#23899 API design (IdP department/group labels)

Dockerfile-desktop-linux

@@ -1,4 +1,4 @@
-FROM --platform=linux/amd64 golang:1.24.2-bullseye@sha256:f50ff25f8331682b44c1582974eb9e620fcb08052fc6ed434f93ca24636fc4d6
+FROM --platform=linux/amd64 golang:1.24.4-bullseye@sha256:dfd72198d14bc22f270c9e000c304a2ffd19f5a5f693fad82643311afdc6b568
 LABEL maintainer="Fleet Developers"
 
 RUN mkdir -p /usr/src/fleet

Makefile

@@ -836,4 +836,19 @@ vex-report:
 	sh -c 'echo "## \`fleetdm/fleetctl\` docker image\n" >> security/status.md'
 	sh -c 'go run ./tools/vex-parser ./security/vex/fleetctl >> security/status.md'
 
+# make update-go version=1.24.4
+UPDATE_GO_DOCKERFILES := ./Dockerfile-desktop-linux ./infrastructure/loadtesting/terraform/docker/loadtest.Dockerfile ./tools/mdm/migration/mdmproxy/Dockerfile
+UPDATE_GO_MODS := go.mod ./tools/mdm/windows/bitlocker/go.mod ./tools/snapshot/go.mod ./tools/terraform/go.mod
+update-go:
+	@test $(version) || (echo "Mising 'version' argument, usage: 'make update-go version=1.24.4'" ; exit 1)
+	@for dockerfile in $(UPDATE_GO_DOCKERFILES) ; do \
+		go run ./tools/tuf/replace $$dockerfile "golang:.+-" "golang:$(version)-" ; \
+		echo "Please update sha256 in $$dockerfile" ; \
+	done
+	@for gomod in $(UPDATE_GO_MODS) ; do \
+		go run ./tools/tuf/replace $$gomod "(?m)^go .+$$" "go $(version)" ; \
+	done
+	@echo "* Updated go to $(version)" > changes/update-go-$(version)
+	@cp changes/update-go-$(version) orbit/changes/update-go-$(version)
+
 include ./tools/makefile-support/helpsystem-targets

articles/articles/preventing-mistakes-with-gitops.md

@@ -40,23 +40,23 @@ We will start with a traditional workflow to demonstrate the process used to com
 
 > For all examples in this article we will be using the GitHub Desktop app to do commits. Using `git` in the terminal will of course also work. Use whatever you’re most comfortable with.
 
-![gif-1](../website/assets/images/articles/preventing-mistakes-1-1423x771@2x.gif)
+![gif-1](../website/assets/images/articles/preventing-mistakes-1-711x385@2x.gif)
 
 Here, after making changes to the `passcode.json` file, it has been added to the Team we are configuring under the `macos_settings` section.
 
-![gif-2](../website/assets/images/articles/preventing-mistakes-2-960x540@2x.gif)
+![gif-2](../website/assets/images/articles/preventing-mistakes-2-480x270@2x.gif)
 
 GitHub Desktop will automatically pick up changes. You can review each file and make commit comments. If all looks good, push your changes to the working branch.
 
-![gif-3](../website/assets/images/articles/preventing-mistakes-3-1423x771@2x.gif)
+![gif-3](../website/assets/images/articles/preventing-mistakes-3-711x385@2x.gif)
 
 We create a PR to bring this change into the `main` production branch. In this example, branch protections are off so I can merge right to `main` but further on in the article this will change. 
 
 ## GitOps: The way it was meant to be
 
 Another benefit of a GitOps approach is the ability for members of a team to review changes before they are applied in production. This encourages collaboration while ensuring all modifications to state are following best practices and compliance. In addition, if something breaks (which is inevitable) you have a ‘snapshot’ or point in time with a known working state to which you can easily roll back.
 
-![gif-4](../website/assets/images/articles/preventing-mistakes-4-960x540@2x.gif)
+![gif-4](../website/assets/images/articles/preventing-mistakes-4-480x270@2x.gif)
 
 The newest version of macOS is released and an engineer on your team wants to push a change to require an update of all hosts in the Workstations team. The IT engineer creates a branch to work from and makes the necessary changes, including setting a new target version and deadline.
 
@@ -68,7 +68,7 @@ macos_updates:
 
 Merging is blocked until a member of the team reviews and approves the changes. 
 
