Merge branch 'main' into docs-v4.64.0

CHANGELOG.md

@@ -1,3 +1,10 @@
+## Fleet 4.62.2 (Jan 17, 2025)
+
+### Bug fixes
+
+* Removed request timeout on bootstrap package uploads for consistency with software package upload endpoints.
+* Fixed bug where iOS devices were being removed prematurely by expiration policy.
+
 ## Fleet 4.62.1 (Jan 14, 2025)
 
 ### Bug fixes

articles/enforce-disk-encryption.md

@@ -8,7 +8,7 @@ In Fleet, you can enforce disk encryption for your macOS and Windows hosts, and
 
 When disk encryption is enforced, hosts' disk encryption keys will be stored in Fleet.
 
-For macOS hosts that automatically enroll, disk encryption is enforced during Setup Assistant. For Windows, disk encryption is enforced on the C: volume (default system/OS drive). On Linux, encryption requires user interaction to encrypt the device with LUKS.
+For macOS hosts that automatically enroll, disk encryption is enforced during Setup Assistant. For Windows, disk encryption is enforced on the C: volume (default system/OS drive). For Linux, encryption requires end user interaction.
 
 ## Enforce disk encryption
 
@@ -48,7 +48,7 @@ You can click each status to view the list of hosts for that status.
 
 ## Enforce disk encryption on Linux
 
-Fleet supports Linux Unified Key Setup (LUKS) for encrypting volumes to enforce disk encryption on Ubuntu Linux, Kubuntu Linux, and Fedora Linux devices. Support for Ubuntu 20.04 will be available soon.
+Fleet supports Linux Unified Key Setup (LUKS) for encrypting volumes to enforce disk encryption on Ubuntu Linux, Kubuntu Linux, and Fedora Linux hosts.
 
 1. Share [this step-by-step guide](https://fleetdm.com/learn-more-about/encrypt-linux-device) with end users setting up a work computer running Ubuntu Linux, Kubuntu Linux or Fedora Linux.
 
@@ -76,7 +76,7 @@ How to view the disk encryption key:
 
 ## Migrate macOS hosts
 
-When migrating macOS hosts from another MDM solution, in order to complete the process of encrypting the hard drive and escrowing the key in Fleet, your end users must log out or restart their device.
+When migrating macOS hosts from another MDM solution, in order to complete the process of encrypting the hard drive and escrowing the key in Fleet, your end users must log out or restart their Mac.
 
 Share [these guided instructions](https://fleetdm.com/guides/mdm-migration#how-to-turn-on-disk-encryption) with your end users.
 

articles/enroll-hosts.md

@@ -27,6 +27,8 @@ The `--type` flag is used to specify the fleetd installer type.
 
 A `--fleet-url` (Fleet instance URL) and `--enroll-secret` (Fleet enrollment secret) must be specified in order to communicate with Fleet instance.
 
+To build an installer for ARM-based Linux, use the `--arch=arm64` flag with fleetctl.
+
 #### Example
 
 Generate fleetd on macOS (.pkg)

articles/fleet-4.62.0.md

@@ -22,7 +22,7 @@ Fleet now creates policies automatically when you add a custom package. This eli
 
 ### Hide secrets in configuration profiles and scripts
 
-Fleet ensures that GitHub or GitLab secrets, like API tokens and license keys used in scripts (Shell & PowerShell) and configuration profiles (macOS & Windows), are hidden when viewed or downloaded in Fleet. This protects sensitive information, keeping it secure until it’s deployed to the hosts. Learn more about secrets [here](https://fleetdm.com/guides/secret-variables).
+Fleet ensures that GitHub or GitLab secrets, like API tokens and license keys used in scripts (Shell & PowerShell) and configuration profiles (macOS & Windows), are hidden when viewed or downloaded in Fleet. This protects sensitive information, keeping it secure until it’s deployed to the hosts. Learn more about secrets [here](https://fleetdm.com/guides/secrets-in-scripts-and-configuration-profiles).
 
