From 7285cb5e75e11a32b707964aeef829d651454149 Mon Sep 17 00:00:00 2001 From: Marko Lisica <83164494+marko-lisica@users.noreply.github.com> Date: Wed, 21 Jan 2026 12:54:42 +0100 Subject: [PATCH 1/7] Update fleet-server-configuration.md with new mdm options Added new configuration options for Apple VPP in the documentation. --- .../fleet-server-configuration.md | 40 ++++++++++++++++++- 1 file changed, 39 insertions(+), 1 deletion(-) diff --git a/docs/Configuration/fleet-server-configuration.md b/docs/Configuration/fleet-server-configuration.md index 12943aa9d82..10cff5aa3f5 100644 --- a/docs/Configuration/fleet-server-configuration.md +++ b/docs/Configuration/fleet-server-configuration.md @@ -3211,7 +3211,7 @@ The content of the Windows WSTEP identity key. An RSA private key, PEM-encoded. -----END RSA PRIVATE KEY----- ``` -### mdm.sso_rate_limit_per_minute +### mdm.sso​_rate​_limit​_per​_minute The number of requests per minute allowed to [Initiate SSO during DEP enrollment](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/api-for-contributors.md#initiate-sso-during-dep-enrollment) and [Complete SSO during DEP enrollment](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/api-for-contributors.md#complete-sso-during-dep-enrollment) endpoints, combined. @@ -3226,6 +3226,44 @@ The best practice is to set this to 3x the number of new employees (end users) t sso_rate_limit_per_minute: 200 ``` +### mdm.apple_vpp_app_store_region + +Override the default region (`us`) for the Apple App Store storefront. + +- Default value: us +- Environment variable: `FLEET_MDM_APPLE_VPP_APP_STORE_REGION` +- Config file format: + ```yaml + mdm: + apple_vpp_app_store_region: de + ``` + + + +### mdm.apple_vpp_app_metadata_endpoint_url + +Override the default region (`us`) for the Apple App Store storefront. + +- Default value: ... +- Environment variable: `FLEET_MDM_APPLE_VPP_APP_METADATA_ENDPOINT_URL` +- Config file format: + ```yaml + mdm: + apple_vpp_app_metadata_endpoint_url: https://... + ``` + +### mdm.apple_vpp_app_metadata_endpoint_bearer_token + +Override the default region (`us`) for the Apple App Store storefront. + +- Default value: ... +- Environment variable: `FLEET_MDM_APPLE_VPP_APP_METADATA_ENDPOINT_BEARER_TOKEN` +- Config file format: + ```yaml + mdm: + apple_vpp_app_metadata_endpoint_bearer_token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ92eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6Ikp + ``` + ## Partnerships ### partnerships_enable_secureframe From d4c9fe0d4419a2c7b1fdb9881394f352f6fbd405 Mon Sep 17 00:00:00 2001 From: Marko Lisica <83164494+marko-lisica@users.noreply.github.com> Date: Wed, 21 Jan 2026 13:15:59 +0100 Subject: [PATCH 2/7] update --- .../fleet-server-configuration.md | 26 +++++++++++-------- 1 file changed, 15 insertions(+), 11 deletions(-) diff --git a/docs/Configuration/fleet-server-configuration.md b/docs/Configuration/fleet-server-configuration.md index 10cff5aa3f5..d654851db0e 100644 --- a/docs/Configuration/fleet-server-configuration.md +++ b/docs/Configuration/fleet-server-configuration.md @@ -3228,7 +3228,7 @@ The best practice is to set this to 3x the number of new employees (end users) t ### mdm.apple_vpp_app_store_region -Override the default region (`us`) for the Apple App Store storefront. +Specify the Apple App Store region. The region affects the availability of apps in Fleet. For example, if you [add apps to Apple Business Manager](https://fleetdm.com/guides/install-app-store-apps#apple-vpp) that aren't available in the `de` region, they won't appear in Fleet. - Default value: us - Environment variable: `FLEET_MDM_APPLE_VPP_APP_STORE_REGION` @@ -3239,29 +3239,33 @@ Override the default region (`us`) for the Apple App Store storefront. ``` +### mdm.apple_vpp_app_metadata_api_proxy -### mdm.apple_vpp_app_metadata_endpoint_url +By default, Fleet server retrieves metadata for Apple VPP apps via Fleet proxy, using an authentication token hosted on fleetdm.com. -Override the default region (`us`) for the Apple App Store storefront. +If you have an [Apple developer account that is enabled as MDM vendor](https://developer.apple.com/help/account/service-configurations/apps-and-books-for-organizations), Fleet server can directly communicate with the [Apple Apps and Books API](https://developer.apple.com/documentation/devicemanagement/get-your-apps-metadata). -- Default value: ... -- Environment variable: `FLEET_MDM_APPLE_VPP_APP_METADATA_ENDPOINT_URL` +If set to `false` then you must specify [mdm.apple_vpp_app_metadata_api_bearer_token](#mdm-apple-vpp-app-metadata-api-bearer-token). + + +- Default value: true +- Environment variable: `FLEET_MDM_APPLE_VPP_APP_METADATA_API_PROXY` - Config file format: ```yaml mdm: - apple_vpp_app_metadata_endpoint_url: https://... + apple_vpp_app_metadata_api_url: false ``` -### mdm.apple_vpp_app_metadata_endpoint_bearer_token +### mdm.apple_vpp_app_metadata_api_bearer_token -Override the default region (`us`) for the Apple App Store storefront. +Bearer token to authenticate requests to Apple Apps and Books API. This is required if [mdm.apple_vpp_app_metadata_api_proxy](#mdm-apple-vpp-app-metadata-api-proxy) is set to `false`. -- Default value: ... -- Environment variable: `FLEET_MDM_APPLE_VPP_APP_METADATA_ENDPOINT_BEARER_TOKEN` +- Default value: none +- Environment variable: `FLEET_MDM_APPLE_VPP_APP_METADATA_API_BEARER_TOKEN` - Config file format: ```yaml mdm: - apple_vpp_app_metadata_endpoint_bearer_token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ92eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6Ikp + apple_vpp_app_metadata_api_bearer_token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ92eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6Ikp ``` ## Partnerships From 074ca6989598f670b5f15a15405f3888a7456c4a Mon Sep 17 00:00:00 2001 From: Marko Lisica <83164494+marko-lisica@users.noreply.github.com> Date: Wed, 21 Jan 2026 17:42:01 +0100 Subject: [PATCH 3/7] Update docs/Configuration/fleet-server-configuration.md Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> --- docs/Configuration/fleet-server-configuration.md | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/docs/Configuration/fleet-server-configuration.md b/docs/Configuration/fleet-server-configuration.md index d654851db0e..7a99f383709 100644 --- a/docs/Configuration/fleet-server-configuration.md +++ b/docs/Configuration/fleet-server-configuration.md @@ -3226,19 +3226,6 @@ The best practice is to set this to 3x the number of new employees (end users) t sso_rate_limit_per_minute: 200 ``` -### mdm.apple_vpp_app_store_region - -Specify the Apple App Store region. The region affects the availability of apps in Fleet. For example, if you [add apps to Apple Business Manager](https://fleetdm.com/guides/install-app-store-apps#apple-vpp) that aren't available in the `de` region, they won't appear in Fleet. - -- Default value: us -- Environment variable: `FLEET_MDM_APPLE_VPP_APP_STORE_REGION` -- Config file format: - ```yaml - mdm: - apple_vpp_app_store_region: de - ``` - - ### mdm.apple_vpp_app_metadata_api_proxy By default, Fleet server retrieves metadata for Apple VPP apps via Fleet proxy, using an authentication token hosted on fleetdm.com. From 906fd0d5af43477525e3754f2f6c53d8e752e476 Mon Sep 17 00:00:00 2001 From: Marko Lisica <83164494+marko-lisica@users.noreply.github.com> Date: Wed, 21 Jan 2026 17:42:24 +0100 Subject: [PATCH 4/7] Update docs/Configuration/fleet-server-configuration.md Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> --- docs/Configuration/fleet-server-configuration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/Configuration/fleet-server-configuration.md b/docs/Configuration/fleet-server-configuration.md index 7a99f383709..62dffa21de4 100644 --- a/docs/Configuration/fleet-server-configuration.md +++ b/docs/Configuration/fleet-server-configuration.md @@ -3228,7 +3228,7 @@ The best practice is to set this to 3x the number of new employees (end users) t ### mdm.apple_vpp_app_metadata_api_proxy -By default, Fleet server retrieves metadata for Apple VPP apps via Fleet proxy, using an authentication token hosted on fleetdm.com. +By default, Fleet retrieves [Apple App Store (VPP) metadata](https://developer.apple.com/documentation/devicemanagement/get-your-apps-metadata) from Apple using an API token from Fleet's Apple Developer account. This API token is hosted on fleetdm.com. If you have an [Apple developer account that is enabled as MDM vendor](https://developer.apple.com/help/account/service-configurations/apps-and-books-for-organizations), Fleet server can directly communicate with the [Apple Apps and Books API](https://developer.apple.com/documentation/devicemanagement/get-your-apps-metadata). From 5718f990c45d75af3a51c53f9422c05f7e1112e9 Mon Sep 17 00:00:00 2001 From: Marko Lisica <83164494+marko-lisica@users.noreply.github.com> Date: Wed, 21 Jan 2026 17:45:14 +0100 Subject: [PATCH 5/7] Apply suggestion from @noahtalerman Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> --- docs/Configuration/fleet-server-configuration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/Configuration/fleet-server-configuration.md