Merge branch 'main' into docs-v4.58.0

.github/workflows/dogfood-gitops.yml

@@ -69,6 +69,7 @@ jobs:
           DOGFOOD_GLOBAL_ENROLL_SECRET: ${{ secrets.DOGFOOD_GLOBAL_ENROLL_SECRET }}
           DOGFOOD_SSO_ISSUER_URI: ${{ secrets.DOGFOOD_SSO_ISSUER_URI }}
           DOGFOOD_SSO_METADATA: ${{ secrets.DOGFOOD_SSO_METADATA }}
+          DOGFOOD_MDM_SSO_METADATA_URL: ${{ secrets.DOGFOOD_MDM_SSO_METADATA_URL }}
           DOGFOOD_FAILING_POLICIES_WEBHOOK_URL: ${{ secrets.DOGFOOD_FAILING_POLICIES_WEBHOOK_URL }}
           DOGFOOD_VULNERABILITIES_WEBHOOK_URL: ${{ secrets.DOGFOOD_VULNERABILITIES_WEBHOOK_URL }}
           DOGFOOD_WORKSTATIONS_ENROLL_SECRET: ${{ secrets.DOGFOOD_WORKSTATIONS_ENROLL_SECRET }}

.github/workflows/test-db-changes.yml

@@ -10,7 +10,7 @@ on:
     paths:
       - '**.go'
       - 'server/datastore/mysql/schema.sql'
-      - '.github/workflows/test-schema-changes.yml'
+      - '.github/workflows/test-db-changes.yml'
   workflow_dispatch: # Manual
 
 # This allows a subsequently queued workflow run to interrupt previous runs
@@ -49,6 +49,15 @@ jobs:
       # Use & to background this
       run: docker compose up -d mysql_test &
 
+    - name: Wait for mysql
+      run: |
+        echo "waiting for mysql..."
+        until docker compose exec -T mysql_test sh -c "mysql -uroot -p\"\${MYSQL_ROOT_PASSWORD}\" -e \"SELECT 1=1\" fleet" &> /dev/null; do
+            echo "."
+            sleep 1
+        done
+        echo "mysql is ready"
+
     - name: Verify test schema changes
       run: |
         make dump-test-schema

CHANGELOG.md

@@ -1,4 +1,11 @@
-## Fleet 4.55.1 (Aug 15, 2024)
+## Fleet 4.55.2 (Sep 05, 2024)
+
+### Bug fixes
+
+* Removed validation of APNS certificate from server startup. This was no longer necessary because we now allow for APNS certificates to be renewed in the UI.
+* Fixed logic to properly catch and log APNs errors.
+
+## Fleet 4.55.1 (Aug 14, 2024)
 
 ### Bug fixes
 
@@ -13,16 +20,11 @@
 * Added index to query_results DB table to speed up finding the last query timestamp for a given query and host.
 * Displayed the label names in case-insensitive alphabetical order in the fleet UI.
 
-## Fleet 4.55.0 (Aug 9, 2024)
+## Fleet 4.55.0 (Aug 8, 2024)
 
 **NOTE:** Beginning with v4.55.0, Fleet no longer supports MySQL 5.7 because it has reached [end of life](https://mattermost.com/blog/mysql-5-7-reached-eol-upgrade-to-mysql-8-x-today/#:~:text=In%20October%202023%2C%20MySQL%205.7,to%20upgrade%20to%20MySQL%208.). The minimum version supported is MySQL 8.0.36.
 
-**NOTE:** Changes to software field in [GitOps](https://fleetdm.com/docs/using-fleet/gitops):
-- `software` field is optional for TEAMs in 4.54.1 and lower
-- `software` field should NOT be added to NO-TEAM before 4.55.0
-- `software` field is mandatory for NO-TEAM and TEAMs in 4.55.0 and up
-
-### Endpoint operations
+### Endpoint Operations
 
 - Added support for generating `fleetd` packages for Linux ARM64.
 - Added new `fleetctl package` --arch flag.
@@ -32,7 +34,7 @@
   - Fleet server watches for potential changes for up to 1 week after original event time. If event is moved forward more than 1 week, then after 1 week Fleet server will check for event changes once every 30 minutes.
   - **NOTE:** These near real-time updates may add additional load to the Google Calendar API, so it is recommended to use API usage alerts or other monitoring methods.
 
