Summary:
- Enroll hosts page refinement
- Since page was too long and had a lot of content I did following:
- Moved most important sections to the top
- Did some changes to make things more consistent, when possible having
UI and CLI sections with steps (ordered list)
- Moved `Add hosts with plain osquery` to contributor docs, since I
learned this approach is used just by couple of Fleet customers, and we
don't advise this as best practice anymore
- Added overview (table of contents) on the top to make easier to
navigate through the page
- Moved some technical (advanced) topics into separate section on the
bottom of the page
---------
Co-authored-by: Noah Talerman <noahtal@umich.edu>
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Co-authored-by: Rachael Shaw <r@rachael.wtf>
This commit is contained in:
Marko Lisica2023-11-20 19:39:41 +01:00committed byGitHub
* Added support for an `AC_TEAM_ID` environment variable when creating [signed installers for macOS hosts](https://fleetdm.com/docs/using-fleet/adding-hosts#signing-installers).
* Added support for an `AC_TEAM_ID` environment variable when creating [signed installers for macOS hosts](https://fleetdm.com/docs/using-fleet/adding-hosts#signing-fleetd-installers).
@ -46,7 +46,7 @@ You'll see how many hosts, assigned to a team, have passed or failed global poli
* Added a '/api/v1/fleet/device/{token}/desktop' API route that returns only the number of failing policies for a specific host.
* Added support for [kubequery](https://github.com/Uptycs/kubequery).
* Added support for an `AC_TEAM_ID` environment variable when creating [signed installers for macOS hosts](https://fleetdm.com/docs/using-fleet/adding-hosts#signing-installers).
* Added support for an `AC_TEAM_ID` environment variable when creating [signed installers for macOS hosts](https://fleetdm.com/docs/using-fleet/adding-hosts#signing-fleetd-installers).
* Made cards on the Home page clickable.
* Added es_process_file_events, password_policy, and windows_update_history to osquery tables.
* Added activity items to capture when, and by who, agent options are edited.
> Follow the instructions [here](https://fleetdm.com/docs/using-fleet/adding-hosts#add-chromebooks-with-the-fleetd-chrome-extension) for installing the fleetd Chrome extension, with the following modifications:
> Follow the instructions [here](https://fleetdm.com/docs/using-fleet/enroll-hosts#enroll-chromebooks) for installing the fleetd Chrome extension, with the following modifications:
> + Select the "ChromeOSTesting" group.
> + For "Extension ID", use the ID previously copied.
> + For "Installation URL", use `http://test-new-tables.loca.lt/updates.xml`.
Osquery's [TLS API plugin](http://osquery.readthedocs.io/en/stable/deployment/remote/) lets you use the native osqueryd binaries to connect to Fleet.
You can find various ways to install osquery on your hosts at https://osquery.io/downloads. Once you have installed osquery, you need to do three things on your hosts:
- Set up your Fleet enroll secret.
- Provide the TLS certificate that osquery will use to communicate with Fleet.
- Configure and launch osqueryd.
## Set up your Fleet enroll secret
The enroll secret is a value that osquery provides to authenticate with Fleet. There are a few ways you can set the enroll secret on the hosts that you control. You can either set the value as
- a value of an environment variable (a common name is `OSQUERY_ENROLL_SECRET`)
- the content of a local file (a common path is `/etc/osquery/enroll_secret`)
The value of the environment variable or content of the file should be a secret shared between the osqueryd client and the Fleet server. This is osqueryd's passphrase which it uses to authenticate with Fleet, convincing Fleet that it is actually one of your hosts. The passphrase could be whatever you'd like, but it would be prudent to have the passphrase long, complex, mixed-case, etc. When you launch the Fleet server, you should specify this same value.
If you use an environment variable for this, you can specify it with the `--enroll_secret_env` flag when you launch osqueryd. If you use a local file for this, you can specify its path with the `--enroll_secret_path` flag.
To retrieve the enroll secret, use the "Add New Host" dialog in the Fleet UI or
`fleetctl get enroll_secret`).
If your organization has a robust internal public key infrastructure (PKI) and you already deploy TLS client certificates to each host to uniquely identify them, then osquery supports an advanced authentication mechanism that takes advantage of this. Fleet can be fronted with a proxy to perform the TLS client authentication.