-![gif-5](../website/assets/images/articles/preventing-mistakes-5-960x540@2x.gif)
+![gif-5](../website/assets/images/articles/preventing-mistakes-5-480x270@2x.gif)
 
 Our IT manager is listed as the approver for these changes. The approver is notified of a pending PR for review. Is there a problem with some of the changes? Our engineer accidentally put in a version string that is not yet available. This will cause issues for our users when they try to update. The fix? Tag the engineer with some feedback and request changes to be made and re-committed. 
 

articles/config-less-fleetd-agent-deployment.md

@@ -73,6 +73,8 @@ fleetctl package --type=pkg --use-system-configuration --fleet-desktop
 </plist>
 ```
 
+### Using human-device mapping
+
 You can optionally specify the `END_USER_EMAIL` that will be added to the host's [human-device mapping](https://fleetdm.com/docs/rest-api/rest-api#get-human-device-mapping):
 
 ```xml

changes/26519-android

@@ -1 +1 @@
-Enabled Android MDM support. The functionality is limited to turning on Android MDM and enrolling a BYOD device.
+Enabled Android MDM support. The functionality is limited to turning on Android MDM and enrolling a BYOD device. **NOTE:** If your server was already using Android via the experimental DEV_ANDROID_ENABLED=1 flag, please turn off Android MDM before updating your Fleet server.

changes/28687-fma-to-custom

@@ -0,0 +1 @@
+* Uploading a new installer to an Fleet Maintained App no longer reports as Fleet Maintained App

changes/29739-make-password-spaces-consistent

@@ -0,0 +1 @@
+* Make the gap between characters in password fields consistent

changes/update-go-1.24.4

@@ -0,0 +1 @@
+* Updated go to 1.24.4

cmd/osquery-perf/agent.go

@@ -866,8 +866,8 @@ func (a *agent) runMacosMDMLoop() {
 		for mdmCommandPayload != nil {
 			a.stats.IncrementMDMCommandsReceived()
 
-			if mdmCommandPayload.Command.RequestType == "InstallProfile" {
-
+			switch mdmCommandPayload.Command.RequestType {
+			case "InstallProfile":
 				if a.mdmProfileFailureProb > 0.0 && rand.Float64() <= a.mdmProfileFailureProb {
 					errChain := []mdm.ErrorChain{
 						{
@@ -877,21 +877,37 @@ func (a *agent) runMacosMDMLoop() {
 						},
 					}
 					mdmCommandPayload, err = a.macMDMClient.Err(mdmCommandPayload.CommandUUID, errChain)
+					if err != nil {
+						log.Printf("MDM Error request failed: %s", err)
+						a.stats.IncrementMDMErrors()
+						break INNER_FOR_LOOP
+					}
 				} else {
 					mdmCommandPayload, err = a.macMDMClient.Acknowledge(mdmCommandPayload.CommandUUID)
+					if err != nil {
+						log.Printf("MDM Acknowledge request failed: %s", err)
+						a.stats.IncrementMDMErrors()
+						break INNER_FOR_LOOP
+					}
 				}
-
-			} else {
-				mdmCommandPayload, err = a.macMDMClient.Acknowledge(mdmCommandPayload.CommandUUID)
-			}
-
-			if err != nil {
-				log.Printf("MDM Acknowledge request failed: %s", err)
-				a.stats.IncrementMDMErrors()
-				break INNER_FOR_LOOP
-			}
-			if mdmCommandPayload != nil && mdmCommandPayload.Command.RequestType == "DeclarativeManagement" {
+			case "DeclarativeManagement":
+				// Device immediately responds with Acknowledged status and then contacts the Declarations endpoints.
+				nextMdmCommandPayload, err := a.macMDMClient.Acknowledge(mdmCommandPayload.CommandUUID)
+				if err != nil {
+					log.Printf("MDM Acknowledge request failed: %s", err)
+					a.stats.IncrementMDMErrors()
+					break INNER_FOR_LOOP
+				}
+				// Note: Declarative management could happen async while other MDM commands proceed. This is a potential enhancement.
 				a.doDeclarativeManagement(mdmCommandPayload)
+				mdmCommandPayload = nextMdmCommandPayload
+			default:
+				mdmCommandPayload, err = a.macMDMClient.Acknowledge(mdmCommandPayload.CommandUUID)
+				if err != nil {
+					log.Printf("MDM Acknowledge request failed: %s", err)
+					a.stats.IncrementMDMErrors()
+					break INNER_FOR_LOOP
+				}
 			}
 		}
 	}

docs/Configuration/agent-configuration.md

@@ -47,8 +47,8 @@ config:
 
 ### options and command_line_flags
 
-- `options` include the agent settings listed under `osqueryOptions` [here](https://github.com/fleetdm/fleet/blob/main/server/fleet/agent_options_generated.go). These can be updated without a fleetd restart.
-- `command_line_flags` include the agent settings listed under osqueryCommandLineFlags [here](https://github.com/fleetdm/fleet/blob/main/server/fleet/agent_options_generated.go). These are only updated when fleetd restarts. 
+- `options` include the agent settings listed under `osqueryOptions` in [`agent_options_generated.go`](https://github.com/fleetdm/fleet/blob/main/server/fleet/agent_options_generated.go). These can be updated without a fleetd restart.
+- `command_line_flags` include the agent settings listed under osqueryCommandLineFlags in [`agent_options_generated.go`](https://github.com/fleetdm/fleet/blob/main/server/fleet/agent_options_generated.go). These are only updated when fleetd restarts. 
 
