Commit graph

2739 commits

Author SHA1 Message Date
Steven Palmesano
147814405d
Add Wi-Fi profile example (#37177) 2025-12-12 08:26:47 -06:00
Luke Heath
3a183e6772
Add PR review to daily standup, remove incoming bug triage (#37090) 2025-12-11 15:31:51 -06:00
Steven Palmesano
7530a0a55c
Remove link to "Get host's Google Chrome profiles" (#37132)
This doesn't exist any more
2025-12-11 12:34:32 -06:00
Sarah Gillespie
d619746ebf
Ingest Windows host certificates via osquery (#36771) 2025-12-11 09:53:41 -06:00
Noah Talerman
9267541860
Releasing Fleet steps: Wrong Helm chart (#37051) 2025-12-10 14:53:10 -06:00
Ian Littman
fe2a9a867e
Swap minio to rustfs (#36851)
Resolves #36909.

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.

## Testing

- [x] Added/updated automated tests

- [x] QA'd all new/changed functionality manually
2025-12-10 10:03:48 -06:00
Rachael Shaw
ffcf314a3c
YAML indentation fix in query library (#37022)
Follow-up from https://github.com/fleetdm/fleet/pull/36994
2025-12-09 16:06:18 -06:00
Josh Roskos
a9807ec904
Update Get MCP client configurations query (#36638)
Updating:
https://fleetdm.com/queries/get-mcp-client-configurations#query-detail
Reference:
https://fleetdm.slack.com/archives/C062D0THVV1/p1764781232122449

cc: @karmine05
2025-12-09 14:23:53 -06:00
Steven Palmesano
e7291062ec
Add CrowdStrike Falcon System Extension policy (#36994) 2025-12-09 14:16:35 -06:00
Jonathan Katz
b8d2ba371e
Update replica db setup and guide (#36918)
**Related issue:** Resolves #35937
Changes:
- Fix `make db-replica-setup`
- mention the tool in
`docs/contributing/getting-started/testing-and-local-development.md`.
2025-12-08 17:07:04 -05:00
Steven Palmesano
7fb0ab105a
Windows MDM migration notification (#36525)
Related to https://github.com/fleetdm/confidential/issues/12925

---------

Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
2025-12-08 14:10:46 -06:00
Josh Roskos
ed17e84d05
Update SSO configuration paths in documentation (#36894)
Updates from customer call today: 
  - Updated image to reference `Fleet users` callback URL
  - Updated *Fleet configuration* instructions for UI changes
2025-12-08 14:04:49 -06:00
Victor Lyuboslavsky
103d537dc5
Change status to delivered in flowchart. (#36800)
**Related issue:** Resolves #36795
2025-12-08 10:07:32 -06:00
Victor Lyuboslavsky
321ed1dc12
Update MySQL versions we test with to 8.4.7 and 9.5.0 (#36803)
**Related issue:** Resolves #36801

Test and docs changes only.

Passing 8.4.7 tests in this workflow run:
https://github.com/fleetdm/fleet/actions/runs/19978256106/job/57299389148
2025-12-08 09:12:05 -06:00
Steven Palmesano
6defeec1b9
Fix broken scep_proxy references (#36777) 2025-12-05 17:32:55 -06:00
Allen Houchins
78b4655555
Typo fix (#36730)
`self-service` is not a valid key. This should be `self_service`.
2025-12-05 17:31:30 -06:00
Victor Lyuboslavsky
b1062296c5
ADR-0007: Pilot activity bounded context (#35402) 2025-12-05 17:19:33 -06:00
Steven Palmesano
d70d8f0731
Add various restrictions profiles for Android (#36607)
Related to #34732
2025-12-05 15:32:37 -06:00
Victor Lyuboslavsky
372c29b07c
Updated Android certificates flowchart (#36538)
**Related issue:** Resolves #34856
2025-12-05 08:12:02 -06:00
Josh Roskos
7117e6dede
Updated okta-idp-setup.png to reference correct URL (#36647)
Came up during customer interaction, updated screenshot to show what we
also include in the comment box below.
2025-12-04 16:38:27 -06:00
Noah Talerman
13fab1b5f6
MDM_ENABLE_CUSTOM_OS_UPDATES_AND_FILEVAULT is not production ready (#36674) 2025-12-04 16:37:46 -06:00
Marko Lisica
5137f6b6cd
Remove params from activities API (#36687)
This is pushed to 4.78
2025-12-04 16:02:10 -06:00
kitzy
58e254f1e4
Add Docker Compose deployment guide and configuration files (#36507)
- Add comprehensive Docker Compose deployment guide article
- Add docker-compose.yml with Fleet, MySQL, and Redis services
- Add env.example template with configuration options
- Include TLS setup options for both reverse proxy and direct TLS
- Add troubleshooting and production considerations

Resolves #33774
2025-12-04 12:11:59 -05:00
Victor Lyuboslavsky
ccd66921e7
Updating golangci-lint to 2.7.1 (#36678)
**Related issue:** Resolves #32999

And fixing newly flagged lint issues.
2025-12-04 10:45:50 -06:00
Rachael Shaw
25191f3054
Preview of v4.77.0 doc changes (#35924)
This PR will remain in draft as a preview of upcoming documentation
changes for 4.77.0

