[PROVISIONING] ADMX/ADML/PS/bash scripts/templates

Tests MDM config reload via ticker
Introduces support for darwing plist loading
2026-06-09 01:19:55 +00:00 · 2026-06-08 18:06:02 +02:00 · 2026-06-08 18:06:02 +02:00 · 2026-06-08 18:06:02 +02:00 · 2026-06-08 18:06:02 +02:00 · 2026-06-08 18:06:02 +02:00
180 changed files with 6004 additions and 2980 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,45 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 15
+    groups:
+      actions:
+        patterns:
+          - "*"
+    ignore:
+      # git-town/action v1.3.x crashes on cyclic PR graphs (self-loop main->main
+      # fork PRs) via its topological-sort visualization. Pinned to v1.2.1 in
+      # git-town.yml; block v1.3.x until upstream tolerates cyclic edges.
+      - dependency-name: "git-town/action"
+        update-types:
+          - "version-update:semver-minor"
+          - "version-update:semver-major"
+
+  - package-ecosystem: "gomod"
+    directories:
+      - "/"
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 15
+    groups:
+      aws-sdk:
+        patterns:
+          - "github.com/aws/aws-sdk-go-v2/*"
+      pion:
+        patterns:
+          - "github.com/pion/*"
+      gorm:
+        patterns:
+          - "gorm.io/*"
+      otel:
+        patterns:
+          - "go.opentelemetry.io/*"
+      testcontainers:
+        patterns:
+          - "github.com/testcontainers/testcontainers-go/*"
+      wireguard:
+        patterns:
+          - "golang.zx2c4.com/wireguard*"
--- a/.github/workflows/check-license-dependencies.yml
+++ b/.github/workflows/check-license-dependencies.yml
@@ -2,16 +2,16 @@ name: Check License Dependencies

 on:
  push:
-    branches: [ main ]
+    branches: [main]
    paths:
-      - 'go.mod'
-      - 'go.sum'
-      - '.github/workflows/check-license-dependencies.yml'
+      - "go.mod"
+      - "go.sum"
+      - ".github/workflows/check-license-dependencies.yml"
  pull_request:
    paths:
-      - 'go.mod'
-      - 'go.sum'
-      - '.github/workflows/check-license-dependencies.yml'
+      - "go.mod"
+      - "go.sum"
+      - ".github/workflows/check-license-dependencies.yml"

 jobs:
  check-internal-dependencies:
@@ -19,7 +19,10 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@v4
+      - name: Checkout code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: Check for problematic license dependencies
        run: |
@@ -56,55 +59,57 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-    - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

-    - name: Set up Go
-      uses: actions/setup-go@v5
-      with:
-        go-version-file: 'go.mod'
-        cache: true
+      - name: Set up Go
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        with:
+          go-version-file: "go.mod"
+          cache: true

-    - name: Install go-licenses
-      run: go install github.com/google/go-licenses@v1.6.0
+      - name: Install go-licenses
+        run: go install github.com/google/go-licenses@v1.6.0

-    - name: Check for GPL/AGPL licensed dependencies
-      run: |
-        echo "Checking for GPL/AGPL/LGPL licensed dependencies..."
-        echo ""
-
-        # Check all Go packages for copyleft licenses, excluding internal netbird packages
-        COPYLEFT_DEPS=$(go-licenses report ./... 2>/dev/null | grep -E 'GPL|AGPL|LGPL' | grep -v 'github.com/netbirdio/netbird/' || true)
-
-        if [ -n "$COPYLEFT_DEPS" ]; then
-          echo "Found copyleft licensed dependencies:"
-          echo "$COPYLEFT_DEPS"
+      - name: Check for GPL/AGPL licensed dependencies
+        run: |
+          echo "Checking for GPL/AGPL/LGPL licensed dependencies..."
          echo ""

-          # Filter out dependencies that are only pulled in by internal AGPL packages
-          INCOMPATIBLE=""
-          while IFS=',' read -r package url license; do
-            if echo "$license" | grep -qE 'GPL-[0-9]|AGPL-[0-9]|LGPL-[0-9]'; then
-              # Find ALL packages that import this GPL package using go list
-              IMPORTERS=$(go list -json -deps ./... 2>/dev/null | jq -r "select(.Imports[]? == \"$package\") | .ImportPath")
+          # Check all Go packages for copyleft licenses, excluding internal netbird packages
+          COPYLEFT_DEPS=$(go-licenses report ./... 2>/dev/null | grep -E 'GPL|AGPL|LGPL' | grep -v 'github.com/netbirdio/netbird/' || true)

-              # Check if any importer is NOT in management/signal/relay
-              BSD_IMPORTER=$(echo "$IMPORTERS" | grep -v "github.com/netbirdio/netbird/\(management\|signal\|relay\|proxy\|combined\|tools/idp-migrate\)" | head -1)
-
-              if [ -n "$BSD_IMPORTER" ]; then
-                echo "❌ $package ($license) is imported by BSD-licensed code: $BSD_IMPORTER"
-                INCOMPATIBLE="${INCOMPATIBLE}${package},${url},${license}\n"
-              else
-                echo "✓ $package ($license) is only used by internal AGPL packages - OK"
-              fi
-            fi
-          done <<< "$COPYLEFT_DEPS"
-
-          if [ -n "$INCOMPATIBLE" ]; then
+          if [ -n "$COPYLEFT_DEPS" ]; then
+            echo "Found copyleft licensed dependencies:"
+            echo "$COPYLEFT_DEPS"
            echo ""
-            echo "❌ INCOMPATIBLE licenses found that are used by BSD-licensed code:"
-            echo -e "$INCOMPATIBLE"
-            exit 1
-          fi
-        fi

-        echo "✅ All external license dependencies are compatible with BSD-3-Clause"
+            # Filter out dependencies that are only pulled in by internal AGPL packages
+            INCOMPATIBLE=""
+            while IFS=',' read -r package url license; do
+              if echo "$license" | grep -qE 'GPL-[0-9]|AGPL-[0-9]|LGPL-[0-9]'; then
+                # Find ALL packages that import this GPL package using go list
+                IMPORTERS=$(go list -json -deps ./... 2>/dev/null | jq -r "select(.Imports[]? == \"$package\") | .ImportPath")
+
+                # Check if any importer is NOT in management/signal/relay
+                BSD_IMPORTER=$(echo "$IMPORTERS" | grep -v "github.com/netbirdio/netbird/\(management\|signal\|relay\|proxy\|combined\|tools/idp-migrate\)" | head -1)
+
+                if [ -n "$BSD_IMPORTER" ]; then
+                  echo "❌ $package ($license) is imported by BSD-licensed code: $BSD_IMPORTER"
+                  INCOMPATIBLE="${INCOMPATIBLE}${package},${url},${license}\n"
+                else
+                  echo "✓ $package ($license) is only used by internal AGPL packages - OK"
+                fi
+              fi
+            done <<< "$COPYLEFT_DEPS"
+
+            if [ -n "$INCOMPATIBLE" ]; then
+              echo ""
+              echo "❌ INCOMPATIBLE licenses found that are used by BSD-licensed code:"
+              echo -e "$INCOMPATIBLE"
+              exit 1
+            fi
+          fi
+
+          echo "✅ All external license dependencies are compatible with BSD-3-Clause"
--- a/.github/workflows/docs-ack.yml
+++ b/.github/workflows/docs-ack.yml
@@ -83,7 +83,7 @@ jobs:

      - name: Verify docs PR exists (and is open or merged)
        if: steps.validate.outputs.mode == 'added'
-        uses: actions/github-script@v7
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        id: verify
        with:
          pr_number: ${{ steps.extract.outputs.pr_number }}
--- a/.github/workflows/forum.yml
+++ b/.github/workflows/forum.yml
@@ -8,11 +8,10 @@ jobs:
  post:
    runs-on: ubuntu-latest
    steps:
-      - uses: roots/discourse-topic-github-release-action@main
+      - uses: roots/discourse-topic-github-release-action@557d74ea05b6cc0c47f555c1d5d28a89d904005b # v1.1.0
        with:
          discourse-api-key: ${{ secrets.DISCOURSE_RELEASES_API_KEY }}
          discourse-base-url: https://forum.netbird.io
          discourse-author-username: NetBird
          discourse-category: 17
-          discourse-tags:
-            releases
+          discourse-tags: releases
--- a/.github/workflows/git-town.yml
+++ b/.github/workflows/git-town.yml
@@ -3,7 +3,7 @@ name: Git Town
 on:
  pull_request:
    branches:
-      - '**'
+      - "**"

 jobs:
  git-town:
@@ -15,7 +15,9 @@ jobs:
      pull-requests: write

    steps:
-      - uses: actions/checkout@v4
-      - uses: git-town/action@v1.2.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - uses: git-town/action@3d8b878379abb1ee393fb49865a28b4a6c2cd3b0 # v1.2.1
        with:
          skip-single-stacks: true
--- a/.github/workflows/golang-test-darwin.yml
+++ b/.github/workflows/golang-test-darwin.yml
@@ -16,16 +16,18 @@ jobs:
    runs-on: macos-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false

      - name: Cache Go modules
-        uses: actions/cache@v4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: ~/go/pkg/mod
          key: macos-gotest-${{ hashFiles('**/go.sum') }}
@@ -43,5 +45,11 @@ jobs:
        run: git --no-pager diff --exit-code

      - name: Test
-        run: NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true go test -tags=devcert -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 5m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined)
+        run: NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true go test -coverprofile=coverage.txt -tags=devcert -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 5m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined)

+      - name: Upload coverage reports to Codecov
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 #v6.0.1
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+          slug: netbirdio/netbird
+          flags: unit,client
--- a/.github/workflows/golang-test-freebsd.yml
+++ b/.github/workflows/golang-test-freebsd.yml
@@ -15,20 +15,31 @@ jobs:
    name: "Client / Unit"
    runs-on: ubuntu-22.04
    steps:
-      - uses: actions/checkout@v4
+      - name: Checkout code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Read Go version from go.mod
+        id: goversion
+        run: echo "version=$(awk '/^go / {print $2}' go.mod)" >> "$GITHUB_OUTPUT"
+
      - name: Test in FreeBSD
        id: test
-        uses: vmactions/freebsd-vm@v1
+        env:
+          GO_VERSION: ${{ steps.goversion.outputs.version }}
+        uses: vmactions/freebsd-vm@d1e65811565151536c0c894fff74f06351ed26e6 # v1.4.5
        with:
          usesh: true
          copyback: false
-          release: "14.2"
+          release: "15.0"
+          envs: "GO_VERSION"
          prepare: |
            pkg install -y curl pkgconf xorg
-            GO_TARBALL="go1.25.3.freebsd-amd64.tar.gz"
+            GO_TARBALL="go${GO_VERSION}.freebsd-amd64.tar.gz"
            GO_URL="https://go.dev/dl/$GO_TARBALL"
            curl -vLO "$GO_URL"
-            tar -C /usr/local -vxzf "$GO_TARBALL"            
+            tar -C /usr/local -vxzf "$GO_TARBALL"

          # -x - to print all executed commands
          # -e - to faile on first error
--- a/.github/workflows/golang-test-linux.yml
+++ b/.github/workflows/golang-test-linux.yml
@@ -18,9 +18,11 @@ jobs:
      management: ${{ steps.filter.outputs.management }}
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

-      - uses: dorny/paths-filter@v3
+      - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
        id: filter
        with:
          filters: |
@@ -28,7 +30,7 @@ jobs:
              - 'management/**'

      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false
@@ -36,10 +38,10 @@ jobs:
      - name: Get Go environment
        run: |
          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV

      - name: Cache Go modules
-        uses: actions/cache@v4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        id: cache
        with:
          path: |
@@ -113,14 +115,16 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        arch: [ '386','amd64' ]
+        arch: ["386", "amd64"]
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false
@@ -128,10 +132,10 @@ jobs:
      - name: Get Go environment
        run: |
          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV

      - name: Cache Go modules
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            ${{ env.cache }}
@@ -154,18 +158,29 @@ jobs:
        run: git --no-pager diff --exit-code

      - name: Test
-        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} CI=true go test -tags devcert -exec 'sudo' -timeout 10m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined)
+        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} CI=true go test -coverprofile=coverage.txt -tags devcert -exec 'sudo' -timeout 10m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined)
+
+      - name: Upload coverage reports to Codecov
+        if: matrix.arch == 'amd64'
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 #v6.0.1
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+          slug: netbirdio/netbird
+          flags: unit,client
+

  test_client_on_docker:
    name: "Client (Docker) / Unit"
-    needs: [ build-cache ]
+    needs: [build-cache]
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false
@@ -177,7 +192,7 @@ jobs:
          echo "modcache_dir=$(go env GOMODCACHE)" >> $GITHUB_OUTPUT

      - name: Cache Go modules
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        id: cache-restore
        with:
          path: |
@@ -231,10 +246,12 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false
@@ -246,10 +263,10 @@ jobs:
      - name: Get Go environment
        run: |
          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV

      - name: Cache Go modules
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            ${{ env.cache }}
@@ -268,23 +285,33 @@ jobs:
        run: |
          CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
          go test ${{ matrix.raceFlag }} \
-            -exec 'sudo' \
+            -exec 'sudo' -coverprofile=coverage.txt \
            -timeout 10m -p 1 ./relay/... ./shared/relay/...

+      - name: Upload coverage reports to Codecov
+        if: matrix.arch == 'amd64'
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 #v6.0.1
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+          slug: netbirdio/netbird
+          flags: unit,relay
+
  test_proxy:
    name: "Proxy / Unit"
    needs: [build-cache]
    strategy:
      fail-fast: false
      matrix:
-        arch: [ '386','amd64' ]
+        arch: ["386", "amd64"]
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false
@@ -298,7 +325,7 @@ jobs:
          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV

      - name: Cache Go modules
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            ${{ env.cache }}
@@ -316,7 +343,15 @@ jobs:
      - name: Test
        run: |
          CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
-          go test -timeout 10m -p 1 ./proxy/...
+          go test -timeout 10m -p 1 -coverprofile=coverage.txt ./proxy/...
+
+      - name: Upload coverage reports to Codecov
+        if: matrix.arch == 'amd64'
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 #v6.0.1
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+          slug: netbirdio/netbird
+          flags: unit,proxy

  test_signal:
    name: "Signal / Unit"
@@ -324,14 +359,16 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        arch: [ '386','amd64' ]
+        arch: ["386", "amd64"]
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false
@@ -343,10 +380,10 @@ jobs:
      - name: Get Go environment
        run: |
          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV

      - name: Cache Go modules
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            ${{ env.cache }}
@@ -365,24 +402,34 @@ jobs:
        run: |
          CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
          go test \
-            -exec 'sudo' \
+            -exec 'sudo' -coverprofile=coverage.txt \
            -timeout 10m ./signal/... ./shared/signal/...

+      - name: Upload coverage reports to Codecov
+        if: matrix.arch == 'amd64'
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 #v6.0.1
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+          slug: netbirdio/netbird
+          flags: unit,signal
+
  test_management:
    name: "Management / Unit"
-    needs: [ build-cache ]
+    needs: [build-cache]
    strategy:
      fail-fast: false
      matrix:
-        arch: [ 'amd64' ]
-        store: [ 'sqlite', 'postgres', 'mysql' ]
+        arch: ["amd64"]
+        store: ["sqlite", "postgres", "mysql"]
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false
@@ -390,10 +437,10 @@ jobs:
      - name: Get Go environment
        run: |
          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV

      - name: Cache Go modules
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            ${{ env.cache }}
@@ -410,7 +457,7 @@ jobs:

      - name: Login to Docker hub
        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
-        uses: docker/login-action@v3
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}
@@ -427,23 +474,31 @@ jobs:
        run: docker pull mlsmaycon/warmed-mysql:8

      - name: Test
-        run: |          
+        run: |
          CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
          NETBIRD_STORE_ENGINE=${{ matrix.store }} \
            CI=true \
-          go test -tags=devcert \
+          go test -tags=devcert -coverprofile=coverage.txt \
            -exec "sudo --preserve-env=CI,NETBIRD_STORE_ENGINE" \
            -timeout 20m ./management/... ./shared/management/...

+      - name: Upload coverage reports to Codecov
+        if: matrix.arch == 'amd64'
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 #v6.0.1
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+          slug: netbirdio/netbird
+          flags: unit,management
+
  benchmark:
    name: "Management / Benchmark"
-    needs: [ build-cache ]
+    needs: [build-cache]
    if: ${{ needs.build-cache.outputs.management == 'true' || github.event_name != 'pull_request' }}
    strategy:
      fail-fast: false
      matrix:
-        arch: [ 'amd64' ]
-        store: [ 'sqlite', 'postgres' ]
+        arch: ["amd64"]
+        store: ["sqlite", "postgres"]
    runs-on: ubuntu-22.04
    steps:
      - name: Create Docker network
@@ -474,10 +529,12 @@ jobs:
            prom/prometheus

      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false
@@ -485,10 +542,10 @@ jobs:
      - name: Get Go environment
        run: |
          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV

      - name: Cache Go modules
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            ${{ env.cache }}
@@ -505,7 +562,7 @@ jobs:

      - name: Login to Docker hub
        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
-        uses: docker/login-action@v3
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}
@@ -529,13 +586,13 @@ jobs:

  api_benchmark:
    name: "Management / Benchmark (API)"
-    needs: [ build-cache ]
+    needs: [build-cache]
    if: ${{ needs.build-cache.outputs.management == 'true' || github.event_name != 'pull_request' }}
    strategy:
      fail-fast: false
      matrix:
-        arch: [ 'amd64' ]
-        store: [ 'sqlite', 'postgres' ]
+        arch: ["amd64"]
+        store: ["sqlite", "postgres"]
    runs-on: ubuntu-22.04
    steps:
      - name: Create Docker network
@@ -566,10 +623,12 @@ jobs:
            prom/prometheus

      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false
@@ -577,10 +636,10 @@ jobs:
      - name: Get Go environment
        run: |
          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV

      - name: Cache Go modules
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            ${{ env.cache }}
@@ -597,7 +656,7 @@ jobs:

      - name: Login to Docker hub
        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
-        uses: docker/login-action@v3
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}
@@ -623,20 +682,22 @@ jobs:

  api_integration_test:
    name: "Management / Integration"
-    needs: [ build-cache ]
+    needs: [build-cache]
    if: ${{ needs.build-cache.outputs.management == 'true' || github.event_name != 'pull_request' }}
    strategy:
      fail-fast: false
      matrix:
-        arch: [ 'amd64' ]
-        store: [ 'sqlite', 'postgres']
+        arch: ["amd64"]
+        store: ["sqlite", "postgres"]
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false
@@ -644,10 +705,10 @@ jobs:
      - name: Get Go environment
        run: |
          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV

      - name: Cache Go modules
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            ${{ env.cache }}
@@ -667,6 +728,14 @@ jobs:
          CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
          NETBIRD_STORE_ENGINE=${{ matrix.store }} \
          CI=true \
-          go test -tags=integration \
+          go test -tags=integration -coverprofile=coverage.txt \
          -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' \
          -timeout 20m ./management/server/http/...
+
+      - name: Upload coverage reports to Codecov
+        if: matrix.arch == 'amd64'
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 #v6.0.1
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+          slug: netbirdio/netbird
+          flags: integration,management
--- a/.github/workflows/golang-test-windows.yml
+++ b/.github/workflows/golang-test-windows.yml
@@ -18,10 +18,12 @@ jobs:
    runs-on: windows-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        id: go
        with:
          go-version-file: "go.mod"
@@ -33,7 +35,7 @@ jobs:
          echo "modcache=$(go env GOMODCACHE)" >> $env:GITHUB_ENV

      - name: Cache Go modules
-        uses: actions/cache@v4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            ${{ env.cache }}
@@ -44,16 +46,15 @@ jobs:
            ${{ runner.os }}-go-

      - name: Download wintun
-        uses: carlosperate/download-file-action@v2
        id: download-wintun
+        uses: netbirdio/shared-actions/actions/win-download-and-verify@be5df6047383da2236e02243cceb857d8567c27e # v0.0.2
        with:
-          file-url: https://pkgs.netbird.io/wintun/wintun-0.14.1.zip
-          file-name: wintun.zip
-          location: ${{ env.downloadPath }}
-          sha256: '07c256185d6ee3652e09fa55c0b673e2624b565e02c4b9091c79ca7d2f24ef51'
+          url: https://pkgs.netbird.io/wintun/wintun-0.14.1.zip
+          destination: ${{ env.downloadPath }}\wintun.zip
+          sha256: 07c256185d6ee3652e09fa55c0b673e2624b565e02c4b9091c79ca7d2f24ef51

      - name: Decompressing wintun files
-        run: tar -zvxf "${{ steps.download-wintun.outputs.file-path }}" -C ${{ env.downloadPath }}
+        run: tar -xvf "${{ steps.download-wintun.outputs.file-path }}" -C ${{ env.downloadPath }}

      - run: mv ${{ env.downloadPath }}/wintun/bin/amd64/wintun.dll 'C:\Windows\System32\'

--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -15,9 +15,11 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
      - name: codespell
-        uses: codespell-project/actions-codespell@v2
+        uses: codespell-project/actions-codespell@8f01853be192eb0f849a5c7d721450e7a467c579 # v2.2
        with:
          ignore_words_list: erro,clienta,hastable,iif,groupd,testin,groupe,cros,ans,deriver,te,userA,ede,additionals
          skip: go.mod,go.sum,**/proxy/web/**
@@ -38,13 +40,15 @@ jobs:
    timeout-minutes: 15
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
      - name: Check for duplicate constants
        if: matrix.os == 'ubuntu-latest'
        run: |
          ! awk '/const \(/,/)/{print $0}' management/server/activity/codes.go | grep -o '= [0-9]*' | sort | uniq -d | grep .
      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false
@@ -52,7 +56,7 @@ jobs:
        if: matrix.os == 'ubuntu-latest'
        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev libpcap-dev
      - name: golangci-lint
-        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
+        uses: golangci/golangci-lint-action@82606bf257cbaff209d206a39f5134f0cfbfd2ee #v9.2.1
        with:
          version: latest
          skip-cache: true
--- a/.github/workflows/install-script-test.yml
+++ b/.github/workflows/install-script-test.yml
@@ -22,7 +22,9 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: run install script
        env:
--- a/.github/workflows/mobile-build-validation.yml
+++ b/.github/workflows/mobile-build-validation.yml
@@ -16,23 +16,25 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
      - name: Setup Android SDK
-        uses: android-actions/setup-android@v3
+        uses: android-actions/setup-android@40fd30fb8d7440372e1316f5d1809ec01dcd3699 # v4.0.1
        with:
          cmdline-tools-version: 8512546
      - name: Setup Java
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654
        with:
          java-version: "11"
          distribution: "adopt"
      - name: NDK Cache
        id: ndk-cache
-        uses: actions/cache@v4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: /usr/local/lib/android/sdk/ndk
          key: ndk-cache-23.1.7779620
@@ -52,9 +54,11 @@ jobs:
    runs-on: macos-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
      - name: install gomobile
--- a/.github/workflows/pr-title-check.yml
+++ b/.github/workflows/pr-title-check.yml
@@ -9,7 +9,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Validate PR title prefix
-        uses: actions/github-script@v7
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        with:
          script: |
            const title = context.payload.pull_request.title;
--- a/.github/workflows/proto-version-check.yml
+++ b/.github/workflows/proto-version-check.yml
@@ -10,7 +10,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Check for proto tool version changes
-        uses: actions/github-script@v7
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        with:
          script: |
            const files = await github.paginate(github.rest.pulls.listFiles, {
@@ -20,15 +20,30 @@ jobs:
              per_page: 100,
            });

-            const modifiedPbFiles = files.filter(
-              f => f.filename.endsWith('.pb.go') && f.status === 'modified'
-            );
-            if (modifiedPbFiles.length === 0) {
-              console.log('No modified .pb.go files to check');
+            // Cover renamed .pb.go files in addition to plain edits.
+            // Renamed entries land under the new path with previous_filename
+            // pointing at the base-side name, so we read the base content
+            // from the old path when present.
+            const changedPbFiles = files
+              .filter(f => (f.status === 'modified' || f.status === 'renamed')
+                && f.filename.endsWith('.pb.go'))
+              .map(f => ({
+                headPath: f.filename,
+                basePath: f.previous_filename || f.filename,
+              }));
+            if (changedPbFiles.length === 0) {
+              console.log('No modified or renamed .pb.go files to check');
              return;
            }

-            const versionPattern = /^\s*\/\/\s+protoc(?:-gen-go)?\s+v[\d.]+/;
+            // Matches the generator version headers protoc writes at the top
+            // of generated files:
+            //   //   protoc           v3.21.12
+            //   //   protoc-gen-go    v1.26.0
+            //   // - protoc-gen-go-grpc v1.6.1   (grpc files prefix with "- ")
+            // The optional "- " prefix and the optional -gen-go / -gen-go-grpc
+            // suffixes keep the *_grpc.pb.go headers in scope.
+            const versionPattern = /^\s*\/\/\s+(?:-\s+)?protoc(?:-gen-go(?:-grpc)?)?\s+v[\d.]+/;
            const baseSha = context.payload.pull_request.base.sha;
            const headSha = context.payload.pull_request.head.sha;

@@ -55,20 +70,22 @@ jobs:
            }

            const violations = [];
-            for (const file of modifiedPbFiles) {
+            for (const file of changedPbFiles) {
              const [base, head] = await Promise.all([
-                getVersionHeader(file.filename, baseSha),
-                getVersionHeader(file.filename, headSha),
+                getVersionHeader(file.basePath, baseSha),
+                getVersionHeader(file.headPath, headSha),
              ]);
              if (!base.ok || !head.ok) {
                core.warning(
-                  `Skipping ${file.filename}: base=${base.ok ? 'ok' : base.reason}, head=${head.ok ? 'ok' : head.reason}`
+                  `Skipping ${file.headPath}: base=${base.ok ? 'ok' : base.reason}, head=${head.ok ? 'ok' : head.reason}`
                );
                continue;
              }
              if (base.lines.join('\n') !== head.lines.join('\n')) {
                violations.push({
-                  file: file.filename,
+                  file: file.basePath === file.headPath
+                    ? file.headPath
+                    : `${file.basePath} → ${file.headPath}`,
                  base: base.lines,
                  head: head.lines,
                });
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -9,7 +9,7 @@ on:
  pull_request:

 env:
-  SIGN_PIPE_VER: "v0.1.4"
+  SIGN_PIPE_VER: "v0.1.5"
  GORELEASER_VER: "v2.14.3"
  PRODUCT_NAME: "NetBird"
  COPYRIGHT: "NetBird GmbH"
@@ -24,13 +24,15 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: Generate FreeBSD port diff
-        run: bash release_files/freebsd-port-diff.sh
+        run: bash -x release_files/freebsd-port-diff.sh

      - name: Generate FreeBSD port issue body
-        run: bash release_files/freebsd-port-issue-body.sh
+        run: bash -x release_files/freebsd-port-issue-body.sh

      - name: Check if diff was generated
        id: check_diff
@@ -51,19 +53,26 @@ jobs:
          echo "Generated files for version: $VERSION"
          cat netbird-*.diff

+      - name: Read Go version from go.mod
+        id: goversion
+        run: echo "version=$(awk '/^go / {print $2}' go.mod)" >> "$GITHUB_OUTPUT"
+
      - name: Test FreeBSD port
        if: steps.check_diff.outputs.diff_exists == 'true'
-        uses: vmactions/freebsd-vm@v1
+        env:
+          GO_VERSION: ${{ steps.goversion.outputs.version }}
+        uses: vmactions/freebsd-vm@d1e65811565151536c0c894fff74f06351ed26e6 # v1.4.5
        with:
          usesh: true
          copyback: false
          release: "15.0"
+          envs: "GO_VERSION"
          prepare: |
            # Install required packages
-            pkg install -y git curl portlint go
+            pkg install -y git curl portlint

            # Install Go for building
-            GO_TARBALL="go1.25.5.freebsd-amd64.tar.gz"
+            GO_TARBALL="go${GO_VERSION}.freebsd-amd64.tar.gz"
            GO_URL="https://go.dev/dl/$GO_TARBALL"
            curl -LO "$GO_URL"
            tar -C /usr/local -xzf "$GO_TARBALL"
@@ -93,19 +102,19 @@ jobs:

            # Show patched Makefile
            version=$(cat security/netbird/Makefile | grep -E '^DISTVERSION=' | awk '{print $NF}')
-            
+
            cd /usr/ports/security/netbird
            export BATCH=yes
            make package
            pkg add ./work/pkg/netbird-*.pkg
-            
+
            netbird version | grep "$version"

            echo "FreeBSD port test completed successfully!"

      - name: Upload FreeBSD port files
        if: steps.check_diff.outputs.diff_exists == 'true'
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1
        with:
          name: freebsd-port-files
          path: |
@@ -124,26 +133,25 @@ jobs:
    env:
      flags: ""
    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0 # It is required for GoReleaser to work properly
+          persist-credentials: false
+
      - name: Parse semver string
        id: semver_parser
-        uses: booxmedialtd/ws-action-parse-semver@v1
-        with:
-          input_string: ${{ (startsWith(github.ref, 'refs/tags/v') && github.ref) || 'refs/tags/v0.0.0' }}
-          version_extractor_regex: '\/v(.*)$'
+        uses: netbirdio/shared-actions/actions/parse-semver@be5df6047383da2236e02243cceb857d8567c27e # v0.0.2

      - if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
        run: echo "flags=--snapshot" >> $GITHUB_ENV
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0 # It is required for GoReleaser to work properly
      - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false
      - name: Cache Go modules
-        uses: actions/cache@v4
+        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            ~/go/pkg/mod
@@ -156,18 +164,18 @@ jobs:
      - name: check git status
        run: git --no-pager diff --exit-code
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a #v4.0.0
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd #v4.0.0
      - name: Login to Docker hub
        if: github.event_name != 'pull_request'
-        uses: docker/login-action@v1
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}
      - name: Log in to the GitHub container registry
        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
-        uses: docker/login-action@v3
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
@@ -191,7 +199,7 @@ jobs:
        run: goversioninfo -arm -64 -icon client/ui/assets/netbird.ico -manifest client/manifest.xml -product-name ${{ env.PRODUCT_NAME }} -copyright "${{ env.COPYRIGHT }}" -ver-major ${{ steps.semver_parser.outputs.major }} -ver-minor ${{ steps.semver_parser.outputs.minor }} -ver-patch ${{ steps.semver_parser.outputs.patch }} -ver-build 0 -file-version ${{ steps.semver_parser.outputs.fullversion }}.0 -product-version ${{ steps.semver_parser.outputs.fullversion }}.0 -o client/resources_windows_arm64.syso
      - name: Run GoReleaser
        id: goreleaser
-        uses: goreleaser/goreleaser-action@v4
+        uses: goreleaser/goreleaser-action@4c6ab561adb47e50c45ef534e2155934e91c40c1 # v7.2.0
        with:
          version: ${{ env.GORELEASER_VER }}
          args: release --clean ${{ env.flags }}
@@ -282,28 +290,28 @@ jobs:
          } >> "$GITHUB_OUTPUT"
      - name: upload non tags for debug purposes
        id: upload_release
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1
        with:
          name: release
          path: dist/
          retention-days: 7
      - name: upload linux packages
        id: upload_linux_packages
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1
        with:
          name: linux-packages
          path: dist/netbird_linux**
          retention-days: 7
      - name: upload windows packages
        id: upload_windows_packages
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1
        with:
          name: windows-packages
          path: dist/netbird_windows**
          retention-days: 7
      - name: upload macos packages
        id: upload_macos_packages
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1
        with:
          name: macos-packages
          path: dist/netbird_darwin**
@@ -314,27 +322,26 @@ jobs:
    outputs:
      release_ui_artifact_url: ${{ steps.upload_release_ui.outputs.artifact-url }}
    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0 # It is required for GoReleaser to work properly
+          persist-credentials: false
+
      - name: Parse semver string
        id: semver_parser
-        uses: booxmedialtd/ws-action-parse-semver@v1
-        with:
-          input_string: ${{ (startsWith(github.ref, 'refs/tags/v') && github.ref) || 'refs/tags/v0.0.0' }}
-          version_extractor_regex: '\/v(.*)$'
+        uses: netbirdio/shared-actions/actions/parse-semver@be5df6047383da2236e02243cceb857d8567c27e # v0.0.2

      - if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
        run: echo "flags=--snapshot" >> $GITHUB_ENV
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0 # It is required for GoReleaser to work properly

      - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false
      - name: Cache Go modules
-        uses: actions/cache@v4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            ~/go/pkg/mod
@@ -375,7 +382,7 @@ jobs:
        run: goversioninfo -arm -64 -icon client/ui/assets/netbird.ico -manifest client/ui/manifest.xml -product-name ${{ env.PRODUCT_NAME }}-"UI" -copyright "${{ env.COPYRIGHT }}" -ver-major ${{ steps.semver_parser.outputs.major }} -ver-minor ${{ steps.semver_parser.outputs.minor }} -ver-patch ${{ steps.semver_parser.outputs.patch }} -ver-build 0 -file-version ${{ steps.semver_parser.outputs.fullversion }}.0 -product-version ${{ steps.semver_parser.outputs.fullversion }}.0 -o client/ui/resources_windows_arm64.syso

      - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v4
+        uses: goreleaser/goreleaser-action@4c6ab561adb47e50c45ef534e2155934e91c40c1 # v7.2.0
        with:
          version: ${{ env.GORELEASER_VER }}
          args: release --config .goreleaser_ui.yaml --clean ${{ env.flags }}
@@ -404,7 +411,7 @@ jobs:
        run: rm -f /tmp/gpg-rpm-signing-key.asc
      - name: upload non tags for debug purposes
        id: upload_release_ui
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1
        with:
          name: release-ui
          path: dist/
@@ -418,16 +425,17 @@ jobs:
      - if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
        run: echo "flags=--snapshot" >> $GITHUB_ENV
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0 # It is required for GoReleaser to work properly
+          persist-credentials: false
      - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false
      - name: Cache Go modules
-        uses: actions/cache@v4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            ~/go/pkg/mod
@@ -441,7 +449,7 @@ jobs:
        run: git --no-pager diff --exit-code
      - name: Run GoReleaser
        id: goreleaser
-        uses: goreleaser/goreleaser-action@v4
+        uses: goreleaser/goreleaser-action@4c6ab561adb47e50c45ef534e2155934e91c40c1 # v7.2.0
        with:
          version: ${{ env.GORELEASER_VER }}
          args: release --config .goreleaser_ui_darwin.yaml --clean ${{ env.flags }}
@@ -449,7 +457,7 @@ jobs:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: upload non tags for debug purposes
        id: upload_release_ui_darwin
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1
        with:
          name: release-ui-darwin
          path: dist/
@@ -474,27 +482,26 @@ jobs:
      PackageWorkdir: netbird_windows_${{ matrix.arch }}
      downloadPath: '${{ github.workspace }}\temp'
    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
      - name: Parse semver string
        id: semver_parser
-        uses: booxmedialtd/ws-action-parse-semver@v1
-        with:
-          input_string: ${{ (startsWith(github.ref, 'refs/tags/v') && github.ref) || 'refs/tags/v0.0.0' }}
-          version_extractor_regex: '\/v(.*)$'
-
-      - name: Checkout
-        uses: actions/checkout@v4
+        uses: netbirdio/shared-actions/actions/parse-semver@be5df6047383da2236e02243cceb857d8567c27e # v0.0.2

      - name: Add 7-Zip to PATH
        run: echo "C:\Program Files\7-Zip" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append

      - name: Download release artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.1
        with:
          name: release
          path: release

      - name: Download UI release artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.1
        with:
          name: release-ui
          path: release-ui
@@ -514,29 +521,27 @@ jobs:
          Get-ChildItem $workdir

      - name: Download wintun
-        uses: carlosperate/download-file-action@v2
        id: download-wintun
+        uses: netbirdio/shared-actions/actions/win-download-and-verify@be5df6047383da2236e02243cceb857d8567c27e # v0.0.2
        with:
-          file-url: https://pkgs.netbird.io/wintun/wintun-0.14.1.zip
-          file-name: wintun.zip
-          location: ${{ env.downloadPath }}
-          sha256: '07c256185d6ee3652e09fa55c0b673e2624b565e02c4b9091c79ca7d2f24ef51'
+          url: https://pkgs.netbird.io/wintun/wintun-0.14.1.zip
+          destination: ${{ env.downloadPath }}\wintun.zip
+          sha256: 07c256185d6ee3652e09fa55c0b673e2624b565e02c4b9091c79ca7d2f24ef51

      - name: Decompress wintun files
-        run: tar -zvxf "${{ steps.download-wintun.outputs.file-path }}" -C ${{ env.downloadPath }}
+        run: tar -xvf "${{ env.downloadPath }}\wintun.zip" -C ${{ env.downloadPath }}

      - name: Move wintun.dll into dist
        run: mv ${{ env.downloadPath }}\wintun\bin\${{ matrix.wintun_arch }}\wintun.dll ${{ github.workspace }}\dist\${{ env.PackageWorkdir }}\

      - name: Download Mesa3D (amd64 only)
-        uses: carlosperate/download-file-action@v2
        id: download-mesa3d
        if: matrix.arch == 'amd64'
+        uses: netbirdio/shared-actions/actions/win-download-and-verify@be5df6047383da2236e02243cceb857d8567c27e # v0.0.2
        with:
-          file-url: https://downloads.fdossena.com/Projects/Mesa3D/Builds/MesaForWindows-x64-20.1.8.7z
-          file-name: mesa3d.7z
-          location: ${{ env.downloadPath }}
-          sha256: '71c7cb64ec229a1d6b8d62fa08e1889ed2bd17c0eeede8689daf0f25cb31d6b9'
+          url: https://pkgs.netbird.io/mesa3d/MesaForWindows-x64-20.1.8.7z
+          destination: ${{ env.downloadPath }}\mesa3d.7z
+          sha256: 71c7cb64ec229a1d6b8d62fa08e1889ed2bd17c0eeede8689daf0f25cb31d6b9

      - name: Extract Mesa3D driver (amd64 only)
        if: matrix.arch == 'amd64'
@@ -547,35 +552,38 @@ jobs:
        run: mv ${{ env.downloadPath }}\opengl32.dll ${{ github.workspace }}\dist\${{ env.PackageWorkdir }}\

      - name: Download EnVar plugin for NSIS
-        uses: carlosperate/download-file-action@v2
+        uses: netbirdio/shared-actions/actions/win-download-and-verify@be5df6047383da2236e02243cceb857d8567c27e # v0.0.2
        with:
-          file-url: https://nsis.sourceforge.io/mediawiki/images/7/7f/EnVar_plugin.zip
-          file-name: envar_plugin.zip
-          location: ${{ github.workspace }}
+          url: https://pkgs.netbird.io/nsis/EnVar_plugin.zip
+          destination: ${{ github.workspace }}\envar_plugin.zip
+          sha256: e9aa92de351345ed82795251d838f1ae9041ba35af9d381a5780c7843b01f56a

      - name: Extract EnVar plugin
        run: 7z x -o"${{ github.workspace }}/NSIS_Plugins" "${{ github.workspace }}/envar_plugin.zip"

      - name: Download ShellExecAsUser plugin for NSIS (amd64 only)
-        uses: carlosperate/download-file-action@v2
        if: matrix.arch == 'amd64'
+        uses: netbirdio/shared-actions/actions/win-download-and-verify@be5df6047383da2236e02243cceb857d8567c27e # v0.0.2
        with:
-          file-url: https://nsis.sourceforge.io/mediawiki/images/6/68/ShellExecAsUser_amd64-Unicode.7z
-          file-name: ShellExecAsUser_amd64-Unicode.7z
-          location: ${{ github.workspace }}
+          url: https://pkgs.netbird.io/nsis/ShellExecAsUser_amd64-Unicode.7z
+          destination: ${{ github.workspace }}\ShellExecAsUser_amd64-Unicode.7z
+          sha256: 0a55ea25c7330a92cec028eda8afcaf1b1a7092e0dfb77c21c8f654564b4ff9d

      - name: Extract ShellExecAsUser plugin (amd64 only)
        if: matrix.arch == 'amd64'
        run: 7z x -o"${{ github.workspace }}/NSIS_Plugins" "${{ github.workspace }}/ShellExecAsUser_amd64-Unicode.7z"

      - name: Build NSIS installer
-        uses: joncloud/makensis-action@v3.3
-        with:
-          additional-plugin-paths: ${{ github.workspace }}/NSIS_Plugins/Plugins
-          script-file: client/installer.nsis
-          arguments: "/V4 /DARCH=${{ matrix.arch }}"
+        shell: pwsh
        env:
          APPVER: ${{ steps.semver_parser.outputs.major }}.${{ steps.semver_parser.outputs.minor }}.${{ steps.semver_parser.outputs.patch }}.${{ github.run_id }}
+        run: |
+          $nsisPluginDir = "C:\Program Files (x86)\NSIS\Plugins\x86-unicode"
+          $srcPlugins    = "${{ github.workspace }}\NSIS_Plugins\Plugins"
+          Get-ChildItem -Path $srcPlugins -Recurse -Filter *.dll |
+            Copy-Item -Destination $nsisPluginDir -Force
+          & "C:\Program Files (x86)\NSIS\makensis.exe" /V4 "/DARCH=${{ matrix.arch }}" client\installer.nsis
+          if ($LASTEXITCODE -ne 0) { throw "makensis failed with exit code $LASTEXITCODE" }

      - name: Rename NSIS installer
        run: mv netbird-installer.exe netbird_installer_test_windows_${{ matrix.arch }}.exe
@@ -592,7 +600,7 @@ jobs:

      - name: Upload installer artifacts
        if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1
        with:
          name: windows-installer-test-${{ matrix.arch }}
          path: |
@@ -611,7 +619,7 @@ jobs:
      pull-requests: write
    steps:
      - name: Create or update PR comment
-        uses: actions/github-script@v7
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        env:
          RELEASE_RESULT: ${{ needs.release.result }}
          RELEASE_UI_RESULT: ${{ needs.release_ui.result }}
@@ -703,7 +711,7 @@ jobs:
    if: startsWith(github.ref, 'refs/tags/')
    steps:
      - name: Trigger binaries sign pipelines
-        uses: benc-uk/workflow-dispatch@v1
+        uses: benc-uk/workflow-dispatch@31e2b3319479a63f0ab15bf800eff9e913504e26 # v1.3.2
        with:
          workflow: Sign bin and installer
          repo: netbirdio/sign-pipelines
--- a/.github/workflows/sync-main.yml
+++ b/.github/workflows/sync-main.yml
@@ -14,9 +14,9 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Trigger main branch sync
-        uses: benc-uk/workflow-dispatch@v1
+        uses: benc-uk/workflow-dispatch@31e2b3319479a63f0ab15bf800eff9e913504e26 # v1.3.2
        with:
          workflow: sync-main.yml
          repo: ${{ secrets.UPSTREAM_REPO }}
          token: ${{ secrets.NC_GITHUB_TOKEN }}
-          inputs: '{ "sha": "${{ github.sha }}" }'
+          inputs: '{ "sha": "${{ github.sha }}" }'
--- a/.github/workflows/sync-tag.yml
+++ b/.github/workflows/sync-tag.yml
@@ -3,7 +3,7 @@ name: sync tag
 on:
  push:
    tags:
-      - 'v*'
+      - "v*"

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
@@ -16,7 +16,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Trigger release tag sync
-        uses: benc-uk/workflow-dispatch@v1
+        uses: benc-uk/workflow-dispatch@31e2b3319479a63f0ab15bf800eff9e913504e26 # v1.3.2
        with:
          workflow: sync-tag.yml
          ref: main
@@ -29,7 +29,7 @@ jobs:
    if: github.event.created && !github.event.deleted && startsWith(github.ref, 'refs/tags/v') && !contains(github.ref_name, '-')
    steps:
      - name: Trigger android-client submodule bump
-        uses: benc-uk/workflow-dispatch@7a027648b88c2413826b6ddd6c76114894dc5ec4 # v1.3.1
+        uses: benc-uk/workflow-dispatch@31e2b3319479a63f0ab15bf800eff9e913504e26 # v1.3.2
        with:
          workflow: bump-netbird.yml
          ref: main
@@ -42,10 +42,10 @@ jobs:
    if: github.event.created && !github.event.deleted && startsWith(github.ref, 'refs/tags/v') && !contains(github.ref_name, '-')
    steps:
      - name: Trigger ios-client submodule bump
-        uses: benc-uk/workflow-dispatch@7a027648b88c2413826b6ddd6c76114894dc5ec4 # v1.3.1
+        uses: benc-uk/workflow-dispatch@31e2b3319479a63f0ab15bf800eff9e913504e26 # v1.3.2
        with:
          workflow: bump-netbird.yml
          ref: main
          repo: netbirdio/ios-client
          token: ${{ secrets.NC_GITHUB_TOKEN }}
-          inputs: '{ "tag": "${{ github.ref_name }}" }'
+          inputs: '{ "tag": "${{ github.ref_name }}" }'
--- a/.github/workflows/test-infrastructure-files.yml
+++ b/.github/workflows/test-infrastructure-files.yml
@@ -6,10 +6,10 @@ on:
      - main
  pull_request:
    paths:
-      - 'infrastructure_files/**'
-      - '.github/workflows/test-infrastructure-files.yml'
-      - 'management/cmd/**'
-      - 'signal/cmd/**'
+      - "infrastructure_files/**"
+      - ".github/workflows/test-infrastructure-files.yml"
+      - "management/cmd/**"
+      - "signal/cmd/**"

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
@@ -20,7 +20,7 @@ jobs:
    runs-on: ubuntu-latest
    strategy:
      matrix:
-        store: [ 'sqlite', 'postgres', 'mysql' ]
+        store: ["sqlite", "postgres", "mysql"]
    services:
      postgres:
        image: ${{ (matrix.store == 'postgres') && 'postgres' || '' }}
@@ -68,15 +68,17 @@ jobs:
        run: sudo apt-get install -y curl

      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"

      - name: Cache Go modules
-        uses: actions/cache@v4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@@ -139,8 +141,8 @@ jobs:
          CI_NETBIRD_IDP_MGMT_CLIENT_SECRET: testing.client.secret
          CI_NETBIRD_SIGNAL_PORT: 12345
          CI_NETBIRD_STORE_CONFIG_ENGINE: ${{ matrix.store }}
-          NETBIRD_STORE_ENGINE_POSTGRES_DSN: '${{ env.NETBIRD_STORE_ENGINE_POSTGRES_DSN }}$'
-          NETBIRD_STORE_ENGINE_MYSQL_DSN: '${{ env.NETBIRD_STORE_ENGINE_MYSQL_DSN }}$'
+          NETBIRD_STORE_ENGINE_POSTGRES_DSN: "${{ env.NETBIRD_STORE_ENGINE_POSTGRES_DSN }}$"
+          NETBIRD_STORE_ENGINE_MYSQL_DSN: "${{ env.NETBIRD_STORE_ENGINE_MYSQL_DSN }}$"
          CI_NETBIRD_MGMT_IDP_SIGNKEY_REFRESH: false
          CI_NETBIRD_TURN_EXTERNAL_IP: "1.2.3.4"
          CI_NETBIRD_MGMT_DISABLE_DEFAULT_POLICY: false
@@ -254,7 +256,9 @@ jobs:
        run: sudo apt-get install -y jq

      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: run script with Zitadel PostgreSQL
        run: NETBIRD_DOMAIN=use-ip bash -x infrastructure_files/getting-started-with-zitadel.sh
--- a/.github/workflows/update-docs.yml
+++ b/.github/workflows/update-docs.yml
@@ -3,9 +3,9 @@ name: update docs
 on:
  push:
    tags:
-      - 'v*'
+      - "v*"
    paths:
-      - 'shared/management/http/api/openapi.yml'
+      - "shared/management/http/api/openapi.yml"

 jobs:
  trigger_docs_api_update:
@@ -13,10 +13,10 @@ jobs:
    if: startsWith(github.ref, 'refs/tags/')
    steps:
      - name: Trigger API pages generation
-        uses: benc-uk/workflow-dispatch@v1
+        uses: benc-uk/workflow-dispatch@31e2b3319479a63f0ab15bf800eff9e913504e26 # v1.3.2
        with:
          workflow: generate api pages
          repo: netbirdio/docs
          ref: "refs/heads/main"
          token: ${{ secrets.SIGN_GITHUB_TOKEN }}
-          inputs: '{ "tag": "${{ github.ref }}" }'
+          inputs: '{ "tag": "${{ github.ref }}" }'
--- a/.github/workflows/wasm-build-validation.yml
+++ b/.github/workflows/wasm-build-validation.yml
@@ -19,15 +19,17 @@ jobs:
      GOARCH: wasm
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
      - name: Install dependencies
        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev libpcap-dev
      - name: Install golangci-lint
-        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
+        uses: golangci/golangci-lint-action@82606bf257cbaff209d206a39f5134f0cfbfd2ee #v9.2.1
        with:
          version: latest
          install-mode: binary
@@ -42,9 +44,11 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
      - name: Build Wasm client
@@ -61,8 +65,7 @@ jobs:

          echo "Size: ${SIZE} bytes (${SIZE_MB} MB)"

-          if [ ${SIZE} -gt 58720256 ]; then
-            echo "Wasm binary size (${SIZE_MB}MB) exceeds 56MB limit!"
+          if [ ${SIZE} -gt 62914560 ]; then
+            echo "Wasm binary size (${SIZE_MB}MB) exceeds 60MB limit!"
            exit 1
          fi
-
--- a/client/android/profile_manager.go
+++ b/client/android/profile_manager.go
@@ -137,7 +137,7 @@ func (pm *ProfileManager) SwitchProfile(profileName string) error {
 // AddProfile creates a new profile
 func (pm *ProfileManager) AddProfile(profileName string) error {
 	// Use ServiceManager (creates profile in profiles/ directory)
-	if err := pm.serviceMgr.AddProfile(profileName, androidUsername, nil); err != nil {
+	if err := pm.serviceMgr.AddProfile(profileName, androidUsername); err != nil {
 		return fmt.Errorf("failed to add profile: %w", err)
 	}

--- a/client/cmd/debug.go
+++ b/client/cmd/debug.go
@@ -3,12 +3,14 @@ package cmd
 import (
 	"context"
 	"fmt"
+	"os/user"
 	"strings"
 	"time"

 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc/status"
+	"google.golang.org/protobuf/encoding/protojson"
 	"google.golang.org/protobuf/types/known/durationpb"

 	"github.com/netbirdio/netbird/client/internal"
@@ -19,6 +21,7 @@ import (
 	"github.com/netbirdio/netbird/client/server"
 	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
 	"github.com/netbirdio/netbird/upload-server/types"
+	"github.com/netbirdio/netbird/version"
 )

 const errCloseConnection = "Failed to close connection: %v"
@@ -84,6 +87,55 @@ var persistenceCmd = &cobra.Command{
 	RunE:    setSyncResponsePersistence,
 }

+var debugConfigCmd = &cobra.Command{
+	Use:     "config",
+	Example: "  netbird debug config",
+	Short:   "Dump the effective configuration",
+	Long:    "Prints the daemon's resolved configuration (after applying defaults, file, env, CLI input, and MDM policy overrides) as JSON. Includes the list of MDM-managed fields.",
+	RunE:    debugConfigDump,
+}
+
+func debugConfigDump(cmd *cobra.Command, _ []string) error {
+	pm := profilemanager.NewProfileManager()
+	activeProf, err := pm.GetActiveProfile()
+	if err != nil {
+		return fmt.Errorf("get active profile: %v", err)
+	}
+	currUser, err := user.Current()
+	if err != nil {
+		return fmt.Errorf("get current user: %v", err)
+	}
+
+	conn, err := getClient(cmd)
+	if err != nil {
+		return err
+	}
+	defer func() {
+		if err := conn.Close(); err != nil {
+			log.Errorf(errCloseConnection, err)
+		}
+	}()
+
+	client := proto.NewDaemonServiceClient(conn)
+	resp, err := client.GetConfig(cmd.Context(), &proto.GetConfigRequest{
+		ProfileName: activeProf.Name,
+		Username:    currUser.Username,
+	})
+	if err != nil {
+		return fmt.Errorf("failed to get config: %v", status.Convert(err).Message())
+	}
+
+	// Use protojson so well-known fields render correctly; emit defaults so
+	// the operator sees every field even when zero/empty.
+	m := protojson.MarshalOptions{Multiline: true, Indent: "  ", EmitUnpopulated: true}
+	out, err := m.Marshal(resp)
+	if err != nil {
+		return fmt.Errorf("marshal config: %w", err)
+	}
+	cmd.Println(string(out))
+	return nil
+}
+
 func debugBundle(cmd *cobra.Command, _ []string) error {
 	conn, err := getClient(cmd)
 	if err != nil {
@@ -100,6 +152,7 @@ func debugBundle(cmd *cobra.Command, _ []string) error {
 		Anonymize:    anonymizeFlag,
 		SystemInfo:   systemInfoFlag,
 		LogFileCount: logFileCount,
+		CliVersion:   version.NetbirdVersion(),
 	}
 	if uploadBundleFlag {
 		request.UploadURL = uploadBundleURLFlag
@@ -298,6 +351,7 @@ func runForDuration(cmd *cobra.Command, args []string) error {
 		Anonymize:    anonymizeFlag,
 		SystemInfo:   systemInfoFlag,
 		LogFileCount: logFileCount,
+		CliVersion:   version.NetbirdVersion(),
 	}
 	if uploadBundleFlag {
 		request.UploadURL = uploadBundleURLFlag
@@ -432,6 +486,7 @@ func generateDebugBundle(config *profilemanager.Config, recorder *peer.Status, c
 			SyncResponse:   syncResponse,
 			LogPath:        logFilePath,
 			CPUProfile:     nil,
+			DaemonVersion:  version.NetbirdVersion(), // acting as daemon
 		},
 		debug.BundleConfig{
 			IncludeSystemInfo: true,
--- a/client/cmd/owner.go
+++ b/client/cmd/owner.go
@@ -1,84 +0,0 @@
-package cmd
-
-import (
-	"fmt"
-	"strconv"
-
-	"github.com/spf13/cobra"
-
-	"github.com/netbirdio/netbird/client/proto"
-)
-
-var ownerCmd = &cobra.Command{
-	Use:   "owner",
-	Short: "Manage daemon owner UIDs",
-	Long: `Manage the list of UIDs allowed to control the NetBird daemon.
-
-Owners are persisted in the active profile config and survive daemon restarts.
-The first call from the user logged in at the GUI / console session claims
-ownership automatically; these subcommands cover the rest of the lifecycle.`,
-}
-
-var ownerAddCmd = &cobra.Command{
-	Use:   "add <uid>",
-	Short: "Add a UID as an owner of the daemon",
-	Long: `Add a UID to the active profile's owner list. Requires root or an
-existing owner. Use this to grant another local user permanent access without
-having them log in at the console first.`,
-	Args: cobra.ExactArgs(1),
-	RunE: addOwnerFunc,
-}
-
-var ownerResetCmd = &cobra.Command{
-	Use:   "reset",
-	Short: "Clear the daemon's owner list",
-	Long: `Clear the active profile's owner list, returning the daemon to its
-unconfigured state. The next call from the active console-session user will
-re-claim ownership. Requires root.`,
-	RunE: resetOwnerFunc,
-}
-
-func addOwnerFunc(cmd *cobra.Command, args []string) error {
-	if err := setupCmd(cmd); err != nil {
-		return err
-	}
-
-	uid, err := strconv.ParseUint(args[0], 10, 32)
-	if err != nil {
-		return fmt.Errorf("parse uid %q: %w", args[0], err)
-	}
-
-	conn, err := DialClientGRPCServer(cmd.Context(), daemonAddr)
-	if err != nil {
-		return fmt.Errorf("connect to daemon: %w", err)
-	}
-	defer conn.Close()
-
-	client := proto.NewDaemonServiceClient(conn)
-	if _, err := client.AddOwner(cmd.Context(), &proto.AddOwnerRequest{Uid: uint32(uid)}); err != nil {
-		return fmt.Errorf("add owner: %w", err)
-	}
-
-	cmd.Printf("UID %d added as owner\n", uid)
-	return nil
-}
-
-func resetOwnerFunc(cmd *cobra.Command, _ []string) error {
-	if err := setupCmd(cmd); err != nil {
-		return err
-	}
-
-	conn, err := DialClientGRPCServer(cmd.Context(), daemonAddr)
-	if err != nil {
-		return fmt.Errorf("connect to daemon: %w", err)
-	}
-	defer conn.Close()
-
-	client := proto.NewDaemonServiceClient(conn)
-	if _, err := client.ResetOwner(cmd.Context(), &proto.ResetOwnerRequest{}); err != nil {
-		return fmt.Errorf("reset owner: %w", err)
-	}
-
-	cmd.Println("daemon owner list cleared; next call from the active console user will re-claim ownership")
-	return nil
-}
--- a/client/cmd/root.go
+++ b/client/cmd/root.go
@@ -23,7 +23,6 @@ import (
 	"google.golang.org/grpc/credentials/insecure"

 	daddr "github.com/netbirdio/netbird/client/internal/daemonaddr"
-	"github.com/netbirdio/netbird/client/internal/owner"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 )

@@ -157,12 +156,8 @@ func init() {
 	rootCmd.AddCommand(forwardingRulesCmd)
 	rootCmd.AddCommand(debugCmd)
 	rootCmd.AddCommand(profileCmd)
-	rootCmd.AddCommand(ownerCmd)
 	rootCmd.AddCommand(exposeCmd)

-	ownerCmd.AddCommand(ownerAddCmd)
-	ownerCmd.AddCommand(ownerResetCmd)
-
 	networksCMD.AddCommand(routesListCmd)
 	networksCMD.AddCommand(routesSelectCmd, routesDeselectCmd)

@@ -173,6 +168,7 @@ func init() {
 	logCmd.AddCommand(logLevelCmd)
 	debugCmd.AddCommand(forCmd)
 	debugCmd.AddCommand(persistenceCmd)
+	debugCmd.AddCommand(debugConfigCmd)

 	// profile commands
 	profileCmd.AddCommand(profileListCmd)
@@ -255,24 +251,11 @@ func DialClientGRPCServer(ctx context.Context, addr string) (*grpc.ClientConn, e
 	return grpc.DialContext(
 		ctx,
 		strings.TrimPrefix(addr, "tcp://"),
-		daemonDialTransportOption(addr),
+		grpc.WithTransportCredentials(insecure.NewCredentials()),
 		grpc.WithBlock(),
 	)
 }

-// daemonDialTransportOption returns the appropriate transport credentials for connecting
-// to the daemon. On Unix socket platforms, uses Unix transport credentials so the server
-// can extract the caller's UID for owner verification. Otherwise, uses insecure credentials.
-func daemonDialTransportOption(addr string) grpc.DialOption {
-	if strings.HasPrefix(addr, "unix://") {
-		creds := owner.NewUnixTransportCredentials()
-		if creds != nil {
-			return grpc.WithTransportCredentials(creds)
-		}
-	}
-	return grpc.WithTransportCredentials(insecure.NewCredentials())
-}
-
 // WithBackOff execute function in backoff cycle.
 func WithBackOff(bf func() error) error {
 	return backoff.RetryNotify(bf, CLIBackOffSettings, func(err error, duration time.Duration) {
--- a/client/cmd/service_controller.go
+++ b/client/cmd/service_controller.go
@@ -16,7 +16,6 @@ import (
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc"

-	"github.com/netbirdio/netbird/client/internal/owner"
 	"github.com/netbirdio/netbird/client/proto"
 	"github.com/netbirdio/netbird/client/server"
 	"github.com/netbirdio/netbird/client/system"
@@ -30,6 +29,9 @@ func (p *program) Start(svc service.Service) error {
 	// Collect static system and platform information
 	system.UpdateStaticInfoAsync()

+	// in any case, even if configuration does not exists we run daemon to serve CLI gRPC API.
+	p.serv = grpc.NewServer()
+
 	split := strings.Split(daemonAddr, "://")
 	switch split[0] {
 	case "unix":
@@ -45,12 +47,6 @@ func (p *program) Start(svc service.Service) error {
 		return fmt.Errorf("unsupported daemon address protocol: %v", split[0])
 	}

-	// Set up owner enforcement for Unix sockets.
-	configAdapter := &owner.ConfigAdapter{}
-	serverOpts := ownerServerOpts(split[0], configAdapter)
-
-	p.serv = grpc.NewServer(serverOpts...)
-
 	listen, err := net.Listen(split[0], split[1])
 	if err != nil {
 		return fmt.Errorf("listen daemon interface: %w", err)
@@ -69,8 +65,6 @@ func (p *program) Start(svc service.Service) error {
 		if err := serverInstance.Start(); err != nil {
 			log.Fatalf("failed to start daemon: %v", err)
 		}
-
-		configAdapter.SetBackend(serverInstance)
 		proto.RegisterDaemonServiceServer(p.serv, serverInstance)

 		p.serverInstanceMu.Lock()
@@ -85,32 +79,6 @@ func (p *program) Start(svc service.Service) error {
 	return nil
 }

-// ownerServerOpts returns gRPC server options for owner enforcement.
-// On Unix socket platforms, this includes transport credentials for peer credential
-// extraction and interceptors that check the caller's UID. On other platforms or TCP,
-// no owner enforcement is applied and a warning is logged so operators know the daemon
-// is running without per-user authorization.
-func ownerServerOpts(protocol string, configAdapter *owner.ConfigAdapter) []grpc.ServerOption {
-	if protocol != "unix" {
-		log.Warnf("daemon socket owner enforcement is not applied for protocol %q", protocol)
-		return nil
-	}
-
-	creds := owner.NewUnixTransportCredentials()
-	if creds == nil {
-		log.Warnf("daemon socket owner enforcement unavailable on this platform; daemon will accept any local connection")
-		return nil
-	}
-
-	interceptor := owner.NewInterceptor(configAdapter)
-
-	return []grpc.ServerOption{
-		grpc.Creds(creds),
-		grpc.ChainUnaryInterceptor(interceptor.UnaryInterceptor()),
-		grpc.ChainStreamInterceptor(interceptor.StreamInterceptor()),
-	}
-}
-
 func (p *program) Stop(srv service.Service) error {
 	p.serverInstanceMu.Lock()
 	if p.serverInstance != nil {
@@ -134,7 +102,7 @@ func (p *program) Stop(srv service.Service) error {
 }

 // Common setup for service control commands
-func setupServiceControlCommand(cmd *cobra.Command, ctx context.Context, cancel context.CancelFunc) (service.Service, error) {
+func setupServiceControlCommand(cmd *cobra.Command, ctx context.Context, cancel context.CancelFunc, consoleLog bool) (service.Service, error) {
 	// rootCmd env vars are already applied by PersistentPreRunE.
 	SetFlagsFromEnvVars(serviceCmd)

@@ -144,8 +112,14 @@ func setupServiceControlCommand(cmd *cobra.Command, ctx context.Context, cancel
 		return nil, err
 	}

-	if err := util.InitLog(logLevel, logFiles...); err != nil {
-		return nil, fmt.Errorf("init log: %w", err)
+	if consoleLog {
+		if err := util.InitLog(logLevel, util.LogConsole); err != nil {
+			return nil, fmt.Errorf("init log: %w", err)
+		}
+	} else {
+		if err := util.InitLog(logLevel, logFiles...); err != nil {
+			return nil, fmt.Errorf("init log: %w", err)
+		}
 	}

 	cfg, err := newSVCConfig()
@@ -170,7 +144,7 @@ var runCmd = &cobra.Command{
 		SetupCloseHandler(ctx, cancel)
 		SetupDebugHandler(ctx, nil, nil, nil, util.FindFirstLogPath(logFiles))

-		s, err := setupServiceControlCommand(cmd, ctx, cancel)
+		s, err := setupServiceControlCommand(cmd, ctx, cancel, false)
 		if err != nil {
 			return err
 		}
@@ -184,7 +158,7 @@ var startCmd = &cobra.Command{
 	Short: "starts NetBird service",
 	RunE: func(cmd *cobra.Command, args []string) error {
 		ctx, cancel := context.WithCancel(cmd.Context())
-		s, err := setupServiceControlCommand(cmd, ctx, cancel)
+		s, err := setupServiceControlCommand(cmd, ctx, cancel, false)
 		if err != nil {
 			return err
 		}
@@ -202,7 +176,7 @@ var stopCmd = &cobra.Command{
 	Short: "stops NetBird service",
 	RunE: func(cmd *cobra.Command, args []string) error {
 		ctx, cancel := context.WithCancel(cmd.Context())
-		s, err := setupServiceControlCommand(cmd, ctx, cancel)
+		s, err := setupServiceControlCommand(cmd, ctx, cancel, false)
 		if err != nil {
 			return err
 		}
@@ -220,7 +194,7 @@ var restartCmd = &cobra.Command{
 	Short: "restarts NetBird service",
 	RunE: func(cmd *cobra.Command, args []string) error {
 		ctx, cancel := context.WithCancel(cmd.Context())
-		s, err := setupServiceControlCommand(cmd, ctx, cancel)
+		s, err := setupServiceControlCommand(cmd, ctx, cancel, false)
 		if err != nil {
 			return err
 		}
@@ -238,7 +212,7 @@ var svcStatusCmd = &cobra.Command{
 	Short: "shows NetBird service status",
 	RunE: func(cmd *cobra.Command, args []string) error {
 		ctx, cancel := context.WithCancel(cmd.Context())
-		s, err := setupServiceControlCommand(cmd, ctx, cancel)
+		s, err := setupServiceControlCommand(cmd, ctx, cancel, true)
 		if err != nil {
 			return err
 		}
--- a/client/cmd/up.go
+++ b/client/cmd/up.go
@@ -44,9 +44,6 @@ const (

 	profileNameFlag = "profile"
 	profileNameDesc = "profile name to use for the login. If not specified, the last used profile will be used."
-
-	claimOwnerFlag = "owner"
-	claimOwnerDesc = "claim owner privileges for this profile, restricting daemon control to the current user and root"
 )

 var (
@@ -57,7 +54,6 @@ var (
 	showQR             bool
 	profileName        string
 	configPath         string
-	claimOwner         bool

 	upCmd = &cobra.Command{
 		Use:   "up",
@@ -91,7 +87,6 @@ func init() {
 	upCmd.PersistentFlags().BoolVar(&showQR, showQRFlag, false, showQRDesc)
 	upCmd.PersistentFlags().StringVar(&profileName, profileNameFlag, "", profileNameDesc)
 	upCmd.PersistentFlags().StringVarP(&configPath, "config", "c", "", "(DEPRECATED) NetBird config file location. ")
-	upCmd.PersistentFlags().BoolVar(&claimOwner, claimOwnerFlag, false, claimOwnerDesc)

 }

@@ -336,7 +331,6 @@ func doDaemonUp(ctx context.Context, cmd *cobra.Command, client proto.DaemonServ
 	if _, err := client.Up(ctx, &proto.UpRequest{
 		ProfileName: &activeProf.Name,
 		Username:    &username,
-		ClaimOwner:  claimOwner,
 	}); err != nil {
 		return fmt.Errorf("call service up method: %v", err)
 	}
--- a/client/cmd/up_daemon_test.go
+++ b/client/cmd/up_daemon_test.go
@@ -29,7 +29,7 @@ func TestUpDaemon(t *testing.T) {
 	}

 	sm := profilemanager.ServiceManager{}
-	err = sm.AddProfile("test1", currUser.Username, nil)
+	err = sm.AddProfile("test1", currUser.Username)
 	if err != nil {
 		t.Fatalf("failed to add profile: %v", err)
 		return
--- a/client/cmd/version.go
+++ b/client/cmd/version.go
@@ -12,7 +12,13 @@ var (
 		Short: "Print the NetBird's client application version",
 		Run: func(cmd *cobra.Command, args []string) {
 			cmd.SetOut(cmd.OutOrStdout())
-			cmd.Println(version.NetbirdVersion())
+			out := version.NetbirdVersion()
+			if version.IsDevelopmentVersion(out) {
+				if commit := version.NetbirdCommit(); commit != "" {
+					out += "-" + commit
+				}
+			}
+			cmd.Println(out)
 		},
 	}
 )
--- a/client/firewall/uspfilter/forwarder/icmp.go
+++ b/client/firewall/uspfilter/forwarder/icmp.go
@@ -362,6 +362,10 @@ func (f *Forwarder) injectICMPv6Reply(id stack.TransportEndpointID, icmpPayload
 		return 0
 	}

+	if pc := f.endpoint.capture.Load(); pc != nil {
+		(*pc).Offer(fullPacket, true)
+	}
+
 	return len(fullPacket)
 }

--- a/client/internal/auth/pkce_flow.go
+++ b/client/internal/auth/pkce_flow.go
@@ -360,7 +360,13 @@ func isRedirectURLPortUsed(redirectURL string, excludedRanges []excludedPortRang
 		return true
 	}

-	addr := fmt.Sprintf(":%s", port)
+	// FreeBSD 15 disables connecting to INADDR_ANY (0.0.0.0) as a localhost
+	// alias by default, ensure explicit ip for localhost.
+	host := parsedURL.Hostname()
+	if host == "" {
+		host = "127.0.0.1"
+	}
+	addr := net.JoinHostPort(host, port)
 	conn, err := net.DialTimeout("tcp", addr, 3*time.Second)
 	if err != nil {
 		return false
--- a/client/internal/connect.go
+++ b/client/internal/connect.go
@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"net"
 	"net/netip"
+	"path/filepath"
 	"runtime"
 	"runtime/debug"
 	"strings"
@@ -346,6 +347,11 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 			return wrapErr(err)
 		}
 		engineConfig.TempDir = mobileDependency.TempDir
+		// Leave StateDir empty when there is no state path so a disk-backed
+		// syncstore falls back to os.TempDir() instead of filepath.Dir("") == ".".
+		if path != "" {
+			engineConfig.StateDir = filepath.Dir(path)
+		}

 		relayManager := relayClient.NewManager(engineCtx, relayURLs, myPrivateKey.PublicKey().String(), engineConfig.MTU)
 		c.statusRecorder.SetRelayMgr(relayManager)
--- a/client/internal/debug/debug.go
+++ b/client/internal/debug/debug.go
@@ -254,6 +254,8 @@ type BundleGenerator struct {
 	capturePath    string
 	refreshStatus  func() // Optional callback to refresh status before bundle generation
 	clientMetrics  MetricsExporter
+	daemonVersion  string
+	cliVersion     string

 	anonymize         bool
 	includeSystemInfo bool
@@ -278,6 +280,8 @@ type GeneratorDependencies struct {
 	CapturePath    string
 	RefreshStatus  func()
 	ClientMetrics  MetricsExporter
+	DaemonVersion  string
+	CliVersion     string
 }

 func NewBundleGenerator(deps GeneratorDependencies, cfg BundleConfig) *BundleGenerator {
@@ -299,6 +303,8 @@ func NewBundleGenerator(deps GeneratorDependencies, cfg BundleConfig) *BundleGen
 		capturePath:    deps.CapturePath,
 		refreshStatus:  deps.RefreshStatus,
 		clientMetrics:  deps.ClientMetrics,
+		daemonVersion:  deps.DaemonVersion,
+		cliVersion:     deps.CliVersion,

 		anonymize:         cfg.Anonymize,
 		includeSystemInfo: cfg.IncludeSystemInfo,
@@ -459,9 +465,11 @@ func (g *BundleGenerator) addStatus() error {
 		protoFullStatus := nbstatus.ToProtoFullStatus(fullStatus)
 		protoFullStatus.Events = g.statusRecorder.GetEventHistory()
 		overview := nbstatus.ConvertToStatusOutputOverview(protoFullStatus, nbstatus.ConvertOptions{
-			Anonymize:   g.anonymize,
-			ProfileName: profName,
+			Anonymize:     g.anonymize,
+			ProfileName:   profName,
+			DaemonVersion: g.daemonVersion,
 		})
+		overview.CliVersion = g.cliVersion
 		statusOutput := overview.FullDetailSummary()

 		statusReader := strings.NewReader(statusOutput)
@@ -798,6 +806,8 @@ func (g *BundleGenerator) addSyncResponse() error {
 		AllowPartial:    true,
 	}

+	g.maskSecrets()
+
 	jsonBytes, err := options.Marshal(g.syncResponse)
 	if err != nil {
 		return fmt.Errorf("generate json: %w", err)
@@ -810,6 +820,27 @@ func (g *BundleGenerator) addSyncResponse() error {
 	return nil
 }

+func (g *BundleGenerator) maskSecrets() {
+	if g.syncResponse == nil || g.syncResponse.NetbirdConfig == nil {
+		return
+	}
+
+	if g.syncResponse.NetbirdConfig.Flow != nil {
+		g.syncResponse.NetbirdConfig.Flow.TokenPayload = maskedValue
+
+	}
+
+	if g.syncResponse.NetbirdConfig.Relay != nil {
+		g.syncResponse.NetbirdConfig.Relay.TokenPayload = maskedValue
+	}
+
+	for i := range g.syncResponse.NetbirdConfig.Turns {
+		if g.syncResponse.NetbirdConfig.Turns[i] != nil {
+			g.syncResponse.NetbirdConfig.Turns[i].Password = maskedValue
+		}
+	}
+}
+
 func (g *BundleGenerator) addStateFile() error {
 	sm := profilemanager.NewServiceManager("")
 	path := sm.GetStatePath()
@@ -1039,7 +1070,8 @@ func (g *BundleGenerator) addRotatedLogFiles(logDir string) {
 		return
 	}

-	pattern := filepath.Join(logDir, "client-*.log.gz")
+	// This regex will match both logs rotated by us and logrotate on linux
+	pattern := filepath.Join(logDir, "client*.log.*")
 	files, err := filepath.Glob(pattern)
 	if err != nil {
 		log.Warnf("failed to glob rotated logs: %v", err)
@@ -1072,7 +1104,12 @@ func (g *BundleGenerator) addRotatedLogFiles(logDir string) {

 	for i := 0; i < maxFiles; i++ {
 		name := filepath.Base(files[i])
-		if err := g.addSingleLogFileGz(files[i], name); err != nil {
+		if strings.HasSuffix(name, ".gz") {
+			err = g.addSingleLogFileGz(files[i], name)
+		} else {
+			err = g.addSingleLogfile(files[i], name)
+		}
+		if err != nil {
 			log.Warnf("failed to add rotated log %s: %v", name, err)
 		}
 	}
--- a/client/internal/debug/debug_logfiles_test.go
+++ b/client/internal/debug/debug_logfiles_test.go
@@ -0,0 +1,103 @@
+package debug
+
+import (
+	"archive/zip"
+	"bytes"
+	"compress/gzip"
+	"io"
+	"os"
+	"path/filepath"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+)
+
+// TestAddRotatedLogFiles_PicksUpAllVariants asserts that the rotated-log
+// glob picks up logs rotated by timberjack (gzipped) and by logrotate (plain
+// and gzipped), and skips unrelated files.
+func TestAddRotatedLogFiles_PicksUpAllVariants(t *testing.T) {
+	dir := t.TempDir()
+
+	writeFile(t, filepath.Join(dir, "client.log"), "active log\n")
+	writeFile(t, filepath.Join(dir, "other.log"), "unrelated\n")
+
+	timberjackRotated := "client-2026-05-21T10-30-45.000.log.gz"
+	writeGzFile(t, filepath.Join(dir, timberjackRotated), "timberjack rotated content\n")
+
+	logrotatePlain := "client.log.1"
+	writeFile(t, filepath.Join(dir, logrotatePlain), "logrotate plain content\n")
+
+	logrotateGz := "client.log.2.gz"
+	writeGzFile(t, filepath.Join(dir, logrotateGz), "logrotate gz content\n")
+
+	names := runAddRotatedLogFiles(t, dir, 10)
+
+	require.Contains(t, names, timberjackRotated, "timberjack rotated file should be in bundle")
+	require.Contains(t, names, logrotatePlain, "logrotate plain rotated file should be in bundle")
+	require.Contains(t, names, logrotateGz, "logrotate gzipped rotated file should be in bundle")
+	require.NotContains(t, names, "client.log", "active log should not be added by addRotatedLogFiles")
+	require.NotContains(t, names, "other.log", "unrelated files should not be in bundle")
+}
+
+// TestAddRotatedLogFiles_RespectsLogFileCount asserts that only the newest
+// logFileCount rotated files are bundled, ordered by mtime.
+func TestAddRotatedLogFiles_RespectsLogFileCount(t *testing.T) {
+	dir := t.TempDir()
+
+	oldest := filepath.Join(dir, "client.log.3")
+	middle := filepath.Join(dir, "client.log.2")
+	newest := filepath.Join(dir, "client.log.1")
+	writeFile(t, oldest, "old\n")
+	writeFile(t, middle, "mid\n")
+	writeFile(t, newest, "new\n")
+
+	now := time.Now()
+	require.NoError(t, os.Chtimes(oldest, now.Add(-2*time.Hour), now.Add(-2*time.Hour)))
+	require.NoError(t, os.Chtimes(middle, now.Add(-1*time.Hour), now.Add(-1*time.Hour)))
+	require.NoError(t, os.Chtimes(newest, now, now))
+
+	names := runAddRotatedLogFiles(t, dir, 2)
+
+	require.Contains(t, names, "client.log.1")
+	require.Contains(t, names, "client.log.2")
+	require.NotContains(t, names, "client.log.3", "oldest file should be dropped when logFileCount=2")
+}
+
+// runAddRotatedLogFiles calls addRotatedLogFiles against a fresh in-memory
+// zip writer and returns the set of entry names that ended up in the archive.
+func runAddRotatedLogFiles(t *testing.T, dir string, logFileCount uint32) map[string]struct{} {
+	t.Helper()
+
+	var buf bytes.Buffer
+	g := &BundleGenerator{
+		archive:      zip.NewWriter(&buf),
+		logFileCount: logFileCount,
+	}
+	g.addRotatedLogFiles(dir)
+	require.NoError(t, g.archive.Close())
+
+	zr, err := zip.NewReader(bytes.NewReader(buf.Bytes()), int64(buf.Len()))
+	require.NoError(t, err)
+
+	names := make(map[string]struct{}, len(zr.File))
+	for _, f := range zr.File {
+		names[f.Name] = struct{}{}
+	}
+	return names
+}
+
+func writeFile(t *testing.T, path, content string) {
+	t.Helper()
+	require.NoError(t, os.WriteFile(path, []byte(content), 0o644))
+}
+
+func writeGzFile(t *testing.T, path, content string) {
+	t.Helper()
+	var buf bytes.Buffer
+	gw := gzip.NewWriter(&buf)
+	_, err := io.WriteString(gw, content)
+	require.NoError(t, err)
+	require.NoError(t, gw.Close())
+	require.NoError(t, os.WriteFile(path, buf.Bytes(), 0o644))
+}
--- a/client/internal/engine.go
+++ b/client/internal/engine.go
@@ -22,7 +22,6 @@ import (
 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/tun/netstack"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
-	"google.golang.org/protobuf/proto"

 	nberrors "github.com/netbirdio/netbird/client/errors"
 	"github.com/netbirdio/netbird/client/firewall"
@@ -56,6 +55,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal/routemanager"
 	"github.com/netbirdio/netbird/client/internal/routemanager/systemops"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
+	"github.com/netbirdio/netbird/client/internal/syncstore"
 	"github.com/netbirdio/netbird/client/internal/updater"
 	"github.com/netbirdio/netbird/client/jobexec"
 	cProto "github.com/netbirdio/netbird/client/proto"
@@ -72,6 +72,7 @@ import (
 	sProto "github.com/netbirdio/netbird/shared/signal/proto"
 	"github.com/netbirdio/netbird/util"
 	"github.com/netbirdio/netbird/util/capture"
+	"github.com/netbirdio/netbird/version"
 )

 // PeerConnectionTimeoutMax is a timeout of an initial connection attempt to a remote peer.
@@ -148,6 +149,10 @@ type EngineConfig struct {

 	LogPath string
 	TempDir string
+
+	// StateDir is the directory holding the state file. The sync response
+	// (network map) is serialized here on platforms that persist it to disk.
+	StateDir string
 }

 // EngineServices holds the external service dependencies required by the Engine.
@@ -226,10 +231,15 @@ type Engine struct {

 	afpacketCapture *capture.AFPacketCapture

-	// Sync response persistence (protected by syncRespMux)
-	syncRespMux         sync.RWMutex
-	persistSyncResponse bool
-	latestSyncResponse  *mgmProto.SyncResponse
+	// Sync response persistence (protected by syncRespMux).
+	// syncStore is nil unless persistence has been enabled; its presence is
+	// what marks persistence as active. The backend (disk or memory) is
+	// selected per-platform; see the syncstore package. syncStoreDir is where
+	// a disk-backed store serializes to.
+	syncRespMux  sync.RWMutex
+	syncStore    syncstore.Store
+	syncStoreDir string
+
 	flowManager         nftypes.FlowManager

 	// auto-update
@@ -292,6 +302,7 @@ func NewEngine(
 		jobExecutor:        jobexec.NewExecutor(),
 		clientMetrics:      services.ClientMetrics,
 		updateManager:      services.UpdateManager,
+		syncStoreDir:       config.StateDir,
 	}

 	log.Infof("I am: %s", config.WgPrivateKey.PublicKey().String())
@@ -913,19 +924,18 @@ func (e *Engine) handleSync(update *mgmProto.SyncResponse) error {
 	}

 	// Persist sync response under the dedicated lock (syncRespMux), not under syncMsgMux.
-	// Read the storage-enabled flag under the syncRespMux too.
+	// A non-nil syncStore is what marks persistence as enabled. Hold the lock for
+	// the whole Set so the store cannot be cleared (disabled / engine close)
+	// mid-call and have this write resurrect a file that was just removed.
 	e.syncRespMux.RLock()
-	enabled := e.persistSyncResponse
-	e.syncRespMux.RUnlock()
-
-	// Store sync response if persistence is enabled
-	if enabled {
-		e.syncRespMux.Lock()
-		e.latestSyncResponse = update
-		e.syncRespMux.Unlock()
-
-		log.Debugf("sync response persisted with serial %d", nm.GetSerial())
+	if e.syncStore != nil {
+		if err := e.syncStore.Set(update); err != nil {
+			log.Errorf("failed to persist sync response: %v", err)
+		} else {
+			log.Debugf("sync response persisted with serial %d", nm.GetSerial())
+		}
 	}
+	e.syncRespMux.RUnlock()

 	// only apply new changes and ignore old ones
 	if err := e.updateNetworkMap(nm); err != nil {
@@ -1063,6 +1073,7 @@ func (e *Engine) updateConfig(conf *mgmProto.PeerConfig) error {
 	state.PubKey = e.config.WgPrivateKey.PublicKey().String()
 	state.KernelInterface = !e.wgInterface.IsUserspaceBind()
 	state.FQDN = conf.GetFqdn()
+	state.WgPort = e.config.WgPort

 	e.statusRecorder.UpdateLocalPeerState(state)

@@ -1141,6 +1152,7 @@ func (e *Engine) handleBundle(params *mgmProto.BundleParameters) (*mgmProto.JobR
 		LogPath:        e.config.LogPath,
 		TempDir:        e.config.TempDir,
 		ClientMetrics:  e.clientMetrics,
+		DaemonVersion:  version.NetbirdVersion(),
 		RefreshStatus: func() {
 			e.RunHealthProbes(true)
 		},
@@ -1813,6 +1825,18 @@ func (e *Engine) close() {
 	if err := e.portForwardManager.GracefullyStop(ctx); err != nil {
 		log.Warnf("failed to gracefully stop port forwarding manager: %s", err)
 	}
+
+	// Drop any persisted sync response so its network map does not linger on
+	// disk after the engine stops (and cannot leak into a later run).
+	e.syncRespMux.Lock()
+	store := e.syncStore
+	e.syncStore = nil
+	e.syncRespMux.Unlock()
+	if store != nil {
+		if err := store.Clear(); err != nil {
+			log.Warnf("failed to clear persisted sync response on close: %v", err)
+		}
+	}
 }

 func (e *Engine) readInitialSettings() ([]*route.Route, *nbdns.Config, bool, error) {
@@ -2142,45 +2166,42 @@ func (e *Engine) stopDNSServer() {
 	e.statusRecorder.UpdateDNSStates(nsGroupStates)
 }

-// SetSyncResponsePersistence enables or disables sync response persistence
+// SetSyncResponsePersistence enables or disables sync response persistence.
+// The store is only instantiated while persistence is enabled; construction
+// itself drops any stale data left over from an earlier run (see syncstore).
 func (e *Engine) SetSyncResponsePersistence(enabled bool) {
 	e.syncRespMux.Lock()
 	defer e.syncRespMux.Unlock()

