## Summary
- Remove incorrect `color: $ui-fleet-black-75` override on `h2` elements
in the Windows automatic enrollment page
(`/settings/integrations/automatic-enrollment/windows`)
- Section headings ("MDM URLs", "Entra tenants") now inherit the global
heading color (`$core-fleet-black` / `#192147`) instead of the muted
body text color (`$ui-fleet-black-75` / `#515774`)
- This aligns the Windows page with the `SectionHeader` component
pattern and all other MDM settings pages in the Fleet UI
## Details
The `_styles.scss` for the Windows automatic enrollment page had an
explicit `color: $ui-fleet-black-75` on `h2` elements, which overrode
the global heading color set in `_global.scss` (`h1, h2, h3 { color:
$core-fleet-black; }`). This made the section headings appear in the
subdued gray color meant for body text rather than the darker color used
for all other headings across the settings UI.
### Changes
-
`frontend/pages/admin/IntegrationsPage/cards/MdmSettings/WindowsAutomaticEnrollmentPage/_styles.scss`:
Removed `color: $ui-fleet-black-75` from `h2` rule
Built for
[Mel](https://fleetdm.slack.com/archives/D0AKX7DJFCN/p1773759260523069)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
## Summary
- Adds a **macOS battery health check** policy that verifies the battery
health is "Good" and condition is "Normal" using the osquery `battery`
table's macOS-specific `health` and `condition` columns.
- Adds a **Windows battery health check** policy that verifies the
battery's full charge capacity remains above 80% of its designed
capacity using the osquery `battery` table's `max_capacity` and
`designed_capacity` columns.
- References both new policies in the **Workstations** team config
(`it-and-security/fleets/workstations.yml`).
- **Desktop computers (no battery) automatically pass** both policies.
The queries use a `NOT EXISTS` pattern so that devices returning zero
rows from the `battery` table are not treated as failures.
## Changes
| File | Description |
|------|-------------|
| `it-and-security/lib/macos/policies/battery-health-check.yml` | New
macOS battery health policy |
| `it-and-security/lib/windows/policies/battery-health-check.yml` | New
Windows battery health policy |
| `it-and-security/fleets/workstations.yml` | Added policy references
for both platforms |
## Testing
- Policy queries validated against the [osquery `battery` table
schema](https://github.com/fleetdm/fleet/blob/main/schema/tables/battery.yml).
- macOS query: `SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM battery WHERE
health != 'Good' OR condition != 'Normal');`
- Windows query: `SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM battery WHERE
designed_capacity > 0 AND CAST(max_capacity AS REAL) / designed_capacity
<= 0.80);`
### Expected behavior
| Scenario | Result |
|----------|--------|
| Laptop with healthy battery | PASS |
| Laptop with unhealthy battery | FAIL |
| Desktop (no battery / zero rows) | PASS |
---
Built for [Allen
Houchins](https://fleetdm.slack.com/archives/D0AFASNBZMW/p1774454193574469?thread_ts=1774453340.076579&cid=D0AFASNBZMW)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
---------
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
## Summary
- Adds the new "Closed Lost opportunity ownership transitional policy"
to the sales playbook under Rules of engagement, alongside existing
policies.
- This policy allows AEs to retain ownership of up to 5 Closed Lost
opportunities (at PoV stage or later) for 120 days from the later of
Closed Lost date or territory assignment date, given the shift to a
territory-based model.
Built for [Chaz
MacLaughlin](https://fleetdm.slack.com/archives/D0AHH0ZEMLY/p1774454144158589)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#41345
Updates the README.md generated from `fleetctl new` to include
instructions on how to deploy to GitHub / Gitlab.
---------
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
## Summary
- Enables `calendar_events_enabled: true` for the **Windows - 1Password
up to date** and **Windows - Firefox up to date** policies on the
Workstations team.
- Updates the `description` and `resolution` text to match the pattern
already used by the macOS counterparts, referencing the scheduled
maintenance window and calendar.
This mirrors the calendar integration that was previously enabled for
the macOS 1Password and Firefox update policies.
---
Built for [Allen
Houchins](https://fleetdm.slack.com/archives/D0AFASNBZMW/p1774451322610839)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
## Summary
- Adds `setup_experience: true` to the `claude/darwin` Fleet-maintained
app entry in the Workstations team, so Claude is automatically installed
during the macOS setup experience for new device enrollments.
