8fb22579ea
Closes: #12611 Changes: - Added three new documentation sections `/docs/get-started/`, `/docs/configuration` and `/docs/rest api/` - Updated folder names: `/docs/Using-Fleet/` » `/docs/Using Fleet` and `/docs/deploying` » `/docs/deploy/` - Moved `/docs/using-fleet/process-events.md` to `/articles` and updated the meta tags to change it into a guide. - Added support for a new meta tag: `navSection`. This meta tag is used to organize pages in the sidebar navigation on fleetdm.com/docs - Moved `docs/using-fleet/application-security.md` and `docs/using-fleet/security-audits.md` to the security handbook. - Moved `docs/deploying/load-testing.md` and `docs/deploying/debugging.md` to the engineering handbook. - Moved the following files/folders: - `docs/using-fleet/configuration-files/` » `docs/configuration/configuration-files/` - `docs/deploying/configuration.md` » `docs/configuration/fleet-server-configuration.md` - `docs/using-fleet/rest-api.md` » `docs/rest-api/rest-api.md` - `docs/using-fleet/monitoring-fleet.md` » `docs/deploy/rest-api.md` - Updated filenames: - `docs/using-fleet/permissions.md` » `docs/using-fleet/manage-access.md` - `docs/using-fleet/adding-hosts.md` » `docs/using-fleet/enroll-hosts.md` - `docs/using-fleet/teams.md` » `docs/using-fleet/segment-hosts.md` - `docs/using-fleet/fleet-ctl-agent-updates.md` » `docs/using-fleet/update-agents.md` - `docs/using-fleet/chromeos.md` » `docs/using-fleet/enroll-chromebooks.md` - Updated the generated markdown in `server/fleet/gen_activity_doc.go` and `server/service/osquery_utils/gen_queries_doc.go` - Updated the navigation sidebar and mobile dropdown links on docs pages to group pages by their `navSection` meta tag. - Updated fleetdm.com/docs not to show pages in the `docs/contributing/` folder in the sidebar navigation - Added redirects for docs pages that have moved. . --------- Co-authored-by: Mike Thomas <mthomas@fleetdm.com> Co-authored-by: Rachael Shaw <r@rachael.wtf>
3.6 KiB
Fleet Desktop
Fleet Desktop is a menu bar icon available on macOS, Windows, and Linux.
At its core, Fleet Desktop gives your end users visibility into the security posture of their machine. This unlocks two key benefits:
- Self-remediation: end users can see which policies they are failing and resolution steps, reducing the need for IT and security teams to intervene
- Scope Transparency: end users can see what the Fleet agent can do on their machines, eliminating ambiguity between end users and their IT and security teams
Self-remediation is only available for users with Fleet Premium
OS support
Fleet Desktop is supported on macOS 12+.
Installing Fleet Desktop
For information on how to install Fleet Desktop, visit: Adding Hosts.
Upgrading Fleet Desktop
Once installed, Fleet Desktop will be automatically updated via Fleetd. To learn more, visit: Self-managed agent updates.
Custom transparency link
For organizations with complex security postures, they can direct end users to a resource of their choice to serve custom content.
The custom transparency link is only available for users with Fleet Premium
To turn on the custom transparency link in the Fleet GUI, click on your profile in the top right and select "Settings." On the settings page, go to "Organization Settings" and select "Fleet Desktop." Use the "Custom transparency URL" text input to specify the custom URL.
For information on how to set the custom transparency link via a YAML configuration file, see the configuration files documentation.
Securing Fleet Desktop
Requests sent by Fleet Desktop and the web page that opens when clicking on the "My Device" tray item use a Random (Version 4) UUID token to uniquely identify each host.
The server uses this token to authenticate requests that give host information. Fleet uses the following methods to secure access to this information.
Rate Limiting
To prevent brute-forcing, Fleet rate-limits the endpoints used by Fleet Desktop on a per-IP basis. If an IP requests more than 720 invalid UUIDs in a one-hour interval, Fleet will return HTTP error code 429.
Token Rotation
ℹ️ In Fleet v4.22.0, token rotation for Fleet Desktop was introduced.
Starting with Fleet v4.22.0, the server will reject any token older than one hour since it was issued. This helps Fleet protect against unintentionally leaked or brute-forced tokens.
As a consequence, Fleet Desktop will issue a new token if the current token is:
- Rejected by the server
- Older than one hour
This change is imperceptible to users, as clicking on the "My Device" tray item always uses a valid token. If a user visits an address with an expired token, they will get a message instructing them to click on the tray item again.