## Provide the TLS certificate that osquery will use to communicate with Fleet
When Fleet uses a self-signed certificate, osquery agents will need a copy of that certificate in order to authenticate the Fleet server. If clients connect directly to the Fleet server, you can download the certificate through the Fleet UI. From the main dashboard (`/hosts/manage`), click **Add New Host** and **Fetch Certificate**. If Fleet is running behind a load balancer that terminates TLS, you will have to talk to your system administrator about where to find this certificate.
It is important that the CN of this certificate matches the hostname or IP that osqueryd clients will use to connect.
Specify the path to this certificate with the `--tls_server_certs` flag when you launch osqueryd.
## Configure and launch osquery
For osquery to connect to the Fleet server, some flags need to be set:
These can be specified directly in the command line or saved to a flag file.
### Launching osqueryd using command-line flags
Assuming that you are deploying your enroll secret in the file `/etc/osquery/enroll_secret` and your osquery server certificate is at `/etc/osquery/fleet.crt`, you could copy and paste the following command with the following flags (be sure to replace `fleet.acme.net` with the hostname or IP of your Fleet installation):
If your osquery server certificate is deployed to a path that is not `/etc/osquery/fleet.crt`, be sure to update the `--tls_server_certs` flag. Similarly, if your enroll secret is in an environment variable that is not called `OSQUERY_ENROLL_SECRET`. Then, be sure to update the `--enroll_secret_env` environment variable.
If your enroll secret is defined in a local file, specify the file's path with the `--enroll_secret_path` flag instead of using the `--enroll_secret_env` flag.
### Launching osqueryd using a flag file
For your convenience, osqueryd supports putting all your flags into a single file. We suggest deploying this file to `/etc/osquery/fleet.flags`. If you've deployed the appropriate osquery flags to that path, you could simply launch osquery via:
```sh
osqueryd --flagfile=/etc/osquery/fleet.flags
```
When using a flag file on Windows, make sure that file paths in the flag file are absolute and not quoted. For example, in `C:\Program Files\osquery\osquery.flags`:
@ -3,7 +3,7 @@ For visibility on ChromeOS hosts, Fleet provides the fleetd Chrome extension whi
## Adding ChromeOS hosts to Fleet
To learn how to add ChromeOS hosts to Fleet, visit [here](https://fleetdm.com/docs/using-fleet/adding-hosts#add-chromebooks-with-the-fleetd-chrome-extension).
To learn how to add ChromeOS hosts to Fleet, visit [here](https://fleetdm.com/docs/using-fleet/adding-hosts#enroll-chromebooks).
> The fleetd Chrome browser extension is supported on ChromeOS operating systems that are managed using [Google Admin](https://admin.google.com). It is not intended for non-ChromeOS hosts with the Chrome browser installed.
- [Automatically adding hosts to a team](#automatically-adding-hosts-to-a-team)
- [Generating Windows installers using local WiX toolset](#generating-windows-installers-using-local-wix-toolset)
- [Configuration options](#configuration-options)
- [Add hosts with plain osquery](#add-hosts-with-plain-osquery)
- [Set up your Fleet enroll secret](#set-up-your-fleet-enroll-secret)
- [Provide the TLS certificate that osquery will use to communicate with Fleet](#provide-the-tls-certificate-that-osquery-will-use-to-communicate-with-fleet)
- [Configure and launch osquery](#configure-and-launch-osquery)
- [Launching osqueryd using command-line flags](#launching-osqueryd-using-command-line-flags)
- [Launching osqueryd using a flag file](#launching-osqueryd-using-a-flag-file)
- [Migrating from plain osquery to osquery installer](#migrating-from-plain-osquery-to-osquery-installer)
- [Generate installer](#generate-installer)
- [Migrate](#migrate)
- [Add Chromebooks with the fleetd Chrome extension](#add-chromebooks-with-the-fleetd-chrome-extension)
- [Grant full disk access to osquery on macOS](#grant-full-disk-access-to-osquery-on-macos)
- [Creating the configuration profile](#creating-the-configuration-profile)
- [Obtaining identifiers](#obtaining-identifiers)
- [Creating the profile](#creating-the-profile)
- [Test the profile](#test-the-profile)
## Introduction
Fleet gathers information from an [osquery](https://github.com/osquery/osquery) agent installed on each of your hosts. The recommended way to install osquery is using Fleetd, which includes [Orbit](https://fleetdm.com/docs/using-fleet/fleetd), Fleet's lightweight osquery runtime and auto-updater.
