* Updated MDM profile verification so that an install profile command will be retried once if the command resulted in an error or if osquery cannot confirm that the expected profile is installed.
* Ensured post-enrollment commands are sent to devices assigned to Fleet in ABM.
* Ensured hosts assigned to Fleet in ABM come back to pending to the right team after they're deleted.
* Added `labels` to the fleetd extensions feature to allow deploying extensions to hosts that belong to certain labels.
* Changed fleetd Windows extensions file extension from `.ext` to `.ext.exe` to allow their execution on Windows devices (executables on Windows must end with `.exe`).
* Surfaced chrome live query errors to Fleet UI (including errors for specific columns while maintaining successful data in results).
* Fixed delivery of fleetd extensions to devices to only send extensions for the host's platform.
* (Premium only) Added `resolved_in_version` to `/fleet/software` APIs pulled from NVD feed.
* Added database migrations to create the new `scripts` table to store saved scripts.
* Allowed specifying `disable_failing_policies` on the `/api/v1/fleet/hosts/report` API endpoint for increased performance. This is useful if the user is not interested in counting failed policies (`issues` column).
* Added the option to use locally-installed WiX v3 binaries when generating the Fleetd installer for Windows on a Windows machine.
* Added CVE descriptions to the `/fleet/software` API.
* Restored the ability to click on and select/copy text from software bundle tooltips while maintaining the abilities to click the software's name to get more details and to click anywhere else in the row to view all hosts with that software installed.
* Stopped 1password from overly autofilling forms.
* Upgraded Go version to 1.21.1.
### Bug Fixes
* Fixed vulnerability mismatch between the flock browser and the discoteq/flock binary.
* Fixed v4.37.0 performance regressions in the following API endpoints:
*`/api/v1/fleet/hosts/report`
*`/api/v1/fleet/hosts` when using `per_page=0` or a large number for `per_page` (in the thousands).
* Fixed script content and output formatting on the scripts detail modal.
* Fixed wrong version numbers for Microsoft Teams in macOS (from invalid format of the form `1.00.XYYYYY` to correct format `1.X.00.YYYYY`).
* Fixed false positive CVE-2020-10146 found on Microsoft Teams.
* Fixed CVE-2013-0340 reporting as a valid vulnerability due to NVD recommendations.
* Fixed save button for a new policy after newly creating another policy.
* Fixed empty query/policy placeholders.
* Fixed used by data when filtering hosts by labels.
* Fixed small copy and alignment issue with status indicators in the Queries page Automations column.
* Fixed strict checks on Windows MDM Automatic Enrollment.
* Fixed software vulnerabilities time ago column for old CVEs.
* Added `/scripts/run` and `scripts/run/sync` API endpoints to send a script to be executed on a host and optionally wait for its results.
* Added `POST /api/fleet/orbit/scripts/request` and `POST /api/fleet/orbit/scripts/result` Orbit-specific API endpoints to get a pending script to execute and send the results back, and added an Orbit notification to let the host know it has scripts pending execution.
* Improved performance at scale when applying hundreds of policies to thousands of hosts via `fleetctl apply`.
- IMPORTANT: In previous versions of Fleet, there was a performance issue (thundering herd) when applying hundreds of policies on a large number of hosts. To avoid this, make sure to deploy this version of Fleet, and make sure Fleet is running for at least 1h (or the configured `FLEET_OSQUERY_POLICY_UPDATE_INTERVAL`) before applying the policies.
* Added pagination to the policies API to increase response time.
* Added policy count endpoints to support pagination on the frontend.
* Added an endpoint to report `fleetd` errors.
* Added logic to report errors during MDM migration.
* Added support in fleetd to execute scripts and send back results (disabled by default).
* Added an activity log when script execution was successfully requested.
* Automatically set the DEP profile to be the same as "no team" (if set) for teams created using the `/match` endpoint (used by Puppet).
* Added JumpCloud to the list of well-known MDM solutions.
* Added `fleetctl run-script` command.
* Made all table links right-clickable.
* Improved the layout of the MDM SSO pages.
* Stored user email when a user turned on MDM features with SSO enabled.
* Updated the copy and image displayed on the MDM migration modal.
* Upgraded Go to v1.19.12.
* Updated the macadmins/osquery-extension to v0.0.15.
* Updated nanomdm dependency.
### Bug Fixes
* Fixed a bug where live query UI and export data tables showed all returned columns.
* Fixed a bug where Jira and/or Zendesk integrations were being removed when an unrelated setting was changed.
* Fixed software ingestion to not re-insert software when incoming fields from hosts were longer than what Fleet supports. This bug caused some CVEs to be reported every time the vulnerability cron ran.
- IMPORTANT: After deploying this fix, the vulnerability cron will report the CVEs one last time, and subsequent cron runs will not report the CVE (as expected).
* Fixed duplicate policy names in `ee/cis/win-10/cis-policy-queries.yml`.
* Fixed typos in policy queries in the Windows CIS policies YAML (`ee/cis/win-10/cis-policy-queries.yml`).
* Fixed a bug where query stats (aka `Performance impact`) were not being populated in Fleet.
* Added validation to `fleetctl apply` for duplicate policy names in the YAML file and attempting to change the team of an existing policy.
* Optimized host queries when using policy statuses.
* Changed the authentication method during Windows MDM enrollment to use `LoadHostByOrbitNodeKey` instead of `HostByIdentifier`.
* Fixed alignment on long label names on host details label filter dropdown.
* Added UI for script run activity and script details modal.
* Fixed queries navigation bar bug where if in query detail, you could not navigate back to the manage queries table.
* Made policy resolutions that include URLs clickable in the UI.
* Fixed Fleet UI custom query frequency display.
* Fixed live query filter icon and various other live query icons.
* Fixed Fleet UI tabs highlight while tabbing but not on multiple clicks.
* Added the `fleetctl upgrade-packs` command to migrate 2017 packs to the new combined schedule and query concept.
* Updated `fleetctl convert` to convert packs to the new combined schedule and query format.
* Updated the `POST /mdm/apple/profiles/match` endpoint to set the bootstrap package and enable end user authentication settings for each new team created via the endpoint to the corresponding values specified in the app config as of the time the applicable team is created.
* Added enroll secret for a new team created with `fleetctl apply` if none is provided.
* Improved SQL autocomplete with dynamic column, table names, and shown metadata.
* Cleaned up styling around table search bars.
* Updated MDM profile verification to fix issue where profiles were marked as failed when a host
is transferred to a newly created team that has an identical profile as an older team.
* Added windows MDM automatic enrollment setup pages to Fleet UI.
* (Beta) Allowed configuring Windows MDM certificates using their contents.
* Updated the icons on the dashboard to new grey designs.
* Ensured DEP profiles are assigned even for devices that already exist and have an op type = "modified".
* Disabled save button for invalid query or policy SQL & missing name.
* Users with no global or team role cannot access the UI.
* Text cells truncate with ellipses if longer than column width.
**Bug Fixes:**
* Fixed styling issue of the active settings tab.
* Fixed response status code to 403 when a user cannot change their password either because they were not requested to by the admin or they have Single-Sign-On (SSO) enabled.
* Fixed issues with end user migration flow.
* Fixed login form cut off when viewport is too short.
* Fixed bug where `os_version` endpoint returned 404 for `no teams` on controls page.
* Fixed delays applying profiles when the Puppet module is used in distributed scenarios.
* Fixed a style issue in the filter host by status dropdown.
* Fixed an issue when a user with `gitops` role was used to validate a configuration with `fleetctl apply --dry-run`.
* Fixed jumping text on the host page label filter dropdown at low viewport widths.
* Fixed a migration to account for columns with NULL values as a result of either creating schedules via the API without providing all values or by a race condition with database replicas.
* Fixed a bug that occurred when a user tried to create a custom query from the "query" action on a host's details page.
* Combined the query and schedule features to provide a single interface for creating, scheduling, and tweaking queries at the global and team level.
* Merged all functionality of the schedule page into the queries page.
* Updated the save query modal to include scheduling-related fields.
* Updated queries table schema to allow storing scheduling information and configuration in the queries table.
* Users now able to manage scheduled queries using automations modal.
* The `osquery/config` endpoint now includes scheduled queries for the host's team stored in the `queries` table.
* Query editor now includes frequency and other advanced options.
* Updated macOS MDM setup UI in Fleet UI.
* Changed how team assignment works for the Puppet module, for more details see the [README](https://github.com/fleetdm/fleet/blob/main/ee/tools/puppet/fleetdm/README.md).
* Allow the Puppet module to read different Fleet URL/token combinations for different environments.
* Updated server logging for webhook requests to mask URL query values if the query param name includes "secret", "token", "key", "password".
* Added support for Azure JWT tokens.
* Set `DeferForceAtUserLoginMaxBypassAttempts` to `1` in the default FileVault profile installed by Fleet.
* Added dark and light mode logo uploads and show the appropriate logo to the macOS MDM migration flow.
* Added MSI installer deployement support through MS-MDM.
* Added support for Windows MDM STS Auth Endpoint.
* Added support for installing Fleetd after enrolling through Azure account.
* Added support for MDM TOS endpoint.
* Updated the "Platforms" column to the more explicit "Compatible with".
* Improved delivery of Apple MDM profiles by not re-sending `InstallProfile` commands if a host switches teams but the profile contents are the same.
* Improved error handling and messaging of SSO login during AEP(DEP) enrollments.
* Improved the reporting of the Puppet module to only report as changed profiles that actually changed during a run.
* Updated ingestion of host detail queries for MDM so hosts that report empty results are counted as "Off".
* Upgraded Go version to v1.19.11.
* If a policy was defined with an invalid query, the desktop endpoint now counts that policy as a failed policy.
* Fixed issue where Orbit repeatedly tries to launch Nudge in the event of a launch error.
* Fixed Observer + should be able to run any query by clicking create new query.
* Fixed the styling of the initial setup flow.
* Fixed URL used to check Gravatar network availability.
* Added execution of programmatic Windows MDM enrollment on eligible devices when Windows MDM is enabled.
* Microsoft MDM Enrollment Protocol: Added support for the RequestSecurityToken messages.
* Microsoft MDM Enrollment Protocol: Added support for the DiscoveryRequest messages.
* Microsoft MDM Enrollment Protocol: Added support for the GetPolicies messages.
* Added `enabled_windows_mdm` and `disabled_windows_mdm` activities when a user turns on/off Windows MDM.
* Added support to enable and configure Windows MDM and to notify devices that are able to programmatically enroll.
* Added ability to turn Windows MDM on and off from the Fleet UI.
* Added enable and disable Windows MDM activity UI.
* Updated MDM detail query ingestion to switch MDM profiles from "verifying" or "verified" status to "failed" status when osquery reports that this profile is not installed on the host.
* Added notification and execution of programmatic Windows MDM unenrollment on eligible devices when Windows MDM is disabled.
* Added the `FLEET_DEV_MDM_ENABLED` environment variable to enable the Windows MDM feature during its development and beta period.
* Added the `mdm_enabled` feature flag information to the response payload of the `PATCH /config` endpoint.
