Merge branch 'main' into 42290-wipe-activity

Author: ksykulev

.github/workflows/loadtest-osquery-perf.yml

@@ -13,7 +13,7 @@ on:
         default: "main"
         required: true
       loadtest_containers:
-        description: "Deploys osquery-perf containers all at once. Total number of osquery-perf tasks to run (should be a multiple of 8, if setting loadtest_containers_starting_index). This is also used as the end index in enroll.sh"
+        description: "Deploys osquery-perf containers all at once. Total number of osquery-perf tasks to run. This is also used as the end index in enroll.sh"
         type: string
         required: true
       loadtest_containers_starting_index:
@@ -22,7 +22,7 @@ on:
         default: 0
         required: true
       task_size:
-        description: "CPU and Memory setting for osquery-perf containers. Example: {\"cpu\":\"4098\",\"memory\":\"8192\"}"
+        description: "CPU and Memory setting for osquery-perf containers. Example: {\"cpu\":\"4096\",\"memory\":\"8192\"}"
         type: string
         default: "{\"cpu\":\"4096\",\"memory\":\"8192\"}"
         required: true

.github/workflows/test-packaging.yml

@@ -84,16 +84,6 @@ jobs:
         with:
           go-version-file: "go.mod"
 
-      - name: Install wine and wix
-        if: startsWith(matrix.os, 'macos')
-        run: |
-          ./assets/scripts/install-wine.sh -n
-          wget https://github.com/wixtoolset/wix3/releases/download/wix3112rtm/wix311-binaries.zip -nv -O wix.zip
-          mkdir wix
-          unzip wix.zip -d wix
-          rm -f wix.zip
-          echo wix installed at $(pwd)/wix
-
       - name: Build fleetctl
         run: make fleetctl
 
@@ -128,7 +118,3 @@ jobs:
 
       - name: Build PKG with Fleet Desktop
         run: ./build/fleetctl package --type pkg --enroll-secret=foo --fleet-url=https://localhost:8080 --fleet-desktop
-
-      - name: Build MSI on macOS (using local Wix)
-        if: startsWith(matrix.os, 'macos')
-        run: ./build/fleetctl package --type msi --enroll-secret=foo --fleet-url=https://localhost:8080 --fleet-desktop --local-wix-dir ./wix

Dockerfile-desktop-linux

@@ -1,4 +1,4 @@
-FROM --platform=linux/amd64 golang:1.26.1-trixie@sha256:96b28783b99bcd265fbfe0b36a3ac6462416ce6bf1feac85d4c4ff533cbaa473
+FROM --platform=linux/amd64 golang:1.26.2-trixie@sha256:b53c282df83967299380adbd6a2dc67e750a58217f39285d6240f6f80b19eaad
 LABEL maintainer="Fleet Developers"
 
 RUN apt-get update && apt-get install -y musl-tools && rm -rf /var/lib/apt/lists/*