Fleet gathers information from an [osquery](https://github.com/osquery/osquery) agent installed on each of your hosts. The recommended way to install osquery is using fleetd.
You can also install plain osquery on your hosts and connect to Fleet using osquery's `TLS API` plugins.
You can enroll macOS, Windows or Linux hosts via the [CLI](#cli) or [UI](#ui). To learn how to enroll Chromebooks, see [Enroll Chromebooks](#enroll-chromebooks).
> For ChromeOS hosts, the [fleetd Chrome extension](#add-chromebooks-with-the-fleetd-chrome-extension) is installed instead of osquery.
## Supported osquery versions
### Supported osquery versions
Fleet supports the [latest version of osquery](https://github.com/osquery/osquery/tags).
## Enroll hosts with Fleetd
To create a Fleet installer, you can use the `fleetctl package` command. To use the `fleetctl package` command, you must first install the `fleetctl` command-line tool. [Learn how to install `fleetctl`](https://fleetdm.com/fleetctl-preview).
The `fleetctl package` can create a Fleetd installer, which adds macOS hosts (**.pkg**), Windows hosts (**.msi**), or Linux hosts (**.deb** or **.rpm**) to Fleet.
The following command creates a Fleetd installer, `.pkg` file, which adds macOS hosts to Fleet. Locate this osquery installer in the folder where the `fleetctl package` command is run.
>**Note:** The only configuration option required to create an installer is `--type`. However, to communicate with a Fleet instance, you'll need to specify a `--fleet-url` and `--enroll-secret`. When those flags are not set, fleetd will log errors.
> You must have `fleetctl` installed. [Learn how to install `fleetctl`](https://fleetdm.com/fleetctl-preview).
When you install the generated Fleetd installer on a host, this host will automatically enroll in the specified Fleet instance.
The `fleetctl package` command is used to generate a fleetd installer.
### Signing installers
The `--type` flag is used to specify installer type:
- macOS: .pkg
- Windows: .msi
- Linux: .deb or .rpm
A `--fleet-url` (Fleet instance URL) and `--enroll-secret` (Fleet enrollment secret) must be specified in order to communicate with Fleet instance.
>**Note:** Currently, the `fleetctl package` does not provide support for signing Windows Fleetd installers. Windows installers can be signed after building.
#### Example
The `fleetctl package` provides support for signing and notarizing macOS osquery installers via the
The above command should be run on a macOS device, as the notarizing and signing of macOS Fleetd installers can only be done on macOS devices.
## UI
Also, remember to replace both `AC_USERNAME` and `AC_PASSWORD` environment variables with your Apple ID and a valid [app-specific](https://support.apple.com/en-ca/HT204397) password, respectively. Some organizations (notably those with Apple Enterprise Developer Accounts) may also need to specify `AC_TEAM_ID`. This value can be found on the [Apple Developer "Membership" page](https://developer.apple.com/account/#!/membership) under "Team ID."
To generate an installer in Fleet UI:
1. Go to the **Hosts** page, and select **Add hosts**.
2. Select the tab for your desired platform (e.g. macOS).
3. A CLI command with all necessary flags will be generated. Copy and run the command with [fleetctl](https://fleetdm.com/docs/using-fleet/fleetctl-cli) installed.
### Generate installer to enroll host to a specific team
With hosts segmented into teams, you can apply unique queries and give users access to only the hosts in specific teams. [Learn more about teams](https://fleetdm.com/docs/using-fleet/segment-hosts).
To generate an installer that enrolls to a specific team: from the **Hosts** page, select the desired team from the menu at the top of the screen, then follow the instructions above for generating an installer. The team's enroll secret will be included in the generated command.
### Enroll multiple hosts
If you're managing an enterprise environment with multiple hosts, you likely have an enterprise deployment tool like [Munki](https://www.munki.org/munki/), [Jamf Pro](https://www.jamf.com/products/jamf-pro/), [Chef](https://www.chef.io/), [Ansible](https://www.ansible.com/), or [Puppet](https://puppet.com/) to deliver software to your hosts.
You can use your software management tool of choice to distribute a fleetd installer generated via the instructions above.
### Including Fleet Desktop
> Fleet Desktop requires a Fleet version of 4.12.0 and above. To check your Fleet version, select
> the avatar on the right side of the top bar and select **My account**. Your Fleet version is
> displayed below the **Get API token** button.