-	if enabled == e.persistSyncResponse {
+	if enabled == (e.syncStore != nil) {
 		return
 	}
-	e.persistSyncResponse = enabled
 	log.Debugf("Sync response persistence is set to %t", enabled)

 	if !enabled {
-		e.latestSyncResponse = nil
+		if err := e.syncStore.Clear(); err != nil {
+			log.Warnf("failed to clear persisted sync response: %v", err)
+		}
+		e.syncStore = nil
+		return
 	}
+
+	e.syncStore = syncstore.New(e.syncStoreDir)
 }

 // GetLatestSyncResponse returns the stored sync response if persistence is enabled
 func (e *Engine) GetLatestSyncResponse() (*mgmProto.SyncResponse, error) {
+	// Hold the lock for the whole Get so the store cannot be cleared
+	// (disabled / engine close) mid-call.
 	e.syncRespMux.RLock()
-	enabled := e.persistSyncResponse
-	latest := e.latestSyncResponse
-	e.syncRespMux.RUnlock()
+	defer e.syncRespMux.RUnlock()

-	if !enabled {
+	if e.syncStore == nil {
 		return nil, errors.New("sync response persistence is disabled")
 	}

-	if latest == nil {
-		//nolint:nilnil
-		return nil, nil
-	}
-
-	log.Debugf("Retrieving latest sync response with size %d bytes", proto.Size(latest))
-	sr, ok := proto.Clone(latest).(*mgmProto.SyncResponse)
-	if !ok {
-		return nil, fmt.Errorf("failed to clone sync response")
-	}
-
-	return sr, nil
+	//nolint:nilnil
+	return e.syncStore.Get()
 }

 // GetWgAddr returns the wireguard address
@@ -2216,7 +2237,7 @@ func (e *Engine) updateDNSForwarder(
 	enabled bool,
 	fwdEntries []*dnsfwd.ForwarderEntry,
 ) {
-	if e.config.DisableServerRoutes {
+	if e.config.DisableServerRoutes || e.config.BlockInbound {
 		return
 	}

--- a/client/internal/lazyconn/support.go
+++ b/client/internal/lazyconn/support.go
@@ -4,6 +4,8 @@ import (
 	"strings"

 	"github.com/hashicorp/go-version"
+
+	nbversion "github.com/netbirdio/netbird/version"
 )

 var (
@@ -11,7 +13,7 @@ var (
 )

 func IsSupported(agentVersion string) bool {
-	if agentVersion == "development" {
+	if nbversion.IsDevelopmentVersion(agentVersion) {
 		return true
 	}

--- a/client/internal/owner/config.go
+++ b/client/internal/owner/config.go
@@ -1,46 +0,0 @@
-package owner
-
-import (
-	"fmt"
-	"sync"
-)
-
-// ConfigAdapter is a thread-safe OwnerConfig that delegates to a lazily-set backend.
-// This allows the interceptor to be created before the daemon server (and its config)
-// is initialized, which is necessary because gRPC interceptors are set at server creation time.
-type ConfigAdapter struct {
-	mu      sync.RWMutex
-	backend OwnerConfig
-}
-
-// SetBackend sets the actual config implementation. Must be called before any RPCs are served.
-func (a *ConfigAdapter) SetBackend(backend OwnerConfig) {
-	a.mu.Lock()
-	defer a.mu.Unlock()
-	a.backend = backend
-}
-
-// GetOwnerUIDs delegates to the backend.
-func (a *ConfigAdapter) GetOwnerUIDs() []UID {
-	a.mu.RLock()
-	defer a.mu.RUnlock()
-
-	if a.backend == nil {
-		// No backend yet, return empty (root-only).
-		return []UID{}
-	}
-
-	return a.backend.GetOwnerUIDs()
-}
-
-// AddOwnerUID delegates to the backend.
-func (a *ConfigAdapter) AddOwnerUID(uid UID) error {
-	a.mu.RLock()
-	defer a.mu.RUnlock()
-
-	if a.backend == nil {
-		return fmt.Errorf("owner config backend not initialized")
-	}
-
-	return a.backend.AddOwnerUID(uid)
-}
--- a/client/internal/owner/consoleuser/consoleuser.go
+++ b/client/internal/owner/consoleuser/consoleuser.go
@@ -1,17 +0,0 @@
-// Package consoleuser provides the OS-level "active console user" UID lookup
-// used to gate ownership TOFU. The active console user is the local user
-// physically at the machine (or in the foreground GUI session): the user that
-// can legitimately claim the daemon as theirs on first run.
-package consoleuser
-
-// ActiveUID returns the UID of the currently active console / GUI session
-// user, and true if such a user exists. Returns 0, false on platforms without
-// a console concept (ios, android), on headless servers with no active
-// session, or on lookup failure.
-//
-// Implementations must fail closed: any error or ambiguity returns (0, false)
-// so that the caller treats the result as "no console user" rather than
-// granting access to an unverified UID.
-func ActiveUID() (uint32, bool) {
-	return activeUID()
-}
--- a/client/internal/owner/consoleuser/consoleuser_darwin.go
+++ b/client/internal/owner/consoleuser/consoleuser_darwin.go
@@ -1,58 +0,0 @@
-package consoleuser
-
-import (
-	"unsafe"
-
-	"github.com/ebitengine/purego"
-)
-
-// activeUID returns the UID of the user currently logged into the macOS GUI
-// console session. Uses SCDynamicStoreCopyConsoleUser from the
-// SystemConfiguration framework via purego (no cgo).
-func activeUID() (uint32, bool) {
-	sc, err := purego.Dlopen(
-		"/System/Library/Frameworks/SystemConfiguration.framework/SystemConfiguration",
-		purego.RTLD_NOW|purego.RTLD_GLOBAL,
-	)
-	if err != nil {
-		return 0, false
-	}
-
-	cf, err := purego.Dlopen(
-		"/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation",
-		purego.RTLD_NOW|purego.RTLD_GLOBAL,
-	)
-	if err != nil {
-		return 0, false
-	}
-
-	// CFStringRef SCDynamicStoreCopyConsoleUser(SCDynamicStoreRef store,
-	//     uid_t *uid, gid_t *gid);
-	//
-	// We pass nil for the store (NULL is accepted; the framework creates a
-	// transient one), discard the returned CFStringRef username (we only
-	// need the UID), and read uid via the out-pointer.
-	var copyConsoleUser func(store uintptr, uidPtr, gidPtr unsafe.Pointer) uintptr
-	purego.RegisterLibFunc(&copyConsoleUser, sc, "SCDynamicStoreCopyConsoleUser")
-
-	var cfRelease func(uintptr)
-	purego.RegisterLibFunc(&cfRelease, cf, "CFRelease")
-
-	var uid uint32
-	var gid uint32
-
-	cfStr := copyConsoleUser(0, unsafe.Pointer(&uid), unsafe.Pointer(&gid))
-	if cfStr == 0 {
-		return 0, false
-	}
-	cfRelease(cfStr)
-
-	// loginwindow / no GUI session reports uid 0. We don't want the
-	// console-user path to grant anything to root (root is already always
-	// allowed by the interceptor), so treat uid 0 as "no console user".
-	if uid == 0 {
-		return 0, false
-	}
-
-	return uid, true
-}
--- a/client/internal/owner/consoleuser/consoleuser_freebsd.go
+++ b/client/internal/owner/consoleuser/consoleuser_freebsd.go
@@ -1,34 +0,0 @@
-package consoleuser
-
-import (
-	"fmt"
-	"os"
-	"syscall"
-)
-
-// activeUID returns the UID of the user currently logged into the FreeBSD
-// console. FreeBSD's vt(4) chowns the active virtual terminal device to the
-// logged-in user, so a non-root owner of any /dev/ttyvN reliably identifies
-// the console user.
-//
-// We scan /dev/ttyv0../dev/ttyv9 and return the first non-root owner. Network
-// ptys (pts) are intentionally not considered: SSH'd users are not "at the
-// console" and must not TOFU-claim ownership.
-func activeUID() (uint32, bool) {
-	for i := 0; i < 10; i++ {
-		path := fmt.Sprintf("/dev/ttyv%d", i)
-		fi, err := os.Stat(path)
-		if err != nil {
-			continue
-		}
-		st, ok := fi.Sys().(*syscall.Stat_t)
-		if !ok {
-			continue
-		}
-		if st.Uid == 0 {
-			continue
-		}
-		return st.Uid, true
-	}
-	return 0, false
-}
--- a/client/internal/owner/consoleuser/consoleuser_linux.go
+++ b/client/internal/owner/consoleuser/consoleuser_linux.go
@@ -1,64 +0,0 @@
-package consoleuser
-
-import (
-	"github.com/godbus/dbus/v5"
-)
-
-const (
-	loginDest      = "org.freedesktop.login1"
-	loginPath      = dbus.ObjectPath("/org/freedesktop/login1")
-	loginInterface = "org.freedesktop.login1.Manager"
-	listSessions   = loginInterface + ".ListSessions"
-
-	sessionInterface = "org.freedesktop.login1.Session"
-	sessionActive    = sessionInterface + ".Active"
-	sessionClass     = sessionInterface + ".Class"
-)
-
-// activeUID queries systemd-logind for the active local user session and
-// returns that user's UID. Falls back to (0, false) on any error or when no
-// active user session exists (headless box, no GUI, no login at the console).
-func activeUID() (uint32, bool) {
-	conn, err := dbus.SystemBus()
-	if err != nil {
-		return 0, false
-	}
-
-	mgr := conn.Object(loginDest, loginPath)
-
-	// ListSessions returns []struct{ID string; UID uint32; User string;
-	// Seat string; Path dbus.ObjectPath}.
-	var sessions []struct {
-		ID   string
-		UID  uint32
-		User string
-		Seat string
-		Path dbus.ObjectPath
-	}
-	if err := mgr.Call(listSessions, 0).Store(&sessions); err != nil {
-		return 0, false
-	}
-
-	for _, s := range sessions {
-		obj := conn.Object(loginDest, s.Path)
-
-		active, err := obj.GetProperty(sessionActive)
-		if err != nil || active.Value() != true {
-			continue
-		}
-
-		class, err := obj.GetProperty(sessionClass)
-		if err != nil {
-			continue
-		}
-		// Only "user" sessions count; "greeter" / "lock-screen" / etc. are
-		// not someone we should grant ownership to.
-		if classStr, ok := class.Value().(string); !ok || classStr != "user" {
-			continue
-		}
-
-		return s.UID, true
-	}
-
-	return 0, false
-}
--- a/client/internal/owner/consoleuser/consoleuser_other.go
+++ b/client/internal/owner/consoleuser/consoleuser_other.go
@@ -1,9 +0,0 @@
-//go:build !linux && !darwin && !freebsd && !windows
-
-package consoleuser
-
-// activeUID has no meaning on platforms without a console-user concept
-// (ios, android). Returns no-user so TOFU never fires.
-func activeUID() (uint32, bool) {
-	return 0, false
-}
--- a/client/internal/owner/consoleuser/consoleuser_windows.go
+++ b/client/internal/owner/consoleuser/consoleuser_windows.go
@@ -1,59 +0,0 @@
-package consoleuser
-
-import (
-	"unsafe"
-
-	"golang.org/x/sys/windows"
-)
-
-// activeUID returns a synthetic UID (the user SID's RID) for the currently
-// active Windows console session. The owner package treats UIDs as opaque
-// uint32 identifiers; on Windows we use the user account RID, which is stable
-// per-account on a given machine.
-//
-// Returns (0, false) when there is no active console session, the session has
-// no logged-in user, or any lookup fails.
-func activeUID() (uint32, bool) {
-	sessionID := windows.WTSGetActiveConsoleSessionId()
-	if sessionID == 0xFFFFFFFF {
-		return 0, false
-	}
-
-	var token windows.Token
-	if err := windows.WTSQueryUserToken(sessionID, &token); err != nil {
-		return 0, false
-	}
-	defer token.Close()
-
-	user, err := tokenUserSID(token)
-	if err != nil || user == nil {
-		return 0, false
-	}
-
-	subCount := user.SubAuthorityCount()
-	if subCount == 0 {
-		return 0, false
-	}
-	rid := user.SubAuthority(uint32(subCount) - 1)
-	if rid == 0 {
-		return 0, false
-	}
-	return rid, true
-}
-
-// tokenUserSID returns the user SID associated with the given access token.
-func tokenUserSID(token windows.Token) (*windows.SID, error) {
-	var size uint32
-	err := windows.GetTokenInformation(token, windows.TokenUser, nil, 0, &size)
-	if err != windows.ERROR_INSUFFICIENT_BUFFER {
-		return nil, err
-	}
-
-	buf := make([]byte, size)
-	if err := windows.GetTokenInformation(token, windows.TokenUser, &buf[0], size, &size); err != nil {
-		return nil, err
-	}
-
-	tu := (*windows.Tokenuser)(unsafe.Pointer(&buf[0]))
-	return tu.User.Sid, nil
-}
--- a/client/internal/owner/creds.go
+++ b/client/internal/owner/creds.go
@@ -1,37 +0,0 @@
-package owner
-
-import (
-	"context"
-
-	"google.golang.org/grpc/credentials"
-	"google.golang.org/grpc/peer"
-)
-
-// UnixAuthInfo implements credentials.AuthInfo carrying the peer's UID from SO_PEERCRED.
-type UnixAuthInfo struct {
-	credentials.CommonAuthInfo
-	UID UID
-	GID uint32
-	PID int32
-}
-
-// AuthType returns the authentication type.
-func (u UnixAuthInfo) AuthType() string {
-	return "unix_peercred"
-}
-
-// UIDFromContext extracts the caller's UID from the gRPC peer context.
-// Returns uid and true if Unix credentials were available, 0 and false otherwise.
-func UIDFromContext(ctx context.Context) (UID, bool) {
-	p, ok := peer.FromContext(ctx)
-	if !ok {
-		return 0, false
-	}
-
-	info, ok := p.AuthInfo.(UnixAuthInfo)
-	if !ok {
-		return 0, false
-	}
-
-	return info.UID, true
-}
--- a/client/internal/owner/env.go
+++ b/client/internal/owner/env.go
@@ -1,48 +0,0 @@
-package owner
-
-import (
-	"os"
-	"strconv"
-	"strings"
-
-	log "github.com/sirupsen/logrus"
-)
-
-// EnvOwnerUID is the environment variable that seeds the owner UID list for new config files.
-// MDM deployments can set this (e.g. via --service-env NB_OWNER_UID=1000) so the first
-// config created by the daemon pre-populates the owner without requiring "netbird up --owner".
-// Multiple UIDs can be comma-separated: NB_OWNER_UID=1000,1001
-const EnvOwnerUID = "NB_OWNER_UID"
-
-// OwnerUIDsFromEnv parses NB_OWNER_UID into a UID slice.
-// Returns nil if the variable is unset, allowing the caller to distinguish
-// "not configured" from "explicitly empty".
-func OwnerUIDsFromEnv() []UID {
-	val := os.Getenv(EnvOwnerUID)
-	if val == "" {
-		return nil
-	}
-
-	parts := strings.Split(val, ",")
-	uids := make([]UID, 0, len(parts))
-	for _, p := range parts {
-		p = strings.TrimSpace(p)
-		if p == "" {
-			continue
-		}
-		uid, err := strconv.ParseUint(p, 10, 32)
-		if err != nil {
-			log.Warnf("ignoring invalid UID %q in %s: %v", p, EnvOwnerUID, err)
-			continue
-		}
-		uids = append(uids, UID(uid))
-	}
-
-	if len(uids) == 0 {
-		log.Warnf("%s set but contains no valid UIDs, defaulting to root-only", EnvOwnerUID)
-		return []UID{}
-	}
-
-	log.Infof("seeding owner UIDs from %s: %v", EnvOwnerUID, uids)
-	return uids
-}
--- a/client/internal/owner/env_test.go
+++ b/client/internal/owner/env_test.go
@@ -1,81 +0,0 @@
-package owner
-
-import (
-	"os"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestOwnerUIDsFromEnv(t *testing.T) {
-	tests := []struct {
-		name     string
-		envValue string
-		unset    bool
-		want     []UID
-	}{
-		{
-			name:  "unset returns nil",
-			unset: true,
-			want:  nil,
-		},
-		{
-			name:     "empty string returns nil",
-			envValue: "",
-			want:     nil,
-		},
-		{
-			name:     "single UID",
-			envValue: "1000",
-			want:     []UID{1000},
-		},
-		{
-			name:     "multiple UIDs",
-			envValue: "1000,1001,1002",
-			want:     []UID{1000, 1001, 1002},
-		},
-		{
-			name:     "spaces around UIDs",
-			envValue: " 1000 , 1001 ",
-			want:     []UID{1000, 1001},
-		},
-		{
-			name:     "invalid UID skipped",
-			envValue: "1000,notanumber,1001",
-			want:     []UID{1000, 1001},
-		},
-		{
-			name:     "all invalid returns empty slice",
-			envValue: "abc,def",
-			want:     []UID{},
-		},
-		{
-			name:     "trailing comma",
-			envValue: "1000,",
-			want:     []UID{1000},
-		},
-		{
-			name:     "zero UID is valid",
-			envValue: "0",
-			want:     []UID{0},
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			t.Setenv(EnvOwnerUID, tt.envValue)
-			if tt.unset {
-				os.Unsetenv(EnvOwnerUID)
-			}
-
-			got := OwnerUIDsFromEnv()
-
-			if tt.want == nil {
-				require.Nil(t, got)
-			} else {
-				assert.Equal(t, tt.want, got)
-			}
-		})
-	}
-}
--- a/client/internal/owner/interceptor.go
+++ b/client/internal/owner/interceptor.go
@@ -1,170 +0,0 @@
-package owner
-
-import (
-	"context"
-	"slices"
-	"sync"
-
-	log "github.com/sirupsen/logrus"
-	"google.golang.org/grpc"
-	"google.golang.org/grpc/codes"
-	"google.golang.org/grpc/status"
-
-	"github.com/netbirdio/netbird/client/internal/owner/consoleuser"
-)
-
-const servicePath = "/daemon.DaemonService/"
-
-// profileBypassMethods skip the active-profile owner check. They either
-// operate on a specific target profile (and the handler enforces target-profile
-// owner-or-root itself) or are per-user listings/creations that don't affect
-// the active session and shouldn't require active-profile ownership. Peer
-// credentials are still required.
-var profileBypassMethods = map[string]bool{
-	servicePath + "AddProfile":    true,
-	servicePath + "ListProfiles":  true,
-	servicePath + "RemoveProfile": true,
-	servicePath + "SwitchProfile": true,
-}
-
-// Error messages returned to denied callers. They are multi-line so the
-// suggested commands sit on their own line for easy triple-click copy-paste.
-const (
-	errNoPeerCreds = "peer credentials unavailable; rerun via the netbird CLI"
-
-	errNoOwnerConfigured = `no daemon owner is configured and no console-session user matches your UID.
-Run as root for one-off use:
-    sudo netbird ...
-Or call from the active console session: the first call from the user logged in
-at the GUI/console claims ownership automatically.`
-
-	errOwnerRequired = `this operation requires root or the daemon owner (uid %d is not an owner).
-Run as root for one-off use:
-    sudo netbird ...
-Or ask an existing owner (or root) to add you:
-    sudo netbird owner add %[1]d`
-)
-
-// consoleUIDLookup is the function used to look up the active console UID.
-// Overridable in tests; defaults to the platform implementation.
-var consoleUIDLookup = consoleuser.ActiveUID
-
-// OwnerConfig provides access to the current owner UIDs setting.
-// The interceptor reads and writes through this interface so it can
-// work with the profile manager's config without a direct dependency.
-type OwnerConfig interface {
-	// GetOwnerUIDs returns the current owner UIDs.
-	// nil means legacy/migration TOFU (field absent from existing config).
-	// empty means fresh install (root-only with console-user TOFU exception).
-	// populated means those UIDs plus root may control the daemon.
-	GetOwnerUIDs() []UID
-
-	// AddOwnerUID adds the given UID to the owner list and persists it.
-	AddOwnerUID(uid UID) error
-}
-
-// Interceptor enforces owner restrictions on the daemon gRPC socket.
-type Interceptor struct {
-	config OwnerConfig
-	// mu serializes the read-then-write of OwnerUIDs during TOFU/claim flows
-	// so two concurrent first-callers can't both end up persisted as owners.
-	// Holds across the OwnerConfig.AddOwnerUID call; safe because no callback
-	// path takes this mutex.
-	mu sync.Mutex
-}
-
-// NewInterceptor creates an owner interceptor backed by the given config.
-func NewInterceptor(config OwnerConfig) *Interceptor {
-	return &Interceptor{config: config}
-}
-
-// UnaryInterceptor returns a gRPC unary server interceptor that enforces owner policy.
-func (i *Interceptor) UnaryInterceptor() grpc.UnaryServerInterceptor {
-	return func(
-		ctx context.Context,
-		req any,
-		info *grpc.UnaryServerInfo,
-		handler grpc.UnaryHandler,
-	) (any, error) {
-		if err := i.authorize(ctx, info.FullMethod); err != nil {
-			return nil, err
-		}
-		return handler(ctx, req)
-	}
-}
-
-// StreamInterceptor returns a gRPC stream server interceptor that enforces owner policy.
-func (i *Interceptor) StreamInterceptor() grpc.StreamServerInterceptor {
-	return func(
-		srv any,
-		ss grpc.ServerStream,
-		info *grpc.StreamServerInfo,
-		handler grpc.StreamHandler,
-	) error {
-		if err := i.authorize(ss.Context(), info.FullMethod); err != nil {
-			return err
-		}
-		return handler(srv, ss)
-	}
-}
-
-// authorize checks whether the caller is allowed to call the given method.
-// Every RPC is gated; root is always allowed. Non-root callers are accepted
-// when they are existing owners, when the config is in legacy TOFU state
-// (claim on first call, preserves pre-enforcement behavior), or when the
-// config is in fresh-install state and they match the active console user.
-func (i *Interceptor) authorize(ctx context.Context, fullMethod string) error {
-	uid, ok := UIDFromContext(ctx)
-	if !ok {
-		return status.Error(codes.PermissionDenied, errNoPeerCreds)
-	}
-
-	if uid == 0 {
-		return nil
-	}
-
-	// Profile-management RPCs do their own per-target authorization in the
-	// handler. The interceptor only confirms peer credentials are present.
-	if profileBypassMethods[fullMethod] {
-		return nil
-	}
-
-	i.mu.Lock()
-	defer i.mu.Unlock()
-
-	ownerUIDs := i.config.GetOwnerUIDs()
-
-	switch {
-	case ownerUIDs == nil:
-		// Legacy / migration TOFU: existing pre-enforcement config has no
-		// owners field. Any non-root local caller claims on first call so
-		// upgrades don't break.
-		return i.claim(uid, "migration TOFU")
-
-	case len(ownerUIDs) == 0:
-		// Fresh-install root-only mode with a console-user exception so the
-		// GUI/CLI just works for the user physically at the machine. SSH'd
-		// or otherwise non-console callers are denied.
-		consoleUID, ok := consoleUIDLookup()
-		if ok && uint32(uid) == consoleUID {
-			return i.claim(uid, "console-user TOFU")
-		}
-		return status.Error(codes.PermissionDenied, errNoOwnerConfigured)
-
-	case slices.Contains(ownerUIDs, uid):
-		return nil
-
-	default:
-		return status.Errorf(codes.PermissionDenied, errOwnerRequired, uid)
-	}
-}
-
-// claim adds uid to the owner list and persists it. The caller must hold i.mu.
-func (i *Interceptor) claim(uid UID, reason string) error {
-	log.Infof("%s: claiming owner for UID %d", reason, uid)
-	if err := i.config.AddOwnerUID(uid); err != nil {
-		log.Errorf("persist owner UID: %v", err)
-		return status.Error(codes.Internal, "persist owner UID")
-	}
-	return nil
-}
--- a/client/internal/owner/interceptor_test.go
+++ b/client/internal/owner/interceptor_test.go
@@ -1,277 +0,0 @@
-package owner
-
-import (
-	"context"
-	"net"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-	"google.golang.org/grpc"
-	"google.golang.org/grpc/codes"
-	"google.golang.org/grpc/credentials"
-	"google.golang.org/grpc/peer"
-	"google.golang.org/grpc/status"
-)
-
-type mockOwnerConfig struct {
-	uids []UID
-	err  error
-}
-
-func (m *mockOwnerConfig) GetOwnerUIDs() []UID {
-	return m.uids
-}
-
-func (m *mockOwnerConfig) AddOwnerUID(uid UID) error {
-	if m.err != nil {
-		return m.err
-	}
-	m.uids = append(m.uids, uid)
-	return nil
-}
-
-func peerContext(uid UID) context.Context {
-	return peer.NewContext(context.Background(), &peer.Peer{
-		Addr: &net.UnixAddr{Name: "/tmp/test.sock", Net: "unix"},
-		AuthInfo: UnixAuthInfo{
-			CommonAuthInfo: credentials.CommonAuthInfo{SecurityLevel: credentials.NoSecurity},
-			UID:            uid,
-		},
-	})
-}
-
-func noPeerContext() context.Context {
-	return context.Background()
-}
-
-// withConsoleUID overrides the platform console-user lookup for a single test.
-func withConsoleUID(t *testing.T, uid uint32, ok bool) {
-	t.Helper()
-	prev := consoleUIDLookup
-	consoleUIDLookup = func() (uint32, bool) { return uid, ok }
-	t.Cleanup(func() { consoleUIDLookup = prev })
-}
-
-func TestInterceptor_RootAlwaysAllowed(t *testing.T) {
-	cfg := &mockOwnerConfig{uids: []UID{1000}}
-	interceptor := NewInterceptor(cfg)
-
-	for _, method := range []string{
-		"/daemon.DaemonService/Up",
-		"/daemon.DaemonService/Status",
-		"/daemon.DaemonService/Down",
-	} {
-		err := interceptor.authorize(peerContext(0), method)
-		assert.NoError(t, err, "root should always be allowed for %s", method)
-	}
-}
-
-func TestInterceptor_NoPeerCreds_AlwaysDenies(t *testing.T) {
-	cfg := &mockOwnerConfig{uids: []UID{1000}}
-	interceptor := NewInterceptor(cfg)
-
-	for _, method := range []string{
-		"/daemon.DaemonService/Status",
-		"/daemon.DaemonService/Up",
-		"/daemon.DaemonService/SomeNewMethod",
-	} {
-		err := interceptor.authorize(noPeerContext(), method)
-		require.Error(t, err, "method %s should be denied without peer creds", method)
-		assert.Equal(t, codes.PermissionDenied, status.Code(err))
-	}
-}
-
-// TestInterceptor_LegacyMigration covers the nil-OwnerUIDs branch:
-// pre-enforcement configs upgraded to this version. Any non-root local caller
-// can claim on first call.
-func TestInterceptor_LegacyMigration_AnyCallerClaims(t *testing.T) {
-	withConsoleUID(t, 0, false) // no console; should not matter for nil
-	cfg := &mockOwnerConfig{uids: nil}
-	interceptor := NewInterceptor(cfg)
-
-	// First call from any UID claims regardless of method.
-	err := interceptor.authorize(peerContext(1000), "/daemon.DaemonService/Status")
-	require.NoError(t, err)
-	require.Equal(t, []UID{1000}, cfg.uids)
-
-	// After claim, a different UID is denied.
-	err = interceptor.authorize(peerContext(2000), "/daemon.DaemonService/Status")
-	require.Error(t, err)
-	assert.Equal(t, codes.PermissionDenied, status.Code(err))
-}
-
-// TestInterceptor_FreshInstall covers the empty-OwnerUIDs branch: console-user
-// can claim, others denied.
-func TestInterceptor_FreshInstall_ConsoleUserClaims(t *testing.T) {
-	withConsoleUID(t, 1000, true)
-	cfg := &mockOwnerConfig{uids: []UID{}}
-	interceptor := NewInterceptor(cfg)
-
-	err := interceptor.authorize(peerContext(1000), "/daemon.DaemonService/Status")
-	require.NoError(t, err)
-	require.Equal(t, []UID{1000}, cfg.uids)
-}
-
-func TestInterceptor_FreshInstall_NonConsoleDenied(t *testing.T) {
-	withConsoleUID(t, 1000, true)
-	cfg := &mockOwnerConfig{uids: []UID{}}
-	interceptor := NewInterceptor(cfg)
-
-	err := interceptor.authorize(peerContext(2000), "/daemon.DaemonService/Up")
-	require.Error(t, err)
-	assert.Equal(t, codes.PermissionDenied, status.Code(err))
-	assert.Empty(t, cfg.uids, "non-console caller must not claim")
-}
-
-func TestInterceptor_FreshInstall_NoConsole_Denied(t *testing.T) {
-	withConsoleUID(t, 0, false)
-	cfg := &mockOwnerConfig{uids: []UID{}}
-	interceptor := NewInterceptor(cfg)
-
-	err := interceptor.authorize(peerContext(1000), "/daemon.DaemonService/Up")
-	require.Error(t, err)
-	assert.Equal(t, codes.PermissionDenied, status.Code(err))
-}
-
-func TestInterceptor_OwnerUID_AllowsOwner(t *testing.T) {
-	cfg := &mockOwnerConfig{uids: []UID{1000}}
-	interceptor := NewInterceptor(cfg)
-
-	err := interceptor.authorize(peerContext(1000), "/daemon.DaemonService/Down")
-	assert.NoError(t, err)
-}
-
-func TestInterceptor_OwnerUID_DeniesOther(t *testing.T) {
-	withConsoleUID(t, 9999, true) // console-user TOFU should not apply once owners exist
-	cfg := &mockOwnerConfig{uids: []UID{1000}}
-	interceptor := NewInterceptor(cfg)
-
-	err := interceptor.authorize(peerContext(2000), "/daemon.DaemonService/Down")
-	require.Error(t, err)
-	assert.Equal(t, codes.PermissionDenied, status.Code(err))
-}
-
-func TestInterceptor_MultipleOwners(t *testing.T) {
-	cfg := &mockOwnerConfig{uids: []UID{1000, 2000}}
-	interceptor := NewInterceptor(cfg)
-
-	err := interceptor.authorize(peerContext(1000), "/daemon.DaemonService/Down")
-	assert.NoError(t, err)
-
-	err = interceptor.authorize(peerContext(2000), "/daemon.DaemonService/Up")
-	assert.NoError(t, err)
-
-	err = interceptor.authorize(peerContext(3000), "/daemon.DaemonService/Down")
-	require.Error(t, err)
-	assert.Equal(t, codes.PermissionDenied, status.Code(err))
-}
-
-// TestInterceptor_UnknownMethodRequiresOwner pins the safe-by-default invariant:
-// any future RPC still goes through owner enforcement.
-func TestInterceptor_UnknownMethodRequiresOwner(t *testing.T) {
-	cfg := &mockOwnerConfig{uids: []UID{1000}}
-	interceptor := NewInterceptor(cfg)
-
-	err := interceptor.authorize(peerContext(2000), "/daemon.DaemonService/SomeFutureMethod")
-	require.Error(t, err)
-	assert.Equal(t, codes.PermissionDenied, status.Code(err))
-
-	err = interceptor.authorize(peerContext(1000), "/daemon.DaemonService/SomeFutureMethod")
-	assert.NoError(t, err)
-}
-
-func TestInterceptor_ErrorMessageActionable(t *testing.T) {
-	withConsoleUID(t, 9999, true)
-	cfg := &mockOwnerConfig{uids: []UID{1000}}
-	interceptor := NewInterceptor(cfg)
-
-	err := interceptor.authorize(peerContext(2000), "/daemon.DaemonService/Down")
-	require.Error(t, err)
-	msg := status.Convert(err).Message()
-	assert.Contains(t, msg, "sudo netbird")
-	assert.Contains(t, msg, "owner add")
-}
-
-func TestInterceptor_UnaryIntegration(t *testing.T) {
-	cfg := &mockOwnerConfig{uids: []UID{1000}}
-	interceptor := NewInterceptor(cfg)
-
-	unary := interceptor.UnaryInterceptor()
-
-	resp, err := unary(peerContext(1000), nil, &grpc.UnaryServerInfo{FullMethod: "/daemon.DaemonService/Down"}, func(ctx context.Context, req any) (any, error) {
-		return "ok", nil
-	})
-	require.NoError(t, err)
-	assert.Equal(t, "ok", resp)
-
-	_, err = unary(peerContext(2000), nil, &grpc.UnaryServerInfo{FullMethod: "/daemon.DaemonService/Down"}, func(ctx context.Context, req any) (any, error) {
-		t.Fatal("handler should not be called")
-		return nil, nil
-	})
-	require.Error(t, err)
-	assert.Equal(t, codes.PermissionDenied, status.Code(err))
-}
-
-func TestInterceptor_StreamIntegration(t *testing.T) {
-	cfg := &mockOwnerConfig{uids: []UID{1000}}
-	interceptor := NewInterceptor(cfg)
-
-	stream := interceptor.StreamInterceptor()
-
-	called := false
-	err := stream(nil, &mockServerStream{ctx: peerContext(1000)},
-		&grpc.StreamServerInfo{FullMethod: "/daemon.DaemonService/SubscribeEvents"},
-		func(srv any, stream grpc.ServerStream) error {
-			called = true
-			return nil
-		})
-	require.NoError(t, err)
-	assert.True(t, called)
-
-	err = stream(nil, &mockServerStream{ctx: peerContext(2000)},
-		&grpc.StreamServerInfo{FullMethod: "/daemon.DaemonService/SubscribeEvents"},
-		func(srv any, stream grpc.ServerStream) error {
-			t.Fatal("handler should not be called")
-			return nil
-		})
-	require.Error(t, err)
-	assert.Equal(t, codes.PermissionDenied, status.Code(err))
-}
-
-type mockServerStream struct {
-	grpc.ServerStream
-	ctx context.Context
-}
-
-func (m *mockServerStream) Context() context.Context { return m.ctx }
-
-// TestInterceptor_ProfileBypass pins that profile-management methods reach
-// the handler regardless of active-profile ownership; the handler enforces
-// per-target-profile auth itself.
-func TestInterceptor_ProfileBypass(t *testing.T) {
-	cfg := &mockOwnerConfig{uids: []UID{1000}}
-	interceptor := NewInterceptor(cfg)
-
-	// Caller UID 2000 is not an owner of the active profile but must be
-	// allowed through for these methods.
-	for _, method := range []string{
-		"/daemon.DaemonService/AddProfile",
-		"/daemon.DaemonService/ListProfiles",
-		"/daemon.DaemonService/RemoveProfile",
-		"/daemon.DaemonService/SwitchProfile",
-	} {
-		err := interceptor.authorize(peerContext(2000), method)
-		assert.NoError(t, err, "profile method %s should bypass active-owner check", method)
-	}
-
-	// Without peer creds, even bypass methods are denied.
-	for _, method := range []string{
-		"/daemon.DaemonService/AddProfile",
-		"/daemon.DaemonService/SwitchProfile",
-	} {
-		err := interceptor.authorize(noPeerContext(), method)
-		require.Error(t, err, "bypass method %s still requires peer creds", method)
-		assert.Equal(t, codes.PermissionDenied, status.Code(err))
-	}
-}
--- a/client/internal/owner/transport_bsd.go
+++ b/client/internal/owner/transport_bsd.go
@@ -1,66 +0,0 @@
-//go:build darwin || freebsd
-
-package owner
-
-import (
-	"context"
-	"fmt"
-	"net"
-
-	"golang.org/x/sys/unix"
-	"google.golang.org/grpc/credentials"
-)
-
-// NewUnixTransportCredentials returns gRPC TransportCredentials that extract
-// peer UID from Unix socket connections via LOCAL_PEERCRED (Xucred).
-func NewUnixTransportCredentials() credentials.TransportCredentials {
-	return &unixCreds{}
-}
-
-type unixCreds struct{}
-
-func (c *unixCreds) ClientHandshake(_ context.Context, _ string, conn net.Conn) (net.Conn, credentials.AuthInfo, error) {
-	return conn, UnixAuthInfo{}, nil
-}
-
-// ServerHandshake extracts peer credentials from the Unix connection using LOCAL_PEERCRED.
-// Returns an error if credentials cannot be extracted (fail-closed).
-func (c *unixCreds) ServerHandshake(conn net.Conn) (net.Conn, credentials.AuthInfo, error) {
-	uc, ok := conn.(*net.UnixConn)
-	if !ok {
-		return nil, nil, fmt.Errorf("expected *net.UnixConn, got %T", conn)
-	}
-
-	raw, err := uc.SyscallConn()
-	if err != nil {
-		return nil, nil, fmt.Errorf("get raw conn for peer credentials: %w", err)
-	}
-
-	var xucred *unix.Xucred
-	var credErr error
-	if err := raw.Control(func(fd uintptr) {
-		xucred, credErr = unix.GetsockoptXucred(int(fd), unix.SOL_LOCAL, unix.LOCAL_PEERCRED)
-	}); err != nil {
-		return nil, nil, fmt.Errorf("control raw conn for peer credentials: %w", err)
-	}
-	if credErr != nil {
-		return nil, nil, fmt.Errorf("get peer credentials: %w", credErr)
-	}
-
-	return conn, UnixAuthInfo{
-		CommonAuthInfo: credentials.CommonAuthInfo{SecurityLevel: credentials.NoSecurity},
-		UID:            UID(xucred.Uid),
-	}, nil
-}
-
-func (c *unixCreds) Info() credentials.ProtocolInfo {
-	return credentials.ProtocolInfo{SecurityProtocol: "unix_peercred"}
-}
-
-func (c *unixCreds) Clone() credentials.TransportCredentials {
-	return &unixCreds{}
-}
-
-func (c *unixCreds) OverrideServerName(_ string) error {
-	return nil
-}
--- a/client/internal/owner/transport_generic.go
+++ b/client/internal/owner/transport_generic.go
@@ -1,11 +0,0 @@
-//go:build !linux && !darwin && !freebsd
-
-package owner
-
-import "google.golang.org/grpc/credentials"
-
-// NewUnixTransportCredentials returns nil on platforms without Unix socket peer credentials.
-// The daemon should use insecure credentials and skip owner enforcement.
-func NewUnixTransportCredentials() credentials.TransportCredentials {
-	return nil
-}
--- a/client/internal/owner/transport_linux.go
+++ b/client/internal/owner/transport_linux.go
@@ -1,66 +0,0 @@
-package owner
-
-import (
-	"context"
-	"fmt"
-	"net"
-
-	"golang.org/x/sys/unix"
-	"google.golang.org/grpc/credentials"
-)
-
-// NewUnixTransportCredentials returns gRPC TransportCredentials that extract
-// peer UID/GID/PID from Unix socket connections via SO_PEERCRED.
-func NewUnixTransportCredentials() credentials.TransportCredentials {
-	return &unixCreds{}
-}
-
-type unixCreds struct{}
-
-func (c *unixCreds) ClientHandshake(_ context.Context, _ string, conn net.Conn) (net.Conn, credentials.AuthInfo, error) {
-	return conn, UnixAuthInfo{}, nil
-}
-
-// ServerHandshake extracts peer credentials from the Unix connection.
-// Returns an error if credentials cannot be extracted (fail-closed).
-func (c *unixCreds) ServerHandshake(conn net.Conn) (net.Conn, credentials.AuthInfo, error) {
-	uc, ok := conn.(*net.UnixConn)
-	if !ok {
-		return nil, nil, fmt.Errorf("expected *net.UnixConn, got %T", conn)
-	}
-
-	raw, err := uc.SyscallConn()
-	if err != nil {
-		return nil, nil, fmt.Errorf("get raw conn for peer credentials: %w", err)
-	}
-
-	var ucred *unix.Ucred
-	var credErr error
-	if err := raw.Control(func(fd uintptr) {
-		ucred, credErr = unix.GetsockoptUcred(int(fd), unix.SOL_SOCKET, unix.SO_PEERCRED)
-	}); err != nil {
-		return nil, nil, fmt.Errorf("control raw conn for peer credentials: %w", err)
-	}
-	if credErr != nil {
-		return nil, nil, fmt.Errorf("get peer credentials: %w", credErr)
-	}
-
-	return conn, UnixAuthInfo{
-		CommonAuthInfo: credentials.CommonAuthInfo{SecurityLevel: credentials.NoSecurity},
-		UID:            UID(ucred.Uid),
-		GID:            ucred.Gid,
-		PID:            ucred.Pid,
-	}, nil
-}
-
-func (c *unixCreds) Info() credentials.ProtocolInfo {
-	return credentials.ProtocolInfo{SecurityProtocol: "unix_peercred"}
-}
-
-func (c *unixCreds) Clone() credentials.TransportCredentials {
-	return &unixCreds{}
-}
-
-func (c *unixCreds) OverrideServerName(_ string) error {
-	return nil
-}
--- a/client/internal/owner/transport_test.go
+++ b/client/internal/owner/transport_test.go
@@ -1,107 +0,0 @@
-package owner
-
-import (
-	"net"
-	"os"
-	"path/filepath"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-	"google.golang.org/grpc/credentials"
-)
-
-func TestUnixTransportCredentials_ServerHandshake(t *testing.T) {
-	creds := NewUnixTransportCredentials()
-	if creds == nil {
-		t.Skip("unix transport credentials not supported on this platform")
-	}
-
-	sockPath := filepath.Join(t.TempDir(), "test.sock")
-
-	ln, err := net.Listen("unix", sockPath)
-	require.NoError(t, err)
-	t.Cleanup(func() { ln.Close() })
-
-	done := make(chan struct{})
-	var serverConn net.Conn
-	var serverAuth credentials.AuthInfo
-	var serverErr error
-
-	go func() {
-		defer close(done)
-		raw, err := ln.Accept()
-		if err != nil {
-			serverErr = err
-			return
-		}
-		serverConn, serverAuth, serverErr = creds.ServerHandshake(raw)
-	}()
-
-	client, err := net.Dial("unix", sockPath)
-	require.NoError(t, err)
-	t.Cleanup(func() { client.Close() })
-
-	<-done
-	require.NoError(t, serverErr)
-	require.NotNil(t, serverConn)
-	t.Cleanup(func() { serverConn.Close() })
-
-	authInfo, ok := serverAuth.(UnixAuthInfo)
-	require.True(t, ok, "expected UnixAuthInfo, got %T", serverAuth)
-	assert.Equal(t, UID(os.Getuid()), authInfo.UID, "UID should match current user")
-}
-
-func TestUnixTransportCredentials_ServerHandshake_NonUnixConn(t *testing.T) {
-	creds := NewUnixTransportCredentials()
-	if creds == nil {
-		t.Skip("unix transport credentials not supported on this platform")
-	}
-
-	// Use a TCP connection, which is not *net.UnixConn.
-	ln, err := net.Listen("tcp", "127.0.0.1:0")
-	require.NoError(t, err)
-	t.Cleanup(func() { ln.Close() })
-
-	done := make(chan struct{})
-	var handshakeErr error
-
-	go func() {
-		defer close(done)
-		raw, err := ln.Accept()
-		if err != nil {
-			handshakeErr = err
-			return
-		}
-		defer raw.Close()
-		_, _, handshakeErr = creds.ServerHandshake(raw)
-	}()
-
-	client, err := net.Dial("tcp", ln.Addr().String())
-	require.NoError(t, err)
-	t.Cleanup(func() { client.Close() })
-
-	<-done
-	require.Error(t, handshakeErr, "ServerHandshake must fail for non-Unix connections")
-}
-
-func TestUnixTransportCredentials_Info(t *testing.T) {
-	creds := NewUnixTransportCredentials()
-	if creds == nil {
-		t.Skip("unix transport credentials not supported on this platform")
-	}
-
-	info := creds.Info()
-	assert.Equal(t, "unix_peercred", info.SecurityProtocol)
-}
-
-func TestUnixTransportCredentials_Clone(t *testing.T) {
-	creds := NewUnixTransportCredentials()
-	if creds == nil {
-		t.Skip("unix transport credentials not supported on this platform")
-	}
-
-	cloned := creds.Clone()
-	require.NotNil(t, cloned)
-	assert.Equal(t, creds.Info(), cloned.Info())
-}
--- a/client/internal/owner/uid.go
+++ b/client/internal/owner/uid.go
@@ -1,5 +0,0 @@
-package owner
-
-// UID is a Unix user ID. Defined as a distinct type so it can't be silently
-// swapped with GID, PID, or other uint32 values at call sites.
-type UID uint32
--- a/client/internal/peer/status.go
+++ b/client/internal/peer/status.go
@@ -111,6 +111,7 @@ type LocalPeerState struct {
 	PubKey          string
 	KernelInterface bool
 	FQDN            string
+	WgPort          int
 	Routes          map[string]struct{}
 }

