From c4a2bb4d6bbc6119f0fdd3dfddb2ad54f9ada532 Mon Sep 17 00:00:00 2001
From: Rachael Shaw
Date: Tue, 17 Dec 2024 15:39:24 -0600
Subject: [PATCH] 4.61 documentation changes (#24833)

Co-authored-by: Ian Littman
Co-authored-by: Zach Wasserman
Co-authored-by: Lucas Manuel Rodriguez
Co-authored-by: Konstantin Sykulev
Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com>
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
---
 articles/fleet-usage-statistics.md | 1 +
 articles/fleetctl.md | 4 +-
 articles/remote-yara-rules.md | 91 ++++++++++++++++++
 .../fleet-server-configuration.md | 3 +
 docs/Configuration/yaml-files.md | 22 ++++-
 docs/Contributing/API-for-contributors.md | 21 ++++-
 docs/Get started/FAQ.md | 2 +-
 docs/REST API/rest-api.md | 93 ++++++++++++-------
 handbook/company/pricing-features-table.yml | 3 +-
 9 files changed, 197 insertions(+), 43 deletions(-)
 create mode 100644 articles/remote-yara-rules.md

diff --git a/articles/fleet-usage-statistics.md b/articles/fleet-usage-statistics.md
index 80e3e6328433..f2d865ea633b 100644
--- a/articles/fleet-usage-statistics.md
+++ b/articles/fleet-usage-statistics.md
@@ -17,6 +17,7 @@ Below is the JSON payload that is sent to Fleet Device Management Inc:
 "numHostsEnrolled": 999,
 "numUsers": 999,
 "numTeams": 999,
+ "numQueries": 999,
 "numPolicies": 999,
 "numQueries": 999,
 "numLabels": 999,
diff --git a/articles/fleetctl.md b/articles/fleetctl.md
index fb3aaa91f647..188b9d2034c4 100644
--- a/articles/fleetctl.md
+++ b/articles/fleetctl.md
@@ -102,9 +102,9 @@ Password: Once your local context is configured, you can use fleetctl normally. -### Log in with SAML (SSO) authentication +#### Users with single sign-on (SSO) or email two-factor authentication (2FA) -Users that authenticate to Fleet via SSO should retrieve their API token from the UI and manually set it in their fleetctl configuration (instead of logging in via `fleetctl login`). +Users that log into Fleet with SSO or email 2FA can't log in with `fleetctl login`. Instead they can retrieve their API token from the UI and manually set it in their fleetctl configuration (instead of logging in via `fleetctl login`). **Fleet UI:** 1. Go to the **My account** page (https://fleet.example.com/profile) diff --git a/articles/remote-yara-rules.md b/articles/remote-yara-rules.md new file mode 100644 index 000000000000..73d49c72565e --- /dev/null +++ b/articles/remote-yara-rules.md 
@@ -0,0 +1,91 @@ +# Remote deployment of YARA rules + +Fleetd with osquery can scan files using +[YARA](https://virustotal.github.io/yara/), a matching engine particularly useful for +identifying malicious patterns in binary files. The rule contents have typically been provided +either through files placed on the filesystem, or in unauthenticated HTTP endpoints such as public +GitHub repositories. + +We heard concerns from customers about making the rules publically available, so in osquery 5.14 +we [added the capability](https://github.com/osquery/osquery/pull/8437) for osquery to make +authenticated requests for YARA rules. Fleet is (as of this writing) the only osquery HTTP server +implementation that supports serving authenticated YARA rules. + +In this guide we demonstrate how to configure the agent and server to use this more secure remote +YARA functionality. This is supported for live queries and saved queries to the +[`yara`](https://fleetdm.com/tables/yara) table. + +## Configuration + +Configuration is performed in 3 steps. + +1) Configure agent options to enable authenticated requests to the Fleet server. +2) Configure YARA rules in Fleet. +3) Use YARA rules in queries. + +### 1 - Agent options + +Configure agent options to enable YARA rule request authentication in osquery and allowlist requests +to the Fleet server. This can be perfomed via the Fleet UI, GitOps, or the API. Set the agent +options as below, replacing `FLEET_SERVER_URL` with the URL of your Fleet server (eg. +`example.fleetdm.com`): + +``` +config: + options: + # other options omitted + yara_sigurl_authenticate: true # "on" switch for using YARA rules in Fleet + yara: + signature_urls: + - https:///api/osquery/yara/.* # (Fleet server URL) Also required for using YARA rules in Fleet + ``` + + ### 2 - YARA rules + + Provide YARA rules to Fleet that will be served to agents. This can be performed via GitOps, or the + API. 