* When creating a PolicySpec, return the proper HTTP status code if the team is not found.
* Added CPEMatchingRule type, used for correcting false positives caused by incorrect entries in the NVD dataset.
* Optimized macOS CIS query "Ensure Appropriate Permissions Are Enabled for System Wide Applications" (5.1.5).
* Updated macOS CIS policies 5.1.6 and 5.1.7 to use a new fleetd table `find_cmd` instead of relying on the osquery `file` table to improve performance.
* Implemented the privacy_preferences table for the Fleetd Chrome extension.
* Warnings in fleetctl now go to stderr instead of stdout.
* Updated UI for transferred hosts activity items.
* Added Organization support URL input on the setting page organization info form.
* Added improved ABM 400 error message to the UI.
* Hide any osquery tables or columns from Fleet UI that has hidden set to true to match Fleet website.
* Ignore casing in SAML response for display name. For example the display name attribute can be provided now as `displayname` or `displayName`.
* Provide feedback to users when `fleetctl login` is using EMAIL and PASSWORD environment variables.
* Added a new activity `transferred_hosts` created when hosts are transferred to a new team (or no team).
* Added milliseconds to the timestamp of auto-generated team name when creating a new team in `GET /mdm/apple/profiles/match`.
* Improved dashboard loading states.
* Improved UI for selecting targets.
* Made sure that all configuration profiles and commands are sent to devices if MDM is turned on, even if the device never turned off MDM.
* Fixed bug when reading filevault key in osquery and created new Fleet osquery extension table to read the file directly rather than via filelines table.
* Fixed UI bug on host details and device user pages that caused the software search to not work properly when searching by CVE.
* Fixed not validating the schema used in the Metadata URL.
* Fixed improper HTTP status code if SMTP is invalid.
* Fixed false positives for iCloud on macOS.
* Fixed styling of copy message when copying fields.
* Fixed a bug where an empty file uploaded to `POST /api/latest/fleet/mdm/apple/setup/eula` resulted in a 500; now returns a 400 Bad Request.
* Fixed vulnerability dropdown that was hiding if no vulnerabilities.
* Fixed scroll behavior with disk encryption status.
* Fixed empty software image in sandbox mode.
* Fixed improper HTTP status code when `fleet/forgot_password` endpoint is rate limited.
* Fixed MaxBurst limit parameter for `fleet/forgot_password` endpoint.
* Fixed a bug where reading from the replica would not read recent writes when matching a set of MDM profiles to a team (the `GET /mdm/apple/profiles/match` endpoint).
* Fixed an issue that displayed Nudge to macOS hosts if MDM was configured but MDM features weren't turned on for the host.
* Fixed tooltip word wrapping on the error cell in the macOS settings table.
* Fixed extraneous loading spinner rendering on the software page.
* Fixed styling bug on setup caused by new font being much wider.
* Added instructions to inform users how to add ChromeOS hosts.
* Added ChromeOS details to the dashboard, manage hosts, and host details pages.
* Added ability for users to create policies that target ChromeOS.
* Added built-in label for ChromeOS.
* Added query to fill in `device_mapping` from ChromeOS hosts.
* Improved the performance of live query results rendering to address usability issues when querying tens of thousands of hosts.
* Reduced size of live query websocket message by removing unused host data.
* Added the `POST /fleet/mdm/apple/profiles/preassign` endpoint to store profiles to be assigned to a host for subsequent matching with an existing (or new) team.
* Added the `POST /fleet/mdm/apple/profiles/match` endpoint to match pre-assigned profiles to an existing team or create one if needed, and assign the host to that team.
* Updated `GET /mdm/apple/profiles` endpoint to return empty array instead of null if no profiles are found.
* Improved ingestion of MDM devices from ABM:
- If a device's operation_type is `modified`, but the device doesn't exist in Fleet yet, a DEP profile will be assigned to the device and a new record will be created in Fleet.
- If a device's operation_type is `deleted`, the device won't be prompted to migrate to Fleet if the feature has been configured.
* Added "Verified" profile status for profiles verified with osquery.
* Added "Action required" status for disk encryption profile in UI for host details and device user pages.
* Added UI for the end user authentication page for MDM macos setup.
* Added new host detail query to verify MDM profiles and updated API to include verified status.
* Added documentation in the guide for `fleetctl get mdm-commands`.
* Moved post-DEP (automatic) MDM enrollment to a worker job for increased resiliency with retries.
* Added better UI error for manual enroll MDM modal.
* Updated `GET /api/_version_/fleet/config` to now omits fields `smtp_settings` and `sso_settings` if not set.
* Added a response payload to the `POST /api/latest/fleet/spec/teams` contributor API endpoint so that it returns an object with a `team_ids_by_name` key which maps team names with their corresponding id.
* Ensure we send post-enrollment commands to MDM devices that are re-enrolling after being wiped.
* Added error message to UI when Redis disconnects during a live query session.
* Optimized query used for listing activities on the dashboard.
* Added ability for users to delete multiple pages of hosts.
* Added ability to deselect label filter on host table.
* Added support for value `null` on `FLEET_JIT_USER_ROLE_GLOBAL` and `FLEET_JIT_USER_ROLE_TEAM_*` SAML attributes. Fleet will accept and ignore such `null` attributes.
* Deprecate `enable_jit_role_sync` setting and only change role for existing users if role attributes are set in the `SAMLResponse`.
* Improved styling in sandbox mode.
* Patched a potential security issue.
* Improved icon clarity.
* Fixed issues with the MDM migration flow.
* Fixed a bug with applying team specs via `fleetctl apply` and updating a team via the `PATCH /api/latest/fleet/mdm/teams/{id}` endpoint so that the MDM updates settings (`minimum_version` and `deadline`) are not cleared if not provided in the payload.
* Fixed table formatting for the output of `fleetctl get mdm-command-results`.
* Fixed the `/api/latest/fleet/mdm/apple_bm` endpoint so that it returns 400 instead of 500 when it fails to authenticate with Apple's Business Manager API, as this indicates a Fleet configuration issue with the Apple BM certificate or token.
* Fixed a bug that would show MDM URLs for the same server as different servers if they contain query parameters.
* Fixed an issue preventing a user with the `gitops` role from applying some MDM settings via `fleetctl apply` (the `macos_setup_assistant` and `bootstrap_package` settings).
* Fixed `GET /api/v1/fleet/spec/labels/{name}` endpoint so that it now includes the label id.
* Fixed Observer/Observer+ role being able to see team secrets.
* Fixed UI bug where `inherited_page=0` was incorrectly added to some URLs.
* Fixed misaligned icons in UI.
* Fixed tab misalignment caused by new font.
* Fixed dashed line styling on multiline activities.
* Fixed a bug in the users table where users that are observer+ for all of more than one team were listed as "Various roles".
* Fixed 500 error being returned if SSO session is not found.
* Fixed issue with `chrome_extensions` virtual table not returning a path value on `fleetd-chrome`, which was breaking software ingestion.
* Fixed bug with page navigation inside 'My Device' page.
* Fixed a styling bug in the add hosts modal in sandbox mode.
* Added `gitops` user role to Fleet. GitOps users are users that can manage configuration.
* Added the `fleetctl get mdm-commands` command to get a list of MDM commands that were executed. Added the `GET /api/latest/fleet/mdm/apple/commands` API endpoint.
* Added Fleet UI flows for uploading, downloading, deleting, and viewing information about a Fleet MDM
bootstrap package.
* Added `apple_bm_enabled_and_configured` to app config responses.
* Added support for the `mdm.macos_setup.macos_setup_assistant` key in the 'config' and 'team' YAML
payloads supported by `fleetctl apply`.
* Added the endpoints to set, get and delete the macOS setup assistant associated with a team or no team (`GET`, `POST` and `DELETE` methods on the `/api/latest/fleet/mdm/apple/enrollment_profile` path).
* Added functionality to gate Apple MDM login behind SAML authentication.
* Added new "verifying" status for MDM profiles.
* Migrated MDM status values from "applied" to "verifying" and updated associated endpoints.
* Updated macOS settings status filters and aggregate counts to more accurately reflect the status of
FileVault settings.
* Filter out non-`observer_can_run` queries for observers in `fleetctl get queries` to match the UI behavior.
* Fall back to a previous NVD release if the asset we want is not in the latest release.
* Users can now click back to software to return to the filtered host details software tab or filtered manage software page.
* Users can now bookmark software table filters.
* Added a maximum height to the teams dropdown, allowing the user to scroll through a large number of
teams.
* Present the 403 error page when a user with no access logs in.
* Back to hosts and back to software in host details and software details return to previous table
state.
* Bookmarkable URLs are now the source of truth for Manage Host and Manage Software table states.
* Removed old Okta configuration that was only documented for internal usage. These configs are being replaced for a general approach to gate profiles behind SSO.
* Removed any host's packs information for observers and observer plus in UI.
* Added `changed_macos_setup_assistant` and `deleted_macos_setup_assistant` activities for the macOS setup assistant setting.
* Hide reset sessions in user dropdown for current user.
* Added a suite of UI logic for premium features in the Sandbox environment.
* In Sandbox, added "Premium Feature" icons for premium-only option to designate a policy as "Critical," as well
as copy to the tooltip above the icon next to policies designated "Critical" in the Manage policies table.
* Added a star to let a sandbox user know that the "Probability of exploit" column of the Manage
Software page is a premium feature.
* Added "Premium Feature" icons for premium-only columns of the Vulnerabilities table when in
Sandbox mode.
* Inform prospective customers that Teams is a Premium feature.
* Fixed animation for opening edit user modal.
* Fixed nav bar buttons not responsively resizing when small screen widths cannot fit default size nav bar.
* Fixed a bug with and improved the overall experience of tabbed navigation through the setup flow.
* Fixed `/api/_version/fleet/logout` to return HTTP 401 if unauthorized.
* Fixed endpoint to return proper status code (401) on `/api/fleet/orbit/enroll` if secret is invalid.
* Fixed a bug where a white bar appears at the top of the login page before the app renders.
* Fixed bug in manage hosts table where UI elements related to row selection were displayed to a team
observer user when that user was also a team and maintainer or admin on another team.
* Fixed bug in add policy UI where a user that is team maintainer or team admin cannot access the UI
to save a new policy if that user is also an observer on another team.
* Fixed UI bug where dashboard links to hosts filtered by platform did not carry over the selected
team filter.
* Fixed not showing software card on dashboard when clicking on vulnerabilities.
* Fixed a UI bug where fields on the "My account" page were cut off at smaller viewport widths.
* Fixed software table to match UI spec (responsively hidden vulnerabilities/probability of export column under 990px width).
* Fixed a bug where bundle information displayed in tooltips over a software's name was mistakenly
hidden.
* Fixed an HTTP 500 on `GET /api/_version_/fleet/hosts` returned when `mdm_enrollment_status` is invalid.
* Removed both `FLEET_MDM_APPLE_ENABLE` and `FLEET_DEV_MDM_ENABLED` feature flags.
* Automatically send a configuration profile for the `fleetd` agent to teams that use DEP enrollment.
* DEP JSON profiles are now automatically created with default values when the server is run.
