Left-click support for linux

client/cmd/debug.go

@@ -3,14 +3,12 @@ package cmd
 import (
 	"context"
 	"fmt"
-	"os/user"
 	"strings"
 	"time"
 
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc/status"
-	"google.golang.org/protobuf/encoding/protojson"
 	"google.golang.org/protobuf/types/known/durationpb"
 
 	"github.com/netbirdio/netbird/client/internal"
@@ -87,73 +85,6 @@ var persistenceCmd = &cobra.Command{
 	RunE:    setSyncResponsePersistence,
 }
 
-var debugConfigCmd = &cobra.Command{
-	Use:     "config",
-	Example: "  netbird debug config",
-	Short:   "Dump the effective configuration",
-	Long:    "Prints the daemon's resolved configuration (after applying defaults, file, env, CLI input, and MDM policy overrides) as JSON. Includes the list of MDM-managed fields.",
-	RunE:    debugConfigDump,
-}
-
-// debugConfigDump implements `netbird debug config`. It resolves the
-// active profile, queries the daemon for the effective configuration
-// via GetConfig, and prints the resulting GetConfigResponse as JSON
-// (via protojson with EmitUnpopulated=true so the output is stable
-// across runs and includes zero-valued fields).
-//
-// Useful for verifying MDM enforcement end-to-end: the response's
-// mDMManagedFields array is the single source of truth for "which
-// fields is the daemon currently enforcing from the MDM source", and
-// every config field side-by-side with that list confirms the merge
-// result. Secrets in the response (e.g. PreSharedKey) are already
-// redacted by the daemon-side handler.
-func debugConfigDump(cmd *cobra.Command, _ []string) error {
-	pm := profilemanager.NewProfileManager()
-	activeProf, err := pm.GetActiveProfile()
-	if err != nil {
-		return fmt.Errorf("get active profile: %v", err)
-	}
-	currUser, err := user.Current()
-	if err != nil {
-		return fmt.Errorf("get current user: %v", err)
-	}
-
-	conn, err := getClient(cmd)
-	if err != nil {
-		return err
-	}
-	defer func() {
-		if err := conn.Close(); err != nil {
-			log.Errorf(errCloseConnection, err)
-		}
-	}()
-
-	client := proto.NewDaemonServiceClient(conn)
-	resp, err := client.GetConfig(cmd.Context(), &proto.GetConfigRequest{
-		ProfileName: activeProf.Name,
-		Username:    currUser.Username,
-	})
-	if err != nil {
-		return fmt.Errorf("failed to get config: %v", status.Convert(err).Message())
-	}
-
-	// Use protojson so well-known fields render correctly; emit defaults so
-	// the operator sees every field even when zero/empty.
-	m := protojson.MarshalOptions{Multiline: true, Indent: "  ", EmitUnpopulated: true}
-	out, err := m.Marshal(resp)
-	if err != nil {
-		return fmt.Errorf("marshal config: %w", err)
-	}
-	cmd.Println(string(out))
-	return nil
-}
-
-// debugBundle requests the daemon to create a debug bundle and prints
-// the resulting local file path and, if uploaded, the uploaded file
-// key. It uses the package flags (anonymize, system info, log file
-// count, CLI version, optional upload URL) to configure the bundle
-// request. Returns an error if the RPC fails or if the daemon reports
-// an upload failure reason.
 func debugBundle(cmd *cobra.Command, _ []string) error {
 	conn, err := getClient(cmd)
 	if err != nil {

client/cmd/kubernetes.go

@@ -1,301 +0,0 @@
-package cmd
-
-import (
-	"context"
-	"crypto/tls"
-	"encoding/json"
-	"errors"
-	"fmt"
-	"io"
-	"net"
-	"net/http"
-	"net/url"
-	"os"
-	"path/filepath"
-	"slices"
-	"strings"
-
-	"github.com/goccy/go-yaml"
-	log "github.com/sirupsen/logrus"
-	"github.com/spf13/cobra"
-
-	"github.com/netbirdio/netbird/client/proto"
-)
-
-const (
-	KubernetesDNSSuffix = "netbird-kubeapi-proxy"
-)
-
-var kubernetesCmd = &cobra.Command{
-	Use:   "kubernetes",
-	Short: "Kubernetes cluster commands.",
-	Long:  "Kubernetes cluster commands.",
-}
-
-var kubernetesListCmd = &cobra.Command{
-	Use:   "list",
-	RunE:  kubernetesList,
-	Short: "List Kubernetes clusters.",
-	Long:  "List Kubernetes clusters by discovering NetBird peers running netbird-kubeapi-proxy.",
-}
-
-var kubernetesWriteKubeconfigCmd = &cobra.Command{
-	Use:   "write-kubeconfig",
-	RunE:  kubernetesWriteKubeconfig,
-	Args:  cobra.ExactArgs(1),
-	Short: "Write kubeconfig for a Kubernetes cluster.",
-	Long:  "Updates kubeconfig in place to allow token-less access to the Kubernetes cluster through NetBird.",
-}
-
-func init() {
-	kubernetesWriteKubeconfigCmd.Flags().String("kubeconfig", "", "path to kubeconfig file")
-}
-
-func kubernetesList(cmd *cobra.Command, _ []string) error {
-	conn, err := getClient(cmd)
-	if err != nil {
-		return err
-	}
-	defer conn.Close()
-	client := proto.NewDaemonServiceClient(conn)
-	statusResp, err := client.Status(cmd.Context(), &proto.StatusRequest{GetFullPeerStatus: true})
-	if err != nil {
-		return err
-	}
-
-	kcs, err := getKubernetesClusters(cmd.Context(), statusResp.FullStatus.Peers, "")
-	if err != nil {
-		return err
-	}
-	if len(kcs) == 0 {
-		cmd.Println("No Kubernetes clusters available.")
-		return nil
-	}
-	cmd.Println("Available Kubernetes clusters:")
-	for _, k := range kcs {
-		cmd.Printf("\n  - Name: %s\n    FQDN: %s\n    Version: %s\n", k.name, k.url.Host, k.version)
-	}
-	return nil
-}
-
-func kubernetesWriteKubeconfig(cmd *cobra.Command, args []string) error {
-	kubeconfigPath, err := resolveKubeconfigPath(cmd)
-	if err != nil {
-		return err
-	}
-
-	conn, err := getClient(cmd)
-	if err != nil {
-		return err
-	}
-	defer conn.Close()
-	client := proto.NewDaemonServiceClient(conn)
-	statusResp, err := client.Status(cmd.Context(), &proto.StatusRequest{GetFullPeerStatus: true})
-	if err != nil {
-		return err
-	}
-
-	clusterName := args[0]
-	kcs, err := getKubernetesClusters(cmd.Context(), statusResp.FullStatus.Peers, clusterName)
-	if err != nil {
-		return err
-	}
-	if len(kcs) == 0 {
-		return fmt.Errorf("kubernetes cluster named %s not found", clusterName)
-	}
-	if len(kcs) > 1 {
-		return fmt.Errorf("too many Kubernetes clusters returned")
-	}
-	err = writeKubeconfig(kubeconfigPath, kcs[0])
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-type kubernetesCluster struct {
-	name    string
-	url     *url.URL
-	version string
-}
-
-func getKubernetesClusters(ctx context.Context, peers []*proto.PeerState, nameFilter string) ([]kubernetesCluster, error) {
-	transport := http.DefaultTransport.(*http.Transport).Clone()
-	transport.TLSClientConfig = &tls.Config{
-		InsecureSkipVerify: true,
-	}
-	httpClient := &http.Client{
-		Transport: transport,
-	}
-	resolver := net.Resolver{
-		// Required so both DNS records are returned.
-		// https://github.com/golang/go/issues/17093
-		PreferGo: true,
-	}
-
-	kcs := []kubernetesCluster{}
-	attempted := map[string]struct{}{}
-	for _, peer := range peers {
-		fqdns, err := resolver.LookupAddr(ctx, peer.IP)
-		if err != nil {
-			return nil, err
-		}
-		for _, fqdn := range fqdns {
-			if _, ok := attempted[fqdn]; ok {
-				continue
-			}
-			attempted[fqdn] = struct{}{}
-			comps := strings.Split(fqdn, ".")
-			if len(comps) < 2 {
-				continue
-			}
-			if comps[1] != KubernetesDNSSuffix {
-				continue
-			}
-			if nameFilter != "" && nameFilter != comps[0] {
-				continue
-			}
-			clusterURL, clusterVersion, err := fingerprintClusters(ctx, httpClient, fqdn)
-			if err != nil {
-				log.Debugf("could not fingerprint Kubernetes cluster %s %q", fqdn, err)
-				continue
-			}
-			kc := kubernetesCluster{
-				name:    comps[0],
-				url:     clusterURL,
-				version: clusterVersion,
-			}
-			if nameFilter != "" {
-				return []kubernetesCluster{kc}, nil
-			}
-			kcs = append(kcs, kc)
-		}
-	}
-	return kcs, nil
-}
-
-func fingerprintClusters(ctx context.Context, httpClient *http.Client, fqdn string) (*url.URL, string, error) {
-	clusterURL, err := url.Parse("https://" + fqdn)
-	if err != nil {
-		return nil, "", err
-	}
-	versionURL, err := clusterURL.Parse("/version")
-	if err != nil {
-		return nil, "", err
-	}
-	req, err := http.NewRequestWithContext(ctx, http.MethodGet, versionURL.String(), nil)
-	if err != nil {
-		return nil, "", err
-	}
-	resp, err := httpClient.Do(req)
-	if err != nil {
-		return nil, "", err
-	}
-	defer resp.Body.Close()
-	if resp.StatusCode != http.StatusOK {
-		return nil, "", fmt.Errorf("expected %d response but got %s", http.StatusOK, resp.Status)
-	}
-	b, err := io.ReadAll(resp.Body)
-	if err != nil {
-		return nil, "", err
-	}
-	versionData := map[string]string{}
-	err = json.Unmarshal(b, &versionData)
-	if err != nil {
-		return nil, "", err
-	}
-	version, ok := versionData["gitVersion"]
-	if !ok {
-		return nil, "", errors.New("no version found in response")
-	}
-	return clusterURL, version, nil
-}
-
-func resolveKubeconfigPath(cmd *cobra.Command) (string, error) {
-	if cmd.Flags().Changed("kubeconfig") {
-		path, err := cmd.Flags().GetString("kubeconfig")
-		if err != nil {
-			return "", err
-		}
-		return path, nil
-	}
-	if env := os.Getenv("KUBECONFIG"); env != "" {
-		return env, nil
-	}
-	home, err := os.UserHomeDir()
-	if err != nil {
-		return "", fmt.Errorf("could not determine home directory: %w", err)
-	}
-	return filepath.Join(home, ".kube", "config"), nil
-}
-
-func writeKubeconfig(kubeconfigPath string, kc kubernetesCluster) error {
-	b, err := os.ReadFile(kubeconfigPath)
-	if err != nil && !errors.Is(err, os.ErrNotExist) {
-		return err
-	}
-	var cfg map[string]any
-	if err := yaml.Unmarshal(b, &cfg); err != nil {
-		return err
-	}
-	if cfg == nil {
-		cfg = map[string]any{
-			"apiVersion": "v1",
-			"kind":       "Config",
-		}
-	}
-
-	cfg["clusters"] = appendWithName(cfg["clusters"], map[string]any{
-		"name": kc.name,
-		"cluster": map[string]any{
-			"server":                   kc.url.String(),
-			"insecure-skip-tls-verify": true,
-		},
-	})
-	cfg["users"] = appendWithName(cfg["users"], map[string]any{
-		"name": "netbird",
-		"user": map[string]any{
-			"token": "none",
-		},
-	})
-	cfg["contexts"] = appendWithName(cfg["contexts"], map[string]any{
-		"name": kc.name,
-		"context": map[string]any{
-			"cluster":   kc.name,
-			"user":      "netbird",
-			"namespace": "default",
-		},
-	})
-	cfg["current-context"] = kc.name
-
-	out, err := yaml.Marshal(cfg)
-	if err != nil {
-		return err
-	}
-	if err := os.WriteFile(kubeconfigPath, out, 0o600); err != nil {
-		return err
-	}
-	return nil
-}
-
-func appendWithName(data any, add map[string]any) any {
-	if data == nil {
-		return []any{add}
-	}
-	v, ok := data.([]any)
-	if !ok {
-		return []any{add}
-	}
-	i := slices.IndexFunc(v, func(item any) bool {
-		m, ok := item.(map[string]any)
-		if !ok {
-			return false
-		}
-		return m["name"] == add["name"]
-	})
-	if i == -1 {
-		return append(v, add)
-	}
-	v[i] = add
-	return v
-}

client/cmd/kubernetes_test.go

@@ -1,120 +0,0 @@
-package cmd
-
-import (
-	"net/http"
-	"net/http/httptest"
-	"net/url"
-	"os"
-	"path/filepath"
-	"testing"
-
-	"github.com/spf13/cobra"
-	"github.com/stretchr/testify/require"
-)
-
-func TestFingerprintClusters(t *testing.T) {
-	t.Parallel()
-
-	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		//nolint: errcheck
-		w.Write([]byte(`{"gitVersion": "foobar"}`))
-	}))
-	defer srv.Close()
-
-	clusterURL, clusterVersion, err := fingerprintClusters(t.Context(), srv.Client(), srv.Listener.Addr().String())
-	require.NoError(t, err)
-	require.Equal(t, srv.URL, clusterURL.String())
-	require.Equal(t, "foobar", clusterVersion)
-}
-
-func TestResolveKubeconfigPath(t *testing.T) {
-	home, err := os.UserHomeDir()
-	if err != nil {
-		t.Fatalf("could not determine home directory: %v", err)
-	}
-	defaultPath := filepath.Join(home, ".kube", "config")
-	path, err := resolveKubeconfigPath(&cobra.Command{})
-	require.NoError(t, err)
-	require.Equal(t, defaultPath, path)
-
-	flagPath := "flag-path"
-	cmd := &cobra.Command{}
-	cmd.Flags().String("kubeconfig", "", "")
-	err = cmd.Flags().Set("kubeconfig", flagPath)
-	require.NoError(t, err)
-	path, err = resolveKubeconfigPath(cmd)
-	require.NoError(t, err)
-	require.Equal(t, flagPath, path)
-
-	envPath := "env-path"
-	t.Setenv("KUBECONFIG", envPath)
-	path, err = resolveKubeconfigPath(&cobra.Command{})
-	require.NoError(t, err)
-	require.Equal(t, envPath, path)
-}
-
-func TestWriteKubeconfig(t *testing.T) {
-	t.Parallel()
-
-	tests := []struct {
-		name     string
-		existing string
-	}{
-		{
-			name: "empty file",
-		},
-		{
-			name: "existing content",
-			existing: `apiVersion: v1
-clusters:
-- cluster:
-    insecure-skip-tls-verify: true
-    server: https://foobar.com
-  name: foo
-current-context: test
-kind: Config
-users: []
-`,
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			t.Parallel()
-
-			kubeconfigPath := filepath.Join(t.TempDir(), "config")
-			err := os.WriteFile(kubeconfigPath, []byte(tt.existing), 0o644)
-			require.NoError(t, err)
-
-			kc := kubernetesCluster{
-				name: "foo",
-				url:  &url.URL{Scheme: "https", Host: "example.com"},
-			}
-			err = writeKubeconfig(kubeconfigPath, kc)
-			require.NoError(t, err)
-
-			b, err := os.ReadFile(kubeconfigPath)
-			require.NoError(t, err)
-			expected := `apiVersion: v1
-clusters:
-- cluster:
-    insecure-skip-tls-verify: true
-    server: https://example.com
-  name: foo
-contexts:
-- context:
-    cluster: foo
-    namespace: default
-    user: netbird
-  name: foo
-current-context: foo
-kind: Config
-users:
-- name: netbird
-  user:
-    token: none
-`
-			require.Equal(t, expected, string(b))
-		})
-	}
-
-}

client/cmd/root.go

@@ -95,9 +95,7 @@ var (
 	}
 )
 
-// Execute runs the appropriate Cobra command for the CLI.
-// If the process is the update binary it delegates to updateCmd; otherwise it runs the root command.
-// It returns any error produced during command execution.
+// Execute executes the root command.
 func Execute() error {
 	if isUpdateBinary() {
 		return updateCmd.Execute()
@@ -105,16 +103,6 @@ func Execute() error {
 	return rootCmd.Execute()
 }
 
-// init initialises package-level defaults and configures the root
-// Cobra command tree. Sets platform-specific config / log directory
-// paths (including legacy Wiretrustee fallbacks) and a default daemon
-// address; registers persistent CLI flags (daemon address,
-// management / admin URLs, logging, setup key (file and inline,
-// mutually exclusive), preshared key, hostname, anonymise, config
-// path); attaches top-level and nested subcommands to the root
-// command; and registers `up`-specific persistent flags (external IP
-// maps, custom DNS resolver address, Rosenpass options, auto-connect
-// disabling, lazy connection).
 func init() {
 	defaultConfigPathDir = "/etc/netbird/"
 	defaultLogFileDir = "/var/log/netbird/"
@@ -180,12 +168,6 @@ func init() {
 	logCmd.AddCommand(logLevelCmd)
 	debugCmd.AddCommand(forCmd)
 	debugCmd.AddCommand(persistenceCmd)
-	debugCmd.AddCommand(debugConfigCmd)
-
-	// kubernetes commands
-	rootCmd.AddCommand(kubernetesCmd)
-	kubernetesCmd.AddCommand(kubernetesListCmd)
-	kubernetesCmd.AddCommand(kubernetesWriteKubeconfigCmd)
 
 	// profile commands
 	profileCmd.AddCommand(profileListCmd)

client/embed/embed.go

@@ -279,10 +279,6 @@ func (c *Client) Start(startCtx context.Context) error {
 
 	select {
 	case <-startCtx.Done():
-		// Cancel the client context before stopping: Engine.Start blocks on the
-		// signal stream while holding the engine mutex and only unblocks on
-		// cancellation. Stopping first would deadlock on that mutex.
-		cancel()
 		if stopErr := client.Stop(); stopErr != nil {
 			return fmt.Errorf("stop error after context done. Stop error: %w. Context done: %w", stopErr, startCtx.Err())
 		}
@@ -446,8 +442,8 @@ func (c *Client) Expose(ctx context.Context, req ExposeRequest) (*ExposeSession,
 
 // IdentityForIP looks up a remote peer by its tunnel IP using the
 // embedded client's status recorder. Returns the peer's WireGuard public
-// key and FQDN. ok=false means the IP doesn't belong to an active peer
-// — offline roster peers are treated as unknown, same as foreign IPs.
+// key and FQDN. ok=false means the IP isn't in this client's peer
+// roster — callers should treat that as "unknown peer".
 func (c *Client) IdentityForIP(ip netip.Addr) (pubKey, fqdn string, ok bool) {
 	if !ip.IsValid() || c.recorder == nil {
 		return "", "", false

client/embed/embed_test.go

@@ -1,168 +0,0 @@
-package embed
-
-import (
-	"context"
-	"net"
-	"testing"
-	"time"
-
-	"github.com/golang/mock/gomock"
-	"github.com/stretchr/testify/require"
-	"google.golang.org/grpc"
-
-	"github.com/netbirdio/netbird/management/internals/controllers/network_map/controller"
-	"github.com/netbirdio/netbird/management/internals/controllers/network_map/update_channel"
-	"github.com/netbirdio/netbird/management/internals/modules/peers"
-	"github.com/netbirdio/netbird/management/internals/modules/peers/ephemeral/manager"
-	"github.com/netbirdio/netbird/management/internals/server/config"
-	nbgrpc "github.com/netbirdio/netbird/management/internals/shared/grpc"
-	mgmt "github.com/netbirdio/netbird/management/server"
-	"github.com/netbirdio/netbird/management/server/activity"
-	nbcache "github.com/netbirdio/netbird/management/server/cache"
-	"github.com/netbirdio/netbird/management/server/groups"
-	"github.com/netbirdio/netbird/management/server/integrations/integrated_validator/validator"
-	"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
-	"github.com/netbirdio/netbird/management/server/job"
-	"github.com/netbirdio/netbird/management/server/permissions"
-	"github.com/netbirdio/netbird/management/server/settings"
-	"github.com/netbirdio/netbird/management/server/store"
-	"github.com/netbirdio/netbird/management/server/telemetry"
-	"github.com/netbirdio/netbird/management/server/types"
-	mgmtProto "github.com/netbirdio/netbird/shared/management/proto"
-	"github.com/netbirdio/netbird/util"
-)
-
-const testSetupKey = "A2C8E62B-38F5-4553-B31E-DD66C696CEBB"
-
-// TestClientStartTimeoutRollback reproduces a deadlock between Engine.Start and
-// Engine.Stop. The signal endpoint accepts gRPC connections but never serves the
-// SignalExchange service, so Engine.Start parks in WaitStreamConnected while
-// holding the engine mutex. When the Start context expires, the rollback path
-// calls ConnectClient.Stop, which must not block forever acquiring that mutex.
-func TestClientStartTimeoutRollback(t *testing.T) {
-	signalAddr := startBlackholeSignal(t)
-	mgmAddr := startManagement(t, signalAddr)
-
-	wgPort := 0
-	client, err := New(Options{
-		DeviceName:    "embed-rollback-test",
-		SetupKey:      testSetupKey,
-		ManagementURL: "http://" + mgmAddr,
-		WireguardPort: &wgPort,
-	})
-	require.NoError(t, err, "embed client creation must succeed")
-
-	startCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-	defer cancel()
-
-	startErr := make(chan error, 1)
-	go func() {
-		startErr <- client.Start(startCtx)
-	}()
-
-	select {
-	case err := <-startErr:
-		require.ErrorIs(t, err, context.DeadlineExceeded)
-	case <-time.After(60 * time.Second):
-		t.Fatal("client.Start did not return after its context expired: Engine.Stop deadlocked against Engine.Start waiting for the signal stream")
-	}
-}
-
-// startBlackholeSignal starts a gRPC server without the SignalExchange service
-// registered. Connections succeed, but the signal stream can never be
-// established, which keeps Engine.Start parked in WaitStreamConnected.
-func startBlackholeSignal(t *testing.T) string {
-	t.Helper()
-
-	lis, err := net.Listen("tcp", "localhost:0")
-	require.NoError(t, err)
-
-	s := grpc.NewServer()
-	go func() {
-		if err := s.Serve(lis); err != nil {
-			t.Error(err)
-		}
-	}()
-	t.Cleanup(s.Stop)
-
-	return lis.Addr().String()
-}
-
-func startManagement(t *testing.T, signalAddr string) string {
-	t.Helper()
-
-	cfg := &config.Config{
-		Stuns:      []*config.Host{},
-		TURNConfig: &config.TURNConfig{},
-		Relay: &config.Relay{
-			Addresses:      []string{"127.0.0.1:1234"},
-			CredentialsTTL: util.Duration{Duration: time.Hour},
-			Secret:         "222222222222222222",
-		},
-		Signal: &config.Host{
-			Proto: "http",
-			URI:   signalAddr,
-		},
-		Datadir:    t.TempDir(),
-		HttpConfig: nil,
-	}
-
-	lis, err := net.Listen("tcp", "localhost:0")
-	require.NoError(t, err)
-
-	s := grpc.NewServer()
-
-	testStore, cleanUp, err := store.NewTestStoreFromSQL(context.Background(), "../testdata/store.sql", cfg.Datadir)
-	require.NoError(t, err)
-	t.Cleanup(cleanUp)
-
-	eventStore := &activity.InMemoryEventStore{}
-
-	permissionsManager := permissions.NewManager(testStore)
-	peersManager := peers.NewManager(testStore, permissionsManager)
-	jobManager := job.NewJobManager(nil, testStore, peersManager)
-
-	cacheStore, err := nbcache.NewStore(context.Background(), 100*time.Millisecond, 300*time.Millisecond, 100)
-	require.NoError(t, err)
-
-	iv, err := validator.NewIntegratedValidator(context.Background(), peersManager, nil, eventStore, cacheStore)
-	require.NoError(t, err)
-	metrics, err := telemetry.NewDefaultAppMetrics(context.Background())
-	require.NoError(t, err)
-
-	ctrl := gomock.NewController(t)
-	t.Cleanup(ctrl.Finish)
-	settingsMockManager := settings.NewMockManager(ctrl)
-	settingsMockManager.EXPECT().
-		GetSettings(gomock.Any(), gomock.Any(), gomock.Any()).
-		Return(&types.Settings{}, nil).
-		AnyTimes()
-	settingsMockManager.EXPECT().
-		GetExtraSettings(gomock.Any(), gomock.Any()).
-		Return(&types.ExtraSettings{}, nil).
-		AnyTimes()
-
-	groupsManager := groups.NewManagerMock()
-
-	updateManager := update_channel.NewPeersUpdateManager(metrics)
-	requestBuffer := mgmt.NewAccountRequestBuffer(context.Background(), testStore)
-	networkMapController := controller.NewController(context.Background(), testStore, metrics, updateManager, requestBuffer, mgmt.MockIntegratedValidator{}, settingsMockManager, "netbird.selfhosted", port_forwarding.NewControllerMock(), manager.NewEphemeralManager(testStore, peersManager), cfg)
-	accountManager, err := mgmt.BuildManager(context.Background(), cfg, testStore, networkMapController, jobManager, nil, "", eventStore, nil, false, iv, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false, cacheStore)
-	require.NoError(t, err)
-
-	secretsManager, err := nbgrpc.NewTimeBasedAuthSecretsManager(updateManager, cfg.TURNConfig, cfg.Relay, settingsMockManager, groupsManager)
-	require.NoError(t, err)
-
-	mgmtServer, err := nbgrpc.NewServer(cfg, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, &mgmt.MockIntegratedValidator{}, networkMapController, nil, nil)
-	require.NoError(t, err)
-	mgmtProto.RegisterManagementServiceServer(s, mgmtServer)
-
-	go func() {
-		if err := s.Serve(lis); err != nil {
-			t.Error(err)
-		}
-	}()
-	t.Cleanup(s.Stop)
-
-	return lis.Addr().String()
-}

client/internal/debug/debug.go

@@ -229,16 +229,9 @@ scutil_dns.txt (macOS only):
 
 const (
 	clientLogFile = "client.log"
-	uiLogFile     = "gui-client.log"
 	errorLogFile  = "netbird.err"
 	stdoutLogFile = "netbird.out"
 
-	// Rotated-log glob prefixes (base log name without extension) passed to
-	// addRotatedLogFiles. The daemon's own log and the GUI log live in the same
-	// dir, so the prefixes must be disjoint to keep their rotated siblings apart.
-	clientLogPrefix = "client"
-	uiLogPrefix     = "gui-client"
-
 	darwinErrorLogPath  = "/var/log/netbird.out.log"
 	darwinStdoutLogPath = "/var/log/netbird.err.log"
 )
@@ -256,7 +249,6 @@ type BundleGenerator struct {
 	statusRecorder *peer.Status
 	syncResponse   *mgmProto.SyncResponse
 	logPath        string
-	uiLogPath      string
 	tempDir        string
 	cpuProfile     []byte
 	capturePath    string
@@ -283,7 +275,6 @@ type GeneratorDependencies struct {
 	StatusRecorder *peer.Status
 	SyncResponse   *mgmProto.SyncResponse
 	LogPath        string
-	UILogPath      string // Absolute path to the desktop UI's gui-client.log, reported via RegisterUILog. Empty if no UI registered one.
 	TempDir        string // Directory for temporary bundle zip files. If empty, os.TempDir() is used.
 	CPUProfile     []byte
 	CapturePath    string
@@ -307,7 +298,6 @@ func NewBundleGenerator(deps GeneratorDependencies, cfg BundleConfig) *BundleGen
 		statusRecorder: deps.StatusRecorder,
 		syncResponse:   deps.SyncResponse,
 		logPath:        deps.LogPath,
-		uiLogPath:      deps.UILogPath,
 		tempDir:        deps.TempDir,
 		cpuProfile:     deps.CPUProfile,
 		capturePath:    deps.CapturePath,
@@ -418,10 +408,6 @@ func (g *BundleGenerator) createArchive() error {
 		log.Errorf("failed to add logs to debug bundle: %v", err)
 	}
 
-	if err := g.addUILog(); err != nil {
-		log.Errorf("failed to add UI log to debug bundle: %v", err)
-	}
-
 	if err := g.addUpdateLogs(); err != nil {
 		log.Errorf("failed to add updater logs: %v", err)
 	}
@@ -530,14 +516,6 @@ func (g *BundleGenerator) addConfig() error {
 		}
 	}
 
-	// Surface the set of MDM-enforced keys so a support engineer reading
-	// the bundle can tell which field values are user-set vs MDM-overridden.
-	// Same semantics as the mDMManagedFields list returned by the
-	// GetConfig RPC consumed by `netbird debug config`.
-	if managed := g.internalConfig.Policy().ManagedKeys(); len(managed) > 0 {
-		configContent.WriteString(fmt.Sprintf("MDMManagedFields: %v\n", managed))
-	}
-
 	configReader := strings.NewReader(configContent.String())
 	if err := g.addFileToZip(configReader, "config.txt"); err != nil {
 		return fmt.Errorf("add config file to zip: %w", err)
@@ -994,7 +972,7 @@ func (g *BundleGenerator) addLogfile() error {
 		return fmt.Errorf("add client log file to zip: %w", err)
 	}
 
-	g.addRotatedLogFiles(logDir, clientLogPrefix)
+	g.addRotatedLogFiles(logDir)
 
 	stdErrLogPath := filepath.Join(logDir, errorLogFile)
 	stdoutLogPath := filepath.Join(logDir, stdoutLogFile)
@@ -1014,25 +992,6 @@ func (g *BundleGenerator) addLogfile() error {
 	return nil
 }
 
-// addUILog adds the desktop UI's gui-client.log (and its rotated siblings) to
-// the bundle. The path is reported by the UI via RegisterUILog; empty when no
-// UI registered one (e.g. headless / server). Missing file is non-fatal — the
-// UI only writes it while the daemon is in debug, so it's often absent.
-func (g *BundleGenerator) addUILog() error {
-	if g.uiLogPath == "" {
-		log.Debugf("no UI log path registered, skipping in debug bundle")
-		return nil
-	}
-
-	if err := g.addSingleLogfile(g.uiLogPath, uiLogFile); err != nil {
-		return fmt.Errorf("add UI log file to zip: %w", err)
-	}
-
-	g.addRotatedLogFiles(filepath.Dir(g.uiLogPath), uiLogPrefix)
-
-	return nil
-}
-
 // addSingleLogfile adds a single log file to the archive
 func (g *BundleGenerator) addSingleLogfile(logPath, targetName string) error {
 	logFile, err := os.Open(logPath)
@@ -1105,16 +1064,14 @@ func (g *BundleGenerator) addSingleLogFileGz(logPath, targetName string) error {
 	return nil
 }
 
-// addRotatedLogFiles adds rotated log files to the bundle based on logFileCount.
-// prefix is the base log name without extension (e.g. "client", "gui-client");
-// the glob matches both files rotated by us and by logrotate on linux.
-func (g *BundleGenerator) addRotatedLogFiles(logDir, prefix string) {
+// addRotatedLogFiles adds rotated log files to the bundle based on logFileCount
+func (g *BundleGenerator) addRotatedLogFiles(logDir string) {
 	if g.logFileCount == 0 {
 		return
 	}
 
-	// This pattern matches both logs rotated by us and logrotate on linux
-	pattern := filepath.Join(logDir, prefix+"*.log.*")
+	// This regex will match both logs rotated by us and logrotate on linux
+	pattern := filepath.Join(logDir, "client*.log.*")
 	files, err := filepath.Glob(pattern)
 	if err != nil {
 		log.Warnf("failed to glob rotated logs: %v", err)

client/internal/debug/debug_logfiles_test.go

@@ -40,25 +40,6 @@ func TestAddRotatedLogFiles_PicksUpAllVariants(t *testing.T) {
 	require.NotContains(t, names, "other.log", "unrelated files should not be in bundle")
 }
 
-// TestAddRotatedLogFiles_GUIPrefix asserts the prefix parameter scopes the glob
-// to the GUI log: gui-client.log.* rotated siblings are picked up and the
-// daemon's own client.log.* are not (and vice versa, covered above). This is
-// the load-bearing check for the gui-client.log bundle collection — the old
-// "client*.log.*" glob would have missed gui-client rotations.
-func TestAddRotatedLogFiles_GUIPrefix(t *testing.T) {
-	dir := t.TempDir()
-
-	writeFile(t, filepath.Join(dir, "gui-client.log.1"), "gui rotated\n")
-	writeGzFile(t, filepath.Join(dir, "gui-client.log.2.gz"), "gui rotated gz\n")
-	writeFile(t, filepath.Join(dir, "client.log.1"), "daemon rotated\n")
-
-	names := runAddRotatedLogFilesPrefix(t, dir, "gui-client", 10)
-
-	require.Contains(t, names, "gui-client.log.1", "gui-client rotated file should be in bundle")
-	require.Contains(t, names, "gui-client.log.2.gz", "gui-client gz rotated file should be in bundle")
-	require.NotContains(t, names, "client.log.1", "daemon rotated file must not match the gui-client prefix")
-}
-
 // TestAddRotatedLogFiles_RespectsLogFileCount asserts that only the newest
 // logFileCount rotated files are bundled, ordered by mtime.
 func TestAddRotatedLogFiles_RespectsLogFileCount(t *testing.T) {
@@ -86,10 +67,6 @@ func TestAddRotatedLogFiles_RespectsLogFileCount(t *testing.T) {
 // runAddRotatedLogFiles calls addRotatedLogFiles against a fresh in-memory
 // zip writer and returns the set of entry names that ended up in the archive.
 func runAddRotatedLogFiles(t *testing.T, dir string, logFileCount uint32) map[string]struct{} {
-	return runAddRotatedLogFilesPrefix(t, dir, "client", logFileCount)
-}
-
-func runAddRotatedLogFilesPrefix(t *testing.T, dir, prefix string, logFileCount uint32) map[string]struct{} {
 	t.Helper()
 
 	var buf bytes.Buffer
@@ -97,7 +74,7 @@ func runAddRotatedLogFilesPrefix(t *testing.T, dir, prefix string, logFileCount
 		archive:      zip.NewWriter(&buf),
 		logFileCount: logFileCount,
 	}
-	g.addRotatedLogFiles(dir, prefix)
+	g.addRotatedLogFiles(dir)
 	require.NoError(t, g.archive.Close())
 
 	zr, err := zip.NewReader(bytes.NewReader(buf.Bytes()), int64(buf.Len()))

client/internal/debug/debug_test.go

@@ -843,7 +843,6 @@ func TestAddConfig_AllFieldsCovered(t *testing.T) {
 		"PreSharedKey":      "sensitive: WireGuard pre-shared key",
 		"SSHKey":            "sensitive: SSH private key",
 		"ClientCertKeyPair": "non-config: parsed cert pair, not serialized",
-		"policy":            "non-config: in-memory MDM policy snapshot, surfaced via Config.Policy() / GetConfigResponse.MDMManagedFields",
 	}
 
 	mURL, _ := url.Parse("https://api.example.com:443")

client/internal/dns/local/local.go

@@ -482,7 +482,7 @@ func (d *Resolver) logDNSError(logger *log.Entry, hostname string, qtype uint16,
 // completely when every proxy peer is offline (the upstream may still
 // be reachable some other way, or the peerstore may be stale).
 func (d *Resolver) filterDisconnectedPeerAnswers(logger *log.Entry, question dns.Question, records []dns.RR) []dns.RR {
-	if len(records) < 2 {
+	if len(records) == 0 {
 		return records
 	}
 	d.mu.RLock()

client/internal/dns/local/local_test.go

@@ -2738,17 +2738,6 @@ func TestLocalResolver_FilterDisconnectedPeerAnswers(t *testing.T) {
 			connByIP:    nil,
 			wantInOrder: []string{"100.64.0.10", "100.64.0.11"},
 		},
-		{
-			// A single answer is never filtered: dropping it would only
-			// trigger the empty-answer escape hatch, so the fast path
-			// returns it untouched.
-			name:    "single disconnected answer passes through",
-			records: []nbdns.SimpleRecord{disconnectedRec},
-			connByIP: map[string]ipState{
-				"100.64.0.11": {known: true, connected: false},
-			},
-			wantInOrder: []string{"100.64.0.11"},
-		},
 	}
 
 	for _, tc := range tests {

client/internal/engine.go

@@ -240,7 +240,7 @@ type Engine struct {
 	syncStore    syncstore.Store
 	syncStoreDir string
 
-	flowManager nftypes.FlowManager
+	flowManager         nftypes.FlowManager
 
 	// auto-update
 	updateManager *updater.Manager
@@ -911,94 +911,75 @@ func (e *Engine) handleSync(update *mgmProto.SyncResponse) error {
 		e.handleAutoUpdateVersion(update.NetworkMap.PeerConfig.AutoUpdate)
 	}
 
-	if err := e.updateNetbirdConfig(update.GetNetbirdConfig()); err != nil {
-		return err
-	}
+	if update.GetNetbirdConfig() != nil {
+		wCfg := update.GetNetbirdConfig()
+		err := e.updateTURNs(wCfg.GetTurns())
+		if err != nil {
+			return fmt.Errorf("update TURNs: %w", err)
+		}
 
-	// Posture checks are bound to the network map presence:
-	//   NetworkMap != nil, checks present -> apply the received checks
-	//   NetworkMap != nil, checks nil     -> posture checks were removed, clear them
-	//   NetworkMap == nil                 -> config-only update (e.g. relay token rotation),
-	//                                        leave the previously applied checks untouched
-	nm := update.GetNetworkMap()
-	if nm == nil {
-		return nil
+		err = e.updateSTUNs(wCfg.GetStuns())
+		if err != nil {
+			return fmt.Errorf("update STUNs: %w", err)
+		}
+
+		var stunTurn []*stun.URI
+		stunTurn = append(stunTurn, e.STUNs...)
+		stunTurn = append(stunTurn, e.TURNs...)
+		e.stunTurn.Store(stunTurn)
+
+		err = e.handleRelayUpdate(wCfg.GetRelay())
+		if err != nil {
+			return err
+		}
+
+		err = e.handleFlowUpdate(wCfg.GetFlow())
+		if err != nil {
+			return fmt.Errorf("handle the flow configuration: %w", err)
+		}
+
+		if err := e.PopulateNetbirdConfig(wCfg, nil); err != nil {
+			log.Warnf("Failed to update DNS server config: %v", err)
+		}
+
+		// todo update signal
 	}
 
 	if err := e.updateChecksIfNew(update.Checks); err != nil {
 		return err
 	}
 
-	e.persistSyncResponse(update)
+	nm := update.GetNetworkMap()
+	if nm == nil {
+		return nil
+	}
 
 	// only apply new changes and ignore old ones
 	if err := e.updateNetworkMap(nm); err != nil {
 		return err
 	}
 
+	// Persist sync response only after updateNetworkMap accepted and applied the update,
+	// so GetLatestSyncResponse() never returns state the engine did not actually apply.
+	// Done under the dedicated lock (syncRespMux), not under syncMsgMux.
+	// A non-nil syncStore is what marks persistence as enabled. Hold the lock for
+	// the whole Set so the store cannot be cleared (disabled / engine close)
+	// mid-call and have this write resurrect a file that was just removed.
+	e.syncRespMux.RLock()
+	if e.syncStore != nil {
+		if err := e.syncStore.Set(update); err != nil {
+			log.Errorf("failed to persist sync response: %v", err)
+		} else {
+			log.Debugf("sync response persisted with serial %d", nm.GetSerial())
+		}
+	}
+	e.syncRespMux.RUnlock()
+
 	e.statusRecorder.PublishEvent(cProto.SystemEvent_INFO, cProto.SystemEvent_SYSTEM, "Network map updated", "", nil)
 
 	return nil
 }
 
-// updateNetbirdConfig applies the management-provided NetBird configuration:
-// STUN/TURN and relay servers, flow logging and DNS settings. A nil config is a no-op,
-// which is the case for sync updates carrying only a network map.
-func (e *Engine) updateNetbirdConfig(wCfg *mgmProto.NetbirdConfig) error {
-	if wCfg == nil {
-		return nil
-	}
-
-	if err := e.updateTURNs(wCfg.GetTurns()); err != nil {
-		return fmt.Errorf("update TURNs: %w", err)
-	}
-
-	if err := e.updateSTUNs(wCfg.GetStuns()); err != nil {
-		return fmt.Errorf("update STUNs: %w", err)
-	}
-
-	var stunTurn []*stun.URI
-	stunTurn = append(stunTurn, e.STUNs...)
-	stunTurn = append(stunTurn, e.TURNs...)
-	e.stunTurn.Store(stunTurn)
-
-	if err := e.handleRelayUpdate(wCfg.GetRelay()); err != nil {
-		return err
-	}
-
-	if err := e.handleFlowUpdate(wCfg.GetFlow()); err != nil {
-		return fmt.Errorf("handle the flow configuration: %w", err)
-	}
-
-	if err := e.PopulateNetbirdConfig(wCfg, nil); err != nil {
-		log.Warnf("Failed to update DNS server config: %v", err)
-	}
-
-	// todo update signal
-
-	return nil
-}
-
-// persistSyncResponse stores the full sync response so it can be restored on the next
-// startup. Persistence is enabled only when syncStore is set. The dedicated syncRespMux
-// (not syncMsgMux) is held for the whole Set so the store cannot be cleared (disabled /
-// engine close) mid-call and have this write resurrect a file that was just removed.
-func (e *Engine) persistSyncResponse(update *mgmProto.SyncResponse) {
-	e.syncRespMux.RLock()
-	defer e.syncRespMux.RUnlock()
-
-	if e.syncStore == nil {
-		return
-	}
-
-	if err := e.syncStore.Set(update); err != nil {
-		log.Errorf("failed to persist sync response: %v", err)
-		return
-	}
-
-	log.Debugf("sync response persisted with serial %d", update.GetNetworkMap().GetSerial())
-}
-
 func (e *Engine) handleRelayUpdate(update *mgmProto.RelayConfig) error {
 	if update != nil {
 		// when we receive token we expect valid address list too

client/internal/engine_authsession.go

@@ -9,8 +9,8 @@ import (
 	log "github.com/sirupsen/logrus"
 	"google.golang.org/protobuf/types/known/timestamppb"
 
-	"github.com/netbirdio/netbird/client/internal/auth/sessionwatch"
 	cProto "github.com/netbirdio/netbird/client/proto"
+	"github.com/netbirdio/netbird/client/internal/auth/sessionwatch"
 	"github.com/netbirdio/netbird/client/system"
 )
 

client/internal/peer/conn_status.go

@@ -26,6 +26,7 @@ type connStatusInputs struct {
 	iceInProgress       bool // a negotiation is currently in flight
 }
 
+
 // ConnStatus describe the status of a peer's connection
 type ConnStatus int32
 

client/internal/peer/status.go

@@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"net/netip"
+	"runtime"
 	"slices"
 	"sync"
 	"sync/atomic"
@@ -194,7 +195,6 @@ func (s *StatusChangeSubscription) Events() chan map[string]RouterState {
 type Status struct {
 	mux                 sync.RWMutex
 	peers               map[string]State
-	ipToKey             map[string]string
 	changeNotify        map[string]map[string]*StatusChangeSubscription // map[peerID]map[subscriptionID]*StatusChangeSubscription
 	signalState         bool
 	signalError         error
@@ -213,8 +213,7 @@ type Status struct {
 	// expiration is disabled. Populated from management LoginResponse /
 	// SyncResponse and exposed via the daemon's Status / SubscribeStatus RPC
 	// so the UI can show remaining time without itself talking to mgm.
-	sessionExpiresAt time.Time
-
+	sessionExpiresAt      time.Time
 	nsGroupStates         []NSGroupState
 	resolvedDomainsStates map[domain.Domain]ResolvedDomainInfo
 	lazyConnectionEnabled bool
@@ -255,7 +254,6 @@ type Status struct {
 func NewRecorder(mgmAddress string) *Status {
 	return &Status{
 		peers:                 make(map[string]State),
-		ipToKey:               make(map[string]string),
 		changeNotify:          make(map[string]map[string]*StatusChangeSubscription),
 		eventStreams:          make(map[string]chan *proto.SystemEvent),
 		eventQueue:            NewEventQueue(eventQueueSize),
@@ -308,12 +306,6 @@ func (d *Status) AddPeer(peerPubKey string, fqdn string, ip string, ipv6 string)
 		Mux:        new(sync.RWMutex),
 	}
 	d.peerListChangedForNotification = true
-	if ipv6 != "" {
-		d.ipToKey[ipv6] = peerPubKey
-	}
-	if ip != "" {
-		d.ipToKey[ip] = peerPubKey
-	}
 	return nil
 }
 
@@ -343,22 +335,28 @@ func (d *Status) PeerByIP(ip string) (string, bool) {
 
 // PeerStateByIP returns the full peer State for the given tunnel IP.
 // Matches against either the IPv4 (State.IP) or IPv6 (State.IPv6) tunnel
-// address so dual-stack peers are reachable on either family. Only
-// active peers are matched; peers moved into the offline slice by
-// ReplaceOfflinePeers are intentionally treated as unknown.
+// address so dual-stack peers are reachable on either family. Searches
+// both d.peers and d.offlinePeers — peers that have been moved into
+// the offline slice by ReplaceOfflinePeers are still part of the
+// account's roster and callers (DNS filter, embed.Client.IdentityForIP)
+// need to recognise them rather than treating them as unknown. Returns
+// the zero State and false when no peer matches or the input is empty.
 func (d *Status) PeerStateByIP(ip string) (State, bool) {
 	if ip == "" {
 		return State{}, false
 	}
 	d.mux.RLock()
 	defer d.mux.RUnlock()
-	key, ok := d.ipToKey[ip]
-	if !ok {
-		return State{}, false
+
+	for _, state := range d.peers {
+		if (state.IP != "" && state.IP == ip) || (state.IPv6 != "" && state.IPv6 == ip) {
+			return state, true
+		}
 	}
-	state, ok := d.peers[key]
-	if ok {
-		return state, true
+	for _, state := range d.offlinePeers {
+		if (state.IP != "" && state.IP == ip) || (state.IPv6 != "" && state.IPv6 == ip) {
+			return state, true
+		}
 	}
 	return State{}, false
 }
@@ -368,18 +366,12 @@ func (d *Status) RemovePeer(peerPubKey string) error {
 	d.mux.Lock()
 	defer d.mux.Unlock()
 
-	p, ok := d.peers[peerPubKey]
+	_, ok := d.peers[peerPubKey]
 	if !ok {
 		return errors.New("no peer with to remove")
 	}
 
 	delete(d.peers, peerPubKey)
-	if mappedKey, exists := d.ipToKey[p.IP]; exists && mappedKey == peerPubKey {
-		delete(d.ipToKey, p.IP)
-	}
-	if mappedKey, exists := d.ipToKey[p.IPv6]; exists && mappedKey == peerPubKey {
-		delete(d.ipToKey, p.IPv6)
-	}
 	d.peerListChangedForNotification = true
 	return nil
 }
@@ -1378,6 +1370,9 @@ func (d *Status) UnsubscribeFromStateChanges(id string) {
 // is already going to fetch the latest snapshot, so multiple pending ticks
 // would be redundant.
 func (d *Status) notifyStateChange() {
+	if _, file, line, ok := runtime.Caller(1); ok {
+		log.Infof("--- notifyStateChange from %s:%d", file, line)
+	}
 	d.stateChangeMux.Lock()
 	defer d.stateChangeMux.Unlock()
 

client/internal/peer/status_test.go

@@ -90,11 +90,12 @@ func TestStatus_PeerStateByIP_MatchesIPv6(t *testing.T) {
 	req.Equal("pk-1", state.PubKey, "matching state must carry the right pub key")
 }
 
-// TestStatus_PeerStateByIP_IgnoresOfflinePeers documents that peers
-// moved into the offline slice via ReplaceOfflinePeers are intentionally
-// not resolvable by IP: only active peers can carry traffic, so callers
-// (DNS filter, embed.Client.IdentityForIP) treat them as unknown.
-func TestStatus_PeerStateByIP_IgnoresOfflinePeers(t *testing.T) {
+// TestStatus_PeerStateByIP_MatchesOfflinePeers covers peers that have
+// been moved into the offline slice via ReplaceOfflinePeers. Callers
+// (DNS filter, embed.Client.IdentityForIP) need to treat them as known
+// rather than unknown — otherwise authentication / DNS filtering treats
+// known-but-offline peers as foreign IPs.
+func TestStatus_PeerStateByIP_MatchesOfflinePeers(t *testing.T) {
 	status := NewRecorder("https://mgm")
 	req := require.New(t)
 
