elastic · szwarckonrad · Oct 3, 2025 · Oct 2, 2025 · Oct 3, 2025
@@ -174,6 +174,8 @@ export default function ({ getService }: FtrProviderContext) {
         'global_artifact_management_all',
         'trusted_applications_all',
         'trusted_applications_read',
+        'trusted_devices_all',
+        'trusted_devices_read',
         'host_isolation_exceptions_all',
         'host_isolation_exceptions_read',
         'blocklist_all',
@@ -204,6 +206,8 @@ export default function ({ getService }: FtrProviderContext) {
         'global_artifact_management_all',
         'trusted_applications_all',
         'trusted_applications_read',
+        'trusted_devices_all',
+        'trusted_devices_read',
         'host_isolation_exceptions_all',
         'host_isolation_exceptions_read',
         'blocklist_all',

@@ -300,6 +300,8 @@ export default function ({ getService }: FtrProviderContext) {
               'file_operations_all',
               'execute_operations_all',
               'scan_operations_all',
+              'trusted_devices_all',
+              'trusted_devices_read',
               'workflow_insights_all',
               'workflow_insights_read',
             ],
@@ -327,6 +329,8 @@ export default function ({ getService }: FtrProviderContext) {
               'read',
               'trusted_applications_all',
               'trusted_applications_read',
+              'trusted_devices_all',
+              'trusted_devices_read',
               'file_operations_all',
               'execute_operations_all',
               'scan_operations_all',

@@ -298,7 +298,7 @@ export const allowedExperimentalValues = Object.freeze({
    * Enables Trusted Devices artifact management for device control protections.
    * Allows users to manage trusted USB and external devices
    */
-  trustedDevices: false,
+  trustedDevices: true,
 
   /**
    * Enables the ability to import and migration dashboards through automatic migration service

@@ -33,13 +33,6 @@ describe(
   'Trusted Devices',
   {
     tags: ['@ess', '@serverless', '@skipInServerlessMKI'],
-    env: {
-      ftrConfig: {
-        kbnServerArgs: [
-          `--xpack.securitySolution.enableExperimental=${JSON.stringify(['trustedDevices'])}`,
-        ],
-      },
-    },
   },
   () => {
     let indexedPolicy: IndexedFleetEndpointPolicyResponse;

@@ -12,13 +12,6 @@ describe(
   'Trusted devices RBAC',
   {
     tags: ['@ess', '@serverless', '@skipInServerlessMKI'],
-    env: {
-      ftrConfig: {
-        kbnServerArgs: [
-          `--xpack.securitySolution.enableExperimental=${JSON.stringify(['trustedDevices'])}`,
-        ],
-      },
-    },
   },
 
   getArtifactMockedDataTests(getArtifactsListTestDataForArtifact('trustedDevices'), [

@@ -164,10 +164,7 @@ describe(
         cy.get('[data-test-subj~="sideNavPanel-id-securityGroup:assets"]');
 
         for (const page of allPages) {
-          if (page.selector !== Selectors.TRUSTED_DEVICES) {
-            // Skip Trusted Devices for now — soc_manager does not yet have the required privilege in controller (MKI would fail otherwise).
-            cy.get(page.selector);
-          }
+          cy.get(page.selector);
         }
       });
     });

@@ -18,11 +18,6 @@ describe(
     env: {
       ftrConfig: {
         productTypes: [{ product_line: 'security', product_tier: 'complete' }],
-        // This is not needed for this test, but it's a good example of
-        // how to enable experimental features in the Cypress tests.
-        kbnServerArgs: [
-          `--xpack.securitySolution.enableExperimental=${JSON.stringify(['trustedDevices'])}`,
-        ],
       },
     },
   },

@@ -24,9 +24,6 @@ describe(
           { product_line: 'security', product_tier: 'complete' },
           { product_line: 'endpoint', product_tier: 'complete' },
         ],
-        kbnServerArgs: [
-          `--xpack.securitySolution.enableExperimental=${JSON.stringify(['trustedDevices'])}`,
-        ],
       },
     },
   },

@@ -18,9 +18,6 @@ describe(
     env: {
       ftrConfig: {
         productTypes: [{ product_line: 'security', product_tier: 'essentials' }],
-        kbnServerArgs: [
-          `--xpack.securitySolution.enableExperimental=${JSON.stringify(['trustedDevices'])}`,
-        ],
       },
     },
   },

