**Related issue:** Resolves#35413
Applied the same fix as in
https://github.com/fleetdm/fleet/pull/29186/files:
- Added musl-tools to the container image. This provides musl-gcc, a
compiler that links against musl libc instead of glibc. We use it for
static linking as explained below.
- Added static linking flags (CGO_ENABLED=1 CC=musl-gcc -linkmode
external -extldflags "-static"). This produces a self-contained binary
with all C library code embedded, eliminating runtime dependencies on
the host system's glibc version.
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [ ] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one host's records do not affect another)
- [x] QA'd all new/changed functionality manually
Steps:
- Started TUF server for the first time. Generated a Linux x86_64 image.
```
SYSTEMS="linux" \
DEB_FLEET_URL=https://nicofleet.ngrok.io \
DEB_TUF_URL=http://nicotuf.ngrok.io \
GENERATE_DEB=1 \
ENROLL_SECRET=tm2CHBEF1I5BVuM1+4hzRRtpC5ZYV8vb \
FLEET_DESKTOP=1 \
DEBUG=1 \
./tools/tuf/test/main.sh
```
- Installed `fleet-osquery_26.1.46030_amd64.deb` generated by the
previous command on a Kubuntu 20.04 x86_64 VM.
- Ran `sudo journalctl -u orbit` to debug logs and verified that the
GLIBC incompatibility error was raised:
```
tammi 22 15:36:53 nicolas-Standard-PC-i440FX-PIIX-1996 sudo[125623]: pam_unix(sudo:session): session opened for user nicolas by (uid=0)
tammi 22 15:36:53 nicolas-Standard-PC-i440FX-PIIX-1996 orbit[125624]: /opt/orbit/bin/desktop/linux/stable/fleet-desktop/fleet-desktop: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.32' not found (required by /opt/orbit/bin/desktop/linux/stable/fleet-desktop/fleet-desktop)
tammi 22 15:36:53 nicolas-Standard-PC-i440FX-PIIX-1996 orbit[125624]: /opt/orbit/bin/desktop/linux/stable/fleet-desktop/fleet-desktop: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by /opt/orbit/bin/desktop/linux/stable/fleet-desktop/fleet-desktop)
tammi 22 15:36:53 nicolas-Standard-PC-i440FX-PIIX-1996 sudo[125623]: pam_unix(sudo:session): session closed for user nicolas
tammi 22 15:37:08 nicolas-Standard-PC-i440FX-PIIX-1996 orbit[125199]: 2026-01-22T15:37:08+02:00 INF killing any pre-existing fleet-desktop instances
tammi 22 15:37:09 nicolas-Standard-PC-i440FX-PIIX-1996 orbit[125199]: 2026-01-22T15:37:09+02:00 INF attempting to get user session type and display id=1000 user=nicolas
tammi 22 15:37:09 nicolas-Standard-PC-i440FX-PIIX-1996 orbit[125199]: 2026-01-22T15:37:09+02:00 ERR failed to get X11 display, using default :0 error="display not found on who output"
```
- Built a new version of the agent after applying the fixes on this PR
and pushed it to the TUF server:
```
# 1. Hardcode orbit to a higher version
export ORBIT_VERSION=26.1.46099
# 2. Generate new package
FLEET_DESKTOP_VERSION=$ORBIT_VERSION make desktop-linux
# 3. Update to TUF server
./tools/tuf/test/push_target.sh linux desktop desktop.tar.gz $ORBIT_VERSION
```
<img width="396" height="179" alt="Screenshot 2026-01-22 at 5 18 25 PM"
src="https://github.com/user-attachments/assets/56182580-1d54-4945-af03-98762e7795e9"
/>
- In the VM, verified that an update for fleet desktop was detected by
running `sudo journalctl -u orbit -g "update detected"`:
```
tammi 22 20:33:32 nicolas-Standard-PC-i440FX-PIIX-1996 orbit[4114]: 2026-01-22T20:33:32+02:00 INF update detected target=desktop
```
- Verified the new version is shown both on the desktop icon and the
Fleet UI:
<img width="1373" height="248" alt="Screenshot 2026-01-22 at 5 22 17 PM"
src="https://github.com/user-attachments/assets/9fac73ac-a3a6-49ed-82c7-261abec43798"
/>
<img width="1420" height="496" alt="Screenshot 2026-01-22 at 5 22 46 PM"
src="https://github.com/user-attachments/assets/55321108-9233-4799-b5e5-0713172c0138"
/>
## fleetd/orbit/Fleet Desktop
- [ ] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [ ] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [x] Verified that fleetd runs on macOS, Linux and Windows
- [x] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
Resolves#33762 & #38094
Added a new `alternative-browser-host` global config property for Fleet Desktop. If set, Fleet Desktop will use it over the `--fleet-desktop-alternative-browser-host` env variable to open any Fleet Desktop related links (i.e. My Device, etc.).
Resolves#35006.
See
https://github.com/fleetdm/fleet/issues/35006#issuecomment-3693239452.
Output when running the dirty check on `main`:
```
make desktop-app-tar-gz
go run ./tools/desktop macos
{"level":"info","command":"/Users/lucas/go/bin/go build -o Fleet Desktop.app/Contents/MacOS/fleet-desktop_amd64 -ldflags -X=main.version= ./orbit/cmd/desktop","time":"2025-12-30T08:38:20-03:00","message":"Build fleet-desktop executable amd64"}
{"level":"info","command":"/Users/lucas/go/bin/go build -o Fleet Desktop.app/Contents/MacOS/fleet-desktop_arm64 -ldflags -X=main.version= ./orbit/cmd/desktop","time":"2025-12-30T08:38:23-03:00","message":"Build fleet-desktop executable arm64"}
{"level":"info","output":"On branch test-branch-dirty\nUntracked files:\n (use \"git add <file>...\" to include in what will be committed)\n\tFleet Desktop.app/\n\nnothing added to commit but untracked files present (use \"git add\" to track)\n","time":"2025-12-30T08:38:26-03:00","message":"git status"}
Error: detected dirty executable: {Path:github.com/fleetdm/fleet/v4 Version:v4.43.5-0.20251230113816-9bae7b475999+dirty Sum: Replace:<nil>}
exit status 1
make: *** [desktop-app-tar-gz] Error 1
```
Output on this branch:
```
make desktop-app-tar-gz
go run ./tools/desktop macos
{"level":"info","command":"/Users/lucas/go/bin/go build -o Fleet Desktop.app/Contents/MacOS/fleet-desktop_amd64 -ldflags -X=main.version= ./orbit/cmd/desktop","time":"2025-12-30T08:39:43-03:00","message":"Build fleet-desktop executable amd64"}
{"level":"info","command":"/Users/lucas/go/bin/go build -o Fleet Desktop.app/Contents/MacOS/fleet-desktop_arm64 -ldflags -X=main.version= ./orbit/cmd/desktop","time":"2025-12-30T08:39:47-03:00","message":"Build fleet-desktop executable arm64"}
Generated desktop.app.tar.gz successfully.
```
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## fleetd/orbit/Fleet Desktop
- [X] Verified that fleetd runs on macOS
- [X] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
Resolves#37340.
These two issues are present on installations that used `fleetctl` (with
the `.sha512` caching optimization for `.tar.gz`) to generate the fleetd
installers.
I also recently hit this issue while releasing osqueryd to `edge` and
when releasing fleetd.
# Issue 1
First update of a `.tar.gz` component like Fleet Desktop on macOS/Linux
after installation doesn't work; second update after installation does
work:
1. Pushing a first update to TUF after the installation does the removal
of `.sha512` to `.tar.gz`, but contents are not extracted.
2. Pushing a second update to TUF after (1) does the `.tar.gz` update
and correctly updates.
How to reproduce locally:
```
# Create TUF repository
SYSTEMS="macos linux-arm64 windows-arm64" \
PKG_FLEET_URL=https://localhost:8080 \
PKG_TUF_URL=http://localhost:8081 \
DEB_FLEET_URL=https://host.docker.internal:8080 \
DEB_TUF_URL=http://host.docker.internal:8081 \
MSI_FLEET_URL=https://host.docker.internal:8080 \
MSI_TUF_URL=http://host.docker.internal:8081 \
GENERATE_PKG=1 \
GENERATE_DEB_ARM64=1 \
GENERATE_MSI_ARM64=1 \
ENROLL_SECRET=q6BjogOT6E04UmxrtZdXCE54fe89m35J \
FLEET_DESKTOP=1 \
USE_FLEET_SERVER_CERTIFICATE=1 \
DEBUG=1 \
./tools/tuf/test/main.sh
# Remove current installation in macOS.
sudo ./it-and-security/lib/macos/scripts/uninstall-fleetd-macos.sh remove
# Install the package
sudo installer -pkg fleet-osquery.pkg -target /
# Check version shown in Fleet Desktop icon (e.g. N)
# Update "Fleet Desktop" component to N+1.
source ./tools/tuf/test/load_orbit_version_vars.sh
echo $ORBIT_VERSION
FLEET_DESKTOP_VERSION=$ORBIT_VERSION make desktop-app-tar-gz
./tools/tuf/test/push_target.sh macos desktop desktop.app.tar.gz $ORBIT_VERSION
# Check version shown in Fleet Desktop icon, and it doesn't update (that's the bug).
# Update "Fleet Desktop" component to N+2.
source ./tools/tuf/test/load_orbit_version_vars.sh
echo $ORBIT_VERSION
FLEET_DESKTOP_VERSION=$ORBIT_VERSION make desktop-app-tar-gz
./tools/tuf/test/push_target.sh macos desktop desktop.app.tar.gz $ORBIT_VERSION
# Check version shown in Fleet Desktop icon, and now it updated to N+2.
```
# Issue 2
Installing on top of existing installation (re-install). Less likely to
happen but still an issue.
Re-installation of packages does not delete existing stuff at
`/opt/orbit/bin/`/`C:\Program Files\Orbit`.
So, e.g. `ls /opt/orbit/bin/desktop/macos/stable/` after a re-install
shows:
- desktop.app.tar.gz from before the installation.
- sha512 of the installed package.
- Fleet Desktop/ of the installed package.
It runs the version that came with the package, but not the updated
version.
This is fixed by a subsequent update after the re-install.
How to reproduce locally:
```
# Create TUF repository.
SYSTEMS="macos linux-arm64 windows-arm64" \
PKG_FLEET_URL=https://localhost:8080 \
PKG_TUF_URL=http://localhost:8081 \
DEB_FLEET_URL=https://host.docker.internal:8080 \
DEB_TUF_URL=http://host.docker.internal:8081 \
MSI_FLEET_URL=https://host.docker.internal:8080 \
MSI_TUF_URL=http://host.docker.internal:8081 \
GENERATE_PKG=1 \
GENERATE_DEB_ARM64=1 \
GENERATE_MSI_ARM64=1 \
ENROLL_SECRET=q6BjogOT6E04UmxrtZdXCE54fe89m35J \
FLEET_DESKTOP=1 \
USE_FLEET_SERVER_CERTIFICATE=1 \
DEBUG=1 \
./tools/tuf/test/main.sh
# Remove and install the package in macOS
sudo ./it-and-security/lib/macos/scripts/uninstall-fleetd-macos.sh remove
sudo installer -pkg fleet-osquery.pkg -target /
# Push a new update for "Fleet Desktop" (e.g. N+1).
source ./tools/tuf/test/load_orbit_version_vars.sh
echo $ORBIT_VERSION
FLEET_DESKTOP_VERSION=$ORBIT_VERSION make desktop-app-tar-gz
./tools/tuf/test/push_target.sh macos desktop desktop.app.tar.gz $ORBIT_VERSION
# Re-install the original installer
sudo installer -pkg fleet-osquery.pkg -target /
# Check version shown in Fleet Desktop icon, it says N instead of N+1 (that's the bug).
# A new push to TUF of N+2 fixes the issue.
```
# More info
Both issues happen also with `osqueryd` in macOS which comes bundled as
an `osqueryd.app.tar.gz`.
---
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [X] QA'd all new/changed functionality manually
## fleetd/orbit/Fleet Desktop
- [X] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [X] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [X] Verified that fleetd runs on macOS, Linux and Windows
- [X] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
## Summary by CodeRabbit
* **Bug Fixes**
* Fixed auto-update mechanism for .tar.gz components to properly manage
cached hashes and ensure stale extracted contents are cleaned up during
re-downloads following hash mismatches.
**Related issue:** Resolves#35852
Tested by adding a small (100 ms, but even smaller should work) sleep in
the goroutine before calling renewReceiver.Run(), which simulates the
active goroutine being preempted and the other running before it gets
scheduled again. When I did this it would hang and timeout every time
before the fix. After the fix I never saw a timeout over 500 runs, with
the sleep added and without.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
Fixing the following warning:
```
$ make fleet
[...]
# github.com/shoenig/go-m1cpu
../../gopath/pkg/mod/github.com/shoenig/go-m1cpu@v0.1.6/cpu.go:75:17: warning: variable length array folded to constant array as an extension [-Wgnu-folding-constant]
../../gopath/pkg/mod/github.com/shoenig/go-m1cpu@v0.1.6/cpu.go:77:16: warning: variable length array folded to constant array as an extension [-Wgnu-folding-constant]
```
PS: This warning happens when building fleet because we need to decouple
the client code from `server/service`... (hopefully to be done as part
of https://github.com/fleetdm/fleet/issues/36087)
**Related issue:** Resolves#37134, resolves#37127
# Details
This PR turns off Orbit's end-user authentication features for macOS
(leaving them in place for Windows and Linux). macOS has its own
end-user auth flows (either through ADE or through the /enroll
endpoint), and the one put in place for Windows/Linux was interfering
with those. It would be good to get this properly sorted out so that all
devices are gated at the same point (currently manually-enrolled macOS
devices enroll to Fleet prior to end-user auth, rather than after) but
we need to unblock enrollment for macs in the meantime!
# Checklist for submitter
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [ ] QA'd all new/changed functionality manually
- [X] mac
- [x] linux
- [x] windows
## fleetd/orbit/Fleet Desktop
- [X] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [X] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [x] Verified that fleetd runs on macOS, Linux and Windows
- [ ] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
---------
Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com>
UPDATE: @noahtalerman: I updated this PR to just include the contributor
example. I assigned myself the guide update issue:
- #34279
For the guide, we want to open a PR against the `docs-v4.77.0` branch
instead of main.
---
**Related issue:** Wont resolve: #34279
---------
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Fixes#33793.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [ ] QA'd all new/changed functionality manually
## fleetd/orbit/Fleet Desktop
- [ ] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [ ] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [ ] Verified that fleetd runs on macOS, Linux and Windows
- [ ] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
**Related issue:** Resolves#31924
# Details
This fixes an unreleased issue that caused Orbit to silently fail to
open a browser window on Windows. This was originally tested by running
Orbit from source on Windows, which did not reproduce the issue because
I was running it as the logged-in user rather than as the administrator.
The fix is to use existing code in the main Orbit code to open the
browser window using the `execUser` package, rather than using the
`open` package which doesn't attempt to run as the GUI user.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
## Testing
- [X] QA'd all new/changed functionality manually
Tested on both Windows and Linux using TUF-installed packages, verified
that the SSO window opens as expected when end-user auth is turned on
and user is not logged in, and that setup experience window opens as
expected after SSO is complete, and that it opens when SSO is not
needed.
For unreleased bug fixes in a release candidate, one of:
- [X] Confirmed that the fix is not expected to adversely impact load
test results
**Related issue:** Resolves#35548
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually (QAed on macOS)
## fleetd/orbit/Fleet Desktop
- [x] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [x] Verified that fleetd runs on macOS, Linux and Windows (Not
manually checked, but this change should not impact it)
Fixes#32239.
This changes tags to return a comma-delimited list on multiple tags, the
single tag when there's only one, and "is not set" (similar to other
values) when no tags are set.
Confirmed that this allows us to run `SELECT * FROM falconctl_options`
without issue on various configurations of Crowdstrike Falcon on Linux.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
## fleetd/orbit/Fleet Desktop
- [x] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [x] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
**Related issue:** For #34528
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
Fixes#33967, #33193, #35149.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [ ] QA'd all new/changed functionality manually
## fleetd/orbit/Fleet Desktop
- [x] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [x] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [x] Verified that fleetd runs on macOS, Linux (skipped Windows due to
runtime.GOOS gating)
- [ ] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
**Related issue:** Resolves#34528
# Details
This PR implements the agent changes for allowing Fleet admins to
require that users authenticate with an IdP prior to having their
devices set up. I'll comment on changes inline but the high-level is:
1. Orbit calls the enroll endpoint as usual. This is triggered lazily by
any one of a number of subsystems like device token rotation or
requesting Fleet config
2. If the enroll endpoint returns the new `ErrEndUserAuthRequired`
response, then it opens a window to the `/mdm/sso` Fleet page and
retries the enroll endpoint every 30 seconds indefinitely.
3. Any other non-200 response to the enroll request is treated as before
(limited # of retries, with backoff)
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
Will add changelog when story is done.
## Testing
- [X] Added/updated automated tests
Added test for new retry logic
- [X] QA'd all new/changed functionality manually
This is kinda hard to test without the associated backend PR:
https://github.com/fleetdm/fleet/pull/34835
## fleetd/orbit/Fleet Desktop
- [X] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
This is compatible with all Fleet versions, since older ones won't send
the new error.
- [X] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
This is compatible with all platforms, although it currently should only
ever run on Windows and Linux since macOS devices will have end-user
auth taken care of before they even download Orbit.
- [ ] Verified that fleetd runs on macOS, Linux and Windows
Testing this now.
- [ ] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
## Summary by CodeRabbit
* **New Features**
* Added SSO (Single Sign-On) enrollment support for end-user
authentication
* Enhanced error messaging for authentication-required scenarios
* **Bug Fixes**
* Improved error handling and retry logic for enrollment failures
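The enrollment loop sketched in steps 1 to 3 of the Details above, as an added example in Go that is not Orbit's own code. ErrEndUserAuthRequired, EnrollPolicy, EnrollOutcome and the retry budget and backoff numbers are this example's assumptions; only the 30-second polling interval comes from the PR text. Sleep and the browser opener are injectable so both regimes (indefinite polling while end-user auth is pending, bounded backoff for anything else) can be exercised without waiting, and a pending login is deliberately never counted against the retry budget.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// ErrEndUserAuthRequired is a stand-in for the server response that tells the
// agent an IdP login must finish before enrollment can proceed (the name follows
// the PR text; it is not Fleet's actual type).
var ErrEndUserAuthRequired = errors.New("end user authentication required")

// EnrollPolicy separates the two retry regimes: unbounded polling on a fixed
// interval while end-user auth is pending, and a bounded number of backed-off
// retries for any other failure.
type EnrollPolicy struct {
	AuthPollInterval time.Duration       // cadence while waiting for SSO to complete
	MaxRetries       int                 // retries allowed for other non-200 responses
	InitialBackoff   time.Duration       // first delay for other failures, doubled each time
	MaxBackoff       time.Duration       // cap on that delay
	Sleep            func(time.Duration) // injectable so tests never actually wait
	OpenSSOWindow    func() error        // opens the browser at the SSO page
}

// EnrollOutcome records what the loop did so callers and tests can inspect it.
type EnrollOutcome struct {
	Attempts       int
	SSOWindowsOpen int
	Err            error // nil on success
}

// Enroll calls enroll until it succeeds or the bounded retry budget is exhausted.
// An auth-required response opens the SSO window once per pending-auth episode
// and never counts against the budget: the wait ends when the user completes
// login, not on a timer.
func (p EnrollPolicy) Enroll(enroll func() error) EnrollOutcome {
	var out EnrollOutcome
	backoff := p.InitialBackoff
	failures, awaitingAuth := 0, false
	for {
		out.Attempts++
		err := enroll()
		if err == nil {
			return out
		}
		if errors.Is(err, ErrEndUserAuthRequired) {
			if !awaitingAuth {
				awaitingAuth = true
				out.SSOWindowsOpen++
				_ = p.OpenSSOWindow() // failing to open the browser must not stop polling
			}
			failures = 0 // a pending login is not a transient failure
			p.Sleep(p.AuthPollInterval)
			continue
		}
		awaitingAuth = false
		failures++
		if failures > p.MaxRetries {
			out.Err = fmt.Errorf("enroll failed after %d attempts: %w", out.Attempts, err)
			return out
		}
		p.Sleep(backoff)
		if backoff *= 2; backoff > p.MaxBackoff {
			backoff = p.MaxBackoff
		}
	}
}

// DefaultEnrollPolicy uses the 30-second poll interval from the PR; the retry
// budget and backoff values are assumptions for the example.
func DefaultEnrollPolicy(openSSO func() error) EnrollPolicy {
	return EnrollPolicy{
		AuthPollInterval: 30 * time.Second,
		MaxRetries:       5,
		InitialBackoff:   time.Second,
		MaxBackoff:       30 * time.Second,
		Sleep:            time.Sleep,
		OpenSSOWindow:    openSSO,
	}
}

func main() {
	// Simulated server: auth required twice, then one transient error, then success.
	responses := []error{ErrEndUserAuthRequired, ErrEndUserAuthRequired, errors.New("503 service unavailable"), nil}
	p := DefaultEnrollPolicy(func() error { fmt.Println("opening /mdm/sso in the browser"); return nil })
	p.Sleep = func(d time.Duration) { fmt.Println("would sleep", d) }
	out := p.Enroll(func() error { err := responses[0]; responses = responses[1:]; return err })
	fmt.Printf("attempts=%d windows=%d err=%v\n", out.Attempts, out.SSOWindowsOpen, out.Err)
}
```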
**Related issue:** Fixes#32902
This changes the error message swiftDialog popup for macOS MDM
migration. It will not correctly show file protocol URLs and makes the
"Contact IT" the primary button action on this popup.
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] QA'd all new/changed functionality manually
## fleetd/orbit/Fleet Desktop
- [x] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [x] Verified that fleetd runs on macOS, Linux and Windows
- [ ] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
---------
Co-authored-by: Jordan Montgomery <elijah.jordan.montgomery@gmail.com>
**Related issue:** Resolves#34330
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually (so far just macOS)
## fleetd/orbit/Fleet Desktop
- [x] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [x] Verified that fleetd runs on macOS, Linux and Windows
## Summary by CodeRabbit
* **New Features**
* Added a built-in mcp_listening_servers table to discover MCP servers
by inspecting listening ports and probing endpoints; returns process
info, server metadata, capabilities, tools, prompts, and resources
(supports macOS, Windows, Linux).
* **Tests**
* Added comprehensive unit tests covering detection, IPv6 handling, SSE
responses, and session lifecycle.
**Related issue:** Resolves#34596
# Details
This PR adds back the "legacy" macOS setup experience, and a new
`CapabilityMacOSWebSetupExperience` capability check. The legacy
experience will be shown whenever the
`CapabilityMacOSWebSetupExperience` capability is _not_ detected in the
Fleet server response.
The majority of the code is just copying the `Run` and
`startSwiftDialog` from the [4.75.1 patch
release](https://github.com/fleetdm/fleet/blob/rc-patch-fleet-v4.75.1/orbit/pkg/setup_experience/setup_experience.go)
and adding them back as `RunLegacy` and `startSwiftDialogLegacy`, then
adding the little bit of plumbing to have `Run()` call `RunLegacy()`
when the new capability is not detected.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
## Testing
- [ ] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one host's records do not affect another)
- [X] QA'd all new/changed functionality manually
Tested on a VM that the setup experience starts in "legacy" mode if
`CapabilityMacOSWebSetupExperience` is not set in the server, and that
it starts in the new web view if the capability _is_ set.
For unreleased bug fixes in a release candidate, one of:
- [X] Confirmed that the fix is not expected to adversely impact load
test results
- [ ] Alerted the release DRI if additional load testing is needed
## fleetd/orbit/Fleet Desktop
- [X] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [X] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [ ] Verified that fleetd runs on macOS, Linux and Windows
I have not re-verified this, but the changes will only run on macOS
- [ ] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
This should not be affected.
**Related issue:** Resolves#33173
**Related issue:** Resolves#33111
# Details
This is the remaining work to implement the "Stop the setup experience
when required software fails to install" feature. This didn't turn out
to be quite as straightforward as expected so I ended up doing a bit of
design-by-code and expect some feedback on the approach. I tried to make
it as low-touch as possible. The general design is:
1. In the `maybeUpdateSetupExperienceStatus` function which is called in
various places when a setup experience step is marked as completed, call
a new `maybeCancelPendingSetupExperienceSteps` function if the setup
step was marked as failed. Similarly call
`maybeCancelPendingSetupExperienceSteps` if a VPP app install fails to
enqueue.
2. In `maybeCancelPendingSetupExperienceSteps`, check whether the
specified host is macOS and whether the "RequireAllSoftwareMacOS" flag
is set in the team (or global) config. If so, mark the remaining setup
experience items as canceled and cancel any upcoming activities related
to those steps.
3. On the front-end, if the `require_all_software_macos` is set and a
software step is marked as failed, show a new failure page indicating
that setup has failed and showing details of the failed software.
4. On the agent side, when checking setup experience status, send a
`reset_after_failure` flag _only the first time_. If this flag is set,
then the code in the `/orbit/setup_experience/status` handler will clear
and re-queue any failed setup experience steps (but leave successful
steps to avoid re-installing already-installed software). This
facilitates re-starting the setup experience when the host is rebooted.
I also updated the way that software (packages and VPP) is queued up for
the setup experience to be ordered alphabetically, to make it easier to
test _and_ because this is a desired outcome for a future story. Since
the order is not deterministic now, this update shouldn't cause any
problems (aside from a couple of test updates), but I'm ok taking it out
if desired.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [X] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
## Testing
- [X] Added/updated automated tests
* Added a new integration test for software packages, testing that a
failed software package causes the rest of the setup experience to be
marked as failed when `require_all_software_macos` is set, and testing
that the "reset after failure" code works.
* Added a new integration test for VPP packages, testing that a failed
VPP enqueue causes the same halting of the setup experience.
I _don't_ have a test for a failure _during_ a VPP install. It should go
through the same code path as the software package failure, so it's not
a huge gap.
- [ ] QA'd all new/changed functionality manually
Working on it
## fleetd/orbit/Fleet Desktop
- [X] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [X] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [X] Verified that fleetd runs on macOS, Linux and Windows
## Summary by CodeRabbit
- New Features
  - Configurable option to halt macOS device setup if any software install
    fails.
  - Device setup page now shows a clear “Device setup failed” state with
    expandable error details when all software is required on macOS.
- Improvements
  - Setup status now includes per-step error messages for better
    troubleshooting.
  - Pending setup steps are automatically canceled after a failure when
    applicable, with support to reset and retry the setup flow as
    configured.
---------
Co-authored-by: Ian Littman <iansltx@gmail.com>
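The cancel-on-failure and reset-after-failure logic described in the design above, as an added illustration that is not Fleet's own code: the step model, `markStep` and `resetAfterFailure` are hypothetical names and assume a flat list of per-host step statuses rather than Fleet's database tables.

```go
package main

type Status string // hypothetical step state; not Fleet's own type

const (
	Pending   Status = "pending"
	Success   Status = "success"
	Failure   Status = "failure"
	Cancelled Status = "cancelled"
)

type Step struct {
	Name   string
	Status Status
	Error  string
}

// markStep records a step outcome; on failure, if the host is macOS and
// require_all_software_macos is set, all not-yet-run steps are cancelled.
func markStep(steps []Step, name string, st Status, errMsg string, isMacOS, requireAll bool) int {
	for i := range steps {
		if steps[i].Name == name {
			steps[i].Status, steps[i].Error = st, errMsg
		}
	}
	if st != Failure || !isMacOS || !requireAll {
		return 0 // other platforms or flag unset: remaining steps keep running
	}
	cancelled := 0
	for i := range steps {
		if steps[i].Status == Pending {
			steps[i].Status, steps[i].Error = Cancelled, "cancelled: "+name+" failed"
			cancelled++
		}
	}
	return cancelled
}

// resetAfterFailure models the agent's reset_after_failure flag: failed and
// cancelled steps go back to pending; successful steps are left alone.
func resetAfterFailure(steps []Step) int {
	n := 0
	for i := range steps {
		if steps[i].Status == Failure || steps[i].Status == Cancelled {
			steps[i].Status, steps[i].Error = Pending, ""
			n++
		}
	}
	return n
}
```

A second reset on the same list is a no-op, which is why the agent only needs to send the flag once per boot.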
**Related issue:** For #33111
Fixes a possible race condition introduced in
https://github.com/fleetdm/fleet/issues/33884 which saw a test failure
[here](https://github.com/fleetdm/fleet/actions/runs/18454713591/job/52574112376#step:14:3571).
# Checklist for submitter
## Testing
- [ ] Added/updated automated tests
Existing test is sufficient, will circle back if it fails again.
- [X] QA'd all new/changed functionality manually
Verified that Fleet Desktop still opens My Device page correctly and
token rotation logs are still seen.
For unreleased bug fixes in a release candidate, one of:
- [X] Confirmed that the fix is not expected to adversely impact load
test results
**Related issue:** For #33111
# Details
This PR updates the setup experience for macOS to use a web view pointed
at the device's "Setting up your device" page rather than using native
macOS UI elements, bringing it more in line with Linux and Windows setup
experiences.
This covers only the new web UI for the setup experience progress, _not_
the UI for the new case of blocking the device when a piece of software
fails to install. I'll add that in a separate PR.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [X] Added/updated automated tests
Added tests for the updates to the token rotation code.
- [X] QA'd all new/changed functionality manually
A new tool is provided to allow testing this code against a virtual
machine if a separate host that you can wipe and run setup on is not
available. See
https://github.com/fleetdm/fleet/blob/sgress454/new-setup-experience/tools/mdm/apple/setupexperience/README.md
for details.
## Summary by CodeRabbit
- New Features
  - macOS setup experience moved to a new web-based UI.
  - Automatic device token rotation during setup to keep sessions valid.
- Bug Fixes
  - More reliable setup flow with improved dialog lifecycle and cleaner
    handoff to web content.
  - Dialog elements hidden/cleared appropriately when transitioning to the
    browser.
- Documentation
  - Added guide and tool to simulate the macOS setup experience on a VM,
    with prerequisites and usage steps.