Merge branch 'main' into nonpunctual-patch-10

.github/scripts/dogfood-policy-updater-latest-macos.sh

@@ -0,0 +1,108 @@
+#!/bin/bash
+
+# Variables
+REPO_OWNER="fleetdm"
+REPO_NAME="fleet"
+FILE_PATH="it-and-security/lib/macos/policies/latest-macos.yml"
+BRANCH="main"
+NEW_BRANCH="update-macos-version-$(date +%s)"
+
+# Ensure required environment variables are set
+if [ -z "$DOGFOOD_AUTOMATION_TOKEN" ] || [ -z "$DOGFOOD_AUTOMATION_USER_NAME" ] || [ -z "$DOGFOOD_AUTOMATION_USER_EMAIL" ]; then
+    echo "Error: Missing required environment variables."
+    exit 1
+fi
+
+# GitHub API URL
+FILE_URL="https://api.github.com/repos/$REPO_OWNER/$REPO_NAME/contents/$FILE_PATH?ref=$BRANCH"
+
+# Fetch the file contents from GitHub
+response=$(curl -s -H "Authorization: token $DOGFOOD_AUTOMATION_TOKEN" -H "Accept: application/vnd.github.v3.raw" "$FILE_URL")
+
+if [ -z "$response" ] || [[ "$response" == *"Not Found"* ]]; then
+    echo "Error: Failed to fetch file or file does not exist in the repository."
+    exit 1
+fi
+
+# Extract the query line
+query_line=$(echo "$response" | grep 'query:')
+if [ -z "$query_line" ]; then
+    echo "Error: Could not find the query line in the file."
+    exit 1
+fi
+
+# Extract the version number from the query line
+policy_version_number=$(echo "$query_line" | grep -oE "'[0-9]+\.[0-9]+(\.[0-9]+)?'" | sed "s/'//g")
+if [ -z "$policy_version_number" ]; then
+    echo "Error: Failed to extract the policy version number."
+    exit 1
+fi
+
+echo "Policy version number: $policy_version_number"
+
+# Fetch the latest macOS version
+latest_macos_version=$(curl -s "https://sofafeed.macadmins.io/v1/macos_data_feed.json" | \
+jq -r '.. | objects | select(has("ProductVersion")) | .ProductVersion' | sort -Vr | head -n 1)
+
+if [ -z "$latest_macos_version" ]; then
+    echo "Error: Failed to fetch the latest macOS version."
+    exit 1
+fi
+
+echo "Latest macOS version: $latest_macos_version"
+
+# Compare versions and update the file if needed
+if [ "$policy_version_number" != "$latest_macos_version" ]; then
+    echo "Updating query line with the new version..."
+
+    # Prepare the new query line
+    new_query_line="query: SELECT 1 FROM os_version WHERE version >= '$latest_macos_version';"
+
+    # Update the response
+    updated_response=$(echo "$response" | sed "s/query: .*/$new_query_line/")
+    if [ -z "$updated_response" ]; then
+        echo "Error: Failed to update the query line."
+        exit 1
+    fi
+
+    # Create a temporary file for the update
+    temp_file=$(mktemp)
+    echo "$updated_response" > "$temp_file"
+
+    # Configure Git
+    git config --global user.name "$DOGFOOD_GIT_USER_NAME"
+    git config --global user.email "$DOGFOOD_GIT_USER_EMAIL"
+
+    # Clone the repository and create a new branch
+    git clone "https://$DOGFOOD_AUTOMATION_TOKEN@github.com/$REPO_OWNER/$REPO_NAME.git" repo || {
+        echo "Error: Failed to clone repository."
+        exit 1
+    }
+    cd repo || exit
+    git checkout -b "$NEW_BRANCH"
+    cp "$temp_file" "$FILE_PATH"
+    git add "$FILE_PATH"
+    git commit -m "Update macOS version number to $latest_macos_version"
+    git push origin "$NEW_BRANCH"
+
+    # Create a pull request
+    pr_data=$(jq -n --arg title "Update macOS version number to $latest_macos_version" \
+                 --arg head "$NEW_BRANCH" \
+                 --arg base "$BRANCH" \
+                 '{title: $title, head: $head, base: $base}')
+
+    pr_response=$(curl -s -H "Authorization: token $DOGFOOD_AUTOMATION_TOKEN" \
+        -H "Accept: application/vnd.github.v3+json" \
+        -X POST \
+        -d "$pr_data" \
+        "https://api.github.com/repos/$REPO_OWNER/$REPO_NAME/pulls")
+
+    if [[ "$pr_response" == *"Validation Failed"* ]]; then
+        echo "Error: Failed to create a pull request. Response: $pr_response"
+        exit 1
+    fi
+
+    echo "Pull request created successfully."
+else
+    echo "No updates needed; the version is the same."
+fi

