* Migrated the last of the articles Migrated the remaining articles: • Fleet 4.6.0 with osquery installer, enroll secret management, and improved host vitals • Fleet 4.5.0 with new team admin role, live OS compatibility checking, query performance impact, and a new-look dashboard • Fleet 4.4.0 releases aggregated software inventory, team policies, and improved team scheduling • Fleet 4.3.0 • Fleet 4.2.0 • Fleet 4.1.0 • Fleet 4.0.0 • Fleet 3.13 released • Fleet 3.12 released • Fleet 3.11.0 released with software inventory • Fleet 3.10.0 released with agent auto-updates beta • Fleet 3.9.0 • Fleet 3.8.0 • Fleet 3.7.1 • Fleet 3.6.0 • Fleet 3.5.0 * update hr styles * remove unused images Co-authored-by: eashaw <caglc@live.com>
5.8 KiB
Fleet 4.0.0 released with Role-based access control and Teams features
Fleet 4.0.0 is now available to spread the power of Fleet throughout your organization, with Teams for separating devices into exclusive groups, Role-based access control to define a user’s access to features in Fleet, and API-only users to help you create more automation pipelines.
Spread the power of Fleet
Fleet is utilized at organizations with hundreds of thousands of devices. Our new Teams feature enables separating hosts into exclusive groups. This way, users can easily act on a consistent group of devices.
Having access to Fleet and it’s features provides you with a powerful toolset however, not all individuals in your organization need to be able to do everything that Fleet offers. Our new Role-based access control (RBAC) feature helps you define who can do what in Fleet. This way, more individuals in your organization can utilize Fleet with appropriate levels of access.
Teams
Available in Fleet Basic
In Fleet 4.0.0, you can group hosts together in a team. With hosts segmented into exclusive teams, you can apply specific queries, query packs, and configuration to each team. For example, you could create teams based on actual teams within your organization, or you might want to create a team for each type of system, e.g., “Workstations,” “Workstations-sandbox”, “Servers,” etc. Once you have your teams set up you can:
- Enroll hosts to one team using team specific enroll secrets
- Apply unique configuration to each Team
- Schedule queries that target one or more Teams
- Run live queries against one or more Teams
- Grant users access to one or more Teams
Users with the Admin role can create teams at Settings > Teams in the Fleet UI. Check out the Fleet documentation for instructions on creating teams, enrolling devices to teams, adding users to teams, and more.
Role-based access control (RBAC)
Available in Fleet Core, Fleet Basic
We’re pleased to announce the introduction of the Admin, Maintainer, and Observer users roles in Fleet! Users can now be assigned one of the three roles to restrict or expand their access to features in Fleet. This is especially useful for when an individual in your organization needs to run a specific saved query in Fleet and nothing else. For example, someone working at your help desk can be given access to Fleet to only collect information on which applications are installed on company laptops. Users with the Admin role can create and assign new users to the three new roles at Settings > Users in the Fleet UI.
API-only users
Available in Fleet Core, Fleet Basic
You can now create users that can only access the Fleet API and fleetctl
CLI tool. This allows you to generate as many automation or bot users as you like without having to think about who and which accounts can access the Fleet UI. API-only users can currently be created by adding the --api_only
flag to the fleetctl user create
command. Look for this ability to come to the Fleet UI in a future release of Fleet.
Ready to update?
Visit our update guide for instructions on how to update.
Fleet 4.0.0 is a major release and introduces several breaking changes and database migrations. The following sections call out changes to consider when upgrading to Fleet 4.0.0:
The structure of Fleet’s .tar.gz
and .zip
release archives have changed slightly. Deployments that use the binary artifacts may need to update scripts or tooling. The fleetdm/fleet
Docker container maintains the same API.
Use strictly fleet
in Fleet’s configuration, API routes, and environment variables. Users must update all usage of kolide
in these items (deprecated since Fleet 3.8.0).
Change your SAML SSO URI to use fleet
instead of kolide
. This is due to the changes to Fleet’s API routes outlined in the section above.
Change the server_tlsprofile
configuration option to server_tls_compatibility
. This options previously had an inconsistent key name.
Replace the use of the api/v1/fleet/spec/osquery/options
with api/v1/fleet/config
. In Fleet 4.0.0, “osquery options” are now called “agent options.” The new agent options are moved to the Fleet application config spec file and the api/v1/fleet/config
API endpoint.
Enroll secrets no longer have “names” and are now either global or for a specific team. Hosts no longer store the “name” of the enroll secret that was used. Users that want to be able to segment hosts (for configuration, queries, etc.) based on the enrollment secret should use the Teams feature in Fleet Basic.
JWT encoding is no longer used for session keys. Sessions now default to expiring in 4 hours of inactivity. auth_jwt_key
and auth_jwt_key_file
are no longer accepted as configuration.
As of Fleet 4.0.0, Fleet Device Management Inc. periodically collects anonymous information about your instance. Sending usage statistics is turned off by default for users upgrading from a previous version of Fleet. Read more about the exact information collected here.