- Simplify top section
- Added explanation on what enroll means for different platforms and how
to unenroll different platforms + callout that unenroll feature for
personal (BYOD) iOS/iPadOS and Android is coming soon.
- Fleet says "enroll secret"
- Move "Supported osquery version" to "Advanced"
- Add link to enroll hosts guide
- Document best practice migration
- Removed section about user sync from Microsoft to Google, and section
about Google Workspace authentication
Closes#32558
This PR adds Omnissa Horizon Client as a new maintained app for macOS.
The app is available through homebrew and is used for connecting to
virtual desktops and applications in enterprise environments, enabling
secure remote access for end users.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added support for the Omnissa Horizon Client application on macOS,
including installation and comprehensive uninstallation procedures.
* The application is now listed among maintained apps with relevant
metadata and management scripts.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Kenny Botelho <kbotelho@nvidia.com>
Co-authored-by: jkatz01 <yehonatankatz@gmail.com>
We got the following warning today:
<img width="1311" height="200" alt="Screenshot 2025-08-29 at 9 51 52 AM"
src="https://github.com/user-attachments/assets/a62ab52d-fe89-4b96-9082-f1a91d6e8b08"
/>
The process for updating the signature which happens every Tuesday
failed, and nobody realized it failed because we missed adding a Slack
notification to it.
For #30095.
#32482 is additional cleanup. Merging this to unblock orchestration
Linux setup experience work. Code has already been reviewed prior to
merging into the feature branch.
---------
Co-authored-by: Konstantin Sykulev <konst@sykulev.com>
Co-authored-by: Anthony Maxwell <133805840+Illbjorn@users.noreply.github.com>
Changes:
- Updated the configuration builder to include settings from the
restrictions payload for macOS and iOS, and settings related to
restrictions for Android.
# Overview
This PR addresses a missing product name bump when the parse reaches the
table-formatted section of HTML.
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
Signed-off-by: Illbjorn <am@hades.so>
Fixes#32061
- Depends on the backend changes in #32387 for full functionality
- Removed special case for primo mode
# Checklist for submitter
## Testing
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Team-level configuration now supports the “No Team” selection (team
0).
* Expanded availability of the “Other” option in the Automations
dropdown for non-maintainers.
* **Bug Fixes**
* Team 0 loads correctly in Policies management.
* Automations configuration correctly switches between global (All
Teams) and team contexts, including No Team.
* Post-update refresh behavior is consistent: global refresh for All
Teams, team refresh otherwise.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
- Added Jira and Zendesk integrations for "No team". (These are not
supported by GitOps for teams)
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
## New Fleet configuration settings
- [x] Setting(s) is/are explicitly excluded from GitOps
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- New Features
- Default (No Team) responses now include limited integrations (Jira,
Zendesk).
- You can configure or clear Jira/Zendesk integrations for the Default
(No Team) settings.
- Bug Fixes
- More consistent handling of the Default (No Team) when fetching team
details.
- Improved validation to prevent conflicting automation settings between
webhooks and integrations.
- Documentation
- Clarified that Jira/Zendesk integrations aren’t supported via GitOps
or at the team level (including No Team).
- Noted that certain options (e.g., Google Calendar, Conditional Access)
aren’t supported for the Default (No Team).
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
The existing query used a CROSS JOIN with USING(uid), which is not valid
SQL in Fleet/osquery/SQLite and prevented the query from being saved.
This change replaces the CROSS JOIN with a standard JOIN ... ON ...
clause. The explicit ON form was chosen for clarity:
- Makes the join condition (u.uid = vs.uid) explicit to readers
- Avoids the subtle column-merging behavior of USING
This preserves the intended behavior (joining users with their installed
VS Code extensions) while ensuring the query runs correctly in Fleet.
The existing query used a CROSS JOIN with USING(id), which is not valid
SQL in Fleet/SQLite and resulted in a syntax error when saving the
query.
This change replaces the CROSS JOIN with a standard JOIN ... ON ...
clause. The explicit ON form was chosen for clarity:
- Makes the join condition (c.id = p.id) obvious to readers
- Avoids the subtle column-merging behavior of USING
This preserves the intended behavior (joining containers with their
processes by ID) while ensuring the query can be saved and run correctly
in Fleet.
Fixes: #30403
Keys for deletedTitles map were generated differently, causing the same
software title to be marked removed even when a new version of the same
title was inserted.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
For unreleased bug fixes in a release candidate, one of:
fixes#32209
this is a fix for the host details and my device pages where the content
was overflowing past the edge of the screen on narrow widths
It required a small change to the grid columns to keep the content
within the grid.