.github/workflows/dogfood-automated-policy-updates.yml

@@ -0,0 +1,28 @@
+name: "Automated policy updates for dogfood"
+
+on:
+  schedule:
+    - cron: '0 */6 * * *'  # Run every 6 hours
+  workflow_dispatch:     # Allow manual trigger
+
+jobs:
+  update-macos-versions:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Git
+        run: |
+          git config --global user.name "GitHub Action"
+          git config --global user.email "[email protected]"
+
+      - name: Run macOS version update script
+        run: |
+          chmod +x ./.github/scripts/dogfood-policy-updater-latest-macos.sh
+          ./.github/scripts/dogfood-policy-updater-latest-macos.sh
+        env:
+          DOGFOOD_AUTOMATION_TOKEN: ${{ secrets.DOGFOOD_AUTOMATION_TOKEN }}
+          DOGFOOD_AUTOMATION_USER_NAME: ${{ secrets.DOGFOOD_AUTOMATION_USER_NAME }}
+          DOGFOOD_AUTOMATION_USER_EMAIL: ${{ secrets.DOGFOOD_AUTOMATION_USER_EMAIL }}

.github/workflows/goreleaser-fleet.yaml

@@ -4,7 +4,6 @@ on:
   push:
     tags:
       - "fleet-*"
-      - "rc-fleetctl-*"
 
 # This allows a subsequently queued workflow run to interrupt previous runs
 concurrency:

articles/custom-os-settings.md

@@ -30,13 +30,13 @@ In the Fleet UI, head to the **Controls > OS settings** tab.
 
 In the top box, with "Verified," "Verifying," "Pending," and "Failed" statuses, click each status to view a list of hosts:
 
-* Verified: hosts that installed all configuration profiles. Fleet has verified with osquery.
+* **Verified**: hosts that applied all OS settings. Fleet verified by running an osquery query on Windows and macOS hosts (declarations profiles are verified with a [DDM StatusReport](https://developer.apple.com/documentation/devicemanagement/statusreport)). Currently, iOS and iPadOS hosts are "Verified" after they acknowledge all MDM commands to apply OS settings.
 
-* Verifying: hosts that have acknowledged all MDM commands to install configuration profiles. Fleet is verifying the profiles are installed with osquery. If the profile wasn't installed, Fleet will redeliver the profile.
+* Verifying: hosts that acknowledged all MDM commands to apply OS settings. Fleet is verifying. If the profile wasn't delivered, Fleet will redeliver the profile.
 
-* Pending: hosts that will receive MDM commands to install configuration profiles when the hosts come online.
+* Pending: hosts that are running MDM commands or will run MDM commands to apply OS settings when they come online.
 
-* Failed: hosts that failed to install configuration profiles. For Windows profiles, the status codes are documented in Microsoft's documentation [here](https://learn.microsoft.com/en-us/windows/client-management/oma-dm-protocol-support#syncml-response-status-codes).
+* Failed: hosts that failed to apply OS settings. For Windows profiles, the status codes are documented in Microsoft's documentation [here](https://learn.microsoft.com/en-us/windows/client-management/oma-dm-protocol-support#syncml-response-status-codes).
 
