When introducing the MDM config, we took into account the log directives
from the config when applying it via the GUI but failed to apply the new
directives on startup.
Introduces new structure in the `/kb/deploy/clients` docs for managed
configurations.
In draft until new Apple clients, Android, and Windows are ready.
---------
Signed-off-by: Jamil <jamilbk@users.noreply.github.com>
Co-authored-by: Thomas Eizinger <thomas@eizinger.io>
As part of the introduction of General settings, we split up "Advanced
settings" and also renamed one of the fields. Upon first start, the
settings are migrated to the new format. What we failed to notice is
that on the next subsequent start, the legacy settings struct will fail
to parse the now migrated configuration and fall back to the default.
This then appears as if the settings are not getting saved.
Resolves: #9417
---------
Co-authored-by: Jamil Bou Kheir <jamilbk@users.noreply.github.com>
When the Android app calls `disconnect`, it is still within the context
of a `connlib` callback. That callback is executed within the runtime
that we are trying to drop. That is not allowed and leads to a panic.
Resolves: #9390
---------
Co-authored-by: Jamil Bou Kheir <jamilbk@users.noreply.github.com>
Bumps [postcss](https://github.com/postcss/postcss) from 8.5.3 to 8.5.4.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/postcss/postcss/releases">postcss's
releases</a>.</em></p>
<blockquote>
<h2>8.5.4</h2>
<ul>
<li>Fixed Parcel compatibility issue (by <a
href="https://github.com/git-sumitchaudhary"><code>@git-sumitchaudhary</code></a>).</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/postcss/postcss/blob/main/CHANGELOG.md">postcss's
changelog</a>.</em></p>
<blockquote>
<h2>8.5.4</h2>
<ul>
<li>Fixed Parcel compatibility issue (by <a
href="https://github.com/git-sumitchaudhary"><code>@git-sumitchaudhary</code></a>).</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="6cb4a6673f"><code>6cb4a66</code></a>
Release 8.5.4 version</li>
<li><a
href="ec5c1e0310"><code>ec5c1e0</code></a>
Update dependencies</li>
<li><a
href="e85e9385c8"><code>e85e938</code></a>
Fix code format</li>
<li><a
href="50542335f2"><code>5054233</code></a>
fixed error at line 401 (<a
href="https://redirect.github.com/postcss/postcss/issues/2046">#2046</a>)</li>
<li><a
href="0538b6309e"><code>0538b63</code></a>
docs: Update README.md (<a
href="https://redirect.github.com/postcss/postcss/issues/2044">#2044</a>)</li>
<li><a
href="b5f407f397"><code>b5f407f</code></a>
Add <code>postcss-fontsource-url</code> to plugins (<a
href="https://redirect.github.com/postcss/postcss/issues/2043">#2043</a>)</li>
<li><a
href="94b5260be6"><code>94b5260</code></a>
Clarify documentation for <code>node.source.end.offset</code> (<a
href="https://redirect.github.com/postcss/postcss/issues/2032">#2032</a>)</li>
<li><a
href="a20724af14"><code>a20724a</code></a>
Fix Markdown syntax</li>
<li><a
href="cf6b969751"><code>cf6b969</code></a>
fix: add a mention for postcssense extension (<a
href="https://redirect.github.com/postcss/postcss/issues/2040">#2040</a>)</li>
<li><a
href="ff48c29ebb"><code>ff48c29</code></a>
Increase size</li>
<li>Additional commits viewable in <a
href="https://github.com/postcss/postcss/compare/8.5.3...8.5.4">compare
view</a></li>
</ul>
</details>
<br />
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
When `connlib` creates new UDP sockets for the p2p traffic, it tries to
increase the send and receive buffers for improved performance. Failure
to do so currently results in `connlib` failing to start entirely. This
is unnecessarily harsh; we can simply log a warning instead and move on.
The changelog entries are written in TSX which is HTML, so backticks
render as backticks on the website. Updating these to use `<code>`
blocks correctly triggers the proper CSS to apply.
This PR fixes two crashes related to lifetimes on Apple:
- `completionHandler` was being called from within a Task executor
context, which could be different from the one the IPC call was received
on
- The `getLogFolderSize` task could return and attempt to call
`completionHandler` after the PacketTunnelProvider deinit'd
- We were calling the completionHandler from `stopTunnel` manually.
Apple explicitly says not to do this. Instead, we must call
`cancelTunnelWithError(nil)` when we want to stop the tunnel from e.g.
the `onDisconnect`. Apple will then call our `stopTunnel` override. The
downside is that we have no control over the `NEProviderStopReason`
received in this callback, but we don't use it anyway. Instead, we write
the reason to a temporary file and read it from the GUI process when we
detect a status change to `disconnected`. When that occurs, we're able
to show a UI notification (macOS only - iOS can show this notification
from the PacketTunnelProvider itself).
Bumps [framer-motion](https://github.com/motiondivision/motion) from
12.9.4 to 12.14.0.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/motiondivision/motion/blob/main/CHANGELOG.md">framer-motion's
changelog</a>.</em></p>
<blockquote>
<h2>[12.14.0] 2025-05-26</h2>
<h3>Added</h3>
<ul>
<li>Support for <code>originX</code>/<code>Y</code>/<code>Z</code> in
<code>styleEffect</code>.</li>
</ul>
<h3>Fixed</h3>
<ul>
<li>Added markers for pure function calls with effects.</li>
</ul>
<h2>[12.13.0] 2025-05-26</h2>
<h3>Added</h3>
<ul>
<li><code>svgEffect</code>, <code>propEffect</code> and
<code>attrEffect</code>.</li>
</ul>
<h3>Fixed</h3>
<ul>
<li>Fixed a jump in layout animations in select circumstances.</li>
</ul>
<h2>[12.12.2] 2025-05-23</h2>
<h3>Fixed</h3>
<ul>
<li>Ensure scroll updates are only triggered after a scroll read.</li>
</ul>
<h2>[12.12.1] 2025-05-16</h2>
<h3>Fixed</h3>
<ul>
<li>Checks for <code>instanceof HTMLElement</code> made compatible with
dynamically generated <code>iframe</code>s.</li>
</ul>
<h2>[12.12.0] 2025-05-16</h2>
<h3>Added</h3>
<ul>
<li><code>springValue</code></li>
</ul>
<h3>Fixed</h3>
<ul>
<li>Fixed various typos in the type definitions along with a stale
documentation link.</li>
</ul>
<h2>[12.11.4] 2025-05-15</h2>
<h3>Fixed</h3>
<ul>
<li>Only read <code>transform</code> from the DOM for initial
independent transforms when there's no active projection.</li>
</ul>
<h2>[12.11.3] 2025-05-14</h2>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="f0d5139625"><code>f0d5139</code></a>
v12.14.0</li>
<li><a
href="4bb70f3e24"><code>4bb70f3</code></a>
Updating changelog</li>
<li><a
href="a463a27d1b"><code>a463a27</code></a>
Merge pull request <a
href="https://redirect.github.com/motiondivision/motion/issues/3230">#3230</a>
from motiondivision/feature/transform-origin-effect</li>
<li><a
href="96578cd24f"><code>96578cd</code></a>
Latest</li>
<li><a
href="ee0e0dfcc2"><code>ee0e0df</code></a>
Adding support for transform-origin</li>
<li><a
href="6aa294fb70"><code>6aa294f</code></a>
v12.13.0</li>
<li><a
href="d6ce30707b"><code>d6ce307</code></a>
Updated changelog</li>
<li><a
href="d70b94ce55"><code>d70b94c</code></a>
Merge pull request <a
href="https://redirect.github.com/motiondivision/motion/issues/3223">#3223</a>
from rick-hup/fix/layout-jump</li>
<li><a
href="009d4f1497"><code>009d4f1</code></a>
Merge pull request <a
href="https://redirect.github.com/motiondivision/motion/issues/3229">#3229</a>
from motiondivision/feature/effects</li>
<li><a
href="e2725e99d9"><code>e2725e9</code></a>
Updating effect tests</li>
<li>Additional commits viewable in <a
href="https://github.com/motiondivision/motion/compare/v12.9.4...v12.14.0">compare
view</a></li>
</ul>
</details>
<br />
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [mixpanel-browser](https://github.com/mixpanel/mixpanel-js) and
[@types/mixpanel-browser](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/mixpanel-browser).
These dependencies needed to be updated together.
Updates `mixpanel-browser` from 2.64.0 to 2.65.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/mixpanel/mixpanel-js/releases">mixpanel-browser's
releases</a>.</em></p>
<blockquote>
<h2>Updates to revenue, session recording, autocapture, etc</h2>
<p>This release packages up changes and improvements to several
subsystems:</p>
<ul>
<li>The long-deprecated <code>mixpanel.people.track_charge()</code>
method now only prints a console error and no longer sets a profile
property or produces any other change. The old version of Mixpanel's
Revenue analysis UI has been replaced by a newer suite of analysis tools
which don't depend on profile properties (see <a
href="https://docs.mixpanel.com/docs/features/revenue_analytics">https://docs.mixpanel.com/docs/features/revenue_analytics</a>).</li>
<li>Autocapture click tracking properties now include page height and
width.</li>
<li>Session recording now stops when <code>mixpanel.reset()</code> is
called.</li>
<li>New init option <code>api_extra_query_params</code> adds support for
appending arbitrary query string params to tracking requests (useful for
non-standard proxy setups)</li>
<li>The API of the Feature Flagging system (under development) has been
revised</li>
<li>Whale Browser is now detected automatically</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/mixpanel/mixpanel-js/blob/master/CHANGELOG.md">mixpanel-browser's
changelog</a>.</em></p>
<blockquote>
<p><strong>2.65.0</strong> (20 May 2025)</p>
<ul>
<li><code>mixpanel.people.track_charge()</code> (deprecated) no longer
sets profile property</li>
<li>Adds page height and width tracking to autocapture click
tracking</li>
<li>Session recording now stops when mixpanel.reset() is called</li>
<li>Support for adding arbitrary query string params to tracking
requests (thanks <a
href="https://github.com/dylan-asos"><code>@dylan-asos</code></a>)</li>
<li>Feature flagging API revisions</li>
<li>Whale Browser detection</li>
</ul>
<p><strong>2.64.0</strong> (15 Apr 2025)</p>
<ul>
<li>Add <code>record_heatmap_data</code> init option for Session
Recording to ensure click events are captured for Heat Maps</li>
<li>Initial support for feature flagging</li>
</ul>
<p><strong>2.63.0</strong> (1 Apr 2025)</p>
<ul>
<li>Update rrweb to latest alpha version</li>
<li>Refactor SDK build process to rely mainly on Rollup</li>
</ul>
<p><strong>2.62.0</strong> (26 Mar 2025)</p>
<ul>
<li>Replace UUID generator with UUIDv4 (using native API when
available)</li>
<li>Consistently use native JSON serialization when available</li>
<li>Fix for session recording idle timeout race condition</li>
</ul>
<p><strong>2.61.2</strong> (14 Mar 2025)</p>
<ul>
<li>Revert 10ms throttle on enqueueing events to improve tracking
reliability on page unload</li>
</ul>
<p><strong>2.61.1</strong> (11 Mar 2025)</p>
<ul>
<li>Session recording stops if initial DOM snapshot fails</li>
<li>Errors triggered by rrweb's record function are now caught</li>
<li>Fix for issue causing opt-out check error messages in
<code>debug</code> mode</li>
</ul>
<p><strong>2.61.0</strong> (6 Mar 2025)</p>
<ul>
<li>Session recordings now continue across page loads within the same
tab, using IndexedDB for persistence</li>
</ul>
<p><strong>2.60.0</strong> (31 Jan 2025)</p>
<ul>
<li>Expanded Autocapture configs</li>
<li>Prevent duplicate values in persistence when using people.union
(thanks <a
href="https://github.com/chrisdeely"><code>@chrisdeely</code></a>)</li>
</ul>
<p><strong>2.59.0</strong> (21 Jan 2025)</p>
<ul>
<li>Initial Autocapture support</li>
<li>Block more crawlers (AmazonBot, more Yandex bots)</li>
</ul>
<p><strong>2.58.0</strong> (16 Dec 2024)</p>
<ul>
<li>Added canvas recording option</li>
<li>Session Replay checkpoint events now include a starting URL</li>
</ul>
<p><strong>2.57.1</strong> (12 Dec 2024)</p>
<ul>
<li>Asynchronous abstractions (primarily Promise support) introduced in
internal refactor of batch/queue/retry system</li>
</ul>
<p><strong>2.57.0</strong> (Dec 2024)
REDACTED</p>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="bb9a0053b8"><code>bb9a005</code></a>
2.65.0</li>
<li><a
href="409a7aae9e"><code>409a7aa</code></a>
changelog for 2.65.0</li>
<li><a
href="b8ed533587"><code>b8ed533</code></a>
rebuild 2.65.0</li>
<li><a
href="2538584c46"><code>2538584</code></a>
lint fix</li>
<li><a
href="6fda746356"><code>6fda746</code></a>
rebuild 2.65.0-rc1</li>
<li><a
href="13348c6d78"><code>13348c6</code></a>
try to work around global recorder object test issue</li>
<li><a
href="340e9cf921"><code>340e9cf</code></a>
make track_charge a NOOP</li>
<li><a
href="7d9d3a5e91"><code>7d9d3a5</code></a>
fix tests</li>
<li><a
href="37c1f3de1b"><code>37c1f3d</code></a>
add back get_feature_data temporarily</li>
<li><a
href="0c3ab8bd73"><code>0c3ab8b</code></a>
[Session Replay] Stop session recording when SDK calls reset()</li>
<li>Additional commits viewable in <a
href="https://github.com/mixpanel/mixpanel-js/compare/v2.64.0...v2.65.0">compare
view</a></li>
</ul>
</details>
<br />
Updates `@types/mixpanel-browser` from 2.54.0 to 2.60.0
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/mixpanel-browser">compare
view</a></li>
</ul>
</details>
<br />
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
This PR adds the equivalent MDM configuration that we already have for
macOS & iOS for the GUI client on Windows. These options are retrieved
from the Windows registry when the Client is started. Specifically, the
key for these is: `HKEY_CURRENT_USER\Software\Policies\Firezone`.
At the moment, these cannot be configured or seen by the user. They are also
not "watched" for whilst the Client is running. If an admin pushes a new
MDM configuration, the Client will have to be restarted in order for
that new config to take effect.
Windows Policy templates are structured into two files:
- An `.admx` file that defines the structure of the policy, like the
kinds of values it has, where it is stored, which versions it is
supported on and which category it belongs to.
- An `.adml` file that defines all strings and presentation
logic, like the actual text of the policies and how the values are
presented in the GUI in e.g. Intune.
Internally, we differentiate between `MdmSettings` and
`AdvancedSettings`. The `MdmSettings` are cross-platform, however on
Linux, we always fall back to the defaults and therefore, they are always
"unset". Eventually, it might make sense to wrap both of these into a
more general `Settings` struct that acts as a proxy for the two.
Related: #4505
When pulling IPs from system resolvers, it's possible the IPv6 addresses
may contain scopes which will cause connlib to barf when parsing.
To fix these, we first convert to the Swift-native type `IPv4Address` or
`IPv6Address` and then use the string representation of those types,
which normalizes them to plain addresses.
Fixes #9055
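An added example, not Firezone's own code: a Rust illustration of the parsing side of this problem, showing that `std::net::Ipv6Addr` rejects a scoped literal and that stripping the zone identifier yields a plain address. The function names and the resolver list are constructed for illustration.

```rust
use std::net::{IpAddr, Ipv6Addr};

/// Strip an RFC 4007 zone identifier ("%en0", "%12") from a resolver address
/// and parse what is left. Returns None if the remainder is not a valid
/// IPv4/IPv6 literal, or if the zone is malformed.
pub fn normalize_resolver(raw: &str) -> Option<IpAddr> {
    let trimmed = raw.trim();
    // Everything before the first '%' is the address, the rest is the zone.
    let (addr, zone) = match trimmed.split_once('%') {
        Some((addr, zone)) => (addr, Some(zone)),
        None => (trimmed, None),
    };
    let ip: IpAddr = addr.parse().ok()?;
    match (ip, zone) {
        // A zone only makes sense on IPv6; reject "192.0.2.1%eth0".
        (IpAddr::V4(_), Some(_)) => None,
        // "fe80::1%" has a delimiter but no zone: treat as malformed input.
        (_, Some("")) => None,
        _ => Some(ip),
    }
}

/// Normalize a whole resolver list. Returns the usable addresses (deduplicated,
/// order preserved) and the raw entries that were rejected, so the caller can
/// log them instead of failing outright.
pub fn normalize_all(raw: &[&str]) -> (Vec<IpAddr>, Vec<String>) {
    let mut ok = Vec::new();
    let mut rejected = Vec::new();
    for entry in raw {
        match normalize_resolver(entry) {
            Some(ip) => {
                // Dropping the zone can make two link-local entries identical.
                if !ok.contains(&ip) {
                    ok.push(ip);
                }
            }
            None => rejected.push(entry.to_string()),
        }
    }
    (ok, rejected)
}

fn main() {
    // Constructed sample of what a system resolver list might contain.
    let raw = ["fe80::1%en0", "2001:db8::53", "192.0.2.53", "fe80::1%en1", "not-an-ip"];

    // The failure mode: a scoped literal is not a valid Ipv6Addr string.
    assert!("fe80::1%en0".parse::<Ipv6Addr>().is_err());

    let (ok, rejected) = normalize_all(&raw);
    println!("usable: {:?}", ok);
    println!("rejected: {:?}", rejected);
}
```

Dropping the zone from a link-local address also drops the interface it belongs to, which is why the two `fe80::1` entries collapse into one.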
Having defaults in here is confusing, because they are actually all
unset by default which means the user settings won't be overridden.
This is the final version submitted at
https://github.com/profilemanifests/profilemanifests
The GUI client currently has a bug that resets the favourites and the
status of the Internet Resource every time the advanced settings are
saved. This happens because those fields are annotated with
`#[serde(default)]` and are thus initialised to their default value when
the struct is deserialised from the frontend.
To mitigate this, we introduce a new `GeneralSettings` struct that holds
the status of the Internet Resource and the list of favourites. When a
client starts up, it will try to migrate the existing advanced settings
into the new split of general and advanced settings.
On macOS, we need to use `mobileconfig` files to configure the client.
These are cumbersome to generate by hand and so a number of popular
tools exist to aid in generating these.
One of the more popular options is [iMazing Profile
Editor](https://imazing.com/profile-editor), which maintains a
[repository](https://github.com/ProfileManifests/ProfileManifests) of
popular "Profile Manifests" for various enterprise-managed applications
on Apple.
In addition to opening the PR for the Firezone client in this repo,
we'll want to open one there too so we can be added to the in-app list
of supported applications to generate `mobileconfig` files for.
Tauri's `deb` and `rpm` bundler have support for configuring maintainer
scripts. We can therefore just use those instead of tearing apart the
`deb` file that it creates and rebuilding it ourselves.
Our `rpm` packaging is currently completely broken as well. I couldn't
get it to work on CentOS 9 at all due to missing dependencies, likely
introduced by our move to Tauri v2. It installs fine on CentOS 10
though, assuming that the user has the EPEL repository installed which
provides the WebView dependency. I extended the docs to reflect this.
Hence, with this PR, we drop support for CentOS 9 and now require CentOS
10. This allows us to remove a lot of cruft from our bundling process
and instead entirely rely on the Tauri provided bundler.
Lastly, for consistency with other platforms, the name of the
application in places like app drawers has been changed from "Firezone
Client" to just "Firezone".
---------
Signed-off-by: Thomas Eizinger <thomas@eizinger.io>
The name IPC service is not very descriptive. By nature of being
separate processes, we need to use IPC to communicate between them. The
important thing is that the service process has control over the tunnel.
Therefore, we rename everything to "Tunnel service".
The only part that is not changed are historic changelog entries.
Resolves: #9048