@@ -24,9 +24,6 @@ describe(
           { product_line: 'security', product_tier: 'essentials' },
           { product_line: 'endpoint', product_tier: 'essentials' },
         ],
-        kbnServerArgs: [
-          `--xpack.securitySolution.enableExperimental=${JSON.stringify(['trustedDevices'])}`,
-        ],
       },
     },
   },

@@ -40,9 +40,6 @@ describe(
           { product_line: 'security', product_tier: 'complete' },
           { product_line: 'endpoint', product_tier: 'complete' },
         ],
-        kbnServerArgs: [
-          `--xpack.securitySolution.enableExperimental=${JSON.stringify(['trustedDevices'])}`,
-        ],
       },
     },
   },

@@ -393,6 +393,8 @@ describe('ManifestManager', () => {
       ARTIFACT_NAME_BLOCKLISTS_MACOS,
       ARTIFACT_NAME_BLOCKLISTS_WINDOWS,
       ARTIFACT_NAME_BLOCKLISTS_LINUX,
+      ARTIFACT_NAME_TRUSTED_DEVICES_MACOS,
+      ARTIFACT_NAME_TRUSTED_DEVICES_WINDOWS,
     ];
 
     const getArtifactIds = (artifacts: InternalArtifactSchema[]) => [
@@ -425,7 +427,7 @@ describe('ManifestManager', () => {
 
       const artifacts = manifest.getAllArtifacts();
 
-      expect(artifacts.length).toBe(15);
+      expect(artifacts.length).toBe(17);
       expect(getArtifactIds(artifacts)).toStrictEqual(SUPPORTED_ARTIFACT_NAMES);
 
       for (const artifact of artifacts) {
@@ -480,7 +482,7 @@ describe('ManifestManager', () => {
 
       const artifacts = manifest.getAllArtifacts();
 
-      expect(artifacts.length).toBe(15);
+      expect(artifacts.length).toBe(17);
       expect(getArtifactIds(artifacts)).toStrictEqual(SUPPORTED_ARTIFACT_NAMES);
 
       expect(getArtifactObject(artifacts[0])).toStrictEqual({
@@ -569,7 +571,7 @@ describe('ManifestManager', () => {
 
       const artifacts = manifest.getAllArtifacts();
 
-      expect(artifacts.length).toBe(15);
+      expect(artifacts.length).toBe(17);
       expect(getArtifactIds(artifacts)).toStrictEqual(SUPPORTED_ARTIFACT_NAMES);
 
       expect(artifacts[0]).toStrictEqual(oldManifest.getAllArtifacts()[0]);
@@ -672,7 +674,7 @@ describe('ManifestManager', () => {
 
       const artifacts = manifest.getAllArtifacts();
 
-      expect(artifacts.length).toBe(16);
+      expect(artifacts.length).toBe(18);
       expect(getArtifactIds(artifacts)).toStrictEqual(SUPPORTED_ARTIFACT_NAMES);
 
       expect(getArtifactObject(artifacts[0])).toStrictEqual({
@@ -784,7 +786,7 @@ describe('ManifestManager', () => {
 
       const artifacts = manifest.getAllArtifacts();
 
-      expect(artifacts.length).toBe(16);
+      expect(artifacts.length).toBe(18);
       expect(getArtifactIds(artifacts)).toStrictEqual(SUPPORTED_ARTIFACT_NAMES);
 
       expect(getArtifactObject(artifacts[0])).toStrictEqual({
@@ -839,6 +841,8 @@ describe('ManifestManager', () => {
       ARTIFACT_NAME_BLOCKLISTS_MACOS,
       ARTIFACT_NAME_BLOCKLISTS_WINDOWS,
       ARTIFACT_NAME_BLOCKLISTS_LINUX,
+      ARTIFACT_NAME_TRUSTED_DEVICES_MACOS,
+      ARTIFACT_NAME_TRUSTED_DEVICES_WINDOWS,
     ];
 
     const getArtifactIds = (artifacts: InternalArtifactSchema[]) => [
@@ -890,7 +894,7 @@ describe('ManifestManager', () => {
 
       const artifacts = manifest.getAllArtifacts();
 
-      expect(artifacts.length).toBe(15);
+      expect(artifacts.length).toBe(17);
       expect(getArtifactIds(artifacts)).toStrictEqual(SUPPORTED_ARTIFACT_NAMES);
 
       expect(getArtifactObject(artifacts[0])).toStrictEqual({
@@ -971,7 +975,7 @@ describe('ManifestManager', () => {
 
       const artifacts = manifest.getAllArtifacts();
 