@@ -102,31 +103,13 @@ func TestStatus_PeerStateByIP_IgnoresOfflinePeers(t *testing.T) {
 		{PubKey: "pk-offline", FQDN: "offline.netbird", IP: "100.64.0.20", IPv6: "fd00::20"},
 	})
 
-	_, ok := status.PeerStateByIP("100.64.0.20")
-	req.False(ok, "offline peer must not resolve by IPv4 tunnel address")
+	state, ok := status.PeerStateByIP("100.64.0.20")
+	req.True(ok, "offline peer must resolve by IPv4 tunnel address")
+	req.Equal("pk-offline", state.PubKey, "matching state must carry the offline peer's pub key")
 
-	_, ok = status.PeerStateByIP("fd00::20")
-	req.False(ok, "offline peer must not resolve by IPv6 tunnel address")
-}
-
-// TestStatus_PeerStateByIP_RemovedPeer verifies RemovePeer drops the
-// IP index entries for both address families.
-func TestStatus_PeerStateByIP_RemovedPeer(t *testing.T) {
-	status := NewRecorder("https://mgm")
-	req := require.New(t)
-
-	req.NoError(status.AddPeer("pk-1", "peer-1.netbird", "100.64.0.10", "fd00::1"))
-
-	_, ok := status.PeerStateByIP("100.64.0.10")
-	req.True(ok, "active peer must resolve before removal")
-
-	req.NoError(status.RemovePeer("pk-1"))
-
-	_, ok = status.PeerStateByIP("100.64.0.10")
-	req.False(ok, "removed peer must not resolve by IPv4 tunnel address")
-
-	_, ok = status.PeerStateByIP("fd00::1")
-	req.False(ok, "removed peer must not resolve by IPv6 tunnel address")
+	state, ok = status.PeerStateByIP("fd00::20")
+	req.True(ok, "offline peer must resolve by IPv6 tunnel address")
+	req.Equal("pk-offline", state.PubKey, "IPv6 match must carry the offline peer's pub key")
 }
 
 func TestStatus_UpdatePeerFQDN(t *testing.T) {

client/internal/profilemanager/config.go

@@ -22,7 +22,6 @@ import (
 
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/internal/routemanager/dynamic"
-	"github.com/netbirdio/netbird/client/mdm"
 	"github.com/netbirdio/netbird/client/ssh"
 	mgm "github.com/netbirdio/netbird/shared/management/client"
 	"github.com/netbirdio/netbird/shared/management/domain"
@@ -58,10 +57,6 @@ var DefaultInterfaceBlacklist = []string{
 	"Tailscale", "tailscale", "docker", "veth", "br-", "lo",
 }
 
-// loadMDMPolicy is the package-level indirection used by apply() to read the
-// active MDM policy. Tests override this to inject a fake policy.
-var loadMDMPolicy = mdm.LoadPolicy
-
 // ConfigInput carries configuration changes to the client
 type ConfigInput struct {
 	ManagementURL                 string
@@ -179,23 +174,6 @@ type Config struct {
 	LazyConnectionEnabled bool
 
 	MTU uint16
-
-	// policy is the MDM policy that produced the currently-set values for
-	// any MDM-enforced fields. Set by applyMDMPolicy at the tail of apply()
-	// and reset on every apply() invocation. Never persisted to disk.
-	// Callers query enforcement state via Policy() and the mdm.Policy API
-	// (HasKey, ManagedKeys, IsEmpty).
-	policy *mdm.Policy `json:"-"`
-}
-
-// Policy returns the MDM policy applied to this Config. Returns a non-nil
-// empty Policy when MDM enforcement is inactive; callers can always invoke
-// HasKey / ManagedKeys / IsEmpty without a nil check.
-func (config *Config) Policy() *mdm.Policy {
-	if config == nil || config.policy == nil {
-		return mdm.NewPolicy(nil)
-	}
-	return config.policy
 }
 
 var ConfigDirOverride string
@@ -634,93 +612,10 @@ func (config *Config) apply(input ConfigInput) (updated bool, err error) {
 		updated = true
 	}
 
-	// MDM is the last override layer: any key present in the policy
-	// supersedes defaults, on-disk config, env vars and CLI input.
-	config.applyMDMPolicy(loadMDMPolicy())
-
 	return updated, nil
 }
 
-// applyMDMPolicy overlays MDM-supplied values on top of the resolved Config.
-// The provided Policy is also stored on the Config so callers can later query
-// which fields are enforced. Invalid values (e.g. malformed URLs) are logged
-// and skipped to avoid bricking the client; the field keeps its previous
-// resolved value but is still marked as managed (Policy.HasKey returns true
-// for the key, so per-field rejection of user writes still applies).
-func (config *Config) applyMDMPolicy(policy *mdm.Policy) {
-	config.policy = policy
-	if policy.IsEmpty() {
-		return
-	}
-
-	// Helper: log the application of a single MDM-managed key. Values for
-	// keys in mdm.SecretKeys are redacted.
-	logApplied := func(key string, displayValue any) {
-		if _, secret := mdm.SecretKeys[key]; secret {
-			log.Infof("MDM override %s = ********** (secret)", key)
-			return
-		}
-		log.Infof("MDM override %s = %v", key, displayValue)
-	}
-
-	if v, ok := policy.GetString(mdm.KeyManagementURL); ok {
-		if u, err := parseURL("Management URL", v); err != nil {
-			log.Warnf("MDM management URL %q invalid: %v; keeping previous value", v, err)
-		} else {
-			config.ManagementURL = u
-			logApplied(mdm.KeyManagementURL, u.String())
-		}
-	}
-
-	if v, ok := policy.GetString(mdm.KeyPreSharedKey); ok {
-		// Defensive: refuse the redaction mask in case it round-tripped
-		// through a manifest by mistake.
-		if !isPreSharedKeyHidden(&v) {
-			config.PreSharedKey = v
-			logApplied(mdm.KeyPreSharedKey, "")
-		}
-	}
-
-	// applyBool collapses the per-key "read + set + log" boilerplate
-	// for every plain bool MDM key into a single helper. Keeps the
-	// outer function's cognitive complexity below SonarCube's
-	// threshold; functional behaviour is identical to the inlined
-	// branches it replaces.
-	applyBool := func(key string, setter func(bool)) {
-		v, ok := policy.GetBool(key)
-		if !ok {
-			return
-		}
-		setter(v)
-		logApplied(key, v)
-	}
-
-	applyBool(mdm.KeyAllowServerSSH, func(v bool) { bv := v; config.ServerSSHAllowed = &bv })
-	applyBool(mdm.KeyDisableClientRoutes, func(v bool) { config.DisableClientRoutes = v })
-	applyBool(mdm.KeyDisableServerRoutes, func(v bool) { config.DisableServerRoutes = v })
-	applyBool(mdm.KeyBlockInbound, func(v bool) { config.BlockInbound = v })
-	applyBool(mdm.KeyDisableAutoConnect, func(v bool) { config.DisableAutoConnect = v })
-	applyBool(mdm.KeyRosenpassEnabled, func(v bool) { config.RosenpassEnabled = v })
-	applyBool(mdm.KeyRosenpassPermissive, func(v bool) { config.RosenpassPermissive = v })
-
-	if v, ok := policy.GetInt(mdm.KeyWireguardPort); ok {
-		// REG_DWORD is 32-bit; UDP port range is 1-65535. Clamp at the
-		// upper bound and reject obviously-invalid values to avoid the
-		// engine binding to an unusable port if the admin pushes garbage.
-		if v >= 1 && v <= 65535 {
-			config.WgPort = int(v)
-			logApplied(mdm.KeyWireguardPort, v)
-		} else {
-			log.Warnf("MDM wireguard port %d out of range [1,65535]; keeping previous value", v)
-		}
-	}
-}
-
-// parseURL parses and validates the URL for the named service. The URL
-// must use the http or https scheme; if no port is present, ":443" is
-// appended for https or ":80" for http. The serviceName parameter is
-// used to contextualise error messages. On success returns the parsed
-// *url.URL; on failure returns a non-nil error.
+// parseURL parses and validates a service URL
 func parseURL(serviceName, serviceURL string) (*url.URL, error) {
 	parsedMgmtURL, err := url.ParseRequestURI(serviceURL)
 	if err != nil {

client/internal/profilemanager/config_mdm_test.go

@@ -1,152 +0,0 @@
-package profilemanager
-
-import (
-	"path/filepath"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"github.com/netbirdio/netbird/client/mdm"
-)
-
-// withMDMPolicy temporarily overrides the package-level loadMDMPolicy hook so
-// apply() observes the supplied Policy. The original loader is restored at
-// test cleanup.
-func withMDMPolicy(t *testing.T, policy *mdm.Policy) {
-	t.Helper()
-	prev := loadMDMPolicy
-	loadMDMPolicy = func() *mdm.Policy { return policy }
-	t.Cleanup(func() { loadMDMPolicy = prev })
-}
-
-func TestApply_MDMEmpty_NoEnforcement(t *testing.T) {
-	withMDMPolicy(t, mdm.NewPolicy(nil))
-
-	cfg, err := UpdateOrCreateConfig(ConfigInput{
-		ConfigPath: filepath.Join(t.TempDir(), "config.json"),
-	})
-	require.NoError(t, err)
-	require.NotNil(t, cfg)
-
-	assert.True(t, cfg.Policy().IsEmpty(), "no MDM source ⇒ empty Policy")
-	assert.False(t, cfg.Policy().HasKey(mdm.KeyManagementURL))
-	assert.Empty(t, cfg.Policy().ManagedKeys())
-
-	// Default management URL still resolves.
-	assert.Equal(t, DefaultManagementURL, cfg.ManagementURL.String())
-}
-
-func TestApply_MDMOnly_OverridesDefaults(t *testing.T) {
-	const mdmURL = "https://corp.mdm.example.com:443"
-	withMDMPolicy(t, mdm.NewPolicy(map[string]any{
-		mdm.KeyManagementURL:       mdmURL,
-		mdm.KeyDisableClientRoutes: true,
-		mdm.KeyBlockInbound:        true,
-	}))
-
-	cfg, err := UpdateOrCreateConfig(ConfigInput{
-		ConfigPath: filepath.Join(t.TempDir(), "config.json"),
-	})
-	require.NoError(t, err)
-	require.NotNil(t, cfg)
-
-	assert.Equal(t, mdmURL, cfg.ManagementURL.String())
-	assert.True(t, cfg.DisableClientRoutes)
-	assert.True(t, cfg.BlockInbound)
-
-	assert.True(t, cfg.Policy().HasKey(mdm.KeyManagementURL))
-	assert.True(t, cfg.Policy().HasKey(mdm.KeyDisableClientRoutes))
-	assert.True(t, cfg.Policy().HasKey(mdm.KeyBlockInbound))
-	assert.False(t, cfg.Policy().HasKey(mdm.KeyAllowServerSSH))
-}
-
-func TestApply_MDMBeatsCLIInput(t *testing.T) {
-	const mdmURL = "https://mdm.example.com:443"
-	const cliURL = "https://cli.example.com:443"
-
-	withMDMPolicy(t, mdm.NewPolicy(map[string]any{
-		mdm.KeyManagementURL: mdmURL,
-	}))
-
-	cfg, err := UpdateOrCreateConfig(ConfigInput{
-		ConfigPath:    filepath.Join(t.TempDir(), "config.json"),
-		ManagementURL: cliURL,
-	})
-	require.NoError(t, err)
-	require.NotNil(t, cfg)
-
-	// MDM wins over CLI-supplied management URL.
-	assert.Equal(t, mdmURL, cfg.ManagementURL.String())
-	assert.True(t, cfg.Policy().HasKey(mdm.KeyManagementURL))
-}
-
-func TestApply_MDMInvalidURL_KeepsPreviousValue(t *testing.T) {
-	withMDMPolicy(t, mdm.NewPolicy(map[string]any{
-		mdm.KeyManagementURL: "not-a-url",
-	}))
-
-	cfg, err := UpdateOrCreateConfig(ConfigInput{
-		ConfigPath: filepath.Join(t.TempDir(), "config.json"),
-	})
-	require.NoError(t, err)
-	require.NotNil(t, cfg)
-
-	// Invalid MDM URL is logged and skipped: default URL stays in place
-	// to keep the client functional.
-	assert.Equal(t, DefaultManagementURL, cfg.ManagementURL.String())
-
-	// But the key is still considered MDM-managed (admin intent is to
-	// enforce, daemon rejects user writes to this field — phase-1 scaffolding
-	// reflects this by keeping Policy.HasKey true even on parse failure).
-	assert.True(t, cfg.Policy().HasKey(mdm.KeyManagementURL))
-}
-
-func TestApply_MDMBoolKeysOverrideOnDiskValue(t *testing.T) {
-	tmp := filepath.Join(t.TempDir(), "config.json")
-
-	// Seed without MDM.
-	withMDMPolicy(t, mdm.NewPolicy(nil))
-	_, err := UpdateOrCreateConfig(ConfigInput{
-		ConfigPath:          tmp,
-		DisableClientRoutes: boolPtr(false),
-		RosenpassEnabled:    boolPtr(false),
-	})
-	require.NoError(t, err)
-
-	// Now enable MDM enforcement for these keys.
-	withMDMPolicy(t, mdm.NewPolicy(map[string]any{
-		mdm.KeyDisableClientRoutes: true,
-		mdm.KeyRosenpassEnabled:    true,
-	}))
-
-	cfg, err := UpdateOrCreateConfig(ConfigInput{ConfigPath: tmp})
-	require.NoError(t, err)
-	require.NotNil(t, cfg)
-
-	assert.True(t, cfg.DisableClientRoutes, "MDM override should flip on-disk false to true")
-	assert.True(t, cfg.RosenpassEnabled)
-	assert.True(t, cfg.Policy().HasKey(mdm.KeyDisableClientRoutes))
-	assert.True(t, cfg.Policy().HasKey(mdm.KeyRosenpassEnabled))
-}
-
-func TestApply_MDMPreSharedKeyRedactionSentinelRejected(t *testing.T) {
-	const maskSentinel = "**********"
-
-	withMDMPolicy(t, mdm.NewPolicy(map[string]any{
-		mdm.KeyPreSharedKey: maskSentinel,
-	}))
-
-	cfg, err := UpdateOrCreateConfig(ConfigInput{
-		ConfigPath: filepath.Join(t.TempDir(), "config.json"),
-	})
-	require.NoError(t, err)
-	require.NotNil(t, cfg)
-
-	// Mask sentinel must not be persisted as the actual PSK.
-	assert.NotEqual(t, maskSentinel, cfg.PreSharedKey)
-	// Key still marked managed so user writes are still rejected.
-	assert.True(t, cfg.Policy().HasKey(mdm.KeyPreSharedKey))
-}
-
-func boolPtr(b bool) *bool { return &b }

client/internal/state.go

@@ -2,7 +2,10 @@ package internal
 
 import (
 	"context"
+	"runtime"
 	"sync"
+
+	log "github.com/sirupsen/logrus"
 )
 
 type StatusType string
@@ -52,6 +55,9 @@ func (c *contextState) SetOnChange(fn func()) {
 }
 
 func (c *contextState) Set(update StatusType) {
+	if _, file, line, ok := runtime.Caller(1); ok {
+		log.Infof("--- state.Set(%s) from %s:%d", update, file, line)
+	}
 	c.mutex.Lock()
 	c.status = update
 	c.err = nil

client/mdm/canonical_loaders.go

@@ -1,51 +0,0 @@
-//go:build windows || darwin
-
-package mdm
-
-import "strings"
-
-// allKeys is the set of recognised MDM keys. Unknown keys in a managed
-// configuration are ignored but logged. Lives in this build-tagged file
-// (windows || darwin) because only desktop loaders need the
-// canonicalisation table that consumes it; including it unconditionally
-// would trigger the `unused` golangci-lint check on platforms that
-// don't import canonical_loaders.go.
-var allKeys = []string{
-	KeyManagementURL,
-	KeyDisableUpdateSettings,
-	KeyDisableProfiles,
-	KeyDisableNetworks,
-	KeyDisableAdvancedView,
-	KeyDisableClientRoutes,
-	KeyDisableServerRoutes,
-	KeyBlockInbound,
-	KeyDisableMetricsCollection,
-	KeyAllowServerSSH,
-	KeyDisableAutoConnect,
-	KeyPreSharedKey,
-	KeyRosenpassEnabled,
-	KeyRosenpassPermissive,
-	KeyWireguardPort,
-	KeySplitTunnelMode,
-	KeySplitTunnelApps,
-}
-
-// canonicalKey maps the lowercase form of a managed-config value name to
-// its canonical mdm.Key* form. Admins commonly write PascalCase value
-// names in ADMX / Group Policy ("ManagementURL"); the iOS/AppConfig and
-// macOS plist conventions are camelCase ("managementURL"); both must
-// resolve to the same Policy lookup.
-//
-// Lives in a desktop-loader-only file (build tag `windows || darwin`)
-// because no other build path consumes it. Linux / FreeBSD / mobile
-// builds don't ship a platform loader that reads arbitrary-case key
-// names, so they don't need the canonicalisation table — and including
-// the var unconditionally would trigger the `unused` golangci-lint
-// check on those platforms.
-var canonicalKey = func() map[string]string {
-	m := make(map[string]string, len(allKeys))
-	for _, k := range allKeys {
-		m[strings.ToLower(k)] = k
-	}
-	return m
-}()

client/mdm/policy.go

@@ -1,254 +0,0 @@
-// Package mdm reads MDM-managed configuration from platform-native sources
-// (plist on macOS, registry on Windows, UserDefaults on iOS,
-// RestrictionsManager on Android). The returned Policy is consumed by
-// profilemanager.Config.apply() as the highest-priority override layer.
-//
-// An empty Policy (no source present, or source present with zero keys)
-// means no MDM enforcement is active and the client behaves as if the
-// feature did not exist.
-package mdm
-
-import (
-	"sort"
-	"strconv"
-
-	log "github.com/sirupsen/logrus"
-)
-
-// Well-known policy keys. Names mirror the corresponding ConfigInput Go field
-// names (lowerCamelCase) so the daemon can map a Policy key directly to a
-// configuration field.
-const (
-	KeyManagementURL            = "managementURL"
-	KeyDisableUpdateSettings    = "disableUpdateSettings"
-	KeyDisableProfiles          = "disableProfiles"
-	KeyDisableNetworks          = "disableNetworks"
-	// KeyDisableAdvancedView gates the advanced-view section in the
-	// upcoming UI revision. UI-only: NOT stored on Config, not
-	// applied by applyMDMPolicy, not rejectable via SetConfig. The
-	// daemon surfaces it through GetFeatures (tristate: present
-	// true / present false / absent) and the same key appears in
-	// GetConfigResponse.mDMManagedFields when set.
-	KeyDisableAdvancedView      = "disableAdvancedView"
-	KeyDisableClientRoutes      = "disableClientRoutes"
-	KeyDisableServerRoutes      = "disableServerRoutes"
-	KeyBlockInbound             = "blockInbound"
-	KeyDisableMetricsCollection = "disableMetricsCollection"
-	KeyAllowServerSSH           = "allowServerSSH"
-	KeyDisableAutoConnect       = "disableAutoConnect"
-	KeyPreSharedKey             = "preSharedKey"
-	KeyRosenpassEnabled         = "rosenpassEnabled"
-	KeyRosenpassPermissive      = "rosenpassPermissive"
-	KeyWireguardPort            = "wireguardPort"
-
-	// Split tunnel is modeled as a single conceptual policy with two
-	// registry/plist values. KeySplitTunnelMode is the discriminator
-	// ("allow" or "disallow"); KeySplitTunnelApps is a comma-separated
-	// list of package names. The values are mutually exclusive by
-	// construction — only one mode can be set at a time.
-	KeySplitTunnelMode = "splitTunnelMode"
-	KeySplitTunnelApps = "splitTunnelApps"
-)
-
-// Split-tunnel mode literals (KeySplitTunnelMode values).
-const (
-	SplitTunnelModeAllow    = "allow"
-	SplitTunnelModeDisallow = "disallow"
-)
-
-// SecretKeys lists keys whose values must be redacted in logs.
-var SecretKeys = map[string]struct{}{
-	KeyPreSharedKey: {},
-}
-
-// boolStringLiterals enumerates the textual boolean encodings the
-// platform loaders may produce (Windows REG_SZ "true", iOS / Android
-// managed-config booleans-as-strings, etc.). Lookup keeps GetBool flat
-// (no nested switch on the string case).
-var boolStringLiterals = map[string]bool{
-	"true":  true,
-	"1":     true,
-	"yes":   true,
-	"false": false,
-	"0":     false,
-	"no":    false,
-}
-
-
-// Policy holds MDM-managed settings read from the platform source. A nil or
-// empty Policy means no enforcement is active.
-type Policy struct {
-	values map[string]any
-}
-
-// NewPolicy constructs a Policy from a key→value map. Pass nil or an
-// empty map to construct an empty (no-enforcement) Policy. The returned
-// *Policy is always non-nil.
-func NewPolicy(values map[string]any) *Policy {
-	if values == nil {
-		values = map[string]any{}
-	}
-	return &Policy{values: values}
-}
-
-// LoadPolicy reads the platform-native MDM configuration. Returns an
-// empty (but non-nil) Policy when no source is present, the source is
-// empty, or the platform is unsupported.
-//
-// Diagnostic logging differentiates the three states:
-//   - source absent / unsupported platform: trace log only
-//   - source present, zero keys:             info "MDM enrolled (no managed keys)"
-//   - source present, N keys:                info "MDM enrolled with N managed keys: [...]"
-func LoadPolicy() *Policy {
-	values, err := loadPlatformPolicy()
-	if err != nil {
-		log.Tracef("MDM policy load: %v", err)
-		return &Policy{values: map[string]any{}}
-	}
-	if values == nil {
-		return &Policy{values: map[string]any{}}
-	}
-	if len(values) == 0 {
-		log.Info("MDM enrolled (no managed keys)")
-	} else {
-		log.Infof("MDM enrolled with %d managed key(s): %v", len(values), sortedKeys(values))
-	}
-	return &Policy{values: values}
-}
-
-// IsEmpty reports whether the Policy has no managed keys.
-func (p *Policy) IsEmpty() bool {
-	return p == nil || len(p.values) == 0
-}
-
-// HasKey reports whether the given key is MDM-managed.
-func (p *Policy) HasKey(key string) bool {
-	if p == nil {
-		return false
-	}
-	_, ok := p.values[key]
-	return ok
-}
-
-// ManagedKeys returns the sorted list of managed key names. Returns an empty
-// slice (not nil) on an empty Policy.
-func (p *Policy) ManagedKeys() []string {
-	if p == nil {
-		return []string{}
-	}
-	return sortedKeys(p.values)
-}
-
-// GetString returns the managed value for key coerced to string, and whether
-// the key was set. A non-string value returns ("", false).
-func (p *Policy) GetString(key string) (string, bool) {
-	if p == nil {
-		return "", false
-	}
-	v, ok := p.values[key]
-	if !ok {
-		return "", false
-	}
-	s, ok := v.(string)
-	if !ok || s == "" {
-		return "", false
-	}
-	return s, true
-}
-
-// GetBool returns the managed value for key coerced to bool, and whether the
-// key was set. Accepts native bool and string literals "true"/"false"/"1"/"0".
-func (p *Policy) GetBool(key string) (bool, bool) {
-	if p == nil {
-		return false, false
-	}
-	v, ok := p.values[key]
-	if !ok {
-		return false, false
-	}
-	switch t := v.(type) {
-	case bool:
-		return t, true
-	case string:
-		b, known := boolStringLiterals[t]
-		return b, known
-	case int:
-		return t != 0, true
-	case int64:
-		return t != 0, true
-	}
-	return false, false
-}
-
-// GetInt returns the managed value for key as int64, and whether the key
-// was set. Accepts native int / int64 (as produced by the Windows registry
-// loader for REG_DWORD/REG_QWORD) and numeric strings (decimal).
-func (p *Policy) GetInt(key string) (int64, bool) {
-	if p == nil {
-		return 0, false
-	}
-	v, ok := p.values[key]
-	if !ok {
-		return 0, false
-	}
-	switch t := v.(type) {
-	case int64:
-		return t, true
-	case int:
-		return int64(t), true
-	case int32:
-		return int64(t), true
-	case uint64:
-		return int64(t), true
-	case float64:
-		return int64(t), true
-	case string:
-		if n, err := strconv.ParseInt(t, 10, 64); err == nil {
-			return n, true
-		}
-	}
-	return 0, false
-}
-
-// GetStringSlice returns the managed value for key as []string, and whether
-// the key was set. Accepts []string, []any (of strings), and a single string
-// (treated as a one-element list).
-func (p *Policy) GetStringSlice(key string) ([]string, bool) {
-	if p == nil {
-		return nil, false
-	}
-	v, ok := p.values[key]
-	if !ok {
-		return nil, false
-	}
-	switch t := v.(type) {
-	case []string:
-		return append([]string(nil), t...), true
-	case []any:
-		out := make([]string, 0, len(t))
-		for _, item := range t {
-			s, ok := item.(string)
-			if !ok {
-				return nil, false
-			}
-			out = append(out, s)
-		}
-		return out, true
-	case string:
-		return []string{t}, true
-	}
-	return nil, false
-}
-
-// sortedKeys returns the keys of m as a deterministic, lexicographically
-// sorted slice. Used internally by Policy.ManagedKeys and LoadPolicy's
-// diagnostic log line so callers see a stable key order across runs
-// regardless of Go's randomised map iteration.
-func sortedKeys(m map[string]any) []string {
-	out := make([]string, 0, len(m))
-	for k := range m {
-		out = append(out, k)
-	}
-	sort.Strings(out)
-	return out
-}

client/mdm/policy_darwin.go

@@ -1,90 +0,0 @@
-//go:build darwin && !ios
-
-package mdm
-
-import (
-	"errors"
-	"fmt"
-	"io/fs"
-	"os"
-	"strings"
-
-	log "github.com/sirupsen/logrus"
-	"howett.net/plist"
-)
-
-// policyPlistPath is the well-known location where macOS writes the
-// device-level mandatory MDM payload for NetBird. The path is fixed by
-// Apple convention: when an MDM provider (Jamf / Kandji / Mosyle /
-// Intune for Mac / Workspace ONE) pushes a Configuration Profile that
-// contains a com.apple.ManagedClient.preferences payload targeting the
-// bundle id io.netbird.client, the OS materializes the payload here.
-//
-// Read-only — only the OS (root) is supposed to write this file. The
-// loader sanity-checks the file mode and refuses to honour a world-
-// writable plist, as a defense against tampered installs.
-const policyPlistPath = "/Library/Managed Preferences/io.netbird.client.plist"
-
-// loadPlatformPolicy reads the MDM-managed configuration from the macOS
-// managed-preferences plist at policyPlistPath. Returns:
-//   - (nil, nil)  when the plist is absent (device not MDM-enrolled for
-//     NetBird, or admin has not yet pushed a payload)
-//   - (map, nil)  with N entries when N managed values are present
-//     (N may be 0 — empty plist still signals enrollment to the caller)
-//   - (nil, err)  on permission / parse / safety errors (including
-//     refusal to read a world-writable plist)
-//
-// Top-level plist keys are canonicalised case-insensitively to the
-// package's internal mdm.Key* names; unknown keys are logged and
-// skipped so a stray entry in the payload does not block startup.
-// Native plist value types map naturally onto the Policy accessor
-// expectations (GetString / GetBool / GetInt / GetStringSlice).
-func loadPlatformPolicy() (map[string]any, error) {
-	f, err := os.Open(policyPlistPath)
-	if err != nil {
-		if errors.Is(err, fs.ErrNotExist) {
-			// Not enrolled for NetBird. Caller treats nil as
-			// "no MDM source present".
-			//nolint:nilnil // (nil, nil) is the documented platform-absent sentinel; see LoadPolicy.
-			return nil, nil
-		}
-		return nil, fmt.Errorf("open %s: %w", policyPlistPath, err)
-	}
-	defer func() {
-		if closeErr := f.Close(); closeErr != nil {
-			log.Warnf("MDM close plist %s: %v", policyPlistPath, closeErr)
-		}
-	}()
-
-	info, err := f.Stat()
-	if err != nil {
-		return nil, fmt.Errorf("stat %s: %w", policyPlistPath, err)
-	}
-	// World-writable plist => tampered install. Refuse rather than
-	// honour potentially attacker-controlled policy values.
-	if info.Mode().Perm()&0o002 != 0 {
-		return nil, fmt.Errorf("refusing to read world-writable MDM source %s (mode %o)",
-			policyPlistPath, info.Mode().Perm())
-	}
-
-	raw := make(map[string]any)
-	if err := plist.NewDecoder(f).Decode(&raw); err != nil {
-		return nil, fmt.Errorf("decode plist %s: %w", policyPlistPath, err)
-	}
-
-	out := make(map[string]any, len(raw))
-	for name, val := range raw {
-		// macOS / AppConfig conventions both use camelCase for managed
-		// preferences keys; canonicalize to the mdm.Key* form so a key
-		// written as "ManagementURL" (PascalCase, rare on macOS but
-		// possible if the admin reused an ADMX-style name) still
-		// resolves.
-		canonical, known := canonicalKey[strings.ToLower(name)]
-		if !known {
-			log.Warnf("MDM ignoring unknown plist key %s: %s", policyPlistPath, name)
-			continue
-		}
-		out[canonical] = val
-	}
-	return out, nil
-}

client/mdm/policy_mobile.go

@@ -1,14 +0,0 @@
-//go:build ios || android
-
-package mdm
-
-// loadPlatformPolicy is unused on mobile: the native layer (Swift on iOS,
-// Kotlin/Java on Android) reads the OS managed-config store and pushes the
-// resulting dictionary in-process via a gomobile entry point that lands in
-// Phase 5 / Phase 6. The stub keeps the package compilable for mobile
-// builds and returns (nil, nil) — the platform-absent sentinel that
-// LoadPolicy in policy.go treats as "no MDM source present".
-func loadPlatformPolicy() (map[string]any, error) {
-	//nolint:nilnil // (nil, nil) is the documented platform-absent sentinel; see LoadPolicy.
-	return nil, nil
-}

client/mdm/policy_other.go

@@ -1,14 +0,0 @@
-//go:build !windows && !darwin && !ios && !android
-
-package mdm
-
-// loadPlatformPolicy returns no policy on platforms without an MDM channel
-// (Linux, FreeBSD). MDM enforcement is off and the client behaves as if
-// the feature did not exist. Returns (nil, nil) — the platform-absent
-// sentinel the caller (LoadPolicy in policy.go) treats as "no MDM
-// source present"; an error here would just translate to the same
-// outcome with an extra log line.
-func loadPlatformPolicy() (map[string]any, error) {
-	//nolint:nilnil // (nil, nil) is the documented platform-absent sentinel; see LoadPolicy.
-	return nil, nil
-}

client/mdm/policy_test.go

@@ -1,160 +0,0 @@
-package mdm
-
-import (
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestPolicy_NilSafe(t *testing.T) {
-	var p *Policy
-	assert.True(t, p.IsEmpty())
-	assert.False(t, p.HasKey(KeyManagementURL))
-	assert.Empty(t, p.ManagedKeys())
-
-	_, ok := p.GetString(KeyManagementURL)
-	assert.False(t, ok)
-	_, ok = p.GetBool(KeyDisableProfiles)
-	assert.False(t, ok)
-	_, ok = p.GetStringSlice(KeySplitTunnelApps)
-	assert.False(t, ok)
-}
-
-func TestPolicy_Empty(t *testing.T) {
-	p := NewPolicy(nil)
-	require.NotNil(t, p)
-	assert.True(t, p.IsEmpty())
-	assert.False(t, p.HasKey(KeyManagementURL))
-	assert.Empty(t, p.ManagedKeys())
-}
-
-func TestPolicy_HasKey(t *testing.T) {
-	p := NewPolicy(map[string]any{
-		KeyManagementURL:    "https://corp.example.com",
-		KeyDisableProfiles:  true,
-	})
-	assert.False(t, p.IsEmpty())
-	assert.True(t, p.HasKey(KeyManagementURL))
-	assert.True(t, p.HasKey(KeyDisableProfiles))
-	assert.False(t, p.HasKey(KeyPreSharedKey))
-}
-
-func TestPolicy_ManagedKeysSorted(t *testing.T) {
-	p := NewPolicy(map[string]any{
-		KeyDisableProfiles: true,
-		KeyManagementURL:   "https://x",
-		KeyAllowServerSSH:  false,
-	})
-	got := p.ManagedKeys()
-	assert.Equal(t, []string{KeyAllowServerSSH, KeyDisableProfiles, KeyManagementURL}, got)
-}
-
-func TestPolicy_GetString(t *testing.T) {
-	p := NewPolicy(map[string]any{
-		KeyManagementURL:   "https://corp.example.com",
-		KeyDisableProfiles: true,            // wrong type for GetString
-		KeyPreSharedKey:        "",              // empty rejected
-	})
-	v, ok := p.GetString(KeyManagementURL)
-	assert.True(t, ok)
-	assert.Equal(t, "https://corp.example.com", v)
-
-	_, ok = p.GetString(KeyDisableProfiles)
-	assert.False(t, ok, "non-string value must not be reported as string")
-
-	_, ok = p.GetString(KeyPreSharedKey)
-	assert.False(t, ok, "empty string treated as unset")
-
-	_, ok = p.GetString("nonexistent")
-	assert.False(t, ok)
-}
-
-func TestPolicy_GetBool(t *testing.T) {
-	cases := []struct {
-		name string
-		raw  any
-		want bool
-		ok   bool
-	}{
-		{"native true", true, true, true},
-		{"native false", false, false, true},
-		{"string true", "true", true, true},
-		{"string false", "false", false, true},
-		{"string 1", "1", true, true},
-		{"string 0", "0", false, true},
-		{"string yes", "yes", true, true},
-		{"string no", "no", false, true},
-		{"int nonzero", 1, true, true},
-		{"int zero", 0, false, true},
-		{"int64 nonzero", int64(2), true, true},
-		{"int64 zero", int64(0), false, true},
-		{"string garbage", "maybe", false, false},
-		{"float unsupported", 1.0, false, false},
-	}
-	for _, c := range cases {
-		t.Run(c.name, func(t *testing.T) {
-			p := NewPolicy(map[string]any{KeyDisableProfiles: c.raw})
-			got, ok := p.GetBool(KeyDisableProfiles)
-			assert.Equal(t, c.ok, ok)
-			if c.ok {
-				assert.Equal(t, c.want, got)
-			}
-		})
-	}
-
-	_, ok := NewPolicy(nil).GetBool(KeyDisableProfiles)
-	assert.False(t, ok)
-}
-
-func TestPolicy_GetStringSlice(t *testing.T) {
-	t.Run("native string slice", func(t *testing.T) {
-		p := NewPolicy(map[string]any{
-			KeySplitTunnelApps: []string{"com.a", "com.b"},
-		})
-		got, ok := p.GetStringSlice(KeySplitTunnelApps)
-		assert.True(t, ok)
-		assert.Equal(t, []string{"com.a", "com.b"}, got)
-	})
-
-	t.Run("any slice of strings", func(t *testing.T) {
-		p := NewPolicy(map[string]any{
-			KeySplitTunnelApps: []any{"com.a", "com.b"},
-		})
-		got, ok := p.GetStringSlice(KeySplitTunnelApps)
-		assert.True(t, ok)
-		assert.Equal(t, []string{"com.a", "com.b"}, got)
-	})
-
-	t.Run("single string lifts to one-element slice", func(t *testing.T) {
-		p := NewPolicy(map[string]any{
-			KeySplitTunnelApps: "com.a",
-		})
-		got, ok := p.GetStringSlice(KeySplitTunnelApps)
-		assert.True(t, ok)
-		assert.Equal(t, []string{"com.a"}, got)
-	})
-
-	t.Run("mixed any slice rejected", func(t *testing.T) {
-		p := NewPolicy(map[string]any{
-			KeySplitTunnelApps: []any{"com.a", 1},
-		})
-		_, ok := p.GetStringSlice(KeySplitTunnelApps)
-		assert.False(t, ok)
-	})
-
-	t.Run("missing key", func(t *testing.T) {
-		p := NewPolicy(nil)
-		_, ok := p.GetStringSlice(KeySplitTunnelApps)
-		assert.False(t, ok)
-	})
-}
-
-func TestLoadPolicy_PlatformStubReturnsEmpty(t *testing.T) {
-	// loadPlatformPolicy is a stub on every OS for Phase 1. LoadPolicy must
-	// degrade gracefully and never return nil.
-	p := LoadPolicy()
-	require.NotNil(t, p)
-	assert.True(t, p.IsEmpty())
-	assert.Empty(t, p.ManagedKeys())
-}

client/mdm/policy_windows.go

@@ -1,108 +0,0 @@
-//go:build windows
-
-package mdm
-
-import (
-	"errors"
-	"fmt"
-	"strings"
-
-	log "github.com/sirupsen/logrus"
-	"golang.org/x/sys/windows/registry"
-)
-
-// policyRegistryPath is the well-known MDM policy registry key for NetBird.
-// Admins push values here through Group Policy, Intune ADMX ingestion, an
-// Intune custom Registry CSP profile, or `reg add` during MSI deployment.
-// Listed in the project's docs/mdm/netbird.admx schema.
-const policyRegistryPath = `Software\Policies\NetBird`
-
-// readRegistryValue reads a single value under policyRegistryPath and,
-// on success, stores the type-coerced result in out[canonical]. Type
-// coercion mirrors loadPlatformPolicy's documented mapping:
-//   - REG_SZ / REG_EXPAND_SZ -> string (REG_EXPAND_SZ is expanded by the API)
-//   - REG_DWORD / REG_QWORD  -> int64
-//   - REG_MULTI_SZ           -> []string
-//
-// Unsupported value types and per-value read failures are logged at
-// warn level and skipped — one malformed value must not block the
-// surrounding loop. Extracted from loadPlatformPolicy to keep that
-// function's cognitive complexity in check.
-func readRegistryValue(k registry.Key, name, canonical string, out map[string]any) {
-	_, valType, err := k.GetValue(name, nil)
-	if err != nil {
-		log.Warnf("MDM stat %s\\%s: %v", policyRegistryPath, name, err)
-		return
-	}
-	switch valType {
-	case registry.SZ, registry.EXPAND_SZ:
-		if v, _, err := k.GetStringValue(name); err == nil {
-			out[canonical] = v
-		} else {
-			log.Warnf("MDM read string %s\\%s: %v", policyRegistryPath, name, err)
-		}
-	case registry.DWORD, registry.QWORD:
-		if v, _, err := k.GetIntegerValue(name); err == nil {
-			// uint64 from the registry API; Policy.GetBool / GetInt
-			// helpers consume int64, so narrow safely.
-			out[canonical] = int64(v)
-		} else {
-			log.Warnf("MDM read int %s\\%s: %v", policyRegistryPath, name, err)
-		}
-	case registry.MULTI_SZ:
-		if v, _, err := k.GetStringsValue(name); err == nil {
-			out[canonical] = v
-		} else {
-			log.Warnf("MDM read multi-string %s\\%s: %v", policyRegistryPath, name, err)
-		}
-	default:
-		log.Warnf("MDM ignoring unsupported registry value type %d at %s\\%s",
-			valType, policyRegistryPath, name)
-	}
-}
-
-// loadPlatformPolicy reads the MDM-managed configuration from the
-// Windows registry under HKLM\Software\Policies\NetBird. Returns:
-//   - (nil, nil)  when the key is absent (device not MDM-enrolled for NetBird)
-//   - (map, nil)  with N entries when N managed values are set (N may be 0)
-//   - (nil, err)  on open / enumerate registry errors
-//
-// Per-value type coercion + skip-on-error is delegated to
-// readRegistryValue. Unknown value names are logged and skipped so a
-// malformed deployment does not block startup.
-func loadPlatformPolicy() (map[string]any, error) {
-	k, err := registry.OpenKey(registry.LOCAL_MACHINE, policyRegistryPath, registry.QUERY_VALUE)
-	if err != nil {
-		if errors.Is(err, registry.ErrNotExist) {
-			// Not enrolled. Caller treats nil as "no MDM source present".
-			//nolint:nilnil // (nil, nil) is the documented platform-absent sentinel; see LoadPolicy.
-			return nil, nil
-		}
-		return nil, fmt.Errorf("open %s: %w", policyRegistryPath, err)
-	}
-	defer func() {
-		if closeErr := k.Close(); closeErr != nil {
-			log.Warnf("MDM close registry key %s: %v", policyRegistryPath, closeErr)
-		}
-	}()
-
-	names, err := k.ReadValueNames(-1)
-	if err != nil {
-		return nil, fmt.Errorf("enumerate values of %s: %w", policyRegistryPath, err)
-	}
-
-	out := make(map[string]any, len(names))
-	for _, name := range names {
-		// Canonicalize the registry value name against the known MDM key
-		// set so Policy.HasKey lookups (which use the canonical names)
-		// succeed regardless of the casing used by the admin's ADMX or
-		// `reg add` command.
-		canonical, known := canonicalKey[strings.ToLower(name)]
-		if !known {
-			log.Warnf("MDM ignoring unknown registry value %s\\%s", policyRegistryPath, name)
-			continue
-		}
-		readRegistryValue(k, name, canonical, out)
-	}
-	return out, nil
-}

client/mdm/ticker.go

@@ -1,129 +0,0 @@
-package mdm
-
-import (
-	"context"
-	"reflect"
-	"sort"
-	"time"
-
-	log "github.com/sirupsen/logrus"
-)
-
-// DefaultReloadInterval is the production cadence at which the desktop daemon
-// re-reads the OS-native MDM policy. Picked to balance responsiveness against
-// registry/plist I/O overhead. Mobile builds use OS-side notifications
-// instead, hence anticipating the ticker mechanism entirely.
-const DefaultReloadInterval = 1 * time.Minute
-
-// policyLoader is the indirection through which the ticker reads the
-// OS-native policy, both for the initial observation and on every tick.
-// Production points it at LoadPolicy; tests in this package override it to
-// feed a scripted sequence of policies without touching the real OS store.
-var policyLoader = LoadPolicy
-
-// Ticker periodically re-reads the OS-native MDM policy via LoadPolicy and
-// invokes the onChange callback (supplied to Run) whenever the observed
-// Policy diverges from the last observation (added / removed / changed
-// keys). Launch with Run from a goroutine; cancel the supplied context
-// to stop.
-type Ticker struct {
-	interval time.Duration
-	prev     *Policy
-}
-
-// NewTicker constructs a Ticker that will re-read the OS-native policy
-// every reloadInterval once Run is called.
-// The initial snapshot is populated by calling policyLoader at
-// construction time so the first tick only fires
-// onChange when the policy actually changed since boot — without
-// this baseline the first tick would report every currently-managed
-// key as "added" and trigger a spurious engine restart.
-func NewTicker(reloadInterval time.Duration) *Ticker {
-	return &Ticker{
-		interval: reloadInterval,
-		prev:     policyLoader(),
-	}
-}
-
-// Run blocks until ctx is cancelled, polling the OS-native policy store at
-// the configured cadence and emitting log lines + onChange callback on
-// every observed diff. onChange must be non-nil.
-func (t *Ticker) Run(ctx context.Context, onChange func(prev, curr *Policy) error) {
-	tk := time.NewTicker(t.interval)
-	defer tk.Stop()
-	log.Infof("MDM policy reload ticker started (interval=%s)", t.interval)
-	for {
-		select {
-		case <-ctx.Done():
-			log.Info("MDM policy reload ticker stopped")
-			return
-		case <-tk.C:
-			curr := policyLoader()
-			if policiesEqual(t.prev, curr) {
-				continue
-			}
-			added, removed, changed := diffPolicies(t.prev, curr)
-			log.Infof("MDM policy changed: added=%v removed=%v changed=%v",
-				added, removed, changed)
-			prev := t.prev
-			if err := onChange(prev, curr); err != nil {
-				log.Errorf("MDM policy change handler failed (retrying in 1 minute): %v", err)
-				continue
-			}
-			t.prev = curr
-		}
-	}
-}
-
-// policiesEqual reports whether two Policy instances carry the same
-// managed key set with identical values. Nil and empty policies
-// compare equal; one-nil/one-non-empty compare not equal; otherwise
-// the underlying values maps are compared with reflect.DeepEqual.
-func policiesEqual(a, b *Policy) bool {
-	if a.IsEmpty() && b.IsEmpty() {
-		return true
-	}
-	if a == nil || b == nil {
-		return false
-	}
-	return reflect.DeepEqual(a.values, b.values)
-}
-
-// diffPolicies returns the keys added in curr, removed from prev, and
-// whose values changed between prev and curr. Each slice is sorted
-// lexicographically for stable log output; value differences are
-// determined with reflect.DeepEqual.
-func diffPolicies(prev, curr *Policy) (added, removed, changed []string) {
-	prevKVs := mapOf(prev)
-	currKVs := mapOf(curr)
-	for k := range currKVs {
-		if _, ok := prevKVs[k]; !ok {
-			added = append(added, k)
-		} else if !reflect.DeepEqual(prevKVs[k], currKVs[k]) {
-			changed = append(changed, k)
-		}
-	}
-	for k := range prevKVs {
-		if _, ok := currKVs[k]; !ok {
-			removed = append(removed, k)
-		}
-	}
-	sort.Strings(added)
-	sort.Strings(removed)
-	sort.Strings(changed)
-	return added, removed, changed
-}
-
-// mapOf returns a (possibly empty, never nil) copy of the underlying
-// values map of a Policy so callers outside this package can compare
-// keys/values across the type boundary. Returns an empty map on nil p.
-func mapOf(p *Policy) map[string]any {
-	if p == nil {
-		return map[string]any{}
-	}
-	out := make(map[string]any, len(p.values))
-	for k, v := range p.values {
-		out[k] = v
-	}
-	return out
-}

client/mdm/ticker_test.go

@@ -1,100 +0,0 @@
-package mdm
-
-import (
-	"context"
-	"sync"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-// testReloadInterval for speeding up the ticker cadence under `go test`
-const testReloadInterval = 1 * time.Second
-
-// withPolicyLoader overrides the package-level policyLoader for the duration
-// of the test so the ticker observes a scripted policy instead of the real
-// OS-native store. The original loader is restored on cleanup.
-func withPolicyLoader(t *testing.T, fn func() *Policy) {
-	t.Helper()
-	prev := policyLoader
-	policyLoader = fn
-	t.Cleanup(func() { policyLoader = prev })
-}
-
-func TestTicker_FiresOnChangeWithDelta(t *testing.T) {
-	var mu sync.Mutex
-	current := NewPolicy(nil) // initial observation: empty (no enforcement)
-	withPolicyLoader(t, func() *Policy {
-		mu.Lock()
-		defer mu.Unlock()
-		return current
-	})
-
-	type change struct{ prev, curr *Policy }
-	changes := make(chan change, 1)
-	tk := NewTicker(testReloadInterval)
-	require.Equal(t, testReloadInterval, tk.interval)
-
-	ctx, cancel := context.WithCancel(context.Background())
-	done := make(chan struct{})
-	go func() {
-		tk.Run(ctx, func(prev, curr *Policy) error {
-			select {
-			case changes <- change{prev, curr}:
-			default:
-			}
-			return nil
-		})
-		close(done)
-	}()
-	// Stop Run and wait for it to exit before returning, so the policyLoader
-	// restore in t.Cleanup can't race the ticker goroutine still reading it.
-	defer func() { cancel(); <-done }()
-
-	// Flip the OS-observed policy from empty to one managed key. The next
-	// tick must detect the diff and invoke onChange.
-	mu.Lock()
-	current = NewPolicy(map[string]any{KeyManagementURL: "https://mdm.example.com:443"})
-	mu.Unlock()
-
-	select {
-	case c := <-changes:
-		assert.True(t, c.prev.IsEmpty(), "prev should be the initial empty policy")
-		assert.True(t, c.curr.HasKey(KeyManagementURL), "curr should carry the newly-pushed managed key")
-	case <-time.After(5 * time.Second):
-		t.Fatal("onChange not invoked within 5s; ticker should fire every 1s under test")
-	}
-}
-
-func TestTicker_NoCallbackWhenPolicyUnchanged(t *testing.T) {
-	withPolicyLoader(t, func() *Policy {
-		return NewPolicy(map[string]any{KeyBlockInbound: true})
-	})
-
-	fired := make(chan struct{}, 1)
-	tk := NewTicker(testReloadInterval)
-
-	ctx, cancel := context.WithCancel(context.Background())
-	done := make(chan struct{})
-	go func() {
-		tk.Run(ctx, func(_, _ *Policy) error {
-			select {
-			case fired <- struct{}{}:
-			default:
-			}
-			return nil
-		})
-		close(done)
-	}()
-	defer func() { cancel(); <-done }()
-
-	// Over ~2 ticks at the 1s test cadence the policy never changes, so the
-	// diff guard must suppress the callback entirely.
-	select {
-	case <-fired:
-		t.Fatal("onChange fired despite an unchanged policy")
-	case <-time.After(2500 * time.Millisecond):
-	}
-}

client/proto/daemon.proto

@@ -85,11 +85,6 @@ service DaemonService {
 
   rpc GetEvents(GetEventsRequest) returns (GetEventsResponse) {}
 
-  // RegisterUILog records the desktop UI's absolute log path so the daemon's
-  // debug bundle can collect it (the daemon runs as root and can't resolve the
-  // user's config dir).
-  rpc RegisterUILog(RegisterUILogRequest) returns (RegisterUILogResponse) {}
-
   rpc SwitchProfile(SwitchProfileRequest) returns (SwitchProfileResponse) {}
 
   rpc SetConfig(SetConfigRequest) returns (SetConfigResponse) {}
@@ -354,13 +349,6 @@ message GetConfigResponse {
   int32 sshJWTCacheTTL = 26;
 
   bool disable_ipv6 = 27;
-
-  // mDMManagedFields lists the names of configuration keys whose value is
-  // currently enforced by an MDM policy. Names match mdm.Key* constants
-  // (e.g. "managementURL", "disableClientRoutes"). UI/CLI clients should
-  // render the corresponding inputs as read-only and display a "managed
-  // by MDM" indicator.
-  repeated string mDMManagedFields = 28;
 }
 
