<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#33418 (this OS update change is unrelated
to the bigger Windows delete part of the story)
<img width="598" height="438" alt="image"
src="https://github.com/user-attachments/assets/7dca50c6-5ca4-4c54-b57f-c98dda5fb4d1"
/>
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Windows update deadline and grace period settings can now be cleared,
allowing removal of update enforcement policies.
* **Bug Fixes**
* Updated validation logic to properly handle empty deadline and grace
period fields.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#42311
- Fixes ID collision on Users table (causing users to not be rendered
when an existing user's ID matches an invited user's ID).
- Fixes total users count.
- Fixes `isResettingCurrentUser` check.
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] QA'd all new/changed functionality manually
#### Before
- ID collision caused the admin user to not be rendered on the table
(see the user with Invite pending which has id=1 as the admin does).
- Notice that we have a total of 3 users counting the response from
`users` and `invites` endpoints.
<img width="2557" height="477" alt="Screenshot 2026-03-25 at 2 46 31 PM"
src="https://github.com/user-attachments/assets/833b07f5-a0ce-4f15-94bf-79040bd03dba"
/>
<img width="2555" height="722" alt="Screenshot 2026-03-25 at 2 46 26 PM"
src="https://github.com/user-attachments/assets/5707ab37-b060-40b4-913f-864b2254076d"
/>
#### After
- All users showing.
- Updated count to reflect the sum of users + invited users above the
table.
<img width="1358" height="432" alt="Screenshot 2026-03-25 at 2 53 24 PM"
src="https://github.com/user-attachments/assets/2a995e78-0ae8-4846-a8b1-b35edd61cb02"
/>
## Summary
- Remove incorrect `color: $ui-fleet-black-75` override on `h2` elements
in the Windows automatic enrollment page
(`/settings/integrations/automatic-enrollment/windows`)
- Section headings ("MDM URLs", "Entra tenants") now inherit the global
heading color (`$core-fleet-black` / `#192147`) instead of the muted
body text color (`$ui-fleet-black-75` / `#515774`)
- This aligns the Windows page with the `SectionHeader` component
pattern and all other MDM settings pages in the Fleet UI
## Details
The `_styles.scss` for the Windows automatic enrollment page had an
explicit `color: $ui-fleet-black-75` on `h2` elements, which overrode
the global heading color set in `_global.scss` (`h1, h2, h3 { color:
$core-fleet-black; }`). This made the section headings appear in the
subdued gray color meant for body text rather than the darker color used
for all other headings across the settings UI.
### Changes
-
`frontend/pages/admin/IntegrationsPage/cards/MdmSettings/WindowsAutomaticEnrollmentPage/_styles.scss`:
Removed `color: $ui-fleet-black-75` from `h2` rule
Built for
[Mel](https://fleetdm.slack.com/archives/D0AKX7DJFCN/p1773759260523069)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#29657
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
This commit introduces support for Python (.py) scripts on macOS and
Linux, including validation for Python shebangs and updates to
documentation, UI, error messages, and backend validation logic. It also
updates tests and file upload handling to recognize and properly process
Python scripts alongside existing shell (.sh) and PowerShell (.ps1)
scripts.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves #
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [ ] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [ ] QA'd all new/changed functionality manually
For unreleased bug fixes in a release candidate, one of:
- [ ] Confirmed that the fix is not expected to adversely impact load
test results
- [ ] Alerted the release DRI if additional load testing is needed
## Database migrations
- [ ] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [ ] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [ ] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
## New Fleet configuration settings
- [ ] Setting(s) is/are explicitly excluded from GitOps
If you didn't check the box above, follow this checklist for
GitOps-enabled settings:
- [ ] Verified that the setting is exported via `fleetctl
generate-gitops`
- [ ] Verified the setting is documented in a separate PR to [the GitOps
documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485)
- [ ] Verified that the setting is cleared on the server if it is not
supplied in a YAML file (or that it is documented as being optional)
- [ ] Verified that any relevant UI is disabled when GitOps mode is
enabled
## fleetd/orbit/Fleet Desktop
- [ ] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [ ] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [ ] Verified that fleetd runs on macOS, Linux and Windows
- [ ] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
---------
Co-authored-by: Jordan Montgomery <elijah.jordan.montgomery@gmail.com>
Co-authored-by: melpike <79950145+melpike@users.noreply.github.com>
