<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#33416
It's been decided to ship the feature and in the guide mention the apple
bug, that we are currently tracking.
[Slack
🧵](https://fleetdm.slack.com/archives/C03C41L5YEL/p1760448150025089?thread_ts=1760433366.092499&cid=C03C41L5YEL)
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* New Features
* Added Lost Mode support to lock iOS and iPadOS devices.
* Added ability to disable Lost Mode to unlock iOS/iPadOS devices.
* Improvements
* More consistent lock/unlock experience across macOS, iOS/iPadOS,
Windows, and Linux, with clearer status and activity updates.
* iOS/iPadOS now shows pending unlock status while Lost Mode disable is
in progress.
* Tests
* Added comprehensive end-to-end tests covering lock/unlock/wipe across
Apple, Windows, and Linux devices.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#26879
We decided to opt for a sticky enrollment approach, and I opted for
using redis, so this PR also adds a redis key value store to the free
service to use.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- Bug Fixes
- Prevents Orbit enrollment from undoing team transfers triggered during
MDM enrollment, preserving the correct team assignment on re-enrollment.
- Introduces a temporary “sticky” enrollment period (~30 minutes) during
Apple MDM check-in and Orbit enrollment to reduce unintended team
changes.
- Improves reliability of team-scoped enroll secrets and host transfers
in short re-enrollment windows.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#33110
**Related issue:** Resolves#33109
# Details
This PR implements the new "cancel setup if any software fails on macos"
flag, including both backend and frontend logic.
Half of the file changes are updating test expectations / auto-generated
schema.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [X] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
## Testing
- [X] Added/updated automated tests
- [X] QA'd all new/changed functionality manually
## New Fleet configuration settings
- [ ] Verified that the setting is exported via `fleetctl
generate-gitops`
`macos_setup` is still excluded from generate-girtops
- [X] Verified the setting is documented in a separate PR to [the GitOps
documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485)
Documented [here](https://github.com/fleetdm/fleet/pull/33016/files)
- [X] Verified that the setting is cleared on the server if it is not
supplied in a YAML file (or that it is documented as being optional)
- [X] Verified that any relevant UI is disabled when GitOps mode is
enabled
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- New Features
- Added a macOS setup option: “Cancel setup if software install fails.”
- Configure at global or team level; team settings override global.
- Toggle available in Setup Experience > Install software > Advanced
options.
- Saved state persists and can be updated without leaving the page.
- Devices honor the resolved setting during provisioning.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Ian Littman <iansltx@gmail.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#33173
# Details
This PR updates the "Setting up your device" page which appears in Linux
and Windows (and as of https://github.com/fleetdm/fleet/issues/30117,
MacOS) setup experiences. Front-end updates:
* Lots of renaming of things that were software-specific to now more
generically refer to "setup step"
* Removed the "My Device" heading
* Moved the info button inside the table header
* Added status of setup script run to the table
* Updated the empty state to not refer specifically to software
* Added optional `setup_only` query param to the `/device` page which,
if set, will always show the "setting up your device" page even if all
setup is complete. Normally as soon as setup finishes, the front-end
redirects to the regular My Device page. In the case of MacOS setup
experience, we don't want this to happen as we expect to either 1) keep
the setup experience up indefinitely if we're blocking device setup on
software install failure, or 2) close the setup dialog on successful
completion. This query param is also handy for testing.
* Added new "Configuration complete" state to be shown when all setup
steps are finished (successfully or not). This is only applicable on
MacOS, since other platforms will redirect to the My Device page when
finished.
This PR also includes one small backend change to the
`/device/{token}/setup_experience/status` API endpoint, to have it
return a `scripts` array alongside the existing `software` array. This
endpoint is not documented publicly.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [X] Added/updated automated tests
Updated existing DeviceUserPage tests that check the SettingUpYourDevice
content, and added new tests for the new scripts content and the new
query param.
- [X] QA'd all new/changed functionality manually
<img width="1028" height="867" alt="Screenshot 2025-10-02 at 7 20 28 PM"
src="https://github.com/user-attachments/assets/7adab2c2-dac1-4463-96fc-13094da2c379"
/>
(note that as of now we'd only have at most one script, showing multiple
here to demonstrate the different states)
<img width="1031" height="524" alt="Screenshot 2025-10-02 at 7 22 01 PM"
src="https://github.com/user-attachments/assets/bedaa840-d7ef-4b6f-8daf-6ac3b447594f"
/>
<img width="1222" height="760" alt="image"
src="https://github.com/user-attachments/assets/42cf82d5-53e0-4c4d-b60e-9ac2cc86af68"
/>
---------
Co-authored-by: Ian Littman <iansltx@gmail.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#31636 QA finding
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#32432
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
Fixes#31897.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
## Testing
- [ ] Added/updated automated tests
- [ ] QA'd all new/changed functionality manually
## New Fleet configuration settings
- [ ] Verified that the setting is exported via `fleetctl
generate-gitops`
- [x] Verified the setting is documented in a separate PR to [the GitOps
documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485)
- [ ] Verified that the setting is cleared on the server if it is not
supplied in a YAML file (or that it is documented as being optional)
- [x] Verified that any relevant UI is disabled when GitOps mode is
enabled
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- New Features
- GitOps now supports software icons: generate and include icon
files/paths in specs for packages and App Store apps.
