Configuration for contributors

Don't use these Fleet server configuration options. For Fleet server configuration, please use the public Fleet server configuration documentation instead. For YAML, please use the public GitOps documentation instead.

The options in this document are only used when contributing to Fleet. They change frequently to reflect current functionality.

Fleet server configuration

s3_software_installers_disable_ssl

AWS S3 Disable SSL. Useful for local testing.

  • Default value: false
  • Environment variable: FLEET_S3_SOFTWARE_INSTALLERS_DISABLE_SSL
  • Config file format:
    s3:
      software_installers_disable_ssl: false
    

s3_carves_disable_ssl

  • Default value: false
  • Environment variable: FLEET_S3_CARVES_DISABLE_SSL
  • Config file format:
    s3:
      carves_disable_ssl: false
    

mdm.apple_apns_cert_bytes

The content of the Apple Push Notification service (APNs) certificate. An X.509 certificate, PEM-encoded. Typically generated via fleetctl generate mdm-apple.

  • Default value: ""
  • Environment variable: FLEET_MDM_APPLE_APNS_CERT_BYTES
  • Config file format:
    mdm:
      apple_apns_cert_bytes: |
        -----BEGIN CERTIFICATE-----
        ... PEM-encoded content ...
        -----END CERTIFICATE-----    
    

mdm.apple_apns_key_bytes

The content of the PEM-encoded private key for the Apple Push Notification service (APNs). Typically generated via fleetctl generate mdm-apple.

  • Default value: ""
  • Environment variable: FLEET_MDM_APPLE_APNS_KEY_BYTES
  • Config file format:
    mdm:
      apple_apns_key_bytes: |
        -----BEGIN RSA PRIVATE KEY-----
        ... PEM-encoded content ...
        -----END RSA PRIVATE KEY-----    
    

mdm.apple_scep_cert_bytes

The content of the Simple Certificate Enrollment Protocol (SCEP) certificate. An X.509 certificate, PEM-encoded. Typically generated via fleetctl generate mdm-apple.

  • Default value: ""
  • Environment variable: FLEET_MDM_APPLE_SCEP_CERT_BYTES
  • Config file format:
    mdm:
      apple_scep_cert_bytes: |
        -----BEGIN CERTIFICATE-----
        ... PEM-encoded content ...
        -----END CERTIFICATE-----    
    

The SCEP certificate/key pair generated by Fleet expires every 10 years. It's recommended to never change these unless they were compromised.

If your certificate/key pair was compromised and you change the pair, the disk encryption keys will no longer be viewable on all macOS hosts' Host details page until you turn disk encryption off and back on and the keys are reset by the end user.

mdm.apple_scep_key_bytes

The content of the PEM-encoded private key for the Simple Certificate Enrollment Protocol (SCEP). Typically generated via fleetctl generate mdm-apple.

  • Default value: ""
  • Environment variable: FLEET_MDM_APPLE_SCEP_KEY_BYTES
  • Config file format:
    mdm:
      apple_scep_key_bytes: |
        -----BEGIN RSA PRIVATE KEY-----
        ... PEM-encoded content ...
        -----END RSA PRIVATE KEY-----    
    

mdm.apple_scep_challenge

An alphanumeric secret for the Simple Certificate Enrollment Protocol (SCEP). Define a unique, static secret 32 characters in length and only include alphanumeric characters.

SCEP is commonly applied to a number of certificate use cases. Notably, Mobile Device Management (MDM) systems like Microsoft Intune and Apple MDM use SCEP for PKI certificate enrollment.

  • Default value: ""
  • Environment variable: FLEET_MDM_APPLE_SCEP_CHALLENGE
  • Config file format:
    mdm:
      apple_scep_challenge: scepchallenge
    

mdm.apple_bm_server_token_bytes

This is the content of the Apple Business Manager encrypted server token downloaded from Apple Business Manager.

  • Default value: ""
  • Environment variable: FLEET_MDM_APPLE_BM_SERVER_TOKEN_BYTES
  • Config file format:
    mdm:
      apple_bm_server_token_bytes: |
        Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type=enveloped-data
        Content-Transfer-Encoding: base64
        ... rest of content ...    
    

mdm.apple_bm_cert_bytes

This is the content of the Apple Business Manager certificate. The certificate is a PEM-encoded X.509 certificate that's typically generated via fleetctl generate mdm-apple-bm.

  • Default value: ""
  • Environment variable: FLEET_MDM_APPLE_BM_CERT_BYTES
  • Config file format:
    mdm:
      apple_bm_cert_bytes: |
        -----BEGIN CERTIFICATE-----
        ... PEM-encoded content ...
        -----END CERTIFICATE-----    
    

mdm.apple_bm_key_bytes

This is the content of the PEM-encoded private key for the Apple Business Manager. It's typically generated via fleetctl generate mdm-apple-bm.

  • Default value: ""
  • Environment variable: FLEET_MDM_APPLE_BM_KEY_BYTES
  • Config file format:
    mdm:
      apple_bm_key_bytes: |
        -----BEGIN RSA PRIVATE KEY-----
        ... PEM-encoded content ...
        -----END RSA PRIVATE KEY-----    
    

license.enforce_host_limit

Whether Fleet should enforce the host limit of the license. If true, attempting to enroll new hosts when the limit is reached will fail.

  • Default value: false
  • Environment variable: FLEET_LICENSE_ENFORCE_HOST_LIMIT
  • Config file format:
    license:
      enforce_host_limit: true
    

license.enable_analytics

For approved Fleet Premium customers only.

Whether to send anonymous usage statistics. Overrides the value set by enable_analytics in the Modify configuration API endpoint.

  • Default value: true
  • Environment variable: FLEET_LICENSE_ENABLE_ANALYTICS
  • Config file format:
    license:
      enable_analytics: false
    

microsoft_compliance_partner.proxy_api_key

For managed cloud customers only. The Fleet team sets this key.

Key that allows the Fleet server to communicate with the Microsoft compliance partner proxy on fleetdm.com.

  • Default value: ""
  • Environment variable: FLEET_MICROSOFT_COMPLIANCE_PARTNER_PROXY_API_KEY
  • Config file format:
    microsoft_compliance_partner:
      proxy_api_key: foobar
    

mdm.enable_custom_os_updates_and_filevault

Experimental feature. This feature will be removed when Fleet adds the ability to add custom OS update and FileVault profiles via Fleet's UI, API, and YAML.

This configuration option is not production ready. There will be conflicts between custom OS updates / FileVault configuration profiles and the profiles Fleet uses for these features under the hood. This hasn't been tested by Fleet.

If set to true, Fleet allows users to add the SoftwareUpdateEnforcementSpecific declaration (DDM) profile, FDEFileVault, FDEFileVaultOptions, FDERecoveryKeyEscrow, and /Vendor/MSFT/Policy/Config/Update/ configuration profiles.

  • Default value: false
  • Environment variable: FLEET_MDM_ENABLE_CUSTOM_OS_UPDATES_AND_FILEVAULT
  • Config file format:
    mdm:
      enable_custom_os_updates_and_filevault: true
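
A pre-deploy check for the contributor-only settings described above (the S3 disable-SSL switches, the SCEP challenge format, the APNs/SCEP/Apple Business Manager PEM values, and this experimental flag), run against the environment variables this page lists. This is an added example, not Fleet's own code; the function names, the accepted "true" spellings, and the finding messages are assumptions.

```python
import os
import re
import secrets
import string

# Contributor-only switches from this page that should stay at their default
# (false) anywhere other than a local test setup.
RISKY_FLAGS = {
    "FLEET_S3_SOFTWARE_INSTALLERS_DISABLE_SSL": "S3 SSL disabled (local testing only)",
    "FLEET_S3_CARVES_DISABLE_SSL": "S3 SSL disabled for carves",
    "FLEET_MDM_ENABLE_CUSTOM_OS_UPDATES_AND_FILEVAULT": "experimental, not production ready",
}
# Assumption: these spellings count as "true"; Fleet's own parser may differ.
TRUTHY = {"1", "t", "true", "yes", "on"}
PEM_LABEL = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")


def generate_scep_challenge(length=32):
    """Return a random alphanumeric secret drawn from the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def audit_env(env):
    """Return a sorted list of (variable, finding) for a mapping of env vars."""
    findings = []
    for name, why in RISKY_FLAGS.items():
        if env.get(name, "").strip().lower() in TRUTHY:
            findings.append((name, why))
    challenge = env.get("FLEET_MDM_APPLE_SCEP_CHALLENGE", "")
    if challenge and not re.fullmatch(r"[A-Za-z0-9]{32}", challenge):
        findings.append(("FLEET_MDM_APPLE_SCEP_CHALLENGE", "not 32 alphanumeric characters"))
    for name, value in env.items():
        # Unset/empty values are the documented default; only check what is set.
        if not value or not name.startswith("FLEET_MDM_APPLE_"):
            continue
        m = PEM_LABEL.search(value)
        label = m.group(1) if m else ""
        if name.endswith("_CERT_BYTES") and label != "CERTIFICATE":
            findings.append((name, "expected a PEM CERTIFICATE block"))
        elif name.endswith("_KEY_BYTES") and not label.endswith("PRIVATE KEY"):
            findings.append((name, "expected a PEM private key block"))
    return sorted(findings)


if __name__ == "__main__":
    for name, finding in audit_env(os.environ):
        print(f"{name}: {finding}")  # report names only, never the secret values
```
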
    

FLEET_ENABLE_POST_CLIENT_DEBUG_ERRORS

Use this environment variable to allow fleetd to report errors to the server using the endpoint to report an agent error. fleetd agents will always report vital errors to Fleet.

Example YAML
license:
  key: foobar
  enforce_host_limit: false

YAML files

features.detail_query_overrides

This feature can be used to override "detail queries" hardcoded in Fleet.

IMPORTANT: This feature should only be used when debugging issues with Fleet's hardcoded queries. Use with caution as this may break Fleet ingestion of hosts data.

  • Optional setting (dictionary of key-value strings)
  • Default value: none (empty)
  • Config file format:
    features:
      detail_query_overrides:
        # Setting a query to null disables it; here the "users" query no longer runs on hosts.
        users: null
        # This replaces the hardcoded "mdm" detail query.
        mdm: "SELECT enrolled, server_url, installed_from_dep, payload_identifier FROM mdm;"