Co-authored-by: jkatz01 <yehonatankatz@gmail.com>
Co-authored-by: Jonathan Katz <44128041+jkatz01@users.noreply.github.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#41533
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [ ] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
https://github.com/user-attachments/assets/64a5f726-1e9f-4508-8726-6227813dcc77
Below I show the `Report clipped` and the `X additional results not
shown` states. For that, I manually inserted records in my DB:
```sql
-- make "clipped"
INSERT INTO query_results (query_id, host_id, last_fetched, data)
SELECT 1, t.n + 1000, NOW(), '{"fake_key": "fake_value"}'
FROM (
SELECT a.N + b.N * 10 + c.N * 100 AS n
FROM (SELECT 0 AS N UNION SELECT 1 UNION SELECT 2 UNION SELECT 3 UNION SELECT 4 UNION SELECT 5 UNION SELECT 6 UNION SELECT 7 UNION SELECT 8 UNION
SELECT 9) a,
(SELECT 0 AS N UNION SELECT 1 UNION SELECT 2 UNION SELECT 3 UNION SELECT 4 UNION SELECT 5 UNION SELECT 6 UNION SELECT 7 UNION SELECT 8 UNION
SELECT 9) b,
(SELECT 0 AS N UNION SELECT 1 UNION SELECT 2 UNION SELECT 3 UNION SELECT 4 UNION SELECT 5 UNION SELECT 6 UNION SELECT 7 UNION SELECT 8 UNION
SELECT 9) c
) t
WHERE t.n BETWEEN 1 AND 999;
-- populate extra query results
INSERT INTO query_results (query_id, host_id, last_fetched, data)
VALUES
(1, 2, NOW(), '{"pid": "9999", "version": "5.21.0"}'),
(1, 2, NOW(), '{"pid": "8888", "version": "5.20.0"}');
```
https://github.com/user-attachments/assets/8056ea4c-b042-47cf-a05f-ee9d8621252a
Pagination (manually changed to 3 items per page for testing purposes)
https://github.com/user-attachments/assets/87a97259-0821-4659-a612-c952e98a158c
## Summary
- Changed all modal "Done" dismiss/close button labels to "Close" across
48 frontend component files
- Updated instructional text in `AutoEnrollMdmModal` that referenced the
"Done" button to say "Close" instead
- Updated 7 test files to assert "Close" instead of "Done" for modal
button names
## Excluded (intentionally not changed)
- `LiveResultsHeading.tsx` — "Done" button is a page-level navigation
action, not a modal dismiss
- `AddAbmModal.tsx` — Instructional text referencing Apple Business
Manager's "Done" button
- `Calendars.tsx` — Instructional text referencing Google Calendar's
"Done" button
- `ModalFooter.stories.tsx` — Storybook demo example
Built for
[Mel](https://fleetdm.slack.com/archives/D0AKX7DJFCN/p1773674157011109?thread_ts=1773673149.649299&cid=D0AKX7DJFCN)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
---------
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
Co-authored-by: melpike <mel@fleetdm.com>
Co-authored-by: melpike <79950145+melpike@users.noreply.github.com>
## Summary
- Adds Proxyman (macOS) to the Fleet maintained apps catalog
- Input: `ee/maintained-apps/inputs/homebrew/proxyman.json`
- Output generated via ingester script
## Validation checklist
- [ ] App can be downloaded using manifest URL
- [ ] App installs successfully using manifest install script
- [ ] App exists in software inventory after install
- [ ] App uninstalls successfully using manifest uninstall script
Note: @mention #g-software Product Designer in a comment pointing to the
new icon once added.
**Related issue:** Resolves#38546
This fixes a quick error message flash on the mdm settings page when
apple mdm is turned off. We have a finally fixed an issue of stale data
on the integration page getting passed down to the mdm card when turning
apple mdm off. We now invalidate the cache of the config when apple mdm
is turned off, that way we make a request to get the most recent config
which will have the up to date data for `mdm.enabled_and_configured`.
# Checklist for submitter
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#40724
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
Resolves#36312
- Validate and trim fleet names in NewTeam, ModifyTeam, and
ApplyTeamSpecs
- Trim fleet names in gitops YAML parsing (parseName)
- Disable submit button in CreateTeamModal and RenameTeamModal when name
is whitespace-only
Adds Tor Browser as a Fleet-maintained app for macOS only.
## Changes
- **macOS**: Homebrew cask `tor-browser`, DMG installer, bundle
identifier `org.torproject.torbrowser`
- Icon sourced from the official Tor Project GitHub at 128x128
- Added to `apps.json` catalog in alphabetical order
**Note:** Windows support was dropped. Tor Browser for Windows uses a
portable installer that installs to `%LOCALAPPDATA%` (not `C:\Program
Files`), which is outside the scope of what Fleet's CI validator and
Windows install validation can detect. macOS-only is the correct scope
for this app.
## Test plan
- [ ] Verify `go run cmd/maintained-apps/main.go
--slug="tor-browser/darwin"` produces valid output
- [ ] Confirm icon renders correctly in the software catalog UI
- [ ] Confirm macOS install/uninstall scripts work on a test device
## Summary
Adds [Charles Proxy](https://www.charlesproxy.com/) as a
Fleet-maintained app for macOS.