 // PeerState contains the latest state of a peer
@@ -559,13 +547,6 @@ message SetLogLevelRequest {
 message SetLogLevelResponse {
 }
 
-message RegisterUILogRequest {
-  string path = 1;
-}
-
-message RegisterUILogResponse {
-}
-
 // State represents a daemon state entry
 message State {
   string name = 1;
@@ -791,21 +772,6 @@ message GetFeaturesResponse{
   bool disable_profiles = 1;
   bool disable_update_settings = 2;
   bool disable_networks = 3;
-  // disableAdvancedView gates the upcoming UI revision's advanced
-  // section. Tristate: unset = no MDM directive, the UI applies its
-  // own default; true = MDM enforces disable; false = MDM enforces
-  // enable. Sourced exclusively from the MDM policy — no CLI /
-  // config flag backs this value.
-  optional bool disable_advanced_view = 4;
-}
-
-// MDMManagedFieldsViolation is attached as a gRPC error detail on a
-// FailedPrecondition status returned from SetConfig (and similar mutating
-// RPCs) when the caller tries to modify one or more MDM-enforced fields.
-// The fields list contains the offending key names; the entire request is
-// rejected (no partial apply).
-message MDMManagedFieldsViolation {
-  repeated string fields = 1;
 }
 
 message TriggerUpdateRequest {}

client/proto/metadata.go

@@ -1,61 +0,0 @@
-package proto
-
-// SystemEvent metadata markers. The daemon stamps these on internal control
-// events it publishes over SubscribeEvents (profile-list refresh, log-level
-// change); the desktop UI recognises them and acts on them instead of
-// surfacing them as user-facing notifications.
-//
-// These live in the proto package — the shared contract both the daemon
-// (client/server) and the UI (client/ui/services) already import — so producer
-// and consumer reference the same constant rather than duplicating literals.
-// This file is hand-written and not touched by protoc.
-const (
-	// MetadataKindKey is the SystemEvent.metadata key carrying the event-kind
-	// marker (one of the MetadataKind* values below).
-	MetadataKindKey = "kind"
-
-	// MetadataKindProfileListChanged marks a CLI-driven profile add/remove that
-	// should nudge the UI's profile views to refresh.
-	MetadataKindProfileListChanged = "profile-list-changed"
-	// MetadataKindLogLevelChanged marks a daemon log-level change (or the
-	// per-subscription snapshot) that drives the GUI's file logging on/off.
-	MetadataKindLogLevelChanged = "log-level-changed"
-
-	// MetadataProfileKey carries the profile name for
-	// MetadataKindProfileListChanged.
-	MetadataProfileKey = "profile"
-	// MetadataLevelKey carries the lowercase logrus level name for
-	// MetadataKindLogLevelChanged.
-	MetadataLevelKey = "level"
-)
-
-// SystemEvent metadata markers for daemon config-change events. The daemon
-// publishes a SYSTEM-category event whenever its effective Config is
-// replaced (engine spawn, Up RPC, MDM policy diff); the UI re-fetches its
-// cached config/features in response and, for the MDM source, shows a
-// localised toast. Producer (client/server) and consumer (client/ui) share
-// these so neither duplicates the wire literals.
-const (
-	// MetadataTypeKey is the SystemEvent.metadata key carrying the
-	// config-change event type (one of the MetadataType* values below).
-	MetadataTypeKey = "type"
-	// MetadataTypeConfigChanged marks a config replacement that should nudge
-	// UIs to re-fetch their cached config + features. UserMessage is empty so
-	// the change is silent; the source is carried in MetadataSourceKey.
-	MetadataTypeConfigChanged = "config_changed"
-	// MetadataTypePolicyApplied marks an MDM-policy-driven config change. The
-	// daemon stamps it with a (non-localised) UserMessage; the UI suppresses
-	// that and builds its own localised toast off the paired config_changed
-	// event instead.
-	MetadataTypePolicyApplied = "policy_applied"
-
-	// MetadataSourceKey is the SystemEvent.metadata key carrying what
-	// triggered a config_changed event (one of the MetadataSource* values).
-	MetadataSourceKey = "source"
-	// MetadataSourceStartup marks a config_changed from the daemon Start path.
-	MetadataSourceStartup = "startup"
-	// MetadataSourceUpRPC marks a config_changed from the Up RPC.
-	MetadataSourceUpRPC = "up_rpc"
-	// MetadataSourceMDM marks a config_changed driven by an MDM policy diff.
-	MetadataSourceMDM = "mdm"
-)

client/server/debug.go

@@ -67,7 +67,6 @@ func (s *Server) DebugBundle(_ context.Context, req *proto.DebugBundleRequest) (
 			StatusRecorder: s.statusRecorder,
 			SyncResponse:   syncResponse,
 			LogPath:        s.logFile,
-			UILogPath:      s.uiLogPath,
 			CPUProfile:     cpuProfileData,
 			CapturePath:    capturePath,
 			RefreshStatus:  refreshStatus,
@@ -128,26 +127,9 @@ func (s *Server) SetLogLevel(_ context.Context, req *proto.SetLogLevelRequest) (
 
 	log.Infof("Log level set to %s", level.String())
 
-	// Signal the desktop UI so it can attach/detach its gui-client.log. Rides
-	// the SubscribeEvents stream as a marked event (see publishLogLevelChanged).
-	s.publishLogLevelChanged(level.String())
-
 	return &proto.SetLogLevelResponse{}, nil
 }
 
-// RegisterUILog records the desktop UI's absolute log path so DebugBundle can
-// collect the GUI log. The daemon runs as root and can't resolve the user's
-// config dir, so the UI reports it. Last-writer-wins (one UI per socket).
-func (s *Server) RegisterUILog(_ context.Context, req *proto.RegisterUILogRequest) (*proto.RegisterUILogResponse, error) {
-	s.mutex.Lock()
-	defer s.mutex.Unlock()
-
-	s.uiLogPath = req.GetPath()
-	log.Infof("registered UI log path: %s", s.uiLogPath)
-
-	return &proto.RegisterUILogResponse{}, nil
-}
-
 // SetSyncResponsePersistence sets the sync response persistence for the server.
 func (s *Server) SetSyncResponsePersistence(_ context.Context, req *proto.SetSyncResponsePersistenceRequest) (*proto.SetSyncResponsePersistenceResponse, error) {
 	s.mutex.Lock()

client/server/event.go

@@ -1,9 +1,7 @@
 package server
 
 import (
-	"github.com/google/uuid"
 	log "github.com/sirupsen/logrus"
-	"google.golang.org/protobuf/types/known/timestamppb"
 
 	"github.com/netbirdio/netbird/client/proto"
 )
@@ -18,15 +16,6 @@ func (s *Server) SubscribeEvents(req *proto.SubscribeRequest, stream proto.Daemo
 	log.Debug("client subscribed to events")
 	s.startUpdateManagerForGUI()
 
-	// Replay the current log level to this subscriber so a freshly-connected UI
-	// learns it even when the daemon was already started with --log-level debug
-	// (the change-driven publishLogLevelChanged only fires on SetLogLevel). Sent
-	// directly on this stream rather than via PublishEvent so it reaches only
-	// the new subscriber, not every connected client.
-	if err := s.sendCurrentLogLevel(stream); err != nil {
-		return err
-	}
-
 	for {
 		select {
 		case event := <-subscription.Events():
@@ -39,24 +28,3 @@ func (s *Server) SubscribeEvents(req *proto.SubscribeRequest, stream proto.Daemo
 		}
 	}
 }
-
-// sendCurrentLogLevel sends a marked log-level-changed SystemEvent carrying the
-// daemon's current level directly to one subscriber. Mirrors the shape
-// publishLogLevelChanged emits so the UI's dispatchSystemEvent handles both the
-// same way.
-func (s *Server) sendCurrentLogLevel(stream proto.DaemonService_SubscribeEventsServer) error {
-	level := log.GetLevel().String()
-	event := &proto.SystemEvent{
-		Id:        uuid.New().String(),
-		Severity:  proto.SystemEvent_INFO,
-		Category:  proto.SystemEvent_SYSTEM,
-		Message:   "Log level changed",
-		Metadata:  map[string]string{proto.MetadataKindKey: proto.MetadataKindLogLevelChanged, proto.MetadataLevelKey: level},
-		Timestamp: timestamppb.Now(),
-	}
-	if err := stream.Send(event); err != nil {
-		log.Warnf("error sending initial log level event: %v", err)
-		return err
-	}
-	return nil
-}

client/server/mdm.go

@@ -1,422 +0,0 @@
-package server
-
-import (
-	"context"
-	"fmt"
-	"time"
-
-	log "github.com/sirupsen/logrus"
-	"google.golang.org/grpc/codes"
-	gstatus "google.golang.org/grpc/status"
-
-	"github.com/netbirdio/netbird/client/mdm"
-	"github.com/netbirdio/netbird/client/proto"
-)
-
-// preSharedKeyRedactedSentinel is the value GetConfig returns in place
-// of an actual PSK, so a UI that round-trips the field back to the
-// daemon (via SetConfig / Login) can be distinguished from a deliberate
-// override. Any incoming PSK that equals this sentinel is treated as
-// a no-op echo, never as a conflict with the policy.
-const preSharedKeyRedactedSentinel = "**********"
-
-// loadMDMPolicy is the indirection used by server handlers to read the
-// active MDM policy. Tests override this to inject a fake policy.
-var loadMDMPolicy = mdm.LoadPolicy
-
-// conflictCheck is a value-aware comparison between a single field in
-// the incoming request and the corresponding MDM-enforced value. It
-// runs only when the field was actually set in the request (presence
-// already filtered upstream); ok=true reports the policy value, ok=false
-// means the policy is silent on the key — both are treated as conflicts
-// to be safe (an MDM key declared as managed must hold a value).
-type conflictCheck struct {
-	key   string
-	check func(*mdm.Policy) (match bool)
-}
-
-// onMDMPolicyChange is invoked by the MDM reload ticker every time the
-// OS-native managed-config store reports a diff vs the last observation.
-//
-// Restart sequence:
-//  1. Cancel the active engine context (terminates connectWithRetryRuns).
-//  2. Wait briefly for that goroutine to exit (giveUpChan is closed on exit).
-//  3. Re-resolve Config from disk + MDM policy (Config.apply re-runs
-//     applyMDMPolicy with the freshly loaded Policy).
-//  4. Spawn a fresh connectWithRetryRuns with the new context and config.
-//  5. Broadcast a SystemEvent so any GUI / CLI subscriber (SubscribeEvents
-//     RPC) can refresh its cached config view without polling.
-//
-// The callback runs in the ticker's own goroutine. Ticker has already
-// logged the per-key diff before invoking this hook.
-func (s *Server) onMDMPolicyChange(_, _ *mdm.Policy) error {
-	log.Warn("MDM policy changed; restarting engine to apply new configuration")
-
-	// Hold s.mutex for the entire restart sequence (cancel + quiescence
-	// wait + re-spawn). Any concurrent Up/Down/Status arriving while
-	// MDM is restarting blocks on the Lock until we are done — they
-	// then observe the post-restart state coherently. This is safe
-	// because the connectWithRetryRuns goroutine no longer acquires
-	// s.mutex in its defer (intent vs. goroutine-alive concerns are
-	// fully separated; see the connectionGoroutineRunning helper).
-	s.mutex.Lock()
-	defer s.mutex.Unlock()
-
-	if !s.clientRunning {
-		// The client is not running, so there's no engine to restart.
-		return nil
-	}
-	if s.actCancel != nil {
-		s.actCancel()
-	}
-
-	// Wait for previous connectWithRetryRuns to exit so we don't end up
-	// with two goroutines fighting over the same status recorder + engine.
-	// The teardown engages a fan-out of engine goroutines (peer workers,
-	// signal handler, route manager, ...). close(clientGiveUpChan)
-	// happens in the function-scope defer of connectWithRetryRuns, on
-	// every exit path (ctx cancel, backoff exhausted, panic) — see the
-	// defer in server.go.
-	if s.clientGiveUpChan != nil {
-		select {
-		case <-s.clientGiveUpChan:
-		case <-time.After(10 * time.Second):
-			return fmt.Errorf("failed to restart the engine due to timeout")
-		}
-	}
-
-	if err := s.restartEngineForMDMLocked(); err != nil {
-		log.Errorf("MDM restart failed: %v", err)
-		return err
-	}
-
-	// publishConfigChangedEvent has already fired inside
-	// restartEngineForMDMLocked with source="mdm". Emit an MDM-specific
-	// user-visible toast so the operator knows their IT policy was
-	// applied (UserMessage != "" triggers the GUI notifier).
-	s.statusRecorder.PublishEvent(
-		proto.SystemEvent_INFO,
-		proto.SystemEvent_SYSTEM,
-		"MDM policy applied",
-		"NetBird configuration was updated by your IT policy.",
-		map[string]string{
-			proto.MetadataSourceKey: proto.MetadataSourceMDM,
-			proto.MetadataTypeKey:   proto.MetadataTypePolicyApplied,
-		},
-	)
-	return nil
-}
-
-// publishConfigChangedEvent broadcasts a SystemEvent informing any active
-// SubscribeEvents subscriber (typically the GUI tray) that the daemon's
-// effective Config has been replaced and any cached client-side view
-// should be refreshed. Callers pass a stable `source` label so the GUI
-// can distinguish a startup spawn from a user-triggered Up or an
-// MDM-driven restart. Reusing the SYSTEM category keeps the proto enum
-// stable; metadata.type="config_changed" routes to the GUI's refresh
-// handler. UserMessage is left empty so the system tray does not toast
-// for every internal restart; the MDM path emits a separate
-// "policy_applied" event (with UserMessage) for that purpose.
-func (s *Server) publishConfigChangedEvent(source string) {
-	if s.statusRecorder == nil {
-		return
-	}
-	s.statusRecorder.PublishEvent(
-		proto.SystemEvent_INFO,
-		proto.SystemEvent_SYSTEM,
-		fmt.Sprintf("daemon config changed (source=%s)", source),
-		"",
-		map[string]string{
-			proto.MetadataSourceKey: source,
-			proto.MetadataTypeKey:   proto.MetadataTypeConfigChanged,
-		},
-	)
-}
-
-// restartEngineForMDMLocked re-resolves the active profile config
-// (re-running applyMDMPolicy via Config.apply) and re-spawns
-// connectWithRetryRuns. Mirrors the tail of Server.Start so a runtime
-// MDM change behaves identically to a fresh boot under the new policy.
-//
-// MUST be called with s.mutex held — onMDMPolicyChange holds the lock
-// for the entire restart sequence (cancel + quiescence wait + re-spawn)
-// so concurrent Up/Down/Status RPCs observe a coherent post-restart
-// state.
-func (s *Server) restartEngineForMDMLocked() error {
-	activeProf, err := s.profileManager.GetActiveProfileState()
-	if err != nil {
-		return fmt.Errorf("get active profile state: %w", err)
-	}
-	config, _, err := s.getConfig(activeProf)
-	if err != nil {
-		return fmt.Errorf("get active profile config: %w", err)
-	}
-
-	s.config = config
-	s.statusRecorder.UpdateManagementAddress(config.ManagementURL.String())
-	s.statusRecorder.UpdateRosenpass(config.RosenpassEnabled, config.RosenpassPermissive)
-	s.statusRecorder.UpdateLazyConnection(config.LazyConnectionEnabled)
-
-	ctx, cancel := context.WithCancel(s.rootCtx)
-	s.actCancel = cancel
-	s.clientRunning = true
-	s.clientRunningChan = make(chan struct{})
-	s.clientGiveUpChan = make(chan struct{})
-	log.Info("MDM restart: spawning connectWithRetryRuns with re-resolved config")
-	go s.connectWithRetryRuns(ctx, config, s.statusRecorder, s.clientRunningChan, s.clientGiveUpChan)
-	s.publishConfigChangedEvent(proto.MetadataSourceMDM)
-	return nil
-}
-
-// conflictBool builds a conflictCheck for a boolean MDM key. If p is nil
-// the field is treated as matching (no override requested); otherwise the
-// check returns true only when the policy contains the key and its
-// boolean value equals *p.
-func conflictBool(key string, p *bool) conflictCheck {
-	return conflictCheck{
-		key: key,
-		check: func(pol *mdm.Policy) bool {
-			if p == nil {
-				return true // absent → match by definition
-			}
-			want, ok := pol.GetBool(key)
-			return ok && want == *p
-		},
-	}
-}
-
-// conflictString builds a conflictCheck for a string MDM key. An empty
-// `got` is treated as "field not set" (no override requested); otherwise
-// the check returns true only when the policy contains the key and its
-// value equals got.
-func conflictString(key, got string) conflictCheck {
-	return conflictCheck{
-		key: key,
-		check: func(pol *mdm.Policy) bool {
-			if got == "" {
-				return true
-			}
-			want, ok := pol.GetString(key)
-			return ok && want == got
-		},
-	}
-}
-
-// conflictInt64 builds a conflictCheck for an integer MDM key. If p is
-// nil the field is treated as matching; otherwise the check returns
-// true only when the policy contains the key and its int value equals *p.
-func conflictInt64(key string, p *int64) conflictCheck {
-	return conflictCheck{
-		key: key,
-		check: func(pol *mdm.Policy) bool {
-			if p == nil {
-				return true
-			}
-			want, ok := pol.GetInt(key)
-			return ok && want == *p
-		},
-	}
-}
-
-// resolveConflicts walks the per-field checks against the active MDM
-// policy and returns the names of keys whose requested value diverges
-// from the policy-enforced value. Keys not present in the policy are
-// skipped silently (the gate fires only for keys the admin has
-// actually pushed). Returns nil for an empty policy.
-func resolveConflicts(policy *mdm.Policy, checks []conflictCheck) []string {
-	if policy.IsEmpty() {
-		return nil
-	}
-	var conflicts []string
-	for _, c := range checks {
-		if !policy.HasKey(c.key) {
-			continue
-		}
-		if !c.check(policy) {
-			conflicts = append(conflicts, c.key)
-		}
-	}
-	return conflicts
-}
-
-// mdmManagedFieldConflicts returns the names of MDM-managed keys whose
-// requested value in the SetConfigRequest differs from the MDM-enforced
-// value. A field set to the same value the policy already enforces is
-// treated as a no-op echo (the GUI tray sends a full Config snapshot on
-// every toggle, so most fields in a typical request match the policy
-// exactly and must NOT be flagged as conflicts). The redacted PSK
-// sentinel ("**********") returned by GetConfig is recognised and
-// treated as no-op so the UI can safely round-trip it.
-func mdmManagedFieldConflicts(msg *proto.SetConfigRequest, policy *mdm.Policy) []string {
-	if msg == nil {
-		return nil
-	}
-
-	// PSK round-trip echo: collapse the sentinel to empty so the
-	// shared check treats it as "field not set".
-	pskGot := ""
-	if msg.OptionalPreSharedKey != nil && *msg.OptionalPreSharedKey != preSharedKeyRedactedSentinel {
-		pskGot = *msg.OptionalPreSharedKey
-	}
-
-	return resolveConflicts(policy, []conflictCheck{
-		conflictString(mdm.KeyManagementURL, msg.ManagementUrl),
-		conflictString(mdm.KeyPreSharedKey, pskGot),
-		conflictBool(mdm.KeyRosenpassEnabled, msg.RosenpassEnabled),
-		conflictBool(mdm.KeyRosenpassPermissive, msg.RosenpassPermissive),
-		conflictBool(mdm.KeyDisableAutoConnect, msg.DisableAutoConnect),
-		conflictBool(mdm.KeyAllowServerSSH, msg.ServerSSHAllowed),
-		conflictBool(mdm.KeyDisableClientRoutes, msg.DisableClientRoutes),
-		conflictBool(mdm.KeyDisableServerRoutes, msg.DisableServerRoutes),
-		conflictBool(mdm.KeyBlockInbound, msg.BlockInbound),
-		conflictInt64(mdm.KeyWireguardPort, msg.WireguardPort),
-	})
-}
-
-// setConfigRequestHasConfigOverrides reports whether the SetConfigRequest
-// carries ANY field that would actually mutate the persisted config.
-// The CLI builds a SetConfigRequest unconditionally on every
-// `netbird up` (see setupSetConfigReq in cmd/up.go) — a plain
-// `netbird up` produces a request with every field at its zero value;
-// the gate must skip such no-op invocations or it would always fire
-// even when the user did not pass any --flag. Returns false on a nil
-// msg; true when any management/admin URL, PSK, DNS/NAT list+clean
-// flag, interface/port/MTU, or any optional bool/duration field is set.
-func setConfigRequestHasConfigOverrides(msg *proto.SetConfigRequest) bool {
-	if msg == nil {
-		return false
-	}
-	return msg.ManagementUrl != "" ||
-		msg.AdminURL != "" ||
-		msg.OptionalPreSharedKey != nil ||
-		len(msg.CustomDNSAddress) > 0 ||
-		len(msg.NatExternalIPs) > 0 || msg.CleanNATExternalIPs ||
-		len(msg.ExtraIFaceBlacklist) > 0 ||
-		len(msg.DnsLabels) > 0 || msg.CleanDNSLabels ||
-		msg.DnsRouteInterval != nil ||
-		msg.RosenpassEnabled != nil ||
-		msg.RosenpassPermissive != nil ||
-		msg.InterfaceName != nil ||
-		msg.WireguardPort != nil ||
-		msg.Mtu != nil ||
-		msg.DisableAutoConnect != nil ||
-		msg.ServerSSHAllowed != nil ||
-		msg.NetworkMonitor != nil ||
-		msg.DisableClientRoutes != nil ||
-		msg.DisableServerRoutes != nil ||
-		msg.DisableDns != nil ||
-		msg.DisableFirewall != nil ||
-		msg.BlockLanAccess != nil ||
-		msg.DisableNotifications != nil ||
-		msg.LazyConnectionEnabled != nil ||
-		msg.BlockInbound != nil ||
-		msg.DisableIpv6 != nil ||
-		msg.EnableSSHRoot != nil ||
-		msg.EnableSSHSFTP != nil ||
-		msg.EnableSSHLocalPortForwarding != nil ||
-		msg.EnableSSHRemotePortForwarding != nil ||
-		msg.DisableSSHAuth != nil ||
-		msg.SshJWTCacheTTL != nil
-}
-
-// loginRequestHasConfigOverrides reports whether the LoginRequest
-// carries ANY field that would mutate persisted daemon configuration
-// (as opposed to pure-auth fields like setupKey, hostname, hint,
-// profileName, username). Used by the Login handler to decide whether
-// the `--disable-update-settings` / MDM gates must run: a re-auth that
-// changes nothing about the configuration is always allowed.
-func loginRequestHasConfigOverrides(msg *proto.LoginRequest) bool {
-	if msg == nil {
-		return false
-	}
-	return msg.ManagementUrl != "" ||
-		msg.AdminURL != "" ||
-		msg.PreSharedKey != "" || //nolint:staticcheck // SA1019: legacy proto field still accepted by Login
-		msg.OptionalPreSharedKey != nil ||
-		len(msg.CustomDNSAddress) > 0 ||
-		len(msg.NatExternalIPs) > 0 || msg.CleanNATExternalIPs ||
-		msg.RosenpassEnabled != nil ||
-		msg.InterfaceName != nil ||
-		msg.WireguardPort != nil ||
-		msg.DisableAutoConnect != nil ||
-		msg.ServerSSHAllowed != nil ||
-		msg.RosenpassPermissive != nil ||
-		len(msg.ExtraIFaceBlacklist) > 0 ||
-		msg.NetworkMonitor != nil ||
-		msg.DnsRouteInterval != nil ||
-		msg.DisableClientRoutes != nil ||
-		msg.DisableServerRoutes != nil ||
-		msg.DisableDns != nil ||
-		msg.DisableFirewall != nil ||
-		msg.BlockLanAccess != nil ||
-		msg.DisableNotifications != nil ||
-		len(msg.DnsLabels) > 0 || msg.CleanDNSLabels ||
-		msg.LazyConnectionEnabled != nil ||
-		msg.BlockInbound != nil
-}
-
-// loginRequestMDMConflicts mirrors mdmManagedFieldConflicts but for the
-// LoginRequest surface. Same value-aware semantics: a field set to the
-// MDM-enforced value is a no-op echo, not a conflict; only a divergent
-// value is flagged. PSK has two proto fields — PreSharedKey (deprecated)
-// and OptionalPreSharedKey (current); either route trips the gate if it
-// diverges from the MDM-enforced PSK. OptionalPreSharedKey wins when
-// both are set; the redaction sentinel ("**********") is accepted as
-// a no-op echo.
-func loginRequestMDMConflicts(msg *proto.LoginRequest, policy *mdm.Policy) []string {
-	if msg == nil {
-		return nil
-	}
-
-	// Collapse the two PSK fields + the redaction sentinel down to a
-	// single "got" string the shared check can compare against the
-	// policy: OptionalPreSharedKey wins if set; PreSharedKey (deprecated)
-	// is the fallback; sentinel echo is treated as "field not set".
-	pskGot := ""
-	if msg.OptionalPreSharedKey != nil {
-		pskGot = *msg.OptionalPreSharedKey
-	} else if msg.PreSharedKey != "" { //nolint:staticcheck // SA1019: legacy proto field still accepted by Login
-		pskGot = msg.PreSharedKey //nolint:staticcheck // SA1019
-	}
-	if pskGot == preSharedKeyRedactedSentinel {
-		pskGot = ""
-	}
-
-	return resolveConflicts(policy, []conflictCheck{
-		conflictString(mdm.KeyManagementURL, msg.ManagementUrl),
-		conflictString(mdm.KeyPreSharedKey, pskGot),
-		conflictBool(mdm.KeyRosenpassEnabled, msg.RosenpassEnabled),
-		conflictBool(mdm.KeyRosenpassPermissive, msg.RosenpassPermissive),
-		conflictBool(mdm.KeyDisableAutoConnect, msg.DisableAutoConnect),
-		conflictBool(mdm.KeyAllowServerSSH, msg.ServerSSHAllowed),
-		conflictBool(mdm.KeyDisableClientRoutes, msg.DisableClientRoutes),
-		conflictBool(mdm.KeyDisableServerRoutes, msg.DisableServerRoutes),
-		conflictBool(mdm.KeyBlockInbound, msg.BlockInbound),
-		conflictInt64(mdm.KeyWireguardPort, msg.WireguardPort),
-	})
-}
-
-// rejectMDMManagedFieldConflicts returns a FailedPrecondition gRPC error
-// with an MDMManagedFieldsViolation detail when any of the requested
-// fields tries to change an MDM-enforced value to something else, and
-// nil otherwise. The whole request is rejected on any conflict; non-
-// conflicting fields in the same request are not applied either (no
-// partial apply).
-func rejectMDMManagedFieldConflicts(conflicts []string) error {
-	if len(conflicts) == 0 {
-		return nil
-	}
-	log.Warnf("MDM rejected request: tried to modify %d managed key(s): %v",
-		len(conflicts), conflicts)
-	st := gstatus.New(
-		codes.FailedPrecondition,
-		fmt.Sprintf("fields managed by MDM cannot be modified: %v", conflicts),
-	)
-	detailed, err := st.WithDetails(&proto.MDMManagedFieldsViolation{Fields: conflicts})
-	if err != nil {
-		// Detail attachment is best-effort; fall back to the plain status
-		// so the caller still gets a usable FailedPrecondition.
-		return st.Err()
-	}
-	return detailed.Err()
-}

client/server/network.go

@@ -30,7 +30,7 @@ func (s *Server) ListNetworks(context.Context, *proto.ListNetworksRequest) (*pro
 	s.mutex.Lock()
 	defer s.mutex.Unlock()
 
-	if s.checkNetworksDisabled() {
+	if s.networksDisabled {
 		return nil, gstatus.Errorf(codes.Unavailable, errNetworksDisabled)
 	}
 
@@ -143,7 +143,7 @@ func (s *Server) SelectNetworks(_ context.Context, req *proto.SelectNetworksRequ
 	s.mutex.Lock()
 	defer s.mutex.Unlock()
 
-	if s.checkNetworksDisabled() {
+	if s.networksDisabled {
 		return nil, gstatus.Errorf(codes.Unavailable, errNetworksDisabled)
 	}
 
@@ -206,7 +206,7 @@ func (s *Server) DeselectNetworks(_ context.Context, req *proto.SelectNetworksRe
 	s.mutex.Lock()
 	defer s.mutex.Unlock()
 
-	if s.checkNetworksDisabled() {
+	if s.networksDisabled {
 		return nil, gstatus.Errorf(codes.Unavailable, errNetworksDisabled)
 	}
 

client/server/server.go

@@ -25,7 +25,6 @@ import (
 	"github.com/netbirdio/netbird/client/internal/expose"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	sleephandler "github.com/netbirdio/netbird/client/internal/sleep/handler"
-	"github.com/netbirdio/netbird/client/mdm"
 	"github.com/netbirdio/netbird/client/system"
 	mgm "github.com/netbirdio/netbird/shared/management/client"
 	"github.com/netbirdio/netbird/shared/management/domain"
@@ -68,12 +67,6 @@ type Server struct {
 
 	logFile string
 
-	// uiLogPath is the desktop UI's absolute log path, reported via
-	// RegisterUILog. Guarded by mutex. Consumed by DebugBundle so the bundle
-	// can collect the GUI log even though the daemon runs as root and can't
-	// resolve the user's config dir. Last-writer-wins (one UI per socket).
-	uiLogPath string
-
 	oauthAuthFlow oauthAuthFlow
 	// extendAuthSessionFlow holds the pending PKCE flow created by
 	// RequestExtendAuthSession until WaitExtendAuthSession resolves it.
@@ -85,13 +78,7 @@ type Server struct {
 	mutex  sync.Mutex
 	config *profilemanager.Config
 	proto.UnimplementedDaemonServiceServer
-	// clientRunning tracks "the daemon wants to be connected" — set true by
-	// Start / Up, cleared by Down / Logout. Persists across retry
-	// loops, signal disconnects, and ErrResetConnection cycles. NOT
-	// changed by connectWithRetryRuns goroutine exit — for that
-	// (goroutine-still-alive) check, see connectionGoroutineRunning() which
-	// derives from clientGiveUpChan close state. Protected by s.mutex.
-	clientRunning     bool
+	clientRunning     bool // protected by mutex
 	clientRunningChan chan struct{}
 	clientGiveUpChan  chan struct{} // closed when connectWithRetryRuns goroutine exits
 
@@ -118,11 +105,6 @@ type Server struct {
 
 	sleepHandler *sleephandler.SleepHandler
 
-	// mdmTicker periodically re-reads the OS-native MDM policy and triggers
-	// an engine restart when the policy changes. Launched once by Start;
-	// stopped by the rootCtx cancellation.
-	mdmTicker *mdm.Ticker
-
 	updateManager *updater.Manager
 
 	jwtCache *jwtCache
@@ -191,17 +173,6 @@ func (s *Server) Start() error {
 		s.updateManager.CheckUpdateSuccess(s.rootCtx)
 	}
 
-	// MDM policy reload ticker: every minute the desktop daemon re-reads
-	// the OS-native managed-config store and, on diff vs the previous
-	// observation, cancels the active engine context so connectWithRetry-
-	// Runs re-resolves Config (re-running profilemanager.Config.apply which
-	// applies the freshly-read MDM policy as the last layer) and brings
-	// the engine back with the new values.
-	if s.mdmTicker == nil {
-		s.mdmTicker = mdm.NewTicker(mdm.DefaultReloadInterval)
-		go s.mdmTicker.Run(s.rootCtx, s.onMDMPolicyChange)
-	}
-
 	// if current state contains any error, return it
 	// in all other cases we can continue execution only if status is idle and up command was
 	// not in the progress or already successfully established connection.
@@ -260,28 +231,24 @@ func (s *Server) Start() error {
 	s.clientRunningChan = make(chan struct{})
 	s.clientGiveUpChan = make(chan struct{})
 	go s.connectWithRetryRuns(ctx, config, s.statusRecorder, s.clientRunningChan, s.clientGiveUpChan)
-	s.publishConfigChangedEvent(proto.MetadataSourceStartup)
 	return nil
 }
 
 // connectWithRetryRuns runs the client connection with a backoff strategy where we retry the operation as additional
 // mechanism to keep the client connected even when the connection is lost.
 // we cancel retry if the client receive a stop or down command, or if disable auto connect is configured.
-//
-// The goroutine's exit is signalled to the daemon via close(giveUpChan)
-// — placed in the function-scope defer so every return path (panic,
-// DisableAutoConnect early-exit, backoff exhausted, ctx cancel) closes
-// it. Callers that need to observe "is the goroutine still alive?" use
-// Server.connectionGoroutineRunning() which non-blockingly checks the close state
-// of clientGiveUpChan. The defer does NOT touch s.mutex; the daemon's
-// "intent" (clientRunning) is maintained by the RPC handlers, not by this
-// goroutine.
 func (s *Server) connectWithRetryRuns(ctx context.Context, profileConfig *profilemanager.Config, statusRecorder *peer.Status, runningChan chan struct{}, giveUpChan chan struct{}) {
 	// close(giveUpChan) MUST run on every exit path (DisableAutoConnect
 	// return, backoff.Retry return, panic) — Down() blocks for up to 5s
 	// waiting on this signal before flipping the state to Idle, and a
-	// missed close leaves Down() always hitting the timeout.
+	// missed close leaves Down() always hitting the timeout. The signal
+	// fires AFTER clientRunning=false is committed under the mutex so a
+	// Down/Up racing with the goroutine exit never observes a half-state
+	// (chan closed but clientRunning still true).
 	defer func() {
+		s.mutex.Lock()
+		s.clientRunning = false
+		s.mutex.Unlock()
 		if giveUpChan != nil {
 			close(giveUpChan)
 		}
@@ -339,27 +306,6 @@ func (s *Server) connectWithRetryRuns(ctx context.Context, profileConfig *profil
 	if err := backoff.Retry(runOperation, backOff); err != nil {
 		log.Errorf("operation failed: %v", err)
 	}
-	// giveUpChan is closed by the function-scope defer.
-}
-
-// connectionGoroutineRunning reports whether the connectWithRetryRuns goroutine is
-// still running. Returns false when no goroutine has ever been started
-// AND when the most recent one has already closed clientGiveUpChan on
-// exit (whether due to ctx cancel, DisableAutoConnect single-shot
-// completion, or backoff retry exhaustion).
-//
-// MUST be called with s.mutex held — accesses s.clientGiveUpChan which
-// is written by Start/Up under the same lock.
-func (s *Server) connectionGoroutineRunning() bool {
-	if s.clientGiveUpChan == nil {
-		return false
-	}
-	select {
-	case <-s.clientGiveUpChan:
-		return false
-	default:
-		return true
-	}
 }
 
 // loginAttempt attempts to login using the provided information. it returns a status in case something fails
@@ -391,85 +337,52 @@ func (s *Server) SetConfig(callerCtx context.Context, msg *proto.SetConfigReques
 	s.mutex.Lock()
 	defer s.mutex.Unlock()
 
-	// Skip the update-settings gate when the request carries no actual
-	// overrides: the CLI builds a SetConfigRequest unconditionally on
-	// every `netbird up` (setupSetConfigReq in cmd/up.go), so a plain
-	// `netbird up` would otherwise always trip the gate and surface a
-	// misleading "setConfig method is not available" warning, even when
-	// the user did not pass any config flag.
-	if setConfigRequestHasConfigOverrides(msg) {
-		if s.checkUpdateSettingsDisabled() {
-			return nil, gstatus.Errorf(codes.Unavailable, errUpdateSettingsDisabled)
-		}
+	if s.checkUpdateSettingsDisabled() {
+		return nil, gstatus.Errorf(codes.Unavailable, errUpdateSettingsDisabled)
 	}
 
-	// MDM gate: refuse the whole request if any of its fields is enforced
-	// by the active MDM policy. The error carries an MDMManagedFields-
-	// Violation detail listing the offending key names. Non-conflicting
-	// fields in the same request are not applied either.
-	policy := loadMDMPolicy()
-	if err := rejectMDMManagedFieldConflicts(mdmManagedFieldConflicts(msg, policy)); err != nil {
-		return nil, err
-	}
-
-	config, err := setConfigInputFromRequest(msg)
-	if err != nil {
-		return nil, err
-	}
-
-	if _, err := profilemanager.UpdateConfig(config); err != nil {
-		log.Errorf("failed to update profile config: %v", err)
-		return nil, fmt.Errorf("failed to update profile config: %w", err)
-	}
-
-	return &proto.SetConfigResponse{}, nil
-}
-
-// setConfigInputFromRequest translates a SetConfigRequest into the
-// profilemanager.ConfigInput that profilemanager.UpdateConfig consumes.
-// Pure mapping with no business logic beyond presence-aware copying of
-// optional fields and the "empty / clean" semantics for the two slice
-// fields (DNS labels, NAT external IPs). Extracted from SetConfig to
-// keep the handler's cognitive complexity below the SonarCube
-// threshold; the body is intentionally linear because each proto
-// field is its own optional case. Returns the resolved ConfigInput
-// and a non-nil error only when the active profile file path cannot
-// be determined.
-func setConfigInputFromRequest(msg *proto.SetConfigRequest) (profilemanager.ConfigInput, error) {
-	var config profilemanager.ConfigInput
-
 	profState := profilemanager.ActiveProfileState{
 		Name:     msg.ProfileName,
 		Username: msg.Username,
 	}
+
 	profPath, err := profState.FilePath()
 	if err != nil {
 		log.Errorf("failed to get active profile file path: %v", err)
-		return config, fmt.Errorf("failed to get active profile file path: %w", err)
+		return nil, fmt.Errorf("failed to get active profile file path: %w", err)
 	}
+
+	var config profilemanager.ConfigInput
+
 	config.ConfigPath = profPath
 
 	if msg.ManagementUrl != "" {
 		config.ManagementURL = msg.ManagementUrl
 	}
+
 	if msg.AdminURL != "" {
 		config.AdminURL = msg.AdminURL
 	}
+
 	if msg.InterfaceName != nil {
 		config.InterfaceName = msg.InterfaceName
 	}
+
 	if msg.WireguardPort != nil {
 		wgPort := int(*msg.WireguardPort)
 		config.WireguardPort = &wgPort
 	}
-	if msg.OptionalPreSharedKey != nil && *msg.OptionalPreSharedKey != "" {
+
+	if msg.OptionalPreSharedKey != nil {
 		config.PreSharedKey = msg.OptionalPreSharedKey
 	}
 
 	if msg.CleanDNSLabels {
 		config.DNSLabels = domain.List{}
+
 	} else if msg.DnsLabels != nil {
-		config.DNSLabels = domain.FromPunycodeList(msg.DnsLabels)
+		dnsLabels := domain.FromPunycodeList(msg.DnsLabels)
+		config.DNSLabels = dnsLabels
 	}
 
 	if msg.CleanNATExternalIPs {
@@ -482,6 +395,7 @@ func setConfigInputFromRequest(msg *proto.SetConfigRequest) (profilemanager.Conf
 	if string(msg.CustomDNSAddress) == "empty" {
 		config.CustomDNSAddress = []byte{}
 	}
+
 	config.ExtraIFaceBlackList = msg.ExtraIFaceBlacklist
 
 	if msg.DnsRouteInterval != nil {
@@ -514,31 +428,22 @@ func setConfigInputFromRequest(msg *proto.SetConfigRequest) (profilemanager.Conf
 		ttl := int(*msg.SshJWTCacheTTL)
 		config.SSHJWTCacheTTL = &ttl
 	}
+
 	if msg.Mtu != nil {
 		mtu := uint16(*msg.Mtu)
 		config.MTU = &mtu
 	}
-	return config, nil
+
+	if _, err := profilemanager.UpdateConfig(config); err != nil {
+		log.Errorf("failed to update profile config: %v", err)
+		return nil, fmt.Errorf("failed to update profile config: %w", err)
+	}
+
+	return &proto.SetConfigResponse{}, nil
 }
 
 // Login uses setup key to prepare configuration for the daemon.
 func (s *Server) Login(callerCtx context.Context, msg *proto.LoginRequest) (*proto.LoginResponse, error) {
-	// Config-override gates. LoginRequest carries the same surface as
-	// SetConfigRequest (managementUrl, PSK, ssh/rosenpass/port toggles,
-	// ...), so the same protections must apply. Without these the CLI
-	// command `netbird up --management-url=X` (which falls through to
-	// Login when SetConfig is rejected — see cmd/up.go) would silently
-	// bypass `--disable-update-settings` and any MDM policy.
-	if loginRequestHasConfigOverrides(msg) {
-		if s.checkUpdateSettingsDisabled() {
-			return nil, gstatus.Errorf(codes.Unavailable, errUpdateSettingsDisabled)
-		}
-		policy := loadMDMPolicy()
-		if err := rejectMDMManagedFieldConflicts(loginRequestMDMConflicts(msg, policy)); err != nil {
-			return nil, err
-		}
-	}
-
 	s.mutex.Lock()
 	if s.actCancel != nil {
 		s.actCancel()
@@ -859,13 +764,7 @@ func (s *Server) WaitSSOLogin(callerCtx context.Context, msg *proto.WaitSSOLogin
 // Up starts engine work in the daemon.
 func (s *Server) Up(callerCtx context.Context, msg *proto.UpRequest) (*proto.UpResponse, error) {
 	s.mutex.Lock()
-	// clientRunning is the daemon-intent flag (set by previous Up/Start, cleared
-	// by Down). connectionGoroutineRunning() reports whether the previous retry-loop
-	// goroutine is still trying. When intent is up AND goroutine is alive,
-	// the existing engine is on the job — just wait for it. When intent
-	// is up but the goroutine has given up (backoff exhausted) OR when
-	// intent is down, fall through to spawn a fresh retry loop.
-	if s.clientRunning && s.connectionGoroutineRunning() {
+	if s.clientRunning {
 		state := internal.CtxGetState(s.rootCtx)
 		status, err := state.Status()
 		if err != nil {
@@ -972,7 +871,6 @@ func (s *Server) Up(callerCtx context.Context, msg *proto.UpRequest) (*proto.UpR
 	s.clientGiveUpChan = make(chan struct{})
 
 	go s.connectWithRetryRuns(ctx, s.config, s.statusRecorder, s.clientRunningChan, s.clientGiveUpChan)
-	s.publishConfigChangedEvent(proto.MetadataSourceUpRPC)
 
 	s.mutex.Unlock()
 	if msg.GetAsync() {
@@ -1122,12 +1020,6 @@ func (s *Server) cleanupConnection() error {
 		return ErrServiceNotUp
 	}
 
-	// Daemon intent flips to "down" — all callers (Down RPC,
-	// Logout RPC handlers) tear down the connection because the user
-	// explicitly asked for it. MDM restart does NOT go through this
-	// path, so its clientRunning stays true.
-	s.clientRunning = false
-
 	// Capture the engine reference before cancelling the context.
 	// After actCancel(), the connectWithRetryRuns goroutine wakes up
 	// and sets connectClient.engine = nil, causing connectClient.Stop()
@@ -1343,14 +1235,10 @@ func (s *Server) Status(
 	msg *proto.StatusRequest,
 ) (*proto.StatusResponse, error) {
 	s.mutex.Lock()
-	// Only wait if the retry-loop goroutine is alive and making
-	// progress. clientRunning=true with connectionGoroutineRunning=false means the
-	// backoff has given up — there is nothing to wait for; let the
-	// caller observe the failed status directly.
-	alive := s.connectionGoroutineRunning()
+	clientRunning := s.clientRunning
 	s.mutex.Unlock()
 
-	if msg.WaitForReady != nil && *msg.WaitForReady && alive {
+	if msg.WaitForReady != nil && *msg.WaitForReady && clientRunning {
 		state := internal.CtxGetState(s.rootCtx)
 		status, err := state.Status()
 		if err != nil {
@@ -1971,7 +1859,6 @@ func (s *Server) GetConfig(ctx context.Context, req *proto.GetConfigRequest) (*p
 		EnableSSHRemotePortForwarding: enableSSHRemotePortForwarding,
 		DisableSSHAuth:                disableSSHAuth,
 		SshJWTCacheTTL:                sshJWTCacheTTL,
-		MDMManagedFields:              cfg.Policy().ManagedKeys(),
 	}, nil
 }
 
@@ -2029,8 +1916,8 @@ func (s *Server) RemoveProfile(ctx context.Context, msg *proto.RemoveProfileRequ
 // a marked INFO/SYSTEM event over SubscribeEvents: the UI's dispatchSystemEvent
 // recognises the metadata "kind" marker and translates it into its internal
 // profile-changed signal that both the tray menu and the React profile views
-// already subscribe to (see proto.MetadataKindProfileListChanged, recognised in
-// client/ui/services/daemon_feed.go). userMessage is intentionally empty so this
+// already subscribe to (see client/ui/services/daemon_feed.go,
+// MetadataKindProfileListChanged). userMessage is intentionally empty so this
 // stays a silent refresh signal rather than a user-facing notification.
 func (s *Server) publishProfileListChanged(profileName string) {
 	s.statusRecorder.PublishEvent(
@@ -2038,26 +1925,7 @@ func (s *Server) publishProfileListChanged(profileName string) {
 		proto.SystemEvent_SYSTEM,
 		"Profile list changed",
 		"",
-		map[string]string{proto.MetadataKindKey: proto.MetadataKindProfileListChanged, proto.MetadataProfileKey: profileName},
-	)
-}
-
-// publishLogLevelChanged signals the desktop UI that the daemon log level
-// changed, so it can attach/detach its rotated gui-client.log. Like
-// publishProfileListChanged, this rides the SubscribeEvents stream as a marked
-// INFO/SYSTEM event (kind "log-level-changed", level the lowercase logrus
-// name); the UI's dispatchSystemEvent recognises the marker and routes it to
-// the logging toggle instead of an OS toast (userMessage is empty so it stays
-// a silent control signal). The "level" value matches log.Level.String()
-// (e.g. "debug", "info") so the UI can parse it directly. See
-// proto.MetadataKindLogLevelChanged, recognised in client/ui/services/daemon_feed.go.
-func (s *Server) publishLogLevelChanged(level string) {
-	s.statusRecorder.PublishEvent(
-		proto.SystemEvent_INFO,
-		proto.SystemEvent_SYSTEM,
-		"Log level changed",
-		"",
-		map[string]string{proto.MetadataKindKey: proto.MetadataKindLogLevelChanged, proto.MetadataLevelKey: level},
+		map[string]string{"kind": "profile-list-changed", "profile": profileName},
 	)
 }
 