---------

Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com>
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Co-authored-by: Victor Lyuboslavsky <2685025+getvictor@users.noreply.github.com>
Co-authored-by: Ian Littman <iansltx@gmail.com>
Co-authored-by: Noah Talerman <noahtal@umich.edu>
Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com>
Co-authored-by: Magnus Jensen <magnus@fleetdm.com>
Co-authored-by: Jordan Montgomery <elijah.jordan.montgomery@gmail.com>
Co-authored-by: Janis Watts <184028114+jmwatts@users.noreply.github.com>
Co-authored-by: Allen Houchins <32207388+allenhouchins@users.noreply.github.com>
Co-authored-by: Gabriel Hernandez <ghernandez345@gmail.com>
Co-authored-by: Mike Thomas <78363703+mike-j-thomas@users.noreply.github.com>
Co-authored-by: Scott Gress <scottmgress@gmail.com>
Co-authored-by: Carlo <1778532+cdcme@users.noreply.github.com>
2025-12-02 17:24:15 -06:00
Steven Palmesano
e6a5aafd1f
Change "ad-hoc" to "ad hoc" (#36549)
These are two (Latin) words, they should not be hyphenated. Found
because I was trying to use command + f to search for "ad hoc," since
that's the proper spelling.
2025-12-02 15:55:43 -06:00
Martin Angers
5a8e2774bf
Feature branch: Android Setup Experience support (#35951)
Feature branch for
https://github.com/fleetdm/fleet/issues/33761#issuecomment-3548996114


---------

Co-authored-by: RachelElysia <71795832+RachelElysia@users.noreply.github.com>
2025-12-02 12:27:20 -05:00
Rachael Shaw
cb621bdfef
[UPDATED] #31719 API/YAML design (Add custom package that only contains a script) (#33648) 2025-11-26 16:43:31 -06:00
Steven Palmesano
41a933ff52
Add Linux desktop environment support to docs (#35770)
I'm not 100% sure if these are the supported desktop environments, but I
figured this PR would kick off the discussion.

Brought up during a call with `customer-cisneros`: [Gong
snippet](https://us-65885.app.gong.io/call?id=6065255196915724079&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A654%2C%22to%22%3A1079%7D%5D)

[Here's](https://wiki.archlinux.org/title/Desktop_environment) the list
of desktop environments that the customer mentioned on the call to
highlight the fragmentation of the Linux world. 😆

---------

Co-authored-by: Rachael Shaw <r@rachael.wtf>
2025-11-26 12:38:28 -06:00
Marko Lisica
23b60d79d5
[Docs bug] team_id is not required (#36269)
Clarified the description of the 'team_id' parameter in the API
documentation. If not set, the default is no team.
2025-11-26 12:23:52 -06:00
Harrison Ravazzolo
22034d7983
remove duplicate smallstep section from yaml reference (#36339)
Dupe blocks of code
2025-11-26 12:23:24 -06:00
Steven Palmesano
a2327f84af
Add initial Android configuration profiles (#36227) 2025-11-25 15:32:43 -06:00
Jahziel Villasana-Espinoza
8aeb5e3dac
add display name to missing spots (#36219)
**Related issue:** Resolves #35654 Resolves #36194

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

## Testing

- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one host's records do not affect another)

- [x] QA'd all new/changed functionality manually

For unreleased bug fixes in a release candidate, one of:

- [x] Confirmed that the fix is not expected to adversely impact load
test results
2025-11-24 18:20:39 -05:00
George Karr
8ab356a666
Fix links in Configuration README (#35538) 2025-11-24 17:11:16 -06:00
Marko Lisica
598d4babf8
Document research for Android agent app (#35094)
Related to:
- #34856
2025-11-24 12:10:40 +01:00
Scott Gress
c40f189321
Update instructions for installing golangci-lint in dev environments (#36125)
Updates the testing-and-local-development to reference the
`golangci-lint` version as of
https://github.com/fleetdm/fleet/issues/33251.
2025-11-21 10:14:15 -06:00
Steven Palmesano
03e8a35854
Fix link to Download bootstrap package (#35300) 2025-11-20 11:16:44 -06:00
Magnus Jensen
e4fbc4fb6e
Fix table of content links on Rest API page (#35348)
Fixes the outdated MDM link, and adds the missing top-level links.

_The notation for integrations `#integrations-1`, is to take the second
occurrence of integrations, as we have another integrations title in the
update webhook configuration._

I can see this doesn't affect the website (or shouldn't) since it uses
its own way to generate the TOC, but will help for manually browsing
the markdown.
2025-11-20 11:16:20 -06:00
Rachael Shaw
65fdb6ae40
API Docs: Add missing parameter in "Update configuration" (#36025)
`integrations` section was there but not linked in the main parameters
table.
2025-11-19 16:32:10 -06:00
Noah Talerman
521e8be95e
[API reference] Fix broken link (#35953) 2025-11-18 16:24:17 -06:00
Jordan Montgomery
64adfc1116
Remove new PUT endpoint, update docs for POST (#35820)
**Related issue:** Resolves #35309 docs changes

For more context see
https://fleetdm.slack.com/archives/C019WG4GH0A/p1763137466439419

---------

Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
2025-11-18 12:03:49 -06:00
Noah Talerman
6e635e7888
Delete Entra modal: Update instructions (#35874)
Deleting Microsoft Entra ID doesn't unblock end users. Instead, to
unblock, the IT admin has to disable the "Conditional Access" policy in
Entra.

Context: https://github.com/fleetdm/fleet/pull/35632/files#r2524534037
2025-11-18 06:45:24 -08:00
Victor Lyuboslavsky
a87a460de3
API changes for Okta conditional access (#35632) 2025-11-17 19:25:34 -06:00
Graham Williams
33510dc40c
Add Ubuntu Advantage Query to Library (#35680)
Adds the Ubuntu Advantage policy to the policy library that checks to see
if the file exists, and that it is attached, and expiry date has not
passed.

This can be used in combination with a script automation running `pro
attach <tokenID>`, with a tokenID configured in Fleet Variables. E.g:
`pro attach $FLEET_SECRET_UBUNTUPRO` for remediation.

---------

Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
2025-11-17 10:04:16 +00:00
Noah Talerman
85cca255bf
Add setup_experience to example YAML (#35780)
- Clarify that `setup_experience` can be used for `app_store_apps` and
`fleet_maintained_apps`
2025-11-15 13:01:51 -05:00
Jordan Montgomery
98452d4827
[API/YAML] Docs for new setup experience script PUT endpoint (#35736)
API changes for #35309 

Also updates bug notes to call out fixed version.

