Add applied_spec_software for YAML software updates

.github/scripts/update_osquery_versions.py

@@ -1,15 +1,21 @@
 import os
-import requests
 import re
+import json
+import http.client
 
 # Use GITHUB_WORKSPACE to get the root of your repository
 repo_root = os.environ.get('GITHUB_WORKSPACE', '')
 FILE_PATH = os.path.join(repo_root, 'frontend', 'utilities', 'constants.tsx')
 
 
 def fetch_osquery_versions():
-    response = requests.get('https://api.github.com/repos/osquery/osquery/releases')
-    releases = response.json()
+    conn = http.client.HTTPSConnection('api.github.com')
+    conn.request('GET', '/repos/osquery/osquery/releases', headers={"User-Agent": "Fleet/osquery-checker"})
+    resp = conn.getresponse()
+    content = resp.read()
+    conn.close()
+    releases = json.loads(content.decode('utf-8'))
+
     return [release['tag_name'] for release in releases if not release['prerelease']]
 
 def update_min_osquery_version_options(new_versions):

.github/workflows/update-osquery-versions.yml

@@ -16,9 +16,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
         with:
-          python-version: "3.x"
-      - name: Install dependencies
-        run: pip install requests
+          python-version: "3.13.1"
       - name: Update Osquery versions in UI
         run: python .github/scripts/update_osquery_versions.py
       - name: PR changes

CHANGELOG.md

@@ -1,3 +1,72 @@
+## Fleet 4.61.0 (Dec 17, 2024)
+
+## Endpoint operations
+- Added support to require email verification (MFA) on each login when setting up a Fleet user outside SSO.
+- Extended Linux encryption key escrow support to Ubuntu 20.04.6.
+- Added missing APM instrumentation for Fleet API routes.
+- Improved label validation when running live queries. Previously, when passing label(s) that do not exist, the labels were ignored. Now, an error is returned indicating which labels were not found. This change affects both the API and `fleetctl query` command.
+
+## Device management (MDM)
+- Added functionality for creating an automatic install policy for Fleet-maintained apps.
+- Replaced Zoom Fleet-maintained app with Zoom for IT, which does not open any windows during installation.
+- Added support for the new `windows_migration_enabled` setting (can be set via `fleetctl`, the `PATCH /api/latest/fleet/config` API endpoint and the UI). Requires a premium license.
+- Updated to only show the "follow instructions on My device" banner for Linux hosts whose disks are encrypted but for which Fleet hasn't escrowed a valid key.
+- Added App Store app UI: Added different empty state when VPP token is not added at all vs. when it's not assigned to a team to prevent confusion.
+- Allowed APNS key to be in unencrypted PKCS8 format, which may happen when migrating from another MDM.
+- Allowed calling `/api/v1/fleet/software/fleet_maintained_apps` with no team ID to retrieve the full global list of maintained apps.
+- Added UI changes for windows MDM page and allow for automatic migration for windows hosts.
+- Bypassed the setup experience UI if there is no setup experience item to process (no software to install, no script to execute), so that releasing the device is done without going through that window.
+
+## Vulnerability management
+- Added `without_vulnerability_details` to software versions endpoint (/api/latest/fleet/software/versions) so CVE details can be truncated when on Fleet Premium.
+- Fixed an issue where the github cli software name was not matching against the cpe vulnerability name.
+
+## Bug fixes and improvements
+- Updated Go version to 1.23.4.
+- Update help text for policy automation Install software and run script modals.
+- Updated to display Windows MDM WSTEP flags in `fleet --help`.
