fleet/docs/Contributing/reference/configuration-for-contributors.md

# Configuration for contributors

Don't use these Fleet server configuration options. For Fleet server configuration, please use the public [Fleet server configuration documentation](https://fleetdm.com/docs/configuration/fleet-server-configuration) instead. For YAML, please use the [public GitOps documentation](https://fleetdm.com/docs/configuration/yaml-files) instead.

These options in this document are only used when contributing to Fleet. They frequently change to reflect current functionality.

- [Fleet server configuration](#fleet-server-configuration)
- [YAML files](#yaml-files)

## Fleet server configuration

### s3_software_installers_disable_ssl

AWS S3 Disable SSL. Useful for local testing.

- Default value: false
- Environment variable: `FLEET_S3_SOFTWARE_INSTALLERS_DISABLE_SSL`
- Config file format:
  ```yaml
  s3:
    software_installers_disable_ssl: false
  ```

### s3_carves_disable_ssl

- Default value: false
- Environment variable: `FLEET_S3_CARVES_DISABLE_SSL`
- Config file format:
  ```yaml
  s3:
    carves_disable_ssl: false
  ```

### mdm.apple_apns_cert_bytes

The content of the Apple Push Notification service (APNs) certificate. An X.509 certificate, PEM-encoded. Typically generated via `fleetctl generate mdm-apple`.

- Default value: ""
- Environment variable: `FLEET_MDM_APPLE_APNS_CERT_BYTES`
- Config file format:
  ```yaml
  mdm:
    apple_apns_cert_bytes: |
      -----BEGIN CERTIFICATE-----
      ... PEM-encoded content ...
      -----END CERTIFICATE-----
  ```

### mdm.apple_apns_key_bytes

The content of the PEM-encoded private key for the Apple Push Notification service (APNs). Typically generated via `fleetctl generate mdm-apple`.

- Default value: ""
- Environment variable: `FLEET_MDM_APPLE_APNS_KEY_BYTES`
- Config file format:
  ```yaml
  mdm:
    apple_apns_key_bytes: |
      -----BEGIN RSA PRIVATE KEY-----
      ... PEM-encoded content ...
      -----END RSA PRIVATE KEY-----
  ```

### mdm.apple_scep_cert_bytes

The content of the Simple Certificate Enrollment Protocol (SCEP) certificate. An X.509 certificate, PEM-encoded. Typically generated via `fleetctl generate mdm-apple`.

- Default value: ""
- Environment variable: `FLEET_MDM_APPLE_SCEP_CERT_BYTES`
- Config file format:
  ```yaml
  mdm:
    apple_scep_cert_bytes: |
      -----BEGIN CERTIFICATE-----
      ... PEM-encoded content ...
      -----END CERTIFICATE-----
  ```

The SCEP certificate/key pair generated by Fleet expires every 10 years. It's recommended to never change these unless they were compromised.

If your certificate/key pair was compromised and you change the pair, the disk encryption keys will no longer be viewable on all macOS hosts' **Host details** page until you turn disk encryption off and back on and the keys are [reset by the end user](https://fleetdm.com/docs/using-fleet/MDM-migration-guide#how-to-turn-on-disk-encryption).

### mdm.apple_scep_key_bytes

The content of the PEM-encoded private key for the Simple Certificate Enrollment Protocol (SCEP). Typically generated via `fleetctl generate mdm-apple`.

- Default value: ""
- Environment variable: `FLEET_MDM_APPLE_SCEP_KEY_BYTES`
- Config file format:
  ```yaml
  mdm:
    apple_scep_key_bytes: |
      -----BEGIN RSA PRIVATE KEY-----
      ... PEM-encoded content ...
      -----END RSA PRIVATE KEY-----
  ```

### mdm.apple_scep_challenge

An alphanumeric secret for the Simple Certificate Enrollment Protocol (SCEP). Define a unique, static secret 32 characters in length and only include alphanumeric characters.

> SCEP is commonly applied to a number of certificate use cases. Notably, Mobile Device Management (MDM) systems like Microsoft Intune and Apple MDM use SCEP for PKI certificate enrollment.

- Default value: ""
- Environment variable: `FLEET_MDM_APPLE_SCEP_CHALLENGE`
- Config file format:
  ```yaml
  mdm:
    apple_scep_challenge: scepchallenge
  ```

### mdm.apple_bm_server_token_bytes

This is the content of the Apple Business Manager encrypted server token downloaded from Apple Business Manager.

- Default value: ""
- Environment variable: `FLEET_MDM_APPLE_BM_SERVER_TOKEN_BYTES`
- Config file format:
  ```yaml
  mdm:
    apple_bm_server_token_bytes: |
      Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type=enveloped-data
      Content-Transfer-Encoding: base64
      ... rest of content ...
  ```

### mdm.apple_bm_cert_bytes

This is the content of the Apple Business Manager certificate. The certificate is a PEM-encoded X.509 certificate that's typically generated via `fleetctl generate mdm-apple-bm`.