- Adds `setup_experience: true` to the `claude/windows` Fleet-maintained
app entry in the Workstations team, so Claude is automatically installed
during the Windows setup experience for new device enrollments.
## Changes
Only `it-and-security/fleets/workstations.yml` is modified. Two lines
added — one `setup_experience: true` for each platform's Claude entry
under `fleet_maintained_apps`.
Built for [Allen
Houchins](https://fleetdm.slack.com/archives/D0AFASNBZMW/p1774450304000589)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#41815
### Changes
- Extracted patch policy creation to `pkg/patch_policy`
- Added a `patch_query` column to the `software_installers` table
- By default that column is empty, and patch policies will generate with
the default query if so
- On app manifest ingestion, the appropriate entry in
`software_installers` will save the override "patch" query from the
manifest in patch_query
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [x] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [ ] QA'd all new/changed functionality manually
- Relied on integration test for FMA version pinning
## Database migrations
- [x] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [ ] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [x] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
## Summary
- Adds `.claude/commands/fleet-gitops.md`, a new slash command
(`/fleet-gitops`) for Claude Code users working in the `it-and-security`
folder
- Mirrors the existing Kilocode skill
(`/.kilocode/skills/fleet-gitops/SKILL.md`) with the same validation
rules for osquery queries, configuration profiles
(Apple/Windows/Android), software management, DDM declarations, and CVE
remediation
- Command is explicitly invoked only — does not auto-trigger, so it has
zero impact on the engineering team's normal Claude usage
## Test plan
- [ ] Verify `/fleet-gitops` is available as a slash command in Claude
Code when opened in this repo
- [ ] Confirm the command correctly sets context for GitOps work
(queries, profiles, software, DDM)
- [ ] Confirm no change to existing engineering commands (`/review-pr`,
`/test`, `/fix-ci`, etc.)
Add documentation for the full agent release process.
Fleetd is composed of several components released through different
channels, and the handbook only linked to TUF. This adds references to
Android (Google Play), Chrome extension (Google Admin), and TUF version
tracking, with links to the relevant release guides for each.
Bumps
[github.com/nats-io/nats-server/v2](https://github.com/nats-io/nats-server)
from 2.12.3 to 2.12.6.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/nats-io/nats-server/releases">github.com/nats-io/nats-server/v2's
releases</a>.</em></p>
<blockquote>
<h2>Release v2.12.6</h2>
<h2>Changelog</h2>
<p>Refer to the <a
href="https://docs.nats.io/release-notes/whats_new/whats_new_212">2.12
Upgrade Guide</a> for backwards compatibility notes with 2.11.x.</p>
<h3>Go Version</h3>
<ul>
<li>1.25.8</li>
</ul>
<h3>Dependencies</h3>
<ul>
<li>golang.org/x/crypto v0.49.0 (<a
href="https://redirect.github.com/nats-io/nats-server/issues/7953">#7953</a>)</li>
<li>github.com/nats-io/jwt/v2 v2.8.1 (<a
href="https://redirect.github.com/nats-io/nats-server/issues/7960">#7960</a>)</li>
<li>golang.org/x/sys v0.42.0 (<a
href="https://redirect.github.com/nats-io/nats-server/issues/7923">#7923</a>)</li>
<li>golang.org/x/time v0.15.0 (<a
href="https://redirect.github.com/nats-io/nats-server/issues/7923">#7923</a>)</li>
</ul>
<h3>CVEs</h3>
<ul>
<li>Fixes CVE-2026-33216, CVE-2026-33217, CVE-2026-33215 (affecting
systems using MQTT)</li>
<li>Fixes CVE-2026-33246 (affects systems using leafnodes and service
imports)</li>
<li>Fixes CVE-2026-33218 (affects systems using leafnodes)</li>
<li>Fixes CVE-2026-33219 (affects systems using WebSockets)</li>
<li>Fixes CVE-2026-33223, CVE-2026-33222 (affects systems using
JetStream)</li>
<li>Fixes CVE-2026-33248 (affects systems using mutual TLS)</li>
<li>Fixes CVE-2026-33247 (affects systems providing credentials on the
command line)</li>
<li>Fixes CVE-2026-33249 (affects systems where client publish
permissions should be restricted)</li>
</ul>
<h3>Improved</h3>
<p>General</p>
<ul>
<li>Non-WebSocket leafnode connections can now be proxied using HTTP
CONNECT (<a
href="https://redirect.github.com/nats-io/nats-server/issues/7781">#7781</a>)</li>