@@ -2114,28 +1982,12 @@ func (s *Server) GetFeatures(ctx context.Context, msg *proto.GetFeaturesRequest)
 	features := &proto.GetFeaturesResponse{
 		DisableProfiles:       s.checkProfilesDisabled(),
 		DisableUpdateSettings: s.checkUpdateSettingsDisabled(),
-		DisableNetworks:       s.checkNetworksDisabled(),
-		DisableAdvancedView:   s.checkDisableAdvancedView(),
+		DisableNetworks:       s.networksDisabled,
 	}
 
 	return features, nil
 }
 
-// checkDisableAdvancedView reports the MDM-policy directive for the
-// upcoming UI's advanced-view section. Tristate: returns nil when no
-// MDM directive is set so the UI applies its own default; returns
-// &true / &false when MDM explicitly enforces. No CLI flag backs
-// this feature — MDM is the sole source.
-func (s *Server) checkDisableAdvancedView() *bool {
-	if s.config == nil {
-		return nil
-	}
-	if v, ok := s.config.Policy().GetBool(mdm.KeyDisableAdvancedView); ok {
-		return &v
-	}
-	return nil
-}
-
 func (s *Server) connect(ctx context.Context, config *profilemanager.Config, statusRecorder *peer.Status, runningChan chan struct{}) error {
 	log.Tracef("running client connection")
 	client := internal.NewConnectClient(ctx, config, statusRecorder)
@@ -2152,46 +2004,22 @@ func (s *Server) connect(ctx context.Context, config *profilemanager.Config, sta
 	return nil
 }
 
-// MDM authority: when the platform-native MDM source sets a kill switch
-// key (regardless of true/false value), that value wins. The CLI flag
-// supplied at service install time is the fallback used only when the
-// MDM source is silent on the key. This honors the "MDM decides
-// everything" semantic agreed for NET-1214 — an admin pushing
-// disableX=false via MDM explicitly re-enables the feature even on a
-// box installed with --disable-X.
 func (s *Server) checkProfilesDisabled() bool {
-	if s.config != nil {
-		if v, ok := s.config.Policy().GetBool(mdm.KeyDisableProfiles); ok {
-			return v
-		}
+	// Check if the environment variable is set to disable profiles
+	if s.profilesDisabled {
+		return true
 	}
-	return s.profilesDisabled
-}
 
-// checkNetworksDisabled reports whether the networks/exit-node feature
-// is disabled on this daemon instance. Resolved MDM-first: when the
-// active policy declares mdm.KeyDisableNetworks the policy value wins
-// (regardless of true/false), so an admin can re-enable the feature
-// via MDM even on a host that was installed with --disable-networks.
-// Falls back to the s.networksDisabled CLI flag when the policy is
-// silent on the key. Mirrors checkProfilesDisabled and
-// checkUpdateSettingsDisabled.
-func (s *Server) checkNetworksDisabled() bool {
-	if s.config != nil {
-		if v, ok := s.config.Policy().GetBool(mdm.KeyDisableNetworks); ok {
-			return v
-		}
-	}
-	return s.networksDisabled
+	return false
 }
 
 func (s *Server) checkUpdateSettingsDisabled() bool {
-	if s.config != nil {
-		if v, ok := s.config.Policy().GetBool(mdm.KeyDisableUpdateSettings); ok {
-			return v
-		}
+	// Check if the environment variable is set to disable profiles
+	if s.updateSettingsDisabled {
+		return true
 	}
-	return s.updateSettingsDisabled
+
+	return false
 }
 
 func (s *Server) startUpdateManagerForGUI() {

client/server/server_connect_test.go

@@ -101,7 +101,6 @@ func TestCleanupConnection_ClearsConnectClient(t *testing.T) {
 	require.NoError(t, err)
 
 	assert.Nil(t, s.connectClient, "connectClient should be nil after cleanup")
-	assert.False(t, s.clientRunning, "clientRunning should be cleared after cleanup (intent = down)")
 }
 
 // TestCleanState_NilConnectClient validates that CleanState doesn't panic
@@ -145,20 +144,17 @@ func TestDownThenUp_StaleRunningChan(t *testing.T) {
 	_, cancel := context.WithCancel(context.Background())
 	s.actCancel = cancel
 
-	// Simulate Down(): cleanupConnection sets connectClient = nil and
-	// flips clientRunning to false (intent = down). The connectionGoroutineRunning state
-	// remains independent of intent — derived from clientGiveUpChan.
+	// Simulate Down(): cleanupConnection sets connectClient = nil
 	s.mutex.Lock()
 	err := s.cleanupConnection()
 	s.mutex.Unlock()
 	require.NoError(t, err)
 
-	// After cleanup: connectClient is nil, clientRunning is false (intent
-	// cleared by cleanupConnection), connectionGoroutineRunning may still be true
-	// (goroutine teardown is independent of the intent flag).
+	// After cleanup: connectClient is nil, clientRunning still true
+	// (goroutine hasn't exited yet)
 	s.mutex.Lock()
 	assert.Nil(t, s.connectClient, "connectClient should be nil after cleanup")
-	assert.False(t, s.clientRunning, "clientRunning should be cleared by cleanupConnection (intent = down)")
+	assert.True(t, s.clientRunning, "clientRunning still true until goroutine exits")
 	s.mutex.Unlock()
 
 	// waitForUp() returns immediately due to stale closed clientRunningChan

client/server/setconfig_mdm_test.go

@@ -1,198 +0,0 @@
-package server
-
-import (
-	"context"
-	"os/user"
-	"path/filepath"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-	"google.golang.org/grpc/codes"
-	gstatus "google.golang.org/grpc/status"
-
-	"github.com/netbirdio/netbird/client/internal/profilemanager"
-	"github.com/netbirdio/netbird/client/mdm"
-	"github.com/netbirdio/netbird/client/proto"
-)
-
-// withMDMPolicy temporarily overrides the server-package loadMDMPolicy hook
-// so SetConfig observes the supplied Policy. Restores the original loader
-// at test cleanup.
-func withMDMPolicy(t *testing.T, policy *mdm.Policy) {
-	t.Helper()
-	prev := loadMDMPolicy
-	loadMDMPolicy = func() *mdm.Policy { return policy }
-	t.Cleanup(func() { loadMDMPolicy = prev })
-}
-
-// setupServerWithProfile mirrors the boilerplate of TestSetConfig_AllFieldsSaved:
-// overrides profilemanager paths to a temp dir, seeds a profile, sets it
-// active, and constructs a Server instance. Returns the constructed server
-// plus context + profile name + username + cfgPath for the seeded profile.
-func setupServerWithProfile(t *testing.T) (s *Server, ctx context.Context, profName, username, cfgPath string) {
-	t.Helper()
-	tempDir := t.TempDir()
-
-	origDefaultProfileDir := profilemanager.DefaultConfigPathDir
-	origDefaultConfigPath := profilemanager.DefaultConfigPath
-	origActiveProfileStatePath := profilemanager.ActiveProfileStatePath
-	profilemanager.ConfigDirOverride = tempDir
-	profilemanager.DefaultConfigPathDir = tempDir
-	profilemanager.ActiveProfileStatePath = tempDir + "/active_profile.json"
-	profilemanager.DefaultConfigPath = filepath.Join(tempDir, "default.json")
-	t.Cleanup(func() {
-		profilemanager.DefaultConfigPathDir = origDefaultProfileDir
-		profilemanager.ActiveProfileStatePath = origActiveProfileStatePath
-		profilemanager.DefaultConfigPath = origDefaultConfigPath
-		profilemanager.ConfigDirOverride = ""
-	})
-
-	currUser, err := user.Current()
-	require.NoError(t, err)
-
-	profName = "test-profile-mdm"
-	cfgPath = filepath.Join(tempDir, profName+".json")
-
-	_, err = profilemanager.UpdateOrCreateConfig(profilemanager.ConfigInput{
-		ConfigPath:    cfgPath,
-		ManagementURL: "https://api.netbird.io:443",
-	})
-	require.NoError(t, err)
-
-	pm := profilemanager.ServiceManager{}
-	require.NoError(t, pm.SetActiveProfileState(&profilemanager.ActiveProfileState{
-		Name:     profName,
-		Username: currUser.Username,
-	}))
-
-	ctx = context.Background()
-	s = New(ctx, "console", "", false, false, false, false)
-	return s, ctx, profName, currUser.Username, cfgPath
-}
-
-// extractViolation pulls the MDMManagedFieldsViolation detail from a
-// FailedPrecondition error. Fails the test if absent or malformed.
-func extractViolation(t *testing.T, err error) *proto.MDMManagedFieldsViolation {
-	t.Helper()
-	require.Error(t, err)
-	st, ok := gstatus.FromError(err)
-	require.True(t, ok, "error must be a gRPC status: %v", err)
-	require.Equal(t, codes.FailedPrecondition, st.Code(), "expected FailedPrecondition, got %s", st.Code())
-	for _, d := range st.Details() {
-		if v, ok := d.(*proto.MDMManagedFieldsViolation); ok {
-			return v
-		}
-	}
-	t.Fatalf("MDMManagedFieldsViolation detail not found on status; details: %v", st.Details())
-	return nil
-}
-
-func TestSetConfig_MDMReject_SingleField(t *testing.T) {
-	withMDMPolicy(t, mdm.NewPolicy(map[string]any{
-		mdm.KeyManagementURL: "https://mdm.example.com:443",
-	}))
-
-	s, ctx, profName, username, _ := setupServerWithProfile(t)
-
-	_, err := s.SetConfig(ctx, &proto.SetConfigRequest{
-		ProfileName:   profName,
-		Username:      username,
-		ManagementUrl: "https://user.tried.this.com:443",
-	})
-
-	v := extractViolation(t, err)
-	assert.Equal(t, []string{mdm.KeyManagementURL}, v.GetFields())
-}
-
-func TestSetConfig_MDMReject_MultipleFields(t *testing.T) {
-	withMDMPolicy(t, mdm.NewPolicy(map[string]any{
-		mdm.KeyManagementURL:     "https://mdm.example.com:443",
-		mdm.KeyBlockInbound:      true,
-		mdm.KeyRosenpassEnabled:  true,
-	}))
-
-	s, ctx, profName, username, _ := setupServerWithProfile(t)
-
-	blockInbound := false
-	rosenpassEnabled := false
-	_, err := s.SetConfig(ctx, &proto.SetConfigRequest{
-		ProfileName:      profName,
-		Username:         username,
-		ManagementUrl:    "https://user.tried.this.com:443",
-		BlockInbound:     &blockInbound,
-		RosenpassEnabled: &rosenpassEnabled,
-	})
-
-	v := extractViolation(t, err)
-	assert.ElementsMatch(t, []string{
-		mdm.KeyManagementURL,
-		mdm.KeyBlockInbound,
-		mdm.KeyRosenpassEnabled,
-	}, v.GetFields())
-}
-
-func TestSetConfig_MDMReject_AllOrNothing(t *testing.T) {
-	// MDM enforces ManagementURL only; user request touches both the
-	// enforced field AND a non-enforced field (RosenpassEnabled).
-	// The whole request must be rejected — non-conflicting fields are not
-	// applied either.
-	withMDMPolicy(t, mdm.NewPolicy(map[string]any{
-		mdm.KeyManagementURL: "https://mdm.example.com:443",
-	}))
-
-	s, ctx, profName, username, cfgPath := setupServerWithProfile(t)
-
-	rosenpassEnabled := true
-	_, err := s.SetConfig(ctx, &proto.SetConfigRequest{
-		ProfileName:      profName,
-		Username:         username,
-		ManagementUrl:    "https://user.tried.this.com:443",
-		RosenpassEnabled: &rosenpassEnabled,
-	})
-
-	v := extractViolation(t, err)
-	assert.Equal(t, []string{mdm.KeyManagementURL}, v.GetFields())
-
-	// Confirm RosenpassEnabled was NOT applied even though it was not
-	// in the conflict list: the request was rejected as a whole.
-	reloaded, err := profilemanager.GetConfig(cfgPath)
-	require.NoError(t, err)
-	assert.False(t, reloaded.RosenpassEnabled, "non-conflicting field must not be applied when request is rejected")
-}
-
-func TestSetConfig_MDMAllow_NonManagedFields(t *testing.T) {
-	// MDM enforces ManagementURL but the user only writes RosenpassEnabled.
-	// Request must succeed.
-	withMDMPolicy(t, mdm.NewPolicy(map[string]any{
-		mdm.KeyManagementURL: "https://mdm.example.com:443",
-	}))
-
-	s, ctx, profName, username, _ := setupServerWithProfile(t)
-
-	rosenpassEnabled := true
-	resp, err := s.SetConfig(ctx, &proto.SetConfigRequest{
-		ProfileName:      profName,
-		Username:         username,
-		RosenpassEnabled: &rosenpassEnabled,
-	})
-
-	require.NoError(t, err)
-	require.NotNil(t, resp)
-}
-
-func TestSetConfig_MDMEmpty_NoEnforcement(t *testing.T) {
-	// No MDM policy active: any field can be written.
-	withMDMPolicy(t, mdm.NewPolicy(nil))
-
-	s, ctx, profName, username, _ := setupServerWithProfile(t)
-
-	resp, err := s.SetConfig(ctx, &proto.SetConfigRequest{
-		ProfileName:   profName,
-		Username:      username,
-		ManagementUrl: "https://user.changed.url.com:443",
-	})
-
-	require.NoError(t, err)
-	require.NotNil(t, resp)
-}

client/ui/.claude/settings.local.json

@@ -1,8 +0,0 @@
-{
-  "permissions": {
-    "allow": [
-      "Bash(gh api *)",
-      "Bash(wails3 generate *)"
-    ]
-  }
-}

client/ui/CLAUDE.md

@@ -7,10 +7,9 @@ This is the Wails v3 desktop UI for NetBird. Go services live in `services/`; th
 ## Layout
 
 ### Go (top-level package `main`)
-- `main.go` — app entry. Builds the shared gRPC `Conn`, constructs services, registers them with Wails, creates the main webview window, then starts (in order) the Linux SNI watcher → tray → `peers.Watch` → `app.Run`. CLI flags: `--daemon-addr`, `--log-file` (repeatable; default is **empty** so "no flag" is distinguishable from explicit `--log-file console` — when empty `parseFlagsAndInitLog` falls back to `console` for `InitLog` and returns `userSetLogFile=false`), `--log-level` (`trace|debug|info|warn|error`, default `info`). See "GUI debug logging" below for what `userSetLogFile` gates.
+- `main.go` — app entry. Builds the shared gRPC `Conn`, constructs services, registers them with Wails, creates the main webview window, then starts (in order) the Linux SNI watcher → tray → `peers.Watch` → `app.Run`. CLI flags: `--daemon-addr`, `--log-file` (repeatable; first user-provided value drops the seeded `console` default), `--log-level` (`trace|debug|info|warn|error`, default `info`).
 - `tray.go` — `Tray` struct + menu. Subscribes to `EventStatus`, `EventSystem`, `EventUpdateAvailable`, `EventUpdateProgress`. Owns per-status icon/dot, Profiles submenu, Connect/Disconnect swap, About → Update, session-expired toast.
-- **Tray menu updates go through `relayoutMenu` (whole-tree rebuild), never in-place submenu mutation.** Any dynamic menu change — status-text transitions (`tray_status.go applyStatus`, which also folds in daemon-version and session-deadline changes into one aggregated relayout per push), Profiles submenu (`tray_profiles.go loadProfiles` → caches rows under `profilesMu`, then `fillProfileSubmenu`), Exit Node submenu (`tray_exitnodes.go refreshExitNodes` → `fillExitNodeSubmenu`), and the About → Update row (`tray_update.go applyState` → `onMenuChange` callback) — rebuilds the entire menu via `Tray.relayoutMenu` (`buildMenu()` + repaint cached state + single `t.tray.SetMenu`). Serialised by `menuMu`. **Why:** on KDE/Plasma the StatusNotifierItem host caches a submenu's layout the first time it's opened (`GetLayout` for that submenu id) and never re-fetches it on a `LayoutUpdated(parent=0)` signal — so the old `submenu.Clear()`+`Add()` left both the visible rows AND the click→id mapping frozen on the first snapshot. Because `Clear()`+`Add()` allocates fresh monotonic item ids each time (Wails `menuitem.go`), clicks then sent ids the rebuilt `itemMap` no longer knew, and silently no-op'd ("Manage Profiles" stopped responding after the first switch). `buildMenu()` allocates a brand-new submenu container id each relayout, which Plasma treats as unseen and re-queries on next open — fixing both the stale paint and the dead clicks. Confirmed via `dbus-monitor`: a re-opened submenu issued no `GetLayout` until its container id changed. The whole-tree `SetMenu` also subsumes the older darwin detached-NSMenu workaround. `fill*Submenu` helpers are pure UI (read caches, no daemon fetch, no `SetMenu`) so `relayoutMenu` never recurses back into the fetchers.
-- **Tray concurrency model (menuMu domain).** Wails dispatches `Event.On` listeners and menu `OnClick` callbacks on **fresh goroutines** (so `applyStatus` runs are concurrent with each other and with relayouts), and Wails `MenuItem` setters are not goroutine-safe. Hence `t.menu` and every `*Item`/`*Submenu` field on `Tray` are `menuMu`-owned: `buildMenu` reassigns them all on each relayout, and repaints happen from the caches inside `relayoutMenu` (caches are committed *before* the menu is touched, which makes a write on an orphaned pre-relayout item self-healing). Two sanctioned out-of-lock accesses: the Connect/Disconnect `OnClick` closures capture their own item, and `refreshSessionExpiresLabel` (30s ticker) snapshots `sessionExpiresItem` under `menuMu`. `relayoutMenu` is the **only post-startup `tray.SetMenu` call site** — never push a menu pointer snapshotted outside `menuMu` (it can reinstall a stale tree); `applyStatusIndicator` is `SetBitmap`-only, the relayout's trailing `SetMenu` is what repaints the macOS dot. Tray code never runs on the OS main thread, so taking `menuMu` from any goroutine can't deadlock the setters' `dispatch_sync`/`InvokeSync`.
+- **Tray menu updates go through `relayoutMenu` (whole-tree rebuild), never in-place submenu mutation.** Any dynamic menu change — Profiles submenu (`tray_profiles.go loadProfiles` → caches rows under `profilesMu`, then `fillProfileSubmenu`), Exit Node submenu (`tray_exitnodes.go refreshExitNodes` → `fillExitNodeSubmenu`), daemon-version row (`tray_status.go`), and the About → Update row (`tray_update.go applyState` → `onMenuChange` callback) — rebuilds the entire menu via `Tray.relayoutMenu` (`buildMenu()` + repaint cached state + single `t.tray.SetMenu`). Serialised by `menuMu`. **Why:** on KDE/Plasma the StatusNotifierItem host caches a submenu's layout the first time it's opened (`GetLayout` for that submenu id) and never re-fetches it on a `LayoutUpdated(parent=0)` signal — so the old `submenu.Clear()`+`Add()` left both the visible rows AND the click→id mapping frozen on the first snapshot. Because `Clear()`+`Add()` allocates fresh monotonic item ids each time (Wails `menuitem.go`), clicks then sent ids the rebuilt `itemMap` no longer knew, and silently no-op'd ("Manage Profiles" stopped responding after the first switch). `buildMenu()` allocates a brand-new submenu container id each relayout, which Plasma treats as unseen and re-queries on next open — fixing both the stale paint and the dead clicks. Confirmed via `dbus-monitor`: a re-opened submenu issued no `GetLayout` until its container id changed. The whole-tree `SetMenu` also subsumes the older darwin detached-NSMenu workaround. `fill*Submenu` helpers are pure UI (read caches, no daemon fetch, no `SetMenu`) so `relayoutMenu` never recurses back into the fetchers.
 - `tray_linux.go` — `init()` sets `WEBKIT_DISABLE_DMABUF_RENDERER=1` (blank-white window on VMs / minimal WMs) and `WEBKIT_DISABLE_COMPOSITING_MODE=1` (Intel/Mesa SIGSEGV in `g_application_run` via unimplemented DRM-format-modifier paths — DMABUF-disable alone doesn't cover the GL compositor). Both are skipped if the user already set the var. Also `WEBKIT_DISABLE_SANDBOX_THIS_IS_DANGEROUS=1` when unprivileged userns are blocked.
 - `tray_watcher_linux.go`, `xembed_host_linux.go`, `xembed_tray_linux.{c,h}` — in-process SNI watcher + XEmbed bridge for minimal WMs. See `LINUX-TRAY.md`.
 - `signal_unix.go` / `signal_windows.go` — `listenForShowSignal`. Unix uses SIGUSR1; Windows uses a named event `Global\NetBirdQuickActionsTriggerEvent`. Mirrors the legacy Fyne UI's external-trigger contract so the installer / CLI keep working.
@@ -36,7 +35,7 @@ All services live in `services/` and assume a build tag `!android && !ios && !fr
 | `Peers` | `peers.go` | Daemon status snapshot + two long-running streams (`SubscribeStatus` → `EventStatus`, `SubscribeEvents` → `EventSystem`). Emits synthetic `StatusDaemonUnavailable` when the socket is unreachable. Owns the profile-switch suppression filter (`BeginProfileSwitch` / `CancelProfileSwitch` / `shouldSuppress`). Fan-outs update metadata into dedicated `EventUpdateAvailable` / `EventUpdateProgress` events. |
 | `Networks` | `network.go` | `List` / `Select` / `Deselect` of routed networks. |
 | `Forwarding` | `forwarding.go` | `List` exposed/forwarded services from the daemon's reverse-proxy table. |
-| `Debug` | `debug.go` | `Bundle` (debug bundle creation + optional upload) / `Get|SetLogLevel` / `RegisterUILog` (report the GUI log path to the daemon for bundle collection) / `RevealFile` (cross-platform "show in file manager"). |
+| `Debug` | `debug.go` | `Bundle` (debug bundle creation + optional upload) / `Get|SetLogLevel` / `RevealFile` (cross-platform "show in file manager"). |
 | `Update` | `update.go` | `GetState` / `Trigger` (enforced installer) / `GetInstallerResult` / `Quit`. The install-progress UI lives in its own auxiliary window (`/#/dialog/install-progress`), opened by `WindowManager.OpenInstallProgress` — the daemon goes unreachable mid-install so it can't be inside the main window. |
 | `WindowManager` | `windowmanager.go` | `OpenSettings(tab)` / `OpenBrowserLogin(uri)` / `CloseBrowserLogin` / `OpenSessionExpiration(seconds)` / `CloseSessionExpiration` / `OpenInstallProgress(version)` / `CloseInstallProgress` / `OpenWelcome` / `CloseWelcome` / `OpenError(title, message)` / `CloseError` / `OpenMain`. `OpenSettings("")` opens the General tab; pass a tab id (e.g. `"profiles"`) to deep-link, encoded as `?tab=…` in the start URL. `OpenInstallProgress` is `AlwaysOnTop` and hides every other visible window for the duration of the install (restored on close). `OpenMain` is the handoff path from the welcome window to the main UI (avoids depending on the tray). Auxiliary windows are created on first open and **destroyed** on close (Wails-recommended singleton pattern; prevents the macOS dock-reopen from resurrecting hidden windows). |
 | `I18n` | `i18n.go` | Thin facade over `i18n.Bundle`. `Languages()` returns the shipped locales (`_index.json`); `Bundle(code)` returns the full key→text map for one language so the React layer can drive its own translation library. |
@@ -51,17 +50,6 @@ All services live in `services/` and assume a build tag `!android && !ios && !fr
 - Pinned versions (see `daemon.pb.go` header): `protoc v7.34.1`, `protoc-gen-go v1.36.6`. CI's `proto-version-check` workflow fails on mismatch.
 - After proto regen, also regen Wails bindings so the TS layer picks up new fields.
 
-## GUI debug logging
-
-When the daemon is put into **debug**/**trace** level, the GUI automatically writes a rotated `gui-client.log` in `os.UserConfigDir()/netbird/` and the daemon's **debug bundle** collects it. Pieces:
-
-- **`uilogpath.go`** (package `main`) — `uiLogPath()` resolves the path; `newDebugLog(userSetLogFile)` builds the `guilog.DebugLog` (disabled when the user passed `--log-file`, or when the config dir can't be resolved).
-- **`guilog/debuglog.go` — `guilog.DebugLog`** (own package, **not** a Wails service — no React binding) — owns the file-logging side effects. `Apply(level)`: on debug/trace attaches `gui-client.log` alongside the console (via `util.SetLogOutputs`, MultiWriter, rotated by timberjack like the daemon log) and raises the logrus level; on a higher level detaches the file and restores `info`. Idempotent (`fileOn` guard) so the startup replay + a racing change-event are harmless. The `gui-client.log` is left on disk on quit (rotated by timberjack) for the debug bundle — there's no shutdown cleanup. `Path()` returns "" when disabled so the daemon won't try to collect a file the GUI never writes.
-- **Activation rule:** any `--log-file` (even `console`) is a manual override → the controller is disabled and never touches logging. Only the *absence* of `--log-file` enables the daemon-driven `gui-client.log`. This is why `parseFlagsAndInitLog` seeds the flag default empty (Layout note above).
-- **Level signalling — no new stream.** The daemon publishes a **marked `SystemEvent`** (`metadata[proto.MetadataKindKey]==proto.MetadataKindLogLevelChanged`, `metadata[proto.MetadataLevelKey]==<logrus name>`) on the existing `SubscribeEvents` stream. `DaemonFeed.dispatchSystemEvent` recognises the marker and routes it to the controller's `Apply` instead of an OS toast (same pattern as `proto.MetadataKindProfileListChanged`). The controller is injected into `NewDaemonFeed` (a `services.LogController` interface — no exported setter, so the Wails-bound `DaemonFeed` gains no binding), and `DaemonFeed` **re-registers the UI log path** (`RegisterUILog` RPC) on every event-stream (re)connect, so a daemon restart re-learns it. Startup case (daemon already in debug) is covered daemon-side: `Server.SubscribeEvents` (`client/server/event.go`) sends the current level once to each new subscriber; `SetLogLevel` publishes on change (`publishLogLevelChanged` in `client/server/server.go`). The metadata key/value markers live in `client/proto/metadata.go` so producer (daemon) and consumer (UI) share one definition.
-- **Daemon side of the bundle:** `Server.RegisterUILog` stores the path in `Server.uiLogPath`; `DebugBundle` passes it to `debug.GeneratorDependencies.UILogPath`; `BundleGenerator.addUILog` adds `gui-client.log` + rotated siblings (`addRotatedLogFiles(dir, "gui-client")` — the glob is prefix-parametrised so it doesn't collide with the daemon's own `client*.log.*`). Missing file is non-fatal (the GUI only writes it while in debug).
-- **JS-side logs/errors** already reach the same logrus pipeline via `frontend/src/lib/logs.ts` → `services.UILog.Log`, so once the file is attached, frontend console/`unhandledrejection`/`error` output is captured too. Go-side uncaught-goroutine panics go to stderr only (out of scope).
-
 ## Events bus
 
 `main.go` registers five typed events for the frontend: `netbird:status` (`Status`), `netbird:event` (`SystemEvent`), `netbird:profile:changed` (`ProfileRef`), `netbird:update:available` (`UpdateAvailable`), `netbird:update:progress` (`UpdateProgress`). `netbird:profile:changed` fires from `ProfileSwitcher.SwitchActive` after a successful daemon-side switch — both the React `ProfileContext` and the tray subscribe so a flip driven from one surface paints in the others (the daemon itself does not emit a profile event). Plus three plain-string events:

client/ui/build/linux/nfpm/nfpm.yaml

@@ -28,7 +28,6 @@ contents:
 depends:
   - libgtk-4-1
   - libwebkitgtk-6.0-4
-  - xdg-utils
 
 # Distribution-specific overrides for different package formats
 overrides:
@@ -37,14 +36,12 @@ overrides:
     depends:
       - gtk4
       - webkitgtk6.0
-      - xdg-utils
 
   # Arch Linux packages
   archlinux:
     depends:
       - gtk4
       - webkitgtk-6.0
-      - xdg-utils
 
 # scripts section to ensure desktop database is updated after install
 scripts:

client/ui/frontend/CLAUDE.md

@@ -70,7 +70,7 @@ Page-specific chrome and providers live in the page, not the layout:
   - `session/` — `SessionExpirationDialog.tsx`.
   - `auto-update/` — `UpdateInProgressDialog.tsx`, `UpdateBadge.tsx`, `UpdateVersionCard.tsx`. Context in `contexts/ClientVersionContext.tsx`.
   - `error/` — `ErrorDialog.tsx`.
-- `contexts/` — every React context as a flat file: `StatusContext`, `ProfileContext`, `DebugBundleContext`, `ClientVersionContext`, `SettingsContext`, `MdmContext`, `NetworksContext`, `PeerDetailContext`, `ViewModeContext`, `NavSectionContext`, `DialogContext`. Mental model: "where is the X context? `contexts/XContext.tsx`."
+- `contexts/` — every React context as a flat file: `StatusContext`, `ProfileContext`, `DebugBundleContext`, `ClientVersionContext`, `SettingsContext`, `NetworksContext`, `PeerDetailContext`, `ViewModeContext`, `NavSectionContext`, `DialogContext`. Mental model: "where is the X context? `contexts/XContext.tsx`."
 - `components/` — presentational primitives, no daemon RPCs, no router:
   - `buttons/` — `Button`, `IconButton`.
   - `inputs/` — `Input`, `SearchInput`.
@@ -79,7 +79,7 @@ Page-specific chrome and providers live in the page, not the layout:
   - `typography/` — `Label`, `HelpText`.
   - `empty-state/` — `EmptyState`, `NoResults`, `NotConnectedState`, `DaemonUnavailableOverlay`.
   - Flat at root: `Badge`, `CopyToClipboard`, `DropdownMenu`, `SquareIcon`, `Tooltip`, `TruncatedText`, `VerticalTabs`, `LanguagePicker`, `ManagementServerSwitch`.
-- `hooks/` — `useAutoSizeWindow.ts` (auto-size + `Window.Show` for auxiliary dialogs), `useKeyboardShortcut.ts`, `useManagementUrl.ts` (management-URL helpers: `CLOUD_MANAGEMENT_URL`, `isValidManagementUrl`, `normalizeManagementUrl`, `isNetbirdCloud`, `checkManagementUrlReachable`).
+- `hooks/` — `useAutoSizeWindow.ts` (auto-size + `Window.Show` for auxiliary dialogs), `useKeyboardShortcut.ts`, `useManagementUrl.ts` (management-URL helpers: `CLOUD_MANAGEMENT_URL`, `isValidManagementUrl`, `normalizeManagementUrl`, `isCloudManagementUrl`, `checkManagementUrlReachable`).
 - `lib/` — pure utilities (no JSX, no React state): `cn.ts`, `errors.ts` (`formatErrorMessage` + the `errorDialog({Title, Message})` window wrapper), `formatters.ts` (byte/latency/relative-time + `shortenDns`), `sorting.ts` (`reconcileOrder` — order-preserving list reconciliation shared by the peers/networks/profiles lists), `i18n.ts`, `logs.ts` (forwards console + uncaught errors to the Go log pipeline), `platform.ts` (`isMacOS`/`isWindows`), `welcome.ts`.
 - `assets/` — fonts, logos, flags.
 
@@ -106,7 +106,6 @@ State that crosses screens/windows lives in context, each provider mounted exact
 - **`useStatus`** (`StatusContext`) — `{ status, error, refresh, isReady, isDaemonAvailable, isDaemonUnavailable }`. Owns the single `DaemonFeed.Get` + `netbird:status` subscription and the daemon gate (see Layouts). `refresh()` after Connect/Disconnect to dodge a few hundred ms of event-stream lag.
 - **`ProfileContext`** — `username`, `activeProfile`, `profiles`, plus `refresh` / `switchProfile` / `addProfile` / `removeProfile` / `logoutProfile`. `switchProfile` delegates to `ProfileSwitcher.SwitchActive` (the Go-side single source of truth — drives the optimistic-Connecting paint and `Peers` suppression). The other methods are thin wrappers over `Profiles.*` / `Connection.Logout` + a `refresh()`.
 - **`SettingsContext`** — `setField` / `saveField` / `saveFields` / `saveNow` over `Settings.GetConfig|SetConfig` with 400ms debounce. Renders `<SettingsSkeleton/>` while `config === null`. **PSK mask quirk:** `GetConfig` returns existing PSKs as `"**********"`; sending the mask back round-trips it into storage and `wgtypes.ParseKey` fails on the next connect — `save` drops the field when it equals the mask.
-- **`MdmContext`** — `useMdm()` returns `config.managedFields` as `Record<string, boolean>`, **keyed by the daemon's `mdm.Key*` names exactly as written in the policy source** (`managementURL`, `allowServerSSH`, `preSharedKey`, `wireguardPort`, `rosenpassEnabled`/`Permissive`, `disableClientRoutes`/`disableServerRoutes`, `disableAutoConnect`, `blockInbound`). No GUI-side renaming — what the Group Policy admin writes is what the lookup key is. Mounted in `AppLayout` (under `ProfileProvider`); fetches `Settings.GetConfig` once, re-fetches on the daemon's `netbird:event` `metadata.type=config_changed` push so policy flips paint live. No second copy of the locked *values* — MDM is a global override, so the active profile's resolved `useSettings().config.<field>` already carries the MDM-enforced value. Consumers: Settings tabs hide individual toggles/sections (both rosenpass keys managed ⇒ whole encryption section hidden); `SettingsNavigation` + `SettingsPage` hide the SSH tab when `managed.allowServerSSH` is set and bounce `active="ssh"` back to General; `ProfileCreationModal` skips the Cloud/self-hosted picker when `managed.managementURL` is set and submits the resolved URL verbatim; `WelcomeDialog` reads `config.managedFields.managementURL` directly (sits outside `AppLayout`) to skip the management step on a fresh install.
 - **`DebugBundleContext`** — stages `idle → preparing-trace → reconnecting → capturing → restoring-level → bundling → uploading → done`. Cancellable via `AbortController` at any stage; cancel restores the original log level best-effort. Upload URL is the hardcoded `NETBIRD_UPLOAD_URL`.
 - **`ClientVersionContext`** — seeds from `Update.GetState()`, subscribes to `netbird:update:state`; exposes `{ updateAvailable, updateVersion, enforced, installing, triggerUpdate, updating }`. Three branches:
   1. `available && !enforced` — download-only; `UpdateVersionCard` → opens GitHub releases.

client/ui/frontend/src/components/typography/HelpText.tsx

@@ -5,15 +5,13 @@ type Props = {
     children?: ReactNode;
     margin?: boolean;
     className?: string;
-    disabled?: boolean;
 };
 
-export const HelpText = ({ children, margin = true, className, disabled = false }: Props) => (
+export const HelpText = ({ children, margin = true, className }: Props) => (
     <span
         className={cn(
-            "text-[.81rem] dark:text-nb-gray-300 block font-light tracking-wide transition-all duration-300",
+            "text-[.81rem] dark:text-nb-gray-300 block font-light tracking-wide",
             margin && "mb-2",
-            disabled && "opacity-30 pointer-events-none",
             className,
         )}
     >

client/ui/frontend/src/components/typography/Label.tsx

@@ -10,19 +10,13 @@ const labelVariants = cva(
 type LabelProps = ComponentPropsWithoutRef<typeof LabelPrimitive.Root> &
     VariantProps<typeof labelVariants> & {
         as?: "label" | "div";
-        disabled?: boolean;
     };
 
 export const Label = forwardRef<HTMLElement, LabelProps>(function Label(
-    { className, as = "label", disabled = false, children, ...props },
+    { className, as = "label", children, ...props },
     ref,
 ) {
-    const classes = cn(
-        labelVariants(),
-        className,
-        "select-none transition-all duration-300",
-        disabled && "opacity-30 pointer-events-none",
-    );
+    const classes = cn(labelVariants(), className, "select-none");
 
     if (as === "div") {
         return (

client/ui/frontend/src/contexts/DebugBundleContext.tsx

@@ -1,18 +1,13 @@
-import { createContext, useContext, useEffect, useRef, useState, type ReactNode } from "react";
+import { createContext, useContext, useRef, useState, type ReactNode } from "react";
 import { Connection as ConnectionSvc, Debug as DebugSvc } from "@bindings/services";
 import type { DebugBundleResult } from "@bindings/services/models.js";
 import i18next from "@/lib/i18n";
 import { errorDialog, formatErrorMessage } from "@/lib/errors.ts";
-import { startConnection } from "@/lib/connection.ts";
+import { useProfile } from "@/contexts/ProfileContext.tsx";
 
 const NETBIRD_UPLOAD_URL = "https://upload.debug.netbird.io/upload-url";
 const TRACE_LOG_FILE_COUNT = 5;
 const PLAIN_LOG_FILE_COUNT = 1;
-// Lowercase logrus level name sent to Debug.SetLogLevel (the Go binding
-// upper-cases before the proto enum lookup). Raising to trace is what drives
-// the daemon's verbose logging and the GUI's gui-client.log during a bundle.
-const TRACE_LOG_LEVEL = "trace";
-const DEFAULT_LOG_LEVEL = "info";
 
 export type DebugStage =
     | { kind: "idle" }
@@ -56,21 +51,14 @@ const setLogLevelBestEffort = async (level: string) => {
     }
 };
 
-const stopCaptureBestEffort = async () => {
-    try {
-        await DebugSvc.StopBundleCapture();
-    } catch {
-        // empty
-    }
-};
-
 type LevelState = { original: string; raised: boolean };
-type CaptureState = { started: boolean };
 
-const raiseToTrace = async (
+const runTracePhase = async (
     signal: AbortSignal,
     level: LevelState,
     setStage: (s: DebugStage) => void,
+    target: { profileName: string; username: string },
+    traceMinutes: number,
 ) => {
     setStage({ kind: "preparing-trace" });
     try {
@@ -80,11 +68,9 @@ const raiseToTrace = async (
         // empty
     }
     throwIfAborted(signal);
-    await DebugSvc.SetLogLevel({ level: TRACE_LOG_LEVEL });
+    await DebugSvc.SetLogLevel({ level: "trace" });
     level.raised = true;
-};
 
-const cycleConnection = async (signal: AbortSignal, setStage: (s: DebugStage) => void) => {
     throwIfAborted(signal);
     setStage({ kind: "reconnecting" });
     try {
@@ -93,10 +79,14 @@ const cycleConnection = async (signal: AbortSignal, setStage: (s: DebugStage) =>
         // empty
     }
     throwIfAborted(signal);
-    await startConnection(undefined, signal);
-};
+    await ConnectionSvc.Up(target);
+
+    const totalSec = Math.max(1, Math.min(30, traceMinutes)) * 60;
+    for (let remaining = totalSec; remaining > 0; remaining--) {
+        setStage({ kind: "capturing", remainingSec: remaining, totalSec });
+        await sleep(1000, signal);
+    }
 
-const restoreLogLevel = async (level: LevelState, setStage: (s: DebugStage) => void) => {
     setStage({ kind: "restoring-level" });
     try {
         await DebugSvc.SetLogLevel({ level: level.original });
@@ -106,35 +96,17 @@ const restoreLogLevel = async (level: LevelState, setStage: (s: DebugStage) => v
     }
 };
 
-const waitCaptureWindow = async (
-    signal: AbortSignal,
-    setStage: (s: DebugStage) => void,
-    totalSec: number,
-) => {
-    for (let remaining = totalSec; remaining > 0; remaining--) {
-        setStage({ kind: "capturing", remainingSec: remaining, totalSec });
-        await sleep(1000, signal);
-    }
-};
-
 const useDebugBundle = () => {
+    const { activeProfile, username } = useProfile();
     const [anonymize, setAnonymize] = useState(false);
     const [systemInfo, setSystemInfo] = useState(true);
     const [upload, setUpload] = useState(true);
-    const [trace, setTrace] = useState(true);
-    const [capture, setCapture] = useState(false);
+    const [trace, setTrace] = useState(false);
     const [traceMinutes, setTraceMinutes] = useState(1);
-    const [capturePackets, setCapturePackets] = useState(true);
     const [stage, setStage] = useState<DebugStage>({ kind: "idle" });
     const [lastBundlePath, setLastBundlePath] = useState<string>("");
     const abortRef = useRef<AbortController | null>(null);
 
-    useEffect(() => {
-        return () => {
-            abortRef.current?.abort();
-        };
-    }, []);
-
     const isRunning = stage.kind !== "idle" && stage.kind !== "done";
 
     const reset = () => setStage({ kind: "idle" });
@@ -151,44 +123,17 @@ const useDebugBundle = () => {
         const signal = ctrl.signal;
 
         const uploadUrl = upload ? NETBIRD_UPLOAD_URL : "";
-        const level: LevelState = { original: DEFAULT_LOG_LEVEL, raised: false };
-        const pcap: CaptureState = { started: false };
-        const totalSec = Math.max(1, Math.min(30, traceMinutes)) * 60;
-        const hasWindow = capture && totalSec > 0;
+        const level: LevelState = { original: "info", raised: false };
 
         try {
             if (trace) {
-                await raiseToTrace(signal, level, setStage);
-            }
-            throwIfAborted(signal);
-
-            if (capture) {
-                await cycleConnection(signal, setStage);
-            }
-            throwIfAborted(signal);
-
-            if (hasWindow && capturePackets) {
-                try {
-                    // Mirror the CLI's safety margin: window + 30s, server caps at 10m.
-                    await DebugSvc.StartBundleCapture(totalSec + 30);
-                    pcap.started = true;
-                } catch {
-                    // empty
-                }
-            }
-            throwIfAborted(signal);
-
-            if (hasWindow) {
-                await waitCaptureWindow(signal, setStage, totalSec);
-            }
-
-            if (pcap.started) {
-                await stopCaptureBestEffort();
-                pcap.started = false;
-            }
-
-            if (level.raised) {
-                await restoreLogLevel(level, setStage);
+                await runTracePhase(
+                    signal,
+                    level,
+                    setStage,
+                    { profileName: activeProfile, username },
+                    traceMinutes,
+                );
             }
 
             throwIfAborted(signal);
@@ -211,13 +156,10 @@ const useDebugBundle = () => {
             });
         } catch (e) {
             if (isAbort(e)) {
-                setStage({ kind: "cancelling" });
-                if (pcap.started) await stopCaptureBestEffort();
                 if (level.raised) await setLogLevelBestEffort(level.original);
                 setStage({ kind: "idle" });
                 return;
             }
-            if (pcap.started) await stopCaptureBestEffort();
             setStage({ kind: "idle" });
             await errorDialog({
                 Title: i18next.t("settings.error.debugBundleTitle"),
@@ -244,12 +186,8 @@ const useDebugBundle = () => {
         setUpload,
         trace,
         setTrace,
-        capture,
-        setCapture,
         traceMinutes,
         setTraceMinutes,
-        capturePackets,
-        setCapturePackets,
         stage,
         isRunning,
         lastBundlePath,

client/ui/frontend/src/contexts/RestrictionsContext.tsx

@@ -1,45 +0,0 @@
-import { createContext, useContext, useEffect, useState, type ReactNode } from "react";
-import { Events } from "@wailsio/runtime";
-import { Settings as SettingsSvc } from "@bindings/services";
-import { Restrictions } from "@bindings/services/models.js";
-
-const EVENT_SYSTEM = "netbird:event";
-const EMPTY = new Restrictions();
-
-const RestrictionsContext = createContext<Restrictions>(EMPTY);
-
-export const useRestrictions = () => useContext(RestrictionsContext);
-
-export const RestrictionsProvider = ({ children }: { children: ReactNode }) => {
-    const [restrictions, setRestrictions] = useState<Restrictions>(EMPTY);
-
-    useEffect(() => {
-        let cancelled = false;
-
-        const refresh = async () => {
-            try {
-                const r = await SettingsSvc.GetRestrictions();
-                if (!cancelled) setRestrictions(r);
-            } catch (e) {
-                console.error("[RestrictionsContext] refresh failed", e);
-            }
-        };
-
-        refresh();
-
-        const off = Events.On(
-            EVENT_SYSTEM,
-            (e: { data?: { metadata?: { [k: string]: string | undefined } } }) => {
-                if (e.data?.metadata?.type === "config_changed") refresh();
-            },
-        );
-        return () => {
-            cancelled = true;
-            off();
-        };
-    }, []);
-
-    return (
-        <RestrictionsContext.Provider value={restrictions}>{children}</RestrictionsContext.Provider>
-    );
-};

client/ui/frontend/src/contexts/SettingsContext.tsx

@@ -26,10 +26,7 @@ type SettingsContextValue = {
     guiVersion: string;
     setField: <K extends keyof Config>(k: K, v: Config[K]) => void;
     saveField: <K extends keyof Config>(k: K, v: Config[K]) => Promise<void>;
-    // opts.preSharedKey carries a new PSK to write. Config no longer exposes the
-    // PSK value (only preSharedKeySet), so it rides alongside the Config fields
-    // here and is sent only when non-empty.
-    saveFields: (partial: Partial<Config>, opts?: { preSharedKey?: string }) => Promise<void>;
+    saveFields: (partial: Partial<Config>) => Promise<void>;
     saveNow: () => Promise<void>;
 };
 
@@ -57,41 +54,28 @@ export const useAutostartSetting = () => {
     return ctx;
 };
 
-type LoadedConfig = { profileName: string; data: Config };
-
 const useSettingsState = () => {
     const { username, activeProfile, loaded: profileLoaded } = useProfile();
-    const [loaded, setLoaded] = useState<LoadedConfig | null>(null);
+    const [config, setConfig] = useState<Config | null>(null);
     const [guiVersion, setGuiVersion] = useState<string>("—");
     const saveTimer = useRef<ReturnType<typeof setTimeout> | null>(null);
-    const loadedRef = useRef<LoadedConfig | null>(null);
-
-    useEffect(() => {
-        loadedRef.current = loaded;
-    }, [loaded]);
 
     useEffect(() => {
         if (!profileLoaded || !activeProfile) return;
-        let cancelled = false;
         (async () => {
             try {
-                const data = await SettingsSvc.GetConfig({
+                const c = await SettingsSvc.GetConfig({
                     profileName: activeProfile,
                     username,
                 });
-                if (cancelled) return;
-                setLoaded({ profileName: activeProfile, data });
+                setConfig(c);
             } catch (e) {
-                if (cancelled) return;
                 await errorDialog({
                     Title: i18next.t("settings.error.loadTitle"),
                     Message: errorMessage(e),
                 });
             }
         })();
-        return () => {
-            cancelled = true;
-        };
     }, [profileLoaded, activeProfile, username]);
 
     useEffect(() => {
@@ -112,15 +96,14 @@ const useSettingsState = () => {
     );
 
     const save = useCallback(
-        async (profileName: string, next: Config, preSharedKey?: string) => {
+        async (next: Config) => {
+            // Sending the "**********" PSK mask back corrupts the stored PSK (wgtypes.ParseKey fails next connect).
+            const { preSharedKey, ...rest } = next;
             try {
                 await SettingsSvc.SetConfig({
-                    ...next,
-                    // The daemon never returns the PSK value (only preSharedKeySet),
-                    // so send one only when the user actually typed a new key; an
-                    // empty field means "leave unchanged", never "clear".
-                    ...(preSharedKey ? { preSharedKey } : {}),
-                    profileName,
+                    ...rest,
+                    ...(preSharedKey === "**********" ? {} : { preSharedKey }),
+                    profileName: activeProfile,
                     username,
                 });
             } catch (e) {
@@ -130,65 +113,62 @@ const useSettingsState = () => {
                 });
             }
         },
-        [username],
+        [activeProfile, username],
     );
 
     const setField = useCallback(
         <K extends keyof Config>(k: K, v: Config[K]) => {
-            const cur = loadedRef.current;
-            if (!cur) return;
-            const next: LoadedConfig = {
-                profileName: cur.profileName,
-                data: { ...cur.data, [k]: v },
-            };
-            loadedRef.current = next;
-            setLoaded(next);
-            if (saveTimer.current) clearTimeout(saveTimer.current);
-            saveTimer.current = setTimeout(() => {
-                save(next.profileName, next.data).catch(logSaveError);
-            }, SAVE_DEBOUNCE_MS);
+            setConfig((c) => {
+                if (!c) return c;
+                const next = { ...c, [k]: v };
+                if (saveTimer.current) clearTimeout(saveTimer.current);
+                saveTimer.current = setTimeout(() => {
+                    save(next).catch(logSaveError);
+                }, SAVE_DEBOUNCE_MS);
+                return next;
+            });
         },
         [save],
     );
 
     const saveNow = useCallback(async () => {
-        if (!loaded) return;
+        if (!config) return;
         if (saveTimer.current) {
             clearTimeout(saveTimer.current);
             saveTimer.current = null;
         }
-        await save(loaded.profileName, loaded.data);
-    }, [loaded, save]);
+        await save(config);
+    }, [config, save]);
 
     const saveField = useCallback(
         async <K extends keyof Config>(k: K, v: Config[K]) => {
-            if (!loaded) return;
+            if (!config) return;
             if (saveTimer.current) {
                 clearTimeout(saveTimer.current);
                 saveTimer.current = null;
             }
-            const next = { ...loaded.data, [k]: v };
-            setLoaded({ profileName: loaded.profileName, data: next });
-            await save(loaded.profileName, next);
+            const next = { ...config, [k]: v };
+            setConfig(next);
+            await save(next);
         },
-        [loaded, save],
+        [config, save],
     );
 
     const saveFields = useCallback(
-        async (partial: Partial<Config>, opts?: { preSharedKey?: string }) => {
-            if (!loaded) return;
+        async (partial: Partial<Config>) => {
+            if (!config) return;
             if (saveTimer.current) {
                 clearTimeout(saveTimer.current);
                 saveTimer.current = null;
             }
-            const next = { ...loaded.data, ...partial };
-            setLoaded({ profileName: loaded.profileName, data: next });
-            await save(loaded.profileName, next, opts?.preSharedKey);
+            const next = { ...config, ...partial };
+            setConfig(next);
+            await save(next);
         },
-        [loaded, save],
+        [config, save],
     );
 