- Default value: ""
- Environment variable: `FLEET_MDM_APPLE_BM_CERT_BYTES`
- Config file format:
  ```yaml
  mdm:
    apple_bm_cert_bytes: |
      -----BEGIN CERTIFICATE-----
      ... PEM-encoded content ...
      -----END CERTIFICATE-----
  ```

### mdm.apple_bm_key_bytes

This is the content of the PEM-encoded private key for the Apple Business Manager. It's typically generated via `fleetctl generate mdm-apple-bm`.

- Default value: ""
- Environment variable: `FLEET_MDM_APPLE_BM_KEY_BYTES`
- Config file format:
  ```yaml
  mdm:
    apple_bm_key_bytes: |
      -----BEGIN RSA PRIVATE KEY-----
      ... PEM-encoded content ...
      -----END RSA PRIVATE KEY-----
  ```

### license.enforce_host_limit

Whether Fleet should enforce the host limit of the license, if true, attempting to enroll new hosts when the limit is reached will fail.

- Default value: `false`
- Environment variable: `FLEET_LICENSE_ENFORCE_HOST_LIMIT`
- Config file format:
  ```yaml
  license:
    enforce_host_limit: true
  ```

### license.enable_analytics

For approved Fleet Premium customers only.

Whether to send anonymous usage statistics. Overrides the value set by `enable_analytics` in the [Modify configuration](https://fleetdm.com/docs/rest-api/rest-api#modify-configuration) API endpoint.

- Default value: `true`
- Environment variable: `FLEET_LICENSE_ENABLE_ANALYTICS`
- Config file format:
  ```yaml
  license:
    enable_analytics: false
  ```

### microsoft_compliance_partner.proxy_api_key

For managed cloud customers only. The Fleet team sets this key.

Key that allows the Fleet server to communicate to the Microsoft compliance partner proxy on fleetdm.com.

- Default value: ""
- Environment variable: `FLEET_MICROSOFT_COMPLIANCE_PARTNER_PROXY_API_KEY`
- Config file format:
  ```yaml
  microsoft_compliance_partner:
    proxy_api_key: foobar
  ```

### mdm.enable_custom_os_updates_and_filevault

Documentation for setting has moved to the [Fleet server configuration](https://fleetdm.com/docs/configuration/fleet-server-configuration#mdm-enable_custom_os_updates_and_filevault) reference.

### logging.tracing_enabled

Enables OpenTelemetry tracing and metrics export. When enabled, traces and metrics are sent to the OTLP endpoint configured via the standard `OTEL_EXPORTER_OTLP_ENDPOINT` environment variable.

By default, OpenTelemetry is used. Set `tracing_type` to `elasticapm` only if you want to use Elastic APM instead.

- Default value: `false`
- Environment variable: `FLEET_LOGGING_TRACING_ENABLED`
- Config file format:
  ```yaml
  logging:
    tracing_enabled: true
    # tracing_type: elasticapm  # Only set if using Elastic APM instead of OpenTelemetry
  ```

### logging.otel_logs_enabled

Enables exporting logs to an OpenTelemetry collector in addition to stderr output. When enabled, logs are sent to the OTLP endpoint configured via the standard `OTEL_EXPORTER_OTLP_ENDPOINT` environment variable. Logs are automatically correlated with traces via `trace_id` and `span_id` attributes.

> **Note:** All log levels, including debug, are always sent to the OpenTelemetry collector regardless of the `logging.debug` setting. The `logging.debug` flag only controls what appears in stderr output.

> **Note:** This option requires `logging.tracing_enabled` to be set to `true`. Fleet will fail to start if `otel_logs_enabled` is `true` but `tracing_enabled` is `false`.

- Default value: `false`
- Environment variable: `FLEET_LOGGING_OTEL_LOGS_ENABLED`
- Config file format:
  ```yaml
  logging:
    tracing_enabled: true
    otel_logs_enabled: true
  ```

### mdm.allow_all_declarations

Documentation for setting has moved to the [Fleet server configuration](https://fleetdm.com/docs/configuration/fleet-server-configuration#mdm-allow-all-declarations) reference.

### FLEET_ENABLE_POST_CLIENT_DEBUG_ERRORS

Use this environment variable to allow `fleetd` to report errors to the server using the [endpoint to report an agent error](./API-for-contributors.md#report-an-agent-error). `fleetd` agents will always report vital errors to Fleet.

##### Example YAML

```yaml
license:
  key: foobar
  enforce_host_limit: false
```

## YAML files

### features.detail_query_overrides

This feature can be used to override "detail queries" hardcoded in Fleet.

> IMPORTANT: This feature should only be used when debugging issues with Fleet's hardcoded queries.
Use with caution as this may break Fleet ingestion of hosts data.

- Optional setting (dictionary of key-value strings)
- Default value: none (empty)
- Config file format:
  ```yaml
  features:
    detail_query_overrides:
      # null allows to disable the "users" query from running on hosts.
      users: null
      # this replaces the hardcoded "mdm" detail query.
      mdm: "SELECT enrolled, server_url, installed_from_dep, payload_identifier FROM mdm;"
  ```

<meta name="pageOrderInSection" value="1100">
<meta name="description" value="Learn about the configuration files and settings that are helpful when developing or contributing to Fleet.">