 In the list of hosts, click on an individual host and click the **OS settings** item to see the status for a specific setting.
 

articles/deploying-entra-platform-sso-with-fleet.md

@@ -0,0 +1,152 @@
+# Deploying Entra Platform SSO with Fleet
+Apple’s Platform Single Sign-on (Platform SSO), [introduced at WWDC22](https://developer.apple.com/videos/play/wwdc2022/10045) alongside macOS Ventura, iOS 17, and iPadOS 17, enables users to sign in to their identity provider credentials once and automatically access apps and websites that require authentication through an IdP.
+
+This guide details how to deploy Microsoft Entra’s macOS Platform SSO extension to your Fleet macOS hosts.
+
+## Why use Platform SSO?
+If your Identity Provider (IdP) supports Platform Single Sign-on, deploying it in your environment offers a great and secure sign-in experience for your users.
+
+Rather than your users having to enter credentials each time they sign in to an app protected by Entra, the Platform SSO extension will automatically perform the authentication using a Secure Enclave-backed key.
+
+This speeds up the authentication process for your employees and is more resistant to phishing than a traditional username and password.
+
+## Requirements
+- macOS 13 or later
+- Microsoft Entra ID
+- A Fleet server with Apple MDM turned on
+- Microsoft’s [Company Portal app](https://go.microsoft.com/fwlink/?linkid=853070) (version 5.2404.0 or greater)
+- iMazing Profile Editor (optional)
+- If using Google Chrome, [Microsoft’s Single Sign On Extension](https://chromewebstore.google.com/detail/microsoft-single-sign-on/ppnbnpeolgkicgegkbkbjmhlideopiji)
+
+## Deploy the Company Portal app
+### Upload the Company Portal app to your Fleet server
+On your Fleet server, select the team you want to deploy Platform SSO to. Navigate to **Software > Add software > Custom package > Choose file**.
+
+Select the `CompanyPortal-Installer.pkg` file on your computer, then click the **Add software** button.
+
+Choose if you want to manually install the Company Portal app on your hosts or have Fleet automatically do it. If you select **Automatic**, Fleet will create a policy to detect which hosts do not have the Company Portal app and install it. If you select **Manual**, you'll need to trigger the install from the **Software** tab on individual hosts from the host's details page .
+
+Next, let’s build the configuration profile that enables the Company Portal Platform SSO extension.
+
+## Building the Platform SSO Configuration Profile
+Once your hosts have the Company Portal app installed, you’ll need to deploy a configuration profile that enables the Microsoft Enterprise SSO plug-in.
+
+On your Mac, open iMazing Profile Editor. In the **General** domain, select a name for your Platform SSO profile in the **Payload Display Name** field. If you wish, you can modify the identifier and UUID fields to meet your organization’s naming standards, but it’s also fine to leave them as they are.
+
+Next, find the **Extensible Single Sign-On** payload from the list of available system domains, and click the **+ Add Configuration Payload** button.
+
+Before we start to add values to the payload, double-check to make sure that only macOS is selected in the toolbar at the top of the iMazing window. Some of the keys we’ll be using are macOS only and won’t appear if iOS, tvOS, or watchOS are also selected.
+
+>Note: This profile uses the `SecureEnclaveKey` authentication method, which uses a Secure Enclave-backed key to authenticate with the IdP instead of the user’s local account password. If you wish, you can instead use Password, which prompts the user for their local account password to authenticate with the IdP and keeps it in sync with the IdP.
+
+Enter the following values for the specified keys:
+**Extension Identifier:** com.microsoft.CompanyPortalMac.ssoextension
+**Type:** Redirect
+**Team Identifier:** UBF8T346G9
+**URLs:** https://login.microsoftonline.com
+https://login.microsoft.com
+https://sts.windows.net
+**Screen Locked Behavior:** Do Not Handle
+**Authentication Method:** User Secure Enclave Key
+**Platform SSO Authentication Method:** UserSecureEnclaveKey
+**Use Shared Device Keys:** Checked
+**Account Name:** preferred_username
+**Full Name:** name
+
+The finalized profile should look like this:
+```
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>PayloadContent</key>
+	<array>
+		<dict>
+			<key>AuthenticationMethod</key>
+			<string>UserSecureEnclaveKey</string>
+			<key>ExtensionIdentifier</key>
+			<string>com.microsoft.CompanyPortalMac.ssoextension</string>
+			<key>PayloadDisplayName</key>