<li>The <code>$SYS.REQ.USER.INFO</code> response now includes the
friendly nametag of the account and/or user if known (<a
href="https://redirect.github.com/nats-io/nats-server/issues/7973">#7973</a>)</li>
</ul>
<p>JetStream</p>
<ul>
<li>The stream peer-remove command now accepts a peer ID as well as a
server name (<a
href="https://redirect.github.com/nats-io/nats-server/issues/7952">#7952</a>)</li>
</ul>
<p>MQTT</p>
<ul>
<li>Protocol compliance has been improved, including more error handling
on invalid or malformed MQTT packets (<a
href="https://redirect.github.com/nats-io/nats-server/issues/7933">#7933</a>)</li>
</ul>
<h3>Fixed</h3>
<p>General</p>
<ul>
<li>Client connections are no longer registered after an auth callout
timeout (<a
href="https://redirect.github.com/nats-io/nats-server/issues/7932">#7932</a>)</li>
<li>Improved handling of duplicate headers</li>
<li>A correctness bug when validating relative distinguished names has
been fixed</li>
<li>Secrets are now redacted correctly in trace logging (<a
href="https://redirect.github.com/nats-io/nats-server/issues/7942">#7942</a>)</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="0e0639058e"><code>0e06390</code></a>
Release v2.12.6</li>
<li><a
href="f593d279da"><code>f593d27</code></a>
Cherry-picks for 2.12.6 (<a
href="https://redirect.github.com/nats-io/nats-server/issues/61">#61</a>)</li>
<li><a
href="9f904de022"><code>9f904de</code></a>
[FIXED] Incomplete route pool on premature pong</li>
<li><a
href="b5101921e2"><code>b510192</code></a>
[FIXED] Avoid stalling read loop on leafnode
ErrMinimumVersionRequired</li>
<li><a
href="53941c24a1"><code>53941c2</code></a>
Report the account and user name in USER.INFO request</li>
<li><a
href="1ab002ab2b"><code>1ab002a</code></a>
[IMPROVED] Support HTTP proxy connection from leaf nodes also for
TCP</li>
<li><a
href="8b6408239f"><code>8b64082</code></a>
Release v2.12.6-RC.3</li>
<li><a
href="e6ab7e9541"><code>e6ab7e9</code></a>
Cherry-picks for 2.12.6-RC.3 (<a
href="https://redirect.github.com/nats-io/nats-server/issues/59">#59</a>)</li>
<li><a
href="9f4d96076c"><code>9f4d960</code></a>
Make the deduplication window actually work for deduplication for
sourcing</li>
<li><a
href="304e18402b"><code>304e184</code></a>
Remove FIXME about auth callout nonce</li>
<li>Additional commits viewable in <a
href="https://github.com/nats-io/nats-server/compare/v2.12.3...v2.12.6">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts page](https://github.com/fleetdm/fleet/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [X] Added/updated automated tests
- [X] QA'd all new/changed functionality manually
---------
Co-authored-by: Juan Fernandez <juan-fdz-hawa@users.noreply.github.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#29657
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
## Summary
- Adds a new **macOS - FileVault enabled** policy that checks whether
FileVault disk encryption is enabled on macOS devices by querying
`filevault_status` for an active status.
- Adds a new **Windows - BitLocker enabled** policy that checks whether
BitLocker disk encryption is enabled on the C: drive of Windows devices
by querying `bitlocker_info` for protection status.
- Both policies are added to the Workstations team configuration in
`workstations.yml`, placed alongside the existing disk encryption check
policies.
- Updated the resolution text for both policies to indicate that
settings should be automatically applied via MDM and to direct users to
#help-it for assistance.
- Changed resolution phrasing from "If you're still seeing this issue"
to "If you're still failing this policy" for both policies.
## Changes
| File | Change |
|------|--------|
| `it-and-security/lib/macos/policies/filevault-enabled.yml` | New
policy file for macOS FileVault check |
| `it-and-security/lib/windows/policies/bitlocker-enabled.yml` | New
policy file for Windows BitLocker check |
| `it-and-security/fleets/workstations.yml` | Added references to both
new policy files |
Built for [Allen
Houchins](https://fleetdm.slack.com/archives/D0AFASNBZMW/p1774388430297229?thread_ts=1774386241.477189&cid=D0AFASNBZMW)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
---------
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
This PR automatically updates macOS version policies, 1Password macOS
version policy, and Safari version policy for dogfood.
