- @noahtalerman: We decided to stop calling the settings experimental
and just warn in the docs what happens if you turn it on. That way we’re
not calling them “experimental” which feels unsafe. They're not
experimental; they're just deliberately allowing custom profiles.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves #
This PR adds the ability to skip any Fleet logic that validates on
whether or not an MDM Declaration is usable with Fleet by setting a
configuration of `FLEET_MDM_SKIP_DECLARATION_VALIDATION` to `True`. We
would like to leverage declarations such as [config
files](https://developer.apple.com/documentation/devicemanagement/servicesconfigurationfiles)
as well as other none configuration declarations that are
[restricted](https://github.com/fleetdm/fleet/blob/main/server/fleet/apple_mdm.go#L736-L738)
like
[Activations](https://developer.apple.com/documentation/devicemanagement/activationsimple),
and any declaration that requires
[AssetData](https://developer.apple.com/documentation/devicemanagement/assetdata).
We understand that these are not usable by most Fleet customers,
especially those that use Fleets cloud hosting option.
Since we run Fleet on our own infrastructure we are able to leverage our
proxy to support all additional data components needed for declarations
above.
## Testing
I've built and run Fleet locally and validated that with the
`FLEET_MDM_SKIP_DECLARATION_VALIDATION` I am able to add any
declarations I please. Without the config I am unable to add the
requested declaration types above.
- [X] Added/updated automated tests
- [X] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added experimental `mdm.allow_all_declarations` configuration option
to permit all Apple MDM declaration types when enabled, overriding
default validation checks.
* **Documentation**
* Updated configuration documentation with details for the new
experimental MDM option, including defaults, environment variables, YAML
format, and safety considerations.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com>
Co-authored-by: Magnus Jensen <magnus@fleetdm.com>
This PR will remain in draft as a preview of upcoming documentation
changes for 4.77.0
---------
Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com>
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Co-authored-by: Victor Lyuboslavsky <2685025+getvictor@users.noreply.github.com>
Co-authored-by: Ian Littman <iansltx@gmail.com>
Co-authored-by: Noah Talerman <noahtal@umich.edu>
Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com>
Co-authored-by: Magnus Jensen <magnus@fleetdm.com>
Co-authored-by: Jordan Montgomery <elijah.jordan.montgomery@gmail.com>
Co-authored-by: Janis Watts <184028114+jmwatts@users.noreply.github.com>
Co-authored-by: Allen Houchins <32207388+allenhouchins@users.noreply.github.com>
Co-authored-by: Gabriel Hernandez <ghernandez345@gmail.com>
Co-authored-by: Mike Thomas <78363703+mike-j-thomas@users.noreply.github.com>
Co-authored-by: Scott Gress <scottmgress@gmail.com>
Co-authored-by: Carlo <1778532+cdcme@users.noreply.github.com>
Also adds some more rate limiter tests to make sure separate rate limit
buckets interact as expected.
Fixes#29614.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- For new Fleet configuration settings
- [x] Verified that the setting can be managed via GitOps, or confirmed
that the setting is explicitly being excluded from GitOps. (excluded;
env var or YAML)
- [x] Added/updated automated tests
- [ ] Manual QA for all new/changed functionality
---------
Co-authored-by: George Karr <georgekarrv@users.noreply.github.com>
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
