Fixes#31291
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- New Features
- Linux lock now switches Ubuntu + GDM systems to text mode to avoid GUI
issues.
- Persistent lock message is shown and survives reboots.
- Unlock restores the original GUI mode automatically when applicable.
- Bug Fixes
- Prevents black-screen behavior on Ubuntu + GDM after locking by
rebooting to text mode.
- Ensures lock message consistently appears across sessions.
- Improves reliability of session handling during lock/unlock.
- Chores
- Added change note describing the updated Linux lock behavior.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Fixes: #31474
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] QA'd all new/changed functionality manually
### How I tested it
- Ran the unmodified script with `go run cmd/msrc/generate.go`
- Checked the the file `msrc_out/fleet_msrc_Windows_11-2025_08_12.json`
contains CVE-2025-36350 and CVE-2025-36357
I tested the next situations with the feed existing and deleted
- Ran the new code with `go run cmd/msrc/generate.go`
- Checked same file and the two CVE's were not present.
Tested in fleet ui by
- Set up a host with Windows 11 Pro 24H2 10.0.26100.4061 so
CVE-2025-3635(0/7) will show up.
- Manually changed the msrc_Windows11... file in /tmp/vulndbs to the one
generated with the fix.
- Searched in Software > Vulnerabilities and could not find
CVE-2025-3635(0/7) anymore.
---------
Co-authored-by: Anthony Maxwell <133805840+Illbjorn@users.noreply.github.com>
For #29795
Refactored the way we compute the number of failing policies to avoid
discrepancies due to either read replica delays or due to async nature
of the failing policy computation stored in host issues.
Fixes: #4498
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- Added unit test
- Changed existing unit tests to accept empty array instead of null
- [x] QA'd all new/changed functionality manually
- Tested that Fleet UI > host details, returns `software: []` instead of
nothing.
- Tested that with exclude_software=false, software returns the full
array for host.
---------
Co-authored-by: Anthony Maxwell <133805840+Illbjorn@users.noreply.github.com>
Fixes#29894 and probably #31980.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
fixes: #29222
This is a feature branch that was completed last week, but did not get
merged in time.
All pr's going in was approved, and reviewed.
I will after this is merged, do a cherry pick onto the RC 4.73 branch,
and initiate the FR merge process.
---------
Co-authored-by: Martin Angers <martin.n.angers@gmail.com>
Co-authored-by: Sarah Gillespie <73313222+gillespi314@users.noreply.github.com>
Co-authored-by: Gabriel Hernandez <ghernandez345@gmail.com>
fixes#31932
The problem here was that `hostInstalledSoftware` returns a slice of
pointers (`[]*hostSoftware`), so when iterating through and assigning
`LastOpenedAt` the original records were getting modified. This code
duplicates the records being put into `bySoftwareTitleID` so that the
records being stored in `bySoftwareID` are the original records.
As a side benefit to this I modified the logic to store the most recent
`LastOpenedAt` for the software title. I think we may be doing something
similar to this on the front end to show the "last used" column when we
have multiple version of a software installed. But this can potentially
be fetched from the API now.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [X] Added/updated automated tests
- [X] QA'd all new/changed functionality manually
For #31055.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [X] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
## Testing
- [X] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
For #26382
- Attested the signed Windows Orbit binary instead of the unsigned one.
- For both Fleet desktop and Osquery for macOS and Windows artifacts,
attested the binaries inside archives.
for #31282
# Details
This PR adds the ability to filter hosts by the "incompatible with batch
script" status. These hosts were previously included in the "Error"
state for a batch script when viewing the script summary.
The current script summary modal doesn't include a row for incompatible
(this modal will be replaced in the next iteration of the batch script
scheduling feature). To see the filter at work, you can either use the
API directly, or:
1. View the summary modal for a batch script by clicking on its activity
item in the global feed
2. Click on the number in any row (e.g. "Error" or "Pending")
3. Change the dropdown beneath the team selector to "Incompatible"
<img width="472" height="339" alt="image"
src="https://github.com/user-attachments/assets/04c6bc05-fe88-4be3-91ca-8b7162e1c6f3"
/>
Also renamed `cancelled` to `canceled` in a couple places to make the
spelling consistent.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [X] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
## Testing
- [X] Added/updated automated tests
- [X] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [X] QA'd all new/changed functionality manually
Fixes#31268.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
relates to #27567
this adds two columns to the certificates table on host details and my
device pages; the issuer cell and the issued cell.
This also makes a change to TooltipTruncateTextCell that set the value
as `---` if the provided value is undefined, null, or empty string. This
still allows the number `0` to be provided
<img width="1205" height="540" alt="image"
src="https://github.com/user-attachments/assets/b712ccda-b5be-422d-9489-612ccdacab79"
/>
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added "Issuer" and "Issued" columns to the certificates table on host
details and my device pages, providing more certificate information.
* **Style**
* Improved table styling with horizontal scrolling for overflowing
content and consistent sizing for status indicators.
* **Bug Fixes**
* Ensured empty or missing table cell values are consistently displayed
with a default placeholder.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Also removed the automatic install flag on YAML FMAs as it's
undocumented/unspec'd
Fixes#25636.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
Fleet side of #27902
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually (CentOS 6, 7, 8,
Ubuntu 24)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added support for tracking and displaying the last opened time for
software installed via DEB and RPM packages on Linux systems.
* **Documentation**
* Updated documentation to include new queries for retrieving last
opened timestamps of Linux software packages.
* **Tests**
* Introduced new tests to verify the correct processing and integration
of last opened timestamps for DEB and RPM software packages.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Ran
```
make update-go version=1.24.6
```
And then updated the `sha256`s manually in the Dockerfiles.
Fixes https://nvd.nist.gov/vuln/detail/CVE-2025-47907
```
Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call
to the Scan method of the returned Rows can result in unexpected results if other queries are being
made in parallel. This can result in a race condition that may overwrite the expected results with those
of another query, causing the call to Scan to return either unexpected results from the other
query or an error.
```
Fixes#30879
Demo video: https://www.youtube.com/watch?v=jVyh5x8EMnc
I added a `FleetVarName` type, which should improve
safety/maintainability, but that resulted in a lot of files touched.
I also added the following. However, these are not strictly needed for
this feature (only useful for debug right now). But we are following the
pattern created by MDM team.
