Skip to content

Releases: fleetdm/fleet


17 Aug 23:06
Choose a tag to compare


  • Added the fleetctl upgrade-packs command to migrate 2017 packs to the new combined schedule and query concept.

  • Updated fleetctl convert to convert packs to the new combined schedule and query format.

  • Updated the POST /mdm/apple/profiles/match endpoint to set the bootstrap package and enable end user authentication settings for each new team created via the endpoint to the corresponding values specified in the app config as of the time the applicable team is created.

  • Added enroll secret for a new team created with fleetctl apply if none is provided.

  • Improved SQL autocomplete with dynamic column, table names, and shown metadata.

  • Cleaned up styling around table search bars.

  • Updated MDM profile verification to fix issue where profiles were marked as failed when a host
    is transferred to a newly created team that has an identical profile as an older team.

  • Added windows MDM automatic enrollment setup pages to Fleet UI.

  • (Beta) Allowed configuring Windows MDM certificates using their contents.

  • Updated the icons on the dashboard to new grey designs.

  • Ensured DEP profiles are assigned even for devices that already exist and have an op type = "modified".

  • Disabled save button for invalid query or policy SQL & missing name.

  • Users with no global or team role cannot access the UI.

  • Text cells truncate with ellipses if longer than column width.

Bug Fixes:

  • Fixed styling issue of the active settings tab.

  • Fixed response status code to 403 when a user cannot change their password either because they were not requested to by the admin or they have Single-Sign-On (SSO) enabled.

  • Fixed issues with end user migration flow.

  • Fixed login form cut off when viewport is too short.

  • Fixed bug where os_version endpoint returned 404 for no teams on controls page.

  • Fixed delays applying profiles when the Puppet module is used in distributed scenarios.

  • Fixed a style issue in the filter host by status dropdown.

  • Fixed an issue when a user with gitops role was used to validate a configuration with fleetctl apply --dry-run.

  • Fixed jumping text on the host page label filter dropdown at low viewport widths.


Please visit our update guide for upgrade instructions.


Documentation for Fleet is available at

Binary Checksum


4383798d4a91c0ed4fb057c370e86b21d5fba30acac3b220ca810c92350bf79b  fleetctl_v4.36.0_linux.tar.gz
4a84d774d070b494032a44781a7a48821ead27ef5c697c81112b3969a81f8273  fleet_v4.36.0_linux.tar.gz
abe6ae5192e20e5926adb6a1c16cd0e23a77e52701ceb53e2b431358bbdae6ee  fleetctl_v4.36.0_macos.tar.gz
ef8a81b617b55dda21e80f0f9e276d765a3c56e0c37378c897337612206dfbb6  fleetctl_v4.36.0_windows.tar.gz


10 Aug 18:32
Choose a tag to compare


  • Fixed a bug in fleetctl that set the wrong Fleet URL in Windows installers.


Please visit our update guide for upgrade instructions.


Documentation for Fleet is available at

Binary Checksum


15dbea6acb8a23e8686b6240c4b0fe3260aa91b26a2494719d136ebdb4364dbf  fleet_v4.35.2_linux.tar.gz
224d7a47617a3906431c7d56e99a353321055d766a9f040a85346c5a354642f0  fleetctl_v4.35.2_linux.tar.gz
82f2f2b9e8fd88328fec470400f28b55dc76d1b2174860f56c36e153dd9bd225  fleetctl_v4.35.2_windows.tar.gz
a7539c3bd66832fc48624bffebd4764cf09c089cf69c310f864c5f66478aeee7  fleetctl_v4.35.2_macos.tar.gz


04 Aug 22:34
Choose a tag to compare


  • Fixed a migration to account for columns with NULL values as a result of either creating schedules via the API without providing all values or by a race condition with database replicas.

  • Fixed a bug that occurred when a user tried to create a custom query from the "query" action on a host's details page.


Please visit our update guide for upgrade instructions.