-    return { config: loaded?.data ?? null, guiVersion, setField, saveField, saveFields, saveNow };
+    return { config, guiVersion, setField, saveField, saveFields, saveNow };
 };
 
 export const SettingsProvider = ({ children }: { children: ReactNode }) => {

client/ui/frontend/src/hooks/useManagementUrl.ts

@@ -4,15 +4,6 @@ import { useSettings } from "@/contexts/SettingsContext.tsx";
 import { useConfirm } from "@/contexts/DialogContext.tsx";
 
 export const CLOUD_MANAGEMENT_URL = "https://api.netbird.io:443";
-const CLOUD_MANAGEMENT_URLS = new Set([
-    CLOUD_MANAGEMENT_URL,
-    "https://api.wiretrustee.com:443", // legacy cloud endpoint
-]);
-
-export function isNetbirdCloud(url: string): boolean {
-    if (!url || url.trim() === "") return true;
-    return CLOUD_MANAGEMENT_URLS.has(url);
-}
 
 // Matches http(s)://host[:port][/path][?query][#fragment]; host = domain, localhost, or IPv4.
 // Syntactic validation only — reachability is checked via checkManagementUrlReachable.
@@ -39,6 +30,11 @@ export function isValidManagementUrl(input: string): boolean {
     return URL_PATTERN.test(trimmed);
 }
 
+export function isCloudManagementUrl(url: string): boolean {
+    if (!url || url.trim() === "") return true;
+    return url === CLOUD_MANAGEMENT_URL;
+}
+
 // Can false-negative for self-hosted behind internal DNS / self-signed certs — treat as a soft warning, not a hard block.
 export async function checkManagementUrlReachable(
     url: string,
@@ -64,7 +60,7 @@ export enum ManagementMode {
 }
 
 function modeFromUrl(url: string): ManagementMode {
-    return isNetbirdCloud(url) ? ManagementMode.Cloud : ManagementMode.SelfHosted;
+    return url === CLOUD_MANAGEMENT_URL ? ManagementMode.Cloud : ManagementMode.SelfHosted;
 }
 
 export function useManagementUrl() {
@@ -73,14 +69,14 @@ export function useManagementUrl() {
     const { config, saveField } = useSettings();
     const [modeState, setModeState] = useState<ManagementMode>(modeFromUrl(config.managementUrl));
     const [url, setUrl] = useState(
-        isNetbirdCloud(config.managementUrl) ? "" : config.managementUrl,
+        config.managementUrl === CLOUD_MANAGEMENT_URL ? "" : config.managementUrl,
     );
     const [checking, setChecking] = useState(false);
     const [unreachable, setUnreachable] = useState(false);
 
     useEffect(() => {
         setModeState(modeFromUrl(config.managementUrl));
-        if (!isNetbirdCloud(config.managementUrl)) {
+        if (config.managementUrl !== CLOUD_MANAGEMENT_URL) {
             setUrl(config.managementUrl);
         }
     }, [config.managementUrl]);
@@ -90,7 +86,7 @@ export function useManagementUrl() {
     }, [url, modeState]);
 
     const setMode = async (next: ManagementMode) => {
-        if (next === ManagementMode.Cloud && !isNetbirdCloud(config.managementUrl)) {
+        if (next === ManagementMode.Cloud && config.managementUrl !== CLOUD_MANAGEMENT_URL) {
             const ok = await confirm({
                 title: t("settings.general.management.switchCloudTitle"),
                 description: t("settings.general.management.switchCloudMessage"),

client/ui/frontend/src/layouts/AppLayout.tsx

@@ -4,7 +4,6 @@ import { StatusProvider } from "@/contexts/StatusContext.tsx";
 import { DebugBundleProvider } from "@/contexts/DebugBundleContext.tsx";
 import { ProfileProvider } from "@/contexts/ProfileContext.tsx";
 import { DialogProvider } from "@/contexts/DialogContext.tsx";
-import { RestrictionsProvider } from "@/contexts/RestrictionsContext.tsx";
 
 export const AppLayout = () => {
     return (
@@ -12,13 +11,11 @@ export const AppLayout = () => {
             <DialogProvider>
                 <StatusProvider>
                     <ProfileProvider>
-                        <RestrictionsProvider>
-                            <DebugBundleProvider>
-                                <ClientVersionProvider>
-                                    <Outlet />
-                                </ClientVersionProvider>
-                            </DebugBundleProvider>
-                        </RestrictionsProvider>
+                        <DebugBundleProvider>
+                            <ClientVersionProvider>
+                                <Outlet />
+                            </ClientVersionProvider>
+                        </DebugBundleProvider>
                     </ProfileProvider>
                 </StatusProvider>
             </DialogProvider>

client/ui/frontend/src/lib/connection.ts

@@ -1,112 +0,0 @@
-import { Events } from "@wailsio/runtime";
-import { Connection, WindowManager } from "@bindings/services";
-import i18next from "@/lib/i18n";
-import { errorDialog, formatErrorMessage } from "@/lib/errors.ts";
-
-export const EVENT_BROWSER_LOGIN_CANCEL = "browser-login:cancel";
-export const EVENT_TRIGGER_LOGIN = "trigger-login";
-
-let connectionInFlight = false;
-
-export async function startConnection(onSettled?: () => void, signal?: AbortSignal): Promise<void> {
-    if (connectionInFlight) {
-        onSettled?.();
-        return;
-    }
-    if (signal?.aborted) {
-        onSettled?.();
-        return;
-    }
-    connectionInFlight = true;
-
-    let cancelled = false;
-    let offCancel: (() => void) | undefined;
-    let offSignal: (() => void) | undefined;
-    let connectError: unknown;
-
-    try {
-        const result = await Connection.Login({
-            profileName: "",
-            username: "",
-            managementUrl: "",
-            setupKey: "",
-            preSharedKey: "",
-            hostname: "",
-            hint: "",
-        });
-
-        if (signal?.aborted) cancelled = true;
-
-        if (!cancelled && result.needsSsoLogin) {
-            const uri = result.verificationUriComplete || result.verificationUri;
-            if (uri) {
-                try {
-                    await WindowManager.OpenBrowserLogin(uri);
-                } catch (e) {
-                    console.error(e);
-                }
-            }
-
-            const cancelPromise = new Promise<void>((resolve) => {
-                offCancel = Events.On(EVENT_BROWSER_LOGIN_CANCEL, () => {
-                    cancelled = true;
-                    resolve();
-                });
-                if (signal) {
-                    const onAbort = () => {
-                        cancelled = true;
-                        resolve();
-                    };
-                    if (signal.aborted) {
-                        onAbort();
-                    } else {
-                        signal.addEventListener("abort", onAbort);
-                        offSignal = () => signal.removeEventListener("abort", onAbort);
-                    }
-                }
-            });
-
-            const waitPromise = Connection.WaitSSOLogin({
-                userCode: result.userCode,
-                hostname: "",
-            });
-
-            try {
-                await Promise.race([waitPromise, cancelPromise]);
-            } finally {
-                WindowManager.CloseBrowserLogin().catch(console.error);
-            }
-
-            if (cancelled) {
-                waitPromise.cancel?.();
-                waitPromise.catch(() => {});
-            }
-        }
-
-        if (!cancelled && signal?.aborted) cancelled = true;
-
-        if (!cancelled) {
-            await Connection.Up({ profileName: "", username: "" });
-        }
-    } catch (e) {
-        WindowManager.CloseBrowserLogin().catch(console.error);
-        if (!cancelled) connectError = e;
-    } finally {
-        offCancel?.();
-        offSignal?.();
-        connectionInFlight = false;
-        onSettled?.();
-    }
-
-    if (connectError !== undefined) {
-        await errorDialog({
-            Title: i18next.t("connect.error.loginTitle"),
-            Message: formatErrorMessage(connectError),
-        });
-        return;
-    }
-
-    if (cancelled && signal) {
-        throw new DOMException("aborted", "AbortError");
-    }
-}

client/ui/frontend/src/modules/auto-update/UpdateInProgressDialog.tsx

@@ -144,7 +144,7 @@ export default function UpdateInProgressDialog() {
 
 function mapInstallError(msg: string): Phase {
     const m = msg.trim().toLowerCase();
-    if (m === "") return { kind: "failed", message: "" };
+    if (m === "") return { kind: "failed", message: "unknown update error" };
     if (m.includes("deadline exceeded") || m.includes("timeout") || m.includes("timed out")) {
         return { kind: "timeout" };
     }

client/ui/frontend/src/modules/main/MainConnectionStatusSwitch.tsx

@@ -2,16 +2,12 @@ import { useCallback, useEffect, useMemo, useRef, useState } from "react";
 import { useTranslation } from "react-i18next";
 import { Events } from "@wailsio/runtime";
 import { Connection, WindowManager } from "@bindings/services";
+import i18next from "@/lib/i18n";
 import { ToggleSwitch } from "@/components/switches/ToggleSwitch.tsx";
 import { useStatus } from "@/contexts/StatusContext.tsx";
 import { useProfile } from "@/contexts/ProfileContext.tsx";
 import { cn } from "@/lib/cn.ts";
 import { errorDialog, formatErrorMessage } from "@/lib/errors.ts";
-import {
-    startConnection,
-    EVENT_BROWSER_LOGIN_CANCEL,
-    EVENT_TRIGGER_LOGIN,
-} from "@/lib/connection.ts";
 import { CopyToClipboard } from "@/components/CopyToClipboard";
 import { TruncatedText } from "@/components/TruncatedText";
 import { shortenDns } from "@/lib/formatters";
@@ -20,6 +16,89 @@ import { Check as CheckIcon, ChevronDownIcon, Copy as CopyIcon } from "lucide-re
 import * as Popover from "@radix-ui/react-popover";
 import netbirdFullLogo from "@/assets/logos/netbird-full.svg";
 
+const EVENT_BROWSER_LOGIN_CANCEL = "browser-login:cancel";
+
+const EVENT_TRIGGER_LOGIN = "trigger-login";
+
+let loginInFlight = false;
+
+// onSettled (re-arm guards) must fire before the error dialog, never gated on it:
+// a hanging dialog would silently drop every later login until restart.
+async function startLogin(onSettled?: () => void): Promise<void> {
+    if (loginInFlight) {
+        onSettled?.();
+        return;
+    }
+    loginInFlight = true;
+
+    let cancelled = false;
+    let offCancel: (() => void) | undefined;
+    let loginError: unknown;
+
+    try {
+        const result = await Connection.Login({
+            profileName: "",
+            username: "",
+            managementUrl: "",
+            setupKey: "",
+            preSharedKey: "",
+            hostname: "",
+            hint: "",
+        });
+
+        if (result.needsSsoLogin) {
+            const uri = result.verificationUriComplete || result.verificationUri;
+            if (uri) {
+                try {
+                    await WindowManager.OpenBrowserLogin(uri);
+                } catch (e) {
+                    console.error(e);
+                }
+            }
+
+            const cancelPromise = new Promise<void>((resolve) => {
+                offCancel = Events.On(EVENT_BROWSER_LOGIN_CANCEL, () => {
+                    cancelled = true;
+                    resolve();
+                });
+            });
+
+            const waitPromise = Connection.WaitSSOLogin({
+                userCode: result.userCode,
+                hostname: "",
+            });
+
+            try {
+                await Promise.race([waitPromise, cancelPromise]);
+            } finally {
+                WindowManager.CloseBrowserLogin().catch(console.error);
+            }
+
+            if (cancelled) {
+                waitPromise.cancel?.();
+                waitPromise.catch(() => {});
+                return;
+            }
+        }
+
+        await Connection.Up({ profileName: "", username: "" });
+    } catch (e) {
+        WindowManager.CloseBrowserLogin().catch(console.error);
+        if (!cancelled) loginError = e;
+    } finally {
+        offCancel?.();
+        loginInFlight = false;
+        onSettled?.();
+    }
+
+    if (loginError !== undefined) {
+        await errorDialog({
+            Title: i18next.t("connect.error.loginTitle"),
+            Message: formatErrorMessage(loginError),
+        });
+    }
+}
+
 enum ConnectionState {
     Disconnected = "disconnected",
     Connecting = "connecting",
@@ -57,7 +136,7 @@ export const MainConnectionStatusSwitch = () => {
         if (loginGuard.current) return;
         loginGuard.current = true;
         setAction("logging-in");
-        void startConnection(() => {
+        void startLogin(() => {
             loginGuard.current = false;
             setAction(null);
             refresh().catch((err: unknown) => console.error("refresh after login failed", err));

client/ui/frontend/src/modules/main/MainHeader.tsx

@@ -24,7 +24,6 @@ import { useClientVersion } from "@/contexts/ClientVersionContext";
 import { cn } from "@/lib/cn";
 import { formatShortcut, useKeyboardShortcut } from "@/hooks/useKeyboardShortcut";
 import { useViewMode, type ViewMode } from "@/contexts/ViewModeContext";
-import { useRestrictions } from "@/contexts/RestrictionsContext";
 import { isWindows } from "@/lib/platform.ts";
 
 const SETTINGS_SHORTCUT = { key: ",", cmd: true } as const;
@@ -34,7 +33,6 @@ export const MainHeader = () => {
     const [menuOpen, setMenuOpen] = useState(false);
     const { viewMode, setViewMode } = useViewMode();
     const { updateAvailable } = useClientVersion();
-    const { mdm, features } = useRestrictions();
 
     const openSettings = useCallback(() => {
         setMenuOpen(false);
@@ -57,9 +55,7 @@ export const MainHeader = () => {
         setViewMode(mode);
     };
 
-    const profileSlot = features.disableProfiles ? null : (
-        <ProfileDropdown onManageProfiles={openManageProfiles} />
-    );
+    const profileSlot = <ProfileDropdown onManageProfiles={openManageProfiles} />;
 
     const settingsSlot = (
         <div className={"relative"}>
@@ -98,23 +94,19 @@ export const MainHeader = () => {
                             </DropdownMenuShortcut>
                         </div>
                     </DropdownMenuItem>
-                    {!mdm.disableAdvancedView && (
-                        <>
-                            <DropdownMenuSeparator />
-                            <ViewModeItem
-                                icon={RectangleVertical}
-                                label={t("header.menu.defaultView")}
-                                selected={viewMode === "default"}
-                                onSelect={() => selectMode("default")}
-                            />
-                            <ViewModeItem
-                                icon={PanelsRightBottom}
-                                label={t("header.menu.advancedView")}
-                                selected={viewMode === "advanced"}
-                                onSelect={() => selectMode("advanced")}
-                            />
-                        </>
-                    )}
+                    <DropdownMenuSeparator />
+                    <ViewModeItem
+                        icon={RectangleVertical}
+                        label={t("header.menu.defaultView")}
+                        selected={viewMode === "default"}
+                        onSelect={() => selectMode("default")}
+                    />
+                    <ViewModeItem
+                        icon={PanelsRightBottom}
+                        label={t("header.menu.advancedView")}
+                        selected={viewMode === "advanced"}
+                        onSelect={() => selectMode("advanced")}
+                    />
                 </DropdownMenuContent>
             </DropdownMenu>
             {updateAvailable && (

client/ui/frontend/src/modules/main/MainPage.tsx

@@ -5,15 +5,13 @@ import { AppRightPanel } from "@/layouts/AppRightPanel.tsx";
 import { Navigation } from "@/modules/main/advanced/Navigation.tsx";
 import { cn } from "@/lib/cn";
 import { NavSectionProvider, useNavSection } from "@/contexts/NavSectionContext";
-import { ViewModeProvider, useViewMode } from "@/contexts/ViewModeContext";
-import { useEffect } from "react";
+import { ViewModeProvider } from "@/contexts/ViewModeContext";
 import { NotConnectedState } from "@/components/empty-state/NotConnectedState";
 import { useStatus } from "@/contexts/StatusContext";
 import { Peers } from "@/modules/main/advanced/peers/Peers";
 import { Networks } from "@/modules/main/advanced/networks/Networks";
 import { NetworksProvider } from "@/contexts/NetworksContext";
 import { PeerDetailProvider, usePeerDetail } from "@/contexts/PeerDetailContext";
-import { useRestrictions } from "@/contexts/RestrictionsContext";
 import { PeerDetailPanel } from "@/modules/main/advanced/peers/PeerDetailPanel";
 import { isWindows } from "@/lib/platform.ts";
 
@@ -31,18 +29,6 @@ export const MainPage = () => {
 };
 
 const MainBody = () => {
-    const { viewMode, setViewMode } = useViewMode();
-    const { mdm, features } = useRestrictions();
-
-    // Force flip the view if mdm changed it
-    useEffect(() => {
-        if (mdm.disableAdvancedView && viewMode === "advanced") {
-            setViewMode("default");
-        }
-    }, [mdm.disableAdvancedView, viewMode, setViewMode]);
-
-    const isAdvanced = viewMode === "advanced";
-
     return (
         <div className={"wails-draggable flex flex-1 min-h-0"}>
             {/* Windows narrower width compensates for the OS frame Wails counts differently than macOS.
@@ -54,17 +40,13 @@ const MainBody = () => {
                 )}
             >
                 <MainConnectionStatusSwitch />
-                {!features.disableNetworks && (
-                    <div className={"absolute left-5 right-5 bottom-5 wails-no-draggable"}>
-                        <MainExitNodeSwitcher />
-                    </div>
-                )}
+                <div className={"absolute left-5 right-5 bottom-5 wails-no-draggable"}>
+                    <MainExitNodeSwitcher />
+                </div>
             </div>
-            {isAdvanced && (
-                <NavSectionProvider>
-                    <AdvancedAppRightPanel />
-                </NavSectionProvider>
-            )}
+            <NavSectionProvider>
+                <AdvancedAppRightPanel />
+            </NavSectionProvider>
         </div>
     );
 };

client/ui/frontend/src/modules/main/advanced/Navigation.tsx

@@ -4,8 +4,6 @@ import { Layers3Icon, LucideProps, MonitorSmartphoneIcon } from "lucide-react";
 import { cn } from "@/lib/cn";
 import { useNavSection, type NavSection } from "@/contexts/NavSectionContext";
 import { useStatus } from "@/contexts/StatusContext";
-import { useRestrictions } from "@/contexts/RestrictionsContext";
-import { useEffect } from "react";
 
 type TabEntry = {
     value: NavSection;
@@ -17,30 +15,20 @@ export const Navigation = () => {
     const { t } = useTranslation();
     const { section, setSection } = useNavSection();
     const { status } = useStatus();
-    const { features } = useRestrictions();
     const isConnected = status?.status === "Connected";
 
-    // Reset back to peers tab if mdm or feature flag flipped it
-    useEffect(() => {
-        if (features.disableNetworks && section === "networks") {
-            setSection("peers");
-        }
-    }, [features.disableNetworks, section, setSection]);
-
     const tabs: TabEntry[] = [
         {
             value: "peers",
             label: t("nav.peers.title"),
             icon: MonitorSmartphoneIcon,
         },
-    ];
-    if (!features.disableNetworks) {
-        tabs.push({
+        {
             value: "networks",
             label: t("nav.resources.title"),
             icon: Layers3Icon,
-        });
-    }
+        },
+    ];
 
     return (
         <div className={"wails-no-draggable shrink-0 flex items-stretch "}>

client/ui/frontend/src/modules/profiles/ProfileCreationModal.tsx

@@ -14,7 +14,6 @@ import {
     isValidManagementUrl,
     normalizeManagementUrl,
 } from "@/hooks/useManagementUrl";
-import { useRestrictions } from "@/contexts/RestrictionsContext.tsx";
 
 type Props = {
     open: boolean;
@@ -32,8 +31,6 @@ const sanitizeProfileInput = (value: string): string =>
 
 export const ProfileCreationModal = ({ open, onOpenChange, onCreate }: Props) => {
     const { t } = useTranslation();
-    const { mdm } = useRestrictions();
-    const managedManagementUrl = mdm.managementURL;
     const [name, setName] = useState("");
     const [nameError, setNameError] = useState<string | null>(null);
     const nameRef = useRef<HTMLInputElement>(null);
@@ -73,12 +70,6 @@ export const ProfileCreationModal = ({ open, onOpenChange, onCreate }: Props) =>
             return;
         }
 
-        if (managedManagementUrl) {
-            onCreate(sanitized, managedManagementUrl);
-            onOpenChange(false);
-            return;
-        }
-
         if (mode === ManagementMode.Cloud) {
             onCreate(sanitized, CLOUD_MANAGEMENT_URL);
             onOpenChange(false);
@@ -154,41 +145,35 @@ export const ProfileCreationModal = ({ open, onOpenChange, onCreate }: Props) =>
                             />
                         </div>
 
-                        {!managedManagementUrl && (
-                            <div className="flex flex-col gap-2">
-                                <div className={"pl-1"}>
-                                    <Label as={"div"} className={"mb-0.5"}>
-                                        {t("settings.general.management.label")}
-                                    </Label>
-                                    <HelpText margin={false}>
-                                        {t("profile.dialog.managementHelp")}
-                                    </HelpText>
-                                </div>
-                                <div className="flex flex-col gap-3">
-                                    <ManagementServerSwitch
-                                        value={mode}
-                                        onChange={setMode}
-                                        fullWidth
-                                    />
-                                    {mode === ManagementMode.SelfHosted && (
-                                        <Input
-                                            ref={urlRef}
-                                            autoFocus
-                                            placeholder={t(
-                                                "settings.general.management.urlPlaceholder",
-                                            )}
-                                            value={url}
-                                            onChange={(e) => setUrl(e.target.value)}
-                                            error={urlInputError}
-                                            warning={urlInputWarning}
-                                            spellCheck={false}
-                                            autoComplete="off"
-                                            autoCapitalize="off"
-                                        />
-                                    )}
-                                </div>
+                        <div className="flex flex-col gap-2">
+                            <div className={"pl-1"}>
+                                <Label as={"div"} className={"mb-0.5"}>
+                                    {t("settings.general.management.label")}
+                                </Label>
+                                <HelpText margin={false}>
+                                    {t("profile.dialog.managementHelp")}
+                                </HelpText>
                             </div>
-                        )}
+                            <div className="flex flex-col gap-3">
+                                <ManagementServerSwitch value={mode} onChange={setMode} fullWidth />
+                                {mode === ManagementMode.SelfHosted && (
+                                    <Input
+                                        ref={urlRef}
+                                        autoFocus
+                                        placeholder={t(
+                                            "settings.general.management.urlPlaceholder",
+                                        )}
+                                        value={url}
+                                        onChange={(e) => setUrl(e.target.value)}
+                                        error={urlInputError}
+                                        warning={urlInputWarning}
+                                        spellCheck={false}
+                                        autoComplete="off"
+                                        autoCapitalize="off"
+                                    />
+                                )}
+                            </div>
+                        </div>
 
                         <DialogActions className={"flex-row items-center justify-end gap-2.5 pt-2"}>
                             <Button

client/ui/frontend/src/modules/profiles/ProfilesTab.tsx

@@ -13,7 +13,7 @@ import { useProfile } from "@/contexts/ProfileContext";
 import { useConfirm } from "@/contexts/DialogContext";
 import { Settings as SettingsSvc } from "@bindings/services";
 import { SetConfigParams } from "@bindings/services/models.js";
-import { isNetbirdCloud } from "@/hooks/useManagementUrl.ts";
+import { CLOUD_MANAGEMENT_URL } from "@/hooks/useManagementUrl.ts";
 import { SectionGroup, SettingsBottomBar } from "@/modules/settings/SettingsSection.tsx";
 import { cn } from "@/lib/cn";
 import { reconcileOrder } from "@/lib/sorting";
@@ -108,7 +108,7 @@ export function ProfilesTab() {
             await addProfile(name);
             // SetConfig is keyed by profile name, so it writes the not-yet-active
             // profile. Write before switching so any reconnect targets the right deployment.
-            if (!isNetbirdCloud(managementUrl)) {
+            if (managementUrl !== CLOUD_MANAGEMENT_URL) {
                 await SettingsSvc.SetConfig(
                     new SetConfigParams({ profileName: name, username, managementUrl }),
                 );

client/ui/frontend/src/modules/settings/SettingsAdvanced.tsx

@@ -7,7 +7,6 @@ import { Input } from "@/components/inputs/Input";
 import { Label } from "@/components/typography/Label";
 import { SectionGroup, SettingsBottomBar } from "@/modules/settings/SettingsSection.tsx";
 import { useSettings } from "@/contexts/SettingsContext.tsx";
-import { useRestrictions } from "@/contexts/RestrictionsContext.tsx";
 
 // macOS daemon/CLI only accept utun<N> (Darwin parses digits as the utun unit); Linux caps at IFNAMSIZ-1 = 15 chars.
 const IS_MAC = System.IsMac();
@@ -15,27 +14,25 @@ const INTERFACE_NAME_RE = IS_MAC ? /^utun\d+$/ : /^[A-Za-z0-9._-]{1,15}$/;
 const INTERFACE_NAME_ERROR_KEY = IS_MAC
     ? "settings.advanced.interfaceName.errorMac"
     : "settings.advanced.interfaceName.error";
-
 // Port 0 lets the daemon pick a random free port.
 const PORT_MIN = 0;
 const PORT_MAX = 65535;
-
 // Mirrors client/iface/iface.go MinMTU / MaxMTU.
 const MTU_MIN = 576;
 const MTU_MAX = 8192;
+// GetConfig returns existing PSKs as this mask; revealing it would only show the asterisks.
+const PSK_MASK = "**********";
 
 export function SettingsAdvanced() {
     const { t } = useTranslation();
     const { config, saveFields } = useSettings();
-    const { mdm } = useRestrictions();
 
     const [values, setValues] = useState({
         interfaceName: config.interfaceName,
         wireguardPort: config.wireguardPort,
         mtu: config.mtu,
+        preSharedKey: config.preSharedKey,
     });
-
-    const [psk, setPsk] = useState("");
     const [saving, setSaving] = useState(false);
 
     useEffect(() => {
@@ -43,9 +40,9 @@ export function SettingsAdvanced() {
             interfaceName: config.interfaceName,
             wireguardPort: config.wireguardPort,
             mtu: config.mtu,
+            preSharedKey: config.preSharedKey,
         });
-        setPsk("");
-    }, [config.interfaceName, config.wireguardPort, config.mtu, config.preSharedKeySet]);
+    }, [config.interfaceName, config.wireguardPort, config.mtu, config.preSharedKey]);
 
     const errors = useMemo(() => {
         const out: { interfaceName?: string; wireguardPort?: string; mtu?: string } = {};
@@ -68,22 +65,18 @@ export function SettingsAdvanced() {
         return out;
     }, [values.interfaceName, values.wireguardPort, values.mtu, t]);
 
-    const filteredErrors = mdm.wireguardPort ? { ...errors, wireguardPort: undefined } : errors;
-    const hasErrors = Object.values(filteredErrors).some((v) => v !== undefined);
+    const hasErrors = Object.keys(errors).length > 0;
     const hasChanges =
         values.interfaceName !== config.interfaceName ||
-        (!mdm.wireguardPort && values.wireguardPort !== config.wireguardPort) ||
+        values.wireguardPort !== config.wireguardPort ||
         values.mtu !== config.mtu ||
-        (!mdm.preSharedKey && psk !== "");
+        values.preSharedKey !== config.preSharedKey;
 
     const handleSave = async () => {
         if (!hasChanges || saving || hasErrors) return;
         setSaving(true);
         try {
-            const partial: typeof values = { ...values };
-            if (mdm.wireguardPort) partial.wireguardPort = config.wireguardPort;
-            const pskOpts = !mdm.preSharedKey && psk ? { preSharedKey: psk } : undefined;
-            await saveFields(partial, pskOpts);
+            await saveFields(values);
         } finally {
             setSaving(false);
         }
@@ -98,28 +91,24 @@ export function SettingsAdvanced() {
                     error={errors.interfaceName}
                     onChange={(e) => setValues((v) => ({ ...v, interfaceName: e.target.value }))}
                 />
-                <div className={mdm.wireguardPort ? "" : "grid grid-cols-2 gap-4"}>
-                    {!mdm.wireguardPort && (
-                        <div>
-                            <Input
-                                label={t("settings.advanced.port.label")}
-                                type={"number"}
-                                min={PORT_MIN}
-                                max={PORT_MAX}
-                                value={values.wireguardPort}
-                                error={errors.wireguardPort}
-                                onChange={(e) =>
-                                    setValues((v) => ({
-                                        ...v,
-                                        wireguardPort: Number(e.target.value),
-                                    }))
-                                }
-                            />
-                            <HelpText className={"mt-1.5"}>
-                                {t("settings.advanced.port.help")}
-                            </HelpText>
-                        </div>
-                    )}
+                <div className={"grid grid-cols-2 gap-4"}>
+                    <div>
+                        <Input
+                            label={t("settings.advanced.port.label")}
+                            type={"number"}
+                            min={PORT_MIN}
+                            max={PORT_MAX}
+                            value={values.wireguardPort}
+                            error={errors.wireguardPort}
+                            onChange={(e) =>
+                                setValues((v) => ({
+                                    ...v,
+                                    wireguardPort: Number(e.target.value),
+                                }))
+                            }
+                        />
+                        <HelpText className={"mt-1.5"}>{t("settings.advanced.port.help")}</HelpText>
+                    </div>
                     <Input
                         label={t("settings.advanced.mtu.label")}
                         type={"number"}
@@ -132,25 +121,19 @@ export function SettingsAdvanced() {
                 </div>
             </SectionGroup>
 
-            {!mdm.preSharedKey && (
-                <SectionGroup title={t("settings.advanced.section.security")}>
-                    <div>
-                        <Label as={"div"}>{t("settings.advanced.psk.label")}</Label>
-                        <HelpText>{t("settings.advanced.psk.help")}</HelpText>
-                        <Input
-                            type={"password"}
-                            showPasswordToggle={psk !== ""}
-                            placeholder={
-                                config.preSharedKeySet
-                                    ? t("settings.advanced.psk.configured")
-                                    : "kQv0qF3oQpJYdgD5mC9hL7sB2xZ8nT4eU6wY1aR3jK0="
-                            }
-                            value={psk}
-                            onChange={(e) => setPsk(e.target.value)}
-                        />
-                    </div>
-                </SectionGroup>
-            )}
+            <SectionGroup title={t("settings.advanced.section.security")}>
+                <div>
+                    <Label as={"div"}>{t("settings.advanced.psk.label")}</Label>
+                    <HelpText>{t("settings.advanced.psk.help")}</HelpText>
+                    <Input
+                        type={"password"}
+                        showPasswordToggle={values.preSharedKey !== PSK_MASK}
+                        placeholder={"kQv0qF3oQpJYdgD5mC9hL7sB2xZ8nT4eU6wY1aR3jK0="}
+                        value={values.preSharedKey}
+                        onChange={(e) => setValues((v) => ({ ...v, preSharedKey: e.target.value }))}
+                    />
+                </div>
+            </SectionGroup>
 
             <SettingsBottomBar>
                 <Button

client/ui/frontend/src/modules/settings/SettingsGeneral.tsx

@@ -10,7 +10,6 @@ import { useAutostartSetting, useSettings } from "@/contexts/SettingsContext.tsx
 import { ManagementServerSwitch } from "@/components/ManagementServerSwitch.tsx";
 import { ManagementMode, useManagementUrl } from "@/hooks/useManagementUrl.ts";
 import { LanguagePicker } from "@/components/LanguagePicker.tsx";
-import { useRestrictions } from "@/contexts/RestrictionsContext.tsx";
 
 export function SettingsGeneral() {
     const { t } = useTranslation();
@@ -18,7 +17,6 @@ export function SettingsGeneral() {
     const { autostart, setAutostartEnabled } = useAutostartSetting();
     const { mode, setMode, setUrl, displayUrl, showError, canSave, save, checking, unreachable } =
         useManagementUrl();
-    const { mdm } = useRestrictions();
 
     const inputRef = useRef<HTMLInputElement>(null);
     const prevMode = useRef(mode);
@@ -39,14 +37,12 @@ export function SettingsGeneral() {
                     label={t("settings.general.notifications.label")}
                     helpText={t("settings.general.notifications.help")}
                 />
-                {!mdm.disableAutoConnect && (
-                    <FancyToggleSwitch
-                        value={!config.disableAutoConnect}
-                        onChange={(v) => setField("disableAutoConnect", !v)}
-                        label={t("settings.general.connectOnStartup.label")}
-                        helpText={t("settings.general.connectOnStartup.help")}
-                    />
-                )}
+                <FancyToggleSwitch
+                    value={!config.disableAutoConnect}
+                    onChange={(v) => setField("disableAutoConnect", !v)}
+                    label={t("settings.general.connectOnStartup.label")}
+                    helpText={t("settings.general.connectOnStartup.help")}
+                />
                 {(autostart === null || autostart.supported) && (
                     <FancyToggleSwitch
                         value={autostart?.enabled ?? false}
@@ -58,48 +54,46 @@ export function SettingsGeneral() {
                 )}
             </SectionGroup>
 
-            {!mdm.managementURL && (
-                <SectionGroup title={t("settings.general.section.connection")}>
-                    <div>
-                        <div className={"flex items-start gap-3"}>
-                            <div className={"flex-1 min-w-0"}>
-                                <Label as={"div"}>{t("settings.general.management.label")}</Label>
-                                <HelpText>{t("settings.general.management.help")}</HelpText>
-                            </div>
-                            <ManagementServerSwitch value={mode} onChange={setMode} />
+            <SectionGroup title={t("settings.general.section.connection")}>
+                <div>
+                    <div className={"flex items-start gap-3"}>
+                        <div className={"flex-1 min-w-0"}>
+                            <Label as={"div"}>{t("settings.general.management.label")}</Label>
+                            <HelpText>{t("settings.general.management.help")}</HelpText>
                         </div>
-                        {mode === ManagementMode.SelfHosted && (
-                            <div className={"flex items-start gap-3 mt-2"}>
-                                <Input
-                                    ref={inputRef}
-                                    value={displayUrl}
-                                    onChange={(e) => setUrl(e.target.value)}
-                                    placeholder={t("settings.general.management.urlPlaceholder")}
-                                    error={
-                                        showError
-                                            ? t("settings.general.management.urlError")
-                                            : undefined
-                                    }
-                                    warning={
-                                        unreachable
-                                            ? t("settings.general.management.urlUnreachable")
-                                            : undefined
-                                    }
-                                />
-                                <Button
-                                    variant={"primary"}
-                                    size={"md"}
-                                    disabled={!canSave}
-                                    loading={checking}
-                                    onClick={() => save()}
-                                >
-                                    {t("common.save")}
-                                </Button>
-                            </div>
-                        )}
+                        <ManagementServerSwitch value={mode} onChange={setMode} />
                     </div>
-                </SectionGroup>
-            )}
+                    {mode === ManagementMode.SelfHosted && (
+                        <div className={"flex items-start gap-3 mt-2"}>
+                            <Input
+                                ref={inputRef}
+                                value={displayUrl}
+                                onChange={(e) => setUrl(e.target.value)}
+                                placeholder={t("settings.general.management.urlPlaceholder")}
+                                error={
+                                    showError
+                                        ? t("settings.general.management.urlError")
+                                        : undefined
+                                }
+                                warning={
+                                    unreachable
+                                        ? t("settings.general.management.urlUnreachable")
+                                        : undefined
+                                }
+                            />
+                            <Button
+                                variant={"primary"}
+                                size={"md"}
+                                disabled={!canSave}
+                                loading={checking}
+                                onClick={() => save()}
+                            >
+                                {t("common.save")}
+                            </Button>
+                        </div>
+                    )}
+                </div>
+            </SectionGroup>
         </>
     );
 }

client/ui/frontend/src/modules/settings/SettingsNavigation.tsx

@@ -3,7 +3,6 @@ import { Tooltip } from "@/components/Tooltip.tsx";
 import { VerticalTabs } from "@/components/VerticalTabs.tsx";
 import { UpdateBadge } from "@/modules/auto-update/UpdateBadge.tsx";
 import { useClientVersion } from "@/contexts/ClientVersionContext.tsx";
-import { useRestrictions } from "@/contexts/RestrictionsContext.tsx";
 import {
     BoltIcon,
     InfoIcon,
@@ -18,7 +17,6 @@ import {
 export const SettingsNavigation = () => {
     const { t } = useTranslation();
     const { updateAvailable } = useClientVersion();
-    const { mdm, features } = useRestrictions();
 
     const aboutAdornment = updateAvailable ? (
         <Tooltip content={t("settings.tabs.updateAvailable")} side={"right"}>
@@ -29,44 +27,36 @@ export const SettingsNavigation = () => {
     return (
         <div className={"flex flex-col w-52 shrink-0 items-center select-none"}>
             <VerticalTabs.List>
-                {!features.disableUpdateSettings && (
-                    <>
-                        <VerticalTabs.Trigger
-                            value={"general"}
-                            icon={SlidersHorizontalIcon}
-                            title={t("settings.tabs.general")}
-                        />
-                        <VerticalTabs.Trigger
-                            value={"network"}
-                            icon={NetworkIcon}
-                            title={t("settings.tabs.network")}
-                        />
-                        <VerticalTabs.Trigger
-                            value={"security"}
-                            icon={ShieldIcon}
-                            title={t("settings.tabs.security")}
-                        />
-                        {!features.disableProfiles && (
-                            <VerticalTabs.Trigger
-                                value={"profiles"}
-                                icon={UserCircleIcon}
-                                title={t("settings.tabs.profiles")}
-                            />
-                        )}
-                        {!mdm.allowServerSSH && (
-                            <VerticalTabs.Trigger
-                                value={"ssh"}
-                                icon={SquareTerminalIcon}
-                                title={t("settings.tabs.ssh")}
-                            />
-                        )}
-                        <VerticalTabs.Trigger
-                            value={"advanced"}
-                            icon={BoltIcon}
-                            title={t("settings.tabs.advanced")}
-                        />
-                    </>
-                )}
+                <VerticalTabs.Trigger
+                    value={"general"}
+                    icon={SlidersHorizontalIcon}
+                    title={t("settings.tabs.general")}
+                />
+                <VerticalTabs.Trigger
+                    value={"network"}
+                    icon={NetworkIcon}
+                    title={t("settings.tabs.network")}
+                />
+                <VerticalTabs.Trigger
+                    value={"security"}
+                    icon={ShieldIcon}
+                    title={t("settings.tabs.security")}
+                />
+                <VerticalTabs.Trigger
+                    value={"profiles"}
+                    icon={UserCircleIcon}
+                    title={t("settings.tabs.profiles")}
+                />
+                <VerticalTabs.Trigger
+                    value={"ssh"}
+                    icon={SquareTerminalIcon}
+                    title={t("settings.tabs.ssh")}
+                />
+                <VerticalTabs.Trigger
+                    value={"advanced"}
+                    icon={BoltIcon}
+                    title={t("settings.tabs.advanced")}
+                />
                 <VerticalTabs.Trigger
                     value={"troubleshooting"}
                     icon={LifeBuoyIcon}

client/ui/frontend/src/modules/settings/SettingsNetwork.tsx

@@ -2,12 +2,10 @@ import { useTranslation } from "react-i18next";
 import FancyToggleSwitch from "@/components/switches/FancyToggleSwitch";
 import { SectionGroup } from "@/modules/settings/SettingsSection.tsx";
 import { useSettings } from "@/contexts/SettingsContext.tsx";
-import { useRestrictions } from "@/contexts/RestrictionsContext.tsx";
 
 export function SettingsNetwork() {
     const { t } = useTranslation();
     const { config, setField } = useSettings();
-    const { mdm } = useRestrictions();
 
     return (
         <>
@@ -33,22 +31,18 @@ export function SettingsNetwork() {
                     label={t("settings.network.dns.label")}
                     helpText={t("settings.network.dns.help")}
                 />
-                {!mdm.disableClientRoutes && (
-                    <FancyToggleSwitch
-                        value={!config.disableClientRoutes}
-                        onChange={(v) => setField("disableClientRoutes", !v)}
-                        label={t("settings.network.clientRoutes.label")}
-                        helpText={t("settings.network.clientRoutes.help")}
-                    />
-                )}
-                {!mdm.disableServerRoutes && (
-                    <FancyToggleSwitch
-                        value={!config.disableServerRoutes}
-                        onChange={(v) => setField("disableServerRoutes", !v)}
-                        label={t("settings.network.serverRoutes.label")}
-                        helpText={t("settings.network.serverRoutes.help")}
-                    />
-                )}
+                <FancyToggleSwitch
+                    value={!config.disableClientRoutes}
+                    onChange={(v) => setField("disableClientRoutes", !v)}
+                    label={t("settings.network.clientRoutes.label")}
+                    helpText={t("settings.network.clientRoutes.help")}
+                />
+                <FancyToggleSwitch
+                    value={!config.disableServerRoutes}
+                    onChange={(v) => setField("disableServerRoutes", !v)}
+                    label={t("settings.network.serverRoutes.label")}
+                    helpText={t("settings.network.serverRoutes.help")}
+                />
                 <FancyToggleSwitch
                     value={!config.disableIpv6}
                     onChange={(v) => setField("disableIpv6", !v)}

client/ui/frontend/src/modules/settings/SettingsPage.tsx

@@ -1,4 +1,4 @@
-import { useEffect, useMemo, useState, type ReactNode } from "react";
+import { useEffect, useState } from "react";
 import { useLocation } from "react-router-dom";
 import { Events } from "@wailsio/runtime";
 import * as ScrollArea from "@radix-ui/react-scroll-area";
@@ -16,54 +16,13 @@ import { SettingsSSH } from "@/modules/settings/SettingsSSH.tsx";
 import { SettingsAdvanced } from "@/modules/settings/SettingsAdvanced.tsx";
 import { SettingsTroubleshooting } from "@/modules/settings/SettingsTroubleshooting.tsx";
 import { SettingsAbout } from "@/modules/settings/SettingsAbout.tsx";
-import { useRestrictions } from "@/contexts/RestrictionsContext.tsx";
 
 const EVENT_SETTINGS_OPEN = "netbird:settings:open";
 
-const enum Tab {
-    General = "general",
-    Network = "network",
-    Security = "security",
-    Profiles = "profiles",
-    SSH = "ssh",
-    Advanced = "advanced",
-    Troubleshooting = "troubleshooting",
-    About = "about",
-}
-
-const TAB_CONTENT: Record<Tab, ReactNode> = {
-    [Tab.General]: <SettingsGeneral />,
-    [Tab.Network]: <SettingsNetwork />,
-    [Tab.Security]: <SettingsSecurity />,
-    [Tab.Profiles]: <ProfilesTab />,
-    [Tab.SSH]: <SettingsSSH />,
-    [Tab.Advanced]: <SettingsAdvanced />,
-    [Tab.Troubleshooting]: <SettingsTroubleshooting />,
-    [Tab.About]: <SettingsAbout />,
-};
-
 export const SettingsPage = () => {
     const location = useLocation();
     const navState = location.state as { tab?: string } | null;
-    const { mdm, features } = useRestrictions();
-
-    const visibleTabs = useMemo<Tab[]>(() => {
-        const editable = !features.disableUpdateSettings;
-        const visibility: Record<Tab, boolean> = {
-            [Tab.General]: editable,
-            [Tab.Network]: editable,
-            [Tab.Security]: editable,
-            [Tab.Profiles]: editable && !features.disableProfiles,
-            [Tab.SSH]: editable && !mdm.allowServerSSH,
-            [Tab.Advanced]: editable,
-            [Tab.Troubleshooting]: true,
-            [Tab.About]: true,
-        };
-        return (Object.keys(visibility) as Tab[]).filter((t) => visibility[t]);
-    }, [features.disableUpdateSettings, features.disableProfiles, mdm.allowServerSSH]);
-
-    const defaultTab = visibleTabs[0];
-    const [active, setActive] = useState<string>(() => navState?.tab ?? defaultTab);
+    const [active, setActive] = useState(() => navState?.tab ?? "general");
 
     useEffect(() => {
         if (navState?.tab) setActive(navState.tab);
@@ -71,14 +30,9 @@ export const SettingsPage = () => {
 
     useEffect(() => {
         return Events.On(EVENT_SETTINGS_OPEN, (e: { data: string }) => {
-            setActive(e.data || defaultTab);
+            setActive(e.data || "general");
         });
-    }, [defaultTab]);
-
-    // Reset active tab if it got disabled by any feature flag or mdm restrictions
-    useEffect(() => {
-        if (!visibleTabs.includes(active as Tab)) setActive(defaultTab);
-    }, [visibleTabs, active, defaultTab]);
+    }, []);
 
     return (
         <>
@@ -98,12 +52,31 @@ export const SettingsPage = () => {
                                 className={"flex-1 min-h-0 overflow-hidden"}
                             >
                                 <ScrollArea.Viewport className={"h-full w-full"}>
-                                    <div className={"py-6 px-7"}>
-                                        {visibleTabs.map((tab) => (
-                                            <VerticalTabs.Content key={tab} value={tab}>
-                                                {TAB_CONTENT[tab]}
-                                            </VerticalTabs.Content>
-                                        ))}
+                                    <div className={"py-8 px-7"}>
+                                        <VerticalTabs.Content value={"general"}>
+                                            <SettingsGeneral />
+                                        </VerticalTabs.Content>
+                                        <VerticalTabs.Content value={"network"}>
+                                            <SettingsNetwork />
+                                        </VerticalTabs.Content>
+                                        <VerticalTabs.Content value={"security"}>
+                                            <SettingsSecurity />
+                                        </VerticalTabs.Content>
+                                        <VerticalTabs.Content value={"profiles"}>
+                                            <ProfilesTab />
+                                        </VerticalTabs.Content>
+                                        <VerticalTabs.Content value={"ssh"}>
+                                            <SettingsSSH />
+                                        </VerticalTabs.Content>
+                                        <VerticalTabs.Content value={"advanced"}>
+                                            <SettingsAdvanced />
+                                        </VerticalTabs.Content>
+                                        <VerticalTabs.Content value={"troubleshooting"}>
+                                            <SettingsTroubleshooting />
+                                        </VerticalTabs.Content>
+                                        <VerticalTabs.Content value={"about"}>
+                                            <SettingsAbout />
+                                        </VerticalTabs.Content>
                                     </div>
                                 </ScrollArea.Viewport>
                                 <ScrollArea.Scrollbar

client/ui/frontend/src/modules/settings/SettingsSection.tsx

@@ -20,7 +20,7 @@ export const SectionGroup = ({
 
 export const SettingsBottomBar = ({ children }: { children: ReactNode }) => (
     <>
-        <div className={"h-[3.2rem] shrink-0"} aria-hidden />
+        <div className={"h-[4rem] shrink-0"} aria-hidden />
         <div className={"absolute bottom-0 left-0 w-full"}>
             <div
                 className={

client/ui/frontend/src/modules/settings/SettingsSecurity.tsx

@@ -2,25 +2,19 @@ import { useTranslation } from "react-i18next";
 import FancyToggleSwitch from "@/components/switches/FancyToggleSwitch";
 import { SectionGroup } from "@/modules/settings/SettingsSection.tsx";
 import { useSettings } from "@/contexts/SettingsContext.tsx";
-import { useRestrictions } from "@/contexts/RestrictionsContext.tsx";
 
 export function SettingsSecurity() {
     const { t } = useTranslation();
     const { config, setField } = useSettings();
-    const { mdm } = useRestrictions();
-    const showEncryptionSection = !(mdm.rosenpassEnabled && mdm.rosenpassPermissive);
-
     return (
         <>
             <SectionGroup title={t("settings.security.section.firewall")}>
-                {!mdm.blockInbound && (
-                    <FancyToggleSwitch
-                        value={config.blockInbound}
-                        onChange={(v) => setField("blockInbound", v)}
-                        label={t("settings.security.blockInbound.label")}
-                        helpText={t("settings.security.blockInbound.help")}
-                    />
-                )}
+                <FancyToggleSwitch
+                    value={config.blockInbound}
+                    onChange={(v) => setField("blockInbound", v)}
+                    label={t("settings.security.blockInbound.label")}
+                    helpText={t("settings.security.blockInbound.help")}
+                />
                 <FancyToggleSwitch
                     value={config.blockLanAccess}
                     onChange={(v) => setField("blockLanAccess", v)}
@@ -29,30 +23,24 @@ export function SettingsSecurity() {
                 />
             </SectionGroup>
 
