Fleet Release Notes

Follow

30 release notes curated from 22 sources by the Releasebot Team. Last updated: Jul 6, 2026

Get this feed:
  • Jul 2, 2026
    • Date parsed from source:
      Jul 2, 2026
    • First seen by Releasebot:
      Jul 6, 2026
    Fleet logo

    Fleet

    fleet-v4.88.0

    Fleet adds bug fixes for Apple and Windows MDM enrollment, including BYOD Apple support with per-host permissions that protect personal devices from remote wipe or lock, plus a fix for fleetd install issues that could stall Windows Autopilot enrollment.

    Bug fixes

    Added support for personal (BYOD) Apple MDM enrollment, tracking per-host enrollment permissions so that personal devices cannot be remotely wiped or locked, and preserving those permissions across SCEP/ACME certificate renewal.

    Fixed an issue where fleetd could intermittently fail to install during Windows MDM enrollment, which could cause the Windows Autopilot Enrollment Status Page to hang.

    Upgrading

    Please visit our update guide for upgrade instructions.

    Documentation

    Documentation for Fleet is available at fleetdm.com/docs.

    Binary Checksum

    SHA256

    85280edd8db7ad2212ba5456997cfacdfeeabaf5b6124732f6fb95df45324163 fleet_v4.88.0_linux.tar.gz

    847f9bfee46cd8a2f637975efbb4e8b5b2a5ed290af3759361721a4623338631 fleetctl_v4.88.0_linux_amd64.tar.gz

    8698436ad196fb0542705d9a1872f7f45a3804e40d87d5e66d889e5def928d73 fleetctl_v4.88.0_linux_amd64.zip

    80d52c9b38960a6ddbaf9e6b1545f2aba24210e5c9274efe716eaf7ec33183a5 fleetctl_v4.88.0_linux_arm64.tar.gz

    e2be3aa46de32dbde7e998ebf4ccf807021dec2468242f22f1efdd77e1f2014a fleetctl_v4.88.0_linux_arm64.zip

    e6cd3e2e28c955a9f64c8f12c50e1e78935b7a30dac0f9253726725633f19b5d fleetctl_v4.88.0_macos.tar.gz

    f192245fde09f6f9a2a14c34d443114104f55ec93841ec330d6149845b9a8794 fleetctl_v4.88.0_macos.zip

    3a113fdf800011ce006a1c68c00f039eaab5d3546c64d21b4bb02209391f55ff fleetctl_v4.88.0_windows_amd64.tar.gz

    109eda99ba889f9aa2d3e676748158cdacfa759125f8484817035beeae42a950 fleetctl_v4.88.0_windows_amd64.zip

    5b370cc2d208ce752b073fc11e24f77ad02294881b8ad01fc7ac6f4bc9518860 fleetctl_v4.88.0_windows_arm64.tar.gz

    4d029140b782793f5051068129410decfb19d819fb41f83880dccc2ee8304596 fleetctl_v4.88.0_windows_arm64.zip

    Original source
  • Jul 1, 2026
    • Date parsed from source:
      Jul 1, 2026
    • First seen by Releasebot:
      Jul 6, 2026
    Fleet logo

    Fleet

    v4.88.0: For 4.88 RC: Fix S3 file carve cleanup hang and rework reconciliation

    Fleet ships cherry pick #48561.

    Cherry picks #48561

    Original source
  • All of your release notes in one feed

    Join Releasebot and get updates from Fleet and hundreds of other software products.

    Create account
  • Jun 27, 2026
    • Date parsed from source:
      Jun 27, 2026
    • First seen by Releasebot:
      Jul 6, 2026
    Fleet logo

    Fleet

    fleet-v4.87.1

    Fleet fixes Apple SCEP profile retry handling, GitOps duplicate-entry errors in software categories, and a URL pagination bug in My device > Software, bringing cleaner behavior across certificates, GitOps, and device software views.

    Bug fixes

    Fixed a bug where an Apple SCEP certificate profile backed by NDES could be marked "failed" and consume one of the host's limited profile retry attempts when its challenge password expired, instead of being automatically resent with a fresh challenge.

    Fixed GitOps runs failing with a software_categories duplicate-entry error when a software category's name differed only by characters MySQL's collation treats as equal (such as the Unicode variation selector in default categories like "🖥️ Productivity").

    Fixed the My device > Software tab appending a macos_applications query parameter to the URL when paginating, even though that page has no /Applications filter.

    Upgrading

    Please visit our update guide for upgrade instructions.

    Documentation

    Documentation for Fleet is available at fleetdm.com/docs.

    Binary Checksum

    SHA256

    f2d4e41a21bb117adf090a5803866214ce976880fab0343252b8396d722c8447 fleet_v4.87.1_linux.tar.gz
    36adc7723f4b03eea01b287f1235010d036d7aa724dc6b1549150c43ce53c04d fleetctl_v4.87.1_linux_amd64.tar.gz
    c16fc64a4d82176d1f81eb3031024669a2c94f12a49eb2de081b9ca79986e399 fleetctl_v4.87.1_linux_amd64.zip
    634d314705e9f081a4a35c2eed0b689234b5883a18c88f2ca6129a251e685d43 fleetctl_v4.87.1_linux_arm64.tar.gz
    14bdf0e98f40e2620055cbf35dc7d2d2e51335a215a56290b74d1f4a5f162e25 fleetctl_v4.87.1_linux_arm64.zip
    a050f589a44152138527e42d0f2727f2f193eff3c9888f21805e6591b66ba14c fleetctl_v4.87.1_macos.tar.gz
    1901517bb3b62293c1666289795bd04438d43d0817a770a8e2655714c1300dc1 fleetctl_v4.87.1_macos.zip
    f1b86d55d567e56168b5760231aec16d1a7f3b6481bd077bdf96044e286958f5 fleetctl_v4.87.1_windows_amd64.tar.gz
    8bd5baa2ef829926b6539e935bdd34562018c640a28e53bdb14fcbf591b11db5 fleetctl_v4.87.1_windows_amd64.zip
    3fdccd663a6facd8b6dcd79d43c576b108090e7dcab9d00b8b3ffcd465781384 fleetctl_v4.87.1_windows_arm64.tar.gz
    08df1022f8fbd6b58995729697c6d520d7bda89253898f28ce405fcf169b4994 fleetctl_v4.87.1_windows_arm64.zip

    Original source
  • Jun 26, 2026
    • Date parsed from source:
      Jun 26, 2026
    • First seen by Releasebot:
      Jul 6, 2026
    Fleet logo

    Fleet

    v4.87.1

    Fleet adds changes for Fleet v4.87.1.

    Adding changes for Fleet v4.87.1 (#48290)

    Original source
  • Jun 23, 2026
    • Date parsed from source:
      Jun 23, 2026
    • First seen by Releasebot:
      Jul 6, 2026
    Fleet logo

    Fleet

    orbit-v1.57.0

    Fleet reverts its initial TPM-backed disk encryption support.

    Revert "Initial pass on TPM-backed disk encryption support (#46457)"

    Original source
  • Similar to Fleet with recent updates:

  • Jun 20, 2026
    • Date parsed from source:
      Jun 20, 2026
    • First seen by Releasebot:
      Jul 6, 2026
    Fleet logo

    Fleet

    v4.87.0

    Fleet adds changes for v4.87.0.

    Adding changes for Fleet v4.87.0 (#47109)

    Original source
  • Jun 20, 2026
    • Date parsed from source:
      Jun 20, 2026
    • First seen by Releasebot:
      Jul 6, 2026
    Fleet logo

    Fleet

    fleet-v4.87.0

    Fleet releases a major platform update with hundreds of new Windows and macOS managed apps, stronger Android and Apple device controls, custom OS update profiles, Fleet Spotlight, technician fleet transfers, and broad performance, security, and reliability improvements.

    Fleet 4.87.0 (Jun 19, 2026)

    IT Admins

    Added 236 new Fleet-maintained apps for Windows, including Microsoft Office, PowerShell, PowerToys, Power BI, Power Automate, SQL Server Management Studio, Microsoft .NET Runtime 8 and 10, Git, Node.js, Python 3.13 and 3.14, PostgreSQL 15–18, Windsurf, Kiro, Dell Command Update, Lenovo Dock Manager, Nessus Agent, Bitwarden, Canva, Miro, Snagit, Tableau Desktop, VirtualBox, TortoiseGit, GitHub Desktop, and more.

    Added 727 new Fleet-maintained apps for macOS, including Kiro, Codex, OpenCode, Claude DevTools, Granola, Logitune, and hundreds more tools across development, security, productivity, and design.

    Added the ability to deploy custom OS update configuration profiles for Apple and Windows.

    Added support for issuing Lock, Wipe, and Clear passcode commands to Android hosts. Lock and Clear passcode work for both BYO (personal) and COBO (company-owned) Android hosts; Wipe is COBO-only. For BYO hosts, Unenroll now issues an AMAPI WIPE under the hood, which removes only the work profile and leaves personal data intact. All Android commands are issued with duration=315360000s (10 years), matching the pending-forever queue semantics Fleet uses for Apple and Windows MDM.

    Made the Wipe command available to Fleet Free users for Android (company-owned) hosts, in both the UI and the API. Wipe for macOS, iOS, iPadOS, Linux, and Windows hosts remains a Fleet Premium feature.

    Android host display name now uses "{IdP first name}'s {hardware model}" when an IdP account is associated.

    Reduced Windows MDM server and database load by relaxing the device management poll schedule from 1 minute to 8 hours for hosts running a version of fleetd that supports on-demand Windows MDM sync (1.57.0 and later). When commands are queued, the server wakes these devices through fleetd to start a management session, so command delivery stays near real-time. Hosts on older fleetd versions keep the previous poll behavior.

    Renamed Apple Business Manager (ABM) terminology to Apple Business (AB) in the API, GitOps YAML, and fleetctl CLI. The new /api/v1/fleet/ab_tokens and /api/v1/fleet/mdm/apple/ab_public_key endpoints, mdm.apple_business YAML key, and fleetctl get mdm-ab/fleetctl generate mdm-ab commands are canonical. The now-deprecated /abm_tokens, /mdm/apple/abm_public_key, apple_business_manager, mdm-apple-bm aliases continue to work for backwards compatibility and log a deprecation warning when used.

    labels_exclude_any can now be combined with labels_include_all or labels_include_any when uploading MDM configuration profiles, allowing hosts to be included by label membership and excluded by another set of labels simultaneously.

    Added support for setting the end user account type to standard for a standard (non-admin) user or none to skip end-user account creation, both requiring a local admin account.

    Added a "Continuous" option to policy automations that re-runs script and software automations on every subsequent policy failure, with editable automations now available directly on the policy create, edit, and details pages.

    Added the ability for users with the Technician role to transfer hosts between fleets (Fleet Premium only). Global technicians can transfer hosts via the Fleet UI (manage hosts and host details pages) and the REST API. Fleet-scoped technicians can transfer hosts between fleets they manage via the REST API.

    Added Self-service categories page (Premium) under Software > Library for managing custom categories per fleet, including add, edit, and delete flows.

    Added Categories button to the Software > Library page that navigates to the new categories page.

    Replaced the static category sidebar on the My device > Self-service page with a custom-category dropdown driven by the org's self-service categories, and added an "Install all (n)" button per category (with a confirmation modal) that posts to /device/{token}/software/install_all?category_id=:id.

    Added macos_applications filter for host software list.

    Added Fleet "Spotlight" - A command palette that opens when pressing Command + K or Control + K.

    Added a "My device" button on the host details User card so global admins can open the host's end-user My device page in a new tab; Fleet refreshes or generates the device auth token as needed so the link is always valid.

    Showed the end user's IdP full name (e.g. "Jane Doe's device") on the My device page header and browser tab when available; falls back to "My device" otherwise.

    Added support for configuring an optional SES sender domain.

    Security Engineers

    Added support for validating Microsoft Entra v2 access tokens during Windows MDM enrollment. Effective July 1, 2026, new on-premises MDM applications created via the Entra portal flow issue v2 access tokens whose audience (aud) is the application's client ID; adding the client ID lets these applications enroll Windows hosts. Existing v1 tokens (audience = Fleet server URL) continue to work unchanged.

    Hardened in-house iOS app distribution by requiring a per-install token in the manifest and package download URLs. The token is minted when an install is enqueued, bound to the target host, and expires after 6 hours, aligning the in-house download flow with the URL-token authentication already used by Fleet's MDM installer and software installer download endpoints.

    Added GCS IAM authentication support for software installers S3 storage using Google Application Default Credentials (ADC) bearer tokens instead of S3 HMAC keys. Configurable via s3_software_installers_gcs_iam_auth.

    Added GCS IAM authentication support for file carving S3 storage. Configurable via s3_carves_gcs_iam_auth.

    Added route-aware head sampling for OpenTelemetry trace export. When tracing_enabled is on, agent firehose endpoints (osquery distributed read/write, orbit ping/config, device desktop/ping) are sampled at 0.1% by default, admin reads at 2%, and everything else (enroll, SCEP, MDM checkin, cron jobs, GitOps batch) at 100%. Liveness probes (/healthz, /version, /metrics) are dropped unconditionally.

    Added GET/PATCH /debug/trace_sampler (admin only, behind the existing /debug auth) for adjusting ratios or flipping a 100% force_full debug window at runtime. Each Fleet replica polls the new trace_sampler_settings row every 60 seconds and applies changes without a restart.

    Updated the vulnerability processing guide to clarify Linux vulnerability scanning coverage, including a per-distribution table covering OS/kernel, system packages, and cross-platform packages and which scanner is used for each.

    Bug fixes and improvements

    Updated Go to 1.26.4.

    Significantly improved performance of the Apple profile and DDM reconciler.

    Improved the performance of listing labels with host counts by aggregating membership counts in a single pass instead of a per-label subquery, and skipping the unnecessary join to the hosts table when the requesting user can see all hosts.

    Android profiles now use content checksums to determine when to re-sync, avoiding unnecessary re-delivery on unrelated policy changes.

    Long policy resolution text now wraps on the policy details page instead of being truncated.

