Update Orbit changelog (#13744)

Updating changelog to include previous changes that were not documented.

---------

Co-authored-by: Roberto Dip <dip.jesusr@gmail.com>

orbit/CHANGELOG.md

@@ -1,3 +1,145 @@
+## Orbit 1.16.0 (Sep 6 17, 2023)
+
+* Updated the default TUF update roots with the newest metadata in the server. (#13381)
+
+* Updated bundled-in CA certificates. (#13446)
+
+* Removed a listener for the OS. Kill signal since golang can't capture it. (#12861)
+
+* Allow clients to report errors back to the server during the MDM migration flow. (#13189)
+
+* Use OrbitNodeKey for windows mdm enrollment authentication instead of HostUUID (#12847)
+
+* Implemented script execution on the fleetd agent (disabled by default). (#9583)
+
+* Improved the MDM migration dialogs:
+  * Adjusted the copy and images. (#13158)
+  * Made sure that all dialogs take over the screen. (#13512)
+  * Ensure migration dialog doesn't open automatically if it was opened manually. (#13505)
+
+* Fixed theme detection and icon coloring issues for Fleet Desktop on Windows. (#13457)
+
+## Orbit 1.2.0 - Orbit 1.15.0 (Oct 4, 2022 - Aug 17, 2023)
+
+* Fixed an issue preventing Nudge from reading the configuration file delivered by Fleet on some installations. This only affects you if Nudge was enabled and configured on a host using Orbit v1.8.0.
+
+* Added `pmset` table extension to Fleet for CIS check 2.9.1.
+
+* Fixed a bug in Fleet Desktop causing it to spam servers without licenses for policies.
+
+* Added support to enhance the DEP migration flow in macOS for MDM.
+
+* Added `firmware_eficheck_integrity_check` table for macOS CIS 5.9.
+
+* Fixed an issue where Orbit service on Windows was not creating the `secret-orbit-node-key.txt` with a restricted ACL.
+
+* Added periodical restart of the `softwareupdated` service to work around a macOS bug.
+
+* Set `--database_path` in the shell `osqueryd` invocation to retrieve UUID and other fields.
+
+* Updated MDM migration flow to include checking the output of `profiles show -type enrollment`.
+
+* Ensured MDM migration modal is not shown if the host is already enrolled into Fleet.
+
+* Embedded Augeas lenses into Orbit on Unix platforms.
+
+* Added a new table to support the CIS audit process.
+
+* Added `sudo_info` table to Orbit for CIS checks 5.4 and 5.5 on macOS.
+
+* Fixed an issue affecting macOS devices with MDM enabled that prevented Orbit from restarting if Nudge was still open.
+
+* Added support to query Windows MDM enrollment status and enforce MDM commands through the `mdm_bridge` virtual table.
+
+* Dumped pprof data into a `profiles` directory in the Orbit root directory on Unix systems when receiving a SIGUSR1.
+
+* Added `launchctl bootstrap` retries in Orbit `pkg` installer to fix MDM deployments.
+
+* Allowed `fleetd` to get an enroll secret and Fleet URL configuration from a macOS configuration profile.
+
+* Added version information and icons to Orbit and Fleet Desktop binaries.
+
+* Implemented a table to hold `user_login_settings` options extension via Orbit.
+
+* Removed automatic functionality to call `launchctl kickstart -k softwareupdated`.
+
+* Fixed a panic in `fleetd` that might occur when concurrent requests are made to the server.
+
+* Fixed an issue where Orbit lost communication with Fleet server when the certificate used for insecure mode was deleted.
+
+* Added `dscl` table to Orbit for CIS check 5.6 on macOS.
+