Documentation for Fleet is available at

Binary Checksum


18279aba31682213d7bcfbba07ef9d53b8c68951595398655035977f58432ad1  fleet_v4.35.1_linux.tar.gz
91ea672f80a90dbb9c5e070378d9dc3731f4c752c6fc5c8a8cfad108cc2af069  fleetctl_v4.35.1_linux.tar.gz
92251375d9fbfd7f4c9581ee5330d7ad35a2a5cb46afa5932100705cdef9db97  fleetctl_v4.35.1_macos.tar.gz
cad9a8eaca600a640301fb0b3ad486e604806f117050975c1fb0f367f4490b74  fleetctl_v4.35.1_windows.tar.gz


01 Aug 16:55
Choose a tag to compare


  • Combined the query and schedule features to provide a single interface for creating, scheduling, and tweaking queries at the global and team level.

  • Merged all functionality of the schedule page into the queries page.

  • Updated the save query modal to include scheduling-related fields.

  • Updated queries table schema to allow storing scheduling information and configuration in the queries table.

  • Users now able to manage scheduled queries using automations modal.

  • The osquery/config endpoint now includes scheduled queries for the host's team stored in the queries table.

  • Query editor now includes frequency and other advanced options.

  • Updated macOS MDM setup UI in Fleet UI.

  • Changed how team assignment works for the Puppet module, for more details see the README.

  • Allow the Puppet module to read different Fleet URL/token combinations for different environments.

  • Updated server logging for webhook requests to mask URL query values if the query param name includes "secret", "token", "key", "password".

  • Added support for Azure JWT tokens.

  • Set DeferForceAtUserLoginMaxBypassAttempts to 1 in the default FileVault profile installed by Fleet.

  • Added dark and light mode logo uploads and show the appropriate logo to the macOS MDM migration flow.

  • Added MSI installer deployement support through MS-MDM.

  • Added support for Windows MDM STS Auth Endpoint.

  • Added support for installing Fleetd after enrolling through Azure account.

  • Added support for MDM TOS endpoint.

  • Updated the "Platforms" column to the more explicit "Compatible with".

  • Improved delivery of Apple MDM profiles by not re-sending InstallProfile commands if a host switches teams but the profile contents are the same.

  • Improved error handling and messaging of SSO login during AEP(DEP) enrollments.

  • Improved the reporting of the Puppet module to only report as changed profiles that actually changed during a run.

  • Updated ingestion of host detail queries for MDM so hosts that report empty results are counted as "Off".

  • Upgraded Go version to v1.19.11.

  • If a policy was defined with an invalid query, the desktop endpoint now counts that policy as a failed policy.

  • Fixed issue where Orbit repeatedly tries to launch Nudge in the event of a launch error.

  • Fixed Observer + should be able to run any query by clicking create new query.

  • Fixed the styling of the initial setup flow.

  • Fixed URL used to check Gravatar network availability.


Please visit our update guide for upgrade instructions.


Documentation for Fleet is available at

Binary Checksum


21d5632e04f7ebf95e892be298abff9b6da692926a86a94b4b0170558d794164  fleetctl_v4.35.0_linux.tar.gz
4da40b3667932473a3918d83a073cd9c654432624ece8376820db3977ac10780  fleet_v4.35.0_linux.tar.gz
5a4f205ab275e680a9a6b6491d10b38646db6d7f6e36c88faae93f749e85d185  fleetctl_v4.35.0_windows.tar.gz
fa11cdbf925b810dbfbd59640555a22bba88c2f0c67bd5beb4dbd6972517d77c  fleetctl_v4.35.0_macos.tar.gz


17 Jul 20:45
Choose a tag to compare


  • Fixed Observer+ not being able to run some queries.

  • If a policy was defined with an invalid query, the desktop endpoint should count that policy as a failed policy.


Please visit our update guide for upgrade instructions.


