fleetdm/fleet fleet-v4.29.0

on GitHub

Changes

• Added implementation of Fleetd for Chrome.

• Added the mdm.macos_settings.enable_disk_encryption option to the fleetctl apply configuration
  files of "config" and "team" kind as a Fleet Premium feature.

• Added mdm.macos_settings.disk_encryption and mdm.macos_settings.action_required status fields in the response for a single host (GET /hosts/{id} and GET /device/{token} endpoints).

• Added MDM solution name to host.mdmin API responses.

• Added support for fleetd to enroll a device using its serial number (in addition to its system
  UUID) to help avoid host-matching issues when a host is first created in Fleet via the MDM
  automatic enrollment (Apple Business Manager).

• Added ability to filter data under the Hosts tab by the aggregate status of hosts' MDM-managed macos
  settings.

• Added activity feed items for enabling and disabling disk encryption with MDM.

• Added FileVault banners on the Host Details and My Device pages.

• Added activities for when macOS disk encryption setting is enabled or disabled.

• Added UI for fleet mdm managed disk encryption toggling and the disk encryption aggregate data.

• Added support to update a team's disk encryption via the Modify Team (PATCH /api/latest/fleet/teams/{id}) endpoint.

• Added a new API endpoint to gate access to an enrollment profile behind Okta authentication.

• Added new configuration values to integrate Okta in the DEP MDM flow.

• Added GET /mdm/apple/profiles/summary endpoint.

• Updated API endpoints that use team_id query parameter so that team_id=0
  filters results to include only hosts that are not assigned to any team.

• Adjusted the aggregated_stats table to compute and store statistics for "no team" in addition to
  per-team and for all teams.

• Added MDM profiles status filter to hosts endpoints.

• Added indicators of aggregate host count for each possible status of MDM-enforced mac settings
  (hidden until 4.30.0).

• As part of JIT provisioning, read user roles from SAML custom attributes.

• Added Win 10 policies for CIS Benchmark 18.x.

• Added Win 10 policies for CIS Benchmark 2.3.17.x.

• Added Win 10 policies for CIS Benchmark 2.3.10.x.

• Documented CIS Windows10 Benchmarks 9.2.x to cis policy queries.

• Document CIS Windows10 Benchmarks 9.3.x to cis policy queries.

• Added button to show query on policy results page.

• Run periodic cleanup of pending cron_stats outside the schedule package to prevent Fleet outages from breaking cron jobs.

• Added an invitation for users to upgrade to Premium when viewing the Premium-only "macOS updates"
  feature.

• Added an icon on the policy table to indicate if a policy is marked critical.

• Added "instanceID" (aka owner of locks) to schedule logging (to help troubleshooting when
  running multiple Fleet instances).

• Introduce UUIDs to Fleet errors and logs.

• Added EndeavourOS, Manjaro, openSUSE Leap and Tumbleweed to HostLinuxOSs.

• Global observer can view settings for all teams.

• Team observers can view the team's settings.

• Updated translation rules so that Docker Desktop can be mapped to the correct CPE.

• Pinned Docker image hashes in Dockerfiles for increased security.

• Remove the ATTACH check on SQL osquery queries (osquery bug fixed a while ago in 4.6.0).

• Don't return internal error information on Fleet API requests (internal errors are logged to stderr).

• Fixed an issue when applying the configuration YAML returned by fleetctl get config with
  fleetctl apply when MDM is not enabled.

• Fixed a bug where fleetctl trigger doesn't release the schedule lock when the triggered run
  spans the regularly scheduled interval.

• Fixed a bug that prevented starting the Fleet server with MDM features if Apple Business Manager
  (ABM) was not configured.

• Fixed incorrect MDM-related settings documentation and payload response examples.

• Fixed bug to keep team when clicking on policy tab twice.

• Fixed software table links that were cutting off tooltip.

• Fixed authorization action used on host/search endpoint.

Fleet 4.28.1 (March 14, 2023)

• Fixed a bug that prevented starting the Fleet server with MDM features if Apple Business Manager (ABM) was not configured.