+* Fixed an issue that prevented Orbit shell from running when the `osqueryd` instance attempted to register the same named pipe name.
+
+* Ensured Orbit now installs properly on Windows Server 2012 and 2016 with legacy Orbit or Osquery previously installed.
+
+* Fixed an Orbit bug causing repeated restarts when Fleet agent options were configured with `command_line_flags: {}`.
+
+* Fixed an update bug where the Orbit symlink was not present.
+
+* Adjusted the dialog shown during MDM migration to close when the "contact IT" button is pressed.
+
+* Added support for mTLS to `fleetd`.
+
+* Added `authdb` table for macOS CIS check 5.7.
+
+* Fixed a crash that occurred when updates were disabled under certain conditions.
+
+* Implemented a table to hold `csrutil_info` extension via Orbit.
+
+* Fixed a bug that set a wrong Fleet URL in Windows installers.
+
+* Added `sntp_request` table implementation to query NTP servers.
+
+* Stopped rendering errors as tooltips in Fleet Desktop. Errors are now found in the logs.
+
+* Retrieved UUID by reading the SMBIOS interface when WMI call fails on Windows.
+
+* Implemented autoupdate and deploy extensions via Orbit.
+
+* Implemented a table to hold `nvram_info` and `pwd_policy` options extension via Orbit.
+
+* Improved the logic to read enroll secrets from macOS configuration profiles.
+
+* Implemented `icloud_private_relay` table to get iCloud Private Relay status.
+
+* Ensured Orbit kills any pre-existing Fleet Desktop processes at startup.
+
+* Added support for `fleetd` to renew the MDM enrollment profile on pending devices.
+
+* Fixed an issue in Windows where the Fleet service was getting killed if the start took longer than 30 seconds.
+
+* Updated `fleetctl` to generate installer flags that are compatible with MySQL 8 & S3.
+
+* Ensured Fleet Desktop app on Windows removes the tray icon when it exits.
+
+* Added functionality to rotate device tokens every one hour.
+
+* Waited until the device is fully unenrolled from the previous MDM to close the migration dialog.
+
+* Ensured Orbit restarts and switches channels when needed, even if the new channel is already installed.
+
+* Added a new flag, `--use-system-configuration`, for Orbit to read configuration values from the system.
+
+* Added `software_update` table implementation to check whether Apple software needs updating.
+
+* Updated Windows MSI installer to use custom actions to remove Orbit files.
+
+* Allowed configuring osquery startup flags from Fleet, with important notes for existing deployments:
+
+This feature requires Orbit to communicate with Fleet. Orbit uses osquery's enroll secret to authenticate and enroll to Fleet.
+
+On environments where an enroll secret has been revoked, Orbit hosts that were deployed with such secret will fail to enroll to Fleet.
+
+This is not a regression, all existing features should work as expected, but we recommend to fix this issue given that we will be adding more features to Orbit that will use the new communication channel.
+
+1. To determine which hosts need to be fixed, run the following query: `SELECT * FROM orbit_info WHERE enrolled = false`.
+Hosts not running Orbit will fail to execute such query because the table doesn't exist, those can be ignored.
+2. Generate Orbit packages with the new enroll secret.
+3. Deploy Orbit packages to the hosts returned in (1).
+
+* Ensured Orbit re-enrolls when encountering a 401/unauthenticated error when communicating with Fleet server endpoints.
+
 ## Orbit 1.1.0 (Aug 19, 2022)
 