1. Add the migration to insert HOST_UUID into fleet_variables
2. Update the Windows profile save logic to populate
mdm_configuration_profile_variables
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host isolation]
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Summary by CodeRabbit
* **New Features**
* Added support for the `$FLEET_VAR_HOST_UUID` variable in Windows MDM
configuration profiles, enabling per-host customization during profile
deployment.
* Enhanced profile delivery by substituting Fleet variables with actual
host data in Windows profiles.
* Introduced a database migration to register the new Fleet variable for
host UUID.
* **Bug Fixes**
* Improved validation and error handling to reject unsupported Fleet
variables in Windows MDM profiles with detailed messages.
* Ensured robust handling of errors during profile command insertion
without aborting the entire reconciliation process.
* **Tests**
* Added extensive tests covering validation, substitution, error
handling, and reconciliation workflows for Windows MDM profiles using
Fleet variables.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
#29554
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Added/updated automated tests
- [x] Manual QA for all new/changed functionality
---------
Co-authored-by: jacobshandling <61553566+jacobshandling@users.noreply.github.com>
for #31623
for #31526
# Details
This PR adds two new endpoints:
* `GET /scripts/batch/:batch_execution_id` returns the status of a
single batch script execution
* `GET /scripts/batch` returns a paginated list of batch script
executions, filtered by team and status
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [X] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
## Testing
- [X] Added/updated automated tests
- [X] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [X] QA'd all new/changed functionality manually
Added new batch script runs in UI, used Postman to list them and get
details.
#31592
There's still some QA to be done for edge cases and re-connects, but
this is ready for review.
<img width="341" height="103" alt="Screenshot 2025-08-07 at 11 19 33 AM"
src="https://github.com/user-attachments/assets/01e48ca2-8ab1-412c-be01-8e806a5a8b1c"
/>
Changes:
- To improve UX I'm now using `HEAD /api/fleet/device/ping` API every 10
seconds for connectivity/offline check (instead of the expensive
DesktopSummary one every 5 minutes). This is to address feedback from a
customer:
> "If the internet is not connected and we reconnect with an ethernet
connection for example, it would be good to try to see if we can refresh
it text from the offline indicator given that's not the case anymore.
- It might take up to 1m for Fleet Desktop to show the offline indicator
(we check every 10s with ping and now we are adding 6 more requests in 1
minute to make sure just one bad request doesn't unnecessarily display
the offline indicator).
- Requests without proper public IP were being incorrectly rate limited
(all under the same bucket). So we will now not make these requests and
instead log a WARNING. This is a-ok as the recommended approach to
deploy Fleet is with a TLS terminator that will add the public IP of the
request before sending it to Fleet.
---
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [X] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [ ] QA'd all new/changed functionality manually
## fleetd/orbit/Fleet Desktop
- [ ] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [ ] Verified that fleetd runs on macOS, Linux and Windows
- [ ] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Improved accuracy in identifying client public IP addresses, reducing
incorrect rate limiting for Fleet Desktop users.
* Offline indicator is now less sensitive to brief network
interruptions, reducing false offline signals and allowing faster
recovery when connectivity is restored.
* Updated offline message for clearer status communication.
* **New Features**
* Enhanced error messages and logging for rate limiting events,
providing clearer feedback when limits are reached.
* **Tests**
* Expanded test coverage for rate limiting, including scenarios with
missing public IPs and improved assertions for error handling.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
For #31180.
Added new detail query, only executed if TPM PIN enforcement is
required, for determining whether a BitLocker PIN is set. The result of
the new detail query is used for setting the tpm_pin_set column on the
host_disks table.
Fixes#30918
Could not reproduce the issue and do not see the issue in Dogfood logs
anymore. The fix is speculative, but I'm pretty confident.
Added comprehensive tests covering webhook error cases.
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] Added/updated automated tests
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Improved authorization checks for calendar webhook endpoints to
prevent server errors when authorization is missing.
* **Tests**
* Added comprehensive tests covering various error and edge cases for
calendar webhook handling, ensuring improved reliability and robustness.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Fixes#31690
No functional changes: extra logging and refactoring
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Enhanced error messages for Windows MDM discovery, providing more
detailed information about unsupported request versions.
* **Bug Fixes**
* Improved logging for errors encountered during the Windows MDM
discovery process, aiding in issue diagnosis.
* **Refactor**
* Streamlined the Windows MDM discovery endpoint to centralize
validation and response logic for better maintainability.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Fixes#31106
Details of the changes done
- for macOS 15:
https://github.com/fleetdm/fleet/issues/31106#issuecomment-3155384061
- for macOS 14:
https://github.com/fleetdm/fleet/issues/31106#issuecomment-3155691097
- for macOS 13:
https://github.com/fleetdm/fleet/issues/31106#issuecomment-3155763952
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added new security policies for macOS 15, including controls for Apple
Intelligence features such as external intelligence extensions, writing
tools, mail summarization, and notes summarization.
* Introduced a policy to ensure sleep and display sleep are enabled on
Apple Silicon devices.
* **Improvements**
* Enhanced and clarified descriptions for several existing macOS CIS
policies, including Bluetooth Sharing, Siri, NFS Server, password
policies, and filename extension visibility.
* Updated policy queries and resolutions to align with the latest CIS
Benchmark version 1.1.0 and current macOS settings.
* Standardized resolution instructions and improved contributor
attribution across policies.
* **Bug Fixes**
* Corrected and clarified policy names and descriptions, such as
renaming Siri policy to ensure it is disabled and focusing on
world-writable folders instead of files.
* **Removals**
* Removed the policy requiring auto-update to be enabled for macOS 15.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Putting this up for comments
On certain errors(like a network error, perhaps even Apple ratelimiting)
we previously would drop assignments during the DEP sync and leave the
host_dep_assignments row null and the assignment unset on the Apple
side. Because of how the sync works it is entirely possible when this
happens that we would happily go along, update the cursor and never
return to resync these devices unless and until the admin did something
that forced a resync like changing something about the cloud config
profile.
Now any devices that for any reason don't get returned by the response
get marked as failed so that our logic for retrying and processing
cooldowns picks them up for later retry.
Explanation here as far as what I think is going wrong:
https://github.com/fleetdm/fleet/issues/31385#issuecomment-3145117080
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
fixes: #30857
This PR also adds the canceled check for Lock and Wipe scripts, even
though they can not be canceled as it stands today.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
Fixes#31591 by increasing the timeout to better support `customer-numa`
github workflow
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
- [x] QA'd all new/changed functionality manually
fixes#29833
Checks if the error is a not found error and then return a notFoundError
that does not get logged as an error but as an info log instead.