-### Device management
+### Device Management
 
 - Integrated [Escrow Buddy](https://github.com/macadmins/escrow-buddy) to add enforcement of FileVault during the MacOS Setup Assistant process for hosts that are 
 enrolled into teams (or no team) with disk encryption turned on. Thank you [homebysix](https://github.com/homebysix) and team!
@@ -63,7 +65,7 @@ enrolled into teams (or no team) with disk encryption turned on. Thank you [home
 - Added a special-case to properly name the Notion .exe Windows installer the same as how it will be reported by osquery post-install.
 - Increased threshold to renew Apple SCEP certificates for MDM enrollments to 180 days.
 
-### Vulnerability management
+### Vulnerability Management
 
 - Fixed CVEs identified as 'Rejected' in NVD not matching against software.
 - Fixed false negative vulnerabilities with IntelliJ IDEA CE and PyCharm CE installed via Homebrew.
@@ -93,13 +95,13 @@ enrolled into teams (or no team) with disk encryption turned on. Thank you [home
 
 ### Bug fixes
 
-* Fixed a startup bug by performing an early restart of orbit if an agent options setting has changed.
-* Implemented a small refactor of orbit subsystems.
-* Removed the `--version` flag from the `fleetctl package` command. The version of the package can now be controlled by the `--orbit-channel` flag.
-* Fixed a bug that set `last_enrolled_at` during orbit re-enrollment, which caused osquery enroll failures when `FLEET_OSQUERY_ENROLL_COOLDOWN` is set .
-* In `fleetctl package` command, removed the `--version` flag. The version of the package can be controlled by `--orbit-channel` flag.
-* Fixed a bug where Fleet google calendar events generated by Fleet <= 4.53.0 were not correctly processed by 4.54.0.
-* Re-enabled cached logins after windows Unlock.
+- Fixed a startup bug by performing an early restart of orbit if an agent options setting has changed.
+- Implemented a small refactor of orbit subsystems.
+- Removed the `--version` flag from the `fleetctl package` command. The version of the package can now be controlled by the `--orbit-channel` flag.
+- Fixed a bug that set `last_enrolled_at` during orbit re-enrollment, which caused osquery enroll failures when `FLEET_OSQUERY_ENROLL_COOLDOWN` is set .
+- In `fleetctl package` command, removed the `--version` flag. The version of the package can be controlled by `--orbit-channel` flag.
+- Fixed a bug where Fleet google calendar events generated by Fleet <= 4.53.0 were not correctly processed by 4.54.0.
+- Re-enabled cached logins after windows Unlock.
 
 ## Fleet 4.54.0 (Jul 17, 2024)
 
@@ -186,19 +188,19 @@ enrolled into teams (or no team) with disk encryption turned on. Thank you [home
 
 ### Bug fixes
 
-* Updated fleetctl get queries/labels/hosts descriptions.
-* Fixed exporting CSVs with fields that contain commas to render properly.
-* Fixed link to fleetd uninstall instructions in "Delete device" modal.
-* Rendered only one banner on the my device page based on priority order.
-* Hidden query delete checkboxes from team observers.
-* Fixed issue where the Fleet UI could not be used to renew the ABM token after the ABM user who created the token was deleted.
-* Fixed an issue where special characters in HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall broke the "installer_utils.ps1 -uninstallOrbit" step in the Windows MSI installer.
-* Fixed counts for hosts with low disk space in summary page.
-* Fleet UI fixes: Hide CTA on inherited queries/policies from team level users.
-* Updated software updated timestamp tooltip.
-* Fixed issue where some Windows applications were getting matched against Windows OS vulnerabilities.
-* Fixed crash in `fleetd` installer on Windows if there are registry keys with special characters on the system.
-* Fixed UI capitalizations.
+- Updated fleetctl get queries/labels/hosts descriptions.
+- Fixed exporting CSVs with fields that contain commas to render properly.
+- Fixed link to fleetd uninstall instructions in "Delete device" modal.
+- Rendered only one banner on the my device page based on priority order.
+- Hidden query delete checkboxes from team observers.
+- Fixed issue where the Fleet UI could not be used to renew the ABM token after the ABM user who created the token was deleted.
+- Fixed an issue where special characters in HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall broke the "installer_utils.ps1 -uninstallOrbit" step in the Windows MSI installer.
+- Fixed counts for hosts with low disk space in summary page.
+- Fleet UI fixes: Hide CTA on inherited queries/policies from team level users.
+- Updated software updated timestamp tooltip.
+- Fixed issue where some Windows applications were getting matched against Windows OS vulnerabilities.
+- Fixed crash in `fleetd` installer on Windows if there are registry keys with special characters on the system.
+- Fixed UI capitalizations.
 