-      expect(artifacts.length).toBe(15);
+      expect(artifacts.length).toBe(17);
       expect(getArtifactIds(artifacts)).toStrictEqual(SUPPORTED_ARTIFACT_NAMES);
 
       expect(getArtifactObject(artifacts[0])).toStrictEqual({
@@ -1055,7 +1059,7 @@ describe('ManifestManager', () => {
 
       const artifacts = manifest.getAllArtifacts();
 
-      expect(artifacts.length).toBe(15);
+      expect(artifacts.length).toBe(17);
       expect(getArtifactIds(artifacts)).toStrictEqual(SUPPORTED_ARTIFACT_NAMES);
 
       expect(getArtifactObject(artifacts[0])).toStrictEqual({ entries: [] });
@@ -1083,28 +1087,8 @@ describe('ManifestManager', () => {
     });
   });
 
-  describe('buildNewManifest with trustedDevices experimental feature', () => {
+  describe('buildNewManifest with trustedDevices', () => {
     const SUPPORTED_ARTIFACT_NAMES_WITH_TRUSTED_DEVICES = [
-      ARTIFACT_NAME_EXCEPTIONS_MACOS,
-      ARTIFACT_NAME_EXCEPTIONS_WINDOWS,
-      ARTIFACT_NAME_EXCEPTIONS_LINUX,
-      ARTIFACT_NAME_TRUSTED_APPS_MACOS,
-      ARTIFACT_NAME_TRUSTED_APPS_WINDOWS,
-      ARTIFACT_NAME_TRUSTED_APPS_LINUX,
-      ARTIFACT_NAME_TRUSTED_DEVICES_MACOS,
-      ARTIFACT_NAME_TRUSTED_DEVICES_WINDOWS,
-      ARTIFACT_NAME_EVENT_FILTERS_MACOS,
-      ARTIFACT_NAME_EVENT_FILTERS_WINDOWS,
-      ARTIFACT_NAME_EVENT_FILTERS_LINUX,
-      ARTIFACT_NAME_HOST_ISOLATION_EXCEPTIONS_MACOS,
-      ARTIFACT_NAME_HOST_ISOLATION_EXCEPTIONS_WINDOWS,
-      ARTIFACT_NAME_HOST_ISOLATION_EXCEPTIONS_LINUX,
-      ARTIFACT_NAME_BLOCKLISTS_MACOS,
-      ARTIFACT_NAME_BLOCKLISTS_WINDOWS,
-      ARTIFACT_NAME_BLOCKLISTS_LINUX,
-    ];
-
-    const SUPPORTED_ARTIFACT_NAMES_WITHOUT_TRUSTED_DEVICES = [
       ARTIFACT_NAME_EXCEPTIONS_MACOS,
       ARTIFACT_NAME_EXCEPTIONS_WINDOWS,
       ARTIFACT_NAME_EXCEPTIONS_LINUX,
@@ -1120,25 +1104,16 @@ describe('ManifestManager', () => {
       ARTIFACT_NAME_BLOCKLISTS_MACOS,
       ARTIFACT_NAME_BLOCKLISTS_WINDOWS,
       ARTIFACT_NAME_BLOCKLISTS_LINUX,
+      ARTIFACT_NAME_TRUSTED_DEVICES_MACOS,
+      ARTIFACT_NAME_TRUSTED_DEVICES_WINDOWS,
     ];
 
     const getArtifactIds = (artifacts: InternalArtifactSchema[]) => [
       ...new Set(artifacts.map((artifact) => artifact.identifier)).values(),
     ];
 
-    test('builds manifest with trusted devices when feature flag enabled', async () => {
-      const context = buildManifestManagerContextMock({
-        experimentalFeatures: ['trustedDevices'],
-      });
-      // Set up licensing to allow trusted devices (both PLI and enterprise)
-      context.productFeaturesService.isEnabled = jest.fn().mockImplementation((key) => {
-        return (
-          key === ProductFeatureKey.endpointTrustedDevices ||
-          key === ProductFeatureKey.endpointArtifactManagement
-        );
-      });
-      context.licenseService = createLicenseServiceMock();
-      context.licenseService.isEnterprise = jest.fn().mockReturnValue(true);
+    test('builds manifest with trusted devices', async () => {
+      const context = buildManifestManagerContextMock({});
       const manifestManager = new ManifestManager(context);
 
       context.exceptionListClient.findExceptionListItem = mockFindExceptionListItemResponses({});
@@ -1182,66 +1157,13 @@ describe('ManifestManager', () => {
       }
     });
 