`level=info ts=2025-08-05T10:46:06.237581Z component=http
path=/api/latest/fleet/setup_experience/eula/metadata took=1.939958ms
uuid=0ab0c579-07c5-48be-b6bd-5e4ebd81212d err="not found"`
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
Fixes#31545
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Resolved issues with Single Sign-On (SSO) and Mobile Device Management
(MDM) SSO authentication failures caused by trailing slashes in URLs,
ensuring proper URL formatting and preventing authentication errors.
* **Tests**
* Added tests to verify correct handling of trailing slashes in SSO URLs
and to ensure errors are properly returned for invalid SSO URL
configurations.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Fixes#31444
The changes are primarily in tests. The only changes in production code
are a couple validations/checks for invalid values in:
- mysql/apple_mdm.go
- mysql/hosts.go
- mysql/queries.go
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Improved handling of timestamp and default values across various
features to prevent database errors and warnings.
* Enhanced validation and data consistency for Apple Business Manager
tokens and MDM profiles.
* Updated test data and logic to comply with stricter database
constraints and realistic scenarios, including date handling and field
lengths.
* **Chores**
* Updated test setups to reflect schema changes, improve data integrity,
and avoid future compatibility issues.
* Standardized SQL mode and timestamp usage in test environments.
* Refined test data for VPP apps, software installers, and device
enrollments for better reliability.
* **Tests**
* Expanded and updated tests to cover new fields, stricter validation,
and more accurate simulation of real-world conditions.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
# #30860
## Summary
* **New Features**
* Introduced dedicated modals for viewing install and uninstall details
for both VPP and non-VPP software, providing clearer and more consistent
information.
* Added support for displaying detailed install information for VPP host
software and improved handling of install status actions.
* Added an Inventory Versions modal to display detailed version history
for installed software on a host.
* **Improvements**
* Standardized and improved the design and behavior of install/uninstall
detail modals across the app.
* Refined callbacks and state management for launching modals from host
and self-service software tables.
* **Bug Fixes**
* Addressed issues with property naming and callback signatures in
install status handling.
* Addressed inconsistencies in displaying software details and status
across different components.
* **Refactor**
* Streamlined component props, callback signatures, and data models for
improved maintainability.
* Updated test cases and interfaces to align with the new modal and
callback structure.
* Removed legacy software details modal and related code, streamlining
the user interface.
* **Style**
* Updated modal and table styles for improved readability and
consistency.
## *Important note: Host software library modals for VPP apps currently
show only installed versions due to [an API bug that is being
addressed](https://github.com/fleetdm/fleet/issues/31459)
## Install details modal in various locations and states :
### Activity feeds (global, host details), non-VPP:
### Device user page self-service, non-VPP (with Retry functionality):
### Host software library, non-VPP:
### Activity feeds (global, host details), VPP apps:
### Device user page self-service, VPP apps (with Retry functionality):
### Uninstall modal samples - TODO
- [x] Changes file added for user-visible changes in `changes/`
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
---------
Co-authored-by: Jacob Shandling <jacob@fleetdm.com>
Co-authored-by: RachelElysia <rachel@fleetdm.com>
This change allows configuring a separate URL for SSO callbacks, which
is useful when organizations have different URLs for admin access vs
agent/API access.
Fixes#31480 the SSO issue where organizations with dual URL setups were
getting 'Destination does not match requested URL' errors after
upgrading to v4.71.0 with the new SAML library.
Video demo: https://www.youtube.com/watch?v=dFzNpUY3XKI
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [ ] QA'd all new/changed functionality manually
## New Fleet configuration settings
- [x] Verified that the setting is exported via `fleetctl
generate-gitops`
- [x] Verified the setting is documented in a separate PR to [the GitOps
documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485)
- Same PR since this is going to be a 4.71.1 patch
- [ ] Verified that the setting is cleared on the server if it is not
supplied in a YAML file (or that it is documented as being optional)
- [x] Verified that any relevant UI is disabled when GitOps mode is
enabled
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Summary by CodeRabbit
* **New Features**
* Added support for configuring a dedicated SSO URL, allowing
organizations to restrict SSO authentication to a specific URL.
* The new SSO URL option is available in both the UI and API
configuration settings.
* **Documentation**
* Updated configuration and API documentation to include the new SSO URL
option with usage examples.
* **Bug Fixes**
* Resolved authentication issues for organizations using separate URLs
for admin and agent/API access.
* **Tests**
* Added new unit and integration tests to verify SSO behavior with and
without the dedicated SSO URL.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
For #31193.
Added a new detail query used for determining whether the user is able to set up a TPM PIN protector, if not able, an MDM command is queued up to apply the proper policy on the host.
fixes#29410
quick update to the turn on mdm button in the info banner.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
- [x] QA'd all new/changed functionality manually
Done by not allowing any deferrals as before one deferral was allowed
fixes: #29250
_There is no doc change as we nowhere state that we allow one deferral,
let me know if we want to write somewhere that this is now the standard
behaviour._
_I also investigated trying to force it directly when the profile
arrived but without any luck, so still need a logout/login to get
filevault enabled, but it's no longer possible to cancel/defer it._
**Do verify when testing in automatic enrollment that FileVault is still
enforced as I can't test Automatic enrollment yet.**
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] If database migrations are included, checked table schema to
confirm autoupdate **not relevant as it does not update any schema just
modifies existing entries.**
- For database migrations:
- [x] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [x] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [x] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
- [x] Added/updated automated tests
- [x] Manual QA for all new/changed functionality
Fixes#30390
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
## Database migrations
- [x] Checked table schema to confirm autoupdate
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Expanded support for certificate country codes up to 32 characters,
allowing non-standard country code values.
* **Bug Fixes**
* Improved certificate ingestion to handle and log fields that exceed
maximum allowed lengths instead of causing failures.
* **Tests**
* Added tests to verify handling of long country codes and truncation of
overly long certificate fields.
* **Chores**
* Updated database schema to increase the allowed length for country
code fields in certificates.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
This PR addresses the concern of potentially being able to release a
device before any profile is sent, and the check thinking there is no
pending. It addresses both the release worker, but also the orbit setup
experience endpoint, even though that is less likely.