 ## Fleet 4.53.0 (Jun 25, 2024)
 
@@ -756,7 +758,6 @@ enrolled into teams (or no team) with disk encryption turned on. Thank you [home
 * Fixed an issue where software from a Parallels VM on a MacOS host would show up in Fleet as if it were the host's software.
 * Removed unnecessary nested database transactions in batch-setting of MDM profiles.
 * Added count of upcoming activities to host vitals UI.
-* Fixed a bug where the manage query automations modal would lose its state when the user clicks "Preview data".
 
 ## Fleet 4.44.0 (Jan 31, 2024)
 

Dockerfile-desktop-linux

@@ -1,4 +1,4 @@
-FROM --platform=linux/amd64 golang:1.22.6-bullseye@sha256:37f09f0c199a07c2e72ae2cfd758681fae0681240c71d6fad42d9d090c437c38
+FROM --platform=linux/amd64 golang:1.23.1-bullseye@sha256:45b43371f21ec51276118e6806a22cbb0bca087ddd54c491fdc7149be01035d5
 LABEL maintainer="Fleet Developers"
 
 RUN mkdir -p /usr/src/fleet

articles/discovering-chrome-ai-using-fleet.md

@@ -0,0 +1,67 @@
+# Discovering Chrome AI using Fleet
+
+![Discovering Chrome AI using Fleet](../website/assets/images/articles/discovering-chrome-ai-using-fleet-1600x900@2x.jpg)
+
+# Discovering AI in Chrome with Fleet
+
+Staying ahead of technological innovations is crucial for individuals and organizations. Google Chrome, one of the most widely used web browsers, continually evolves to incorporate new features, including artificial intelligence (AI). This article will guide you through detecting if AI capabilities have been enabled in Chrome using Fleet.
+
+## Introduction to Chrome AI innovations
+
+Google Chrome has integrated AI to enhance user experience by providing intelligent suggestions, improving search results, and offering in-browser assistance. Visit the [Chrome AI Innovations page](https://www.google.com/chrome/ai-innovations/) for more infomration.
+
+## Using Fleet to detect AI features in Chrome
+
+Fleet, a comprehensive device management and security tool, allows you to monitor various aspects of your devices, including software configurations and enabled features. Using Fleet, you can detect whether AI features are enabled in Chrome by querying device settings, specifically in the Chrome "Preferences" JSON file.
+
+### Step 1: Understanding Chrome's preferences JSON file
+
+Chrome stores user settings and configurations in a JSON file at the following path:
+
+```
+/Users/<user>/Library/Application Support/Google/Chrome/Default/Preferences
+```
+
+### Step 2: Identifying AI-related settings
+
+AI-related features are stored in the `optimization_guide` section of the preferences. The `tab_organization_setting_state` field will tell you if AI-based tab management features are enabled:
+
+`> jq` is a lightweight and powerful command-line tool for parsing, filtering, and manipulating JSON data. It allows you to extract specific information from JSON files efficiently. In this case, we use `jq` to locate and read the value of the `tab_organization_setting_state` key within Chrome's preference file which will help us understand how to craft our Fleet query for reporting the state of this setting.
+
+- If enabled, the setting will return `1`.
+
+![Chrome settings UI with Chrome AI enabled](../website/assets/images/articles/discovering-chrome-ai-using-fleet-1-1472x370@2x.png)
+
+```
+% jq '.optimization_guide.tab_organization_setting_state'  /Users/<user>/Library/Application\ Support/Google/Chrome/Default/Preferences                                      
+1
+```
+
+- If disabled, the setting will return `2`.
+
+![Chrome settings UI with Chrome AI disabled](../website/assets/images/articles/discovering-chrome-ai-using-fleet-2-1474x276@2x.png)
+
+```
+% jq '.optimization_guide.tab_organization_setting_state'  /Users/<user>/Library/Application\ Support/Google/Chrome/Default/Preferences                                      
+2
+```
+
+### Step 3: Query the JSON file with Fleet
+
+To query the JSON file and detect AI features using Fleet, you can use the following SQL query:
+
+```
+SELECT fullkey,path FROM parse_json WHERE path LIKE '/Users/%/Library/Application Support/Google/Chrome/Default/Preferences' AND fullkey='optimization_guide/tab_organization_setting_state';
+```
+
+### Conclusion
+
+Following this guide, you've learned to detect whether AI features are enabled in Google Chrome using Fleet. Fleet's powerful querying abilities allow you to monitor these features across multiple devices, ensuring your organization's preferences and practices align.
+
+<meta name="articleTitle" value="Discovering Chrome AI using Fleet">
+<meta name="authorFullName" value="Brock Walters">
+<meta name="authorGitHubUsername" value="nonpunctual">
+<meta name="category" value="guides">
+<meta name="publishedOn" value="2024-09-06">
+<meta name="articleImageUrl" value="../website/assets/images/articles/discovering-chrome-ai-using-fleet-1600x900@2x.jpg">
+<meta name="description" value="Use Fleet to detect and monitor settings enabled in Google Chrome by querying Chrome's preferences JSON file.">

articles/enforce-os-updates.md

@@ -22,6 +22,10 @@ When a minimum version is enforced, the end users see a native macOS notificatio
 
 If the host was turned off when the deadline passed, the update will be scheduled an hour after it’s turned on.
 