* Added the `--mdm` and `--mdm-pending` flags to the `fleetctl get hosts` command to list hosts enrolled in Fleet MDM and pending enrollment in Fleet MDM, respectively.
* Added support for the "enrolled" value for the `mdm_enrollment_status` filter and the new `mdm_name` filter for the "List hosts", "Count hosts" and "List hosts in label" endpoints.
* Added the `fleetctl mdm run-command` command, to run any of the [Apple-supported MDM commands](https://developer.apple.com/documentation/devicemanagement/commands_and_queries) on a host.
* Added the `fleetctl get mdm-command-results` sub-command to get the results for a previously-executed MDM command.
* Added API support to filter the host by the disk encryption status on "GET /hosts", "GET /hosts/count", and "GET /labels/:id/hosts" endpoints.
* Added API endpoint for disk encryption aggregate status data.
* Automatically install `fleetd` for DEP enrolled hosts.
* Updated hosts' profiles status sync to set to "pending" immediately after an action that affects their list of profiles.
* Updated FileVault configuration profile to disallow device user from disabling full-disk encryption.
* Updated MDM settings so that they are consistent, and updated documentation for clarity, completeness and correctness.
* Added `observer_plus` user role to Fleet. Observers+ are observers that can run any live query.
* Added a premium-only "Published" column to the vulnerabilities table to display when a vulnerability was first published.
* Improved version detection for macOS apps. This fixes some false positives in macOS vulnerability detection.
* If a new CPE translation rule is pushed, the data in the database should reflect that.
* If a false positive is patched, the data in the database should reflect that.
* Include the published date from NVD in the vulnerability object in the API and the vulnerability webhooks (premium feature only).
* User management table informs which users only have API access.
* Added configuration option `websockets_allow_unsafe_origin` to optionally disable the websocket origin check.
* Added new config `prometheus.basic_auth.disable` to allow running the Prometheus endpoint without HTTP Basic Auth.
* Added missing tables to be cleared on host deletion (those that reference the host by UUID instead of ID).
* Introduced new email backend capable of sending email directly using SES APIs.
* Upgraded Go version to 1.19.8 (includes minor security fixes for HTTP DoS issues).
* Uninstalling applications from hosts will remove the corresponding entry in `software` if no more hosts have the application installed.
* Removed the unused "Issuer URI" field from the single sign-on configuration page of the UI.
* Fixed an issue where some icons would appear clipped at certain zoom levels.
* Fixed a bug where some empty table cells were slightly different colors.
* Fixed e-mail sending on user invites and user e-mail change when SMTP server has credentials.
* Fixed logo misalignment.
* Fixed a bug where for certain org logos, the user could still click on it even outside the navbar.
* Fixed styling bugs on the SelectQueryModal.
* Fixed an issue where custom org logos might be displayed off-center.
* Fixed a UI bug where in certain states, there would be extra space at the right edge of the Manage Hosts table.
* Fixed a migration that was causing `fleet prepare db` to fail due to changes in the collation of the tables. IMPORTANT: please make sure to have a database backup before running migrations.
* Fixed an issue where users would see the incorrect disk encryption banners on the My Device page.
* Added the `mdm.macos_settings.enable_disk_encryption` option to the `fleetctl apply` configuration
files of "config" and "team" kind as a Fleet Premium feature.
* Added `mdm.macos_settings.disk_encryption` and `mdm.macos_settings.action_required` status fields in the response for a single host (`GET /hosts/{id}` and `GET /device/{token}` endpoints).
* Added MDM solution name to `host.mdm`in API responses.
* Added support for fleetd to enroll a device using its serial number (in addition to its system
UUID) to help avoid host-matching issues when a host is first created in Fleet via the MDM
automatic enrollment (Apple Business Manager).
* Added ability to filter data under the Hosts tab by the aggregate status of hosts' MDM-managed macos
settings.
* Added activity feed items for enabling and disabling disk encryption with MDM.
* Added FileVault banners on the Host Details and My Device pages.
* Added activities for when macOS disk encryption setting is enabled or disabled.
* Added UI for fleet mdm managed disk encryption toggling and the disk encryption aggregate data.
* Added support to update a team's disk encryption via the Modify Team (`PATCH /api/latest/fleet/teams/{id}`) endpoint.
* Added a new API endpoint to gate access to an enrollment profile behind Okta authentication.
* Added new configuration values to integrate Okta in the DEP MDM flow.
* Added logic to ingest and decrypt FileVault recovery keys on macOS if Fleet's MDM is enabled.
* Create activity feed types for the creation, update, and deletion of macOS profiles (settings) via
MDM.
* Added an API endpoint to retrieve a host disk encryption key for macOS if Fleet's MDM is enabled.
* Added UI implementation for users to upload, download, and deleted macos profiles.
* Added activity feed types for the creation, update, and deletion of macOS profiles (settings) via
MDM.
* Added API endpoints to create, delete, list, and download MDM configuration profiles.
* Added "edited macos profiles" activity when updating a team's (or no team's) custom macOS settings via `fleetctl apply`.
* Enabled installation and auto-updates of Nudge via Orbit.
* Added support for providing `macos_settings.custom_settings` profiles for team (with Fleet Premium) and no-team levels via `fleetctl apply`.
* Added `--policies-team` flag to `fleetctl apply` to easily import a group of policies into a team.
* Remove requirement for Rosetta in installation of macOS packages on Apple Silicon. The binaries have been "universal" for a while now, but the installer still required Rosetta until now.
* Added max height on org logo image to ensure consistent height of the nav bar.
* Parse the Mac Office release notes and use that for doing vulnerability processing.
* Only set public IPs on the `host.public_ip` field and add documentation on how to properly configure the deployment to ingest correct public IPs from enrolled devices.
* Added tooltip with link to UI when Public IP address cannot be determined.
* Update to better URL validation in UI.
* Set policy platforms using the platform checkboxes as a user would expect the options to successfully save.
* Standardized on a default value for empty cells in the UI.
* Added link to query table in UI source (fleetdm.com/tables/table_name).
* Added live query distributed interval warnings on select targets picker and live query result page.
* Added a macOS settings indicator and modal on the host details and device user pages.
* Added configuration parameters for the filesystem logging destination -- max_size, max_age, and max_backups are now configurable rather than hardcoded values.
* Live query/policy selecting "All hosts" is mutually exclusive from other filters.
* Minor server changes to support Fleetd for ChromeOS (to be released soon).
* Fixed `network_interface_unix` and `network_interface_windows` to ingest "Private IPs" only
(filter out "Public IPs").
* Fixed how the Fleet MDM server URL is generated when stored for hosts enrolled in Fleet MDM.
* Fixed a panic when loading information for a host enrolled in MDM and its `is_server` field is
`NULL`.
* Fixed bug with host count on hosts filtered by operating system version.
* Fixed permissions warnings reported by Suspicious Package in macos pkg installers. These warnings
appeared to be purely cosmetic.
* Fixed UI bug: Long words in activity feed wrap within the div.
* Fixed "Turn off MDM" button appearing on host details without Fleet MDM enabled.
* Upgrade Go to 1.19.6 to remediate some low severity [denial of service vulnerabilities](https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E/m/CnYKgKwBBQAJ) in the standard library.
* Added API endpoint to unenroll a host from Fleet's MDM.
* Added Request CSR and Change default MDM BM team modals to Integrations > MDM.
* Added a `notifications` object to the response payload of `GET /api/fleet/orbit/config` that includes a `renew_enrollment_profile` field to indicate to fleetd that it needs to run a command on the device to renew the DEP enrollment profile.
* Added modal for automatic enrollment of a macOS host to MDM.
* Integrated with CSR request endpoint in fleet UI.
* Updated `Select targets` UI so that `Platforms`, `Teams`, and `Labels` become `AND` filters. Selecting 2 or more `Platforms`, `Teams`, and `Labels` continue to behave as `OR` filters.
* Added new activities to the activities API when a host is enrolled/unenrolled from Fleet's MDM.
* Implemented macOS update version content panel.
* Added an activity `edited_macos_min_version` when the required minimum macOS version is updated.
* Added the `GET /device/{token}/mdm/apple/manual_enrollment_profile` endpoint to allow downloading the manual MDM enrollment profile from the "My Device" page in Fleet Desktop.
* Run authorization checks before processing policy specs.
* Implemented the new Controls page and updated styling of the site-level navigation.
* Made `fleetctl get teams --yaml` output compatible with `fleetctl apply -f`.
* Added the `POST /api/v1/fleet/mdm/apple/request_csr` endpoint to trigger a Certificate Signing Request to fleetdm.com and return the associated APNs private key and SCEP certificate and key.
* Added mdm enrollment status and mdm server url to `GET /hosts` and `GET /hosts/:id` endpoint
responses.
* Added keys to the `GET /config` and `GET /device/:token` endpoints to inform if Fleet's MDM is properly configured.
* Add edited min macos version activity.
* User can hover over host UUID to see and copy full ID string.
* Made the 'Back to all hosts' link on the host details page fall back to the default path to the
manage hosts page. This addresses a bug in this functionality when the user navigates directly
with the URL.
* Implemented the ability for an authorized user to unenroll a host from MDM on its host details page. The host must be enrolled in MDM and online.
* Added nixos to the list of platforms that are detected at linux distributions.
* Allow to configure a minimum macOS version and a deadline for hosts enrolled into Fleet's MDM.
* Added license expiry to account information page for premium users.
* Removed stale time from loading team policies/policy automation so users are provided accurate team data when toggling between teams.
* Updated to software empty states and host details empty states.
* Changed default hosts per page from 100 to 50.
* Support `CrOS` as a valid platform string for customers with ChromeOS hosts.
* Clean tables at smaller screen widths.
* Log failed login attempts for user+pw and SSO logins (in the activity feed).
* Added `meta` attribute to `GET /activities` endpoint that includes pagination metadata. Fixed edge case
on UI for pagination buttons on activities card.
* Fleet Premium shows pending hosts on the dashboard and manage host page.
* Use stricter file permissions in `fleetctl updates add` command.
* When table only has 1 host, remove bulky tooltip overflow.
* Documented the Apple Push Notification service (APNs) and Apple Business Manager (ABM) setup and renewal steps.
* Added new activity that records create/edit/delete user roles.
* Log all successful logins as activity and all attempts with ip in stderr.
* Added API endpoint to generate DEP public and private keys.
* Added ability to mark policy as critical with Fleet Premium.
* Added ability to mark policies run automation for all already failing hosts.
* Added `fleet serve` configuration flags for Apple Push Notification service (APNs) and Simple
Certificate Enrollment Protocol (SCEP) certificates and keys.
* Added `fleet serve` configuration flags for Apple Business Manager (BM).
* Added `fleetctl trigger` command to trigger an ad hoc run of all jobs in a specified cron
schedule.
* Added the `fleetctl get mdm_apple` command to retrieve the Apple MDM configuration information. MDM features are not ready for production and are currently in development. These features are disabled by default.
* Added the `fleetctl get mdm_apple_bm` command to retrieve the Apple Business Manager configuration information.
* Added `fleetctl` command to generate APNs CSR and SCEP CA certificate and key pair.
* Add `fleetctl` command to generate DEP public and private keys.
* Windows installer now ensures that the installed osquery version gets removed before installing Orbit.
* Build on Ubuntu 20 to resolve glibc changes that were causing issues for older Docker runtimes.
* During deleting host flow, inform users how to prevent re-enrolling hosts.
* Added functionality to report if a carve failed along with its error message.
* Added the `redis.username` configuration option for setups that use Redis ACLs.
* Windows installer now ensures that no files are left on the filesystem when orbit uninstallation
process is kicked off.
* Improve how we are logging failed detail queries and windows os version queries.
* Spiffier UI: Add scroll shadows to indicate horizontal scrolling to user.
* Add counts_update_at attribute to GET /hosts/summary/mdm response. update GET /labels/:id/hosts to
filter by mdm_id and mdm_enrollment_status query params. add mobile_device_management_solution to
response from GET /labels/:id/hosts when including mdm_id query param. add mdm information to UI for
windows/all dashboard and host details.
* Fixed `fleetctl query` to use custom HTTP headers if configured.
* Fixed how we are querying and ingesting disk encryption in linux to workaround an osquery bug.
* Fixed buggy input field alignments.
* Fixed to multiselect styling.
* Fixed bug where manually triggering a cron run that preempts a regularly scheduled run causes
an unexpected shift in the start time of the next interval.
* Fixed an issue where the height of the label for some input fields changed when an error message is displayed.
* Fixed the alignment of the "copy" and "show" button icons in the manage enroll secrets and get API
* Improve live query activity item in the activity feed on the Dashboard page. Each item will include the user’s name, as well as an option to show the query. If the query has been saved, the item will include the query’s name.
* Improve navigation on Host details page and Dashboard page by adding the ability to navigate back to a tab (ex. Policies) and filter (ex. macOS) respectively.
* Improved performance of the Fleet server by decreasing CPU usage by 20% and memory usage by 3% on average.
* Added tooltips and updated dropdown choices on Hosts and Host details pages to clarify the meanings of "Status: Online" and "Status: Offline."
* Added “Void Linux” to the list of recognized distributions.
* Added clickable rows to software tables to view all hosts filtered by software.
* Added support for more OS-specific osquery command-line flags in the agent options.
* Added links to evented tables and columns that require user context in the query side panel.
* Improved CPU and memory usage of Fleet.
* Removed the Preview payload button from the usage statistics page, as well as its associated logic and unique styles. [See the example usage statistics payload](https://fleetdm.com/docs/using-fleet/usage-statistics#what-is-included-in-usage-statistics-in-fleet) in the Using Fleet documentation.
* Removed tooltips and conditional coloring in the disk space graph for Linux hosts.
* Reduced false negatives for the query used to determine encryption status on Linux systems.
* Fixed long software name from aligning centered.
* Fixed a discrepancy in the height of input labels when there’s a validation error.
* Added preview screenshots for Jira and Zendesk vulnerability tickets for Premium users.
* Improve host detail query to populate primary ip and mac address on host.
* Add option to show public IP address in Hosts table.
* Improve ingress resource by replacing the template with a most recent version, that enables:
- Not having any annotation hardcoded, all annotations are optional.
- Custom path, as of now it was hardcoded to `/*`, but depending on the ingress controller, it can require an extra annotation to work with regular expressions.
- Specify ingressClassName, as it was hardcoded to `gce`, and this is a setting that might be different on each cluster.
* Added ingestion of host orbit version from `orbit_info` osquery extension table.
* Added number of hosts enrolled by orbit version to usage statistics payload.
* Added number of hosts enrolled by osquery version to usage statistics payload.
* Added arch and linuxmint to list of linux distros so that their data is displayed and host count includes them.
* When submitting invalid agent options, inform user how to override agent options using fleetctl force flag.
* Exclude Windows Servers from mdm lists and aggregated data.
* Activity feed includes editing team config file using fleetctl.
* Update Go to 1.19.3.
* Host details page includes information about the host's disk encryption.
* Information surfaced to device user includes all summary/about information surfaced in host details page.
* Support low_disk_space filter for endpoint /labels/{id}/hosts.
* Select targets pages implements cleaner icons.
* Added validation of unknown keys for the Apply Teams Spec request payload (`POST /spec/teams` endpoint).
* Orbit MSI installer now includes the necessary manifest file to use windows_event_log as a logger_plugin.
* UI allows for filtering low disk space hosts by platform.
* Add passed policies column on the inherited policies table for teams.
* Use the MSRC security bulletins to scan for Windows vulnerabilities. Detected vulnerabilities are inserted in a new table, 'operating_system_vulnerabilities'.
* Added vulnerability scores to Jira and Zendesk integrations for Fleet Premium users.
* Improve database usage to prevent some deadlocks.
* Added ingestion of disk encryption status for hosts, and added that flag in the response of the `GET /hosts/{id}` API endpoint.
* Trying to add a host with 0 enroll secrets directs user to manage enroll secrets.
* Detect Windows MDM solutions and add mdm endpoints.
* Styling updates on login and forgot password pages.
* Add UI polish and style fixes for query pages.
* Update styling of tooltips and modals.
* Update colors, issues icon.
* Cleanup dashboard styling.
* Add tooling for writing integration tests on the frontend.
* Fixed host details page so munki card only shows for mac hosts.
* Fixed a bug where duplicate vulnerability webhook requests, jira, and zendesk tickets were being
made when scanning for vulnerabilities. This affected ubuntu and redhat hosts that support OVAL
vulnerability detection.
* Fixed bug where password reset token expiration was not enforced.
* Fixed a bug in `fleetctl apply` for teams, where a missing `agent_options` key in the YAML spec
file would clear the existing agent options for the team (now it leaves it unchanged). If the key
is present but empty, then it clears the agent options.
* Fixed bug with our CPE matching process. UTM.app was matching to the wrong CPE.
* Fixed an issue where fleet would send invalid usage stats if no hosts were enrolled.
* Fixed an Orbit MSI installer bug that caused Orbit files not to be removed during uninstallation.
* Added usage statistics for the weekly count of aggregate policy violation days. One policy violation day is counted for each policy that a host is failing, measured as of the time the count increments. The count increments once per 24-hour interval and resets each week.
* Fleet Premium: Add ability to see how many and which hosts have low disk space (less than 32GB available) on the **Home** page.
* Fleet Premium: Add ability to see how many and which hosts are missing (offline for at least 30 days) on the **Home** page.
* Improved the query console by indicating which columns are required in the WHERE clause, indicated which columns are platform-specific, and adding example queries for almost all osquery tables in the right sidebar. These improvements are also live on [fleetdm.com/tables](https://fleetdm.com/tables)
* Added a new display name for hosts in the Fleet UI. To determine the display name, Fleet uses the `computer_name` column in the [`system_info` table](https://fleetdm.com/tables/system_info). If `computer_name` isn't present, the `hostname` is used instead.
* Added functionality to consider device tokens as expired after one hour. This change is not compatible with older versions of Fleet Desktop. We recommend to manually update Orbit and Fleet Desktop to > v1.0.0 in addition to upgrading the server if:
* You're managing your own TUF server.
* You have auto-updates disabled (`fleetctl package [...] --disable-updates`)
* You have channels pinned to an older version (`fleetctl package [...] --orbit-channel 1.0.0 --desktop-channel 1.1.0`).
* Added security headers to HTML, CSV, and installer responses.
* Added validation of the `command_line_flags` object in the Agent Options section of Organization Settings and Team Settings.
* Added logic to clean up irrelevant policies for a host on re-enrollment (e.g., if a host changes its OS from linux to macOS or it changes teams).
* Added the `inherited_policies` array to the `GET /teams/{team_id}/policies` endpoint that lists the global policies inherited by the team, along with the pass/fail counts for the hosts on that team.
* Added a new UI state for when results are coming in from a live query or policy query.
* Added better team name suggestions to the Create teams modal.
* Clarified last seen time and last fetched time in the Fleet UI.
* Translated technical error messages returned by Agent options validation to be more user-friendly.
* Renamed machine serial to serial number and IPv4 properly to private IP address.
* Fleet Premium: Updated Fleet Desktop to use the `/device/{token}/desktop` API route to display the number of failing policies.
* Made host details software tables more responsive by adding links to software details.
* Fixed a bug in which a user would not be rerouted to the Home page if already logged in.
* Fixed a bug in which clicking the select all checkbox did not select all in some cases.
* Fixed a bug introduced in 4.21.0 where a Windows-specific query was being sent to non-Windows hosts, causing an error in query ingestion for `directIngestOSWindows`.
* Fixed a bug in which uninstalled software (DEB packages) appeared in Fleet.
* Fixed a bug in which a team that didn't have `config.features` settings was edited via the UI, then both `features.enable_host_users` and `features.enable_software_inventory` would be false instead of the global default.
* Fixed a bug that resulted in false negatives for vulnerable versions of Zoom, Google Chrome, Adobe Photoshop, Node.js, Visual Studio Code, Adobe Media Encoder, VirtualBox, Adobe Premiere Pro, Pip, and Firefox software.
* Fixed bug that caused duplicated vulnerabilities to be sent to third-party integrations.
* Fixed panic in `ingestKubequeryInfo` query ingestion.
* Fixed a bug in which `host_count` and `user_count` returned as `0` in the `teams/{id}` endpoint.
* Fixed a bug in which tooltips for Munki issue would be cut off at the edge of the browser window.
* Fixed a bug in which tooltips for Munki issue would be cut off at the edge of the browser window.
* Fixed a bug in which running `fleetctl apply` with the `--dry-run` flag would fail in some cases.
* Fixed a bug in which **Hosts** table displayed 20 hosts per page.
* Fixed a server panic that occured when a team was edited via YAML without an `agent_options` key.
* Fixed an bug where Pop!\_OS hosts were not being included in the linux hosts count on the hosts dashboard page.
* Fleet Premium: Added the ability to know how many hosts and which hosts, on a team, are failing a global policy.
* Added validation to the `config` and `teams` configuration files. Fleet can be managed with [configuration files (YAML syntax)](https://fleetdm.com/docs/using-fleet/configuration-files) and the fleetctl command line tool.
* Added the ability to manage osquery flags remotely. This requires [Orbit, Fleet's agent manager](https://fleetdm.com/announcements/introducing-orbit-your-fleet-agent-manager). If at some point you revoked an old enroll secret, this feature won't work for hosts that were added to Fleet using this old enroll secret. To manage osquery flags on these hosts, we recommend deploying a new package. Check out the instructions [here on GitHub](https://github.com/fleetdm/fleet/issues/7377).
* Added a `/api/v1/fleet/device/{token}/desktop` API route that returns only the number of failing policies for a specific host.
* Added support for kubequery.
* Added support for an `AC_TEAM_ID` environment variable when creating [signed installers for macOS hosts](https://fleetdm.com/docs/using-fleet/adding-hosts#signing-installers).
* Made cards on the **Home** page clickable.
* Added es_process_file_events, password_policy, and windows_update_history tables to osquery.