 To see a description for all available settings, first [enroll your host](https://fleetdm.com/guides/enroll-hosts) to Fleet. Then, open your **Terminal** app and run `sudo orbit shell` to open an interactive osquery shell. Then run the following osquery query:
 
@@ -78,11 +78,11 @@ In the `decorators` key, you can specify queries to include additional informati
 
 ### yara
 
-You can use Fleet to configure the `yara` and `yara_events` osquery tables. Learn more about YARA configuration and continuous monitoring [here](https://fleetdm.com/guides/remote-yara-rules#basic-article).
+You can use Fleet to configure the `yara` and `yara_events` osquery tables, used to administer [YARA rules]((https://fleetdm.com/guides/remote-yara-rules) for continuous monitoring.
 
 ## extensions
 
-> This feature requires a custom TUF auto-update server (available in Fleet Premium). Learn more [here](https://fleetdm.com/guides/fleetd-updates).
+> This feature requires a custom TUF [auto-update server](https://fleetdm.com/guides/fleetd-updates) (available in Fleet Premium).
 
 The `extensions` key inside of `agent_options` allows you to remotely manage and deploy osquery extensions. Just like other `agent_options` the `extensions` key can be applied either to a team specific one or the global one.
 
@@ -179,7 +179,7 @@ In the above example:
 
 _Available in Fleet Premium_
 
-Users can configure fleetd component TUF auto-update channels from Fleet's agent options. The components that can be configured are `orbit`, `osqueryd` and `desktop` (Fleet Desktop). When one of these components is omitted in `update_channels` then `stable` is assumed as the value for such component. Available options for update channels can be viewed [here](https://fleetdm.com/docs/using-fleet/enroll-hosts#specifying-update-channels).
+Users can configure fleetd component TUF [auto-update channels](https://fleetdm.com/docs/using-fleet/enroll-hosts#specifying-update-channels) from Fleet's agent options. The components that can be configured are `orbit`, `osqueryd` and `desktop` (Fleet Desktop). When one of these components is omitted in `update_channels` then `stable` is assumed as the value for such component.
 
 #### Examples
 

docs/Configuration/fleet-server-configuration.md

@@ -1880,8 +1880,7 @@ This flag only has effect if one of the following is true:
 - `osquery_result_log_plugin` or `osquery_status_log_plugin` are set to `kafkarest`.
 - `activity_audit_log_plugin` is set to `kafkarest` and `activity_enable_audit_log` is set to `true`.
 
-The value of the Content-Type header to use in Kafka REST Proxy API calls. More information about available versions
-can be found [here](https://docs.confluent.io/platform/current/kafka-rest/api.html#content-types). _Note: only JSON format is supported_
+The value of the Content-Type header to use in [Kafka REST Proxy API calls](https://docs.confluent.io/platform/current/kafka-rest/api.html#content-types). _Note: only JSON format is supported_
 
 - Default value: application/vnd.kafka.json.v1+json
 - Environment variable: `FLEET_KAFKAREST_CONTENT_TYPE_VALUE`
@@ -2124,11 +2123,9 @@ or running S3 locally with localstack. Leave this blank to use the default S3 se
 
 AWS S3 Force S3 Path Style. Set this to `true` to force the request to use path-style addressing,
 i.e., `http://s3.amazonaws.com/BUCKET/KEY`. By default, the S3 client
-will use virtual hosted bucket addressing when possible
+will use [virtual hosted bucket addressing](http://docs.aws.amazon.com/AmazonS3/latest/dev/VirtualHosting.html) when possible
 (`http://BUCKET.s3.amazonaws.com/KEY`).
 
-See [here](http://docs.aws.amazon.com/AmazonS3/latest/dev/VirtualHosting.html) for details.
-
 - Default value: false
 - Environment variable: `FLEET_S3_SOFTWARE_INSTALLERS_FORCE_S3_PATH_STYLE`
 - Config file format:
@@ -2729,7 +2726,7 @@ Minio users must set this to any non-empty value (e.g., `minio`), as Minio does
 
 > The [`server_private_key` configuration option](#server_private_key) is required for macOS MDM features.
 
-> The Apple Push Notification service (APNs), Simple Certificate Enrollment Protocol (SCEP), and Apple Business Manager (ABM) [certificate and key configuration](https://github.com/fleetdm/fleet/blob/fleet-v4.51.0/docs/Contributing/reference/configuration-for-contributors.md#mobile-device-management-mdm) are deprecated as of Fleet 4.51. They are maintained for backwards compatibility. Please upload your APNs certificate and ABM token. Learn how [here](https://fleetdm.com/docs/using-fleet/mdm-setup).
+> The Apple Push Notification service (APNs), Simple Certificate Enrollment Protocol (SCEP), and Apple Business Manager (ABM) [certificate and key configuration](https://github.com/fleetdm/fleet/blob/fleet-v4.51.0/docs/Contributing/reference/configuration-for-contributors.md#mobile-device-management-mdm) are deprecated as of Fleet 4.51. They are maintained for backwards compatibility. Please [upload your APNs certificate and ABM token](https://fleetdm.com/docs/using-fleet/mdm-setup).
 
 ### mdm.apple_scep_signer_validity_days