# fleet
a
hi all, I ran the `fleetctl package` command from my M2 mac, and it installed successfully on other M chip macs, but when I push the pkg out via JAMF, the pkg verification fails on intel chip macs. is there something I can do to fix this?
@Rebecca Cowart this is related to our convo from the other week. unfortunately it’s not super simple for me to pull logs off of the machines 😕
this isn’t a lot to go off of, but here’s what JAMF shows as the error
u
@alex d (osquery), it looks like the error is popping up because the package isn't signed. If you're using JAMF, it may be simpler to download the fleetd base package (which is signed by us) and use a configuration profile to configure your server URL and enroll secret using our config-less deployment option: https://fleetdm.com/guides/config-less-fleetd-agent-deployment
a
ooo will take a look at this, thanks
I packaged osqueryd as the doc stated
```
fleetctl package --type=pkg --use-system-configuration --fleet-desktop
```
and have the plist with the enroll secret and endpoint queued up. is the correct order of operations for next steps to scope the configuration profile at a host, then run the installer on it?
u
You'd want to download the existing package rather than creating your own. Scope the configuration profile, then install that downloaded package.
Looks like the guide was updated and that link isn't there any more, one sec and I'll send it over.
https://download.fleetdm.com/stable/fleetd-base.pkg
Sorry I didn't realize the download instructions for Mac had been removed in favor of the fleetctl package workflow.
a
will give it a shot thanks! maybe a dumb question but I believe when I enrolled hosts in Fleet prior, I gave the host certs, as well as some other flags. are those not necessary with the pre-packaged fleet + config profile?
e.g.
```
/opt/orbit/bin/osqueryd/macos-app/stable/osquery.app/Contents/MacOS/osqueryd --pidfile=/opt/orbit/osquery.pid --extensions_socket=/opt/orbit/orbit-osquery.em --logger_path=/opt/orbit/osquery_log --enroll_secret_env ENROLL_SECRET --tls_hostname=redacted --enroll_tls_endpoint=/api/v1/osquery/enroll --config_plugin=tls --config_tls_endpoint=/api/v1/osquery/config --config_refresh=60 --disable_distributed=false --distributed_plugin=tls --distributed_tls_max_attempts=10 --distributed_tls_read_endpoint=/api/v1/osquery/distributed/read --distributed_tls_write_endpoint=/api/v1/osquery/distributed/write --logger_plugin=tls,filesystem --logger_tls_endpoint=/api/v1/osquery/log --disable_carver=false --carver_disable_function=false --carver_start_endpoint=/api/v1/osquery/carve/begin --carver_continue_endpoint=/api/v1/osquery/carve/block --carver_block_size=8000000 --tls_server_certs /opt/orbit/fleet.pem --augeas_lenses /opt/orbit/lenses --force --flagfile /opt/orbit/osquery.flags --host-identifier uuid --database_path /opt/orbit/osquery.db
```
that’s the full path of the osquery process currently
u
Darn, that makes things a little more complicated. In that case, you do need to build and sign the package.
a
ahh ok
I mean most of that stuff is default, I think? but I wasn’t sure about the certs
u
Most everything you'd need is baked into that package; you generally only need to pass certs if you're using a self-signed certificate in Fleet.