Related PR #35651

---------

Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
2025-11-14 17:47:34 -05:00
Rachael Shaw
a074498668
API design: #33758 (OS vulnerabilities bug) (#33533)
> This PR to be left in draft until bug is brought into a sprint, at
which point we'll close and re-open to the correct release branch.

Changes for the following bug:
+ https://github.com/fleetdm/fleet/issues/33758

---------

Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
2025-11-14 16:58:00 -05:00
Janis Watts
ecf5c789aa
Update yaml-files.md (#35765)
Proposing that we update this language to match what actually happens if
you add a VPP app using an adamID (all platforms with that adamID are
added, along with any settings like self service categories, setup
experience, labels, etc.)
2025-11-14 13:11:11 -05:00
Marko Lisica
daae2c1c06
Update MySQL support details in Reference Architectures (#35706)
Added information about supported database setups and resource
provisioning for multiple Fleet instances.

Related to:

- #35400

We got a community member trying to install Fleet in a way we don't
test, but it's not explicitly documented that we don't support that way.
2025-11-14 11:28:44 -05:00
Jordan Moore
01298afe9c
REST API Human-device mapping table of contents correction (#35718)
Corrected REST API Documentation table of contents so that the `Update
human-device mapping` heading linked to the right location in the
document and the heading in the table of contents matches the actual
heading.
2025-11-13 17:58:36 -05:00
jacobshandling
926cdc6da0
Manually update & delete host IdP mappings (#35325)
**Related issue:** Resolves #34222 


[Demo](https://drive.google.com/file/d/1MyLlyUW8Qoad_3_FLwiMhMBbb8wJNwGk/view?usp=drive_link)

# Checklist for submitter
If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`, 
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
2025-11-13 09:05:40 -08:00
Mitch Francese
542e8ff259
Update links to example configuration profiles (#35420)
Fixing broken links in the article to point to absolute paths.

---------

Co-authored-by: Brock Walters <153771548+nonpunctual@users.noreply.github.com>
2025-11-12 15:08:18 -05:00
Noah Talerman
15f5880638
[YAML reference] Clarify variable (#34956)
IdP username is an email
2025-11-11 18:01:11 -05:00
Noah Talerman
f684118edd
YAML reference (#35546)
- Fleet supports payload-free packages for Linux (`.sh`) and Windows
(`.ps1`)
- `.ipa` coming in 4.77
2025-11-11 14:15:11 -05:00
Rachael Shaw
3135e9a0a7
#30117 API/YAML design: Require all software installs during macOS setup experience (#33016)
User story:

+ #30117
2025-11-11 10:04:05 -05:00
Rachael Shaw
86b80e28ed
Documentation v4.76.0 (#34943)
Documentation changes for the 4.76 release
2025-11-11 09:30:14 -05:00
Ian Littman
f91aa591b0
Target Redis 6 everywhere rather than a mix of 5 and 6 (#35373)
Redis 5 has been EOL for a few years, and didn't get updates for the
latest high-severity CVEs. We're already using 6 in most places
(fleetctl preview, recommended reference architectures, managed cloud
environments) so it's safe to set 6 as the new minimum.

Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
2025-11-10 17:05:44 -06:00
Luke Heath
56c997983a
Update release workflow documentation with tag examples (#35290) 2025-11-10 13:14:56 -06:00
Rachael Shaw
480a73c669
Move setup experience bug message (#35393) 2025-11-08 13:19:18 -06:00
Rachael Shaw
9cc3b8f0ba
Docs: Add messaging about 🪲 #35309 (#35392)
Add caveat to macOS setup experience and GitOps docs re: 🪲 #35309
2025-11-08 13:11:06 -06:00
jacobshandling
acb563337e
Ingest, store, consider in unique_identifier, and serve upgrade_codes for Windows software (#34786)
**Related issue:** Resolves #33907 

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)

## Testing

- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually

## Database migrations

- [x] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
~- [ ] Confirmed that updating the timestamps is acceptable, and will
not cause unwanted side effects.~ N/A
- [x] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).


## Summary by CodeRabbit

## Release Notes

* **New Features**
* Windows software inventory now includes upgrade code data for better
software identification and tracking.

* **Chores**
* Database schema updated to support upgrade code storage for software
titles and inventory records.

2025-11-07 15:33:31 -08:00
Noah Talerman
8f3888ff0f
Fleet release note template: Supported fleetctl (#35298) 2025-11-06 16:03:28 -06:00
Ian Littman
f1c3f02dac
Update host foreign vitals IdP guide + related tweaks (#35229)
Fixes #32072.

Biggest changes are in the foreign vitals IdP (SCIM) guide:

* Moved Android from "coming soon" to live (true as of 4.75)
* Moved Okta-specific troubleshooting under the Okta section
* Moved "Other IdPs" into its own top level section instead of partway
through the Google section (looks like the result of a bad merge)
* Added a link to the labels guide where relevant
* Various minor clarity/grammar fixes based on running through the
process end-to-end with Okta


Additionally:

* Clarity fixes on labels docs
* Noted in contributing docs the existence of the Okta Integrator Free
plan for E2E testing SSO/SCIM flows
2025-11-05 13:55:49 -06:00
Dave Siederer
c61ea7e5cd
Create aws-ec2-mac-setup.sh (#35217)
Script to run during the first launch of an AWS EC2 Mac instance to make
it easier to set up the Amazon Machine Image (AMI). Uses data from
https://github.com/aws-samples/amazon-ec2-mac-mdm-enrollment-automation/blob/main/Secret_SecretsManager_CF.yaml
that the AWS instance accesses at runtime.

