Merge branch 'jspenc72/25077-apple-mdm-remove-application' of https:/…

…/github.com/jspenc72/fleet into jspenc72/25077-apple-mdm-remove-application

.github/pull_request_template.md

@@ -8,13 +8,14 @@ If some of the following don't apply, delete the relevant line.
   See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information.
 - [ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)
 - [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.
-- [ ] Added/updated tests
 - [ ] If paths of existing endpoints are modified without backwards compatibility, checked the frontend/CLI for any necessary changes
 - [ ] If database migrations are included, checked table schema to confirm autoupdate
 - For database migrations:
   - [ ] Checked schema for all modified table for columns that will auto-update timestamps during migration.
   - [ ] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects.
   - [ ] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`).
+- [ ] Added/updated automated tests
+- [ ] A detailed QA plan exists on the associated ticket (if it isn't there, work with the product group's QA engineer to add it)
 - [ ] Manual QA for all new/changed functionality
 - For Orbit and Fleet Desktop changes:
    - [ ] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`).

.github/scripts/update_osquery_versions.py

@@ -14,9 +14,8 @@ def fetch_osquery_versions():
     resp = conn.getresponse()
     content = resp.read()
     conn.close()
-    releases = json.loads(content.decode('utf-8'))
 
-    return [release['tag_name'] for release in releases if not release['prerelease']]
+    return [release['tag_name'] for release in json.loads(content.decode('utf-8'))]
 
 def update_min_osquery_version_options(new_versions):
     with open(FILE_PATH, 'r') as file:

.github/workflows/dogfood-deploy.yml

@@ -4,7 +4,7 @@ on:
   workflow_dispatch:
     inputs:
       DOCKER_IMAGE:
-        description: 'The full name of the docker image to be deployed. (e.g. fleetdm/fleet:v4.30.0). Note: do not use fleetdm/fleet:main directly.  Use the short hash instead.  If pull-rate limited, try using the quay.io/fleetdm/fleet mirror.'
+        description: "The full name of the docker image to be deployed. (e.g. fleetdm/fleet:v4.30.0). Note: do not use fleetdm/fleet:main directly.  Use the short hash instead.  If pull-rate limited, try using the quay.io/fleetdm/fleet mirror."
         required: true
 
 # This allows a subsequently queued workflow run to interrupt previous runs
@@ -26,7 +26,8 @@ env:
   TF_WORKSPACE: fleet
   TF_VAR_fleet_image: ${{ github.event.inputs.DOCKER_IMAGE || 'fleetdm/fleet:main' }}
   TF_VAR_fleet_license: ${{ secrets.DOGFOOD_LICENSE_KEY }}
-  TF_VAR_slack_webhook: ${{ secrets.SLACK_G_HELP_P1_WEBHOOK_URL }}
+  TF_VAR_slack_p1_webhook: ${{ secrets.SLACK_G_HELP_P1_WEBHOOK_URL }}
+  TF_VAR_slack_p2_webhook: ${{ secrets.SLACK_G_HELP_P2_WEBHOOK_URL }}
   TF_VAR_fleet_sentry_dsn: ${{ secrets.DOGFOOD_SENTRY_DSN }}
   TF_VAR_elastic_url: ${{ secrets.ELASTIC_APM_SERVER_URL }}
   TF_VAR_elastic_token: ${{ secrets.ELASTIC_APM_SECRET_TOKEN }}
@@ -64,7 +65,7 @@ jobs:
 
       - uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3
         with:
-          terraform_version: 1.6.3
+          terraform_version: 1.10.2
           terraform_wrapper: false
       - name: Terraform Init
         id: init

.github/workflows/test-go.yaml

@@ -44,7 +44,13 @@ jobs:
       matrix:
         suite: ["integration", "core"]
         os: [ubuntu-latest]
-        mysql: ["mysql:8.0.36", "mysql:8.4.3"] # make sure to update supported versions docs when this changes
+        mysql: ["mysql:8.0.36", "mysql:8.4.3", "mysql:9.1.0"] # make sure to update supported versions docs when this changes
+        isCron:
+          - ${{ github.event_name == 'schedule' }}
+        # Only run MySQL 9 tests on cron schedule
+        exclude:
+          - isCron: false
+            mysql: "mysql:9.1.0"
     continue-on-error: ${{ matrix.suite == 'integration' }} # Since integration tests have a higher chance of failing, often for unrelated reasons, we don't want to fail the whole job if they fail
     runs-on: ${{ matrix.os }}
 

