation_type = 'install' -- fleet.MDMOperationTypeInstall
        AND hmwp.status = 'verifying' -- fleet.MDMDeliveryVerifying
        AND hmwp.profile_name NOT IN (<reserved_names>)
        AND NOT EXISTS (
          SELECT 1 FROM host_mdm_windows_profiles hmwp2
          WHERE h.uuid = hmwp2.host_uuid
            AND hmwp2.operation_type = 'install'
            AND hmwp2.profile_name NOT IN (<reserved_names>)
            AND (hmwp2.status IS NULL OR hmwp2.status NOT IN ('verifying', 'verified'))
        )
    ) THEN 'verifying'
    WHEN EXISTS (
      SELECT 1 FROM host_mdm_windows_profiles hmwp
      WHERE h.uuid = hmwp.host_uuid
        AND hmwp.operation_type = 'install'
        AND hmwp.status = 'verified' -- fleet.MDMDeliveryVerified
        AND hmwp.profile_name NOT IN (<reserved_names>)
        AND NOT EXISTS (
          SELECT 1 FROM host_mdm_windows_profiles hmwp2
          WHERE h.uuid = hmwp2.host_uuid
            AND hmwp2.operation_type = 'install'
            AND hmwp2.profile_name NOT IN (<reserved_names>)
            AND (hmwp2.status IS NULL OR hmwp2.status != 'verified')
        )
    ) THEN 'verified'
    ELSE ''
  END AS final_status,
  SUM(1) AS count
FROM hosts h
JOIN host_mdm hmdm ON h.id = hmdm.host_id
JOIN mdm_windows_enrollments mwe ON h.uuid = mwe.host_uuid
WHERE mwe.device_state = 'enrolled' -- microsoft_mdm.MDMDeviceStateEnrolled
  AND h.platform = 'windows'
  AND hmdm.is_server = 0
  AND hmdm.enrolled = 1
  AND <team_filter>
GROUP BY final_status;
```

New query like:

```sql
SELECT
  (
    SELECT CASE
      WHEN SUM(CASE WHEN hmwp.status = 'failed'
                     AND hmwp.profile_name NOT IN (<reserved_names>) THEN 1 ELSE 0 END) > 0 THEN 'failed'
      WHEN SUM(CASE WHEN (hmwp.status IS NULL OR hmwp.status = 'pending')
                     AND hmwp.profile_name NOT IN (<reserved_names>) THEN 1 ELSE 0 END) > 0 THEN 'pending'
      WHEN SUM(CASE WHEN hmwp.operation_type = 'install' AND hmwp.status = 'verifying'
                     AND hmwp.profile_name NOT IN (<reserved_names>) THEN 1 ELSE 0 END) > 0 THEN 'verifying'
      WHEN SUM(CASE WHEN hmwp.operation_type = 'install' AND hmwp.status = 'verified'
                     AND hmwp.profile_name NOT IN (<reserved_names>) THEN 1 ELSE 0 END) > 0 THEN 'verified'
      ELSE ''
    END
    FROM host_mdm_windows_profiles hmwp
    WHERE hmwp.host_uuid = h.uuid
  ) AS final_status,
  SUM(1) AS count
FROM hosts h
JOIN host_mdm hmdm ON h.id = hmdm.host_id
JOIN mdm_windows_enrollments mwe ON h.uuid = mwe.host_uuid
WHERE mwe.device_state = 'enrolled'
  AND h.platform = 'windows'
  AND hmdm.is_server = 0
  AND hmdm.enrolled = 1
  AND <team_filter>
GROUP BY final_status;
```

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.

## Testing

- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually

For unreleased bug fixes in a release candidate, one of:

- [x] Alerted the release DRI if additional load testing is needed

<!-- This is an auto-generated comment: release notes by coderabbit.ai -->

## Summary by CodeRabbit

* **Performance Improvements**
  * Optimized Windows MDM profile summary and host OS settings filtering for faster, lower-cost server queries.
* **Tests**
  * Added an exhaustive verification test covering all Windows MDM profile permutations to ensure correct status bucketing and host membership.

<!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
28908e6083
|
Dashboard charts backend (#43910)
<!-- Add the related story/sub-task/bug number, like Resolves #123, or remove if NA -->

**Related issue:** For #42812

# Details

This PR implements a new bounded context, `chart`, with a single endpoint `/charts`. The context encompasses a framework for recording, querying and aggregating historical data for Fleet hosts, and returning that data via the API for the purpose of charting.

This initial iteration has a full implementation of a dataset called "uptime" which captures which hosts were online hour-by-hour (online meaning, having been "seen" at some point during that hour). It has a partial implementation of a "cve" dataset which will capture which hosts were vulnerable to which CVEs during a given day.

### Data storage

Data is stored in an SCD (slowly-changing dimension) format in the `host_scd_data` table, where the main "value" in a row is stored in the `host_bitmap` column, which is a `mediumblob` where each bit encodes a host ID (bit one represents host ID 1, bit 1444 represents host ID 1444, etc.). The set of bits set on a row represents the hosts for which that dataset is "on" during a given time period represented by the `valid_from` (inclusive) and `valid_to` (exclusive) dates, where a `valid_to` can have the special "sentinel" value 9999-12-31T00:00:00.000 meaning that the row is still "open" (the value represents everything from `valid_from` to the present).

Additionally an `entity_id` column can be used for datasets with multiple dimensions, e.g. CVE exposure or software usage which would have entity IDs representing CVEs or software items respectively.

### Data collection

Data is collected via a cron job that runs every 10 minutes. Each dataset has its own `Collect` method which will sample the data for the given moment. For example the "uptime" dataset gathers the set of hosts that are online at the moment, and the "cve" dataset will gather the set of hosts that are vulnerable to each CVE at that moment.

The sample can then be recorded using one of two strategies:

* `accumulate`: bitwise OR the sample with any data already recorded for the current hour, or add a new pre-closed row for that hour.
* `snapshot`: if there is no open row, create one with the sample and `valid_to` set to the sentinel. Otherwise:
  * If the sample has the same value as the current open row, do nothing
  * If the sample has a different value and the current open row's `valid_from` is within the same hour, update the current row's value
  * If the sample has a different value and the current open row's `valid_from` is not within the same hour, close the current open row and start a new one with `valid_from` = the start of the current hour

### Data retrieval

1. Gets the set of host IDs to retrieve data for. This starts with the set of host IDs in the requested fleet (or all the hosts a user has access to if no `fleet_id` param was passed to the `/charts` endpoint), and is further whittled down by any filter options supplied with the request (labels, platforms, etc.).
2. Finds all `host_scd_data` rows for the requested dataset and date range (i.e. all rows whose `valid_from` is < the date range end and `valid_to` is > the date range start).
3. Calculates the date ranges of the "buckets" to return datapoints for. For the uptime chart we default to 3-hour buckets, so we want 8 buckets per day.
4. Iterates over each bucket and finds the row or rows from host_scd_data that cover that bucket range. For datasets using the "accumulate" strategy, the values for those rows are ORed together. For "snapshot"s, we take the one active at the bucket end time to represent the bucket (e.g. "which hosts had a given CVE at the end of the day")

### Tools

This PR includes two dev tools that don't require deep review:

* **chart-backfill** - used to backfill data to various datasets for testing
* **charts-collect** - used to collect data from a live server via the API and put into a local hosts_scd_data table

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.
- [X] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements), JS inline code is prevented especially for url redirects, and untrusted data interpolated into shell scripts/commands is validated against shell metacharacters.

## Testing

- [X] Added/updated automated tests
- [X] Where appropriate, [automated tests simulate multiple hosts and test for host isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing) (updates to one host's records do not affect another)
- [X] QA'd all new/changed functionality manually
  - With [front-end branch](https://github.com/fleetdm/fleet/pull/43878)

<img width="712" height="434" alt="image" src="https://github.com/user-attachments/assets/b2ccce49-b5fd-4076-b47f-0eea6a53260c" />

## Database migrations

- [X] Checked schema for all modified tables for columns that will auto-update timestamps during migration.
- [X] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects.
- [X] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`).

<!-- This is an auto-generated comment: release notes by coderabbit.ai -->

## Summary by CodeRabbit

* **New Features**
  * Added charting bounded context: HTTP API for metrics (uptime, CVE), dataset registry, hosted dataset collection, background collection/cleanup with opt-out env.
  * New utilities: host bitmap operations and string-list/uint-list parsers.
  * New CLI tools to collect and backfill chart data.
* **Database**
  * Migration and schema to store host time-series SCD chart data.
* **Tests**
  * Extensive unit and integration tests for service, storage, caching, cron, and utilities.

<!-- end of auto-generated comment: release notes by coderabbit.ai --> |
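As an added illustration of the design described in the commit message above (example code written here, not Fleet's `chart` package), the following Go models the `host_bitmap` encoding, the `snapshot` recording rules and the per-bucket reduction for both strategies. The type and function names are assumptions, bitmaps are compared byte-for-byte, and the hosts and timestamps are constructed sample data.

```go
package main

import (
	"bytes"
	"fmt"
	"math/bits"
	"time"
)

// ValidToOpen is the sentinel valid_to (9999-12-31) that marks a still-open row.
var ValidToOpen = time.Date(9999, 12, 31, 0, 0, 0, 0, time.UTC)
// HostBitmap mirrors the host_bitmap mediumblob: bit N (1-based) is host ID N.
type HostBitmap []byte

// Set turns host hostID (>= 1) "on", growing the blob as needed.
func (b *HostBitmap) Set(hostID uint) {
	idx, bit := (hostID-1)/8, byte(1)<<((hostID-1)%8)
	for uint(len(*b)) <= idx {
		*b = append(*b, 0)
	}
	(*b)[idx] |= bit
}

// Or returns the bitwise union of two bitmaps, the accumulate strategy's operation.
func (b HostBitmap) Or(o HostBitmap) HostBitmap {
	if len(o) > len(b) {
		b, o = o, b // copy the longer one and OR the shorter into it
	}
	out := append(HostBitmap{}, b...)
	for i, x := range o {
		out[i] |= x
	}
	return out
}

// Count returns how many hosts are "on".
func (b HostBitmap) Count() (n int) {
	for _, x := range b {
		n += bits.OnesCount8(x)
	}
	return n
}

// Row is one host_scd_data row: Bitmap holds for [ValidFrom, ValidTo).
type Row struct {
	ValidFrom, ValidTo time.Time
	Bitmap             HostBitmap
}

// RecordSnapshot applies the "snapshot" rules to a sample taken at now; only the last row can be open.
func RecordSnapshot(rows []Row, sample HostBitmap, now time.Time) []Row {
	hour := now.Truncate(time.Hour)
	last := len(rows) - 1
	switch {
	case last < 0 || !rows[last].ValidTo.Equal(ValidToOpen): // no open row: start one
		return append(rows, Row{hour, ValidToOpen, sample})
	case bytes.Equal(rows[last].Bitmap, sample): // same value (byte-for-byte): nothing to do
		return rows
	case !rows[last].ValidFrom.Before(hour): // changed within the same hour: rewrite it
		rows[last].Bitmap = sample
		return rows
	default: // changed in a later hour: close the open row and start a new one
		rows[last].ValidTo = hour
		return append(rows, Row{hour, ValidToOpen, sample})
	}
}

type Strategy int
const (
	Accumulate Strategy = iota // OR every row overlapping the bucket
	Snapshot                   // take the row active at the bucket's end
)

// BucketCounts performs retrieval steps 3 and 4: n buckets of width bucket from start, each reduced to a host count.
func BucketCounts(rows []Row, s Strategy, start time.Time, bucket time.Duration, n int) []int {
	out := make([]int, n)
	for i := range out {
		bStart := start.Add(time.Duration(i) * bucket)
		bEnd := bStart.Add(bucket)
		var acc HostBitmap
		for _, r := range rows {
			overlaps := r.ValidFrom.Before(bEnd) && r.ValidTo.After(bStart)
			if s == Accumulate && overlaps {
				acc = acc.Or(r.Bitmap)
			} else if s == Snapshot && overlaps && r.ValidTo.After(bEnd.Add(-time.Nanosecond)) {
				acc = r.Bitmap // the row active at the last instant inside the bucket
			}
		}
		out[i] = acc.Count()
	}
	return out
}

func main() {
	sample := HostBitmap{}
	sample.Set(1444) // constructed: only host 1444 is online at 00:05 UTC
	rows := RecordSnapshot(nil, sample, time.Date(2026, 1, 1, 0, 5, 0, 0, time.UTC))
	fmt.Println(BucketCounts(rows, Snapshot, rows[0].ValidFrom, 3*time.Hour, 8))
}
```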
||
|
|
5da912a33e
|
Bugfix: escape characters not supported in JSON when resolving variables (#43955)
<!-- Add the related story/sub-task/bug number, like Resolves #123, or remove if NA --> **Related issue:** Resolves #38013 # Checklist for submitter - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements), JS inline code is prevented especially for url redirects, and untrusted data interpolated into shell scripts/commands is validated against shell metacharacters. ## Testing - [x] Added/updated automated tests - [x] QA'd all new/changed functionality manually See https://drive.google.com/file/d/1zeFNLuf_rT5FWzDiYyL2_hbIBW2neba-/view?usp=drive_link <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * GitOps variables in JSON configuration profiles (Apple DDM declarations and Android profiles) are now automatically escaped for JSON special characters, ensuring proper handling of sensitive values. * **Tests** * Added JSON configuration profile escaping validation to the enterprise GitOps integration test suite. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
7fa1341c73
|
Windows wipe failed activity (#43795)
**Related issue:** Resolves #42290 # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements), JS inline code is prevented especially for url redirects, and untrusted data interpolated into shell scripts/commands is validated against shell metacharacters. - [x] Timeouts are implemented and retries are limited to avoid infinite loops ## Testing - [x] Added/updated automated tests - [x] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Failed Windows MDM wipe attempts now create a tracked "Failed wipe" activity showing the affected host and display name for visibility; UI filter and activity feed now surface this type. * **Bug Fixes** * Improved detection and reporting of wipe result statuses so real failures are reliably surfaced. * Duplicate failure responses are suppressed to avoid repeated alerts. * **Tests** * Added tests validating wipe-failure activity creation and related control flows. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com> |
||
|
|
565b842d5e
|
Fix handling of cross-team stale Windows MDM profiles after host movement (#43990)
Unreleased bug

- Added team scoping to LocURI protection for profile deletion.
- Addressed stale MDM profile rows when hosts transfer between teams.
- Improved test coverage for Windows MDM profile deletion scenarios.

<!-- Add the related story/sub-task/bug number, like Resolves #123, or remove if NA -->

**Related issue:** Resolves #33418

# Checklist for submitter

## Testing

- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and test for host isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing) (updates to one host's records do not affect another)
- [x] QA'd all new/changed functionality manually

For unreleased bug fixes in a release candidate, one of:

- [x] Confirmed that the fix is not expected to adversely impact load test results

<!-- This is an auto-generated comment: release notes by coderabbit.ai -->

## Summary by CodeRabbit

* **Bug Fixes**
  * Fixed Windows MDM profile deletion so devices moved between teams are correctly cleaned up and receive removal commands, preventing stale profile configurations from persisting.
  * Added a regression test ensuring deletion of no-team profiles isn't blocked by leftover host-profile rows or by profiles in other teams.

<!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
9feb9c2be0
|
Fix Recovery Lock password desync on MDM re-enrollment (#43827) | ||
|
|
ad2c47c419
|
Added an index on software.bundle_identifier (#43979)
<!-- Add the related story/sub-task/bug number, like Resolves #123, or remove if NA --> **Related issue:** Resolves #43978 # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. ## Testing - [x] QA'd all new/changed functionality manually For unreleased bug fixes in a release candidate, one of: - [x] Confirmed that the fix is not expected to adversely impact load test results - [x] Alerted the release DRI if additional load testing is needed <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Chores** * Optimized database performance for the app synchronization process by adding an index to improve query efficiency and reduce CPU load on large deployments. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
1365068858
|
Fix various DDM stuck remove/pending issues (#43382)
<!-- Add the related story/sub-task/bug number, like Resolves #123, or remove if NA --> **Related issue:** Resolves #40322 (Second part) # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements), JS inline code is prevented especially for url redirects, and untrusted data interpolated into shell scripts/commands is validated against shell metacharacters. - [x] Timeouts are implemented and retries are limited to avoid infinite loops - [x] If paths of existing endpoints are modified without backwards compatibility, checked the frontend/CLI for any necessary changes ## Testing - [x] Added/updated automated tests - [x] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Cleans up orphaned pending Apple MDM profile removals so pending remove rows no longer get stuck during batch processing. * Fixes DDM status handling so remove operations are skipped/handled based on the incoming update, preventing incorrect flips. * Reconciler now self-heals stuck pending removal profiles across batches. * **Tests** * Added unit tests covering cross-batch cleanup, orphaned pending removes, and DDM status/reporting edge cases. * **Documentation** * Updated changelog entry for DDM pending/remove fixes. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> |
||
|
|
c2eb45f9a7
|
🤖 Fix GitOps leaving duplicate software installer rows (#43903)
<!-- Add the related story/sub-task/bug number, like Resolves #123, or remove if NA -->

**Related issue:** Resolves #43738

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements), JS inline code is prevented especially for url redirects, and untrusted data interpolated into shell scripts/commands is validated against shell metacharacters.
- [ ] Timeouts are implemented and retries are limited to avoid infinite loops
- [ ] If paths of existing endpoints are modified without backwards compatibility, checked the frontend/CLI for any necessary changes

## Testing

- [x] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and test for host isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing) (updates to one host's records do not affect another)
- [x] QA'd all new/changed functionality manually
  - Before the fix, switching from custom package to FMA via GitOps created two software installer rows and duplicate setup experience installers (the setup experience page said "2 software items will be installed during setup" even though only one was selected).
  - After the fix, switching from custom package to FMA via GitOps deleted the old installer and left only one row with the correct FMA. In setup experience, only one instance of the software was installed.
  - Added a custom package (obsidian) and a policy with a software install automation for it, then applied gitops and replaced obsidian with the FMA version and the policy with the FMA slug, and it redirected the policy to the new installer.
  - Adding setup experience software will only set `install_during_setup=1` on the active FMA, and not on installer rows with `is_active=0`

<img width="1222" height="558" alt="image" src="https://github.com/user-attachments/assets/ace5922a-63ec-4591-b615-1a8534a70805" />
<img width="1173" height="483" alt="image" src="https://github.com/user-attachments/assets/05c7c718-4f4a-4549-bbf1-1e1d6dae75d0" />

<!-- This is an auto-generated comment: release notes by coderabbit.ai -->

## Summary by CodeRabbit

* **Bug Fixes**
  * Prevent duplicate installs by ensuring only active installers are considered during setup; remove or replace custom installers when a managed (fleet-maintained) installer is added, repointing policies to the active installer and canceling now-obsolete pending setup actions.
* **Tests**
  * Added tests covering active-installer selection, custom-to-managed installer replacement, policy repointing, display-name preservation, and cancellation of pending setup activities.

<!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
39e4f616ea
|
macOS managed local account foundations (#43381)
Implements both #42942 and #42943 Co-authored-by: jkatz01 <yehonatankatz@gmail.com> |
||
|
|
91d9b25924
|
Allow conditional downloads across fleets (#43679)
<!-- Add the related story/sub-task/bug number, like Resolves #123, or remove if NA -->

**Related issue:** Resolves #43417

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. done in https://github.com/fleetdm/fleet/pull/42216

## Testing

- [X] Added/updated automated tests
- [X] QA'd all new/changed functionality manually
  - Using a local fileserver, added the same software to two fleets and ran `fleetctl gitops`. Verified that the first fleet downloaded the file, the second fleet used the cache, and both fleets showed the software installer in the UI.

## Summary by CodeRabbit

* **Chores**
  * Updated software installer lookup mechanism to support optional team-scoped searches, enabling fallback to cross-team installer cache when team-specific installers are unavailable.

<!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
1f6e556818
|
Improved Windows MDM performance (#43912)
<!-- Add the related story/sub-task/bug number, like Resolves #123, or remove if NA --> **Related issue:** Resolves #43875 `POST /api/mdm/microsoft/management` is the hot endpoint for any Windows-MDM-enrolled fleet. Every enrolled host hits it twice per check-in interval. At 40k hosts that's a four-figure sustained queries-per-second rate on the database reader pool, dominated by one expensive query plus a handful of redundant `MDMWindowsGetEnrolledDeviceWithDeviceID` lookups on the same row. This PR cuts that load by: 1. Short-circuiting the pending-commands query when the device's queue is empty (the overwhelming common case). Replaces a 3-table join plus anti-join with a cheap primary-key probe. 2. Loading the enrolled device exactly once in `isTrustedRequest` and threading it through to every downstream consumer instead of re-fetching it three times. No behavior change to the protocol, no schema change. Also filed a related issue: https://github.com/fleetdm/fleet/issues/43897 # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. ## Testing - [x] Added/updated automated tests - [x] QA'd all new/changed functionality manually For unreleased bug fixes in a release candidate, one of: - [x] Alerted the release DRI if additional load testing is needed <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Improved Windows MDM server performance at scale by reducing database queries during device check-ins. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
c378e27d82
|
Fixed Android pubsub panic when host was deleted (#43788)
<!-- Add the related story/sub-task/bug number, like Resolves #123, or remove if NA --> **Related issue:** Resolves #42494 # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. ## Testing - [x] Added/updated automated tests - [x] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Prevented a server panic (HTTP 502) when Android pubsub status reports arrive for hosts deleted from Fleet by validating re-enrollment before processing. * Improved Android host creation to avoid creating duplicate hosts when an Orbit-only enrollment already exists. * **Tests** * Added unit tests for the re-enrollment flow for deleted hosts and deduplication between Orbit and Android enrollments. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
1d41ba5605
|
make DDM name check case insensitive (#43347)
<!-- Add the related story/sub-task/bug number, like Resolves #123, or remove if NA -->

**Related issue:** Resolves #40322

The issue was due to case insensitivity in go maps, so when we checked if we should keep the DDM profile or not, it failed. So we now default to lowercasing all profile names to make it case insensitive.

_While that fixes the cause, for the issue, I will follow up with another PR for all the profiles stuck in pending, since it's a scaling issue due to batching and always taking installs before removes, so with 11k hosts it would never have both install and remove in the same run, failing to clear out the stuck pending. It can be manually remediated, but we want to have a better fix for this that actually cleans it up, if this is met as it can be perfectly valid._

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements), JS inline code is prevented especially for url redirects, and untrusted data interpolated into shell scripts/commands is validated against shell metacharacters.
- [x] Timeouts are implemented and retries are limited to avoid infinite loops
- [x] If paths of existing endpoints are modified without backwards compatibility, checked the frontend/CLI for any necessary changes

## Testing

- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually

<!-- This is an auto-generated comment: release notes by coderabbit.ai -->

## Summary by CodeRabbit

* **Bug Fixes**
  * Fixed Apple MDM profile batch operations to handle declaration names case-insensitively. Updating a declaration with different name casing (e.g., mixed-case to lowercase) no longer creates duplicate profiles or triggers unnecessary operations.
* **Tests**
  * Added test coverage for case-insensitive Apple MDM declaration name handling across team and non-team configurations.

<!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
|
a0f60dc7f8
|
DDMV: fix unresolved Fleet variable in DDM profile behavior (#43556)
<!-- Add the related story/sub-task/bug number, like Resolves #123, or remove if NA --> **Related issue:** Resolves #43047 Follow-up to https://github.com/fleetdm/fleet/pull/43222 # Checklist for submitter - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements), JS inline code is prevented especially for url redirects, and untrusted data interpolated into shell scripts/commands is validated against shell metacharacters. ## Testing - [x] Added/updated automated tests - [x] QA'd all new/changed functionality manually See https://github.com/fleetdm/fleet/issues/42960#issuecomment-4246769629 <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Improved Apple MDM declaration handling: declarations with unresolved per-device variables are now attempted per host, marked failed when resolution fails, and omitted from device configuration/activation manifests. * Declarations that fail resolution still factor into declaration token computation to keep token behavior consistent. * **Tests** * Updated tests to reflect per-device resolution failures and adjusted validation flow. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |