Related to https://github.com/fleetdm/confidential/issues/12052
Changes:
- updated the get-enriched helper to use the coresignal's new search API
endpoints
- Updated the `intercept()`s in the get-enriched helper to log warnings
if an error is returned by the coresignal API
Changes:
- Updated the `receive-redirect-from-microsoft` endpoint to redirect
users to their Fleet instance if an Entra admin did not consent to the
permissions requested by Fleet's compliance partner integration.
- Fixed a bug that prevented users from being redirected to their Fleet
instance if their Entra configuration is missing a required group
- Updated the `receive-redirect-from-microsoft` endpoint to require a
`state` input
Related to: #32228
Changes:
- Updated the `receive-redirect-from-microsoft` endpoint to assign the
created compliance policy to an Entra ID group named "Fleet conditional
access"
Fixes#30483
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added a new webhook endpoint to track GitHub Projects v2 item status
changes and record engineering metrics.
* Integrated with Google BigQuery for storing and analyzing issue status
transition data.
* **Chores**
* Introduced a new POST API route for receiving GitHub Projects v2 item
events.
* Added configuration options for GitHub webhook secrets and Google
Cloud service account keys (commented out for future use).
* Added a new dependency for Google BigQuery integration.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Eric <eashaw@sailsjs.com>
Related to: https://github.com/fleetdm/fleet/issues/31986
Changes:
- Updated Microsoft proxy endpoints to log API responses from Microsoft
when it runs for Fleet's dogfood integration.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [ ] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [ ] QA'd all new/changed functionality manually
For unreleased bug fixes in a release candidate, one of:
- [ ] Confirmed that the fix is not expected to adversely impact load
test results
- [ ] Alerted the release DRI if additional load testing is needed
## Database migrations
- [ ] Checked table schema to confirm autoupdate
- [ ] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [ ] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [ ] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
## New Fleet configuration settings
- [ ] Setting(s) is/are explicitly excluded from GitOps
If you didn't check the box above, follow this checklist for
GitOps-enabled settings:
- [ ] Verified that the setting is exported via `fleetctl
generate-gitops`
- [ ] Verified the setting is documented in a separate PR to [the GitOps
documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485)
- [ ] Verified that the setting is cleared on the server if it is not
supplied in a YAML file (or that it is documented as being optional)
- [ ] Verified that any relevant UI is disabled when GitOps mode is
enabled
## fleetd/orbit/Fleet Desktop
- [ ] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [ ] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [ ] Verified that fleetd runs on macOS, Linux and Windows
- [ ] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
<ins>*🌐 IT and Enablement:*</ins>
- Rename "🌐 Digital Experience" to "🌐 IT and Enablement" dept
- Rename "digital-experience.rituals.yml" to
"it-and-enablement.rituals.yml"
<ins>*🧑🚀 People*</ins>
- Create 🧑🚀 People dept
- Create "people.rituals.yml"
<ins>*🔭 CEO*</ins> (<= WHY? To maintain the [structure of the
handbook](https://fleetdm.com/handbook/company/leadership#outline-of-departmental-page-structure).)
- Create 🔭 CEO page and link to leadership
- Create ceo.rituals.yml
<ins>*💸 Finance*</ins>
- Renamed label "#g-finance" to ":help-finance" to match the rest of the
departmental labels.
---------
Co-authored-by: Eric <eashaw@sailsjs.com>
Closes: https://github.com/fleetdm/fleet/issues/31506
Changes:
- Updated the `create-android-enterprise` action to return a 409
response if a database record already exists for the Android enterprise.
Closes: https://github.com/fleetdm/confidential/issues/11365
Changes:
- Updated the User model's supported `primaryBuyingSituation` values.
- Updated the /start questionnaire to use the new
`primaryBuyingSituation` values.
- Updated the contact form to use the new `primaryBuyingSituation`
values.
Closes: https://github.com/fleetdm/fleet/issues/30914
Changes:
- Updated the `deliver-apple-csr` endpoint to return a
`csrMissingRequiredValue ` response when the provided unsigned CSR data
does not contain a required value.
Closes#30935
Changes:
- Updated created-android-signup-url to return a bad request response if
a provided callback URL cannot be used to create an Android Enterprise
signup URL.
Changes:
- Updated the `deliver-contact-form-message` action to send contact form
messages to our support email address
- Changed the subject of contact form messages sent by Fleet Premium
subscribers ("New contact form message" » "New Fleet Premium customer
message")
Closes: https://github.com/fleetdm/confidential/issues/11370
Changes:
- Updated the receive-from-zoom webhook to return a 200 response to Zoom
if a call has no transcript (e.g., the host stops the recording at the
start of the meeting).
Changes:
- Added a badRequest exit to the Microsoft compliance proxy's admin
consent redirect endpoint.
- Updated the Microsoft compliance proxy's admin consent redirect
endpoint to use the new exit if a request is missing either a tenant or
state value.
Closes: https://github.com/fleetdm/fleet/issues/30719
Changes:
- Updated the logged warnings in the receive-from-zoom webhook to
include the payload sent by zoom if the zoom API returns a 404 response
when the webhook attempts to get information about the call.
- Updated the receive-from-zoom webhook to log a detailed warning if a
speaker is missing an expected value.
Including Connor Hughes (MunkiMind) in "List of Humans"
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated the list of recognized GitHub bot and maintainer accounts to
include 'MunkiMind'.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Closes: https://github.com/fleetdm/fleet/issues/30714
Changes:
- Fixed a bug in the policy and query library pages that prevented
multi-platform queries and policies from being displayed in every
platform they are supported on.