> Fleet Desktop requires a Fleet version of 4.12.0 and above. To check your Fleet version, select the avatar on the right side of the top bar and select **My account**. Your Fleet version is displayed below the **Get API token** button.
Hosts without Fleet Desktop currently installed require a new installer to be generated and run on the target host.
How to generate an installer that includes Fleet Desktop in the Fleet UI:
1. On the top bar in the Fleet UI, select **Hosts > Add hosts**.
2. Select the **Include Fleet Desktop** checkbox.
3. Select the clipboard icon to copy the `fleetctl package` command.
4. In your terminal application, paste and run the copied command.
Hosts without Fleet Desktop currently installed require a new installer to be generated and run on the target host. To include Fleet desktop in your installer, select the **Include Fleet Desktop** checkbox when generating an installer via the instructions above.
Alternatively, you can generate an installer that includes Fleet Desktop in `fleetctl package` by appending the `--fleet-desktop` flag.
> Fleet Desktop is supported on macOS, Windows, and Linux. Check out the supported Linux distributions
> and versions [here
> on GitHub](https://github.com/fleetdm/fleet/issues/5684#issuecomment-1123906753).
Once installed on the target host, Fleet Desktop will be managed by Fleetd. To learn more about Fleetd updates, see [here](https://fleetdm.com/docs/deploying/fleetctl-agent-updates).
To prevent this auto-update behavior, you can turn off auto-updates via the `--disable-updates` flag or you can set a specific channel using the `--desktop-channel` flag.
### Adding multiple hosts
If you're managing an enterprise environment with multiple hosts, you likely have an enterprise deployment tool like [Munki](https://www.munki.org/munki/), [Jamf Pro](https://www.jamf.com/products/jamf-pro/), [Chef](https://www.chef.io/), [Ansible](https://www.ansible.com/), or [Puppet](https://puppet.com/) to deliver software to your hosts.
You can distribute your Fleetd installer and add all your hosts to Fleet using your software management tool of choice.
### Automatically adding hosts to a team
`Applies only to Fleet Premium`
```
ℹ️ Fleet 4.0 introduced Teams.
```
The Teams feature in Fleet allows you to place hosts in exclusive groups. With hosts segmented into Teams, you can apply unique queries and give users access to only the hosts in specific Teams.
You can add a host to a team by generating and using a unique osquery installer for a team or by [manually transferring a host to a team in the Fleet UI](https://fleetdm.com/docs/using-fleet/teams#transfer-hosts-to-a-team).
To generate an osquery installer for a team:
1. First, create a team in Fleet by selecting **Create team** in **Settings > Teams**.
2. Then, navigate to **Hosts** and select your team.
3. Next, select **Add hosts** and copy the `fleetctl package` command for the platform (macOS, Windows, Linux) of the hosts you'd like to add to a team in Fleet.
4. Run the copied `fleetctl package` command and [distribute your installer](#adding-multiple-hosts) to add your hosts to a team in Fleet.
### Generating Windows installers using local WiX toolset
`Applies only to Fleet Premium`
When creating a Fleetd installer for Windows hosts (**.msi**) on a Windows machine, you can tell `fleetctl package` to
use local installations of the 3 WiX v3 binaries used by this command (`heat.exe`, `candle.exe`, and
`light.exe`) instead of those in a pre-configured container, which is the default behavior. To do
so:
1. Install the WiX v3 binaries. To install, you can download them
[here](https://github.com/wixtoolset/wix3/releases/download/wix3112rtm/wix311-binaries.zip), then unzip the downloaded file.
2. Find the absolute filepath of the directory containing your local WiX v3 binaries. This will be wherever you saved the unzipped package contents.
3. Run `fleetctl package`, and pass the absolute path above as the string argument to the
If the provided path doesn't contain all 3 binaries, the command will fail.
