<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#39304 (part of #25080)
Implemented similar approach to
https://github.com/fleetdm/fleet/pull/39302, with the difference that
the list policies endpoint does not include a count, and there is a
separate endpoint. I extended the count policies endpoint to include an
`inherited_policy_count`.
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
**Related issue:** Resolves#34521
Updated NDES add/edit modal:
<img width="649" height="592" alt="Screenshot 2026-01-27 at 11 29 20 PM"
src="https://github.com/user-attachments/assets/88a083e5-0ba3-40b9-9668-5cd0bfa427a1"
/>
Also - CA descriptions made consistent between modal and list:
<img width="1424" height="934" alt="Screenshot 2026-01-28 at 10 13
43 AM"
src="https://github.com/user-attachments/assets/b2266e45-30e7-40ad-b5b1-d1fa2cf97952"
/>
<img width="738" height="572" alt="Screenshot 2026-01-28 at 11 19 13 AM"
src="https://github.com/user-attachments/assets/b7e133a8-a055-41f7-b074-2f0db74f257c"
/>
- [x] Changes file added for user-visible changes in `changes/`
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added support for dynamic SCEP challenges for Okta certificates.
* **Improvements**
* Enhanced help text for NDES form fields with clearer references to
Network Device Enrollment Service configuration details.
* Align CA descriptions between cert list and cert options dropdown in
Add/Edit CA modal
* Improve organization of relevant code
<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#37008
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
Resolves#33762 & #38094
Added a new `alternative-browser-host` global config property for Fleet Desktop, if set, Fleet Desktop will use it over the `--fleet-desktop-alternative-browser-host` env variable to open any Fleet Desktop related links (i.e. My Device, etc).
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** For #33391
## Testing
- [X] Added/updated automated tests
there's a number of tests for this, if they still pass we're in good
shape
- [X] QA'd all new/changed functionality manually
I tested the front-end successfully, and saw an auto-update go through
on an ipad. Also verified that the activity metadata is correct.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#33509
All changes were approved in PRs to this feature branch.
---------
Co-authored-by: RachelElysia <71795832+RachelElysia@users.noreply.github.com>
Co-authored-by: Ian Littman <iansltx@gmail.com>
Co-authored-by: jacobshandling <61553566+jacobshandling@users.noreply.github.com>
Co-authored-by: George Karr <georgekarrv@users.noreply.github.com>
**Related issue:** Resolves#33512
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
**Related issue:** Resolves
[34890](https://github.com/fleetdm/fleet/issues/34890)
# Checklist for submitter
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [X] Added/updated automated tests
- [X] QA'd all new/changed functionality manually
## New Fleet configuration settings
Looking at other log destinations, I couldn't find anything relevant in
GitOps. Please let me know if I missed something, however.
## fleetd/orbit/Fleet Desktop
I've tested this on both Linux and MacOS.
---------
Co-authored-by: Rachael Shaw <r@rachael.wtf>
Co-authored-by: nulmete <nicoulmete1@gmail.com>
Due to a fundamental OS limitation with macos, when trying to update an
application via mdm, the os cannot replace app files while the app is
running. When this state is detected explicitly raise an error message
stating that the application needs to be closed prior to updating.
**Related issue:** Resolves#31972
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [ ] QA'd all new/changed functionality manually
---------
Co-authored-by: Scott Gress <scottmgress@gmail.com>
This pull request adds support for two new software categories,
"Security" and "Utilities", across the application. The changes ensure
these categories are available in the database, frontend type
definitions, UI elements, documentation, and are fully tested in both
migration and integration test suites.
**Database and Migration Updates:**
* Added "Security" and "Utilities" entries to the `software_categories`
table and updated initial data in `schema.sql`.
* Introduced a new migration
(`20251210000000_AddSecurityAndUtilitiesCategories.go`) to insert/remove
these categories, with an accompanying test to verify migration
behavior.
[[1]](diffhunk://#diff-57da59e73fff8f2ffccd167299027899614281c591b79715b7000bed0e9d8516R1-R31)
[[2]](diffhunk://#diff-5e6db34b45e83ec5cf2b9cb41e4bfd4ee934f456dd9c0ae4313a448d39319c72R1-R28)
**Frontend and Documentation Updates:**
* Updated the `SoftwareCategory` type and category lists to include
"Security" and "Utilities", ensuring they appear in the UI and are
selectable.
[[1]](diffhunk://#diff-4297079e443d574eb530c70ef48de3cab80e56f783c7b395d58c31c29be6bb0eL77-R79)
[[2]](diffhunk://#diff-405dcd4f0bd6881e4b20a75212467d13c143ddc486b5c9d29ed9035033c32361R25-R26)
* Added documentation for the new categories in `yaml-files.md`.