The changes were generated automatically by the
[dogfood-automated-policy-updates
workflow](https://github.com/fleetdm/fleet/actions/workflows/dogfood-automated-policy-updates.yml).
Co-authored-by: allenhouchins <32207388+allenhouchins@users.noreply.github.com>
## Summary
- Adds a new "Why no project management function?" section to the "Why
this way?" handbook page.
- Explains that functional managers at Fleet own the flow of work for
their teams, thinking about output like a factory and taking direct
responsibility over results.
- References Andy Grove's *High Output Management*, Eliyahu Goldratt's
*The Goal* and *The Phoenix Project* (with Audible links), and Sid
Sijbrandij's writings during his time as CEO of GitLab (with a link to
the GitLab handbook).
Built for
[mikermcneil](https://fleetdm.slack.com/archives/D0AFASLRHNU/p1774395518585529?thread_ts=1774395316.916289&cid=D0AFASLRHNU)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
---------
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
## Summary
- Updates the copy in the "See reality clearly" section of the Fleet
homepage
- Changes "Run live queries, generate reports, and export logs." to "Run
live reports, collect data, and export logs."
## Changes
**File:** `website/views/pages/homepage.ejs` (line 128)
| Before | After |
|--------|-------|
| Run live queries, generate reports, and export logs. | Run live
reports, collect data, and export logs. |
Built for
[mikermcneil](https://fleetdm.slack.com/archives/D0AFASLRHNU/p1774392594786109)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
**Related issue:** Resolves#41644
There are two cases that exist in the cpe database where this generic
logic could not be applied.
django from python_packages:
gofiber:django
djangoproject:django
npm from npm_packages:
microsoft:npm
npmjs:npm
These will require individual cve overrides that is outside the scope of
this task.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Enhanced CPE (Common Platform Enumeration) matching to reduce
non-deterministic vendor selection when multiple vendors exist for the
same software product. The algorithm now incorporates software ecosystem
information to ensure more accurate and consistent vulnerability
resolution across package types.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#41631
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
## Summary
- Adds a new open position entry for "🚀 Customer Support Engineer
(APAC)" to `handbook/company/open-positions.yml`
- Based on the existing (commented-out) Customer Support Engineer
template, with the same department, hiring manager, OTE,
responsibilities, and experience requirements
## Changes
- `handbook/company/open-positions.yml`: Added new active position entry
for Customer Support Engineer (APAC)
---
Built for [Isabell
Reedy](https://fleetdm.slack.com/archives/D0AEGJCGJR0/p1774371863364109)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
---------
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
Co-authored-by: Isabell Reedy <113355639+ireedy@users.noreply.github.com>
## Summary
- Adds a new article covering how to use Fleet and Apple Business
Manager to enroll large numbers of MacBook Neos with zero-touch
enrollment
- References and quotes Jonny Evans' Computerworld article on MacBook
Neo as the Mac's potential "iPhone moment" in the enterprise
- Provides practical guidance for IT teams planning a large-scale
MacBook Neo rollout, including ABM setup, enrollment configuration,
GitOps workflows, and ongoing fleet management
## Changes
- New file:
`articles/enroll-macbook-neo-at-scale-with-fleet-zero-touch.md`
Built for
[mikermcneil](https://fleetdm.slack.com/archives/D0AFASLRHNU/p1774111597501669?thread_ts=1774105884.042939&cid=D0AFASLRHNU)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
---------
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
Co-authored-by: Mike Thomas <78363703+mike-j-thomas@users.noreply.github.com>
## Summary
- Updates Firefox from 148.0.2 to 149.0 (released March 23, 2026) across
the Workstations team configuration
- Updates macOS custom package download URL to Firefox 149.0
- Updates macOS and Windows version-check policies to enforce version >=
149.0
## Changes
| File | Change |
|---|---|
| `it-and-security/lib/macos/software/mozilla-firefox.yml` | Updated
package URL from 148.0.2 to 149.0 |
| `it-and-security/lib/macos/policies/update-firefox.yml` | Updated
version check from 148.0.2 to 149.0 |
| `it-and-security/lib/windows/policies/update-firefox.yml` | Updated
version check from 148.0.2 to 149.0 |
## Notes
- Firefox on Windows uses the Fleet-maintained app (`slug:
firefox/windows`), which is managed by the Fleet catalog and will
auto-update when the catalog is refreshed