+			<string>Extensible Single Sign-On</string>
+			<key>PayloadIdentifier</key>
+			<string>com.apple.extensiblesso.4D68D4CF-1250-4FF4-AFFB-1176DB539C49</string>
+			<key>PayloadType</key>
+			<string>com.apple.extensiblesso</string>
+			<key>PayloadUUID</key>
+			<string>4D68D4CF-1250-4FF4-AFFB-1176DB539C49</string>
+			<key>PayloadVersion</key>
+			<integer>1</integer>
+			<key>PlatformSSO</key>
+			<dict>
+				<key>AuthenticationMethod</key>
+				<string>UserSecureEnclaveKey</string>
+				<key>TokenToUserMapping</key>
+				<dict>
+					<key>AccountName</key>
+					<string>preferred_username</string>
+					<key>FullName</key>
+					<string>name</string>
+				</dict>
+				<key>UseSharedDeviceKeys</key>
+				<true/>
+			</dict>
+			<key>ScreenLockedBehavior</key>
+			<string>DoNotHandle</string>
+			<key>TeamIdentifier</key>
+			<string>UBF8T346G9</string>
+			<key>Type</key>
+			<string>Redirect</string>
+			<key>URLs</key>
+			<array>
+				<string>https://login.microsoftonline.com</string>
+				<string>https://login.microsoft.com</string>
+				<string>https://sts.windows.net</string>
+			</array>
+		</dict>
+	</array>
+	<key>PayloadDisplayName</key>
+	<string>PlatformSSO</string>
+	<key>PayloadIdentifier</key>
+	<string>com.fleetdm.platformsso.652B07D0-2E08-45CE-9423-1FCAFFAEC390</string>
+	<key>PayloadType</key>
+	<string>Configuration</string>
+	<key>PayloadUUID</key>
+	<string>652B07D0-2E08-45CE-9423-1FCAFFAEC390</string>
+	<key>PayloadVersion</key>
+	<integer>1</integer>
+</dict>
+</plist>
+```
+Save the profile to your computer so you can upload it to Fleet in the next section. I named mine `platform-sso-settings.mobileconfig`. If you wish, you can sign the profile before uploading it, but this is not required.
+
+### Deploy the Configuration Profile to your Hosts
+Now that we have a configuration profile with our desired settings, we can upload it to Fleet to deploy it to our hosts and activate the Platform SSO extension.
+
+On your Fleet server, select the team you want to deploy Platform SSO to. Navigate to Controls > OS Settings > Custom settings. Click the Add profile button, then find the `platform-sso-settings.mobileconfig` profile on your computer and upload it to Fleet.
+
+Uploading the profile to a team in Fleet will automatically deliver it to all macOS hosts enrolled in that team. If you wish to have more control over which hosts on the team receive the profile, you can use labels to target or exclude specific hosts.
+
+
+## End User Experience
+When the Company Portal app and Platform SSO configuration profile are deployed to a host, the end user will receive a notification that says **Registration Required: Please register with your identity provider**. You should direct your end users to interact with this notification by clicking the **Register** button that appears when they hover their mouse over the notification.
+
+![Registration Notification](../website/assets/images/articles/deploying-entra-platform-sso-with-fleet-registration-notification.png)
+
+After clicking the register button in the notification, a Platform Single Sign-On Registration window will appear. After clicking **Continue**, the user will be prompted for the password they use to log into their Mac (this might be different than their Entra ID password).
+
+![Registration Window](../website/assets/images/articles/deploying-entra-platform-sso-with-fleet-register-window.png)
+
+Next, they’ll be prompted to sign into Microsoft Entra ID. This is what associates the user’s device to their Microsoft Entra ID account.
+
+Lastly, they’ll be prompted to enable the Company Portal app to be used as a Passkey. The notification will direct them to System Settings and enable the toggle next to the Company Portal app.
+
+![Enable PSSO Passkey](../website/assets/images/articles/deploying-entra-platform-sso-with-fleet-passkey.gif)
+
+Once registration is complete, the next time an employee logs into an Entra ID protected app in their web browser, the authentication will be seamless. The employee won’t be prompted for their password or be required to complete an MFA challenge. The Platform SSO extension will handle the the entire authentication using the Secure Enclave-backed key.
+
+<meta name="category" value="guides">
+<meta name="authorGitHubUsername" value="ddribeiro">
+<meta name="authorFullName" value="Dale Ribeiro">
+<meta name="publishedOn" value="2024-07-03">
+<meta name="articleTitle" value="Deploying Platform SSO with Microsoft Entra ID">
+<meta name="description" value="Learn how to use Fleet to deploy the Microsoft Entra ID Platfrom SSO Extension">