.github/workflows/verify-fleetd-base.yml

@@ -114,9 +114,7 @@ jobs:
           Start-Sleep -Seconds 5
           cd "C:\Windows\System32\config\systemprofile\AppData\Local\FleetDM\Orbit\Logs"
           Get-ChildItem
-          if (!(Test-Path
-          "C:\Windows\System32\config\systemprofile\AppData\Local\FleetDM\Orbit\Logs\orbit-osquery.log"
-          -PathType Leaf)) { exit 1 }
+          if (!(Test-Path "C:\Windows\System32\config\systemprofile\AppData\Local\FleetDM\Orbit\Logs\orbit-osquery.log" -PathType Leaf)) { exit 1 }
       - name: Slack Notification
         if: failure()
         uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0

.prettierignore

@@ -34,3 +34,6 @@ website/
 # certain frontend files that are not meant to be formatted
 frontend/components/FleetAce/mode.ts
 frontend/components/FleetAce/theme.ts
+
+# github workflow yaml, which may contain shell scripts that shouldn't be formatted
+.github/workflows/*

CODEOWNERS

@@ -65,9 +65,9 @@ go.mod @fleetdm/go
 #
 # (see website/config/custom.js for DRIs of other paths not listed here)
 ##############################################################################################
-/docs                                           @eashaw
-/docs/REST\ API/rest-api.md                     @iansltx # « REST API reference documentation
-/docs/Contributing/API-for-contributors.md      @iansltx # « Advanced / contributors-only API reference documentation
+/docs                                           @rachaelshaw
+/docs/REST\ API/rest-api.md                     @rachaelshaw # « REST API reference documentation
+/docs/Contributing/API-for-contributors.md      @rachaelshaw # « Advanced / contributors-only API reference documentation
 /schema                                         @eashaw # « Data tables (osquery/fleetd schema) documentation
 /render.yaml                                    @edwardsb
 

articles/automatic-install-fleet-software

@@ -0,0 +1,35 @@
+# Automatic Installation for Fleet-Maintained Apps
+
+Fleet can now help simplify software deployment for IT admins with automatic installation of
+Fleet-maintained apps. This update eliminates the need for manual installation on individual hosts,
+saving time and effort when deploying new software across your organization. Here's how it works:
+
+1. **Select the App:** Navigate to the **Software** page and click the "Add software". Then choose
+   the **Fleet-maintained** section and select the desired Fleet-maintained app (e.g., Notion).
+2. **Choose Installation Method:** You'll now see a new option: an **Install** section with "Manual" and "Automatic" options. Selecting "Automatic" will create a policy to automatically install the app on hosts that don't currently have it.
+3. **Add Software:** Click "Add Software" to initiate the automatic installation process.
+
+## Key Benefits
+
+* **Simplified Deployment:** Deploy apps to multiple hosts with a single click, eliminating manual installation on each machine.
+* **Automated Policy Creation:** The system automatically creates the necessary policy to manage the installations, removing the need for manual policy creation.
+* **Automatic Reinstallation:** If a user uninstalls the app, the policy will automatically reinstall it on the next policy run, ensuring consistent deployment.
+* **Clear Visibility:** A badge on the app listing indicates which apps are configured for automatic installation. The app's details page also clearly states its automatic installation status and provides a link to the associated policy.
+
+## How to Manage Automatic Installations
+
+* **View Policies:** Clicking on the automatic installation indicator on the app details page will
+  take you to the relevant policy's details view. You can also find the policy listed on the **Policies** page under the relevant team.
+* **Monitor Installation Status:** Fleet provides real-time feedback on the installation process.
+  You can monitor the installation status on the **Host Details** page under the "Activity" section, which shows queued installations and
+  any potential failures.
+* **Prevent Accidental Deletion:** If you attempt to delete an app that has an automatic
+  installation policy associated with it, the system will prevent the deletion until the policy is
+  removed. This prevents accidental disruption of app deployments.
+
+## Important Considerations
+
+**GitOps Compatibility:** Currently, Fleet-maintained apps are not fully compatible with GitOps. This means these automatically generated policies will be affected by GitOps runs. We are working on improving GitOps support for Fleet-maintained apps in future releases. For now, using uploaded packages and VPP is the recommended approach for GitOps workflows.
+
+This new feature simplifies app deployment, saving you time and ensuring consistent application
+availability across your organization. We encourage you to try it out and reach out to us with any feedback.