+- Added language in email templates indicating that users should not reply to the automated emails.
+- Added better information on what deleting a host does.
+- Added a clearer error message when users attempt to turn MDM off on a Windows host.
+- Improved side nav empty state UI under `/settings`.
+- Added missing loading spinner for delete modals (delete configuration profile, delete script, delete setup script and delete software).
+- Improved performance of updating the `nano_enrollments.last_seen_at` timestamp of Apple MDM devices by an order of magnitude under load.
+- Improved MDM `SELECT FROM nano_enrollment_queue` MySQL query performance, including calling it on DB reader much of the time.
+- Updated Inter font to latest version for woff2 files.
+- Added better documentation around how the --label flag works in the fleetctl query command.
+- Switched Twitter logo to X logo in Fleet-initiated automated emails.
+- Removed duplicate indexes from the database schema..
+- Added cleanup job to delete stuck pending Apple profiles, and requeue them.
+- Exclude any custom sourced "users" from the host details "used by" display if Fleet doesn't have an email for them.
+- Replaced the internal use of the deprecated `go.mozilla.org/pkcs7` package with the maintained fork `github.com/smallstep/pkcs7`.
+- Switched email template font to Inter to match previous changes in the rest of the UI.
+- Updated resend config profile API from `hosts/[hostid}/configuration_profiles/resend/{uuid}` to `hosts/{hostid}/configuration_profiles/{uuid}/resend`.
+- Update nanomdm dependency with latest bug fixes and improvements.
+- Updated documentation to include `firefox_preferences` table for Linux and Windows platforms.
+- Restored the user's previous scroll, if any, when they change the filter on the host software table.
+- Updated a link in the Fleet-maintained apps UI to point to the correct place.
+- Removed image borders that are included in Apple's app store icons.
+- Redirect when user provides an invalid URL param for fleet-maintained software id.
+- Added additional statistics item for number of saved queries.
+- Fixed a bug where the name of the setup experience script was not showing up in the activity for that script execution.
+- Present a nicely formatted and more informative UI for log destination in two places.
+- Fixed bug in `fleetdm/fleetctl` docker image where the `build` directory does not exist when generating deb/rpm packages.
+- Fixed missing read permission for team maintainers and admins on Fleet maintained apps.
+- Fixed a bug that would add "Fleet" to activities where it shouldn't be.
+- Fixed ability to clear policy automation that empties webhook URL.
+- Fixes a bug with pagination in the profiles and scripts lists.
+- Fixed duplicate queries in query stats list in host details.
+- Fixed zip and dmg automations showing null platform for installer
+- Fixed a typo in the loading modal when adding a Fleet-maintained app.
+- Fixed UI bug where "Actions" dropdown on host software page included "Install" and "Uninstall" options for software that is not able to be installed via Fleet.
+- Fixed a bug where the HTTP client used for MDM APNs push notifications did not support using a configured proxy.
+- Fixed potential deadlocks when deploying Apple configuration profiles.
+- Fixed releasing a DEP-enrolled macOS device if mTLS is configured for `fleetd`.
+- Fixed learn more about JIT provisioning link.
+- Fixed an issue with the copy for the activity generated by viewing a locked macOS host's PIN.
+- Fixed breaking with gitops user role running `fleetctl gitops` command when MDM is enabled.
+- Fixed responsive styles for the ADM table.
+
 ## Fleet 4.60.1 (Dec 03, 2024)
 
 ### Bug fixes

articles/consolidate-multiple-tools-with-fleet.md

@@ -88,3 +88,4 @@ To learn more about how Fleet can support your organization, visit [fleetdm.com/
 <meta name="publishedOn" value="2024-12-06">
 <meta name="articleTitle" value="Leading financial company consolidates multiple tools with Fleet">
 <meta name="description" value="Leading financial company consolidates multiple tools with Fleet">
+<meta name="showOnTestimonialsPageWithEmoji" value="🥀">

articles/deputy-achieves-compliance-and-clarity-with-fleet.md

@@ -0,0 +1,68 @@
+# How Deputy achieved compliance and clarity with Fleet—keeping shift work in sync
+
+## Challenge
+
+[Deputy](https://www.deputy.com/), a global leader in workforce management software, needed a reliable way to capture device telemetry, troubleshoot issues, and ensure accurate reporting on OS and software updates to maintain SLA compliance. The increasing number of software applications and browser extensions introduced additional complexity, leading to compliance challenges and gaps across cross-functional teams.
+
+## Solution
+Deputy immediately leveraged Fleet’s robust [API](https://fleetdm.com/docs/rest-api/rest-api) to streamline reporting and enhance visibility across their infrastructure. The engineering team quickly automated reporting processes, delivering regular snapshots of their hosts directly into [Slack](https://slack.com/) channels. This provided security and operations teams with the transparency needed to monitor system health effectively. Using creative solutions, the team built a ‘rolling’ delta to track changes as OS updates were released and patched, enabling real-time updates to the Director of Security.
+
+Previously reliant on [Kolide](https://www.kolide.com/), Deputy reduced costs by transitioning to Fleet while benefiting from hands-on support and direct access to Fleet’s engineers. They spun up a [dedicated Fleet instance](https://fleetdm.com/docs/deploy/deploy-fleet) on their managed infrastructure, tailoring configurations and deployments to meet the unique needs of their organization.
+
+## Results
+
+<div purpose="checklist">
+
+Automated reporting and transparency
+
+OS change tracking 
+
+Quick troubleshooting of host issues
+
+Cost savings and efficiency
+</div>
+
+Fleet provided [real-time visibility](https://fleetdm.com/orchestration) into security posture and operational performance, enabling the IT operations team to proactively address issues and stay ahead of potential risks. Fleet also streamlined processes, allowing Deputy to maintain consistency and control across their rapidly expanding fleet of global devices, supporting their diverse teams with a unified approach to security and compliance. End user experience is always top of mind at Deputy, and Fleets lightweight agent and minimal performance impact allowed the agent to be deployed quickly and confidently.
+
+
+## Deputy’s Story
+
+Headquartered in Australia, Deputy is rapidly expanding its global presence with offices in Sydney, San Francisco, and London. With a growing, diverse workforce, they needed a centralized platform to provide comprehensive insights into the health and security posture of their operations worldwide. By switching to Fleet, Deputy gained a new level of visibility and control over their devices, enabling them to save time on implementing new processes and proactively managing their fleet.
+
+They achieved this through:
+
+- API-Driven reporting and automation
+- Comprehensive device health querying
+- Enhanced endpoint visibility
+- Flexible deployment options
+
+### API-driven reporting and automation
+
+Deputy’s Corporate Engineering team recognized the potential of automating routine compliance and reporting tasks. With Fleet, they streamlined their reporting workflows, enabling quick generation of [compliance](https://fleetdm.com/queries) reports and real-time tracking of device status. This automation significantly reduced manual effort and made it easier to respond to auditor requests for [ISO27001](https://www.iso.org/standard/75652.html) and [SOC2](https://en.wikipedia.org/wiki/System_and_Organization_Controls) compliance documentation.
+
+### Comprehensive device health querying
+
+With Fleet’s robust osquery capabilities and extensive library of pre-built queries, Deputy was able to ask questions about a device that was previously not available as easily. Engineers could now easily check the status of EDR tools, monitor memory-intensive processes, assess battery health and cycle counts, and much more - enabling them to quickly address issues as soon as they appeared in the helpdesk.
+
+### Enhanced endpoint visibility
+
+For Deputy’s CorpEng and Trust teams, having visibility into the software and packages installed on every device is essential for proactive security. Fleet’s aggregation of installed software helped Deputy quickly identify and [mitigate vulnerabilities](https://fleetdm.com/software-management), including high-priority zero-day exploits like the [XZ Utils issue](https://en.wikipedia.org/wiki/XZ_Utils_backdoor), ensuring a rapid response to threats.
+
+### Flexible deployment options
+
+When evaluating tools, Deputy wanted the ability to manage their own infrastructure in AWS, ensuring a flexible deployment path that aligned with their infrastructure-as-code approach. This allowed them to right-size their deployment, optimizing costs and resources. The self-hosting option allowed Deputy security teams to wire in existing Cloud Security Posture Management tools to observe misconfiguration detection and continuous monitoring of cloud resources.
+
+
+## Conclusion
+
+By switching to Fleet, Deputy gained a powerful, flexible solution that addressed their need for centralized device visibility, streamlined compliance reporting, and proactive security management. Fleet’s robust API, real-time telemetry, and flexible deployment options empowered Deputy to automate processes, reduce operational overhead, and improve their security posture. With greater insight into their devices, Deputy can confidently support their growing global workforce.
+
+<call-to-action></call-to-action>
+
+<meta name="category" value="announcements">
+<meta name="authorGitHubUsername" value="harrisonravazzolo">
+<meta name="authorFullName" value="Harrison Ravazzolo">
+<meta name="publishedOn" value="2024-12-17">
+<meta name="articleTitle" value="How Deputy achieved compliance and clarity with Fleet—keeping shift work in sync">
+<meta name="description" value="How Deputy achieved compliance and clarity with Fleet—keeping shift work in sync">
+<meta name="showOnTestimonialsPageWithEmoji" value="🚪">

articles/fleet-4.61.0.md

@@ -1,5 +1,9 @@
 # Fleet 4.61.0 | Auto-install software, email two-factor authentication (2FA), automatic Windows migration
 
+<div purpose="embedded-content">
+   <iframe src="https://www.youtube.com/embed/f_uopfwa3ys?si=taTKh9l8iXJ-sC88" frameborder="0" allowfullscreen></iframe>
+</div>
+
 Fleet 4.61.0 is live. Check out the full [changelog](https://github.com/fleetdm/fleet/releases/tag/fleet-v4.61.0) or continue reading to get the highlights.
 For upgrade instructions, see our [upgrade guide](https://fleetdm.com/docs/deploying/upgrading-fleet) in the Fleet docs.
 