 * Rename `unified_log` table to `macadmins_unified_log` to avoid collision with osquery core. This allows Orbit to support osquery 5.5.0.

orbit/changes/10044-orbit-hang

@@ -1 +0,0 @@
-* Fixed an issue affecting macOS devices with MDM enabled that prevented Orbit for restarting if Nudge was still open.

orbit/changes/10300-symlink-not-present-quirk

@@ -1 +0,0 @@
-* An update bug where orbit symlink was not present is now fixed

orbit/changes/10520-mac-cis-1.1-fix-query

@@ -1 +0,0 @@
-* Add table implementation `software_update` to check whether Apple software needs updating.

orbit/changes/11012-11013-versioninfo-and-icon-on-orbit-binaries

@@ -1 +0,0 @@
-* Added version information and icon on orbit and fleet-desktop binaries

orbit/changes/11218-nudge-config-permissinos

@@ -1 +0,0 @@
-* Fixed an issue preventing Nudge to read the configuration file delivered by Fleet on some installations. This only affects you if Nudge was enabled and configured on a host using Orbit v1.8.0

orbit/changes/11244-cis-audit-table

@@ -1 +0,0 @@
-* New table was added to support CIS audit process

orbit/changes/11534-orbit-fd

@@ -1 +0,0 @@
-* MDM: added support to enhance the DEP migration flow in macOS.

orbit/changes/11692-profile-config-read

@@ -1 +0,0 @@
-* Improve the logic to read enroll secrets from macOS configuration profiles to be compatible with different MDM providers.

orbit/changes/11777-deprecate-kickstart-softwareupdated

@@ -1,2 +0,0 @@
-* Removed automatic functionality to call `launchctl kickstart -k softwareupdated` periodically, which was causing issues on some macOS devices.
-  The `--disable-kickstart-softwareupdated` flag is kept for backwards compatibility but it doesn't have any effect.

orbit/changes/11859-swiftDialog-layout

@@ -1 +0,0 @@
-* Adjusted the dialog shown during MDM migration to close when the button to contact IT is pressed.

orbit/changes/11980-updates-panic

@@ -1 +0,0 @@
-* Fixed a crash that happened when updates where disabled and certain conditions (Nudge configuration set or host elegible for MDM migration) were met.

orbit/changes/12068-migration-sanity-check

@@ -1 +0,0 @@
-* Ensure MDM migration modal is not shown, and enrollment commands are not run if the host is already enrolled into Fleet

orbit/changes/12955-windows-desktop-icon-colors

@@ -1 +0,0 @@
-* Replace the black and white Fleet desktop icons with a single colorful icon on Windows.

orbit/changes/13102-check-assigned-enrollment-profile

@@ -1,3 +0,0 @@
-- Updated MDM migration flow to include checking the output of `profiles show -type enrollment`
-  as a pre-condition for `profiles renew -type enrollment` to mitigate issues where caching or other
-  unexpected delays in Apple DEP profile assignment could cause the wrong profile to be renewed.

orbit/changes/13175-windows-url

@@ -1 +0,0 @@
-* Fixed a bug that set a wrong Fleet URL in Windows installers.

orbit/changes/13310-scripts-config

@@ -1,2 +0,0 @@
-* Add a `--enable-scripts` flag to `fleetctl package` to build a package capable of script execution
-* Allow script execution to be enabled by providing a configuration profile with `PayloadType` equal to `com.fleetdm.fleetd.config` and a key `ScriptsEnabled` set to `true`.

orbit/changes/13450-migration-hold

@@ -1 +0,0 @@
-* Wait until the device is fully unenrolled from the previous MDM to close the migration dialog.

orbit/changes/13505-migrate-frequency

@@ -1 +0,0 @@
-* Ensure migration dialog is not opened automatically if it was opened manually in the last 15 minutes

orbit/changes/6441-duplicated-fleet-desktop-bis

@@ -1,2 +0,0 @@
-* Orbit now kills any pre-existing fleet desktop processes at startup.
-* Orbit now handles SIGTERM on unix.

orbit/changes/6581-remote-flags-management

@@ -1,13 +0,0 @@
-* Orbit allows configuring osquery startup flags from Fleet, see [#7377](https://github.com/fleetdm/fleet/issues/7377).
-
-Important note for existing deployments that use Orbit: 
-This feature requires Orbit to communicate with Fleet. Orbit uses osquery's enroll secret to authenticate and enroll to Fleet.
-On environments where an enroll secret has been revoked, Orbit hosts that were deployed with such secret will fail to enroll to Fleet.
-This is not a regression, all existing features should work as expected, but we recommend to fix this issue given that we will be adding
-more features to Orbit that will use the new communication channel.
-
-1. To determine which hosts need to be fixed, run the following query: `SELECT * FROM orbit_info WHERE enrolled = false`.
-Hosts not running Orbit will fail to execute such query because the table doesn't exist, those can be ignored.
-2. Generate Orbit packages with the new enroll secret.
-3. Deploy Orbit packages to the hosts returned in (1).
-