Closes: https://github.com/fleetdm/confidential/issues/10867
Changes:
- Updated the route for the /app-library page and app details pages to
be at `/software-catalog` and added redirects.
- Updated places where we mentioned the app library to say "software
catalog" instead.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Updated all references and navigation paths from "app library" to
"software catalog" across the website.
* Updated internal links, breadcrumbs, and share URLs to use the new
"/software-catalog" path.
* Added redirects from old "app-library" URLs to the new
"software-catalog" URLs for seamless navigation.
* **Style**
* Updated descriptive text and metadata to reflect the new "software
catalog" terminology throughout the site.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Closes https://github.com/fleetdm/confidential/issues/11135
Closes https://github.com/fleetdm/confidential/issues/11134
Changes:
- Added two new testimonials to the /testimonials and /device-management
pages
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added two new testimonials focused on Linux desktop management,
enhancing the "Device management" section.
* Updated testimonial display order to include the new authors for
improved visibility in the relevant category.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Changes:
- Added `articles` to the list of supported article categories in the
build-static-content script.
- Added a route for articles in the articles category.
- Updated the `view-basic-article` action to support the new `articles`
category.
Changes:
- Added a script that sets a `fleetPremiumTrialLicenseKey` and
`fleetPremiumTrialLicenseKeyExpiresAt` values on all User records.
- Added a new email template to inform users that they have a new Fleet
premium trial available.
- Added the announcement banner to the /login, /register, and /try-fleet
pages.
Closes: https://github.com/fleetdm/confidential/issues/11058
Changes:
- Updated the receive from clay webhook to log a warning and return a
`couldNotCreateActivity` response if it receives information about a
contact record with no account record associated with it.
Closes: https://github.com/fleetdm/confidential/issues/10675
Changes:
- Added a new webhook: `receive-from-zoom`. When this webhook receives
an event indicating that a call recording is done processing, this
webhook will build the transcript and send it and information about the
call to a Zapier webhook, where it will be added to a new Google doc.
Related to: https://github.com/fleetdm/fleet/issues/26521
Changes:
- Added two pages that will be used for the Microsoft compliance proxy
(`/microsoft-compliance-partner/turn-on-mdm` &
`/microsoft-compliance-partner/remediate`)
Related to: https://github.com/fleetdm/fleet/issues/26270
Changes:
- Added a new database model: `AndroidEnterprise`
- Added one new website dependency: `googleapis@148.0.0`
- Added `android-proxy/create-android-signup-url`: an endpoint that
returns a signup url used to grant access to Fleet's Android MDM
integration.
- Added `android-proxy/create-android-enterprise`: An endpoint that
creates an Android enterprise for a Fleet server
- Added `android-proxy/create-android-enrollment-token`: An endpoint
that returns an enrollment token for an Android enterprise
- Added `android-proxy/modify-android-policies`: An endpoint used to
update policies of an Android enterprise
- Added `android-proxy/delete-one-android-enterprise`: an endpoint that
deletes an Android enterprise
---------
Co-authored-by: Victor Lyuboslavsky <victor@fleetdm.com>
Changes:
- Created a new database model: `MicrosoftComplianceTenant`. A model
that stores information about complaince tenants
- Added `/policies/is-cloud-customer`: a policy that blocks requests to
microsoft proxy endpoints if a `MS API KEY` header is missing or does
not match a new config variable
(`sails.custom.config.cloudCustomerCompliancePartnerSharedSecret`)
- Added `microsoft-proxy/create-compliance-partner-tenant`: an action
that creates a database record for a new compliance tenant and generates
an API key that is used to authenticate future requests to microsoft
proxy endpoints for an entra tenant.
- Added `microsoft-proxy/get-compliance-partner-settings`: an action
that returns information about Fleet's complaince partner entra
application and the entra tenant's admin consent status (whether or not
a tenant's entra admin has granted permissions to Fleet's compliance
partner application)
- Added `microsoft-proxy/get-tenants-admin-consent-status`: an action
that updates the admin consent status of a compliance tenant record.
- Added `microsoft-proxy/setup-compliance-partner-tenant`: an action
that provisions a compliance tenant, creates a complaince policy for
macOS devices assigns the created policy to the built-in "All users"
user group on the tenants entra instance.
- Added `microsoft-proxy/update-one-devices-compliance-status`: an
action that receives information about a device on a compliance tenant's
Fleet instance, sends that information to their Entra instance, and
returns the messsage ID returned by the asynchronus Entra API.
- Added `microsoft-proxy/get-one-compliance-status-result`: an action
that returns the result of a compliance status update from the Entra
API.
- Added `sails.helpers.microsoft-proxy.get-access-token-and-api-urls` A
helper that gets an access token for a tenant's entra instance and the
URLs of the API endpoints the microsoft proxy actions use for a tenant.
- Added `scripts/send-entra-heartbeat-requests` A script that will run
daily to keep all microsoft compliance integrations provisioned.
-
---------
Co-authored-by: Lucas Rodriguez <lucas@fleetdm.com>
Closes: https://github.com/fleetdm/confidential/issues/10921
Changes:
- Updated the registration form to direct users who don't have a work
email or don't want to create an account to the /try-fleet page.
- Updated the try-fleet page to have a box directing users who want to
demo Fleet Premium features to sign up for an account.
- Updated the try-fleet page's view action to generate trial licenses
for logged-in users who do not have a trial license key.
Closes: https://github.com/fleetdm/confidential/issues/10697
Changes:
- Updated the update-or-create-contact-and-account helper to handle
duplicate record errors returned from the CRM. It will now use the first
duplicate record returned by the CRM and update it so it will be
correctly matched on subsequent runs of the helper.