* Added activity items to capture when, and by who, agent options are edited.
* Added logging to capture the user’s email upon successful login.
* Increased the size of placeholder text from extra small to small.
* Fixed an error that cleared the form when adding a new integration.
* Fixed an error generating Windows packages with the fleetctl package on non-English localizations of Windows.
* Fixed a bug that showed the small screen overlay when trying to print.
* Fixed the UI bug that caused the label filter dropdown to go under the table header.
* Fixed side panel tooltips to not be wider than side panel causing scroll bug.
* **Security**: Upgrade Go to 1.19.1 to resolve a possible HTTP denial of service vulnerability ([CVE-2022-27664](https://nvd.nist.gov/vuln/detail/CVE-2022-27664)).
* Fixed a bug in which [vulnerability automations](https://fleetdm.com/docs/using-fleet/automations#vulnerability-automations) sent duplicate webhooks.
* Fixed a bug in which logging in with single sign-on (SSO) did not work after a failed authorization attempt.
* Fixed a migration error. This only affects Fleet instances that use MariaDB. MariaDB is not [officially supported](https://fleetdm.com/docs/deploying/faq#what-mysql-versions-are-supported). Future issues specific to MariaDB may not be fixed quickly (or at all). We strongly advise migrating to MySQL 8.0.19+.
* Add ability to know how many hosts, and which hosts, have Munki issues. This information is presented on the **Home > macOS** page and **Host details** page. This information is also available in the [`GET /api/v1/fleet/macadmins`](https://fleetdm.com/docs/using-fleet/rest-api#get-aggregated-hosts-mobile-device-management-mdm-and-munki-information) and [`GET /api/v1/fleet/hosts/{id}/macadmins`](https://fleetdm.com/docs/using-fleet/rest-api#get-hosts-mobile-device-management-mdm-and-munki-information) and API routes.
* Fleet Premium: Added ability to test features, like software inventory, on canary teams by adding a [`features` section](https://fleetdm.com/docs/using-fleet/configuration-files#features) to the `teams` YAML document.
* Improved vulnerability detection for macOS hosts by improving detection of Zoom, Ruby, and Node.js vulnerabilities. Warning: For users that download and sync Fleet's vulnerability feeds manually, there are [required adjustments](https://github.com/fleetdm/fleet/issues/6628) or else vulnerability processing will stop working. Users with the default vulnerability processing settings can safely upgrade without adjustments.
* Fleet Premium: Improved the vulnerability automations by adding vulnerability scores (EPSS probability, CVSS scores, and CISA-known exploits) to the webhook payload. Read more about vulnerability automations on [fleetdm.com/docs](https://fleetdm.com/docs/using-fleet/automations#vulnerability-automations).
* Renamed the `host_settings` section to `features` in the the [`config` YAML file](https://fleetdm.com/docs/using-fleet/configuration-files#features). But `host_settings` is still supported for backwards compatibility.
* Improved the activity feed by adding the ability to see who modified agent options and when modifications occurred. This information is available on the Home page in the Fleet UI and the [`GET /activites` API route](https://fleetdm.com/docs/using-fleet/rest-api#activities).
* Improved the [`config` YAML documentation](https://fleetdm.com/docs/using-fleet/configuration-files#organization-settings).
* Improved the **Hosts** page for smaller screen widths.
* Improved the building of osquery installers for Windows (`.msi` packages).
* Added a **Show query** button on the **Schedule** page, which adds the ability to quickly see a query's SQL.
* Improved the Fleet UI by adding loading spinners to all buttons that create or update entities in Fleet (e.g., users).
* Fixed a bug in which a user could not reach some teams in the UI via pagination if there were more than 20 teams.
* Fixed a bug in which a user could not reach some users in the UI via pagination if there were more than 20 users.
* Fixed a bug in which duplicate vulnerabilities (CVEs) sometimes appeared on **Software details** page.
* Fixed a bug in which the count in the **Issues** column (exclamation tooltip) in the **Hosts** table would sometimes not appear.
* Fixed a bug in which no error message would appear if there was an issue while setting up Fleet.
* Fixed a bug in which no error message would appear if users were creating or editing a label with a name or description that was too long.
* Fixed a big in which the example payload for usage statistics included incorrect key names.
* Fixed a bug in which the count above the **Software** table would sometimes not appear.
* Fixed a bug in which the **Add hosts** button would not be displayed when search returned 0 hosts.
* Fixed a bug in which modifying filters on the **Hosts** page would not return the user to the first page of the **Hosts** table.
* Warning: Please upgrade to 4.19.1 instead of 4.19.0 due to a migration error included in 4.19.0. Like all releases, Fleet 4.19.1 includes all changes included in 4.19.0.
* Fleet Premium: De-anonymize usage statistics by adding an `organization` property to the usage statistics payload. For Fleet Free instances, organization is reported as "unknown". Documentation on how to disable usage statistics, can be found [here on fleetdm.com](https://fleetdm.com/docs/using-fleet/usage-statistics#disable-usage-statistics).
* Fleet Premium: Added support for Just-in-time (JIT) user provisioning via SSO. This adds the ability to
automatically create Fleet user accounts when a new users attempts to log in to Fleet via SSO. New
Fleet accounts are given the [Observer role](https://fleetdm.com/docs/using-fleet/permissions#user-permissions).
* Improved performance for aggregating software inventory. Aggregate software inventory is displayed on the **Software page** in the Fleet UI.
* Added the ability to see the vendor for Windows programs in software inventory. Vendor data is available in the [`GET /software` API route](https://fleetdm.com/docs/using-fleet/rest-api#software).
* Added a **Mobile device management (MDM) solutions** table to the **Home > macOS** page. This table allows users to see a list of all MDM solutions their hosts are enrolled to and drill down to see which hosts are enrolled to each solution. Note that MDM solutions data is updated as hosts send fresh osquery results to Fleet. This typically occurs in an hour or so of upgrading.
* Added a **Operating systems** table to the **Home > Windows** page. This table allows users to see a list of all Windows operating systems (ex. Windows 10 Pro 21H2) their hosts are running and drill down to see which hosts are running which version. Note that Windows operating system data is updated as hosts send fresh osquery results to Fleet. This typically occurs in an hour or so of upgrading.
* Added a message in `fleetctl` to that notifies users to run `fleet prepare` instead of `fleetctl prepare` when running database migrations for Fleet.
* Improved the Fleet UI by maintaining applied, host filters when a user navigates back to the Hosts page from an
individual host's **Host details** page.
* Improved the Fleet UI by adding consistent styling for **Cancel** buttons.
* Improved the **Queries**, **Schedule**, and **Policies** pages in the Fleet UI by page size to 20
items.
* Improve the Fleet UI by informing the user that Fleet only supports screen widths above 768px.
* Added support for asynchronous saving of the hosts' scheduled query statistics. This is an
experimental feature and should only be used if you're seeing performance issues. Documentation
for this feature can be found [here on fleetdm.com](https://fleetdm.com/docs/deploying/configuration#osquery-enable-async-host-processing).
* Fixed a bug in which the **Operating system** and **Munki versions** cards on the **Home > macOS**
page would not stack vertically at smaller screen widths.
* Fixed a bug in which multiple Fleet Desktop icons would appear on macOS computers.
* Fixed a bug that prevented Windows (`.msi`) installers from being generated on Windows machines.
* Added a Call to Action to the failing policy banner in Fleet Desktop. This empowers end-users to manage their device's compliance.
* Introduced rate limiting for device authorized endpoints to improve the security of Fleet Desktop.
* Improved styling for tooltips, dropdowns, copied text, checkboxes and buttons.
* Fixed a bug in the Fleet UI causing text to be truncated in tables.
* Fixed a bug affecting software vulnerabilities count in Host Details.
* Fixed "Select Targets" search box and updated to reflect currently supported search values: hostname, UUID, serial number, or IPv4.
* Improved disk space reporting in Host Details.
* Updated frequency formatting for Packs to match Schedules.
* Replaced "hosts" count with "results" count for live queries.
* Replaced "Uptime" with "Last restarted" column in Host Details.
* Removed vulnerabilities that do not correspond to a CVE in Fleet UI and API.
* Added standard password requirements when users are created by an admin.
* Updated the regexp we use for detecting the major/minor version on OS platforms.
* Improved calculation of battery health based on cycle count. “Normal” corresponds to cycle count <1000and“Replacementrecommended”correspondstocyclecount>= 1000.
* Fixed an issue with double quotes usage in SQL query, caused by enabling `ANSI_QUOTES` in MySQL.
* Added the number of hosts enrolled by operating system (OS) and its version to usage statistics. Also added the weekly active users count to usage statistics.
Documentation on how to disable usage statistics, can be found [here on fleetdm.com](https://fleetdm.com/docs/using-fleet/usage-statistics#disable-usage-statistics).
* Fleet Premium and Fleet Free: Fleet desktop is officially out of beta. This application shows users exactly what's going on with their device and gives them the tools they need to make sure it is secure and aligned with policies. They just need to click an icon in their menu bar.
* Fleet Premium and Fleet Free: Fleet's osquery installer is officially out of beta. Orbit is a lightweight wrapper for osquery that allows you to easily deploy, configure and keep osquery up-to-date across your organization.
* Added native support for M1 Macs.
* Added battery health tracking to **Host details** page.
* Improved reporting of error states on the health dashboard and added separate health checks for MySQL and Redis with `/healthz?check=mysql` and `/healthz?check=redis`.
* Improved SSO login failure messaging.
* Fixed osquery tables that report incorrect platforms.
* Added `docker_container_envs` table to the osquery table schema on the **Query* page.
* Updated Fleet host detail query so that the `os_version` for Ubuntu hosts reflects the accurate patch number.
* Fleet Premium: Added the ability to set a Custom URL for the "Transparency" link included in Fleet Desktop. This allows you to use custom branding, as well as gives you control over what information you want to share with your end-users.
* Fleet Premium: Added scoring to vulnerability detection, including EPSS probability score, CVSS base score, and known exploits. This helps you to quickly categorize which threats need attention today, next week, next month, or "someday."
* Added a ticket-workflow for policy automations. Configured Fleet to automatically create a Jira issue or Zendesk ticket when one or more hosts fail a specific policy.
* Added [Open Vulnerability and Assement Language](https://access.redhat.com/solutions/4161) (`OVAL`) processing for Ubuntu hosts. This increases the accuracy of detected vulnerabilities.
* Added software details page to the Fleet UI.
* Improved live query experience by saving the state of selected targets and adding count of visible results when filtering columns.
* Fixed an issue where the **Device user** page redirected to login if an expired session token was present.
* Fixed an issue that caused a delay in availability of **My device** in Fleet Desktop.
* Added support for custom headers for requests made to `fleet` instances by the `fleetctl` command.
* Updated to an improved `users` query in every query we send to osquery.
* Fixed `no such table` errors for `mdm` and `munki_info` for vanilla osquery MacOS hosts.
* Fixed data inconsistencies in policy counts caused when a host was re-enrolled without a team or in a different one.
* Fixed a bug affecting `fleetctl debug``archive` and `errors` commands on Windows.