Makefile

@@ -680,12 +680,62 @@ restore: $(SNAPSHOT_BINARY)
 # Generate osqueryd.app.tar.gz bundle from osquery.io.
 #
 # Usage:
+# To generate an osquery bundle for a released version of osquery:
 # make osqueryd-app-tar-gz version=5.1.0 out-path=.
+#
+# To generate an osquery bundle for a unreleased change in osquery in a pull request
+# (e.g. https://github.com/osquery/osquery/pull/8815):
+# make osqueryd-app-tar-gz pr=8815 out-path=.
 osqueryd-app-tar-gz:
 ifneq ($(shell uname), Darwin)
 	@echo "Makefile target osqueryd-app-tar-gz is only supported on macOS"
 	@exit 1
 endif
+ifdef pr
+	$(eval TMP_DIR := $(shell mktemp -d))
+	@echo "Fetching macos_unsigned_tgz_universal artifact from osquery/osquery PR $(pr)..."
+	@PR_SHA=$$(gh pr view -R osquery/osquery $(pr) --json headRefOid -q .headRefOid) && \
+		echo "PR head SHA: $$PR_SHA" && \
+		RUN_IDS=$$(gh api "repos/osquery/osquery/actions/runs?head_sha=$$PR_SHA" \
+			-q '[.workflow_runs[] | select(.conclusion == "success") | .id] | .[]') && \
+		if [ -z "$$RUN_IDS" ]; then \
+			echo "Error: no successful workflow runs found for PR $(pr)"; \
+			rm -rf $(TMP_DIR); \
+			exit 1; \
+		fi && \
+		DOWNLOADED=false && \
+		for run_id in $$RUN_IDS; do \
+			if gh run download -R osquery/osquery $$run_id -n macos_unsigned_tgz_universal -D $(TMP_DIR)/artifact 2>/dev/null; then \
+				DOWNLOADED=true; \
+				echo "Downloaded artifact from run $$run_id"; \
+				break; \
+			fi; \
+		done && \
+		if [ "$$DOWNLOADED" != "true" ]; then \
+			echo "Error: macos_unsigned_tgz_universal artifact not found in any successful run for PR $(pr)"; \
+			rm -rf $(TMP_DIR); \
+			exit 1; \
+		fi
+	@INNER_TGZ=$$(find $(TMP_DIR)/artifact -name '*.tar.gz' -o -name '*.tgz' | head -1) && \
+		if [ -z "$$INNER_TGZ" ]; then \
+			echo "Error: no tarball found inside downloaded artifact"; \
+			rm -rf $(TMP_DIR); \
+			exit 1; \
+		fi && \
+		mkdir -p $(TMP_DIR)/extracted && \
+		tar xf "$$INNER_TGZ" -C $(TMP_DIR)/extracted
+	@OSQUERY_APP=$$(find $(TMP_DIR)/extracted -type d -name 'osquery.app' | head -1) && \
+		if [ -z "$$OSQUERY_APP" ]; then \
+			echo "Error: osquery.app not found in extracted artifact. Contents:"; \
+			find $(TMP_DIR)/extracted -type f; \
+			rm -rf $(TMP_DIR); \
+			exit 1; \
+		fi && \
+		OSQUERY_APP_DIR=$$(dirname "$$OSQUERY_APP") && \
+		"$$OSQUERY_APP/Contents/MacOS/osqueryd" --version && \
+		tar czf $(out-path)/osqueryd.app.tar.gz -C "$$OSQUERY_APP_DIR" osquery.app
+	rm -rf $(TMP_DIR)
+else
 	$(eval TMP_DIR := $(shell mktemp -d))
 	curl -L https://github.com/osquery/osquery/releases/download/$(version)/osquery-$(version).pkg --output $(TMP_DIR)/osquery-$(version).pkg
 	pkgutil --expand $(TMP_DIR)/osquery-$(version).pkg $(TMP_DIR)/osquery_pkg_expanded
@@ -695,6 +745,7 @@ endif
 	$(TMP_DIR)/osquery_pkg_payload_expanded/opt/osquery/lib/osquery.app/Contents/MacOS/osqueryd --version
 	tar czf $(out-path)/osqueryd.app.tar.gz -C $(TMP_DIR)/osquery_pkg_payload_expanded/opt/osquery/lib osquery.app
 	rm -r $(TMP_DIR)
+endif
 