Co-authored-by: Brock Walters <153771548+nonpunctual@users.noreply.github.com>
2025-11-05 12:51:24 -05:00
Steven Palmesano
41335e1ce7
Correct Create package to Add package (#35175) 2025-11-05 11:42:39 -06:00
Jahziel Villasana-Espinoza
621012356f
software display names: API support (#35182)
**Related issue:** Resolves #33778

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)

## Testing

- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
2025-11-05 12:03:30 -05:00
Dante Catalfamo
f06e6fc582
Gitops docs changes for #34689 (#35015) 2025-11-04 16:27:36 -05:00
Dante Catalfamo
37722a925f
EST certificate proxy backend and configs (#34689)
#34275
2025-11-04 16:27:15 -05:00
Rachael Shaw
caeea404f0
Docs: Fix broken link (#35162) 2025-11-04 11:16:53 -06:00
Dale Ribeiro
c662f82f61
solutions folder cleanup (#35113) 2025-11-03 11:57:04 -05:00
Dale Ribeiro
c2b458db99
Dale ios folder rename (#35112) 2025-11-03 11:54:16 -05:00
Dale Ribeiro
fbefff8d79
added .keep file to add empty folders (#35109) 2025-11-03 11:45:48 -05:00
Matt Rebelo
87a48c0653
Update rest-api.md (#34992)
Correcting description of action when no team is applied to fleet
premium when modifying OS settings.

https://fleetdm.slack.com/archives/C019WG4GH0A/p1761829754255319

**Related issue:** Resolves #

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.

- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes

## Testing

- [ ] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one host's records do not affect another)

- [ ] QA'd all new/changed functionality manually

For unreleased bug fixes in a release candidate, one of:

- [ ] Confirmed that the fix is not expected to adversely impact load
test results
- [ ] Alerted the release DRI if additional load testing is needed

## Database migrations

- [ ] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [ ] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [ ] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).

## New Fleet configuration settings

- [ ] Setting(s) is/are explicitly excluded from GitOps

If you didn't check the box above, follow this checklist for
GitOps-enabled settings:

- [ ] Verified that the setting is exported via `fleetctl
generate-gitops`
- [ ] Verified the setting is documented in a separate PR to [the GitOps
documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485)
- [ ] Verified that the setting is cleared on the server if it is not
supplied in a YAML file (or that it is documented as being optional)
- [ ] Verified that any relevant UI is disabled when GitOps mode is
enabled

## fleetd/orbit/Fleet Desktop

- [ ] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [ ] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [ ] Verified that fleetd runs on macOS, Linux and Windows
- [ ] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
2025-11-03 10:40:01 -06:00
Dale Ribeiro
573d493bb5
Dale solutions cleanup 2 (#35108)
2025-11-03 11:30:04 -05:00
Dale Ribeiro
fbdb0b7937
Delete docs/solutions/windows directory (#35107)
2025-11-03 11:21:30 -05:00
Steven Palmesano
a042bfd5aa
Add directory for Tines stories (#34947) 2025-11-01 13:48:22 -04:00
Zach Wasserman
0cdde239b9
Add activity feed entries for host deletion and expiration (#34720)
**Related issue:** Resolves #33513 

# Checklist for submitter

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.

## Testing

- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
2025-10-31 09:37:31 -07:00
Noah Talerman
b46180ad7e
YAML reference: Certificate authority (CA) variables (#34859)
- Context: https://github.com/fleetdm/fleet/issues/33918
2025-10-30 17:00:14 -04:00
Jordan Montgomery
f0e1b1425f
Apply CDATA fix to a couple of problematic CSPs (#34830)
Fixes CSPs that were having issues verifying on the call with
`customer-rembrandt`. Also removes a CSP that was a duplicate of another
- "disable Windows Remote Assistance – [UnsolicitedRemoteAssistance,
SolicitedRemoteAssistance].xml" was duplicated by "disable remote
assistance - [AllowRemoteAssistance].xml"
2025-10-30 13:49:23 -04:00
Noah Talerman
93bea644ce
Update releasing-fleet (#34937) 2025-10-30 11:11:37 -05:00
Harrison Ravazzolo
c08dcac37e
Update SCEP CSP Windows (#34885) 2025-10-29 19:30:34 -04:00
Steven Palmesano
282c975b4d
Add three profiles created for customer-mozartia (#34948) 2025-10-29 19:29:44 -04:00
Noah Talerman
7dc9604a5c
Consistent API language (#34878)
This language and in this order:
- List
  - For many items (ex. List host)
- Create
- Get
  - For one item (ex. Get host)
- Update
- Delete

---------

Co-authored-by: Rachael Shaw <r@rachael.wtf>
2025-10-29 12:30:02 -05:00
Adam Baali
55e3a65a0c
Script that triggers the SCEP enrollment (#34912)
This pull request adds a new PowerShell script to automate triggering
SCEP enrollment for Windows devices via Fleet MDM. The script is
designed to be user-friendly and configurable, with clear instructions
for setting up required secrets and variables.

New Windows SCEP enrollment script:

* Added `trigger scep enrollment.ps1` script with detailed user
instructions for configuring Fleet secrets and node names.
* Script collects host UUID, generates a SyncML command for SCEP
enrollment, and sends it to Fleet MDM using an authenticated API
request.
* Includes error handling and guidance for checking command results
using `fleetctl`.

---------

Co-authored-by: Brock Walters <153771548+nonpunctual@users.noreply.github.com>
2025-10-29 12:49:06 -04:00
Noah Talerman
8d363678cd
Fleet 4.75: Santa tables (#34867)
Context: https://github.com/fleetdm/fleet/issues/34789
2025-10-28 18:17:26 -04:00
Jonathan Katz
bb512cc345
Documentation updates for in-house-app features (#34817)
**Related issue:** Resolves #

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
2025-10-28 12:05:47 -05:00
Noah Talerman
2bc25471f6
API reference: Batch-modify profiles w/ 100+ profiles (#34853)
Requests take 5+ seconds

Context:
https://github.com/fleetdm/fleet/issues/32786#issuecomment-3456612158
2025-10-28 12:03:30 -05:00
Martin Angers
cab7cc15be
Initial support for in-house apps on iOS/iPadOS (#34802) 2025-10-28 08:33:58 -04:00
Noah Talerman
4c104da5b9
[YAML reference] Clarify Apple's built-in variables (#34030)
- @noahtalerman: These variables are only supported in specific
payloads. Apple source:
https://support.apple.com/en-my/guide/deployment/dep04666af94/1/web/1.0
- @noahtalerman: We confirmed this. See @allenhouchins's findings in
this feature request: https://github.com/fleetdm/fleet/issues/28636

Co-authored-by: Rachael Shaw <r@rachael.wtf>
2025-10-27 17:29:42 -05:00
Noah Talerman
53a6179500
[Fleet server configuration] Clarify that only one can be set (#34743)
- Clarified that only one of `server_private_key_arn` or
`server_private_key` can be set.