* Added `/api/_version_/fleet/device/{token}/policies` to retrieve policies for a specific device. This endpoint can only be accessed with a premium license.
* Added `POST /targets/search` and `POST /targets/count` API endpoints.
* Updated `GET /software`, `GET /software/{:id}`, and `GET /software/count` endpoints to no include software that has been removed from hosts, but not cleaned up yet (orphaned).
* Expanded beta support for vulnerability reporting to include both Zendesk and Jira integration. This allows users to configure Fleet to automatically create a Zendesk ticket or Jira issue when a new vulnerability (CVE) is detected on your hosts.
* Expanded beta support for Fleet Desktop to Mac and Windows hosts. Fleet Desktop allows the device user to see
information about their device. To add Fleet Desktop to a host, generate a Fleet-osquery installer with `fleetctl package` and include the `--fleet-desktop` flag. Then, open this installer on the device.
* Added the ability to see when software was last used on Mac hosts in the **Host Details** view in the Fleet UI. Allows you to know how recently an application was accessed and is especially useful when making decisions about whether to continue subscriptions for paid software and distributing licensces.
* Improved security by increasing the minimum password length requirement for Fleet users to 12 characters.
* Added Policies tab to **Host Details** page for Fleet Premium users.
* Added `device_mapping` to host information in UI and API responses.
* Deprecated "MIA" host status in UI and API responses.
* Added CVE scores to `/software` API endpoint responses when available.
* Added `all_linux_count` and `builtin_labels` to `GET /host_summary` response.
* Added the ability to select columns when exporting hosts to CSV.
* Improved the output of `fleetclt debug errors` and added the ability to print the errors to stdout via the `-stdout` flag.
* Added support for Docker Compose V2 to `fleetctl preview`.
* Added experimental option to save responses to `host_last_seen` queries to the database in batches as well as the ability to configure `enable_async_host_processing` settings for `host_last_seen`, `label_membership` and `policy_membership` independently.
* Expanded `wifi_networks` table to include more data on macOS and fixed compatibility issues with newer MacOS releases.
* Added `basic_auth.username` and `basic_auth.password` [Prometheus configuration options](https://fleetdm.com/docs/deploying/configuration#prometheus). The `GET
/metrics` API route is now disabled if these configuration options are left unspecified.
* Fleet Premium: Add ability to specify a team specific "Destination URL" for policy automations.
This allows the user to configure Fleet to send a webhook request to a unique location for
policies that belong to a specific team. Documentation on what data is included the webhook
request and when the webhook request is sent can be found here on [fleedm.com/docs](https://fleetdm.com/docs/using-fleet/automations#vulnerability-automations)
**Home > macOS** page. This information is also available via the [`GET /os_versions` API route](https://fleetdm.com/docs/using-fleet/rest-api#get-host-os-versions).
* Added a "Vulnerabilities" column to **Host details > Software** page. This allows the user see and search for specific vulnerabilities (CVEs) detected on a specific host.
before use. Documentation on how to use API-only users can be found here on [fleetdm.com/docs](https://fleetdm.com/docs/using-fleet/fleetctl-cli#using-fleetctl-with-an-api-only-user).
* Fixed a bug in which a user could not log in with basic authentication. This only affects Fleet deployments that use a [MySQL read replica](https://fleetdm.com/docs/deploying/configuration#mysql).
* Added [`database_path` GeoIP configuration option](https://fleetdm.com/docs/deploying/configuration#database-path) to specify a GeoIP database. When configured,
* Added instructions and materials needed to add hosts to Fleet using [plain osquery](https://fleetdm.com/docs/using-fleet/adding-hosts#plain-osquery). These instructions
* Added instructions for using plain osquery to add hosts to Fleet in the Fleet View these instructions by heading to **Hosts > Add hosts > Advanced**.
* Upgraded Go to 1.17.7 with security fixes for crypto/elliptic (CVE-2022-23806), math/big (CVE-2022-23772), and cmd/go (CVE-2022-23773). These are not likely to be high impact in Fleet deployments, but we are upgrading in an abundance of caution.
found on at least one host. Documentation on what data is included the webhook
request and when the webhook request is sent can be found here on [fleedm.com/docs](https://fleetdm.com/docs/using-fleet/automations#vulnerability-automations).
* **Security**: Fixed a vulnerability in Fleet's SSO implementation that could allow a malicious or compromised SAML Service Provider (SP) to log into Fleet as an existing Fleet user. See https://github.com/fleetdm/fleet/security/advisories/GHSA-ch68-7cf4-35vr for details.
* Improved the [live query API route (`GET /api/v1/queries/run`)](https://fleetdm.com/docs/using-fleet/rest-api#run-live-query) so that it successfully return results for Fleet
* Added a `disable_failing_policies` parameter to the [`GET /hosts` API route](https://fleetdm.com/docs/using-fleet/rest-api#list-hosts) to allow the API request to respond faster if failing policies count information is not needed.
* Fleet Premium: Added ability to filter aggregate host data such as platforms (macOS, Windows, and Linux) and status (online, offline, and new) the **Home** page. The aggregate host data is also available in the [`GET /host_summary API route`](https://fleetdm.com/docs/using-fleet/rest-api#get-hosts-summary).
* Fleet Premium: Added `fleetctl updates rotate` command for rotation of keys in the updates system. The `fleetctl updates` command provides the ability to [self-manage an agent update server](https://fleetdm.com/docs/deploying/fleetctl-agent-updates).
* Enabled the software inventory by default for new Fleet instances. The software inventory feature can be turned on or off using the [`enable_software_inventory` configuration option](https://fleetdm.com/docs/using-fleet/vulnerability-processing#setup).
* Updated the JSON payload for the host status webhook by renaming the `"message"` property to `"text"` so that the payload can be received and displayed in Slack.
* Added instructions in the Fleet UI for generating an osquery installer for macOS, Linux, or Windows. Documentation for generating an osquery installer and distributing the installer to your hosts to add them to Fleet can be found here on [fleetdm.com/docs](https://fleetdm.com/docs/using-fleet/adding-hosts)
* Added ability to see all the software, and filter by vulnerable software, installed across all your hosts on the **Home** page. Each software's `name`, `version`, `hosts_count`, `vulnerabilities`, and more is also available in the [`GET /software` API route](https://fleetdm.com/docs/using-fleet/rest-api#software) and `fleetctl get software` command.
* Added ability to see all of the queries scheduled to run on a specific host on the **Host details** page immediately after a query is added to a schedule or pack.
* Clarified that a policy in Fleet is a yes or no question you can ask about your hosts by replacing "Passing" and "Failing" text with "Yes" and "No" respectively on the **Policies** page and **Host details** page.
* Improved the UI for the "Software" table and "Policies" table on the **Host details** page so that it's easier to pivot to see all hosts with a specific software installed or answering "No" to a specific policy.
* Fleet Premium: Added a Team admin user role. This allows users to delegate the responsibility of managing team members in Fleet. Documentation for the permissions associated with the Team admin and other user roles can be found [here on fleetdm.com/docs](https://fleetdm.com/docs/using-fleet/permissions).
* Added Apache Kafka logging plugin. Documentation for configuring Kafka as a logging plugin can be found [here on fleetdm.com/docs](https://fleetdm.com/docs/deploying/configuration#kafka-rest-proxy-logging). Thank you to Joseph Macaulay for adding this capability.
* Added support for [MinIO](https://min.io/) as a file carving backend. Documentation for configuring MinIO as a file carving backend can be found [here on fleetdm.com/docs](https://fleetdm.com/docs/using-fleet/fleetctl-cli#minio). Thank you to Chandra Majumdar and Ben Edwards for adding this capability.
* Improved the performance of vulnerability processing by making the process consume less RAM. Documentation for the vulnerability processing feature can be found [here on fleetdm.com/docs](https://fleetdm.com/docs/using-fleet/vulnerability-processing).
* Added the ability to run a live query and receive results using only the Fleet REST API with a `GET /api/v1/fleet/queries/run` API route. Documentation for this new API route can be found [here on fleetdm.com/docs](https://fleetdm.com/docs/using-fleet/rest-api#run-live-query).
* Added ability to see whether a specific host is "Passing" or "Failing" a policy on the **Host details** page. This information is also exposed in the `GET api/v1/fleet/hosts/{id}` API route. In Fleet, a policy is a "yes" or "no" question you can ask of all your hosts.
* Added the ability to quickly see the total number of "Failing" policies for a particular host on the **Hosts** page with a new "Issues" column. Total "Issues" are also revealed on a specific host's **Host details** page.
* Added the ability to see which platforms (macOS, Windows, Linux) a specific query is compatible with. The compatibility detected by Fleet is estimated based on the osquery tables used in the query.
* Added the ability to see whether your queries have a "Minimal," "Considerable," or "Excessive" performance impact on your hosts. Query performance information is only collected when a query runs as a scheduled query.
* Added the ability to see a list of hosts that have a specific software version installed by selecting a software version on a specific host's **Host details** page. Software inventory is currently under a feature flag. To enable this feature flag, check out the [feature flag documentation](https://fleetdm.com/docs/deploying/configuration#feature-flags).
* Added the ability to see all vulnerable software detected across all your hosts with the `GET /api/v1/fleet/software` API route. Documentation for this new API route can be found [here on fleetdm.com/docs](https://fleetdm.com/docs/using-fleet/rest-api#software).
* Added the ability to see the exact number of hosts that selected filters on the **Hosts** page. This ability is also available when using the `GET api/v1/fleet/hosts/count` API route.
* Added ability to connect to Redis with TLS. Documentation for configuring Fleet to use a TLS connection to the Redis server can be found [here on fleetdm.com/docs](https://fleetdm.com/docs/deploying/configuration#redis-use-tls).
* Added `cluster_read_from_replica` Redis to specify whether or not to prefer readying from a replica when possible. Documentation for this configuration option can be found [here on fleetdm.com/docs](https://fleetdm.com/docs/deploying/configuration#redis-cluster-read-from-replica).
* Fixed a bug in which users with the global maintainer role could not edit or save queries. In, Fleet 4.0.0, the Admin, Maintainer, and Observer user roles were introduced. Documentation for the permissions associated with each role can be found [here on fleetdm.com/docs](https://fleetdm.com/docs/using-fleet/permissions).
* Fixed a bug in which policies were checked about every second and add a `policy_update_interval` osquery configuration option. Documentation for this configuration option can be found [here on fleetdm.com/docs](https://fleetdm.com/docs/deploying/configuration#osquery-policy-update-interval).
* Added `fleetctl get software` command to list all software and the detected vulnerabilities. The Vulnerable software feature is currently in Beta. For information on how to configure the Vulnerable software feature and how exactly Fleet processes vulnerabilities, check out the [Vulnerability processing documentation](https://fleetdm.com/docs/using-fleet/vulnerability-processing).
* Added `disable_data_sync` vulnerabilities configuration option to avoid downloading the data streams. Documentation for this configuration option can be found [here on fleetdm.com/docs](https://fleetdm.com/docs/deploying/configuration#disable-data-sync).