### Configuration options
The following command-line flags to `fleetctl package` allow you to configure an osquery installer further to communicate with a specific Fleet instance.
| --disable-updates | Disable auto updates on the generated package (default: false) |
| --osqueryd-channel | Update channel of osqueryd to use (default: `stable`) |
| --orbit-channel | Update channel of Orbit to use (default: `stable`) |
| --desktop-channel | Update channel of desktop to use (default: `stable`) |
| --update-url | URL for update server (default: `https://tuf.fleetctl.com`) |
| --update-roots | Root key JSON metadata for update server (from fleetctl updates roots) |
| --use-system-configuration | Try to read --fleet-url and --enroll-secret using configuration in the host (currently only macOS profiles are supported) |
| --verbose | Log detailed information when building the package (default: false) |
| --local-wix-dir | Use local installations of the 3 WiX v3 binaries this command uses (`heat.exe`, `candle.exe`, and
`light.exe`) instead of installations in a pre-configered Docker Hub (only available on Windows w/ WiX v3) |
| --help, -h | show help (default: `false`) |
Fleet supports other methods for adding your hosts to Fleet, such as the [plain osquery binaries](#add-hosts-with-plain-osquery) or [Kolide Osquery Launcher](https://github.com/kolide/launcher/blob/master/docs/launcher.md#connecting-to-fleet).
## Add hosts with plain osquery
Osquery's [TLS API plugin](http://osquery.readthedocs.io/en/stable/deployment/remote/) lets you use the native osqueryd binaries to connect to Fleet.
You can find various ways to install osquery on your hosts at https://osquery.io/downloads. Once you have installed osquery, you need to do three things on your hosts:
- Set up your Fleet enroll secret.
- Provide the TLS certificate that osquery will use to communicate with Fleet.
- Configure and launch osqueryd.
### Set up your Fleet enroll secret
The enroll secret is a value that osquery provides to authenticate with Fleet. There are a few ways you can set the enroll secret on the hosts which you control. You can either set the value as
- a value of an environment variable (a common name is `OSQUERY_ENROLL_SECRET`)
- the content of a local file (a common path is `/etc/osquery/enroll_secret`)
The value of the environment variable or content of the file should be a secret shared between the osqueryd client and the Fleet server. This is osqueryd's passphrase which it uses to authenticate with Fleet, convincing Fleet that it is actually one of your hosts. The passphrase could be whatever you'd like, but it would be prudent to have the passphrase long, complex, mixed-case, etc. When you launch the Fleet server, you should specify this same value.
If you use an environment variable for this, you can specify it with the `--enroll_secret_env` flag when you launch osqueryd. If you use a local file for this, you can specify its path with the `--enroll_secret_path` flag.
To retrieve the enroll secret, use the "Add New Host" dialog in the Fleet UI or
`fleetctl get enroll_secret`).
If your organization has a robust internal public key infrastructure (PKI) and you already deploy TLS client certificates to each host to uniquely identify them, then osquery supports an advanced authentication mechanism that takes advantage of this. Fleet can be fronted with a proxy that will perform the TLS client authentication.
### Provide the TLS certificate that osquery will use to communicate with Fleet
When Fleet uses a self-signed certificate, osquery agents will need a copy of that certificate in order to authenticate the Fleet server. If clients connect directly to the Fleet server, you can download the certificate through the Fleet UI. From the main dashboard (`/hosts/manage`), click **Add New Host** and **Fetch Certificate**. If Fleet is running behind a load-balancer that terminates TLS, you will have to talk to your system administrator about where to find this certificate.
It is important that the CN of this certificate matches the hostname or IP that osqueryd clients will use to connect.
Specify the path to this certificate with the `--tls_server_certs` flag when you launch osqueryd.
### Configure and launch osquery
In order for osquery to connect to the fleet server, there are some flags that need to be set:
These can be specified directly in the command line or saved to a flag file.
#### Launching osqueryd using command-line flags
Assuming that you are deploying your enroll secret in the file `/etc/osquery/enroll_secret` and your osquery server certificate is at `/etc/osquery/fleet.crt`, you could copy and paste the following command with the following flags (be sure to replace `fleet.acme.net` with the hostname or IP of your Fleet installation):
If your osquery server certificate is deployed to a path that is not `/etc/osquery/fleet.crt`, be sure to update the `--tls_server_certs` flag. Similarly, if your enroll secret is in an environment variable that is not called `OSQUERY_ENROLL_SECRET`. Then, be sure to update the `--enroll_secret_env` environment variable.
If your enroll secret is defined in a local file, specify the file's path with the `--enroll_secret_path` flag instead of using the `--enroll_secret_env` flag.
