Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-04-21 13:37:30 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 91
fleet/docs/Contributing/reference/configuration-for-contributors.md
kilo-code-bot[bot] 7b49a20f7c
Move enable_custom_os_updates_and_filevault and allow_all_declarations to Fleet server configuration (#42938) 
- @noahtalerman: We decided to stop calling the settings experimental
and just warn in the docs what happens if you turn it on. That way we’re
not calling them “experimental” which feels unsafe. They're not
experimental; they're just deliberately allowing custom profiles.
2026-04-13 09:55:18 -04:00

271 lines
9.4 KiB
Markdown
Raw Blame History

# Configuration for contributors
Don't use these Fleet server configuration options. For Fleet server configuration, please use the public [Fleet server configuration documentation](https://fleetdm.com/docs/configuration/fleet-server-configuration) instead. For YAML, please use the [public GitOps documentation](https://fleetdm.com/docs/configuration/yaml-files) instead.
These options in this document are only used when contributing to Fleet. They frequently change to reflect current functionality.
- [Fleet server configuration](#fleet-server-configuration)
- [YAML files](#yaml-files)
## Fleet server configuration
### s3_software_installers_disable_ssl
AWS S3 Disable SSL. Useful for local testing.
- Default value: false
- Environment variable: `FLEET_S3_SOFTWARE_INSTALLERS_DISABLE_SSL`
- Config file format:
```yaml
s3:
software_installers_disable_ssl: false
```
### s3_carves_disable_ssl
- Default value: false
- Environment variable: `FLEET_S3_CARVES_DISABLE_SSL`
- Config file format:
```yaml
s3:
carves_disable_ssl: false
```
### mdm.apple_apns_cert_bytes
The content of the Apple Push Notification service (APNs) certificate. An X.509 certificate, PEM-encoded. Typically generated via `fleetctl generate mdm-apple`.
- Default value: ""
- Environment variable: `FLEET_MDM_APPLE_APNS_CERT_BYTES`
- Config file format:
```yaml
mdm:
apple_apns_cert_bytes: |
-----BEGIN CERTIFICATE-----
... PEM-encoded content ...
-----END CERTIFICATE-----
```
### mdm.apple_apns_key_bytes
The content of the PEM-encoded private key for the Apple Push Notification service (APNs). Typically generated via `fleetctl generate mdm-apple`.
- Default value: ""
- Environment variable: `FLEET_MDM_APPLE_APNS_KEY_BYTES`
- Config file format:
```yaml
mdm:
apple_apns_key_bytes: |
-----BEGIN RSA PRIVATE KEY-----
... PEM-encoded content ...
-----END RSA PRIVATE KEY-----
```
### mdm.apple_scep_cert_bytes
The content of the Simple Certificate Enrollment Protocol (SCEP) certificate. An X.509 certificate, PEM-encoded. Typically generated via `fleetctl generate mdm-apple`.
- Default value: ""
- Environment variable: `FLEET_MDM_APPLE_SCEP_CERT_BYTES`
- Config file format:
```yaml
mdm:
apple_scep_cert_bytes: |
-----BEGIN CERTIFICATE-----
... PEM-encoded content ...
-----END CERTIFICATE-----
```
The SCEP certificate/key pair generated by Fleet expires every 10 years. It's recommended to never change these unless they were compromised.
If your certificate/key pair was compromised and you change the pair, the disk encryption keys will no longer be viewable on all macOS hosts' **Host details** page until you turn disk encryption off and back on and the keys are [reset by the end user](https://fleetdm.com/docs/using-fleet/MDM-migration-guide#how-to-turn-on-disk-encryption).
### mdm.apple_scep_key_bytes
The content of the PEM-encoded private key for the Simple Certificate Enrollment Protocol (SCEP). Typically generated via `fleetctl generate mdm-apple`.
- Default value: ""
- Environment variable: `FLEET_MDM_APPLE_SCEP_KEY_BYTES`
- Config file format:
```yaml
mdm:
apple_scep_key_bytes: |
-----BEGIN RSA PRIVATE KEY-----
... PEM-encoded content ...
-----END RSA PRIVATE KEY-----
```
### mdm.apple_scep_challenge
An alphanumeric secret for the Simple Certificate Enrollment Protocol (SCEP). Define a unique, static secret 32 characters in length and only include alphanumeric characters.
> SCEP is commonly applied to a number of certificate use cases. Notably, Mobile Device Management (MDM) systems like Microsoft Intune and Apple MDM use SCEP for PKI certificate enrollment.
- Default value: ""
- Environment variable: `FLEET_MDM_APPLE_SCEP_CHALLENGE`
- Config file format:
```yaml
mdm:
apple_scep_challenge: scepchallenge
```
### mdm.apple_bm_server_token_bytes
This is the content of the Apple Business Manager encrypted server token downloaded from Apple Business Manager.
- Default value: ""
- Environment variable: `FLEET_MDM_APPLE_BM_SERVER_TOKEN_BYTES`
- Config file format:
```yaml
mdm:
apple_bm_server_token_bytes: |
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type=enveloped-data
Content-Transfer-Encoding: base64
... rest of content ...
```
### mdm.apple_bm_cert_bytes
This is the content of the Apple Business Manager certificate. The certificate is a PEM-encoded X.509 certificate that's typically generated via `fleetctl generate mdm-apple-bm`.
