Changes:
- Updated the `receive-redirect-from-microsoft` endpoint to redirect
users to their Fleet instance if an Entra admin did not consent to the
permissions requested by Fleet's compliance partner integration.
- Fixed a bug that prevented users from being redirected to their Fleet
instance if their Entra configuration is missing a required group
- Updated the `receive-redirect-from-microsoft` endpoint to require a
`state` input
Related to: #32228
Changes:
- Updated the `receive-redirect-from-microsoft` endpoint to assign the
created compliance policy to an Entra ID group named "Fleet conditional
access"
Fixes #30483
## Summary by CodeRabbit
* **New Features**
* Added a new webhook endpoint to track GitHub Projects v2 item status
changes and record engineering metrics.
* Integrated with Google BigQuery for storing and analyzing issue status
transition data.
* **Chores**
* Introduced a new POST API route for receiving GitHub Projects v2 item
events.
* Added configuration options for GitHub webhook secrets and Google
Cloud service account keys (commented out for future use).
* Added a new dependency for Google BigQuery integration.
---------
Co-authored-by: Eric <eashaw@sailsjs.com>
Related to: https://github.com/fleetdm/fleet/issues/31986
Changes:
- Updated Microsoft proxy endpoints to log API responses from Microsoft
when it runs for Fleet's dogfood integration.
<ins>*🌐 IT and Enablement:*</ins>
- Rename "🌐 Digital Experience" to "🌐 IT and Enablement" dept
- Rename "digital-experience.rituals.yml" to
"it-and-enablement.rituals.yml"
<ins>*🧑‍🚀 People*</ins>
- Create 🧑‍🚀 People dept
- Create "people.rituals.yml"
<ins>*🔭 CEO*</ins> (<= WHY? To maintain the [structure of the
handbook](https://fleetdm.com/handbook/company/leadership#outline-of-departmental-page-structure).)
- Create 🔭 CEO page and link to leadership
- Create ceo.rituals.yml
<ins>*💸 Finance*</ins>
- Renamed label "#g-finance" to ":help-finance" to match the rest of the
departmental labels.
---------
Co-authored-by: Eric <eashaw@sailsjs.com>
Closes: https://github.com/fleetdm/fleet/issues/31506
Changes:
- Updated the `create-android-enterprise` action to return a 409
response if a database record already exists for the Android enterprise.
Closes: https://github.com/fleetdm/confidential/issues/11365
Changes:
- Updated the User model's supported `primaryBuyingSituation` values.
- Updated the /start questionnaire to use the new
`primaryBuyingSituation` values.
- Updated the contact form to use the new `primaryBuyingSituation`
values.
Closes: https://github.com/fleetdm/fleet/issues/30914
Changes:
- Updated the `deliver-apple-csr` endpoint to return a
`csrMissingRequiredValue` response when the provided unsigned CSR data
does not contain a required value.
Closes #30935
Changes:
- Updated created-android-signup-url to return a bad request response if
a provided callback URL cannot be used to create an Android Enterprise
signup URL.
Changes:
- Updated the `deliver-contact-form-message` action to send contact form
messages to our support email address
- Changed the subject of contact form messages sent by Fleet Premium
subscribers ("New contact form message" » "New Fleet Premium customer
message")
Closes: https://github.com/fleetdm/confidential/issues/11370
Changes:
- Updated the receive-from-zoom webhook to return a 200 response to Zoom
if a call has no transcript (e.g., the host stops the recording at the
start of the meeting).
Changes:
- Added a badRequest exit to the Microsoft compliance proxy's admin
consent redirect endpoint.
- Updated the Microsoft compliance proxy's admin consent redirect
endpoint to use the new exit if a request is missing either a tenant or
state value.
Closes: https://github.com/fleetdm/fleet/issues/30719
Changes:
- Updated the logged warnings in the receive-from-zoom webhook to
include the payload sent by Zoom if the Zoom API returns a 404 response
when the webhook attempts to get information about the call.
- Updated the receive-from-zoom webhook to log a detailed warning if a
speaker is missing an expected value.
Including Connor Hughes (MunkiMind) in "List of Humans"
## Summary by CodeRabbit
* **Chores**
* Updated the list of recognized GitHub bot and maintainer accounts to
include 'MunkiMind'.
Closes: https://github.com/fleetdm/fleet/issues/30714
Changes:
- Fixed a bug in the policy and query library pages that prevented
multi-platform queries and policies from being displayed in every
platform they are supported on.
Closes: https://github.com/fleetdm/confidential/issues/10867
Changes:
- Updated the route for the /app-library page and app details pages to
be at `/software-catalog` and added redirects.
- Updated places where we mentioned the app library to say "software
catalog" instead.
## Summary by CodeRabbit
* **New Features**
* Updated all references and navigation paths from "app library" to
"software catalog" across the website.
* Updated internal links, breadcrumbs, and share URLs to use the new
"/software-catalog" path.
* Added redirects from old "app-library" URLs to the new
"software-catalog" URLs for seamless navigation.
