# Configuration for contributors

Don't use these Fleet server configuration options in a deployment. For Fleet server configuration, use the public Fleet server configuration documentation instead. For YAML, use the public GitOps documentation instead.

The options in this document are only used when contributing to Fleet. They change frequently to reflect current functionality.

## Fleet server configuration
### s3_software_installers_disable_ssl

Disables SSL (TLS) for the S3 connection used for software installers. Useful for local testing against an S3-compatible endpoint that has no TLS. With SSL off, traffic to the bucket, including installer contents, is unencrypted, so only use it locally.

- Default value: `false`
- Environment variable: `FLEET_S3_SOFTWARE_INSTALLERS_DISABLE_SSL`
- Config file format:
  ```yaml
  s3:
    software_installers_disable_ssl: false
  ```
### s3_carves_disable_ssl

Same as above, but for the S3 connection used to store file carves. Useful for local testing only.

- Default value: `false`
- Environment variable: `FLEET_S3_CARVES_DISABLE_SSL`
- Config file format:
  ```yaml
  s3:
    carves_disable_ssl: false
  ```
### mdm.apple_apns_cert_bytes

The content of the Apple Push Notification service (APNs) certificate. An X.509 certificate, PEM-encoded. Typically generated via `fleetctl generate mdm-apple`.

- Default value: `""`
- Environment variable: `FLEET_MDM_APPLE_APNS_CERT_BYTES`
- Config file format:
  ```yaml
  mdm:
    apple_apns_cert_bytes: |
      -----BEGIN CERTIFICATE-----
      ... PEM-encoded content ...
      -----END CERTIFICATE-----
  ```
### mdm.apple_apns_key_bytes

The content of the PEM-encoded private key for the Apple Push Notification service (APNs). Typically generated via `fleetctl generate mdm-apple`.

- Default value: `""`
- Environment variable: `FLEET_MDM_APPLE_APNS_KEY_BYTES`
- Config file format:
  ```yaml
  mdm:
    apple_apns_key_bytes: |
      -----BEGIN RSA PRIVATE KEY-----
      ... PEM-encoded content ...
      -----END RSA PRIVATE KEY-----
  ```
### mdm.apple_scep_cert_bytes

The content of the Simple Certificate Enrollment Protocol (SCEP) certificate. An X.509 certificate, PEM-encoded. Typically generated via `fleetctl generate mdm-apple`.

- Default value: `""`
- Environment variable: `FLEET_MDM_APPLE_SCEP_CERT_BYTES`
- Config file format:
  ```yaml
  mdm:
    apple_scep_cert_bytes: |
      -----BEGIN CERTIFICATE-----
      ... PEM-encoded content ...
      -----END CERTIFICATE-----
  ```

The SCEP certificate/key pair generated by Fleet is valid for 10 years. Never change the pair unless it was compromised.

If the pair was compromised and you replace it, the escrowed disk encryption keys will no longer be viewable on the Host details page of any macOS host until you turn disk encryption off and back on and the key is reset by the end user.
### mdm.apple_scep_key_bytes

The content of the PEM-encoded private key for the Simple Certificate Enrollment Protocol (SCEP). Typically generated via `fleetctl generate mdm-apple`.

- Default value: `""`
- Environment variable: `FLEET_MDM_APPLE_SCEP_KEY_BYTES`
- Config file format:
  ```yaml
  mdm:
    apple_scep_key_bytes: |
      -----BEGIN RSA PRIVATE KEY-----
      ... PEM-encoded content ...
      -----END RSA PRIVATE KEY-----
  ```
### mdm.apple_scep_challenge

An alphanumeric shared secret for the Simple Certificate Enrollment Protocol (SCEP). Define a unique, static secret exactly 32 characters long, containing only alphanumeric characters.

SCEP is used for a number of certificate use cases. Notably, Mobile Device Management (MDM) systems such as Microsoft Intune and Apple MDM use SCEP for PKI certificate enrollment.

- Default value: `""`
- Environment variable: `FLEET_MDM_APPLE_SCEP_CHALLENGE`
- Config file format:
  ```yaml
  mdm:
    apple_scep_challenge: scepchallenge # placeholder; use a 32-character alphanumeric secret
  ```
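Before pasting a SCEP (or APNs/ABM) PEM pair into the `*_CERT_BYTES` / `*_KEY_BYTES` options above, a contributor usually wants two checks: that the private key actually belongs to the certificate, and when the certificate expires (the 10-year window mentioned above). The same sanity pass applies to the SCEP challenge's 32-alphanumeric-character rule. The program below is an added example written for this page, not Fleet's own code, using only the Go standard library. `CheckPair`, `ValidSCEPChallenge`, `NewSCEPChallenge` and `SelfSignedPair` are names chosen here; the self-signed certificate `SelfSignedPair` mints is a constructed fixture standing in for `fleetctl generate mdm-apple` output, so the program runs offline.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"regexp"
	"time"
)

// PairReport: what to check before pasting a PEM pair into FLEET_MDM_APPLE_*_CERT_BYTES / *_KEY_BYTES.
type PairReport struct {
	NotAfter time.Time
	DaysLeft int  // whole days until NotAfter, relative to the time passed in
	KeyMatch bool // private key modulus and exponent equal the cert's public key
}

// CheckPair parses a PEM X.509 cert and a PEM PKCS#1 RSA key (the block types the page shows).
func CheckPair(certPEM, keyPEM []byte, now time.Time) (PairReport, error) {
	cb, _ := pem.Decode(certPEM)
	if cb == nil || cb.Type != "CERTIFICATE" {
		return PairReport{}, fmt.Errorf("cert: no CERTIFICATE PEM block")
	}
	cert, err := x509.ParseCertificate(cb.Bytes)
	if err != nil {
		return PairReport{}, fmt.Errorf("cert: %w", err)
	}
	kb, _ := pem.Decode(keyPEM)
	if kb == nil || kb.Type != "RSA PRIVATE KEY" {
		return PairReport{}, fmt.Errorf("key: no RSA PRIVATE KEY PEM block")
	}
	key, err := x509.ParsePKCS1PrivateKey(kb.Bytes)
	if err != nil {
		return PairReport{}, fmt.Errorf("key: %w", err)
	}
	certPub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return PairReport{}, fmt.Errorf("cert: public key is not RSA")
	}
	return PairReport{
		NotAfter: cert.NotAfter,
		DaysLeft: int(cert.NotAfter.Sub(now).Hours() / 24),
		KeyMatch: certPub.N.Cmp(key.N) == 0 && certPub.E == key.E,
	}, nil
}

// ValidSCEPChallenge applies the rule stated above: exactly 32 alphanumeric characters.
var challengeRe = regexp.MustCompile(`^[A-Za-z0-9]{32}$`)
func ValidSCEPChallenge(s string) bool { return challengeRe.MatchString(s) }

// NewSCEPChallenge draws 32 chars uniformly from [A-Za-z0-9]; rand.Int avoids modulo bias.
func NewSCEPChallenge() (string, error) {
	const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
	out := make([]byte, 32)
	for i := range out {
		n, err := rand.Int(rand.Reader, big.NewInt(int64(len(alphabet))))
		if err != nil {
			return "", err
		}
		out[i] = alphabet[n.Int64()]
	}
	return string(out), nil
}

// SelfSignedPair is a constructed fixture (not fleetctl output): a self-signed RSA cert/key in PEM.
func SelfSignedPair(cn string, validFor time.Duration) (certPEM, keyPEM []byte, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(validFor),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	return certPEM, keyPEM, nil
}

func main() {
	certPEM, keyPEM, err := SelfSignedPair("Fleet SCEP test", 10*365*24*time.Hour)
	if err != nil {
		panic(err)
	}
	rep, err := CheckPair(certPEM, keyPEM, time.Now())
	c, _ := NewSCEPChallenge()
	fmt.Println(rep, err, "challenge:", c, "valid:", ValidSCEPChallenge(c))
}
```

To run it against real material, read the PEM files into `certPEM` and `keyPEM` instead of calling `SelfSignedPair`; a `KeyMatch` of `false` means the two `*_BYTES` values were taken from different `fleetctl` runs. The generator is there because the page's example value `scepchallenge` is only a placeholder and does not satisfy the 32-character rule.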
### mdm.apple_bm_server_token_bytes

The content of the encrypted server token (an S/MIME enveloped-data file) downloaded from Apple Business Manager.

- Default value: `""`
- Environment variable: `FLEET_MDM_APPLE_BM_SERVER_TOKEN_BYTES`
- Config file format:
  ```yaml
  mdm:
    apple_bm_server_token_bytes: |
      Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type=enveloped-data
      Content-Transfer-Encoding: base64
      ... rest of content ...
  ```
### mdm.apple_bm_cert_bytes

The content of the Apple Business Manager certificate. A PEM-encoded X.509 certificate, typically generated via `fleetctl generate mdm-apple-bm`.

- Default value: `""`
- Environment variable: `FLEET_MDM_APPLE_BM_CERT_BYTES`
- Config file format:
  ```yaml
  mdm:
    apple_bm_cert_bytes: |
      -----BEGIN CERTIFICATE-----
      ... PEM-encoded content ...
      -----END CERTIFICATE-----
  ```
### mdm.apple_bm_key_bytes

The content of the PEM-encoded private key for Apple Business Manager. Typically generated via `fleetctl generate mdm-apple-bm`.

- Default value: `""`
- Environment variable: `FLEET_MDM_APPLE_BM_KEY_BYTES`
- Config file format:
  ```yaml
  mdm:
    apple_bm_key_bytes: |
      -----BEGIN RSA PRIVATE KEY-----
      ... PEM-encoded content ...
      -----END RSA PRIVATE KEY-----
  ```
### license.enforce_host_limit

Whether Fleet enforces the license's host limit. If `true`, attempts to enroll new hosts once the limit is reached fail.

- Default value: `false`
- Environment variable: `FLEET_LICENSE_ENFORCE_HOST_LIMIT`
- Config file format:
  ```yaml
  license:
    enforce_host_limit: true
  ```
### license.enable_analytics

For approved Fleet Premium customers only.

Whether to send anonymous usage statistics. Overrides the value set by `enable_analytics` in the Modify configuration API endpoint.

- Default value: `true`
- Environment variable: `FLEET_LICENSE_ENABLE_ANALYTICS`
- Config file format:
  ```yaml
  license:
    enable_analytics: false
  ```
### microsoft_compliance_partner.proxy_api_key

For managed cloud customers only. The Fleet team sets this key.

Key that allows the Fleet server to communicate with the Microsoft compliance partner proxy on fleetdm.com.

- Default value: `""`
- Environment variable: `FLEET_MICROSOFT_COMPLIANCE_PARTNER_PROXY_API_KEY`
- Config file format:
  ```yaml
  microsoft_compliance_partner:
    proxy_api_key: foobar
  ```
### mdm.enable_custom_os_updates_and_filevault

Experimental feature. This option will be removed when Fleet adds the ability to add custom OS update and FileVault profiles via Fleet's UI, API, and YAML.

This configuration option is not production ready and hasn't been tested by Fleet. Custom OS update / FileVault configuration profiles will conflict with the profiles Fleet uses for these features under the hood.

If set to `true`, Fleet allows users to add the `SoftwareUpdateEnforcementSpecific` declaration (DDM), the `FDEFileVault`, `FDEFileVaultOptions` and `FDERecoveryKeyEscrow` configuration profile payloads, and `/Vendor/MSFT/Policy/Config/Update/` (Windows CSP) configuration profiles.

- Default value: `false`
- Environment variable: `FLEET_MDM_ENABLE_CUSTOM_OS_UPDATES_AND_FILEVAULT`
- Config file format:
  ```yaml
  mdm:
    enable_custom_os_updates_and_filevault: true
  ```
### logging.tracing_enabled

Enables OpenTelemetry tracing and metrics export. When enabled, traces and metrics are sent to the OTLP endpoint configured via the standard `OTEL_EXPORTER_OTLP_ENDPOINT` environment variable.

By default, OpenTelemetry is used. Set `tracing_type` to `elasticapm` only if you want to use Elastic APM instead.

- Default value: `false`
- Environment variable: `FLEET_LOGGING_TRACING_ENABLED`
- Config file format:
  ```yaml
  logging:
    tracing_enabled: true
    # tracing_type: elasticapm  # Only set if using Elastic APM instead of OpenTelemetry
  ```
### logging.otel_logs_enabled

Enables exporting logs to an OpenTelemetry collector in addition to stderr output. When enabled, logs are sent to the OTLP endpoint configured via the standard `OTEL_EXPORTER_OTLP_ENDPOINT` environment variable. Logs are automatically correlated with traces via `trace_id` and `span_id` attributes.

Note: All log levels, including debug, are always sent to the OpenTelemetry collector regardless of the `logging.debug` setting. The `logging.debug` flag only controls what appears in stderr output.

Note: This option requires `logging.tracing_enabled` to be set to `true`. Fleet will fail to start if `otel_logs_enabled` is `true` but `tracing_enabled` is `false`.

- Default value: `false`
- Environment variable: `FLEET_LOGGING_OTEL_LOGS_ENABLED`
- Config file format:
  ```yaml
  logging:
    tracing_enabled: true
    otel_logs_enabled: true
  ```
### mdm.allow_all_declarations

Experimental feature. This option will be removed when Fleet adds the ability to add any declaration via Fleet's UI, API, and YAML.

This configuration option is not production ready and hasn't been tested by Fleet. Enabling it bypasses all safety checks for declarations, including the checks for forbidden declaration types, reserved identifiers, and required prefixes. Use it only when you need to deploy declarations that Fleet would otherwise block.

If set to `true`, you can add all types of Apple declaration profiles. By default, Fleet doesn't allow these declarations.

Asset declarations require additional infrastructure: you need to self-host the asset and include its URL in the declaration.

- Default value: `false`
- Environment variable: `FLEET_MDM_ALLOW_ALL_DECLARATIONS`
- Config file format:
  ```yaml
  mdm:
    allow_all_declarations: true
  ```
### FLEET_ENABLE_POST_CLIENT_DEBUG_ERRORS

Set this environment variable to allow fleetd to report debug errors to the server via the agent error reporting endpoint. fleetd agents always report vital errors to Fleet, regardless of this setting.

### Example YAML

```yaml
license:
  key: foobar
  enforce_host_limit: false
```
## YAML files

### features.detail_query_overrides

This feature can be used to override the "detail queries" hardcoded in Fleet.

IMPORTANT: Use this feature only when debugging issues with Fleet's hardcoded queries. Use with caution: an override that returns different columns may break Fleet's ingestion of host data.

- Optional setting (dictionary of key-value strings)
- Default value: none (empty)
- Config file format:
  ```yaml
  features:
    detail_query_overrides:
      # null disables the "users" query so it does not run on hosts.
      users: null
      # this replaces the hardcoded "mdm" detail query.
      mdm: "SELECT enrolled, server_url, installed_from_dep, payload_identifier FROM mdm;"
  ```