Reference each rule file by path under the main `org_settings` configuration. In this example, + we assume the rule files are in a `/lib/` subdirectory. This is a directory structure like the + [Fleet GitOps recommendations](https://github.com/fleetdm/fleet-gitops). + +``` +org_settings: + yara_rules: + - path: ./lib/rule1.yar + - path: ./lib/rule2.yar +``` + +Apply this configuration with `fleetctl apply` or with your GitOps CI job. + +Because rules are stored as separate files in the repository, other tools like +[YARA-CI](https://yara-ci.cloud.virustotal.com/) may be used before applying the rules to Fleet. + +### 3 - Use in queries + +Now the provided rules may be referenced in queries utilizing the `yara` table. Rules are available at +`https:///api/osquery/yara/`. For example: + +``` +SELECT * FROM yara WHERE path="/bin/ls" AND sigurl='https://example.fleetdm.com/api/osquery/yara/rule1.yar' +``` + +This works for both live and saved queries. Each time osquery runs the query, an authenticated HTTP +request will be made to the Fleet server requesting the referenced rule(s). + +## Targeting rules with teams (Fleet Premium) + +It is often desirable to run different sets of YARA rules on different devices within the +organization. To achieve this, target the _queries_ to the desired team. + +For example, with `rule1.yar` and `rule2.yar` configured in the `org_settings`: + +1. Ensure the agent options are configured for "No team" and/or the desired teams. + +2. Target queries to the appropriate team, referencing the desired rules. For example, target a + query referencing `rule1.yar` to the "Workstations" team and a query referencing `rule2.yar` to + the Servers team. + + + + + + diff --git a/docs/Configuration/fleet-server-configuration.md b/docs/Configuration/fleet-server-configuration.md index cac03fb24b9f..e87044072c96 100644 --- a/docs/Configuration/fleet-server-configuration.md +++ b/docs/Configuration/fleet-server-configuration.md 
@@ -1856,6 +1856,9 @@ By default, the SMTP backend is enabled and no additional configuration is requi SMTP through the [Fleet console UI](https://fleetdm.com/docs/using-fleet/configuration-files#smtp-settings). However, you can also configure Fleet to use AWS SES natively rather than through SMTP. +A configured email backend is required for sending user invites, resetting passwords, verifying user email address changes, +and multi-factor authentication within Fleet (without using an SSO identity provider). + ### backend Enable SES support for Fleet. You must also configure the ses configurations such as `ses.source_arn` diff --git a/docs/Configuration/yaml-files.md b/docs/Configuration/yaml-files.md index 2f953c7c6e89..2a4f3e18bbfc 100644 --- a/docs/Configuration/yaml-files.md +++ b/docs/Configuration/yaml-files.md @@ -384,7 +384,7 @@ org_settings: ### fleet_desktop -Direct end users to a custom URL when they select **Transparency** in the Fleet Desktop dropdown (default: [https://fleetdm.com/transparency](https://fleetdm.com/transparency)). +Direct end users to a custom URL when they select **About Fleet** in the Fleet Desktop dropdown (default: [https://fleetdm.com/transparency](https://fleetdm.com/transparency)). Can only be configured for all teams (`org_settings`). 