Charles is an HTTP proxy, monitor, and reverse proxy that lets
developers view all HTTP and HTTPS traffic between their machine and the
internet. It's commonly used for debugging, testing, and network
analysis.
- macOS: DMG installer via Homebrew cask `charles`, bundle ID
`com.xk72.Charles`
- Windows: Not included — the WinGet package (`XK72.Charles`) uses an
`appx` installer type, which is not supported by Fleet's winget ingester
## Test plan
- [ ] Install Charles on a macOS host via Fleet self-service and confirm
it installs to `/Applications/Charles.app`
- [ ] Confirm `SELECT 1 FROM apps WHERE bundle_identifier =
'com.xk72.Charles';` returns a result after installation
- [ ] Uninstall Charles via Fleet and confirm the app is removed
- [ ] Confirm the Charles icon appears correctly in the Fleet UI
software catalog
- [ ] Run `go run cmd/maintained-apps/main.go --slug="charles/darwin"
--debug` and confirm no errors
Adds Krita (free and open-source digital painting application) as a
Fleet Maintained App for macOS and Windows.
## Changes
- **macOS**: Homebrew cask `krita`, DMG installer, bundle ID
`org.kde.krita`
- **Windows**: WinGet `KDE.Krita`, NSIS EXE installer with custom silent
install/uninstall scripts
- Icon generated from KDE official icon (128x128 PNG), added to icon
index
- Both platforms added to `apps.json` alphabetically (after Keka, before
LastPass)
## Testing
- macOS ingester ran successfully: `go run cmd/maintained-apps/main.go
--slug="krita/darwin" --debug`
- Windows ingester ran successfully: `go run cmd/maintained-apps/main.go
--slug="krita/windows" --debug`
- Output files generated: `ee/maintained-apps/outputs/krita/darwin.json`
and `windows.json`
## Related issue
Add Krita FMA
## Summary
- Adds Arduino IDE (macOS only) as a Fleet maintained app using Homebrew
cask `arduino-ide`
- Bundle identifier: `cc.arduino.IDE2`, installer format: DMG, version
2.3.8
- Includes app icon, install/uninstall scripts, catalog entry, and icon
component
## Test plan
- [ ] Install Arduino IDE via Fleet on a macOS device and verify it
launches
- [ ] Uninstall Arduino IDE via Fleet and verify the app and user data
are removed
- [ ] Verify the Arduino IDE icon renders correctly in the software
catalog UI
- [ ] Confirm the entry appears alphabetically in the software catalog
(after Archaeology, before Asana)
Relates to #
Resloves: #41820
## Summary
- Adds `1.5rem` vertical margin to the GitOps mode info banner on the
**Software > Add Software > Custom Packages** page
- Uses an instance-level `className` prop
(`software-custom-package__gitops-banner`) and a page-scoped SCSS rule,
following existing codebase patterns for instance-specific spacing
- Does **not** modify the shared `InfoBanner` component styles
## Changes
-
`frontend/pages/SoftwarePage/SoftwareAddPage/SoftwareCustomPackage/SoftwareCustomPackage.tsx`
— Added `className` prop to the GitOps `InfoBanner` instance
-
`frontend/pages/SoftwarePage/SoftwareAddPage/SoftwareCustomPackage/_styles.scss`
— Added `&__gitops-banner` rule with `margin: 1.5rem 0`
---
Built for [Marko
Lisica](https://fleetdm.slack.com/archives/D0AFA3M07AP/p1773750050662559?thread_ts=1773749619.263099&cid=D0AFA3M07AP)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
---------
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
Co-authored-by: RachelElysia <rachel@fleetdm.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#41742
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Fixed crashes on the "My device" page for Fleet Free instances when a
host is assigned to a team.
* Improved error handling to prevent application crashes when policy
data is unavailable.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#41652
Solution is to not pass `labels_include_any` to the payload of the PATCH
endpoint request.
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] QA'd all new/changed functionality manually
https://github.com/user-attachments/assets/7c825b92-0b03-448a-8e42-83e39a2acdf6
For unreleased bug fixes in a release candidate, one of:
- [x] Confirmed that the fix is not expected to adversely impact load
test results
- [ ] Alerted the release DRI if additional load testing is needed
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#41532
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Improved error messaging when deleting a certificate authority that is
referenced by certificate templates. Users now receive a clear,
user-friendly message instead of a generic database error.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
This PR contains identical frontend changes to those currently in
`recovery-pw-feature` - this allows separate frontend review of the code
- [x] QA'd all new/changed functionality manually