_Checked the query against my host on dogfood where it took 0.1 seconds,
with the single host._
fixes: #31143
_I also ended up putting my main test in a new file
`integration_mdm_release_worker_test.go` and decided not to do fancy
setup, as there is only one test so no recurring things, and based on
our retro talk also moved the setup experience related tests inside of
`integration_mdm_dep_test.go` into their separate file
`integration_mdm_setup_experience_test.go`_
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
## Testing
- [x] Added/updated automated tests
- [ ] QA'd all new/changed functionality manually (No, since this one is
hard to reproduce, but instead wrote an integration test before doing
the change to verify the behaviour.)
fixes#25367
this doesnt show the os updates page for users who are not global admins
or the current team admin. we also redirect users to the os settings
page if they try to navigate to the os updates page and dont have
permission
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
- [x] QA'd all new/changed functionality manually
Fixes#30853
Install and uninstall scripts that contain fleet secrets do not need to
be validated in the `batchSetSoftwareInstallersEndpoint` during gitops
dry runs. These secrets are already validated on the gitops side.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
Fixes#31232
The Microsoft documentation does not directly address
RequestVersion/EnrollmentVersion 7.0 in the allowed versions lists but
grepping the MS-MDE2 protocol docs for EnrollmentVersion finds a few
references related to Federated Authentication and this specifically
seems to be a changeset introduced for AzureAD/Intune related features
and does not impact how we do enrollments, as best I can tell.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
For #30476
Contributor doc updates: https://github.com/fleetdm/fleet/pull/31371
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
## fleetd/orbit/Fleet Desktop
- [x] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [x] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [x] Verified that fleetd runs on macOS, Linux and Windows
- [x] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Automated certificate renewal is now supported, including
proof-of-possession for enhanced security.
* Certificate renewal can be triggered when the existing certificate is
within 180 days of expiration.
* Dynamic configuration of certificate validity period via environment
variable.
* Improved TPM hardware integration for certificate management.
* **Bug Fixes**
* Enhanced error handling and logging for TPM device closure and
certificate operations.
* **Tests**
* Extended integration tests to cover certificate renewal flows, host
deletion, and TPM-based scenarios for improved reliability.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
For #31065
Added new orbit config flag 'EnableBitLockerPINProtectorConfig' set iff Disk encryption is enforced and the RequireBitLockerPIN server config flag is set.
Fixes#26404.
This means that for long vulns runs vulns will stick around longer, so
we don't wind up nuking vulns that were added earlier in the run, and in
cases where the vulns run takes less than 2h we'll see vulns clear
cleanly more quickly.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
## Testing
- [x] Added/updated automated tests
- [ ] QA'd all new/changed functionality manually
---------
Co-authored-by: Jahziel Villasana-Espinoza <jahziel@fleetdm.com>
Add the capability to build a request body with `fleetctl api`,
including uploading files.
Example command to upload a software package:
```sh
fleetctl api --debug -X POST -F team_id=0 -F 'software=@./server/service/testdata/software-installers/ruby.deb' software/package
```
Unit tests are included for both simple POST requests and file uploads.
Closes#21754.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Added/updated automated tests
- [x] Manual QA for all new/changed functionality
Fixes#30565. Applies to FMA-only extensions (DMG, ZIP), EXEs, and
tarballs. This means that MSI/PKG FMAs will still have package IDs
populated a day after server start if they aren't filled in, on the off
chance that admins use $PACKAGE_ID on uninstall scripts on either of
those, replicating existing behavior.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
for #30109
# Details
This PR fixes an issue in our current SQL parsing library that was
causing queries like this to be marked invalid:
```
SELECT * FROM table_name WHERE column_name LIKE '\_%' ESCAPE '\'
```
This is valid in SQLite because the `\` is not considered an escape
character by default. From [the SQLite
docs](https://www.sqlite.org/lang_expr.html) (see section 3 "Literal
Values (Constants)"; emphasis mine):
> A string constant is formed by enclosing the string in single quotes
('). A single quote within the string can be encoded by putting two
single quotes in a row - as in Pascal. C-style escapes using the
backslash character are not supported because they are not standard SQL.
# Use of forked code
Part of the fix for this was [submitted as a PR to the node-sql-parser
library](https://github.com/taozhi8833998/node-sql-parser/pull/2496) we
now use, and merged. I then found that another fix was needed, which I
submitted as [a separate
PR](https://github.com/taozhi8833998/node-sql-parser/pull/2512). As
these fixes have yet to be made part of an official release of the
library, I made a fork off of the release we were using (5.3.10) and
bundled the necessary build artifacts with Fleet. We have an [ADR
proposing the use of submodules for this
purpose](https://github.com/fleetdm/fleet/pull/31079); I'm happy to
implement that instead if we approve that, although for a front-end
module with a build step it's a bit more complicated. Hopefully this
code will be released in `node-sql-parser` soon and we can revert back
to using the dependency.
Here is the [full set of
changes](https://github.com/taozhi8833998/node-sql-parser/compare/master...sgress454:node-sql-parser:5.3.10-plus).
# Checklist for submitter
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [X] Manual QA for all new/changed functionality
We'll want to pull this into a feed so fixes don't take a Fleet release
to propagate, and some fixes currently in the vulns mutations list
should probably move over here (as they're also dealing with non-semver
versions), but that's out of scope for this particular fix.
Fixes#31123.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] Added/updated automated tests
- [x] Manual QA for all new/changed functionality
for #29451
# Details
This PR does a slight refactor of the MainContent, HostDetailsBanners
and HostDetailsPage components to prevent host-details-specific banner
from being shown on the Host Details page if any app-wide banners are
being displayed.
It does this by allowing the child of a `<MainContent>` node to be a
function which takes a parameter indicating whether app-wide banners are
present. The HostDetailsPage uses this new functionality to suppress
host details banners when that's the case. The HostDetailsBanners
component is updated to remove logic that previously attempted to detect
app-wide banners, using similar logic to what MainContent does to decide
whether to show banners. Instead of repeating this logic in two places,
HostDetailsBanners now just renders banners.
# Checklist for submitter
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [X] Manual QA for all new/changed functionality
I tested this by temporarily forcing an app-wide banner (by setting
[this
code](52cd0588b6/frontend/components/MainContent/MainContent.tsx (L61))
to `if (true)`), then similarly doing the same for host banners by
changing [this
code](89cdf9f61a/frontend/pages/hosts/details/HostDetailsPage/components/HostDetailsBanners/HostDetailsBanners.tsx (L79-L85))
to always run.