@@ -310,8 +311,12 @@ func (d *Status) PeerByIP(ip string) (string, bool) {

 // PeerStateByIP returns the full peer State for the given tunnel IP.
 // Matches against either the IPv4 (State.IP) or IPv6 (State.IPv6) tunnel
-// address so dual-stack peers are reachable on either family. Returns the
-// zero State and false when no peer matches or the input is empty.
+// address so dual-stack peers are reachable on either family. Searches
+// both d.peers and d.offlinePeers — peers that have been moved into
+// the offline slice by ReplaceOfflinePeers are still part of the
+// account's roster and callers (DNS filter, embed.Client.IdentityForIP)
+// need to recognise them rather than treating them as unknown. Returns
+// the zero State and false when no peer matches or the input is empty.
 func (d *Status) PeerStateByIP(ip string) (State, bool) {
 	if ip == "" {
 		return State{}, false
@@ -324,6 +329,11 @@ func (d *Status) PeerStateByIP(ip string) (State, bool) {
 			return state, true
 		}
 	}
+	for _, state := range d.offlinePeers {
+		if (state.IP != "" && state.IP == ip) || (state.IPv6 != "" && state.IPv6 == ip) {
+			return state, true
+		}
+	}
 	return State{}, false
 }

@@ -1348,6 +1358,7 @@ func (fs FullStatus) ToProto() *proto.FullStatus {
 	pbFullStatus.LocalPeerState.PubKey = fs.LocalPeerState.PubKey
 	pbFullStatus.LocalPeerState.KernelInterface = fs.LocalPeerState.KernelInterface
 	pbFullStatus.LocalPeerState.Fqdn = fs.LocalPeerState.FQDN
+	pbFullStatus.LocalPeerState.WgPort = int32(fs.LocalPeerState.WgPort)
 	pbFullStatus.LocalPeerState.RosenpassPermissive = fs.RosenpassState.Permissive
 	pbFullStatus.LocalPeerState.RosenpassEnabled = fs.RosenpassState.Enabled
 	pbFullStatus.NumberOfForwardingRules = int32(fs.NumOfForwardingRules)
--- a/client/internal/peer/status_test.go
+++ b/client/internal/peer/status_test.go
@@ -90,6 +90,28 @@ func TestStatus_PeerStateByIP_MatchesIPv6(t *testing.T) {
 	req.Equal("pk-1", state.PubKey, "matching state must carry the right pub key")
 }

+// TestStatus_PeerStateByIP_MatchesOfflinePeers covers peers that have
+// been moved into the offline slice via ReplaceOfflinePeers. Callers
+// (DNS filter, embed.Client.IdentityForIP) need to treat them as known
+// rather than unknown — otherwise authentication / DNS filtering treats
+// known-but-offline peers as foreign IPs.
+func TestStatus_PeerStateByIP_MatchesOfflinePeers(t *testing.T) {
+	status := NewRecorder("https://mgm")
+	req := require.New(t)
+
+	status.ReplaceOfflinePeers([]State{
+		{PubKey: "pk-offline", FQDN: "offline.netbird", IP: "100.64.0.20", IPv6: "fd00::20"},
+	})
+
+	state, ok := status.PeerStateByIP("100.64.0.20")
+	req.True(ok, "offline peer must resolve by IPv4 tunnel address")
+	req.Equal("pk-offline", state.PubKey, "matching state must carry the offline peer's pub key")
+
+	state, ok = status.PeerStateByIP("fd00::20")
+	req.True(ok, "offline peer must resolve by IPv6 tunnel address")
+	req.Equal("pk-offline", state.PubKey, "IPv6 match must carry the offline peer's pub key")
+}
+
 func TestStatus_UpdatePeerFQDN(t *testing.T) {
 	key := "abc"
 	fqdn := "peer-a.netbird.local"
--- a/client/internal/portforward/pcp/nat.go
+++ b/client/internal/portforward/pcp/nat.go
@@ -179,8 +179,10 @@ func getDefaultGateway() (gateway net.IP, localIP net.IP, err error) {
 	}

 	dst := net.IPv4zero
-	if runtime.GOOS == "linux" {
-		// go-netroute v0.4.0 rejects unspecified destinations client-side on Linux.
+	if runtime.GOOS == "linux" || runtime.GOOS == "android" {
+		// go-netroute v0.4.0 rejects unspecified destinations client-side on Linux/Android.
+		// TODO: on android/ios, use platform APIs (ConnectivityManager.getLinkProperties /
+		// NWPathMonitor) when netlink-based lookup is restricted or unavailable.
 		dst = net.IPv4(0, 0, 0, 1)
 	}
 	_, gateway, localIP, err = router.Route(dst)
@@ -203,7 +205,7 @@ func getDefaultGateway6() (gateway net.IP, localIP net.IP, err error) {
 	}

 	dst := net.IPv6zero
-	if runtime.GOOS == "linux" {
+	if runtime.GOOS == "linux" || runtime.GOOS == "android" {
 		// ::2
 		dst = net.IP{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2}
 	}
--- a/client/internal/profilemanager/config.go
+++ b/client/internal/profilemanager/config.go
@@ -21,8 +21,8 @@ import (
 	log "github.com/sirupsen/logrus"

 	"github.com/netbirdio/netbird/client/iface"
-	"github.com/netbirdio/netbird/client/internal/owner"
 	"github.com/netbirdio/netbird/client/internal/routemanager/dynamic"
+	"github.com/netbirdio/netbird/client/mdm"
 	"github.com/netbirdio/netbird/client/ssh"
 	mgm "github.com/netbirdio/netbird/shared/management/client"
 	"github.com/netbirdio/netbird/shared/management/domain"
@@ -100,10 +100,6 @@ type ConfigInput struct {
 	LazyConnectionEnabled *bool

 	MTU *uint16
-
-	// OwnerUIDs sets the UIDs of users allowed to control the daemon.
-	// When non-nil, replaces the config's OwnerUIDs.
-	OwnerUIDs []owner.UID
 }

 // Config Configuration type
@@ -180,11 +176,22 @@ type Config struct {

 	MTU uint16

-	// OwnerUIDs controls who can perform privileged daemon operations via the gRPC socket.
-	// nil (absent from JSON): TOFU mode, first privileged caller claims ownership (backward compat for existing installs).
-	// [] (empty slice): root-only, no non-root owners until explicitly set via "netbird up --owner".
-	// [uid1, uid2, ...]: these UIDs plus root can perform privileged operations.
-	OwnerUIDs []owner.UID `json:"OwnerUIDs"`
+	// policy is the MDM policy that produced the currently-set values for
+	// any MDM-enforced fields. Set by applyMDMPolicy at the tail of apply()
+	// and reset on every apply() invocation. Never persisted to disk.
+	// Callers query enforcement state via Policy() and the mdm.Policy API
+	// (HasKey, ManagedKeys, IsEmpty).
+	policy *mdm.Policy `json:"-"`
+}
+
+// Policy returns the MDM policy applied to this Config. Returns a non-nil
+// empty Policy when MDM enforcement is inactive; callers can always invoke
+// HasKey / ManagedKeys / IsEmpty without a nil check.
+func (config *Config) Policy() *mdm.Policy {
+	if config == nil || config.policy == nil {
+		return mdm.NewPolicy(nil)
+	}
+	return config.policy
 }

 var ConfigDirOverride string
@@ -245,18 +252,10 @@ func fileExists(path string) (bool, error) {

 // createNewConfig creates a new config generating a new Wireguard key and saving to file
 func createNewConfig(input ConfigInput) (*Config, error) {
-	// Seed owner UIDs from environment if set (for MDM deployments),
-	// otherwise default to root-only (empty slice).
-	ownerUIDs := owner.OwnerUIDsFromEnv()
-	if ownerUIDs == nil {
-		ownerUIDs = []owner.UID{}
-	}
-
 	config := &Config{
 		// defaults to false only for new (post 0.26) configurations
 		ServerSSHAllowed: util.False(),
 		WgPort:           iface.DefaultWgPort,
-		OwnerUIDs:        ownerUIDs,
 	}

 	if _, err := config.apply(input); err != nil {
@@ -631,15 +630,98 @@ func (config *Config) apply(input ConfigInput) (updated bool, err error) {
 		updated = true
 	}

-	if input.OwnerUIDs != nil {
-		if !slices.Equal(config.OwnerUIDs, input.OwnerUIDs) {
-			log.Infof("updating owner UIDs to %v", input.OwnerUIDs)
-			config.OwnerUIDs = input.OwnerUIDs
-			updated = true
+	// MDM is the last override layer: any key present in the policy
+	// supersedes defaults, on-disk config, env vars and CLI input.
+	config.applyMDMPolicy(loadMDMPolicy())
+
+	return updated, nil
+}
+
+// loadMDMPolicy is the package-level indirection used by apply() to read the
+// active MDM policy. Tests override this to inject a fake policy.
+var loadMDMPolicy = mdm.LoadPolicy
+
+// applyMDMPolicy overlays MDM-supplied values on top of the resolved Config.
+// The provided Policy is also stored on the Config so callers can later query
+// which fields are enforced. Invalid values (e.g. malformed URLs) are logged
+// and skipped to avoid bricking the client; the field keeps its previous
+// resolved value but is still marked as managed (Policy.HasKey returns true
+// for the key, so per-field rejection of user writes still applies).
+func (config *Config) applyMDMPolicy(policy *mdm.Policy) {
+	config.policy = policy
+	if policy.IsEmpty() {
+		return
+	}
+
+	// Helper: log the application of a single MDM-managed key. Values for
+	// keys in mdm.SecretKeys are redacted.
+	logApplied := func(key string, displayValue any) {
+		if _, secret := mdm.SecretKeys[key]; secret {
+			log.Infof("MDM override %s = ********** (secret)", key)
+			return
+		}
+		log.Infof("MDM override %s = %v", key, displayValue)
+	}
+
+	if v, ok := policy.GetString(mdm.KeyManagementURL); ok {
+		if u, err := parseURL("Management URL", v); err != nil {
+			log.Warnf("MDM management URL %q invalid: %v; keeping previous value", v, err)
+		} else {
+			config.ManagementURL = u
+			logApplied(mdm.KeyManagementURL, u.String())
 		}
 	}

-	return updated, nil
+	if v, ok := policy.GetString(mdm.KeyPreSharedKey); ok {
+		// Defensive: refuse the redaction mask in case it round-tripped
+		// through a manifest by mistake.
+		if !isPreSharedKeyHidden(&v) {
+			config.PreSharedKey = v
+			logApplied(mdm.KeyPreSharedKey, "")
+		}
+	}
+
+	if v, ok := policy.GetBool(mdm.KeyAllowServerSSH); ok {
+		bv := v
+		config.ServerSSHAllowed = &bv
+		logApplied(mdm.KeyAllowServerSSH, bv)
+	}
+	if v, ok := policy.GetBool(mdm.KeyDisableClientRoutes); ok {
+		config.DisableClientRoutes = v
+		logApplied(mdm.KeyDisableClientRoutes, v)
+	}
+	if v, ok := policy.GetBool(mdm.KeyDisableServerRoutes); ok {
+		config.DisableServerRoutes = v
+		logApplied(mdm.KeyDisableServerRoutes, v)
+	}
+	if v, ok := policy.GetBool(mdm.KeyBlockInbound); ok {
+		config.BlockInbound = v
+		logApplied(mdm.KeyBlockInbound, v)
+	}
+	if v, ok := policy.GetBool(mdm.KeyDisableAutoConnect); ok {
+		config.DisableAutoConnect = v
+		logApplied(mdm.KeyDisableAutoConnect, v)
+	}
+	if v, ok := policy.GetBool(mdm.KeyRosenpassEnabled); ok {
+		config.RosenpassEnabled = v
+		logApplied(mdm.KeyRosenpassEnabled, v)
+	}
+	if v, ok := policy.GetBool(mdm.KeyRosenpassPermissive); ok {
+		config.RosenpassPermissive = v
+		logApplied(mdm.KeyRosenpassPermissive, v)
+	}
+
+	if v, ok := policy.GetInt(mdm.KeyWireguardPort); ok {
+		// REG_DWORD is 32-bit; UDP port range is 1-65535. Clamp at the
+		// upper bound and reject obviously-invalid values to avoid the
+		// engine binding to an unusable port if the admin pushes garbage.
+		if v >= 1 && v <= 65535 {
+			config.WgPort = int(v)
+			logApplied(mdm.KeyWireguardPort, v)
+		} else {
+			log.Warnf("MDM wireguard port %d out of range [1,65535]; keeping previous value", v)
+		}
+	}
 }

 // parseURL parses and validates a service URL
--- a/client/internal/profilemanager/config_mdm_test.go
+++ b/client/internal/profilemanager/config_mdm_test.go
@@ -0,0 +1,152 @@
+package profilemanager
+
+import (
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/netbirdio/netbird/client/mdm"
+)
+
+// withMDMPolicy temporarily overrides the package-level loadMDMPolicy hook so
+// apply() observes the supplied Policy. The original loader is restored at
+// test cleanup.
+func withMDMPolicy(t *testing.T, policy *mdm.Policy) {
+	t.Helper()
+	prev := loadMDMPolicy
+	loadMDMPolicy = func() *mdm.Policy { return policy }
+	t.Cleanup(func() { loadMDMPolicy = prev })
+}
+
+func TestApply_MDMEmpty_NoEnforcement(t *testing.T) {
+	withMDMPolicy(t, mdm.NewPolicy(nil))
+
+	cfg, err := UpdateOrCreateConfig(ConfigInput{
+		ConfigPath: filepath.Join(t.TempDir(), "config.json"),
+	})
+	require.NoError(t, err)
+	require.NotNil(t, cfg)
+
+	assert.True(t, cfg.Policy().IsEmpty(), "no MDM source ⇒ empty Policy")
+	assert.False(t, cfg.Policy().HasKey(mdm.KeyManagementURL))
+	assert.Empty(t, cfg.Policy().ManagedKeys())
+
+	// Default management URL still resolves.
+	assert.Equal(t, DefaultManagementURL, cfg.ManagementURL.String())
+}
+
+func TestApply_MDMOnly_OverridesDefaults(t *testing.T) {
+	const mdmURL = "https://corp.mdm.example.com:443"
+	withMDMPolicy(t, mdm.NewPolicy(map[string]any{
+		mdm.KeyManagementURL:       mdmURL,
+		mdm.KeyDisableClientRoutes: true,
+		mdm.KeyBlockInbound:        true,
+	}))
+
+	cfg, err := UpdateOrCreateConfig(ConfigInput{
+		ConfigPath: filepath.Join(t.TempDir(), "config.json"),
+	})
+	require.NoError(t, err)
+	require.NotNil(t, cfg)
+
+	assert.Equal(t, mdmURL, cfg.ManagementURL.String())
+	assert.True(t, cfg.DisableClientRoutes)
+	assert.True(t, cfg.BlockInbound)
+
+	assert.True(t, cfg.Policy().HasKey(mdm.KeyManagementURL))
+	assert.True(t, cfg.Policy().HasKey(mdm.KeyDisableClientRoutes))
+	assert.True(t, cfg.Policy().HasKey(mdm.KeyBlockInbound))
+	assert.False(t, cfg.Policy().HasKey(mdm.KeyAllowServerSSH))
+}
+
+func TestApply_MDMBeatsCLIInput(t *testing.T) {
+	const mdmURL = "https://mdm.example.com:443"
+	const cliURL = "https://cli.example.com:443"
+
+	withMDMPolicy(t, mdm.NewPolicy(map[string]any{
+		mdm.KeyManagementURL: mdmURL,
+	}))
+
+	cfg, err := UpdateOrCreateConfig(ConfigInput{
+		ConfigPath:    filepath.Join(t.TempDir(), "config.json"),
+		ManagementURL: cliURL,
+	})
+	require.NoError(t, err)
+	require.NotNil(t, cfg)
+
+	// MDM wins over CLI-supplied management URL.
+	assert.Equal(t, mdmURL, cfg.ManagementURL.String())
+	assert.True(t, cfg.Policy().HasKey(mdm.KeyManagementURL))
+}
+
+func TestApply_MDMInvalidURL_KeepsPreviousValue(t *testing.T) {
+	withMDMPolicy(t, mdm.NewPolicy(map[string]any{
+		mdm.KeyManagementURL: "not-a-url",
+	}))
+
+	cfg, err := UpdateOrCreateConfig(ConfigInput{
+		ConfigPath: filepath.Join(t.TempDir(), "config.json"),
+	})
+	require.NoError(t, err)
+	require.NotNil(t, cfg)
+
+	// Invalid MDM URL is logged and skipped: default URL stays in place
+	// to keep the client functional.
+	assert.Equal(t, DefaultManagementURL, cfg.ManagementURL.String())
+
+	// But the key is still considered MDM-managed (admin intent is to
+	// enforce, daemon rejects user writes to this field — phase-1 scaffolding
+	// reflects this by keeping Policy.HasKey true even on parse failure).
+	assert.True(t, cfg.Policy().HasKey(mdm.KeyManagementURL))
+}
+
+func TestApply_MDMBoolKeysOverrideOnDiskValue(t *testing.T) {
+	tmp := filepath.Join(t.TempDir(), "config.json")
+
+	// Seed without MDM.
+	withMDMPolicy(t, mdm.NewPolicy(nil))
+	_, err := UpdateOrCreateConfig(ConfigInput{
+		ConfigPath:          tmp,
+		DisableClientRoutes: boolPtr(false),
+		RosenpassEnabled:    boolPtr(false),
+	})
+	require.NoError(t, err)
+
+	// Now enable MDM enforcement for these keys.
+	withMDMPolicy(t, mdm.NewPolicy(map[string]any{
+		mdm.KeyDisableClientRoutes: true,
+		mdm.KeyRosenpassEnabled:    true,
+	}))
+
+	cfg, err := UpdateOrCreateConfig(ConfigInput{ConfigPath: tmp})
+	require.NoError(t, err)
+	require.NotNil(t, cfg)
+
+	assert.True(t, cfg.DisableClientRoutes, "MDM override should flip on-disk false to true")
+	assert.True(t, cfg.RosenpassEnabled)
+	assert.True(t, cfg.Policy().HasKey(mdm.KeyDisableClientRoutes))
+	assert.True(t, cfg.Policy().HasKey(mdm.KeyRosenpassEnabled))
+}
+
+func TestApply_MDMPreSharedKeyRedactionSentinelRejected(t *testing.T) {
+	const maskSentinel = "**********"
+
+	withMDMPolicy(t, mdm.NewPolicy(map[string]any{
+		mdm.KeyPreSharedKey: maskSentinel,
+	}))
+
+	cfg, err := UpdateOrCreateConfig(ConfigInput{
+		ConfigPath: filepath.Join(t.TempDir(), "config.json"),
+	})
+	require.NoError(t, err)
+	require.NotNil(t, cfg)
+
+	// Mask sentinel must not be persisted as the actual PSK.
+	assert.NotEqual(t, maskSentinel, cfg.PreSharedKey)
+	// Key still marked managed so user writes are still rejected.
+	assert.True(t, cfg.Policy().HasKey(mdm.KeyPreSharedKey))
+}
+
+func boolPtr(b bool) *bool { return &b }
--- a/client/internal/profilemanager/service.go
+++ b/client/internal/profilemanager/service.go
@@ -13,7 +13,6 @@ import (

 	log "github.com/sirupsen/logrus"

-	"github.com/netbirdio/netbird/client/internal/owner"
 	"github.com/netbirdio/netbird/util"
 )

@@ -244,10 +243,7 @@ func (s *ServiceManager) DefaultProfilePath() string {
 	return DefaultConfigPath
 }

-// AddProfile creates a new profile with the given name. inheritOwnerUIDs is
-// applied to the new profile's OwnerUIDs (pass the active profile's owners so
-// the caller stays authorized; pass nil to leave the default empty/env-seeded).
-func (s *ServiceManager) AddProfile(profileName, username string, inheritOwnerUIDs []owner.UID) error {
+func (s *ServiceManager) AddProfile(profileName, username string) error {
 	configDir, err := s.getConfigDir(username)
 	if err != nil {
 		return fmt.Errorf("failed to get config directory: %w", err)
@@ -268,7 +264,7 @@ func (s *ServiceManager) AddProfile(profileName, username string, inheritOwnerUI
 		return ErrProfileAlreadyExists
 	}

-	cfg, err := createNewConfig(ConfigInput{ConfigPath: profPath, OwnerUIDs: inheritOwnerUIDs})
+	cfg, err := createNewConfig(ConfigInput{ConfigPath: profPath})
 	if err != nil {
 		return fmt.Errorf("failed to create new config: %w", err)
 	}
--- a/client/internal/syncstore/disk.go
+++ b/client/internal/syncstore/disk.go
@@ -0,0 +1,99 @@
+package syncstore
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"os"
+	"path/filepath"
+	"sync"
+
+	log "github.com/sirupsen/logrus"
+	"google.golang.org/protobuf/proto"
+
+	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
+	"github.com/netbirdio/netbird/util"
+)
+
+// syncResponseFileName is the name of the file the sync response is serialized
+// to, placed inside the configured directory (the state directory).
+const syncResponseFileName = "networkmap.pb"
+
+// diskStore serializes the latest sync response to a file on disk instead of
+// keeping it in memory. This trades disk I/O for a much smaller memory
+// footprint, which matters on memory-constrained platforms (iOS).
+type diskStore struct {
+	mu   sync.Mutex
+	path string
+}
+
+// NewDiskStore returns a Store that serializes the sync response to a file in
+// the given directory. If dir is empty it falls back to the OS temp directory.
+//
+// Any file left over from a previous run is removed on construction so a fresh
+// store never reads stale data (e.g. another profile's network map).
+func NewDiskStore(dir string) Store {
+	if dir == "" {
+		dir = os.TempDir()
+	}
+	s := &diskStore{
+		path: filepath.Join(dir, syncResponseFileName),
+	}
+	if err := s.Clear(); err != nil {
+		log.Warnf("failed to clear stale sync response file: %v", err)
+	}
+	return s
+}
+
+func (s *diskStore) Set(resp *mgmProto.SyncResponse) error {
+	if resp == nil {
+		return s.Clear()
+	}
+
+	bs, err := proto.Marshal(resp)
+	if err != nil {
+		return fmt.Errorf("marshal sync response: %w", err)
+	}
+
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	if err := util.WriteBytesWithRestrictedPermission(context.Background(), s.path, bs); err != nil {
+		return fmt.Errorf("write sync response to %s: %w", s.path, err)
+	}
+
+	log.Debugf("sync response persisted to %s (%d bytes)", s.path, len(bs))
+	return nil
+}
+
+func (s *diskStore) Get() (*mgmProto.SyncResponse, error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	bs, err := os.ReadFile(s.path)
+	if err != nil {
+		if errors.Is(err, os.ErrNotExist) {
+			//nolint:nilnil // nil,nil means "nothing stored", per the Store contract; preserve the original behaviour
+			return nil, nil
+		}
+		return nil, fmt.Errorf("read sync response from %s: %w", s.path, err)
+	}
+
+	resp := &mgmProto.SyncResponse{}
+	if err := proto.Unmarshal(bs, resp); err != nil {
+		return nil, fmt.Errorf("unmarshal sync response: %w", err)
+	}
+
+	log.Debugf("retrieving latest sync response from %s (%d bytes)", s.path, len(bs))
+	return resp, nil
+}
+
+func (s *diskStore) Clear() error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	if err := os.Remove(s.path); err != nil && !errors.Is(err, os.ErrNotExist) {
+		return fmt.Errorf("remove sync response file %s: %w", s.path, err)
+	}
+	return nil
+}
--- a/client/internal/syncstore/factory_ios.go
+++ b/client/internal/syncstore/factory_ios.go
@@ -0,0 +1,9 @@
+//go:build ios
+
+package syncstore
+
+// New returns the platform default store. On iOS the sync response is
+// serialized to disk (in dir) to keep it out of the constrained process memory.
+func New(dir string) Store {
+	return NewDiskStore(dir)
+}
--- a/client/internal/syncstore/factory_other.go
+++ b/client/internal/syncstore/factory_other.go
@@ -0,0 +1,9 @@
+//go:build !ios
+
+package syncstore
+
+// New returns the platform default store. On all non-iOS platforms the sync
+// response is kept in memory; dir is unused.
+func New(_ string) Store {
+	return NewMemoryStore()
+}
--- a/client/internal/syncstore/memory.go
+++ b/client/internal/syncstore/memory.go
@@ -0,0 +1,56 @@
+package syncstore
+
+import (
+	"fmt"
+	"sync"
+
+	log "github.com/sirupsen/logrus"
+	"google.golang.org/protobuf/proto"
+
+	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
+)
+
+// memoryStore keeps the latest sync response in memory.
+type memoryStore struct {
+	mu     sync.RWMutex
+	latest *mgmProto.SyncResponse
+}
+
+// NewMemoryStore returns a Store that keeps the sync response in memory.
+func NewMemoryStore() Store {
+	return &memoryStore{}
+}
+
+func (s *memoryStore) Set(resp *mgmProto.SyncResponse) error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	s.latest = resp
+	return nil
+}
+
+func (s *memoryStore) Get() (*mgmProto.SyncResponse, error) {
+	s.mu.RLock()
+	latest := s.latest
+	s.mu.RUnlock()
+
+	if latest == nil {
+		//nolint:nilnil // nil,nil means "nothing stored", per the Store contract; preserve the original behaviour
+		return nil, nil
+	}
+
+	log.Debugf("retrieving latest sync response with size %d bytes", proto.Size(latest))
+	sr, ok := proto.Clone(latest).(*mgmProto.SyncResponse)
+	if !ok {
+		return nil, fmt.Errorf("clone sync response")
+	}
+	return sr, nil
+}
+
+func (s *memoryStore) Clear() error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	s.latest = nil
+	return nil
+}
--- a/client/internal/syncstore/syncstore.go
+++ b/client/internal/syncstore/syncstore.go
@@ -0,0 +1,29 @@
+// Package syncstore stores the latest Management sync response (which carries
+// the network map) for debug bundle generation.
+//
+// The storage backend is selected at build time per operating system: on iOS
+// the response is serialized to disk to keep it out of the (tightly
+// constrained) process memory, while on all other platforms it is kept in
+// memory. The backend is chosen by the New constructor; see factory_ios.go and
+// factory_other.go.
+package syncstore
+
+import (
+	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
+)
+
+// Store persists the latest sync response and returns it on demand.
+//
+// Implementations must be safe for concurrent use.
+type Store interface {
+	// Set stores the given sync response, replacing any previously stored one.
+	Set(resp *mgmProto.SyncResponse) error
+
+	// Get returns the stored sync response, or nil if none is stored.
+	// The returned value is an independent copy that the caller may retain.
+	Get() (*mgmProto.SyncResponse, error)
+
+	// Clear removes any stored sync response. It is safe to call when nothing
+	// is stored.
+	Clear() error
+}
--- a/client/internal/updater/manager.go
+++ b/client/internal/updater/manager.go
@@ -19,8 +19,6 @@ import (

 const (
 	latestVersion = "latest"
-	// this version will be ignored
-	developmentVersion = "development"
 )

 var errNoUpdateState = errors.New("no update state found")
@@ -483,7 +481,7 @@ func (m *Manager) loadAndDeleteUpdateState(ctx context.Context) (*UpdateState, e
 }

