diff --git a/CHANGELOG.md b/CHANGELOG.md index 2e8745665715..f1f4dd2cee3e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,56 @@ +## Fleet 4.57.0 (Sep 23, 2024) + +**Endpoint Operations** + +- Added support for configuring policy installers via GitOps. +- Added support for policies in "No team" that run on hosts that belong to "No team". +- Added reserved team names: "All teams" and "No team". +- Added support the software status filter for 'No teams' on the hosts page. +- Enable 'No teams' funcitonality for the policies page and associated workflows. +- Added reset install counts and cancel pending installs/uninstalls when GitOps installer updates change package contents. +- Added support for software installer packages, self-service flag, scripts, pre-install query, and self-service availability to be edited in-place rather than deleted and re-added. + +**Device Management (MDM)** + +- Added feature allowing automatic installation of software on hosts that fail policies. +- Added feature for end users to enroll BYOD devices into Fleet MDM. +- Added the ability to use Fleet to uninstall packages from hosts. +- Added an endpoint for getting an OTA MDM profile for enrolling iOS and iPadOS hosts. +- Added protocol support for OTA enrollment and automatic team assignment for hosts. +- Added validation of Setup Assistant profiles on profile upload. +- Added validation to prevent installing software on a host with a pending installation. +- Allowed custom SCEP CA certificates with any kind of extendedKeyUsage attributes. +- Modified `POST /api/latest/fleet/software/batch` endpoint to be asynchronous and added a new endpoint `GET /api/latest/fleet/software/batch/{request_uuid}` to retrieve the result of the batch upload. + +**Vulnerability Management** + +- Fixed a false negative vulnerability for git. +- Fixed false positive vulnerabilities for minio. +- Fixed an issue where virtual box for macOS wasn't matching against the NVD product name. 
+- Fixed Ubuntu python package false positive vulnerabilities by removing duplicate entries for ubuntu python packages installed by dpkg and renaming remaining pip installed packages to match OVAL definitions. + +**Bug fixes and improvements** + +- Updated Go to go1.23.1. +- Removed validation of APNS certificate from server startup. +- Removed invalid node keys from server logs. +- Improved the UX of turning off MDM on an offline host. +- Improved clarity of GitOps VPP app ID type errors. +- Improved gitops error message about enabling windows MDM. +- Improved messaging for VPP token constraint errors. +- Improved loading state for UI tables when no data is present yet. +- Improved permissions so that hosts can no longer access installers that aren't directly assigned to them. +- Improved verification of premium license before uploading VPP tokens. +- Added "0 items" description on empty software tables for UI consistency. +- Updated the macos target minimum version tooltip. +- Fixed logic to properly catch and log APNs errors. +- Fixed UI overflow issues with OS settings table data. +- Fixed regression for checking email used to get a signed CSR. +- Fixed bugs on enrollment profiles when the organization name contains invalid XML characters. +- Fixed an issue with cron profiles delivery failing if a Windows VM is enrolled twice. +- Fixed issue where Fleet server could start when an expired ABM certificate was provided as server config. +- Fixed self-service checkbox appearing when iOS or iPadOS app is selected. + ## Fleet 4.56.0 (Sep 7, 2024) ### Endpoint operations diff --git a/CODEOWNERS b/CODEOWNERS index 5f1c7e9bca1e..153161e7ee82 100644 --- a/CODEOWNERS +++ b/CODEOWNERS 
@@ -66,8 +66,8 @@ go.mod @fleetdm/go # # (see website/config/custom.js for DRIs of other paths not listed here) ############################################################################################## -/docs @rachaelshaw -/docs/REST\ API/rest-api.md @rachaelshaw # « REST API reference documentation +/docs @rachaelshaw @lukeheath +/docs/REST\ API/rest-api.md @rachaelshaw @lukeheath # « REST API reference documentation /docs/Contributing/API-for-contributors.md @lukeheath # « Advanced / contributors-only API reference documentation /schema @eashaw # « Data tables (osquery/fleetd schema) documentation /docs/Deploy/_kubernetes/ @dherder # « Kubernetes best practice diff --git a/articles/deploy-security-agents.md b/articles/deploy-security-agents.md deleted file mode 100644 index 20d6cd28abec..000000000000 --- a/articles/deploy-security-agents.md +++ /dev/null 
@@ -1,97 +0,0 @@ -# Deploy security agents - -![Deploy security agents](../website/assets/images/articles/deploy-security-agents-1600x900@2x.png) - -Fleet [v4.50.0](https://github.com/fleetdm/fleet/releases/tag/fleet-v4.50.0) introduced the ability to upload and deploy security agents to your hosts. Beyond a [bootstrap package](https://fleetdm.com/docs/using-fleet/mdm-macos-setup-experience#bootstrap-package) at enrollment, deploying security agents allows you to specify and verify device configuration using a pre-enrollment osquery query and customization of the install and post-install scripts, allowing for key and license deployment and configuration. This guide will walk you through the steps to upload, configure, and install a security agent to hosts in your fleet. - -## Prerequisites - -* Fleet [v4.50.0](https://github.com/fleetdm/fleet/releases/tag/fleet-v4.50.0). -* `fleetd` 1.25.0 deployed via MDM or built with the `--scripts-enabled` flag. -* An S3 bucket [configured](https://fleetdm.com/docs/configuration/fleet-server-configuration#s-3-software-installers-bucket) to store the installers. -* Increase any load balancer timeouts to at least 5 minutes for the following endpoints: - * [Add software](https://fleetdm.com/docs/rest-api/rest-api#add-software). - * [Batch-apply software](https://fleetdm.com/docs/rest-api/rest-api#add-software). - -## Step-by-step instructions - -### Access security agent installers - -To access and manage security agents in Fleet: - -* **Navigate to the Software page**: Click on the "Software" tab in the main navigation menu. -* **Select a team**: Click on the dropdown at the top left of the page. -* **Find your software**: using the filters on the top of the table, you can choose between: - * “Available for install” filters software that can be installed on your hosts. - * “Self-service” filters software that end users can install from Fleet Desktop. 
-* **Select security agent installer**: Click on a software package to view details and access additional actions for the agent installer. - -### Add a security agent to a team - -* **Navigate to the Software page**: Click on the "Software" tab in the main navigation menu. -* **Select a team**: Select a team or the "No team" team to add a security agent. - -> Security agents cannot be added to "All teams" - -* Click the “Add Software” button in the top right corner, and a modal will appear. -* Choose a file to upload. `.pkg`, `.msi`, `.exe`, or `.deb` files are supported. -* After selecting a file, a default install script will be pre-filled. If the security agent requires a custom installation process, this script can be edited. -* To allow users to install the software from Fleet Desktop, check the “Self-service” checkbox. -* To customize the conditions, click on “Advanced options”: - * **Pre-install condition**: A pre-install condition is a valid osquery SQL statement that will be evaluated on the host before installing the software. If provided, the installation will proceed only if the query returns any value. - * **Post-install script** A post-install script will run after the installation is complete, allowing you to configure the security agent right after installation. If this script returns a non-zero exit code, the installation will fail, and `fleetd` will attempt to uninstall the software. - -### Install a security agent on a host - -After an installer is added to a team, it can be installed on hosts via the UI. - -* **Navigate to the Hosts page**: Click on the "Hosts" tab in the main navigation menu. -* **Navigate to the Host details page**: Click the host you want to install the security agent. -* **Navigate to the Host software tab**: In the host details, search for the tab named “Software” -* **Find your security agent**: Use the search bar and filters to search for your security agent. 
-* **Install the security agent on the host**: In the leftmost row of the table, click on “Actions” > “Install.” -* **Track installation status**: by either - * Checking the “Install status” in the host software table. - * Navigate to the “Details” tab on the host details page and check the activity log. - -### Edit a security agent - -Security agent installers can’t be edited via the UI. To modify an installer, remove it from the UI and add a new one. - -### Remove a security agent from a team - -* **Navigate to the Software page**: Click on the "Software" tab in the main navigation menu. -* **Select a team**: Select a team or the "No team" team to add a security agent. -* **Find your software**: using the filters on the top of the table, you can choose between: - * “Available for install” filters software can be installed on your hosts. - * “Self-service” filters software that users can install from Fleet Desktop. -* **Select security agent installer**: Click on a software package to view details. -* **Remove security agent installer**: From the Actions menu, select "Delete." Click the "Delete" button on the modal. - -> Removing a security agent from a team will not uninstall the agent from the existing host(s). - -### Manage security agents with the REST API - -Fleet also provides a REST API for managing software programmatically. The API allows you to add, update, retrieve, list, and delete software. Detailed documentation on Fleet's [REST API is available](https://fleetdm.com/docs/rest-api/rest-api#software). - -### Manage security agents with GitOps - -Installers for security agents can be managed via `fleetctl` using [GitOps](https://fleetdm.com/docs/using-fleet/gitops). - -Please refer to the documentation specific to [managing software with GitOps](https://fleetdm.com/docs/using-fleet/gitops#software). For a real-world example, [see how we manage software at Fleet](https://github.com/fleetdm/fleet/tree/main/it-and-security/teams). 
- - -## Conclusion - -Deploying security agents with Fleet is straightforward and ensures your hosts are protected with the latest security measures. This guide has shown you how to access, add, and install security agents, as well as manage them using the REST API and `fleetctl`. Following these steps can effectively equip your fleet with the necessary security tools. - -See Fleet's [documentation](https://fleetdm.com/docs/using-fleet) and additional [guides](https://fleetdm.com/guides) for more details on advanced setups, software features, and vulnerability detection. - - - - - - - - - diff --git a/articles/deploy-software-packages.md b/articles/deploy-software-packages.md new file mode 100644 index 000000000000..92aa0901ccf1 --- /dev/null +++ b/articles/deploy-software-packages.md 
@@ -0,0 +1,177 @@ +# Deploy software packages + +![Deploy software](../website/assets/images/articles/deploy-security-agents-1600x900@2x.png) + +Fleet [v4.50.0](https://github.com/fleetdm/fleet/releases/tag/fleet-v4.50.0) introduced the ability to upload and deploy software to your hosts. Fleet [v4.57.0](https://github.com/fleetdm/fleet/releases/tag/fleet-v4.57.0) added the ability to include an uninstall script and edit software details. Beyond a [bootstrap package](https://fleetdm.com/docs/using-fleet/mdm-macos-setup-experience#bootstrap-package) at enrollment, deploying software allows you to specify and verify device configuration using a pre-install query and customization of the install, post-install, and uninstall scripts, allowing for key and license deployment and configuration. Admins can modify these options and settings after the initial upload. This guide will walk you through the steps to upload, configure, install, and uninstall a software package to hosts in your fleet. + +## Prerequisites + +* Fleet [v4.57.0](https://github.com/fleetdm/fleet/releases/tag/fleet-v4.57.0). + +* `fleetd` 1.25.0 deployed via MDM or built with the `--scripts-enabled` flag. + +> `fleetd` prior to 1.33.0 will use a hard-coded uninstall script to clean up from a failed install. As of 1.33.0, the (default or customized) uninstall script will be used to clean up failed installs. + +* An S3 bucket [configured](https://fleetdm.com/docs/configuration/fleet-server-configuration#s-3-software-installers-bucket) to store the installers. + +* Increase any load balancer timeouts to at least 5 minutes for the [Add software](https://fleetdm.com/docs/rest-api/rest-api#add-software) endpoint. + +## Step-by-step instructions + +### Access software packages + +To access and manage software in Fleet: + +* **Navigate to the Software page**: Click on the "Software" tab in the main navigation menu. + +* **Select a team**: Click on the dropdown at the top left of the page. 
+ +> Software packages are tied to a specific team. This allows you to, for example, test a newer release of an application within your IT team before rolling it out to the rest of your organization, or deploy the appropriate architecture-specific installer to both Intel and Apple Silicon Macs. + +* **Find your software**: using the filters on the top of the table, you can choose between: + + * “Available for install” filters software that can be installed on your hosts. + + * “Self-service” filters software that end users can install from Fleet Desktop. + +* **Select software package**: Click on a software package to view details and access additional actions for the software. + +### Add a software package to a team + +* **Navigate to the Software page**: Click on the "Software" tab in the main navigation menu. + +* **Select a team**: Select a team "No team" to add a software package. + +> Software cannot be added to "All teams." + +* Click the “Add Software” button in the top right corner, and a dialog will appear. + +* Choose a file to upload. `.pkg`, `.msi`, `.exe`, and `.deb` files are supported. + +> Software installer uploads will fail if Fleet is unable to extract information from the installer package such bundle ID and version number. + +* To allow users to install the software from Fleet Desktop, check the “Self-service” checkbox. + +* To customize installer behavior, click on “Advanced options.” + +> After the initial package upload, all options can be modified, including the self-service setting, pre-install query, scripts, and even the software package file. When replacing an installer package, the replacement package must be the same type and for the same software as the original package. + +#### Pre-install query + +A pre-install query is a valid osquery SQL statement that will be evaluated on the host before installing the software. If provided, the installation will proceed only if the query returns any value. 
+ +#### Install script + +After selecting a file, a default install script will be pre-filled. If the software package requires a custom installation process (for example, if [an EXE-based Windows installer requires custom handling](https://fleetdm.com/learn-more-about/exe-install-scripts)), this script can be edited. When the script is run, the `$INSTALLER_PATH` environment variable will be set by `fleetd` to where the installer is being run. + +#### Post-install script + +A post-install script will run after the installation, allowing you to, for example, configure the security agent right after installation. If this script returns a non-zero exit code, the installation will fail, and `fleetd` will attempt to uninstall the software. + +#### Uninstall script + +An uninstall script will run when an admin chooses to uninstall the software from the host on the host details page, or if an install fails for hosts running `fleetd` 1.33.0 or later. Like the install script, a default uninstall script will be pre-filled after selecting a file. This script can be edited if the software package requires a custom uninstallation process. + +In addition to the `$INSTALLER_PATH` environment variable supported by install scripts, you can use `$PACKAGE_ID` in uninstall scripts as a placeholder for the package IDs (for .pkg files), package name (for Linux installers), product code (for MSIs), or software name (for EXE installers). The Fleet server will substitute `$PACKAGE_ID` on upload. + +### Install a software package on a host + +After a software package is added to a team, it can be installed on hosts via the UI. + +* **Navigate to the Hosts page**: Click on the "Hosts" tab in the main navigation menu. + +* **Navigate to the Host details page**: Click the host you want to install the software package. 
+ +* **Navigate to the Host software tab**: In the host details, search for the tab named “Software.” + +* **Find your software package**: Use the dropdown to select software “Available for install” or use the search bar to search for your software package by name. + +* **Install the software package on the host**: In the rightmost column of the table, click on “Actions” > “Install.” Installation will happen automatically or when the host comes online. + +* **Track installation status**: by either + + * Checking the status column in the host software table. + + * Navigate to the “Details” tab on the host details page and check the activity log. + +### Edit a software package + +* **Navigate to the Software page**: Click on the "Software" tab in the main navigation menu. + +* **Select a team**: Select a team (or "No team") to switch to the team whose software you want to edit. + +* **Find your software**: using the filters on the top of the table, you can choose between: + + * “Available for install” filters software can be installed on your hosts. + + * “Self-service” filters software that users can install from Fleet Desktop. + +* **Select software package**: Click on a software package to view details. + +* **Edit software package**: From the Actions menu, select "Edit." + +> Editing the pre-install query, install script, post-install script, or uninstall script cancels all pending installations and uninstallations for that package, except for installs and uninstalls that are currently running on a host. If a new software package is uploaded, in addition to canceling pending installs and uninstalls, host counts (for installs and pending and failed installs and uninstalls) will be reset to zero, so counts reflect the currently uploaded version of the package. + +### Uninstall a software package on a host + +After a software package is installed on a host, it can be uninstalled on the host via the UI. 
+ +* **Navigate to the Hosts page**: Click on the "Hosts" tab in the main navigation menu. + +* **Navigate to the Host details page**: Click the host you want to uninstall the software package. + +* **Navigate to the Host software tab**: In the host details, search for the tab named “Software.” + +* **Find your software package**: Use the dropdown to select software “Available for install” or use the search bar to search for your software package by name. + +* **Uninstall the software package from the host**: In the rightmost column of the table, click on “Actions” > “Uninstall.” Uninstallation will happen automatically or when the host comes online. + +* **Track uninstallation status**: by either + + * Checking the status column in the host software table. + + * Navigate to the “Details” tab on the host details page and check the activity log. + +### Remove a software package from a team + +* **Navigate to the Software page**: Click on the "Software" tab in the main navigation menu. + +* **Select a team**: Select a team (or "No team") to switch to the team whose software you want to remove. + +* **Find your software**: using the filters on the top of the table, you can choose between: + + * “Available for install” filters software can be installed on your hosts. + + * “Self-service” filters software that users can install from Fleet Desktop. + +* **Select software package**: Click on a software package to view details. + +* **Remove software package**: From the Actions menu, select "Delete." Click the "Delete" button on the dialog. + +> Removing a software package from a team will cancel pending installs for hosts that are not in the middle of installing the software but will not uninstall the software from hosts where it is already installed. + +### Manage software with the REST API + +Fleet also provides a REST API for managing software programmatically. The API allows you to add, update, retrieve, list, and delete software. 
Detailed documentation on Fleet's [REST API is available]([https://fleetdm.com/docs/rest-api/rest-api#software](https://fleetdm.com/docs/rest-api/rest-api#software)), including endpoints for installing and uninstalling packages. + +### Manage software with GitOps + +Software packages can be managed via `fleetctl` using [GitOps](https://fleetdm.com/docs/using-fleet/gitops). + +Please refer to the documentation for [managing software with GitOps](https://fleetdm.com/docs/using-fleet/gitops#software), for a real-world example, [see how we manage software at Fleet](https://github.com/fleetdm/fleet/tree/main/it-and-security/teams). + +> When managing software installers via GitOps, the Fleet server receiving GitOps requests (**not** the machine running fleetctl as part of the GitOps workflow) will download installers from the specified URLs directly. + +## Conclusion + +Managing software with Fleet is straightforward and ensures your hosts are equipped with the latest tools. This guide has outlined how to access, add, edit, and remove software packages from a team, install and uninstall from specific hosts, and use the REST API and `fleetctl` to manage software packages. By following these steps, you can effectively maintain software packages across your fleet. + +For more information on advanced setups and features, explore Fleet’s [documentation](https://fleetdm.com/docs/using-fleet) and additional [guides](https://fleetdm.com/guides). + + + + + + + + diff --git a/articles/enable-okta-verify-on-macOS-with-configuration-profile.md b/articles/enable-okta-verify-on-macOS-with-configuration-profile.md new file mode 100644 index 000000000000..19bd9c5c9ef4 --- /dev/null +++ b/articles/enable-okta-verify-on-macOS-with-configuration-profile.md 
@@ -0,0 +1,130 @@ +# Enable Okta Verify on macOS using configuration profile + +## Introduction + +This guide will show you how to install [Okta Verify](https://help.okta.com/en-us/content/topics/mobile/okta-verify-overview.htm) on your macOS hosts and set them as managed by issuing a SCEP certificate via a configuration profile [managed through Fleet](https://fleetdm.com/guides/custom-os-settings). + +By following these steps, you can automate the deployment of Okta Verify across your devices. This will allow you to enforce multifactor authentication policies, improve device security, and manage user access seamlessly. + +## Prerequisites + +* MDM enabled and configured + +## Step-by-Step Instructions + +### **Step 1: Install Okta Verify on your hosts** + +Okta Verify can be installed: + +* As a Volume Purchasing Program (VPP) application, follow [these steps to install VPP apps](https://fleetdm.com/guides/install-vpp-apps-on-macos-using-fleet). +* As a *.pkg *file download the [installer from Okta](https://help.okta.com/oie/en-us/content/topics/identity-engine/devices/ov-install-options-macos.htm) and [deploy the installer using Fleet](https://fleetdm.com/guides/deploy-security-agents). + +After installing Okta Verify on the host, the device will be registered in Okta. + +### **Step 2: Issue a SCEP certificate for management attestation** + +The next step to ensure Okta detects the device as managed is to issue a SCEP certificate. + +* Follow the instructions on the Okta documentation to [configure a certificate authority](https://help.okta.com/oie/en-us/content/topics/identity-engine/devices/configure-ca-main.htm) using a **static** SCEP challenge. +* In your text editor, copy and paste the following configuration profile and edit the relevant values: + * `[REPLACE_WITH_CHALLENGE] `with the SCEP challenge you generated in the previous step. + * `[REPLACE_WITH_URL]`with the URL to your SCEP server. + * Adjust the `CN `value according to your organization's needs. 
You can use any of the [profile variables](https://support.apple.com/en-my/guide/deployment/dep04666af94/1/web/1.0) to uniquely identify your device. In the example `%ComputerName%` `managementAttestation` `%HardwareUUID%,` the certificate Common Name (CN) will contain both the computer name and the hardware UUID. + +```xml + + + + + + PayloadVersion + 1 + PayloadType + Configuration + PayloadIdentifier + Ignored + PayloadUUID + Ignored + PayloadDisplayName + SCEP device attestation + PayloadContent + + + PayloadContent + + Key Type + RSA + Challenge + [REPLACE_WITH_CHALLENGE] + Key Usage + 1 + Keysize + 2048 + URL + [REPLACE_WITH_URL] + AllowAllAppsAccess + + KeyIsExtractable + + Subject + + + + O + Fleet + + + + + CN + %ComputerName% managementAttestation %HardwareUUID% + + + + + PayloadIdentifier + com.apple.security.scep.C2D94E67-4F1A-4A3C-8142-7523A8D35713 + PayloadType + com.apple.security.scep + PayloadUUID + 632289FA-C3E0-481A-A417-BF40012FB729 + PayloadVersion + 1 + + + + + +``` + +* Enforce the configuration profile on your hosts. You can follow [this guide on enforcing custom OS settings in Fleet](https://fleetdm.com/guides/custom-os-settings). 
+* You can optionally verify the issued certificate by opening Keychain Access on the device or by running a [live query](https://fleetdm.com/guides/get-current-telemetry-from-your-devices-with-live-queries): + +```sql +SELECT * FROM certificates where common_name like '%managementAttestation%'; +``` + +### **Step 3: Configure device management in Okta** + +With Okta Verify installed and an attestation certificate in place, all left is to configure Okta and the device for device management, useful links from the Okta documentation are: + +* [Managed devices](https://help.okta.com/oie/en-us/content/topics/identity-engine/devices/managed-main.htm) +* [Enable and configure Okta Verify](https://help.okta.com/en-us/content/topics/mobile/okta-verify-overview.htm) + +Make sure the device is properly set up in Okta and that the user has used Okta FastPass at least once to see it as managed on the Okta dashboard. + +## Conclusion + +This guide covered how to install Okta Verify on your macOS hosts, issue a SCEP certificate for management attestation, and configure device management in Okta. By automating this process through Fleet, you can enforce multi-factor authentication, improve device security, and ensure that devices accessing your organization’s resources are properly managed. + +For more detailed information on managing devices and using Okta Verify, explore the Okta documentation and Fleet’s guides to optimize your device management strategy further. + +See Fleet's [documentation](https://fleetdm.com/docs/using-fleet) and additional [guides](https://fleetdm.com/guides) for more details on advanced setups, software features, and vulnerability detection. + + + + + + + + diff --git a/articles/enforce-os-updates.md b/articles/enforce-os-updates.md index 3db4862a8768..de3fdbc83de3 100644 --- a/articles/enforce-os-updates.md +++ b/articles/enforce-os-updates.md 
@@ -2,7 +2,7 @@ _Available in Fleet Premium_ -In Fleet you can enforce OS updates on your macOS, Windows, iOS, and iPadOS hosts remotely using the Fleet UI, Fleet API, or [Fleet's GitOps workflow](https://github.com/fleetdm/fleet-gitops). +In Fleet, you can enforce OS updates on your macOS, Windows, iOS, and iPadOS hosts remotely using the Fleet UI, Fleet API, or [Fleet's GitOps workflow](https://github.com/fleetdm/fleet-gitops). Fleet UI: 
@@ -18,30 +18,22 @@ Fleet API: API documentation is [here](https://fleetdm.com/docs/rest-api/rest-ap ### macOS -When a minimum version is enforced, the end users see a native macOS notification (DDM) once per day. Users can choose to update ahead of the deadline or schedule it for that night. 24 hours before the deadline, the notification appears hourly and ignores Do Not Disturb. One hour before the deadline, the notification appears every 30 minutes, and then every 10 minutes. +When a minimum version is enforced, the end users see a native macOS notification (DDM) once per day. Users can choose to update ahead of the deadline or schedule it for that night. 24 hours before the deadline, the notification appears hourly and ignores Do Not Disturb. One hour before the deadline, the notification appears every 30 minutes and then every 10 minutes. If the host was turned off when the deadline passed, the update will be scheduled an hour after it’s turned on. -For macOS devices that use Automated Device Enrollment (ADE), if the device is below the specified -minimum version, it will be required to update to the very latest OS version during ADE before -device setup and enrollment can proceed. +For macOS devices that use Automated Device Enrollment (ADE), if the device is below the specified minimum version, it will be required to update to the latest [available version](#available-macos-ios-and-ipados-versions) during ADE before device setup and enrollment can proceed. -### macOS (below version 14.0) - -End users are encouraged to update macOS (via [Nudge](https://github.com/macadmins/nudge)). +### iOS and iPadOS -![Nudge window](https://raw.githubusercontent.com/fleetdm/fleet/main/docs/images/nudge-window.png) +End users will see a notification in their Notification Center after the deadline when a minimum version is enforced. They can’t use their iPhone or iPad until the OS update is installed. 
-| | > 1 day before deadline | < 1 day before deadline | Past deadline | -| ------------------------------------ | ----------------------- | ----------------------- | --------------------- | -| Nudge window frequency | Once a day at 8pm GMT | Once every 2 hours | Immediately on login | -| End user can defer | ✅ | ✅ | ❌ | -| Nudge window is dismissible | ✅ | ✅ | ❌ | +For iOS and iPadOS devices that use Automated Device Enrollment (ADE), if the device is below the specified +minimum version, it will be required to update to the latest [available version](#available-macos-ios-and-ipados-versions) during ADE before device setup and enrollment can proceed. -### iOS and iPadOS (version 17.0 and above) +### Available macOS, iOS, and iPadOS versions -For iOS and iPadOS devices that use Automated Device Enrollment (ADE), if the device is below the specified -minimum version, it will be required to update to the very latest OS version during ADE before device setup and enrollment can proceed. +The Apple Software Lookup Service (available at [https://gdmf.apple.com/v2/pmv](https://gdmf.apple.com/v2/pmv)) is the official resource for obtaining a list of publicly available updates, upgrades, and Rapid Security Responses. Make sure to use versions available in GDMF; otherwise, the update will not be scheduled. ### Windows 
@@ -55,9 +47,17 @@ If an end user was on vacation when the deadline passed, the end user is given a Fleet enforces OS updates for quality and feature updates. Read more about the types of Windows OS updates in the Microsoft documentation [here](https://learn.microsoft.com/en-us/windows/deployment/update/get-started-updates-channels-tools#types-of-updates). -### iOS and iPadOS +### macOS (below version 14.0) + +End users are encouraged to update macOS (via [Nudge](https://github.com/macadmins/nudge)). + +![Nudge window](https://raw.githubusercontent.com/fleetdm/fleet/main/docs/images/nudge-window.png) -When a minimum version is enforced, end users will see a notification in their Notification Center after the deadline. They can’t use their iPhone or iPad until the OS update is installed. +| | > 1 day before deadline | < 1 day before deadline | Past deadline | +| ------------------------------------ | ----------------------- | ----------------------- | --------------------- | +| Nudge window frequency | Once a day at 8pm GMT | Once every 2 hours | Immediately on login | +| End user can defer | ✅ | ✅ | ❌ | +| Nudge window is dismissible | ✅ | ✅ | ❌ | diff --git a/articles/enroll-byod-ios-ipados-hosts.md b/articles/enroll-byod-ios-ipados-hosts.md new file mode 100644 index 000000000000..31c070b2d5e7 --- /dev/null +++ b/articles/enroll-byod-ios-ipados-hosts.md 
@@ -0,0 +1,42 @@ +# Enroll BYOD iOS/iPadOS hosts + +This guide will walk you through the process of inviting BYOD (Bring Your Own Device) iPhones and iPads to enroll in Fleet. + +By enrolling BYOD iPhones and iPads in Fleet, IT admins can manage software installations, enforce settings, and ensure devices comply with company policies. By adding BYOD devices, you can monitor, enforce settings, and manage security on BYOD iPhones and iPads in real-time, providing enhanced control without compromising user autonomy. This helps secure access to organizational resources while maintaining control over device configurations. + +## Prerequisites + +* Fleet [v4.57.0](https://github.com/fleetdm/fleet/releases/tag/fleet-v4.57.0). +* [MDM enabled and configured](https://fleetdm.com/guides/macos-mdm-setup) + +## Enrolling BYOD iPad/iOS devices in Fleet + +* **Step 1: Navigate to the manage hosts page** + * Click “Hosts” in the top navigation bar +* **Step 2: Choose the team** + * Select the desired [team](https://fleetdm.com/guides/teams) from the menu at the top of the screen +* **Step 3: Get a link to share with your end users** + * Click on “Add hosts.” + * In the modal, select the **iOS & iPadOS** tab. + * Copy the link to enroll hosts. +* **Step 4: Distribute the link** + * Share the link with your end users using an introductory email or message. + * The link provides instructions to guide users through downloading and installing Fleet’s enrollment profile. + +> Each team has a unique URL that includes the team's enrollment secret. This enrollment secret ensures that devices are assigned to the correct team during enrollment. When an incorrect enroll secret is provided, users can still download the enrollment profile, but the enrollment itself will fail (403 error). + +## Conclusion + +This guide covered how to invite and enroll BYOD iPhones and iPads into Fleet. 
This allows IT admins to manage software, enforce settings, and ensure compliance with organizational policies. Streamlining the enrollment process will enable you to secure access to company resources while maintaining control over end-user devices. + +For more information on device management and other features, explore Fleet’s documentation and guides to optimize your setup and keep your devices fully secure. + +See Fleet's [documentation](https://fleetdm.com/docs/using-fleet) and additional [guides](https://fleetdm.com/guides) for more details on advanced setups, software features, and vulnerability detection. + + + + + + + + diff --git a/articles/fleet-4.57.0.md b/articles/fleet-4.57.0.md new file mode 100644 index 000000000000..4c9f959f9a44 --- /dev/null +++ b/articles/fleet-4.57.0.md 
@@ -0,0 +1,97 @@ +# Fleet 4.57.0 | Software improvements, policy automation, GitLab support. + +![Fleet 4.57.0](../website/assets/images/articles/fleet-4.57.0-1600x900@2x.png) + +Fleet 4.57.0 is live. Check out the full [changelog](https://github.com/fleetdm/fleet/releases/tag/fleet-v4.57.0) or continue reading to get the highlights. +For upgrade instructions, see our [upgrade guide](https://fleetdm.com/docs/deploying/upgrading-fleet) in the Fleet docs. + +## Highlights +* Software improvements +* Policy automation: install software +* iPhone/iPad BYOD +* GitLab pipelines for GitOps + +### Software improvements + +Fleet allows admins to edit software items directly, offering greater control over software management across hosts. This feature allows IT teams to modify details such as software names or versions, ensuring the software inventory remains accurate and aligned with organizational needs. Additionally, Fleet has introduced the option to uninstall software from hosts, simplifying the removal of unwanted or outdated applications. + +For most cases, Fleet handles the uninstall process automatically, with the uninstall script conveniently located under “Advanced options.” However, Fleet stands out by allowing administrators to view and tweak the script if needed. This flexibility is beneficial when a host is in a unique state or the automatic uninstall process encounters issues. Fleet strives to provide full transparency into what’s under the hood, enabling IT teams to make necessary adjustments for specific scenarios. These updates enhance the efficiency of software management while maintaining flexibility, reflecting Fleet’s commitment to providing user-centric and adaptable solutions. + +### Policy automation: install software + +Admins can automatically trigger software installations when a policy fails, adding a proactive approach to maintaining compliance and security. 
This feature is handy when a device is found to have a vulnerable version of software installed. If a policy detects this vulnerability, Fleet can automatically install a secure, updated version of the software to remediate the issue and bring the host back into compliance. This automation helps IT teams address vulnerabilities quickly and efficiently, without manual intervention, ensuring that devices across the fleet remain secure and up-to-date. It highlights Fleet’s commitment to streamlining device management and enhancing security through automation. + +### iPhone/iPad BYOD + +Fleet now supports Bring Your Own Device (BYOD) enrollment for iPhone (iOS) and iPad (iPadOS) devices, providing organizations with a more flexible approach to managing employee-owned devices. This feature allows employees to enroll personal iPhones and iPads into Fleet’s Mobile Device Management (MDM) system, enabling IT teams to enforce security policies, manage configurations, and ensure compliance without needing complete control over the entire device. With BYOD enrollment, companies can balance security and privacy, seamlessly managing work-related configurations on personal devices while respecting the end user’s control over their personal data. This update enhances Fleet’s capabilities for managing various devices and supports organizations with modern, flexible workforce environments. + +### GitLab pipelines for GitOps + +Fleet now supports GitLab pipelines for its [GitOps integration](https://github.com/fleetdm/fleet-gitops), expanding the flexibility of how organizations manage their device configurations and policies through version control. With GitLab pipelines, IT teams can automate the deployment and management of Fleet configurations directly from their GitLab repositories, streamlining workflows and ensuring that changes are tracked, tested, and deployed consistently across their fleet. 
This integration enhances the automation and reliability of device management, enabling teams to adopt a more scalable and auditable approach to managing their Fleet environment. By supporting both GitLab and existing CI/CD tools, Fleet continues to empower organizations to implement modern, efficient workflows for managing configurations and policies. + +## Changes + +**NOTE:** Beginning with Fleet v4.55.0, Fleet no longer supports MySQL 5.7 because it has reached [end of life](https://mattermost.com/blog/mysql-5-7-reached-eol-upgrade-to-mysql-8-x-today/#:~:text=In%20October%202023%2C%20MySQL%205.7,to%20upgrade%20to%20MySQL%208.). The minimum version supported is MySQL 8.0.36. + +**Endpoint Operations** + +- Added support for configuring policy installers via GitOps. +- Added support for policies in "No team" that run on hosts that belong to "No team". +- Added reserved team names: "All teams" and "No team". +- Added support the software status filter for 'No teams' on the hosts page. +- Enable 'No teams' funcitonality for the policies page and associated workflows. +- Added reset install counts and cancel pending installs/uninstalls when GitOps installer updates change package contents. +- Added support for software installer packages, self-service flag, scripts, pre-install query, and self-service availability to be edited in-place rather than deleted and re-added. + +**Device Management (MDM)** + +- Added feature allowing automatic installation of software on hosts that fail policies. +- Added feature for end users to enroll BYOD devices into Fleet MDM. +- Added the ability to use Fleet to uninstall packages from hosts. +- Added an endpoint for getting an OTA MDM profile for enrolling iOS and iPadOS hosts. +- Added protocol support for OTA enrollment and automatic team assignment for hosts. +- Added validation of Setup Assistant profiles on profile upload. +- Added validation to prevent installing software on a host with a pending installation. 
+- Allowed custom SCEP CA certificates with any kind of extendedKeyUsage attributes. +- Modified `POST /api/latest/fleet/software/batch` endpoint to be asynchronous and added a new endpoint `GET /api/latest/fleet/software/batch/{request_uuid}` to retrieve the result of the batch upload. + +**Vulnerability Management** + +- Fixed a false negative vulnerability for git. +- Fixed false positive vulnerabilities for minio. +- Fixed an issue where virtual box for macOS wasn't matching against the NVD product name. +- Fixed Ubuntu python package false positive vulnerabilities by removing duplicate entries for ubuntu python packages installed by dpkg and renaming remaining pip installed packages to match OVAL definitions. + +**Bug fixes and improvements** + +- Updated Go to go1.23.1. +- Removed validation of APNS certificate from server startup. +- Removed invalid node keys from server logs. +- Improved the UX of turning off MDM on an offline host. +- Improved clarity of GitOps VPP app ID type errors. +- Improved gitops error message about enabling windows MDM. +- Improved messaging for VPP token constraint errors. +- Improved loading state for UI tables when no data is present yet. +- Improved permissions so that hosts can no longer access installers that aren't directly assigned to them. +- Improved verification of premium license before uploading VPP tokens. +- Added "0 items" description on empty software tables for UI consistency. +- Updated the macos target minimum version tooltip. +- Fixed logic to properly catch and log APNs errors. +- Fixed UI overflow issues with OS settings table data. +- Fixed regression for checking email used to get a signed CSR. +- Fixed bugs on enrollment profiles when the organization name contains invalid XML characters. +- Fixed an issue with cron profiles delivery failing if a Windows VM is enrolled twice. +- Fixed issue where Fleet server could start when an expired ABM certificate was provided as server config. 
+- Fixed self-service checkbox appearing when iOS or iPadOS app is selected. + + +## Ready to upgrade? + +Visit our [Upgrade guide](https://fleetdm.com/docs/deploying/upgrading-fleet) in the Fleet docs for instructions on updating to Fleet 4.57.0. + + + + + + + diff --git a/articles/role-based-access.md b/articles/role-based-access.md index 95fc712c5252..fcdae9a8d421 100644 --- a/articles/role-based-access.md +++ b/articles/role-based-access.md @@ -79,9 +79,10 @@ GitOps is an API-only and write-only role that can be used on CI/CD pipelines. | Edit agent options for hosts assigned to teams\* | | | | ✅ | ✅ | | Initiate [file carving](https://fleetdm.com/docs/using-fleet/rest-api#file-carving) | | | ✅ | ✅ | | | Retrieve contents from file carving | | | | ✅ | | -| View Apple mobile device management (MDM) certificate information | | | | ✅ | | -| View Apple business manager (BM) information | | | | ✅ | | -| Generate Apple mobile device management (MDM) certificate signing request (CSR) | | | | ✅ | | +| Create Apple Push Certificates service (APNs) certificate signing request (CSR) | | | | ✅ | | +| View, edit, and delete APNs certificate | | | | ✅ | | +| View, edit, and delete Apple Business Manager (ABM) connections | | | | ✅ | | +| View, edit, and delete Volume Purchasing Program (VPP) connections | | | | ✅ | | | View disk encryption key for macOS and Windows hosts | ✅ | ✅ | ✅ | ✅ | | | Edit OS updates for macOS, Windows, iOS, and iPadOS hosts | | | ✅ | ✅ | ✅ | | Create, edit, resend and delete configuration profiles for macOS and Windows hosts | | | ✅ | ✅ | ✅ | diff --git a/changes/17558-validation-errs b/changes/17558-validation-errs deleted file mode 100644 index 115c9bf14e03..000000000000 --- a/changes/17558-validation-errs +++ /dev/null @@ -1,2 +0,0 @@ -- Adds validation of Setup Assistant profiles on profile upload, giving users immediate feedback on -the validity of the profile. \ No newline at end of file 
diff --git a/changes/18897-shoe-zeroes b/changes/18897-shoe-zeroes deleted file mode 100644 index 7faddd522dd6..000000000000 --- a/changes/18897-shoe-zeroes +++ /dev/null @@ -1 +0,0 @@ -Added "0 items" description on empty software tables for UI consistency diff --git a/changes/19442-ubuntu-python-packages b/changes/19442-ubuntu-python-packages deleted file mode 100644 index 0be7e95616a1..000000000000 --- a/changes/19442-ubuntu-python-packages +++ /dev/null @@ -1 +0,0 @@ -- Addressing Ubuntu python package false positive vulnerabilities by removing duplicate entries for ubuntu python packages installed by dpkg and renaming remaining pip installed packages to match OVAL definitions. \ No newline at end of file diff --git a/changes/19551-policy-software-automations b/changes/19551-policy-software-automations deleted file mode 100644 index 4b88cb4c1fba..000000000000 --- a/changes/19551-policy-software-automations +++ /dev/null @@ -1 +0,0 @@ -* Implement features allowing automatic installation of software on hosts that fail policies. diff --git a/changes/19808-prof b/changes/19808-prof deleted file mode 100644 index 71d19f8c4bc3..000000000000 --- a/changes/19808-prof +++ /dev/null @@ -1 +0,0 @@ -* Fixed bugs on enrollment profiles when the organization name contains invalid XML characters. diff --git a/changes/20320-uninstall-packages b/changes/20320-uninstall-packages deleted file mode 100644 index 89ab8928419c..000000000000 --- a/changes/20320-uninstall-packages +++ /dev/null @@ -1 +0,0 @@ -* Implement the ability to use Fleet to uninstall packages from hosts. \ No newline at end of file diff --git a/changes/20404-edit-software b/changes/20404-edit-software deleted file mode 100644 index ec65b392b41a..000000000000 --- a/changes/20404-edit-software +++ /dev/null @@ -1 +0,0 @@ -* Software installer packages, self-service flag, scripts, pre-install query, and self-service availability can now be edited in-place rather than needing to be deleted and re-added. 
diff --git a/changes/20535-sw-table-loading b/changes/20535-sw-table-loading deleted file mode 100644 index d144ce782cce..000000000000 --- a/changes/20535-sw-table-loading +++ /dev/null @@ -1 +0,0 @@ -* Improve loading state for DataTables when no data is present yet \ No newline at end of file diff --git a/changes/20757-profiles-batch-activity b/changes/20757-profiles-batch-activity deleted file mode 100644 index 6b110b87c768..000000000000 --- a/changes/20757-profiles-batch-activity +++ /dev/null @@ -1 +0,0 @@ -API endpoint `/api/v1/fleet/mdm/profiles/batch` will now not log an activity for profile types that did not change in the database (Apple configuration profiles, Windows configuration profiles, or Apple declarations). diff --git a/changes/20764-fix-cron-with-duplicate-host-uuid-windows-mdm b/changes/20764-fix-cron-with-duplicate-host-uuid-windows-mdm deleted file mode 100644 index df19c08bc84b..000000000000 --- a/changes/20764-fix-cron-with-duplicate-host-uuid-windows-mdm +++ /dev/null @@ -1 +0,0 @@ -* Fixed an issue where cron profiles delivery fails if a Windows VM is enrolled twice with the same `host_uuid` / `mdm_device_id`. diff --git a/changes/20828-better-appid-error b/changes/20828-better-appid-error deleted file mode 100644 index 540c8fcbfa28..000000000000 --- a/changes/20828-better-appid-error +++ /dev/null @@ -1 +0,0 @@ -- Improve clarity of gitops VPP app ID type errors diff --git a/changes/20846-vuln-virtual-box b/changes/20846-vuln-virtual-box deleted file mode 100644 index 225dd0be2274..000000000000 --- a/changes/20846-vuln-virtual-box +++ /dev/null @@ -1 +0,0 @@ -- resolved an issue where virtual box for macOS wasn't matching against the vm_virtualbox NVD product name \ No newline at end of file diff --git a/changes/20868-turn-off-mdm b/changes/20868-turn-off-mdm deleted file mode 100644 index bfcd35d3150b..000000000000 --- a/changes/20868-turn-off-mdm +++ /dev/null 
@@ -1 +0,0 @@ -- Improves the UX of turning off MDM on an offline host (endpoint doesn't error anymore) \ No newline at end of file diff --git a/changes/20895-policy-software-install-gitops b/changes/20895-policy-software-install-gitops deleted file mode 100644 index 774f6a4bfe35..000000000000 --- a/changes/20895-policy-software-install-gitops +++ /dev/null @@ -1 +0,0 @@ -* Added support for configuring policy installers via GitOps. diff --git a/changes/21019-ota-enrollment b/changes/21019-ota-enrollment deleted file mode 100644 index b43db060a77f..000000000000 --- a/changes/21019-ota-enrollment +++ /dev/null @@ -1 +0,0 @@ -* Implement protocol support for OTA enrollment and automatic team assignment for hosts. diff --git a/changes/21264-fix-reserved-team-names b/changes/21264-fix-reserved-team-names deleted file mode 100644 index 6363b8186977..000000000000 --- a/changes/21264-fix-reserved-team-names +++ /dev/null @@ -1,2 +0,0 @@ -- Prevents teams with the name "All teams" or "No team" from being created (these are reserved team - names in Fleet). \ No newline at end of file diff --git a/changes/21315-vpp-premium-license b/changes/21315-vpp-premium-license deleted file mode 100644 index 2fd081703e47..000000000000 --- a/changes/21315-vpp-premium-license +++ /dev/null @@ -1 +0,0 @@ -- Verify user has premium license before uploading VPP tokens diff --git a/changes/21402-improve-windows-mdm-enabled-error-message b/changes/21402-improve-windows-mdm-enabled-error-message deleted file mode 100644 index 36dc6082f6e3..000000000000 --- a/changes/21402-improve-windows-mdm-enabled-error-message +++ /dev/null @@ -1 +0,0 @@ -- Improve gitops error message about enabling windows MDM diff --git a/changes/21404-minio-false-positive b/changes/21404-minio-false-positive deleted file mode 100644 index 57b4245e45d2..000000000000 --- a/changes/21404-minio-false-positive +++ /dev/null 
@@ -1 +0,0 @@ -- resolved issue where minio was reporting false positive vulnerabilities due to a mismatch in version strings \ No newline at end of file diff --git a/changes/21412-remove-node-key-from-server-logs b/changes/21412-remove-node-key-from-server-logs deleted file mode 100644 index c6555bd5bc99..000000000000 --- a/changes/21412-remove-node-key-from-server-logs +++ /dev/null @@ -1 +0,0 @@ -* Removed invalid node keys from server logs. diff --git a/changes/21428-policy-automatic-install-software b/changes/21428-policy-automatic-install-software deleted file mode 100644 index e61dc2a9eadc..000000000000 --- a/changes/21428-policy-automatic-install-software +++ /dev/null @@ -1 +0,0 @@ -* Added automatic installation of software packages using policy automations. diff --git a/changes/21428-prevent-install-when-already-pending b/changes/21428-prevent-install-when-already-pending deleted file mode 100644 index d01006d6f91d..000000000000 --- a/changes/21428-prevent-install-when-already-pending +++ /dev/null @@ -1 +0,0 @@ -* Added validation to `POST /api/_version_/fleet/hosts/{host_id}/software/install/{software_title_id}` to prevent installing on a host that already has a pending installation for that software title. diff --git a/changes/21462-host-vulnerability-filter b/changes/21462-host-vulnerability-filter deleted file mode 100644 index e55fb8c8363b..000000000000 --- a/changes/21462-host-vulnerability-filter +++ /dev/null @@ -1 +0,0 @@ -- fixed issue where the vulnerability filter was returning software not vulnerable for the currently selected host \ No newline at end of file diff --git a/changes/21467-policies-for-no-team b/changes/21467-policies-for-no-team deleted file mode 100644 index 4613cd39edaf..000000000000 --- a/changes/21467-policies-for-no-team +++ /dev/null @@ -1 +0,0 @@ -* Added support for policies in "No team" that run on hosts that belong to "No team". 
diff --git a/changes/21468-no-teams-policies b/changes/21468-no-teams-policies deleted file mode 100644 index d11adda1b8c8..000000000000 --- a/changes/21468-no-teams-policies +++ /dev/null @@ -1 +0,0 @@ -* Enable 'No teams' funcitonality for the policies page and associated workflows. \ No newline at end of file diff --git a/changes/21557-ota-profile-endpoint b/changes/21557-ota-profile-endpoint deleted file mode 100644 index 4acf2bbcf5e9..000000000000 --- a/changes/21557-ota-profile-endpoint +++ /dev/null @@ -1 +0,0 @@ -- Adds an endpoint for getting an OTA MDM profile for enrolling iOS and iPadOS hosts. \ No newline at end of file diff --git a/changes/21559-add-end-user-enrolment-page b/changes/21559-add-end-user-enrolment-page deleted file mode 100644 index 427f1c5beb06..000000000000 --- a/changes/21559-add-end-user-enrolment-page +++ /dev/null @@ -1 +0,0 @@ -- add feature for end users to enroll their device into fleet mdm diff --git a/changes/21612-edit-software-gitops b/changes/21612-edit-software-gitops deleted file mode 100644 index 9a157286d49b..000000000000 --- a/changes/21612-edit-software-gitops +++ /dev/null @@ -1 +0,0 @@ -* Reset install counts and cancel pending installs/uninstalls when GitOps installer updates change package contents diff --git a/changes/21683-apns-cert-validation-on-start b/changes/21683-apns-cert-validation-on-start deleted file mode 100644 index 9f1714359931..000000000000 --- a/changes/21683-apns-cert-validation-on-start +++ /dev/null @@ -1,2 +0,0 @@ -- Removed validation of APNS certificate from server startup. This was no longer necessary because - we now allow for APNS certificates to be renewed in the UI. diff --git a/changes/21779-git-false-negative b/changes/21779-git-false-negative deleted file mode 100644 index 080dfe1a4ea7..000000000000 --- a/changes/21779-git-false-negative +++ /dev/null @@ -1 +0,0 @@ -- fixed a false negative vulnerability for git \ No newline at end of file 
diff --git a/changes/21813-email-err b/changes/21813-email-err deleted file mode 100644 index a9d25ecc2195..000000000000 --- a/changes/21813-email-err +++ /dev/null @@ -1,2 +0,0 @@ -- Fixed regression: we now check if the email used to get a signed CSR is invalid (i.e. is an email - from a free email provider). \ No newline at end of file diff --git a/changes/21866-startup-expired-abm-cert b/changes/21866-startup-expired-abm-cert deleted file mode 100644 index f9e74bb6413c..000000000000 --- a/changes/21866-startup-expired-abm-cert +++ /dev/null @@ -1,2 +0,0 @@ -- Fixed issue where Fleet server could start when expired ABM cerfificate was provided as server - config options. diff --git a/changes/21890-vpp-token-error b/changes/21890-vpp-token-error deleted file mode 100644 index da03734ecabd..000000000000 --- a/changes/21890-vpp-token-error +++ /dev/null @@ -1 +0,0 @@ -- Improve messaging for VPP token constraint errors diff --git a/changes/21976-update-macos-target-version-tooltip b/changes/21976-update-macos-target-version-tooltip deleted file mode 100644 index 5ae1a5ffdf3b..000000000000 --- a/changes/21976-update-macos-target-version-tooltip +++ /dev/null @@ -1 +0,0 @@ -- update the macos target minimum version tooltip diff --git a/changes/22069-gitops-async-software-batch b/changes/22069-gitops-async-software-batch deleted file mode 100644 index 35f0652fe209..000000000000 --- a/changes/22069-gitops-async-software-batch +++ /dev/null @@ -1 +0,0 @@ -* Modified `POST /api/latest/fleet/software/batch` endpoint to be asynchronous and added a new endpoint `GET /api/latest/fleet/software/batch/{request_uuid}` to retrieve the result of the batch upload. diff --git a/changes/22136-software-status-no-teams-hosts-page b/changes/22136-software-status-no-teams-hosts-page deleted file mode 100644 index 6ede2684710d..000000000000 --- a/changes/22136-software-status-no-teams-hosts-page +++ /dev/null 
@@ -1 +0,0 @@ -* Support the software status filter for 'No teams' on the hosts page \ No newline at end of file diff --git a/changes/22158-scep b/changes/22158-scep deleted file mode 100644 index ab7557468018..000000000000 --- a/changes/22158-scep +++ /dev/null @@ -1 +0,0 @@ -* Allow custom SCEP CA certificates with any kind of extendedKeyUsage attributes. diff --git a/changes/7476-fix-ui-overflow-os-settings-table b/changes/7476-fix-ui-overflow-os-settings-table deleted file mode 100644 index 6c95925de8f5..000000000000 --- a/changes/7476-fix-ui-overflow-os-settings-table +++ /dev/null @@ -1 +0,0 @@ -- fixes UI overflow issues with OS settings table data diff --git a/changes/apns-errors b/changes/apns-errors deleted file mode 100644 index 6de48617a1c1..000000000000 --- a/changes/apns-errors +++ /dev/null @@ -1 +0,0 @@ -* Fixed logic to properly catch and log APNs errors. diff --git a/changes/hosts-can-access-any-software b/changes/hosts-can-access-any-software deleted file mode 100644 index 0fbcae035acd..000000000000 --- a/changes/hosts-can-access-any-software +++ /dev/null @@ -1 +0,0 @@ -- Hosts can no longer access installers that aren't directly assigned to it diff --git a/changes/update-go1.23.1 b/changes/update-go1.23.1 deleted file mode 100644 index 22a59cdc400b..000000000000 --- a/changes/update-go1.23.1 +++ /dev/null @@ -1 +0,0 @@ -* Updated Go to go1.23.1 diff --git a/charts/fleet/Chart.yaml b/charts/fleet/Chart.yaml index adc22108c2d0..c23438bf22aa 100644 --- a/charts/fleet/Chart.yaml +++ b/charts/fleet/Chart.yaml @@ -8,7 +8,7 @@ version: v6.2.0 home: https://github.com/fleetdm/fleet sources: - https://github.com/fleetdm/fleet.git -appVersion: v4.56.0 +appVersion: v4.57.0 dependencies: - name: mysql condition: mysql.enabled diff --git a/charts/fleet/values.yaml b/charts/fleet/values.yaml index 040a539a8376..03539df9da98 100644 --- a/charts/fleet/values.yaml +++ b/charts/fleet/values.yaml 
@@ -3,7 +3,7 @@ hostName: fleet.localhost replicas: 3 # The number of Fleet instances to deploy imageRepository: fleetdm/fleet -imageTag: v4.56.0 # Version of Fleet to deploy +imageTag: v4.57.0 # Version of Fleet to deploy podAnnotations: {} # Additional annotations to add to the Fleet pod serviceAccountAnnotations: {} # Additional annotations to add to the Fleet service account resources: diff --git a/docs/Configuration/yaml-files.md b/docs/Configuration/yaml-files.md index f66c79f1e751..7599fd259f9a 100644 --- a/docs/Configuration/yaml-files.md +++ b/docs/Configuration/yaml-files.md 
@@ -6,14 +6,16 @@ To learn how to set up a GitOps workflow see the [Fleet GitOps repo](https://git ## File structure -- `default.yml`- File where you define the queries, policies, controls, and agent options for all hosts. If you're using Fleet Premium, this file updates queries and policies that run on all hosts ("All teams"). Controls and agent options are defined for hosts on "No team." -- `teams/` - Folder where you define your teams in Fleet. These `teams/team-name.yml` files define the controls, queries, policies, and agent options for hosts assigned to the specified team. Teams are available in Fleet Premium. +- `default.yml` - File where you define the queries, policies and agent options for all hosts. If you're using Fleet Premium, this file updates queries and policies that run on all hosts ("All teams"). +- `teams/no-team.yml` - File where you define the policies, controls, and software for hosts on "No team". Available in Fleet Premium. +- `teams/` - Folder where you define your teams in Fleet. These `teams/team-name.yml` files define the controls, queries, policies, software, and agent options for hosts assigned to the specified team. Available in Fleet Premium. - `lib/` - Folder where you define policies, queries, configuration profiles, scripts, and agent options. These files can be referenced in top level keys in the `default.yml` file and the files in the `teams/` folder. - `.github/workflows/workflow.yml` - The GitHub workflow file where you can add [environment variables](https://docs.github.com/en/actions/learn-github-actions/variables#defining-environment-variables-for-a-single-workflow). -The following files are responsible for running the GitHub action. Most users don't need to edit these files. +The following files are responsible for running the GitHub action or GitLab CI/CD. Most users don't need to edit these files. - `gitops.sh` - The bash script that applies the latest configuration to Fleet. 
This script is used in the GitHub action file. - `.github/gitops-action/action.yml` - The GitHub action that runs `gitops.sh`. This action is used in the GitHub workflow file. It can also be used in other workflows. +- `.gitlab-ci.yml` - The GitLab CI/CD file that applies the latest configuration to Fleet. ## Configuration options @@ -24,8 +26,7 @@ name: # Only teams/team-name.yml. To edit a team's name, change `name` but don't policies: queries: agent_options: -controls: -software: +controls: # Can be defined in teams/no-team.yml too. org_settings: # Only default.yml team_settings: # Only teams/team-name.yml ``` @@ -40,6 +41,8 @@ team_settings: # Only teams/team-name.yml ### policies Polcies can be specified inline in your `default.yml` file or `teams/team-name.yml` files. They can also be specified in separate files in your `lib/` folder. +Policies defined in `default.yml` run on **all** hosts. +Policies defined in `teams/no-team.yml` run on hosts that belong to "No team". #### Options @@ -81,9 +84,16 @@ policies: platform: darwin critical: false calendar_event_enabled: false +- name: Firefox on Linux installed and up to date + platform: linux + description: "This policy checks that Firefox is installed and up to date." + resolution: "Install Firefox version 129.0.2 or higher." + query: "SELECT 1 FROM deb_packages WHERE name = 'firefox' AND version_compare(version, '129.0.2') >= 0;" + install_software: + package_path: "../lib/linux-firefox.deb.package.yml" ``` -`default.yml` or `teams/team-name.yml` +`default.yml`, `teams/team-name.yml`, or `teams/no-team.yml` ```yaml policies: 
@@ -210,6 +220,8 @@ queries: The `controls` section allows you to configure scripts and device management (MDM) features in Fleet. +Controls for hosts that are in "No team" can be defined in `default.yml` or in `teams/no-team.yml` (but not in both files). + - `scripts` is a list of paths to macOS, Windows, or Linux scripts. - `windows_enabled_and_configured` specifies whether or not to turn on Windows MDM features (default: `false`). Can only be configured for all teams (`default.yml`). - `enable_disk_encryption` specifies whether or not to enforce disk encryption on macOS and Windows hosts (default: `false`). @@ -304,11 +316,15 @@ Can only be configure for all teams (`default.yml`). > **Experimental feature**. This feature is undergoing rapid improvement, which may result in breaking changes to the API or configuration surface. It is not recommended for use in automated workflows. The `software` section allows you to configure packages and Apple App Store apps that you want to install on your hosts. +Software for hosts that belong to "No team" have to be defined in `teams/no-team.yml`. +Software can also be specified in separate files in your `lib/` folder. - `packages` is a list of software packages (.pkg, .msi, .exe, or .deb) and software specific options. - `app_store_apps` is a list of Apple App Store apps. -##### Example +#### Example + +##### Inline ```yaml software: @@ -326,7 +342,7 @@ software: - app_store_id: '1091189122' ``` -#### packages +##### packages - `url` specifies the URL at which the software is located. Fleet will download the software and upload it to S3 (default: `""`). - `install_script.path` specifies the command Fleet will run on hosts to install software. The [default script](https://github.com/fleetdm/fleet/tree/main/pkg/file/scripts) is dependent on the software type (i.e. .pkg). 
@@ -334,12 +350,41 @@ software: - `post_install_script.path` is the script Fleet will run on hosts after intalling software (default: `""`). - `self_service` specifies whether or not end users can install from **Fleet Desktop > Self-service**. -#### app_store_apps +##### app_store_apps - `app_store_id` is the ID of the Apple App Store app. You can find this at the end of the app's App Store URL. For example, "Bear - Markdown Notes" URL is "https://apps.apple.com/us/app/bear-markdown-notes/id1016366447" and the `app_store_id` is `1016366447`. > Make sure to include only the ID itself, and not the `id` prefix shown in the URL. The ID must be wrapped in quotes as shown in the example so that it is processed as a string. +##### Separate file + +`lib/software-name.package.yml`: + +```yaml +url: https://dl.tailscale.com/stable/tailscale-setup-1.72.0.exe +install_script: + path: ../lib/software/tailscale-install-script.ps1 +self_service: true +``` + +`lib/software/tailscale-install-script.ps1` + +```yaml +$exeFilePath = "${env:INSTALLER_PATH}" +$installProcess = Start-Process $exeFilePath ` + -ArgumentList "/quiet /norestart" ` + -PassThru -Verb RunAs -Wait +``` + +`default.yml`, `teams/team-name.yml`, or `teams/no-team.yml` + +```yaml +software: + packages: + - path: ../lib/software-name.package.yml +# path is relative to default.yml or teams/team-name.yml +``` + ### org_settings and team_settings #### features 
@@ -640,6 +685,19 @@ Once the IdP settings are configured, you can use the [`controls.macos_setup.ena Can only be configured for all teams (`org_settings`). +##### end_user_authentication + +The `end_user_authentication` section lets you define the identity provider (IdP) settings used for end user authentication during Automated Device Enrollment (ADE). Learn more about end user authentication in Fleet [here](https://fleetdm.com/guides/macos-setup-experience#end-user-authentication-and-eula). + +Once the IdP settings are configured, you can use the [`controls.macos_setup.enable_end_user_authentication`](#macos_setup) key to control the end user experience during ADE. + +- `idp_name` is the human-friendly name for the identity provider that will provide single sign-on authentication (default: `""`). +- `entity_id` is the entity ID: a Uniform Resource Identifier (URI) that you use to identify Fleet when configuring the identity provider. It must exactly match the Entity ID field used in identity provider configuration (default: `""`). +- `metadata` is the metadata (in XML format) provided by the identity provider. (default: `""`) +- `metadata_url` is the URL that references the identity provider metadata. Only one of `metadata` or `metadata_url` is required (default: `""`). + +Can only be configured for all teams (`org_settings`). + diff --git a/docs/Contributing/API-for-contributors.md b/docs/Contributing/API-for-contributors.md index ec39149199a1..2ba361b2c3a7 100644 --- a/docs/Contributing/API-for-contributors.md +++ b/docs/Contributing/API-for-contributors.md 
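Review bot: this looks like it inserts a second copy of the `end_user_authentication` section rather than a new one. The hunk header context ("Once the IdP settings are configured, you can use the [`controls.macos_setup.ena…") and the leading context line "Can only be configured for all teams (`org_settings`)." are the same sentences the added block repeats, so the file would carry two identical "##### end_user_authentication" sections back to back. Please confirm whether the existing section was meant to be replaced (in which case it needs `-` lines) or drop this hunk.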
@@ -543,11 +543,13 @@ The MDM endpoints exist to support the related command-line interface sub-comman - [Batch-apply MDM custom settings](#batch-apply-mdm-custom-settings) - [Initiate SSO during DEP enrollment](#initiate-sso-during-dep-enrollment) - [Complete SSO during DEP enrollment](#complete-sso-during-dep-enrollment) +- [Over the air enrollment](#over-the-air-enrollment) - [Preassign profiles to devices](#preassign-profiles-to-devices) - [Match preassigned profiles](#match-preassigned-profiles) - [Get FileVault statistics](#get-filevault-statistics) - [Upload VPP content token](#upload-vpp-content-token) - [Disable VPP](#disable-vpp) +- [Get an over the air (OTA) enrollment profile](#get-an-over-the-air-ota-enrollment-profile) ### Generate Apple Business Manager public key (ADE) 
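Review bot: the new TOC entry "Get an over the air (OTA) enrollment profile" has no matching "### Get an over the air (OTA) enrollment profile" section anywhere in this diff, so the `#get-an-over-the-air-ota-enrollment-profile` anchor will dangle unless another commit adds it. The two OTA entries are also split by five unrelated items; they would be easier to find adjacent to each other.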
@@ -1029,6 +1031,34 @@ If the credentials are valid, the server redirects the client to the Fleet UI. T - `profile_token` is a token that can be used to download an enrollment profile (.mobileconfig). - `eula_token` (optional) if an EULA was uploaded, this contains a token that can be used to view the EULA document. +### Over the air enrollment + +This endpoint handles over the air (OTA) MDM enrollments + +`POST /api/v1/fleet/ota_enrollment` + +#### Parameters + +| Name | Type | In | Description | +| ------------------- | ------ | ---- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| enroll_secret | string | url | **Required** Assigns the host to a team with a matching enroll secret | +| XML device response | XML | body | **Required**. The XML response from the device. Fields are documented [here](https://developer.apple.com/library/archive/documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/ConfigurationProfileExamples/ConfigurationProfileExamples.html#//apple_ref/doc/uid/TP40009505-CH4-SW7) | + +> Note: enroll secrets can contain special characters. Ensure any special characters are [properly escaped](https://developer.mozilla.org/en-US/docs/Glossary/Percent-encoding). 
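Review bot: the `enroll_secret` row uses `url` in the "In" column while the rest of this document uses `query` for query-string parameters (compare the `team_id` rows in the batch tables below); please align it. Minor copy fixes in the same hunk: "This endpoint handles over the air (OTA) MDM enrollments" lacks a period, and "**Required** Assigns" lacks the period the other row uses ("**Required**. The XML response"). Since the enroll secret travels in the query string, it will show up in proxy and server access logs; a sentence advising operators to treat those logs accordingly (and to rotate a secret that leaks this way) would be useful right next to the percent-encoding note.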
+ +#### Example + +`POST /api/v1/fleet/ota_enrollment?enroll_secret=0Z6IuKpKU4y7xl%2BZcrp2gPcMi1kKNs3p` + +##### Default response + +`Status: 200` + +Per [the spec](https://developer.apple.com/library/archive/documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/Introduction/Introduction.html#//apple_ref/doc/uid/TP40009505-CH1-SW1), the response is different depending on the signature of the XML device response: + +- If the body is signed with a certificate that can be validated by our root SCEP certificate, it returns an enrollment profile. +- Otherwise, it returns a SCEP payload. + ### Preassign profiles to devices _Available in Fleet Premium_ @@ -1453,12 +1483,14 @@ NOTE: when updating a policy, team and platform will be ignored. "name": "new policy", "description": "This will be a new policy because a policy with the name 'new policy' doesn't exist in Fleet.", "query": "SELECT * FROM osquery_info", + "team": "No team", "resolution": "some resolution steps here", "critical": false }, { "name": "Is FileVault enabled on macOS devices?", "query": "SELECT 1 FROM disk_encryption WHERE user_uuid IS NOT “” AND filevault_status = ‘on’ LIMIT 1;", + "team": "Workstations", "description": "Checks to make sure that the FileVault feature is enabled on macOS devices.", "resolution": "Choose Apple menu > System Preferences, then click Security & Privacy. Click the FileVault tab. Click the Lock icon, then enter an administrator name and password. Click Turn On FileVault.", "platform": "darwin", 
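Review bot: in the OTA "Default response" text, "our root SCEP certificate" should be "the Fleet SCEP CA certificate" to match the document's voice, and the example would be more useful with a minimal request body, since the whole behaviour hinges on the signed XML the device sends. For the policy spec hunk further down: the new `"team": "No team"` and `"team": "Workstations"` keys are added to an example whose surrounding context says "when updating a policy, team and platform will be ignored", so it is worth stating in the example which operation (create vs. update) honours `team`. The untouched FileVault query on the context line uses curly quotes (`“”` and `‘on’`), which are not valid SQL if copied; consider fixing it while touching this block.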
@@ -3293,36 +3325,7 @@ If both `team_id` and `team_name` parameters are included, this endpoint will re `Status: 204` -## Software - -### Batch-apply software - -_Available in Fleet Premium._ - -`POST /api/v1/fleet/software/batch` - -#### Parameters - -| Name | Type | In | Description | -| --------- | ------ | ----- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| team_id | number | query | The ID of the team to add the software package to. Only one team identifier (`team_id` or `team_name`) can be included in the request, omit this parameter if using `team_name`. Ommitting these parameters will add software to 'No Team'. | -| team_name | string | query | The name of the team to add the software package to. Only one team identifier (`team_id` or `team_name`) can be included in the request, omit this parameter if using `team_id`. Ommitting these parameters will add software to 'No Team'. | -| dry_run | bool | query | If `true`, will validate the provided software packages and return any validation errors, but will not apply the changes. | -| software | object | body | The team's software that will be available for install. | -| software.packages | list | body | An array of objects. Each object consists of:`url`- URL to the software package (PKG, MSI, EXE or DEB),`install_script` - command that Fleet runs to install software, `pre_install_query` - condition query that determines if the install will proceed, `post_install_script` - script that runs after software install, and `uninstall_script` - command that Fleet runs to uninstall software. | -| software.app_store_apps | list | body | An array objects. Each object consists of `app_store_id` - ID of the App Store app. | - -If both `team_id` and `team_name` parameters are included, this endpoint will respond with an error. 
If no `team_name` or `team_id` is provided, the scripts will be applied for **all hosts**. - -#### Example - -`POST /api/v1/fleet/software/batch` - -##### Default response - -`Status: 204` - - ### Run live script +### Run live script Run a live script and get results back (5 minute timeout). Live scripts only runs on the host if it has no other scripts running. 
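Review bot: the `- ### Run live script` / `+ ### Run live script` pair differs only in leading whitespace, so this hunk is a whitespace-only change to that heading; fine, but the removed "Software" section (Batch-apply software) is re-added verbatim in `rest-api.md` later in this diff, including the sentence "If no `team_name` or `team_id` is provided, the scripts will be applied for **all hosts**", which contradicts the table rows above it that say omitting both parameters adds software to "No Team". Worth fixing in the destination file rather than carrying the contradiction over.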
@@ -3361,62 +3364,3 @@ Run a live script and get results back (5 minute timeout). Live scripts only run "exit_code": 0 } ``` - -### Get token to download package - -_Available in Fleet Premium._ - -`POST /api/v1/fleet/software/titles/:software_title_id/package/token?alt=media` - -The returned token is a one-time use token that expires after 10 minutes. - -#### Parameters - -| Name | Type | In | Description | -|-------------------|---------|-------|------------------------------------------------------------------| -| software_title_id | integer | path | **Required**. The ID of the software title for software package. | -| team_id | integer | query | **Required**. The team ID containing the software package. | -| alt | integer | query | **Required**. Must be specified and set to "media". | - -#### Example - -`POST /api/v1/fleet/software/titles/123/package/token?alt=media&team_id=2` - -##### Default response - -`Status: 200` - -```json -{ - "token": "e905e33e-07fe-4f82-889c-4848ed7eecb7" -} -``` - -### Download package using a token - -_Available in Fleet Premium._ - -`GET /api/v1/fleet/software/titles/:software_title_id/package/token/:token?alt=media` - -#### Parameters - -| Name | Type | In | Description | -|-------------------|---------|------|--------------------------------------------------------------------------| -| software_title_id | integer | path | **Required**. The ID of the software title to download software package. | -| token | string | path | **Required**. The token to download the software package. | - -#### Example - -`GET /api/v1/fleet/software/titles/123/package/token/e905e33e-07fe-4f82-889c-4848ed7eecb7` - -##### Default response - -`Status: 200` - -```http -Status: 200 -Content-Type: application/octet-stream -Content-Disposition: attachment -Content-Length: -Body: -``` diff --git a/docs/REST API/rest-api.md b/docs/REST API/rest-api.md index c160aac679ff..638728015b9d 100644 --- a/docs/REST API/rest-api.md +++ b/docs/REST API/rest-api.md 
@@ -484,6 +484,22 @@ for pagination. For a comprehensive list of activity types and detailed informat ```json { "activities": [ + { + "created_at": "2023-07-27T14:35:08Z", + "id": 25, + "actor_full_name": "Anna Chao", + "actor_id": 3, + "actor_gravatar": "", + "actor_email": "", + "type": "uninstalled_software", + "details": { + "host_id": 1, + "host_display_name": "Marko's MacBook Pro", + "software_title": "Adobe Acrobat.app", + "script_execution_id": "eeeddb94-52d3-4071-8b18-7322cd382abb", + "status": "failed" + } + }, { "created_at": "2021-07-30T13:41:07Z", "id": 24, @@ -4241,7 +4257,7 @@ Resends a configuration profile for the specified host. "last_install": { "install_uuid": "8bbb8ac2-b254-4387-8cba-4d8a0407368b", "installed_at": "2024-05-15T15:23:57Z" - }, + } }, "app_store_app": null "source": "apps", @@ -4262,10 +4278,16 @@ Resends a configuration profile for the specified host. "name": "FalconSensor-6.44.pkg" "self_service": false, "last_install": null + "last_install": null, + "last_uninstall": { + "script_execution_id": "ed579e73-0f41-46c8-aaf4-3c1e5880ed27", + "uninstalled_at": "2024-05-15T15:23:57Z" + } }, "app_store_app": null "source": "", "status": null, + "status": "pending_uninstall", "installed_versions": [], }, { 
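Review bot: the `last_uninstall` and `pending_uninstall` hunks add keys without removing the old ones: `+ "last_install": null,` is added directly under the context line `"last_install": null`, and `+ "status": "pending_uninstall",` under the context line `"status": null,`, so the example object now has duplicate `last_install` and `status` keys. Those two context lines should be `-` lines. The surrounding JSON is also invalid independent of this change (`"app_store_app": null "source": "apps",` and `"name": "FalconSensor-6.44.pkg" "self_service": false,` lack commas, and `"installed_versions": [],` leaves a trailing comma); since the hunk touches these objects, it is a good moment to fix them so the example parses.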
@@ -4546,6 +4568,38 @@ To wipe a macOS, iOS, iPadOS, or Windows host, the host must have MDM turned on. ```json { "activities": [ + { + "created_at": "2023-07-27T14:35:08Z", + "actor_id": 1, + "actor_full_name": "Anna Chao", + "id": 4, + "actor_gravatar": "", + "actor_email": "", + "type": "uninstalled_software", + "details": { + "host_id": 1, + "host_display_name": "Marko’s MacBook Pro", + "software_title": "Adobe Acrobat.app", + "script_execution_id": "ecf22dba-07dc-40a9-b122-5480e948b756", + "status": "failed" + } + }, + { + "created_at": "2023-07-27T14:35:08Z", + "actor_id": 1, + "actor_full_name": "Anna Chao", + "id": 3, + "actor_gravatar": "", + "actor_email": "", + "type": "uninstalled_software", + "details": { + "host_id": 1, + "host_display_name": "Marko’s MacBook Pro", + "software_title": "Adobe Acrobat.app", + "script_execution_id": "ecf22dba-07dc-40a9-b122-5480e948b756", + "status": "uninstalled" + } + }, { "created_at": "2023-07-27T14:35:08Z", "id": 2, @@ -4610,6 +4664,23 @@ To wipe a macOS, iOS, iPadOS, or Windows host, the host must have MDM turned on. { "count": 3, "activities": [ + { + "created_at": "2023-07-27T14:35:08Z", + "actor_id": 1, + "actor_full_name": "Anna Chao", + "uuid": "cc081637-fdf9-4d44-929f-96dfaec00f67", + "actor_gravatar": "", + "actor_email": "", + "type": "uninstalled_software", + "fleet_initiated_activity": false, + "details": { + "host_id": 1, + "host_display_name": "Marko's MacBook Pro", + "software_title": "Adobe Acrobat.app", + "script_execution_id": "ecf22dba-07dc-40a9-b122-5480e948b756", + "status": "pending_uninstall", + } + }, { "created_at": "2023-07-27T14:35:08Z", "uuid": "d6cffa75-b5b5-41ef-9230-15073c8a88cf", 
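Review bot: the trailing comma in `"status": "pending_uninstall",` immediately before `}` makes the third activity example invalid JSON; drop the comma. In the first hunk the two new activities share the same `script_execution_id` ("ecf22dba-…") and `created_at` but report `"status": "failed"` and `"status": "uninstalled"` respectively, which cannot both be true for one execution; give them distinct ids (or timestamps) so the example reflects a plausible sequence.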
@@ -6812,6 +6883,29 @@ Team policies work the same as policies, but at the team level. "failing_host_count": 0, "host_count_updated_at": "2023-12-20T15:23:57Z", "calendar_events_enabled": false + }, + { + "id": 3, + "name": "macOS - install/update Adobe Acrobat", + "query": "SELECT 1 FROM apps WHERE name = \"Adobe Acrobat.app\" AND bundle_short_version != \"24.002.21005\";", + "description": "Checks if the hard disk is encrypted on Windows devices", + "critical": false, + "author_id": 43, + "author_name": "Alice", + "author_email": "alice@example.com", + "team_id": 1, + "resolution": "Resolution steps", + "platform": "darwin", + "created_at": "2021-12-16T14:37:37Z", + "updated_at": "2021-12-16T16:39:00Z", + "passing_host_count": 2300, + "failing_host_count": 3, + "host_count_updated_at": "2023-12-20T15:23:57Z", + "calendar_events_enabled": false, + "install_software": { + "name": "Adobe Acrobat.app", + "software_title_id": 1234 + } } ], "inherited_policies": [ @@ -6993,6 +7087,7 @@ The semantics for creating a team policy are the same as for global policies, se | resolution | string | body | The resolution steps for the policy. | | platform | string | body | Comma-separated target platforms, currently supported values are "windows", "linux", "darwin". The default, an empty string means target all platforms. | | critical | boolean | body | _Available in Fleet Premium_. Mark policy as critical/high impact. | +| software_title_id | integer | body | _Available in Fleet Premium_. ID of software title to install if the policy fails. | Either `query` or `query_id` must be provided. @@ -7036,7 +7131,11 @@ Either `query` or `query_id` must be provided. "passing_host_count": 0, "failing_host_count": 0, "host_count_updated_at": null, - "calendar_events_enabled": false + "calendar_events_enabled": false, + "install_software": { + "name": "Adobe Acrobat.app", + "software_title_id": 1234 + } } } ``` 
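Review bot: the new policy example "macOS - install/update Adobe Acrobat" carries `"description": "Checks if the hard disk is encrypted on Windows devices"`, a copy-paste leftover that contradicts its own name, query and `"platform": "darwin"`. For the `software_title_id` parameter row, the doc should say what happens when the title belongs to a different team than the policy and how to clear the association (for example, whether `null` is accepted), since the response shape (`install_software`) differs from the request parameter name.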
@@ -7091,6 +7190,7 @@ Either `query` or `query_id` must be provided. | platform | string | body | Comma-separated target platforms, currently supported values are "windows", "linux", "darwin". The default, an empty string means target all platforms. | | critical | boolean | body | _Available in Fleet Premium_. Mark policy as critical/high impact. | | calendar_events_enabled | boolean | body | _Available in Fleet Premium_. Whether to trigger calendar events when policy is failing. | +| software_title_id | integer | body | _Available in Fleet Premium_. ID of software title to install if the policy fails. | #### Example @@ -7132,7 +7232,11 @@ Either `query` or `query_id` must be provided. "passing_host_count": 0, "failing_host_count": 0, "host_count_updated_at": null, - "calendar_events_enabled": true + "calendar_events_enabled": true, + "install_software": { + "name": "Adobe Acrobat.app", + "software_title_id": 1234 + } } } ``` @@ -8300,12 +8404,15 @@ Gets the result of a script that was executed. "host_timeout": false, "host_id": 1, "execution_id": "e797d6c6-3aae-11ee-be56-0242ac120002", - "runtime": 20 + "runtime": 20, + "created_at": "2024-09-11T20:30:24Z" } ``` > Note: `exit_code` can be `null` if Fleet hasn't heard back from the host yet. +> Note: `created_at` is the creation timestamp of the script execution request. + ### Add script Uploads a script, making it available to run on hosts assigned to the specified team (or no team). 
@@ -8539,10 +8646,15 @@ Deletes the session specified by ID. When the user associated with the session n - [Add package](#add-package) - [List App Store apps](#list-app-store-apps) - [Add App Store app](#add-app-store-app) +- [Add Fleet library app](#add-fleet-library-app) - [Install package or App Store app](#install-package-or-app-store-app) - [Get package install result](#get-package-install-result) - [Download package](#download-package) - [Delete package or App Store app](#delete-package-or-app-store-app) +- [Batch-apply software](#batch-apply-software) +- [Batch-apply app store apps](#batch-apply-app-store-apps) +- [Get token to download package](#get-token-to-download-package) +- [Download package using a token](#download-package-using-a-token) ### List software @@ -8854,14 +8966,17 @@ Returns information about the specified software. By default, `versions` are sor "installer_id": 23, "team_id": 3, "uploaded_at": "2024-04-01T14:22:58Z", - "install_script": "sudo installer -pkg /temp/FalconSensor-6.44.pkg -target /", + "install_script": "sudo installer -pkg '$INSTALLER_PATH' -target /", "pre_install_query": "SELECT 1 FROM macos_profiles WHERE uuid='c9f4f0d5-8426-4eb8-b61b-27c543c9d3db';", "post_install_script": "sudo /Applications/Falcon.app/Contents/Resources/falconctl license 0123456789ABCDEFGHIJKLMNOPQRSTUV-WX", + "uninstall_script": "/Library/CS/falconctl uninstall", "self_service": true, "status": { "installed": 3, - "pending": 1, - "failed": 2, + "pending_install": 1, + "failed_install": 0, + "pending_uninstall": 2, + "failed_uninstall": 1 } }, "app_store_app": null, 
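Review bot: the changed example `"install_script": "sudo installer -pkg '$INSTALLER_PATH' -target /"` puts `$INSTALLER_PATH` in single quotes; unless Fleet substitutes the value textually before the script runs, a POSIX shell will pass the literal string `$INSTALLER_PATH` to `installer` and the install will fail. Use double quotes (`"$INSTALLER_PATH"`) as the default install scripts do. The new four-key `status` object (`pending_install`, `failed_install`, `pending_uninstall`, `failed_uninstall`) is a shape change from the previous `pending`/`failed` keys; the other `status` examples in this file (see the Modify package response added below) still use the old keys and should be updated in the same PR.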
@@ -9067,7 +9182,7 @@ Add a package (.pkg, .msi, .exe, .deb) to install on macOS, Windows, or Linux (U | ---- | ------- | ---- | -------------------------------------------- | | software | file | form | **Required**. Installer package file. Supported packages are PKG, MSI, EXE, and DEB. | | team_id | integer | form | **Required**. The team ID. Adds a software package to the specified team. | -| install_script | string | form | Command that Fleet runs to install software. If not specified Fleet runs [default install command](https://github.com/fleetdm/fleet/tree/f71a1f183cc6736205510580c8366153ea083a8d/pkg/file/scripts) for each package type. | +| install_script | string | form | Script that Fleet runs to install software. If not specified Fleet runs [default install script](https://github.com/fleetdm/fleet/tree/f71a1f183cc6736205510580c8366153ea083a8d/pkg/file/scripts) for each package type. | | pre_install_query | string | form | Query that is pre-install condition. If the query doesn't return any result, Fleet won't proceed to install. | | post_install_script | string | form | The contents of the script to run after install. If the specified script fails (exit code non-zero) software install will be marked as failed and rolled back. | | self_service | boolean | form | Self-service software is optional and can be installed by the end user. | 
@@ -9112,6 +9227,87 @@ Content-Type: application/octet-stream `Status: 200` +### Modify package + +_Available in Fleet Premium._ + +Update a package to install on macOS, Windows, or Linux (Ubuntu) hosts. + +`PATCH /api/v1/fleet/software/titles/:title_id/package` + +#### Parameters + +| Name | Type | In | Description | +| ---- | ------- | ---- | -------------------------------------------- | +| software | file | form | Installer package file. Supported packages are PKG, MSI, EXE, and DEB. | +| team_id | integer | form | **Required**. The team ID. Updates a software package in the specified team. | +| install_script | string | form | Command that Fleet runs to install software. If not specified Fleet runs the [default install command](https://github.com/fleetdm/fleet/tree/f71a1f183cc6736205510580c8366153ea083a8d/pkg/file/scripts) for each package type. | +| pre_install_query | string | form | Query that is pre-install condition. If the query doesn't return any result, the package will not be installed. | +| post_install_script | string | form | The contents of the script to run after install. If the specified script fails (exit code non-zero) software install will be marked as failed and rolled back. | +| self_service | boolean | form | Whether this is optional self-service software that can be installed by the end user. | + +> Changes to the installer package will reset installation counts. Changes to any field other than `self_service` will cancel pending installs for the old package. 
+#### Example + +`PATCH /api/v1/fleet/software/titles/1/package` + +##### Request header + +```http +Content-Length: 8500 +Content-Type: multipart/form-data; boundary=------------------------d8c247122f594ba0 +``` + +##### Request body + +```http +--------------------------d8c247122f594ba0 +Content-Disposition: form-data; name="team_id" +1 +--------------------------d8c247122f594ba0 +Content-Disposition: form-data; name="self_service" +true +--------------------------d8c247122f594ba0 +Content-Disposition: form-data; name="install_script" +sudo installer -pkg /temp/FalconSensor-6.44.pkg -target / +--------------------------d8c247122f594ba0 +Content-Disposition: form-data; name="pre_install_query" +SELECT 1 FROM macos_profiles WHERE uuid='c9f4f0d5-8426-4eb8-b61b-27c543c9d3db'; +--------------------------d8c247122f594ba0 +Content-Disposition: form-data; name="post_install_script" +sudo /Applications/Falcon.app/Contents/Resources/falconctl license 0123456789ABCDEFGHIJKLMNOPQRSTUV-WX +--------------------------d8c247122f594ba0 +Content-Disposition: form-data; name="software"; filename="FalconSensor-6.44.pkg" +Content-Type: application/octet-stream + +--------------------------d8c247122f594ba0 +``` + +##### Default response + +`Status: 200` + +```json +{ + "software_package": { + "name": "FalconSensor-6.44.pkg", + "version": "6.44", + "installer_id": 23, + "team_id": 3, + "uploaded_at": "2024-04-01T14:22:58Z", + "install_script": "sudo installer -pkg /temp/FalconSensor-6.44.pkg -target /", + "pre_install_query": "SELECT 1 FROM macos_profiles WHERE uuid='c9f4f0d5-8426-4eb8-b61b-27c543c9d3db';", + "post_install_script": "sudo /Applications/Falcon.app/Contents/Resources/falconctl license 0123456789ABCDEFGHIJKLMNOPQRSTUV-WX", + "self_service": true, + "status": { + "installed": 0, + "pending": 0, + "failed": 0 + } + } +} +``` + ### List App Store apps > **Experimental feature**. 
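Review bot: the "Modify package" example response is inconsistent with the request and with the rest of this diff: the request sends `team_id` 1 but the response shows `"team_id": 3`; the response `status` uses the old `pending`/`failed` keys while the List-software hunk above switches to `pending_install`/`failed_install`/`pending_uninstall`/`failed_uninstall`; and the example `install_script` hard-codes `/temp/FalconSensor-6.44.pkg` instead of the `$INSTALLER_PATH` form now shown elsewhere. The parameter table still says "Command that Fleet runs to install software" even though the Add-package table was just reworded to "Script", and it has no `uninstall_script` row although the batch endpoint accepts one. The note that changing any field other than `self_service` cancels pending installs for the old package is a good operational detail to keep.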
This feature is undergoing rapid improvement, which may result in breaking changes to the API or configuration surface. It is not recommended for use in automated workflows. @@ -9238,9 +9434,31 @@ _Available in Fleet Premium._ Install software (package or App Store app) on a macOS, iOS, iPadOS, Windows, or Linux (Ubuntu) host. Software title must have a `software_package` or `app_store_app` added to be installed. -> Note: Fleet's agent (fleetd) only installs software it has been asked to install, but technically has access to all installer executables. +`POST /api/v1/fleet/hosts/:id/software/:software_title_id/install` + +#### Parameters + +| Name | Type | In | Description | +| --------- | ---------- | ---- | -------------------------------------------- | +| id | integer | path | **Required**. The host's ID. | +| software_title_id | integer | path | **Required**. The software title's ID. | + +#### Example + +`POST /api/v1/fleet/hosts/123/software/3435/install` + +##### Default response + +`Status: 202` + +### Uninstall package -`POST /api/v1/fleet/hosts/:id/software/install/:software_title_id` +> **Experimental feature**. This feature is undergoing rapid improvement, which may result in breaking changes to the API or configuration surface. It is not recommended for use in automated workflows. +_Available in Fleet Premium._ + +Uninstall software (package) on a macOS, Windows, or Linux (Ubuntu) host. Software title must have a `software_package` added to be uninstalled. + +`POST /api/v1/fleet/hosts/:id/software/:software_title_id/uninstall` #### Parameters @@ -9251,7 +9469,7 @@ Install software (package or App Store app) on a macOS, iOS, iPadOS, Windows, or #### Example -`POST /api/v1/fleet/hosts/123/software/install/3435` +`POST /api/v1/fleet/hosts/123/software/3435/uninstall` ##### Default response 
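Review bot: in the new "Uninstall package" section, `_Available in Fleet Premium._` follows the `> **Experimental feature**` blockquote with no blank line, so Markdown will fold it into the quote; insert an empty line after the blockquote as the other sections do. Renaming `POST /api/v1/fleet/hosts/:id/software/install/:software_title_id` to `/hosts/:id/software/:software_title_id/install` is a breaking path change; it deserves a changelog entry and, ideally, a deprecation period for the old path. Removing the note that fleetd "technically has access to all installer executables" matches the changelog item about hosts no longer being able to access installers not assigned to them; consider replacing it with a one-line statement of the new guarantee so readers are not left guessing.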
@@ -9263,7 +9481,7 @@ Install software (package or App Store app) on a macOS, iOS, iPadOS, Windows, or _Available in Fleet Premium._ -`GET /api/v1/fleet/software/install/results/:install_uuid` +`GET /api/v1/fleet/software/install/:install_uuid/results` Get the results of a software package install. @@ -9275,7 +9493,7 @@ To get the results of an App Store app install, use the [List MDM commands](#lis #### Example -`GET /api/v1/fleet/software/install/results/b15ce221-e22e-4c6a-afe7-5b3400a017da` +`GET /api/v1/fleet/software/install/b15ce221-e22e-4c6a-afe7-5b3400a017da/results` ##### Default response 
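Review bot: same breaking-path concern as the install endpoint: `GET /api/v1/fleet/software/install/results/:install_uuid` becomes `/software/install/:install_uuid/results` with no mention of the old route; call it out in the release notes and make sure any client code (fleetctl, UI) is updated in the same release.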
@@ -9321,6 +9539,117 @@ Deletes software that's available for install (package or App Store app). `Status: 204` +### Batch-apply software + +_Available in Fleet Premium._ + +`POST /api/v1/fleet/software/batch` + +#### Parameters + +| Name | Type | In | Description | +| --------- | ------ | ----- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| team_id | number | query | The ID of the team to add the software package to. Only one team identifier (`team_id` or `team_name`) can be included in the request; omit this parameter if using `team_name`. Omitting these parameters will add software to "No Team". | +| team_name | string | query | The name of the team to add the software package to. Only one team identifier (`team_id` or `team_name`) can be included in the request; omit this parameter if using `team_id`. Omitting these parameters will add software to "No Team". | +| dry_run | bool | query | If `true`, will validate the provided software packages and return any validation errors, but will not apply the changes. | +| software | object | body | The team's software that will be available for install. | +| software.packages | list | body | An array of objects. Each object consists of:`url`- URL to the software package (PKG, MSI, EXE or DEB),`install_script` - command that Fleet runs to install software, `pre_install_query` - condition query that determines if the install will proceed, `post_install_script` - script that runs after software install, and `uninstall_script` - command that Fleet runs to uninstall software. | +| software.app_store_apps | list | body | An array objects. Each object consists of `app_store_id` - ID of the App Store app. | + +If both `team_id` and `team_name` parameters are included, this endpoint will respond with an error. If no `team_name` or `team_id` is provided, the scripts will be applied for **all hosts**. 
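Review bot: the added sentence "If no `team_name` or `team_id` is provided, the scripts will be applied for **all hosts**" contradicts the `team_id`/`team_name` rows directly above it, which say omitting both adds software to "No Team", and "scripts" should be "software" here. In the `software.app_store_apps` row, "An array objects" should be "An array of objects", and the `software.packages` description runs its items together without spaces after the backticks ("consists of:`url`- URL").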
+ +#### Example + +`POST /api/v1/fleet/software/batch` + +##### Default response + +`Status: 204` + +### Batch-apply app store apps + +_Available in Fleet Premium._ + +`POST /api/v1/fleet/software/app_store_apps/batch` + +#### Parameters + +| Name | Type | In | Description | +|-----------------|---------|-------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| team_name | integer | query | **Required**. The name of the team to add the app to. | +| dry_run | bool | query | If `true`, will validate the provided apps and return any validation errors, but will not apply the changes. | +| apps_store_apps | list | body | The list of objects containing `app_store_id`: a string representation of the app's App ID, `self_service`: a bool indicating if the app's installation can be initiated by end users. | + +> Note that this endpoint replaces all apps associated with a team. + +#### Example + +`POST /api/v1/fleet/software/app_store_apps/batch` + +#### Default response + +`Status: 204` + +### Get token to download package + +_Available in Fleet Premium._ + +`POST /api/v1/fleet/software/titles/:software_title_id/package/token?alt=media` + +The returned token is a one-time use token that expires after 10 minutes. + +#### Parameters + +| Name | Type | In | Description | +|-------------------|---------|-------|------------------------------------------------------------------| +| software_title_id | integer | path | **Required**. The ID of the software title for software package. | +| team_id | integer | query | **Required**. The team ID containing the software package. | +| alt | integer | query | **Required**. Must be specified and set to "media". 
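Review bot: in the "Batch-apply app store apps" table, `team_name` is typed `integer` but is described as the team's name, so it should be `string`; the body parameter is spelled `apps_store_apps`, which looks like a typo for `app_store_apps` and should be checked against the handler. The section also uses "#### Default response" where every other endpoint uses "##### Default response", and the blunt note "this endpoint replaces all apps associated with a team" is important enough to move above the parameter table, since a caller who reads the table first may assume additive behaviour.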
| + +#### Example + +`POST /api/v1/fleet/software/titles/123/package/token?alt=media&team_id=2` + +##### Default response + +`Status: 200` + +```json +{ + "token": "e905e33e-07fe-4f82-889c-4848ed7eecb7" +} +``` + +### Download package using a token + +_Available in Fleet Premium._ + +`GET /api/v1/fleet/software/titles/:software_title_id/package/token/:token?alt=media` + +#### Parameters + +| Name | Type | In | Description | +|-------------------|---------|------|--------------------------------------------------------------------------| +| software_title_id | integer | path | **Required**. The ID of the software title to download software package. | +| token | string | path | **Required**. The token to download the software package. | + +#### Example + +`GET /api/v1/fleet/software/titles/123/package/token/e905e33e-07fe-4f82-889c-4848ed7eecb7` + +##### Default response + +`Status: 200` + +```http +Status: 200 +Content-Type: application/octet-stream +Content-Disposition: attachment +Content-Length: +Body: +``` + + ## Vulnerabilities - [List vulnerabilities](#list-vulnerabilities) diff --git a/frontend/pages/SoftwarePage/components/AppStoreVpp/AppStoreVpp.tsx b/frontend/pages/SoftwarePage/components/AppStoreVpp/AppStoreVpp.tsx index ffde9220a271..12664495fe0e 100644 --- a/frontend/pages/SoftwarePage/components/AppStoreVpp/AppStoreVpp.tsx +++ b/frontend/pages/SoftwarePage/components/AppStoreVpp/AppStoreVpp.tsx @@ -177,6 +177,9 @@ const AppStoreVpp = ({ const onSelectApp = (app: IVppApp) => { setIsSubmitDisabled(false); setSelectedApp(app); + if (app.platform === "ios" || app.platform === "ipados") { + setIsSelfService(false); + } }; const onAddSoftware = async () => { 
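Review bot: in the "Get token to download package" table the `alt` parameter is typed `integer` but its only valid value is the string "media". The "Download package using a token" example leaves `Content-Length:` and `Body:` empty; either fill in placeholder values or drop those two lines, since an empty `Content-Length:` reads as a mistake. The one-time, 10-minute token semantics are the right thing to document; it would help to add what status is returned when a token is reused or expired. In the `AppStoreVpp.tsx` `onSelectApp` hunk, forcing `isSelfService` to `false` for ios/ipados is sensible, but the state is not reset when the user switches back to a macOS app, so the checkbox will start unchecked after such a switch; confirm that is intended.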
@@ -209,6 +212,27 @@ const AppStoreVpp = ({ onExit(); }; + const renderSelfServiceContent = (platform: string) => { + if (platform !== "ios" && platform !== "ipados") { + return ( + setIsSelfService(newVal)} + className={`${baseClass}__self-service-checkbox`} + tooltipContent={ + <> + End users can install from Fleet Desktop {">"}{" "} + Self-service. + + } + > + Self-service + + ); + } + return null; + }; + const renderContent = () => { if (isLoadingVppInfo || isLoadingVppApps) { return ; @@ -238,19 +262,9 @@ const AppStoreVpp = ({ apps, head to{" "} - setIsSelfService(newVal)} - className={`${baseClass}__self-service-checkbox`} - tooltipContent={ - <> - End users can install from Fleet Desktop {">"}{" "} - Self-service. - - } - > - Self-service - + {renderSelfServiceContent( + (selectedApp && selectedApp.platform) || "" + )} ); } diff --git a/frontend/pages/SoftwarePage/components/AppStoreVpp/helpers.tsx b/frontend/pages/SoftwarePage/components/AppStoreVpp/helpers.tsx index 76c131769fa1..8d8c5a171d89 100644 --- a/frontend/pages/SoftwarePage/components/AppStoreVpp/helpers.tsx +++ b/frontend/pages/SoftwarePage/components/AppStoreVpp/helpers.tsx @@ -35,13 +35,15 @@ const generateAlreadyAvailableMessage = (msg: string) => { // eslint-disable-next-line import/prefer-default-export export const getErrorMessage = (e: unknown) => { - const reason = getErrorReason(e); - + let reason = getErrorReason(e); // software is already available for install if (reason.toLowerCase().includes("already")) { return generateAlreadyAvailableMessage(reason); } - return DEFAULT_ERROR_MESSAGE; + if (reason && !reason.endsWith(".")) { + reason += "."; + } + return reason || DEFAULT_ERROR_MESSAGE; }; export const getUniqueAppId = (app: IVppApp) => diff --git a/handbook/company/leadership.md b/handbook/company/leadership.md index d89b81639f1a..1cad2e84de28 100644 --- a/handbook/company/leadership.md +++ b/handbook/company/leadership.md 
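Review bot: `getErrorMessage` in `helpers.tsx` now returns the raw server `reason` for every error instead of only the "already available" case; make sure the server-side messages for this endpoint are written for end users and that the component renders them as text, not markup, since this widens what reaches the UI from the backend. In `renderSelfServiceContent`, the `(selectedApp && selectedApp.platform) || ""` fallback means the checkbox renders before any app is selected; that matches the previous behaviour, but a short comment saying so would avoid a future "why is this shown with no app" question.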
@@ -414,7 +414,6 @@ Although it's sad to see someone go, Fleet understands that not everything is me 4. **CEO**: The CEO will make an announcement during the "🌈 Weekly Update" post on Friday in the `#general` channel on Slack. -<<<<<<< HEAD ## Changing someone's position From time to time, someone's job title changes. To do this, reach out to [Digital Experience](https://fleetdm.com/handbook/digital-experience). diff --git a/handbook/digital-experience/README.md b/handbook/digital-experience/README.md index 1fec6328ca71..34f77f2b9fe3 100644 --- a/handbook/digital-experience/README.md +++ b/handbook/digital-experience/README.md 
@@ -450,7 +450,11 @@ Here are the steps we take to grant appropriate Salesforce licenses to a new hir - Sign DocuSign sent to the email. - The order will be processed in ~30m. - Once the basic license has been added, you can create a new user using the new team member's `@fleetdm.com` email and assign a license to it. -- To also assign a user an "Inbox license", go to the ["Setup" page](https://fleetdm.lightning.force.com/lightning/setup/SetupOneHome/home) and select "User > Permission sets". Find the [inbox permission set](https://fleetdm.lightning.force.com/lightning/setup/PermSets/page?address=%2F005%3Fid%3D0PS4x000002uUn2%26isUserEntityOverride%3D1%26SetupNode%3DPermSets%26sfdcIFrameOrigin%3Dhttps%253A%252F%252Ffleetdm.lightning.force.com%26clc%3D1) and assign it to the new team member. + - To enable email sync for a user: + - Navigate to the [user’s record](https://fleetdm.lightning.force.com/lightning/setup/ManageUsers/home) and scroll to the bottom of the permission set section. + - Add the “Inbox with Einstein Activity Capture” permission set and save. + - Navigate to the ["Einstein Activity Capture Settings"](https://fleetdm.lightning.force.com/lightning/setup/ActivitySyncEngineSettingsMain/home) and click the "Configurations" tab. + - Select "Edit", under "User and Profile Assignments" move the new user's name from "Available" to "Selected", scroll all the way down and click save. ### Change the "Integrations admin" Salesforce account password diff --git a/handbook/sales/README.md b/handbook/sales/README.md index c27cbc8785ec..46688864e581 100644 --- a/handbook/sales/README.md +++ b/handbook/sales/README.md 
@@ -10,6 +10,7 @@ This handbook page details processes specific to working [with](#contact-us) and | Chief Revenue Officer (CRO) | [Alex Mitchell](https://www.linkedin.com/in/alexandercmitchell/) _([@alexmitchelliii](https://github.com/alexmitchelliii))_ | Solutions Consulting (SC) | [Dave Herder](https://www.linkedin.com/in/daveherder/) _([@dherder](https://github.com/dherder))_
[Zach Wasserman](https://www.linkedin.com/in/zacharywasserman/) _([@zwass](https://github.com/zwass))_
[Allen Houchins](https://www.linkedin.com/in/allenhouchins/) _([@allenhouchins](https://github.com/allenhouchins))_
[Harrison Ravazzolo](https://www.linkedin.com/in/harrison-ravazzolo/) _([@harrisonravazzolo](https://github.com/harrisonravazzolo))_ | Channel Sales | [Tom Ostertag](https://www.linkedin.com/in/tom-ostertag-77212791/) _([@tomostertag](https://github.com/TomOstertag))_ +| Sr. Account Executive | [Kendra McKeever](https://www.linkedin.com/in/kendramckeever/) _([@KendraAtFleet](https://github.com/KendraAtFleet))_ | Account Executive (AE) | [Patricia Ambrus](https://www.linkedin.com/in/pambrus/) _([@ambrusps](https://github.com/ambrusps))_
[Anthony Snyder](https://www.linkedin.com/in/anthonysnyder8/) _([@anthonysnyder8](https://github.com/AnthonySnyder8))_
[Paul Tardif](https://www.linkedin.com/in/paul-t-750833/) _([@phtardif1](https://github.com/phtardif1))_ diff --git a/infrastructure/dogfood/terraform/aws/variables.tf b/infrastructure/dogfood/terraform/aws/variables.tf index db7a79e5e140..2020de2f8306 100644 --- a/infrastructure/dogfood/terraform/aws/variables.tf +++ b/infrastructure/dogfood/terraform/aws/variables.tf @@ -56,7 +56,7 @@ variable "database_name" { variable "fleet_image" { description = "the name of the container image to run" - default = "fleetdm/fleet:v4.56.0" + default = "fleetdm/fleet:v4.57.0" } variable "software_inventory" { diff --git a/infrastructure/dogfood/terraform/gcp/variables.tf b/infrastructure/dogfood/terraform/gcp/variables.tf index ba81f4af537b..906a58c153f8 100644 --- a/infrastructure/dogfood/terraform/gcp/variables.tf +++ b/infrastructure/dogfood/terraform/gcp/variables.tf @@ -68,7 +68,7 @@ variable "redis_mem" { } variable "image" { - default = "fleetdm/fleet:v4.56.0" + default = "fleetdm/fleet:v4.57.0" } variable "software_installers_bucket_name" { diff --git a/it-and-security/teams/workstations-canary.yml b/it-and-security/teams/workstations-canary.yml index 353f9c8500f3..1d7ea397107c 100644 --- a/it-and-security/teams/workstations-canary.yml +++ b/it-and-security/teams/workstations-canary.yml 
@@ -138,6 +138,20 @@ policies: resolution: We will perform system maintenance on your device. platform: darwin calendar_events_enabled: true + - name: macOS - Upgrade Firefox + query: SELECT 1 FROM apps WHERE name = 'Firefox.app' AND version_compare(bundle_short_version, '130.0.1') >= 0; + critical: false + description: The host may have an outdated or non-existent version of Firefox, potentially risking security vulnerabilities or compatibility issues. + resolution: During maintenance, the Firefox app could be updated to the correct version or installed if it's missing. + platform: darwin + calendar_events_enabled: false + - name: macOS - Upgrade Slack + query: SELECT 1 FROM apps WHERE name = 'Slack.app' AND version_compare(bundle_short_version, '4.40.126') >= 0; + critical: false + description: The host may be running an outdated version of Slack, which could pose security vulnerabilities or compatibility issues. + resolution: The host's Slack application will likely be updated to a version that is greater than or equal to '4.40.126'. + platform: darwin + calendar_events_enabled: false queries: - path: ../lib/collect-failed-login-attempts.queries.yml - path: ../lib/collect-fleetd-information.yml diff --git a/orbit/pkg/update/escrow_buddy.go b/orbit/pkg/update/escrow_buddy.go index e1f6fdf1160d..b226da9a24ce 100644 --- a/orbit/pkg/update/escrow_buddy.go +++ b/orbit/pkg/update/escrow_buddy.go @@ -5,8 +5,9 @@ import ( "sync" "time" - "github.com/fleetdm/fleet/v4/server/fleet" "github.com/rs/zerolog/log" + + "github.com/fleetdm/fleet/v4/server/fleet" ) // EscrowBuddyRunner sets up [Escrow Buddy][1] to rotate FileVault keys on 
@@ -86,6 +87,13 @@ func (e *EscrowBuddyRunner) Run(cfg *fleet.OrbitConfig) error { } } + // Some macOS updates and upgrades reset the authorization database to its default state + // which will deactivate Escrow Buddy and prevent FileVault key generation upon next login. + log.Debug().Msg("EscrowBuddyRunner: re-enable Escrow Buddy in the authorization database") + if err := e.setAuthDBSetup(); err != nil { + return fmt.Errorf("failed to re-enable Escrow Buddy in the authorization database, err: %w", err) + } + log.Debug().Msg("EscrowBuddyRunner: enabling disk encryption rotation") if err := e.setGenerateNewKeyTo(true); err != nil { return fmt.Errorf("enabling disk encryption rotation: %w", err) @@ -118,3 +126,13 @@ func (e *EscrowBuddyRunner) setGenerateNewKeyTo(enabled bool) error { } return fn("sh", "-c", cmd) } + +func (e *EscrowBuddyRunner) setAuthDBSetup() error { + log.Debug().Msg("ready to re-enable Escrow Buddy in the authorization database") + cmd := "/Library/Security/SecurityAgentPlugins/Escrow\\ Buddy.bundle/Contents/Resources/AuthDBSetup.sh" + fn := e.runCmdFunc + if fn == nil { + fn = runCmdCollectErr + } + return fn("sh", "-c", cmd) +} diff --git a/terraform/addons/vuln-processing/variables.tf b/terraform/addons/vuln-processing/variables.tf index feb850667dcc..8d296903fdc4 100644 --- a/terraform/addons/vuln-processing/variables.tf +++ b/terraform/addons/vuln-processing/variables.tf @@ -24,7 +24,7 @@ variable "fleet_config" { vuln_processing_cpu = optional(number, 2048) vuln_data_stream_mem = optional(number, 1024) vuln_data_stream_cpu = optional(number, 512) - image = optional(string, "fleetdm/fleet:v4.56.0") + image = optional(string, "fleetdm/fleet:v4.57.0") family = optional(string, "fleet-vuln-processing") sidecars = optional(list(any), []) extra_environment_variables = optional(map(string), {}) 
@@ -82,7 +82,7 @@ variable "fleet_config" { vuln_processing_cpu = 2048 vuln_data_stream_mem = 1024 vuln_data_stream_cpu = 512 - image = "fleetdm/fleet:v4.56.0" + image = "fleetdm/fleet:v4.57.0" family = "fleet-vuln-processing" sidecars = [] extra_environment_variables = {} diff --git a/terraform/byo-vpc/byo-db/byo-ecs/variables.tf b/terraform/byo-vpc/byo-db/byo-ecs/variables.tf index 0270c8fb5219..27565cb90fa8 100644 --- a/terraform/byo-vpc/byo-db/byo-ecs/variables.tf +++ b/terraform/byo-vpc/byo-db/byo-ecs/variables.tf @@ -16,7 +16,7 @@ variable "fleet_config" { mem = optional(number, 4096) cpu = optional(number, 512) pid_mode = optional(string, null) - image = optional(string, "fleetdm/fleet:v4.56.0") + image = optional(string, "fleetdm/fleet:v4.57.0") family = optional(string, "fleet") sidecars = optional(list(any), []) depends_on = optional(list(any), []) @@ -119,7 +119,7 @@ variable "fleet_config" { mem = 512 cpu = 256 pid_mode = null - image = "fleetdm/fleet:v4.56.0" + image = "fleetdm/fleet:v4.57.0" family = "fleet" sidecars = [] depends_on = [] diff --git a/terraform/byo-vpc/byo-db/variables.tf b/terraform/byo-vpc/byo-db/variables.tf index 0044e48e5c8c..041ff9d0f861 100644 --- a/terraform/byo-vpc/byo-db/variables.tf +++ b/terraform/byo-vpc/byo-db/variables.tf @@ -77,7 +77,7 @@ variable "fleet_config" { mem = optional(number, 4096) cpu = optional(number, 512) pid_mode = optional(string, null) - image = optional(string, "fleetdm/fleet:v4.56.0") + image = optional(string, "fleetdm/fleet:v4.57.0") family = optional(string, "fleet") sidecars = optional(list(any), []) depends_on = optional(list(any), []) @@ -205,7 +205,7 @@ variable "fleet_config" { mem = 512 cpu = 256 pid_mode = null - image = "fleetdm/fleet:v4.56.0" + image = "fleetdm/fleet:v4.57.0" family = "fleet" sidecars = [] depends_on = [] diff --git a/terraform/byo-vpc/example/main.tf b/terraform/byo-vpc/example/main.tf index 887b907b303a..3176d07def1f 100644 --- a/terraform/byo-vpc/example/main.tf 
+++ b/terraform/byo-vpc/example/main.tf @@ -17,7 +17,7 @@ provider "aws" { } locals { - fleet_image = "fleetdm/fleet:v4.56.0" + fleet_image = "fleetdm/fleet:v4.57.0" domain_name = "example.com" } diff --git a/terraform/byo-vpc/variables.tf b/terraform/byo-vpc/variables.tf index cba22bf845ca..ce2a81f88c41 100644 --- a/terraform/byo-vpc/variables.tf +++ b/terraform/byo-vpc/variables.tf @@ -170,7 +170,7 @@ variable "fleet_config" { mem = optional(number, 4096) cpu = optional(number, 512) pid_mode = optional(string, null) - image = optional(string, "fleetdm/fleet:v4.56.0") + image = optional(string, "fleetdm/fleet:v4.57.0") family = optional(string, "fleet") sidecars = optional(list(any), []) depends_on = optional(list(any), []) @@ -298,7 +298,7 @@ variable "fleet_config" { mem = 512 cpu = 256 pid_mode = null - image = "fleetdm/fleet:v4.56.0" + image = "fleetdm/fleet:v4.57.0" family = "fleet" sidecars = [] depends_on = [] diff --git a/terraform/example/main.tf b/terraform/example/main.tf index 33b6f5221ea3..2b2112517925 100644 --- a/terraform/example/main.tf +++ b/terraform/example/main.tf @@ -63,8 +63,8 @@ module "fleet" { fleet_config = { # To avoid pull-rate limiting from dockerhub, consider using our quay.io mirror - # for the Fleet image. e.g. "quay.io/fleetdm/fleet:v4.56.0" - image = "fleetdm/fleet:v4.56.0" # override default to deploy the image you desire + # for the Fleet image. e.g. "quay.io/fleetdm/fleet:v4.57.0" + image = "fleetdm/fleet:v4.57.0" # override default to deploy the image you desire # See https://fleetdm.com/docs/deploy/reference-architectures#aws for appropriate scaling # memory and cpu. autoscaling = { diff --git a/terraform/variables.tf b/terraform/variables.tf index 5933307f11f5..7dc798cf63d8 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf 
@@ -218,7 +218,7 @@ variable "fleet_config" { mem = optional(number, 4096) cpu = optional(number, 512) pid_mode = optional(string, null) - image = optional(string, "fleetdm/fleet:v4.56.0") + image = optional(string, "fleetdm/fleet:v4.57.0") family = optional(string, "fleet") sidecars = optional(list(any), []) depends_on = optional(list(any), []) @@ -346,7 +346,7 @@ variable "fleet_config" { mem = 512 cpu = 256 pid_mode = null - image = "fleetdm/fleet:v4.56.0" + image = "fleetdm/fleet:v4.57.0" family = "fleet" sidecars = [] depends_on = [] diff --git a/tools/fleetctl-npm/package.json b/tools/fleetctl-npm/package.json index 0db37e98d5d1..96a4dcd08170 100644 --- a/tools/fleetctl-npm/package.json +++ b/tools/fleetctl-npm/package.json @@ -1,6 +1,6 @@ { "name": "fleetctl", - "version": "v4.56.0", + "version": "v4.57.0", "description": "Installer for the fleetctl CLI tool", "bin": { "fleetctl": "./run.js" diff --git a/website/assets/images/articles/fleet-4.57.0-1600x900@2x.png b/website/assets/images/articles/fleet-4.57.0-1600x900@2x.png new file mode 100644 index 000000000000..ec48ddd12ae9 Binary files /dev/null and b/website/assets/images/articles/fleet-4.57.0-1600x900@2x.png differ diff --git a/website/config/routes.js b/website/config/routes.js index 8c9991200f3a..28fdbbf106ed 100644 --- a/website/config/routes.js +++ b/website/config/routes.js 
@@ -324,6 +324,7 @@ module.exports.routes = { 'GET /use-cases/get-and-stay-compliant-across-your-devices-with-fleet': '/securing/get-and-stay-compliant-across-your-devices-with-fleet', 'GET /use-cases/import-and-export-queries-and-packs-in-fleet': '/guides/import-and-export-queries-and-packs-in-fleet', 'GET /guides/import-and-export-queries-and-packs-in-fleet': '/guides/import-and-export-queries-in-fleet', + 'GET /guides/deploy-security-agents': '/guides/deploy-software-packages', 'GET /use-cases/locate-assets-with-osquery': '/guides/locate-assets-with-osquery', 'GET /use-cases/osquery-a-tool-to-easily-ask-questions-about-operating-systems': '/guides/osquery-a-tool-to-easily-ask-questions-about-operating-systems', 'GET /use-cases/osquery-consider-joining-against-the-users-table': '/guides/osquery-consider-joining-against-the-users-table', 
@@ -559,10 +560,15 @@ module.exports.routes = { 'GET /learn-more-about/host-identifiers': '/docs/rest-api/rest-api#get-host-by-identifier', 'GET /learn-more-about/uninstall-fleetd': '/docs/using-fleet/faq#how-can-i-uninstall-fleetd', 'GET /learn-more-about/vulnerability-processing': '/docs/using-fleet/vulnerability-processing', + 'GET /learn-more-about/dep-profile': 'https://developer.apple.com/documentation/devicemanagement/define_a_profile', 'GET /learn-more-about/apple-business-manager-tokens-api': '/docs/rest-api/rest-api#list-apple-business-manager-abm-tokens', 'GET /learn-more-about/apple-business-manager-teams-api': 'https://github.com/fleetdm/fleet/blob/main/docs/Contributing/API-for-contributors.md#update-abm-tokens-teams', 'GET /learn-more-about/apple-business-manager-gitops': '/docs/using-fleet/gitops#apple-business-manager', 'GET /learn-more-about/s3-bootstrap-package': '/docs/configuration/fleet-server-configuration#s-3-software-installers-bucket', + 'GET /learn-more-about/exe-install-scripts': '/guides/exe-install-scripts', + 'GET /learn-more-about/install-scripts': '/guides/deploy-software-packages#install-script', + 'GET /learn-more-about/uninstall-scripts': '/guides/deploy-software-packages#uninstall-script', + 'GET /learn-more-about/read-package-version': '/guides/deploy-software-packages##add-a-software-package-to-a-team', // Sitemap // =============================================================================================================
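Review bot: in the docs hunk for "Download package using a token", the section says nothing about the token's lifetime or whether it is single-use, which is what a reader needs to judge whether a leaked download URL is replayable; add that next to `_Available in Fleet Premium._`. The example for minting the token, `POST /api/v1/fleet/software/titles/123/package/token?alt=media&team_id=2`, returns JSON rather than the file, so confirm `alt=media` is really required on that endpoint, and the `Content-Length:` and `Body:` lines in the download response are left blank and should either be filled in or dropped.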
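Review bot: in AppStoreVpp.tsx the iOS/iPadOS guard is client-side only: `onSelectApp` resets `isSelfService` to false and `renderSelfServiceContent` hides the checkbox, but a crafted request can still send a self-service flag for an ios/ipados app, so confirm the server rejects that combination rather than relying on this UI. Minor: `(selectedApp && selectedApp.platform) || ""` reads more clearly as `selectedApp?.platform ?? ""`, and the `platform !== "ios" && platform !== "ipados"` check now appears in both functions, so move it into one helper.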
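Review bot: in helpers.tsx `getErrorMessage` now returns whatever `getErrorReason(e)` produces whenever it is non-empty, where before only the "already available" case surfaced server text; this widens what backend error strings reach end users, so make sure `getErrorReason` only yields messages meant for display and never internal details. The `reason.toLowerCase().includes("already")` match is also brittle, since any server message containing "already" is treated as the already-available case; matching on an error code or a fixed prefix would be safer.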
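Review bot: the leadership.md hunk removes a leftover `<<<<<<< HEAD` conflict marker that had shipped in the handbook; check that the matching `=======` and `>>>>>>>` markers were also removed from this file (they fall outside the hunk), and consider running `git diff --check` in CI on handbook markdown so leftover conflict markers fail the build instead of rendering on the site.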
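Review bot: in the digital-experience README hunk the new "To enable email sync for a user" steps are indented one level, which makes them a sub-step of "Once the basic license has been added" rather than a peer of the bullet they replace; drop the leading indentation unless nesting was intended. Also keep the quotes straight (`"`) rather than curly (`“ ”`) in the new lines to match the rest of the file.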
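Review bot: the two new policies in workstations-canary.yml depend on the `version_compare()` SQL function, which is not part of SQLite, so any host on the canary team whose osquery build lacks it will report the policy as errored rather than failing; state the minimum fleetd/osquery version in the description or pin it for the team. The resolution text is hedged ("could be updated", "will likely be updated") while `calendar_events_enabled: false` means no automated remediation is attached, so say plainly what the user is expected to do, and note that the pinned versions `130.0.1` and `4.40.126` need a maintenance cadence, otherwise the policies silently pass hosts that are behind the current Firefox and Slack releases.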
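Review bot: in the `Run` hunk of escrow_buddy.go, `setAuthDBSetup()` now executes on every call, so a privileged script is re-run against the authorization database on each Orbit config cycle even when the mechanism is already in place; read the current state first (for example with `security authorizationdb read system.login.console`) and only re-run `AuthDBSetup.sh` when Escrow Buddy's mechanism is missing. A failure here also returns before `setGenerateNewKeyTo(true)`, so if the bundle or script is absent the runner now aborts with an error instead of proceeding; confirm that is the intended failure mode, and align the wrap message with the file's existing style (`"enabling disk encryption rotation: %w"`) rather than `"failed to ..., err: %w"`.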
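Review bot: in the `setAuthDBSetup` hunk the command is a fixed path with a backslash-escaped space passed through `sh -c`; since no shell features are used, run the script directly (for example `fn("/bin/sh", "/Library/Security/SecurityAgentPlugins/Escrow Buddy.bundle/Contents/Resources/AuthDBSetup.sh")`) so the path is not re-parsed by a shell. The `fn := e.runCmdFunc; if fn == nil { fn = runCmdCollectErr }` fallback is copied from `setGenerateNewKeyTo`; factor it into one accessor, and check that the script exists before invoking it so a missing Escrow Buddy install gives a clear error rather than a shell "not found" message.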
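Review bot: the image bumps to `fleetdm/fleet:v4.57.0` are applied consistently across the dogfood AWS/GCP variables, `terraform/addons/vuln-processing`, `byo-vpc` and its nested modules, both examples and `terraform/variables.tf`, and the quay.io mirror comment in `terraform/example/main.tf` was updated to match. Since a tag is mutable, consider pinning the dogfood defaults by digest (`fleetdm/fleet@sha256:...`) or documenting how deployers verify the image, so a retagged image cannot silently change what the reference architecture runs.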
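Review bot: in the routes.js hunk, `'GET /learn-more-about/read-package-version'` redirects to `/guides/deploy-software-packages##add-a-software-package-to-a-team` with a doubled `##`, which will not resolve to the heading; change it to a single `#`. The other new targets (`/guides/exe-install-scripts`, `#install-script`, `#uninstall-script`) should be checked against the guide's actual headings, and `dep-profile` is the only entry in this group pointing off-site to developer.apple.com, which is fine but worth a comment since the rest are relative.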