Documentation changes for the 4.73.0 release
---------
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com>
Co-authored-by: Ian Littman <iansltx@gmail.com>
Co-authored-by: Victor Lyuboslavsky <2685025+getvictor@users.noreply.github.com>
Co-authored-by: Gabriel Hernandez <ghernandez345@gmail.com>
Co-authored-by: Magnus Jensen <magnus@fleetdm.com>
Co-authored-by: RachelElysia <rachel@fleetdm.com>
Co-authored-by: RachelElysia <71795832+RachelElysia@users.noreply.github.com>
Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com>
Co-authored-by: Scott Gress <scottmgress@gmail.com>
Co-authored-by: Mike Thomas <78363703+mike-j-thomas@users.noreply.github.com>
Related to:
- #30684
- @noahtalerman: Added a "Variables" section in the YAML reference so we
can link to it.
---------
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Co-authored-by: Rachael Shaw <r@rachael.wtf>
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [ ] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [ ] QA'd all new/changed functionality manually
For unreleased bug fixes in a release candidate, one of:
- [ ] Confirmed that the fix is not expected to adversely impact load
test results
- [ ] Alerted the release DRI if additional load testing is needed
## Database migrations
- [ ] Checked table schema to confirm autoupdate
- [ ] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [ ] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [ ] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
## New Fleet configuration settings
- [ ] Setting(s) is/are explicitly excluded from GitOps
If you didn't check the box above, follow this checklist for
GitOps-enabled settings:
- [ ] Verified that the setting is exported via `fleetctl
generate-gitops`
- [ ] Verified the setting is documented in a separate PR to [the GitOps
documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485)
- [ ] Verified that the setting is cleared on the server if it is not
supplied in a YAML file (or that it is documented as being optional)
- [ ] Verified that any relevant UI is disabled when GitOps mode is
enabled
## fleetd/orbit/Fleet Desktop
- [ ] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [ ] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [ ] Verified that fleetd runs on macOS, Linux and Windows
- [ ] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
Signed-off-by: Emmanuel Ferdman <emmanuelferdman@gmail.com>
Documentation changes for 4.72.0
---------
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com>
Co-authored-by: Victor Lyuboslavsky <2685025+getvictor@users.noreply.github.com>
Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com>
Co-authored-by: Ian Littman <iansltx@gmail.com>
Co-authored-by: RachelElysia <71795832+RachelElysia@users.noreply.github.com>
Co-authored-by: Noah Talerman <noahtal@umich.edu>
Co-authored-by: Mike Thomas <78363703+mike-j-thomas@users.noreply.github.com>
Summary
• Allow custom CISA vulnerability data source URL to work around blocked
requests
• Updates vulnerability sync logic to use configurable CISA endpoint
• Enables organizations to use CISA mirrors when direct access is
blocked
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
This change allows configuring a separate URL for SSO callbacks, which
is useful when organizations have different URLs for admin access vs
agent/API access.
Fixes#31480 the SSO issue where organizations with dual URL setups were
getting 'Destination does not match requested URL' errors after
upgrading to v4.71.0 with the new SAML library.
Video demo: https://www.youtube.com/watch?v=dFzNpUY3XKI
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [ ] QA'd all new/changed functionality manually
## New Fleet configuration settings
- [x] Verified that the setting is exported via `fleetctl
generate-gitops`
- [x] Verified the setting is documented in a separate PR to [the GitOps
documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485)
- Same PR since this is going to be a 4.71.1 patch
- [ ] Verified that the setting is cleared on the server if it is not
supplied in a YAML file (or that it is documented as being optional)
- [x] Verified that any relevant UI is disabled when GitOps mode is
enabled
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Summary by CodeRabbit
* **New Features**
* Added support for configuring a dedicated SSO URL, allowing
organizations to restrict SSO authentication to a specific URL.
* The new SSO URL option is available in both the UI and API
configuration settings.
* **Documentation**
* Updated configuration and API documentation to include the new SSO URL
option with usage examples.
* **Bug Fixes**
* Resolved authentication issues for organizations using separate URLs
for admin and agent/API access.
* **Tests**
* Added new unit and integration tests to verify SSO behavior with and
without the dedicated SSO URL.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Mark ndes_scep_proxy as experimental.
@rachaelshaw We already discussed this. We forgot to mark this YAML
configuration as experimental, but the API is marked as experimental. We
want to deprecate these and transition to new endpoints, as discussed
during the MDM design review, to enable better scaling of this feature.
Documentation changes for 4.71.0
---------
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Co-authored-by: Jordan Montgomery <elijah.jordan.montgomery@gmail.com>
Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com>
Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com>
Co-authored-by: Ian Littman <iansltx@gmail.com>
This was required to test https://github.com/fleetdm/fleet/pull/30864 on
Apple Silicon.