Documentation for Fleet is available at

Binary Checksum


9958d777dacb2ec8b6e9a98bda3aa5024875da60ce7b5183839bfa69c832f550  fleetctl_v4.34.1_macos.tar.gz
a905a0fadecba778dc4fd1b309c8cb3613c81faf086edb6e09f1e245d567ea5f  fleetctl_v4.34.1_linux.tar.gz
e109127daa6697ee0883e01a5fde1618feee059a74f47cc4a3c69035e75dc5b4  fleetctl_v4.34.1_windows.tar.gz
eadd6f647b54106773e3cf5e98fd1dd73c4f1cc1088ea233b5d3b761ffc01af6  fleet_v4.34.1_linux.tar.gz


12 Jul 19:14
Choose a tag to compare


  • Added execution of programmatic Windows MDM enrollment on eligible devices when Windows MDM is enabled.

  • Microsoft MDM Enrollment Protocol: Added support for the RequestSecurityToken messages.

  • Microsoft MDM Enrollment Protocol: Added support for the DiscoveryRequest messages.

  • Microsoft MDM Enrollment Protocol: Added support for the GetPolicies messages.

  • Added enabled_windows_mdm and disabled_windows_mdm activities when a user turns on/off Windows MDM.

  • Added support to enable and configure Windows MDM and to notify devices that are able to programmatically enroll.

  • Added ability to turn Windows MDM on and off from the Fleet UI.

  • Added enable and disable Windows MDM activity UI.

  • Updated MDM detail query ingestion to switch MDM profiles from "verifying" or "verified" status to "failed" status when osquery reports that this profile is not installed on the host.

  • Added notification and execution of programmatic Windows MDM unenrollment on eligible devices when Windows MDM is disabled.

  • Added the FLEET_DEV_MDM_ENABLED environment variable to enable the Windows MDM feature during its development and beta period.

  • Added the mdm_enabled feature flag information to the response payload of the PATCH /config endpoint.

  • When creating a PolicySpec, return the proper HTTP status code if the team is not found.

  • Added CPEMatchingRule type, used for correcting false positives caused by incorrect entries in the NVD dataset.

  • Optimized macOS CIS query "Ensure Appropriate Permissions Are Enabled for System Wide Applications" (5.1.5).

  • Updated macOS CIS policies 5.1.6 and 5.1.7 to use a new fleetd table find_cmd instead of relying on the osquery file table to improve performance.

  • Implemented the privacy_preferences table for the Fleetd Chrome extension.

  • Warnings in fleetctl now go to stderr instead of stdout.

  • Updated UI for transferred hosts activity items.

  • Added Organization support URL input on the setting page organization info form.

  • Added improved ABM 400 error message to the UI.

  • Hide any osquery tables or columns from Fleet UI that has hidden set to true to match Fleet website.

  • Ignore casing in SAML response for display name. For example the display name attribute can be provided now as displayname or displayName.

  • Provide feedback to users when fleetctl login is using EMAIL and PASSWORD environment variables.

  • Added a new activity transferred_hosts created when hosts are transferred to a new team (or no team).

  • Added milliseconds to the timestamp of auto-generated team name when creating a new team in GET /mdm/apple/profiles/match.

  • Improved dashboard loading states.

  • Improved UI for selecting targets.

  • Made sure that all configuration profiles and commands are sent to devices if MDM is turned on, even if the device never turned off MDM.

  • Fixed bug when reading filevault key in osquery and created new Fleet osquery extension table to read the file directly rather than via filelines table.

  • Fixed UI bug on host details and device user pages that caused the software search to not work properly when searching by CVE.

  • Fixed not validating the schema used in the Metadata URL.

  • Fixed improper HTTP status code if SMTP is invalid.

  • Fixed false positives for iCloud on macOS.

  • Fixed styling of copy message when copying fields.

  • Fixed a bug where an empty file uploaded to POST /api/latest/fleet/mdm/apple/setup/eula resulted in a 500; now returns a 400 Bad Request.

  • Fixed vulnerability dropdown that was hiding if no vulnerabilities.

