<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#43273
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [X] Added/updated automated tests
- Added new test for this case (policies without software automation
being pushed by two different users), verified it fails on main and
passes on this branch
- [X] QA'd all new/changed functionality manually
- [X] Verified that changing `webhooks_and_tickets_enabled` on a policy
AND running gitops as another user doesn't wipe stats
- [X] Verified that changing `query` on a policy and running gitops does
wipe stats
- [X] Verified that changing `query` on a policy and running gitops does
wipe stats
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Fixed an issue where policy stats were incorrectly reset during GitOps
policy updates. Policy statistics now remain accurate when policies are
re-applied without modification to installation or script
configurations.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#41484
Unreleased bug.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **License Enforcement Updates**
* Team-scoped Mobile Device Management operations now require a premium
license. Free-tier users will receive an error when attempting to create
or manage team-level MDM declarations and profiles.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Register AWS VPN Client in fleet configs: add an IdP group label (IdP
group: SAML-aws-vpn), include that label in default.yml, and add
aws-vpn-client/darwin to fleet_maintained_apps (self_service=true,
labeled for the SAML-aws-vpn group). Add a dynamic label for macOS hosts
with AWS VPN Client installed (bundle id com.amazonaws.acvc.osx) and add
a macOS patch policy to surface/update hosts with out-of-date AWS VPN
Client. These changes enable inventorying, self-service installation,
and patch tracking for the AWS VPN Client.
Remove wording that suggested deleting/uninstalling apps from resolution
text in fleet-maintained app patch policies. Updated macOS and Windows
policy files to only advise updating via Self-service or each app's
built-in update functionality (no mention of deleting/uninstalling).
Affected files:
it-and-security/lib/macos/policies/patch-fleet-maintained-apps.yml and
it-and-security/lib/windows/policies/patch-fleet-maintained-apps.yml.
Update .github/workflows/dogfood-gitops.yml to raise the fleet-gitops
job timeout from 10 to 30 minutes. This prevents premature cancellation
for longer-running steps (e.g., runner hardening and related tasks).
Our workflow is starting to timeout now that we have more apps being
applied via GitOps.
## Summary
- Adds a new commented-out testimonial entry to
`handbook/company/testimonials.yml` sourced from a LinkedIn comment (URN
7279546151945519104) on Mike Meyer's Foursquare-to-Fleet migration post.
- The entry is commented out per handbook instructions since it contains
TODO placeholders that need to be filled in manually from the LinkedIn
comment (requires authentication to access).
- The LinkedIn comment URL:
https://www.linkedin.com/feed/update/urn:li:activity:7267672056970788866/?dashCommentUrn=urn%3Ali%3Afsd_comment%3A%287279546151945519104%2Curn%3Ali%3Aactivity%3A7267672056970788866%29
## TODO before merging
The following fields need to be filled in from the LinkedIn comment
(requires logging in to LinkedIn to view):
1. `quote` - The text of the comment
2. `quoteAuthorName` - The commenter's name
3. `quoteAuthorJobTitle` - The commenter's job title
4. `quoteAuthorProfileImageFilename` - Upload the commenter's profile
image and update the filename
5. `productCategories` - Verify the correct category (currently set to
`[Device management]`)
6. `quoteLinkUrl` - Verify or update to the commenter's LinkedIn profile
URL if preferred
---
Built for [Dan
Gordon](https://fleetdm.slack.com/archives/C0AN44FQC01/p1775665779923419?thread_ts=1775661619.633759&cid=C0AN44FQC01)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
---------
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
Co-authored-by: Dan Gordon <daniel@fleetdm.com>
Co-authored-by: Ashish Kuthiala <53918208+akuthiala@users.noreply.github.com>
Bumps
[github.com/aws/aws-sdk-go-v2/service/lambda](https://github.com/aws/aws-sdk-go-v2)
from 1.72.0 to 1.88.5.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="b9b0c6553b"><code>b9b0c65</code></a>
Release 2025-10-16</li>
<li><a
href="e2bc8a0ec6"><code>e2bc8a0</code></a>
Regenerated Clients</li>
<li><a
href="8691ee380a"><code>8691ee3</code></a>
Update API model</li>
<li><a
href="51e8a3fe03"><code>51e8a3f</code></a>
bump to go1.23 (<a
href="https://redirect.github.com/aws/aws-sdk-go-v2/issues/3211">#3211</a>)</li>
<li><a
href="ad2d36cba7"><code>ad2d36c</code></a>
Release 2025-10-15</li>
<li><a
href="19a35d639f"><code>19a35d6</code></a>
Regenerated Clients</li>
<li><a
href="35cb02fd50"><code>35cb02f</code></a>
Update endpoints model</li>
<li><a
href="f673a1b0a8"><code>f673a1b</code></a>
Update API model</li>
<li><a
href="48421fd812"><code>48421fd</code></a>
Release 2025-10-14</li>
<li><a
href="fedcba778c"><code>fedcba7</code></a>
Regenerated Clients</li>
<li>Additional commits viewable in <a
href="https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.72.0...service/s3/v1.88.5">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts page](https://github.com/fleetdm/fleet/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bump Cursor to 3.0.12 and Docker to 4.67.0: update installer URLs and
SHA256 hashes, add 'patched' SQL queries for version checks in Windows
outputs, and normalize default_categories from "Developer Tools" to
"Developer tools" in winget inputs and outputs.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#42512
---------
Co-authored-by: Luke Heath <luke@fleetdm.com>
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** For #40015
* Moves repeated empty mocks into a new `setupEmptyGitOpsMocks` method
* Adds new "deprecation" tests:
* In TestGitOpsFullGlobal, TestGitOpsFullTeam and
TestGitOpsFullGlobalAndTeam tests "kitchen sink" with both new and
deprecated keys
* Added keys and checks to verify `setup_experience`,
`apple_business_manager` and `volume_purchasing_program` configs
* Consolidated map of deprecated -> new GitOps keys in one place
Related to #40309
Changes:
- Added ee/fleet-agent-downloader/ - A Sails app that has a single page
locked behind SSO that end-users can use to download a Fleet installer
hosted in an S3 bucket.