 func (m *Manager) shouldUpdate(updateVersion *v.Version, forceUpdate bool) bool {
-	if m.currentVersion == developmentVersion {
+	if version.IsDevelopmentVersion(m.currentVersion) {
 		log.Debugf("skipping auto-update, running development version")
 		return false
 	}
--- a/client/mdm/policy.go
+++ b/client/mdm/policy.go
@@ -0,0 +1,267 @@
+// Package mdm reads MDM-managed configuration from platform-native sources
+// (plist on macOS, registry on Windows, UserDefaults on iOS,
+// RestrictionsManager on Android). The returned Policy is consumed by
+// profilemanager.Config.apply() as the highest-priority override layer.
+//
+// An empty Policy (no source present, or source present with zero keys)
+// means no MDM enforcement is active and the client behaves as if the
+// feature did not exist.
+package mdm
+
+import (
+	"sort"
+	"strconv"
+	"strings"
+
+	log "github.com/sirupsen/logrus"
+)
+
+// Well-known policy keys. Names mirror the corresponding ConfigInput Go field
+// names (lowerCamelCase) so the daemon can map a Policy key directly to a
+// configuration field.
+const (
+	KeyManagementURL            = "managementURL"
+	KeyDisableUpdateSettings    = "disableUpdateSettings"
+	KeyDisableProfiles          = "disableProfiles"
+	KeyDisableNetworks          = "disableNetworks"
+	KeyDisableClientRoutes      = "disableClientRoutes"
+	KeyDisableServerRoutes      = "disableServerRoutes"
+	KeyBlockInbound             = "blockInbound"
+	KeyDisableMetricsCollection = "disableMetricsCollection"
+	KeyAllowServerSSH           = "allowServerSSH"
+	KeyDisableAutoConnect       = "disableAutoConnect"
+	KeyPreSharedKey             = "preSharedKey"
+	KeyRosenpassEnabled         = "rosenpassEnabled"
+	KeyRosenpassPermissive      = "rosenpassPermissive"
+	KeyWireguardPort            = "wireguardPort"
+
+	// Split tunnel is modeled as a single conceptual policy with two
+	// registry/plist values. KeySplitTunnelMode is the discriminator
+	// ("allow" or "disallow"); KeySplitTunnelApps is a comma-separated
+	// list of package names. The values are mutually exclusive by
+	// construction — only one mode can be set at a time.
+	KeySplitTunnelMode = "splitTunnelMode"
+	KeySplitTunnelApps = "splitTunnelApps"
+)
+
+// Split-tunnel mode literals (KeySplitTunnelMode values).
+const (
+	SplitTunnelModeAllow    = "allow"
+	SplitTunnelModeDisallow = "disallow"
+)
+
+// AllKeys is the set of recognised MDM keys. Unknown keys in a managed
+// configuration are ignored but logged.
+var AllKeys = []string{
+	KeyManagementURL,
+	KeyDisableUpdateSettings,
+	KeyDisableProfiles,
+	KeyDisableNetworks,
+	KeyDisableClientRoutes,
+	KeyDisableServerRoutes,
+	KeyBlockInbound,
+	KeyDisableMetricsCollection,
+	KeyAllowServerSSH,
+	KeyDisableAutoConnect,
+	KeyPreSharedKey,
+	KeyRosenpassEnabled,
+	KeyRosenpassPermissive,
+	KeyWireguardPort,
+	KeySplitTunnelMode,
+	KeySplitTunnelApps,
+}
+
+// SecretKeys lists keys whose values must be redacted in logs.
+var SecretKeys = map[string]struct{}{
+	KeyPreSharedKey: {},
+}
+
+// canonicalKey maps the lowercase form of a managed-config value name to its
+// canonical mdm.Key* form. Admins commonly write PascalCase value names in
+// ADMX / Group Policy ("ManagementURL"), the iOS/AppConfig and macOS plist
+// conventions are camelCase ("managementURL"); both must resolve to the
+// same Policy lookup. Shared across all platform loaders.
+var canonicalKey = func() map[string]string {
+	m := make(map[string]string, len(AllKeys))
+	for _, k := range AllKeys {
+		m[strings.ToLower(k)] = k
+	}
+	return m
+}()
+
+// Policy holds MDM-managed settings read from the platform source. A nil or
+// empty Policy means no enforcement is active.
+type Policy struct {
+	values map[string]any
+}
+
+// NewPolicy constructs a Policy from a key→value map. Pass nil or an empty
+// map to construct an empty (no-enforcement) Policy.
+func NewPolicy(values map[string]any) *Policy {
+	if values == nil {
+		values = map[string]any{}
+	}
+	return &Policy{values: values}
+}
+
+// LoadPolicy reads the platform-native MDM configuration. Returns an empty
+// (but non-nil) Policy when no source is present, the source is empty, or
+// the platform is unsupported.
+//
+// Diagnostic logging differentiates the three states:
+//   - source absent / unsupported platform: trace log only
+//   - source present, zero keys:             info "MDM enrolled (no managed keys)"
+//   - source present, N keys:                info "MDM enrolled with N managed keys: [...]"
+func LoadPolicy() *Policy {
+	values, err := loadPlatformPolicy()
+	if err != nil {
+		log.Tracef("MDM policy load: %v", err)
+		return &Policy{values: map[string]any{}}
+	}
+	if values == nil {
+		return &Policy{values: map[string]any{}}
+	}
+	if len(values) == 0 {
+		log.Info("MDM enrolled (no managed keys)")
+	} else {
+		log.Infof("MDM enrolled with %d managed key(s): %v", len(values), sortedKeys(values))
+	}
+	return &Policy{values: values}
+}
+
+// IsEmpty reports whether the Policy has no managed keys.
+func (p *Policy) IsEmpty() bool {
+	return p == nil || len(p.values) == 0
+}
+
+// HasKey reports whether the given key is MDM-managed.
+func (p *Policy) HasKey(key string) bool {
+	if p == nil {
+		return false
+	}
+	_, ok := p.values[key]
+	return ok
+}
+
+// ManagedKeys returns the sorted list of managed key names. Returns an empty
+// slice (not nil) on an empty Policy.
+func (p *Policy) ManagedKeys() []string {
+	if p == nil {
+		return []string{}
+	}
+	return sortedKeys(p.values)
+}
+
+// GetString returns the managed value for key coerced to string, and whether
+// the key was set. A non-string value returns ("", false).
+func (p *Policy) GetString(key string) (string, bool) {
+	if p == nil {
+		return "", false
+	}
+	v, ok := p.values[key]
+	if !ok {
+		return "", false
+	}
+	s, ok := v.(string)
+	if !ok || s == "" {
+		return "", false
+	}
+	return s, true
+}
+
+// GetBool returns the managed value for key coerced to bool, and whether the
+// key was set. Accepts native bool and string literals "true"/"false"/"1"/"0".
+func (p *Policy) GetBool(key string) (bool, bool) {
+	if p == nil {
+		return false, false
+	}
+	v, ok := p.values[key]
+	if !ok {
+		return false, false
+	}
+	switch t := v.(type) {
+	case bool:
+		return t, true
+	case string:
+		switch t {
+		case "true", "1", "yes":
+			return true, true
+		case "false", "0", "no":
+			return false, true
+		}
+	case int:
+		return t != 0, true
+	case int64:
+		return t != 0, true
+	}
+	return false, false
+}
+
+// GetInt returns the managed value for key as int64, and whether the key
+// was set. Accepts native int / int64 (as produced by the Windows registry
+// loader for REG_DWORD/REG_QWORD) and numeric strings (decimal).
+func (p *Policy) GetInt(key string) (int64, bool) {
+	if p == nil {
+		return 0, false
+	}
+	v, ok := p.values[key]
+	if !ok {
+		return 0, false
+	}
+	switch t := v.(type) {
+	case int64:
+		return t, true
+	case int:
+		return int64(t), true
+	case int32:
+		return int64(t), true
+	case uint64:
+		return int64(t), true
+	case float64:
+		return int64(t), true
+	case string:
+		if n, err := strconv.ParseInt(t, 10, 64); err == nil {
+			return n, true
+		}
+	}
+	return 0, false
+}
+
+// GetStringSlice returns the managed value for key as []string, and whether
+// the key was set. Accepts []string, []any (of strings), and a single string
+// (treated as a one-element list).
+func (p *Policy) GetStringSlice(key string) ([]string, bool) {
+	if p == nil {
+		return nil, false
+	}
+	v, ok := p.values[key]
+	if !ok {
+		return nil, false
+	}
+	switch t := v.(type) {
+	case []string:
+		return append([]string(nil), t...), true
+	case []any:
+		out := make([]string, 0, len(t))
+		for _, item := range t {
+			s, ok := item.(string)
+			if !ok {
+				return nil, false
+			}
+			out = append(out, s)
+		}
+		return out, true
+	case string:
+		return []string{t}, true
+	}
+	return nil, false
+}
+
+func sortedKeys(m map[string]any) []string {
+	out := make([]string, 0, len(m))
+	for k := range m {
+		out = append(out, k)
+	}
+	sort.Strings(out)
+	return out
+}
--- a/client/mdm/policy_darwin.go
+++ b/client/mdm/policy_darwin.go
@@ -0,0 +1,88 @@
+//go:build darwin && !ios
+
+package mdm
+
+import (
+	"errors"
+	"fmt"
+	"io/fs"
+	"os"
+	"strings"
+
+	log "github.com/sirupsen/logrus"
+	"howett.net/plist"
+)
+
+// policyPlistPath is the well-known location where macOS writes the
+// device-level mandatory MDM payload for NetBird. The path is fixed by
+// Apple convention: when an MDM provider (Jamf / Kandji / Mosyle /
+// Intune for Mac / Workspace ONE) pushes a Configuration Profile that
+// contains a com.apple.ManagedClient.preferences payload targeting the
+// bundle id io.netbird.client, the OS materializes the payload here.
+//
+// Read-only — only the OS (root) is supposed to write this file. The
+// loader sanity-checks the file mode and refuses to honour a world-
+// writable plist, as a defense against tampered installs.
+const policyPlistPath = "/Library/Managed Preferences/io.netbird.client.plist"
+
+// loadPlatformPolicy reads the MDM-managed configuration from the macOS
+// managed-preferences plist. Returns:
+//   - (nil, nil)  when the plist is absent (device not MDM-enrolled for
+//     NetBird, or admin has not yet pushed a payload)
+//   - (map, nil)  with N entries when N managed values are present
+//     (N may be 0 — empty plist still signals enrollment to the caller)
+//   - (nil, err)  on permission / parse / safety errors
+//
+// Value-type coercion mirrors the Windows loader: native plist types
+// map naturally onto the Policy accessor expectations (GetString /
+// GetBool / GetInt / GetStringSlice). Unknown top-level keys are
+// logged and skipped so a stray entry in the payload does not block
+// startup.
+func loadPlatformPolicy() (map[string]any, error) {
+	f, err := os.Open(policyPlistPath)
+	if err != nil {
+		if errors.Is(err, fs.ErrNotExist) {
+			// Not enrolled for NetBird. Caller treats nil as
+			// "no MDM source present".
+			return nil, nil
+		}
+		return nil, fmt.Errorf("open %s: %w", policyPlistPath, err)
+	}
+	defer func() {
+		if closeErr := f.Close(); closeErr != nil {
+			log.Warnf("MDM close plist %s: %v", policyPlistPath, closeErr)
+		}
+	}()
+
+	info, err := f.Stat()
+	if err != nil {
+		return nil, fmt.Errorf("stat %s: %w", policyPlistPath, err)
+	}
+	// World-writable plist => tampered install. Refuse rather than
+	// honour potentially attacker-controlled policy values.
+	if info.Mode().Perm()&0o002 != 0 {
+		return nil, fmt.Errorf("refusing to read world-writable MDM source %s (mode %o)",
+			policyPlistPath, info.Mode().Perm())
+	}
+
+	raw := make(map[string]any)
+	if err := plist.NewDecoder(f).Decode(&raw); err != nil {
+		return nil, fmt.Errorf("decode plist %s: %w", policyPlistPath, err)
+	}
+
+	out := make(map[string]any, len(raw))
+	for name, val := range raw {
+		// macOS / AppConfig conventions both use camelCase for managed
+		// preferences keys; canonicalize to the mdm.Key* form so a key
+		// written as "ManagementURL" (PascalCase, rare on macOS but
+		// possible if the admin reused an ADMX-style name) still
+		// resolves.
+		canonical, known := canonicalKey[strings.ToLower(name)]
+		if !known {
+			log.Warnf("MDM ignoring unknown plist key %s: %s", policyPlistPath, name)
+			continue
+		}
+		out[canonical] = val
+	}
+	return out, nil
+}
--- a/client/mdm/policy_mobile.go
+++ b/client/mdm/policy_mobile.go
@@ -0,0 +1,12 @@
+//go:build ios || android
+
+package mdm
+
+// loadPlatformPolicy is unused on mobile: the native layer (Swift on iOS,
+// Kotlin/Java on Android) reads the OS managed-config store and pushes the
+// resulting dictionary in-process via a gomobile entry point that lands in
+// Phase 5 / Phase 6. The stub keeps the package compilable for mobile
+// build targets.
+func loadPlatformPolicy() (map[string]any, error) {
+	return nil, nil
+}
--- a/client/mdm/policy_other.go
+++ b/client/mdm/policy_other.go
@@ -0,0 +1,10 @@
+//go:build !windows && !darwin && !ios && !android
+
+package mdm
+
+// loadPlatformPolicy returns no policy on platforms without an MDM channel
+// (Linux, FreeBSD). MDM enforcement is off and the client behaves as if
+// the feature did not exist.
+func loadPlatformPolicy() (map[string]any, error) {
+	return nil, nil
+}
--- a/client/mdm/policy_test.go
+++ b/client/mdm/policy_test.go
@@ -0,0 +1,160 @@
+package mdm
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestPolicy_NilSafe(t *testing.T) {
+	var p *Policy
+	assert.True(t, p.IsEmpty())
+	assert.False(t, p.HasKey(KeyManagementURL))
+	assert.Empty(t, p.ManagedKeys())
+
+	_, ok := p.GetString(KeyManagementURL)
+	assert.False(t, ok)
+	_, ok = p.GetBool(KeyDisableProfiles)
+	assert.False(t, ok)
+	_, ok = p.GetStringSlice(KeySplitTunnelApps)
+	assert.False(t, ok)
+}
+
+func TestPolicy_Empty(t *testing.T) {
+	p := NewPolicy(nil)
+	require.NotNil(t, p)
+	assert.True(t, p.IsEmpty())
+	assert.False(t, p.HasKey(KeyManagementURL))
+	assert.Empty(t, p.ManagedKeys())
+}
+
+func TestPolicy_HasKey(t *testing.T) {
+	p := NewPolicy(map[string]any{
+		KeyManagementURL:    "https://corp.example.com",
+		KeyDisableProfiles:  true,
+	})
+	assert.False(t, p.IsEmpty())
+	assert.True(t, p.HasKey(KeyManagementURL))
+	assert.True(t, p.HasKey(KeyDisableProfiles))
+	assert.False(t, p.HasKey(KeyPreSharedKey))
+}
+
+func TestPolicy_ManagedKeysSorted(t *testing.T) {
+	p := NewPolicy(map[string]any{
+		KeyDisableProfiles: true,
+		KeyManagementURL:   "https://x",
+		KeyAllowServerSSH:  false,
+	})
+	got := p.ManagedKeys()
+	assert.Equal(t, []string{KeyAllowServerSSH, KeyDisableProfiles, KeyManagementURL}, got)
+}
+
+func TestPolicy_GetString(t *testing.T) {
+	p := NewPolicy(map[string]any{
+		KeyManagementURL:   "https://corp.example.com",
+		KeyDisableProfiles: true,            // wrong type for GetString
+		KeyPreSharedKey:        "",              // empty rejected
+	})
+	v, ok := p.GetString(KeyManagementURL)
+	assert.True(t, ok)
+	assert.Equal(t, "https://corp.example.com", v)
+
+	_, ok = p.GetString(KeyDisableProfiles)
+	assert.False(t, ok, "non-string value must not be reported as string")
+
+	_, ok = p.GetString(KeyPreSharedKey)
+	assert.False(t, ok, "empty string treated as unset")
+
+	_, ok = p.GetString("nonexistent")
+	assert.False(t, ok)
+}
+
+func TestPolicy_GetBool(t *testing.T) {
+	cases := []struct {
+		name string
+		raw  any
+		want bool
+		ok   bool
+	}{
+		{"native true", true, true, true},
+		{"native false", false, false, true},
+		{"string true", "true", true, true},
+		{"string false", "false", false, true},
+		{"string 1", "1", true, true},
+		{"string 0", "0", false, true},
+		{"string yes", "yes", true, true},
+		{"string no", "no", false, true},
+		{"int nonzero", 1, true, true},
+		{"int zero", 0, false, true},
+		{"int64 nonzero", int64(2), true, true},
+		{"int64 zero", int64(0), false, true},
+		{"string garbage", "maybe", false, false},
+		{"float unsupported", 1.0, false, false},
+	}
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			p := NewPolicy(map[string]any{KeyDisableProfiles: c.raw})
+			got, ok := p.GetBool(KeyDisableProfiles)
+			assert.Equal(t, c.ok, ok)
+			if c.ok {
+				assert.Equal(t, c.want, got)
+			}
+		})
+	}
+
+	_, ok := NewPolicy(nil).GetBool(KeyDisableProfiles)
+	assert.False(t, ok)
+}
+
+func TestPolicy_GetStringSlice(t *testing.T) {
+	t.Run("native string slice", func(t *testing.T) {
+		p := NewPolicy(map[string]any{
+			KeySplitTunnelApps: []string{"com.a", "com.b"},
+		})
+		got, ok := p.GetStringSlice(KeySplitTunnelApps)
+		assert.True(t, ok)
+		assert.Equal(t, []string{"com.a", "com.b"}, got)
+	})
+
+	t.Run("any slice of strings", func(t *testing.T) {
+		p := NewPolicy(map[string]any{
+			KeySplitTunnelApps: []any{"com.a", "com.b"},
+		})
+		got, ok := p.GetStringSlice(KeySplitTunnelApps)
+		assert.True(t, ok)
+		assert.Equal(t, []string{"com.a", "com.b"}, got)
+	})
+
+	t.Run("single string lifts to one-element slice", func(t *testing.T) {
+		p := NewPolicy(map[string]any{
+			KeySplitTunnelApps: "com.a",
+		})
+		got, ok := p.GetStringSlice(KeySplitTunnelApps)
+		assert.True(t, ok)
+		assert.Equal(t, []string{"com.a"}, got)
+	})
+
+	t.Run("mixed any slice rejected", func(t *testing.T) {
+		p := NewPolicy(map[string]any{
+			KeySplitTunnelApps: []any{"com.a", 1},
+		})
+		_, ok := p.GetStringSlice(KeySplitTunnelApps)
+		assert.False(t, ok)
+	})
+
+	t.Run("missing key", func(t *testing.T) {
+		p := NewPolicy(nil)
+		_, ok := p.GetStringSlice(KeySplitTunnelApps)
+		assert.False(t, ok)
+	})
+}
+
+func TestLoadPolicy_PlatformStubReturnsEmpty(t *testing.T) {
+	// loadPlatformPolicy is a stub on every OS for Phase 1. LoadPolicy must
+	// degrade gracefully and never return nil.
+	p := LoadPolicy()
+	require.NotNil(t, p)
+	assert.True(t, p.IsEmpty())
+	assert.Empty(t, p.ManagedKeys())
+}
--- a/client/mdm/policy_windows.go
+++ b/client/mdm/policy_windows.go
@@ -0,0 +1,99 @@
+//go:build windows
+
+package mdm
+
+import (
+	"errors"
+	"fmt"
+	"strings"
+
+	log "github.com/sirupsen/logrus"
+	"golang.org/x/sys/windows/registry"
+)
+
+// policyRegistryPath is the well-known MDM policy registry key for NetBird.
+// Admins push values here through Group Policy, Intune ADMX ingestion, an
+// Intune custom Registry CSP profile, or `reg add` during MSI deployment.
+// Listed in the project's docs/mdm/netbird.admx schema.
+const policyRegistryPath = `Software\Policies\NetBird`
+
+// loadPlatformPolicy reads the MDM-managed configuration from the Windows
+// registry under HKLM\Software\Policies\NetBird. Returns:
+//   - (nil, nil)  when the key is absent (device not MDM-enrolled for NetBird)
+//   - (map, nil)  with N entries when N managed values are set (N may be 0)
+//   - (nil, err)  on any other registry error
+//
+// Type coercion of registry value types into the Policy map:
+//   - REG_SZ        -> string
+//   - REG_EXPAND_SZ -> string (expanded by the registry API)
+//   - REG_DWORD     -> int64 (caller's GetBool handles 0/!=0 coercion)
+//   - REG_QWORD     -> int64
+//   - REG_MULTI_SZ  -> []string
+//
+// Unsupported value types (REG_BINARY, REG_NONE, ...) are skipped with a
+// warning so a malformed deployment does not block startup.
+func loadPlatformPolicy() (map[string]any, error) {
+	k, err := registry.OpenKey(registry.LOCAL_MACHINE, policyRegistryPath, registry.QUERY_VALUE)
+	if err != nil {
+		if errors.Is(err, registry.ErrNotExist) {
+			// Not enrolled. Caller treats nil as "no MDM source present".
+			return nil, nil
+		}
+		return nil, fmt.Errorf("open %s: %w", policyRegistryPath, err)
+	}
+	defer func() {
+		if closeErr := k.Close(); closeErr != nil {
+			log.Warnf("MDM close registry key %s: %v", policyRegistryPath, closeErr)
+		}
+	}()
+
+	names, err := k.ReadValueNames(-1)
+	if err != nil {
+		return nil, fmt.Errorf("enumerate values of %s: %w", policyRegistryPath, err)
+	}
+
+	out := make(map[string]any, len(names))
+	for _, name := range names {
+		// Canonicalize the registry value name against the known MDM key
+		// set so Policy.HasKey lookups (which use the canonical names)
+		// succeed regardless of the casing used by the admin's ADMX or
+		// `reg add` command.
+		canonical, known := canonicalKey[strings.ToLower(name)]
+		if !known {
+			log.Warnf("MDM ignoring unknown registry value %s\\%s", policyRegistryPath, name)
+			continue
+		}
+
+		_, valType, err := k.GetValue(name, nil)
+		if err != nil {
+			log.Warnf("MDM stat %s\\%s: %v", policyRegistryPath, name, err)
+			continue
+		}
+		switch valType {
+		case registry.SZ, registry.EXPAND_SZ:
+			if v, _, err := k.GetStringValue(name); err == nil {
+				out[canonical] = v
+			} else {
+				log.Warnf("MDM read string %s\\%s: %v", policyRegistryPath, name, err)
+			}
+		case registry.DWORD, registry.QWORD:
+			if v, _, err := k.GetIntegerValue(name); err == nil {
+				// uint64 from the registry API; Policy.GetBool / GetInt
+				// helpers consume int64, so narrow safely.
+				out[canonical] = int64(v)
+			} else {
+				log.Warnf("MDM read int %s\\%s: %v", policyRegistryPath, name, err)
+			}
+		case registry.MULTI_SZ:
+			if v, _, err := k.GetStringsValue(name); err == nil {
+				out[canonical] = v
+			} else {
+				log.Warnf("MDM read multi-string %s\\%s: %v", policyRegistryPath, name, err)
+			}
+		default:
+			log.Warnf("MDM ignoring unsupported registry value type %d at %s\\%s",
+				valType, policyRegistryPath, name)
+		}
+	}
+	return out, nil
+}
--- a/client/mdm/ticker.go
+++ b/client/mdm/ticker.go
@@ -0,0 +1,140 @@
+package mdm
+
+import (
+	"context"
+	"reflect"
+	"sort"
+	"testing"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+)
+
+// defaultReloadInterval is the production cadence at which the desktop daemon
+// re-reads the OS-native MDM policy. Picked to balance responsiveness against
+// registry/plist I/O overhead. Mobile builds use OS-side notifications
+// instead and bypass this ticker entirely. Unexported on purpose: callers do
+// not pass it — NewTicker owns the default (see reloadInterval).
+const defaultReloadInterval = 1 * time.Minute
+
+// testReloadInterval is the cadence used under `go test` (detected via
+// testing.Testing()) so the reload path is exercised in seconds rather than
+// minutes. It has no effect on production builds, where testing.Testing()
+// always returns false.
+const testReloadInterval = 1 * time.Second
+
+// reloadInterval returns the production cadence, or the accelerated test
+// cadence when running under `go test`. Centralising the choice here keeps
+// the prod/test split in one place and out of the ticker's call sites.
+func reloadInterval() time.Duration {
+	if testing.Testing() {
+		return testReloadInterval
+	}
+	return defaultReloadInterval
+}
+
+// policyLoader is the indirection through which the ticker reads the
+// OS-native policy, both for the initial observation and on every tick.
+// Production points it at LoadPolicy; tests in this package override it to
+// feed a scripted sequence of policies without touching the real OS store.
+var policyLoader = LoadPolicy
+
+// Ticker periodically re-reads the OS-native MDM policy via LoadPolicy and
+// invokes onChange whenever the observed Policy diverges from the last
+// observation (added / removed / changed keys). Launch with Run from a
+// goroutine; cancel the supplied context to stop.
+type Ticker struct {
+	interval time.Duration
+	onChange func(prev, curr *Policy)
+	prev     *Policy
+}
+
+// NewTicker constructs a Ticker that re-reads the OS-native policy every
+// reloadInterval() and invokes onChange on any diff. The cadence is owned by
+// reloadInterval (production default, accelerated under `go test`); callers
+// do not supply it. onChange may be nil for a log-only ticker.
+func NewTicker(onChange func(prev, curr *Policy)) *Ticker {
+	return &Ticker{
+		interval: reloadInterval(),
+		onChange: onChange,
+		prev:     policyLoader(),
+	}
+}
+
+// Run blocks until ctx is cancelled, polling the OS-native policy store at
+// the configured cadence and emitting log lines + onChange callback on
+// every observed diff.
+func (t *Ticker) Run(ctx context.Context) {
+	tk := time.NewTicker(t.interval)
+	defer tk.Stop()
+	log.Infof("MDM policy reload ticker started (interval=%s)", t.interval)
+	for {
+		select {
+		case <-ctx.Done():
+			log.Info("MDM policy reload ticker stopped")
+			return
+		case <-tk.C:
+			curr := policyLoader()
+			if PoliciesEqual(t.prev, curr) {
+				continue
+			}
+			added, removed, changed := diffPolicies(t.prev, curr)
+			log.Infof("MDM policy changed: added=%v removed=%v changed=%v",
+				added, removed, changed)
+			prev := t.prev
+			t.prev = curr
+			if t.onChange != nil {
+				t.onChange(prev, curr)
+			}
+		}
+	}
+}
+
+// PoliciesEqual reports whether two Policy instances carry the same managed
+// key set with identical values. Nil and empty policies compare equal.
+func PoliciesEqual(a, b *Policy) bool {
+	if a.IsEmpty() && b.IsEmpty() {
+		return true
+	}
+	if a == nil || b == nil {
+		return false
+	}
+	return reflect.DeepEqual(a.values, b.values)
+}
+
+// diffPolicies returns the keys added in curr, removed from prev, and whose
+// value changed. Returned slices are sorted for stable log output.
+func diffPolicies(prev, curr *Policy) (added, removed, changed []string) {
+	prevKeys := mapOf(prev)
+	currKeys := mapOf(curr)
+	for k := range currKeys {
+		if _, ok := prevKeys[k]; !ok {
+			added = append(added, k)
+		} else if !reflect.DeepEqual(prevKeys[k], currKeys[k]) {
+			changed = append(changed, k)
+		}
+	}
+	for k := range prevKeys {
+		if _, ok := currKeys[k]; !ok {
+			removed = append(removed, k)
+		}
+	}
+	sort.Strings(added)
+	sort.Strings(removed)
+	sort.Strings(changed)
+	return added, removed, changed
+}
+
+// mapOf returns a (possibly empty, never nil) copy of the underlying values
+// map of a Policy so callers outside this package can compare across the
+// public Policy boundary without touching unexported state.
+func mapOf(p *Policy) map[string]any {
+	if p == nil {
+		return map[string]any{}
+	}
+	out := make(map[string]any, len(p.values))
+	for k, v := range p.values {
+		out[k] = v
+	}
+	return out
+}
--- a/client/mdm/ticker_test.go
+++ b/client/mdm/ticker_test.go
@@ -0,0 +1,100 @@
+package mdm
+
+import (
+	"context"
+	"sync"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// withPolicyLoader overrides the package-level policyLoader for the duration
+// of the test so the ticker observes a scripted policy instead of the real
+// OS-native store. The original loader is restored on cleanup.
+func withPolicyLoader(t *testing.T, fn func() *Policy) {
+	t.Helper()
+	prev := policyLoader
+	policyLoader = fn
+	t.Cleanup(func() { policyLoader = prev })
+}
+
+func TestTicker_UsesTestCadenceUnderGoTest(t *testing.T) {
+	withPolicyLoader(t, func() *Policy { return NewPolicy(nil) })
+
+	// Under `go test`, testing.Testing() is true so reloadInterval() returns
+	// the accelerated 1s cadence instead of the minute-long production
+	// default — this is what makes the reload path observable without a real
+	// wall-clock wait.
+	assert.Equal(t, testReloadInterval, reloadInterval())
+	assert.Equal(t, testReloadInterval, NewTicker(nil).interval)
+}
+
+func TestTicker_FiresOnChangeWithDelta(t *testing.T) {
+	var mu sync.Mutex
+	current := NewPolicy(nil) // initial observation: empty (no enforcement)
+	withPolicyLoader(t, func() *Policy {
+		mu.Lock()
+		defer mu.Unlock()
+		return current
+	})
+
+	type change struct{ prev, curr *Policy }
+	changes := make(chan change, 1)
+	tk := NewTicker(func(prev, curr *Policy) {
+		select {
+		case changes <- change{prev, curr}:
+		default:
+		}
+	})
+	require.Equal(t, testReloadInterval, tk.interval)
+
+	ctx, cancel := context.WithCancel(context.Background())
+	done := make(chan struct{})
+	go func() { tk.Run(ctx); close(done) }()
+	// Stop Run and wait for it to exit before returning, so the policyLoader
+	// restore in t.Cleanup can't race the ticker goroutine still reading it.
+	defer func() { cancel(); <-done }()
+
+	// Flip the OS-observed policy from empty to one managed key. The next
+	// tick must detect the diff and invoke onChange.
+	mu.Lock()
+	current = NewPolicy(map[string]any{KeyManagementURL: "https://mdm.example.com:443"})
+	mu.Unlock()
+
+	select {
+	case c := <-changes:
+		assert.True(t, c.prev.IsEmpty(), "prev should be the initial empty policy")
+		assert.True(t, c.curr.HasKey(KeyManagementURL), "curr should carry the newly-pushed managed key")
+	case <-time.After(5 * time.Second):
+		t.Fatal("onChange not invoked within 5s; ticker should fire every 1s under test")
+	}
+}
+
+func TestTicker_NoCallbackWhenPolicyUnchanged(t *testing.T) {
+	withPolicyLoader(t, func() *Policy {
+		return NewPolicy(map[string]any{KeyBlockInbound: true})
+	})
+
+	fired := make(chan struct{}, 1)
+	tk := NewTicker(func(_, _ *Policy) {
+		select {
+		case fired <- struct{}{}:
+		default:
+		}
+	})
+
+	ctx, cancel := context.WithCancel(context.Background())
+	done := make(chan struct{})
+	go func() { tk.Run(ctx); close(done) }()
+	defer func() { cancel(); <-done }()
+
+	// Over ~2 ticks at the 1s test cadence the policy never changes, so the
+	// diff guard must suppress the callback entirely.
+	select {
+	case <-fired:
+		t.Fatal("onChange fired despite an unchanged policy")
+	case <-time.After(2500 * time.Millisecond):
+	}
+}
--- a/client/proto/daemon.pb.go
+++ b/client/proto/daemon.pb.go
--- a/client/proto/daemon.proto
+++ b/client/proto/daemon.proto
@@ -91,15 +91,6 @@ service DaemonService {

  rpc GetActiveProfile(GetActiveProfileRequest) returns (GetActiveProfileResponse) {}

-  // AddOwner adds a UID to the active profile's owner list. Requires
-  // root or an existing owner.
-  rpc AddOwner(AddOwnerRequest) returns (AddOwnerResponse) {}
-
-  // ResetOwner clears the active profile's owner list, returning it to
-  // the unconfigured state. The next call from the active console-session
-  // user will then re-claim ownership. Requires root.
-  rpc ResetOwner(ResetOwnerRequest) returns (ResetOwnerResponse) {}
-
  // Logout disconnects from the network and deletes the peer from the management server
  rpc Logout(LogoutRequest) returns (LogoutResponse) {}

@@ -236,10 +227,6 @@ message UpRequest {
  optional string profileName = 1;
  optional string username = 2;
  reserved 3;
-  // When true, the caller claims owner privileges for this profile.
-  // Requires root or current owner; for new installs (root-only mode),
-  // the calling UID becomes an owner.
-  bool claimOwner = 4;
 }

 message UpResponse {}
@@ -327,6 +314,13 @@ message GetConfigResponse {
  int32 sshJWTCacheTTL = 26;

  bool disable_ipv6 = 27;
+
+  // mDMManagedFields lists the names of configuration keys whose value is
+  // currently enforced by an MDM policy. Names match mdm.Key* constants
+  // (e.g. "managementURL", "disableClientRoutes"). UI/CLI clients should
+  // render the corresponding inputs as read-only and display a "managed
+  // by MDM" indicator.
+  repeated string mDMManagedFields = 28;
 }

 // PeerState contains the latest state of a peer
@@ -362,6 +356,7 @@ message LocalPeerState {
  bool rosenpassPermissive = 6;
  repeated string networks = 7;
  string ipv6 = 8;
+  int32 wgPort = 9;
 }

 // SignalState contains the latest state of a signal connection
@@ -484,6 +479,7 @@ message DebugBundleRequest {
  bool systemInfo = 3;
  string uploadURL = 4;
  uint32 logFileCount = 5;
+  string cliVersion = 6;
 }

 message DebugBundleResponse {
@@ -702,16 +698,6 @@ message AddProfileRequest {

 message AddProfileResponse {}

-message AddOwnerRequest {
-  uint32 uid = 1;
-}
-
-message AddOwnerResponse {}
-
-message ResetOwnerRequest {}
-
-message ResetOwnerResponse {}
-
 message RemoveProfileRequest {
  string username = 1;
  string profileName = 2;
@@ -754,6 +740,15 @@ message GetFeaturesResponse{
  bool disable_networks = 3;
 }

+// MDMManagedFieldsViolation is attached as a gRPC error detail on a
+// FailedPrecondition status returned from SetConfig (and similar mutating
+// RPCs) when the caller tries to modify one or more MDM-enforced fields.
+// The fields list contains the offending key names; the entire request is
+// rejected (no partial apply).
+message MDMManagedFieldsViolation {
+  repeated string fields = 1;
+}
+
 message TriggerUpdateRequest {}

 message TriggerUpdateResponse {
--- a/client/proto/daemon_grpc.pb.go
+++ b/client/proto/daemon_grpc.pb.go
@@ -48,8 +48,6 @@ const (
 	DaemonService_RemoveProfile_FullMethodName              = "/daemon.DaemonService/RemoveProfile"
 	DaemonService_ListProfiles_FullMethodName               = "/daemon.DaemonService/ListProfiles"
 	DaemonService_GetActiveProfile_FullMethodName           = "/daemon.DaemonService/GetActiveProfile"
-	DaemonService_AddOwner_FullMethodName                   = "/daemon.DaemonService/AddOwner"
-	DaemonService_ResetOwner_FullMethodName                 = "/daemon.DaemonService/ResetOwner"
 	DaemonService_Logout_FullMethodName                     = "/daemon.DaemonService/Logout"
 	DaemonService_GetFeatures_FullMethodName                = "/daemon.DaemonService/GetFeatures"
 	DaemonService_TriggerUpdate_FullMethodName              = "/daemon.DaemonService/TriggerUpdate"
@@ -117,13 +115,6 @@ type DaemonServiceClient interface {
 	RemoveProfile(ctx context.Context, in *RemoveProfileRequest, opts ...grpc.CallOption) (*RemoveProfileResponse, error)
 	ListProfiles(ctx context.Context, in *ListProfilesRequest, opts ...grpc.CallOption) (*ListProfilesResponse, error)
 	GetActiveProfile(ctx context.Context, in *GetActiveProfileRequest, opts ...grpc.CallOption) (*GetActiveProfileResponse, error)
-	// AddOwner adds a UID to the active profile's owner list. Requires
-	// root or an existing owner.
-	AddOwner(ctx context.Context, in *AddOwnerRequest, opts ...grpc.CallOption) (*AddOwnerResponse, error)
-	// ResetOwner clears the active profile's owner list, returning it to
-	// the unconfigured state. The next call from the active console-session
-	// user will then re-claim ownership. Requires root.
-	ResetOwner(ctx context.Context, in *ResetOwnerRequest, opts ...grpc.CallOption) (*ResetOwnerResponse, error)
 	// Logout disconnects from the network and deletes the peer from the management server
 	Logout(ctx context.Context, in *LogoutRequest, opts ...grpc.CallOption) (*LogoutResponse, error)
 	GetFeatures(ctx context.Context, in *GetFeaturesRequest, opts ...grpc.CallOption) (*GetFeaturesResponse, error)
@@ -461,26 +452,6 @@ func (c *daemonServiceClient) GetActiveProfile(ctx context.Context, in *GetActiv
 	return out, nil
 }

-func (c *daemonServiceClient) AddOwner(ctx context.Context, in *AddOwnerRequest, opts ...grpc.CallOption) (*AddOwnerResponse, error) {
-	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
-	out := new(AddOwnerResponse)
-	err := c.cc.Invoke(ctx, DaemonService_AddOwner_FullMethodName, in, out, cOpts...)
-	if err != nil {
-		return nil, err
-	}
-	return out, nil
-}
-
-func (c *daemonServiceClient) ResetOwner(ctx context.Context, in *ResetOwnerRequest, opts ...grpc.CallOption) (*ResetOwnerResponse, error) {
-	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
-	out := new(ResetOwnerResponse)
-	err := c.cc.Invoke(ctx, DaemonService_ResetOwner_FullMethodName, in, out, cOpts...)
-	if err != nil {
-		return nil, err
-	}
-	return out, nil
-}
-
 func (c *daemonServiceClient) Logout(ctx context.Context, in *LogoutRequest, opts ...grpc.CallOption) (*LogoutResponse, error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(LogoutResponse)
@@ -645,13 +616,6 @@ type DaemonServiceServer interface {
 	RemoveProfile(context.Context, *RemoveProfileRequest) (*RemoveProfileResponse, error)
 	ListProfiles(context.Context, *ListProfilesRequest) (*ListProfilesResponse, error)
 	GetActiveProfile(context.Context, *GetActiveProfileRequest) (*GetActiveProfileResponse, error)
-	// AddOwner adds a UID to the active profile's owner list. Requires
-	// root or an existing owner.
-	AddOwner(context.Context, *AddOwnerRequest) (*AddOwnerResponse, error)
-	// ResetOwner clears the active profile's owner list, returning it to
-	// the unconfigured state. The next call from the active console-session
-	// user will then re-claim ownership. Requires root.
-	ResetOwner(context.Context, *ResetOwnerRequest) (*ResetOwnerResponse, error)
 	// Logout disconnects from the network and deletes the peer from the management server
 	Logout(context.Context, *LogoutRequest) (*LogoutResponse, error)
 	GetFeatures(context.Context, *GetFeaturesRequest) (*GetFeaturesResponse, error)
@@ -768,12 +732,6 @@ func (UnimplementedDaemonServiceServer) ListProfiles(context.Context, *ListProfi
 func (UnimplementedDaemonServiceServer) GetActiveProfile(context.Context, *GetActiveProfileRequest) (*GetActiveProfileResponse, error) {
 	return nil, status.Error(codes.Unimplemented, "method GetActiveProfile not implemented")
 }
-func (UnimplementedDaemonServiceServer) AddOwner(context.Context, *AddOwnerRequest) (*AddOwnerResponse, error) {
-	return nil, status.Error(codes.Unimplemented, "method AddOwner not implemented")
-}
-func (UnimplementedDaemonServiceServer) ResetOwner(context.Context, *ResetOwnerRequest) (*ResetOwnerResponse, error) {
-	return nil, status.Error(codes.Unimplemented, "method ResetOwner not implemented")
-}
 func (UnimplementedDaemonServiceServer) Logout(context.Context, *LogoutRequest) (*LogoutResponse, error) {
 	return nil, status.Error(codes.Unimplemented, "method Logout not implemented")
 }
@@ -1333,42 +1291,6 @@ func _DaemonService_GetActiveProfile_Handler(srv interface{}, ctx context.Contex
 	return interceptor(ctx, in, info, handler)
 }

-func _DaemonService_AddOwner_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(AddOwnerRequest)
-	if err := dec(in); err != nil {
-		return nil, err
-	}
-	if interceptor == nil {
-		return srv.(DaemonServiceServer).AddOwner(ctx, in)
-	}
-	info := &grpc.UnaryServerInfo{
-		Server:     srv,
-		FullMethod: DaemonService_AddOwner_FullMethodName,
-	}
-	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(DaemonServiceServer).AddOwner(ctx, req.(*AddOwnerRequest))
-	}
-	return interceptor(ctx, in, info, handler)
-}
-
-func _DaemonService_ResetOwner_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(ResetOwnerRequest)
-	if err := dec(in); err != nil {
-		return nil, err
-	}
-	if interceptor == nil {
-		return srv.(DaemonServiceServer).ResetOwner(ctx, in)
-	}
-	info := &grpc.UnaryServerInfo{
-		Server:     srv,
-		FullMethod: DaemonService_ResetOwner_FullMethodName,
-	}
-	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(DaemonServiceServer).ResetOwner(ctx, req.(*ResetOwnerRequest))
-	}
-	return interceptor(ctx, in, info, handler)
-}
-
 func _DaemonService_Logout_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(LogoutRequest)
 	if err := dec(in); err != nil {
@@ -1657,14 +1579,6 @@ var DaemonService_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "GetActiveProfile",
 			Handler:    _DaemonService_GetActiveProfile_Handler,
 		},
-		{
-			MethodName: "AddOwner",
-			Handler:    _DaemonService_AddOwner_Handler,
-		},
-		{
-			MethodName: "ResetOwner",
-			Handler:    _DaemonService_ResetOwner_Handler,
-		},
 		{
 			MethodName: "Logout",
 			Handler:    _DaemonService_Logout_Handler,
--- a/client/proto/generate.sh
+++ b/client/proto/generate.sh
@@ -1,17 +1,16 @@
 #!/bin/bash
 set -e

-if ! which realpath > /dev/null 2>&1
-then
-  echo realpath is not installed
-  echo run: brew install coreutils
-  exit 1
+if ! which realpath >/dev/null 2>&1; then
+	echo realpath is not installed
+	echo run: brew install coreutils
+	exit 1
 fi

 old_pwd=$(pwd)
-script_path=$(dirname $(realpath "$0"))
+script_path=$(dirname "$(realpath "$0")")
 cd "$script_path"
 go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.36.6
-go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@v1.1
+go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@v1.6.1
 protoc -I ./ ./daemon.proto --go_out=../ --go-grpc_out=../ --experimental_allow_proto3_optional
 cd "$old_pwd"
--- a/client/server/debug.go
+++ b/client/server/debug.go
@@ -14,6 +14,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal/debug"
 	"github.com/netbirdio/netbird/client/proto"
 	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
+	"github.com/netbirdio/netbird/version"
 )

 // DebugBundle creates a debug bundle and returns the location.
@@ -67,6 +68,8 @@ func (s *Server) DebugBundle(_ context.Context, req *proto.DebugBundleRequest) (
 			CapturePath:    capturePath,
 			RefreshStatus:  refreshStatus,
 			ClientMetrics:  clientMetrics,
+			DaemonVersion:  version.NetbirdVersion(),
+			CliVersion:     req.CliVersion,
 		},
 		debug.BundleConfig{
 			Anonymize:         req.GetAnonymize(),
--- a/client/server/mdm.go
+++ b/client/server/mdm.go
@@ -0,0 +1,377 @@
+package server
+
+import (
+	"context"
+	"fmt"
+	"strings"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+	"google.golang.org/grpc/codes"
+	gstatus "google.golang.org/grpc/status"
+
+	"github.com/netbirdio/netbird/client/internal"
+	"github.com/netbirdio/netbird/client/mdm"
+	"github.com/netbirdio/netbird/client/proto"
+)
+
+// loadMDMPolicy is the indirection used by server handlers to read the
+// active MDM policy. Tests override this to inject a fake policy.
+var loadMDMPolicy = mdm.LoadPolicy
+
+// onMDMPolicyChange is invoked by the MDM reload ticker every time the
+// OS-native managed-config store reports a diff vs the last observation.
+//
+// Restart sequence:
+//   1. Cancel the active engine context (terminates connectWithRetryRuns).
+//   2. Wait briefly for that goroutine to exit (giveUpChan is closed on exit).
+//   3. Re-resolve Config from disk + MDM policy (Config.apply re-runs
+//      applyMDMPolicy with the freshly loaded Policy).
+//   4. Spawn a fresh connectWithRetryRuns with the new context and config.
+//   5. Broadcast a SystemEvent so any GUI / CLI subscriber (SubscribeEvents
+//      RPC) can refresh its cached config view without polling.
+//
+// The callback runs in the ticker's own goroutine. Ticker has already
+// logged the per-key diff before invoking this hook.
+func (s *Server) onMDMPolicyChange(_, curr *mdm.Policy) {
+	log.Warn("MDM policy changed; restarting engine to apply new configuration")
+
+	s.mutex.Lock()
+	cancel := s.actCancel
+	giveUpChan := s.clientGiveUpChan
+	s.mutex.Unlock()
+
+	if cancel != nil {
+		cancel()
+	}
+
+	// Wait for previous connectWithRetryRuns to exit so we don't end up
+	// with two goroutines fighting over the same status recorder + engine.
+	if giveUpChan != nil {
+		select {
+		case <-giveUpChan:
+		case <-time.After(5 * time.Second):
+			log.Warn("MDM restart: timeout waiting for previous engine goroutine; proceeding anyway")
+		}
+	}
+
+	if err := s.restartEngineForMDM(); err != nil {
+		log.Errorf("MDM restart failed: %v", err)
+		return
+	}
+
+	// publishConfigChangedEvent has already fired inside
+	// restartEngineForMDM with source="mdm". Here we additionally emit an
+	// MDM-specific user-visible toast so the operator knows their IT
+	// policy was applied (UserMessage != "" triggers the GUI notifier).
+	_ = curr
+	s.statusRecorder.PublishEvent(
+		proto.SystemEvent_INFO,
+		proto.SystemEvent_SYSTEM,
+		"MDM policy applied",
+		"NetBird configuration was updated by your IT policy.",
+		map[string]string{"source": "mdm", "type": "policy_applied"},
+	)
+}
+
+// publishConfigChangedEvent broadcasts a SystemEvent informing any active
+// SubscribeEvents subscriber (typically the GUI tray) that the daemon's
+// effective Config has been replaced and any cached client-side view
+// should be refreshed. Callers pass a stable `source` label so the GUI
+// can distinguish a startup spawn from a user-triggered Up or an
+// MDM-driven restart. Reusing the SYSTEM category keeps the proto enum
+// stable; metadata.type="config_changed" routes to the GUI's refresh
+// handler. UserMessage is left empty so the system tray does not toast
+// for every internal restart; the MDM path emits a separate
+// "policy_applied" event (with UserMessage) for that purpose.
+func (s *Server) publishConfigChangedEvent(source string) {
+	if s.statusRecorder == nil {
+		return
+	}
+	var managed []string
+	if s.config != nil {
+		managed = s.config.Policy().ManagedKeys()
+	}
+	s.statusRecorder.PublishEvent(
+		proto.SystemEvent_INFO,
+		proto.SystemEvent_SYSTEM,
+		fmt.Sprintf("daemon config changed (source=%s)", source),
+		"",
+		map[string]string{
+			"source":         source,
+			"type":           "config_changed",
+			"managed_fields": strings.Join(managed, ","),
+		},
+	)
+}
+
+// restartEngineForMDM re-resolves the active profile config (re-running
+// applyMDMPolicy via Config.apply) and re-spawns connectWithRetryRuns.
+// Mirrors the tail of Server.Start so a runtime MDM change behaves
+// identically to a fresh boot under the new policy.
+func (s *Server) restartEngineForMDM() error {
+	activeProf, err := s.profileManager.GetActiveProfileState()
+	if err != nil {
+		return fmt.Errorf("get active profile state: %w", err)
+	}
+	config, existingConfig, err := s.getConfig(activeProf)
+	if err != nil {
+		return fmt.Errorf("get active profile config: %w", err)
+	}
+
+	s.mutex.Lock()
+	defer s.mutex.Unlock()
+
+	s.config = config
+	s.statusRecorder.UpdateManagementAddress(config.ManagementURL.String())
+	s.statusRecorder.UpdateRosenpass(config.RosenpassEnabled, config.RosenpassPermissive)
+	s.statusRecorder.UpdateLazyConnection(config.LazyConnectionEnabled)
+
+	state := internal.CtxGetState(s.rootCtx)
+	if config.DisableAutoConnect {
+		log.Info("MDM restart: DisableAutoConnect=true; staying idle")
+		state.Set(internal.StatusIdle)
+		s.actCancel = nil
+		return nil
+	}
+	if !existingConfig {
+		log.Warn("MDM restart: config absent; not reconnecting")
+		state.Set(internal.StatusNeedsLogin)
+		s.actCancel = nil
+		return nil
+	}
+
+	ctx, cancel := context.WithCancel(s.rootCtx)
+	s.actCancel = cancel
+	s.clientRunning = true
+	s.clientRunningChan = make(chan struct{})
+	s.clientGiveUpChan = make(chan struct{})
+	log.Info("MDM restart: spawning connectWithRetryRuns with re-resolved config")
+	go s.connectWithRetryRuns(ctx, config, s.statusRecorder, s.clientRunningChan, s.clientGiveUpChan)
+	s.publishConfigChangedEvent("mdm")
+	return nil
+}
+
+// mdmManagedFieldConflicts returns the names of MDM-managed keys whose
+// requested value in the SetConfigRequest differs from the MDM-enforced
+// value. A field set to the same value the policy already enforces is
+// treated as a no-op echo (the GUI tray sends a full Config snapshot on
+// every toggle, so most fields in a typical request match the policy
+// exactly and must NOT be flagged as conflicts).
+//
+// The redacted PreSharedKey sentinel ("**********") that GetConfig
+// returns is recognised and treated as no-op so the UI can safely round-
+// trip it without tripping the gate.
+func mdmManagedFieldConflicts(msg *proto.SetConfigRequest, policy *mdm.Policy) []string {
+	if msg == nil || policy.IsEmpty() {
+		return nil
+	}
+	var conflicts []string
+	mark := func(key string) { conflicts = append(conflicts, key) }
+
+	if msg.ManagementUrl != "" && policy.HasKey(mdm.KeyManagementURL) {
+		if want, ok := policy.GetString(mdm.KeyManagementURL); !ok || want != msg.ManagementUrl {
+			mark(mdm.KeyManagementURL)
+		}
+	}
+	if msg.OptionalPreSharedKey != nil && policy.HasKey(mdm.KeyPreSharedKey) {
+		// "**********" is the redacted echo from GetConfig — never a real
+		// override attempt regardless of what the policy holds.
+		if *msg.OptionalPreSharedKey != "**********" {
+			if want, ok := policy.GetString(mdm.KeyPreSharedKey); !ok || want != *msg.OptionalPreSharedKey {
+				mark(mdm.KeyPreSharedKey)
+			}
+		}
+	}
+	checkBool := func(key string, p *bool) {
+		if p == nil || !policy.HasKey(key) {
+			return
+		}
+		if want, ok := policy.GetBool(key); !ok || want != *p {
+			mark(key)
+		}
+	}
+	checkBool(mdm.KeyRosenpassEnabled, msg.RosenpassEnabled)
+	checkBool(mdm.KeyRosenpassPermissive, msg.RosenpassPermissive)
+	checkBool(mdm.KeyDisableAutoConnect, msg.DisableAutoConnect)
+	checkBool(mdm.KeyAllowServerSSH, msg.ServerSSHAllowed)
+	checkBool(mdm.KeyDisableClientRoutes, msg.DisableClientRoutes)
+	checkBool(mdm.KeyDisableServerRoutes, msg.DisableServerRoutes)
+	checkBool(mdm.KeyBlockInbound, msg.BlockInbound)
+
+	if msg.WireguardPort != nil && policy.HasKey(mdm.KeyWireguardPort) {
+		if want, ok := policy.GetInt(mdm.KeyWireguardPort); !ok || want != *msg.WireguardPort {
+			mark(mdm.KeyWireguardPort)
+		}
+	}
+	return conflicts
+}
+
+// setConfigRequestHasConfigOverrides reports whether the SetConfigRequest
+// carries ANY field that would actually mutate the persisted config. The
+// CLI builds the request unconditionally on every `netbird up` (see
+// setupSetConfigReq in cmd/up.go), so a plain `netbird up` results in a
+// SetConfig call with every field at its zero value; the gate must skip
+// such no-op invocations or it would always fire even when the user did
+// not pass any --flag.
+func setConfigRequestHasConfigOverrides(msg *proto.SetConfigRequest) bool {
+	if msg == nil {
+		return false
+	}
+	return msg.ManagementUrl != "" ||
+		msg.AdminURL != "" ||
+		msg.OptionalPreSharedKey != nil ||
+		len(msg.CustomDNSAddress) > 0 ||
+		len(msg.NatExternalIPs) > 0 || msg.CleanNATExternalIPs ||
+		len(msg.ExtraIFaceBlacklist) > 0 ||
+		len(msg.DnsLabels) > 0 || msg.CleanDNSLabels ||
+		msg.DnsRouteInterval != nil ||
+		msg.RosenpassEnabled != nil ||
+		msg.RosenpassPermissive != nil ||
+		msg.InterfaceName != nil ||
+		msg.WireguardPort != nil ||
+		msg.Mtu != nil ||
+		msg.DisableAutoConnect != nil ||
+		msg.ServerSSHAllowed != nil ||
+		msg.NetworkMonitor != nil ||
+		msg.DisableClientRoutes != nil ||
+		msg.DisableServerRoutes != nil ||
+		msg.DisableDns != nil ||
+		msg.DisableFirewall != nil ||
+		msg.BlockLanAccess != nil ||
+		msg.DisableNotifications != nil ||
+		msg.LazyConnectionEnabled != nil ||
+		msg.BlockInbound != nil ||
+		msg.DisableIpv6 != nil ||
+		msg.EnableSSHRoot != nil ||
+		msg.EnableSSHSFTP != nil ||
+		msg.EnableSSHLocalPortForwarding != nil ||
+		msg.EnableSSHRemotePortForwarding != nil ||
+		msg.DisableSSHAuth != nil ||
+		msg.SshJWTCacheTTL != nil
+}
+
+// loginRequestHasConfigOverrides reports whether the LoginRequest
+// carries ANY field that would mutate persisted daemon configuration
+// (as opposed to pure-auth fields like setupKey, hostname, hint,
+// profileName, username). Used by the Login handler to decide whether
+// the `--disable-update-settings` / MDM gates must run: a re-auth that
+// changes nothing about the configuration is always allowed.
+func loginRequestHasConfigOverrides(msg *proto.LoginRequest) bool {
+	if msg == nil {
+		return false
+	}
+	return msg.ManagementUrl != "" ||
+		msg.AdminURL != "" ||
+		msg.PreSharedKey != "" ||
+		msg.OptionalPreSharedKey != nil ||
+		len(msg.CustomDNSAddress) > 0 ||
+		len(msg.NatExternalIPs) > 0 || msg.CleanNATExternalIPs ||
+		msg.RosenpassEnabled != nil ||
+		msg.InterfaceName != nil ||
+		msg.WireguardPort != nil ||
+		msg.DisableAutoConnect != nil ||
+		msg.ServerSSHAllowed != nil ||
+		msg.RosenpassPermissive != nil ||
+		len(msg.ExtraIFaceBlacklist) > 0 ||
+		msg.NetworkMonitor != nil ||
+		msg.DnsRouteInterval != nil ||
+		msg.DisableClientRoutes != nil ||
+		msg.DisableServerRoutes != nil ||
+		msg.DisableDns != nil ||
+		msg.DisableFirewall != nil ||
+		msg.BlockLanAccess != nil ||
+		msg.DisableNotifications != nil ||
+		len(msg.DnsLabels) > 0 || msg.CleanDNSLabels ||
+		msg.LazyConnectionEnabled != nil ||
+		msg.BlockInbound != nil
+}
+
+// loginRequestMDMConflicts mirrors mdmManagedFieldConflicts but for the
+// LoginRequest surface. Same value-aware semantics: a field set to the
+// MDM-enforced value is a no-op echo, not a conflict; only a divergent
+// value is flagged. PSK has two proto fields (PreSharedKey deprecated
+// and OptionalPreSharedKey current); both routes are checked, and the
+// "**********" redaction sentinel is accepted as a no-op.
+func loginRequestMDMConflicts(msg *proto.LoginRequest, policy *mdm.Policy) []string {
+	if msg == nil || policy.IsEmpty() {
+		return nil
+	}
+	var conflicts []string
+	mark := func(key string) { conflicts = append(conflicts, key) }
+
+	if msg.ManagementUrl != "" && policy.HasKey(mdm.KeyManagementURL) {
+		if want, ok := policy.GetString(mdm.KeyManagementURL); !ok || want != msg.ManagementUrl {
+			mark(mdm.KeyManagementURL)
+		}
+	}
+
+	// PSK: PreSharedKey (deprecated) and OptionalPreSharedKey are both
+	// accepted by Login; either trips the gate if it diverges from the
+	// MDM-enforced PSK.
+	if policy.HasKey(mdm.KeyPreSharedKey) {
+		psk := ""
+		set := false
+		if msg.OptionalPreSharedKey != nil {
+			psk = *msg.OptionalPreSharedKey
+			set = true
+		} else if msg.PreSharedKey != "" {
+			psk = msg.PreSharedKey
+			set = true
+		}
+		if set && psk != "**********" {
+			if want, ok := policy.GetString(mdm.KeyPreSharedKey); !ok || want != psk {
+				mark(mdm.KeyPreSharedKey)
+			}
+		}
+	}
+
+	checkBool := func(key string, p *bool) {
+		if p == nil || !policy.HasKey(key) {
+			return
+		}
+		if want, ok := policy.GetBool(key); !ok || want != *p {
+			mark(key)
+		}
+	}
+	checkBool(mdm.KeyRosenpassEnabled, msg.RosenpassEnabled)
+	checkBool(mdm.KeyRosenpassPermissive, msg.RosenpassPermissive)
+	checkBool(mdm.KeyDisableAutoConnect, msg.DisableAutoConnect)
+	checkBool(mdm.KeyAllowServerSSH, msg.ServerSSHAllowed)
+	checkBool(mdm.KeyDisableClientRoutes, msg.DisableClientRoutes)
+	checkBool(mdm.KeyDisableServerRoutes, msg.DisableServerRoutes)
+	checkBool(mdm.KeyBlockInbound, msg.BlockInbound)
+
+	if msg.WireguardPort != nil && policy.HasKey(mdm.KeyWireguardPort) {
+		if want, ok := policy.GetInt(mdm.KeyWireguardPort); !ok || want != *msg.WireguardPort {
+			mark(mdm.KeyWireguardPort)
+		}
+	}
+	return conflicts
+}
+
+// rejectMDMManagedFieldConflicts returns a FailedPrecondition gRPC error
+// with an MDMManagedFieldsViolation detail when any of the requested
+// fields tries to change an MDM-enforced value to something else, and
+// nil otherwise. The whole request is rejected on any conflict; non-
+// conflicting fields in the same request are not applied either (no
+// partial apply).
+func rejectMDMManagedFieldConflicts(policy *mdm.Policy, conflicts []string) error {
+	if len(conflicts) == 0 {
+		return nil
+	}
+	_ = policy
+	log.Warnf("MDM rejected request: tried to modify %d managed key(s): %v",
+		len(conflicts), conflicts)
+	st := gstatus.New(
+		codes.FailedPrecondition,
+		fmt.Sprintf("fields managed by MDM cannot be modified: %v", conflicts),
+	)
+	detailed, err := st.WithDetails(&proto.MDMManagedFieldsViolation{Fields: conflicts})
+	if err != nil {
+		// Detail attachment is best-effort; fall back to the plain status
+		// so the caller still gets a usable FailedPrecondition.
+		return st.Err()
+	}
+	return detailed.Err()
+}
--- a/client/server/network.go
+++ b/client/server/network.go
@@ -30,7 +30,7 @@ func (s *Server) ListNetworks(context.Context, *proto.ListNetworksRequest) (*pro
 	s.mutex.Lock()
 	defer s.mutex.Unlock()