#### Launching osqueryd using a flag file
For your convenience, osqueryd supports putting all your flags into a single file. We suggest deploying this file to `/etc/osquery/fleet.flags`. If you've deployed the appropriate osquery flags to that path, you could simply launch osquery via:
```sh
osqueryd --flagfile=/etc/osquery/fleet.flags
```
When using a flag file on Windows, make sure that file paths in the flag file are absolute and not quoted. For example, in `C:\Program Files\osquery\osquery.flags`:
If the existing enrolled hosts use `--host_identifier=uuid` (or the `uuid` setting for Fleet's
[osquery_host_identifier](https://fleetdm.com/docs/deploying/configuration#osquery-host-identifier)), the new
installation should appear as the same host in the Fleet UI. If other settings are used, duplicate
entries will appear in the Fleet UI. The older entries can be automatically cleaned up with the host
expiration setting. To configure this setting, in the Fleet UI, head to **Settings > Organization settings > Advanced options**.
## Add Chromebooks with the fleetd Chrome extension
## Enroll Chromebooks
> The fleetd Chrome browser extension is supported on ChromeOS operating systems that are managed using [Google Admin](https://admin.google.com). It is not intended for non-ChromeOS hosts with the Chrome browser installed.
@ -332,41 +87,32 @@ To install the fleetd Chrome extension on Google Admin, there are two steps:
### Step 1: OU for Chromebook users
Create an [organizational unit](https://support.google.com/a/answer/182537?hl=en) where the extension should be installed. [Add all the relevant users](https://support.google.com/a/answer/182449?hl=en) to this OU.
Visit the Google Admin console. In the navigation menu, visit Devices > Chrome > Apps & Extensions > Users & browsers.
Select the relevant OU where you want the fleetd Chrome extension to be installed.
> Currently, the Chrome extension can only be installed across the entire organization. The work to enable installation for sub-groups is tracked in https://github.com/fleetdm/fleet/issues/13353.
In the bottom right, click the yellow "+" button and select "Add Chrome app or extension by ID."
Visit your Fleet instance and select Hosts > Add Hosts and select ChromeOS in the popup modal.
Enter the "Extension ID," "Installation URL," and "Policy for extensions" using the data provided in the modal.
Under "Installation Policy", select "Force install". Under "Update URL", select "Installation URL (see above)".
In the Google Admin console:
1. In the navigation menu, visit **Devices > Chrome > Apps & Extensions > Users & browsers**.
2. Select the relevant OU where you want the fleetd Chrome extension to be installed.
3. In the bottom right, select the **+** button and select **Add Chrome app or extension by ID**.
4. Go to your Fleet instance and select **Hosts > Add Hosts** and select **ChromeOS** in the popup modal.
5. Enter the **Extension ID**, **Installation URL**, and **Policy for extensions** using the data provided in the modal.
6. Under **Installation Policy**, select **Force install**, and under **Update URL**, select **Installation URL** (see above).
> For the fleetd Chrome extension to have full access to Chrome data, it must be force-installed by enterprise policy as per above
### Step 2: OU to block non-Chromebook devices
Create an [organizational unit](https://support.google.com/a/answer/182537?hl=en) to house devices where the extension should not be installed. [Add all the relevant devices](https://support.google.com/chrome/a/answer/2978876?hl=en) to this OU.
In the Google Admin console, in the navigation menu, visit Devices > Chrome > Managed Browsers.
Select the relevant OU where you want the fleetd Chrome extension to be blocked.
In the bottom right, click the yellow "+" button and select "Add Chrome app or extension by ID."
Visit your Fleet instance and select Hosts > Add Hosts and select ChromeOS in the popup modal.
Enter the "Extension ID" and "Installation URL" using the data provided in the modal.
Under "Installation Policy", select "Block".
In the Google Admin console:
1. In the navigation menu, select **Devices > Chrome > Managed Browsers**.
2. Select the relevant OU where you want the fleetd Chrome extension to be blocked.
3. In the bottom right, select the **+** button and select **Add Chrome app or extension by ID**.
4. Go to your Fleet instance and select **Hosts > Add Hosts** and select **ChromeOS** in the popup modal.
5. Enter the **Extension ID** and **Installation URL** using the data provided in the modal.
6. Under **Installation Policy**, select **Block**.
## Grant full disk access to osquery on macOS
macOS does not allow applications to access all system files by default. If you are using MDM, which
is required to deploy these profiles, you
can deploy a "Privacy Preferences Policy Control" policy to grant Fleetd or osquery that level of
can deploy a "Privacy Preferences Policy Control" policy to grant fleetd or osquery that level of
access. This is necessary to query for files located in protected paths as well as to use event
tables that require access to the [EndpointSecurity
API](https://developer.apple.com/documentation/endpointsecurity#overview), such as *es_process_events*.
