Preview of 4.65.0 doc changes #26497

Draft
wants to merge 11 commits into
base: main
9 changes: 4 additions & 5 deletions docs/Configuration/yaml-files.md
Expand Up @@ -259,9 +259,6 @@ controls:
enable_end_user_authentication: true
macos_setup_assistant: ../lib/dep-profile.json
script: ../lib/macos-setup-script.sh
software:
- app_store_id: '1091189122'
- package_path: ../lib/software/adobe-acrobat.software.yml
macos_migration: # Available in Fleet Premium
enable: true
mode: voluntary
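Review bot: the `software:` block (`app_store_id: '1091189122'` and `package_path: ../lib/software/adobe-acrobat.software.yml`) is dropped from the `macos_setup` example with no note for readers whose existing YAML still uses it. Since this PR adds `setup_experience` to the software and App Store app sections, suggest a one-line migration note in the `macos_setup` section that points to that key and states whether `macos_setup.software` is still accepted or is now rejected.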
Expand Down Expand Up @@ -305,10 +302,10 @@ Use `labels_include_all` to target hosts that have all labels in the array, `lab
The `macos_setup` section lets you control the out-of-the-box macOS [setup experience](https://fleetdm.com/guides/macos-setup-experience) for hosts that use Automated Device Enrollment (ADE).

- `bootstrap_package` is the URL to a bootstrap package. Fleet will download the bootstrap package (default: `""`).
- `manual_agent_install` specifies whether Fleet's agent (fleetd) will be installed as part of setup experience. (default: `false`)
- `enable_end_user_authentication` specifies whether or not to require end user authentication when the user first sets up their macOS host.
- `macos_setup_assistant` is a path to a custom automatic enrollment (ADE) profile (.json).
- `script` is the path to a custom setup script to run after the host is first set up.
- `software` is a list of references to either a `package_path` matching a package in the `software` section below or an `app_store_id` to install when the host is first set up.

### macos_migration

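Review bot: the new `manual_agent_install` bullet is ambiguous about polarity. The key name implies that `true` means fleetd is installed manually, while the description ("specifies whether Fleet's agent (fleetd) will be installed as part of setup experience") reads as `true` meaning Fleet installs it. Suggest stating outright what happens when it is `true` versus the default `false`. The period also sits before the default parenthetical here but after it on the `bootstrap_package` line.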
Expand Down Expand Up @@ -362,6 +359,7 @@ Use `labels_include_any` to target hosts that have any label in the array or `la
- `uninstall_script.path` is the script Fleet will run on hosts to uninstall software. The [default script](https://github.com/fleetdm/fleet/tree/main/pkg/file/scripts) is dependent on the software type (i.e. .pkg).
- `post_install_script.path` is the script Fleet will run on hosts after the software install. There is no default.
- `self_service` specifies whether or not end users can install from **Fleet Desktop > Self-service**.
- `setup_experience` specifies whether the app will be installed when the host is first step up. Currently this works only for macOS apps (i.e. .pkg).

#### Example

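Review bot: typo in the new `setup_experience` bullet: "first step up" should be "first set up". Since the bullet says this "works only for macOS apps", it should also say what happens when the key is set on a non-macOS package (ignored or rejected).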
Expand All @@ -376,6 +374,7 @@ uninstall_script:
post_install_script:
path: ../lib/software/tailscale-config-script.ps1
self_service: true
setup_experience: true
```

### app_store_apps
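Review bot: `setup_experience: true` is added to an example whose `post_install_script` is `../lib/software/tailscale-config-script.ps1`, a PowerShell script, while the field description added in this PR says the option currently works only for macOS apps (.pkg). Suggest either dropping the key from this example or switching the example to a macOS package so it does not show an unsupported combination.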
Expand All @@ -385,6 +384,7 @@ self_service: true
> Make sure to include only the ID itself, and not the `id` prefix shown in the URL. The ID must be wrapped in quotes as shown in the example so that it is processed as a string.

- `self_service` only applies to macOS, and is ignored for other platforms. For example, if the app is supported on macOS, iOS, and iPadOS, and `self_service` is set to `true`, it will be self-service on macOS workstations but not iPhones or iPads.
- `setup_experience` specifies whether the app will be installed when the host is first step up.

## org_settings and team_settings

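Review bot: same typo as in the packages section: "first step up" should be "first set up". Unlike the `self_service` bullet directly above, the new bullet does not say which platforms it applies to; since the `self_service` text mentions apps supported on macOS, iOS, and iPadOS, state whether `setup_experience` is honored on all three or only on macOS.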
Expand Down Expand Up @@ -476,7 +476,6 @@ org_settings:
- `query_reports_disabled` disables query reports and deletes existing reports. (default: `false`)
- `query_report_cap` sets the maximum number of results to store per query report before the report is clipped. If increasing this cap, we recommend enabling reports for one query at a time and monitoring your infrastructure. (default: `1000`)
- `scripts_disabled` blocks access to run scripts. Scripts may still be added in the UI and CLI. (default: `false`)
- `server_url` is the base URL of the Fleet instance. If this URL changes and Apple (macOS, iOS, iPadOS) hosts already have MDM turned on, the end users will have to turn MDM off and back on to use MDM features. (default: provided during Fleet setup)


Can only be configured for all teams (`org_settings`).
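Review bot: the `server_url` bullet is deleted with no replacement, which also removes the warning that changing the URL forces end users on Apple hosts with MDM turned on to turn MDM off and back on. If `server_url` is still a valid `org_settings` key, keep the bullet or link to where it is now documented. The two blank lines left before "Can only be configured for all teams" can be collapsed to one.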
61 changes: 61 additions & 0 deletions docs/Contributing/API-for-contributors.md
Expand Up @@ -2909,6 +2909,7 @@ Device-authenticated routes are routes used by the Fleet Desktop application. Un
- [Get Fleet Desktop information](#get-fleet-desktop-information)
- [Get device's software](#get-devices-software)
- [Get device's policies](#get-devices-policies)
- [Get device's certificate](#get-devices-certificate)
- [Get device's API features](#get-devices-api-features)
- [Get device's transparency URL](#get-devices-transparency-url)
- [Download device's MDM manual enrollment profile](#download-devices-mdm-manual-enrollment-profile)
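Review bot: the new table-of-contents entry `[Get device's certificate](#get-devices-certificate)` is singular, but the section added later in this file is headed "Get device's certificates", so the generated anchor will be `#get-devices-certificates` and this link will not resolve. Make the link text and the fragment plural to match the heading.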
Expand Down Expand Up @@ -3190,6 +3191,66 @@ Lists the policies applied to the current device.
}
```

#### Get device's certificates

Available for macOS, iOS, and iPadOS hosts only. Requires Fleet's MDM properly [enabled and configured](https://fleetdm.com/docs/using-fleet/mdm-setup).


Lists the certificates installed on the current device.

`GET /api/v1/fleet/device/{token}/certificates`

##### Parameters

| Name | Type | In | Description |
| ----- | ------ | ---- | ---------------------------------- |
| token | string | path | The device's authentication token. |
| page | integer | query | Page number of the results to fetch.|
| per_page | integer | query | Results per page.|

##### Example

`GET /api/v1/fleet/device/bbb7cdcc-f1d9-4b39-af9e-daa0f35728e8/certificates`

#### Default response

`Status: 200`

```json
{
"certificates": [
{
"id": 3,
"not_valid_after": "2021-08-19T02:02:17Z",
"not_valid_before": "2021-08-19T02:02:17Z",
"certificate_authority": true,
"common_name": "FleetDM",
"key_algorithm": "rsaEncryption",
"key_strength": 2048,
"key_usage": "CRL Sign, Key Cert Sign",
"serial": 1,
"signing_algorithm": "sha256WithRSAEncryption",
"subject": {
"country": "US",
"organization": "Fleet Device Management Inc.",
"organizational_unit": "Fleet Device Management Inc.",
"common_name": "FleetDM"
},
"issuer": {
"country": "US",
"organization": "Fleet Device Management Inc.",
"organizational_unit": "Fleet Device Management Inc.",
"common_name": "FleetDM"
}
}
],
"meta": {
"has_next_results": false,
"has_previous_results": false
}
}
```

#### Get device's API features

This supports the dynamic discovery of API features supported by the server for device-authenticated routes. This allows supporting different versions of Fleet Desktop and Fleet server instances (older or newer) while supporting the evolution of the API features. With this mechanism, an older Fleet Desktop can ignore features it doesn't know about, and a newer one can avoid requesting features about which the server doesn't know.
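Review bot: `#### Default response` in the new section is one level higher than its siblings `##### Parameters` and `##### Example`, so it renders as a peer of "Get device's certificates"; change it to `#####`. In the sample JSON, `not_valid_before` and `not_valid_after` are both `2021-08-19T02:02:17Z`, which describes a certificate with no validity window, so use distinct timestamps. The example request could also show the documented `page` and `per_page` query parameters, and the doubled blank line after the MDM requirement sentence can go.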
30 changes: 26 additions & 4 deletions docs/Contributing/Audit-logs.md
Expand Up @@ -1458,20 +1458,19 @@ This activity contains the following fields:

## installed_app_store_app

Generated when an App Store app is installed on a device.
Generated when an App Store app is installed on a host.

This activity contains the following fields:
- "host_id": ID of the host on which the app was installed.
- "self_service": App installation was initiated by device owner.
- "self_service":" App installation was initiated by device owner.
- "host_display_name": Display name of the host.
- "software_title": Name of the App Store app.
- "app_store_id": ID of the app on the Apple App Store.
- "status": Status of the App Store app installation.
- "command_uuid": UUID of the MDM command used to install the app.
- "command_uuid": UUID of the MDM command used to install the app. If the host has MDM turned off or there are no licenses available, no MDM command is sent and this is set to a random UUID.
- "policy_id": ID of the policy whose failure triggered the install. Null if no associated policy.
- "policy_name": Name of the policy whose failure triggered the install. Null if no associated policy.


#### Example

```json
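Review bot: the rewritten `self_service` bullet introduces a stray quote: `- "self_service":" App installation was initiated by device owner.` should keep the form `- "self_service": App installation ...` used by the other bullets. On the new `command_uuid` text, a random UUID is indistinguishable from a real command UUID to anyone consuming the audit log, so say which field (for example `status`) tells the reader that no MDM command was actually sent.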
Expand All @@ -1487,6 +1486,29 @@ This activity contains the following fields:
}
```

## uninstalled_app_store_app

Generated when an App Store app software is uninstalled on a host.

This activity contains the following fields:
- "host_id": ID of the host.
- "host_display_name": Display name of the host.
- "software_title": Name of the software.
- "command_uuid": UUID of the MDM command used to install the app.
- "status": Status of the software uninstallation.

#### Example

```json
{
"host_id": 1,
"host_display_name": "Anna's MacBook Pro",
"software_title": "Falcon.app",
"command_uuid": "ece8d99d-4313-446a-9af2-e152cd1bad1e",
"status": "uninstalled"
}
```

## edited_app_store_app

Generated when an App Store app is updated in Fleet.
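Review bot: in the new `uninstalled_app_store_app` section, `command_uuid` is described as the "UUID of the MDM command used to install the app", which looks copied from `installed_app_store_app`; it should say "uninstall". The opening sentence "App Store app software is uninstalled" can drop "software", and `software_title` ("Name of the software") should match the wording in the installed activity ("Name of the App Store app").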