* Only shows observers the queries they have permissions to run on the **Queries** page. In, Fleet 4.0.0, the Admin, Maintainer, and Observer user roles were introduced. Documentation for the permissions associated with each role can be found [here on fleetdm.com/docs](https://fleetdm.com/docs/using-fleet/permissions).
* Added `connect_retry_attempts` Redis configuration option to retry failed connections. Documentation for this configuration option can be found [here on fleetdm.com/docs](https://fleetdm.com/docs/deploying/configuration#redis-connect-retry-attempts).
* Added `cluster_follow_redirections` Redis configuration option to follow cluster redirections. Documentation for this configuration option can be found [here on fleetdm.com/docs](https://fleetdm.com/docs/deploying/configuration#redis-cluster-follow-redirections).
* Added `max_jitter_percent` osquery configuration option to prevent all hosts from returning data at roughly the same time. Note that this improves the Fleet server performance, but it will now take longer for new labels to populate. Documentation for this configuration option can be found [here on fleetdm.com/docs](https://fleetdm.com/docs/deploying/configuration#osquery-max-jitter-percent).
* MariaDB compatibility fixes: add explicit foreign key constraint and on cascade delete for host_software to allow for hosts with software to be deleted.
* Fixed a bug in which some new Fleet deployments don't include the default global agent options. Documentation for global and team agent options can be found [here](https://fleetdm.com/docs/using-fleet/configuration-files#agent-options).
* Improved how a host's `users` are stored in MySQL to prevent deadlocks. This information is available in the "Users" table on each host's **Host details** page and in the `GET /api/v1/fleet/hosts/{id}` API route.
* Added "-o" flag to fleetctl convert command to ensure consistent output rather than relying on shell redirection (this was causing issues with file encodings).
* When a connection from a live query websocket is closed, Fleet now timeouts the receive and handles the different cases correctly to not hold the connection to Redis.
* Added the ability to create a Team schedule in Fleet. The Schedule feature was released in Fleet 4.1.0. For more information on the new Schedule feature, check out the [Fleet 4.1.0 release blog post](https://blog.fleetdm.com/fleet-4-1-0-57dfa25e89c1). *Available for Fleet Basic customers*.
* Added Beta Vulnerable software feature which surfaces vulnerable software on the **Host details** page and the `GET /api/v1/fleet/hosts/{id}` API route. For information on how to configure the Vulnerable software feature and how exactly Fleet processes vulnerabilities, check out the [Vulnerability processing documentation](https://fleetdm.com/docs/using-fleet/vulnerability-processing#vulnerability-processing).
* Added the ability to see which logging destination is configured for Fleet in the Fleet UI. To see this information, head to the **Schedule** page and then select "Schedule a query." Configured logging destination information is also available in the `GET api/v1/fleet/config` API route.
* Added the ability to modify scheduled queries in your Schedule in Fleet. The Schedule feature was released in Fleet 4.1.0. For more information on the new Schedule feature, check out the [Fleet 4.1.0 release blog post](https://blog.fleetdm.com/fleet-4-1-0-57dfa25e89c1).
* Added the ability to disable the Users feature in Fleet by setting the new `enable_host_users` key to `true` in the `config` yaml, configuration file. For documentation on using configuration files in yaml syntax, check out the [Using yaml files in Fleet](https://fleetdm.com/docs/using-fleet/configuration-files#using-yaml-files-in-fleet) documentation.
* Improved performance of the Software inventory feature. Software inventory is currently under a feature flag. To enable this feature flag, check out the [feature flag documentation](https://fleetdm.com/docs/deploying/configuration#feature-flags).
* Improved performance of inserting `pack_stats` in the database. The `pack_stats` information is used to display "Frequency" and "Last run" information for a specific host's scheduled queries. You can find this information on the **Host details** page.
Scheduled lets you add queries which are executed on your devices at regular intervals without having to understand or configure osquery query packs. For experienced Fleet and osquery users, the ability to create new, and modify existing, query packs is still available in the Fleet UI and fleetctl command-line tool. To reach the **Packs** page in the Fleet UI, head to **Schedule > Advanced**.
Activity feed adds the ability to observe when, and by whom, queries are changes, packs are created, live queries are run, and more. The Activity feed feature is located on the new Home page in the Fleet UI. Select the logo in the top right corner of the Fleet UI to navigate to the new **Home** page.
* Added ability to create teams and update their respective agent options and enroll secrets using the new `teams` yaml document and fleetctl. Available in Fleet Basic.
* Added a "Users" table on the **Host details** page. The `username` information displayed in the "Users" table, as well as the `uid`, `type`, and `groupname` are available in the Fleet REST API via the `/api/v1/fleet/hosts/{id}` API route.
* Added ability to create a user without an invitation. You can now create a new user by heading to **Settings > Users**, selecting "Create user," and then choosing the "Create user" option.
* Improved performance of the Software inventory feature by reducing the amount of inserts and deletes are done in the database when updating each host's
* Fixed an issue in which it was not possible to clear host settings by applying the `config` yaml document. This allows users to successfully remove the `additional_queries` property after adding it.
The primary additions in Fleet 4.0.0 are the new Role-based access control (RBAC) and Teams features.
RBAC adds the ability to define a user's access to features in Fleet. This way, more individuals in an organization can utilize Fleet with appropriate levels of access.
* Check out the [permissions documentation](https://github.com/fleetdm/fleet/blob/2f42c281f98e39a72ab4a5125ecd26d303a16a6b/docs/1-Using-Fleet/9-Permissions.md) for a breakdown of the new user roles.
Teams adds the ability to separate hosts into exclusive groups. This way, users can easily act on consistent groups of hosts.
* Read more about the Teams feature in [the documentation here](https://github.com/fleetdm/fleet/blob/2f42c281f98e39a72ab4a5125ecd26d303a16a6b/docs/1-Using-Fleet/10-Teams.md).
* Added the ability to separate hosts into exclusive groups with the Teams feature. The Teams feature is available for Fleet Basic customers. Check out the list below for the new functionality included with Teams:
* Added the ability to create an API-only user. API-only users cannot access the Fleet UI. These users can access all Fleet API endpoints and `fleetctl` features. Available in Fleet Core.
Fleet 4.0.0 is a major release and introduces several breaking changes and database migrations. The following sections call out changes to consider when upgrading to Fleet 4.0.0:
* The structure of Fleet's`.tar.gz` and`.zip` release archives have changed slightly. Deployments that use the binary artifacts may need to update scripts or tooling. The `fleetdm/fleet` Docker container maintains the same API.
* Use strictly `fleet` in Fleet's configuration, API routes, and environment variables. Users must update all usage of `kolide` in these items (deprecated since Fleet 3.8.0).
* Replaced the use of the `api/v1/fleet/spec/osquery/options` with `api/v1/fleet/config`. In Fleet 4.0.0, "osquery options" are now called "agent options." The new agent options are moved to the Fleet application config spec file and the `api/v1/fleet/config` API endpoint.
* Enrolled secrets no longer have "names" and are now either global or for a specific team. Hosts no longer store the “name” of the enroll secret that was used. Users that want to be able to segment hosts (for configuration, queries, etc.) based on the enrollment secret should use the Teams feature in Fleet Basic.
* JWT encoding is no longer used for session keys. Sessions now default to expiring in 4 hours of inactivity. `auth_jwt_key` and `auth_jwt_key_file` are no longer accepted as configuration.
* The `username` artifact has been removed in favor of the more recognizable `name` (Full name). As a result the `email` artifact is now used for uniqueness in Fleet. Upon upgrading to Fleet 4.0.0, existing users will have the `name` field populated with `username`. SAML users may need to update their username mapping to match user emails.
* As of Fleet 4.0.0, Fleet Device Management Inc. periodically collects anonymous information about your instance. Sending usage statistics is turned off by default for users upgrading from a previous version of Fleet. Read more about the exact information collected [here](https://github.com/fleetdm/fleet/blob/2f42c281f98e39a72ab4a5125ecd26d303a16a6b/docs/1-Using-Fleet/11-Usage-statistics.md).
The primary additions in Fleet 4.0.0 are the new Role-based access control (RBAC) and Teams features.
RBAC adds the ability to define a user's access to features in Fleet. This way, more individuals in an organization can utilize Fleet with appropriate levels of access.
* Check out the [permissions documentation](https://github.com/fleetdm/fleet/blob/5e40afa8ba28fc5cdee813dfca53b84ee0ee65cd/docs/1-Using-Fleet/8-Permissions.md) for a breakdown of the new user roles.
Teams adds the ability to separate hosts into exclusive groups. This way, users can easily act on consistent groups of hosts.
* Read more about the Teams feature in [the documentation here](https://github.com/fleetdm/fleet/blob/5e40afa8ba28fc5cdee813dfca53b84ee0ee65cd/docs/1-Using-Fleet/9-Teams.md).
* Added the ability to separate hosts into exclusive groups with the Teams feature. The Teams feature is available for Fleet Basic customers. Check out the list below for the new functionality included with Teams:
* Added the ability to create an API-only user. API-only users cannot access the Fleet UI. These users can access all Fleet API endpoints and `fleetctl` features. Available in Fleet Core.
Fleet 4.0.0 is a major release and introduces several breaking changes and database migrations.
* Use strictly `fleet` in Fleet's configuration, API routes, and environment variables. Users must update all usage of `kolide` in these items (deprecated since Fleet 3.8.0).
* Replaced the use of the `api/v1/fleet/spec/osquery/options` with `api/v1/fleet/config`. In Fleet 4.0.0, "osquery options" are now called "agent options." The new agent options are moved to the Fleet application config spec file and the `api/v1/fleet/config` API endpoint.
* Enrolled secrets no longer have "names" and are now either global or for a specific team. Hosts no longer store the “name” of the enroll secret that was used. Users that want to be able to segment hosts (for configuration, queries, etc.) based on the enrollment secret should use the Teams feature in Fleet Basic.
*`auth_jwt_key` and `auth_jwt_key_file` are no longer accepted as configuration.
* JWT encoding is no longer used for session keys. Sessions now default to expiring in 4 hours of inactivity.
### Known issues
There are currently no known issues in this release. However, we recommend only upgrading to Fleet 4.0.0-rc2 for testing purposes. Please file a GitHub issue for any issues discovered when testing Fleet 4.0.0!
RBAC adds the ability to define a user's access to information and features in Fleet. This way, more individuals in an organization can utilize Fleet with appropriate levels of access. Check out the [permissions documentation](https://fleetdm.com/docs/using-fleet/permissions) for a breakdown of the new user roles and their respective capabilities.
Teams adds the ability to separate hosts into exclusive groups. This way, users can easily observe and apply operations to consistent groups of hosts. Read more about the Teams feature in [the documentation here](https://fleetdm.com/docs/using-fleet/teams).
There are several known issues that will be fixed for the stable release of Fleet 4.0.0. Therefore, we recommend only upgrading to Fleet 4.0.0 RC1 for testing purposes. Please file a GitHub issue for any issues discovered when testing Fleet 4.0.0!