    Updated initialization semantics around api_endpoints. The catalog is now loaded from the embedded YAML once at package initialization time.

    Added Python 3.14 and Python 3.13 as Windows Fleet-maintained apps.

    Normalized Python's reported version on Windows (e.g. 3.14.5150.0 -> 3.14.5) so software inventory and vulnerability matching use the real version.

    Replaced the "Osquery" column with a richer "Agent" column on the Hosts page that shows Orbit version with a tooltip displaying osquery, Orbit, and Fleet Desktop versions.

    Hid "Issues" and "Private IP address" columns by default for new Fleet instances.

    Added hosts page tooltip to MDM status on hover.

    Added certificate rollover process to MDM assets tool.

    Added a migration cleanup tool for recovering failed starts after renumbered migrations.

    Added each platform's percentage of total enrolled hosts to the "Hosts enrolled" card tooltip on the dashboard.

    Updated conditional access policy query to use parameter binding for platform filter.

    Rejected Windows MDM configuration profiles that don't contain at least one supported SyncML top-level element (, , , or ), so non-XML or empty payloads are caught at upload instead of failing on devices.

    Updated to now prevent deleting a label that is in use by an MDM configuration profile or declaration, returning an error instead of silently breaking the profile's label targeting.

    Raised the default FLEET_REDIS_HOST_CACHE_TTL from 60s to 180s and removed the reverse-index GETs that the host-update invalidation path performed. Together these reduce DB reader load and lower Redis CPU usage.

    Surfaced continuous_automations_enabled in GitOps YAML (read and generated by fleetctl generate-gitops).

    Stopped the 1Password autofill icon from appearing on Fleet UI inputs that are not credential fields.

    Hid the "Rotate password" button in the Recovery Lock password modal for users with the Observer role, instead of showing it as disabled.

    Updated Android Enterprise connect to surface real error messages to the user.

    Updated self-service activity copy to passive voice without an "end user" actor (e.g. "GitHub Desktop was installed on this host (self-service).") on both the host activity feed and the dashboard global activity feed.

    Updated GitOps error message about exceptions to include the URL to visit to disable exceptions.

    Updated the error displayed when GitOps encounters an unknown env var to account for cases where the string is a literal that needs escaping.

    Removed orphaned duplicate SCEP certificates from the per-user keychain automatically after an Okta conditional access profile is reinstalled or renewed on macOS hosts.

    Reduced the Apple MDM lock state cleanup timeout from 5 minutes to 1 minute, decreasing the time a recently unlocked host may still appear as locked in Fleet.

    Rejected Windows MDM configuration profiles whose is empty, starts with /, or contains .. path traversal segments, so invalid OMA-DM URIs are caught at upload instead of failing on devices.

    Refactored ListHostSoftware and ModifyAppConfig into smaller helpers so nilaway can analyze them for nil-pointer dereferences.

    Refactored MDM profile label-targeting logic (include all/any, exclude any) into a shared platform-neutral package so Apple and Windows reconcilers use the same rules.

    Slimmed down the POST /api/v1/fleet/targets response to omit unused fields.

    GitOps now prints a message for each software package it will delete.

    Fixed the Add host modal so its read-only installer command fields can no longer be resized.

    Fixed an issue where the checkerboard would be colored based on relative percentages rather than relative absolute value.

    Fixed a race condition where deleting a policy while a host had an outstanding distributed query for that policy caused a foreign key constraint error during /api/v1/osquery/distributed/write.

    Fixed SCEP PKIOperation handler incorrectly decoding base64 + characters as spaces.

    Fixed software installer edits cancelling pending setup experience installs and causing setup experience to fail if all software is required.

    Fixed a bug where navigating to the Fleet root URL returned a 404 in subpath deployments.

    Fixed bug in apply to prevent setup_experience in software items from being renamed to macos_setup.

    Fixed a bug where the "Add custom variable" modal would clear entered values when switching focus to another browser tab or application window.

    Fixed fleetctl preview disabling dashboard chart data collection (Hosts online, Vulnerability exposure) on startup.

    Fixed a race condition after Windows BYOD MDM enrollment (Settings > Access work or school > Connect) where mdm_windows_enrollments.host_uuid stayed empty for several seconds, causing server-side enrollment lookups to miss. The enrollment is now linked to the Fleet host record at the first management session via OMA-DM DevDetail/SMBIOSSerialNumber instead of waiting for osquery's distributed-read backfill.

    Fixed MDM status column in the host table showing "On (automatic)" instead of "On (company-owned)".

    Fixed logout/login redirects to respect the URL prefix in subpath deployments.

    Fixed the mdm_unenrolled activity not appearing in a host's activity timeline on the host details page.

    Fixed software titles displaying the raw package name instead of the admin-set display name in the policy automations list and edit modal, the patch automation CTA, the hosts software filter pill, and the setup experience software row.

    Fixed an issue where ADE-enrolled macOS hosts didn't report FileVault until restarted.

    Fixed Android profiles temporarily failing when transferred to a team with certificates by ensuring certificates are provisioned before dependent profiles are applied.

    Fixed an issue where the "Get host's OS settings" API endpoint returned an error when only Android MDM was enabled.

    Fixed fleetctl get fleets (and fleetctl get teams) so the software section, including each app's setup_experience value, reflects the real configuration instead of being read from the (potentially stale) team config. Software is now fetched from the software titles and setup experience endpoints, which are the source of truth.

    Fixed an issue where GitOps would fail on the first run after deleting the bootstrap package in the UI.

    Fixed login failing with an "Authentication Required" error when Fleet is served over HTTP, by storing the auth token in a non-secure cookie outside of HTTPS contexts.

    Fixed Android devices losing their team assignment and certificate configuration when the host record is deleted and the device re-enrolls.

    Fixed a bug where host vitals labels (e.g. IdP group/department labels) scoped to a fleet/team never got any hosts. The membership cron only looked at global labels, and team-scoped IdP labels also failed to populate due to an incorrect SQL join.

    Fixed inline error for duplicate certificate name not showing when the conflicting certificate is on a different page.

    Fixed a server out-of-memory crash that could occur when Apple's VPP (App and Book Management) API repeatedly returned transient errors (HTTP 500 with Retry-After, or error 9646) during VPP API operations (e.g., app installs, user registration, license seat releases).

    Fixed Fedora wipe to delete btrfs snapshots (including read-only ones) before wiping the filesystem, preventing snapshots from surviving the wipe.

    Fixed Scripts library action buttons (edit, download, delete) being unreachable via keyboard navigation, and added accessible labels so screen readers can distinguish them.

    Fixed corrupted vulnerabilities download removing existing detections.

    Fixed iOS and iPadOS logos on the OS list in dark theme.

    Fixed a bug where deleting one of multiple duplicate DEP hosts did not resolve the duplicate. Fleet no longer recreates a pending host record when another host with the same serial and platform still exists.

    Fixed an issue where updating the device mapping for a host with no user, or a non-existent IdP user, would not resend config profiles using IdP variables.

    Fixed a bug where the carve cleanup cron job called the MySQL implementation instead of the S3-aware implementation on S3-configured deployments, meaning expired carves were never marked as expired in S3. Also fixed a panic in S3 carve cleanup that occurred when there were no non-expired carves.

    Fixed Android Enterprise page not refreshing after connecting or disconnecting Android MDM, so the Enterprise ID and card state are visible without a manual page reload.

    Fixed List certificate templates API docs: query parameter was incorrectly documented as fleet instead of fleet_id, causing the parameter to be silently ignored and returning no results.

    Fixed a bug where Android device check-ins could silently revert admin team transfers.

    Fixed GET /api/v1/fleet/vulnerabilities returning raw SQL errors when using cursor pagination (after) with order_key set to cve, hosts_count, or cve_published.

    Fixed a bug where patch policies with software install automations used an inactive, older installer and not the latest.

    Fixed "Show example payload" button being incorrectly disabled in GitOps mode on the "Other workflows" and "Calendar events" policy automation modals.

    Fixed stale pending MDM profiles reappearing after globally toggling Apple or Windows MDM off and back on.

    Fixed the live policy page not using the full page width like the live query page does.

    Fixed a bug where in GitOps, if a patch policy was specified with a different FMA slug for the install software automation, it would be used for the query instead of the slug for the patch policy itself.

    Fixed false positive vulnerability CVE-2017-17522 reported for Python (this CVE is disputed and not exploitable).

    Fixed false positive vulnerability CVE-2023-36632 reported for Python (this CVE is disputed; the reported behavior is intentional).

    Fixed false positive vulnerability CVE-2024-3219 reported for Python on macOS and Linux hosts (this CVE only affects Windows).

    Fixed the GET /api/v1/fleet/hosts endpoint so that filtering Android hosts by os_name=Android and os_version= returns the matching hosts. Android hosts now populate the operating_systems table on enrollment and on every status report, and also appear in the GET /api/v1/fleet/os_versions aggregation and OS list in the UI with the Android logo.

    Fixed "User email" in device_mapping being unset in GET /api/v1/fleet/hosts for Windows and Linux hosts enrolling with end-user authentication.

    Fixed GET /api/v1/fleet/software/versions returning HTTP 422 "too many placeholders" when called without a per_page parameter on instances with large software inventories.

    Fixed host software list surfacing stale installer metadata after a Fleet-maintained app was replaced, which caused label scope to be evaluated against the previous installer and disagree with the install endpoint.

    Fixed the "host is offline" banner on the My device page incorrectly appearing during the first few minutes after an enrollment.

    Fixed software title icon not-found errors (and other 4xx errors) being reported as server-side exceptions in OTEL traces, APM, Sentry, and the Redis-backed debug errors endpoint.

    Fixed the host's Software UI showing a date decades in the past (e.g. "over 46 years ago") instead of "Never" for apps reporting a sentinel last_opened_time such as 315532800 (1980-01-01 UTC) that were never opened. Added a migration to clear these sentinel values from previously ingested software.

    Fixed latency issues with /vulnerabilities and filtered /software/versions queries.

    Fixed fleetctl gitops to refuse to apply SSO / EUA config that is missing required fields, if SSO is enabled globally or EUA is enabled on any team.

    Fleet-maintained app updates and vulnerability fixes are applied, whether or not you upgrade.

    Fleet's agent

    The following version of Fleet's agent (fleetd) support the latest changes to Fleet:

    • orbit-v1.56.3
    • fleet-desktop-v1.56.3 (included with Orbit)
    • osquery-5.23.0 (included with Orbit)
    • fleetd-chrome-v1.3.5
    • fleetd-android-v1.5.0

    While newer versions of fleetd still function with older versions of Fleet, old versions of fleetd and osquery may not function with new versions of Fleet. We do not actively test these scenarios, and we recommend deploying a minimum of the agent versions above before upgrading to this version of Fleet.

    Upgrading

    Please visit our upgrade guide for upgrade instructions.

    Documentation

    Documentation for Fleet is available at fleetdm.com/docs.

    Binary Checksum

    SHA256

    84c30873b5c5f19eb106af06b683d1417cfe31e6ea83d20d4accabbbbb0a30c6 fleet_v4.87.0_linux.tar.gz

    5e66cac64e638653d10408c0cb29a4347777c20f42918c71c44f401dcd5782c9 fleetctl_v4.87.0_linux_amd64.tar.gz

    582ca37fa6f8d346b76accc01ba54c84580b5226b4bcac1b77cf16acc0dca758 fleetctl_v4.87.0_linux_amd64.zip

    abfe74b1205db855d84089293e83f0da6879e9189b10d00e4b955103fabdb4ca fleetctl_v4.87.0_linux_arm64.tar.gz

    30dfe07dc79fa29f6041453f679eb0cf447a8ed9ead60ce2b8d3a78320654397 fleetctl_v4.87.0_linux_arm64.zip

    e120376970999454621c8681dd93e5550a8abc215cdaf0fc829e4fdf6920c721 fleetctl_v4.87.0_macos.tar.gz

    3bfa0dab428a5f16d663f01f04ad5a1470c6a717dc6d7c5ee8635f7fa6e27123 fleetctl_v4.87.0_macos.zip

    b90daa7e89a5650bc53ab44278da28a2a73caafcb9d33bce6d5eb9061aaa2c08 fleetctl_v4.87.0_windows_amd64.tar.gz

    0c5b67741f2b656e6ce3d25c363add56edf22b40c772a197a5c632d26da99752 fleetctl_v4.87.0_windows_amd64.zip

    149097c840c4561d9108689db2ac7c492cf52a57ff50b228148af4054fa2823f fleetctl_v4.87.0_windows_arm64.tar.gz

    df24bc4512030f99f58da991fc2f3712a82624ac3bb0b690d21966f4f4924f21 fleetctl_v4.87.0_windows_arm64.zip

    Original source
  • Jun 19, 2026
    • Date parsed from source:
      Jun 19, 2026
    • First seen by Releasebot:
      Jul 6, 2026
    Fleet logo

    Fleet

    Fleet 4.87.0 | 800+ new apps, custom OS updates, Android commands, and more...

    Fleet releases 4.87.0 with 800+ new Fleet-maintained apps, custom OS update profiles, richer configuration targeting, macOS setup assistant controls, Android lock/wipe/passcode commands, continuous policy retries, and a new command palette.

    Fleet 4.87.0 is now available. See the complete changelog or read on for highlights. For upgrade instructions, visit the upgrade guide in the Fleet docs.

    Highlights

    • 800+ new Fleet-maintained apps
    • Custom OS update profiles
    • Configuration profiles: Include + exclude
    • macOS local account: non-admin (standard) or skip
    • Self-service software categories
    • Android commands: Lock, wipe, & clear passcode
    • Policy automation continuous retry
    • Command palette

    800+ new Fleet-maintained apps

    Available in Fleet Premium

    Fleet 4.87 adds 800+ new Fleet-maintained apps which brings the catalog to over 1,250 apps. IT admins can add any of these under Software > Add software > Fleet-maintained and deploy with a single click.