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
Fixes#32504
Homebrew has removed the ability to install via a local .rb file. For
context see the PR here: https://github.com/Homebrew/brew/pull/20414 .
Also the long list of PRs and commits referencing can give you some idea
of how others are solving this
We have a few different options we can take.
We can use the usual homebrew method of doing an install
wine-stable@[version] but this does not support us installing a version
referenced by a commit SHA, rather we just get to choose a specific
semver.
We can set EVs normally intended for use only by homebrew developers.
The actual Homebrew developers have strongly cautioned against this as
it has more side effects than simply allowing local package installs.
Finally, we can take the method suggested by the Homebrew developers,
which I have done here, of creating a local tap containing our specified
Wine version's cask file and installing from it. This works well in
local testing and I think has the fewest downsides while maintaining the
reference to a specific immutable version.
# Checklist for submitter
## Testing
- [x] QA'd all new/changed functionality manually
Fixed CI run here:
https://github.com/fleetdm/fleet/actions/runs/17407514780/job/49415787748
Expanded group assignment for the conditional access policy. To help
admins understand that if they want to properly enforce access for
certain applications, they need to scope the broadest group possible for
their application. This will make sure that any devices not managed by
Fleet will be prompted to enroll in Fleet and be marked as compliant
before access is granted.
# Details
This PR updates the version in the chrome extension package.json to
1.3.3, updates the changelog with entries for the past two releases, and
updates to the beta-testing instructions in the README.
- Document order of what happens and when during new Mac setup
- Add anchor links to sections
---------
Co-authored-by: Mike Thomas <78363703+mike-j-thomas@users.noreply.github.com>
Related to https://github.com/fleetdm/confidential/issues/12052
Changes:
- updated the get-enriched helper to use the coresignal's new search API
endpoints
- Updated the `intercept()`s in the get-enriched helper to log warnings
if an error is returned by the coresignal API
For #28713
Refactored the PATH fleet/config end-point to use the primary DB node
for both persisting changes and fetching modified App Config to avoid
stale UI due to read replica delay.
Fixes#31580
Fixes issues
- When updating a script to exactly match the content of another script,
we fail
- When updating one script which happens to match content of another
script, both get updated and not just the one being edited
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Resolved error when updating a script to exactly match another
script’s contents.
* Improved handling of script content updates: identical contents are
deduplicated and unused versions are cleaned up.
* Scheduled/pending runs are canceled on content updates with clearer
cancellation messaging.
* **Documentation**
* Added changelog entry describing the fix.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## For #31226
New features:
- Dynamic header for each possible state of a batch script run: Started,
Scheduled, and Finished (corresponds to tabs at
`/controls/scripts/progress`
- Unique tabs for each possible status of hosts targeted by a batch
script run: Ran, Errored, Pending, Incompatible, Canceled.
- Within each tab, sortable, paginated host results with output preview
and execution time.
- View script/run details, cancel a batch, view manage hosts page
filtered for the script batch run and a status.
- Global script batch runs activities and and Scripts progress rows now
navigate to this details page.
Cleanups and improvements:
- Expand tab count badge options using “alert”/“pending” variants across
hosts, policies, and query results.
- Misc cleanups and improvements
- [x] Changes file added for user-visible changes in `changes/`,
- [x] Updated automated tests - new tests tracked for follow-up work
- [x] QA'd all new/changed functionality manually
---------
Co-authored-by: Jacob Shandling <jacob@fleetdm.com>
Fixes#32313
OpenTelemetry Tracing
- Added tracing to async task collectors: FlushHostsLastSeen,
collectHostsLastSeen, collectLabelQueryExecutions,
collectPolicyQueryExecutions, collectScheduledQueryStats
- Updated HTTP middleware to use OTEL semantic convention for span names
({method} {route})
- Added OTELEnabled() helper to FleetConfig
Optimizations
- Reduced OTEL batch size from 512 to 256 spans to prevent gRPC message
size errors
- Enabled gzip compression for trace exports
NOTE: I tried to improve OTEL instrumentation for cron jobs, but it got
too complicated due to goroutines in `schedule.go` so that effort should
be separate. We do have SQL instrumentation for cron jobs, but we are
missing root spans for cron jobs as a whole.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Expanded OpenTelemetry tracing for async tasks (host last seen, label
membership, policy membership, scheduled query stats) to provide richer
observability.
* More descriptive HTTP span names using “METHOD /route” for clearer
trace analysis.
* **Bug Fixes**
* Improved OTLP gRPC exporter reliability by enabling gzip compression
and reducing export batch size, mitigating intermittent gRPC errors.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