orbit/changes/7517-token-rotation

@@ -1 +0,0 @@
-- Added functionality to rotate device tokens every one hour

orbit/changes/7970-orbit-mtls-support

@@ -1 +0,0 @@
-* Add support for mTLS to fleetd.

orbit/changes/8373-fix-desktop-free-spam

@@ -1 +0,0 @@
-- Fixed a bug in Fleet Desktop causing it to spam servers without licenses for policies.

orbit/changes/8485-dump-pprof

@@ -1,2 +0,0 @@
-- On Unix systems, dump pprof data into a `profiles` directory in the orbit root dir
-  when receiving a SIGUSR1. This is to assist debugging for memory leaks

orbit/changes/8901-augeas-lenses

@@ -1,2 +0,0 @@
-- Embed augeas lenses into orbit on Unix platforms so that the `augeas`
-  table works without further configuration

orbit/changes/9132-orbit-enroll-set-osquery-db-to-retrieve-uuid

@@ -1 +0,0 @@
-* Set `--database_path` in the shell osqueryd invocation to retrieve UUID and other fields.

orbit/changes/9239-cis-2.3.2.2

@@ -1 +0,0 @@
-* Add table implementation `sntp_request` to query NTP servers.

orbit/changes/9253-add-fleetd-table-pmset

@@ -1 +0,0 @@
-* Add `pmset` table extension to fleed for CIS check 2.9.1.

orbit/changes/9260-add-authdb-table

@@ -1 +0,0 @@
-* Add `authdb` table for macOS CIS check 5.7.

orbit/changes/9260-add-dscl-table-cis-5.6

@@ -1 +0,0 @@
-* Add `dscl` table to Orbit for CIS check 5.6 on macOS.

orbit/changes/9260-add-firmware_eficheck_integity_check-table

@@ -1 +0,0 @@
-* Add `firmware_eficheck_integrity_check` table for macOS CIS 5.9.

orbit/changes/9260-add-sudo_info-table-cis-5.X

@@ -1 +0,0 @@
-* Add `sudo_info` table to Orbit for CIS checks 5.4 and 5.5 on macOS.

orbit/changes/9310-new-mdm-bridge-osquery-table

@@ -1 +0,0 @@
-* Adding support to query Windows MDM enrollment status and to enforce MDM commands through the mdm_bridge virtual table

orbit/changes/9459-read-config

@@ -1 +0,0 @@
-* Allow `fleetd` to get an enroll secret and Fleet URL configuration from a configuration profile on macOS.

orbit/changes/9459-use-system-config

@@ -1 +0,0 @@
-* Added a new flag, `--use-system-configuration` to make orbit read configuration values from the system. Currently this is only supported in macOS via configuration profiles.

orbit/changes/add-retries-bootstrap-mdm-push

@@ -1 +0,0 @@
-- Added `launchctl bootstrap` retries in Orbit `pkg` installer to fix MDM deployments of Orbit (when pushed with `InstallEnterpriseApplication`).

orbit/changes/bug-3563-uninstall-does-not-remove-files

@@ -1 +0,0 @@
-* Windows MSI installer now uses custom actions to remove Orbit files

orbit/changes/bug-6479-store-proxy-cert-at-secure-location

@@ -1,2 +0,0 @@
-* Orbit lost communication with Fleet server 
-when the certificate used for insecure mode gets deleted.  