    Windows gets its biggest catalog expansion yet. Highlights include:

    • Microsoft Office, PowerShell, PowerToys, Power BI, Power Automate, SQL Server Management Studio for Windows-centric environments
    • Git, Node.js, Python 3.13 and 3.14, PostgreSQL 15–18 for development teams
    • Windsurf and Kiro for developers using AI-powered coding IDEs
    • Dell Command Update and Lenovo Dock Manager for hardware fleet management
    • Nessus Agent for vulnerability scanning and Bitwarden for password management

    New macOS apps include Kiro, Codex, and OpenCode for AI-assisted development, plus hundreds more tools across productivity, design, security, and media.

    Custom OS update profiles

    Available in Fleet Premium

    Fleet now supports deploying custom Declarative Device Management (DDM) Software Update enforcement declarations on macOS, iOS, and iPadOS, as well as custom Windows profiles using the Windows Update CSPs. This gives IT admins full control over OS update enforcement, including the exact enforcement deadline time.

    Fleet enforces mutual exclusion with its built-in OS update controls: configuring both returns a clear error, so nothing conflicts silently.

    GitHub issue: #38802

    Configuration profiles: Include + exclude

    Available in Fleet Premium

    Configuration profiles now support combining the Include any label targeting, a host receives a profile if it matches any label in the include list, with the new Exclude any option. This way, IT admins can define broad inclusions and exclude specific hosts without writing complex label queries.

    For example: deliver a Wi-Fi profile to all macOS devices (include_any: macOS) while excluding hosts tagged "Guest" or "Loaner." Both options work across all platforms: macOS, iOS, iPadOS, Windows, and Android.

    GitHub issue: #32073

    macOS local account: non-admin (standard) or skip

    Available in Fleet Premium

    Building on the local admin account introduced in 4.85 and password rotation added in 4.86, Fleet now lets IT admins control the end-user account type during macOS Setup Assistant. On the Controls > Setup experience > Users page, choose Standard to create a non-admin end-user account, or Skip to skip end-user account creation entirely. This is useful when the hidden admin is the only local account the device needs. Selecting Standard or Skip automatically requires the hidden local admin to be created.

    GitHub issue: #41781

    Self-service software categories

    Available in Fleet Premium

    IT admins can now create custom software categories to bucket applications by team, role, or project (e.g., "Product development") so end users can get fully set up for their projects. End users see an Install all in category button that installs all apps in a category, in alphanumeric order, with a single click.

    GitHub issue: #39018

    Android commands: Lock, wipe, & clear passcode

    Available in Fleet Premium

    Fleet can now send lock, wipe, and clear passcode commands to Android hosts directly from the Host details page. For company-owned (fully managed) devices, all three commands are available. For personally-owned (BYOD) Android hosts, lock and clear passcode are available and scoped to the work profile. Each action is logged in Fleet's audit logs. The fleetctl CLI tool also supports these via fleetctl mdm lock, fleetctl mdm wipe, and fleetctl mdm clear-passcode commands.

    GitHub issue: #41683

    Policy automation continuous retry

    Available in Fleet Premium

    A new Run automation on every failure option lets IT admins trigger software installation or script-run automations every time a host fails a policy check, not just the first time. If a host falls back out of compliance after an initial remediation or the initial remediation fails, Fleet automatically runs the fix again without manual intervention.

    GitHub issue: #42651

    Command palette

    Fleet now includes a command palette. Press ⌘+K (or Ctrl+K on Windows and Linux) from anywhere in the app to instantly navigate to any page, trigger any action, or jump to any setting. The palette respects your role by showing or hiding items based on your permissions. Fleet Premium users with multiple fleets can jump directly to the fleet switcher with ⌘+Shift+F (Ctrl+Shift+F on Windows and Linux). Sub-pages let you search hosts, software titles, reports, and policies by name without leaving the keyboard.

    GitHub issue: #43757

    Changes

    IT Admins

    • Added 236 new Fleet-maintained apps for Windows, including Microsoft Office, PowerShell, PowerToys, Power BI, Power Automate, SQL Server Management Studio, Microsoft .NET Runtime 8 and 10, Git, Node.js, Python 3.13 and 3.14, PostgreSQL 15–18, Windsurf, Kiro, Dell Command Update, Lenovo Dock Manager, Nessus Agent, Bitwarden, Canva, Miro, Snagit, Tableau Desktop, VirtualBox, TortoiseGit, GitHub Desktop, and more.
    • Added 727 new Fleet-maintained apps for macOS, including Kiro, Codex, OpenCode, Claude DevTools, Granola, Logitune, and hundreds more tools across development, security, productivity, and design.
    • Added the ability to deploy custom OS update configuration profiles for Apple and Windows.
    • Added support for issuing Lock, Wipe, and Clear passcode commands to Android hosts. Lock and Clear passcode work for both BYO (personal) and COBO (company-owned) Android hosts; Wipe is COBO-only. For BYO hosts, Unenroll now issues an AMAPI WIPE under the hood, which removes only the work profile and leaves personal data intact. All Android commands are issued with duration=315360000s (10 years), matching the pending-forever queue semantics Fleet uses for Apple and Windows MDM.
    • Made the Wipe command available to Fleet Free users for Android (company-owned) hosts, in both the UI and the API. Wipe for macOS, iOS, iPadOS, Linux, and Windows hosts remains a Fleet Premium feature.
    • Android host display name now uses "{IdP first name}'s {hardware model}" when an IdP account is associated.
    • Reduced Windows MDM server and database load by relaxing the device management poll schedule from 1 minute to 8 hours for hosts running a version of fleetd that supports on-demand Windows MDM sync (1.57.0 and later). When commands are queued, the server wakes these devices through fleetd to start a management session, so command delivery stays near real-time. Hosts on older fleetd versions keep the previous poll behavior.
    • Renamed Apple Business Manager (ABM) terminology to Apple Business (AB) in the API, GitOps YAML, and fleetctl CLI. The new /api/v1/fleet/ab_tokens and /api/v1/fleet/mdm/apple/ab_public_key endpoints, mdm.apple_business YAML key, and fleetctl get mdm-ab / fleetctl generate mdm-ab commands are canonical. The now-deprecated /abm_tokens, /mdm/apple/abm_public_key, apple_business_manager, mdm-apple-bm aliases continue to work for backwards compatibility and log a deprecation warning when used.
    • labels_exclude_any can now be combined with labels_include_all or labels_include_any when uploading MDM configuration profiles, allowing hosts to be included by label membership and excluded by another set of labels simultaneously.
    • Added support for setting the end user account type to standard for a standard (non-admin) user or none to skip end-user account creation, both requiring a local admin account.
    • Added a "Continuous" option to policy automations that re-runs script and software automations on every subsequent policy failure, with editable automations now available directly on the policy create, edit, and details pages.
    • Added the ability for users with the Technician role to transfer hosts between fleets (Fleet Premium only). Global technicians can transfer hosts via the Fleet UI (manage hosts and host details pages) and the REST API. Fleet-scoped technicians can transfer hosts between fleets they manage via the REST API.
    • Added Self-service categories page (Premium) under Software > Library for managing custom categories per fleet, including add, edit, and delete flows.
    • Added Categories button to the Software > Library page that navigates to the new categories page.
    • Replaced the static category sidebar on the My device > Self-service page with a custom-category dropdown driven by the org's self-service categories, and added an "Install all (n)" button per category (with a confirmation modal) that posts to /device/{token}/software/install_all?category_id=:id.
    • Added macos_applications filter for host software list.
    • Added Fleet "Spotlight" - A command palette that opens when pressing Command + K or Control + K.
    • Added a "My device" button on the host details User card so global admins can open the host's end-user My device page in a new tab; Fleet refreshes or generates the device auth token as needed so the link is always valid.
    • Showed the end user's IdP full name (e.g. "Jane Doe's device") on the My device page header and browser tab when available; falls back to "My device" otherwise.
    • Added support for configuring an optional SES sender domain.

    Security Engineers

    • Added support for validating Microsoft Entra v2 access tokens during Windows MDM enrollment. Effective July 1, 2026, new on-premises MDM applications created via the Entra portal flow issue v2 access tokens whose audience (aud) is the application's client ID; adding the client ID lets these applications enroll Windows hosts. Existing v1 tokens (audience = Fleet server URL) continue to work unchanged.
    • Hardened in-house iOS app distribution by requiring a per-install token in the manifest and package download URLs. The token is minted when an install is enqueued, bound to the target host, and expires after 6 hours, aligning the in-house download flow with the URL-token authentication already used by Fleet's MDM installer and software installer download endpoints.
    • Added GCS IAM authentication support for software installers S3 storage using Google Application Default Credentials (ADC) bearer tokens instead of S3 HMAC keys. Configurable via s3_software_installers_gcs_iam_auth.
    • Added GCS IAM authentication support for file carving S3 storage. Configurable via s3_carves_gcs_iam_auth.
    • Added route-aware head sampling for OpenTelemetry trace export. When tracing_enabled is on, agent firehose endpoints (osquery distributed read/write, orbit ping/config, device desktop/ping) are sampled at 0.1% by default, admin reads at 2%, and everything else (enroll, SCEP, MDM checkin, cron jobs, GitOps batch) at 100%. Liveness probes (/healthz, /version, /metrics) are dropped unconditionally.
    • Added GET / PATCH /debug/trace_sampler (admin only, behind the existing /debug auth) for adjusting ratios or flipping a 100% force_full debug window at runtime. Each Fleet replica polls the new trace_sampler_settings row every 60 seconds and applies changes without a restart.
    • Updated the vulnerability processing guide to clarify Linux vulnerability scanning coverage, including a per-distribution table covering OS/kernel, system packages, and cross-platform packages and which scanner is used for each.