-            {showEncryptionSection && (
-                <SectionGroup title={t("settings.security.section.encryption")}>
-                    {!mdm.rosenpassEnabled && (
-                        <FancyToggleSwitch
-                            value={config.rosenpassEnabled}
-                            onChange={(v) => {
-                                setField("rosenpassEnabled", v);
-                                if (!v) setField("rosenpassPermissive", false);
-                            }}
-                            label={t("settings.security.rosenpass.label")}
-                            helpText={t("settings.security.rosenpass.help")}
-                        />
-                    )}
-                    {!mdm.rosenpassPermissive && (
-                        <FancyToggleSwitch
-                            value={config.rosenpassPermissive}
-                            onChange={(v) => setField("rosenpassPermissive", v)}
-                            label={t("settings.security.rosenpassPermissive.label")}
-                            helpText={t("settings.security.rosenpassPermissive.help")}
-                            disabled={!config.rosenpassEnabled}
-                        />
-                    )}
-                </SectionGroup>
-            )}
+            <SectionGroup title={t("settings.security.section.encryption")}>
+                <FancyToggleSwitch
+                    value={config.rosenpassEnabled}
+                    onChange={(v) => {
+                        setField("rosenpassEnabled", v);
+                        if (!v) setField("rosenpassPermissive", false);
+                    }}
+                    label={t("settings.security.rosenpass.label")}
+                    helpText={t("settings.security.rosenpass.help")}
+                />
+                <FancyToggleSwitch
+                    value={config.rosenpassPermissive}
+                    onChange={(v) => setField("rosenpassPermissive", v)}
+                    label={t("settings.security.rosenpassPermissive.label")}
+                    helpText={t("settings.security.rosenpassPermissive.help")}
+                    disabled={!config.rosenpassEnabled}
+                />
+            </SectionGroup>
         </>
     );
 }

client/ui/frontend/src/modules/settings/SettingsTroubleshooting.tsx

@@ -13,6 +13,7 @@ import HelpText from "@/components/typography/HelpText.tsx";
 import { Input } from "@/components/inputs/Input";
 import { Label } from "@/components/typography/Label";
 import { SquareIcon } from "@/components/SquareIcon";
+import { cn } from "@/lib/cn";
 import { formatRemaining } from "@/lib/formatters";
 import type { DebugStage } from "@/contexts/DebugBundleContext";
 import { useDebugBundleContext } from "@/contexts/DebugBundleContext";
@@ -31,12 +32,8 @@ export function SettingsTroubleshooting() {
         setUpload,
         trace,
         setTrace,
-        capture,
-        setCapture,
         traceMinutes,
         setTraceMinutes,
-        capturePackets,
-        setCapturePackets,
         run,
         stage,
         cancel,
@@ -54,6 +51,10 @@ export function SettingsTroubleshooting() {
 
     return (
         <SectionGroup title={t("settings.troubleshooting.section.title")}>
+            <HelpText className={"-mt-2 mb-2"}>
+                <Trans i18nKey={"settings.troubleshooting.intro"} components={{ br: <br /> }} />
+            </HelpText>
+
             <FancyToggleSwitch
                 value={anonymize}
                 onChange={setAnonymize}
@@ -78,44 +79,30 @@ export function SettingsTroubleshooting() {
                 label={t("settings.troubleshooting.trace.label")}
                 helpText={t("settings.troubleshooting.trace.help")}
             />
-            <FancyToggleSwitch
-                value={capture}
-                onChange={setCapture}
-                label={t("settings.troubleshooting.capture.label")}
-                helpText={t("settings.troubleshooting.capture.help")}
-            />
-            <div className={"flex flex-col gap-4"}>
-                <FancyToggleSwitch
-                    value={capturePackets}
-                    onChange={setCapturePackets}
-                    label={t("settings.troubleshooting.packets.label")}
-                    helpText={t("settings.troubleshooting.packets.help")}
-                    disabled={!capture}
-                />
-                <div className={"flex items-center gap-6 justify-between"}>
-                    <div className={"flex-1 max-w-md"}>
-                        <Label as={"div"} disabled={!capture}>
-                            {t("settings.troubleshooting.duration.label")}
-                        </Label>
-                        <HelpText margin={false} disabled={!capture}>
-                            {t("settings.troubleshooting.duration.help")}
-                        </HelpText>
-                    </div>
-                    <div className={"w-40 shrink-0"}>
-                        <Input
-                            type={"number"}
-                            min={1}
-                            max={30}
-                            value={traceMinutes}
-                            onChange={(e) =>
-                                setTraceMinutes(
-                                    Math.max(1, Math.min(30, Number(e.target.value) || 1)),
-                                )
-                            }
-                            customSuffix={t("settings.troubleshooting.duration.suffix")}
-                            disabled={!capture}
-                        />
-                    </div>
+            <div
+                className={cn(
+                    "flex items-center gap-6 justify-between",
+                    !trace && "opacity-50 pointer-events-none",
+                )}
+            >
+                <div className={"flex-1 max-w-md"}>
+                    <Label as={"div"}>{t("settings.troubleshooting.duration.label")}</Label>
+                    <HelpText margin={false}>
+                        {t("settings.troubleshooting.duration.help")}
+                    </HelpText>
+                </div>
+                <div className={"w-40 shrink-0"}>
+                    <Input
+                        type={"number"}
+                        min={1}
+                        max={30}
+                        value={traceMinutes}
+                        onChange={(e) =>
+                            setTraceMinutes(Math.max(1, Math.min(30, Number(e.target.value) || 1)))
+                        }
+                        customSuffix={t("settings.troubleshooting.duration.suffix")}
+                        disabled={!trace}
+                    />
                 </div>
             </div>
 
@@ -310,10 +297,14 @@ const stageLabel = (
     t: (key: string, options?: Record<string, unknown>) => string,
 ): string => {
     switch (stage.kind) {
+        case "preparing-trace":
+            return t("settings.troubleshooting.stage.preparingTrace");
         case "reconnecting":
             return t("settings.troubleshooting.stage.reconnecting");
         case "capturing":
             return t("settings.troubleshooting.stage.capturing");
+        case "restoring-level":
+            return t("settings.troubleshooting.stage.restoring");
         case "bundling":
             return t("settings.troubleshooting.stage.bundling");
         case "uploading":

client/ui/frontend/src/modules/welcome/WelcomeDialog.tsx

@@ -5,12 +5,12 @@ import {
     Settings as SettingsSvc,
     WindowManager,
 } from "@bindings/services";
-import { Restrictions, SetConfigParams } from "@bindings/services/models.js";
+import { SetConfigParams } from "@bindings/services/models.js";
 import { ConfirmDialog } from "@/components/dialog/ConfirmDialog";
 import { useAutoSizeWindow } from "@/hooks/useAutoSizeWindow";
 import { errorDialog, formatErrorMessage } from "@/lib/errors";
 import i18next from "@/lib/i18n";
-import { isNetbirdCloud } from "@/hooks/useManagementUrl";
+import { isCloudManagementUrl } from "@/hooks/useManagementUrl";
 import { WelcomeStepTray } from "./WelcomeStepTray";
 import { WelcomeStepManagement } from "./WelcomeStepManagement";
 
@@ -22,12 +22,10 @@ function shouldShowManagementStep(
     activeProfile: string,
     email: string,
     managementUrl: string,
-    managedManagementUrl: string,
 ): boolean {
-    if (managedManagementUrl) return false;
     if (activeProfile !== "default") return false;
     if (email.trim() !== "") return false;
-    return isNetbirdCloud(managementUrl);
+    return isCloudManagementUrl(managementUrl);
 }
 
 type InitialState = {
@@ -52,10 +50,9 @@ export default function WelcomeDialog() {
                     ProfilesSvc.GetActive(),
                 ]);
                 const profileName = active.profileName || "default";
-                const [config, list, restrictions] = await Promise.all([
+                const [config, list] = await Promise.all([
                     SettingsSvc.GetConfig({ profileName, username }),
                     ProfilesSvc.List(username),
-                    SettingsSvc.GetRestrictions().catch(() => new Restrictions()),
                 ]);
                 const profile = list.find((p) => p.name === profileName);
                 const email = profile?.email ?? "";
@@ -68,7 +65,6 @@ export default function WelcomeDialog() {
                         profileName,
                         email,
                         config.managementUrl,
-                        restrictions.mdm.managementURL,
                     ),
                 });
             } catch (e) {

client/ui/frontend/src/modules/welcome/WelcomeStepManagement.tsx

@@ -10,7 +10,7 @@ import {
     CLOUD_MANAGEMENT_URL,
     ManagementMode,
     checkManagementUrlReachable,
-    isNetbirdCloud,
+    isCloudManagementUrl,
     isValidManagementUrl,
     normalizeManagementUrl,
 } from "@/hooks/useManagementUrl";
@@ -27,7 +27,7 @@ export function WelcomeStepManagement({
     onContinue,
 }: Readonly<WelcomeStepManagementProps>) {
     const { t } = useTranslation();
-    const startsCloud = isNetbirdCloud(initialUrl);
+    const startsCloud = isCloudManagementUrl(initialUrl);
     const [mode, setMode] = useState<ManagementMode>(
         startsCloud ? ManagementMode.Cloud : ManagementMode.SelfHosted,
     );

client/ui/guilog/debuglog.go

@@ -1,92 +0,0 @@
-//go:build !android && !ios && !freebsd && !js
-
-// Package guilog manages the desktop UI's own file log (gui-client.log), which
-// follows the daemon's log level: when the daemon is in debug/trace the GUI
-// attaches a rotated file alongside the console so its (and the React frontend's
-// forwarded) output is captured for the debug bundle. It is intentionally not a
-// Wails service — it has no frontend-facing methods and generates no TS
-// bindings — so it lives outside client/ui/services.
-package guilog
-
-import (
-	"sync"
-
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/util"
-)
-
-// DebugLog is the daemon-debug-driven GUI file log. The daemon publishes a
-// marked "log-level-changed" SystemEvent over SubscribeEvents (both on change
-// and once per new subscription, so a daemon already in debug is picked up at
-// startup); services.DaemonFeed routes it here via Apply.
-//
-// When the daemon is in debug/trace and the GUI owns its log (no manual
-// --log-file), it attaches a rotated gui-client.log alongside the console and
-// raises the logrus level; back to a higher level it detaches the file and
-// restores info. The file is left on disk (rotated by timberjack) for the debug
-// bundle to collect. When the user set --log-file explicitly, it is disabled and
-// never touches logging.
-type DebugLog struct {
-	uiPath  string
-	enabled bool
-
-	mu     sync.Mutex
-	fileOn bool
-}
-
-// NewDebugLog builds the GUI debug log. uiPath is the absolute gui-client.log
-// path; enabled is false when the user passed --log-file (manual override), in
-// which case it leaves logging untouched.
-func NewDebugLog(uiPath string, enabled bool) *DebugLog {
-	return &DebugLog{uiPath: uiPath, enabled: enabled}
-}
-
-// Path returns the GUI log path to register with the daemon, or "" when the GUI
-// doesn't own its log (manual --log-file) — in that case the daemon shouldn't
-// try to collect a gui-client.log the GUI never writes.
-func (d *DebugLog) Path() string {
-	if !d.enabled {
-		return ""
-	}
-	return d.uiPath
-}
-
-// Apply reacts to a daemon log level (the lowercase logrus name, e.g. "debug").
-// Idempotent: repeated identical levels are no-ops, so the startup replay plus a
-// racing change-event do no harm.
-func (d *DebugLog) Apply(level string) {
-	if !d.enabled {
-		return
-	}
-
-	// "debug or more verbose" (debug/trace) turns the file log on; anything less
-	// verbose turns it off. Compare numerically against logrus' own levels so
-	// there are no hard-coded level-name literals.
-	lvl, err := log.ParseLevel(level)
-	if err != nil {
-		lvl = log.InfoLevel
-	}
-	debug := lvl >= log.DebugLevel
-
-	d.mu.Lock()
-	defer d.mu.Unlock()
-
-	switch {
-	case debug && !d.fileOn:
-		if err := util.SetLogOutputs(log.StandardLogger(), util.LogConsole, d.uiPath); err != nil {
-			log.Errorf("attach GUI file log %s: %v", d.uiPath, err)
-			return
-		}
-		log.SetLevel(lvl)
-		d.fileOn = true
-		log.Infof("GUI file logging enabled (daemon level %s), writing to %s", level, d.uiPath)
-	case !debug && d.fileOn:
-		if err := util.SetLogOutputs(log.StandardLogger(), util.LogConsole); err != nil {
-			log.Errorf("detach GUI file log: %v", err)
-		}
-		log.SetLevel(log.InfoLevel)
-		d.fileOn = false
-		log.Infof("GUI file logging disabled (daemon level: %s)", level)
-	}
-}

client/ui/i18n/locales/de/common.json

@@ -167,12 +167,6 @@
     "notify.sessionDeadlineRejected.body": {
         "message": "Der Server hat eine ungültige Sitzungsablaufzeit übermittelt. Bitte melden Sie sich erneut an."
     },
-    "notify.mdm.policyApplied.title": {
-        "message": "NetBird-Einstellungen aktualisiert"
-    },
-    "notify.mdm.policyApplied.body": {
-        "message": "Ihre NetBird-Konfiguration wurde durch Ihre IT-Richtlinie aktualisiert."
-    },
     "common.cancel": {
         "message": "Abbrechen"
     },
@@ -701,12 +695,12 @@
     "settings.advanced.psk.help": {
         "message": "Optionaler WireGuard-PSK für zusätzliche symmetrische Verschlüsselung. Nicht identisch mit einem NetBird Setup-Key. Sie kommunizieren nur mit Peers, die denselben Pre-shared Key verwenden."
     },
-    "settings.advanced.psk.configured": {
-        "message": "Ein Pre-shared Key ist gesetzt – geben Sie einen neuen ein, um ihn zu ersetzen."
-    },
     "settings.troubleshooting.section.title": {
         "message": "Debug-Paket"
     },
+    "settings.troubleshooting.intro": {
+        "message": "Ein Debug-Paket hilft dem NetBird-Support bei der Untersuchung von Verbindungsproblemen. <br /> Es ist eine .zip-Datei mit Logs, Systemdetails und Debug-Informationen Ihres Geräts."
+    },
     "settings.troubleshooting.anonymize.label": {
         "message": "Sensible Informationen anonymisieren"
     },
@@ -723,31 +717,19 @@
         "message": "Paket an NetBird-Server hochladen"
     },
     "settings.troubleshooting.upload.help": {
-        "message": "Gibt einen Upload-Schlüssel zurück, den Sie mit dem NetBird-Support teilen können."
+        "message": "Lädt das Paket sicher hoch und gibt einen Upload-Schlüssel zurück. Teilen Sie den Schlüssel über GitHub oder Slack mit dem NetBird-Support, anstatt die Datei direkt anzuhängen."
     },
     "settings.troubleshooting.trace.label": {
-        "message": "Trace-Logs aktivieren"
+        "message": "Trace-Logs erfassen"
     },
     "settings.troubleshooting.trace.help": {
-        "message": "Hebt das Log-Level auf TRACE an und stellt es danach wieder her."
-    },
-    "settings.troubleshooting.capture.label": {
-        "message": "Aufzeichnungssitzung"
-    },
-    "settings.troubleshooting.capture.help": {
-        "message": "Stellt die Verbindung neu her und wartet, damit Sie das Problem reproduzieren können."
-    },
-    "settings.troubleshooting.packets.label": {
-        "message": "Netzwerkpakete aufzeichnen"
-    },
-    "settings.troubleshooting.packets.help": {
-        "message": "Speichert eine .pcap-Datei des Netzwerkverkehrs während der Aufzeichnung."
+        "message": "Erhöht das Logging auf TRACE und schaltet NetBird kurz aus und wieder ein, um Verbindungs-Logs zu erfassen. Das vorherige Level wird nach Erstellung des Pakets wiederhergestellt."
     },
     "settings.troubleshooting.duration.label": {
         "message": "Aufzeichnungsdauer"
     },
     "settings.troubleshooting.duration.help": {
-        "message": "Wie lange die Aufzeichnungssitzung läuft."
+        "message": "Wie lange Trace-Logs vor der Paketerstellung erfasst werden sollen."
     },
     "settings.troubleshooting.duration.suffix": {
         "message": "Minute(n)"
@@ -788,11 +770,17 @@
     "settings.troubleshooting.uploadFailed": {
         "message": "Upload fehlgeschlagen. Das Paket wurde trotzdem lokal gespeichert."
     },
+    "settings.troubleshooting.stage.preparingTrace": {
+        "message": "Wechsel zu Trace-Logging…"
+    },
     "settings.troubleshooting.stage.reconnecting": {
         "message": "NetBird wird neu verbunden…"
     },
     "settings.troubleshooting.stage.capturing": {
-        "message": "Debug-Logs werden erfasst"
+        "message": "Logs werden erfasst"
+    },
+    "settings.troubleshooting.stage.restoring": {
+        "message": "Vorheriges Log-Level wird wiederhergestellt…"
     },
     "settings.troubleshooting.stage.bundling": {
         "message": "Debug-Paket wird erstellt…"

client/ui/i18n/locales/en/common.json

@@ -223,14 +223,6 @@
         "message": "The server sent an invalid session deadline. Please sign in again.",
         "description": "Body explaining the server sent an invalid session deadline and the user must sign in again."
     },
-    "notify.mdm.policyApplied.title": {
-        "message": "NetBird settings updated",
-        "description": "Title of the desktop notification shown when an MDM (IT-managed) policy changed the daemon configuration at runtime."
-    },
-    "notify.mdm.policyApplied.body": {
-        "message": "Your NetBird configuration was updated by your IT policy.",
-        "description": "Body of the MDM policy-applied notification, telling the user their settings were changed by their organization's device-management policy."
-    },
     "common.cancel": {
         "message": "Cancel",
         "description": "Generic Cancel button label, reused across dialogs. Keep short."
@@ -935,14 +927,14 @@
         "message": "Optional WireGuard PSK for extra symmetric encryption. Not the same as a NetBird Setup Key. You will only communicate with peers that use the same pre-shared key.",
         "description": "Helper text for the WireGuard PSK. 'WireGuard', 'PSK', and 'NetBird Setup Key' are product/technical terms — keep them."
     },
-    "settings.advanced.psk.configured": {
-        "message": "A pre-shared key is set — enter a new one to replace it.",
-        "description": "Placeholder shown in the empty PSK input when a pre-shared key is already configured; the field stays blank because the daemon never returns the value."
-    },
     "settings.troubleshooting.section.title": {
         "message": "Debug bundle",
         "description": "Section heading: Debug bundle."
     },
+    "settings.troubleshooting.intro": {
+        "message": "A debug bundle helps NetBird support investigate connection problems. <br /> It's a .zip file with logs, system details and debug information from your device.",
+        "description": "Intro paragraph on the Troubleshoot tab. Contains an HTML '<br />' line break — keep it exactly. '.zip' is a file extension — keep it."
+    },
     "settings.troubleshooting.anonymize.label": {
         "message": "Anonymize Sensitive Information",
         "description": "Toggle label: anonymize sensitive information in the bundle."
@@ -964,39 +956,23 @@
         "description": "Toggle label: upload the bundle to NetBird servers."
     },
     "settings.troubleshooting.upload.help": {
-        "message": "Returns an upload key to share with NetBird support.",
-        "description": "Helper text for uploading the bundle."
+        "message": "Securely uploads the bundle and returns an upload key. Share the key with NetBird support over GitHub or Slack instead of attaching the file directly.",
+        "description": "Helper text for uploading the bundle. 'GitHub' and 'Slack' are brands — keep them."
     },
     "settings.troubleshooting.trace.label": {
-        "message": "Enable Trace Logs",
-        "description": "Toggle label: raise daemon log level to TRACE while the bundle is built. 'TRACE' is a log level."
+        "message": "Capture Trace Logs",
+        "description": "Toggle label: capture trace logs. 'TRACE' is a log level."
     },
     "settings.troubleshooting.trace.help": {
-        "message": "Raises the log level to TRACE and restores it after.",
-        "description": "Helper text for the trace toggle. 'TRACE' is a log level — keep as-is."
-    },
-    "settings.troubleshooting.capture.label": {
-        "message": "Capture Session",
-        "description": "Toggle label: open a capture session — reconnect NetBird, wait a duration, optionally record packets."
-    },
-    "settings.troubleshooting.capture.help": {
-        "message": "Reconnects and waits so you can reproduce the issue.",
-        "description": "Helper text for the master Capture Session toggle."
-    },
-    "settings.troubleshooting.packets.label": {
-        "message": "Capture Network Packets",
-        "description": "Toggle label: capture packets to a .pcap during the capture session."
-    },
-    "settings.troubleshooting.packets.help": {
-        "message": "Saves a .pcap of network traffic during the capture window.",
-        "description": "Helper text for the packet recording toggle. '.pcap' is a file extension — keep it."
+        "message": "Raises logging to TRACE and cycles NetBird up and down to capture connection logs. The previous level is restored after the bundle is built.",
+        "description": "Helper text explaining trace capture restarts NetBird briefly. 'TRACE' — keep as-is."
     },
     "settings.troubleshooting.duration.label": {
         "message": "Capture Duration",
         "description": "Label for the trace-capture duration field."
     },
     "settings.troubleshooting.duration.help": {
-        "message": "How long the capture session runs.",
+        "message": "How long to capture trace logs before generating the bundle.",
         "description": "Helper text for the capture duration."
     },
     "settings.troubleshooting.duration.suffix": {
@@ -1051,14 +1027,22 @@
         "message": "Upload failed. The bundle is still saved locally.",
         "description": "Shown when upload failed (no specific reason) but the bundle was saved locally."
     },
+    "settings.troubleshooting.stage.preparingTrace": {
+        "message": "Switching to trace logging…",
+        "description": "Progress stage: switching to trace logging. Ends with an ellipsis."
+    },
     "settings.troubleshooting.stage.reconnecting": {
         "message": "Reconnecting NetBird…",
         "description": "Progress stage: reconnecting NetBird. Ends with an ellipsis."
     },
     "settings.troubleshooting.stage.capturing": {
-        "message": "Capturing debug logs",
+        "message": "Capturing logs",
         "description": "Progress stage: capturing logs. {elapsed} and {total} are time values (e.g. 0:30 / 2:00); keep both."
     },
+    "settings.troubleshooting.stage.restoring": {
+        "message": "Restoring previous log level…",
+        "description": "Progress stage: restoring the previous log level. Ends with an ellipsis."
+    },
     "settings.troubleshooting.stage.bundling": {
         "message": "Generating debug bundle…",
         "description": "Progress stage: generating the debug bundle. Ends with an ellipsis."

client/ui/i18n/locales/es/common.json

@@ -167,12 +167,6 @@
     "notify.sessionDeadlineRejected.body": {
         "message": "El servidor envió un plazo de sesión no válido. Inicie sesión de nuevo."
     },
-    "notify.mdm.policyApplied.title": {
-        "message": "Configuración de NetBird actualizada"
-    },
-    "notify.mdm.policyApplied.body": {
-        "message": "Su configuración de NetBird fue actualizada por su política de TI."
-    },
     "common.cancel": {
         "message": "Cancelar"
     },
@@ -701,12 +695,12 @@
     "settings.advanced.psk.help": {
         "message": "PSK de WireGuard opcional para cifrado simétrico adicional. No es lo mismo que una clave de instalación de NetBird. Solo se comunicará con peers que usen la misma clave precompartida."
     },
-    "settings.advanced.psk.configured": {
-        "message": "Hay una clave precompartida configurada: introduzca una nueva para reemplazarla."
-    },
     "settings.troubleshooting.section.title": {
         "message": "Paquete de diagnóstico"
     },
+    "settings.troubleshooting.intro": {
+        "message": "Un paquete de diagnóstico ayuda al soporte de NetBird a investigar problemas de conexión. <br /> Es un archivo .zip con registros, detalles del sistema e información de depuración de su dispositivo."
+    },
     "settings.troubleshooting.anonymize.label": {
         "message": "Anonimizar información sensible"
     },
@@ -723,31 +717,19 @@
         "message": "Subir el paquete a los servidores de NetBird"
     },
     "settings.troubleshooting.upload.help": {
-        "message": "Devuelve una clave de subida para compartir con el soporte de NetBird."
+        "message": "Sube el paquete de forma segura y devuelve una clave de subida. Comparta la clave con el soporte de NetBird por GitHub o Slack en lugar de adjuntar el archivo directamente."
     },
     "settings.troubleshooting.trace.label": {
-        "message": "Activar registros de seguimiento"
+        "message": "Capturar registros de seguimiento"
     },
     "settings.troubleshooting.trace.help": {
-        "message": "Eleva el nivel de registro a TRACE y lo restaura después."
-    },
-    "settings.troubleshooting.capture.label": {
-        "message": "Sesión de captura"
-    },
-    "settings.troubleshooting.capture.help": {
-        "message": "Vuelve a conectar y espera para que pueda reproducir el problema."
-    },
-    "settings.troubleshooting.packets.label": {
-        "message": "Capturar paquetes de red"
-    },
-    "settings.troubleshooting.packets.help": {
-        "message": "Guarda un .pcap del tráfico de red durante la sesión de captura."
+        "message": "Eleva el registro a TRACE y reinicia NetBird para capturar los registros de conexión. El nivel anterior se restaura después de generar el paquete."
     },
     "settings.troubleshooting.duration.label": {
         "message": "Duración de la captura"
     },
     "settings.troubleshooting.duration.help": {
-        "message": "Cuánto tiempo se ejecuta la sesión de captura."
+        "message": "Cuánto tiempo capturar registros de seguimiento antes de generar el paquete."
     },
     "settings.troubleshooting.duration.suffix": {
         "message": "min"
@@ -788,11 +770,17 @@
     "settings.troubleshooting.uploadFailed": {
         "message": "Error en la subida. El paquete sigue guardado localmente."
     },
+    "settings.troubleshooting.stage.preparingTrace": {
+        "message": "Cambiando al registro de seguimiento…"
+    },
     "settings.troubleshooting.stage.reconnecting": {
         "message": "Reconectando NetBird…"
     },
     "settings.troubleshooting.stage.capturing": {
-        "message": "Capturando registros de depuración"
+        "message": "Capturando registros"
+    },
+    "settings.troubleshooting.stage.restoring": {
+        "message": "Restaurando el nivel de registro anterior…"
     },
     "settings.troubleshooting.stage.bundling": {
         "message": "Generando el paquete de diagnóstico…"

client/ui/i18n/locales/fr/common.json

@@ -167,12 +167,6 @@
     "notify.sessionDeadlineRejected.body": {
         "message": "Le serveur a envoyé une échéance de session invalide. Veuillez vous reconnecter."
     },
-    "notify.mdm.policyApplied.title": {
-        "message": "Paramètres NetBird mis à jour"
-    },
-    "notify.mdm.policyApplied.body": {
-        "message": "Votre configuration NetBird a été mise à jour par votre politique informatique."
-    },
     "common.cancel": {
         "message": "Annuler"
     },
@@ -701,12 +695,12 @@
     "settings.advanced.psk.help": {
         "message": "PSK WireGuard facultative pour un chiffrement symétrique supplémentaire. Différente d’une clé d’installation NetBird. Vous ne communiquerez qu’avec les pairs utilisant la même clé pré-partagée."
     },
-    "settings.advanced.psk.configured": {
-        "message": "Une clé pré-partagée est définie — saisissez-en une nouvelle pour la remplacer."
-    },
     "settings.troubleshooting.section.title": {
         "message": "Lot de diagnostic"
     },
+    "settings.troubleshooting.intro": {
+        "message": "Un lot de diagnostic aide l’assistance NetBird à étudier les problèmes de connexion. <br /> C’est un fichier .zip contenant des journaux, des détails système et des informations de diagnostic provenant de votre appareil."
+    },
     "settings.troubleshooting.anonymize.label": {
         "message": "Anonymiser les informations sensibles"
     },
@@ -723,31 +717,19 @@
         "message": "Envoyer le lot aux serveurs NetBird"
     },
     "settings.troubleshooting.upload.help": {
-        "message": "Renvoie une clé d’envoi à partager avec l’assistance NetBird."
+        "message": "Envoie le lot de manière sécurisée et renvoie une clé d’envoi. Partagez la clé avec l’assistance NetBird via GitHub ou Slack plutôt que de joindre directement le fichier."
     },
     "settings.troubleshooting.trace.label": {
-        "message": "Activer les journaux trace"
+        "message": "Capturer les journaux trace"
     },
     "settings.troubleshooting.trace.help": {
-        "message": "Élève le niveau de journalisation à TRACE, puis le rétablit ensuite."
-    },
-    "settings.troubleshooting.capture.label": {
-        "message": "Session de capture"
-    },
-    "settings.troubleshooting.capture.help": {
-        "message": "Se reconnecte et attend pour que vous puissiez reproduire le problème."
-    },
-    "settings.troubleshooting.packets.label": {
-        "message": "Capturer les paquets réseau"
-    },
-    "settings.troubleshooting.packets.help": {
-        "message": "Enregistre un .pcap du trafic réseau pendant la session de capture."
+        "message": "Augmente la journalisation au niveau TRACE et redémarre NetBird pour capturer les journaux de connexion. Le niveau précédent est rétabli une fois le lot généré."
     },
     "settings.troubleshooting.duration.label": {
         "message": "Durée de capture"
     },
     "settings.troubleshooting.duration.help": {
-        "message": "Durée d’exécution de la session de capture."
+        "message": "Durée de capture des journaux trace avant de générer le lot."
     },
     "settings.troubleshooting.duration.suffix": {
         "message": "min"
@@ -788,11 +770,17 @@
     "settings.troubleshooting.uploadFailed": {
         "message": "Échec de l’envoi. Le lot reste enregistré localement."
     },
+    "settings.troubleshooting.stage.preparingTrace": {
+        "message": "Passage à la journalisation trace…"
+    },
     "settings.troubleshooting.stage.reconnecting": {
         "message": "Reconnexion de NetBird…"
     },
     "settings.troubleshooting.stage.capturing": {
-        "message": "Capture des journaux de débogage"
+        "message": "Capture des journaux"
+    },
+    "settings.troubleshooting.stage.restoring": {
+        "message": "Rétablissement du niveau de journalisation précédent…"
     },
     "settings.troubleshooting.stage.bundling": {
         "message": "Génération du lot de diagnostic…"

client/ui/i18n/locales/hu/common.json

@@ -167,12 +167,6 @@
     "notify.sessionDeadlineRejected.body": {
         "message": "A szerver érvénytelen munkamenet-határidőt küldött. Kérjük, jelentkezzen be újra."
     },
-    "notify.mdm.policyApplied.title": {
-        "message": "NetBird beállítások frissítve"
-    },
-    "notify.mdm.policyApplied.body": {
-        "message": "A NetBird konfigurációt az IT-szabályzat frissítette."
-    },
     "common.cancel": {
         "message": "Mégse"
     },
@@ -701,12 +695,12 @@
     "settings.advanced.psk.help": {
         "message": "Opcionális WireGuard PSK további szimmetrikus titkosításhoz. Nem azonos a NetBird telepítőkulccsal. Csak olyan Peerekkel kommunikál, akik ugyanazt a pre-shared kulcsot használják."
     },
-    "settings.advanced.psk.configured": {
-        "message": "Pre-shared kulcs be van állítva – új megadásával cserélhető."
-    },
     "settings.troubleshooting.section.title": {
         "message": "Hibakeresési csomag"
     },
+    "settings.troubleshooting.intro": {
+        "message": "A hibakeresési csomag segít a NetBird támogatásnak a kapcsolati problémák kivizsgálásában. <br /> Egy .zip fájl, amely naplókat, rendszerinformációkat és hibakeresési adatokat tartalmaz az eszközéről."
+    },
     "settings.troubleshooting.anonymize.label": {
         "message": "Érzékeny információk anonimizálása"
     },
@@ -723,31 +717,19 @@
         "message": "Csomag feltöltése a NetBird szerverekre"
     },
     "settings.troubleshooting.upload.help": {
-        "message": "Egy feltöltési kulcsot ad vissza, amelyet megoszthat a NetBird támogatással."
+        "message": "Biztonságosan feltölti a csomagot, és visszaad egy feltöltési kulcsot. Ossza meg a kulcsot a NetBird támogatással a GitHubon vagy Slacken keresztül a fájl közvetlen csatolása helyett."
     },
     "settings.troubleshooting.trace.label": {
-        "message": "Trace naplók engedélyezése"
+        "message": "Trace naplók rögzítése"
     },
     "settings.troubleshooting.trace.help": {
-        "message": "TRACE szintre emeli a naplózást, majd utána visszaállítja."
-    },
-    "settings.troubleshooting.capture.label": {
-        "message": "Rögzítési munkamenet"
-    },
-    "settings.troubleshooting.capture.help": {
-        "message": "Újra csatlakozik és vár, hogy reprodukálhassa a problémát."
-    },
-    "settings.troubleshooting.packets.label": {
-        "message": "Hálózati csomagok rögzítése"
-    },
-    "settings.troubleshooting.packets.help": {
-        "message": "A rögzítés ideje alatt elmenti a hálózati forgalom .pcap fájlját."
+        "message": "TRACE szintre emeli a naplózást, és újraindítja a NetBird kapcsolatot a kapcsolati naplók rögzítéséhez. Az előző szint a csomag elkészülte után visszaáll."
     },
     "settings.troubleshooting.duration.label": {
         "message": "Rögzítés időtartama"
     },
     "settings.troubleshooting.duration.help": {
-        "message": "Mennyi ideig fusson a rögzítési munkamenet."
+        "message": "Mennyi ideig rögzítse a trace naplókat a csomag elkészítése előtt."
     },
     "settings.troubleshooting.duration.suffix": {
         "message": "perc"
@@ -788,11 +770,17 @@
     "settings.troubleshooting.uploadFailed": {
         "message": "Feltöltés sikertelen. A csomag továbbra is el van mentve helyileg."
     },
+    "settings.troubleshooting.stage.preparingTrace": {
+        "message": "Váltás trace naplózásra…"
+    },
     "settings.troubleshooting.stage.reconnecting": {
         "message": "NetBird újracsatlakoztatása…"
     },
     "settings.troubleshooting.stage.capturing": {
-        "message": "Hibakeresési naplók rögzítése"
+        "message": "Naplók rögzítése"
+    },
+    "settings.troubleshooting.stage.restoring": {
+        "message": "Korábbi napló szint visszaállítása…"
     },
     "settings.troubleshooting.stage.bundling": {
         "message": "Hibakeresési csomag generálása…"

client/ui/i18n/locales/it/common.json

@@ -167,12 +167,6 @@
     "notify.sessionDeadlineRejected.body": {
         "message": "Il server ha inviato una scadenza di sessione non valida. Effettui di nuovo l'accesso."
     },
-    "notify.mdm.policyApplied.title": {
-        "message": "Impostazioni NetBird aggiornate"
-    },
-    "notify.mdm.policyApplied.body": {
-        "message": "La configurazione di NetBird è stata aggiornata dalla policy IT."
-    },
     "common.cancel": {
         "message": "Annulla"
     },
@@ -701,12 +695,12 @@
     "settings.advanced.psk.help": {
         "message": "PSK WireGuard opzionale per una crittografia simmetrica aggiuntiva. Non è la stessa cosa di una chiave di configurazione NetBird. Comunicherà solo con i peer che usano la stessa chiave pre-condivisa."
     },
-    "settings.advanced.psk.configured": {
-        "message": "Una chiave pre-condivisa è impostata: ne inserisca una nuova per sostituirla."
-    },
     "settings.troubleshooting.section.title": {
         "message": "Pacchetto di debug"
     },
+    "settings.troubleshooting.intro": {
+        "message": "Un pacchetto di debug aiuta il supporto NetBird a indagare sui problemi di connessione. <br /> È un file .zip con log, dettagli di sistema e informazioni di debug del suo dispositivo."
+    },
     "settings.troubleshooting.anonymize.label": {
         "message": "Anonimizza informazioni sensibili"
     },
@@ -723,31 +717,19 @@
         "message": "Carica il pacchetto sui server NetBird"
     },
     "settings.troubleshooting.upload.help": {
-        "message": "Restituisce una chiave di caricamento da condividere con il supporto NetBird."
+        "message": "Carica il pacchetto in modo sicuro e restituisce una chiave di caricamento. Condivida la chiave con il supporto NetBird tramite GitHub o Slack invece di allegare direttamente il file."
     },
     "settings.troubleshooting.trace.label": {
-        "message": "Abilita log di traccia"
+        "message": "Acquisisci log di traccia"
     },
     "settings.troubleshooting.trace.help": {
-        "message": "Aumenta il livello di log a TRACE e lo ripristina al termine."
-    },
-    "settings.troubleshooting.capture.label": {
-        "message": "Sessione di acquisizione"
-    },
-    "settings.troubleshooting.capture.help": {
-        "message": "Si riconnette e attende per consentirle di riprodurre il problema."
-    },
-    "settings.troubleshooting.packets.label": {
-        "message": "Acquisisci pacchetti di rete"
-    },
-    "settings.troubleshooting.packets.help": {
-        "message": "Salva un .pcap del traffico di rete durante la sessione di acquisizione."
+        "message": "Aumenta il livello di log a TRACE e riavvia NetBird per acquisire i log di connessione. Il livello precedente viene ripristinato dopo la creazione del pacchetto."
     },
     "settings.troubleshooting.duration.label": {
         "message": "Durata acquisizione"
     },
     "settings.troubleshooting.duration.help": {
-        "message": "Per quanto tempo viene eseguita la sessione di acquisizione."
+        "message": "Per quanto tempo acquisire i log di traccia prima di generare il pacchetto."
     },
     "settings.troubleshooting.duration.suffix": {
         "message": "min."
@@ -788,11 +770,17 @@
     "settings.troubleshooting.uploadFailed": {
         "message": "Caricamento non riuscito. Il pacchetto è comunque salvato localmente."
     },
+    "settings.troubleshooting.stage.preparingTrace": {
+        "message": "Passaggio al logging di traccia…"
+    },
     "settings.troubleshooting.stage.reconnecting": {
         "message": "Riconnessione di NetBird…"
     },
     "settings.troubleshooting.stage.capturing": {
-        "message": "Acquisizione log di debug"
+        "message": "Acquisizione log"
+    },
+    "settings.troubleshooting.stage.restoring": {
+        "message": "Ripristino del livello di log precedente…"
     },
     "settings.troubleshooting.stage.bundling": {
         "message": "Generazione del pacchetto di debug…"

client/ui/i18n/locales/pt/common.json

@@ -167,12 +167,6 @@
     "notify.sessionDeadlineRejected.body": {
         "message": "O servidor enviou um prazo de sessão inválido. Faça login novamente."
     },
-    "notify.mdm.policyApplied.title": {
-        "message": "Definições do NetBird atualizadas"
-    },
-    "notify.mdm.policyApplied.body": {
-        "message": "A sua configuração do NetBird foi atualizada pela política de TI."
-    },
     "common.cancel": {
         "message": "Cancelar"
     },
@@ -701,12 +695,12 @@
     "settings.advanced.psk.help": {
         "message": "PSK opcional do WireGuard para criptografia simétrica adicional. Não é o mesmo que uma chave de configuração do NetBird. Você só se comunicará com peers que usem a mesma chave pré-compartilhada."
     },
-    "settings.advanced.psk.configured": {
-        "message": "Uma chave pré-compartilhada está definida — introduza uma nova para a substituir."
-    },
     "settings.troubleshooting.section.title": {
         "message": "Pacote de depuração"
     },
+    "settings.troubleshooting.intro": {
+        "message": "Um pacote de depuração ajuda o suporte do NetBird a investigar problemas de conexão. <br /> É um arquivo .zip com logs, detalhes do sistema e informações de depuração do seu dispositivo."
+    },
     "settings.troubleshooting.anonymize.label": {
         "message": "Anonimizar informações sensíveis"
     },
@@ -723,31 +717,19 @@
         "message": "Enviar pacote aos servidores do NetBird"
     },
     "settings.troubleshooting.upload.help": {
-        "message": "Retorna uma chave de upload para compartilhar com o suporte do NetBird."
+        "message": "Envia o pacote com segurança e retorna uma chave de upload. Compartilhe a chave com o suporte do NetBird via GitHub ou Slack em vez de anexar o arquivo diretamente."
     },
     "settings.troubleshooting.trace.label": {
-        "message": "Habilitar logs de trace"
+        "message": "Capturar logs de trace"
     },
     "settings.troubleshooting.trace.help": {
-        "message": "Eleva o nível de log para TRACE e o restaura em seguida."
-    },
-    "settings.troubleshooting.capture.label": {
-        "message": "Sessão de captura"
-    },
-    "settings.troubleshooting.capture.help": {
-        "message": "Reconecta e aguarda para que você possa reproduzir o problema."
-    },
-    "settings.troubleshooting.packets.label": {
-        "message": "Capturar pacotes de rede"
-    },
-    "settings.troubleshooting.packets.help": {
-        "message": "Salva um .pcap do tráfego de rede durante a sessão de captura."
+        "message": "Eleva o nível de log para TRACE e reinicia o NetBird para capturar os logs de conexão. O nível anterior é restaurado após a criação do pacote."
     },
     "settings.troubleshooting.duration.label": {
         "message": "Duração da captura"
     },
     "settings.troubleshooting.duration.help": {
-        "message": "Por quanto tempo a sessão de captura é executada."
+        "message": "Por quanto tempo capturar os logs de trace antes de gerar o pacote."
     },
     "settings.troubleshooting.duration.suffix": {
         "message": "min"
@@ -788,11 +770,17 @@
     "settings.troubleshooting.uploadFailed": {
         "message": "Falha no upload. O pacote continua salvo localmente."
     },
+    "settings.troubleshooting.stage.preparingTrace": {
+        "message": "Alternando para logs de trace…"
+    },
     "settings.troubleshooting.stage.reconnecting": {
         "message": "Reconectando o NetBird…"
     },
     "settings.troubleshooting.stage.capturing": {
-        "message": "Capturando logs de depuração"
+        "message": "Capturando logs"
+    },
+    "settings.troubleshooting.stage.restoring": {
+        "message": "Restaurando o nível de log anterior…"
     },
     "settings.troubleshooting.stage.bundling": {
         "message": "Gerando o pacote de depuração…"

client/ui/i18n/locales/ru/common.json

@@ -167,12 +167,6 @@
     "notify.sessionDeadlineRejected.body": {
         "message": "Сервер передал неверный срок действия сеанса. Пожалуйста, войдите снова."
     },
-    "notify.mdm.policyApplied.title": {
-        "message": "Настройки NetBird обновлены"
-    },
-    "notify.mdm.policyApplied.body": {
-        "message": "Конфигурация NetBird была обновлена в соответствии с вашей ИТ-политикой."
-    },
     "common.cancel": {
         "message": "Отмена"
     },
@@ -701,12 +695,12 @@
     "settings.advanced.psk.help": {
         "message": "Необязательный PSK WireGuard для дополнительного симметричного шифрования. Это не то же самое, что ключ установки NetBird. Вы будете обмениваться данными только с пирами, использующими тот же общий ключ."
     },
-    "settings.advanced.psk.configured": {
-        "message": "Общий ключ установлен — введите новый, чтобы заменить его."
-    },
     "settings.troubleshooting.section.title": {
         "message": "Отладочный пакет"
     },
+    "settings.troubleshooting.intro": {
+        "message": "Отладочный пакет помогает поддержке NetBird исследовать проблемы с подключением. <br /> Это .zip-файл с журналами, сведениями о системе и отладочной информацией с вашего устройства."
+    },
     "settings.troubleshooting.anonymize.label": {
         "message": "Анонимизировать конфиденциальную информацию"
     },
@@ -723,31 +717,19 @@
         "message": "Загрузить пакет на серверы NetBird"
     },
     "settings.troubleshooting.upload.help": {
-        "message": "Возвращает ключ загрузки, который можно передать поддержке NetBird."
+        "message": "Безопасно загружает пакет и возвращает ключ загрузки. Поделитесь ключом с поддержкой NetBird через GitHub или Slack вместо того, чтобы прикреплять файл напрямую."
     },
     "settings.troubleshooting.trace.label": {
-        "message": "Включить журналы TRACE"
+        "message": "Собирать журналы TRACE"
     },
     "settings.troubleshooting.trace.help": {
-        "message": "Повышает уровень журналирования до TRACE и затем восстанавливает прежний."
-    },
-    "settings.troubleshooting.capture.label": {
-        "message": "Сеанс записи"
-    },
-    "settings.troubleshooting.capture.help": {
-        "message": "Переподключается и ожидает, чтобы вы могли воспроизвести проблему."
-    },
-    "settings.troubleshooting.packets.label": {
-        "message": "Записывать сетевые пакеты"
-    },
-    "settings.troubleshooting.packets.help": {
-        "message": "Сохраняет .pcap сетевого трафика во время сеанса записи."
+        "message": "Повышает уровень журналирования до TRACE и перезапускает NetBird (отключение и подключение) для сбора журналов подключения. Прежний уровень восстанавливается после создания пакета."
     },
     "settings.troubleshooting.duration.label": {
         "message": "Длительность записи"
     },
     "settings.troubleshooting.duration.help": {
-        "message": "Как долго длится сеанс записи."
+        "message": "Как долго собирать журналы TRACE перед созданием пакета."
     },
     "settings.troubleshooting.duration.suffix": {
         "message": "мин."
@@ -788,11 +770,17 @@
     "settings.troubleshooting.uploadFailed": {
         "message": "Не удалось загрузить. Пакет всё равно сохранён локально."
     },
+    "settings.troubleshooting.stage.preparingTrace": {
+        "message": "Переключение на журналирование TRACE…"
+    },
     "settings.troubleshooting.stage.reconnecting": {
         "message": "Переподключение NetBird…"
     },
     "settings.troubleshooting.stage.capturing": {
-        "message": "Сбор отладочных журналов"
+        "message": "Сбор журналов"
+    },
+    "settings.troubleshooting.stage.restoring": {
+        "message": "Восстановление прежнего уровня журналирования…"
     },
     "settings.troubleshooting.stage.bundling": {
         "message": "Создание отладочного пакета…"

client/ui/i18n/locales/zh-CN/common.json

@@ -167,12 +167,6 @@
     "notify.sessionDeadlineRejected.body": {
         "message": "服务器发送了无效的会话截止时间。请重新登录。"
     },
-    "notify.mdm.policyApplied.title": {
-        "message": "NetBird 设置已更新"
-    },
-    "notify.mdm.policyApplied.body": {
-        "message": "您的 NetBird 配置已根据 IT 策略更新。"
-    },
     "common.cancel": {
         "message": "取消"
     },
@@ -701,12 +695,12 @@
     "settings.advanced.psk.help": {
         "message": "可选的 WireGuard PSK，用于额外的对称加密。它与 NetBird 设置密钥不同。您将只能与使用相同预共享密钥的对等节点通信。"
     },
-    "settings.advanced.psk.configured": {
-        "message": "已设置预共享密钥，输入新密钥即可替换。"
-    },
     "settings.troubleshooting.section.title": {
         "message": "调试包"
     },
+    "settings.troubleshooting.intro": {
+        "message": "调试包可帮助 NetBird 支持团队排查连接问题。<br /> 它是一个 .zip 文件，包含来自您设备的日志、系统详情和调试信息。"
+    },
     "settings.troubleshooting.anonymize.label": {
         "message": "匿名化敏感信息"
     },
@@ -723,31 +717,19 @@
         "message": "将调试包上传到 NetBird 服务器"
     },
     "settings.troubleshooting.upload.help": {
-        "message": "返回一个上传密钥，供您分享给 NetBird 支持团队。"
+        "message": "安全地上传调试包并返回一个上传密钥。请通过 GitHub 或 Slack 将该密钥分享给 NetBird 支持团队，而不要直接附上文件。"
     },
     "settings.troubleshooting.trace.label": {
-        "message": "启用跟踪日志"
+        "message": "捕获跟踪日志"
     },
     "settings.troubleshooting.trace.help": {
-        "message": "将日志级别提升到 TRACE，之后再恢复原级别。"
-    },
-    "settings.troubleshooting.capture.label": {
-        "message": "捕获会话"
-    },
-    "settings.troubleshooting.capture.help": {
-        "message": "重新连接并等待，以便您复现问题。"
-    },
-    "settings.troubleshooting.packets.label": {
-        "message": "捕获网络数据包"
-    },
-    "settings.troubleshooting.packets.help": {
-        "message": "在捕获期间将网络流量保存为 .pcap 文件。"
+        "message": "将日志级别提升到 TRACE，并使 NetBird 上下线一次以捕获连接日志。调试包生成后将恢复先前的级别。"
     },
     "settings.troubleshooting.duration.label": {
         "message": "捕获时长"
     },
     "settings.troubleshooting.duration.help": {
-        "message": "捕获会话运行的时长。"
+        "message": "在生成调试包之前捕获跟踪日志的时长。"
     },
     "settings.troubleshooting.duration.suffix": {
         "message": "分钟"
@@ -788,11 +770,17 @@
     "settings.troubleshooting.uploadFailed": {
         "message": "上传失败。调试包仍已保存在本地。"
     },
+    "settings.troubleshooting.stage.preparingTrace": {
+        "message": "正在切换到跟踪日志记录…"
+    },
     "settings.troubleshooting.stage.reconnecting": {
         "message": "正在重新连接 NetBird…"
     },
     "settings.troubleshooting.stage.capturing": {
-        "message": "正在捕获调试日志"
+        "message": "正在捕获日志"
+    },
+    "settings.troubleshooting.stage.restoring": {
+        "message": "正在恢复先前的日志级别…"
     },
     "settings.troubleshooting.stage.bundling": {
         "message": "正在生成调试包…"

client/ui/main.go

@@ -84,16 +84,9 @@ func init() {
 }
 
 func main() {
-	daemonAddr, userSetLogFile := parseFlagsAndInitLog()
+	daemonAddr := parseFlagsAndInitLog()
 	conn := NewConn(daemonAddr)
 