 # Generate nudge.app.tar.gz bundle from nudge repo.
 #
@@ -889,7 +940,17 @@ vex-report:
 
 # make update-go version=1.24.4
 UPDATE_GO_DOCKERFILES := ./Dockerfile-desktop-linux ./infrastructure/loadtesting/terraform/docker/loadtest.Dockerfile ./tools/mdm/migration/mdmproxy/Dockerfile
-UPDATE_GO_MODS := go.mod ./tools/mdm/windows/bitlocker/go.mod ./tools/snapshot/go.mod ./tools/terraform/go.mod
+UPDATE_GO_MODS := \
+	go.mod \
+	./tools/mdm/windows/bitlocker/go.mod \
+	./tools/snapshot/go.mod \
+	./tools/terraform/go.mod \
+	./third_party/vuln-check/go.mod \
+	./tools/ci/setboolcheck/go.mod \
+	./tools/github-manage/go.mod \
+	./tools/qacheck/go.mod \
+	./third_party/goval-dictionary/go.mod \
+	./tools/fleet-mcp/go.mod
 update-go:
 	@test $(version) || (echo "Mising 'version' argument, usage: 'make update-go version=1.24.4'" ; exit 1)
 	@for dockerfile in $(UPDATE_GO_DOCKERFILES) ; do \

android/app/src/main/java/com/fleetdm/agent/ApiClient.kt

@@ -22,6 +22,7 @@ import kotlinx.coroutines.flow.map
 import kotlinx.coroutines.sync.Mutex
 import kotlinx.coroutines.sync.withLock
 import kotlinx.coroutines.withContext
+import kotlinx.serialization.EncodeDefault
 import kotlinx.serialization.KSerializer
 import kotlinx.serialization.SerialName
 import kotlinx.serialization.Serializable
@@ -438,6 +439,9 @@ object ApiClient : CertificateApiClient {
     )
 }
 
+// @EncodeDefault is marked @ExperimentalSerializationApi, but it has shipped in kotlinx.serialization since 1.3 (2022)
+// and is widely used and reliable in production. The opt-in only acknowledges that the API shape could change in a future version.
+@OptIn(kotlinx.serialization.ExperimentalSerializationApi::class)
 @Serializable
 data class EnrollRequest(
     @SerialName("enroll_secret")
@@ -446,6 +450,7 @@ data class EnrollRequest(
     val hardwareUUID: String,
     @SerialName("hardware_serial")
     val hardwareSerial: String,
+    @EncodeDefault(EncodeDefault.Mode.ALWAYS)
     @SerialName("platform")
     val platform: String = "android",
     @SerialName("computer_name")

android/app/src/test/java/com/fleetdm/agent/ApiClientReenrollTest.kt

@@ -100,10 +100,15 @@ class ApiClientReenrollTest {
         assertTrue("First call should succeed", firstResult.isSuccess)
         assertEquals(2, mockWebServer.requestCount) // enroll + config
 
-        // Verify first enrollment used the enroll secret
+        // Verify first enrollment used the enroll secret and sent platform="android" on the wire
         val firstEnroll = mockWebServer.takeRequest()
         assertEquals("/api/fleet/orbit/enroll", firstEnroll.path)
-        assertTrue(firstEnroll.body.readUtf8().contains("test-enroll-secret"))
+        val firstEnrollBody = firstEnroll.body.readUtf8()
+        assertTrue(firstEnrollBody.contains("test-enroll-secret"))
+        assertTrue(
+            "Expected platform=\"android\" in enroll body, got: $firstEnrollBody",
+            firstEnrollBody.contains("\"platform\":\"android\""),
+        )
 
         // Verify first config used first-node-key
         val firstConfig = mockWebServer.takeRequest()

android/changes/43807-android-enroll-platform

@@ -0,0 +1 @@
+- Fixed Android agent to always send the `platform` field on enrollment so the device is registered with the correct platform.