@@ -98,4 +102,4 @@ Visit our [Upgrade guide](https://fleetdm.com/docs/deploying/upgrading-fleet) in
 <meta name="authorGitHubUsername" value="noahtalerman">
 <meta name="publishedOn" value="2024-12-17">
 <meta name="articleTitle" value="Fleet 4.61.0 | Auto-install software, email two-factor authentication (2FA), automatic Windows migration">
-<meta name="articleImageUrl" value="../website/assets/images/articles/[email protected]">
+<meta name="articleImageUrl" value="../website/assets/images/articles/[email protected]">

articles/foursquare-quickly-migrates-to-fleet.md

@@ -87,3 +87,4 @@ Foursquare’s migration to Fleet for device management highlights its commitmen
 <meta name="publishedOn" value="2024-12-13">
 <meta name="articleTitle" value="Foursquare quickly migrates to Fleet for Device Management">
 <meta name="description" value="Foursquare quickly migrates to Fleet for Device Management">
+<meta name="showOnTestimonialsPageWithEmoji" value="🚪">

articles/global-cloud-platform-simplifies-device-management-with-fleet.md

@@ -95,3 +95,4 @@ I love Fleet.
 <meta name="publishedOn" value="2024-12-09">
 <meta name="articleTitle" value="Global edge cloud platform simplifies device management with Fleet">
 <meta name="description" value="Global edge cloud platform simplifies device management">
+<meta name="showOnTestimonialsPageWithEmoji" value="🪟">

articles/global-social-media-platform-switches-to-fleet.md

@@ -77,3 +77,5 @@ Transitioning to Fleet provided the platform with a strategic solution that addr
 <meta name="publishedOn" value="2024-12-16">
 <meta name="articleTitle" value="Global social media platform migrates to Fleet">
 <meta name="description" value="Global social media platform migrates to Fleet">
+<meta name="showOnTestimonialsPageWithEmoji" value="🥀">
+

articles/large-gaming-company-enhances-server-observability-with-fleet.md

@@ -78,3 +78,4 @@ By adopting Fleet for server observability, they've successfully addressed scala
 <meta name="publishedOn" value="2024-12-11">
 <meta name="articleTitle" value="Large gaming company enhances server observability with Fleet">
 <meta name="description" value="Large gaming company enhances server observability with Fleet">
+<meta name="showOnTestimonialsPageWithEmoji" value="🔌">

articles/vehicle-manufacturer-transitions-to-fleet-for-endpoint-security.md

@@ -82,3 +82,4 @@ The decision to purchase Fleet was driven by the need for a more reliable, compr
 <meta name="publishedOn" value="2024-12-12">
 <meta name="articleTitle" value="Vehicle manufacturer transitions to Fleet for endpoint security">
 <meta name="description" value="Vehicle manufacturer transitions to Fleet for endpoint security">
+<meta name="showOnTestimonialsPageWithEmoji" value="🚪">

articles/worldwide-security-and-authentication-platform-chooses-fleet-for-linux.md

@@ -87,3 +87,4 @@ To learn more about how Fleet can support your organization, visit [fleetdm.com/
 <meta name="publishedOn" value="2024-12-10">
 <meta name="articleTitle" value="Worldwide security and authentication platform chooses Fleet for Linux management">
 <meta name="description" value="Worldwide security and authentication platform switches to Fleet for Linux device management">
+<meta name="showOnTestimonialsPageWithEmoji" value="🚪">

changes/23238-use-secrets-in-scripts-profiles

@@ -1,3 +1,4 @@
 Added ability to use secrets ($FLEET_SECRET_YOURNAME) in scripts and profiles.
 - Added `/fleet/spec/secret_variables` API endpoint.
 - fleetctl gitops identifies secrets in scripts and profiles and saves them on the Fleet server.
+- secret values are populated when scripts and profiles are sent to devices.