Discussed at
https://macadmins.slack.com/archives/C0214NELAE7/p1769719765777279
- The endpoints for marking a device as unmanaged and sending an
unmanage command were deprecated and no longer work. The endpoint for
looking up a device by serial number was also deprecated, so I've
proactively updated it.
- The whole story is now refactored and simplified.
- Also fixed a link in the `tines` README.
Resolves#35366
The false negative was caused by a mismatch in product name translation
for `acrobat_reader_dc`. The resolution required platform-specific logic
to accurately identify the "Document Cloud" (DC) variants.
This pull request updates the Okta Verify on Windows SCEP configuration
documentation and profile to simplify deployment with Fleet and reduce
manual steps. The changes make the process more reliable by
standardizing variable usage, improving instructions, and automating
certificate enrollment.
**Key improvements and changes:**
**Documentation and workflow simplification:**
- The guide in
`articles/enable-okta-verify-on-windows-using-a-scep-configuration-profile.md`
was rewritten for clarity and to reflect the new automated approach.
Manual editing of XML and scripts is no longer needed; Fleet-managed
variables and secrets now handle all required values. Steps for
gathering prerequisites, deploying, verifying, and renewing certificates
are streamlined, and troubleshooting guidance is expanded.
- The subject name in the certificate is now set to use the hardware
serial (`$FLEET_VAR_HOST_HARDWARE_SERIAL`) instead of the host UUID,
improving uniqueness and traceability.
([docs/solutions/windows/configuration-profiles/install Okta attestation
certificate -
[Bundle].xmlL77-R89](diffhunk://#diff-d8fc2c8add5725599bdc41a7b417dc3978cfc34eb6fcb8950db513f2b5799aa5L77-R89))
**Secret management and security:**
- The configuration profile now references Fleet secrets
(`$FLEET_SECRET_OKTA_SCEP_URL`, `$FLEET_SECRET_OKTA_SCEP_CHALLENGE`,
`$FLEET_SECRET_OKTA_CA_THUMBPRINT`) directly, removing the need for
manual substitution and reducing risk of misconfiguration.
([docs/solutions/windows/configuration-profiles/install Okta attestation
certificate -
[Bundle].xmlL98-R141](diffhunk://#diff-d8fc2c8add5725599bdc41a7b417dc3978cfc34eb6fcb8950db513f2b5799aa5L98-R141))
**Automated certificate enrollment:**
- An `<Exec>` command is added to the XML profile to automatically
trigger SCEP enrollment upon deployment, further reducing manual
intervention. ([docs/solutions/windows/configuration-profiles/install
Okta attestation certificate -
[Bundle].xmlL98-R141](diffhunk://#diff-d8fc2c8add5725599bdc41a7b417dc3978cfc34eb6fcb8950db513f2b5799aa5L98-R141))
These changes make the Okta Verify SCEP configuration for Windows much
easier to deploy and maintain, with improved automation and clearer
instructions.
---------
Co-authored-by: Brock Walters <153771548+nonpunctual@users.noreply.github.com>
This PR will remain in draft as a preview of upcoming documentation
changes for 4.80.0
---------
Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com>
Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com>
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Co-authored-by: Magnus Jensen <magnus@fleetdm.com>
Co-authored-by: Jordan Montgomery <elijah.jordan.montgomery@gmail.com>
Co-authored-by: Scott Gress <scottmgress@gmail.com>
Co-authored-by: Mike Thomas <78363703+mike-j-thomas@users.noreply.github.com>
Co-authored-by: Nico <32375741+nulmete@users.noreply.github.com>
Co-authored-by: Luke Heath <luke@fleetdm.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#38223
Retrospective action item from a prior sprint. Do we want to link this
somewhere like the bug template or is it enough to share it with our
customer-facing employees?
---------
Co-authored-by: Magnus Jensen <magnus@fleetdm.com>
A customer just commented that it would be more relevant if this note
block for the Entity ID was above the screenshot, since it goes with the
preceding paragraph.
---------
Co-authored-by: Rachael Shaw <r@rachael.wtf>
- During Product office hours on 2025-12-23, we learned that no one on
the call knew what the current request body format was for API endpoints
that take `multipart/form-data`
- We think the updated format is more friendly for humans who are using
curl/Postman
- We later learned that this the current format is the raw request
(formatted by a browser or curl command)
- Also update "form" to "body" in the "Parameters" table. We learned
that the form data is actually part the body. Postman's UI shows this.
Rephrase instructions for creating API-only users for clarity.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#35696
---------
Co-authored-by: Rachael Shaw <r@rachael.wtf>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#37264
Adds a fleet maintained app example with the new `slug` field in the
response for `/software/batch/:request_uuid` from #38497
See the PR above for an explanation on why this was added.
---------
Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com>
This PR will remain in draft as a preview of upcoming documentation
changes for 4.79.0
---------
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com>
Co-authored-by: Magnus Jensen <magnus@fleetdm.com>
Co-authored-by: Ian Littman <iansltx@gmail.com>
Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com>
Co-authored-by: melpike <79950145+melpike@users.noreply.github.com>
Co-authored-by: Steven Palmesano <3100993+spalmesano0@users.noreply.github.com>
Co-authored-by: Carlo <1778532+cdcme@users.noreply.github.com>
- Document which keys are supported on which platforms.
- Separate feature request to come up with a cross-platform name for
`macos_setup` is here: https://github.com/fleetdm/fleet/issues/33059