- Firefox on macOS uses a custom package URL since the existing pattern
uses a `.pkg` installer
- Both macOS and Windows already have self-service enabled and
corresponding update policies with calendar event enforcement (macOS)
Built for [Allen
Houchins](https://fleetdm.slack.com/archives/D0AFASNBZMW/p1774366778146629)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
---------
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
Co-authored-by: Allen Houchins <32207388+allenhouchins@users.noreply.github.com>
**Related issue:** Fixes#42260
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
This commit introduces support for Python (.py) scripts on macOS and
Linux, including validation for Python shebangs and updates to
documentation, UI, error messages, and backend validation logic. It also
updates tests and file upload handling to recognize and properly process
Python scripts alongside existing shell (.sh) and PowerShell (.ps1)
scripts.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves #
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [ ] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [ ] QA'd all new/changed functionality manually
For unreleased bug fixes in a release candidate, one of:
- [ ] Confirmed that the fix is not expected to adversely impact load
test results
- [ ] Alerted the release DRI if additional load testing is needed
## Database migrations
- [ ] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [ ] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [ ] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
## New Fleet configuration settings
- [ ] Setting(s) is/are explicitly excluded from GitOps
If you didn't check the box above, follow this checklist for
GitOps-enabled settings:
- [ ] Verified that the setting is exported via `fleetctl
generate-gitops`
- [ ] Verified the setting is documented in a separate PR to [the GitOps
documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485)
- [ ] Verified that the setting is cleared on the server if it is not
supplied in a YAML file (or that it is documented as being optional)
- [ ] Verified that any relevant UI is disabled when GitOps mode is
enabled
## fleetd/orbit/Fleet Desktop
- [ ] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [ ] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [ ] Verified that fleetd runs on macOS, Linux and Windows
- [ ] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
---------
Co-authored-by: Jordan Montgomery <elijah.jordan.montgomery@gmail.com>
Co-authored-by: melpike <79950145+melpike@users.noreply.github.com>
Co-authored-by: jkatz01 <yehonatankatz@gmail.com>
Co-authored-by: Jonathan Katz <44128041+jkatz01@users.noreply.github.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#40794
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#41533
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [ ] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
https://github.com/user-attachments/assets/64a5f726-1e9f-4508-8726-6227813dcc77
Below I show the `Report clipped` and the `X additional results not
shown` states. For that, I manually inserted records in my DB:
```sql
-- make "clipped"
INSERT INTO query_results (query_id, host_id, last_fetched, data)
SELECT 1, t.n + 1000, NOW(), '{"fake_key": "fake_value"}'
FROM (
SELECT a.N + b.N * 10 + c.N * 100 AS n
FROM (SELECT 0 AS N UNION SELECT 1 UNION SELECT 2 UNION SELECT 3 UNION SELECT 4 UNION SELECT 5 UNION SELECT 6 UNION SELECT 7 UNION SELECT 8 UNION
SELECT 9) a,
(SELECT 0 AS N UNION SELECT 1 UNION SELECT 2 UNION SELECT 3 UNION SELECT 4 UNION SELECT 5 UNION SELECT 6 UNION SELECT 7 UNION SELECT 8 UNION
SELECT 9) b,
(SELECT 0 AS N UNION SELECT 1 UNION SELECT 2 UNION SELECT 3 UNION SELECT 4 UNION SELECT 5 UNION SELECT 6 UNION SELECT 7 UNION SELECT 8 UNION
SELECT 9) c
) t
WHERE t.n BETWEEN 1 AND 999;
-- populate extra query results
INSERT INTO query_results (query_id, host_id, last_fetched, data)
VALUES
(1, 2, NOW(), '{"pid": "9999", "version": "5.21.0"}'),
(1, 2, NOW(), '{"pid": "8888", "version": "5.20.0"}');
```
https://github.com/user-attachments/assets/8056ea4c-b042-47cf-a05f-ee9d8621252a
Pagination (manually changed to 3 items per page for testing purposes)
https://github.com/user-attachments/assets/87a97259-0821-4659-a612-c952e98a158c
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** For #41345
* Adds a missing comment delimiter
* Adds required `organization_name` to `apple_business_manager` section
* Adds required `location` to `volume_purchasing_program ` section
* Adds Windows MDM section with `windows_enabled_and_configured`,
required for the Windows OS update settings to work
---------
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