b/docs/Configuration/fleet-server-configuration.md index 62dffa21de4..2d363f9c705 100644 --- a/docs/Configuration/fleet-server-configuration.md +++ b/docs/Configuration/fleet-server-configuration.md @@ -3230,7 +3230,7 @@ The best practice is to set this to 3x the number of new employees (end users) t By default, Fleet retrieves [Apple App Store (VPP) metadata](https://developer.apple.com/documentation/devicemanagement/get-your-apps-metadata) from Apple using an API token from Fleet's Apple Developer account. This API token is hosted on fleetdm.com. -If you have an [Apple developer account that is enabled as MDM vendor](https://developer.apple.com/help/account/service-configurations/apps-and-books-for-organizations), Fleet server can directly communicate with the [Apple Apps and Books API](https://developer.apple.com/documentation/devicemanagement/get-your-apps-metadata). +If you have an [Apple Developer account that is enabled as MDM vendor](https://developer.apple.com/help/account/service-configurations/apps-and-books-for-organizations), you can optionally configure Fleet with your own API token. This way, Fleet can directly communicate with Apple. If set to `false` then you must specify [mdm.apple_vpp_app_metadata_api_bearer_token](#mdm-apple-vpp-app-metadata-api-bearer-token). From 16fd79672218d8c6a10de05c89c7cb22ec78a9d1 Mon Sep 17 00:00:00 2001 From: Marko Lisica <83164494+marko-lisica@users.noreply.github.com> Date: Wed, 21 Jan 2026 17:47:49 +0100 Subject: [PATCH 6/7] update --- .../Configuration/fleet-server-configuration.md | 17 +---------------- 1 file changed, 1 insertion(+), 16 deletions(-) diff --git a/docs/Configuration/fleet-server-configuration.md b/docs/Configuration/fleet-server-configuration.md index 2d363f9c705..4e720c7a493 100644 --- a/docs/Configuration/fleet-server-configuration.md +++ b/docs/Configuration/fleet-server-configuration.md @@ -3226,27 +3226,12 @@ The best practice is to set this to 3x the number of new employees (end users) t sso_rate_limit_per_minute: 200 ``` -### mdm.apple_vpp_app_metadata_api_proxy +### mdm.apple_vpp_app_metadata_api_bearer_token By default, Fleet retrieves [Apple App Store (VPP) metadata](https://developer.apple.com/documentation/devicemanagement/get-your-apps-metadata) from Apple using an API token from Fleet's Apple Developer account. This API token is hosted on fleetdm.com. If you have an [Apple Developer account that is enabled as MDM vendor](https://developer.apple.com/help/account/service-configurations/apps-and-books-for-organizations), you can optionally configure Fleet with your own API token. This way, Fleet can directly communicate with Apple. -If set to `false` then you must specify [mdm.apple_vpp_app_metadata_api_bearer_token](#mdm-apple-vpp-app-metadata-api-bearer-token). - - -- Default value: true -- Environment variable: `FLEET_MDM_APPLE_VPP_APP_METADATA_API_PROXY` -- Config file format: - ```yaml - mdm: - apple_vpp_app_metadata_api_url: false - ``` - -### mdm.apple_vpp_app_metadata_api_bearer_token - -Bearer token to authenticate requests to Apple Apps and Books API. This is required if [mdm.apple_vpp_app_metadata_api_proxy](#mdm-apple-vpp-app-metadata-api-proxy) is set to `false`. - - Default value: none - Environment variable: `FLEET_MDM_APPLE_VPP_APP_METADATA_API_BEARER_TOKEN` - Config file format: From c60fc51ad577e43d399e6fd3182966135fc215ed Mon Sep 17 00:00:00 2001 From: Marko Lisica <83164494+marko-lisica@users.noreply.github.com> Date: Wed, 21 Jan 2026 17:49:07 +0100 Subject: [PATCH 7/7] Apply suggestion from @marko-lisica --- docs/Configuration/fleet-server-configuration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/Configuration/fleet-server-configuration.md b/docs/Configuration/fleet-server-configuration.md index 4e720c7a493..0862e7abb32 100644 --- a/docs/Configuration/fleet-server-configuration.md +++ b/docs/Configuration/fleet-server-configuration.md @@ -3211,7 +3211,7 @@ The content of the Windows WSTEP identity key. An RSA private key, PEM-encoded. -----END RSA PRIVATE KEY----- ``` -### mdm.sso​_rate​_limit​_per​_minute +### mdm.sso_rate_limit_per_minute The number of requests per minute allowed to [Initiate SSO during DEP enrollment](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/api-for-contributors.md#initiate-sso-during-dep-enrollment) and [Complete SSO during DEP enrollment](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/api-for-contributors.md#complete-sso-during-dep-enrollment) endpoints, combined.