On the main branch, this shows two banners:
<img width="1142" height="186" alt="image"
src="https://github.com/user-attachments/assets/30645470-d1db-476d-bb76-2b48fedcc75a"
/>
On this branch, only the app-wide banner is shown.
Note that this was _only_ happening in the case of the disk encryption
banner, since there was logic in place in HostDetailsBanners to prevent
showing host banners if an app-wide banner was present. That logic was
just missing from the disk encryption case, and we'd have to continue to
keep that logic in sync with the login in MainContent any time we added
a new host banner. This refactor DRYs out the code a bit so we don't
have that concern going forward.
Closes#31077.
- Added logic to wait for the uninstall command to finish running before
exiting the script.
- Also added the `/norestart` flag so users who click uninstall in
self-service aren't at risk of a sudden and unintentional reboot as the
result of software uninstalling.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
---------
Co-authored-by: Ian Littman <iansltx@gmail.com>
Fixes: #29824
This PR fixes a situtation where Apple Declarations could be lingering
around for hosts, if they were offline when the decl. was added and
removed, and no further declaration config is pushed to force a status
update.
It tackles it by deleting the pending and failed installs from the
table, before setting the remaining (verified and verifying) to be
remove operation, as those have hit the host.
I couldn't come up with a way that would auto-fix the hosts we see in
dogfood, as those have the same declaration identifier and token for
both an install row and pending remove row. Those needs to manually be
adjusted and then it should be good.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] Added/updated automated tests
- [x] Manual QA for all new/changed functionality
This was required to test https://github.com/fleetdm/fleet/pull/30864 on
Apple Silicon.
I've created https://github.com/fleetdm/fleet/issues/31092 for tracking
purposes.
Fixes:
- Build univeral binary extension on macOS to test on VMs without
Rosetta.
- Add support for linux and Windows arm64. Which is also needed to test
Linux and Windows on UTM on Apple Silicon.
- Add Linux arm64 & Windows arm64 to the test scripts.
---
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [X] Added/updated automated tests
- [X] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [X] Make sure fleetd is compatible with the latest released version of
Fleet (see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md)).
- [x] Orbit runs on macOS, Linux and Windows. Check if the orbit
feature/bugfix should only apply to one platform (`runtime.GOOS`).
- [x] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [x] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
For [#30782](https://github.com/fleetdm/fleet/issues/30782)
This contains UI wide updates to support personal devices enrolled into
MDM. This includes:
**host details about card updates**
<img width="536" height="169" alt="image"
src="https://github.com/user-attachments/assets/a6e608e2-28b3-4bcc-ac03-4c45128bae66"
/>
**host details host actions dropdown updates (we will only show transfer
and delete for host
personal devices enrolled into MDM**
<img width="217" height="193" alt="image"
src="https://github.com/user-attachments/assets/7295e91a-7ceb-49f9-8351-5f2f4de7c450"
/>
**dashboard page MDM card updates. We've added a new row for personal
devices enrolled in mdm**
<img width="775" height="448" alt="image"
src="https://github.com/user-attachments/assets/ee819f16-faa4-437f-a6e8-2f6f8e6535dc"
/>
## NOTE
**We've also changed all instances of `On (automatic)` to `On
(company-owned)`. The API still returns `On (automatic)` so this is done
on the client side.**
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
- [x] Added/updated automated tests
- [x] Manual QA for all new/changed functionality
#30461
This PR contains the changes for the happy path.
On a separate PR we will be adding tests and further fixes for edge
cases.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [ ] Added/updated automated tests
- [x] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [ ] Make sure fleetd is compatible with the latest released version of
Fleet (see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md)).
- [ ] Orbit runs on macOS, Linux and Windows. Check if the orbit
feature/bugfix should only apply to one platform (`runtime.GOOS`).
- [ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added support for using a TPM-backed key and SCEP-issued certificate
to sign HTTP requests, enhancing security through hardware-based key
management.
* Introduced new CLI and environment flags to enable TPM-backed client
certificates for Linux packages and Orbit.
* Added a local HTTPS proxy that automatically signs requests using the
TPM-backed key.
* **Bug Fixes**
* Improved cleanup and restart behavior when authentication fails with a
host identity certificate.
* **Tests**
* Added comprehensive tests for SCEP client functionality and TPM
integration.
* **Chores**
* Updated scripts and documentation to support TPM-backed client
certificate packaging and configuration.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Fixes: #30359
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Manual QA for all new/changed functionality (@ghernandez345
verified the EULA after automatic enrolment SSO still worked)
## For #30749, #31013
This PR implements changes to the UI and back end to accommodate
Software automations and Failing policy Ticket and Webhook automations
when Fleet is in Primo mode. Follow-up to
https://github.com/fleetdm/fleet/pull/30291
### Software automations
- When on the `/software` page and in Primo mode, the UI is, under the
hood, on "No team," though any reference to "team"s is hidden as much as
possible. In "normal" Fleet, Software automations can only be accessed
when on "All teams." This PR implements a special case in Primo mode:
when on No team and Primo mode is enabled, the user can now access the
"Software automations" modal to configure automation settings, which are
global.
- Simplified some conditions
- Moved logic living in the parent Software page that was specific to
the `SoftwareAutomations` modal into the modal for better encapsulation.
### Policy automations
The calendar, software, and scripts failing policy automations are
currently only configurable on a team (including No team) and not for
All teams. Ticket and webhook automations, accessible via the "Other
workflows" modal, by contrast, are only configurable for All teams and
teams other than No team, but not for No team. This PR updates the
Policies page, when in Primo mode (and therefore forced to be on "No
team") to:
- Continue providing "No team" data to the first 3 mentioned policy
automations modals.
- Include an enabled Other workflows option in the automations dropdown
- Update the submission handler of the Other workflows modal to update
the relevant _global_ config values
- The backend is updated to recognize this case (Failing policy webhook
/ ticket destination, policy on No team, in Primo mode) and handle it
using the global config, making the above logic sound
_Product should consider if any of these changes should be implemented
for "normal" Fleet_
### Listing and deleting policies
- Primo mode presents a pseudo-team-less UX. However, it is still
possible for earlier clients to have policies on "All teams." This
implements the ability to both see and delete "teamless" (No team under
the hood) policies and any such inherited global policies
### Other UI considerations
- Remove teams-related functionality in a couple more places - see
#31013
### Demos
- [Deleting policies, including any potentially inherited from All teams
(possible from before Primo
mode)](https://drive.google.com/file/d/1ZI4MNM3bkiOtD5MInAU32htQw8kDEupK/view?usp=drive_link)
- [x] Changes file added for user-visible changes in `changes/
- [x] Added/updated automated tests
- [x] Manual QA for all new/changed functionality
---------
Co-authored-by: Jacob Shandling <jacob@fleetdm.com>
Fixes#27580.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] Added/updated automated tests
- [x] Manual QA for all new/changed functionality
> Closes#27447
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Added/updated automated tests
- [x] Manual QA for all new/changed functionality
---------
Co-authored-by: Ian Littman <iansltx@gmail.com>
Fixes#27758.