  • Fixed scroll behavior with disk encryption status.

  • Fixed empty software image in sandbox mode.

  • Fixed improper HTTP status code when fleet/forgot_password endpoint is rate limited.

  • Fixed MaxBurst limit parameter for fleet/forgot_password endpoint.

  • Fixed a bug where reading from the replica would not read recent writes when matching a set of MDM profiles to a team (the GET /mdm/apple/profiles/match endpoint).

  • Fixed an issue that displayed Nudge to macOS hosts if MDM was configured but MDM features weren't turned on for the host.

  • Fixed tooltip word wrapping on the error cell in the macOS settings table.

  • Fixed extraneous loading spinner rendering on the software page.

  • Fixed styling bug on setup caused by new font being much wider.


Please visit our update guide for upgrade instructions.


Documentation for Fleet is available at

Binary Checksum


56d71ec5b70c96309a459e6035c013b0d503e460c718f5b11c4062d3ce302ffd  fleetctl_v4.34.0_macos.tar.gz
72575600dc2febca97bc43bd79f996e779774b0c627bb347d1597be84c39e60c  fleetctl_v4.34.0_windows.tar.gz
930c56dadcb274dd72093c08b7773c393ca659e3a42a704513b7791c1c3e7233  fleet_v4.34.0_linux.tar.gz
b29560f0a7d69c83358690a770e22ee5a10d165f253e737c8073fb043bca05fe  fleetctl_v4.34.0_linux.tar.gz


20 Jun 22:20
Choose a tag to compare


  • Fixed ChromeOS add host instructions to use variable Fleet URL.


Please visit our update guide for upgrade instructions.


Documentation for Fleet is available at

Binary Checksum


6b701f5b813ba99d206ec3e84509b9ba1cc0466a59b31065fbd81ca77c3c371c  fleetctl_v4.33.1_macos.tar.gz
c8f688a7a3edf06d6ac0f3cf1a119c5bda5c3643290830680b5fb842473fa872  fleetctl_v4.33.1_windows.tar.gz
cf2396ab47185b5870bcf07e2775fc1b8c6f2c2f3d22cdee3aab64c9f4cd47ca  fleet_v4.33.1_linux.tar.gz
e329e02f07c845519eedd8925129a25cf60d04b1d0fb663b1a879b756fe17c75  fleetctl_v4.33.1_linux.tar.gz


13 Jun 17:20
Choose a tag to compare


  • Upgraded Go version to 1.19.10.

  • Added support for ChromeOS devices.

  • Added instructions to inform users how to add ChromeOS hosts.

  • Added ChromeOS details to the dashboard, manage hosts, and host details pages.

  • Added ability for users to create policies that target ChromeOS.

  • Added built-in label for ChromeOS.

  • Added query to fill in device_mapping from ChromeOS hosts.

  • Improved the performance of live query results rendering to address usability issues when querying tens of thousands of hosts.

  • Reduced size of live query websocket message by removing unused host data.

  • Added the POST /fleet/mdm/apple/profiles/preassign endpoint to store profiles to be assigned to a host for subsequent matching with an existing (or new) team.

  • Added the POST /fleet/mdm/apple/profiles/match endpoint to match pre-assigned profiles to an existing team or create one if needed, and assign the host to that team.

  • Updated GET /mdm/apple/profiles endpoint to return empty array instead of null if no profiles are found.

  • Improved ingestion of MDM devices from ABM:

    • If a device's operation_type is modified, but the device doesn't exist in Fleet yet, a DEP profile will be assigned to the device and a new record will be created in Fleet.
    • If a device's operation_type is deleted, the device won't be prompted to migrate to Fleet if the feature has been configured.
  • Added "Verified" profile status for profiles verified with osquery.

  • Added "Action required" status for disk encryption profile in UI for host details and device user pages.

  • Added UI for the end user authentication page for MDM macos setup.

  • Added new host detail query to verify MDM profiles and updated API to include verified status.