Context:
https://github.com/fleetdm/fleet/issues/31321#issuecomment-3412996433
2025-10-27 17:12:58 -05:00
Noah Talerman
b6348c505b
hash_sha256 is the cdhash_sha256 (#34822)
The `hash_sha256` from the [`/hosts/:id/software` Fleet
API](https://fleetdm.com/docs/rest-api/rest-api#get-hosts-software) is
an attribute that Santa can use to block applications:
https://northpole.dev/features/binary-authorization/#cdhash

https://fleetdm.com/tables/codesign:

2025-10-27 17:05:48 -05:00
Jorge Falcon
084fd97578
Fix software icon links in REST API documentation (#34734) 2025-10-27 17:05:20 -05:00
Carlo
9b87af915e
Upgrade Fleet's Node.js version (#34603)
Fixes #31466. Upgrades Node.js to 24.10.0
2025-10-27 17:21:50 -04:00
Graham Williams
19f3cdb168
Create windows-device-wirelessdisplay-requirepin.xml (#34507)
- Uses randomly generated UUID for the CmdID as required by [CmdID
Specs](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mdm/d7321df8-ecb2-4c81-8a24-54630bc7456f)
- Created **Device** profile to enable the setting as required based on
[Microsoft
Docs](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-wirelessdisplay#requirepinforpairing)
- Profiles return as **Verified** in FleetUI
- Event Viewer shows no errors
- Registry confirms PIN requirement

---------

Co-authored-by: Dale Ribeiro <dale@fleetdm.com>
2025-10-27 08:51:12 +00:00
Graham Williams
60f7bf0711
Create windows-device-power-standbynetwork.xml (#34506)
- Uses randomly generated UUID for the CmdID as required by [CmdID
Specs](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mdm/d7321df8-ecb2-4c81-8a24-54630bc7456f)
- Created **Device** profile to disable the setting as required based on
[Microsoft
Docs](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#bootstartdriverinitialization)
- Profiles return as **Verified** in FleetUI (Requires device restart)
- Event Viewer shows expected merge

---------

Co-authored-by: Dale Ribeiro <dale@fleetdm.com>
2025-10-25 19:02:21 -04:00
Mason Buettner
74f26d9ff0
Add disable-toast-notifications-from-lock.xml (#34497)
This profile disables toast notifications from the lock screen.


# Checklist for submitter

If some of the following don't apply, delete the relevant line.


## Testing


- [x] QA'd all new/changed functionality manually
2025-10-25 19:01:39 -04:00
Graham Williams
680b36c802
Windows Configuration Profiles - Disabling System Services (#34446)
- Uses randomly generated UUID for the CmdID as required by [CmdID
Specs](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mdm/d7321df8-ecb2-4c81-8a24-54630bc7456f)
- Created **Device** profile to disable the services as required based
on [Microsoft
Docs](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-systemservices)
- Profiles return as **Verified** in FleetUI
- Event Viewer shows no errors
- Services listed as disabled

Adds configuration profiles for disabling the following services on startup:

- Windows Mobile Hotspot Service (icssvc) - 0199f25b-795f-7dee-92cc-0a69d91d6c8a
- Internet Connection Sharing (ICS) (SharedAccess) - 0199f25b-795f-76d9-99cb-d122e5b6e6f1
- Routing and Remote Access (RemoteAccess) - 0199f25b-795f-7699-8735-e316ffc0564e
- Remote Procedure Call (RPC) Locator (RpcLocator) - 0199f25b-795f-7882-9309-44b8f0633b01
- SSDP Discovery (SSDPSRV) - 0199f25b-795f-703f-99a1-abecba6b71f8
- UPnP Device Host (upnphost) - 0199f25b-795f-7802-9b16-efae4418f444
- Windows Media Player Network Sharing Service (WMPNetworkSvc) - 0199f25b-795f-7af7-99ba-2f418f05e77b
- World Wide Web Publishing Service (W3SVC) - 0199f25b-795f-7966-a812-4b1d5c5c54cb (Non-standard Service)
- Microsoft FTP Service (FTPSVC) - 0199f25b-795f-7d7c-b6ca-597d08a1839d (Non-standard Service)

---------

Co-authored-by: Dale Ribeiro <dale@fleetdm.com>
2025-10-25 19:01:03 -04:00
Graham Williams
966373876e
Create windows-device-systemservices-xbox-disabled.xml (#34432)
- Uses randomly generated UUID for the CmdID as required by [CmdID
Specs](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mdm/d7321df8-ecb2-4c81-8a24-54630bc7456f)
- Created **Device** profile to disable the services as required based
on [Microsoft
Docs](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-systemservices#configurexboxaccessorymanagementservicestartupmode)
- Profiles return as **Verified** in FleetUI
- Event Viewer shows no errors
- Services listed as disabled

---------

Co-authored-by: Dale Ribeiro <dale@fleetdm.com>
2025-10-25 18:58:15 -04:00
Magnus Jensen
8f1bccb5fb
add defender smartscreen windows CSP policies (#34428)
Adds 4 defender smartscreen policies, to enable notifying and one for
disabling automatic data collection.
2025-10-25 18:57:22 -04:00
Steven Palmesano
3a1b4b6880
Add CSP to disable Game DVR (#34427)
Verified working with Windows 11 Pro.