    Bug fixes and improvements

    • Updated Go to 1.26.4
    • Significantly improved performance of the Apple profile and DDM reconciler.
    • Improved the performance of listing labels with host counts by aggregating membership counts in a single pass instead of a per-label subquery, and skipping the unnecessary join to the hosts table when the requesting user can see all hosts.
    • Android profiles now use content checksums to determine when to re-sync, avoiding unnecessary re-delivery on unrelated policy changes.
    • Long policy resolution text now wraps on the policy details page instead of being truncated.
    • Updated initialization semantics around api_endpoints. The catalog is now loaded from the embedded YAML once at package initialization time.
    • Added Python 3.14 and Python 3.13 as Windows Fleet-maintained apps.
    • Normalized Python's reported version on Windows (e.g. 3.14.5150.0 -> 3.14.5) so software inventory and vulnerability matching use the real version.
    • Replaced the "Osquery" column with a richer "Agent" column on the Hosts page that shows Orbit version with a tooltip displaying osquery, Orbit, and Fleet Desktop versions.
    • Hid "Issues" and "Private IP address" columns by default for new Fleet instances.
    • Added hosts page tooltip to MDM status on hover.
    • Added certificate rollover process to MDM assets tool.
    • Added a migration cleanup tool for recovering failed starts after renumbered migrations.
    • Added each platform's percentage of total enrolled hosts to the "Hosts enrolled" card tooltip on the dashboard.
    • Updated conditional access policy query to use parameter binding for platform filter.
    • Rejected Windows MDM configuration profiles that don't contain at least one supported SyncML top-level element (, , , or ), so non-XML or empty payloads are caught at upload instead of failing on devices.
    • Updated to now prevent deleting a label that is in use by an MDM configuration profile or declaration, returning an error instead of silently breaking the profile's label targeting.
    • Raised the default FLEET_REDIS_HOST_CACHE_TTL from 60s to 180s and removed the reverse-index GETs that the host-update invalidation path performed. Together these reduce DB reader load and lower Redis CPU usage.
    • Surfaced continuous_automations_enabled in GitOps YAML (read and generated by fleetctl generate-gitops).
    • Stopped the 1Password autofill icon from appearing on Fleet UI inputs that are not credential fields.
    • Hid the "Rotate password" button in the Recovery Lock password modal for users with the Observer role, instead of showing it as disabled.
    • Updated Android Enterprise connect to surface real error messages to the user.
    • Updated self-service activity copy to passive voice without an "end user" actor (e.g. "GitHub Desktop was installed on this host (self-service).") on both the host activity feed and the dashboard global activity feed.
    • Updated GitOps error message about exceptions to include the URL to visit to disable exceptions.
    • Updated the error displayed when GitOps encounters an unknown env var to account for cases where the string is a literal that needs escaping.
    • Removed orphaned duplicate SCEP certificates from the per-user keychain automatically after an Okta conditional access profile is reinstalled or renewed on macOS hosts.
    • Reduced the Apple MDM lock state cleanup timeout from 5 minutes to 1 minute, decreasing the time a recently unlocked host may still appear as locked in Fleet.
    • Rejected Windows MDM configuration profiles whose is empty, starts with /, or contains .. path traversal segments, so invalid OMA-DM URIs are caught at upload instead of failing on devices.
    • Refactored ListHostSoftware and ModifyAppConfig into smaller helpers so nilaway can analyze them for nil-pointer dereferences.
    • Refactored MDM profile label-targeting logic (include all/any, exclude any) into a shared platform-neutral package so Apple and Windows reconcilers use the same rules.
    • Slimmed down the POST /api/v1/fleet/targets response to omit unused fields.
    • GitOps now prints a message for each software package it will delete.
    • Fixed the Add host modal so its read-only installer command fields can no longer be resized.
    • Fixed an issue where the checkerboard would be colored based on relative percentages rather than relative absolute value.
    • Fixed a race condition where deleting a policy while a host had an outstanding distributed query for that policy caused a foreign key constraint error during /api/v1/osquery/distributed/write.
    • Fixed SCEP PKIOperation handler incorrectly decoding base64 + characters as spaces.
    • Fixed software installer edits cancelling pending setup experience installs and causing setup experience to fail if all software is required.
    • Fixed a bug where navigating to the Fleet root URL returned a 404 in subpath deployments.
    • Fixed bug in apply to prevent setup_experience in software items from being renamed to macos_setup.
    • Fixed a bug where the "Add custom variable" modal would clear entered values when switching focus to another browser tab or application window.
    • Fixed fleetctl preview disabling dashboard chart data collection (Hosts online, Vulnerability exposure) on startup.
    • Fixed a race condition after Windows BYOD MDM enrollment (Settings > Access work or school > Connect) where mdm_windows_enrollments.host_uuid stayed empty for several seconds, causing server-side enrollment lookups to miss. The enrollment is now linked to the Fleet host record at the first management session via OMA-DM DevDetail/SMBIOSSerialNumber instead of waiting for osquery's distributed-read backfill.
    • Fixed MDM status column in the host table showing "On (automatic)" instead of "On (company-owned)".
    • Fixed logout/login redirects to respect the URL prefix in subpath deployments.
    • Fixed the mdm_unenrolled activity not appearing in a host's activity timeline on the host details page.
    • Fixed software titles displaying the raw package name instead of the admin-set display name in the policy automations list and edit modal, the patch automation CTA, the hosts software filter pill, and the setup experience software row.
    • Fixed an issue where ADE-enrolled macOS hosts didn't report FileVault until restarted.
    • Fixed Android profiles temporarily failing when transferred to a team with certificates by ensuring certificates are provisioned before dependent profiles are applied.
    • Fixed an issue where the "Get host's OS settings" API endpoint returned an error when only Android MDM was enabled.
    • Fixed fleetctl get fleets (and fleetctl get teams) so the software section, including each app's setup_experience value, reflects the real configuration instead of being read from the (potentially stale) team config. Software is now fetched from the software titles and setup experience endpoints, which are the source of truth.
    • Fixed an issue where GitOps would fail on the first run after deleting the bootstrap package in the UI.
    • Fixed login failing with an "Authentication Required" error when Fleet is served over HTTP, by storing the auth token in a non-secure cookie outside of HTTPS contexts.
    • Fixed Android devices losing their team assignment and certificate configuration when the host record is deleted and the device re-enrolls.
    • Fixed a bug where host vitals labels (e.g. IdP group/department labels) scoped to a fleet/team never got any hosts. The membership cron only looked at global labels, and team-scoped IdP labels also failed to populate due to an incorrect SQL join.
    • Fixed inline error for duplicate certificate name not showing when the conflicting certificate is on a different page.
    • Fixed a server out-of-memory crash that could occur when Apple's VPP (App and Book Management) API repeatedly returned transient errors (HTTP 500 with Retry-After, or error 9646) during VPP API operations (e.g., app installs, user registration, license seat releases).
    • Fixed Fedora wipe to delete btrfs snapshots (including read-only ones) before wiping the filesystem, preventing snapshots from surviving the wipe.
    • Fixed Scripts library action buttons (edit, download, delete) being unreachable via keyboard navigation, and added accessible labels so screen readers can distinguish them.
    • Fixed corrupted vulnerabilities download removing existing detections.
    • Fixed iOS and iPadOS logos on the OS list in dark theme.
    • Fixed a bug where deleting one of multiple duplicate DEP hosts did not resolve the duplicate. Fleet no longer recreates a pending host record when another host with the same serial and platform still exists.
    • Fixed an issue where updating the device mapping for a host with no user, or a non-existent IdP user, would not resend config profiles using IdP variables.
    • Fixed a bug where the carve cleanup cron job called the MySQL implementation instead of the S3-aware implementation on S3-configured deployments, meaning expired carves were never marked as expired in S3. Also fixed a panic in S3 carve cleanup that occurred when there were no non-expired carves.
    • Fixed Android Enterprise page not refreshing after connecting or disconnecting Android MDM, so the Enterprise ID and card state are visible without a manual page reload.
    • Fixed List certificate templates API docs: query parameter was incorrectly documented as fleet instead of fleet_id, causing the parameter to be silently ignored and returning no results.
    • Fixed a bug where Android device check-ins could silently revert admin team transfers.
    • Fixed GET /api/v1/fleet/vulnerabilities returning raw SQL errors when using cursor pagination (after) with order_key set to cve, hosts_count, or cve_published.
    • Fixed a bug where patch policies with software install automations used an inactive, older installer and not the latest.
    • Fixed "Show example payload" button being incorrectly disabled in GitOps mode on the "Other workflows" and "Calendar events" policy automation modals.
    • Fixed stale pending MDM profiles reappearing after globally toggling Apple or Windows MDM off and back on.
    • Fixed the live policy page not using the full page width like the live query page does.
    • Fixed a bug where in GitOps, if a patch policy was specified with a different FMA slug for the install software automation, it would be used for the query instead of the slug for the patch policy itself.
    • Fixed false positive vulnerability CVE-2017-17522 reported for Python (this CVE is disputed and not exploitable).
    • Fixed false positive vulnerability CVE-2023-36632 reported for Python (this CVE is disputed; the reported behavior is intentional).
    • Fixed false positive vulnerability CVE-2024-3219 reported for Python on macOS and Linux hosts (this CVE only affects Windows).
    • Fixed the GET /api/v1/fleet/hosts endpoint so that filtering Android hosts by os_name=Android and os_version= returns the matching hosts. Android hosts now populate the operating_systems table on enrollment and on every status report, and also appear in the GET /api/v1/fleet/os_versions aggregation and OS list in the UI with the Android logo.
    • Fixed "User email" in device_mapping being unset in GET /api/v1/fleet/hosts for Windows and Linux hosts enrolling with end-user authentication.
    • Fixed GET /api/v1/fleet/software/versions returning HTTP 422 "too many placeholders" when called without a per_page parameter on instances with large software inventories.
    • Fixed host software list surfacing stale installer metadata after a Fleet-maintained app was replaced, which caused label scope to be evaluated against the previous installer and disagree with the install endpoint.
    • Fixed the "host is offline" banner on the My device page incorrectly appearing during the first few minutes after an enrollment.
    • Fixed software title icon not-found errors (and other 4xx errors) being reported as server-side exceptions in OTEL traces, APM, Sentry, and the Redis-backed debug errors endpoint.
    • Fixed the host's Software UI showing a date decades in the past (e.g. "over 46 years ago") instead of "Never" for apps reporting a sentinel last_opened_time such as 315532800 (1980-01-01 UTC) that were never opened. Added a migration to clear these sentinel values from previously ingested software.
    • Fixed latency issues with /vulnerabilities and filtered /software/versions queries.
    • Fixed fleetctl gitops to refuse to apply SSO / EUA config that is missing required fields, if SSO is enabled globally or EUA is enabled on any team.

    Ready to upgrade?

    Visit our Upgrade guide in the Fleet docs to update to Fleet 4.87.0.

    Manage all your devices like it's 2026
    Open MDM, patching, and vuln management for every OS.
    Read case studies
    Try it yourself

    Original source
  • Jun 12, 2026
    • Date parsed from source:
      Jun 12, 2026
    • First seen by Releasebot:
      Jul 6, 2026
    Fleet logo

    Fleet

    v4.86.2

    Fleet updates its changelog with gkarr update 4862.

    gkarr update changelog 4862 (#47548)

    Original source
  • Jun 12, 2026
    • Date parsed from source:
      Jun 12, 2026
    • First seen by Releasebot:
      Jul 6, 2026
    Fleet logo

    Fleet

    fleet-v4.86.2

    Fleet fixes startup, host label, and VPP stability bugs, improving reliability on read-only filesystems, team-scoped labels, and Apple volume purchasing workflows.

    Bug fixes

    Fixed Fleet failing to start on a read-only root filesystem by storing custom org logos in the database when no S3 software installers bucket is configured, instead of writing to local disk.

    Fixed a bug where host vitals labels (e.g. IdP group/department labels) scoped to a fleet/team never got any hosts. The membership cron only looked at global labels, and team-scoped IdP labels also failed to populate due to an incorrect SQL join.

    Fixed a server out-of-memory crash that could occur when Apple's VPP (App and Book Management) API repeatedly returned transient errors (HTTP 500 with Retry-After, or error 9646) during VPP API operations (e.g., app installs, user registration, license seat releases).

    Upgrading

    Please visit our update guide for upgrade instructions.

    Documentation

    Documentation for Fleet is available at fleetdm.com/docs.

    Binary Checksum

    SHA256

    85d05a46359c6cedfc876ea6646e86c46530a5e0253a4144310dc2f8f9b64055 fleet_v4.86.2_linux.tar.gz
    f523b48ac462afbefec073a1f04f622bbc0b2b6263377be85d64b8feb5cc219b fleetctl_v4.86.2_linux_amd64.tar.gz
    e55e5d95c8c20b9be7e1b3d30bea077a37b1530440309ff068e9a13812d6e6be fleetctl_v4.86.2_linux_amd64.zip
    0c921a88d30de3679e903cacd8256d1905f0013438827f7569e7bf8cb301284b fleetctl_v4.86.2_linux_arm64.tar.gz
    406910bcc05ec7b6e4629717d5c990295388677ba2b432cb1d05d8cdd591d7ba fleetctl_v4.86.2_linux_arm64.zip
    d8ccd61b5765c8b4052c09c2b5ac832479bf296f77e8f2789cd6397c21d4375d fleetctl_v4.86.2_macos.tar.gz
    c97d41a5defcdebbc049fae4ddfa1b4167e6f39eb5eb5a45c29d39517c9c1187 fleetctl_v4.86.2_macos.zip
    978ce2ef670afe9ed539426eb635331ca358f83ebebd3823225c530704b9302b fleetctl_v4.86.2_windows_amd64.tar.gz
    8c310d15fdc7264804b6d22a013fbe0bb09804799234668490840b00258f1004 fleetctl_v4.86.2_windows_amd64.zip
    be8bab06e4ff592d7cd3a177ec2cb3487b4f0bf1da1d0afd4f49d7a9299b163e fleetctl_v4.86.2_windows_arm64.tar.gz
    b72948b6f18cf5a01ab5d95702b1d501350a60f9f8fe841a5b07cf9233dea278 fleetctl_v4.86.2_windows_arm64.zip

    Original source
  • Jun 10, 2026
    • Date parsed from source:
      Jun 10, 2026
    • First seen by Releasebot:
      Jul 6, 2026
    Fleet logo

    Fleet

    orbit-v1.56.3: Cherry-pick #47305: Fix fleetd with pre-packaged osquery flags (#47367)

    Fleet cherry-picks #47305 into the rc-patch-fleetd-v1.56.3 release branch, bringing the related fix for issue #47285 with updated tests and compatibility verification for Fleet Desktop and fleetd.

    Cherry-pick of #47305 into the rc-patch-fleetd-v1.56.3 RC branch.

    Related issue: #47285

    Checklist for submitter

    Changes file added for user-visible changes in changes/,
    orbit/changes/ or ee/fleetd-chrome/changes.

    See Changes files for more information.

    Testing

    Added/updated automated tests (in the original PR #47305)

    Confirmed that the fix is not expected to adversely impact load test results

    fleetd/orbit/Fleet Desktop

    Verified compatibility with the latest released version of Fleet (see Must rule)

    If the change applies to only one platform, confirmed that runtime.GOOS is used as needed to isolate changes

    Original source
  • May 29, 2026
    • Date parsed from source:
      May 29, 2026
    • First seen by Releasebot:
      Jul 6, 2026
    Fleet logo

    Fleet

    Fleet 4.86.0 | Rotate local admin password, Windows setup experience, Platform SSO, and more...

    Fleet 4.86.0 releases local admin password rotation, Windows setup failure canceling, Platform SSO for macOS Setup Assistant, custom org logos, automatic SCEP and ACME renewal, and iOS/iPadOS app installs for user-enrolled hosts.

    Highlights

    • Rotate local admin password
    • Windows setup experience: cancel if software fails
    • Platform SSO during macOS Setup Assistant
    • Upload your org logo
    • Automatic SCEP and ACME certificate renewal
    • iOS/iPadOS software for user-enrolled hosts

    Rotate local admin password

    Building on the local admin account introduced in 4.85, Fleet now lets admins rotate the hidden account's password directly from the Host details page. After an admin views the password, Fleet automatically rotates an hour later which limits how long a credential is valid after it's been seen. IT admins can also rotate immediately using the Rotate password button at any time. Every rotation is logged as an activity, whether triggered manually or automatically by Fleet.

    GitHub issue: #37142

    Windows setup experience: cancel if software fails

    Fleet now gives IT admins control over what happens when setup experience software fails during a Windows Autopilot enrollment (OOBE). Turning on Cancel setup if software fails in Controls > Setup experience causes the device to display a failure screen and prompt the end user to restart if any setup software doesn't install successfully. Without this toggle, failed installs are surfaced in host details but the device proceeds to the desktop anyway. A canceled_setup_experience activity is logged when the feature triggers, making it easy to review what went wrong.

    GitHub issue: #38785

    Platform SSO during macOS Setup Assistant

    Fleet now supports configuring Platform SSO with Okta during macOS Automated Device Enrollment (ADE). With this enabled, end users log in to their Mac using the same credentials they use for Okta. Microsoft Entra support is coming soon.

    GitHub issue: #30674

    Upload your org logo

    IT admins can now upload their organization's logo directly to their Fleet instance with no external hosting required. Separate images can be set for light and dark mode. Upload during Fleet's initial setup or update later from Settings > Organization settings. Logos set here appear in Fleet's masthead and can also be managed via the API or GitOps.

    GitHub issue: #39016

    Automatic SCEP and ACME certificate renewal

    Fleet automatically re-pushes configuration profiles containing SCEP or ACME certificates before they expire. This now includes certificates that aren't proxied through Fleet. This covers, for example, certificates deployed for Okta conditional access (SCEP) and Okta Verify (SCEP with a static challenge). The renewal logic follows the same pattern already used for Fleet-proxied SCEP certificates. No Fleet configuration changes are required; just include the $FLEET_VAR_CERTIFICATE_RENEWAL_ID variable in the certificate profile's organizational unit (OU) and Fleet handles the rest.

    GitHub issue: #40639

    iOS/iPadOS software for user-enrolled hosts

    Fleet now supports installing Apple App Store (VPP) and in-house (.ipa) apps on iOS and iPadOS hosts enrolled via Account-driven User Enrollment with a Managed Apple Account. IT admins can install apps from the Host details page, and end users can install from self-service. Setup experience software also installs automatically on enrollment.

