Fleet 4.30.0 | MDM public beta, Observer+ role, Vulnerability publication dates.

Fleet 4.30.0 is live. Check out the full changelog or continue reading to get the highlights.

For upgrade instructions, see our upgrade guide in the Fleet docs.

Highlights

• Fleet introduces MDM public beta
• Granular roles added
• Vulnerability objects include publication date
• Go version to 1.19.8

Fleet introduces MDM public beta

Fleet has enabled MDM features in the latest release of Fleet as a public beta broadly available to everyone. 🟣 Openness is at the heart of open-source, and we are excited to bring an open-source MDM. Read the full announcement.

Granular roles added

Available in Fleet Premium and Fleet Ultimate

With this update, you can take 🟠 Ownership of Fleet account roles with greater granularity. Fleet 4.30.0 includes a new user role, observer+.

The observer+ user role extends the observer user role. The observer+ user role can edit and run SQL for a given query without saving the query allowing for greater discovery without overriding the original query. Users with the observer+ role can also execute live queries.

Vulnerability objects include publication date

Knowing how long ago a vulnerability was published, helps gauge the urgency of the vulnerability. Vulnerability objects now include the date a vulnerability was published in the National Vulnerability Database (NVD) to provide you with better 🟢 Results. The published date from NVD in the vulnerability object is also available in the Fleet API and when using the vulnerability webhooks.

Go updated to 1.19.8

Fleet has updated Go to 1.19.8 in light of Go’s crypto/elliptic fix. While this only affected niche configurations with very specific direct uses of crypto/elliptic, Fleet does not make any special use of crypto/elliptic, but Fleet takes 🟠 Ownership of the tools we use and ensures they are kept up to date.

More new features, improvements, and bug fixes

List of features

• Removed both FLEET_MDM_APPLE_ENABLE and FLEET_DEV_MDM_ENABLED feature flags.
• Automatically send a configuration profile for the fleetd agent to teams that use Automatic Device Enrollment (ADE).
• ADE JSON profiles are now automatically created with default values when the server is run.
• Added the --mdm and --mdm-pending flags to the fleetctl get hosts command to list hosts enrolled in Fleet MDM and pending enrollment in Fleet MDM, respectively.
• Added support for the "enrolled" value for the mdm_enrollment_status filter and the new mdm_name filter for the "List hosts", "Count hosts" and "List hosts in label" endpoints.
• Added the fleetctl mdm run-command command, to run any of the Apple-supported MDM commands on a host.
• Added the fleetctl get mdm-command-results sub-command to get the results for a previously-executed MDM command.
• Added API support to filter the host by the disk encryption status on "GET /hosts", "GET /hosts/count", and "GET /labels/:id/hosts" endpoints.
• Added API endpoint for disk encryption aggregate status data.
• Automatically install fleetd for DEP enrolled hosts.
• Updated hosts' profiles status sync to set to "pending" immediately after an action that affects their list of profiles.
• Updated FileVault configuration profile to disallow device user from disabling full-disk encryption.
• Updated MDM settings so that they are consistent, and updated documentation for clarity, completeness, and correctness.
• Added observer_plus user role to Fleet. Observers+ are observers that can run any live query.
• Added a premium-only "Published" column to the vulnerabilities table to display when a vulnerability was first published.
• Improved version detection for macOS apps. This fixes some false positives in macOS vulnerability detection.
• If a new CPE translation rule is pushed, the data in the database should reflect that.
• If a false positive is patched, the data in the database should reflect that.
• Include the published date from NVD in the vulnerability object in the API and the vulnerability webhooks (premium feature only).
• User management table informs which users only have API access.
• Added configuration option websockets_allow_unsafe_origin to optionally disable the websocket origin check.
• Added new config prometheus.basic_auth.disable to allow running the Prometheus endpoint without HTTP Basic Auth.
• Added missing tables to be cleared on host deletion (those that reference the host by UUID instead of ID).
• Introduced new email backend capable of sending email directly using SES APIs.
• Upgraded Go version to 1.19.8 (includes minor security fixes for HTTP DoS issues).
• Uninstalling applications from hosts will remove the corresponding entry in software if no more hosts have the application installed.
• Removed the unused "Issuer URI" field from the single sign-on configuration page of the UI.
• Fixed an issue where some icons would appear clipped at certain zoom levels.
• Fixed a bug where some empty table cells were slightly different colors.
• Fixed e-mail sending on user invites and user e-mail change when SMTP server has credentials.
• Fixed logo misalignment.
• Fixed a bug where for certain org logos, the user could still click on it even outside the navbar.
• Fixed styling bugs on the SelectQueryModal.
• Fixed an issue where custom org logos might be displayed off-center.
• Fixed a UI bug where in certain states, there would be extra space at the right edge of the Manage Hosts table.-

Ready to upgrade?

Visit our upgrade guide in the Fleet docs for instructions on updating to Fleet 4.30.0.