  • Added documentation in the guide for fleetctl get mdm-commands.

  • Moved post-DEP (automatic) MDM enrollment to a worker job for increased resiliency with retries.

  • Added better UI error for manual enroll MDM modal.

  • Updated GET /api/_version_/fleet/config to now omits fields smtp_settings and sso_settings if not set.

  • Added a response payload to the POST /api/latest/fleet/spec/teams contributor API endpoint so that it returns an object with a team_ids_by_name key which maps team names with their corresponding id.

  • Ensure we send post-enrollment commands to MDM devices that are re-enrolling after being wiped.

  • Added error message to UI when Redis disconnects during a live query session.

  • Optimized query used for listing activities on the dashboard.

  • Added ability for users to delete multiple pages of hosts.

  • Added ability to deselect label filter on host table.

  • Added support for value null on FLEET_JIT_USER_ROLE_GLOBAL and FLEET_JIT_USER_ROLE_TEAM_* SAML attributes. Fleet will accept and ignore such null attributes.

  • Deprecate enable_jit_role_sync setting and only change role for existing users if role attributes are set in the SAMLResponse.

  • Improved styling in sandbox mode.

  • Patched a potential security issue.

  • Improved icon clarity.

  • Fixed issues with the MDM migration flow.

  • Fixed a bug with applying team specs via fleetctl apply and updating a team via the PATCH /api/latest/fleet/mdm/teams/{id} endpoint so that the MDM updates settings (minimum_version and deadline) are not cleared if not provided in the payload.

  • Fixed table formatting for the output of fleetctl get mdm-command-results.

  • Fixed the /api/latest/fleet/mdm/apple_bm endpoint so that it returns 400 instead of 500 when it fails to authenticate with Apple's Business Manager API, as this indicates a Fleet configuration issue with the Apple BM certificate or token.

  • Fixed a bug that would show MDM URLs for the same server as different servers if they contain query parameters.

  • Fixed an issue preventing a user with the gitops role from applying some MDM settings via fleetctl apply (the macos_setup_assistant and bootstrap_package settings).

  • Fixed GET /api/v1/fleet/spec/labels/{name} endpoint so that it now includes the label id.

  • Fixed Observer/Observer+ role being able to see team secrets.

  • Fixed UI bug where inherited_page=0 was incorrectly added to some URLs.

  • Fixed misaligned icons in UI.

  • Fixed tab misalignment caused by new font.

  • Fixed dashed line styling on multiline activities.

  • Fixed a bug in the users table where users that are observer+ for all of more than one team were listed as "Various roles".

  • Fixed 500 error being returned if SSO session is not found.

  • Fixed issue with chrome_extensions virtual table not returning a path value on fleetd-chrome, which was breaking software ingestion.

  • Fixed bug with page navigation inside 'My Device' page.

  • Fixed a styling bug in the add hosts modal in sandbox mode.


Please visit our update guide for upgrade instructions.


Documentation for Fleet is available at

Binary Checksum


38fba86d16b314d12c22793917092fedd500037b87fbbd305031470d88dc99b4  fleet_v4.33.0_linux.tar.gz
b8d55372d8ffb29f91a742de2cb858a71ef76e05e2b71587fe824b5af154b8dc  fleetctl_v4.33.0_windows.tar.gz
d3ee828910273d33ae01a3a198e11d5248834d9fa99b4d05360deb32464fc99f  fleetctl_v4.33.0_linux.tar.gz
35660a2ce4589432ac1e6a52ad004f01d1258e3afaac30fefdc02072f6d2db7d  fleetctl_v4.33.0_macos.tar.gz


24 May 22:57
Choose a tag to compare


  • Added support to add a EULA as part of the AEP/DEP unboxing flow.

  • DEP enrollments configured with SSO now pre-populate the username/fullname fields during account

  • Integrated the macOS setup assistant feature with Apple DEP so that the setup assistants are assigned to the enrolled devices.