<img width="807" height="303" alt="image"
src="https://github.com/user-attachments/assets/58e5b9bc-42d6-4195-868e-bf6206ec9cd5"
/>
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] If database migrations are included, checked table schema to
confirm autoupdate
- For database migrations:
- [x] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [x] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [x] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
- [x] Added/updated automated tests
- [x] Manual QA for all new/changed functionality
Fixes#30473
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
- [x] Added/updated automated tests
- [ ] Manual QA for all new/changed functionality
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added support for TPM-backed host identity certificates enabling
hardware-backed HTTP signature authentication for hosts.
* Introduced HTTP signature verification middleware for API requests,
applied conditionally for premium licenses.
* Hosts presenting identity certificates must authenticate with matching
HTTP message signatures during enrollment and authentication.
* Added SCEP-based certificate issuance for secure host identity
management.
* Updated enrollment endpoints to use standardized request/response
contract types.
* **Bug Fixes**
* Enhanced authentication logic to verify consistency between host
identity certificates and host records, preventing duplicate or
mismatched identities.
* **Chores**
* Updated dependencies and test infrastructure to support HTTP signature
verification and host identity certificate workflows.
* Added comprehensive integration and datastore tests for host identity
certificate issuance, storage, and authentication.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Profile status respect remove operation for pending and failed status,
where the declarations did not, meaning the host would show up with a
wrong status if only a declaration was pending or failed removal.
This was also affecting the `os_setting` api filter option for list
hosts (maybe elsewhere), which is also fixed by this change.
A part of #29824
Fixes#29849.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] Added/updated automated tests
- [x] Manual QA for all new/changed functionality
Fixes#27061.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] Added/updated automated tests
- [x] Manual QA for all new/changed functionality
Fixes 30636
I am adding a handful of additional unit tests but this is ready for
review now. Integrates changes from Victor's PoC for Account Driven User
Enrollment including a nice end to end integration test including the
SAML portion
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] Added/updated automated tests
- [x] Manual QA for all new/changed functionality
Fixes#30435.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] Added/updated automated tests
- [x] Manual QA for all new/changed functionality
## #30730
- Update Go version
- Update the docs for this process
- Confirmed `fleet`, `fleetctl`, and related docker images build
successfully
- Note that failing tests are unrelated: see [Slack
thread](https://fleetdm.slack.com/archives/C019WG4GH0A/p1752175318523689)
---------
Co-authored-by: Jacob Shandling <jacob@fleetdm.com>
Fixes https://github.com/fleetdm/fleet/issues/29315
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] Added/updated automated tests
- [x] Manual QA for all new/changed functionality
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* The "created_at" label no longer affects manual label scoping for
software packages, ensuring more accurate filtering.
* Device authentication tokens are now validated solely by their value,
not by their expiration time.
* **Tests**
* Added new tests to verify label scoping logic, ensuring correct
handling of dynamic and manual labels based on timestamps.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
> Closes#26618
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] Added/updated automated tests
- [x] Manual QA for all new/changed functionality
Fixes#29988.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] Added/updated automated tests
- [x] Manual QA for all new/changed functionality
Fixes#25587. SubEthaEdit packgeInfo file is a bit bigger, but the only
thing different is the list of package IDs included, and that's not what
was broken/fixed here, so went with an abbreviated version that better
demonstrates what got fixed here.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] Added/updated automated tests
- [x] Manual QA for all new/changed functionality
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Improved extraction of application names from uploaded PKG packages by
using the install path as a fallback method.
* **Tests**
* Added a new test case to verify correct name extraction from PKG
packages using the install path.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
For https://github.com/fleetdm/confidential/issues/9931.
[Here](ec3e8edbdc/docs/Contributing/Testing-and-local-development.md (L339))'s
how to test SAML locally with SimpleSAML.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
- [x] Added/updated automated tests
- [x] A detailed QA plan exists on the associated ticket (if it isn't
there, work with the product group's QA engineer to add it)
- [x] Manual QA for all new/changed functionality
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Improved SSO and SAML integration with enhanced session management
using secure cookies.
* Added support for IdP-initiated login flows.
* Introduced new tests covering SSO login flows, metadata handling, and
error scenarios.
* **Bug Fixes**
* Enhanced validation and error handling for invalid or tampered SAML
responses.
* Fixed session cookie handling during SSO and Apple MDM SSO flows.
* **Refactor**
* Replaced custom SAML implementation with the crewjam/saml library for
improved reliability.
* Simplified SAML metadata parsing and session store management.
* Streamlined SSO authorization request and response processing.
* Removed deprecated fields and redundant code related to SSO.
* **Documentation**
* Updated testing and local development docs with clearer instructions
for SSO and IdP-initiated login.
* **Chores**
* Upgraded dependencies including crewjam/saml and related packages.
* Cleaned up tests and configuration by removing deprecated fields and
unused imports.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
fixes: #30325
Related to incorrect behavior introduced at
https://github.com/fleetdm/fleet/pull/28945
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Added/updated automated tests
- [x] Manual QA for all new/changed functionality
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* When uploading software batches, if the installer SHA is set to
"no_check," the system will now automatically generate and use the
SHA256 checksum of the installer file.
* **Bug Fixes**
* Fixed an issue ensuring the latest Google Chrome version is pulled
during Fleet-maintained app updates.
* Corrected the display of the SHA256 hash in the UI and API to show
valid values.
* Improved handling of installer uploads to ensure a valid SHA256
checksum is always applied, even when "no_check" is specified.
* **Tests**
* Added a test to verify correct SHA256 hash calculation for installer
files.
* Extended integration tests to validate batch software installer
operations for maintained apps with SHA256 hash checks.