-	// GUI file logging: when the user didn't pass --log-file, the GUI manages a
-	// gui-client.log that follows the daemon's debug level (attached when the
-	// daemon is in debug/trace, detached otherwise, rotated by timberjack) and is
-	// included in the debug bundle. It rides DaemonFeed's SubscribeEvents stream
-	// (passed into NewDaemonFeed below; see guilog.DebugLog).
-	debugLog := newDebugLog(userSetLogFile)
-
 	// tray is captured in the SingleInstance callback below; the var is
 	// declared before app.New so the closure has a stable reference.
 	var tray *Tray
@@ -110,7 +103,7 @@ func main() {
 	// Wails-bound facade over the holder plus the install RPCs.
 	updaterHolder := updater.NewHolder(app.Event)
 	update := services.NewUpdate(conn, updaterHolder)
-	daemonFeed := services.NewDaemonFeed(conn, app.Event, updaterHolder, debugLog)
+	daemonFeed := services.NewDaemonFeed(conn, app.Event, updaterHolder)
 	notifier := notifications.New()
 	// macOS won't surface any toast until the app has requested permission;
 	// the request runs after ApplicationStarted so the notifier's Startup has
@@ -237,30 +230,18 @@ func requestNotificationAuthorization(notifier *notifications.NotificationServic
 }
 
 // parseFlagsAndInitLog parses the CLI flags, initialises the logger, and
-// returns the resolved daemon gRPC address plus userSetLogFile — true when the
-// user passed --log-file explicitly. userSetLogFile is the manual-override
-// signal: when true the GUI leaves logging alone (the daemon's debug level
-// won't attach gui-client.log); when false the GUI manages a per-session
-// gui-client.log driven by the daemon level. The default seed is empty (not
-// "console") so "no flag" and an explicit "--log-file console" are
-// distinguishable; an empty result falls back to console for InitLog.
-func parseFlagsAndInitLog() (string, bool) {
+// returns the resolved daemon gRPC address.
+func parseFlagsAndInitLog() string {
 	daemonAddr := flag.String("daemon-addr", DaemonAddr(), "Daemon gRPC address: unix:///path or tcp://host:port")
-	logFiles := &stringList{}
-	flag.Var(logFiles, "log-file", "Log destination. Repeat to log to multiple targets at once, e.g. `--log-file console --log-file Y:/netbird-ui.log`. Each value is one of: console, syslog, or a file path. File destinations are rotated by lumberjack (same as the daemon). Defaults to console. Passing any value disables the daemon-debug-driven gui-client.log.")
+	logFiles := &stringList{values: []string{"console"}}
+	flag.Var(logFiles, "log-file", "Log destination. Repeat to log to multiple targets at once, e.g. `--log-file console --log-file Y:/netbird-ui.log`. Each value is one of: console, syslog, or a file path. File destinations are rotated by lumberjack (same as the daemon). Defaults to console.")
 	logLevel := flag.String("log-level", "info", "Log level: trace|debug|info|warn|error.")
 	flag.Parse()
 
-	userSetLogFile := len(logFiles.values) > 0
-	targets := logFiles.values
-	if !userSetLogFile {
-		targets = []string{"console"}
-	}
-
-	if err := util.InitLog(*logLevel, targets...); err != nil {
+	if err := util.InitLog(*logLevel, logFiles.values...); err != nil {
 		log.Fatalf("init log: %v", err)
 	}
-	return *daemonAddr, userSetLogFile
+	return *daemonAddr
 }
 
 // newApplication constructs the Wails application. onSecondInstance is invoked

client/ui/services/daemon_feed.go

@@ -46,11 +46,20 @@ const (
 	// tray (Go side) so the frontend stays passive on this flow.
 	EventSessionWarning = "netbird:session:warning"
 
-	// The SystemEvent.metadata markers the daemon stamps on its internal
-	// control events live in the shared proto package
-	// (proto.MetadataKind*/MetadataKindKey/MetadataLevelKey) so producer
-	// (client/server) and consumer (here) reference the same constants. See
-	// dispatchSystemEvent for how they're recognised.
+	// MetadataKindProfileListChanged is the SystemEvent.metadata["kind"]
+	// marker the daemon stamps on the INFO/SYSTEM event it publishes after a
+	// CLI-driven AddProfile / RemoveProfile (the daemon emits no dedicated
+	// profile RPC event). dispatchSystemEvent recognises it and re-emits the
+	// existing EventProfileChanged so the tray and React profile views refresh
+	// — closing the gap the SubscribeStatus path can't, since a profile
+	// add/remove doesn't change the daemon's status string (the tray's
+	// iconChanged guard would swallow it). The daemon side hard-codes the same
+	// string literal in client/server/server.go (client/server cannot import
+	// this UI package).
+	MetadataKindProfileListChanged = "profile-list-changed"
+	// metadataKindKey is the SystemEvent.metadata key the "kind" marker lives
+	// under. Kept in sync with the daemon-side literal in client/server.
+	metadataKindKey = "kind"
 
 	// StatusDaemonUnavailable is the synthetic Status the UI emits when the
 	// daemon's gRPC socket is unreachable (daemon not running, socket
@@ -189,13 +198,6 @@ type DaemonFeed struct {
 	conn    DaemonConn
 	emitter Emitter
 	updater *updater.Holder
-	// logCtl reacts to the daemon's log level (delivered as a marked
-	// SystemEvent over the same SubscribeEvents stream) by attaching/detaching
-	// the GUI file log. nil when the GUI doesn't manage its log (server build /
-	// not wired), in which case the marker is ignored. Held as a narrow
-	// interface so this package doesn't depend on client/ui/guilog (the concrete
-	// type lives there; main passes it into NewDaemonFeed).
-	logCtl LogController
 
 	mu       sync.Mutex
 	cancel   context.CancelFunc
@@ -215,24 +217,8 @@ type DaemonFeed struct {
 	switchLoginWatchUntil time.Time
 }
 
-// LogController is the subset of client/ui/guilog.DebugLog that DaemonFeed
-// drives: Apply turns the GUI file log on/off for a daemon level, Path is the
-// gui-client.log path to register with the daemon (empty when the GUI doesn't
-// own its log). Kept as an interface so services doesn't import guilog. The
-// daemon delivers log-level changes as marked SystemEvents on the same
-// SubscribeEvents stream this feed consumes, so it rides along here rather than
-// opening a second daemon subscription.
-type LogController interface {
-	Apply(level string)
-	Path() string
-}
-
-// NewDaemonFeed builds the feed. logCtl may be nil (server build / GUI log not
-// managed), in which case log-level markers on the event stream are ignored.
-// Injected at construction rather than via a setter so DaemonFeed (a Wails
-// service) exposes no extra method to the binding generator.
-func NewDaemonFeed(conn DaemonConn, emitter Emitter, updaterHolder *updater.Holder, logCtl LogController) *DaemonFeed {
-	return &DaemonFeed{conn: conn, emitter: emitter, updater: updaterHolder, logCtl: logCtl}
+func NewDaemonFeed(conn DaemonConn, emitter Emitter, updaterHolder *updater.Holder) *DaemonFeed {
+	return &DaemonFeed{conn: conn, emitter: emitter, updater: updaterHolder}
 }
 
 // BeginProfileSwitch is called by ProfileSwitcher at the start of a switch
@@ -539,17 +525,6 @@ func (s *DaemonFeed) subscribeAndStreamEvents(ctx context.Context) error {
 	if err != nil {
 		return fmt.Errorf("subscribe: %w", err)
 	}
-
-	// Re-register the GUI log path on every (re)connect so a daemon restart
-	// re-learns it and a later debug bundle still finds the file. Best-effort —
-	// a failure here must not abort the event stream. Done even when file
-	// logging is off (enabled but not in debug), so the path is known ahead of
-	// any debug toggle.
-	if s.logCtl != nil && s.logCtl.Path() != "" {
-		if _, err := cli.RegisterUILog(ctx, &proto.RegisterUILogRequest{Path: s.logCtl.Path()}); err != nil {
-			log.Warnf("register UI log path: %v", err)
-		}
-	}
 	for {
 		ev, err := stream.Recv()
 		if err != nil {
@@ -574,19 +549,10 @@ func (s *DaemonFeed) dispatchSystemEvent(ev *proto.SystemEvent) {
 	// ProfileContext.refresh already subscribe to) and stop — it's an internal
 	// refresh signal, not a user-facing notification, so it must not reach the
 	// Recent Events list or fire an OS toast.
-	if se.Metadata[proto.MetadataKindKey] == proto.MetadataKindProfileListChanged {
+	if se.Metadata[metadataKindKey] == MetadataKindProfileListChanged {
 		s.emitter.Emit(EventProfileChanged, ProfileRef{})
 		return
 	}
-	// A marked log-level-changed event drives the GUI file log on/off. It's an
-	// internal control signal, not a user-facing notification — handle and stop
-	// so it never reaches the Recent Events list or fires an OS toast.
-	if se.Metadata[proto.MetadataKindKey] == proto.MetadataKindLogLevelChanged {
-		if s.logCtl != nil {
-			s.logCtl.Apply(se.Metadata[proto.MetadataLevelKey])
-		}
-		return
-	}
 	s.emitter.Emit(EventDaemonNotification, se)
 	if warn, ok := authsession.WarningFromMetadata(se.Metadata); ok {
 		s.emitter.Emit(EventSessionWarning, warn)

client/ui/services/debug.go

@@ -8,10 +8,6 @@ import (
 	"os/exec"
 	"path/filepath"
 	"runtime"
-	"strings"
-	"time"
-
-	"google.golang.org/protobuf/types/known/durationpb"
 
 	"github.com/netbirdio/netbird/client/proto"
 	"github.com/netbirdio/netbird/version"
@@ -103,51 +99,12 @@ func (s *Debug) RevealFile(_ context.Context, path string) error {
 	return cmd.Start()
 }
 
-// RegisterUILog tells the daemon the absolute path of the GUI's log file so
-// the daemon's debug bundle can collect it (the daemon runs as root and can't
-// resolve the user's config dir). Called by LogLevelWatcher on each daemon
-// (re)connect.
-func (s *Debug) RegisterUILog(ctx context.Context, path string) error {
-	cli, err := s.conn.Client()
-	if err != nil {
-		return err
-	}
-	_, err = cli.RegisterUILog(ctx, &proto.RegisterUILogRequest{Path: path})
-	return err
-}
-
-func (s *Debug) StartBundleCapture(ctx context.Context, timeoutSeconds int32) error {
-	cli, err := s.conn.Client()
-	if err != nil {
-		return err
-	}
-	req := &proto.StartBundleCaptureRequest{}
-	if timeoutSeconds > 0 {
-		req.Timeout = durationpb.New(time.Duration(timeoutSeconds) * time.Second)
-	}
-	_, err = cli.StartBundleCapture(ctx, req)
-	return err
-}
-
-func (s *Debug) StopBundleCapture(ctx context.Context) error {
-	cli, err := s.conn.Client()
-	if err != nil {
-		return err
-	}
-	_, err = cli.StopBundleCapture(ctx, &proto.StopBundleCaptureRequest{})
-	return err
-}
-
 func (s *Debug) SetLogLevel(ctx context.Context, lvl LogLevel) error {
 	cli, err := s.conn.Client()
 	if err != nil {
 		return err
 	}
-	// proto.LogLevel_value keys are the enum names (TRACE/DEBUG/INFO/...), but
-	// callers (the React side, GetLogLevel) use the lowercase logrus names
-	// ("trace"/"debug"/...). Upper-case before the lookup so a lowercase level
-	// doesn't silently fall back to INFO.
-	level, ok := proto.LogLevel_value[strings.ToUpper(lvl.Level)]
+	level, ok := proto.LogLevel_value[lvl.Level]
 	if !ok {
 		level = int32(proto.LogLevel_INFO)
 	}

client/ui/services/forwarding.go

@@ -84,4 +84,4 @@ func portInfoFromProto(p *proto.PortInfo) PortInfo {
 		return PortInfo{Range: &PortRange{Start: r.GetStart(), End: r.GetEnd()}}
 	}
 	return PortInfo{}
-}
+}

client/ui/services/settings.go

@@ -4,75 +4,47 @@ package services
 
 import (
 	"context"
-	"reflect"
 
 	"github.com/netbirdio/netbird/client/proto"
 )
 
-type MDMFields struct {
-	ManagementURL            string `json:"managementURL"`
-	PreSharedKey             bool   `json:"preSharedKey"`
-	WireguardPort            bool `json:"wireguardPort"`
-	RosenpassEnabled         bool `json:"rosenpassEnabled"`
-	RosenpassPermissive      bool `json:"rosenpassPermissive"`
-	DisableClientRoutes      bool `json:"disableClientRoutes"`
-	DisableServerRoutes      bool `json:"disableServerRoutes"`
-	AllowServerSSH           bool `json:"allowServerSSH"`
-	DisableAutoConnect       bool `json:"disableAutoConnect"`
-	BlockInbound             bool `json:"blockInbound"`
-	DisableMetricsCollection bool `json:"disableMetricsCollection"`
-	SplitTunnelMode          bool `json:"splitTunnelMode"`
-	SplitTunnelApps          bool `json:"splitTunnelApps"`
-	DisableAdvancedView      bool `json:"disableAdvancedView"`
-}
-
-type Features struct {
-	DisableProfiles       bool `json:"disableProfiles"`
-	DisableNetworks       bool `json:"disableNetworks"`
-	DisableUpdateSettings bool `json:"disableUpdateSettings"`
-}
-
-type Restrictions struct {
-	MDM      MDMFields `json:"mdm"`
-	Features Features  `json:"features"`
-}
-
-
 // ConfigParams selects which profile/user to read or write config for.
 type ConfigParams struct {
 	ProfileName string `json:"profileName"`
 	Username    string `json:"username"`
 }
 
-
+// Config is the daemon configuration the UI exposes in the settings window.
+// Pointer fields mark "set" vs "unset" so the UI can omit a value to keep the
+// daemon's current setting (matching SetConfigRequest's optional semantics).
 type Config struct {
-	ManagementURL string `json:"managementUrl"`
-	AdminURL      string `json:"adminUrl"`
-	ConfigFile    string `json:"configFile"`
-	LogFile       string `json:"logFile"`
-	PreSharedKeySet               bool   `json:"preSharedKeySet"`
-	InterfaceName                 string `json:"interfaceName"`
-	WireguardPort                 int64  `json:"wireguardPort"`
-	MTU                           int64  `json:"mtu"`
-	DisableAutoConnect            bool   `json:"disableAutoConnect"`
-	ServerSSHAllowed              bool   `json:"serverSshAllowed"`
-	RosenpassEnabled              bool   `json:"rosenpassEnabled"`
-	RosenpassPermissive           bool   `json:"rosenpassPermissive"`
-	DisableNotifications          bool   `json:"disableNotifications"`
-	LazyConnectionEnabled         bool   `json:"lazyConnectionEnabled"`
-	BlockInbound                  bool   `json:"blockInbound"`
-	NetworkMonitor                bool   `json:"networkMonitor"`
-	DisableClientRoutes           bool   `json:"disableClientRoutes"`
-	DisableServerRoutes           bool   `json:"disableServerRoutes"`
-	DisableDNS                    bool   `json:"disableDns"`
-	DisableIPv6                   bool   `json:"disableIpv6"`
-	BlockLANAccess                bool   `json:"blockLanAccess"`
-	EnableSSHRoot                 bool   `json:"enableSshRoot"`
-	EnableSSHSFTP                 bool   `json:"enableSshSftp"`
-	EnableSSHLocalPortForwarding  bool   `json:"enableSshLocalPortForwarding"`
-	EnableSSHRemotePortForwarding bool   `json:"enableSshRemotePortForwarding"`
-	DisableSSHAuth                bool   `json:"disableSshAuth"`
-	SSHJWTCacheTTL                int32  `json:"sshJwtCacheTtl"`
+	ManagementURL                 string  `json:"managementUrl"`
+	AdminURL                      string  `json:"adminUrl"`
+	ConfigFile                    string  `json:"configFile"`
+	LogFile                       string  `json:"logFile"`
+	PreSharedKey                  string  `json:"preSharedKey"`
+	InterfaceName                 string  `json:"interfaceName"`
+	WireguardPort                 int64   `json:"wireguardPort"`
+	MTU                           int64   `json:"mtu"`
+	DisableAutoConnect            bool    `json:"disableAutoConnect"`
+	ServerSSHAllowed              bool    `json:"serverSshAllowed"`
+	RosenpassEnabled              bool    `json:"rosenpassEnabled"`
+	RosenpassPermissive           bool    `json:"rosenpassPermissive"`
+	DisableNotifications          bool    `json:"disableNotifications"`
+	LazyConnectionEnabled         bool    `json:"lazyConnectionEnabled"`
+	BlockInbound                  bool    `json:"blockInbound"`
+	NetworkMonitor                bool    `json:"networkMonitor"`
+	DisableClientRoutes           bool    `json:"disableClientRoutes"`
+	DisableServerRoutes           bool    `json:"disableServerRoutes"`
+	DisableDNS                    bool    `json:"disableDns"`
+	DisableIPv6                   bool    `json:"disableIpv6"`
+	BlockLANAccess                bool    `json:"blockLanAccess"`
+	EnableSSHRoot                 bool    `json:"enableSshRoot"`
+	EnableSSHSFTP                 bool    `json:"enableSshSftp"`
+	EnableSSHLocalPortForwarding  bool    `json:"enableSshLocalPortForwarding"`
+	EnableSSHRemotePortForwarding bool    `json:"enableSshRemotePortForwarding"`
+	DisableSSHAuth                bool    `json:"disableSshAuth"`
+	SSHJWTCacheTTL                int32   `json:"sshJwtCacheTtl"`
 }
 
 // SetConfigParams is a partial update — only fields with non-nil pointers
@@ -108,6 +80,14 @@ type SetConfigParams struct {
 	SSHJWTCacheTTL                *int32  `json:"sshJwtCacheTtl,omitempty"`
 }
 
+// Features reports which UI surfaces the daemon has disabled. The Fyne UI uses
+// these flags to grey out menu items the operator turned off server-side.
+type Features struct {
+	DisableProfiles       bool `json:"disableProfiles"`
+	DisableUpdateSettings bool `json:"disableUpdateSettings"`
+	DisableNetworks       bool `json:"disableNetworks"`
+}
+
 // Settings groups the daemon RPCs that read and write the daemon config.
 type Settings struct {
 	conn DaemonConn
@@ -134,7 +114,7 @@ func (s *Settings) GetConfig(ctx context.Context, p ConfigParams) (Config, error
 		AdminURL:                      resp.GetAdminURL(),
 		ConfigFile:                    resp.GetConfigFile(),
 		LogFile:                       resp.GetLogFile(),
-		PreSharedKeySet:               resp.GetPreSharedKey() != "",
+		PreSharedKey:                  resp.GetPreSharedKey(),
 		InterfaceName:                 resp.GetInterfaceName(),
 		WireguardPort:                 resp.GetWireguardPort(),
 		MTU:                           resp.GetMtu(),
@@ -199,47 +179,18 @@ func (s *Settings) SetConfig(ctx context.Context, p SetConfigParams) error {
 	return err
 }
 
-// MDM + Features Restrictions
-func (s *Settings) GetRestrictions(ctx context.Context) (Restrictions, error) {
+func (s *Settings) GetFeatures(ctx context.Context) (Features, error) {
 	cli, err := s.conn.Client()
 	if err != nil {
-		return Restrictions{}, err
+		return Features{}, err
 	}
-	cfgResp, err := cli.GetConfig(ctx, &proto.GetConfigRequest{})
+	resp, err := cli.GetFeatures(ctx, &proto.GetFeaturesRequest{})
 	if err != nil {
-		return Restrictions{}, err
+		return Features{}, err
 	}
-	featResp, err := cli.GetFeatures(ctx, &proto.GetFeaturesRequest{})
-	if err != nil {
-		return Restrictions{}, err
-	}
-	r := Restrictions{
-		Features: Features{
-			DisableProfiles:       featResp.GetDisableProfiles(),
-			DisableNetworks:       featResp.GetDisableNetworks(),
-			DisableUpdateSettings: featResp.GetDisableUpdateSettings(),
-		},
-	}
-	managed := cfgResp.GetMDMManagedFields()
-	if len(managed) > 0 {
-		set := make(map[string]struct{}, len(managed))
-		for _, k := range managed {
-			set[k] = struct{}{}
-		}
-		v := reflect.ValueOf(&r.MDM).Elem()
-		t := v.Type()
-		for i := 0; i < t.NumField(); i++ {
-			if v.Field(i).Kind() != reflect.Bool {
-				continue
-			}
-			if _, ok := set[t.Field(i).Tag.Get("json")]; ok {
-				v.Field(i).SetBool(true)
-			}
-		}
-		if _, ok := set["managementURL"]; ok {
-			r.MDM.ManagementURL = cfgResp.GetManagementUrl()
-		}
-	}
-	r.MDM.DisableAdvancedView = featResp.GetDisableAdvancedView()
-	return r, nil
+	return Features{
+		DisableProfiles:       resp.GetDisableProfiles(),
+		DisableUpdateSettings: resp.GetDisableUpdateSettings(),
+		DisableNetworks:       resp.GetDisableNetworks(),
+	}, nil
 }

client/ui/services/windowmanager.go

@@ -145,17 +145,17 @@ func DialogWindowOptions(name, title, url string, linuxIcon []byte) application.
 // than hiding means the macOS dock-reopen handler doesn't find a hidden
 // window to resurrect.
 type WindowManager struct {
-	app               *application.App
-	mainWindow        *application.WebviewWindow
-	translator        ErrorTranslator
-	prefs             LanguagePreference
-	linuxIcon         []byte
-	settings          *application.WebviewWindow
-	browserLogin      *application.WebviewWindow
+	app                  *application.App
+	mainWindow           *application.WebviewWindow
+	translator           ErrorTranslator
+	prefs                LanguagePreference
+	linuxIcon            []byte
+	settings             *application.WebviewWindow
+	browserLogin         *application.WebviewWindow
 	sessionExpiration *application.WebviewWindow
-	installProgress   *application.WebviewWindow
-	welcome           *application.WebviewWindow
-	errorDialog       *application.WebviewWindow
+	installProgress      *application.WebviewWindow
+	welcome              *application.WebviewWindow
+	errorDialog          *application.WebviewWindow
 	// hiddenForLogin remembers windows that were visible when the
 	// BrowserLogin popup opened. They were Hide()n to keep focus on the
 	// SSO flow without resorting to AlwaysOnTop, and are restored when

client/ui/tray.go

@@ -33,7 +33,6 @@ const (
 	notifyIDUpdatePrefix = "netbird-update-"
 	notifyIDEvent        = "netbird-event-"
 	notifyIDTrayError    = "netbird-tray-error"
-	notifyIDMDMPolicy    = "netbird-mdm-policy"
 
 	statusError = "Error"
 
@@ -89,15 +88,13 @@ type Tray struct {
 	// language switch.
 	loc *Localizer
 
-	// menu and the *Item/*Submenu fields below are reassigned by buildMenu
-	// on every relayout — touch them only with menuMu held. Exceptions:
-	// the Connect/Disconnect OnClick closures capture their own item, and
-	// refreshSessionExpiresLabel snapshots its item under menuMu.
 	menu       *application.Menu
 	statusItem *application.MenuItem
 	// sessionExpiresItem displays the SSO session deadline as a humanised
-	// remaining-time label ("Session: 47m"). Painted by relayoutMenu from
-	// the sessionMu cache; a 30s ticker keeps the countdown moving.
+	// remaining-time label ("Session: 47m"). Hidden when no deadline is
+	// tracked (non-SSO peer or login-expiration disabled on the account).
+	// Refreshed by applyStatus on every Status push and by a 1-minute
+	// ticker between pushes so the countdown moves naturally.
 	sessionExpiresItem *application.MenuItem
 	upItem             *application.MenuItem
 	downItem           *application.MenuItem
@@ -182,10 +179,11 @@ type Tray struct {
 	profiles     []services.Profile
 	profilesUser string
 
-	// menuMu serialises relayoutMenu (buildMenu + SetMenu) and guards the
-	// menu/item-pointer fields above. relayoutMenu is the only post-startup
-	// SetMenu call site — a menu snapshot pushed outside the lock could
-	// reinstall a stale tree.
+	// menuMu serialises relayoutMenu — the full buildMenu + SetMenu cycle.
+	// loadProfiles (under profileLoadMu) and refreshExitNodes (under
+	// exitNodesRebuildMu) both drive a relayout from independent mutexes, and
+	// applyLanguage drives one from the Localizer goroutine; without this guard
+	// two relayouts could interleave their t.menu swap and SetMenu push.
 	menuMu sync.Mutex
 
 	// exitNodesMu guards the t.exitNodes row cache so reading the cached
@@ -201,16 +199,6 @@ type Tray struct {
 	// succession and each may kick a refresh, but the ListNetworks fetch +
 	// submenu rebuild + SetMenu must not run concurrently with itself.
 	exitNodesRebuildMu sync.Mutex
-
-	// featureMu guards the daemon feature kill switches mirrored on the
-	// tray. Fetched once at startup and refreshed on every config_changed
-	// system event (the daemon re-applies MDM policy on each engine spawn
-	// and signals it via that event). Folded into the Profiles and Exit
-	// Node menu enablement by featuresDisabled so an operator- or
-	// MDM-disabled surface greys out without a periodic GetFeatures poll.
-	featureMu       sync.Mutex
-	disableProfiles bool
-	disableNetworks bool
 }
 
 func NewTray(app *application.App, window *application.WebviewWindow, svc TrayServices) *Tray {
@@ -243,18 +231,21 @@ func NewTray(app *application.App, window *application.WebviewWindow, svc TraySe
 	}
 	t.menu = t.buildMenu()
 	t.tray.SetMenu(t.menu)
-	// Left-click on the tray icon opens the menu, and the window is reached
-	// through the explicit "Open NetBird" entry. This matches macOS
-	// NSStatusItem convention (click → menu), the Linux StatusNotifierItem
-	// spec, and the legacy Fyne client. macOS and Linux give us click→menu
-	// natively, so bindTrayClick is a no-op there (binding OnClick→OpenMenu
-	// on macOS would freeze the tray — see tray_click_other.go). Windows has
-	// no native left-click handler, so bindTrayClick wires one explicitly
-	// (see tray_click_windows.go). On Linux we deliberately skip AttachWindow:
-	// it plus Wails3's applySmartDefaults would pop the window alongside the
-	// menu on environments like GNOME Shell with the AppIndicator extension.
-	// Right-click opens the menu through Wails' default rightClickHandler on
-	// every platform.
+	// Tray click behaviour is per-platform (see tray_click_{linux,windows,
+	// other}.go), bound here by bindTrayClick:
+	//   - macOS: no-op. NSStatusItem opens the menu on left-click natively;
+	//     binding OnClick→OpenMenu there froze the tray (blocking mouseDown:
+	//     starves the main GCD queue — see tray_click_windows.go).
+	//   - Windows: left-click opens the menu, double-click opens the window
+	//     (Wails' Windows systray has no useful default left-click handler).
+	//   - Linux: left-click opens the main window via ShowWindow(); the menu
+	//     is reached by right-click (Wails' SecondaryActivate→OpenMenu, and
+	//     the XEmbed GTK popup on minimal WMs). Both the real-SNI-host and the
+	//     in-process-watcher/XEmbed paths route left-click through Wails'
+	//     linuxSystemTray.Activate, so one OnClick covers both. We deliberately
+	//     skip AttachWindow on Linux: it plus Wails3's applySmartDefaults would
+	//     pop the window alongside the menu on GNOME Shell + AppIndicator.
+	// The explicit "Open NetBird" menu entry still opens the window everywhere.
 	bindTrayClick(t)
 
 	app.Event.On(services.EventStatusSnapshot, t.onStatusEvent)
@@ -273,10 +264,6 @@ func NewTray(app *application.App, window *application.WebviewWindow, svc TraySe
 	// nil-deref).
 	app.Event.OnApplicationEvent(events.Common.ApplicationStarted, func(*application.ApplicationEvent) {
 		go t.loadProfiles()
-		// Seed the feature kill switches so a DisableProfiles / DisableNetworks
-		// policy already greys out the matching menus on the first paint
-		// (config_changed events refresh them afterwards).
-		go t.refreshRestrictions()
 		go t.runSessionExpiryTicker()
 		// Notification-category registration must run after the Wails
 		// notifications service Startup has populated wn.appName /
@@ -392,8 +379,6 @@ func (t *Tray) relayoutMenu() {
 	exitNodeEntries := append([]exitNodeEntry(nil), t.exitNodes...)
 	t.exitNodesMu.Unlock()
 
-	disableProfiles, disableNetworks := t.featuresDisabled()
-
 	daemonUnavailable := strings.EqualFold(lastStatus, services.StatusDaemonUnavailable)
 	connecting := strings.EqualFold(lastStatus, services.StatusConnecting)
 
@@ -412,24 +397,21 @@ func (t *Tray) relayoutMenu() {
 		}
 	}
 	if t.upItem != nil {
-		// Connect stays visible in the NeedsLogin states too — Up drives
-		// the SSO re-auth flow; hidden only when it would be a no-op.
 		t.upItem.SetHidden(connected || connecting || daemonUnavailable)
 		t.upItem.SetEnabled(!connected && !connecting && !daemonUnavailable)
 	}
 	if t.downItem != nil {
-		// Disconnect doubles as the abort path while still Connecting.
 		t.downItem.SetHidden(!connected && !connecting)
 		t.downItem.SetEnabled(connected || connecting)
 	}
 	if t.exitNodeItem != nil {
-		t.exitNodeItem.SetEnabled(connected && len(exitNodeEntries) > 0 && !disableNetworks)
+		t.exitNodeItem.SetEnabled(connected && len(exitNodeEntries) > 0)
 	}
 	if t.settingsItem != nil {
 		t.settingsItem.SetEnabled(!daemonUnavailable)
 	}
 	if t.profileSubmenuItem != nil {
-		t.profileSubmenuItem.SetEnabled(!daemonUnavailable && !disableProfiles)
+		t.profileSubmenuItem.SetEnabled(!daemonUnavailable)
 	}
 	if daemonVersion != "" && t.daemonVersionItem != nil {
 		t.daemonVersionItem.SetLabel(t.loc.T("tray.menu.daemonVersion", "version", daemonVersion))
@@ -472,16 +454,11 @@ func (t *Tray) buildMenu() *application.Menu {
 	menu.AddSeparator()
 
 	// Only the action that applies to the current state is visible: Connect
-	// when disconnected, Disconnect when connected. The OnClick closures
-	// capture the local item — t.upItem/t.downItem are menuMu-guarded and
-	// must not be read from the click goroutine.
-	upItem := menu.Add(t.loc.T("tray.menu.connect"))
-	upItem.OnClick(func(*application.Context) { t.handleConnect(upItem) })
-	t.upItem = upItem
-	downItem := menu.Add(t.loc.T("tray.menu.disconnect"))
-	downItem.OnClick(func(*application.Context) { t.handleDisconnect(downItem) })
-	downItem.SetHidden(true)
-	t.downItem = downItem
+	// when disconnected, Disconnect when connected. applyStatus swaps them on
+	// each daemon status change.
+	t.upItem = menu.Add(t.loc.T("tray.menu.connect")).OnClick(func(*application.Context) { t.handleConnect() })
+	t.downItem = menu.Add(t.loc.T("tray.menu.disconnect")).OnClick(func(*application.Context) { t.handleDisconnect() })
+	t.downItem.SetHidden(true)
 
 	menu.AddSeparator()
 
@@ -593,9 +570,7 @@ func (t *Tray) buildMenu() *application.Menu {
 	return menu
 }
 
-// handleConnect receives the clicked item from the buildMenu closure —
-// t.upItem is menuMu-guarded and must not be read here.
-func (t *Tray) handleConnect(upItem *application.MenuItem) {
+func (t *Tray) handleConnect() {
 	// NeedsLogin/SessionExpired/LoginFailed mean the daemon won't honor a
 	// plain Up RPC ("up already in progress: current status NeedsLogin") —
 	// it needs the Login → WaitSSOLogin → Up sequence instead. Emit
@@ -612,7 +587,7 @@ func (t *Tray) handleConnect(upItem *application.MenuItem) {
 		t.app.Event.Emit(services.EventTriggerLogin)
 		return
 	}
-	upItem.SetEnabled(false)
+	t.upItem.SetEnabled(false)
 	// Arm the SSO auto-handoff: Up() is async and the daemon may flip to
 	// NeedsLogin once it detects an SSO peer with no cached token. The
 	// flag is consumed by applyStatus on that transition, which then
@@ -630,7 +605,7 @@ func (t *Tray) handleConnect(upItem *application.MenuItem) {
 			t.statusMu.Lock()
 			t.pendingConnectLogin = false
 			t.statusMu.Unlock()
-			upItem.SetEnabled(true)
+			t.upItem.SetEnabled(true)
 		}
 	}()
 }
@@ -641,9 +616,8 @@ func (t *Tray) handleConnect(upItem *application.MenuItem) {
 // no-op. Also clears Peers' optimistic-Connecting guard so the daemon's
 // Idle push (and any subsequent updates) paint through immediately
 // instead of being swallowed by the profile-switch suppression filter.
-// Receives the clicked item from the buildMenu closure (see handleConnect).
-func (t *Tray) handleDisconnect(downItem *application.MenuItem) {
-	downItem.SetEnabled(false)
+func (t *Tray) handleDisconnect() {
+	t.downItem.SetEnabled(false)
 	t.profileMu.Lock()
 	if t.switchCancel != nil {
 		t.switchCancel()
@@ -655,7 +629,7 @@ func (t *Tray) handleDisconnect(downItem *application.MenuItem) {
 		if err := t.svc.Connection.Down(context.Background()); err != nil {
 			log.Errorf("disconnect: %v", err)
 			t.notifyError(t.loc.T("notify.error.disconnect"))
-			downItem.SetEnabled(true)
+			t.downItem.SetEnabled(true)
 		}
 	}()
 }

client/ui/tray_click_linux.go

@@ -0,0 +1,31 @@
+//go:build linux && !(linux && 386)
+
+package main
+
+// bindTrayClick wires the tray icon's left-click handler on Linux.
+//
+// Both Linux click paths converge on Wails' linuxSystemTray.Activate, which
+// fires the registered clickHandler:
+//   - Real SNI hosts (KDE Plasma, Waybar, GNOME Shell + AppIndicator) invoke
+//     org.kde.StatusNotifierItem.Activate over D-Bus on left-click.
+//   - The in-process StatusNotifierWatcher + XEmbed host used on minimal WMs
+//     (Fluxbox, i3, dwm, OpenBox) maps a Button1 press to that same Activate
+//     call itself (xembed_host_linux.go), so it routes through the same hook.
+// Registering OnClick here therefore covers both paths with one handler — no
+// changes to the watcher or XEmbed C code are needed. Left-click now opens the
+// main window; right-click still opens the menu via Wails' default
+// SecondaryActivate→OpenMenu handler (and the XEmbed GTK popup on minimal WMs).
+//
+// We do NOT register OnDoubleClick: Wails' Linux SNI backend never fires it
+// (unlike Windows). And we deliberately skip AttachWindow — it plus Wails3's
+// applySmartDefaults would pop the window alongside the menu on GNOME Shell
+// with the AppIndicator extension (see the bindTrayClick comment in tray.go).
+//
+// ShowWindow() is the same dispatcher the explicit "Open NetBird" menu entry
+// and SIGUSR1 use: it brings the install-progress / browser-login window
+// forward when one of those flows is active, otherwise routes through
+// WindowManager.ShowMain so the window re-centers on minimal WMs / the XEmbed
+// path instead of landing in the top-left corner.
+func bindTrayClick(t *Tray) {
+	t.tray.OnClick(func() { t.ShowWindow() })
+}

client/ui/tray_click_other.go

@@ -1,8 +1,13 @@
-//go:build !windows && !android && !ios && !freebsd && !js
+//go:build !windows && !android && !ios && !freebsd && !js && (!linux || (linux && 386))
 
 package main
 
 func bindTrayClick(*Tray) {
-	// No-op: macOS/Linux native trays open the menu on click themselves.
-	// Only Windows needs an explicit handler (tray_click_windows.go).
+	// No-op: macOS's native NSStatusItem opens the menu on click itself, and
+	// binding OnClick→anything blocking there froze the tray historically
+	// (see tray_click_windows.go). Windows wires an explicit handler
+	// (tray_click_windows.go); Linux opens the window on left-click
+	// (tray_click_linux.go). The (linux && 386) arm keeps a no-op fallback for
+	// the i386 Linux build, which excludes the cgo XEmbed/SNI files that
+	// tray_click_linux.go's build tag matches.
 }

client/ui/tray_events.go

@@ -6,10 +6,8 @@ import (
 	"fmt"
 	"strings"
 
-	log "github.com/sirupsen/logrus"
 	"github.com/wailsapp/wails/v3/pkg/application"
 
-	"github.com/netbirdio/netbird/client/proto"
 	"github.com/netbirdio/netbird/client/ui/authsession"
 	"github.com/netbirdio/netbird/client/ui/services"
 )
@@ -24,39 +22,6 @@ func (t *Tray) onSystemEvent(ev *application.CustomEvent) {
 	if !ok {
 		return
 	}
-	// config_changed: the daemon re-applied its effective config (engine
-	// spawn, Up, or MDM policy diff) and signals the UI to re-sync. It
-	// carries no UserMessage, so it must be handled before the user-facing
-	// message gate below. Re-fetch the feature kill switches (DisableProfiles
-	// / DisableNetworks) and the notifications gate so CLI- or MDM-driven
-	// changes reflect in the tray without a periodic poll. This replaces the
-	// legacy Fyne UI's 2s GetFeatures poll.
-	if se.Category == "system" && se.Metadata[proto.MetadataTypeKey] == proto.MetadataTypeConfigChanged {
-		log.Infof("config_changed event received (source=%s); refreshing tray restrictions", se.Metadata[proto.MetadataSourceKey])
-		go t.refreshRestrictions()
-		go t.loadConfig()
-		// An MDM-driven config change gets a user-facing toast so the
-		// operator knows their IT policy was applied. The daemon also
-		// emits a separate "policy_applied" event carrying an English
-		// UserMessage, but that text has no locale context — it's
-		// suppressed in shouldSkipSystemEvent and the tray builds the
-		// localised toast here instead. Other sources (startup, up_rpc)
-		// stay silent, matching the daemon's empty-UserMessage intent.
-		// Gated by the notifications toggle like every other INFO event.
-		if se.Metadata[proto.MetadataSourceKey] == proto.MetadataSourceMDM {
-			t.profileMu.Lock()
-			enabled := t.notificationsEnabled
-			t.profileMu.Unlock()
-			if enabled {
-				t.notify(
-					t.loc.T("notify.mdm.policyApplied.title"),
-					t.loc.T("notify.mdm.policyApplied.body"),
-					notifyIDMDMPolicy,
-				)
-			}
-		}
-		return
-	}
 	// Session-warning and deadline-rejected events carry no UserMessage —
 	// the tray builds the localised notification body locally from metadata.
 	// Every other event needs a non-empty UserMessage to show anything meaningful.
@@ -147,13 +112,6 @@ func titleCase(s string) string {
 //     partner already drove the user-facing toast, so the v6 row is
 //     suppressed to avoid a duplicate notification)
 func shouldSkipSystemEvent(se services.SystemEvent) bool {
-	// The daemon's MDM "policy_applied" event carries a hardcoded English
-	// UserMessage. The tray shows its own localised toast on the paired
-	// config_changed (source=mdm) event instead, so drop this one to avoid
-	// a duplicate, non-localised notification.
-	if se.Metadata[proto.MetadataTypeKey] == proto.MetadataTypePolicyApplied {
-		return true
-	}
 	if _, isUpdate := se.Metadata["new_version_available"]; isUpdate {
 		return true
 	}

client/ui/tray_features.go

@@ -1,47 +0,0 @@
-//go:build !android && !ios && !freebsd && !js
-
-package main
-
-import (
-	"context"
-
-	log "github.com/sirupsen/logrus"
-)
-
-// refreshRestrictions pulls the daemon's operator-disabled UI surfaces
-// (DisableProfiles / DisableNetworks) and re-applies the tray menu gating.
-// Called once at startup (ApplicationStarted) and on every config_changed
-// system event — the daemon re-applies its MDM policy on each engine spawn
-// and emits that event, so this is the tray's signal to re-sync the kill
-// switches.
-func (t *Tray) refreshRestrictions() {
-	r, err := t.svc.Settings.GetRestrictions(context.Background())
-	if err != nil {
-		log.Debugf("get restrictions: %v", err)
-		return
-	}
-	t.featureMu.Lock()
-	changed := t.disableProfiles != r.Features.DisableProfiles ||
-		t.disableNetworks != r.Features.DisableNetworks
-	t.disableProfiles = r.Features.DisableProfiles
-	t.disableNetworks = r.Features.DisableNetworks
-	t.featureMu.Unlock()
-	// Repaint only when a flag actually flipped: relayoutMenu rebuilds the
-	// whole menu tree, so a no-op refresh (the common case) must not churn
-	// it. relayoutMenu and fillProfileSubmenu read the cached flags via
-	// featuresDisabled, so the new state applies regardless of which relayout
-	// (this one, a status push, or a profile reload) runs last.
-	if changed {
-		t.relayoutMenu()
-	}
-}
-
-// featuresDisabled returns the cached DisableProfiles / DisableNetworks kill
-// switches under featureMu. Read by relayoutMenu, refreshMenuItemsForStatus,
-// and fillProfileSubmenu to grey out the Profiles and Exit Node menus when
-// the operator (or an MDM policy) disabled those surfaces server-side.
-func (t *Tray) featuresDisabled() (profiles, networks bool) {
-	t.featureMu.Lock()
-	defer t.featureMu.Unlock()
-	return t.disableProfiles, t.disableNetworks
-}

client/ui/tray_profiles.go

@@ -54,6 +54,9 @@ func (t *Tray) loadConfig() {
 // into the live submenu) is what makes KDE/Plasma actually repaint and keep
 // the click→id mapping live — see relayoutMenu's doc comment.
 func (t *Tray) loadProfiles() {
+	if t.profileSubmenu == nil {
+		return
+	}
 	t.profileLoadMu.Lock()
 	defer t.profileLoadMu.Unlock()
 	ctx := context.Background()
@@ -93,13 +96,6 @@ func (t *Tray) fillProfileSubmenu() {
 
 	sort.Slice(profiles, func(i, j int) bool { return profiles[i].Name < profiles[j].Name })
 
-	// When the daemon (or an MDM policy) disables profiles, the parent menu
-	// is greyed out by relayoutMenu/refreshMenuItemsForStatus, but Wails'
-	// systray does not reliably propagate a disabled parent to its children
-	// on every platform — so disable each row and "Manage Profiles" too,
-	// mirroring the legacy Fyne UI's profile.setEnabled lock.
-	disableProfiles, _ := t.featuresDisabled()
-
 	t.profileSubmenu.Clear()
 	var activeName, activeEmail string
 	for _, p := range profiles {
@@ -122,18 +118,15 @@ func (t *Tray) fillProfileSubmenu() {
 			}
 			t.switchProfile(name)
 		})
-		item.SetEnabled(!disableProfiles)
 		if active {
 			activeName = name
 			activeEmail = p.Email
 		}
 	}
 	t.profileSubmenu.AddSeparator()
-	manageProfiles := t.profileSubmenu.Add(t.loc.T("tray.menu.manageProfiles"))
-	manageProfiles.OnClick(func(*application.Context) {
+	t.profileSubmenu.Add(t.loc.T("tray.menu.manageProfiles")).OnClick(func(*application.Context) {
 		t.svc.WindowManager.OpenSettings("profiles")
 	})
-	manageProfiles.SetEnabled(!disableProfiles)
 	log.Infof("tray fillProfileSubmenu: %d profile(s) for user %q, active=%q", len(profiles), username, activeName)
 	if t.profileSubmenuItem != nil && activeName != "" {
 		t.profileSubmenuItem.SetLabel(activeName)

client/ui/tray_session.go

@@ -50,10 +50,11 @@ func (t *Tray) handleSessionExpired() {
 	}
 }
 
-// applySessionExpiry refreshes the cached SSO deadline and reports whether
-// it changed. Cache-only — the tray row is painted by relayoutMenu;
-// applyStatus drives a relayout when this returns true.
-func (t *Tray) applySessionExpiry(deadline *time.Time, connected bool) bool {
+// applySessionExpiry refreshes the "Session: 47m" tray row from the latest
+// SSO deadline carried on the Status snapshot. Hidden when no deadline is
+// tracked or the tunnel is down; otherwise renders the remaining time via
+// formatSessionRemaining.
+func (t *Tray) applySessionExpiry(deadline *time.Time, connected bool) {
 	var d time.Time
 	if connected && deadline != nil {
 		d = *deadline
@@ -75,7 +76,17 @@ func (t *Tray) applySessionExpiry(deadline *time.Time, connected bool) bool {
 				deadline.Format(time.RFC3339), time.Until(*deadline), connected)
 		}
 	}
-	return changed
+
+	if t.sessionExpiresItem == nil {
+		return
+	}
+	if d.IsZero() {
+		t.sessionExpiresItem.SetHidden(true)
+		return
+	}
+	remaining := t.formatSessionRemaining(time.Until(d))
+	t.sessionExpiresItem.SetLabel(t.loc.T("tray.session.expiresIn", "remaining", remaining))
+	t.sessionExpiresItem.SetHidden(false)
 }
 
 // runSessionExpiryTicker keeps the "Expires in …" countdown row fresh by
@@ -88,15 +99,10 @@ func (t *Tray) runSessionExpiryTicker() {
 	}
 }
 