articles/interactive-entertainment-company-adopts-fleet-for-mdm.md

@@ -31,7 +31,7 @@ Smooth and seamless migration.
 By switching to Fleet, they continue to manage their devices through automated MDM workflows that support thousands of devices. Capabilities like automated device enrollment, dynamic host segmentation, real-time querying, and assisted migration allowed them to enforce security settings without overly restricting endpoints or their users.
 
 
-## Their Story
+## Their story
 
 The global leader in interactive entertainment and software development manages an extensive fleet of devices supporting game development, publishing, and operations. To overcome the challenges of scalability and customization, they partnered with Fleet early on to help contribute to Fleet’s MDM roadmap, resulting in a solution tailored for cross-platform enterprise teams.
 

articles/secrets-in-scripts-and-configuration-profiles.md

@@ -20,11 +20,13 @@ For macOS and Linux scripts, if a secret doesn't have the `$FLEET_SECRET_` prefi
 
 ```yaml
     env:
+      ###  Variables used by the gitops workflow ###
       FLEET_URL: ${{ secrets.FLEET_URL }}
       FLEET_API_TOKEN: ${{ secrets.FLEET_API_TOKEN }}
       FLEET_GLOBAL_ENROLL_SECRET: ${{ secrets.FLEET_GLOBAL_ENROLL_SECRET }}
       FLEET_WORKSTATIONS_ENROLL_SECRET: ${{ secrets.FLEET_WORKSTATIONS_ENROLL_SECRET }}
       FLEET_WORKSTATIONS_CANARY_ENROLL_SECRET: ${{ secrets.FLEET_WORKSTATIONS_CANARY_ENROLL_SECRET }}
+      ### Secrets uploaded to Fleet for use in profiles and scripts ###
       FLEET_SECRET_CERT_PASSWORD: ${{ secrets.FLEET_SECRET_CERT_PASSWORD }}
       FLEET_SECRET_CERT_BASE64: ${{ secrets.FLEET_SECRET_CERT_BASE64 }}
 ```

changes/23465-query-reports-support-event-format

@@ -0,0 +1 @@
+* Fixed a bug where query reports where not being recorded for hosts configured with `--logger_snapshot_event_type=true`.

changes/25306-add-windows-linux-hosts-radios

@@ -0,0 +1,2 @@
+* Replace "Include Fleet desktop" with host type radio selection buttons when adding Windows or
+Linux hosts.

changes/25553-update-compatibility-tooltip

@@ -0,0 +1,2 @@
+
+- Updates language in query comppatibility tooltip to clarify that comppatibility is based only on tables.

changes/25555-batch-hostnames-on-new-label

@@ -0,0 +1 @@
+- Updated the way new manual labels are created to better support adding large numbers of hosts at one time.

changes/issue-24824-tooltip-verified-verifying

@@ -0,0 +1 @@
+- improve the verified and verifying tooltips on the Profile Status on OS settings page.

changes/issue-24901-fixes-error-cutoff

@@ -0,0 +1 @@
+- fix in UI for window profiles error message being cut off in the OS settings modal