-	if s.networksDisabled {
+	if s.checkNetworksDisabled() {
 		return nil, gstatus.Errorf(codes.Unavailable, errNetworksDisabled)
 	}

@@ -143,7 +143,7 @@ func (s *Server) SelectNetworks(_ context.Context, req *proto.SelectNetworksRequ
 	s.mutex.Lock()
 	defer s.mutex.Unlock()

-	if s.networksDisabled {
+	if s.checkNetworksDisabled() {
 		return nil, gstatus.Errorf(codes.Unavailable, errNetworksDisabled)
 	}

@@ -195,7 +195,7 @@ func (s *Server) DeselectNetworks(_ context.Context, req *proto.SelectNetworksRe
 	s.mutex.Lock()
 	defer s.mutex.Unlock()

-	if s.networksDisabled {
+	if s.checkNetworksDisabled() {
 		return nil, gstatus.Errorf(codes.Unavailable, errNetworksDisabled)
 	}

--- a/client/server/owner.go
+++ b/client/server/owner.go
@@ -1,172 +0,0 @@
-package server
-
-import (
-	"context"
-	"fmt"
-	"slices"
-
-	log "github.com/sirupsen/logrus"
-	"google.golang.org/grpc/codes"
-	"google.golang.org/grpc/status"
-
-	"github.com/netbirdio/netbird/client/internal/owner"
-	"github.com/netbirdio/netbird/client/internal/profilemanager"
-	"github.com/netbirdio/netbird/client/proto"
-	"github.com/netbirdio/netbird/util"
-)
-
-// authorizeTargetProfile enforces the "match or root" rule for operations
-// that target a specific profile (Remove/Switch). The caller must be root
-// or appear in the target profile config's OwnerUIDs. A target profile in
-// legacy TOFU state (nil OwnerUIDs) is treated as unowned and therefore
-// accessible to any peer-creds caller, which matches pre-enforcement
-// behavior on upgraded installs.
-func (s *Server) authorizeTargetProfile(ctx context.Context, profileName, username string) error {
-	uid, ok := owner.UIDFromContext(ctx)
-	if !ok {
-		return status.Error(codes.PermissionDenied, "peer credentials unavailable")
-	}
-	if uid == 0 {
-		return nil
-	}
-
-	cfg, err := s.readProfileConfig(profileName, username)
-	if err != nil {
-		return fmt.Errorf("read target profile config: %w", err)
-	}
-
-	// Legacy / never-claimed target: allow, mirroring the migration TOFU
-	// semantics in the interceptor.
-	if cfg.OwnerUIDs == nil {
-		return nil
-	}
-
-	if slices.Contains(cfg.OwnerUIDs, uid) {
-		return nil
-	}
-
-	return status.Errorf(codes.PermissionDenied,
-		"profile %q is owned by another user (uid %d is not in its owner list)", profileName, uid)
-}
-
-// readProfileConfig loads a profile's config from disk without making it
-// active. Used by authorizeTargetProfile.
-func (s *Server) readProfileConfig(profileName, username string) (*profilemanager.Config, error) {
-	state := &profilemanager.ActiveProfileState{Name: profileName, Username: username}
-	path, err := state.FilePath()
-	if err != nil {
-		return nil, fmt.Errorf("resolve profile path: %w", err)
-	}
-	cfg, err := profilemanager.GetConfig(path)
-	if err != nil {
-		return nil, fmt.Errorf("load %s: %w", path, err)
-	}
-	return cfg, nil
-}
-
-// GetOwnerUIDs returns the current owner UIDs from the active config.
-// nil means TOFU mode, empty means root-only, populated means those UIDs are owners.
-func (s *Server) GetOwnerUIDs() []owner.UID {
-	s.mutex.Lock()
-	defer s.mutex.Unlock()
-
-	if s.config == nil {
-		return nil
-	}
-
-	return s.config.OwnerUIDs
-}
-
-// AddOwnerUID adds the given UID to the owner list in the active profile config.
-func (s *Server) AddOwnerUID(uid owner.UID) error {
-	s.mutex.Lock()
-	defer s.mutex.Unlock()
-
-	return s.addOwnerUIDLocked(uid)
-}
-
-// addOwnerUIDLocked adds uid to the active profile's owner list and persists it.
-// The caller must hold s.mutex.
-func (s *Server) addOwnerUIDLocked(uid owner.UID) error {
-	if s.config == nil {
-		return fmt.Errorf("config not loaded")
-	}
-
-	if slices.Contains(s.config.OwnerUIDs, uid) {
-		return nil
-	}
-
-	s.config.OwnerUIDs = append(s.config.OwnerUIDs, uid)
-
-	activeProf, err := s.profileManager.GetActiveProfileState()
-	if err != nil {
-		return fmt.Errorf("get active profile: %w", err)
-	}
-
-	cfgPath, err := activeProf.FilePath()
-	if err != nil {
-		return fmt.Errorf("get profile file path: %w", err)
-	}
-
-	if err := util.WriteJson(context.Background(), cfgPath, s.config); err != nil {
-		return fmt.Errorf("write config: %w", err)
-	}
-
-	log.Infof("owner UID %d added in %s (owners: %v)", uid, cfgPath, s.config.OwnerUIDs)
-	return nil
-}
-
-// AddOwner handles the AddOwner RPC. The interceptor has already gated this
-// call (caller must be root or an existing owner); the handler just persists
-// the new UID into the active profile config.
-func (s *Server) AddOwner(_ context.Context, msg *proto.AddOwnerRequest) (*proto.AddOwnerResponse, error) {
-	if msg == nil || msg.Uid == 0 {
-		return nil, status.Error(codes.InvalidArgument, "uid must be non-zero")
-	}
-	if err := s.AddOwnerUID(owner.UID(msg.Uid)); err != nil {
-		return nil, fmt.Errorf("add owner: %w", err)
-	}
-	return &proto.AddOwnerResponse{}, nil
-}
-
-// ResetOwner clears the active profile's owner list. Only callable by root
-// (the interceptor enforces this: a non-owner non-root caller is denied
-// before reaching the handler, and only owners or root can reach Add/Reset
-// at all; we additionally require root here so existing owners can't reset
-// each other out).
-func (s *Server) ResetOwner(ctx context.Context, _ *proto.ResetOwnerRequest) (*proto.ResetOwnerResponse, error) {
-	uid, ok := owner.UIDFromContext(ctx)
-	if !ok {
-		return nil, status.Error(codes.PermissionDenied, "peer credentials unavailable")
-	}
-	if uid != 0 {
-		return nil, status.Error(codes.PermissionDenied, "reset-owner requires root")
-	}
-
-	s.mutex.Lock()
-	defer s.mutex.Unlock()
-
-	if s.config == nil {
-		return nil, fmt.Errorf("config not loaded")
-	}
-
-	// Reset to the fresh-install state (empty, not nil): only root and the
-	// active console-session user can reclaim. nil would be legacy migration
-	// TOFU, where any non-root caller (including SSH) could reclaim.
-	s.config.OwnerUIDs = []owner.UID{}
-
-	activeProf, err := s.profileManager.GetActiveProfileState()
-	if err != nil {
-		return nil, fmt.Errorf("get active profile: %w", err)
-	}
-	cfgPath, err := activeProf.FilePath()
-	if err != nil {
-		return nil, fmt.Errorf("get profile file path: %w", err)
-	}
-	if err := util.WriteJson(context.Background(), cfgPath, s.config); err != nil {
-		return nil, fmt.Errorf("write config: %w", err)
-	}
-
-	log.Infof("owner list reset; next call from the active console user will re-claim ownership")
-	return &proto.ResetOwnerResponse{}, nil
-}
--- a/client/server/server.go
+++ b/client/server/server.go
@@ -22,9 +22,9 @@ import (

 	"github.com/netbirdio/netbird/client/internal/auth"
 	"github.com/netbirdio/netbird/client/internal/expose"
-	"github.com/netbirdio/netbird/client/internal/owner"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	sleephandler "github.com/netbirdio/netbird/client/internal/sleep/handler"
+	"github.com/netbirdio/netbird/client/mdm"
 	"github.com/netbirdio/netbird/client/system"
 	mgm "github.com/netbirdio/netbird/shared/management/client"
 	"github.com/netbirdio/netbird/shared/management/domain"
@@ -99,6 +99,11 @@ type Server struct {

 	sleepHandler *sleephandler.SleepHandler

+	// mdmTicker periodically re-reads the OS-native MDM policy and triggers
+	// an engine restart when the policy changes. Launched once by Start;
+	// stopped by the rootCtx cancellation.
+	mdmTicker *mdm.Ticker
+
 	updateManager *updater.Manager

 	jwtCache *jwtCache
@@ -156,6 +161,17 @@ func (s *Server) Start() error {
 		s.updateManager.CheckUpdateSuccess(s.rootCtx)
 	}

+	// MDM policy reload ticker: every minute the desktop daemon re-reads
+	// the OS-native managed-config store and, on diff vs the previous
+	// observation, cancels the active engine context so connectWithRetry-
+	// Runs re-resolves Config (re-running profilemanager.Config.apply which
+	// applies the freshly-read MDM policy as the last layer) and brings
+	// the engine back with the new values.
+	if s.mdmTicker == nil {
+		s.mdmTicker = mdm.NewTicker(s.onMDMPolicyChange)
+		go s.mdmTicker.Run(s.rootCtx)
+	}
+
 	// if current state contains any error, return it
 	// in all other cases we can continue execution only if status is idle and up command was
 	// not in the progress or already successfully established connection.
@@ -214,6 +230,7 @@ func (s *Server) Start() error {
 	s.clientRunningChan = make(chan struct{})
 	s.clientGiveUpChan = make(chan struct{})
 	go s.connectWithRetryRuns(ctx, config, s.statusRecorder, s.clientRunningChan, s.clientGiveUpChan)
+	s.publishConfigChangedEvent("startup")
 	return nil
 }

@@ -305,8 +322,25 @@ func (s *Server) SetConfig(callerCtx context.Context, msg *proto.SetConfigReques
 	s.mutex.Lock()
 	defer s.mutex.Unlock()

-	if s.checkUpdateSettingsDisabled() {
-		return nil, gstatus.Errorf(codes.Unavailable, errUpdateSettingsDisabled)
+	// Skip the update-settings gate when the request carries no actual
+	// overrides: the CLI builds a SetConfigRequest unconditionally on
+	// every `netbird up` (setupSetConfigReq in cmd/up.go), so a plain
+	// `netbird up` would otherwise always trip the gate and surface a
+	// misleading "setConfig method is not available" warning, even when
+	// the user did not pass any config flag.
+	if setConfigRequestHasConfigOverrides(msg) {
+		if s.checkUpdateSettingsDisabled() {
+			return nil, gstatus.Errorf(codes.Unavailable, errUpdateSettingsDisabled)
+		}
+	}
+
+	// MDM gate: refuse the whole request if any of its fields is enforced
+	// by the active MDM policy. The error carries an MDMManagedFields-
+	// Violation detail listing the offending key names. Non-conflicting
+	// fields in the same request are not applied either.
+	policy := loadMDMPolicy()
+	if err := rejectMDMManagedFieldConflicts(policy, mdmManagedFieldConflicts(msg, policy)); err != nil {
+		return nil, err
 	}

 	profState := profilemanager.ActiveProfileState{
@@ -414,6 +448,22 @@ func (s *Server) SetConfig(callerCtx context.Context, msg *proto.SetConfigReques

 // Login uses setup key to prepare configuration for the daemon.
 func (s *Server) Login(callerCtx context.Context, msg *proto.LoginRequest) (*proto.LoginResponse, error) {
+	// Config-override gates. LoginRequest carries the same surface as
+	// SetConfigRequest (managementUrl, PSK, ssh/rosenpass/port toggles,
+	// ...), so the same protections must apply. Without these the CLI
+	// command `netbird up --management-url=X` (which falls through to
+	// Login when SetConfig is rejected — see cmd/up.go) would silently
+	// bypass `--disable-update-settings` and any MDM policy.
+	if loginRequestHasConfigOverrides(msg) {
+		if s.checkUpdateSettingsDisabled() {
+			return nil, gstatus.Errorf(codes.Unavailable, errUpdateSettingsDisabled)
+		}
+		policy := loadMDMPolicy()
+		if err := rejectMDMManagedFieldConflicts(policy, loginRequestMDMConflicts(msg, policy)); err != nil {
+			return nil, err
+		}
+	}
+
 	s.mutex.Lock()
 	if s.actCancel != nil {
 		s.actCancel()
@@ -736,18 +786,6 @@ func (s *Server) Up(callerCtx context.Context, msg *proto.UpRequest) (*proto.UpR
 	}
 	s.config = config

-	// An explicit --owner claim locks the active profile to the calling user
-	// (plus root). Root has no specific UID to claim, so only non-root callers
-	// take effect here; the interceptor has already authorized the call.
-	if msg != nil && msg.ClaimOwner {
-		if uid, ok := owner.UIDFromContext(callerCtx); ok && uid != 0 {
-			if err := s.addOwnerUIDLocked(uid); err != nil {
-				s.mutex.Unlock()
-				return nil, fmt.Errorf("claim owner: %w", err)
-			}
-		}
-	}
-
 	s.statusRecorder.UpdateManagementAddress(s.config.ManagementURL.String())
 	s.statusRecorder.UpdateRosenpass(s.config.RosenpassEnabled, s.config.RosenpassPermissive)

@@ -756,6 +794,7 @@ func (s *Server) Up(callerCtx context.Context, msg *proto.UpRequest) (*proto.UpR
 	s.clientGiveUpChan = make(chan struct{})

 	go s.connectWithRetryRuns(ctx, s.config, s.statusRecorder, s.clientRunningChan, s.clientGiveUpChan)
+	s.publishConfigChangedEvent("up_rpc")

 	s.mutex.Unlock()
 	return s.waitForUp(callerCtx)
@@ -813,18 +852,6 @@ func (s *Server) switchProfileIfNeeded(profileName string, userName *string, act

 // SwitchProfile switches the active profile in the daemon.
 func (s *Server) SwitchProfile(callerCtx context.Context, msg *proto.SwitchProfileRequest) (*proto.SwitchProfileResponse, error) {
-	// Switching downs the current session and starts another, so the caller
-	// must own the target profile (or be root).
-	if msg != nil && msg.ProfileName != nil {
-		username := ""
-		if msg.Username != nil {
-			username = *msg.Username
-		}
-		if err := s.authorizeTargetProfile(callerCtx, *msg.ProfileName, username); err != nil {
-			return nil, err
-		}
-	}
-
 	s.mutex.Lock()
 	defer s.mutex.Unlock()

@@ -1573,6 +1600,7 @@ func (s *Server) GetConfig(ctx context.Context, req *proto.GetConfigRequest) (*p
 		EnableSSHRemotePortForwarding: enableSSHRemotePortForwarding,
 		DisableSSHAuth:                disableSSHAuth,
 		SshJWTCacheTTL:                sshJWTCacheTTL,
+		MDMManagedFields:              cfg.Policy().ManagedKeys(),
 	}, nil
 }

@@ -1589,17 +1617,7 @@ func (s *Server) AddProfile(ctx context.Context, msg *proto.AddProfileRequest) (
 		return nil, gstatus.Errorf(codes.InvalidArgument, "profile name and username must be provided")
 	}

-	// New profiles auto-claim the caller as their sole owner so the user who
-	// just created the profile retains control (and other local users can't
-	// touch it via SwitchProfile/RemoveProfile). When called by root, leave
-	// OwnerUIDs at the default (empty/env-seeded); root explicitly didn't
-	// claim ownership for any specific user.
-	var initialOwners []owner.UID
-	if uid, ok := owner.UIDFromContext(ctx); ok && uid != 0 {
-		initialOwners = []owner.UID{uid}
-	}
-
-	if err := s.profileManager.AddProfile(msg.ProfileName, msg.Username, initialOwners); err != nil {
+	if err := s.profileManager.AddProfile(msg.ProfileName, msg.Username); err != nil {
 		log.Errorf("failed to create profile: %v", err)
 		return nil, fmt.Errorf("failed to create profile: %w", err)
 	}
@@ -1609,10 +1627,6 @@ func (s *Server) AddProfile(ctx context.Context, msg *proto.AddProfileRequest) (

 // RemoveProfile removes a profile from the daemon.
 func (s *Server) RemoveProfile(ctx context.Context, msg *proto.RemoveProfileRequest) (*proto.RemoveProfileResponse, error) {
-	if err := s.authorizeTargetProfile(ctx, msg.ProfileName, msg.Username); err != nil {
-		return nil, err
-	}
-
 	s.mutex.Lock()
 	defer s.mutex.Unlock()

@@ -1685,7 +1699,7 @@ func (s *Server) GetFeatures(ctx context.Context, msg *proto.GetFeaturesRequest)
 	features := &proto.GetFeaturesResponse{
 		DisableProfiles:       s.checkProfilesDisabled(),
 		DisableUpdateSettings: s.checkUpdateSettingsDisabled(),
-		DisableNetworks:       s.networksDisabled,
+		DisableNetworks:       s.checkNetworksDisabled(),
 	}

 	return features, nil
@@ -1707,22 +1721,38 @@ func (s *Server) connect(ctx context.Context, config *profilemanager.Config, sta
 	return nil
 }

+// MDM authority: when the platform-native MDM source sets a kill switch
+// key (regardless of true/false value), that value wins. The CLI flag
+// supplied at service install time is the fallback used only when the
+// MDM source is silent on the key. This honors the "MDM decides
+// everything" semantic agreed for NET-1214 — an admin pushing
+// disableX=false via MDM explicitly re-enables the feature even on a
+// box installed with --disable-X.
 func (s *Server) checkProfilesDisabled() bool {
-	// Check if the environment variable is set to disable profiles
-	if s.profilesDisabled {
-		return true
+	if s.config != nil {
+		if v, ok := s.config.Policy().GetBool(mdm.KeyDisableProfiles); ok {
+			return v
+		}
 	}
+	return s.profilesDisabled
+}

-	return false
+func (s *Server) checkNetworksDisabled() bool {
+	if s.config != nil {
+		if v, ok := s.config.Policy().GetBool(mdm.KeyDisableNetworks); ok {
+			return v
+		}
+	}
+	return s.networksDisabled
 }

 func (s *Server) checkUpdateSettingsDisabled() bool {
-	// Check if the environment variable is set to disable profiles
-	if s.updateSettingsDisabled {
-		return true
+	if s.config != nil {
+		if v, ok := s.config.Policy().GetBool(mdm.KeyDisableUpdateSettings); ok {
+			return v
+		}
 	}
-
-	return false
+	return s.updateSettingsDisabled
 }

 func (s *Server) startUpdateManagerForGUI() {
--- a/client/server/setconfig_mdm_test.go
+++ b/client/server/setconfig_mdm_test.go
@@ -0,0 +1,198 @@
+package server
+
+import (
+	"context"
+	"os/user"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/grpc/codes"
+	gstatus "google.golang.org/grpc/status"
+
+	"github.com/netbirdio/netbird/client/internal/profilemanager"
+	"github.com/netbirdio/netbird/client/mdm"
+	"github.com/netbirdio/netbird/client/proto"
+)
+
+// withMDMPolicy temporarily overrides the server-package loadMDMPolicy hook
+// so SetConfig observes the supplied Policy. Restores the original loader
+// at test cleanup.
+func withMDMPolicy(t *testing.T, policy *mdm.Policy) {
+	t.Helper()
+	prev := loadMDMPolicy
+	loadMDMPolicy = func() *mdm.Policy { return policy }
+	t.Cleanup(func() { loadMDMPolicy = prev })
+}
+
+// setupServerWithProfile mirrors the boilerplate of TestSetConfig_AllFieldsSaved:
+// overrides profilemanager paths to a temp dir, seeds a profile, sets it
+// active, and constructs a Server instance. Returns the constructed server
+// plus context + profile name + username + cfgPath for the seeded profile.
+func setupServerWithProfile(t *testing.T) (s *Server, ctx context.Context, profName, username, cfgPath string) {
+	t.Helper()
+	tempDir := t.TempDir()
+
+	origDefaultProfileDir := profilemanager.DefaultConfigPathDir
+	origDefaultConfigPath := profilemanager.DefaultConfigPath
+	origActiveProfileStatePath := profilemanager.ActiveProfileStatePath
+	profilemanager.ConfigDirOverride = tempDir
+	profilemanager.DefaultConfigPathDir = tempDir
+	profilemanager.ActiveProfileStatePath = tempDir + "/active_profile.json"
+	profilemanager.DefaultConfigPath = filepath.Join(tempDir, "default.json")
+	t.Cleanup(func() {
+		profilemanager.DefaultConfigPathDir = origDefaultProfileDir
+		profilemanager.ActiveProfileStatePath = origActiveProfileStatePath
+		profilemanager.DefaultConfigPath = origDefaultConfigPath
+		profilemanager.ConfigDirOverride = ""
+	})
+
+	currUser, err := user.Current()
+	require.NoError(t, err)
+
+	profName = "test-profile-mdm"
+	cfgPath = filepath.Join(tempDir, profName+".json")
+
+	_, err = profilemanager.UpdateOrCreateConfig(profilemanager.ConfigInput{
+		ConfigPath:    cfgPath,
+		ManagementURL: "https://api.netbird.io:443",
+	})
+	require.NoError(t, err)
+
+	pm := profilemanager.ServiceManager{}
+	require.NoError(t, pm.SetActiveProfileState(&profilemanager.ActiveProfileState{
+		Name:     profName,
+		Username: currUser.Username,
+	}))
+
+	ctx = context.Background()
+	s = New(ctx, "console", "", false, false, false, false)
+	return s, ctx, profName, currUser.Username, cfgPath
+}
+
+// extractViolation pulls the MDMManagedFieldsViolation detail from a
+// FailedPrecondition error. Fails the test if absent or malformed.
+func extractViolation(t *testing.T, err error) *proto.MDMManagedFieldsViolation {
+	t.Helper()
+	require.Error(t, err)
+	st, ok := gstatus.FromError(err)
+	require.True(t, ok, "error must be a gRPC status: %v", err)
+	require.Equal(t, codes.FailedPrecondition, st.Code(), "expected FailedPrecondition, got %s", st.Code())
+	for _, d := range st.Details() {
+		if v, ok := d.(*proto.MDMManagedFieldsViolation); ok {
+			return v
+		}
+	}
+	t.Fatalf("MDMManagedFieldsViolation detail not found on status; details: %v", st.Details())
+	return nil
+}
+
+func TestSetConfig_MDMReject_SingleField(t *testing.T) {
+	withMDMPolicy(t, mdm.NewPolicy(map[string]any{
+		mdm.KeyManagementURL: "https://mdm.example.com:443",
+	}))
+
+	s, ctx, profName, username, _ := setupServerWithProfile(t)
+
+	_, err := s.SetConfig(ctx, &proto.SetConfigRequest{
+		ProfileName:   profName,
+		Username:      username,
+		ManagementUrl: "https://user.tried.this.com:443",
+	})
+
+	v := extractViolation(t, err)
+	assert.Equal(t, []string{mdm.KeyManagementURL}, v.GetFields())
+}
+
+func TestSetConfig_MDMReject_MultipleFields(t *testing.T) {
+	withMDMPolicy(t, mdm.NewPolicy(map[string]any{
+		mdm.KeyManagementURL:     "https://mdm.example.com:443",
+		mdm.KeyBlockInbound:      true,
+		mdm.KeyRosenpassEnabled:  true,
+	}))
+
+	s, ctx, profName, username, _ := setupServerWithProfile(t)
+
+	blockInbound := false
+	rosenpassEnabled := false
+	_, err := s.SetConfig(ctx, &proto.SetConfigRequest{
+		ProfileName:      profName,
+		Username:         username,
+		ManagementUrl:    "https://user.tried.this.com:443",
+		BlockInbound:     &blockInbound,
+		RosenpassEnabled: &rosenpassEnabled,
+	})
+
+	v := extractViolation(t, err)
+	assert.ElementsMatch(t, []string{
+		mdm.KeyManagementURL,
+		mdm.KeyBlockInbound,
+		mdm.KeyRosenpassEnabled,
+	}, v.GetFields())
+}
+
+func TestSetConfig_MDMReject_AllOrNothing(t *testing.T) {
+	// MDM enforces ManagementURL only; user request touches both the
+	// enforced field AND a non-enforced field (RosenpassEnabled).
+	// The whole request must be rejected — non-conflicting fields are not
+	// applied either.
+	withMDMPolicy(t, mdm.NewPolicy(map[string]any{
+		mdm.KeyManagementURL: "https://mdm.example.com:443",
+	}))
+
+	s, ctx, profName, username, cfgPath := setupServerWithProfile(t)
+
+	rosenpassEnabled := true
+	_, err := s.SetConfig(ctx, &proto.SetConfigRequest{
+		ProfileName:      profName,
+		Username:         username,
+		ManagementUrl:    "https://user.tried.this.com:443",
+		RosenpassEnabled: &rosenpassEnabled,
+	})
+
+	v := extractViolation(t, err)
+	assert.Equal(t, []string{mdm.KeyManagementURL}, v.GetFields())
+
+	// Confirm RosenpassEnabled was NOT applied even though it was not
+	// in the conflict list: the request was rejected as a whole.
+	reloaded, err := profilemanager.GetConfig(cfgPath)
+	require.NoError(t, err)
+	assert.False(t, reloaded.RosenpassEnabled, "non-conflicting field must not be applied when request is rejected")
+}
+
+func TestSetConfig_MDMAllow_NonManagedFields(t *testing.T) {
+	// MDM enforces ManagementURL but the user only writes RosenpassEnabled.
+	// Request must succeed.
+	withMDMPolicy(t, mdm.NewPolicy(map[string]any{
+		mdm.KeyManagementURL: "https://mdm.example.com:443",
+	}))
+
+	s, ctx, profName, username, _ := setupServerWithProfile(t)
+
+	rosenpassEnabled := true
+	resp, err := s.SetConfig(ctx, &proto.SetConfigRequest{
+		ProfileName:      profName,
+		Username:         username,
+		RosenpassEnabled: &rosenpassEnabled,
+	})
+
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+}
+
+func TestSetConfig_MDMEmpty_NoEnforcement(t *testing.T) {
+	// No MDM policy active: any field can be written.
+	withMDMPolicy(t, mdm.NewPolicy(nil))
+
+	s, ctx, profName, username, _ := setupServerWithProfile(t)
+
+	resp, err := s.SetConfig(ctx, &proto.SetConfigRequest{
+		ProfileName:   profName,
+		Username:      username,
+		ManagementUrl: "https://user.changed.url.com:443",
+	})
+
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+}
--- a/client/status/status.go
+++ b/client/status/status.go
@@ -143,6 +143,7 @@ type OutputOverview struct {
 	IPv6                    string                     `json:"netbirdIpv6,omitempty" yaml:"netbirdIpv6,omitempty"`
 	PubKey                  string                     `json:"publicKey" yaml:"publicKey"`
 	KernelInterface         bool                       `json:"usesKernelInterface" yaml:"usesKernelInterface"`
+	WgPort                  int                        `json:"wireguardPort" yaml:"wireguardPort"`
 	FQDN                    string                     `json:"fqdn" yaml:"fqdn"`
 	RosenpassEnabled        bool                       `json:"quantumResistance" yaml:"quantumResistance"`
 	RosenpassPermissive     bool                       `json:"quantumResistancePermissive" yaml:"quantumResistancePermissive"`
@@ -187,6 +188,7 @@ func ConvertToStatusOutputOverview(pbFullStatus *proto.FullStatus, opts ConvertO
 		IPv6:                    pbFullStatus.GetLocalPeerState().GetIpv6(),
 		PubKey:                  pbFullStatus.GetLocalPeerState().GetPubKey(),
 		KernelInterface:         pbFullStatus.GetLocalPeerState().GetKernelInterface(),
+		WgPort:                  int(pbFullStatus.GetLocalPeerState().GetWgPort()),
 		FQDN:                    pbFullStatus.GetLocalPeerState().GetFqdn(),
 		RosenpassEnabled:        pbFullStatus.GetLocalPeerState().GetRosenpassEnabled(),
 		RosenpassPermissive:     pbFullStatus.GetLocalPeerState().GetRosenpassPermissive(),
@@ -547,6 +549,21 @@ func (o *OutputOverview) GeneralSummary(showURL bool, showRelays bool, showNameS
 		goarm = fmt.Sprintf(" (ARMv%s)", os.Getenv("GOARM"))
 	}

+	daemonVersion := "N/A"
+	if o.DaemonVersion != "" {
+		daemonVersion = o.DaemonVersion
+	}
+
+	cliVersion := version.NetbirdVersion()
+	if o.CliVersion != "" {
+		cliVersion = o.CliVersion
+	}
+
+	wgPortString := "N/A"
+	if o.WgPort > 0 {
+		wgPortString = fmt.Sprintf("%d", o.WgPort)
+	}
+
 	summary := fmt.Sprintf(
 		"OS: %s\n"+
 			"Daemon version: %s\n"+
@@ -560,6 +577,7 @@ func (o *OutputOverview) GeneralSummary(showURL bool, showRelays bool, showNameS
 			"NetBird IP: %s\n"+
 			"%s"+
 			"Interface type: %s\n"+
+			"Wireguard port: %s\n"+
 			"Quantum resistance: %s\n"+
 			"Lazy connection: %s\n"+
 			"SSH Server: %s\n"+
@@ -567,8 +585,8 @@ func (o *OutputOverview) GeneralSummary(showURL bool, showRelays bool, showNameS
 			"%s"+
 			"Peers count: %s\n",
 		fmt.Sprintf("%s/%s%s", goos, goarch, goarm),
-		o.DaemonVersion,
-		version.NetbirdVersion(),
+		daemonVersion,
+		cliVersion,
 		o.ProfileName,
 		managementConnString,
 		signalConnString,
@@ -578,6 +596,7 @@ func (o *OutputOverview) GeneralSummary(showURL bool, showRelays bool, showNameS
 		interfaceIP,
 		ipv6Line,
 		interfaceTypeString,
+		wgPortString,
 		rosenpassEnabledStatus,
 		lazyConnectionEnabledStatus,
 		sshServerStatus,
--- a/client/status/status_test.go
+++ b/client/status/status_test.go
@@ -94,6 +94,7 @@ var resp = &proto.StatusResponse{
 			Ipv6:            "fd00::100",
 			PubKey:          "Some-Pub-Key",
 			KernelInterface: true,
+			WgPort:          51820,
 			Fqdn:            "some-localhost.awesome-domain.com",
 			Networks: []string{
 				"10.10.0.0/24",
@@ -210,6 +211,7 @@ var overview = OutputOverview{
 	IPv6:            "fd00::100",
 	PubKey:          "Some-Pub-Key",
 	KernelInterface: true,
+	WgPort:          51820,
 	FQDN:            "some-localhost.awesome-domain.com",
 	NSServerGroups: []NsServerGroupStateOutput{
 		{
@@ -369,6 +371,7 @@ func TestParsingToJSON(t *testing.T) {
          "netbirdIpv6": "fd00::100",
          "publicKey": "Some-Pub-Key",
          "usesKernelInterface": true,
+          "wireguardPort": 51820,
          "fqdn": "some-localhost.awesome-domain.com",
          "quantumResistance": false,
          "quantumResistancePermissive": false,
@@ -487,6 +490,7 @@ netbirdIp: 192.168.178.100/16
 netbirdIpv6: fd00::100
 publicKey: Some-Pub-Key
 usesKernelInterface: true
+wireguardPort: 51820
 fqdn: some-localhost.awesome-domain.com
 quantumResistance: false
 quantumResistancePermissive: false
@@ -579,12 +583,13 @@ FQDN: some-localhost.awesome-domain.com
 NetBird IP: 192.168.178.100/16
 NetBird IPv6: fd00::100
 Interface type: Kernel
+Wireguard port: %d
 Quantum resistance: false
 Lazy connection: false
 SSH Server: Disabled
 Networks: 10.10.0.0/24
 Peers count: 2/2 Connected
-`, lastConnectionUpdate1, lastHandshake1, lastConnectionUpdate2, lastHandshake2, runtime.GOOS, runtime.GOARCH, overview.CliVersion)
+`, lastConnectionUpdate1, lastHandshake1, lastConnectionUpdate2, lastHandshake2, runtime.GOOS, runtime.GOARCH, overview.CliVersion, overview.WgPort)

 	assert.Equal(t, expectedDetail, detail)
 }
@@ -604,6 +609,7 @@ FQDN: some-localhost.awesome-domain.com
 NetBird IP: 192.168.178.100/16
 NetBird IPv6: fd00::100
 Interface type: Kernel
+Wireguard port: 51820
 Quantum resistance: false
 Lazy connection: false
 SSH Server: Disabled
--- a/client/ui/client_ui.go
+++ b/client/ui/client_ui.go
@@ -38,6 +38,7 @@ import (
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
+	"github.com/netbirdio/netbird/client/mdm"
 	"github.com/netbirdio/netbird/client/proto"
 	"github.com/netbirdio/netbird/client/ui/desktop"
 	"github.com/netbirdio/netbird/client/ui/event"
@@ -56,6 +57,12 @@ const (
 const (
 	censoredPreSharedKey = "**********"
 	maxSSHJWTCacheTTL    = 86_400 // 24 hours in seconds
+	// mdmFieldSuffix is appended to plain-text Entry widgets in the
+	// advanced Settings window when the underlying field is enforced
+	// by MDM, so the user sees the lock indicator inline next to the
+	// value. Stripped before any read site that feeds the value back
+	// into a SetConfig request (saveSettings / parseNumericSettings).
+	mdmFieldSuffix = " (MDM)"
 )

 func main() {
@@ -318,6 +325,11 @@ type serviceClient struct {
 	settingsEnabled      bool
 	profilesEnabled      bool
 	networksEnabled      bool
+	// networksMenuEnabled caches the last applied enabled-state of the
+	// mNetworks + mExitNode submenu items. Combines features.DisableNetworks
+	// AND s.connected — both must be true for the menus to be active.
+	// Zero value (false) matches the Disable() call at AddMenuItem time.
+	networksMenuEnabled  bool
 	showNetworks         bool
 	wNetworks            fyne.Window
 	wProfiles            fyne.Window
@@ -336,6 +348,13 @@ type serviceClient struct {
 	updateContextCancel  context.CancelFunc

 	connectCancel context.CancelFunc
+
+	// mdmManagedFields caches the names of MDM-enforced policy keys
+	// surfaced by the daemon in GetConfigResponse. Each refresh of
+	// daemon config (loadSettings, getSrvConfig, config_changed event)
+	// updates this set and re-applies the lock/badge to the affected
+	// menu items and settings-form widgets.
+	mdmManagedFields map[string]bool
 }

 type menuHandler struct {
@@ -441,15 +460,12 @@ func (s *serviceClient) updateIcon() {
 }

 func (s *serviceClient) showSettingsUI() {
-	// Check if update settings are disabled by daemon
-	features, err := s.getFeatures()
-	if err != nil {
-		log.Errorf("failed to get features from daemon: %v", err)
-		// Continue with default behavior if features can't be retrieved
-	} else if features != nil && features.DisableUpdateSettings {
-		log.Warn("Update settings are disabled by daemon")
-		return
-	}
+	// DisableUpdateSettings no longer gates the window from opening:
+	// the daemon blocks every actual mutation at SetConfig / Login,
+	// so the window is safe to show as a read-only view. The previous
+	// early-return also blocked Advanced Settings whenever update
+	// editing was off, which conflated two distinct kill switches
+	// (see comment in checkAndUpdateFeatures).