---------

Co-authored-by: Dale Ribeiro <dale@fleetdm.com>
2025-10-25 18:56:48 -04:00
Graham Williams
07fce813d4
Create windows-device-system-bootstartdriver-disabled.xml (#34424)
- Uses randomly generated UUID for the CmdID as required by [CmdID
Specs](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mdm/d7321df8-ecb2-4c81-8a24-54630bc7456f)
- Created **Device** profile to disable the setting as required based on
[Microsoft
Docs](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#bootstartdriverinitialization)
- Profiles return as **Verified** in FleetUI
- Event Viewer shows no errors
- Registry shows EarlyLaunch entry with expected defaults

2025-10-25 18:55:55 -04:00
Graham Williams
40fde14407
Adds msialwaysinstall profiles (#34423)
- Uses randomly generated UUID for the CmdID as required by [CmdID
Specs](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mdm/d7321df8-ecb2-4c81-8a24-54630bc7456f)
- Created both **User** and **Device** profiles as required based on
[Microsoft
Docs](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-applicationmanagement#msialwaysinstallwithelevatedprivileges)
- Profiles return as **Verified** in FleetUI
- Event Viewer shows no errors
- Registry shows provider set for both **Device** and **User** scopes

2025-10-25 18:54:21 -04:00
Noah Talerman
d7f4348d33
Remove "experimental" from Omarchy and Arch Linux (#34757) 2025-10-24 17:32:44 -05:00
kitzy
e96365ab58
[DOCS] Add example YAML configuration for macOS setup (#34766)
This came out of a customer call where we received the following output
from the `fleetctl generate-gitops` command:
```
The macos_setup configuration is not supported by this tool yet.  To configure it, please follow the Fleet documentation at https://fleetdm.com/docs/configuration/yaml-files#macos-setup
```
In the moment, it wasn't clear to me or the customer what had to be
done. This update provides the context (where the `macos_setup`
configuration is supposed to exist) as well as an example of what it
should look like.
2025-10-24 17:32:03 -05:00
Tim Lee
c5d7c9f626
31970 NPM vuln support (#33100) 2025-10-24 12:54:57 -06:00
Victor Lyuboslavsky
0db1b472a1
Okta conditional access configs (#34566)
**Related issue:** Resolves #34533

This is the first sub-task out of several. Changes file will be added in
a subsequent PR.

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)

## Testing

- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually

## New Fleet configuration settings

- [x] Setting(s) is/are explicitly **excluded** from GitOps

## Summary by CodeRabbit

* **New Features**
  * Added Okta Conditional Access support (IDP, ACS URL, audience, certificate) and exposed conditional access in AppConfig/API
  * App activity logging for adding/removing Okta conditional access

* **Bug Fixes**
  * Fixed typo in conditional access validation messaging

* **Tests**
  * Added tests for Okta Conditional Access lifecycle, license gating, and GitOps export exclusion

* **Documentation**
  * Added audit-log entries for Okta conditional access add/delete
2025-10-24 10:11:14 -05:00
Steven Palmesano
e15d4afcb6
Add CSP to disable lock screen slide show (#34551)
Using a workaround described
[here](https://github.com/fleetdm/fleet/issues/33731#issuecomment-3423354681)
to get the verification to succeed.

---------

Co-authored-by: Dale Ribeiro <dale@fleetdm.com>
2025-10-23 16:15:57 -04:00
Jake Stenger
c9e589f142
two more (#34678) 2025-10-23 15:47:22 -04:00
Graham Williams
92bf89f235
Create enable built-in Admin Approval Mode - [UseAdminApprovalMode].xml (#34680)
- Enables the
[UserAccountControl_UseAdminApprovalMode](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#useraccountcontrol_useadminapprovalmode)
setting
- MDMPolicyManager Merge successful
- Policy verifies in FleetUI

2025-10-23 13:49:03 +01:00
Graham Williams
c78a047dff
Create disable diagnostic data - [CommercialId].xml (#34679)
- Disables the
[CommercialId](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-datacollection#commercialidpolicy)
setting
- MDMPolicyManager Merge successful
- Policy verifies in FleetUI

2025-10-23 13:48:51 +01:00
Jake Stenger
d8865f369a
Doc/solutions/windows cleanup (#34676)
Consolidates all the CSPs from the spreadsheet into one location.
Removes CmdID keys from all CSPs.
2025-10-22 19:59:12 -07:00
Harrison Ravazzolo
346da470b8
Refactor SCEP configuration for Okta certificate (#34674)
Updated SCEP configuration for Okta attestation certificate
installation, including placeholders for various parameters.
2025-10-22 18:30:54 -07:00
Jake Stenger
81faf4e9cb
organize files into platform, function folders. Standardize filenames… (#34659)
… for easier readability. Standardize on 2-space indentation.
2025-10-22 17:07:33 -04:00
Noah Talerman
7849306684
[API reference] Fix broken "filters" anchor link (#34608) 2025-10-22 14:55:47 -05:00
Matt Rebelo
a029dcfa3e
Update single-sign-on-sso.md (#34651)
adding end user authentication dialog to Google Workspace configuration
section as well

**Related issue:** Resolves #

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.

- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes

## Testing

- [ ] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one host's records do not affect another)

- [ ] QA'd all new/changed functionality manually

For unreleased bug fixes in a release candidate, one of:

- [ ] Confirmed that the fix is not expected to adversely impact load
test results
- [ ] Alerted the release DRI if additional load testing is needed

## Database migrations

- [ ] Checked schema for all modified tables for columns that will
auto-update timestamps during migration.
- [ ] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [ ] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).