* Added tests covering behavior when SHA256 checksum is marked as
"no_check" for maintained apps.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Ian Littman <iansltx@gmail.com>
## #16846
[Demo](https://drive.google.com/file/d/1xocZDfOUbu29tPpf2J6dngy3pLACIe62/view?usp=drivesdk)
- [x] Changes file added for user-visible changes in `changes/`
- [x] Manual QA for all new/changed functionality
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added tooltips to navigation and category menu items for improved
accessibility and clarity.
* Introduced a new optional tooltip position setting, allowing tooltips
to appear on any side of the element.
* Expanded the color palette with a new light shade option.
* **Style**
* Refactored navigation and category menu styles to use centralized,
reusable mixins for a more consistent appearance.
* Updated navigation and category menu layouts for better structure and
maintainability.
* **Chores**
* Added new SCSS mixins for navigation styling, improving code
maintainability and consistency.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Jacob Shandling <jacob@fleetdm.com>
Fixes#30393.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Added/updated automated tests
- [x] Manual QA for all new/changed functionality
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Increased the number of software versions displayed per page from 5 to
10 on the software view page.
* **Tests**
* Updated tests to reflect the increased number of displayed versions
and adjusted assertions accordingly.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Fixes#30574.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] Added/updated automated tests
- [x] Manual QA for all new/changed functionality
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Resolved issues with recording host certificate sources when multiple
hosts share the same certificate but have different usernames, improving
accuracy and performance.
* Addressed related performance and database load problems for these
scenarios.
* **Tests**
* Added new tests to ensure certificate source records remain properly
isolated per host, even when certificates are shared across hosts.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [ ] Manual QA for all new/changed functionality
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Increased the frequency of checks for new Fleet-maintained
applications from once per day to once per hour.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## #14801
### [Demo
video](https://drive.google.com/file/d/1Lovk7iwvgUv1NpfsqSt-Is0yTBt0SZ5O/view?usp=sharing)
<img width="1624" alt="Screenshot 2025-07-02 at 4 58 33 PM"
src="https://github.com/user-attachments/assets/86c7b214-e8e4-4e58-9969-b1373ed97691"
/>
* **New Features**
* Added the ability to select a team and update the name when saving a
query as a new copy, using a dedicated modal dialog.
* **Improvements**
* Enhanced the team selection dropdown with new styling options and
clarified prop names.
* Updated query editing workflow to use a modal for "Save as new"
actions.
* Improved type safety and clarity in several interfaces and utility
functions.
* **Bug Fixes**
* Fixed inconsistencies in prop naming for team dropdown components.
* Ensured "Discard data" setting is maintained when "Save as new"ing a
query - it was previously not maintained correctly
* **Tests**
* Updated and removed tests to align with the new "Save as new" query
workflow and prop changes.
* Added utilities for creating mock location objects in tests.
* **Style**
* Added a new light grey color to the UI color palette.
- [x] Changes file added for user-visible changes in `changes/`
- [x] Added/updated automated tests
- [x] Manual QA for all new/changed functionality
---------
Co-authored-by: Jacob Shandling <jacob@fleetdm.com>
For #29400.
Added test fails without the change to retry upon deadlocks.
How to reproduce in UI:
1. Create 10 policies on a team.
2. Refetch host to have results for the policies.
3. Add (could be the same) or update the installer associated to the 10
policies in "Manage automations" > "Software".
4. Hit `Save`.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [X] Added/updated automated tests
- [X] Manual QA for all new/changed functionality
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Improved the reliability of policy updates on the "Manage automations"
page by automatically retrying requests in case of deadlock errors.
* **Tests**
* Added a test to verify that concurrent policy updates handle deadlocks
correctly and complete without errors.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Fixes#29916.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Added/updated automated tests
- [x] Manual QA for all new/changed functionality
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Host vitals data now refreshes automatically after successful software
installation or uninstallation, ensuring up-to-date status information.
* **Tests**
* Enhanced tests to verify that host vitals are only refreshed after
successful software changes, improving reliability and accuracy of the
system’s behavior.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
For #30385.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Manual QA for all new/changed functionality
Fixes#30522.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] Added/updated automated tests
- [ ] Manual QA for all new/changed functionality
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Resolved an issue where host software counts were not updated if the
database contained rows with a zero software ID.
* **Tests**
* Enhanced tests to verify correct handling of host software records
with a zero software ID.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Fixes#29505
This adds a premium permission tier message to the UI for the
certificates section in the ingrations page
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
- [x] Manual QA for all new/changed functionality
For #29867 . Includes latest copy requested by product.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] Added/updated automated tests
- [x] Manual QA for all new/changed functionality
for #30502
# Details
This PR fixes an issue where `fleetctl generate-gitops` would not always
add a `macos_setup` setting to a .yml file even if the team had a setup
experience configured. This was due to relying on the `MacOSSetup`
config returned by app/team config APIs to have this data populated,
which turned out to be an incorrect assumption. Instead, we now utilize
various APIs to check for the presence of setup software, scripts,
bootstrap packages and profiles.
Note that for now, `generate-gitops` will only output a `TODO` line if
setup experience is detected;
https://github.com/fleetdm/fleet/issues/30210 is open to flesh this out.
In the meantime `fleetctl gitops` will fail if this TODO is inserted, so
that the user must go and fix it manually.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
- [X] Added/updated automated tests
- [X] Manual QA for all new/changed functionality
# Testing
I set up MDM on a local instance and tried the following both on No Team
and a regular team:
* Turned "End user authentication on", verified that `fleetctl
generate-gitops` output a `macos_setup` setting for the team. Turned it
back off and verified that `macos_setup` was no longer exported by
`fleetctl generate-gitops`.
* Did the same for bootstrap package.
* Did the same for install software, and additionally verified that
having software available but _not_ selected did not cause `macos_setup`
to be exported. Same for teams with no software available at all.
* Did the same for setup assistant.
I also tested that changes to No Team didn't affect the output when
exporting a regular team.
---------
Co-authored-by: Lucas Rodriguez <lucas@fleetdm.com>
I tested the uninstall script by:
- Making a new agent package and installing it
- Checking with `dpkg --get-selections | grep 'fleet'` that
fleet-osquery is installed
- Checking with `sudo systemctl list-units | grep 'orbit'` that
orbit.service is running
- Uninstalling the package with uninstall-fleetd-linux.sh
- Checking the above commands again to see that fleet-osquery and
orbit.service are uninstalled.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- For Orbit and Fleet Desktop changes:
- [x] Manual QA done on one Linux machine (Ubuntu 24 on HP laptop).