articles/IT-leaders-guide-to-Linux-device-management.md

@@ -0,0 +1,54 @@
+### Linux adoption is growing. Management hasn't kept up.
+
+* macOS and Windows have mature management ecosystems. Linux does not.
+* Compliance frameworks don't grant exemptions by operating system.
+* Security audits don't skip Linux workstations.
+* These create the Linux gap.
+
+### Unmanaged devices are unmanaged risk.
+
+This guide helps IT leaders understand and close the Linux management gap.
+
+### What you'll learn
+
+You'll learn about a maturity model for planning your adoption path, a clear framework for defining your requirements, and a concrete evaluation scorecard for comparing management platforms. Whether you manage 50 Linux workstations or 5,000, this guide gives you the structure to make a defensible platform decision and explain it to your team.
+
+### Chapter list
+
+- **Why Linux devices are important**
+    * What's driving enterprise Linux adoption and why management is no longer optional.
+- **The business case for managing Linux devices**
+    * Cost, compliance, talent retention, and the price of inaction.
+- **Defining your Linux device management needs**
+    * Key questions to ask and a maturity model to map your goals.
+- **Automated provisioning for Linux desktop in the enterprise**
+    * The provisioning gap, enrollment approaches, and what zero-touch looks like on Linux.
+- **Security baselines for Linux**
+    * Why baselines matter, what to enforce, and how to fight configuration drift.
+- **App and certificate management for Linux**
+    * Software distribution challenges, the notarization gap, patching speed, and shrinking certificate lifetimes.
+- **Protecting the Linux device**
+    * USB and Bluetooth threats, the sudo problem, and remote lock and wipe.
+- **Controlling your software and your data**
+    * Software sovereignty, data sovereignty, and why your management tooling should reflect the values that made Linux worth adopting.
+- **Choosing the right solution**
+    * Business and technical requirements, an evaluation criteria table, and a structured way to compare platforms.
+
+
+
+<meta name="articleTitle" value="The IT leader's guide to Linux device management"> 
+
+<meta name="authorFullName" value="n/a">
+<meta name="authorGitHubUsername" value="fleet-release">
+
+<meta name="category" value="whitepaper">
+<meta name="publishedOn" value="2026-04-20">
+<meta name="description" value="Close the Linux management gap. A guide to help IT leaders understand the business case, security, compliance, and choosing the right solution.">
+
+
+<meta name="articleImageUrl" value="../website/assets/images/articles/IT-leaders-guide-to-Linux-device-management-cover-image-504x336@2x.png">
+<meta name="whitepaperFilename" value="IT-leaders-guide-to-Linux-device-management.pdf"> 
+<meta name="formHeadline" value="Learn how to close the Linux management gap">
+
+<meta name="introductionTextBlockOne" value="Linux now exceeds 5% of desktop market share. Stack Overflow's 2025 developer survey shows nearly 30% of developers use Linux as their primary work OS.">
+<meta name="introductionTextBlockTwo" value="Your most important contributors, developers, engineers, and security practitioners, are choosing Linux. And in most organizations, those devices sit outside formal IT management.">

articles/device-management-that-actually-works-for-IT.md

@@ -0,0 +1,24 @@
+Join Brock Walters from Fleet and their customers for a candid conversation around enabling device management in the enterprise at the speed that business demands. Explore how to help your IT teams get out of the way by giving employees their time back, reducing spend, and proving compliance in real time.
+
+## Why Modern Device Management Matters
+
+This session will cover how to deliver configurations and updates that accelerate work, maintain real-time visibility that keeps IT audit-ready without last-minute scrambles, use live health data to catch issues before they become tickets, and respect end user focus with transparent device management.
+
+### The GitOps Advantage
+
+The sessions will also cover how a GitOps approach to using device management solutions eliminates manual "click-ops" and prevents configuration drift. Store changes live in a version-controlled workflow - peer-reviewed, transparent, and easy to roll back. Understand how your engineering talent can spend less time on repetitive tasks and more time on work that matters, at scale.
+
+
+
+<meta name="articleTitle" value="Device management that actually works for IT"> 
+
+<meta name="authorFullName" value="n/a">
+<meta name="authorGitHubUsername" value="fleet-release">
+
+<meta name="category" value="webinar">
+<meta name="publishedOn" value="2026-04-21">
+<meta name="description" value="Explore how to help your IT teams get out of the way by giving employees their time back, reducing spend, and proving compliance in real time.">
+
+<meta name="webinarEmbeddedVideoUrl" value="https://player.mediadelivery.net/play/637410/0ecc433a-fa3c-4ff9-a178-621d6da0847e"> 
+
+

articles/how-to-define-your-Linux-device-management-needs.md

@@ -10,7 +10,7 @@ To do this, you will need sophisticated and flexible tools. But first, you need
 
 In this article, we will discuss key questions to ask as you define your organizational goals for Linux device management. We will also discuss how these goals can be mapped to a maturity model of Linux MDM adoption. Formally defining your Linux needs and understanding your target location on this maturity model will help you adopt robust technical solutions for Linux MDM.
 