orbit/changes/bug-6935-cannot-run-orbit-shell-on-windows

@@ -1 +0,0 @@
-* Fixed an issue that prevented orbit shell to run when the osqueryd instance ran through orbit shell attempted to register the same named pipe name used by the osqueryd instance launched by orbit service

orbit/changes/bug-7874-call-scm-on-service-start

@@ -1,3 +0,0 @@
-* When running on Windows, Fleet service was getting killed by the OS when
-service start takes longer than 30 secs due to missing calls to the 
-Service Control Manager (SCM) APIs.

orbit/changes/bug-8009-fleet-desktop-duplicated-icon

@@ -1 +0,0 @@
-* Fleet-desktop app on windows now removes the tray icon when it exits

orbit/changes/bug-8974-smbios-uuid-value-retrieval

@@ -1 +0,0 @@
-* When WMI call fails on Windows, UUID can now be retrieved by reading the SMBIOS interface.

orbit/changes/bug-9053-update-symlink-on-change

@@ -1,2 +0,0 @@
-* Orbit now restarts and switches channels when needed,
-even if the new channel is already installed

orbit/changes/bug-9157-secret-orbit-node-file-is-world-accessible

@@ -1 +0,0 @@
-* Orbit service on windows is not creating the secret-orbit-node-key.txt with a restricted ACL to allow only privileged users to access its content

orbit/changes/bug-9576-orbit-fails-to-install-on-legacy-windows-servers

@@ -1 +0,0 @@
-* Orbit now installs propery on Windows Server 2012 and 2016 environments with legacy Orbit or Osquery previously installed

orbit/changes/bug-orbit-restart-empty-flags

@@ -1 +0,0 @@
-- Fixed Orbit bug that caused it to restart repeatedly when Fleet agent options are configured with `command_line_flags: {}`.

orbit/changes/concurrent-requests

@@ -1 +0,0 @@
-* Fix a panic in `fleetd` that might occurr when concurrent requests are made to the server.

orbit/changes/icloud-private-relay

@@ -1 +0,0 @@
-- Implement `icloud_private_relay` table to get iCloud Private Relay status.

orbit/changes/issue-9278-orbit-renew-enrollment-profile

@@ -1 +0,0 @@
-* Added support to `fleetd` to run the necessary command to renew the MDM enrollment profile on the devices that are pending automatic enrollment into Fleet MDM.

orbit/changes/issue-9347-kickstart-softwareupdated

@@ -1 +0,0 @@
-* Added periodical restart of the `softwareupdated` service to work around a macOS bug where it sometimes hangs and prevents software updates.

orbit/changes/issue-9550-default-carver-block-size

@@ -1 +0,0 @@
-- update fleetctl to generate installer flags that use a larger default file carving block size compatible with MySQL 8 & S3

orbit/changes/orbit-extensions-autoupdate

@@ -1 +0,0 @@
-- Implement autoupdate and deploy extensions via Orbit

orbit/changes/orbit-extensions-csrutil_info

@@ -1 +0,0 @@
-- Implement table to hold csrutil_info extension via Orbit

orbit/changes/orbit-extensions-nvram-info

@@ -1 +0,0 @@
-- Implement table to hold nvram_info extension via Orbit

orbit/changes/orbit-extensions-pwd-policy

@@ -1 +0,0 @@
-- Implement table to hold pwd_policy options extension via Orbit

orbit/changes/orbit-extensions-user-login-settings

@@ -1 +0,0 @@
-- Implement table to hold user_login_settings options extension via Orbit

orbit/changes/remove-desktop-errors-tooltip

@@ -1 +0,0 @@
-* Stop rendering errors as tooltips in Fleet Desktop. Errors can now be found in the Fleet Desktop logs.

orbit/changes/retry-enroll-on-unauth-error

@@ -1 +0,0 @@
-* Orbit now re-enroll when encountering a 401/unauthenticated error when communicating with orbit endpoints on Fleet server

orbit/changes/windows-theme-detection

@@ -1 +0,0 @@
-* Fix theme detection and icon coloring issues for Fleet Desktop on Windows.