Fresh PR to avoid product design PRs messing with the PR open time KPI
(original here: https://github.com/fleetdm/fleet/pull/17369)
---------
Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com>
Fresh PR to avoid product design PRs messing with the PR open time KPI
(previously https://github.com/fleetdm/fleet/pull/17711)
---------
Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com>
Co-authored-by: George Karr <georgekarrv@users.noreply.github.com>
Fresh PR to avoid product design PRs messing with the PR open time KPI
(previously https://github.com/fleetdm/fleet/pull/17841)
Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com>
Fresh PR to avoid product design PRs messing with the PR open time KPI
(previously https://github.com/fleetdm/fleet/pull/17670)
---------
Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com>
Fresh PR to avoid product design PRs messing with the PR open time KPI
(original: https://github.com/fleetdm/fleet/pull/16982)
---------
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
File carves were moved to their own section in contributor docs
https://github.com/fleetdm/fleet/pull/16877
Fixed link on API page
---------
Co-authored-by: Rachael Shaw <r@rachael.wtf>
#16767
To create a manual label:
```sh
cat labels.yml
---
apiVersion: v1
kind: label
spec:
  name: Manually Managed Example
  label_membership_type: manual
  hosts:
    - lucass-macbook-pro.local
```
To add/delete a manual label to/from a host:
```sh
curl -k -v -X POST -H "Authorization: Bearer $TEST_TOKEN" https://localhost:8080/api/latest/fleet/hosts/1/labels -d '{"labels": ["Manually Managed Example"]}'
curl -k -v -X DELETE -H "Authorization: Bearer $TEST_TOKEN" https://localhost:8080/api/latest/fleet/hosts/1/labels -d '{"labels": ["Manually Managed Example"]}'
```
API draft changes: https://github.com/fleetdm/fleet/pull/16979/files
Figma with error strings:
https://www.figma.com/file/JiWoAiuHlkt76s3o3Uyz6h/%2316767-API-endpoint-for-updating-a-host's-manual-labels?type=design&node-id=2-130&mode=design&t=pxRPhrn6E1bOCrEd-0
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [X] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
~- [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.~
- [X] Added/updated tests
- ~[ ] If database migrations are included, checked table schema to
confirm autoupdate~
- ~For database migrations:~
- ~[ ] Checked schema for all modified tables for columns that will
auto-update timestamps during migration.~
- ~[ ] Confirmed that updating the timestamps is acceptable, and will
not cause unwanted side effects.~
- ~[ ] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).~
- [x] Manual QA for all new/changed functionality
- ~For Orbit and Fleet Desktop changes:~
- ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.~
- ~[ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
Docs improvements uncovered during
[dogfooding](https://github.com/fleetdm/confidential/issues/2506):
- Update end user auth docs to link to SSO docs. So the user knows what
do to get the necessary info from their IdP (create an Okta/GW app)
- Cut content from SSO docs and move Okta and Google Workspace to top
level headers
- "IDP" => "IdP"
- Use **bold** styling to indicate UI elements in docs (instead of
_italics_)
---------
Co-authored-by: Rachael Shaw <r@rachael.wtf>
Adds `webhook_settings.host_status_webhook` options to team config for
#14916.
Also updated conceptual docs that reference this config (and cut down
some content to make room).
The Wine developer does have an Apple Developer certificate but the
"Wine Stable" app bundle is not code-signed or notarized post-install &
disables Gatekeeper for the install. This adds a warning to the script
user about the app not being signed.
---------
Co-authored-by: Victor Lyuboslavsky <victor.lyuboslavsky@gmail.com>
#17827
Updated 1Password policy to only search one level deep for performance
reasons.
---------
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
For better readability: add periods as separation between the Fleet
Premium message and parameter descriptions.
✅ _Available in Fleet Premium_. Description text.
❌ _Available in Fleet Premium_ Description text.
- Updated `GET /api/v1/fleet/scripts`: documented `team_id` parameter
that was missing
- Replaced "Upload" with "Add" since that's the language we want to use
across the product and docs.
- Removed articles from headings
---------
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Co-authored-by: Rachael Shaw <r@rachael.wtf>
These instructions were inaccurate: following these steps, only `Fleet
Osquery` was installed, not `orbit`.
---------
Co-authored-by: Rachael Shaw <r@rachael.wtf>
Closes: #17582
Changes:
- Updated the `build-static-content` script to not generate HTML pages
for files in subfolders that are prefixed with an underscore
- Renamed the `docs/Deploy/kubernetes` folder »
`docs/Deploy/_kubernetes`
- Documented this new behavior on the communications page of the
handbook.
- Updated commands on the Deploy Fleet on Kubernetes page.
---------
Co-authored-by: Mike McNeil <mikermcneil@users.noreply.github.com>
Typo: "removing" /past from host's activities API
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [ ] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [ ] Documented any permissions changes (docs/Using
Fleet/manage-access.md)
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.
- [ ] Added/updated tests
- [ ] If database migrations are included, checked table schema to
confirm autoupdate
- For database migrations:
- [ ] Checked schema for all modified tables for columns that will
auto-update timestamps during migration.
- [ ] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [ ] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
---------
Co-authored-by: Rachael Shaw <r@rachael.wtf>
#15565
Replace the use of the isFederated registry key with keys that check
for AAD (Azure Active Directory, now Entra ID).
Federated enrollment (`isFederated`) seems to be when Windows uses a
Discovery MDM endpoint to get its policy and management endpoint
configuration. This is always the case when a client is enrolled with
fleet, so installations always show up as automatic.
It's being replaced by a different key, `AADResourceID`, which appears
to identify the resource that controls the automated deployment. In my
tests it only appears to be populated when the computer is enrolled
through automated deployments. This key appears on both Windows 10 and
11.
There is a similar key, `AADTenantID`, which appears to identify the
client (tenant) to the Azure cloud. I haven't seen this ID in our
systems, so it is likely exclusively used in Azure. Both this key and
`AADResourceID` seem to always be set at the same time, so we only
check for the `AADResourceID`.
I've also added documentation on the registry keys I've analyzed for future reference.
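An added defender-side check, not part of the PR above, that lists each MDM enrollment on a Windows host and reports the `isFederated` and `AADResourceID` values the PR discusses. It assumes enrollments are stored under `HKLM:\SOFTWARE\Microsoft\Enrollments\<GUID>`; that path is not stated in the PR text.

```powershell
# Added example (not from the Fleet PR above): summarize how each Windows MDM
# enrollment on this host was performed, using the registry keys the PR discusses.
# Assumption: enrollments live under HKLM:\SOFTWARE\Microsoft\Enrollments\<GUID>
# (this path is not stated in the PR text; adjust $EnrollmentsRoot if it differs).
function Get-MdmEnrollmentSummary {
    [CmdletBinding()]
    param(
        [string]$EnrollmentsRoot = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    )

    Get-ChildItem -Path $EnrollmentsRoot -ErrorAction Stop |
        ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath

            # isFederated is set whenever enrollment went through a Discovery
            # endpoint, so it is true for every Fleet-enrolled host and cannot
            # tell a manual enrollment apart from an automated one.
            $federated = ($props.PSObject.Properties.Name -contains 'isFederated') -and
                         ($props.isFederated -eq 1)

            # Per the PR, AADResourceID is only populated when the device was
            # enrolled through an automated deployment, so its presence is the
            # signal to use instead of isFederated.
            $aadResource = $props.AADResourceID
            $automated   = -not [string]::IsNullOrEmpty($aadResource)

            [PSCustomObject]@{
                EnrollmentId  = $_.PSChildName
                IsFederated   = $federated
                AADResourceID = $aadResource
                AADTenantID   = $props.AADTenantID
                Automated     = $automated
            }
        }
}

# Run from an elevated prompt; enrollments without AADResourceID are manual.
Get-MdmEnrollmentSummary | Format-Table -AutoSize
```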
This PR addresses an issue in the documentation for installing the MySQL
chart using Helm. Previously, the documentation provided a Helm install
command that incorrectly referenced mysqlUser and mysqlDatabase.
However, these keys don't exist in the chart's values.yaml file anymore.
Removed reference to **Scripts** tab and added instructions for
accessing the **Run Script** modal from the host detail page.
# Checklist for submitter
Docs-only change
---------
Co-authored-by: Brock Walters <153771548+nonpunctual@users.noreply.github.com>
Co-authored-by: Rachael Shaw <r@rachael.wtf>
```mermaid
sequenceDiagram
participant windows as Windows
participant orbit as Orbit
participant server as fleet server
loop every 30 seconds
orbit->>+server: POST /api/fleet/orbit/config
server-->>-orbit: pending notifications
end
note over orbit: receive enrollment notification
orbit->>windows: mdmregistration.dll<br/>RegisterDeviceWithManagement
windows->>+server: POST /api/mdm/microsoft/discovery
server-->>-windows: EnrollmentServiceURL, EnrollmentPolicyServiceUrl
windows->>+server: POST /api/mdm/microsoft/policy<br/>DeviceEnrollmentUserToken
server-->>-windows: Policy Schema, Certificate requirements
activate windows
note left of windows: Generate keypair
deactivate windows
windows->>+server: POST /api/mdm/microsoft/enroll<br/>Self-signed CSR & cert values
note right of server: Creates certificate signed by WSTEP ident key
server-->>-windows: Signed certificate, management endpoint, enrollment parameters
loop SYNCML MDM Protocol (mTLS)
windows->>+server: POST /api/mdm/microsoft/management
server-->>-windows: Response
end
```
REST API changes for #15919
---------
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Co-authored-by: Tim Lee <timlee@fleetdm.com>
The _"Fleet's best practice `fleet-deployment.yml` file"_ link on the
["Deploy Fleet on Kubernetes" docs
page](https://fleetdm.com/docs/deploy/deploy-fleet-on-kubernetes)
doesn't actually target the YAML file it purports to and, instead, it
just points to the Markdown version of the "Deploy Fleet on Kubernetes"
docs on GitHub.
This PR changes the target URL so that link actually goes to the place
where one would expect it to (the YAML file).
Closes: #16797
Changes:
- Updated `build-static-content` to throw an error if an extensionless
Markdown link containing a hash link is found.
- Fixed two broken relative links in the contributing documentation
Python >= 3.12 no longer ships with the `distutils` module out of the
box. It can be installed using `pip install setuptools`.
This may be fixed when updating node packages that rely on python, but
until then it may come up during `make deps`.
Reference: https://stackoverflow.com/a/76691103
Moving mdm_profiles to it-and-security/lib/mdm_profiles so that they are
together with other gitops config files.
---------
Co-authored-by: Noah Talerman <noahtal@umich.edu>
+ Changed a bunch of instances of "member" to "user" to match the
updated UI (https://github.com/fleetdm/fleet/issues/15893)
+ Cut some step-by-step instructions for using the team UI from the
"Segment hosts" docs
+ Add some missing "_Available in Fleet Premium_." flags to `team_id`
parameter descriptions for API endpoints available in Fleet Free.
+ Remove one duplicate instance of `team_id`
- Remove example YAML file from docs to deduplicate
- Update "Prepare a new version of Fleet" handbook instructions to point
to the best practice YAML
- Add README to point to docs
- Move tools for deploying Fleet on Kubernetes to `Deploy/` folder.
- Add @dherder as CODEOWNER so that Dave gets pinged every time a
contributor wants to make a change to the Kubernetes
---------
Co-authored-by: Dave Herder <27025660+dherder@users.noreply.github.com>
Co-authored-by: Luke Heath <luke@fleetdm.com>
updated URL for orbit docs. The previous location forwarded to
https://fleetdm.com/docs/using-fleet/enroll-hosts and did not give info
about Orbit.
---------
Co-authored-by: Rachael Shaw <r@rachael.wtf>
Removing entry. 1) failed to build again. Now that this is "device
health" this query probably doesn't really fit with the rest of the list
anyway. Sorry for all the approvals...
---------
Co-authored-by: Rachael Shaw <r@rachael.wtf>
When attempting to follow the kubernetes install directions I
encountered a few issues.
1. The image version was no longer hosted on dockerhub. And new versions
now are tagged with a "v" prefix.
2. The webserver was not able to bind to port 443 on a managed version
of k8s.
3. The dns name(s) for the latest redis helm chart have changed. They
are now `{release}-master` for read-write and `{release}-replica` for
read only nodes.
4. The deployment API is out of date.
This PR fixes those issues.
- Cut down on user facing doc content so first time Fleet users can find
the right information. This could be moved into an "Advanced" section in
the future.
Docs for the "Windows OS updates" (#11951) user story
- Update "macOS updates" doc page to cross-platform "OS updates" page
- Update pricing page
- Update copy in the UI to clarify behavior of Windows updates
---------
Co-authored-by: Eric <eashaw@sailsjs.com>
Co-authored-by: Rachael Shaw <r@rachael.wtf>
Part of #9949
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Documented any permissions changes (docs/Using
Fleet/manage-access.md)
Changes:
- Updated two (broken) relative links on the "macOS updates"
documentation page to point to the documentation page on fleetdm.com
- Added a redirect to fix broken links to the product design handbook
page (/handbook/product » /handbook/product-design)
Addresses the following subtask: #16073
Fleet is investing in more automated testing for MDM features.
Update the table to reflect the versions that Fleet is running tests
against:
- macOS 13 and 14
- Windows 10 and 11
- Ubuntu Linux 20+
To support `fleetctl gitops`, gitops role can now read policies/queries
and write scripts.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Documented any permissions changes (docs/Using
Fleet/manage-access.md)
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality
Closes: #16451
Changes:
- Updated the "spin up for yourself" link in the FAQ to go to the
deploying docs.
- Updated the custom idp integration card link to go to the IDP
configuration section of the SSO docs page.
- Update "Custom macOS settings" page to cross-platform "Custom OS
settings" page
- Match format w/ "Disk encryption" and "OS updates" pages
- Cut content and make the docs more of reference
- Link to best practice GitOps
- Update pricing page
- Add redirects
It is very easy for data collection like this to veer into double /
triple negative multiverse of madness stuff...
That said, I may have a lack of understanding about how the product
works, i.e., that a query literally must return a 0 value & not null in
order to "pass" in a policy. If so, then this works as expected.
However, if a query just needs to return empty (null) & 0 is implied in
the logic that sets a policy flag to green or red, then, as a rule,
queries like this should always be simplified & should default to
using "positive" as opposed to "negative" logic, i.e., check if
something exists, never check if a thing does NOT exist.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] Added/updated tests: Tested by adding dummy Emergency Kit.pdf
files to Desktop & Downloads, running query, then, removing files &
running query.
API changes for the "Upcoming activities: Run scripts on online/offline
hosts" (#15529) story
Changes:
- Script endpoints are available in Fleet Free and Fleet Premium
- Update `POST /scripts/run` to add a script to the bottom of the
upcoming activities
- Update `POST /scripts/run/sync`
- Add `GET /hosts/:id/activities` to show past activity feed
- Add `GET /hosts/:id/activities/upcoming` to show upcoming activity
feed
- Move docs for `GET /hosts/:id/scripts` to a new "Get host's scripts
section" under "Hosts"
API changes for the following story:
- #14674
- Both `GET /software` and [`GET
/software/versions`](https://github.com/fleetdm/fleet/pull/14831/files#diff-7246bc304b15c8865ed8eaa205e9c244d0a0314e4bae60cf553dc06147c38b64R7035)
will work the same. We're just documenting `GET /software/versions`
- Both `GET /software/{id}` and `GET /software/versions/{id}` will work
the same. We're just documenting `GET /software/versions/{id}`
- `count` added in both `GET /software/versions` and `GET
/software/titles`. `GET / software/count` still available (but removed
from docs).
---------
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Co-authored-by: Sarah Gillespie <73313222+gillespi314@users.noreply.github.com>
Co-authored-by: Rachael Shaw <r@rachael.wtf>
API changes for the Windows configuration profiles story:
- #13281
It's **ready for review**, but marked as a draft because of KPI (PR open
time)
- DONE: Remove activity types changes before merging (those will be
automatically generated)
#### `profile_id` and `profile_uuid` changes specified in following
ticket:
- #15274
---------
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Co-authored-by: Rachael Shaw <r@rachael.wtf>
- Pull info about duration-based settings to the top to make it clear.
For this bug: #15926
- Add info about self-managed v. managed-cloud customers
- Cut content
Closes: https://github.com/fleetdm/confidential/issues/4665
Changes:
- Added a new documentation page that provides instructions for
downgrading from Fleet premium. The content for this section was pulled
from a [commented-out FAQ
question](1d2f5ae42a/docs/Get%20started/FAQ.md (L363-L394)).
---------
Co-authored-by: Mike Thomas <78363703+mike-j-thomas@users.noreply.github.com>
Co-authored-by: Rachael Shaw <r@rachael.wtf>
> Relevant issue: #15625
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality
> Relevant issue: #14500
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
previous: ...one ticket is created per CVE regardless of the number of
hosts on which such CVE is detected.
Hope that meaning is the same? If so, what is there is a little clunky.
Not meaning to be pedantic just trying to make the flow a bit more
natural. :)
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [ ] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [ ] Documented any permissions changes (docs/Using
Fleet/manage-access.md)
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.
- [ ] Added/updated tests
- [ ] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
#14879
- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [x] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [x] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
📺 Loom:
https://www.loom.com/share/9e17848963574af3aa10d426b450bcd0?sid=f8078293-c7e1-4864-a8a3-4cec996971f5
#15476
#15540
#15542
After upgrading fleetd, customer-blanco saw a spike in traffic and a
spike in DB connections. These fixes attempt to reduce the traffic and
DB load when fleetd is upgraded.
On the server, added fleet/device/{token}/ping endpoint to be used by
agents to check their token.
On the agent:
- Removed call to fleet/orbit/device_token unless token needs to be
updated.
- Changed call to fleet/device/{token}/desktop with a less resource
intensive call to fleet/device/{token}/ping
- Removed call to fleet/orbit/ping
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [x] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [x] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
- Associated w/ this story: #15600
- Update docs now that disk encryption enforcement is cross platform
(Windows story here: #12577)
- Remove section about resetting a password w/ disk encryption key to
reduce doc content. Remove this link from the UI
Makes parameter formatting in documented REST API paths consistent.
Previously, we were using a mix of `/foo/:parameter/bar` and
`/foo/{parameter}/bar`. This updates all URLs to use `:` instead of
`{…}`.
Also, opportunistically fixed some other inconsistent formatting I
noticed in a couple places.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [ ] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [ ] Documented any permissions changes (docs/Using
Fleet/manage-access.md)
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.
- [ ] Added/updated tests
- [ ] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
- Simplify usage instructions to make it more like a reference
- Move "Run script asynchronously" to contributor docs so that user
facing API docs have one best practice API endpoint for scripts. Call
synchronous endpoint "Run script"