I've created https://github.com/fleetdm/fleet/issues/31092 for tracking
purposes.
Fixes:
- Build univeral binary extension on macOS to test on VMs without
Rosetta.
- Add support for linux and Windows arm64. Which is also needed to test
Linux and Windows on UTM on Apple Silicon.
- Add Linux arm64 & Windows arm64 to the test scripts.
---
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [X] Added/updated automated tests
- [X] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [X] Make sure fleetd is compatible with the latest released version of
Fleet (see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md)).
- [x] Orbit runs on macOS, Linux and Windows. Check if the orbit
feature/bugfix should only apply to one platform (`runtime.GOOS`).
- [x] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [x] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
For #27042.
Ready for review, just missing integration tests that I will be writing
today.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [X] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.
- [X] If database migrations are included, checked table schema to
confirm autoupdate
- For new Fleet configuration settings
- [X] Verified that the setting can be managed via GitOps, or confirmed
that the setting is explicitly being excluded from GitOps. If managing
via Gitops:
- [X] Verified that the setting is exported via `fleetctl
generate-gitops`
- [X] Added the setting to [the GitOps
documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485)
- [X] Verified that the setting is cleared on the server if it is not
supplied in a YAML file (or that it is documented as being optional)
- [x] Verified that any relevant UI is disabled when GitOps mode is
enabled
- For database migrations:
- [X] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [X] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [X] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
- [x] Added/updated automated tests
- [X] Manual QA for all new/changed functionality
---------
Co-authored-by: jacobshandling <61553566+jacobshandling@users.noreply.github.com>
Co-authored-by: Jacob Shandling <jacob@fleetdm.com>
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
- [ ] If database migrations are included, checked table schema to
confirm autoupdate
- For new Fleet configuration settings
- [ ] Verified that the setting can be managed via GitOps, or confirmed
that the setting is explicitly being excluded from GitOps. If managing
via Gitops:
- [ ] Verified that the setting is exported via `fleetctl
generate-gitops`
- [ ] Added the setting to [the GitOps
documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485)
- [ ] Verified that the setting is cleared on the server if it is not
supplied in a YAML file (or that it is documented as being optional)
- [ ] Verified that any relevant UI is disabled when GitOps mode is
enabled
- For database migrations:
- [ ] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [ ] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [ ] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
- [ ] Added/updated automated tests
- [ ] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [ ] Make sure fleetd is compatible with the latest released version of
Fleet (see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md)).
- [ ] Orbit runs on macOS, Linux and Windows. Check if the orbit
feature/bugfix should only apply to one platform (`runtime.GOOS`).
- [ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
- [ ] For unreleased bug fixes in a release candidate, confirmed that
the fix is not expected to adversely impact load test results or alerted
the release DRI if additional load testing is needed.
- Learned during NYC GitOps training that it's more intuitive to
explicitly set `macos_updates.deadline` to a string
- I think let's pick one of single quotes or double quotes and be
consistent: let's go with double quotes
Docs for the 4.67.0 release.
---------
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com>
Co-authored-by: Eugene <eugene@fleetdm.com>
Co-authored-by: Ian Littman <iansltx@gmail.com>
Co-authored-by: Drew Baker <89049099+Drew-P-drawers@users.noreply.github.com>
Co-authored-by: Scott Gress <scottmgress@gmail.com>
Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com>
Co-authored-by: Martin Angers <martin.n.angers@gmail.com>
Move around some parameters and mark `script_id` required
---------
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com>
Co-authored-by: Scott Gress <scottmgress@gmail.com>
Co-authored-by: Ian Littman <iansltx@gmail.com>
Co-authored-by: Jahziel Villasana-Espinoza <jahziel@fleetdm.com>
Received an error from GitHub Actions stating it was expecting a string
and got a number. Added quotes and it worked. Changing the documentation
to match.
I created and tested the fix before seeing the [comment in this
issue](https://github.com/fleetdm/fleet/issues/24417).
Feel free to merge the fix or close this out but I made this pull
request since we had another customer report this issue today.
For #26716.
Also moves the article to an OS-independent URL, updates links from
elsewhere, and adds a bit more internal-link juice for install
automation.
---------
Co-authored-by: Rachael Shaw <r@rachael.wtf>
Closes: #26503
Changes:
- Updated the heading and `<meta>` title of the yaml-files.md
documentation page to be "GitOps" (Note: the URL will not change)
Cleaning up and standardizing use of quotations in YAML.
1. Updated to use single quotes
2. Updated to use double quotes to enclose single quote references.
3. Removed extraneous quotes around strings.
Updated top text area for legibility and to call out what happens to
missing or mispelled settings.