 ## Changes
 

articles/fleet-software-attestation.md

@@ -0,0 +1,17 @@
+# Fleet software attestation
+
+At Fleet, we understand the importance of having a secure software supply chain.  Our core value of 🟣 [Openness](https://fleetdm.com/handbook/company#openness) extends to ensuring that our users can verify the provenance and authenticity of any Fleet software they install.  With that in mind, as of version 4.63.0 Fleet we will be adding [SLSA attestations](https://slsa.dev/) to our released binaries and container images.  This includes the Fleet and Fleetctl server software, the Orbit and Fleet Desktop software for hosts, and the osqueryd updates periodically downloaded by hosts.
+
+## What is software attestation?
+
+A software attestation is a cryptographically-signed statement provided by a software creator that certifies the build process and provenance of one or more software _artifacts_ (which might be files, container images, or other outputs). In other words, it's a promise to our users that the software we're providing was built by us, using a process that they can trust and verify. We utilize the SLSA framework for attestations which you can read more about [here](https://slsa.dev/).  After each release, attestations are added to https://github.com/fleetdm/fleet/attestations.
+
+## Verifying our release artifacts
+
+Any product of a Fleet release can be _verified_ to prove that it was indeed created by Fleet, using the `gh` command line tool from Github.  See the [`gh attestation verify`](https://cli.github.com/manual/gh_attestation_verify) docs for more info.
+
+<meta name="authorGitHubUsername" value="sgress454">
+<meta name="authorFullName" value="Scott Gress">
+<meta name="publishedOn" value="2025-01-14">
+<meta name="articleTitle" value="Fleet software attestation">
+<meta name="category" value="guides">

articles/secrets-in-scripts-and-configuration-profiles.md

@@ -0,0 +1,90 @@
+# Hide secrets in scripts in configuration profiles
+
+In Fleet you can hide secrets, like API tokens or software license keys, in Fleet [scripts](https://fleetdm.com/guides/scripts) and [configuration profiles](https://fleetdm.com/guides/custom-os-settings). Secrets are encrypted and stored securely in Fleet, until they're delivered to the host. Secrets are hidden in when the script or configuration profile is viewed in the Fleet UI or API.
+
+Currently, hiding secrets is only available using [Fleet's YAML (GitOps)](https://fleetdm.com/docs/configuration/yaml-files).
+
+## How to specify a secret
+
+A secret can be used in a script or configuration profile by specifying a variable in the format `$FLEET_SECRET_MYNAME` or `${FLEET_SECRET_MYNAME}`. When the script or profile is sent to the host, Fleet will replace the variable with the actual secret value. The prefix `FLEET_SECRET_` is required to indicate that the variable is a secret, and Fleet reserves this prefix for secret variables.
+
+For macOS and Linux scripts, if a secret doesn't have the `$FLEET_SECRET_` prefix, it will be treated as a [local environment variable](https://support.apple.com/en-my/guide/terminal/apd382cc5fa-4f58-4449-b20a-41c53c006f8f/mac).
+
+1. You must add the secret to your repository's secrets to use them in GitOps.
+
+2. For the GitHub GitOps flow, they must also be added to the `env` section of your workflow file, as shown below:
+
+```yaml
+    env:
+      FLEET_URL: ${{ secrets.FLEET_URL }}
+      FLEET_API_TOKEN: ${{ secrets.FLEET_API_TOKEN }}
+      FLEET_GLOBAL_ENROLL_SECRET: ${{ secrets.FLEET_GLOBAL_ENROLL_SECRET }}
+      FLEET_WORKSTATIONS_ENROLL_SECRET: ${{ secrets.FLEET_WORKSTATIONS_ENROLL_SECRET }}
+      FLEET_WORKSTATIONS_CANARY_ENROLL_SECRET: ${{ secrets.FLEET_WORKSTATIONS_CANARY_ENROLL_SECRET }}
+      FLEET_SECRET_CERT_PASSWORD: ${{ secrets.FLEET_SECRET_CERT_PASSWORD }}
+      FLEET_SECRET_CERT_BASE64: ${{ secrets.FLEET_SECRET_CERT_BASE64 }}
+```
+
+3. Add your script or profile. Here's an example profile with `$FLEET_SECRET_CERT_PASSWORD` and `$FLEET_SECRET_CERT_BASE64` secrets:
+
+```xml
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>PayloadDisplayName</key>
+    <string>Certificate PKCS12</string>
+    <key>PayloadIdentifier</key>
+    <string>com.example.certificate</string>
+    <key>PayloadType</key>
+    <string>Configuration</string>
+    <key>PayloadUUID</key>
+    <string>918ee83d-ebd5-4192-bcd4-8b4feb750e4b</string>
+    <key>PayloadVersion</key>
+    <integer>1</integer>
+    <key>PayloadContent</key>
+    <array>
+      <dict>
+            <key>Password</key>
+            <string>$FLEET_SECRET_CERT_PASSWORD</string>
+            <key>PayloadContent</key>
+            <data>$FLEET_SECRET_CERT_BASE64</data>
+            <key>PayloadDisplayName</key>
+            <string>Certificate PKCS12</string>
+            <key>PayloadIdentifier</key>
+            <string>com.example.certificate</string>
+            <key>PayloadType</key>
+            <string>com.apple.security.pkcs12</string>
+            <key>PayloadUUID</key>
+            <string>25cdd076-f1e7-4932-aa30-1d4240534fb0</string>
+            <key>PayloadVersion</key>
+            <integer>1</integer>
+        </dict>
+    </array>
+</dict>
+</plist>
+```
+
+When GitOps syncs the configuration, it looks for secret variables in scripts and profiles, extracts the secret values from the environment, and uploads them to Fleet.
+
+On subsequent GitOps syncs, if a secret variable used by a configuration profile has been updated, the profile will be resent to the host device(s).
+
+> Profiles with secret variables are not entirely validated during a GitOps dry run because secret variables may not be present/correct in the database during the dry run. Hence, there is an increased chance of GitOps non-dry run failure when using a profile with a secret variable. Try uploading this profile to a test team first.
+
+## Escaping and interpolation
+
+The dollar sign (`$`) can be escaped so it's not considered a variable by using a backslash (e.g. `\$100`). Additionally, `MY${variable}HERE` syntax can be used to put strings around the variable.
+
+## Known limitations and issues
+
+- Windows profiles are currently not re-sent to the device when the GitHub action (or GitLab pipeline) runs: [issue #25030](https://github.com/fleetdm/fleet/issues/25030)
+- Fleet does not hide the secret in script results. DO NOT print/echo your secrets to the console output.
+- There is no way to explicitly delete a secret variable. Instead, you can overwrite it with any value.
+- Do not use deprecated API endpoint(s) to upload profiles containing secret variables. Use endpoints documented in [Fleet's REST API](https://fleetdm.com/docs/rest-api/rest-api).
+
+<meta name="articleTitle" value="Hide secrets in scripts in configuration profiles">
+<meta name="authorFullName" value="Victor Lyuboslavsky">
+<meta name="authorGitHubUsername" value="getvictor">
+<meta name="category" value="guides">
+<meta name="publishedOn" value="2025-01-02">
+<meta name="description" value="A guide on using secrets in scripts and configuration profiles.">