**Testing Enhancements:**
* Added and updated tests to verify the new categories are displayed and
handled correctly in both frontend and backend integration tests.
[[1]](diffhunk://#diff-d151ee297fdaf54f8ea7027bc46de12247c43406b464265f24ade5a49cb19e49R210-R211)
[[2]](diffhunk://#diff-bbd0c5a6bc2f9a24e633031d4c6a3f5b0be7cbfe78ef1b56cdf9a7a2c32e21e2R19358-R19365)
[[3]](diffhunk://#diff-2bd8ca2ddaad7aac0c438a2afd76a26872378249f757c9c81a31005d0e57cf1fR18447-R18460)
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#37305
Resolves issue that conditional access modal was not visible for
self-hosted and contained wrong copy.
## Testing
- [x] QA'd all new/changed functionality manually
For unreleased bug fixes in a release candidate, one of:
- [x] Confirmed that the fix is not expected to adversely impact load
test results
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Improvements**
* "Conditional access" automation option is now available to all users
without license restrictions.
* Enhanced conditional access detection for both Okta and Microsoft
Entra identity providers.
* Improved conditional access setup process with clearer provider
information display based on your configuration.
<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#36683
# Checklist for submitter
- [x] Added/updated automated tests
- [ ] QA'd all new/changed functionality manually
---------
Co-authored-by: Victor Lyuboslavsky <2685025+getvictor@users.noreply.github.com>
**Related issue:** Resolves#36701
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added activity tracking for Android certificate template edits and
deletions via GitOps.
* **Chores**
* Updated certificate template batch operations to track which teams
were affected by changes.
<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
**Related issue:** Resolves#36867
This updates the UI to show the mdm commands for the past and upcoming
tabs in the activity card on the host details page.
# Checklist for submitter
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [ ] Added/updated automated tests
- [ ] QA'd all new/changed functionality manually
**Related issue:** Resolves#36689
<img width="1840" height="1196" alt="Screenshot 2025-12-15 at 5 08
02 PM"
src="https://github.com/user-attachments/assets/4f491c80-403f-4188-8cab-552e997c6e9c"
/>
<img width="1840" height="1196" alt="Screenshot 2025-12-15 at 5 09
18 PM"
src="https://github.com/user-attachments/assets/b6e4d9ad-40c1-45c3-8b77-e14d17a2bc7e"
/>
<img width="1840" height="1196" alt="Screenshot 2025-12-15 at 5 09
22 PM"
src="https://github.com/user-attachments/assets/661beee2-3ee2-4269-ab0b-ca070c1a40b8"
/>
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Release Notes
* **New Features**
* Added comprehensive Android certificate management in OS Settings with
create, list, and delete operations
* Integrated certificate management with premium tier gating and MDM
enablement checks
* Supports team-scoped certificates with pagination controls
* Includes validation for certificate names and certificate authority
selection
* **Refactor**
* Generalized heading component to support multiple entity types beyond
configuration profiles
<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
### Summary
This PR adds support for `.zip` files as Windows Fleet Managed Apps
(FMAs). Zip files on Windows are treated similarly to `.exe` files and
require custom install/uninstall scripts, typically used for AppX/MSIX
packages that are distributed as zip archives.
### Changes
**Backend:**
- Added `.zip` as a supported Windows package type in
`SoftwareInstallerPlatformFromExtension`
- Updated validation to require install/uninstall scripts for zip files
(similar to `.exe` files)
- Added `addZipPackageMetadata` function to handle zip file metadata
extraction
- Updated error messages to include `.zip` in the list of supported file
types
- Enhanced `appExists` validation to detect provisioned AppX packages
(packages that are provisioned for all users but don't show up in the
programs table until a user logs in)
- Added version normalization logic to handle version string differences
(e.g., "11.2.1495.0" vs "11.2.1495")
- Updated winget ingester to recognize zip files and default to user
scope for MSIX/zip installers
**Frontend:**
- Added `.zip` to `windowsPackageTypes` in `package_type.ts`
- Updated `PackageAdvancedOptions` component to require
install/uninstall scripts for zip files
- Added validation rules for zip files in `PackageForm/helpers.tsx`
- Updated help text and tooltips to indicate script requirements for zip
packages
- Updated `software_install_scripts.ts` to include zip in default script
handling
**Maintained Apps:**
- Added Microsoft Company Portal as a maintained app example using zip
files
- Created install/uninstall PowerShell scripts that:
- Extract zip files containing AppX packages
- Provision packages for all future users (works in headless
environments)
- Install packages for the current user
- Handle both provisioned and installed package detection
**Tests:**
- Updated integration tests to include `.zip` in supported file type
error messages
- Updated unit tests for `SoftwareInstallerPlatformFromExtension` and
`SofwareInstallerSourceFromExtensionAndName`
### Use Case
This enables distribution of Windows AppX/MSIX packages that are
packaged as zip files (common for Microsoft Store apps like Company
Portal). The implementation handles both provisioned packages (for all
users) and user-installed packages, ensuring detection works in both
headless and interactive environments.