@@ -710,6 +710,26 @@ org_settings: Can only be configured for all teams (`org_settings`). +#### yara_rules + +The `yara_rules` section lets you define [YARA rules](https://virustotal.github.io/yara/) that will be served by Fleet's authenticated +YARA rule functionality. Learn more about authenticated YARA rules in Fleet +[here](https://fleetdm.com/guides/remote-yara-rules). + +Each entry should be the relative path to a valid YARA rule file. + +##### Example + +```yaml +org_settings: + yara_rules: + - path: ./lib/rule1.yar + - path: ./lib/rule2.yar +``` + +Can only be configured for all teams (`org_settings`). To target rules to specific teams, target the +queries referencing the rules to the desired teams. + diff --git a/docs/Contributing/API-for-contributors.md b/docs/Contributing/API-for-contributors.md index c26b57428eb0..f90663de3173 100644 --- a/docs/Contributing/API-for-contributors.md +++ b/docs/Contributing/API-for-contributors.md @@ -1,5 +1,6 @@ # API for contributors +- [Authentication](#authentication) - [Packs](#packs) - [Mobile device management (MDM)](#mobile-device-management-mdm) - [Get or apply configuration files](#get-or-apply-configuration-files) 
@@ -18,6 +19,22 @@ This document includes the internal Fleet API routes that are helpful when devel If you are interested in gathering information from Fleet in a production environment, please see the [public Fleet REST API documentation](https://fleetdm.com/docs/using-fleet/rest-api). +## Authentication + +### Create session + +`POST /api/v1/fleet/sessions` + +#### Parameters + +| Name | Type | In | Description | +| token | string | body | **Required**. The token retrieved from the magic link email. | + +#### Response + +See [the Log in endpoint](https://fleetdm.com/docs/rest-api/rest-api#log-in) for the current +successful response format. + ## Packs Scheduling queries in Fleet is the best practice for collecting data from hosts. To learn how to schedule queries, [check out the docs here](https://fleetdm.com/docs/using-fleet/fleet-ui#schedule-a-query). @@ -2396,7 +2413,7 @@ Runs the specified saved query as a live query on the specified targets. Returns After the query has been initiated, [get results via WebSocket](#retrieve-live-query-results-standard-websocket-api). -`POST /api/v1/fleet/queries/run_by_names` +`POST /api/v1/fleet/queries/run_by_identifiers` #### Parameters 
@@ -2404,7 +2421,7 @@ After the query has been initiated, [get results via WebSocket](#retrieve-live-q | -------- | ------- | ---- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | query | string | body | The SQL of the query. | | query_id | integer | body | The saved query (if any) that will be run. The `observer_can_run` property on the query effects which targets are included. | -| selected | object | body | **Required.** The object includes lists of selected hostnames (`selected.hosts`), label names (`labels`). When provided, builtin label names and custom label names become `AND` filters. Within each selector, selecting two or more builtin labels, or two or more custom labels, behave as `OR` filters. There's one special case for the builtin label `"All hosts"`, if such label is selected, then all other label and team selectors are ignored (and all hosts will be selected). If a host's hostname is explicitly included in `selected.hosts`, then it is assured that the query will be selected to run on it (no matter the contents of `selected.labels`). See examples below. | +| selected | object | body | **Required.** The object includes lists of selected hostnames (`selected.hosts`), label names (`labels`). When provided, builtin label names and custom label names become `AND` filters. 
Within each selector, selecting two or more builtin labels, or two or more custom labels, behave as `OR` filters. If a label provided could not be found in the database, a 400 bad request will be returned specifying which label is invalid. There's one special case for the builtin label `"All hosts"`, if such label is selected, then all other label and team selectors are ignored (and all hosts will be selected). If a host's hostname is explicitly included in `selected.hosts`, then it is assured that the query will be selected to run on it (no matter the contents of `selected.labels`). See examples below. | One of `query` and `query_id` must be specified. diff --git a/docs/Get started/FAQ.md b/docs/Get started/FAQ.md index 10d4afe9f235..539a6185a0cf 100644 --- a/docs/Get started/FAQ.md +++ b/docs/Get started/FAQ.md @@ -45,7 +45,7 @@ When you collect data with Fleet, the [performance impact](https://fleetdm.com/r You can test changes on a small subset of hosts first, then roll them out to the rest of your organization. -## What browsers does Fleet supported? +## What browsers does Fleet support? Fleet supports the latest, stable releases of all major browsers and platforms. diff --git a/docs/REST API/rest-api.md b/docs/REST API/rest-api.md index 9ee4cb67e3c4..4ad8cce17f48 100644 --- a/docs/REST API/rest-api.md +++ b/docs/REST API/rest-api.md @@ -48,7 +48,7 @@ Then, use that API token to authenticate all subsequent API requests by sending Authorization: Bearer ``` -> For SSO users, email/password login is disabled. The API token can instead be retrieved from the "My account" page in the UI (/profile). On this page, choose "Get API token". +> For SSO and MFA users, email/password login is disabled. The API token can instead be retrieved from the "My account" page in the UI (/profile). On this page, choose "Get API token". ### Log in 
@@ -56,7 +56,7 @@ Authenticates the user with the specified credentials. Use the token returned fr `POST /api/v1/fleet/login` -> This API endpoint is not available to SSO users, since email/password login is disabled for SSO users. To get an API token for an SSO user, you can use the Fleet UI. +> Logging in via the API is not supported for SSO and MFA users. The API token can instead be retrieved from the "My account" page in the UI (/profile). On this page, choose "Get API token". #### Parameters @@ -94,6 +94,7 @@ Authenticates the user with the specified credentials. Use the token returned fr "force_password_reset": false, "gravatar_url": "", "sso_enabled": false, + "mfa_enabled": false, "global_role": "admin", "teams": [] }, @@ -118,6 +119,16 @@ Authenticates the user with the specified credentials. Use the token returned fr } ``` +##### MFA Required + +`Status: 202 Accepted` + +```json +{ + "message": "We sent an email to you. Please click the magic link in the email to sign in.", +} +``` + ##### Too many requests / Rate limiting `Status: 429 Too Many Requests` @@ -3671,7 +3682,7 @@ _Available in Fleet Premium_ ### Turn off MDM for a host -Turns off MDM for the specified macOS host. +Turns off MDM for the specified macOS, iOS, or iPadOS host. `DELETE /api/v1/fleet/hosts/:id/mdm` @@ -3687,7 +3698,7 @@ Turns off MDM for the specified macOS host. ##### Default response -`Status: 200` +`Status: 204` ### Bulk delete hosts by filter or ids @@ -4136,7 +4147,7 @@ A `team_id` of `0` returns the statistics for hosts that are not part of any tea Resends a configuration profile for the specified host. -`POST /api/v1/fleet/hosts/:id/configuration_profiles/resend/:profile_uuid` +`POST /api/v1/fleet/hosts/:id/configuration_profiles/:profile_uuid/resend` #### Parameters 
@@ -4147,7 +4158,7 @@ Resends a configuration profile for the specified host. #### Example -`POST /api/v1/fleet/hosts/233/configuration_profiles/resend/fc14a20-84a2-42d8-9257-a425f62bb54d` +`POST /api/v1/fleet/hosts/233/configuration_profiles/fc14a20-84a2-42d8-9257-a425f62bb54d/resend` ##### Default response @@ -4478,6 +4489,7 @@ To lock a macOS host, the host must have MDM turned on. To lock a Windows or Lin `Status: 204` + #### Example `POST /api/v1/fleet/hosts/123/lock?view_pin=true` @@ -4516,6 +4528,7 @@ To unlock a Windows or Linux host, the host must have [scripts enabled](https:// `Status: 204` + ##### Default response (macOS hosts) `Status: 200` @@ -9042,7 +9055,13 @@ Get a list of all software. "software_package": { "name": "FirefoxInsall.pkg", "version": "125.6", - "self_service": true + "self_service": true, + "automatic_install_policies": [ + { + "id": 343, + "name": "[Install software] Firefox.app", + } + ], }, "app_store_app": null, "versions_count": 3, 
@@ -9144,6 +9163,9 @@ Get a list of all software versions. | min_cvss_score | integer | query | _Available in Fleet Premium_. Filters to include only software with vulnerabilities that have a CVSS version 3.x base score higher than the specified value. | | max_cvss_score | integer | query | _Available in Fleet Premium_. Filters to only include software with vulnerabilities that have a CVSS version 3.x base score lower than what's specified. | | exploit | boolean | query | _Available in Fleet Premium_. If `true`, filters to only include software with vulnerabilities that have been actively exploited in the wild (`cisa_known_exploit: true`). Default is `false`. | +| without_vulnerability_details | boolean | query | _Available in Fleet Premium_. If `true` only vulnerability name is included in response. If `false` (or omitted), adds vulnerability description, CVSS score, and other details available in Fleet Premium. See notes below on performance. | + +> For optimal performance, we recommend Fleet Premium users set `without_vulnerability_details` to `true` whenever possible. If set to `false` a large amount of data will be included in the response. If you need vulnerability details, consider using the [Get vulnerability](#get-vulnerability) endpoint. #### Example @@ -9290,7 +9312,7 @@ Returns information about the specified software. By default, `versions` are sor #### Example -`GET /api/v1/fleet/software/titles/12` +`GET /api/v1/fleet/software/titles/12?team_id=3` ##### Default response @@ -9300,8 +9322,8 @@ Returns information about the specified software. By default, `versions` are sor { "software_title": { "id": 12, - "name": "Firefox.app", - "bundle_identifier": "org.mozilla.firefox", + "name": "Falcon.app", + "bundle_identifier": "crowdstrike.falcon.Agent", "software_package": { "name": "FalconSensor-6.44.pkg", "version": "6.44", 
@@ -9313,6 +9335,12 @@ Returns information about the specified software. By default, `versions` are sor "post_install_script": "sudo /Applications/Falcon.app/Contents/Resources/falconctl license 0123456789ABCDEFGHIJKLMNOPQRSTUV-WX", "uninstall_script": "/Library/CS/falconctl uninstall", "self_service": true, + "automatic_install_policies": [ + { + "id": 343, + "name": "[Install software] Crowdstrike Agent", + } + ], "status": { "installed": 3, "pending_install": 1, @@ -9757,9 +9785,9 @@ List available Fleet-maintained apps. | Name | Type | In | Description | | ---- | ---- | -- | ----------- | -| team_id | integer | query | **Required**. The team ID. Filters Fleet-maintained apps to only include apps available for the specified team. | -| page | integer | query | Page number of the results to fetch. | -| per_page | integer | query | Results per page. | +| team_id | integer | query | If supplied, only list apps for which an installer doesn't already exist for the specified team. | +| page | integer | query | Page number of the results to fetch. | +| per_page | integer | query | Results per page. | #### Example @@ -9869,7 +9897,13 @@ Add Fleet-maintained app so it's available for install. ##### Default response -`Status: 204` +`Status: 200` + +```json +{ + "software_title_id": 234 +} +``` ### Download package @@ -11136,6 +11170,7 @@ None. "force_password_reset": false, "gravatar_url": "", "sso_enabled": false, + "mfa_enabled": false, "global_role": null, "api_only": false, "teams": [ 
@@ -11183,8 +11218,6 @@ Creates a user account after an invited user provides registration information a | name | string | body | **Required**. The name of the user. | | password | string | body | The password chosen by the user (if not SSO user). | | password_confirmation | string | body | Confirmation of the password chosen by the user. | -| global_role | string | body | The role assigned to the user. In Fleet 4.0.0, 3 user roles were introduced (`admin`, `maintainer`, and `observer`). In Fleet 4.30.0 and 4.31.0, the `observer_plus` and `gitops` roles were introduced respectively. If `global_role` is specified, `teams` cannot be specified. For more information, see [manage access](https://fleetdm.com/docs/using-fleet/manage-access). | -| teams | array | body | _Available in Fleet Premium_. The teams and respective roles assigned to the user. Should contain an array of objects in which each object includes the team's `id` and the user's `role` on each team. In Fleet 4.0.0, 3 user roles were introduced (`admin`, `maintainer`, and `observer`). In Fleet 4.30.0 and 4.31.0, the `observer_plus` and `gitops` roles were introduced respectively. If `teams` is specified, `global_role` cannot be specified. For more information, see [manage access](https://fleetdm.com/docs/using-fleet/manage-access). | #### Example @@ -11198,17 +11231,7 @@ Creates a user account after an invited user provides registration information a "invite_token": "SjdReDNuZW5jd3dCbTJtQTQ5WjJTc2txWWlEcGpiM3c=", "name": "janedoe", "password": "test-123", - "password_confirmation": "test-123", - "teams": [ - { - "id": 2, - "role": "observer" - }, - { - "id": 4, - "role": "observer" - } - ] + "password_confirmation": "test-123" } ``` @@ -11228,6 +11251,7 @@ Creates a user account after an invited user provides registration information a "force_password_reset": false, "gravatar_url": "", "sso_enabled": false, + "mfa_enabled": false, "global_role": "admin", "teams": [] } 