## New Fleet configuration settings

- [ ] Setting(s) is/are explicitly excluded from GitOps

If you didn't check the box above, follow this checklist for
GitOps-enabled settings:

- [ ] Verified that the setting is exported via `fleetctl
generate-gitops`
- [ ] Verified the setting is documented in a separate PR to [the GitOps
documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485)
- [ ] Verified that the setting is cleared on the server if it is not
supplied in a YAML file (or that it is documented as being optional)
- [ ] Verified that any relevant UI is disabled when GitOps mode is
enabled

## fleetd/orbit/Fleet Desktop

- [ ] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [ ] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [ ] Verified that fleetd runs on macOS, Linux and Windows
- [ ] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
2025-10-22 14:54:51 -05:00
Mason Buettner
b3fa01a144
Add disable-insider-ui-page.ps1 (#34499)
This script disables the UI page where users can opt into the Windows
insider program.


# Checklist for submitter

If some of the following don't apply, delete the relevant line.

## Testing

- [x] QA'd all new/changed functionality manually

---------

Co-authored-by: Dale Ribeiro <dale@fleetdm.com>
2025-10-22 13:57:12 -04:00
Graham Williams
4dc76ec838
Create windows-device-privacy-speechrecognition-disabled.xml (#34505)
- Uses randomly generated UUID for the CmdID as required by [CmdID
Specs](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mdm/d7321df8-ecb2-4c81-8a24-54630bc7456f)
- Created **Device** profile to disable the setting as required based on
[Microsoft
Docs](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#bootstartdriverinitialization)
- Profiles return as **Verified** in FleetUI
- Event Viewer shows no errors
- Ability to enable service disabled

---------

Co-authored-by: Dale Ribeiro <dale@fleetdm.com>
2025-10-22 13:02:55 -04:00
Brock Walters
d4dabf4783
Add configuration to block user account details on sign-in (#34622) 2025-10-22 12:59:12 -04:00
Harrison Ravazzolo
bb4717da1f
Enable SmartScreen, Prompt for user elevation CSP (#34445) 2025-10-22 12:51:25 -04:00
Graham Williams
27bbebc122
Create windows-device-systemservices-simptcp-disabled.xml (#34502)
- Uses randomly generated UUID for the CmdID as required by [CmdID
Specs](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mdm/d7321df8-ecb2-4c81-8a24-54630bc7456f)
- Created **Device** profile to disable the setting as required based on
[Microsoft
Docs](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#bootstartdriverinitialization)
- Profiles return as **Verified** in FleetUI (Requires device restart)
- Event Viewer shows no errors
- Service shows as disabled
2025-10-22 10:09:59 +01:00
Graham Williams
e08b34c8e2
Create windows-device-remoteassistance-disabled.xml (#34503)
- Uses randomly generated UUID for the CmdID as required by [CmdID
Specs](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mdm/d7321df8-ecb2-4c81-8a24-54630bc7456f)
- Created **Device** profile to disable the setting as required based on
[Microsoft
Docs](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#bootstartdriverinitialization)
- Profiles return as **Verified** in FleetUI (Requires device restart)
- Event Viewer shows no errors
- Requesting Remote Assist fails

Co-authored-by: Dale Ribeiro <dale@fleetdm.com>
2025-10-22 10:09:36 +01:00
Graham Williams
3144b1eacc
Create windows-device-networkaccess-everyonepermissions.xml (#34508)
- Uses randomly generated UUID for the CmdID as required by [CmdID
Specs](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mdm/d7321df8-ecb2-4c81-8a24-54630bc7456f)
- Created **Device** profile to disable the setting as required based on
[Microsoft
Docs](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#networkaccess_leteveryonepermissionsapplytoanonymoususers)
- Profiles return as **Verified** in FleetUI
- Event Viewer shows no errors

Co-authored-by: Dale Ribeiro <dale@fleetdm.com>
2025-10-22 10:09:21 +01:00
Dale Ribeiro
b0895b9e23
Added acccount-lock-out.xml (#34619) 2025-10-21 18:02:44 -04:00
Noah Talerman
3b2717f4fd
YAML reference (#34604)
Use serial numbers for labels example. Serial numbers is best practice.
2025-10-21 14:15:57 -05:00
Harrison Ravazzolo
fdc184fe58
Windows CSP - Spotlight config + Okta scep (#34589) 2025-10-21 08:47:50 -07:00
George Karr
33650644c8
Update sprint retrospective guidelines with tool recommendations (#34543) 2025-10-20 15:22:43 -05:00
Rachael Shaw
7ed4aac2b8
Docs v4.75.0 (#34443)
Documentation changes for the 4.75 release

---------

Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com>
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Co-authored-by: Victor Lyuboslavsky <2685025+getvictor@users.noreply.github.com>
Co-authored-by: Ian Littman <iansltx@gmail.com>
Co-authored-by: Noah Talerman <noahtal@umich.edu>
Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com>
Co-authored-by: Magnus Jensen <magnus@fleetdm.com>
Co-authored-by: Jordan Montgomery <elijah.jordan.montgomery@gmail.com>
Co-authored-by: Tim Lee <timlee@fleetdm.com>
Co-authored-by: Janis Watts <184028114+jmwatts@users.noreply.github.com>
Co-authored-by: Sarah Gillespie <73313222+gillespi314@users.noreply.github.com>
Co-authored-by: Mike Thomas <78363703+mike-j-thomas@users.noreply.github.com>
2025-10-17 17:45:52 -05:00
jacobshandling
5f626e2a8c
Add gigs_all_disk_space vital collection, storage, service, and UI rendering for Linux hosts (#34077)
## Addresses #31671 

- [x] Changes file added for user-visible changes in `changes/`
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)

## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually

## Database migrations

- [x] Checked schema for all modified tables for columns that will
auto-update timestamps during migration.


## Summary by CodeRabbit

* **New Features**
  * Added total disk space metrics for all partitions on Linux hosts. The disk space indicator now displays comprehensive storage information including root partition and all other partitions, improving visibility into host storage capacity.