changes/24790-admx-policies

@@ -0,0 +1 @@
+Fixes issue verifying Windows CSP profiles that contain ADMX policies.

charts/fleet/Chart.yaml

@@ -4,11 +4,11 @@ name: fleet
 keywords:
   - fleet
   - osquery
-version: v6.3.2
+version: v6.3.3
 home: https://github.com/fleetdm/fleet
 sources:
   - https://github.com/fleetdm/fleet.git
-appVersion: v4.62.1
+appVersion: v4.62.2
 dependencies:
   - name: mysql
     condition: mysql.enabled

charts/fleet/values.yaml

@@ -3,7 +3,7 @@
 hostName: fleet.localhost
 replicas: 3 # The number of Fleet instances to deploy
 imageRepository: fleetdm/fleet
-imageTag: v4.62.1 # Version of Fleet to deploy
+imageTag: v4.62.2 # Version of Fleet to deploy
 podAnnotations: {} # Additional annotations to add to the Fleet pod
 serviceAnnotations: {} # Additional annotations to add to the Fleet service
 serviceAccountAnnotations: {} # Additional annotations to add to the Fleet service account

cmd/fleet/serve.go

@@ -1203,10 +1203,11 @@ the way that the Fleet server works.
 				}
 
 				if (req.Method == http.MethodPost && strings.HasSuffix(req.URL.Path, "/fleet/software/package")) ||
-					(req.Method == http.MethodPatch && strings.HasSuffix(req.URL.Path, "/package") && strings.Contains(req.URL.Path, "/fleet/software/titles/")) {
+					(req.Method == http.MethodPatch && strings.HasSuffix(req.URL.Path, "/package") && strings.Contains(req.URL.Path, "/fleet/software/titles/")) ||
+					(req.Method == http.MethodPost && strings.HasSuffix(req.URL.Path, "/bootstrap")) {
 					var zeroTime time.Time
 					rc := http.NewResponseController(rw)
-					// For large software installers, the server time needs time to read the full
+					// For large software installers and bootstrap packages, the server time needs time to read the full
 					// request body so we use the zero value to remove the deadline and override the
 					// default read timeout.
 					// TODO: Is this really how we want to handle this? Or would an arbitrarily long

frontend/pages/SoftwarePage/SoftwareAddPage/SoftwareFleetMaintained/FleetMaintainedAppDetailsPage/FleetAppDetailsForm/FleetAppDetailsForm.tsx

@@ -91,7 +91,7 @@ export const InstallTypeSection = ({
           onChange={onChangeInstallType}
           helpText={
             <>
-              Manually install on <b>Host details</b> page for each host.
+              Manually install on the <b>Host details</b> page for each host.
             </>
           }
         />