articles/enforce-os-updates.md

@@ -34,7 +34,9 @@ OS version enforcement options are declared within the [controls](https://fleetd
 
 ### macOS
 
-When a minimum version is enforced, end users see a native macOS notification (DDM) once per day. Users can choose to update ahead of the deadline or schedule it for that night. 24 hours before the deadline, the notification appears hourly and ignores Do Not Disturb. One hour before the deadline, the notification appears every 30 minutes and then every 10 minutes.   
+When a minimum version is enforced, end users see a native macOS notification (DDM) once per day. Users can choose to update ahead of the deadline or schedule it for that night. 24 hours before the deadline, the notification appears hourly and ignores Do Not Disturb. One hour before the deadline, the notification appears every 30 minutes and then every 10 minutes.
+
+> Certain user preferences may suppress macOS update notifications. To prevent users from being surprised by a forced update or unexpected restart, consider communicating OS update deadlines through additional channels.
 
 If the host was turned off when the deadline passed, the update will be scheduled an hour after it’s turned on.
 

articles/queries.md

@@ -35,12 +35,6 @@ How to create a query:
 
 ## View a query report
 
-Fleet will store up to 1000 results for each scheduled query to give users a snapshot of query results. If the number of results for a scheduled query is below 1000, then the results will continuously get updated every time the hosts send results to Fleet.
-
-As you enable query reports, it is advisable to monitor your database to determine if it needs to be scaled up. As an alternative, you can disable query reports.
-
-> To disable query reports globally, modify `server_settings.query_reports_disabled` field in the global configuration. To disable reports for individual queries, use the `discard_data` field.
-
 How to view a query report:
 
 1. In the top navigation, select **Queries**.
@@ -49,6 +43,16 @@ How to view a query report:
 
 3. If you want to download the query report, select **Export results** to save it as a CSV.
 
+Fleet will store up to 1000 results for each scheduled query to give users a snapshot of query results. If the number of results for a scheduled query is below 1000, then the results will continuously get updated every time the hosts send results to Fleet.
+
+> You can tell Fleet to store more than 1000 results in query reports by setting [`server_settings.query_report_cap`](https://fleetdm.com/docs/rest-api/rest-api#server-settings) via [the Modify configuration API endpoint](https://fleetdm.com/docs/rest-api/rest-api#modify-configuration).
+
+Persisting query reports within Fleet creates load on the database, so you'll want to monitor database load as you add queries. If needed, you can disable query reports either globally or per-query.
+
+* Globally via the UI: **Settings** > **Advanced options** > **Disable query reports**
+* Globally via the API: set [`server_settings.query_reports_disabled`](https://fleetdm.com/docs/rest-api/rest-api#server-settings) via [the Modify configuration endpoint](https://fleetdm.com/docs/rest-api/rest-api#modify-configuration)
+* Per-query via the UI: **Edit query** > **Show advanced options** > **Discard data**
+* Per-query via the API: Set the `discard_data` field when [creating](https://fleetdm.com/docs/rest-api/rest-api#create-query) or [modifying](https://fleetdm.com/docs/rest-api/rest-api#modify-query) the query
 
 ## Run a query
 
@@ -74,8 +78,6 @@ The query may take several seconds to complete because Fleet has to wait for the
 
 ## Schedule a query
 
-*In Fleet 4.35.0, the "Schedule" page was removed, and query automations are now configured on the "Queries" page. Instructions for scheduling queries in earlier versions of Fleet can be found [here](https://github.com/fleetdm/fleet/blob/ac797c8f81ede770853c25fd04102da9f5e109bf/docs/Using-Fleet/Fleet-UI.md#schedule-a-query).*
-
 Fleet allows you to schedule queries to run at a set frequency. By default, queries that run on a schedule will only target platforms compatible with that query. This behavior can be overridden by setting the platforms in **Advanced options** when saving a query.
 