## Issue
Closes#29893
## Description
- Update text for VPP command for pending_install and failed_install to
include verification nuance
- Add related tests
## Note
- Original PR pointing to `vpp-verify-followup` but should be repointed
to `main` once that branch is merged in
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
- [x] Added/updated automated tests
- [ ] Manual QA for all new/changed functionality
---------
Co-authored-by: Ian Littman <iansltx@gmail.com>
relates to [#28691](https://github.com/fleetdm/fleet/issues/28691)
This adds the ability to upload the EULA users see during the setup
experience via gitops. It follows patterns used for uploading the
bootstrap package via gitops.
I've also added a sha256 column to the `eulas` table in order to easily
compare the existing eula with a new one to see if we need to perform an
upload.
Finally I added the support to generate this new gitops setting with the
`generate-gitops` command
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
- [x] If database migrations are included, checked table schema to
confirm autoupdate
- For new Fleet configuration settings
- [x] Verified that the setting can be managed via GitOps, or confirmed
that the setting is explicitly being excluded from GitOps. If managing
via Gitops:
- [x] Verified that the setting is exported via `fleetctl
generate-gitops`
- [x] Added the setting to [the GitOps
documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485)
- [x] Verified that the setting is cleared on the server if it is not
supplied in a YAML file (or that it is documented as being optional)
- [x] Verified that any relevant UI is disabled when GitOps mode is
enabled
- For database migrations:
- [x] Added/updated automated tests
- [x] Manual QA for all new/changed functionality
This PR specifies a binary identifier for `fleetctl` on macOS, which
resolves the codesignature testing issue from #30352.
# Tests
To test this, I unsigned an affected version of `fleetctl`:
```shell
codesign --remove-signature fleetctl
```
I then installed `rcodesign` 0.29.0, and signed the binary myself, with
the added `--binary-identifier` flag:
```shell
./rcodesign sign --p12-file Certificates.p12 --p12-password-file=.p12_password --for-notarization --binary-identifier com.fleetdm.fleetctl fleetctl
```
Then, I obtained the codesigning requirement from my newly signed
binary:
```shell
$ codesign -d -r- fleetctl
Executable=/Users/jacob.burley/Downloads/fleetctl_v4.67.3_macos/fleetctl
designated => identifier "com.fleetdm.fleetctl" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "XXXXXXXXXX"
```
I then tested the code signature with the designated requirement given:
```shell
$ codesign --test-requirement='=identifier "com.fleetdm.fleetctl" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "XXXXXXXXXX"' --verbose=2 --verify fleetctl
fleetctl: valid on disk
fleetctl: satisfies its Designated Requirement
fleetctl: explicit requirement satisfied
```
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
#29482
[Migrate to the AWS SDK for Go
v2](https://docs.aws.amazon.com/sdk-for-go/v2/developer-guide/migrate-gosdk.html)
documents how to migrate codebases.
QA on features that use AWS SDK Go:
- Bootstrap package:
- upload: ✅
- download: ✅
- cleanup: ✅
- Software (upload, download, installation, etc.) ✅
- Cloudfront: Luckly, this feature was already using aws-sdk-go-v2.
- Carves ✅
- Logging:
- Firehose ✅
- Kinesis ✅
- Lambda ✅ (tested result logs to a lambda function on our AWS Dogfood
account)
- Email:
- Amazon SES TODO ⚠️ (this is what Dogfood uses and a few customers)
- We cannot easily test locally, we can use dogfood or load testing
(AWS) environments.
---
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [ ] Manual QA for all new/changed functionality
# Details
This PR adds on to the https://github.com/fleetdm/fleet/pull/30278 which
added support for host vitals labels, by adding a cron job which updates
host vitals label membership every 5 minutes.
Unlike "dynamic" label types, where the hosts determine membership
themselves and report their decision to Fleet when they check in, "host
vitals" label membership is determine by Fleet. This means they can be
applied to hosts which don't check in at the `/distributed/write`
endpoint (like mobile devices).
The mechanism in the cron job is pretty naïve, it just lists all the
labels, post-filters for "host vitals" labels and updates membership for
each. Since the # of labels on an instance tends not to be excessive,
and since updating membership consists of one `DELETE` query and one
`INSERT...SELECT` query, this is not expected to contribute significant
load, but load testing should verify this.
# Checklist for submitter
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [X] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [X] Added/updated automated tests
- [X] Manual QA for all new/changed functionality
# Testing
Tested by manually adding scim groups, users etc. in the db and adding a
couple of new host vitals labels using the API. I've uploaded a folder
containing a db snapshot and creds to [Google Drive](
https://drive.google.com/drive/folders/1pDlg2XtS139d3sxq9iFqFs6vez8LeUgg?usp=sharing).
To use it, create a new folder
`~/.fleet/snapshots/test_host_vitals_labels`, download the `db.sql.gz`
file into it, then do `fdm restore --prep` and select
"test_host_vitals_labels". After starting the server you can trigger the
new job using `fleetctl trigger --name host_vitals_label_membership` or
wait five minutes.
New automated tests were added for a small change to the `GetLabels()`
method, and for the new cron job. Tests for other functionality were
added in https://github.com/fleetdm/fleet/pull/30278.
#29609
Verified the changes with [Entra ID's
validator](https://scimvalidator.microsoft.com/) and adding the
department attribute to the tester:
<img width="1312" alt="Screenshot 2025-06-27 at 8 54 32 AM"
src="https://github.com/user-attachments/assets/45a5deb8-7c65-49df-b3e8-eb05bea11f6b"
/>
<img width="1312" alt="Screenshot 2025-06-27 at 8 54 21 AM"
src="https://github.com/user-attachments/assets/91b554b5-b0b9-4bb6-a0cf-4e3b40e6ce21"
/>
- Tested with Okta
- TODO: Test with Entra ID and Google Workspace.
- I decided to not fail profile deployment if a user has no department
because it's not a required attribute, instead the
`FLEET_VAR_HOST_END_USER_IDP_DEPARTMENT` will be replaced with the empty
string.
---
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [X] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [X] If database migrations are included, checked table schema to
confirm autoupdate
(https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485)
- For database migrations:
- [X] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [X] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [X] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
- [X] Added/updated automated tests
- [X] Manual QA for all new/changed functionality
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- For database migrations:
- [x] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
- [x] Added/updated automated tests
- [x] Manual QA for all new/changed functionality
Fixes#29618, #30282.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] Added/updated automated tests
- [x] Manual QA for all new/changed functionality