-// refreshSessionExpiresLabel recomputes the countdown row label from the
-// cached SSO deadline. The item is snapshotted under menuMu (buildMenu
-// reassigns it on every relayout); no full relayout here — a 30s-cadence
-// rebuild could disturb an open menu.
+// refreshSessionExpiresLabel recomputes the "Session expires in …" tray
+// row label from the cached SSO deadline.
 func (t *Tray) refreshSessionExpiresLabel() {
-	t.menuMu.Lock()
-	item := t.sessionExpiresItem
-	t.menuMu.Unlock()
-	if item == nil {
+	if t.sessionExpiresItem == nil {
 		return
 	}
 	t.sessionMu.Lock()
@@ -106,7 +112,7 @@ func (t *Tray) refreshSessionExpiresLabel() {
 		return
 	}
 	remaining := t.formatSessionRemaining(time.Until(deadline))
-	item.SetLabel(t.loc.T("tray.session.expiresIn", "remaining", remaining))
+	t.sessionExpiresItem.SetLabel(t.loc.T("tray.session.expiresIn", "remaining", remaining))
 }
 
 // formatSessionRemaining renders the time-to-deadline as a localised

client/ui/tray_status.go

@@ -58,19 +58,9 @@ func (t *Tray) applyStatus(st services.Status) {
 		t.app.Event.Emit(services.EventTriggerLogin)
 	}
 
-	// Cache-only; the row is painted by the relayout below.
-	sessionChanged := t.applySessionExpiry(st.SessionExpiresAt, connected)
-
 	if iconChanged {
 		t.applyIcon()
-	}
-	// All repainting goes through relayoutMenu (menuMu-serialised, paints
-	// from the caches committed above): applyStatus runs concurrently with
-	// itself and with relayouts (Wails dispatches listeners on fresh
-	// goroutines), so in-place item mutation here would race the buildMenu
-	// pointer swap.
-	if iconChanged || daemonVersionChanged || sessionChanged {
-		t.relayoutMenu()
+		t.refreshMenuItemsForStatus(st, connected)
 	}
 	// Re-fetch the selectable exit-node list whenever the daemon's routed-
 	// networks revision bumps (a route candidate added/removed, or a selection
@@ -81,14 +71,18 @@ func (t *Tray) applyStatus(st services.Status) {
 	if iconChanged || revisionChanged {
 		go t.refreshExitNodes()
 	}
-	// The daemon emits no active-profile event, so profile flips driven
-	// elsewhere (CLI, autoconnect) surface via status transitions.
-	if iconChanged {
-		go t.loadProfiles()
+	if daemonVersionChanged && t.daemonVersionItem != nil {
+		// The version row lives in the About submenu, which KDE/Plasma caches on
+		// first open and never re-fetches on a plain SetLabel (see relayoutMenu's
+		// doc comment). Drive a full relayout so the new version actually paints.
+		// relayoutMenu repaints the label from the cached lastDaemonVersion.
+		t.relayoutMenu()
 	}
 	if sessionExpiredEnter {
 		t.handleSessionExpired()
 	}
+
+	t.applySessionExpiry(st.SessionExpiresAt, connected)
 }
 
 // consumePendingConnectLogin acts on the SSO auto-handoff flag armed by
@@ -117,14 +111,83 @@ func (t *Tray) consumePendingConnectLogin(status string) bool {
 	return false
 }
 
-// applyStatusIndicator sets the coloured status dot. Called only from
-// relayoutMenu (menuMu held): on macOS the bitmap repaints via the
-// relayout's trailing SetMenu — no SetMenu here, the tree is half-built.
+// refreshMenuItemsForStatus updates the status row, Connect/Disconnect
+// enablement, Settings/Profiles gating, and Profiles submenu on a status-text
+// transition (called from applyStatus only when iconChanged).
+func (t *Tray) refreshMenuItemsForStatus(st services.Status, connected bool) {
+	daemonUnavailable := strings.EqualFold(st.Status, services.StatusDaemonUnavailable)
+	connecting := strings.EqualFold(st.Status, services.StatusConnecting)
+	if t.statusItem != nil {
+		// Label-only: row is informational (no OnClick). Enablement
+		// is platform-dependent via statusRowEnabled — Windows
+		// keeps it enabled so the Win32 disabled-state mask does
+		// not desaturate the coloured dot; macOS/Linux disable it.
+		// Swap the displayed text so the user sees a familiar
+		// phrase instead of the raw daemon enum.
+		t.statusItem.SetLabel(t.loc.StatusLabel(st.Status))
+		t.statusItem.SetEnabled(statusRowEnabled())
+		t.applyStatusIndicator(st.Status)
+	}
+	if t.upItem != nil {
+		// Connect stays visible/clickable in NeedsLogin/SessionExpired/
+		// LoginFailed too — the daemon's Up RPC kicks off the SSO flow
+		// when re-auth is required, mirroring the legacy Fyne client
+		// where the same button drove the initial and the re-login
+		// paths. Hidden only when the action would be a no-op (tunnel
+		// up, daemon mid-connect — Disconnect takes the slot) or
+		// would fail with no useful side effect (daemon unreachable).
+		t.upItem.SetHidden(connected || connecting || daemonUnavailable)
+		t.upItem.SetEnabled(!connected && !connecting && !daemonUnavailable)
+	}
+	if t.downItem != nil {
+		// Disconnect is the abort path while the daemon is still
+		// retrying the management dial — without it the user has no
+		// way to stop the loop short of killing the daemon.
+		t.downItem.SetHidden(!connected && !connecting)
+		t.downItem.SetEnabled(connected || connecting)
+	}
+	// Exit Node parent-item enablement (greyed unless the tunnel is up
+	// AND at least one candidate exists) is owned by refreshExitNodes,
+	// triggered by applyStatus on this same transition. Settings just needs
+	// the daemon socket reachable.
+	if t.settingsItem != nil {
+		t.settingsItem.SetEnabled(!daemonUnavailable)
+	}
+	if t.profileSubmenuItem != nil {
+		t.profileSubmenuItem.SetEnabled(!daemonUnavailable)
+	}
+	// Refresh the Profiles submenu on every status-text transition: the
+	// daemon does not emit an active-profile event, so the startup race
+	// (UI loads profiles before autoconnect picks the persisted profile)
+	// and a CLI "profile select && up" both surface here. loadProfiles
+	// fetches the rows and drives a full relayoutMenu (serialised by menuMu),
+	// so it cannot race the SetHidden/SetEnabled writes on the static items
+	// above — the Wails 3 alpha menu API is not goroutine-safe and reads
+	// item.disabled/item.hidden at NSMenuItem construction time.
+	go t.loadProfiles()
+}
+
+// applyStatusIndicator sets the small coloured dot shown on the status
+// menu entry. The dot mirrors the tray icon's state through a fixed
+// palette: green for Connected, yellow for Connecting, blue for the
+// login states, red for hard errors, grey for the idle/disconnected
+// pair and a darker grey when the daemon socket is unreachable.
+//
+// Wails v3 alpha's setMenuItemBitmap calls NSMenuItem.setImage from
+// whichever thread invoked SetBitmap — unlike setMenuItemLabel/Disabled/
+// Hidden/Checked which dispatch_sync onto the main queue. The off-thread
+// AppKit call leaves the visible dot stale until the next time the menu
+// is reopened (close+reopen workaround). Rebuilding via tray.SetMenu
+// reruns processMenu inside InvokeSync, so the bitmap is applied to a
+// fresh NSMenuItem on the main thread and macOS picks it up.
 func (t *Tray) applyStatusIndicator(status string) {
 	if t.statusItem == nil {
 		return
 	}
 	t.statusItem.SetBitmap(statusIndicatorBitmap(status))
+	if t.menu != nil {
+		t.tray.SetMenu(t.menu)
+	}
 }
 
 func statusIndicatorBitmap(status string) []byte {

client/ui/uilogpath.go

@@ -1,41 +0,0 @@
-//go:build !android && !ios && !freebsd && !js
-
-package main
-
-import (
-	"os"
-	"path/filepath"
-
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/client/ui/guilog"
-)
-
-// uiLogFileName is the base name of the GUI's log. Rotated siblings
-// (gui-client.log.*, *.gz) share the prefix; the daemon's debug bundle globs
-// "gui-client*.log.*" to collect them (see addUILog in client/internal/debug).
-const uiLogFileName = "gui-client.log"
-
-// uiLogPath resolves os.UserConfigDir()/netbird/gui-client.log — the per-OS-user
-// path the GUI writes its log to while the daemon is in debug, and the path it
-// registers with the daemon for debug-bundle collection. Native separators are
-// preserved (the daemon os.Open()s this path).
-func uiLogPath() (string, error) {
-	dir, err := os.UserConfigDir()
-	if err != nil {
-		return "", err
-	}
-	return filepath.Join(dir, "netbird", uiLogFileName), nil
-}
-
-// newDebugLog builds the GUI debug log. userSetLogFile disables it (manual
-// --log-file override). If the config dir can't be resolved it's created
-// disabled, so the GUI keeps working without file logging.
-func newDebugLog(userSetLogFile bool) *guilog.DebugLog {
-	path, err := uiLogPath()
-	if err != nil {
-		log.Warnf("resolve GUI log path: %v; GUI file logging disabled", err)
-		return guilog.NewDebugLog("", false)
-	}
-	return guilog.NewDebugLog(path, !userSetLogFile)
-}

docs/io.netbird.client.plist

@@ -1,133 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<!--
-    NetBird MDM preferences (macOS) — bare plist for MDM platforms that
-    accept a managed-preferences plist tied to a bundle identifier
-    (e.g. JumpCloud "Mac Application Custom Settings", Mosyle "Custom
-    Settings", Jamf "Application & Custom Settings" → External
-    Application).
-
-    Bundle identifier (preference domain): io.netbird.client
-
-    The MDM provider will wrap this plist into a Configuration Profile
-    payload of type com.apple.ManagedClient.preferences and push it to
-    target devices via the Apple MDM protocol. The OS materializes the
-    final file at:
-        /Library/Managed Preferences/io.netbird.client.plist
-    which is what the NetBird daemon's client/mdm/policy_darwin.go
-    loader reads on every 1-minute MDM reload tick.
-
-    For MDM platforms that expect a full Configuration Profile instead
-    of a bare plist (Custom Configuration Profile / .mobileconfig upload),
-    use docs/netbird-macos.mobileconfig — same keys, additional Payload*
-    envelope.
-
-    Editing this file:
-      - Remove or comment out any key you do NOT want to enforce. The
-        daemon treats an absent key as "no enforcement" for that field.
-      - Keep the document well-formed XML. Validate locally with:
-            plutil -lint docs/io.netbird.client.plist
-      - Keys are camelCase; values are typed (<string>, <true/>, <false/>,
-        <integer>). See docs/src/pages/client/mdm-integration.mdx (the
-        public docs page) for the full reference.
-
-    Persistence caveat:
-      macOS wipes /Library/Managed Preferences/ at every boot on
-      devices that are NOT MDM-enrolled. This plist only sticks across
-      reboots when delivered through a real MDM channel. For local
-      testing on an un-enrolled host, write the file manually as root
-      and accept it will not survive the next boot.
--->
-<plist version="1.0">
-<dict>
-
-    <!-- ===== Identity / auth ===== -->
-    <key>managementURL</key>
-    <string>https://api.netbird.io:443</string>
-
-    <!--
-        Pre-shared key: secret. Remove the entry entirely when not used;
-        do NOT leave an empty <string></string>, which the daemon would
-        otherwise treat as a deliberate empty-PSK enforcement.
-    -->
-    <!--
-    <key>preSharedKey</key>
-    <string>REPLACE_ME</string>
-    -->
-
-    <!-- ===== Engine / runtime behavior =====
-         Each key is optional. Remove or comment out to leave the
-         field unmanaged on the client. -->
-
-    <key>allowServerSSH</key>
-    <true/>
-
-    <!--
-    <key>disableAutoConnect</key>
-    <false/>
-
-    <key>disableClientRoutes</key>
-    <false/>
-
-    <key>disableServerRoutes</key>
-    <false/>
-
-    <key>blockInbound</key>
-    <false/>
-
-    <key>rosenpassEnabled</key>
-    <true/>
-
-    <key>rosenpassPermissive</key>
-    <false/>
-    -->
-
-    <!-- ===== WireGuard UDP port =====
-         Range 1-65535. Omit to keep the daemon default. -->
-    <!--
-    <key>wireguardPort</key>
-    <integer>51820</integer>
-    -->
-
-    <!-- ===== UI / lockdown kill switches =====
-         disableUpdateSettings   : block every config change from UI and CLI
-                                   on this device (Settings view stays
-                                   readable but read-only).
-         disableProfiles         : hide the profile menu, reject profile CRUD.
-         disableNetworks         : hide the Networks / Exit Node menus,
-                                   reject the related RPCs.
-         disableAdvancedView     : hide the advanced-view section of the new
-                                   UI. Tristate at the daemon: set to true to
-                                   hide, false to explicitly show, omit the
-                                   key to let the UI apply its own default.
-         disableMetricsCollection: opt out of anonymous usage telemetry. -->
-    <!--
-    <key>disableUpdateSettings</key>
-    <true/>
-
-    <key>disableProfiles</key>
-    <true/>
-
-    <key>disableNetworks</key>
-    <true/>
-
-    <key>disableAdvancedView</key>
-    <true/>
-
-    <key>disableMetricsCollection</key>
-    <false/>
-    -->
-
-    <!-- ===== Split tunnel =====
-         Android-only at the client level. Safe to ship on macOS for
-         mixed-platform fleets; the macOS daemon parses and ignores. -->
-    <!--
-    <key>splitTunnelMode</key>
-    <string>allow</string>
-
-    <key>splitTunnelApps</key>
-    <string>com.acme.app1,com.acme.app2</string>
-    -->
-
-</dict>
-</plist>

docs/netbird-macos.mobileconfig

@@ -1,161 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<!--
-    NetBird MDM configuration profile (macOS).
-
-    Wraps a `com.apple.ManagedClient.preferences` payload that pushes the
-    NetBird MDM policy into:
-        /Library/Managed Preferences/io.netbird.client.plist
-
-    Read at runtime by the netbird daemon's macOS loader
-    (client/mdm/policy_darwin.go — Phase 2). Key names match the canonical
-    lowerCamelCase form used in docs/netbird.admx and the mdm.Key*
-    constants in client/mdm/policy.go.
-
-    Bundle identifier: io.netbird.client
-        (confirm against the signed pkg before fleet roll-out)
-
-    Distribution:
-      - sign with `productsign --sign "Developer ID Installer: ..." ...`
-        before fleet roll-out (Apple-Configurator-2 won't install an
-        unsigned profile on Sonoma+ without user override).
-      - For local dev install: `sudo profiles install -path netbird-macos.mobileconfig`.
-      - For MDM (Jamf/Kandji/Mosyle/Intune): upload as a Custom Profile.
-
-    Editing:
-      - Replace UUID placeholders below with fresh UUIDs (`uuidgen` on
-        macOS) when forking this template for a real fleet — each
-        deployment should have unique UUIDs so the OS treats it as a
-        distinct profile.
-      - Tune the PayloadContent values to the policy you want to enforce.
-      - Remove any key you do NOT want to enforce (the daemon treats an
-        absent key as "no enforcement" for that field).
-
-    iOS note:
-      This file is macOS-specific. iOS uses managed app config via
-      UserDefaults[com.apple.configuration.managed] under a different
-      payload type (com.apple.app.configuration.managed); the wrapper
-      structure is the same but the inner payload dictionary differs.
-      See docs/netbird-ios.mobileconfig (Phase 5) when shipped.
--->
-<plist version="1.0">
-<dict>
-    <!-- Outer profile envelope -->
-    <key>PayloadType</key>
-    <string>Configuration</string>
-    <key>PayloadVersion</key>
-    <integer>1</integer>
-    <key>PayloadIdentifier</key>
-    <string>io.netbird.client.mdm</string>
-    <key>PayloadUUID</key>
-    <string>11111111-1111-1111-1111-111111111111</string>
-    <key>PayloadDisplayName</key>
-    <string>NetBird MDM Policy</string>
-    <key>PayloadDescription</key>
-    <string>Enforces NetBird client configuration. Values written here override any local user / CLI / on-disk setting and are re-applied at every daemon boot and on every 1-minute MDM reload tick.</string>
-    <key>PayloadOrganization</key>
-    <string>NetBird</string>
-    <key>PayloadScope</key>
-    <string>System</string>
-    <key>PayloadRemovalDisallowed</key>
-    <false/>
-
-    <key>PayloadContent</key>
-    <array>
-        <dict>
-            <!-- Managed preferences payload: writes /Library/Managed Preferences/io.netbird.client.plist -->
-            <key>PayloadType</key>
-            <string>com.apple.ManagedClient.preferences</string>
-            <key>PayloadVersion</key>
-            <integer>1</integer>
-            <key>PayloadIdentifier</key>
-            <string>io.netbird.client.mdm.preferences</string>
-            <key>PayloadUUID</key>
-            <string>22222222-2222-2222-2222-222222222222</string>
-            <key>PayloadDisplayName</key>
-            <string>NetBird Managed Preferences</string>
-            <key>PayloadEnabled</key>
-            <true/>
-
-            <key>PayloadContent</key>
-            <dict>
-                <key>io.netbird.client</key>
-                <dict>
-                    <key>Forced</key>
-                    <array>
-                        <dict>
-                            <key>mcx_preference_settings</key>
-                            <dict>
-
-                                <!-- ===== Identity / auth (strings) ===== -->
-                                <key>managementURL</key>
-                                <string>https://api.netbird.io:443</string>
-
-                                <!-- Pre-shared key: secret. Remove the entry entirely
-                                     when not used; do NOT leave an empty string. -->
-                                <!--
-                                <key>preSharedKey</key>
-                                <string>REPLACE_ME</string>
-                                -->
-
-                                <!-- ===== Engine / runtime behavior (bool) =====
-                                     Remove any key to leave the field unmanaged. -->
-                                <!--
-                                <key>disableAutoConnect</key>
-                                <false/>
-                                <key>disableClientRoutes</key>
-                                <false/>
-                                <key>disableServerRoutes</key>
-                                <false/>
-                                <key>blockInbound</key>
-                                <false/>
-                                -->
-                                <key>allowServerSSH</key>
-                                <true/>
-                                <!--
-                                <key>rosenpassEnabled</key>
-                                <true/>
-                                <key>rosenpassPermissive</key>
-                                <false/>
-                                -->
-
-                                <!-- ===== WireGuard UDP port (int) =====
-                                     Range 1-65535. Omit to keep the default. -->
-                                <!--
-                                <key>wireguardPort</key>
-                                <integer>51820</integer>
-                                -->
-
-                                <!-- ===== Split tunnel (Android-only at the daemon level)
-                                     Pushed harmlessly on macOS for fleets with mixed
-                                     desktop+mobile devices; the macOS daemon ignores it. -->
-                                <!--
-                                <key>splitTunnelMode</key>
-                                <string>allow</string>
-                                <key>splitTunnelApps</key>
-                                <string>com.acme.app1,com.acme.app2</string>
-                                -->
-
-                                <!-- ===== UI / kill switches (bool) ===== -->
-                                <!--
-                                <key>disableUpdateSettings</key>
-                                <true/>
-                                <key>disableProfiles</key>
-                                <true/>
-                                <key>disableNetworks</key>
-                                <true/>
-                                <key>disableAdvancedView</key>
-                                <true/>
-                                <key>disableMetricsCollection</key>
-                                <false/>
-                                -->
-
-                            </dict>
-                        </dict>
-                    </array>
-                </dict>
-            </dict>
-        </dict>
-    </array>
-</dict>
-</plist>

docs/netbird-macos.sh

@@ -1,191 +0,0 @@
-#!/bin/bash
-#
-# SYNOPSIS
-#   Push the NetBird MDM policy to a macOS device via JumpCloud Commands.
-#
-# DESCRIPTION
-#   This is the macOS counterpart of docs/netbird-policy.reg.ps1.
-#   It writes the values declared in the "POLICY VALUES" block below to
-#   the managed-preferences plist that the NetBird daemon's
-#   client/mdm/policy_darwin.go loader reads on every 1-minute MDM
-#   reload tick:
-#
-#       /Library/Managed Preferences/io.netbird.client.plist
-#
-#   Once the plist lands, the daemon picks up the new values without
-#   restart (the ticker calls Config.apply() → applyMDMPolicy() and
-#   restarts the engine on diff).
-#
-# DEPLOYMENT (JumpCloud)
-#   1. Admin Console -> Device Management -> Commands -> +.
-#   2. Type: Mac, Shell, Run as: root.
-#   3. Paste this file verbatim into the command body.
-#   4. Bind to the target system group, save, run.
-#
-# IMPORTANT: PERSISTENCE
-#   macOS wipes /Library/Managed Preferences/ at every boot on devices
-#   that are NOT MDM-enrolled. For a persistent fleet rollout, push the
-#   companion docs/netbird-macos.mobileconfig as a Custom Configuration
-#   Profile (Admin Console -> MDM -> Mac Custom Configuration Profiles)
-#   instead of this script. Use this script when:
-#     - the device is MDM-enrolled (file survives reboots), or
-#     - you need a one-shot test push before reboot, or
-#     - you orchestrate via JumpCloud Commands and want the same
-#       variable-driven workflow as the Windows .ps1 sibling.
-#
-# IDEMPOTENCY: re-running with the same values is a no-op from the
-# daemon's point of view (the 1-minute reload ticker diff returns empty).
-#
-# SECURITY: PreSharedKey is redacted in this script's log output.
-
-set -euo pipefail
-
-### POLICY VALUES — EDIT THIS BLOCK ###########################################
-#
-# Set each variable below to the desired value. Set to empty string ""
-# or to NULL to omit a key entirely (the daemon treats an absent key
-# as "no enforcement" for that field). Booleans use "true"/"false"
-# (lowercase). Integers as decimal.
-#
-# Reference for key names + accepted values:
-#   client/mdm/policy.go (Key* constants)
-#   docs/netbird-macos.mobileconfig (sample profile)
-#   docs/netbird.admx + .adml (Windows ADMX schema)
-#
-NULL='__UNSET__'
-managementURL='https://api.netbird.io:443'
-preSharedKey="$NULL"                       # secret; redacted in log
-allowServerSSH='true'
-blockInbound="$NULL"
-disableAutoConnect="$NULL"
-disableClientRoutes="$NULL"
-disableServerRoutes="$NULL"
-disableMetricsCollection="$NULL"
-disableUpdateSettings="$NULL"
-disableProfiles="$NULL"
-disableNetworks="$NULL"
-disableAdvancedView="$NULL"           # tristate at the daemon
-rosenpassEnabled="$NULL"
-rosenpassPermissive="$NULL"
-wireguardPort='51820'
-splitTunnelMode="$NULL"                    # "allow" or "disallow", Android-only at the daemon level
-splitTunnelApps="$NULL"                    # comma-separated app IDs, Android-only
-##############################################################################
-
-readonly PLIST_DIR='/Library/Managed Preferences'
-readonly PLIST_PATH="$PLIST_DIR/io.netbird.client.plist"
-readonly LOG_TAG='netbird-mdm'
-
-# log sends a message to the system logger using the configured tag and echoes the message to stdout prefixed by an ISO 8601 UTC timestamp and the tag.
-log() {
-  /usr/bin/logger -t "$LOG_TAG" "$*"
-  printf '%s [%s] %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$LOG_TAG" "$*"
-}
-
-# is_set returns success if the provided value is non-empty and is not equal to the special NULL marker.
-is_set() {
-  local value="$1"
-  [[ -n "$value" && "$value" != "$NULL" ]]
-}
-
-# start_plist creates the temporary plist file at "$PLIST_PATH.tmp" containing the XML plist header and opening `<dict>` for the policy plist.
-start_plist() {
-  cat > "$PLIST_PATH.tmp" <<'EOF'
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
-EOF
-}
-
-# end_plist appends the closing `</dict>` and `</plist>` tags to the temporary plist file.
-end_plist() {
-  cat >> "$PLIST_PATH.tmp" <<'EOF'
-</dict>
-</plist>
-EOF
-}
-
-# emit_string appends a plist `<key>`/`<string>` entry for the given key and value to "$PLIST_PATH.tmp", XML-escaping `&`, `<`, and `>`, and logs the assignment (masking the logged value as `********** (secret)` when the key is `preSharedKey`).
-emit_string() {
-  local key="$1" value="$2" log_value="$2"
-  # Escape XML entities in the value
-  local escaped
-  escaped="$(printf '%s' "$value" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g')"
-  printf '    <key>%s</key>\n    <string>%s</string>\n' "$key" "$escaped" >> "$PLIST_PATH.tmp"
-  if [[ "$key" == "preSharedKey" ]]; then
-    log_value='********** (secret)'
-  fi
-  log "set $key = $log_value"
-}
-
-# emit_bool writes a boolean plist entry for a given key into the temporary plist file.
-# emit_bool writes a boolean plist entry for a key when the provided value matches an accepted boolean token; logs an error and skips the key on invalid input.
-emit_bool() {
-  local key="$1" value="$2"
-  local xml_bool
-  case "$value" in
-    true|True|TRUE|1|yes)  xml_bool='<true/>'  ; value='true'  ;;
-    false|False|FALSE|0|no) xml_bool='<false/>' ; value='false' ;;
-    *) log "invalid boolean for $key: $value (must be true/false); skipping"; return ;;
-  esac
-  printf '    <key>%s</key>\n    %s\n' "$key" "$xml_bool" >> "$PLIST_PATH.tmp"
-  log "set $key = $value"
-}
-
-# emit_int validates that VALUE contains only decimal digits and, if valid, appends an `<integer>` plist entry for KEY to the temporary plist (`$PLIST_PATH.tmp`) and logs the assignment; on invalid input it logs a skip and does not emit the key.
-emit_int() {
-  local key="$1" value="$2"
-  if ! [[ "$value" =~ ^[0-9]+$ ]]; then
-    log "invalid integer for $key: $value (must be decimal); skipping"
-    return
-  fi
-  printf '    <key>%s</key>\n    <integer>%s</integer>\n' "$key" "$value" >> "$PLIST_PATH.tmp"
-  log "set $key = $value"
-}
-
-# main builds the NetBird MDM plist from configured policy variables, validates and installs it to /Library/Managed Preferences/io.netbird.client.plist (root:wheel, 644) and optionally triggers the NetBird daemon to reload.
-main() {
-  log "applying NetBird MDM policy to $PLIST_PATH"
-  /bin/mkdir -p "$PLIST_DIR"
-  start_plist
-
-  is_set "$managementURL"             && emit_string  managementURL             "$managementURL"
-  is_set "$preSharedKey"              && emit_string  preSharedKey              "$preSharedKey"
-  is_set "$allowServerSSH"            && emit_bool    allowServerSSH            "$allowServerSSH"
-  is_set "$blockInbound"              && emit_bool    blockInbound              "$blockInbound"
-  is_set "$disableAutoConnect"        && emit_bool    disableAutoConnect        "$disableAutoConnect"
-  is_set "$disableClientRoutes"       && emit_bool    disableClientRoutes       "$disableClientRoutes"
-  is_set "$disableServerRoutes"       && emit_bool    disableServerRoutes       "$disableServerRoutes"
-  is_set "$disableMetricsCollection"  && emit_bool    disableMetricsCollection  "$disableMetricsCollection"
-  is_set "$disableUpdateSettings"     && emit_bool    disableUpdateSettings     "$disableUpdateSettings"
-  is_set "$disableProfiles"           && emit_bool    disableProfiles           "$disableProfiles"
-  is_set "$disableNetworks"           && emit_bool    disableNetworks           "$disableNetworks"
-  is_set "$disableAdvancedView"       && emit_bool    disableAdvancedView       "$disableAdvancedView"
-  is_set "$rosenpassEnabled"          && emit_bool    rosenpassEnabled          "$rosenpassEnabled"
-  is_set "$rosenpassPermissive"       && emit_bool    rosenpassPermissive       "$rosenpassPermissive"
-  is_set "$wireguardPort"             && emit_int     wireguardPort             "$wireguardPort"
-  is_set "$splitTunnelMode"           && emit_string  splitTunnelMode           "$splitTunnelMode"
-  is_set "$splitTunnelApps"           && emit_string  splitTunnelApps           "$splitTunnelApps"
-
-  end_plist
-
-  if ! /usr/bin/plutil -lint "$PLIST_PATH.tmp" >/dev/null 2>&1; then
-    log "ERROR: generated plist failed plutil lint; not installing"
-    /usr/bin/plutil -lint "$PLIST_PATH.tmp" >&2 || true
-    /bin/rm -f "$PLIST_PATH.tmp"
-    exit 1
-  fi
-
-  /bin/mv -f "$PLIST_PATH.tmp" "$PLIST_PATH"
-  /usr/sbin/chown root:wheel "$PLIST_PATH"
-  /bin/chmod 644 "$PLIST_PATH"
-
-  log "policy installed; NetBird daemon will pick it up within the next 1-minute reload tick"
-
-  # Optional: kick the daemon for an immediate apply. Safe — does
-  # nothing on a host where NetBird is not yet installed.
-  /bin/launchctl kickstart -k system/io.netbird.client 2>/dev/null || true
-}
-
-main "$@"

docs/netbird-policy.reg.ps1

@@ -1,94 +0,0 @@
-#requires -Version 5.1
-<#
-.SYNOPSIS
-  Push the NetBird MDM policy to a Windows device via JumpCloud Commands
-  by importing a sidecar netbird-policy.reg file.
-
-.DESCRIPTION
-  Windows counterpart of docs/netbird-macos.sh. Outcome:
-  HKLM\Software\Policies\NetBird populated from the attached
-  netbird-policy.reg file, daemon picks up the change via the
-  1-minute MDM reload ticker.
-
-  Deployment:
-    1. Admin Console -> Device Management -> Commands -> +.
-    2. Type: Windows PowerShell. Run as: SYSTEM.
-    3. Paste this file verbatim into the command body.
-    4. In the same command, attach `netbird-policy.reg` as a file.
-       JumpCloud copies attached files into the command's working
-       directory before invoking the script, so `$PSScriptRoot` or
-       Get-Location resolves to where the .reg lives.
-    5. Bind to the target system group, save, run.
-
-  Producing the .reg file:
-    On a reference machine, after configuring the policy values either
-    via gpedit (GPO) or manual `reg add`, export with:
-
-        reg export "HKLM\Software\Policies\NetBird" netbird-policy.reg /y
-
-    Then attach the resulting file to the JumpCloud command.
-
-  Semantics:
-    - The script nukes the existing HKLM\Software\Policies\NetBird key
-      before importing the .reg, so the .reg is the SINGLE SOURCE OF
-      TRUTH. Any value present in the registry but absent from the .reg
-      is removed. This is what an MDM admin almost always wants.
-    - Setting the .reg to an empty (header-only) file effectively unsets
-      the policy.
-
-  Idempotency: re-running the script with the same .reg is a no-op from
-  the daemon's perspective (values identical → 1-min ticker sees no
-  diff → engine not restarted).
-
-  Exit codes: 0 = success; 1 = .reg missing or reg.exe error.
-#>
-
-$ErrorActionPreference = "Stop"
-
-$RegFileName = "netbird-policy.reg"
-$RegKey      = "HKLM\Software\Policies\NetBird"
-
-# Resolve the attached .reg file: JumpCloud copies command attachments
-# into C:\Windows\Temp\ before invoking the script. Cwd / $PSScriptRoot
-# fallbacks cover the local-dev case where you might dot-source this
-# from elsewhere.
-$candidates = @(
-    (Join-Path "$env:WINDIR\Temp" $RegFileName)
-    (Join-Path (Get-Location)     $RegFileName)
-    (Join-Path $PSScriptRoot      $RegFileName)
-) | Where-Object { Test-Path $_ }
-
-if ($candidates.Count -eq 0) {
-    Write-Error "[netbird-mdm] $RegFileName not found in working directory or `$PSScriptRoot. Attach the file to the JumpCloud command."
-    exit 1
-}
-$regFile = $candidates[0]
-Write-Host "[netbird-mdm] using $regFile"
-
-# Wipe the existing policy key so the .reg is authoritative.
-$existed = Test-Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\NetBird"
-if ($existed) {
-    & reg.exe delete $RegKey /f | Out-Null
-    if ($LASTEXITCODE -ne 0) {
-        Write-Error "[netbird-mdm] failed to clear $RegKey before import (exit $LASTEXITCODE)"
-        exit 1
-    }
-    Write-Host "[netbird-mdm] cleared previous values under $RegKey"
-}
-
-# Import. reg.exe writes both data and (re-)creates the key if needed.
-& reg.exe import $regFile
-if ($LASTEXITCODE -ne 0) {
-    Write-Error "[netbird-mdm] reg import failed (exit $LASTEXITCODE)"
-    exit 1
-}
-
-# Audit dump so the JumpCloud per-execution log captures the applied state.
-Write-Host "[netbird-mdm] final policy state under $RegKey :"
-& reg.exe query $RegKey /s
-
-# Daemon's 1-min reload ticker picks up the change automatically.
-# Uncomment to force immediate convergence (skips the ticker wait):
-#   Restart-Service netbird -Force -ErrorAction SilentlyContinue
-
-exit 0

docs/netbird.adml

@@ -1,98 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema"
-                           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-                           revision="1.0"
-                           schemaVersion="1.0"
-                           xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
-  <displayName>NetBird Client Policies</displayName>
-  <description>Group Policy template for NetBird client MDM-managed settings. Values are written under HKLM\Software\Policies\NetBird and consumed by the netbird daemon at startup and every 1-minute reload tick.</description>
-  <resources>
-    <stringTable>
-
-      <!-- Categories -->
-      <string id="NetBird_Category">NetBird</string>
-      <string id="SUPPORTED_NetBird_All">NetBird Client 0.40+</string>
-
-      <!-- Identity / auth -->
-      <string id="ManagementURL_Name">Management URL</string>
-      <string id="ManagementURL_Help">URL of the NetBird management server. Format: https://host[:port]. When set, users cannot override this value via UI or CLI.</string>
-
-      <string id="PreSharedKey_Name">Pre-shared key</string>
-      <string id="PreSharedKey_Help">WireGuard pre-shared key used as an additional symmetric secret on every peer-to-peer tunnel. Secret value.</string>
-
-      <!-- Settings: engine / runtime behavior -->
-      <string id="DisableAutoConnect_Name">Disable auto-connect</string>
-      <string id="DisableAutoConnect_Help">When enabled, the NetBird tunnel does not auto-connect at daemon startup. Equivalent to --disable-auto-connect.</string>
-
-      <string id="DisableClientRoutes_Name">Disable client routes</string>
-      <string id="DisableClientRoutes_Help">When enabled, this client will not consume routes advertised by routing peers. Equivalent to --disable-client-routes.</string>
-
-      <string id="DisableServerRoutes_Name">Disable server routes</string>
-      <string id="DisableServerRoutes_Help">When enabled, this client will not act as a routing peer for other clients. Equivalent to --disable-server-routes.</string>
-
-      <string id="BlockInbound_Name">Block inbound</string>
-      <string id="BlockInbound_Help">When enabled, the client firewall blocks all inbound peer traffic on the WireGuard interface. Equivalent to --block-inbound.</string>
-
-      <string id="AllowServerSSH_Name">Allow server SSH</string>
-      <string id="AllowServerSSH_Help">When enabled, this client accepts incoming SSH sessions via NetBird SSH. Equivalent to --allow-server-ssh.</string>
-
-      <string id="RosenpassEnabled_Name">Enable Rosenpass</string>
-      <string id="RosenpassEnabled_Help">Enables Rosenpass post-quantum key exchange on WireGuard tunnels. Both peers must support it.</string>
-
-      <string id="RosenpassPermissive_Name">Rosenpass permissive</string>
-      <string id="RosenpassPermissive_Help">When enabled, the client falls back to plain WireGuard if a peer does not support Rosenpass; otherwise it refuses the connection.</string>
-
-      <string id="WireguardPort_Name">WireGuard port</string>
-      <string id="WireguardPort_Help">UDP port used by the local WireGuard interface. Allowed range: 1-65535.</string>
-
-      <string id="SplitTunnel_Name">Split tunnel</string>
-      <string id="SplitTunnel_Help">Restrict the NetBird tunnel to or from a chosen list of application package names. Choose either the allow mode (only the listed apps route through NetBird) or the disallow mode (the listed apps bypass NetBird; everything else routes through). The mode is mutually exclusive — only one can be active at a time. Android-only at the daemon level; Windows/macOS/iOS clients ignore this policy.</string>
-      <string id="SplitTunnel_Allow">Allow only listed apps (everything else bypasses)</string>
-      <string id="SplitTunnel_Disallow">Disallow listed apps (everything else routes)</string>
-
-      <!-- UI -->
-      <string id="DisableUpdateSettings_Name">Disable update settings</string>
-      <string id="DisableUpdateSettings_Help">When enabled, blocks every configuration change from the client UI and from the CLI (netbird up / login / setconfig). The Settings view stays viewable but read-only. Equivalent to --disable-update-settings.</string>
-
-      <string id="DisableProfiles_Name">Disable profiles</string>
-      <string id="DisableProfiles_Help">When enabled, the client UI/CLI cannot list, create, switch or remove NetBird connection profiles. Equivalent to --disable-profiles.</string>
-
-      <string id="DisableNetworks_Name">Disable networks</string>
-      <string id="DisableNetworks_Help">When enabled, the client UI/CLI cannot list, select or deselect NetBird networks (the corresponding daemon RPCs return Unavailable). Equivalent to --disable-networks.</string>
-
-      <string id="DisableAdvancedView_Name">Disable advanced view</string>
-      <string id="DisableAdvancedView_Help">When enabled, the client UI hides the advanced-view section of the new UI revision. Tristate at the daemon: 1 (enabled) hides the section; 0 (disabled) explicitly shows it; not configured leaves the UI's default behavior in place. MDM is the sole source — no equivalent CLI flag exists.</string>
-
-      <string id="DisableMetricsCollection_Name">Disable metrics collection</string>
-      <string id="DisableMetricsCollection_Help">When enabled, the client does not collect or report local usage metrics.</string>
-
-    </stringTable>
-    <presentationTable>
-
-      <presentation id="ManagementURL_Pres">
-        <textBox refId="ManagementURL_Text">
-          <label>Management URL:</label>
-          <defaultValue>https://api.netbird.io:443</defaultValue>
-        </textBox>
-      </presentation>
-
-      <presentation id="PreSharedKey_Pres">
-        <textBox refId="PreSharedKey_Text">
-          <label>Pre-shared key:</label>
-        </textBox>
-      </presentation>
-
-      <presentation id="WireguardPort_Pres">
-        <decimalTextBox refId="WireguardPort_Decimal" defaultValue="51820">WireGuard UDP port:</decimalTextBox>
-      </presentation>
-
-      <presentation id="SplitTunnel_Pres">
-        <dropdownList refId="SplitTunnel_Mode" defaultItem="0">Mode:</dropdownList>
-        <textBox refId="SplitTunnel_Apps">
-          <label>Package names (comma-separated):</label>
-        </textBox>
-      </presentation>
-
-    </presentationTable>
-  </resources>
-</policyDefinitionResources>

docs/netbird.admx

@@ -1,235 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<policyDefinitions xmlns:xsd="http://www.w3.org/2001/XMLSchema"
-                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-                   revision="1.0"
-                   schemaVersion="1.0"
-                   xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
-  <policyNamespaces>
-    <target prefix="netbird" namespace="NetBird.Policies.Client" />
-  </policyNamespaces>
-  <resources minRequiredRevision="1.0" />
-  <supportedOn>
-    <definitions>
-      <definition name="SUPPORTED_NetBird_All" displayName="$(string.SUPPORTED_NetBird_All)" />
-    </definitions>
-  </supportedOn>
-  <categories>
-    <category name="NetBird" displayName="$(string.NetBird_Category)" />
-  </categories>
-  <policies>
-
-    <!-- ============================================================ -->
-    <!-- TOP-LEVEL: foundational identity / authentication              -->
-    <!-- ============================================================ -->
-
-    <policy name="ManagementURL"
-            class="Machine"
-            displayName="$(string.ManagementURL_Name)"
-            explainText="$(string.ManagementURL_Help)"
-            key="Software\Policies\NetBird"
-            presentation="$(presentation.ManagementURL_Pres)">
-      <parentCategory ref="NetBird" />
-      <supportedOn ref="SUPPORTED_NetBird_All" />
-      <elements>
-        <text id="ManagementURL_Text" valueName="ManagementURL" required="true" />
-      </elements>
-    </policy>
-
-    <policy name="PreSharedKey"
-            class="Machine"
-            displayName="$(string.PreSharedKey_Name)"
-            explainText="$(string.PreSharedKey_Help)"
-            key="Software\Policies\NetBird"
-            presentation="$(presentation.PreSharedKey_Pres)">
-      <parentCategory ref="NetBird" />
-      <supportedOn ref="SUPPORTED_NetBird_All" />
-      <elements>
-        <text id="PreSharedKey_Text" valueName="PreSharedKey" />
-      </elements>
-    </policy>
-
-    <!-- ============================================================ -->
-    <!-- SETTINGS: engine / runtime / connection behavior              -->
-    <!-- ============================================================ -->
-
-    <policy name="DisableAutoConnect"
-            class="Machine"
-            displayName="$(string.DisableAutoConnect_Name)"
-            explainText="$(string.DisableAutoConnect_Help)"
-            key="Software\Policies\NetBird"
-            valueName="DisableAutoConnect">
-      <parentCategory ref="NetBird" />
-      <supportedOn ref="SUPPORTED_NetBird_All" />
-      <enabledValue><decimal value="1" /></enabledValue>
-      <disabledValue><decimal value="0" /></disabledValue>
-    </policy>
-
-    <policy name="DisableClientRoutes"
-            class="Machine"
-            displayName="$(string.DisableClientRoutes_Name)"
-            explainText="$(string.DisableClientRoutes_Help)"
-            key="Software\Policies\NetBird"
-            valueName="DisableClientRoutes">
-      <parentCategory ref="NetBird" />
-      <supportedOn ref="SUPPORTED_NetBird_All" />
-      <enabledValue><decimal value="1" /></enabledValue>
-      <disabledValue><decimal value="0" /></disabledValue>
-    </policy>
-
-    <policy name="DisableServerRoutes"
-            class="Machine"
-            displayName="$(string.DisableServerRoutes_Name)"
-            explainText="$(string.DisableServerRoutes_Help)"
-            key="Software\Policies\NetBird"
-            valueName="DisableServerRoutes">
-      <parentCategory ref="NetBird" />
-      <supportedOn ref="SUPPORTED_NetBird_All" />
-      <enabledValue><decimal value="1" /></enabledValue>
-      <disabledValue><decimal value="0" /></disabledValue>
-    </policy>
-
-    <policy name="BlockInbound"
-            class="Machine"
-            displayName="$(string.BlockInbound_Name)"
-            explainText="$(string.BlockInbound_Help)"
-            key="Software\Policies\NetBird"
-            valueName="BlockInbound">
-      <parentCategory ref="NetBird" />
-      <supportedOn ref="SUPPORTED_NetBird_All" />
-      <enabledValue><decimal value="1" /></enabledValue>
-      <disabledValue><decimal value="0" /></disabledValue>
-    </policy>
-
-    <policy name="AllowServerSSH"
-            class="Machine"
-            displayName="$(string.AllowServerSSH_Name)"
-            explainText="$(string.AllowServerSSH_Help)"
-            key="Software\Policies\NetBird"
-            valueName="AllowServerSSH">
-      <parentCategory ref="NetBird" />
-      <supportedOn ref="SUPPORTED_NetBird_All" />
-      <enabledValue><decimal value="1" /></enabledValue>
-      <disabledValue><decimal value="0" /></disabledValue>
-    </policy>
-
-    <policy name="RosenpassEnabled"
-            class="Machine"
-            displayName="$(string.RosenpassEnabled_Name)"
-            explainText="$(string.RosenpassEnabled_Help)"
-            key="Software\Policies\NetBird"
-            valueName="RosenpassEnabled">
-      <parentCategory ref="NetBird" />
-      <supportedOn ref="SUPPORTED_NetBird_All" />
-      <enabledValue><decimal value="1" /></enabledValue>
-      <disabledValue><decimal value="0" /></disabledValue>
-    </policy>
-
-    <policy name="RosenpassPermissive"
-            class="Machine"
-            displayName="$(string.RosenpassPermissive_Name)"
-            explainText="$(string.RosenpassPermissive_Help)"
-            key="Software\Policies\NetBird"
-            valueName="RosenpassPermissive">
-      <parentCategory ref="NetBird" />
-      <supportedOn ref="SUPPORTED_NetBird_All" />
-      <enabledValue><decimal value="1" /></enabledValue>
-      <disabledValue><decimal value="0" /></disabledValue>
-    </policy>
-
-    <policy name="WireguardPort"
-            class="Machine"
-            displayName="$(string.WireguardPort_Name)"
-            explainText="$(string.WireguardPort_Help)"
-            key="Software\Policies\NetBird"
-            presentation="$(presentation.WireguardPort_Pres)">
-      <parentCategory ref="NetBird" />
-      <supportedOn ref="SUPPORTED_NetBird_All" />
-      <elements>
-        <decimal id="WireguardPort_Decimal" valueName="WireguardPort"
-                 minValue="1" maxValue="65535" required="true" />
-      </elements>
-    </policy>
-
-    <policy name="SplitTunnel"
-            class="Machine"
-            displayName="$(string.SplitTunnel_Name)"
-            explainText="$(string.SplitTunnel_Help)"
-            key="Software\Policies\NetBird"
-            presentation="$(presentation.SplitTunnel_Pres)">
-      <parentCategory ref="NetBird" />
-      <supportedOn ref="SUPPORTED_NetBird_All" />
-      <elements>
-        <enum id="SplitTunnel_Mode" valueName="SplitTunnelMode" required="true">
-          <item displayName="$(string.SplitTunnel_Allow)"><value><string>allow</string></value></item>
-          <item displayName="$(string.SplitTunnel_Disallow)"><value><string>disallow</string></value></item>
-        </enum>
-        <text id="SplitTunnel_Apps" valueName="SplitTunnelApps" required="true" />
-      </elements>
-    </policy>
-
-    <!-- ============================================================ -->
-    <!-- UI: visibility / UX kill switches                             -->
-    <!-- ============================================================ -->
-
-    <policy name="DisableUpdateSettings"
-            class="Machine"
-            displayName="$(string.DisableUpdateSettings_Name)"
-            explainText="$(string.DisableUpdateSettings_Help)"
-            key="Software\Policies\NetBird"
-            valueName="DisableUpdateSettings">
-      <parentCategory ref="NetBird" />
-      <supportedOn ref="SUPPORTED_NetBird_All" />
-      <enabledValue><decimal value="1" /></enabledValue>
-      <disabledValue><decimal value="0" /></disabledValue>
-    </policy>
-
-    <policy name="DisableProfiles"
-            class="Machine"
-            displayName="$(string.DisableProfiles_Name)"
-            explainText="$(string.DisableProfiles_Help)"
-            key="Software\Policies\NetBird"
-            valueName="DisableProfiles">
-      <parentCategory ref="NetBird" />
-      <supportedOn ref="SUPPORTED_NetBird_All" />
-      <enabledValue><decimal value="1" /></enabledValue>
-      <disabledValue><decimal value="0" /></disabledValue>
-    </policy>
-
-    <policy name="DisableNetworks"
-            class="Machine"
-            displayName="$(string.DisableNetworks_Name)"
-            explainText="$(string.DisableNetworks_Help)"
-            key="Software\Policies\NetBird"
-            valueName="DisableNetworks">
-      <parentCategory ref="NetBird" />
-      <supportedOn ref="SUPPORTED_NetBird_All" />
-      <enabledValue><decimal value="1" /></enabledValue>
-      <disabledValue><decimal value="0" /></disabledValue>
-    </policy>
-
-    <policy name="DisableAdvancedView"
-            class="Machine"
-            displayName="$(string.DisableAdvancedView_Name)"
-            explainText="$(string.DisableAdvancedView_Help)"
-            key="Software\Policies\NetBird"
-            valueName="DisableAdvancedView">
-      <parentCategory ref="NetBird" />
-      <supportedOn ref="SUPPORTED_NetBird_All" />
-      <enabledValue><decimal value="1" /></enabledValue>
-      <disabledValue><decimal value="0" /></disabledValue>
-    </policy>
-
-    <policy name="DisableMetricsCollection"
-            class="Machine"
-            displayName="$(string.DisableMetricsCollection_Name)"
-            explainText="$(string.DisableMetricsCollection_Help)"
-            key="Software\Policies\NetBird"
-            valueName="DisableMetricsCollection">
-      <parentCategory ref="NetBird" />
-      <supportedOn ref="SUPPORTED_NetBird_All" />
-      <enabledValue><decimal value="1" /></enabledValue>
-      <disabledValue><decimal value="0" /></disabledValue>
-    </policy>
-
-  </policies>
-</policyDefinitions>