* **Style**
* Updated descriptive text and metadata to reflect the new "software
catalog" terminology throughout the site.
Closes https://github.com/fleetdm/confidential/issues/11135
Closes https://github.com/fleetdm/confidential/issues/11134
Changes:
- Added two new testimonials to the /testimonials and /device-management
pages
## Summary by CodeRabbit
* **New Features**
* Added two new testimonials focused on Linux desktop management,
enhancing the "Device management" section.
* Updated testimonial display order to include the new authors for
improved visibility in the relevant category.
Changes:
- Added `articles` to the list of supported article categories in the
build-static-content script.
- Added a route for articles in the articles category.
- Updated the `view-basic-article` action to support the new `articles`
category.
Changes:
- Added a script that sets `fleetPremiumTrialLicenseKey` and
`fleetPremiumTrialLicenseKeyExpiresAt` values on all User records.
- Added a new email template to inform users that they have a new Fleet
premium trial available.
- Added the announcement banner to the /login, /register, and /try-fleet
pages.
Closes: https://github.com/fleetdm/confidential/issues/11058
Changes:
- Updated the receive from clay webhook to log a warning and return a
`couldNotCreateActivity` response if it receives information about a
contact record with no account record associated with it.
Closes: https://github.com/fleetdm/confidential/issues/10675
Changes:
- Added a new webhook: `receive-from-zoom`. When this webhook receives
an event indicating that a call recording is done processing, this
webhook will build the transcript and send it and information about the
call to a Zapier webhook, where it will be added to a new Google doc.
Related to: https://github.com/fleetdm/fleet/issues/26521
Changes:
- Added two pages that will be used for the Microsoft compliance proxy
(`/microsoft-compliance-partner/turn-on-mdm` &
`/microsoft-compliance-partner/remediate`)
Related to: https://github.com/fleetdm/fleet/issues/26270
Changes:
- Added a new database model: `AndroidEnterprise`
- Added one new website dependency: `googleapis@148.0.0`
- Added `android-proxy/create-android-signup-url`: an endpoint that
returns a signup url used to grant access to Fleet's Android MDM
integration.
- Added `android-proxy/create-android-enterprise`: An endpoint that
creates an Android enterprise for a Fleet server
- Added `android-proxy/create-android-enrollment-token`: An endpoint
that returns an enrollment token for an Android enterprise
- Added `android-proxy/modify-android-policies`: An endpoint used to
update policies of an Android enterprise
- Added `android-proxy/delete-one-android-enterprise`: an endpoint that
deletes an Android enterprise
---------
Co-authored-by: Victor Lyuboslavsky <victor@fleetdm.com>
Changes:
- Created a new database model: `MicrosoftComplianceTenant`. A model
that stores information about compliance tenants
- Added `/policies/is-cloud-customer`: a policy that blocks requests to
Microsoft proxy endpoints if a `MS API KEY` header is missing or does
not match a new config variable
(`sails.custom.config.cloudCustomerCompliancePartnerSharedSecret`)
- Added `microsoft-proxy/create-compliance-partner-tenant`: an action
that creates a database record for a new compliance tenant and generates
an API key that is used to authenticate future requests to Microsoft
proxy endpoints for an Entra tenant.
- Added `microsoft-proxy/get-compliance-partner-settings`: an action
that returns information about Fleet's compliance partner Entra
application and the Entra tenant's admin consent status (whether or not
a tenant's Entra admin has granted permissions to Fleet's compliance
partner application)
- Added `microsoft-proxy/get-tenants-admin-consent-status`: an action
that updates the admin consent status of a compliance tenant record.
- Added `microsoft-proxy/setup-compliance-partner-tenant`: an action
that provisions a compliance tenant, creates a compliance policy for
macOS devices, and assigns the created policy to the built-in "All users"
user group on the tenant's Entra instance.
- Added `microsoft-proxy/update-one-devices-compliance-status`: an
action that receives information about a device on a compliance tenant's
Fleet instance, sends that information to their Entra instance, and
returns the message ID returned by the asynchronous Entra API.
- Added `microsoft-proxy/get-one-compliance-status-result`: an action
that returns the result of a compliance status update from the Entra
API.
- Added `sails.helpers.microsoft-proxy.get-access-token-and-api-urls`: a
helper that gets an access token for a tenant's Entra instance and the
URLs of the API endpoints the Microsoft proxy actions use for a tenant.
- Added `scripts/send-entra-heartbeat-requests`: a script that will run
daily to keep all Microsoft compliance integrations provisioned.
---------
Co-authored-by: Lucas Rodriguez <lucas@fleetdm.com>
Closes: https://github.com/fleetdm/confidential/issues/10921
Changes:
- Updated the registration form to direct users who don't have a work
email or don't want to create an account to the /try-fleet page.
- Updated the try-fleet page to have a box directing users who want to
demo Fleet Premium features to sign up for an account.
- Updated the try-fleet page's view action to generate trial licenses
for logged-in users who do not have a trial license key.