 	// add settings window UI elements.
 	s.wSettings = s.app.NewWindow("NetBird Settings")
@@ -502,7 +518,7 @@ func (s *serviceClient) getConnectionForm() *widget.Form {
 			{Text: "Pre-shared Key", Widget: s.iPreSharedKey},
 			{Text: "Quantum-Resistance", Widget: s.sRosenpassPermissive},
 			{Text: "Interface Name", Widget: s.iInterfaceName},
-			{Text: "Interface Port", Widget: s.iInterfacePort},
+			{Text: "Interface Port", Widget: s.iInterfacePort, HintText: "If set to 0, a random free port will be used"},
 			{Text: "MTU", Widget: s.iMTU},
 			{Text: "Log File", Widget: s.iLogFile},
 		},
@@ -532,7 +548,7 @@ func (s *serviceClient) saveSettings() {
 		return
 	}

-	iMngURL := strings.TrimSpace(s.iMngURL.Text)
+	iMngURL := strings.TrimSpace(strings.TrimSuffix(s.iMngURL.Text, mdmFieldSuffix))

 	if s.hasSettingsChanged(iMngURL, port, mtu) {
 		if err := s.applySettingsChanges(iMngURL, port, mtu); err != nil {
@@ -554,12 +570,12 @@ func (s *serviceClient) validateSettings() error {
 }

 func (s *serviceClient) parseNumericSettings() (int64, int64, error) {
-	port, err := strconv.ParseInt(s.iInterfacePort.Text, 10, 64)
+	port, err := strconv.ParseInt(strings.TrimSpace(strings.TrimSuffix(s.iInterfacePort.Text, mdmFieldSuffix)), 10, 64)
 	if err != nil {
 		return 0, 0, errors.New("invalid interface port")
 	}
-	if port < 1 || port > 65535 {
-		return 0, 0, errors.New("invalid interface port: out of range 1-65535")
+	if port < 0 || port > 65535 {
+		return 0, 0, errors.New("invalid interface port: out of range 0-65535")
 	}

 	var mtu int64
@@ -663,7 +679,15 @@ func (s *serviceClient) buildSetConfigRequest(iMngURL string, port, mtu int64) (
 		req.SshJWTCacheTTL = &sshJWTCacheTTL32
 	}

-	if s.iPreSharedKey.Text != censoredPreSharedKey {
+	// Only attach the PSK when the user actually typed something:
+	// - "" means the field was left untouched (we deliberately render
+	//   an empty Text + placeholder hint to avoid leaking the daemon's
+	//   "**********" redaction through the password reveal toggle);
+	//   sending an empty pointer would tell the daemon to clear / overwrite
+	//   the on-disk or MDM-enforced PSK, which then trips the MDM
+	//   conflict gate when PSK is policy-managed.
+	// - "**********" is the redacted echo (legacy non-MDM path); also a no-op.
+	if s.iPreSharedKey.Text != "" && s.iPreSharedKey.Text != censoredPreSharedKey {
 		req.OptionalPreSharedKey = &s.iPreSharedKey.Text
 	}

@@ -1036,6 +1060,13 @@ func (s *serviceClient) onTrayReady() {
 	}

 	s.mProfile = newProfileMenu(*newProfileMenuArgs)
+	// Seed the transition cache to match the actual default menu
+	// state (visible / enabled). Without this, the first
+	// checkAndUpdateFeatures tick that observes DisableProfiles=true
+	// is a no-op (cache zero-value == desired-false) and the menu
+	// never gets hidden — symptom: MDM enforces the kill switch but
+	// the profile menu stays clickable.
+	s.profilesEnabled = true

 	systray.AddSeparator()
 	s.mUp = systray.AddMenuItem("Connect", "Connect")
@@ -1055,18 +1086,18 @@ func (s *serviceClient) onTrayReady() {
 	s.mCreateDebugBundle = s.mSettings.AddSubMenuItem("Create Debug Bundle", debugBundleMenuDescr)
 	s.loadSettings()

-	// Disable settings menu if update settings are disabled by daemon
+	// Disable profile menu if profiles are disabled by daemon.
+	// DisableUpdateSettings is enforced at the daemon's SetConfig /
+	// Login gates, not by hiding the UI — so the Settings menu (and
+	// its Advanced Settings submenu, which has its own kill switch)
+	// stays visible and the user can still inspect current values.
 	features, err := s.getFeatures()
 	if err != nil {
 		log.Errorf("failed to get features from daemon: %v", err)
 		// Continue with default behavior if features can't be retrieved
-	} else {
-		if features != nil && features.DisableUpdateSettings {
-			s.setSettingsEnabled(false)
-		}
-		if features != nil && features.DisableProfiles {
-			s.mProfile.setEnabled(false)
-		}
+	} else if features != nil && features.DisableProfiles {
+		s.mProfile.setEnabled(false)
+		s.profilesEnabled = false
 	}

 	s.exitNodeMu.Lock()
@@ -1100,13 +1131,20 @@ func (s *serviceClient) onTrayReady() {
 	// update exit node menu in case service is already connected
 	go s.updateExitNodes()

+	// Features (DisableProfiles, DisableUpdateSettings, DisableNetworks,
+	// ...) only change in two ways: at service install time (CLI flag,
+	// static) and at MDM ticker diff time. The daemon already publishes
+	// a SystemEvent{type=config_changed} on every MDM-driven engine
+	// restart, so the UI no longer needs to poll GetFeatures every 2 s.
+	// A single fetch at startup covers the static CLI-flag case; the
+	// event handler below covers MDM transitions. updateStatus stays in
+	// the 2 s loop because connection / peer state genuinely change
+	// continuously and have no event yet.
+	s.checkAndUpdateFeatures()
 	go func() {
 		s.getSrvConfig()
 		time.Sleep(100 * time.Millisecond) // To prevent race condition caused by systray not being fully initialized and ignoring setIcon
 		for {
-			// Check features before status so menus respect disable flags before being enabled
-			s.checkAndUpdateFeatures()
-
 			err := s.updateStatus()
 			if err != nil {
 				log.Errorf("error while updating status: %v", err)
@@ -1150,6 +1188,23 @@ func (s *serviceClient) onTrayReady() {
 			s.onUpdateAvailable(newVersion, enforced)
 		}
 	})
+	s.eventManager.AddHandler(func(event *proto.SystemEvent) {
+		// Daemon emits a config_changed event after every engine spawn
+		// (Server.Start, Server.Up, MDM ticker restart). Re-sync the
+		// tray submenu checkboxes from the fresh daemon-side config so
+		// the user does not have to restart the tray to see CLI- or
+		// MDM-driven changes.
+		if event.Category == proto.SystemEvent_SYSTEM && event.Metadata["type"] == "config_changed" {
+			log.Infof("config_changed event received (source=%s); refreshing settings + features", event.Metadata["source"])
+			s.loadSettings()
+			// MDM-driven feature kill switches (DisableProfiles /
+			// DisableUpdateSettings / DisableNetworks) ride the same
+			// config_changed signal because the daemon re-applies its
+			// MDM policy on every engine spawn. Pull them in here so
+			// the UI is up to date without a periodic GetFeatures poll.
+			s.checkAndUpdateFeatures()
+		}
+	})

 	go s.eventManager.Start(s.ctx)
 	go s.eventHandler.listen(s.ctx)
@@ -1236,12 +1291,11 @@ func (s *serviceClient) checkAndUpdateFeatures() {
 	s.updateIndicationLock.Lock()
 	defer s.updateIndicationLock.Unlock()

-	// Update settings menu based on current features
-	settingsEnabled := features == nil || !features.DisableUpdateSettings
-	if s.settingsEnabled != settingsEnabled {
-		s.settingsEnabled = settingsEnabled
-		s.setSettingsEnabled(settingsEnabled)
-	}
+	// DisableUpdateSettings is enforced server-side by the daemon gates
+	// on SetConfig + Login: any attempt to mutate config from UI or
+	// CLI is rejected at that layer. The UI deliberately keeps the
+	// Settings menu visible so the user can still inspect current
+	// values — read-only by virtue of the daemon refusing edits.

 	// Update profile menu based on current features
 	if s.mProfile != nil {
@@ -1252,14 +1306,23 @@ func (s *serviceClient) checkAndUpdateFeatures() {
 		}
 	}

-	// Update networks and exit node menus based on current features
+	// Update networks and exit node menus based on current features.
+	// `networksEnabled` is the bare feature flag (read elsewhere, e.g. at
+	// connection-status transitions). `networksMenuEnabled` is the
+	// transition-cached state actually applied to the menu items —
+	// it folds in the connection state so a Connected client with the
+	// kill switch off shows the menus active, and only flips on diff.
 	s.networksEnabled = features == nil || !features.DisableNetworks
-	if s.networksEnabled && s.connected {
-		s.mNetworks.Enable()
-		s.mExitNode.Enable()
-	} else {
-		s.mNetworks.Disable()
-		s.mExitNode.Disable()
+	desiredNetworksMenu := s.networksEnabled && s.connected
+	if desiredNetworksMenu != s.networksMenuEnabled {
+		s.networksMenuEnabled = desiredNetworksMenu
+		if desiredNetworksMenu {
+			s.mNetworks.Enable()
+			s.mExitNode.Enable()
+		} else {
+			s.mNetworks.Disable()
+			s.mExitNode.Disable()
+		}
 	}
 }

@@ -1356,7 +1419,14 @@ func (s *serviceClient) getSrvConfig() {

 	if s.showAdvancedSettings {
 		s.iMngURL.SetText(s.managementURL)
-		s.iPreSharedKey.SetText(cfg.PreSharedKey)
+		// PSK is rendered with an empty Text and a hint via the
+		// placeholder so the eye toggle never reveals literal asterisks
+		// (the daemon returns the "**********" sentinel — writing that
+		// into a PasswordEntry would surface the literal sentinel when
+		// the user unmasks the field). The placeholder communicates the
+		// configured / MDM-managed state without exposing any value.
+		s.iPreSharedKey.SetText("")
+		s.iPreSharedKey.SetPlaceHolder(preSharedKeyPlaceholder(srvCfg))
 		s.iInterfaceName.SetText(cfg.WgIface)
 		s.iInterfacePort.SetText(strconv.Itoa(cfg.WgPort))
 		if cfg.MTU != 0 {
@@ -1395,6 +1465,13 @@ func (s *serviceClient) getSrvConfig() {
 		}
 	}

+	// MDM locks must run before the mNotifications-nil early return:
+	// the Settings window is rendered by a separate UI process launched
+	// with --settings (see handleAdvancedSettingsClick), and that child
+	// process does NOT run onReady — so its mNotifications is nil and
+	// the early return below skipped the lock pass entirely.
+	s.applyMDMLocks(srvCfg.MDMManagedFields)
+
 	if s.mNotifications == nil {
 		return
 	}
@@ -1438,7 +1515,7 @@ func protoConfigToConfig(cfg *proto.GetConfigResponse) *profilemanager.Config {
 	}

 	config.WgIface = cfg.InterfaceName
-	if cfg.WireguardPort != 0 {
+	if cfg.WireguardPort >= 0 && cfg.WireguardPort <= 65535 {
 		config.WgPort = int(cfg.WireguardPort)
 	} else {
 		config.WgPort = iface.DefaultWgPort
@@ -1579,6 +1656,129 @@ func (s *serviceClient) loadSettings() {
 	if s.eventManager != nil {
 		s.eventManager.SetNotificationsEnabled(s.mNotifications.Checked())
 	}
+	s.applyMDMLocks(cfg.MDMManagedFields)
+}
+
+// applyMDMLocks disables and badges any tray submenu item or settings-
+// form widget whose underlying field is enforced by the active MDM
+// policy. Called from loadSettings (submenu refresh) and from
+// getSrvConfig (settings-window refresh). Locked items keep their value
+// already set by the surrounding refresh code — this routine only
+// flips the enabled state and the title suffix, never the value.
+func (s *serviceClient) applyMDMLocks(managed []string) {
+	set := make(map[string]bool, len(managed))
+	for _, k := range managed {
+		set[k] = true
+	}
+	s.mdmManagedFields = set
+	if len(managed) > 0 {
+		log.Infof("MDM-managed UI fields: %v", managed)
+	}
+
+	type submenuTarget struct {
+		item  *systray.MenuItem
+		title string
+		key   string
+	}
+	for _, t := range []submenuTarget{
+		{s.mAllowSSH, "Allow SSH", mdm.KeyAllowServerSSH},
+		{s.mAutoConnect, "Connect on Startup", mdm.KeyDisableAutoConnect},
+		{s.mEnableRosenpass, "Enable Quantum-Resistance", mdm.KeyRosenpassEnabled},
+		{s.mBlockInbound, "Block Inbound Connections", mdm.KeyBlockInbound},
+	} {
+		if t.item == nil {
+			continue
+		}
+		if set[t.key] {
+			t.item.SetTitle(t.title + " (MDM)")
+			t.item.Disable()
+		} else {
+			t.item.SetTitle(t.title)
+			t.item.Enable()
+		}
+	}
+
+	s.applyMDMLocksToSettingsForm(set)
+}
+
+// preSharedKeyPlaceholder returns the hint string shown in the PSK
+// Entry's placeholder slot. The placeholder is the only signal the user
+// gets that a PSK is configured, because the entry's Text is forced to
+// empty to keep the password reveal toggle from leaking the
+// "**********" sentinel.
+func preSharedKeyPlaceholder(cfg *proto.GetConfigResponse) string {
+	if cfg == nil || cfg.PreSharedKey == "" {
+		return ""
+	}
+	for _, k := range cfg.MDMManagedFields {
+		if k == mdm.KeyPreSharedKey {
+			return "MDM-managed"
+		}
+	}
+	return "configured"
+}
+
+// applyMDMLocksToSettingsForm disables the per-field input widgets in
+// the advanced Settings window when the corresponding MDM key is set.
+// For plain-text entries (Management URL, Interface Port) the visible
+// value is suffixed with " (MDM)" so the user sees the lock indicator
+// inline; for the password entry the suffix is skipped (a password
+// widget renders every char as a dot and the indicator would not be
+// readable). The widgets are created lazily by showSettingsUI, so
+// guard each ref against nil.
+func (s *serviceClient) applyMDMLocksToSettingsForm(set map[string]bool) {
+	type entryTarget struct {
+		entry     *widget.Entry
+		key       string
+		inlineTag bool
+	}
+	for _, t := range []entryTarget{
+		{s.iMngURL, mdm.KeyManagementURL, true},
+		{s.iPreSharedKey, mdm.KeyPreSharedKey, false},
+		{s.iInterfacePort, mdm.KeyWireguardPort, true},
+	} {
+		if t.entry == nil {
+			continue
+		}
+		if set[t.key] {
+			if t.inlineTag && t.entry.Text != "" && !strings.HasSuffix(t.entry.Text, mdmFieldSuffix) {
+				t.entry.SetText(t.entry.Text + mdmFieldSuffix)
+			}
+			t.entry.Disable()
+		} else {
+			if t.inlineTag {
+				t.entry.SetText(strings.TrimSuffix(t.entry.Text, mdmFieldSuffix))
+			}
+			t.entry.Enable()
+		}
+	}
+	type checkTarget struct {
+		check *widget.Check
+		key   string
+	}
+	for _, t := range []checkTarget{
+		{s.sDisableClientRoutes, mdm.KeyDisableClientRoutes},
+		{s.sDisableServerRoutes, mdm.KeyDisableServerRoutes},
+	} {
+		if t.check == nil {
+			continue
+		}
+		if set[t.key] {
+			t.check.Disable()
+		} else {
+			t.check.Enable()
+		}
+	}
+	if s.sRosenpassPermissive != nil {
+		if set[mdm.KeyRosenpassPermissive] {
+			s.sRosenpassPermissive.Disable()
+		}
+		// Re-enable is NOT issued here: the existing code path in
+		// getSrvConfig disables sRosenpassPermissive whenever
+		// RosenpassEnabled is false (it cannot be permissive without
+		// being enabled). Leave that gating intact and only override
+		// when MDM forces a lock.
+	}
 }

 // updateConfig updates the configuration parameters
--- a/client/ui/debug.go
+++ b/client/ui/debug.go
@@ -21,6 +21,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/proto"
 	uptypes "github.com/netbirdio/netbird/upload-server/types"
+	"github.com/netbirdio/netbird/version"
 )

 // Initial state for the debug collection
@@ -462,6 +463,7 @@ func (s *serviceClient) createDebugBundleFromCollection(
 	request := &proto.DebugBundleRequest{
 		Anonymize:  params.anonymize,
 		SystemInfo: params.systemInfo,
+		CliVersion: version.NetbirdVersion(),
 	}

 	if params.upload {
@@ -593,6 +595,7 @@ func (s *serviceClient) createDebugBundle(anonymize bool, systemInfo bool, uploa
 	request := &proto.DebugBundleRequest{
 		Anonymize:  anonymize,
 		SystemInfo: systemInfo,
+		CliVersion: version.NetbirdVersion(),
 	}

 	if uploadURL != "" {
--- a/client/ui/profile.go
+++ b/client/ui/profile.go
@@ -666,16 +666,48 @@ func (p *profileMenu) clear(profiles []Profile) {
 	}
 }

-// setEnabled enables or disables the profile menu based on the provided state
+// setEnabled greys out (Disable) the profile menu and every existing
+// sub-item when the daemon reports the kill switch active, so the user
+// sees the menu but cannot enter "Manage Profiles" or switch profile.
+// Previously this used Hide() on the parent, but Fyne's systray on
+// Windows does not propagate Hide() to a parent that already has
+// children — the submenu kept popping up and accepting clicks. Disable
+// is the reliable visual lock.
 func (p *profileMenu) setEnabled(enabled bool) {
-	if p.profileMenuItem != nil {
-		if enabled {
-			p.profileMenuItem.Enable()
-			p.profileMenuItem.SetTooltip("")
-		} else {
-			p.profileMenuItem.Hide()
-			p.profileMenuItem.SetTooltip("Profiles are disabled by daemon")
+	if p.profileMenuItem == nil {
+		return
+	}
+	p.mu.Lock()
+	defer p.mu.Unlock()
+
+	if enabled {
+		p.profileMenuItem.Enable()
+		p.profileMenuItem.SetTooltip("")
+	} else {
+		p.profileMenuItem.Disable()
+		p.profileMenuItem.SetTooltip("Profiles are disabled by daemon")
+	}
+
+	apply := func(item *systray.MenuItem) {
+		if item == nil {
+			return
 		}
+		if enabled {
+			item.Enable()
+		} else {
+			item.Disable()
+		}
+	}
+	for _, sub := range p.profileSubItems {
+		if sub != nil {
+			apply(sub.MenuItem)
+		}
+	}
+	if p.manageProfilesSubItem != nil {
+		apply(p.manageProfilesSubItem.MenuItem)
+	}
+	if p.logoutSubItem != nil {
+		apply(p.logoutSubItem.MenuItem)
 	}
 }

--- a/combined/cmd/root.go
+++ b/combined/cmd/root.go
@@ -67,6 +67,10 @@ func init() {
 	rootCmd.AddCommand(newTokenCommands())
 }

+func RootCmd() *cobra.Command {
+	return rootCmd
+}
+
 func Execute() error {
 	return rootCmd.Execute()
 }
@@ -168,7 +172,7 @@ func initializeConfig() error {
 // serverInstances holds all server instances created during startup.
 type serverInstances struct {
 	relaySrv      *relayServer.Server
-	mgmtSrv       *mgmtServer.BaseServer
+	mgmtSrv       mgmtServer.Server
 	signalSrv     *signalServer.Server
 	healthcheck   *healthcheck.Server
 	stunServer    *stun.Server
@@ -324,19 +328,24 @@ func setupServerHooks(servers *serverInstances, cfg *CombinedConfig) {
 		return
 	}

-	servers.mgmtSrv.AfterInit(func(s *mgmtServer.BaseServer) {
-		grpcSrv := s.GRPCServer()
+	if s, ok := servers.mgmtSrv.GetContainer(mgmtServer.ContainerKeyBaseServer); ok {
+		if baseServer, ok := s.(*mgmtServer.BaseServer); ok {
+			baseServer.AfterInit(func(s *mgmtServer.BaseServer) {
+				grpcSrv := s.GRPCServer()

-		if servers.signalSrv != nil {
-			proto.RegisterSignalExchangeServer(grpcSrv, servers.signalSrv)
-			log.Infof("Signal server registered on port %s", cfg.Server.ListenAddress)
-		}
+				if servers.signalSrv != nil {
+					proto.RegisterSignalExchangeServer(grpcSrv, servers.signalSrv)
+					log.Infof("Signal server registered on port %s", cfg.Server.ListenAddress)
+				}

-		s.SetHandlerFunc(createCombinedHandler(grpcSrv, s.APIHandler(), s.IDPHandler(), servers.relaySrv, servers.metricsServer.Meter, cfg))
-		if servers.relaySrv != nil {
-			log.Infof("Relay WebSocket handler added (path: /relay)")
+				s.SetHandlerFunc(createCombinedHandler(grpcSrv, s.APIHandler(), s.IDPHandler(), servers.relaySrv, servers.metricsServer.Meter, cfg))
+				if servers.relaySrv != nil {
+					log.Infof("Relay WebSocket handler added (path: /relay)")
+				}
+			})
 		}
-	})
+	}
+
 }

 func startServers(wg *sync.WaitGroup, srv *relayServer.Server, httpHealthcheck *healthcheck.Server, stunServer *stun.Server, metricsServer *sharedMetrics.Metrics) {
@@ -346,38 +355,32 @@ func startServers(wg *sync.WaitGroup, srv *relayServer.Server, httpHealthcheck *
 		log.Infof("Relay WebSocket multiplexed on management port (no separate relay listener)")
 	}

-	wg.Add(1)
-	go func() {
-		defer wg.Done()
+	wg.Go(func() {
 		log.Infof("running metrics server: %s%s", metricsServer.Addr, metricsServer.Endpoint)
 		if err := metricsServer.ListenAndServe(); !errors.Is(err, http.ErrServerClosed) {
 			log.Fatalf("failed to start metrics server: %v", err)
 		}
-	}()
+	})

-	wg.Add(1)
-	go func() {
-		defer wg.Done()
+	wg.Go(func() {
 		if err := httpHealthcheck.ListenAndServe(); !errors.Is(err, http.ErrServerClosed) {
 			log.Fatalf("failed to start healthcheck server: %v", err)
 		}
-	}()
+	})

 	if stunServer != nil {
-		wg.Add(1)
-		go func() {
-			defer wg.Done()
+		wg.Go(func() {
 			if err := stunServer.Listen(); err != nil {
 				if errors.Is(err, stun.ErrServerClosed) {
 					return
 				}
 				log.Errorf("STUN server error: %v", err)
 			}
-		}()
+		})
 	}
 }

-func shutdownServers(ctx context.Context, srv *relayServer.Server, httpHealthcheck *healthcheck.Server, stunServer *stun.Server, mgmtSrv *mgmtServer.BaseServer, metricsServer *sharedMetrics.Metrics) error {
+func shutdownServers(ctx context.Context, srv *relayServer.Server, httpHealthcheck *healthcheck.Server, stunServer *stun.Server, mgmtSrv mgmtServer.Server, metricsServer *sharedMetrics.Metrics) error {
 	var errs error

 	if err := httpHealthcheck.Shutdown(ctx); err != nil {
@@ -491,7 +494,7 @@ func handleTLSConfig(cfg *CombinedConfig) (*tls.Config, bool, error) {
 	return nil, false, nil
 }

-func createManagementServer(cfg *CombinedConfig, mgmtConfig *nbconfig.Config) (*mgmtServer.BaseServer, error) {
+func createManagementServer(cfg *CombinedConfig, mgmtConfig *nbconfig.Config) (mgmtServer.Server, error) {
 	mgmt := cfg.Management

 	// Extract port from listen address
@@ -502,7 +505,7 @@ func createManagementServer(cfg *CombinedConfig, mgmtConfig *nbconfig.Config) (*
 	}
 	mgmtPort, _ := strconv.Atoi(portStr)

-	mgmtSrv := mgmtServer.NewServer(
+	mgmtSrv := newServer(
 		&mgmtServer.Config{
 			NbConfig:                mgmtConfig,
 			DNSDomain:               "",
--- a/combined/cmd/server.go
+++ b/combined/cmd/server.go
@@ -0,0 +1,13 @@
+package cmd
+
+import (
+	mgmtServer "github.com/netbirdio/netbird/management/internals/server"
+)
+
+var newServer = func(cfg *mgmtServer.Config) mgmtServer.Server {
+	return mgmtServer.NewServer(cfg)
+}
+
+func SetNewServer(fn func(*mgmtServer.Config) mgmtServer.Server) {
+	newServer = fn
+}
--- a/docs/macos-netbird-mdm.sh
+++ b/docs/macos-netbird-mdm.sh
@@ -0,0 +1,179 @@
+#!/bin/bash
+#
+# SYNOPSIS
+#   Push the NetBird MDM policy to a macOS device via JumpCloud Commands.
+#
+# DESCRIPTION
+#   This is the macOS counterpart of docs/netbird-policy.reg.ps1.
+#   It writes the values declared in the "POLICY VALUES" block below to
+#   the managed-preferences plist that the NetBird daemon's
+#   client/mdm/policy_darwin.go loader reads on every 1-minute MDM
+#   reload tick:
+#
+#       /Library/Managed Preferences/io.netbird.client.plist
+#
+#   Once the plist lands, the daemon picks up the new values without
+#   restart (the ticker calls Config.apply() → applyMDMPolicy() and
+#   restarts the engine on diff).
+#
+# DEPLOYMENT (JumpCloud)
+#   1. Admin Console -> Device Management -> Commands -> +.
+#   2. Type: Mac, Shell, Run as: root.
+#   3. Paste this file verbatim into the command body.
+#   4. Bind to the target system group, save, run.
+#
+# IMPORTANT: PERSISTENCE
+#   macOS wipes /Library/Managed Preferences/ at every boot on devices
+#   that are NOT MDM-enrolled. For a persistent fleet rollout, push the
+#   companion docs/netbird-macos.mobileconfig as a Custom Configuration
+#   Profile (Admin Console -> MDM -> Mac Custom Configuration Profiles)
+#   instead of this script. Use this script when:
+#     - the device is MDM-enrolled (file survives reboots), or
+#     - you need a one-shot test push before reboot, or
+#     - you orchestrate via JumpCloud Commands and want the same
+#       variable-driven workflow as the Windows .ps1 sibling.
+#
+# IDEMPOTENCY: re-running with the same values is a no-op from the
+# daemon's point of view (the 1-minute reload ticker diff returns empty).
+#
+# SECURITY: PreSharedKey is redacted in this script's log output.
+
+set -euo pipefail
+
+### POLICY VALUES — EDIT THIS BLOCK ###########################################
+#
+# Set each variable below to the desired value. Set to empty string ""
+# or to NULL to omit a key entirely (the daemon treats an absent key
+# as "no enforcement" for that field). Booleans use "true"/"false"
+# (lowercase). Integers as decimal.
+#
+# Reference for key names + accepted values:
+#   client/mdm/policy.go (Key* constants)
+#   docs/netbird-macos.mobileconfig (sample profile)
+#   docs/netbird.admx + .adml (Windows ADMX schema)
+#
+NULL='__UNSET__'
+managementURL='https://api.netbird.io:443'
+preSharedKey="$NULL"                       # secret; redacted in log
+allowServerSSH='true'
+blockInbound="$NULL"
+disableAutoConnect="$NULL"
+disableClientRoutes="$NULL"
+disableServerRoutes="$NULL"
+disableMetricsCollection="$NULL"
+disableUpdateSettings="$NULL"
+disableProfiles="$NULL"
+disableNetworks="$NULL"
+rosenpassEnabled="$NULL"
+rosenpassPermissive="$NULL"
+wireguardPort='51820'
+splitTunnelMode="$NULL"                    # "allow" or "disallow", Android-only at the daemon level
+splitTunnelApps="$NULL"                    # comma-separated app IDs, Android-only
+##############################################################################
+
+readonly PLIST_DIR='/Library/Managed Preferences'
+readonly PLIST_PATH="$PLIST_DIR/io.netbird.client.plist"
+readonly LOG_TAG='netbird-mdm'
+
+log() {
+  /usr/bin/logger -t "$LOG_TAG" "$*"
+  printf '%s [%s] %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$LOG_TAG" "$*"
+}
+
+is_set() {
+  [[ -n "$1" && "$1" != "$NULL" ]]
+}
+
+start_plist() {
+  cat > "$PLIST_PATH.tmp" <<'EOF'
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+EOF
+}
+
+end_plist() {
+  cat >> "$PLIST_PATH.tmp" <<'EOF'
+</dict>
+</plist>
+EOF
+}
+
+emit_string() {
+  local key="$1" value="$2" log_value="$2"
+  # Escape XML entities in the value
+  local escaped
+  escaped="$(printf '%s' "$value" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g')"
+  printf '    <key>%s</key>\n    <string>%s</string>\n' "$key" "$escaped" >> "$PLIST_PATH.tmp"
+  if [[ "$key" == "preSharedKey" ]]; then
+    log_value='********** (secret)'
+  fi
+  log "set $key = $log_value"
+}
+
+emit_bool() {
+  local key="$1" value="$2"
+  local xml_bool
+  case "$value" in
+    true|True|TRUE|1|yes)  xml_bool='<true/>'  ; value='true'  ;;
+    false|False|FALSE|0|no) xml_bool='<false/>' ; value='false' ;;
+    *) log "invalid boolean for $key: $value (must be true/false); skipping"; return ;;
+  esac
+  printf '    <key>%s</key>\n    %s\n' "$key" "$xml_bool" >> "$PLIST_PATH.tmp"
+  log "set $key = $value"
+}
+
+emit_int() {
+  local key="$1" value="$2"
+  if ! [[ "$value" =~ ^[0-9]+$ ]]; then
+    log "invalid integer for $key: $value (must be decimal); skipping"
+    return
+  fi
+  printf '    <key>%s</key>\n    <integer>%s</integer>\n' "$key" "$value" >> "$PLIST_PATH.tmp"
+  log "set $key = $value"
+}
+
+main() {
+  log "applying NetBird MDM policy to $PLIST_PATH"
+  /bin/mkdir -p "$PLIST_DIR"
+  start_plist
+
+  is_set "$managementURL"             && emit_string  managementURL             "$managementURL"
+  is_set "$preSharedKey"              && emit_string  preSharedKey              "$preSharedKey"
+  is_set "$allowServerSSH"            && emit_bool    allowServerSSH            "$allowServerSSH"
+  is_set "$blockInbound"              && emit_bool    blockInbound              "$blockInbound"
+  is_set "$disableAutoConnect"        && emit_bool    disableAutoConnect        "$disableAutoConnect"
+  is_set "$disableClientRoutes"       && emit_bool    disableClientRoutes       "$disableClientRoutes"
+  is_set "$disableServerRoutes"       && emit_bool    disableServerRoutes       "$disableServerRoutes"
+  is_set "$disableMetricsCollection"  && emit_bool    disableMetricsCollection  "$disableMetricsCollection"
+  is_set "$disableUpdateSettings"     && emit_bool    disableUpdateSettings     "$disableUpdateSettings"
+  is_set "$disableProfiles"           && emit_bool    disableProfiles           "$disableProfiles"
+  is_set "$disableNetworks"           && emit_bool    disableNetworks           "$disableNetworks"
+  is_set "$rosenpassEnabled"          && emit_bool    rosenpassEnabled          "$rosenpassEnabled"
+  is_set "$rosenpassPermissive"       && emit_bool    rosenpassPermissive       "$rosenpassPermissive"
+  is_set "$wireguardPort"             && emit_int     wireguardPort             "$wireguardPort"
+  is_set "$splitTunnelMode"           && emit_string  splitTunnelMode           "$splitTunnelMode"
+  is_set "$splitTunnelApps"           && emit_string  splitTunnelApps           "$splitTunnelApps"
+
+  end_plist
+
+  if ! /usr/bin/plutil -lint "$PLIST_PATH.tmp" >/dev/null 2>&1; then
+    log "ERROR: generated plist failed plutil lint; not installing"
+    /usr/bin/plutil -lint "$PLIST_PATH.tmp" >&2 || true
+    /bin/rm -f "$PLIST_PATH.tmp"
+    exit 1
+  fi
+
+  /bin/mv -f "$PLIST_PATH.tmp" "$PLIST_PATH"
+  /usr/sbin/chown root:wheel "$PLIST_PATH"
+  /bin/chmod 644 "$PLIST_PATH"
+
+  log "policy installed; NetBird daemon will pick it up within the next 1-minute reload tick"
+
+  # Optional: kick the daemon for an immediate apply. Safe — does
+  # nothing on a host where NetBird is not yet installed.
+  /bin/launchctl kickstart -k system/io.netbird.client 2>/dev/null || true
+}
+
+main "$@"
--- a/docs/netbird-macos.mobileconfig
+++ b/docs/netbird-macos.mobileconfig
@@ -0,0 +1,159 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<!--
+    NetBird MDM configuration profile (macOS).
+
+    Wraps a `com.apple.ManagedClient.preferences` payload that pushes the
+    NetBird MDM policy into:
+        /Library/Managed Preferences/io.netbird.client.plist
+
+    Read at runtime by the netbird daemon's macOS loader
+    (client/mdm/policy_darwin.go — Phase 2). Key names match the canonical
+    lowerCamelCase form used in docs/netbird.admx and the mdm.Key*
+    constants in client/mdm/policy.go.
+
+    Bundle identifier: io.netbird.client
+        (confirm against the signed pkg before fleet roll-out)
+
+    Distribution:
+      - sign with `productsign --sign "Developer ID Installer: ..." ...`
+        before fleet roll-out (Apple-Configurator-2 won't install an
+        unsigned profile on Sonoma+ without user override).
+      - For local dev install: `sudo profiles install -path netbird-macos.mobileconfig`.
+      - For MDM (Jamf/Kandji/Mosyle/Intune): upload as a Custom Profile.
+
+    Editing:
+      - Replace UUID placeholders below with fresh UUIDs (`uuidgen` on
+        macOS) when forking this template for a real fleet — each
+        deployment should have unique UUIDs so the OS treats it as a
+        distinct profile.
+      - Tune the PayloadContent values to the policy you want to enforce.
+      - Remove any key you do NOT want to enforce (the daemon treats an
+        absent key as "no enforcement" for that field).
+
+    iOS note:
+      This file is macOS-specific. iOS uses managed app config via
+      UserDefaults[com.apple.configuration.managed] under a different
+      payload type (com.apple.app.configuration.managed); the wrapper
+      structure is the same but the inner payload dictionary differs.
+      See docs/netbird-ios.mobileconfig (Phase 5) when shipped.
+-->
+<plist version="1.0">
+<dict>
+    <!-- Outer profile envelope -->
+    <key>PayloadType</key>
+    <string>Configuration</string>
+    <key>PayloadVersion</key>
+    <integer>1</integer>
+    <key>PayloadIdentifier</key>
+    <string>io.netbird.client.mdm</string>
+    <key>PayloadUUID</key>
+    <string>11111111-1111-1111-1111-111111111111</string>
+    <key>PayloadDisplayName</key>
+    <string>NetBird MDM Policy</string>
+    <key>PayloadDescription</key>
+    <string>Enforces NetBird client configuration. Values written here override any local user / CLI / on-disk setting and are re-applied at every daemon boot and on every 1-minute MDM reload tick.</string>
+    <key>PayloadOrganization</key>
+    <string>NetBird</string>
+    <key>PayloadScope</key>
+    <string>System</string>
+    <key>PayloadRemovalDisallowed</key>
+    <false/>
+
+    <key>PayloadContent</key>
+    <array>
+        <dict>
+            <!-- Managed preferences payload: writes /Library/Managed Preferences/io.netbird.client.plist -->
+            <key>PayloadType</key>
+            <string>com.apple.ManagedClient.preferences</string>
+            <key>PayloadVersion</key>
+            <integer>1</integer>
+            <key>PayloadIdentifier</key>
+            <string>io.netbird.client.mdm.preferences</string>
+            <key>PayloadUUID</key>
+            <string>22222222-2222-2222-2222-222222222222</string>
+            <key>PayloadDisplayName</key>
+            <string>NetBird Managed Preferences</string>
+            <key>PayloadEnabled</key>
+            <true/>
+
+            <key>PayloadContent</key>
+            <dict>
+                <key>io.netbird.client</key>
+                <dict>
+                    <key>Forced</key>
+                    <array>
+                        <dict>
+                            <key>mcx_preference_settings</key>
+                            <dict>
+
+                                <!-- ===== Identity / auth (strings) ===== -->
+                                <key>managementURL</key>
+                                <string>https://api.netbird.io:443</string>
+
+                                <!-- Pre-shared key: secret. Remove the entry entirely
+                                     when not used; do NOT leave an empty string. -->
+                                <!--
+                                <key>preSharedKey</key>
+                                <string>REPLACE_ME</string>
+                                -->
+
+                                <!-- ===== Engine / runtime behavior (bool) =====
+                                     Remove any key to leave the field unmanaged. -->
+                                <!--
+                                <key>disableAutoConnect</key>
+                                <false/>
+                                <key>disableClientRoutes</key>
+                                <false/>
+                                <key>disableServerRoutes</key>
+                                <false/>
+                                <key>blockInbound</key>
+                                <false/>
+                                -->
+                                <key>allowServerSSH</key>
+                                <true/>
+                                <!--
+                                <key>rosenpassEnabled</key>
+                                <true/>
+                                <key>rosenpassPermissive</key>
+                                <false/>
+                                -->
+
+                                <!-- ===== WireGuard UDP port (int) =====
+                                     Range 1-65535. Omit to keep the default. -->
+                                <!--
+                                <key>wireguardPort</key>
+                                <integer>51820</integer>
+                                -->
+
+                                <!-- ===== Split tunnel (Android-only at the daemon level)
+                                     Pushed harmlessly on macOS for fleets with mixed
+                                     desktop+mobile devices; the macOS daemon ignores it. -->
+                                <!--
+                                <key>splitTunnelMode</key>
+                                <string>allow</string>
+                                <key>splitTunnelApps</key>
+                                <string>com.acme.app1,com.acme.app2</string>
+                                -->
+
+                                <!-- ===== UI / kill switches (bool) ===== -->
+                                <!--
+                                <key>disableUpdateSettings</key>
+                                <true/>
+                                <key>disableProfiles</key>
+                                <true/>
+                                <key>disableNetworks</key>
+                                <true/>
+                                <key>disableMetricsCollection</key>
+                                <false/>
+                                -->
+
+                            </dict>
+                        </dict>
+                    </array>
+                </dict>
+            </dict>
+        </dict>
+    </array>
+</dict>
+</plist>
--- a/docs/netbird-policy.reg
+++ b/docs/netbird-policy.reg
--- a/docs/netbird-policy.reg.ps1
+++ b/docs/netbird-policy.reg.ps1
@@ -0,0 +1,94 @@
+#requires -Version 5.1
+<#
+.SYNOPSIS
+  Push the NetBird MDM policy to a Windows device via JumpCloud Commands
+  by importing a sidecar netbird-policy.reg file.
+
+.DESCRIPTION
+  Windows counterpart of docs/macos-netbird-mdm.sh. Outcome:
+  HKLM\Software\Policies\NetBird populated from the attached
+  netbird-policy.reg file, daemon picks up the change via the
+  1-minute MDM reload ticker.
+
+  Deployment:
+    1. Admin Console -> Device Management -> Commands -> +.
+    2. Type: Windows PowerShell. Run as: SYSTEM.
+    3. Paste this file verbatim into the command body.
+    4. In the same command, attach `netbird-policy.reg` as a file.
+       JumpCloud copies attached files into the command's working
+       directory before invoking the script, so `$PSScriptRoot` or
+       Get-Location resolves to where the .reg lives.
+    5. Bind to the target system group, save, run.
+
+  Producing the .reg file:
+    On a reference machine, after configuring the policy values either
+    via gpedit (GPO) or manual `reg add`, export with:
+
+        reg export "HKLM\Software\Policies\NetBird" netbird-policy.reg /y
+
+    Then attach the resulting file to the JumpCloud command.
+
+  Semantics:
+    - The script nukes the existing HKLM\Software\Policies\NetBird key
+      before importing the .reg, so the .reg is the SINGLE SOURCE OF
+      TRUTH. Any value present in the registry but absent from the .reg
+      is removed. This is what an MDM admin almost always wants.
+    - Setting the .reg to an empty (header-only) file effectively unsets
+      the policy.
+
+  Idempotency: re-running the script with the same .reg is a no-op from
+  the daemon's perspective (values identical → 1-min ticker sees no
+  diff → engine not restarted).
+
+  Exit codes: 0 = success; 1 = .reg missing or reg.exe error.
+#>
+
+$ErrorActionPreference = "Stop"
+
+$RegFileName = "netbird-policy.reg"
+$RegKey      = "HKLM\Software\Policies\NetBird"
+
+# Resolve the attached .reg file: JumpCloud copies command attachments
+# into C:\Windows\Temp\ before invoking the script. Cwd / $PSScriptRoot
+# fallbacks cover the local-dev case where you might dot-source this
+# from elsewhere.
+$candidates = @(
+    (Join-Path "$env:WINDIR\Temp" $RegFileName)
+    (Join-Path (Get-Location)     $RegFileName)
+    (Join-Path $PSScriptRoot      $RegFileName)
+) | Where-Object { Test-Path $_ }
+
+if ($candidates.Count -eq 0) {
+    Write-Error "[netbird-mdm] $RegFileName not found in working directory or `$PSScriptRoot. Attach the file to the JumpCloud command."
+    exit 1
+}
+$regFile = $candidates[0]
+Write-Host "[netbird-mdm] using $regFile"
+
+# Wipe the existing policy key so the .reg is authoritative.
+$existed = Test-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\NetBird"
+if ($existed) {
+    & reg.exe delete $RegKey /f | Out-Null
+    if ($LASTEXITCODE -ne 0) {
+        Write-Error "[netbird-mdm] failed to clear $RegKey before import (exit $LASTEXITCODE)"
+        exit 1
+    }
+    Write-Host "[netbird-mdm] cleared previous values under $RegKey"
+}
+
+# Import. reg.exe writes both data and (re-)creates the key if needed.
+& reg.exe import $regFile
+if ($LASTEXITCODE -ne 0) {
+    Write-Error "[netbird-mdm] reg import failed (exit $LASTEXITCODE)"
+    exit 1
+}
+
+# Audit dump so the JumpCloud per-execution log captures the applied state.
+Write-Host "[netbird-mdm] final policy state under $RegKey :"
+& reg.exe query $RegKey /s
+
+# Daemon's 1-min reload ticker picks up the change automatically.
+# Uncomment to force immediate convergence (skips the ticker wait):
+#   Restart-Service netbird -Force -ErrorAction SilentlyContinue
+
+exit 0
--- a/docs/netbird.adml
+++ b/docs/netbird.adml
@@ -0,0 +1,95 @@
+<?xml version="1.0" encoding="utf-8"?>
+<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+                           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                           revision="1.0"
+                           schemaVersion="1.0"
+                           xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
+  <displayName>NetBird Client Policies</displayName>
+  <description>Group Policy template for NetBird client MDM-managed settings. Values are written under HKLM\Software\Policies\NetBird and consumed by the netbird daemon at startup and every 1-minute reload tick.</description>
+  <resources>
+    <stringTable>
+
+      <!-- Categories -->
+      <string id="NetBird_Category">NetBird</string>
+      <string id="SUPPORTED_NetBird_All">NetBird Client 0.40+</string>
+
+      <!-- Identity / auth -->
+      <string id="ManagementURL_Name">Management URL</string>
+      <string id="ManagementURL_Help">URL of the NetBird management server. Format: https://host[:port]. When set, users cannot override this value via UI or CLI.</string>
+
+      <string id="PreSharedKey_Name">Pre-shared key</string>
+      <string id="PreSharedKey_Help">WireGuard pre-shared key used as an additional symmetric secret on every peer-to-peer tunnel. Secret value.</string>
+
+      <!-- Settings: engine / runtime behavior -->
+      <string id="DisableAutoConnect_Name">Disable auto-connect</string>
+      <string id="DisableAutoConnect_Help">When enabled, the NetBird tunnel does not auto-connect at daemon startup. Equivalent to --disable-auto-connect.</string>
+
+      <string id="DisableClientRoutes_Name">Disable client routes</string>
+      <string id="DisableClientRoutes_Help">When enabled, this client will not consume routes advertised by routing peers. Equivalent to --disable-client-routes.</string>
+
+      <string id="DisableServerRoutes_Name">Disable server routes</string>
+      <string id="DisableServerRoutes_Help">When enabled, this client will not act as a routing peer for other clients. Equivalent to --disable-server-routes.</string>
+
+      <string id="BlockInbound_Name">Block inbound</string>
+      <string id="BlockInbound_Help">When enabled, the client firewall blocks all inbound peer traffic on the WireGuard interface. Equivalent to --block-inbound.</string>
+
+      <string id="AllowServerSSH_Name">Allow server SSH</string>
+      <string id="AllowServerSSH_Help">When enabled, this client accepts incoming SSH sessions via NetBird SSH. Equivalent to --allow-server-ssh.</string>
+
+      <string id="RosenpassEnabled_Name">Enable Rosenpass</string>
+      <string id="RosenpassEnabled_Help">Enables Rosenpass post-quantum key exchange on WireGuard tunnels. Both peers must support it.</string>
+
+      <string id="RosenpassPermissive_Name">Rosenpass permissive</string>
+      <string id="RosenpassPermissive_Help">When enabled, the client falls back to plain WireGuard if a peer does not support Rosenpass; otherwise it refuses the connection.</string>
+
+      <string id="WireguardPort_Name">WireGuard port</string>
+      <string id="WireguardPort_Help">UDP port used by the local WireGuard interface. Allowed range: 1-65535.</string>
+
+      <string id="SplitTunnel_Name">Split tunnel</string>
+      <string id="SplitTunnel_Help">Restrict the NetBird tunnel to or from a chosen list of application package names. Choose either the allow mode (only the listed apps route through NetBird) or the disallow mode (the listed apps bypass NetBird; everything else routes through). The mode is mutually exclusive — only one can be active at a time. Android-only at the daemon level; Windows/macOS/iOS clients ignore this policy.</string>
+      <string id="SplitTunnel_Allow">Allow only listed apps (everything else bypasses)</string>
+      <string id="SplitTunnel_Disallow">Disallow listed apps (everything else routes)</string>
+
+      <!-- UI -->
+      <string id="DisableUpdateSettings_Name">Disable update settings</string>
+      <string id="DisableUpdateSettings_Help">When enabled, blocks every configuration change from the client UI and from the CLI (netbird up / login / setconfig). The Settings view stays viewable but read-only. Equivalent to --disable-update-settings.</string>
+
+      <string id="DisableProfiles_Name">Disable profiles</string>
+      <string id="DisableProfiles_Help">When enabled, the client UI/CLI cannot list, create, switch or remove NetBird connection profiles. Equivalent to --disable-profiles.</string>
+
+      <string id="DisableNetworks_Name">Disable networks</string>
+      <string id="DisableNetworks_Help">When enabled, the client UI/CLI cannot list, select or deselect NetBird networks (the corresponding daemon RPCs return Unavailable). Equivalent to --disable-networks.</string>
+
+      <string id="DisableMetricsCollection_Name">Disable metrics collection</string>
+      <string id="DisableMetricsCollection_Help">When enabled, the client does not collect or report local usage metrics.</string>
+
+    </stringTable>
+    <presentationTable>
+
+      <presentation id="ManagementURL_Pres">
+        <textBox refId="ManagementURL_Text">
+          <label>Management URL:</label>
+          <defaultValue>https://api.netbird.io:443</defaultValue>
+        </textBox>
+      </presentation>
+
+      <presentation id="PreSharedKey_Pres">
+        <textBox refId="PreSharedKey_Text">
+          <label>Pre-shared key:</label>
+        </textBox>
+      </presentation>
+
+      <presentation id="WireguardPort_Pres">
+        <decimalTextBox refId="WireguardPort_Decimal" defaultValue="51820">WireGuard UDP port:</decimalTextBox>
+      </presentation>
+
+      <presentation id="SplitTunnel_Pres">
+        <dropdownList refId="SplitTunnel_Mode" defaultItem="0">Mode:</dropdownList>
+        <textBox refId="SplitTunnel_Apps">
+          <label>Package names (comma-separated):</label>
+        </textBox>
+      </presentation>
+
+    </presentationTable>
+  </resources>
+</policyDefinitionResources>
--- a/docs/netbird.admx
+++ b/docs/netbird.admx
@@ -0,0 +1,223 @@
+<?xml version="1.0" encoding="utf-8"?>
+<policyDefinitions xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                   revision="1.0"
+                   schemaVersion="1.0"
+                   xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
+  <policyNamespaces>
+    <target prefix="netbird" namespace="NetBird.Policies.Client" />
+  </policyNamespaces>
+  <resources minRequiredRevision="1.0" />
+  <supportedOn>
+    <definitions>
+      <definition name="SUPPORTED_NetBird_All" displayName="$(string.SUPPORTED_NetBird_All)" />
+    </definitions>
+  </supportedOn>
+  <categories>
+    <category name="NetBird" displayName="$(string.NetBird_Category)" />
+  </categories>
+  <policies>
+
+    <!-- ============================================================ -->
+    <!-- TOP-LEVEL: foundational identity / authentication              -->
+    <!-- ============================================================ -->
+
+    <policy name="ManagementURL"
+            class="Machine"
+            displayName="$(string.ManagementURL_Name)"
+            explainText="$(string.ManagementURL_Help)"
+            key="Software\Policies\NetBird"
+            presentation="$(presentation.ManagementURL_Pres)">
+      <parentCategory ref="NetBird" />
+      <supportedOn ref="SUPPORTED_NetBird_All" />
+      <elements>
+        <text id="ManagementURL_Text" valueName="ManagementURL" required="true" />
+      </elements>
+    </policy>
+
+    <policy name="PreSharedKey"
+            class="Machine"
+            displayName="$(string.PreSharedKey_Name)"
+            explainText="$(string.PreSharedKey_Help)"
+            key="Software\Policies\NetBird"
+            presentation="$(presentation.PreSharedKey_Pres)">
+      <parentCategory ref="NetBird" />
+      <supportedOn ref="SUPPORTED_NetBird_All" />
+      <elements>
+        <text id="PreSharedKey_Text" valueName="PreSharedKey" />
+      </elements>
+    </policy>
+
+    <!-- ============================================================ -->
+    <!-- SETTINGS: engine / runtime / connection behavior              -->
+    <!-- ============================================================ -->
+
+    <policy name="DisableAutoConnect"
+            class="Machine"
+            displayName="$(string.DisableAutoConnect_Name)"
+            explainText="$(string.DisableAutoConnect_Help)"
+            key="Software\Policies\NetBird"
+            valueName="DisableAutoConnect">
+      <parentCategory ref="NetBird" />
+      <supportedOn ref="SUPPORTED_NetBird_All" />
+      <enabledValue><decimal value="1" /></enabledValue>
+      <disabledValue><decimal value="0" /></disabledValue>
+    </policy>
+
+    <policy name="DisableClientRoutes"
+            class="Machine"
+            displayName="$(string.DisableClientRoutes_Name)"
+            explainText="$(string.DisableClientRoutes_Help)"
+            key="Software\Policies\NetBird"
+            valueName="DisableClientRoutes">
+      <parentCategory ref="NetBird" />
+      <supportedOn ref="SUPPORTED_NetBird_All" />
+      <enabledValue><decimal value="1" /></enabledValue>
+      <disabledValue><decimal value="0" /></disabledValue>
+    </policy>
+
+    <policy name="DisableServerRoutes"
+            class="Machine"
+            displayName="$(string.DisableServerRoutes_Name)"
+            explainText="$(string.DisableServerRoutes_Help)"
+            key="Software\Policies\NetBird"
+            valueName="DisableServerRoutes">
+      <parentCategory ref="NetBird" />
+      <supportedOn ref="SUPPORTED_NetBird_All" />
+      <enabledValue><decimal value="1" /></enabledValue>
+      <disabledValue><decimal value="0" /></disabledValue>
+    </policy>
+
+    <policy name="BlockInbound"
+            class="Machine"
+            displayName="$(string.BlockInbound_Name)"
+            explainText="$(string.BlockInbound_Help)"
+            key="Software\Policies\NetBird"
+            valueName="BlockInbound">
+      <parentCategory ref="NetBird" />
+      <supportedOn ref="SUPPORTED_NetBird_All" />
+      <enabledValue><decimal value="1" /></enabledValue>
+      <disabledValue><decimal value="0" /></disabledValue>
+    </policy>
+
+    <policy name="AllowServerSSH"
+            class="Machine"
+            displayName="$(string.AllowServerSSH_Name)"
+            explainText="$(string.AllowServerSSH_Help)"
+            key="Software\Policies\NetBird"
+            valueName="AllowServerSSH">
+      <parentCategory ref="NetBird" />
+      <supportedOn ref="SUPPORTED_NetBird_All" />
+      <enabledValue><decimal value="1" /></enabledValue>
+      <disabledValue><decimal value="0" /></disabledValue>
+    </policy>
+
+    <policy name="RosenpassEnabled"
+            class="Machine"
+            displayName="$(string.RosenpassEnabled_Name)"
+            explainText="$(string.RosenpassEnabled_Help)"
+            key="Software\Policies\NetBird"
+            valueName="RosenpassEnabled">
+      <parentCategory ref="NetBird" />
+      <supportedOn ref="SUPPORTED_NetBird_All" />
+      <enabledValue><decimal value="1" /></enabledValue>
+      <disabledValue><decimal value="0" /></disabledValue>
+    </policy>
+
+    <policy name="RosenpassPermissive"
+            class="Machine"
+            displayName="$(string.RosenpassPermissive_Name)"
+            explainText="$(string.RosenpassPermissive_Help)"
+            key="Software\Policies\NetBird"
+            valueName="RosenpassPermissive">
+      <parentCategory ref="NetBird" />
+      <supportedOn ref="SUPPORTED_NetBird_All" />
+      <enabledValue><decimal value="1" /></enabledValue>
+      <disabledValue><decimal value="0" /></disabledValue>
+    </policy>
+
+    <policy name="WireguardPort"
+            class="Machine"
+            displayName="$(string.WireguardPort_Name)"
+            explainText="$(string.WireguardPort_Help)"
+            key="Software\Policies\NetBird"
+            presentation="$(presentation.WireguardPort_Pres)">
+      <parentCategory ref="NetBird" />
+      <supportedOn ref="SUPPORTED_NetBird_All" />
+      <elements>
+        <decimal id="WireguardPort_Decimal" valueName="WireguardPort"
+                 minValue="1" maxValue="65535" required="true" />
+      </elements>
+    </policy>
+
+    <policy name="SplitTunnel"
+            class="Machine"
+            displayName="$(string.SplitTunnel_Name)"
+            explainText="$(string.SplitTunnel_Help)"
+            key="Software\Policies\NetBird"
+            presentation="$(presentation.SplitTunnel_Pres)">
+      <parentCategory ref="NetBird" />
+      <supportedOn ref="SUPPORTED_NetBird_All" />
+      <elements>
+        <enum id="SplitTunnel_Mode" valueName="SplitTunnelMode" required="true">
+          <item displayName="$(string.SplitTunnel_Allow)"><value><string>allow</string></value></item>
+          <item displayName="$(string.SplitTunnel_Disallow)"><value><string>disallow</string></value></item>
+        </enum>
+        <text id="SplitTunnel_Apps" valueName="SplitTunnelApps" required="true" />
+      </elements>
+    </policy>
+
+    <!-- ============================================================ -->
+    <!-- UI: visibility / UX kill switches                             -->
+    <!-- ============================================================ -->
+
+    <policy name="DisableUpdateSettings"
+            class="Machine"
+            displayName="$(string.DisableUpdateSettings_Name)"
+            explainText="$(string.DisableUpdateSettings_Help)"
+            key="Software\Policies\NetBird"
+            valueName="DisableUpdateSettings">
+      <parentCategory ref="NetBird" />
+      <supportedOn ref="SUPPORTED_NetBird_All" />
+      <enabledValue><decimal value="1" /></enabledValue>
+      <disabledValue><decimal value="0" /></disabledValue>
+    </policy>
+
+    <policy name="DisableProfiles"
+            class="Machine"
+            displayName="$(string.DisableProfiles_Name)"
+            explainText="$(string.DisableProfiles_Help)"
+            key="Software\Policies\NetBird"
+            valueName="DisableProfiles">
+      <parentCategory ref="NetBird" />
+      <supportedOn ref="SUPPORTED_NetBird_All" />
+      <enabledValue><decimal value="1" /></enabledValue>
+      <disabledValue><decimal value="0" /></disabledValue>
+    </policy>
+
+    <policy name="DisableNetworks"
+            class="Machine"
+            displayName="$(string.DisableNetworks_Name)"
+            explainText="$(string.DisableNetworks_Help)"
+            key="Software\Policies\NetBird"
+            valueName="DisableNetworks">
+      <parentCategory ref="NetBird" />
+      <supportedOn ref="SUPPORTED_NetBird_All" />
+      <enabledValue><decimal value="1" /></enabledValue>
+      <disabledValue><decimal value="0" /></disabledValue>
+    </policy>
+
+    <policy name="DisableMetricsCollection"
+            class="Machine"
+            displayName="$(string.DisableMetricsCollection_Name)"
+            explainText="$(string.DisableMetricsCollection_Help)"
+            key="Software\Policies\NetBird"
+            valueName="DisableMetricsCollection">
+      <parentCategory ref="NetBird" />
+      <supportedOn ref="SUPPORTED_NetBird_All" />
+      <enabledValue><decimal value="1" /></enabledValue>
+      <disabledValue><decimal value="0" /></disabledValue>
+    </policy>
+
+  </policies>
+</policyDefinitions>
--- a/go.mod
+++ b/go.mod
@@ -24,13 +24,13 @@ require (
 	golang.zx2c4.com/wireguard/windows v0.5.3
 	google.golang.org/grpc v1.80.0
 	google.golang.org/protobuf v1.36.11
-	gopkg.in/natefinch/lumberjack.v2 v2.2.1
 )