-## Questions to Consider
+## Questions to consider
 
 Every business is different, and every team has its own needs based on team dynamics, regulatory requirements, and other factors. However, you can set yourself up for success by asking a few common questions to understand your Linux device goals:
 
@@ -92,13 +92,13 @@ IT teams are not monolithic. A helpdesk technician needs different access than a
 
 Define your access control requirements before evaluating platforms. A tool that offers only administrator versus read-only access will create friction as your team grows or your compliance requirements become more specific. This is easy to overlook during a demo and painful to work around in production.
 
-## The Linux MDM Maturity Model
+## The Linux MDM maturity model
 
 Not every organization needs the same level of Linux device management. This model defines four levels, from basic monitoring to full zero-touch provisioning. Your requirements determine which level is right for you, and not every team needs to reach level 4\.
 
 When planning, consider both short and long-term goals. A short-term goal might be to understand which software your Linux users are running. A long-term goal might be automatically provisioning the tools every engineer needs to do their job. Either way, start by knowing where you want to land before deciding how far to climb.
 
-### Level 1 \- Monitoring and Auditing
+### Level 1 \- Monitoring and auditing
 
 Providing device monitoring, reporting, and insight is the first level in the Linux device management maturity model. All teams need some level of device monitoring to ensure compliance with internal and external policies. You must understand your environment before you can manage it. Robust monitoring provides individual and aggregate metrics to drive intelligent decisions.
 
@@ -110,21 +110,21 @@ Monitoring lets you answer questions like:
 
 For some organizations, especially small teams with limited Linux footprints, this may be the final level on their journey. If you only have a handful of Linux workstations, then you may not need further device management features. However, everyone can benefit from understanding the state of their environment.
 
-### Level 2 \- Security and System Baselines
+### Level 2 \- Security and system baselines
 
 Equipped with a solid understanding of your Linux devices, you can begin providing baseline configurations that meet organizational and security policies.
 
 Start with something simple, like implementing a specific security policy. For example, you may want to prevent users from adding any local accounts to their workstations. As you gain experience and user trust, you can move on to more advanced configurations that help your users. For example, you can deploy corporate certificates automatically on all of your Linux workstations.
 
 Basic system management might be the final stop on your maturity journey. Many organizations are quite happy to provide baseline system management and leave the rest to their highly-skilled end users.
 
-### Level 3 \- Self-Service Configuration and Software
+### Level 3 \- Self-service configuration and software
 
 Linux users are technically skilled, and most are comfortable installing and managing their own software. But even advanced users who’ve been using Linux on their desktop for years still sigh when they have to install a complex package with custom configuration. This is toil, and Linux users often face the brunt of it due to a lack of robust MDM tooling.
 
 This level in the maturity journey is all about providing your Linux users with access to the tools and software to do their job. Consider the complexity of even a simple package installation in a modern organization. A user may have to add an internal company repository, determine the correct version that matches production, install the software itself, and then configure it to match the organization’s preferred configs. Providing a self-service portal, such as [Fleet Desktop](https://fleetdm.com/guides/fleet-desktop), saves hours.
 
-### Level 4 \- Zero-Touch Provisioning and Drift Management
+### Level 4 \- Zero-touch provisioning and drift management
 
 Level 4 is full zero-touch provisioning and automated, continuous management of devices. A new Linux device can be powered on and immediately put into service by an end-user without any IT involvement (discussed in the next article). Organizations can onboard new Linux employees just as they do Windows and Mac users.