### Testing
- Updated existing tests to include zip file support
- Added Microsoft Company Portal as a maintained app example with full
install/uninstall scripts
---
**Note:** This PR follows the same pattern as `.exe` file support,
requiring custom install/uninstall scripts since zip files can contain
various content types that need custom handling.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#36088
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [X] Added/updated automated tests
- [X] QA'd all new/changed functionality manually
Saving this value currently results in a 400 response from the server
since it's not a valid key yet. We can keep this in draft until the
backend is merged if we want to e2e test with it.
### Controls -> OS Settings "Target" section
#### All platforms
- [X] Update success banner message to "Successfully updated."
<img width="200" alt="image"
src="https://github.com/user-attachments/assets/bc43ec79-41d1-4dd3-947c-8152051fd209"
/>
#### macOS / iOS / iPadOS
- [X] Update tooltip text for "Minimum version" to `Enrolled hosts are
updated to exactly this version.`
<img width="250" alt="Image"
src="https://github.com/user-attachments/assets/7d870224-395e-4bc9-937e-be599da57a97"
/>
- [X] Make "available from Apple" a link, replacing "Learn more", and
link to https://fleetdm.com/learn-more-about/apple-available-os-updates
<img width="250" height="363" alt="image"
src="https://github.com/user-attachments/assets/8191ec2d-bf0a-4cf6-9b1a-1272c0ff69b0"
/>
> Note - this URL is current a 404
- [X] Remove text referring to platform from "End user experience"
heading, i.e. it should just say "End user experience" for all platforms
where it appears, not e.g. "End user experience on macOS"
#### macOS Only
- [X] Add new "Update new hosts to latest" checkbox
<img width="316" height="406" alt="Image"
src="https://github.com/user-attachments/assets/71aec05a-b809-436d-8bfd-cd3e14b27ea1"
/>
- [X] Reflects the `macos_updates.update_new_hosts` setting for the team
or (for no team) global config (only testable via automated tests right
now)
- [X] Update End user experience text to "When a minimum version is
enforced, end users see a native macOS notification (DDM) once per day."
(see above)
### Global activity feed
- [X] When "Update new hosts to latest" is enabled, activity should say
`[Actor's name] enabled OS updates for all new macOS hosts on the [team
name] team. macOS hosts will upgrade to the lastest version when they
enroll.`
- [X] When "Update new hosts to latest" is disabled, activity should say
`[Actor's name] disabled updates for all new macOS hosts on the [team
name] team.`
(tested via automated tests)
**Related issue:** Resolves#35310
This adds the UI for the new windows mdm page. This adds an option to
allow windows hosts to manually enroll into fleet mdm.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
- [ ] Added/updated automated tests
- [ ] QA'd all new/changed functionality manually
---------
Co-authored-by: Jordan Montgomery <elijah.jordan.montgomery@gmail.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#34539
Figma:
https://www.figma.com/design/OgQ8SyLK8Sw5thXtF1eiNP/-31909-Conditional-access-w--Okta
Requires backend PR https://github.com/fleetdm/fleet/pull/35526 to view
Apple profile.
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added Okta as a conditional access provider alongside Microsoft Entra
* Users can now configure both identity providers simultaneously or use
either independently
* Updated configuration interface with new Okta-specific settings
* Redesigned UI with separate provider cards for improved clarity
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Jacob Shandling <jacob@shandling.dev>
For #33193. No changes file as this is just documentation for the table
shipping in fleetd 1.50, which has a changes file of its own.
## Testing
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#34500 and Resolves#33758
Video demo: https://www.youtube.com/watch?v=4HZlKG0G1B0
- Added a new aggregation table
`operating_system_version_vulnerabilities` for faster queries. The table
is currently used only for Linux vulnerabilities, but could be used for
other OS vulnerabilities.
- Added `max_vulnerabilities` parameter per [API
doc](https://github.com/fleetdm/fleet/pull/33533)
- Also added `max_vulnerabilities` parameter to `os_versions/{id}`
endpoint, but not making it public since that endpoint is still slow and
needs other API changes. bug #34974
- Removed `"kernels": []` from `os_versions` endpoint result
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
## Database migrations
- [x] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [x] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [x] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added ability to limit the number of vulnerabilities displayed for
operating system versions via an optional parameter.
* Introduced vulnerability count tracking for operating system versions,
now visible in API responses and UI displays.
* Enhanced operating system vulnerability visualization with improved
count-based rendering.
* **Tests**
* Added comprehensive test coverage for vulnerability limiting behavior
across multiple operating system versions and architectures.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