@ -375,8 +121,8 @@ API](https://developer.apple.com/documentation/endpointsecurity#overview), such
#### Obtaining identifiers
If you use plain osquery, instructions are [available here](https://osquery.readthedocs.io/en/stable/deployment/process-auditing/).
On a system with osquery installed via the Fleet osquery installer (Fleetd), obtain the
`CodeRequirement` of Fleetd by running:
On a system with osquery installed via the Fleet osquery installer (fleetd), obtain the
- [Enroll hosts with plain osquery](#enroll-hosts-with-plain-osquery)
### Signing fleetd installers
>**Note:** Currently, the `fleetctl package` command does not support signing Windows fleetd installers. Windows installers can be signed after building.
The `fleetctl package` command supports signing and notarizing macOS osquery installers via the
The above command must be run on a macOS device, as the notarizing and signing of macOS fleetd installers can only be done on macOS devices.
Also, remember to replace both `AC_USERNAME` and `AC_PASSWORD` environment variables with your Apple ID and a valid [app-specific](https://support.apple.com/en-ca/HT204397) password, respectively. Some organizations (notably those with Apple Enterprise Developer Accounts) may also need to specify `AC_TEAM_ID`. This value can be found on the [Apple Developer "Membership" page](https://developer.apple.com/account/#!/membership) under "Team ID."
### Generating Windows installers using local WiX toolset
`Applies only to Fleet Premium`
When creating a fleetd installer for Windows hosts (**.msi**) on a Windows machine, you can tell `fleetctl package` to
use local installations of the 3 WiX v3 binaries used by this command (`heat.exe`, `candle.exe`, and
`light.exe`) instead of those in a pre-configured container, which is the default behavior. To do
so:
1. Install the WiX v3 binaries. To install, you can download them
[here](https://github.com/wixtoolset/wix3/releases/download/wix3112rtm/wix311-binaries.zip), then unzip the downloaded file.
2. Find the absolute filepath of the directory containing your local WiX v3 binaries. This will be wherever you saved the unzipped package contents.
3. Run `fleetctl package`, and pass the absolute path above as the string argument to the
If the provided path doesn't contain all 3 binaries, the command will fail.
### Fleetd configuration options
The following command-line flags to `fleetctl package` allow you to configure an osquery installer further to communicate with a specific Fleet instance.
| --disable-updates | Disable auto updates on the generated package (default: false) |
| --osqueryd-channel | Update channel of osqueryd to use (default: `stable`) |
| --orbit-channel | Update channel of Orbit to use (default: `stable`) |
| --desktop-channel | Update channel of desktop to use (default: `stable`) |
| --update-url | URL for update server (default: `https://tuf.fleetctl.com`) |
| --update-roots | Root key JSON metadata for update server (from fleetctl updates roots) |
| --use-system-configuration | Try to read --fleet-url and --enroll-secret using configuration in the host (currently only macOS profiles are supported) |
| --verbose | Log detailed information when building the package (default: false) |
| --local-wix-dir | Use local installations of the 3 WiX v3 binaries this command uses (`heat.exe`, `candle.exe`, and `light.exe`) instead of installations in a pre-configered Docker Hub (only available on Windows w/ WiX v3) |
| --help, -h | show help (default: `false`) |
Fleet supports other methods for adding your hosts to Fleet, such as the plain osquery
Osquery's [TLS API](http://osquery.readthedocs.io/en/stable/deployment/remote/) plugin lets you use
the native osqueryd binaries to connect to Fleet. Learn more [here](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Enroll-hosts-with-plain-osquery.md).
<metaname="pageOrderInSection"value="500">
<metaname="description"value="Learn how to generate installers and enroll hosts in your Fleet instance using fleetd or osquery.">
@ -11,7 +11,7 @@ Run the following command to generate an extension.
```
## Adding Chrome to Fleet
To learn how to package and add hosts to Fleet, visit: https://fleetdm.com/docs/using-fleet/adding-hosts#add-chromebooks-with-the-fleetd-chrome-extension.
To learn how to package and add hosts to Fleet, visit: https://fleetdm.com/docs/using-fleet/enroll-hosts#enroll-chromebooks.
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Marko Lisica
GitHub