+For macOS devices that use Automated Device Enrollment (ADE), if the device is below the specified
+minimum version, it will be required to update to the very latest OS version during ADE before
+device setup and enrollment can proceed.
+
 ### macOS (below version 14.0)
 
 End users are encouraged to update macOS (via [Nudge](https://github.com/macadmins/nudge)).
@@ -34,6 +38,11 @@ End users are encouraged to update macOS (via [Nudge](https://github.com/macadmi
 | End user can defer                   | ✅                      | ✅                      | ❌                    |
 | Nudge window is dismissible          | ✅                      | ✅                      | ❌                    |
 
+### iOS and iPadOS (version 17.0 and above)
+
+For iOS and iPadOS devices that use Automated Device Enrollment (ADE), if the device is below the specified
+minimum version, it will be required to update to the very latest OS version during ADE before device setup and enrollment can proceed.
+
 ### Windows
 
 End users are encouraged to update Windows via the native Windows dialog.

articles/filtering-software-by-vulnerability.md

@@ -0,0 +1,44 @@
+# Filtering software by vulnerability in Fleet
+
+![Filtering software by vulnerability in Fleet](../website/assets/images/articles/discovering-geacon-using-fleet-1600x900@2x.jpg)
+
+## Introduction
+
+Fleet has introduced a powerful new feature that allows you to filter software by its associated vulnerabilities, helping you prioritize patches more effectively. Whether you're managing hundreds or thousands of software titles, this feature makes it easier to identify and address the most critical vulnerabilities in your environment.
+
+This filtering capability is particularly useful in environments where patch management is critical to your security posture. By filtering software based on vulnerability severity and known exploits, you can first ensure that the most critical issues are addressed, enhancing your overall security strategy.
+
+## Prerequisites
+
+* Fleet version 4.56 or later
+* Premium users have access to advanced filters by severity level and known exploited vulnerabilities
+
+### Filtering Software by Vulnerability
+
+1. **Navigate to the Software page**: In your Fleet dashboard, go to the **Software** tab. This will display a list of all the software detected in your environment.
+
+2. **Add filters**: Click on the **Add Filters** button. This will open options for filtering the software list based on specific criteria.
+
+3. **Choose severity level**: From the dropdown menu, select the **Severity level** of vulnerabilities you're interested in. This allows you to focus on software with the highest severity of vulnerabilities, such as "Critical" or "High."
+
+4. **Toggle "Has known exploit"**: You can refine your filter by toggling the **Has known exploit** option. This will filter the software list to show only those with vulnerabilities that have known exploits, enabling you to prioritize these for patching.
+
+5. **Review filtered results**: Once you've applied your filters, the software list will update to show only the software that meets your criteria. This filtered view will help you prioritize which software needs immediate attention in your patching strategy.
+
+### Using the REST API to filter software for vulnerabilities
+
+Fleet provides a REST API to filter software for vulnerabilities, allowing you to integrate this functionality into your automated workflows. Learn more about Fleet's [REST API](https://fleetdm.com/docs/rest-api/rest-api#vulnerabilities).
+
+## Conclusion
+
+The new software filtering feature in Fleet makes it easier than ever to manage vulnerabilities in your software environment. You can better protect your organization from potential threats by prioritizing patches based on severity and known exploits. Explore the API capabilities to integrate this feature into your broader security workflows.
+
+For more tips and detailed guides, don’t forget to check out the Fleet [documentation](https://fleetdm.com/docs/get-started/why-fleet).
+
+<meta name="articleTitle" value="Filtering software by vulnerability in Fleet">
+<meta name="authorFullName" value="Tim Lee">
+<meta name="authorGitHubUsername" value="mostlikelee">
+<meta name="category" value="guides">
+<meta name="publishedOn" value="2024-08-30">
+<meta name="articleImageUrl" value="../website/assets/images/articles/discovering-geacon-using-fleet-1600x900@2x.jpg">
+<meta name="description" value="Filter software by vulnerability in Fleet to prioritize critical patches and enhance your organization's security posture.">