Related to: https://github.com/fleetdm/fleet/issues/42738
Changes:
- Uncommented and updated the code that replaces text content in double
parentheses with `<bubble>` elements in build-static-content to not
replace content inside of `<code>` elements
- Created a `<bubble>` component based on the ((bubbles)) in the
Sails.js docs.
Fixed filename which was breaking rendering of the page. Fixed extra
spaces on code blocks. Also added more headers for cleaner reading, and
added a link to the end of the page to get to the raw text for easy
copying that can be dropped right in for AI input.
This PR automatically updates both 1Password macOS version policy and
Safari version policy for dogfood.
The changes were generated automatically by the
[dogfood-automated-policy-updates
workflow](https://github.com/fleetdm/fleet/actions/workflows/dogfood-automated-policy-updates.yml).
Co-authored-by: allenhouchins <32207388+allenhouchins@users.noreply.github.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#42680
This manually modified outputs/apps.json since currently it only adds
new FMAs and cannot update existing ones from ingestion. It looks like
the install/uninstall scripts changed a bit, but I was able to install
and uninstall it successfully on a VM.
<img width="1150" height="48" alt="image"
src="https://github.com/user-attachments/assets/dad9f5f6-1f21-4169-aed5-33fb25cb666b"
/>
Patch policy for up to date version seems to work too.
<img width="863" height="49" alt="image"
src="https://github.com/user-attachments/assets/a706794d-885f-4a5c-abc5-b65c26ba7733"
/>
This pull request enhances the safety of the `linux_wipe.sh` script by
ensuring that destructive file operations do not affect network-mounted
filesystems. The changes introduce checks to detect network filesystems,
prevent accidental deletion of remote data, and improve the reliability
of wipe operations by avoiding crossing filesystem boundaries.
**Network filesystem safety improvements:**
* Added a `NETWORK_FS_TYPES` variable and functions to detect and
unmount network filesystems, preventing the script from deleting data on
NFS, CIFS, SMB, SSHFS, and similar mounts.
(`ee/server/service/embedded_scripts/linux_wipe.sh`)
[[1]](diffhunk://#diff-7ac85220cbd45e63481837a405dacf198822a4fbf885b88f89b9bc870c947fccR3-R4)
[[2]](diffhunk://#diff-7ac85220cbd45e63481837a405dacf198822a4fbf885b88f89b9bc870c947fccR17-R84)
* Introduced an `unmount_network_filesystems` function called before
wiping operations to unmount all detected network filesystems.
(`ee/server/service/embedded_scripts/linux_wipe.sh`)
* Added an `is_network_mount` function to skip wiping any path residing
on a network filesystem.
(`ee/server/service/embedded_scripts/linux_wipe.sh`)
**Safe file deletion enhancements:**
* Implemented a `safe_rm` function that ensures file deletions do not
cross filesystem boundaries, using `rm --one-file-system` or `find
-xdev` as a fallback. All destructive operations now use this wrapper.
(`ee/server/service/embedded_scripts/linux_wipe.sh`)
* Updated `wipe_non_essential_data` and `wipe_system_files` to use
`safe_rm` and to skip paths on network filesystems.
(`ee/server/service/embedded_scripts/linux_wipe.sh`)
These changes significantly reduce the risk of deleting data on remote
or shared filesystems during a wipe operation.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves #
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [ ] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [ ] QA'd all new/changed functionality manually
For unreleased bug fixes in a release candidate, one of:
- [ ] Confirmed that the fix is not expected to adversely impact load
test results
- [ ] Alerted the release DRI if additional load testing is needed
## Database migrations
- [ ] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [ ] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [ ] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
## New Fleet configuration settings
- [ ] Setting(s) is/are explicitly excluded from GitOps
If you didn't check the box above, follow this checklist for
GitOps-enabled settings:
- [ ] Verified that the setting is exported via `fleetctl
generate-gitops`
- [ ] Verified the setting is documented in a separate PR to [the GitOps
documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485)
- [ ] Verified that the setting is cleared on the server if it is not
supplied in a YAML file (or that it is documented as being optional)
- [ ] Verified that any relevant UI is disabled when GitOps mode is
enabled
## fleetd/orbit/Fleet Desktop
- [ ] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [ ] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [ ] Verified that fleetd runs on macOS, Linux and Windows
- [ ] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
---------
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
## Changes
- Added `FLEET_OSQUERY_POLICY_UPDATE_INTERVAL` environment variable set
to `30m` in the dogfood Terraform configuration
- This configures osquery policy updates to occur every 30 minutes in
the dogfood environment
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#42841
This change is just new columns in a table. No other functional changes.
# Checklist for submitter
## Testing
- [x] Added/updated automated tests
## Database migrations
- [x] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added tracking for Windows device enrollment configuration status,
including timestamps indicating when devices entered the
awaiting-configuration state to improve enrollment lifecycle management.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