- Default value: ""
- Environment variable: `FLEET_MDM_APPLE_BM_CERT_BYTES`
- Config file format:
```yaml
mdm:
apple_bm_cert_bytes: |
-----BEGIN CERTIFICATE-----
... PEM-encoded content ...
-----END CERTIFICATE-----
```
### mdm.apple_bm_key_bytes
This is the content of the PEM-encoded private key for the Apple Business Manager. It's typically generated via `fleetctl generate mdm-apple-bm`.
- Default value: ""
- Environment variable: `FLEET_MDM_APPLE_BM_KEY_BYTES`
- Config file format:
```yaml
mdm:
apple_bm_key_bytes: |
-----BEGIN RSA PRIVATE KEY-----
... PEM-encoded content ...
-----END RSA PRIVATE KEY-----
```
### license.enforce_host_limit
Whether Fleet should enforce the host limit of the license, if true, attempting to enroll new hosts when the limit is reached will fail.
- Default value: `false`
- Environment variable: `FLEET_LICENSE_ENFORCE_HOST_LIMIT`
- Config file format:
```yaml
license:
enforce_host_limit: true
```
### license.enable_analytics
For approved Fleet Premium customers only.
Whether to send anonymous usage statistics. Overrides the value set by `enable_analytics` in the [Modify configuration](https://fleetdm.com/docs/rest-api/rest-api#modify-configuration) API endpoint.
- Default value: `true`
- Environment variable: `FLEET_LICENSE_ENABLE_ANALYTICS`
- Config file format:
```yaml
license:
enable_analytics: false
```
### microsoft_compliance_partner.proxy_api_key
For managed cloud customers only. The Fleet team sets this key.
Key that allows the Fleet server to communicate to the Microsoft compliance partner proxy on fleetdm.com.
- Default value: ""
- Environment variable: `FLEET_MICROSOFT_COMPLIANCE_PARTNER_PROXY_API_KEY`
- Config file format:
```yaml
microsoft_compliance_partner:
proxy_api_key: foobar
```
### mdm.enable_custom_os_updates_and_filevault
Documentation for setting has moved to the [Fleet server configuration](https://fleetdm.com/docs/configuration/fleet-server-configuration#mdm-enable_custom_os_updates_and_filevault) reference.
### logging.tracing_enabled
Enables OpenTelemetry tracing and metrics export. When enabled, traces and metrics are sent to the OTLP endpoint configured via the standard `OTEL_EXPORTER_OTLP_ENDPOINT` environment variable.
By default, OpenTelemetry is used. Set `tracing_type` to `elasticapm` only if you want to use Elastic APM instead.
- Default value: `false`
- Environment variable: `FLEET_LOGGING_TRACING_ENABLED`
- Config file format:
```yaml
logging:
tracing_enabled: true
# tracing_type: elasticapm # Only set if using Elastic APM instead of OpenTelemetry
```
### logging.otel_logs_enabled
Enables exporting logs to an OpenTelemetry collector in addition to stderr output. When enabled, logs are sent to the OTLP endpoint configured via the standard `OTEL_EXPORTER_OTLP_ENDPOINT` environment variable. Logs are automatically correlated with traces via `trace_id` and `span_id` attributes.
> **Note:** All log levels, including debug, are always sent to the OpenTelemetry collector regardless of the `logging.debug` setting. The `logging.debug` flag only controls what appears in stderr output.
> **Note:** This option requires `logging.tracing_enabled` to be set to `true`. Fleet will fail to start if `otel_logs_enabled` is `true` but `tracing_enabled` is `false`.
- Default value: `false`
- Environment variable: `FLEET_LOGGING_OTEL_LOGS_ENABLED`
- Config file format:
```yaml
logging:
tracing_enabled: true
otel_logs_enabled: true
```
### mdm.allow_all_declarations
Documentation for setting has moved to the [Fleet server configuration](https://fleetdm.com/docs/configuration/fleet-server-configuration#mdm-allow_all_declarations) reference.
### FLEET_ENABLE_POST_CLIENT_DEBUG_ERRORS
Use this environment variable to allow `fleetd` to report errors to the server using the [endpoint to report an agent error](./API-for-contributors.md#report-an-agent-error). `fleetd` agents will always report vital errors to Fleet.
##### Example YAML
```yaml
license:
key: foobar
enforce_host_limit: false
```
## YAML files
### features.detail_query_overrides
This feature can be used to override "detail queries" hardcoded in Fleet.
> IMPORTANT: This feature should only be used when debugging issues with Fleet's hardcoded queries.
Use with caution as this may break Fleet ingestion of hosts data.
- Optional setting (dictionary of key-value strings)
- Default value: none (empty)
- Config file format:
```yaml
features:
detail_query_overrides:
# null allows to disable the "users" query from running on hosts.
users: null
# this replaces the hardcoded "mdm" detail query.
mdm: "SELECT enrolled, server_url, installed_from_dep, payload_identifier FROM mdm;"
```
<meta name="pageOrderInSection" value="1100">
<meta name="description" value="Learn about the configuration files and settings that are helpful when developing or contributing to Fleet.">
Reference in a new issue View git blame Copy permalink