fleet/docs/Contributing/reference/configuration-for-contributors.md
2025-06-14 14:26:45 -05:00

Configuration for contributors

This document lists Fleet server configuration settings that are useful when developing or contributing to Fleet.

Unlike the fleetctl apply format, the files and settings in this document are intended for development and testing rather than production. Where a setting has a production best practice, it is noted alongside the setting.

Fleet server configuration

s3_software_installers_disable_ssl

Disables TLS for connections to the S3 bucket that stores software installers. Useful for local testing against an S3-compatible store that has no certificate; leave it at false in production, since installers would otherwise be uploaded and downloaded in cleartext.

  • Default value: false
  • Environment variable: FLEET_S3_SOFTWARE_INSTALLERS_DISABLE_SSL
  • Config file format:
    s3:
      software_installers_disable_ssl: false
    

s3_carves_disable_ssl

Same as s3_software_installers_disable_ssl, but for the S3 bucket that stores file carves. Useful for local testing against an S3-compatible store that has no certificate; leave it at false in production.

  • Default value: false
  • Environment variable: FLEET_S3_CARVES_DISABLE_SSL
  • Config file format:
    s3:
      carves_disable_ssl: false
    

mdm.apple_apns_cert_bytes

The content of the Apple Push Notification service (APNs) certificate. An X.509 certificate, PEM-encoded. Typically generated via fleetctl generate mdm-apple.

  • Default value: ""
  • Environment variable: FLEET_MDM_APPLE_APNS_CERT_BYTES
  • Config file format:
    mdm:
      apple_apns_cert_bytes: |
        -----BEGIN CERTIFICATE-----
        ... PEM-encoded content ...
        -----END CERTIFICATE-----    
    

mdm.apple_apns_key_bytes

The content of the PEM-encoded private key for the Apple Push Notification service (APNs). Typically generated via fleetctl generate mdm-apple.

  • Default value: ""
  • Environment variable: FLEET_MDM_APPLE_APNS_KEY_BYTES
  • Config file format:
    mdm:
      apple_apns_key_bytes: |
        -----BEGIN RSA PRIVATE KEY-----
        ... PEM-encoded content ...
        -----END RSA PRIVATE KEY-----    
    

mdm.apple_scep_cert_bytes

The content of the Simple Certificate Enrollment Protocol (SCEP) certificate. An X.509 certificate, PEM-encoded. Typically generated via fleetctl generate mdm-apple.

  • Default value: ""
  • Environment variable: FLEET_MDM_APPLE_SCEP_CERT_BYTES
  • Config file format:
    mdm:
      apple_scep_cert_bytes: |
        -----BEGIN CERTIFICATE-----
        ... PEM-encoded content ...
        -----END CERTIFICATE-----    
    

The SCEP certificate/key pair generated by Fleet is valid for 10 years. Do not replace it unless it has been compromised.

If the pair was compromised and you replace it, disk encryption keys escrowed under the old pair can no longer be decrypted, so they stop being viewable on the Host details page of every macOS host until you turn disk encryption off and back on and each end user's key is reset and re-escrowed.

mdm.apple_scep_key_bytes

The content of the PEM-encoded private key for the Simple Certificate Enrollment Protocol (SCEP). Typically generated via fleetctl generate mdm-apple.

  • Default value: ""
  • Environment variable: FLEET_MDM_APPLE_SCEP_KEY_BYTES
  • Config file format:
    mdm:
      apple_scep_key_bytes: |
        -----BEGIN RSA PRIVATE KEY-----
        ... PEM-encoded content ...
        -----END RSA PRIVATE KEY-----    
    

mdm.apple_scep_challenge

A shared secret for the Simple Certificate Enrollment Protocol (SCEP). Define a unique, static secret exactly 32 characters long, using only alphanumeric characters, and generate it randomly rather than choosing a word (the value in the example below is a placeholder, not a suitable secret). Any client that presents this challenge can obtain a certificate from Fleet's SCEP endpoint, so treat it like any other credential and keep it out of source control.

SCEP is used for a number of certificate use cases. Notably, Mobile Device Management (MDM) systems such as Microsoft Intune and Apple MDM use it for PKI certificate enrollment.

  • Default value: ""
  • Environment variable: FLEET_MDM_APPLE_SCEP_CHALLENGE
  • Config file format:
    mdm:
      apple_scep_challenge: scepchallenge
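
The following is an added example, not code from Fleet: it generates a challenge that meets the two rules above (32 characters, alphanumeric only) from crypto/rand with unbiased sampling, and validates a candidate value before it is placed in FLEET_MDM_APPLE_SCEP_CHALLENGE. The function and constant names are this example's own.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
)

// scepAlphabet is the character set this document asks for: alphanumeric only.
const scepAlphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

// SCEPChallengeLength is the length the document recommends for the secret.
const SCEPChallengeLength = 32

// GenerateSCEPChallenge returns a random alphanumeric secret of n characters.
// Each character is drawn with crypto/rand through rand.Int, which rejection-
// samples internally, so no character of the alphabet is favoured the way a
// naive "random byte % 62" would favour the first few.
func GenerateSCEPChallenge(n int) (string, error) {
	if n <= 0 {
		return "", fmt.Errorf("challenge length must be positive, got %d", n)
	}
	out := make([]byte, n)
	alphabetSize := big.NewInt(int64(len(scepAlphabet)))
	for i := range out {
		idx, err := rand.Int(rand.Reader, alphabetSize)
		if err != nil {
			return "", fmt.Errorf("reading random bytes: %w", err)
		}
		out[i] = scepAlphabet[idx.Int64()]
	}
	return string(out), nil
}

// ValidateSCEPChallenge enforces the two rules the document states: exactly
// SCEPChallengeLength characters, all of them alphanumeric. A placeholder such
// as "scepchallenge" is rejected for being too short.
func ValidateSCEPChallenge(s string) error {
	if len(s) != SCEPChallengeLength {
		return fmt.Errorf("challenge must be %d characters, got %d", SCEPChallengeLength, len(s))
	}
	for i := 0; i < len(s); i++ {
		c := s[i]
		isAlnum := (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9')
		if !isAlnum {
			return fmt.Errorf("challenge contains non-alphanumeric byte %q at position %d", c, i)
		}
	}
	return nil
}

func main() {
	secret, err := GenerateSCEPChallenge(SCEPChallengeLength)
	if err != nil {
		panic(err)
	}
	if err := ValidateSCEPChallenge(secret); err != nil {
		panic(err)
	}
	// Hand the value to the server through the environment rather than writing
	// it into a config file that might end up committed.
	fmt.Printf("export FLEET_MDM_APPLE_SCEP_CHALLENGE=%s\n", secret)
}
```

Run it once, export the printed variable in the environment of the Fleet server process, and keep the generated value in your secrets store; the validator is the check to run on any value you did not generate this way.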
    

mdm.apple_bm_server_token_bytes

The content of the encrypted server token (.p7m file) downloaded from Apple Business Manager. It is an S/MIME enveloped-data message encrypted to the certificate in mdm.apple_bm_cert_bytes, which is why the first lines look like a MIME header rather than PEM.

  • Default value: ""
  • Environment variable: FLEET_MDM_APPLE_BM_SERVER_TOKEN_BYTES
  • Config file format:
    mdm:
      apple_bm_server_token_bytes: |
        Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type=enveloped-data
        Content-Transfer-Encoding: base64
        ... rest of content ...    
    

mdm.apple_bm_cert_bytes

The content of the Apple Business Manager certificate: a PEM-encoded X.509 certificate, typically generated via fleetctl generate mdm-apple-bm. This is the certificate you upload to Apple Business Manager, and its public key is what Apple uses to encrypt the server token.

  • Default value: ""
  • Environment variable: FLEET_MDM_APPLE_BM_CERT_BYTES
  • Config file format:
    mdm:
      apple_bm_cert_bytes: |
        -----BEGIN CERTIFICATE-----
        ... PEM-encoded content ...
        -----END CERTIFICATE-----    
    

mdm.apple_bm_key_bytes

The content of the PEM-encoded private key that pairs with mdm.apple_bm_cert_bytes; Fleet uses it to decrypt the server token. It's typically generated via fleetctl generate mdm-apple-bm.

  • Default value: ""
  • Environment variable: FLEET_MDM_APPLE_BM_KEY_BYTES
  • Config file format:
    mdm:
      apple_bm_key_bytes: |
        -----BEGIN RSA PRIVATE KEY-----
        ... PEM-encoded content ...
        -----END RSA PRIVATE KEY-----    
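
Every certificate/key setting above (APNs, SCEP and Apple Business Manager) takes a PEM certificate alongside a PEM private key, and the most common deployment mistake is pasting a certificate next to a key it does not belong to, or a certificate that has already expired. The following is an added example, not Fleet's code: CheckPEMPair parses both blocks in the shapes shown above (CERTIFICATE plus RSA PRIVATE KEY or PRIVATE KEY), confirms the key matches the certificate and that the certificate is within its validity period. NewSelfSignedPair is test scaffolding for this example only and is not what fleetctl generate does.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CheckPEMPair parses a PEM certificate and a PEM RSA private key, confirms
// that the key belongs to the certificate and that the certificate is valid at
// time now. It returns the parsed certificate so callers can log its expiry.
func CheckPEMPair(certPEM, keyPEM []byte, now time.Time) (*x509.Certificate, error) {
	certBlock, _ := pem.Decode(certPEM)
	if certBlock == nil || certBlock.Type != "CERTIFICATE" {
		return nil, errors.New("certificate: expected a PEM block of type CERTIFICATE")
	}
	cert, err := x509.ParseCertificate(certBlock.Bytes)
	if err != nil {
		return nil, fmt.Errorf("certificate: %w", err)
	}

	keyBlock, _ := pem.Decode(keyPEM)
	if keyBlock == nil {
		return nil, errors.New("key: no PEM block found")
	}
	var priv *rsa.PrivateKey
	switch keyBlock.Type {
	case "RSA PRIVATE KEY": // PKCS#1, the form shown in the examples above
		priv, err = x509.ParsePKCS1PrivateKey(keyBlock.Bytes)
	case "PRIVATE KEY": // PKCS#8
		var k any
		k, err = x509.ParsePKCS8PrivateKey(keyBlock.Bytes)
		if err == nil {
			var ok bool
			if priv, ok = k.(*rsa.PrivateKey); !ok {
				err = errors.New("PKCS#8 key is not RSA")
			}
		}
	default:
		return nil, fmt.Errorf("key: unsupported PEM block type %q", keyBlock.Type)
	}
	if err != nil {
		return nil, fmt.Errorf("key: %w", err)
	}

	// The key matches only if its public half is the key the certificate carries.
	certPub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("certificate public key is not RSA")
	}
	if !certPub.Equal(&priv.PublicKey) {
		return nil, errors.New("private key does not match certificate")
	}

	if now.Before(cert.NotBefore) {
		return nil, fmt.Errorf("certificate not valid until %s", cert.NotBefore.UTC())
	}
	if now.After(cert.NotAfter) {
		return nil, fmt.Errorf("certificate expired on %s", cert.NotAfter.UTC())
	}
	return cert, nil
}

// NewSelfSignedPair is scaffolding for this example (constructed, not fleetctl):
// a self-signed CA certificate valid for validFor, returned as PEM along with
// its PKCS#1-encoded private key.
func NewSelfSignedPair(cn string, validFor time.Duration) (certPEM, keyPEM []byte, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(validFor),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	return certPEM, keyPEM, nil
}

func main() {
	// A 10-year pair, the same lifetime the document gives for Fleet's SCEP pair.
	certPEM, keyPEM, err := NewSelfSignedPair("Example SCEP CA", 10*365*24*time.Hour)
	if err != nil {
		panic(err)
	}
	cert, err := CheckPEMPair(certPEM, keyPEM, time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Printf("OK: %s expires %s\n", cert.Subject.CommonName, cert.NotAfter.UTC().Format(time.RFC3339))
}
```

To check real material, read the two values out of the corresponding FLEET_MDM_APPLE_*_CERT_BYTES and *_KEY_BYTES variables (or the config file) and pass them to CheckPEMPair; a "does not match" error before the server starts is far cheaper than a failed enrollment afterwards.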
    

mdm.sso_rate_limit_per_minute

The number of requests per minute allowed, combined, to the Initiate SSO during DEP enrollment and Complete SSO during DEP enrollment endpoints.

The best practice is to set this to 3x the number of new employees (end users) who onboard at the same time (e.g. 300 if 100 end users set up their Macs simultaneously).

  • Default value: 10 (the same limit the Log in endpoint uses)
  • Environment variable: FLEET_MDM_SSO_RATE_LIMIT_PER_MINUTE
  • Config file format:
    mdm:
      sso_rate_limit_per_minute: 200
    

license.enforce_host_limit

Whether Fleet should enforce the host limit of the license. If true, attempts to enroll new hosts once the limit is reached will fail.

  • Default value: false
  • Environment variable: FLEET_LICENSE_ENFORCE_HOST_LIMIT
  • Config file format:
    license:
      enforce_host_limit: true
    

license.enable_analytics

For approved Fleet Premium customers only.

Whether to send anonymous usage statistics. Overrides the value set by enable_analytics in the Modify configuration API endpoint.

  • Default value: true
  • Environment variable: FLEET_LICENSE_ENABLE_ANALYTICS
  • Config file format:
    license:
      enable_analytics: false
    

FLEET_ENABLE_POST_CLIENT_DEBUG_ERRORS

Set this environment variable to enable the endpoint that lets fleetd report non-vital (debug) errors to the server. fleetd agents always report vital errors to Fleet, regardless of this setting.

Example YAML
    license:
      key: foobar
      enforce_host_limit: false

YAML files

features.detail_query_overrides

This setting overrides the "detail queries" hardcoded in Fleet (the built-in osquery queries Fleet runs on each host to collect its details).

IMPORTANT: Use this only when debugging issues with Fleet's hardcoded queries. A wrong or incomplete replacement query can break Fleet's ingestion of host data.

  • Optional setting (dictionary of key-value strings)
  • Default value: none (empty)
  • Config file format:
    features:
      detail_query_overrides:
        # null allows to disable the "users" query from running on hosts.
        users: null
        # this replaces the hardcoded "mdm" detail query.
        mdm: "SELECT enrolled, server_url, installed_from_dep, payload_identifier FROM mdm;"
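
The mapping above carries two distinct instructions per key, "disable this query" (null) and "replace its SQL" (a string), and a misspelled key silently matches nothing. The following is an added example, not Fleet's implementation: it decodes an overrides mapping into a form that preserves the null/string distinction, applies it to a constructed stand-in for the hardcoded query set (sampleHardcodedQueries is made up for this example and is not Fleet's real query list), and reports keys that name no hardcoded query. Rejecting an empty replacement string is this example's own guard, not behaviour the document attributes to Fleet.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// sampleHardcodedQueries is constructed for this example and stands in for the
// detail queries Fleet hardcodes; it is not Fleet's actual query set.
var sampleHardcodedQueries = map[string]string{
	"users":      "SELECT uid, username, type, groupname, shell FROM users;",
	"mdm":        "SELECT enrolled, server_url FROM mdm;",
	"os_version": "SELECT * FROM os_version;",
}

// ParseOverrides decodes a detail_query_overrides mapping from its JSON form
// (the same shape as the YAML above). A null value decodes to a nil pointer,
// which keeps "disable this query" distinct from "replace its SQL".
func ParseOverrides(data []byte) (map[string]*string, error) {
	var out map[string]*string
	if err := json.Unmarshal(data, &out); err != nil {
		return nil, fmt.Errorf("detail_query_overrides: %w", err)
	}
	return out, nil
}

// ApplyOverrides returns a copy of hardcoded with overrides applied: nil removes
// the query so it no longer runs, a string replaces its SQL. Keys that do not
// name a hardcoded query are returned separately so a typo is visible instead
// of silently doing nothing. An empty replacement is rejected (this example's
// own check): use null to disable a query, not "".
func ApplyOverrides(hardcoded map[string]string, overrides map[string]*string) (map[string]string, []string, error) {
	result := make(map[string]string, len(hardcoded))
	for k, v := range hardcoded {
		result[k] = v
	}
	var unknown []string
	for name, sql := range overrides {
		if _, known := hardcoded[name]; !known {
			unknown = append(unknown, name)
			continue
		}
		if sql == nil {
			delete(result, name) // users: null -> the query no longer runs
			continue
		}
		if strings.TrimSpace(*sql) == "" {
			return nil, nil, fmt.Errorf("override for %q is empty; use null to disable it", name)
		}
		result[name] = *sql // mdm: "SELECT ..." -> replaces the hardcoded SQL
	}
	sort.Strings(unknown)
	return result, unknown, nil
}

func main() {
	// Constructed input mirroring the YAML example, plus a deliberate typo ("user").
	raw := []byte(`{"users": null, "mdm": "SELECT enrolled, server_url, installed_from_dep, payload_identifier FROM mdm;", "user": "SELECT 1;"}`)
	overrides, err := ParseOverrides(raw)
	if err != nil {
		panic(err)
	}
	queries, unknown, err := ApplyOverrides(sampleHardcodedQueries, overrides)
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"users", "mdm", "os_version"} {
		if sql, ok := queries[name]; ok {
			fmt.Printf("%-10s %s\n", name, sql)
		} else {
			fmt.Printf("%-10s (disabled)\n", name)
		}
	}
	if len(unknown) > 0 {
		fmt.Println("unknown override keys:", unknown)
	}
}
```

The unknown-key report is the part worth keeping when you debug with this setting: an override that never takes effect looks exactly like a query that works, so check the key name before concluding the hardcoded query is at fault.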