---------

Co-authored-by: Jacob Shandling <jacob@fleetdm.com>
2025-10-17 08:24:23 -07:00
RachelElysia
1ef91fe4e3
Feature: Script only package e2e followup (#34271)
Co-authored-by: Carlo DiCelico <carlo@fleetdm.com>
2025-10-17 10:54:00 -04:00
Allen Houchins
6a04a40c9a
Refine JIT user provisioning description in SSO docs (#34434)
Clarified explanation of JIT user provisioning and account creation
process.
2025-10-17 09:08:33 -05:00
Zach Wasserman
004e473887
Add query for MCP configurations (#34404)
**Related issue:** Part of #29969
2025-10-16 17:55:55 -05:00
Brock Walters
92a58851fa
Added new Set_ScreenSaverGracePeriod.ps1 script (#34340)
This script is part of the CSA project to create Windows controls for
customer-rembrandt.
2025-10-16 11:08:36 -05:00
Graham Williams
2f6cacb09d
Create Profile: Disable Local Administrator (#34344)
- Administrator account starts as enabled: True
- Profile verifies: True
- Administrator account disabled after apply: True

2025-10-16 11:08:04 -05:00
Ian Littman
e48d8033a9
Map manjaro-arm platform (#34357)
Resolves #34318. Thx @jmwatts for the QA on this!

- [x] QA'd all new/changed functionality manually
2025-10-16 11:00:05 -05:00
Noah Talerman
0e9bba4774
YAML reference: Typo: "self_service" (#34202) 2025-10-14 17:06:25 -05:00
jacobshandling
05b8ba4a32
Update gitops labels docs (#34207)
Small docs fixes
2025-10-14 17:06:01 -05:00
Tim Lee
2b18caaee1
Add Jetbrains plugins (#34024) 2025-10-14 09:01:45 -06:00
Ian Littman
bbc36bbc83
Fall back to app filename when ingesting macOS apps that have no display name/bundle name and run.sh as the bundle executable (#34176)
Fixes #34157. Seen on Steam games, which also don't have a bundle ID.

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.

- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)

## Testing

- [x] QA'd all new/changed functionality manually
2025-10-13 17:33:20 -05:00
Mason Buettner
e78ad1b9ca
Fix typo in REST API "Request certificate" (#34092)
Changes:
 - Changed "isseud" to "issued" in `idp_client_id`.
2025-10-10 12:06:02 -05:00
Noah Talerman
9034d13b65
API reference: Clarify 'pending' (#33960) 2025-10-08 16:47:31 -04:00
Victor Lyuboslavsky
e274738b9d
Instructions to create a public mTLS reverse proxy (#33906)
**Related issue:** Resolves #33165

Doc updates only.
2025-10-08 14:46:33 -05:00
Zach Wasserman
41c53860e3
Add support for VSCode fork extensions in software inventory (#33595)
**Related issue:** Resolves #31397

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.

- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)

## Testing

- [x] Added/updated automated tests

- [x] QA'd all new/changed functionality manually

---------

Co-authored-by: Jacob Shandling <jacob@fleetdm.com>
2025-10-07 14:05:22 -07:00
Harrison Ravazzolo
9e3cab666e
Update doc assets (#33740)
After talking with eng team and @nonpunctual, the /assets folder is
reserved for things inside the fleet app, so creating a new folder in
`/docs/solutions`

@AdamBaali - I updated your article paths and moved the assets to the
new folder, do you mind taking a peek and making sure it looks good?

Note: brock, we should also update handbook for new ritual to add
articles with assets like this.

---------

Co-authored-by: Brock Walters <153771548+nonpunctual@users.noreply.github.com>
2025-10-07 13:02:36 -06:00
Rachael Shaw
75104bfbcb
Rename "Single sign-on options" settings page to "Single sign-on (SSO)" (#33946)
As part of https://github.com/fleetdm/fleet/issues/25798, we planned to
rename "Single sign-on options" to "Single sign-on (SSO)". However, we
missed adding a check for the copy change in the test plan, so we didn't
catch that the change didn't make it in.

The documentation/guide changes referencing the new page name were
already merged as part of 4.71.
2025-10-07 13:38:37 -05:00
Rachael Shaw
b94aba24aa
Remove duplicate certificate authorities example from YAML docs (#33931)
There was an extra one left over from merging in doc updates.
2025-10-07 08:59:30 -05:00
Gabriel Hernandez
95c559fbab
Add host platform to mdm enrolled and mdm unenrolled activity details (#33858)
**Related issue:** Fixes #33807

Adds missing host platform key to mdm enrolled and mdm unenrolled
activity details api response data. This allows the UI to display the
activities properly

- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
2025-10-07 14:22:37 +01:00
Rachael Shaw
48cb0908cd
Docs v4.74.0 (#33879)
Documentation changes for 4.74

---------

Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com>
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Co-authored-by: Victor Lyuboslavsky <2685025+getvictor@users.noreply.github.com>
Co-authored-by: Ian Littman <iansltx@gmail.com>
Co-authored-by: Noah Talerman <noahtal@umich.edu>
Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com>
Co-authored-by: Magnus Jensen <magnus@fleetdm.com>
Co-authored-by: Jordan Montgomery <elijah.jordan.montgomery@gmail.com>
Co-authored-by: Janis Watts <184028114+jmwatts@users.noreply.github.com>
Co-authored-by: Allen Houchins <32207388+allenhouchins@users.noreply.github.com>
2025-10-06 17:03:10 -05:00
Noah Talerman
46df8f8274
API reference: Remove errant key (#33898) 2025-10-06 17:01:11 -05:00
Noah Talerman
e1ca48f549
Supported host operating systems (#33861)
- openSUSE 15.6+
- Lowercase "openSUSE"

Support added in the following user story:
- #32778
2025-10-06 11:59:35 -05:00
Lucas Manuel Rodriguez
527c2230e9
Add support for legacy Company portal SSO extension (#33796)
Resolves #33319

- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.

## Testing

- [X] QA'd all new/changed functionality manually
2025-10-03 17:56:38 -03:00