- CLI adds flags to control concurrent icon uploads/updates.
- Icons are uploaded, updated, or deleted automatically during GitOps
runs.
- UI YAML modal now includes icon_url and offers icon download.
- Improvements
- Robust path resolution for icon assets across specs.
- Non-YAML outputs handle both string and byte file contents.
- Bug Fixes
- Removes stale icons after App Store app re-association.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Scott Gress <scottmgress@gmail.com>
Co-authored-by: Scott Gress <scott@fleetdm.com>
Co-authored-by: Jahziel Villasana-Espinoza <jahziel@fleetdm.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#33381 unreleased Linux unlock bug.
# Checklist for submitter
## Testing
- [x] QA'd all new/changed functionality manually
**Related issue:** Resolves#33351
Resolves an unreleased bug with Gitops validation of CA names.
Previously only gitops path was validating that a CA didn't have the
same name as another CA(I.e. Hydrant didn't have same name as digicert)
whereas correct validation per PM is only within a given type of CA,
i.e. can't have 2 hydrant with same name. Will also need cherrypick to
4.74.
No changes file sinec this is an unreleased bug in the overall Hydrant
CA story.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
For unreleased bug fixes in a release candidate, one of:
- [x] Confirmed that the fix is not expected to adversely impact load
test results
- [x] Alerted the release DRI if additional load testing is needed
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Followup fix for #30888
See
https://github.com/fleetdm/fleet/issues/30888#issuecomment-3321700108
Needs to be cherry-picked into 4.74
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
This PR adds Adobe Creative Cloud as a new maintained app for macOS. The
app is available through homebrew and is used for creative software
management and installation, including access to Adobe’s suite of tools
like Photoshop, Illustrator, and Premiere Pro.
Co-authored-by: Kenny Botelho <kbotelho@nvidia.com>
This PR adds P4V as a new maintained app for macOS. The app is available
through homebrew and is used for accessing and managing Perforce version
control repositories via a graphical interface.
---------
Co-authored-by: Kenny Botelho <kbotelho@nvidia.com>
Co-authored-by: Jonathan Katz <44128041+jkatz01@users.noreply.github.com>
Fixes#32331
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- New Features
- Expanded OpenTelemetry coverage to include scheduled jobs for improved
tracing of cron executions.
- Documentation
- Updated changelog to reflect expanded OpenTelemetry coverage.
- Refactor
- Updated scheduled job processing to use contextual tracing across
operations with improved span lifecycle handling.
- Tests
- Adjusted tests to pass context into scheduled job runs.
- Chores
- Removed obsolete commented debug logs in SCIM middleware.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
For #32788.
## Testing
- [X] Added/updated automated tests
- [X] QA'd all new/changed functionality manually
## fleetd/orbit/Fleet Desktop
- [X] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [X] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [x] Verified that fleetd runs on macOS, Linux and Windows
- [X] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- New Features
- Enhanced Linux setup experience: persists status on disk, resumes
automatically, and completes when software/scripts finish.
- Opens the “My Device” page only when desktop is enabled, using a
user-aware launcher on Linux.
- Linux setup status now focuses on software progress for faster,
clearer feedback.
- Bug Fixes
- Corrected auth/MDM checks: macOS requires Apple MDM; Linux no longer
blocked by MDM configuration on shared endpoints.
- Improved reliability and logging around software installation and
temporary directory cleanup.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Fixes#32331
Manually tested all paths. `/test` path removed in
https://github.com/fleetdm/fleet/pull/32962
Also added support for sending errors to OpenTelemetry, like we do for
APM/Sentry.
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added OpenTelemetry tracing across core HTTP endpoints (health,
version, assets, metrics, enroll/root, debug, Apple MDM, SCEP, SCIM)
with dynamic per-request route instrumentation.
* Enhanced error reporting to include OpenTelemetry spans/events with
contextual user/host attributes.
* **Tests**
* Added unit tests validating SCIM and error-handling telemetry, span
naming, and sensitive-data redaction.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