    GitHub issue: #31138

    Changes

    IT Admins

    • Added automatic rotation of managed local admin account passwords after they have been viewed.
    • Added a require_all_software_windows setting to cancel the Windows setup experience if any software install fails during Autopilot enrollment, matching the existing macOS behavior.
    • Added GitOps support for uploading custom org logos. fleetctl gitops accepts org_logo_path_dark_mode and org_logo_path_light_mode keys to upload local files, and fleetctl generate-gitops exports Fleet-hosted logos as local files alongside path keys while keeping external URLs as org_logo_url_*_mode keys.
    • Added support for installing VPP and in-house (.ipa) apps on iOS and iPadOS hosts enrolled via Account-Driven User Enrollment with a Managed Apple Account.
    • Enabled self-service software installs from the My device page for user-enrolled iOS and iPadOS hosts.
    • Enabled setup experience software in Controls > Setup experience to install automatically on user-enrolled iOS and iPadOS hosts at enrollment.
    • Provisioned a VPP client user per Managed Apple Account on first install, and associated VPP licenses to the user rather than the device, supporting Apple's up-to-5-devices-per-user licensing semantics.
    • Added managed app configuration for iOS and iPadOS apps (VPP and in-house), configurable via UI, REST API, and GitOps, with $FLEET_VAR_* substitution.
    • Added support for VPP apps purchased from non-US-based Apple Business accounts.
    • Added the ability to upload a custom organization logo for light and dark modes, hosted by Fleet, replacing the previous URL-only flow on the setup screen and organization settings page.
    • Added include_all label scope to policies, and include_all and include_any label scopes to reports, including support via GitOps and fleetctl.
    • Added a "Custom" target dropdown when creating or updating reports under the premium tier.
    • Added an "Include all" option to the "Custom" target dropdown on Policies for premium users only.
    • Added permissions for the GitOps user to list software titles.
    • Added support for setting gitops_mode_enabled and repository_url via GitOps.
    • Added output to GitOps for scripts, indicating how many scripts would be applied (dry run) or were applied.
    • Added activity entries for retried software installs and script runs from policy automations.
    • Added an activity when hosts fail enrollment profile renewal.
    • Added activities when users create, edit, or delete labels (created_label, edited_label, and deleted_label).
    • Added "Hosts online", "Hosts enrolled", and "Vulnerability exposure" charts to the dashboard.
    • Added an option to convert and return a PEM-encoded X.509 certificate instead of a PEM-encoded PKCS7 envelope from the Request a Certificate endpoint.
    • Added a deprecation warning when using setup_experience.software or macos_setup.software keys in config.
    • Released fleetctl as a pkg for macOS.
    • Released fleetctl as an msi for Windows.
    • Enabled wiping a host to cancel all of its upcoming activities.
    • Updated the default automatic enrollment profile, and added the ability to download and view the applied default profile.
    • Updated OS version reporting for iOS and iPadOS to include the Rapid Security Response suffix (e.g. (a)) when the device reports a SupplementalOSVersionExtra field via MDM.
    • Updated fleetd and MDM enroll activities to display the serial number and preserve the osquery-provided display name.
    • Required the --host flag for fleetctl get mdm-commands, and deprecated GET /api/v1/fleet/commands without a host_identifier.
    • Cleared host vitals on ABM host re-enrollment, with a config option to preserve past host activities.

    Security Engineers

    • Added macOS 26 CIS Benchmark v1.0.0.
    • Updated CIS Windows 11 Enterprise benchmark policies from v4.0.0 to v5.0.1, adding 17 new L1 policies and updating 42 existing policy titles.
    • Surfaced hardware-bound ACME certificates on macOS host vitals by retrieving them via the MDM CertificateList command when an ACME-bearing configuration profile is installed or re-installed.
    • Added SVG support for custom organization logos, with strict server-side sanitization to reject scripts and other unsafe SVG content.
    • Added support for the subject_alternative_name field on Android certificate templates.
    • Optimized OSV vulnerability scanning to query distinct software per OS version rather than per host, reducing redundant database queries for many hosts sharing the same packages.
    • Improved vulnerability scanning performance by using a per-vendor product cache during CVE matching to optimize translate_cpe_to_cve.

    Bug fixes and improvements

    • Updated Go to 1.26.3.
    • Removed debug symbols from fleet and fleetctl executables to reduce binary size.
    • Reduced database load from GET /api/latest/fleet/device/{token}/desktop and other Fleet Desktop endpoints when invalid or expired device auth tokens are presented, by resolving the token to a host ID with a single-table indexed lookup before running the multi-join host-details query.
    • Improved Windows MDM performance when transferring large numbers of hosts between teams or applying bulk profile changes. These operations now return quickly and roll out profile updates to Windows hosts in the background, so host check-ins and other MDM activity are no longer slowed down while a large change is in progress.
    • Added a Redis-backed cache for host lookups on the osquery and orbit authentication paths. Successful lookups are cached for 60s (±10% jitter) and invalidated on writes that mutate cached host fields. Reduces reader-side DB load at scale without changing the HTTP contract. Requires Redis 6.2 or later.
    • Added a missing uninstall option on the host software library even when an installer has no matching software in the host's inventory.
    • Improved Windows MDM profile removal performance by scoping the desired-state subquery.
    • Improved Windows MDM profile removal performance by skipping redundant database writes for verified-remove ACKs.
    • Consolidated non-variable templated Windows MDM profile command inserts from one per-profile to a single bulk insert.
    • Added a periodic cron job to clean up the Windows MDM command queue, reducing write pressure during ACK transactions.
    • Made host team assignment sticky across orbit and osquery re-enrollments.
    • Improved errors returned from the API when running fleetctl commands by dropping path and status code.
    • Improved validation of order parameters on list endpoints.
    • Added the orbit.debug_logging_on_enroll_duration agent option to enable orbit debug logging for a specified time period after enrollment.
    • Improved validation for invalid order_key values in /api/v1/fleet/commands, /api/v1/fleet/mdm/commands, and /api/v1/fleet/mdm/apple/commands endpoints.
    • Improved the error message when the name key is omitted from a GitOps YAML file.
    • Improved the error message when deleting a label used for targeting a software installation.
    • Updated fleetctl gitops to warn when labels: is specified in no-team or unassigned files, where it is not supported.
    • Updated the expired Fleet Premium license CLI banner to link to https://fleetdm.com/learn-more-about/downgrading instead of a stale FAQ anchor.
    • Updated the Edit label page to reference "fleets" instead of "teams" when a label is associated with a fleet.
    • Updated the setup experience Users card with a link to PSSO local account documentation.
    • Updated empty state copy to be action-oriented. Headers describe the current state ("No hosts", "No policies for this fleet") instead of prompting action. Body text explains what to expect. CTA buttons are explicit ("Add policy", "Schedule a report") and permission-gated.
    • Updated empty states on Hosts, Reports, Policies, and Software pages so search bars, filters, and dropdowns remain visible but disabled when empty, avoiding layout shift when the first item is added. Item count remains visible.
    • Updated Settings, Fleets, Ticket destinations, Certificates, and Identity provider pages with consistent page descriptions and learn-more links.
    • Updated empty state visuals to a fresher, consistent design.
    • Updated timestamps with tooltips on the host Vitals component to always use cursor: pointer.
    • Updated the version of the checkout action in the fleetctl new template to avoid Node warnings.
    • Updated the MSI builder to skip packaging the unusable "dummy" secret value when building fleetd-base.msi for Autopilot installs.
    • Scoped install commands for user-enrolled hosts to the host's Managed Apple Account (clientUserIds) instead of serialNumbers, so apps install on the correct user account on the device.
    • Surfaced a clear host-level error when license association fails during install (for example, no licenses available or the user has reached the 5-device limit) instead of failing silently.
    • Made created_at upper-bound filtering consistent on the list activities API. The endpoint now caps results at now by default whether or not start_created_at is provided, matching the documented behavior of end_created_at.
    • Unified access to global and team policies in the UI by using the now-generic GET /api/latest/fleet/policies/:id endpoint.
    • Wrapped Get-ItemProperty calls in try/catch blocks during registry enumeration to gracefully handle terminating exceptions (e.g. System.InvalidCastException) from malformed registry entries, logging the offending path instead of aborting.
    • Replaced the cryptic "startTLS error: ..." flash with a prescriptive message when saving SMTP settings fails because SSL/TLS is disabled but STARTTLS is still enabled. Added a tooltip on the SSL/TLS checkbox pointing to the STARTTLS toggle in Advanced options.
    • Removed a dead SQL condition in hostVPPInstalls that was misleading but harmless. Android VPP apps never produce nano_command_results entries (they use Google's Android Management API, not nanoMDM), so the previous (hvsi.platform != 'android' OR ncr.id IS NULL) guard was a tautology. Replaced with a clarifying comment.
    • Fixed filtering on the /api/v1/fleet/labels/:id/hosts endpoint.
    • Fixed the usage_statistics cron failing against fleetdm.com when a large number of near-identical network errors accumulated in the error store.
    • Fixed fleetctl gitops failing with HTTP 500 on subsequent runs when a custom software icon's bytes were missing or had failed integrity in the icon store. The server now returns a 409 Conflict from the metadata-only icon update path, and the gitops client falls back to a full upload to recover the bytes automatically.
    • Fixed SAML JIT provisioning so FLEET_JIT_USER_ROLE_* attributes with empty, whitespace-only, or missing values are treated as null and ignored instead of failing SSO login.
    • Fixed an issue where GitOps controls with only certain keys would not be seen as set.
    • Fixed recovery lock password not being retrievable for hosts transferred to a team with recovery lock disabled.
    • Fixed Fleet's Docker image failing to start in Kubernetes with an unknown userid error, triggered by a fleetctl dependency side effect.
    • Fixed a GitOps failure ("converting NULL to uint is unsupported") when moving labels from global to fleet scope, caused by deleted label associations with NULL label_id values in mdm_configuration_profile_labels and mdm_declaration_labels.
    • Fixed fleetctl gitops --dry-run intermittently failing with "Resource Not Found" when a team's software config was empty.
    • Fixed the MDM SSO callback returning a "missing profile" error for Android enrollment when Apple MDM is not configured.
    • Fixed the team PATCH endpoint rejecting mdm.enable_disk_encryption on Fleet deployments where only Windows MDM is configured. Team-level BitLocker enforcement can now be toggled when either Apple MDM or Windows MDM is configured.
    • Fixed an issue where the disk encryption table on the Controls > Disk encryption page did not support horizontal scrolling at narrow viewport widths.
    • Fixed Linux total disk space being double-counted when a filesystem was bind-mounted at multiple paths (e.g. snap-confine's /tmp/snap.rootfs_*).
    • Fixed fleetctl gitops rejecting path: values whose actual filenames contained glob metacharacters even when the file existed at that literal path.
    • Fixed GitOps failing when it attempted to create a label and a consumer of that label (e.g. a profile) in the same run.
    • Fixed gitops --dry-run to reject label specs with invalid platform values.
    • Fixed the SSO invite acceptance flow by resolving the email from the invite token.
    • Fixed batch script endpoints to return 404 Not Found instead of 200 when the batch execution ID does not exist: /api/v1/fleet/scripts/batch/:id, /api/v1/fleet/scripts/batch/summary/:id, and /api/v1/fleet/scripts/batch/:id/cancel.
    • Fixed a class of silent SCEP managed-certificate renewal failures by recovering host_mdm_managed_certificates rows that previously got stuck after the cert ingest matcher missed linking a renewed certificate.
    • Fixed the upcoming activity count on the host details page not updating after installing or uninstalling software.
    • Fixed an issue where GitOps incorrectly rejected keys in Google Calendar API key JSON.
    • Fixed 500 errors on POST /api/v1/fleet/scim/Users when the matched host was already mapped to a SCIM user. The host now gets reassigned to the newly-created SCIM user.
    • Fixed an incorrect CPE match on the "slate" Homebrew program.
    • Fixed a bug where applying GitOps to a script-only package by hash_sha256 reference would wipe the install script, causing self-service installs to silently no-op.
    • Fixed fleetctl vulnerability-data-stream to also download OSV (Ubuntu and RHEL) artifacts.
    • Fixed a missing deleted_policy activity when a patch policy is removed by GitOps as a result of its underlying Fleet-maintained app installer being removed from the YAML.
    • Fixed a nil-pointer panic in the Android Enterprise Pub/Sub endpoint that occurred when Google's Android Management API sent a device payload missing hardwareInfo, softwareInfo, or memoryInfo.
    • Fixed an issue where, if a custom Apple MDM URL was set, SSO for end user auth would fail.
    • Fixed slow load times and timeouts on the list MDM commands API (GET /api/v1/fleet/commands) on Fleet deployments with many Windows hosts. The endpoint now caps per_page at 1,000 (default 10) and page at 100. Requests above either limit return HTTP 400. To traverse beyond 100 pages, use cursor pagination via the after query parameter.
    • Fixed GitOps dry-run to correctly detect the conflict when both macos_manual_agent_install and macos_script are configured under setup_experience. Previously, the dry-run would succeed while the actual GitOps run would fail.
    • Fixed fleetctl gitops apply not clearing stale broken mdm_configuration_profile_labels rows after a referenced label was deleted, which caused profiles to remain enforced on hosts regardless of updated label targeting.
    • Fixed GET /api/v1/fleet/commands returning a SQL error when called with host_identifier and the after cursor parameter, particularly with order_key=command_uuid or order_key=hostname.
    • Fixed a UI bug where editing an existing global user to enable two-factor authentication failed with a 422 error.
    • Fixed an issue where an old APNs cert would stay in memory until a restart, instead of correctly updating in place.
    • Fixed a UI inconsistency with non-center-aligned Fleet premium messages on Fleet Free.
    • Fixed a bug where duplicate software installers for Linux could be added.
    • Fixed the "Back to host details" button on a report's details page navigating to the reports list instead of the host's details page after creating a report from a host.
    • Fixed IdP host vitals (full name, department, groups) not populating on the host details page for macOS devices migrated from another MDM via the Tahoe (macOS 26+) end-user-authentication flow.
    • Fixed POST /api/v1/fleet/queries returning HTTP 500 when name or query is JSON null. The endpoint now returns HTTP 400.
    • Fixed GET /api/latest/fleet/policies/:id (and alias GET /api/v1/fleet/global/policies/:id) to return and properly populate team policies, and to perform an authorization check on team policies before returning.
    • Fixed an issue where GitOps dry-run would not validate Apple config profile payload scope conflicts or the use of unknown Fleet variables in all types of profiles.
    • Fixed Android hosts being auto-deleted by host expiry on every cleanup tick after re-enrolling, which previously caused an hourly enroll/delete loop while host expiry was enabled.
    • Fixed an issue where replica lag could lead to devices not being assigned a setup experience profile on device sync from DEP.
    • Fixed the Location and MDM status vitals on the My device page rendering as clickable links even though they had no associated modal, by rendering them as plain text in read-only contexts.
    • Fixed the Export hosts button to always reflect the current sort, search, and filter state instead of potentially using stale values.
    • Fixed a false-positive update_conditional_access_bypass activity that was created whenever any app config setting was changed while Okta conditional access was already configured with bypass_disabled: true. Also stopped the related side effect of clearing existing conditional access bypass records on those unrelated saves.
    • Fixed UI elements in the script library not respecting GitOps mode when enabled.
    • Fixed POST /packs with a JSON null name silently creating a pack with an empty name. The endpoint now returns a 400 Bad Request, matching the behavior for an empty-string name.
    • Fixed stale "Selected hosts" on the Edit label page after a previous edit by invalidating the related query caches on success, and when navigating between manual labels by scoping the hosts cache per label and keying the form on the actual host set.
    • Fixed subtle text alignment issues in the UI.
    • Fixed a file descriptor leak in vulnerability processing where deleted goval_dictionary sqlite files were kept open until Fleet server restart.
    • Fixed setup experience remaining stuck for up to 90 minutes after a software installer was edited or deleted while a host was installing it.
    • Fixed the Policy details modal not closing when navigating back to the Host details page with the browser's back button.
    • Fixed software titles list sorting to use display name instead of installer filename when a custom display name is set.
    • Fixed the missing "Conditional access" section header on the Settings > Integrations > Conditional access page on Fleet Free.
    • Fixed fleetctl gitops silently accepting labels with invalid parameter combinations (e.g. manual labels with query/criteria/platform).
    • Fixed validation that rejected enabling end user authentication on Fleet deployments without Apple MDM configured. End user authentication covers macOS Setup Assistant, Windows MDM, and Linux Orbit enrollment, so the toggle now works on Windows-only and Linux-only fleets as long as the IdP is configured.
    • Fixed an issue where the MDM solution name reported for a host could flip between values across osquery ingestions when the MDM server URL contained substrings matching multiple known MDM vendors.
    • Fixed a bug where enable_host_users defaulted to false on a fresh Fleet install instead of the documented default true, causing the host details page to show "User collection has been disabled."
    • Fixed the IdP "Department" host vital not populating for users whose IdP-to-SCIM mapping included enterprise extension attributes that Fleet does not store.
    • Fixed the Actions dropdown in the Run script modal within the Host details page automatically closing after 2-3s.
    • Fixed GitOps dry runs failing when a VPP app references a label that was added in the same run.
    • Fixed a bug where enrolling an Android device on a Fleet instance with Apple MDM disabled produced a duplicate host record.
    • Fixed Fleet-scoped users getting a 403 when viewing past activities on a host that has user-initiated activities (e.g. lock/wipe/run script/install software), and fixed missing permissions on host activity items for fleet-scoped users.
    • See the changelog for the full list of bug fixes and improvements.

