#21998
While looking through this I noticed a few other issues:
1. We seem to be inconsistent about what time we pick for OS update
deadlines. For profiles [it's noon local
time](2e5bf75b6d/ee/server/service/mdm.go (L1096)),
while for Nudge [it appears to be 4am...server time or
UTC](2e5bf75b6d/server/fleet/nudge.go (L53-L57))?
#9013 also mentions "noon UTC-8/Pacific Standard Time", which is neither
of the above (and means that, if implemented as spec'd, the deadline
would shift by an hour during DST), while docs prior to this PR
mentioned 4am UTC-8. Maybe we don't care enough to fix the Nudge
behavior since macOS 14 (which no longer requires Nudge) came out over a
year ago, but we should at least agree on desired behavior for DDM and
document that (which is what I've done for iOS/iPad OS since they don't
use Nudge).
2. The [REST API
docs](2e5bf75b6d/docs/REST%20API/rest-api.md (L1720-L1757))
don't seem to match the description of macOS behavior in the article;
the former indicates that OS updates pop up with increasing frequency
post-deadline, rather than having an impassible dialog. This may be
because behavior changed from Nudge to DDM, but iOS/iPadOS got
copy-pasted from the macOS REST docs and they never used Nudge. My guess
is that we should describe DDM behavior here.
Tagging in @mna as he looks to have implemented DDM OS updates so should
have some context here, and @noahtalerman to confirm desired behavior,
particularly on the deadline side.
---------
Co-authored-by: Rachael Shaw <r@rachael.wtf>
Closes https://github.com/fleetdm/fleet/issues/22951
- Updated the guides listed on
https://fleetdm.com/docs/get-started/tutorials-and-guides to only
include the most essential onboarding guides. Guides are listed in the
following order:
- Deploying Fleet
- Organizational units
- Controls
- Installing software
- Admin
- Added archive notices to the three "How to install osquery..."
articles
- Added "Further reading" links to the bottom of the Queries guide and
Policies guide to point to related advanced topics
- Renamed "Managing labels in Fleet" to "Labels" for parallelism with
our other guides (left the URL as is, no redirect necessary)
- Renamed "What are Fleet policies" to "Policies" for parallelism with
our other guides (left the URL as is, no redirect necessary)
- Add learn more link to pricing page to point to deploy software guide
[here](https://fleetdm.com/guides/deploy-software-packages)
- Update deploy software guide to link to the guides for other software
types (Fleet-maintained and App Store apps) and automatic install guide
- This way, when a user lands on deploy software, they can quickly find
guides for all other guides
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.
- [ ] Added/updated tests
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
- [ ] If database migrations are included, checked table schema to
confirm autoupdate
- For database migrations:
- [ ] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [ ] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [ ] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
- [ ] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [ ] Orbit runs on macOS, Linux and Windows. Check if the orbit
feature/bugfix should only apply to one platform (`runtime.GOOS`).
- [ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
- Update guides to reflect use case: automatically run scripts and
install software
- @noahtalerman: I removed top image from "Automatically run scripts"
b/c I think it looked rushed/unexpected
- Update "execute" language to "run" and add "manual" language
- Clarify when a policy's host counts are reset
- Clarify support for policy automations: team v. default (global) v. no
team
- Update `software.packages` example to best practice: separate file
- Inline is supported for backwards compatibility
- Remove `policies` and `controls` call outs about "No team." This info
is covered in the starter filed in fleetdm/gitops. For an example, see
`teams/no-teams.yml` here:
https://github.com/fleetdm/fleet-gitops/blob/main/teams/no-team.yml
> No issue, but realized guide had some mistakes
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Manual QA for all new/changed functionality
> Related issue: #23161
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Manual QA for all new/changed functionality
---------
Co-authored-by: Rachael Shaw <r@rachael.wtf>
During the CS+QA offsite we review this guide.
- Update title to clarify that this is about macOS MDM migration
- Add "domain (DNS)" to make the topic approachable for non-technical
readers
---------
Co-authored-by: Rachael Shaw <r@rachael.wtf>
Changed instances of Azure AD to Microsoft Entra ID. Did not change URLs
because they still seem to work to connect to the service. @noahtalerman
has already verbally ok'd this change.
Adjusted prerequisites, moved sections, etc.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.
- [ ] Added/updated tests
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
- [ ] If database migrations are included, checked table schema to
confirm autoupdate
- For database migrations:
- [ ] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [ ] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [ ] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
- [ ] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [ ] Orbit runs on macOS, Linux and Windows. Check if the orbit
feature/bugfix should only apply to one platform (`runtime.GOOS`).
- [ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
Change “Press the top right “Add policy” button.” to “Press the “Add
policy” button”
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.
- [ ] Added/updated tests
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
- [ ] If database migrations are included, checked table schema to
confirm autoupdate
- For database migrations:
- [ ] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [ ] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [ ] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
- [ ] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [ ] Orbit runs on macOS, Linux and Windows. Check if the orbit
feature/bugfix should only apply to one platform (`runtime.GOOS`).
- [ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
Document interim best practice for modifying OS settings. Later Fleet
might add an "Edit" button in the UI so the IT admin doesn't have to add
a new profile and then remove the old.
#21447
Validated based on looking through code. If I need to try running
fleetctl with a bare OS to confirm these are all the packages we need in
each case let me know.
---------
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.
- [ ] Added/updated tests
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
- [ ] If database migrations are included, checked table schema to
confirm autoupdate
- For database migrations:
- [ ] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [ ] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [ ] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
- [ ] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [ ] Orbit runs on macOS, Linux and Windows. Check if the orbit
feature/bugfix should only apply to one platform (`runtime.GOOS`).
- [ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
Updated the "How to uninstall osquery" document to no longer reference
older osquery references and file paths that no longer exist.
---------
Co-authored-by: JD <spokanemac@users.noreply.github.com>
Co-authored-by: Eric <eashaw@sailsjs.com>