* Added the ability to separate hosts into exclusive groups with the Teams feature. The Teams feature is available for Fleet Basic customers. Check out the list below for the new functionality included with Teams:
* Used strictly `fleet` in Fleet's configuration, API routes, and environment variables. This means that you must update all usage of `kolide` in these items. The backwards compatibility introduced in Fleet 3.8.0 is no longer valid in Fleet 4.0.0.
* Replaced the use of the `api/v1/fleet/spec/osquery/options` with `api/v1/fleet/config`. In Fleet 4.0.0, "osquery options" are now called "agent options." The new agent options are moved to the Fleet application config spec file and the `api/v1/fleet/config` API endpoint.
* Enrolled secrets no longer have "names" and are now either global or for a specific team. Hosts no longer store the “name” of the enroll secret that was used. Users that want to be able to segment hosts (for configuration, queries, etc.) based on the enrollment secret should use the Teams feature in Fleet Basic.
* Improved performance of the `additional_queries` feature by moving `additional` query results into a separate table in the MySQL database. Please note that the `/api/v1/fleet/hosts` API endpoint now return only the requested `additional` columns. See documentation on the changes to the hosts API endpoint [here](https://github.com/fleetdm/fleet/blob/06b2e564e657492bfbc647e07eb49fd4efca5a03/docs/1-Using-Fleet/3-REST-API.md#list-hosts).
* Improved `fleetctl preview` experience by adding the `fleetctl preview reset` and `fleetctl preview stop` commands to reset and stop simulated hosts running in Docker.
* Added scheduled queries to the _Host details_ page. Surface the "Name", "Description", "Frequency", and "Last run" information for each query in a pack that apply to a specific host.
* Added ability to duplicate live query results in Redis. When the `redis_duplicate_results` configuration option is set to `true`, all live query results will be copied to an additional Redis Pub/Sub channel named LQDuplicate.
* Added ability to controls the server-side HTTP keepalive property. Turning off keepalives has helped reduce outstanding TCP connections in some deployments.
* Improved Fleet performance by batch updating host seen time instead of updating synchronously. This improvement reduces MySQL CPU usage by ~33% with 4,000 simulated hosts and MySQL running in Docker.
* Added support for software inventory, introducing a list of installed software items on each host's respective _Host details_ page. This feature is flagged off by default (for now). Check out [the feature flag documentation for instructions on how to turn this feature on](https://fleetdm.com/docs/deploying/configuration#software-inventory).
* Added Windows support for `fleetctl` agent autoupdates. The `fleetctl updates` command provides the ability to self-manage an agent update server. Available for Fleet Basic customers.
* Fixed a frontend bug that prevented the "Pack" page and "Edit pack" page from rendering in the Fleet UI. This issue occurred when the `platform` key, in the requested pack's configuration, was set to any value other than `darwin`, `linux`, `windows`, or `all`.
* Improved logging. All errors are logged regardless of log level, some non-errors are logged regardless of log level (agent enrollments, runs of live queries etc.), and all other non-errors are logged on debug level.
* Improved `fleetctl preview` to ensure the latest version of Fleet is fired up on every run. In addition, the Fleet UI is now accessible without having to click through browser security warning messages.
* Added configurable host identifier to help with duplicate host enrollment scenarios. By default, Fleet's behavior does not change (it uses the identifier configured in osquery's `--host_identifier` flag), but for users with overlapping host UUIDs changing `--osquery_host_identifier` to `instance` may be helpful.
* Made cool-down period for host enrollment configurable to control load on the database in scenarios in which hosts are using the same identifier. By default, the cooldown is off, reverting to the behavior of Fleet <=3.4.0. The cooldown can be enabled with `--osquery_enroll_cooldown`.
* Deprecated `KOLIDE_` environment variable prefixes in favor of `FLEET_` prefixes. Deprecated prefixes continue to work and the Fleet server will log warnings if the deprecated variable names are used.
* Deprecated `/api/v1/kolide` routes in favor of `/api/v1/fleet`. Deprecated routes continue to work and the Fleet server will log warnings if the deprecated routes are used.
* Changed the default `--server_tls_compatibility` to `intermediate`. The new settings caused TLS connectivity issues for users in some environments. This new default is a more appropriate balance of security and compatibility, as recommended by Mozilla.
* **Security**: Fixed a vulnerability in which a malicious actor with a valid node key can send a badly formatted request that causes the Fleet server to exit, resulting in denial of service. See https://github.com/fleetdm/fleet/security/advisories/GHSA-xwh8-9p3f-3x45 and the linked content within that advisory.
* Improved the `fleetctl preview` experience to include adding containerized osquery agents, displaying login information, creating a default directory, and checking for Docker daemon status.
* **Security**: Introduced XML validation library to mitigate Go stdlib XML parsing vulnerability effecting SSO login. See https://github.com/fleetdm/fleet/security/advisories/GHSA-w3wf-cfx3-6gcx and the linked content within that advisory.
* **Security**: Prevents new queries from using the SQLite `ATTACH` command. This is a mitigation for the osquery vulnerability https://github.com/osquery/osquery/security/advisories/GHSA-4g56-2482-x7q8.
Follow up: Audit existing saved queries and logs of live query executions for possible malicious use of `ATTACH`. Upgrade osquery to 4.6.0 to prevent `ATTACH` queries from executing.
* Update icons and fix hosts dashboard for wide screen sizes.
* Added capability to collect "additional" information from hosts. Additional queries can be set to be updated along with the host detail queries. This additional information is returned by the API.
* Removed extraneous network interface information to optimize server performance. Users that require this information can use the additional queries functionality to retrieve it.
* Added `--server_url_prefix` flag to configure a URL prefix to prepend on all Fleet URLs. This can be useful to run fleet behind a reverse-proxy on a hostname shared with other services.
* Added option to automatically expire hosts that have not checked in within a certain number of days. Configure this in the "Advanced Options" of "App Settings" in the browser UI.
* Added capability to export packs, labels, and queries as yaml in `fleetctl get` with the `--yaml` flag. Include queries with a pack using `--with-queries`.
* Modified email templates to load image assets from Github CDN rather than Fleet server (fixes broken images in emails when Fleet server is not accessible from email clients).
* Server and browser performance improved to reduced loading of hosts in frontend. Host status will only update on page load when over 100 hosts are present.
* Utilized details sent by osquery in enrollment request to more quickly display details of new hosts. Also fixes a bug in which hosts could not complete enrollment if certain platform-dependent options were used.
* Added capability to log osquery status and results to AWS Firehose. Note that this deprecated some existing logging configuration (`--osquery_status_log_file` and `--osquery_result_log_file`). Existing configurations will continue to work, but will be removed at some point.
* Fixed a bug where duplicate queries were being created in the same pack but only one was ever delivered to osquery. A migration was added to delete duplicate queries in packs created by the UI.
* It is possible to schedule the same query with different options in one pack, but only via the CLI.
* If you thought you were relying on this functionality via the UI, note that duplicate queries will be deleted when you run migrations as apart of a cleanup fix. Please check your configurations and make sure to create any double-scheduled queries via the CLI moving forward.
The primary new addition in Fleet 2 is the new `fleetctl` CLI and file-format, which dramatically increases the flexibility and control that administrators have over their osquery deployment. The CLI and the file format are documented [in the Fleet documentation](https://fleetdm.com/docs/using-fleet/fleetctl-cli).
* New `fleetctl` CLI for managing your entire osquery workflow via CLI, API, and source controlled files!
* You can use `fleetctl` to manage osquery packs, queries, labels, and configuration.
* In addition to the CLI, Fleet 2.0.0 introduces a new file format for articulating labels, queries, packs, options, etc. This format is designed for composability, enabling more effective sharing and re-use of intelligence.
```yaml
apiVersion: v1
kind: query
spec:
name: pending_updates
query: >
select value
from plist
where
path = "/Library/Preferences/ManagedInstalls.plist" and
key = "PendingUpdateCount" and
value > "0";
```
* Run live osquery queries against arbitrary subsets of your infrastructure via the `fleetctl query` command.
* Use `fleetctl setup`, `fleetctl login`, and `fleetctl logout` to manage the authentication life-cycle via the CLI.
* Use `fleetctl get`, `fleetctl apply`, and `fleetctl delete` to manage the state of your Fleet data.
* Manage any osquery option you want and set platform-specific overrides with the `fleetctl` CLI and file format.
* Managing osquery options via the UI has been removed in favor of the more flexible solution provided by the CLI. If you have customized your osquery options with Fleet, there is [a database migration](./server/datastore/mysql/migrations/data/20171212182458_MigrateOsqueryOptions.go) which will port your existing data into the new format when you run `fleet prepare db`. To download your osquery options after migrating your database, run `fleetctl get options > options.yaml`. Further modifications to your options should occur in this file and it should be applied with `fleetctl apply -f ./options.yaml`.
* Added feature that allows users to import existing Osquery configuration files using the [configimporter](https://github.com/kolide/configimporter) utility.
The Kolide server now tracks the `distributed_interval` and `config_tls_refresh` values for each individual host (these can be different if they are set via flagfile and not through Kolide), to ensure that online status is represented as accurately as possible.
* Log rotation is no longer the default setting for Osquery status and results logs. To enable log rotation use the `--osquery_enable_log_rotation` flag.
When `kolide serve --debug` is used, additional handlers will be started to provide access to profiling tools. These endpoints are authenticated with a randomly generated token that is printed to the Kolide logs at startup. These profiling tools are not intended for general use, but they may be useful when providing performance-related bug reports to the Kolide developers.
Osquery 2.3.2 incorrectly reports an empty value for `platform` on CentOS6 hosts. We added a workaround to properly detect platform in Kolide, and also [submitted a fix](https://github.com/facebook/osquery/pull/3071) to upstream osquery.
Previously this item was visible to non-admin users and if selected, a blank options page would be displayed since server side authorization constraints prevent regular users from viewing or changing options.
In an effort to provide a more resilient web server, timeouts are more strictly enforced by the Kolide HTTP server (regardless of whether or not you're using the built-in TLS termination).
For customers using Kolide's built-in TLS server (if the `server.tls` configuration is `true`), the server was hardened to only accept modern cipher suites as recommended by [Mozilla](https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility).
* Improve the mechanism used to calculate whether or not hosts are online.
Previously, hosts were categorized as "online" if they had been seen within the past 30 minutes. To make the "online" status more representative of reality, hosts are marked "online" if the Kolide server has heard from them within two times the lowest polling interval as described by the Kolide-managed osquery configuration. For example, if you've configured osqueryd to check-in with Kolide every 10 seconds, only hosts that Kolide has heard from within the last 20 seconds will be marked "online".
Customers running Kolide behind a web balancer lacking support for websockets were unable to use the distributed query feature. Also, in certain circumstances, Safari users with a self-signed cert for Kolide would receive an error. This release add a fallback mechanism from websockets using SockJS for improved compatibility.
Previously Kolide was determining platform based on the OS of the system osquery was built on instead of the OS it was running on. Please note: Offline hosts may continue to report an erroneous platform until they check-in with Kolide.
* Now support MySQL client certificate authentication. More details can be found in the [Configuring the Fleet binary docs](./docs/infrastructure/configuring-the-fleet-binary.md).