    Ready to upgrade?

    Visit our Upgrade guide in the Fleet docs to update to Fleet 4.86.0.

    Original source
  • May 14, 2026
    • Date parsed from source:
      May 14, 2026
    • First seen by Releasebot:
      Jul 6, 2026
    Fleet logo

    Fleet

    Fleet 4.85.0 | Vulnerability exposure dashboard, local admin accounts, dark mode, and more...

    Fleet releases 4.85.0 with a new vulnerability exposure dashboard, more accurate RHEL vulnerability data, dark mode, scoped API-only users, major-version pinning for Fleet-maintained apps, and new macOS admin account setup options, plus performance boosts and broad bug fixes.

    Fleet 4.85.0 is now available. See the complete changelog or read on for highlights. For upgrade instructions, visit the upgrade guide in the Fleet docs.

    Highlights

    • Vulnerability exposure dashboard
    • More accurate vulnerability data
    • Pin Fleet-maintained apps to a major version
    • Create a local admin account during macOS setup
    • Scoped API-only users
    • Dark mode

    Vulnerability exposure dashboard

    Fleet now includes a vulnerability exposure report that tracks your organization's patching progress over time. The chart covers critical vulnerabilities in major browsers, Microsoft Office, operating systems, and Adobe Reader. The report joins Fleet's growing dashboard alongside new "Hosts online" and "Hosts enrolled" reports also added in 4.85.

    The vulnerability exposure report is disabled by default (feature flag) because Fleet saw performance issues on instances with >1,000 hosts. Fleet is already using it internally, and it's a great time to start experimenting. For larger deployments, we recommend enabling it on a test fleet first before rolling out more broadly. Performance improvements are coming soon. Note that leaving it out of a GitOps config (YAML) is a no-op for now (won't auto-enable or disable).

    GitHub issue: #43769

    More accurate vulnerability data

    Fleet has migrated Red Hat Enterprise Linux (RHEL) 8 and 9 vulnerability (CVE) scanning from OVAL XML feeds to OSV JSON. This is the format Red Hat began publishing natively in November 2024. This eliminates a class of false positives: OVAL grouped CVEs by advisory and sometimes attributed them to packages that weren't actually vulnerable, while OSV maps each CVE to exact affected package versions. No Fleet configuration changes are required; the transition happens automatically on upgrade.

    GitHub issue: #40056

    Pin Fleet-maintained apps to a major version

    IT admins using GitOps can now pin a Fleet-maintained app to a specific major version using a caret constraint (e.g. ^3). Hosts stay patched because Fleet automatically installs updates within that major version but won't install a new major release you haven't tested or licensed. Set it once in your YAML and patching takes care of itself within the version you control. Versioning pinning in the UI is coming soon.

    GitHub issue: #38988

    Create a local admin account during macOS setup

    During macOS Automated Device Enrollment (ADE), Fleet can now create a hidden admin account. This gives IT admins a way in if hands-on access is otherwise needed. Admins can view and copy the generated password, unique per-host, from the Host details page. Activity is logged on account creation and password views.

    GitHub issue: #37141

    Scoped API-only users

    Fleet Premium now supports scoped API-only users, letting us restrict a token to a specified list of allowed API endpoints. If a token leaks, the blast radius is limited to those endpoints. Scoped API-only users can be created via the Fleet UI, fleetctl, or the REST API.

    GitHub issue: #38044

    Dark mode

    Fleet now ships with a dark theme. Now, by default, Fleet automatically follows your browser light/dark mode preference. If you want to choose, you can pick between modes on your My account page. Whether you're working in the dark or just prefer dark mode on principle, Fleet now looks the part.

    GitHub issue: #42977

    Changes

    IT Admins

    • Added "Hosts online", "Vulnerability exposure", and "Hosts enrolled" charts to the dashboard.
    • Added support for Fleet variables in Apple's declaration profiles (DDM).
    • Added a dark theme to the Fleet UI, selectable in account settings with light, dark, and system options.
    • Added support for passing end-user authentication context to the Fleet MSI installer during Windows MDM enrollment, so end users are not prompted to authenticate twice when EUA is enabled.
    • Added Clear Passcode feature for iOS and iPadOS.
    • Added conditional HTTP downloads using ETag headers for software in GitOps, skipping re-download when content hasn't changed.
    • Added always_download option for software in GitOps to bypass the new conditional download feature.
    • Added automatic escaping of JSON special characters in GitOps variables used in .json configuration profiles (Apple DDM declarations and Android profiles).
    • Updated fleetctl gitops to process Android certificates before Android profiles.
    • Added permissions for the GitOps user to list software titles.
    • Enabled renewing and deleting AB tokens in the UI in GitOps mode.
    • Added ability to save policies whose SQL is flagged as a syntax error.
    • Withheld Android Wi-Fi configuration profiles (openNetworkConfiguration with ClientCertKeyPairAlias) until the referenced certificate is installed or terminally failed on the device.
    • Updated the host OS settings detail column to show the reason when an Android profile is pending due to a certificate dependency.
    • Added an admin setting to control retention of vulnerability-exposure data used by the dashboard chart.
    • Added new policy details page with a read-only view of policy information.
    • Updated edit policy page to redirect users with read-only access to the policy details page.
    • Added dedicated /policies/:id/live route for running policies.
    • fleetctl is now also released as an msi for Windows.
    • fleetctl is now also released as a pkg for macOS.

    Security Engineers

    • Added UI pages for creating and editing API-only users with support for fleet assignment, role selection, and API endpoint access control.
    • Added new middleware (APIOnlyEndpointCheck) that enforces a 403 response for API-only users whose request either isn't in the API endpoint catalog or falls outside their configured per-user endpoint restrictions.
    • Added POST /users/api_only endpoint for creating API-only users.
    • Added PATCH /users/api_only/{id} endpoint for updating existing API-only users.
    • Updated fleetctl user create --api-only to remove email and password field requirements.
    • Added a new premium GET /api/version/fleet/rest_api endpoint that returns the contents of the embedded api_endpoints.yml artifact.
    • Updated GET /users/{id} response to include the new api_endpoints field for API-only users.
    • Added user_api_endpoints table to track per-user API endpoint permissions.
    • Added an option to convert and return a PEM-encoded X.509 certificate instead of a PEM-encoded PKCS7 envelope from the Request a Certificate endpoint.
    • Updated macOS 15 CIS benchmark to include v2.0.0 changes.
    • Updated the macOS 14 (Sonoma) CIS policy set to benchmark v3.0.0.

    Bug fixes and improvements

    • Updated Go to 1.26.3.
    • Improved MySQL writer performance by skipping no-op UPDATE host_orbit_info and UPDATE host_disks writes when the stored values already match the incoming ingest values from osquery, cutting these writes to near zero at steady state.
    • Improved Fleet-maintained apps (FMA) sync performance by adding an index on software.bundle_identifier that eliminates a full table scan during the hourly sync, reducing writer CPU load on large deployments.
    • Improved the performance of deleting Windows MDM configuration profiles at scale by collapsing the per-profile update loop into a single batched statement that spans multiple profiles per chunk.
    • Made fleet name uniqueness rules consistent across the UI, API, and GitOps paths. Fleet names must now differ by more than letter case, and conflicts return a 409 error on all code paths.
    • Changed the team's script_execution_timeout in agent options to default to the global agent options value when unset.
    • Updated copy, show, and other action buttons app-wide for a more consistent style.
    • Improved button and link styling.
    • Improved the OS settings modal layout.
    • Improved host policy empty state.
    • Updated empty states to a fresher, consistent design.
    • Unified access to global and team policies in the UI by using the now-generic GET /api/latest/fleet/policies/:id endpoint.
    • Updated the enrollment page enroll button to render at full screen width for larger-resolution mobile devices.
    • Updated the error message returned when an invalid domain is supplied for MDM Apple CSR signing.
    • Updated EULA PDF upload size check to use the default max request body size.
    • Added activity when a Windows MDM wipe command fails.
    • Improved documentation for MySQL read replica configuration, clarifying that all settings (including region for IAM authentication) must be explicitly set for the read replica.
    • Modified the MSI builder to not package the unusable "dummy" secret value when building fleetd-base.msi for Autopilot installs.
    • Upgraded to TypeScript 6.0 for the app frontend.
    • Moved some core UI form components to TypeScript for better predictability and reliability.
    • Removed the unused windows_updates MySQL table and ingestion code.
    • Implemented the chart bounded context and schema to support charting capabilities in Fleet.
    • Added gitOpsModeEnabled and gitOpsModeExceptions to the anonymous statistics payload.
    • Added startup validation that panics if any route declared in service/api_endpoints.yml is not registered in the router.
    • Stopped turning on Prometheus serving by default with a hard-coded username and password when the server is started with --dev.
    • Fixed a Windows BitLocker encrypt/decrypt loop on machines with secondary drives using auto-unlock. Fleet now detects disk encryption using conversion_status (not just protection_status), preventing the server from repeatedly requesting encryption when the disk is already encrypted. Added bitlocker_protection_status tracking so the UI shows "Action required" when BitLocker protection is off instead of misleadingly showing "Verified."
    • Fixed a race condition where a host could silently revert to its previous team after an admin team transfer.
    • Fixed a server panic (502) when an Android pubsub status report arrived for a host that had been deleted from Fleet.
    • Fixed an issue where Fleet would send an AccountConfiguration command to iOS and iPadOS devices when end user authentication was enabled; AccountConfiguration is macOS-only.
    • Fixed a bug where pending MDM profile rows persisted in the database after Apple or Windows MDM was turned off, causing stale profiles to reappear when MDM was re-enabled. Also fixed cleanup of pending Windows profile rows when a device unenrolls from MDM.
    • Fixed MDM SSO callback returning a "missing profile" error for Android enrollment when Apple MDM is not configured.
    • Fixed validation that rejected enabling end user authentication on Fleet deployments without Apple MDM configured. End user authentication covers macOS Setup Assistant, Windows MDM, and Linux Orbit enrollment, so the toggle now works on Windows-only and Linux-only fleets as long as the IdP is configured.
    • Fixed a class of silent SCEP managed-certificate renewal failures by recovering host_mdm_managed_certificates rows that previously got stuck after the cert ingest matcher missed linking a renewed certificate.
    • Fixed an issue where replica lag could lead to devices not being assigned a setup experience profile on device sync from DEP.
    • Fixed GET /api/latest/fleet/policies/:id (and alias GET /api/v1/fleet/global/policies/:id ) to return and properly populate team policies.
    • Fixed GET /api/latest/fleet/policies/:id (and alias GET /api/v1/fleet/global/policies/:id ) to perform an authorization check on team policies before returning.
    • Fixed a UI bug where editing an existing global user to enable two-factor authentication failed with a 422 error.
    • Fixed a bug where renaming a patch policy in a GitOps file caused it to be deleted initially.
    • Fixed an issue where the DDM reconciler would not self-heal for stuck remove/pending profiles due to resend with update.
    • Fixed an issue where a host DDM cleanup function was not executed for stale remove/pending profiles that weren't reported by the device.
    • Fixed an issue where batch processing many DDM profile changes would result in stuck remove/pending profiles.
    • Fixed an issue where sending a differently cased display name for a DDM profile via the batch endpoint would result in recreating the DDM profile and triggering a resend.
    • Fixed a GitOps failure ("converting NULL to uint is unsupported") when moving labels from global to fleet scope, caused by deleted label associations with NULL label_id values in mdm_configuration_profile_labels and mdm_declaration_labels.
    • Fixed an issue where Fleet would not remove the host OS setting entry if a RemoveProfile command failed with error code 89 (profile not found on device).
    • Fixed an issue where adding a custom icon for a script-only package was not allowed in GitOps.
    • Fixed an issue where duplicate Disk Encryption activity types showed up.
    • Fixed the host details activity feed showing the previously opened host's activities by including the host ID in the activity query cache keys.
    • Fixed navigation to the settings page for multi-team admin users.
    • Fixed styling bugs in GitOps mode UI.
    • Fixed padding between GitOps exceptions checkboxes.
    • Fixed a nil pointer dereference in the contributor API spec/policies.