-    test('builds manifest without trusted devices when feature flag disabled', async () => {
-      const context = buildManifestManagerContextMock({
-        experimentalFeatures: [], // No trustedDevices feature
-      });
-      const manifestManager = new ManifestManager(context);
-
-      context.exceptionListClient.findExceptionListItem = mockFindExceptionListItemResponses({});
-      context.packagePolicyService.fetchAllItemIds = getMockPolicyFetchAllItemIds([
-        TEST_POLICY_ID_1,
-      ]);
-
-      const manifest = await manifestManager.buildNewManifest();
-
-      expect(manifest?.getSchemaVersion()).toStrictEqual('v1');
-      expect(manifest?.getSemanticVersion()).toStrictEqual('1.0.0');
-      expect(manifest?.getSavedObjectVersion()).toBeUndefined();
-
-      const artifacts = manifest.getAllArtifacts();
-
-      expect(artifacts.length).toBe(15); // Standard artifacts only
-      expect(getArtifactIds(artifacts)).toStrictEqual(
-        SUPPORTED_ARTIFACT_NAMES_WITHOUT_TRUSTED_DEVICES
-      );
-
-      // Verify trusted devices artifacts are NOT present
-      const trustedDevicesMacosArtifact = artifacts.find(
-        (a) => a.identifier === ARTIFACT_NAME_TRUSTED_DEVICES_MACOS
-      );
-      const trustedDevicesWindowsArtifact = artifacts.find(
-        (a) => a.identifier === ARTIFACT_NAME_TRUSTED_DEVICES_WINDOWS
-      );
-
-      expect(trustedDevicesMacosArtifact).toBeUndefined();
-      expect(trustedDevicesWindowsArtifact).toBeUndefined();
-
-      for (const artifact of artifacts) {
-        expect(manifest.isDefaultArtifact(artifact)).toBe(true);
-        expect(manifest.getArtifactTargetPolicies(artifact)).toStrictEqual(
-          new Set([TEST_POLICY_ID_1])
-        );
-      }
-    });
-
-    test('builds manifest with trusted devices entries when feature flag enabled and trusted devices data present', async () => {
+    test('builds manifest with trusted devices entries when trusted devices data present', async () => {
       const trustedDeviceListItem = getExceptionListItemSchemaMock({
         os_types: ['windows'],
         tags: ['policy:all'],
       });
 
-      const context = buildManifestManagerContextMock({
-        experimentalFeatures: ['trustedDevices'],
-      });
-      context.productFeaturesService.isEnabled = jest.fn().mockImplementation((key) => {
-        return (
-          key === ProductFeatureKey.endpointTrustedDevices ||
-          key === ProductFeatureKey.endpointArtifactManagement
-        );
-      });
-      context.licenseService = createLicenseServiceMock();
-      context.licenseService.isEnterprise = jest.fn().mockReturnValue(true);
+      const context = buildManifestManagerContextMock({});
       const manifestManager = new ManifestManager(context);
 
       context.exceptionListClient.findExceptionListItem = mockFindExceptionListItemResponses({
@@ -1314,7 +1236,7 @@ describe('ManifestManager', () => {
 
       const artifacts = manifest.getAllArtifacts();
 
-      expect(artifacts.length).toBe(15);
+      expect(artifacts.length).toBe(17);
 
       expect(getArtifactObject(artifacts[0])).toStrictEqual({
         entries: translateToEndpointExceptions([expectedExceptionListItem], 'v1', defaultFeatures),
@@ -1354,7 +1276,7 @@ describe('ManifestManager', () => {
 
       const artifacts = manifest.getAllArtifacts();
 
-      expect(artifacts.length).toBe(15);
+      expect(artifacts.length).toBe(17);
 
       expect(getArtifactObject(artifacts[0])).toStrictEqual({
         entries: translateToEndpointExceptions([expectedExceptionListItem], 'v1', defaultFeatures),
@@ -2468,13 +2390,6 @@ describe('ManifestManager', () => {
         manifestManager = new ManifestManager(context);
       });
 
-      test('should return false for trusted devices artifacts when feature flag is disabled', () => {
-        const shouldRetrieve = (
-          manifestManager as unknown as ManifestManagerWithPrivateMethods
-        ).shouldRetrieveExceptions(ENDPOINT_ARTIFACT_LISTS.trustedDevices.id);
-        expect(shouldRetrieve).toBe(false);
-      });
-
       test('should return true for other artifact types regardless of feature flag', () => {
         const shouldRetrieveExceptions = (
           manifestManager as unknown as ManifestManagerWithPrivateMethods