Fleet 4.28.0 (Feb 24, 2023)

• Added logic to ingest and decrypt FileVault recovery keys on macOS if Fleet's MDM is enabled.

• Create activity feed types for the creation, update, and deletion of macOS profiles (settings) via
  MDM.

• Added an API endpoint to retrieve a host disk encryption key for macOS if Fleet's MDM is enabled.

• Added UI implementation for users to upload, download, and deleted macos profiles.

• Added activity feed types for the creation, update, and deletion of macOS profiles (settings) via
  MDM.

• Added API endpoints to create, delete, list, and download MDM configuration profiles.

• Added "edited macos profiles" activity when updating a team's (or no team's) custom macOS settings via fleetctl apply.

• Enabled installation and auto-updates of Nudge via Orbit.

• Added support for providing macos_settings.custom_settings profiles for team (with Fleet Premium) and no-team levels via fleetctl apply.

• Added --policies-team flag to fleetctl apply to easily import a group of policies into a team.

• Remove requirement for Rosetta in installation of macOS packages on Apple Silicon. The binaries have been "universal" for a while now, but the installer still required Rosetta until now.

• Added max height on org logo image to ensure consistent height of the nav bar.

• UI default policies pre-select targeted platform(s) only.

• Parse the Mac Office release notes and use that for doing vulnerability processing.

• Only set public IPs on the host.public_ip field and add documentation on how to properly configure the deployment to ingest correct public IPs from enrolled devices.

• Added tooltip with link to UI when Public IP address cannot be determined.

• Update to better URL validation in UI.

• Set policy platforms using the platform checkboxes as a user would expect the options to successfully save.

• Standardized on a default value for empty cells in the UI.

• Added link to query table in UI source (fleetdm.com/tables/table_name).

• Added live query distributed interval warnings on select targets picker and live query result page.

• Added a macOS settings indicator and modal on the host details and device user pages.

• Added configuration parameters for the filesystem logging destination -- max_size, max_age, and max_backups are now configurable rather than hardcoded values.

• Live query/policy selecting "All hosts" is mutually exclusive from other filters.

• Minor server changes to support Fleetd for ChromeOS (to be released soon).

• Fixed network_interface_unix and network_interface_windows to ingest "Private IPs" only
  (filter out "Public IPs").

• Fixed how the Fleet MDM server URL is generated when stored for hosts enrolled in Fleet MDM.

• Fixed a panic when loading information for a host enrolled in MDM and its is_server field is
  NULL.

• Fixed bug with host count on hosts filtered by operating system version.

• Fixed permissions warnings reported by Suspicious Package in macos pkg installers. These warnings
  appeared to be purely cosmetic.

• Fixed UI bug: Long words in activity feed wrap within the div.

Upgrading

Please visit our update guide for upgrade instructions.

Documentation

Documentation for Fleet is available at fleetdm.com/docs.

Binary Checksum

SHA256

2dee40746d565ae0294c417deabfd151587e14d2702fc2960119f0103d363b25 fleetctl_v4.29.0_linux.tar.gz
37a83abb7852da9b51059c449a2684f5f3c96a2784345091614d691ba84799e0 fleetctl_v4.29.0_linux.zip
62fe66bebdc86de466965bbc2f2da7cb1a3452ea7ba2edb821fc8a46d55a5224 fleet_v4.29.0_linux.tar.gz
83641dbb578de93b35f55a3f69f02d5a9b8042d8ad3454dc41d23ab257c83959 fleetctl_v4.29.0_macos.tar.gz
ad0968185cf8bfda16727223b5a5716eae443f72df0bdd1d93d41dcf30f40a7f fleetctl_v4.29.0_macos.zip
b351df4a1dd5eb55e567db259cce1e9d1e37fab858ae208b58b83d2519a0b97c fleetctl_v4.29.0_windows.zip
cf8f39045e06a45aaa18772476342f4c6871ae236b8d8fed16dbf3db5857f7b9 fleetctl_v4.29.0_windows.tar.gz