 require (
 	fyne.io/fyne/v2 v2.7.0
 	fyne.io/systray v1.12.1-0.20260116214250-81f8e1a496f9
 	git.sr.ht/~jackmordaunt/go-toast/v2 v2.0.3
+	github.com/DeRuina/timberjack v1.4.2
 	github.com/awnumar/memguard v0.23.0
 	github.com/aws/aws-sdk-go-v2 v1.38.3
 	github.com/aws/aws-sdk-go-v2/config v1.31.6
@@ -328,6 +328,7 @@ require (
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
+	howett.net/plist v1.0.1 // indirect
 	rsc.io/qr v0.2.0 // indirect
 )

--- a/go.sum
+++ b/go.sum
@@ -29,6 +29,8 @@ github.com/Azure/go-ntlmssp v0.1.0 h1:DjFo6YtWzNqNvQdrwEyr/e4nhU3vRiwenz5QX7sFz+
 github.com/Azure/go-ntlmssp v0.1.0/go.mod h1:NYqdhxd/8aAct/s4qSYZEerdPuH1liG2/X9DiVTbhpk=
 github.com/BurntSushi/toml v1.5.0 h1:W5quZX/G/csjUnuI8SUYlsHs9M38FC7znL0lIO+DvMg=
 github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
+github.com/DeRuina/timberjack v1.4.2 h1:4bKlzhKdsR+2oNkgef9mqb4n11ICow8VK88RfzJPzN8=
+github.com/DeRuina/timberjack v1.4.2/go.mod h1:RLoeQrwrCGIEF8gO5nV5b/gMD0QIy7bzQhBUgpp1EqE=
 github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI=
 github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
 github.com/Masterminds/semver/v3 v3.3.0 h1:B8LGeaivUe71a5qox1ICM/JLl0NqZSW5CHyL+hmvYS0=
@@ -378,6 +380,7 @@ github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZ
 github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
 github.com/jeandeaual/go-locale v0.0.0-20250612000132-0ef82f21eade h1:FmusiCI1wHw+XQbvL9M+1r/C3SPqKrmBaIOYwVfQoDE=
 github.com/jeandeaual/go-locale v0.0.0-20250612000132-0ef82f21eade/go.mod h1:ZDXo8KHryOWSIqnsb/CiDq7hQUYryCgdVnxbj8tDG7o=
+github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
 github.com/jinzhu/inflection v1.0.0 h1:K317FqzuhWc8YvSVlFMCCUb36O/S9MCKRDI7QkRKD/E=
 github.com/jinzhu/inflection v1.0.0/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkryuEj+Srlc=
 github.com/jinzhu/now v1.1.5 h1:/o9tlHleP7gOFmsnYNz3RGnqzefHA47wQpKrrdTIwXQ=
@@ -940,12 +943,11 @@ gopkg.in/go-playground/assert.v1 v1.2.1/go.mod h1:9RXL0bg/zibRAgZUYszZSwO/z8Y/a8
 gopkg.in/go-playground/validator.v9 v9.29.1/go.mod h1:+c9/zcJMFNgbLvly1L1V+PpxWdVbfP1avr/N00E2vyQ=
 gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA=
 gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
-gopkg.in/natefinch/lumberjack.v2 v2.2.1 h1:bBRl1b0OH9s/DuPhuXpNl+VtCaJXFZ5/uEFST95x9zc=
-gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc=
 gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI=
 gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
+gopkg.in/yaml.v1 v1.0.0-20140924161607-9f9df34309c0/go.mod h1:WDnlLJ4WF5VGsH/HVa3CI79GS0ol3YnhVnKP89i0kNg=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
@@ -968,5 +970,7 @@ gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU=
 gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU=
 gvisor.dev/gvisor v0.0.0-20260219192049-0f2374377e89 h1:mGJaeA61P8dEHTqdvAgc70ZIV3QoUoJcXCRyyjO26OA=
 gvisor.dev/gvisor v0.0.0-20260219192049-0f2374377e89/go.mod h1:QkHjoMIBaYtpVufgwv3keYAbln78mBoCuShZrPrer1Q=
+howett.net/plist v1.0.1 h1:37GdZ8tP09Q35o9ych3ehygcsL+HqKSwzctveSlarvM=
+howett.net/plist v1.0.1/go.mod h1:lqaXoTrLY4hg8tnEzNru53gicrbv7rrk+2xJA/7hw9g=
 rsc.io/qr v0.2.0 h1:6vBLea5/NRMVTz8V66gipeLycZMl/+UlFmk8DvqQ6WY=
 rsc.io/qr v0.2.0/go.mod h1:IF+uZjkb9fqyeF/4tlBoynqmQxUoPfWEKh921coOuXs=
--- a/infrastructure_files/getting-started.sh
+++ b/infrastructure_files/getting-started.sh
@@ -311,11 +311,12 @@ initialize_default_values() {
  NETBIRD_STUN_PORT=3478

  # Docker images
-  DASHBOARD_IMAGE="netbirdio/dashboard:latest"
+  DASHBOARD_IMAGE=${DASHBOARD_IMAGE:-"netbirdio/dashboard:latest"}
  # Combined server replaces separate signal, relay, and management containers
-  NETBIRD_SERVER_IMAGE="netbirdio/netbird-server:latest"
-  NETBIRD_PROXY_IMAGE="netbirdio/reverse-proxy:latest"
-
+  NETBIRD_SERVER_IMAGE=${NETBIRD_SERVER_IMAGE:-"netbirdio/netbird-server:latest"}
+  NETBIRD_PROXY_IMAGE=${NETBIRD_PROXY_IMAGE:-"netbirdio/reverse-proxy:latest"}
+  TRAEFIK_IMAGE=${TRAEFIK_IMAGE:-"traefik:v3.6"}
+  CROWDSEC_IMAGE=${CROWDSEC_IMAGE:-"crowdsecurity/crowdsec:v1.7.7"}
  # Reverse proxy configuration
  REVERSE_PROXY_TYPE="0"
  TRAEFIK_EXTERNAL_NETWORK=""
@@ -656,7 +657,7 @@ render_docker_compose_traefik_builtin() {
    if [[ "$ENABLE_CROWDSEC" == "true" ]]; then
      crowdsec_service="
  crowdsec:
-    image: crowdsecurity/crowdsec:v1.7.7
+    image: $CROWDSEC_IMAGE
    container_name: netbird-crowdsec
    restart: unless-stopped
    networks: [netbird]
@@ -687,7 +688,7 @@ render_docker_compose_traefik_builtin() {
 services:
  # Traefik reverse proxy (automatic TLS via Let's Encrypt)
  traefik:
-    image: traefik:v3.6
+    image: $TRAEFIK_IMAGE
    container_name: netbird-traefik
    restart: unless-stopped
    networks:
@@ -771,7 +772,7 @@ $traefik_dynamic_volume
    labels:
      - traefik.enable=true
      # gRPC router (needs h2c backend for HTTP/2 cleartext)
-      - traefik.http.routers.netbird-grpc.rule=Host(\`$NETBIRD_DOMAIN\`) && (PathPrefix(\`/signalexchange.SignalExchange/\`) || PathPrefix(\`/management.ManagementService/\`))
+      - traefik.http.routers.netbird-grpc.rule=Host(\`$NETBIRD_DOMAIN\`) && (PathPrefix(\`/signalexchange.SignalExchange/\`) || PathPrefix(\`/management.ManagementService/\`) || PathPrefix(\`/management.ProxyService/\`))
      - traefik.http.routers.netbird-grpc.entrypoints=websecure
      - traefik.http.routers.netbird-grpc.tls=true
      - traefik.http.routers.netbird-grpc.tls.certresolver=letsencrypt
--- a/management/internals/controllers/network_map/controller/controller.go
+++ b/management/internals/controllers/network_map/controller/controller.go
@@ -32,6 +32,7 @@ import (
 	"github.com/netbirdio/netbird/shared/management/proto"
 	"github.com/netbirdio/netbird/shared/management/status"
 	"github.com/netbirdio/netbird/util"
+	"github.com/netbirdio/netbird/version"
 )

 type Controller struct {
@@ -514,7 +515,7 @@ func computeForwarderPort(peers []*nbpeer.Peer, requiredVersion string) int64 {
 	for _, peer := range peers {

 		// Development version is always supported
-		if peer.Meta.WtVersion == "development" {
+		if version.IsDevelopmentVersion(peer.Meta.WtVersion) {
 			continue
 		}
 		peerVersion := semver.Canonical("v" + peer.Meta.WtVersion)
--- a/management/internals/modules/peers/manager.go
+++ b/management/internals/modules/peers/manager.go
@@ -75,7 +75,7 @@ func (m *managerImpl) SetAccountManager(accountManager account.Manager) {
 }

 func (m *managerImpl) GetPeer(ctx context.Context, accountID, userID, peerID string) (*peer.Peer, error) {
-	allowed, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Peers, operations.Read)
+	allowed, ctx, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Peers, operations.Read)
 	if err != nil {
 		return nil, fmt.Errorf("failed to validate user permissions: %w", err)
 	}
@@ -88,7 +88,7 @@ func (m *managerImpl) GetPeer(ctx context.Context, accountID, userID, peerID str
 }

 func (m *managerImpl) GetAllPeers(ctx context.Context, accountID, userID string) ([]*peer.Peer, error) {
-	allowed, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Peers, operations.Read)
+	allowed, ctx, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Peers, operations.Read)
 	if err != nil {
 		return nil, fmt.Errorf("failed to validate user permissions: %w", err)
 	}
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
riccardom	5a12364702	[PROVISIONING] ADMX/ADML/PS/bash scripts/templates	2026-06-08 18:06:02 +02:00
riccardom	b09a07023a	Tests MDM config reload via ticker	2026-06-08 18:06:02 +02:00
riccardom	61b5b6b1a1	Introduces support for darwing plist loading	2026-06-08 18:06:02 +02:00
riccardom	b8818adc41	Adds dep for reading plist files	2026-06-08 18:06:02 +02:00
riccardom	83430c39e4	[UI] Fix for "hide" not working when propagating to parent with children	2026-06-08 18:06:02 +02:00
riccardom	47d438976e	Pins feat profile retrieval to notif event	2026-06-08 18:06:02 +02:00
riccardom	3bef0fec5b	[UI] Removes --disable-advanced-settings	2026-06-08 18:06:02 +02:00
riccardom	be3fe6edd6	[PROTO] Removes --disable-advanced-settings	2026-06-08 18:06:02 +02:00
riccardom	04998f6a1c	Removes --disable-advanced-settings It was a typo in our meetings. the actual thing is --disable-update-settings	2026-06-08 18:06:02 +02:00
riccardom	e55b64f2f7	Fixup: MDM wins. always	2026-06-08 18:06:02 +02:00
riccardom	d6780522ea	[UI] Aligns to "enable/disable once on change only"	2026-06-08 18:06:02 +02:00
riccardom	01a4c245a7	Enforces disable networks	2026-06-08 18:06:02 +02:00
riccardom	6355a24deb	[UI] Fixup for profile enable/disable toggle We need to align the initial state to evaluate the delta in case. The initial state has to be "true" since the profile starts visible. Then we receive MDM and transition the cache bool value to the actual MDM imposed state	2026-06-08 18:06:02 +02:00
riccardom	3d4240b979	[UI] Fixup for preshared key	2026-06-08 18:06:02 +02:00
riccardom	2be7ef4929	[UI] Fixup advanced Settings	2026-06-08 18:06:02 +02:00
riccardom	6509174400	Evaluate disable-update-settings errors only when there's an actual override	2026-06-08 18:06:02 +02:00
riccardom	b200f47e6d	Adds Gate Login as well when --disable-update-settings=true is given to service This commit tries to settle things with an old PR-4237 which had relaxed the case where the SetConfig returned an `Unavailable` code error. Under this circumnstance the PR allowed the upFunc to just emit a warning and progress further with the login gRPC. Since the login call is consuming the --management-url coming from the `up` command, it might be possible to abuse the "Unavailable" code to inject a management URL that is different from the configured one even though the --disable-update-settings is set to true (?)	2026-06-08 18:06:02 +02:00
riccardom	1b477d39a8	Adds support for disabling of Profiles and UpdateSettings feature flags	2026-06-08 18:06:02 +02:00
riccardom	7570c5c911	Toggle gray in/out for Advanced Settings	2026-06-08 18:06:02 +02:00
riccardom	bf8c8b0ea3	Apply MDM locks	2026-06-08 18:06:02 +02:00
riccardom	362efb832c	Fixup presharedkey	2026-06-08 18:06:02 +02:00
riccardom	1543d43a20	Advanced Settings locking	2026-06-08 18:06:02 +02:00
riccardom	cee17ebc36	Lock toggle Settngs	2026-06-08 18:06:02 +02:00
riccardom	aab1a3e150	UI behavior conflicts relaxation UI sends full config snapshot with all values. It doesn't make sense to block it if the values are aligned with the values constrained by the MDM policy. It's just simplier to allow values that are compliant. (this goes for the CLI as well at this point)	2026-06-08 18:06:02 +02:00
riccardom	1100cea6a4	Add events to resync UI to actual config This also provide fixup for UI no aligning to changed config when coming from cli up with config flags.	2026-06-08 18:06:02 +02:00
riccardom	029e69279c	Publishes event for UI to sync upon MDM changes	2026-06-08 18:06:02 +02:00
riccardom	c759aed3a3	Adds also up/start after cancel	2026-06-08 18:06:02 +02:00
riccardom	c36bf3a171	Adds MDM 1m diff checker & reloader	2026-06-08 18:06:02 +02:00
riccardom	08966adf30	Adds debug config cobra command This can be useful for troubleshooting and checking config now that its resolution is not trivial defaults > config > env cars > CLI/UI > MDM	2026-06-08 18:06:02 +02:00
riccardom	0db22debaf	Prefix every log with MDM	2026-06-08 14:37:10 +02:00
riccardom	0594f76655	Adds some log	2026-06-08 14:37:10 +02:00
riccardom	5271df5962	Align split tunnel code	2026-06-08 14:37:10 +02:00
riccardom	2d7949adfe	Cleanup setupKey to align to linear	2026-06-08 14:37:10 +02:00
riccardom	451fa5e142	Adds missing WGPort config	2026-06-08 14:37:10 +02:00
riccardom	22edfdd52b	Implements windows loading of MDM policy	2026-06-08 14:37:10 +02:00
riccardom	df9e216370	MDM Name scoping for clarity	2026-06-08 14:37:10 +02:00
riccardom	293a93910e	gRPC MDM changes	2026-06-08 14:37:10 +02:00
riccardom	66e807cc05	Adds initial 101 MDM policy business logic testing	2026-06-08 14:37:10 +02:00
riccardom	5255f5111b	Add ManagedFields to returned config over GetConfig	2026-06-08 14:37:10 +02:00
riccardom	978a392453	Return error if trying to modify any config that is gated by MDM	2026-06-08 14:37:10 +02:00
riccardom	78fe7fc510	Helpers business logic	2026-06-08 14:37:10 +02:00
riccardom	3ad961c9a7	Unit tests	2026-06-08 14:37:10 +02:00
riccardom	607cb56515	Applies MDM override	2026-06-08 14:37:10 +02:00
riccardom	ce0750b73a	Initial scaffolding	2026-06-08 14:37:10 +02:00
Maycon Santos	60d2fa08b0	[client] Mask sensitive data in debug bundle creation (#6364 ) * [client] Mask sensitive data in debug bundle creation * Avoid nil reference in turn and use masked constant	2026-06-08 13:17:04 +02:00
Maycon Santos	1e7b16db0a	[management] resolve private services on custom domains in synthesized DNS zones (#6348 ) private services on a custom domain didn't resolve on clients — the synthesized DNS zone was anchored to the cluster, and the account's custom domains weren't even loaded. - account.go — SynthesizePrivateServiceZones now keys zones by a resolved apex (privateServiceDomainZone): cluster suffix → registered account.Domains (filtered by matching TargetCluster, longest wins) → skip if none. One zone per apex; custom-domain services group under their registered domain. - sql_store.go — GetAccount now loads account.Domains on both loaders (gorm Preload("Domains") + pgx goroutine via ListCustomDomains; errChan buffer bumped 12→16). This was the reason the deploy didn't work — the relation was empty in prod. - Tests — custom-domain zone synthesis cases (apex resolution, free+custom separation, sibling collapse, cluster mismatch, mixed cluster/custom/public) + GetAccount domain-preload tests on sqlite and Postgres.	2026-06-06 12:56:01 +02:00
Maycon Santos	b377d99933	[management] Copy private field on shallowCloneMapping (#6347 ) * [management] Copy private field on shallowCloneMapping added test to ensure clone handles new fields * Remove unnecessary debug logs from proxy service * Increase Wasm binary size limit to 60MB in build validation	2026-06-05 22:45:49 +02:00
Theodor Midtlien	512899d82d	[client] Prevent corruption from competing log rotation and improve debug bundle (#6214 ) * Adds heuristic to detect an edge case on Linux where a system has configured logrotate as a separate service to rotate log files which would mangle our client log files. If we detect logrotate being configured for netbird, we disable our rotation. * Adds new env var to disable log rotation: NB_LOG_DISABLE_ROTATION * Adds compressed and plain logrotate files to debug bundle. * Replaces lumberjack with timberjack (maintained fork with bug fixes and extra features). * Clarifies which daemon version is running in the bundle stats. * Change logging for client service status to console	2026-06-04 17:36:45 +02:00
Theodor Midtlien	5993ec6e43	[client] Allow wireguard port to be zero in UI and show port in status command (#6158 ) * Allow wireguard port to be set to 0 in UI * Add wireguard port to cmd status * Correct protoc version	2026-06-04 15:04:11 +02:00
Maycon Santos	eac6d501c3	[infrastructure] allow docker image overrides for getting started (#6335 ) * [infrastructure] allow docker image overrides for getting started Make dashboard and server image configurations overrideable via environment variables * [infrastructure] update Traefik gRPC rule to include ProxyService PathPrefix * make Traefik and CrowdSec images configurable via environment variables	2026-06-04 11:24:47 +02:00
Maycon Santos	deeae30612	[misc] Add Codecov integration and coverage reporting across workflows (#6333 )	2026-06-03 19:08:45 +02:00
Bethuel Mmbaga	f3cdf163e1	[management] Export ResolveDomain (#6334 )	2026-06-03 19:53:57 +03:00
Zoltan Papp	3e61ccb162	[client] Persist sync response via pluggable store (disk on iOS) (#6331 ) * Persist sync response via pluggable store (disk on iOS) The latest Management sync response (which carries the network map) was kept in memory for debug bundle generation. On memory-constrained platforms like iOS the network map can be large enough to matter. Introduce a syncstore package with a Store interface and two backends: a memory backend (the previous behavior) and a disk backend that serializes the response to a file in the state directory. The backend is selected per-platform at build time: disk on iOS, memory elsewhere. The disk store clears any leftover file on construction so a fresh store never reads stale data from an earlier run (e.g. another profile's network map). In the engine, drop the separate persistSyncResponse bool: the store is only instantiated while persistence is enabled, and its presence is what marks persistence as active. The store is also cleared on engine close so the file does not linger on disk. * syncstore: silence nilnil linter on "nothing stored" returns Get returns (nil, nil) to signal that nothing is stored, which is part of the Store contract and preserves the original behaviour. Annotate both backends with //nolint:nilnil so golangci-lint does not flag it. * syncstore: hold syncRespMux for the whole store Set/Get Both handleSync and GetLatestSyncResponse snapshotted e.syncStore under the read lock and then released it before calling Set/Get. That allowed SetSyncResponsePersistence(false) or engine close to clear the store mid-call. In particular a concurrent Clear()+nil followed by a late Set could re-create the file that was just removed, defeating the leak/lingering protection. Hold syncRespMux for the duration of the store operation in both spots so the store cannot be cleared while a Set/Get is in flight. * syncstore: avoid StateDir "." when state path is empty On mobile the state path may be empty (the engine tolerates a missing state file). filepath.Dir("") returns ".", which would make a disk-backed syncstore write into the working directory instead of letting NewDiskStore fall back to os.TempDir(). Only set engineConfig.StateDir when path is non-empty.	2026-06-03 14:18:50 +02:00
Viktor Liu	a48c20d8d8	[client] Gate DNS forwarder on BlockInbound (#6257 )	2026-06-03 11:33:29 +02:00
Riccardo Manfrin	2b57a7d43b	[client, management, misc] expose VCS revision in dev build version output (#6263 ) * Refactor to use a common checker for development version * Adds commit sha to development version for cobra command only Leave dashboard unaffected * Adjust for "v0.31.1-dev" test case which must be considered pre-release * Drop synthetic "dev"/"0.50.0-dev" firewall feature-gate fixtures These test cases encoded the loose strings.Contains(v, "dev") semantics inherited from peerSupportedFirewallFeatures, but NetbirdVersion() never produces those values — only the literal "development" (and now "development-<sha>[-dirty]") ever flows through the wire. The agent owns the semantics of an ephemeral development build, so the tests should exercise the strings we actually emit. Replaced with development, development-<sha> and development-<sha>-dirty cases that match the HasPrefix("development") predicate introduced upstream. * Remove unexistent tests on wire format The sha / dirty flag are added only when the CLI asks the version. Account versions is unaffacted and can only strictly match "development" * Adds tests for IsDevelopmentVersion	2026-06-03 08:56:50 +02:00
Maycon Santos	fa1e241aea	[management, client, proxy] Follow-up fixes for private reverse-proxy services (#6268 ) * fix(proxy): gate tunnel-peer fast-path on inbound listener marker forwardWithTunnelPeer previously accepted any RFC1918 / ULA / CGNAT source IP, so a public client whose address happened to fall in those ranges could bypass the configured operator auth scheme by colliding with a known tunnel IP. The fast-path is now gated on TunnelLookupFromContext(r.Context()) being present — that context value is attached only by the per-account inbound (overlay) listener, so the host-facing listener never enters this branch. Tests updated to reflect the new requirement: requests that don't carry the inbound marker now fall through to the regular auth flow. * fix(proxy): harden inbound listener resource + startup-ctx handling Three correctness fixes on the per-account inbound path, with tests: - Close the logrus ErrorLog PipeWriter on tearDown. WriterLevel hands back an io.PipeWriter backed by a pipe + scanner goroutine that the caller owns; the two writers per account (https + plain) were never closed, leaking the pipe and goroutine on every teardown. - Run the post-Start hooks on context.Background(). runClientStartup is launched in a goroutine from AddPeer and was inheriting the caller's request-scoped ctx, so a cancelled request could abort the inbound bring-up or fail the management status notification. The tail is split into notifyClientReady so the contract is testable. Tests cover the PipeWriter close behaviour and assert the readyHandler + NotifyStatus calls receive a non-cancelled background context. feat(proxy): short-circuit peer-own-target loops with 421 When a peer that hosts the target of a private service dials its own service URL the request was being looped through the proxy and back over WireGuard to the same peer — twice the WG round-trip for no benefit, with no signal to the caller that something was wrong. Add isSelfTargetLoop to ReverseProxy.ServeHTTP: when the request arrived on the per-account overlay listener (IsOverlayOrigin) and the source tunnel IP matches the target host, refuse the request with 421 Misdirected Request and a body pointing the operator at the backend directly. The gate is scoped to overlay origin so requests on the public listener that happen to share a source IP with the target host are forwarded normally. * fix(management): private-service validation + tunnel-IP lookup semantics - Require an explicit port for L4 cluster targets. validateL4Target exempted TargetTypeCluster from the port check, but buildPathMappings serializes every L4 target via net.JoinHostPort(host, port) — port=0 shipped a ":0" upstream. Cluster targets use the same Host/Port fields, so the same requirement applies. - GetPeerByIP returns NotFound on a tunnel-IP miss instead of mapping every error to Internal. The proxy's ValidateTunnelPeer probes IPs that legitimately aren't in the roster; the miss is expected and now distinguishable from a real store failure. - Thread ctx into getClusterCapability's gorm query so a cancelled request doesn't keep the store busy. Tests updated for the L4-cluster port requirement and the GetPeerByIP NotFound path. * fix(client): include offlinePeers in PeerStateByIP lookup ReplaceOfflinePeers moves peers into d.offlinePeers but PeerStateByIP only scanned d.peers. Callers (the local DNS filter via localPeerConnectivity, embed.Client.IdentityForIP used by the proxy's tunnel-peer validator) were treating known-but-offline peers as unknown, which: - causes the DNS filter to keep returning records pointing at peers that have no live tunnel, AND - makes the proxy's local-roster check deny a request from such a peer rather than letting the cached management RPC carry the authorisation decision. Search both slices in PeerStateByIP. Adds a unit test for the IPv4 and IPv6 offline-match paths. * fix(rest): reject empty Delete path params in reverse-proxy clients ReverseProxyClustersAPI.Delete and ReverseProxyTokensAPI.Delete passed the path parameter into url.PathEscape without an empty check. PathEscape("") returns "" which collapses the request onto the collection endpoint ("/api/reverse-proxies/clusters/" / "/api/reverse-proxies/proxy-tokens/"), so a caller bug delete with no id reached a routable URL with surprising semantics (typically 405). Short-circuit with a typed error before the request is built. Tests mount a handler on the collection path that fails the test if hit, so the regression is impossible to reintroduce silently. * chore(api,ci,docs,test): private-service schema, proto-check, fixups Non-functional cleanups and contract/CI hardening around the private-service work: API schema (openapi.yml): - Require a non-empty access_groups and mode=http when private=true, on both Service and ServiceRequest, mirroring validatePrivateRequirements. mode stays optional-but-constrained (empty defaults to http server-side), matching runtime. CI (proto-version-check.yml): - Cover renamed .pb.go files (read base via previous_filename). - Match protoc-gen-go-grpc version headers (optional "- " prefix and -gen-go-grpc suffix) so grpc-generated files are in scope. Docs / comments: - Reword Config field docs to say defaults are applied at Server.Start (initDefaults), not New. - Rename the obsolete --private-inbound flag to --private across comments and the proto doc. Pre-existing test fixups surfaced by review: - Repair the integration-tagged validate_session_test.go (SignToken signature growth + new Manager interface methods). - Fix the CI-skip boolean precedence so Windows isn't skipped unconditionally. - Guard the router.HTTPListener type assertion with comma-ok. * fix(proxy): background ctx for already-started AddPeer notification The earlier ctx fix covered the async runClientStartup path but missed the synchronous branch: when a service is added to an already-started client, AddPeer called NotifyStatus with the caller's request-scoped ctx. A cancelled request/stream could drop the connected notification to management. Use context.Background() here too, matching notifyClientReady. Extends TestNetBird_AddPeer_ExistingStartedClient_NotifiesStatus to pass a pre-cancelled caller ctx and assert the notification still ran on a non-cancelled context. * use the cmd context for roundtripper	2026-06-02 13:40:09 +02:00
Viktor Liu	e7c9182ff9	[client] Offer injected ICMPv6 echo replies to packet capture (#6321 )	2026-06-01 19:38:00 +02:00
Pascal Fischer	9189625487	[management] enrich context in permissions manager (#6286 )	2026-05-29 16:36:38 +02:00
Bethuel Mmbaga	e9dbf9db6f	[management] Extend combined server initialization (#6156 )	2026-05-29 17:35:35 +03:00
Theodor Midtlien	5a9e9e7bc9	[Infrastructure] Pin actions with SHA and improve workflows (#6249 ) * Pin actions with SHA, replace unmaintained, add dependabot for actions * Update FreeBSD to version 15 for tests * Use shared actions * Update sign-pipelines version	2026-05-29 15:24:30 +02:00
Viktor Liu	43e041cf9f	[client] Apply netroute unspecified-destination workaround on android (#6192 )	2026-05-29 15:15:22 +02:00
Viktor Liu	77e5693200	[client] Recognize NetBird DNS forwarder port in capture text format (#6177 )	2026-05-29 15:14:32 +02:00