    Ready to upgrade?

    Visit our Upgrade guide in the Fleet docs to update to Fleet 4.85.0.

    Manage all your devices like it's 2026
    Open MDM, patching, and vuln management for every OS.
    Read case studies
    Try it yourself

    Original source
  • Apr 24, 2026
    • Date parsed from source:
      Apr 24, 2026
    • First seen by Releasebot:
      Jul 6, 2026
    Fleet logo

    Fleet

    Fleet 4.84.0 | Python scripts, Entra for Windows, auto-rotate Recovery Lock, and more...

    Fleet releases 4.84.0 with GitOps exceptions, automatic Recovery Lock password rotation, Python scripts on macOS and Linux, Windows Entra conditional access, and Windows profile removal on deletion, plus performance, security, and usability improvements across the platform.

    Highlights

    • GitOps mode exceptions
    • Automatically rotate Recovery Lock passwords
    • Run Python scripts on macOS & Linux
    • Entra conditional access for Windows
    • Remove settings from Windows when profile is deleted

    GitOps mode exceptions

    Fleet now lets IT admins opt specific resources out of GitOps enforcement. When GitOps mode is enabled, admins can configure exceptions for software, labels, and enroll secrets — allowing those resources to be managed via the UI or API instead of git.

    This makes it easier to ramp up with GitOps incrementally: start by managing policies and profiles in git, then add software and labels later as the team gets comfortable. Exceptions are configured per resource type and require global admin permissions. If an exception is enabled and the corresponding key is present in a YAML file, GitOps will surface a clear error during the dry run to prevent the UI-managed changes from being silently overwritten.

    Note:

    • After upgrading, existing Fleet instances will have the labels exception enabled automatically. This way, your next GitOps run after upgrade doesn't wipe any labels not defined in git. If your GitOps YAML files include a labels: key, you will encounter new errors.
    • To resolve, either remove labels: from your YAML files (to manage labels via the UI or API going forward) or disable the labels exception in Settings > Integrations > Change management (to manage labels via GitOps). If you disable the exception, make sure you move any labels managed via the UI into your YAML, otherwise your next GitOps run will wipe them out. Feel free to reach out to Fleet if you need a hand.

    GitHub issue: #40171

    Automatically rotate Recovery Lock passwords

    Fleet now automatically rotates macOS Recovery Lock passwords after an IT admin views them. Previously, Fleet escrowed a unique password per host and let IT admins rotate it on demand — but rotation was a manual step. Now, after a password is viewed, Fleet schedules an automatic rotation (1 hr after view) so passwords aren't reused.

    Admins can still trigger a manual rotation at any time from the Host details page. The rotation generates an audit log entry so the action is traceable.

    GitHub issue: #41003

    Run Python scripts on macOS & Linux

    Fleet now supports Python scripts alongside shell (.sh) and PowerShell (.ps1) scripts. IT admins can upload .py files in Controls > Scripts and run them on macOS and Linux hosts — on demand, in bulk, or as a policy automation.

    Python scripts follow the same rules as other script types: they respect Fleet's script timeout, support custom variables, and can be defined in GitOps.

    GitHub issue: #38793

    Entra conditional access for Windows

    Fleet now supports Microsoft Entra conditional access for Windows hosts. IT admins can mark policies as conditional access policies targeting Windows hosts — when a host fails one of those policies, Entra blocks the end user from accessing corporate resources such as Microsoft Teams and Office.

    This extends the existing macOS conditional access integration to Windows, using the same Fleet + Entra setup. To configure, head to Integrations > Conditional access and enable conditional access on any policy targeting Windows.

    GitHub issue: #38041

    Remove settings from Windows when profile is deleted

    When an IT admin deletes a Windows configuration profile in Fleet, Fleet now actively removes those settings from enrolled hosts. This ensures that hosts match the intended configuration state regardless of when they enrolled.

    Previously, deleting a profile only prevented it from being applied to newly enrolled hosts. Existing hosts retained the settings silently. Now, Fleet sends a removal command so the configuration is reverted on all affected hosts.

    GitHub issue: #33418

    Changes

    IT Admins

    • Added support for Entra conditional access to Windows devices.
    • Added ability to pin Fleet-maintained apps to a specific major version in GitOps.
    • Implemented ACME for MDM protocol communication, and hardware device attestation.
    • Added GET /api/v1/fleet/hosts/{id}/reports endpoint (also accessible as /hosts/{id}/queries) that lists the query reports associated with a specific host.
    • Added support for labels_include_all conditional scoping for software installers and apps.
    • Added validation for software install, uninstall, and post-install scripts.
    • Added ability to specify custom patch policy query in an FMA manifest.
    • Added ability to re-send Android certificates to a specific host.
    • Added Reports tab to Host details page.
    • Allowed specifying a Fleet-Maintained App (FMA) as a policy software automation in GitOps.
    • Added support for running python scripts on macOS and Linux.
    • Added automatic retry (up to 3 times) when the Android agent reports a certificate install failure.
    • Added activity logging when a certificate is installed or fails to install on an Android host.
    • Enabled the host activity card on the Android host details page.
    • Switched Fleet-maintained apps serving location from GitHub to https://maintained-apps.fleetdm.com/manifests. NOTE: If you limit outbound Fleet server traffic, make sure it can access the new FMA manifests location.
    • Increased automatic retry limit for failed Apple (macOS, iOS, iPadOS) configuration profiles from 1 to 3. Windows profiles remain at 1 retry.
    • Added a new disk_space fleetd table for macOS that reports available disk space including purgeable storage, matching the value shown in Finder's "Get Info" dialog and System Settings → General → Storage.
    • Added configuration profile deletion when a Windows configuration profile is deleted or a host moves teams via SyncML commands, bringing Windows profile removal to parity with macOS.
    • Added support for outputting VPP policy automations in fleetctl generate-gitops.
    • Added logging of profile names alongside MDM commands installing or removing them.
    • Added indication in the UI when a profile command was deferred via NotNow status.
    • Added activity when setup experience is canceled due to software install failure.
    • Added cancel activities for each VPP app install skipped due to setup experience cancellation, and switched "failed" activity to "canceled" for package-based software installs in the same situation.
    • Added install failure activity when VPP installs fail due to licensing issues during setup experience.

    Security Engineers

    • Added vulnerability detection for Microsoft 365 Apps and Office products on Windows.
    • Added OSV data source for Ubuntu vulnerability scanning.
    • Added automatic rotation of Mac recovery lock passwords 1 hour after the password is viewed via the API.
    • Updated ingestion/CVE logic to support JetBrains software with 2 version numbers, like WebStorm 2025.1
    • Addressed false positive vulnerabilities (CVE-2019-17201, CVE-2019-17202) reported for Admin By Request on macOS and Linux hosts. These CVEs are Windows-specific.
    • Generated correct CPE from malformed ipswitch whatsup CPE, ensuring applicable CVEs are matched.
    • Added software source to ecosystem matching to help prevent non-deterministic CPE selection when multiple vendors exist for the same product.

    Other improvements and bug fixes

    • Upped the default limit for the software batch endpoint, from 1MiB to 25MiB.
    • Added FLEET_MDM_CERTIFICATE_PROFILES_LIMIT server config option to throttle the number of CA certificate profile installations per reconciler cycle, preventing CA server overload in large deployments.
    • Added banner to Add software page to inform users that Android web apps require Google Chrome.
    • Enabled Windows MDM in fleetctl preview by auto-generating WSTEP certificates on startup.
    • Used the same templates for fleetctl new and new instance initialization.
    • Added "API time" to GitOps output on API errors.
    • Allowed clearing Windows OS update deadline and grace period fields to remove enforcement.
    • Updated ordering of setup experience software to take display names into account.
    • Updated iOS/iPadOS refetch logic to slowly clear out old/stale results.
    • Increased the default SSO session validity period from 5 to 15 minutes.
    • Improved performance of distributed read endpoint by reducing mutex contention in shouldUpdate using sync.RWMutex instead of sync.Mutex.
    • Allowed OTEL service name to be overridden with standard OTEL_SERVICE_NAME env var.
    • Revised which versions Fleet tests MySQL against to remove 8.0.39 and add 8.0.42.
    • Allowed typing whitespace on Settings > Integrations > SSO > End users form.
    • Removed incorrect report key from get/create/modify API responses.
    • Added (query_id, has_data, host_id, last_fetched) index on query_results.
    • Improved database query performance for the Host Details > Reports page by adding a has_data virtual generated column to query_results.
    • Made sure that fleet names are trimmed and validate to prevent whitespace-only or padded names across API, gitops, frontend, and existing data.
    • Hid host details > reports in the UI from platforms that do not support scheduled reporting.
    • Updated GitOps label functionality to allow omitting the hosts: key under a manual label to mean "preserve existing host membership", rather than removing all hosts.
    • Added Flatcar Container Linux and CoreOS to the list of recognized Linux platforms, fixing host detail queries (IP address, disk space, etc.) not being sent to hosts running these distributions.
    • Updated the default fleet selected when navigating to the dashboard and to controls.
    • Reduced redundant database queries during policy result submission by computing flipping policies once per host check-in instead of multiple times.
    • Reduced redundant database calls in the osquery distributed query results hot path by pre-loading configuration (AppConfig, HostFeatures, TeamMDMConfig, conditional access) once per request instead of once per detail query result.
    • Updated UI to use new multiplatform API keys.
    • Activated warnings for deprecated API parameters, API URLs, fleetctl commands and fleetctl command options.
    • Updated the Request Certificate API to return the proper PEM header for PKCS #7 certificates returned by EST CAs.
    • Added "Learn more" link on End User Authentication section.
    • Moved Apple MDM worker to a faster cron, and started sending profiles on Post DEP enrollment job, to speed up initial macOS setup.
    • Optimized PolicyQueriesForHost and ListPoliciesForHost SQL queries by replacing correlated subqueries with a single aggregated LEFT JOIN for label-based policy scoping, reducing query time by ~77% at scale.
    • Improved VPP install failure messaging to explain verification timeouts in Host details and My device install details.
    • Refactored large anonymous functions into named functions to improve nil-safety static analysis coverage.
    • Renamed "Custom settings" to "Configuration profiles" in Fleet UI.
    • Added description to UI to help users understand which fleet a policy belongs to during add/edit.
    • Updated Fleet-maintained apps to overwrite software title names on sync and when adding an FMA installer.
    • Improved Fleet server performance for the Windows MDM profiles summary and host OS settings filter queries by replacing correlated subqueries with a single aggregation pass.
    • Improved Windows MDM server performance at scale by reducing redundant database queries during device check-ins.
    • Updated go to 1.26.1
    • Fixed a server panic when uploading a Windows MDM profile to a fleet on a free license.
    • Fixed MSRC vulnerability scanning to differentiate between Windows Server Core and full desktop installations, preventing false positive/negative CVEs caused by non-deterministic product matching.
    • Fixed GitOps policy software resolution failing when URL lookup doesn't match, by falling back to hash-based lookup.
    • Fixed GitOps failing to delete a certificate authority when certificate templates still reference it in fleet configs.
    • Fixed duplicate text in error message when script validation fails when adding a custom package.
    • Fixed issue where the include_available_for_install query param wasn't being applied correctly to the GET /api/latest/fleet/hosts/{id}/software endpoint.
    • Fixed disk encryption key modal to not show stale key when switching between hosts.
    • Fixed SCIM user not associating with host when IdP username was set before the SCIM user was created.
    • Fixed Google Drive version not matching upstream.
    • Fixed bug that cleared the MDM lock state if an "idle" message was received right after the lock ACK.
    • Fixed team maintainers, admins, and GitOps users being unable to add certificate templates due to missing read access to certificate authorities.
    • Fixed fleetd installation failure on macOS when installing it through Host details page > Software > Library as a Custom package.
    • Fixed a bug where SQL queries using table aliases (e.g., FROM mounts m) incorrectly reported no compatible platforms.
    • Fixed fleetctl gitops failing with "No available VPP Token" when assigning VPP apps alongside a new team.
    • Fixed a bug where OS versions were not populated in vulnerability details for OS-only vulnerabilities (e.g., macOS CVEs).
    • Fixed a TOCTOU-related issue when checking before deleting last admin.
    • Fixed database locking issues on the policy_membership table by batching cleanup DELETE operations and moving them outside the primary GitOps apply transaction.
    • Fixed success message on Android software configuration to reference software display name when applicable.
    • Fixed a bug where Android host certificate template records were not cleared when a device unenrolled, causing stale certificate statuses after re-enrollment.
    • Fixed a bug where the organization logo URL entered during setup was only saved for dark backgrounds and not for light backgrounds.
    • Fixed an issue where setup experience items (software to install) were not enqueued for Linux distributions that did not report a "platform-like" value, e.g. Arch Linux and Omarchy.
    • Fixed a bug where filtering hosts by software version for a software version not present on the selected team returned nil software instead of a lightweight report of the software.
    • Fixed Fleet's usage of the incorrectly spelled 'vulnerabities' in favor of 'vulnerabilities' in MSRC bulletins.
    • Fixed nondeterministic CPE matching when multiple CPE candidates share the same product name.
    • Fixed a bug where Windows hosts with an empty display_version in the database would get 0 CVEs from MSRC vulnerability scanning.
    • Fixed a bug where fleetctl generate-gitops failed if a Fleet-maintained app was associated to a software title with a different name (e.g. names with different versions).
    • Fixed fleetctl generate-gitops failing to include VPP fleet assignments.
    • Fixed query results table deduplicating rows when query data contains an id column, and fixed id column header and cell styling.
    • Fixed missing underline on "Reports" nav item when active in top navigation.
    • Fixed bug where adding a patch policy for a new installer in the UI caused gitops runs that didn't include that installer to fail.
    • Fixed browser back button requiring an extra click to leave the Policies and Reports pages.
    • Fixed a bug where Fleet continued to show a stale Recovery Lock password after a macOS host left MDM, by soft-deleting the stored password whenever the host leaves MDM (re-enrollment, CheckOut, admin unenroll, or a periodic sweep of hosts osquery reports as unenrolled) and hiding the password on the host details page until the host is enrolled again.
    • Fixed an issue where silent migration status would persist even after re-enrolling the device normally, causing SCEP renewal to fail.
    • Fixed issue where the "Change Management" form would reset when the page lost and regained focus.