  • Re-assign and update the macOS setup assistants (and the default one) whenever required, such as
    when it is modified, when a host is transferred, a team is deleted, etc.

  • Added device-authenticated endpoint to signal the Fleet server to send a webhook request with the
    device UUID and serial number to the webhook URL configured for MDM migration.

  • Added UI for new automatic enrollment under the integration settings.

  • Added UI for end-user migration setup.

  • Changed macOS settings UI to always show the profile status aggregate data.

  • Revised validation errors returned for fleetctl mdm run-command.

  • Added mdm.macos_migration to app config.

  • Added PATCH /mdm/apple/setup endpoint.

  • Added enable_end_user_authentication to mdm.macos_setup in global app config and team config

  • Now tries to infer the bootstrap package name from the URL on upload if a content-disposition header is not provided.

  • Added wildcards to host search so when searching for different accented characters you get more results.

  • Can now reorder (and bookmark) policy tables by failing count.

  • On the login and password reset pages, added email validation and fixed some minor styling bugs.

  • Ensure sentence casing on labels on host details page.

  • Fix 3 Windows CIS benchmark policies that had false positive results initally merged March 24.

  • Fix of Fleet Server returning a duplicate OS version for Windows.

  • Improved loading UI for disk encryption controls page.

  • The 'GET /api/v1/fleet/hosts/{id}' and 'GET /api/v1/fleet/hosts/identifier/{identifier}' now
    include the software installed path on their payload.

  • Third party vulnerability integrations now include the installed path of the vulnerable software
    on each host.

  • Greyed out unusable select all queries checkbox.

  • Added page header for macOS updates UI.

  • Back to queries button returns to previous table state.

  • Bookmarkable URLs are now source of truth for Manage Queries page table state.

  • Added mechanism to refetch MDM enrollment status of a host pending unenrollment (due to a migration to Fleet) at a high interval.

  • Made sure every modal in the UI conforms to a consistent system of widths.

  • Team admins and team maintainers cannot save/update a global policy so hide the save button when viewing or running a global policy.

  • Policy description has text area instead of one-line area.

  • Users can now see the filepath of software on a host.

  • Added version info metadata file to Windows installer.

  • Fixed a bug where policy automations couldn't be updated without a webhook URL.

  • Fixed tooltip misalignment on software page.


Please visit our update guide for upgrade instructions.


Documentation for Fleet is available at

Binary Checksum


014cc7b4e8646fb23a4f97db3e17a55c4b4eb764b096bdf4762a400bab705b12  fleet_v4.32.0_linux.tar.gz
95b59b4a119863daa72c5e4db2ed0e1c52c987232c5d8a571aa6c0bd9b1c09f8  fleetctl_v4.32.0_macos.tar.gz
98828cde489d75198217e920f7919d8060153058bebc9948bdfe84501e02afe7  fleetctl_v4.32.0_linux.tar.gz
c6d4e32c6b901d5b1a5cd645d80f4c199a95a4a764b6cc4f1a0820b760f9be39  fleetctl_v4.32.0_windows.tar.gz


10 May 22:32
Choose a tag to compare


  • Fixed a bug that prevented bootstrap packages and the fleetd agent from being installed when the server had a database replica configured.


Please visit our update guide for upgrade instructions.


Documentation for Fleet is available at

Binary Checksum


40c2dc4d1222d6c7755f52f2a255c6b6f21ce82ea15139c0edc19f25107ce183  fleetctl_v4.31.1_macos.tar.gz
6aad26eaec54d2c7a94d5caf4aaf44ef1ef66b76b675cb4b12e14c75f7a6217c  fleetctl_v4.31.1_linux.tar.gz
ef60103ec80134aee703fc5b0084c8bd487ea0c920e5085ec4c7374f1c69aaae  fleet_v4.31.1_linux.tar.gz
ffb512076952d550094c243320314cffed0596e6b68e661ea47214c470d351d8  fleetctl_v4.31.1_windows.tar.gz