These changes were prompted by
https://github.com/fleetdm/fleet/issues/26450
---------
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
- [ ] If database migrations are included, checked table schema to
confirm autoupdate
- For database migrations:
- [ ] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [ ] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [ ] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
- [ ] Added/updated automated tests
- [ ] A detailed QA plan exists on the associated ticket (if it isn't
there, work with the product group's QA engineer to add it)
- [ ] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [ ] Orbit runs on macOS, Linux and Windows. Check if the orbit
feature/bugfix should only apply to one platform (`runtime.GOOS`).
- [ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
I came across these changes while getting my gitops flow setup.
1. Changed `logo_url` to `org_logo_url`
2. Fixed indenting on `server_settings` so it's nested under
`org_settings`
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
Docs only change.
#22791
This will prevent the occasional redirect from breaking live queries.
Customers can still disable the redirects by setting
`redis.cluster_follow_redirections` to `false`.
- Updated the query suggested to view all osquery flags
- Added a note that running this query through osqueryi will not reflect
the settings in use by osqueryd.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
Documentation only change
---------
Co-authored-by: Rachael Shaw <r@rachael.wtf>
for #24967
This PR updates the documentation for the `host_batch_size` for both the
failing policies webhook and the vulnerabilities webhook. The new
documentation matches the actual behavior when `host_batch_size` is set
to 0.
Added ai_features_disabled to the list of server_settings. Fixed two
spelling issues. Made the grammar surrounding each "(default:...)" text
consistent within that section.
Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com>
Co-authored-by: Konstantin Sykulev <konst@sykulev.com>
Co-authored-by: George Karr <georgekarrv@users.noreply.github.com>
Co-authored-by: Victor Lyuboslavsky <victor.lyuboslavsky@gmail.com>
Co-authored-by: Ian Littman <iansltx@gmail.com>
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com>
Co-authored-by: Eric <eashaw@sailsjs.com>
This PR brings the "Agent configuration" format/organization closer to
the format we use for all other reference docs (YAML files, REST API,
and Fleet server configuration)
Changes:
- Update page headers so that the right-side navigation includes all the
top-level keys. Similar to the YAML files docs.
- Brings examples to the top of each section after a short description
(if necessary)
- Cut content
- Update "Learn more" links to more recent guides
Co-authored-by: Ian Littman <iansltx@gmail.com>
Co-authored-by: Zach Wasserman <zach@fleetdm.com>
Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com>
Co-authored-by: Konstantin Sykulev <konst@sykulev.com>
Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com>
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
- Add `uninstall_script` for `packages`
- This feature was shipped as part of the following user story: #20320
- Looks like we forgot to merge in the reference docs
- Update section headers so that config options show up in the right
side bar. Today, there's only one header that shows up in the sidebar:
- Remove "Example YAML" sections b/c they're redundant. More to maintain
#21998
While looking through this I noticed a few other issues:
1. We seem to be inconsistent about what time we pick for OS update
deadlines. For profiles [it's noon local
time](2e5bf75b6d/ee/server/service/mdm.go (L1096)),
while for Nudge [it appears to be 4am...server time or
UTC](2e5bf75b6d/server/fleet/nudge.go (L53-L57))?
#9013 also mentions "noon UTC-8/Pacific Standard Time", which is neither
of the above (and means that, if implemented as spec'd, the deadline
would shift by an hour during DST), while docs prior to this PR
mentioned 4am UTC-8. Maybe we don't care enough to fix the Nudge
behavior since macOS 14 (which no longer requires Nudge) came out over a
year ago, but we should at least agree on desired behavior for DDM and
document that (which is what I've done for iOS/iPad OS since they don't
use Nudge).
2. The [REST API
docs](2e5bf75b6d/docs/REST%20API/rest-api.md (L1720-L1757))
don't seem to match the description of macOS behavior in the article;
the former indicates that OS updates pop up with increasing frequency
post-deadline, rather than having an impassible dialog. This may be
because behavior changed from Nudge to DDM, but iOS/iPadOS got
copy-pasted from the macOS REST docs and they never used Nudge. My guess
is that we should describe DDM behavior here.
Tagging in @mna as he looks to have implemented DDM OS updates so should
have some context here, and @noahtalerman to confirm desired behavior,
particularly on the deadline side.
---------
Co-authored-by: Rachael Shaw <r@rachael.wtf>
- Update guides to reflect use case: automatically run scripts and
install software
- @noahtalerman: I removed top image from "Automatically run scripts"
b/c I think it looked rushed/unexpected
- Update "execute" language to "run" and add "manual" language
- Clarify when a policy's host counts are reset
- Clarify support for policy automations: team v. default (global) v. no
team
- Update `software.packages` example to best practice: separate file
- Inline is supported for backwards compatibility
- Remove `policies` and `controls` call outs about "No team." This info
is covered in the starter filed in fleetdm/gitops. For an example, see
`teams/no-teams.yml` here:
https://github.com/fleetdm/fleet-gitops/blob/main/teams/no-team.yml