@@ -11299,6 +11323,7 @@ By default, the user will be forced to reset its password upon first login. | name | string | body | **Required**. The user's full name or nickname. | | password | string | body | The user's password (required for non-SSO users). | | sso_enabled | boolean | body | Whether or not SSO is enabled for the user. | +| mfa_enabled | boolean | body | _Available in Fleet Premium._ Whether or not the user must click a magic link emailed to them to log in, after they successfully enter their username and password. Incompatible with SSO and API-only users. | | api_only | boolean | body | User is an "API-only" user (cannot use web UI) if true. | | global_role | string | body | The role assigned to the user. In Fleet 4.0.0, 3 user roles were introduced (`admin`, `maintainer`, and `observer`). In Fleet 4.30.0 and 4.31.0, the `observer_plus` and `gitops` roles were introduced respectively. If `global_role` is specified, `teams` cannot be specified. For more information, see [manage access](https://fleetdm.com/docs/using-fleet/manage-access). | | admin_forced_password_reset | boolean | body | Sets whether the user will be forced to reset its password upon first login (default=true) | @@ -11345,6 +11370,7 @@ By default, the user will be forced to reset its password upon first login. "force_password_reset": false, "gravatar_url": "", "sso_enabled": false, + "mfa_enabled": false, "api_only": true, "global_role": null, "teams": [ @@ -11396,14 +11422,6 @@ Returns all information about a specific user. `GET /api/v1/fleet/users/2` -##### Request query parameters - -```json -{ - "id": 1 -} -``` - ##### Default response `Status: 200` @@ -11419,6 +11437,7 @@ Returns all information about a specific user. "force_password_reset": false, "gravatar_url": "", "sso_enabled": false, + "mfa_enabled": false, "global_role": "admin", "api_only": false, "teams": [] 
@@ -11455,6 +11474,7 @@ Returns all information about a specific user. | position | string | body | The user's position. | | email | string | body | The user's email. | | sso_enabled | boolean | body | Whether or not SSO is enabled for the user. | +| mfa_enabled | boolean | body | _Available in Fleet Premium._ Whether or not the user must click a magic link emailed to them to log in, after they successfully enter their username and password. Incompatible with SSO and API-only users. | | api_only | boolean | body | User is an "API-only" user (cannot use web UI) if true. | | password | string | body | The user's current password, required to change the user's own email or password (not required for an admin to modify another user). | | new_password| string | body | The user's new password. | @@ -11490,6 +11510,7 @@ Returns all information about a specific user. "force_password_reset": false, "gravatar_url": "", "sso_enabled": false, + "mfa_enabled": false, "api_only": false, "teams": [] } @@ -11533,6 +11554,7 @@ Returns all information about a specific user. "force_password_reset": false, "gravatar_url": "", "sso_enabled": false, + "mfa_enabled": false, "global_role": "admin", "teams": [ { @@ -11608,6 +11630,7 @@ The selected user is logged out of Fleet and required to reset their password du "email": "janedoe@example.com", "force_password_reset": true, "gravatar_url": "", + "mfa_enabled": false, "sso_enabled": false, "global_role": "observer", "teams": [] diff --git a/handbook/company/pricing-features-table.yml b/handbook/company/pricing-features-table.yml index ad60a5508ac3..734be24e34c8 100644 --- a/handbook/company/pricing-features-table.yml +++ b/handbook/company/pricing-features-table.yml 
@@ -146,7 +146,7 @@ # ║ ║║║║ ║───╠╣ ╠═╣║ ║ ║ ║╠╦╝ ╠═╣║ ║ ║ ╠═╣║╣ ║║║ ║ ║║ ╠═╣ ║ ║║ ║║║║ # ╩ ╚╩╝╚═╝ ╚ ╩ ╩╚═╝ ╩ ╚═╝╩╚═ ╩ ╩╚═╝ ╩ ╩ ╩╚═╝╝╚╝ ╩ ╩╚═╝╩ ╩ ╩ ╩╚═╝╝╚╝ - industryName: Two-factor authentication - moreInfoUrl: https://github.com/fleetdm/fleet/issues/5478 + moreInfoUrl: https://github.com/fleetdm/fleet/issues/22078 productCategories: [Endpoint operations,Device management,Vulnerability management] pricingTableCategories: [Configuration] usualDepartment: IT @@ -155,7 +155,6 @@ jamfProtectHasFeature: yes waysToUse: - description: Enforce two-factor authentication when logging in to Fleet for added security. - comingSoonOn: 2024-12-31 # # ╦═╗╔═╗╦ ╔═╗ ╔╗ ╔═╗╔═╗╔═╗╔╦╗ ╔═╗╔═╗╔═╗╔═╗╔═╗╔═╗ ╔═╗╔═╗╔╗╔╔╦╗╦═╗╔═╗╦ # ╠╦╝║ ║║ ║╣───╠╩╗╠═╣╚═╗║╣ ║║ ╠═╣║ ║ ║╣ ╚═╗╚═╗ ║ ║ ║║║║ ║ ╠╦╝║ ║║