 Scheduled queries will send data to Fleet and/or your [log destination](https://fleetdm.com/docs/using-fleet/log-destinations) automatically. Query automations can be turned off in **Advanced options** or using the bulk query automations UI.
@@ -103,6 +105,6 @@ How to configure query automations in bulk:
 <meta name="category" value="guides">
 <meta name="authorGitHubUsername" value="noahtalerman">
 <meta name="authorFullName" value="Noah Talerman">
-<meta name="publishedOn" value="2024-08-09">
+<meta name="publishedOn" value="2025-01-01">
 <meta name="articleTitle" value="Queries">
 <meta name="description" value="Learn how to create, run, and schedule queries, as well as update agent options in the Fleet user interface.">

articles/role-based-access.md

@@ -34,7 +34,7 @@ GitOps is an API-only and write-only role that can be used on CI/CD pipelines.
 ## User permissions
 
 | **Action**                                                                                                                                 | Observer | Observer+* | Maintainer | Admin | GitOps* |
-| ------------------------------------------------------------------------------------------------------------------------------------------ | -------- | ---------- | ---------- | ----- | ------- |
+| ------------------------------------------------------------------------------------------------------------------------------------------ | :------: | :--------: | :--------: | :---: | :-----: |
 | View all [activity](https://fleetdm.com/docs/using-fleet/rest-api#activities)                                                              | ✅       | ✅         | ✅         | ✅    |         |
 | Manage [activity automations](https://fleetdm.com/docs/using-fleet/audit-logs)                                 |               |                |                 | ✅         | ✅          |
 | View all hosts                                                                                                                             | ✅       | ✅         | ✅         | ✅    |         |
@@ -123,7 +123,7 @@ Users can be assigned to multiple teams in Fleet.
 Users with access to multiple teams can be assigned different roles for each team. For example, a user can be given access to the "Workstations" team and assigned the "Observer" role. This same user can be given access to the "Servers" team and assigned the "Maintainer" role.
 
 | **Action**                                                                                                                       | Team observer | Team observer+ | Team maintainer | Team admin | Team GitOps |
-| -------------------------------------------------------------------------------------------------------------------------------- | ------------- | -------------- | --------------- | ---------- | ----------- |
+| -------------------------------------------------------------------------------------------------------------------------------- | :-----------: | :------------: | :-------------: | :--------: | :---------: |
 | View hosts                                                                                                                       | ✅            | ✅             | ✅              | ✅         |             |
 | View a host by identifier                                                                                                        | ✅            | ✅             | ✅              | ✅         | ✅          |
 | Filter hosts using [labels](https://fleetdm.com/docs/using-fleet/rest-api#labels)                                                | ✅            | ✅             | ✅              | ✅         |             |

changes/21827-edit-vpp-teams

@@ -0,0 +1 @@
+- Fleet UI: Clarify editing VPP teams will remove App Store apps available to team, not uninstalling apps from hosts.

changes/23302-fma-click-bug

@@ -0,0 +1 @@
+- Fleet UI: Fixed redirect when clicking on any column in the Fleet Maintained Apps table

changes/23512-clarify-expected-behavior-of-host-counts

@@ -0,0 +1,2 @@
+- Clarify expected behavior of policy host counts, dashboard controls software count, and controls
+  os updates versions count.

changes/23823-cloudfront-cdn

@@ -0,0 +1,4 @@
+Allow delivery of bootstrap packages and software installers using signed URLs from CloudFront CDN. To enable, configure server settings:
+- s3_software_installers_cloudfront_url
+- s3_software_installers_cloudfront_url_signing_public_key_id
+- s3_software_installers_cloudfront_url_signing_private_key

changes/24335-dropdown-styling-bug

@@ -0,0 +1 @@
+- Fleet UI: Fix software actions dropdown styling bug

changes/24418-bad-links

@@ -0,0 +1 @@
+- Fleet UI: Fixed two broken links in Setup experience

changes/24653-live-query-from-edit-affects-performance-stats

@@ -0,0 +1,2 @@
+- When running a live query from the edit query form, consider the results of the run in calculating
+  an existing query's performance impact if the user didn't change the query from the stored version.

changes/24720-msi-large-interned-strings

@@ -0,0 +1 @@
+* Fixed MSI parsing for packages including long interned strings (e.g. licenses for the OpenVPN Connect installer)

changes/25004-fleetctl-packge-cli-instructions

@@ -0,0 +1 @@
+- Display command line installation instructions when a package is generated

changes/25009-smtp-page-validation

@@ -0,0 +1 @@
+- Improve validation workflow on SMTP settings page

changes/25075-false-positive

@@ -0,0 +1 @@
+* Fixed CVE-2024-10327 false positive on Fleet-supported platforms (vuln is iOS-only and iOS vuln checking is not supported)

changes/25144-uninstall-after-mdm-action

@@ -0,0 +1 @@
+* Fixed reporting of software uninstall results after a host has been locked/unlocked

changes/osquery-constant-prerelease

@@ -0,0 +1 @@
+* Included osquery pre-releases in daily UI constant update GitHub Actions job