    Ready to upgrade?

    Visit our Upgrade guide in the Fleet docs to update to Fleet 4.84.0.

    Manage all your devices like it's 2026

    Open MDM, patching, and vuln management for every OS.

    Read case studies

    Try it yourself

    Original source
  • Apr 1, 2026
    • Date parsed from source:
      Apr 1, 2026
    • First seen by Releasebot:
      Jul 6, 2026
    Fleet logo

    Fleet

    Fleet 4.83.0 | Recovery Lock passwords, patch policies, and more...

    Fleet releases 4.83.0 with YAML validation for unknown keys, macOS Recovery Lock password management, patch policies for Fleet-maintained apps, and new control over end user info during macOS setup, alongside broad admin, security, GitOps, and bug-fix improvements.

    Fleet 4.83.0 is now available. See the complete changelog or read on for highlights. For upgrade instructions, visit the upgrade guide in the Fleet docs.

    Highlights

    • YAML validation for extraneous keys
    • macOS Recovery Lock passwords
    • Patch policies for Fleet-maintained apps
    • Lock end user info during macOS setup

    YAML validation for extraneous keys

    Fleet now returns a clear error when a YAML file contains an unrecognized or misspelled key. Previously, Fleet silently ignored unknown keys, which could cause configurations to take effect without the intended settings applied.

    This is especially useful for catching typos and errors in AI-generated GitOps PRs before a misconfiguration takes effect.

    Note: After upgrading, you may encounter new errors from previously ignored misspelled or misplaced keys. Reach out to Fleet if you need help.

    GitHub issue: #40496

    macOS Recovery Lock passwords

    Fleet now automatically escrows a unique Recovery Lock password for each macOS host and lets admins rotate it on demand. Learn how to enable this.

    The Recovery Lock passwords prevents unauthorized access to macOS Recovery Mode. When needed, admins can look up and share the password with an end user and then rotate it afterward so it can't be reused. Automatic rotation after view is coming soon.

    GitHub issues: #37497, #37498

    Patch policies for Fleet-maintained apps

    Fleet now supports patch policies for Fleet-maintained apps (FMAs). Unlike traditional policies where admins write and maintain the latest version in the SQL themselves, a patch policy automatically generates and updates the SQL when a new version of the app is released. This removes the maintenance burden of keeping patch policies in sync with new software versions. Learn more.

    GitHub issue: #31914

    Lock end user info during macOS setup

    Fleet now lets IT admins control whether end users can edit their macOS local account "Full Name" and "Account Name" during the Setup Assistant (out-of-box enrollment flow). When Lock end user info is enabled, end users cannot modify these fields during setup.

    To configure, head to Controls > Setup experience and expand the new Advanced options section. The Lock end user info option is only available when IdP authentication is turned on. This setting is also supported via GitOps using the controls.setup_experience.lock_end_user_info key.

    GitHub issue: #38669

    Changes

    IT Admins

    • Added ability to deploy an Android web app via setup experience or self-service.
    • Added ability to set and manually rotate Mac recovery lock passwords.
    • Added ability to lock the pre-filled user information for macOS hosts that login via End User Authentication during Setup Experience.
    • Added automatic retries for failed software installs, excluding VPP apps.
    • Updated host software library to always allow filtering.
    • Added retry functionality when adding software installers to Fleet via GitOps.
    • Added fleetctl new command to initialize a GitOps folder.
    • Added support for paths: key under reports:, labels: and policies: in GitOps files.
    • Added glob support for configuration_profiles in GitOps files.
    • Added support for referencing .sh or .ps1 script files directly in the GitOps path field for software packages.
    • Implemented webhooks_and_tickets_enabled flag for policies in GitOps.
    • Added server config for allowing all Apple MDM declaration types.
    • Added ability to use FLEET_JIT_USER_ROLE_FLEET_ as a prefix on SAML attributes.
    • Added fleet_name and fleet_id columns to hosts CSV export.
    • Added resend button in the OS settings modal for iOS and iPadOS hosts.
    • Added patch policies for Fleet-maintained apps that automatically update when the app is updated.

    Security Engineers

    • Added support for NDES CA for Windows hosts.
    • Added vulnerability scanning support for Windows Server 2025 hosts.
    • Added OTEL instrumentation to Fleet's internal HTTP client.
    • Added Content-Type header to Smallstep authorization requests to prevent Cloudflare from blocking them.
    • Added ability to omit secrets: in GitOps files to retain existing enroll secrets on server.
    • Fixed python package false positives on Ubuntu, such as python3-setuptools on Ubuntu 24.04 with version 68.1.2-2ubuntu1.2.
    • Fixed false positive vulnerabilities for Mattermost Desktop.

    Other improvements and bug fixes

    • Most top-level keys can now be omitted from GitOps files in place of supplying them with an empty value.
    • Improved host search to always match against host email addresses, not only when the query looks like an email.
    • Prevented a 500 error on the host details page when an MDM command reference in host_mdm_actions pointed to a non-existent command (orphan reference).
    • Allowed Fleet-maintained apps to be added if they have default categories configured that are not available in older builds from this point forward.
    • Migrated to using Policy critical option when disallowing Okta conditional access bypass.
    • Updated DEP enrollment flow to apply minimum macOS version check when specified.
    • Updated GitOps to fail runs when unknown keys are detected in files.
    • Updated default last opened time diff to 2m to increase the chances of updating the last opened time for software that is opened frequently.
    • Updated the host results endpoint URL to be consistent with the other URLs.
    • Added tooltip to batch run result host count to clarify that the count might include deleted hosts.
    • Updated table heading and result filter styles.
    • Reordered the columns on the Hosts page.
    • Updated Fleet desktop to surface custom transparency links to the device user.
    • Changed PostJSONWithTimeout to log response body in error case.
    • Removed unused and confusingly-named --mdm_apple_scep_signer_allow_renewal_days config.
    • Refactored NewActivity functionality by moving it to the new activity bounded context.
    • Modified Android certificate renewal logic to make it easier to test.
    • Optimized api/latest/fleet/software/titles endpoint.
    • Trimmed incoming ABM suffix for Arch Linux hosts so Arch OSs are grouped together in the database and UI.
    • Updated determination process used for selecting which user email address to use when scheduling a maintenance event for a host failing policies.
    • Added license checks for fleet-free targeting queries by label.
    • Added APNs expiry banner in the UI for Fleet free users.
    • Added error if GitOps/batch attempts to add setup experience software when manual agent install is enabled.
    • Added Fleet-maintained app utilization to anonymous usage statistics collected by Fleet.
    • Surfaced data constraints using the proper HTTP status code on the /api/v1/fleet/scim/users endpoint.
    • Updated macOS device details UI to delay showing FileVault "action required" notifications banner during the first hour after MDM enrollment to allow sufficient time for Fleet to automatically escrow keys from ADE devices.
    • Added an early return in the PUT /hosts/{id}/device_mapping endpoint so that setting the same IDP email that is already stored no longer triggers unnecessary database updates, activity log entries, or profile resends.
    • Improved cleanup functionality so that when deleting a host record, Fleet will now clean up host issues, such as failing policies and critical vulnerabilities associated with the host.
    • Improved the way we verify Windows profiles to no longer rely on osquery for faster verification.
    • Improved body parsing validation by using http.MaxBytesReader and wrapping gzip decode output too.
    • Improved rate-limiting on conditional access endpoints.
    • Finished migrating code from go-kit/log to slog.
    • Updated UI for disabling stored report results for clarity.
    • Revised which versions Fleet tests MySQL against to 9.5.0 (unchanged), 8.4.8, 8.0.44, and 8.0.39.
    • Deprecated several configuration keys in favor of new names: custom_settings -> configuration_profiles, macos_settings -> apple_settings, macos_setup -> setup_experience, and macos_setup_assistant -> apple_setup_assistant.
    • Deprecated setup_experience.bootstrap_package in favor of setup_experience.macos_bootstrap_package.
    • Deprecated setup_experience.manual_agent_install in favor of setup_experience.macos_manual_agent_install.
    • Deprecated setup_experience.enable_release_device_manually in favor of setup_experience.apple_enable_release_device_manually.
    • Deprecated setup_experience.script in favor of setup_experience.macos_script.
    • Fixed an issue where the MDM section on the integration page did not update correctly when Apple MDM is turned off.
    • Fixed an issue where iOS/iPadOS hosts couldn't add app store apps from the host library page.
    • Fixed inaccurate error message when clearing identity provider settings while end user authentication is enabled.
    • Fixed Microsoft NDES CA not being selectable after deleting an existing NDES CA without a page refresh.
    • Fixed an issue where Apple setup experience could get stuck, if the device was in the middle of a SCEP renewal, and then re-enrolled.
    • Fixed secure.OpenFile to self-heal incorrect file permissions via chmod instead of returning a fatal error.
    • Fixed an issue where personal iOS and iPadOS enrollments could see software in the self-service webclip.
    • Fixed table footer rendering unexpectedly in the host targets search dropdown.
    • Fixed a security issue where canceling a pending lock or wipe command permanently deleted the original locked_host / wiped_host activity from the audit log. The original activity is now preserved, and the subsequent cancellation activity serves as the follow-up record.
    • Fixed dropdown rendering center of a row and from pushing down save button below open dropdown options.
    • Fixed end user authentication form to allow saving cleared IdP settings.
    • Fixed inconsistent link styling in UI.
    • Fixed the error resend button overflowing over the edge of the OS settings modal table.
    • Fixed CPE matching failing for software names that sanitize to FTS5 reserved keywords (AND, OR, NOT).
    • Fixed table shifting left when clicking the copy hash icon in host software inventory.
    • Fixed a bug where vulnerability counts increased over time due to orphaned entries remaining in the database after hosts were removed.
    • Fixed a bug where software installers could create titles with the wrong platform.
    • Fixed a bug where Fleet maintained apps for Windows won't show as available in the list when they actually are.
    • Fixed host search in live queries returning no results for observer users when many hosts on inaccessible teams matched the search term before accessible ones.
    • Fixed live query host/team targeting to correctly scope observer_can_run to the query's own team, preventing observers from targeting hosts on other observed teams.
    • Fixed alignment of tooltip text in the certificate details modal.
    • Fixed a bug where a policy that links a software to install fails to apply when that software package uses an environment variable in its yaml definition.
    • Fixed error message when deleting a certificate authority (that is referenced by a certificate template) to show a helpful message instead of a raw database error.
    • Fixed observer query bypass by restricting live query/report team targeting to only teams where the user has sufficient permissions, including global observers who are now limited to the query's own team when observer_can_run is true.
    • Fixed a bug where manage hosts page header button text would wrap and distort at certain widths.
    • Fixed an issue where $FLEET_SECRET was being double encoded, if set via GitOps.
    • Fixed editing reports on free tier failing due to labels_include_any triggering a premium license check.
    • Fixed a bug where certain incorrect resolved-in versions were reported for certain vulnerable versions of Citrix Workspace.
    • Fixed DigiCert CA UPN variable substitution so each host receives a certificate containing its own unique values instead of another host's substituted values.
    • Fixed alignment and spacing of the "rolling" tooltip next to "Arch Linux" in the host vitals card.
    • Fixed select-all header checkbox not selecting rows on partial pages where not all rows are selectable.
    • Fixed an issue where it was possible to configure manual_agent_install without specifiying a bootstrap package via the API and GitOps.
    • Fixed dead rows accumulating in software host counts tables by using an atomic table swap instead of in-place updates during the sync process.
    • Fixed a bug where script packages (.sh, .ps1) incorrectly used the unsaved script size limit (10K characters) instead of the saved script limit (500K characters), preventing large scripts from being added as software packages.
    • Fixed an issue where Windows MDM profiles could remain in pending if hosts acknowledged them too quickly after upload.
    • Fixed an issue where users with the same ID as an invited user would be hidden from the users table, and fixed the users count to include invited users.

    Ready to upgrade?

    Visit our Upgrade guide in the Fleet docs to update to Fleet 4.83.0.

    Manage all your devices like it's 2026

    Open MDM, patching, and vuln management for every OS.

    Read case studies

    Try it yourself

    Original source
Releasebot

Curated by the Releasebot team

Releasebot is an aggregator of official release notes from hundreds of software vendors and thousands of sources.

Our editorial process involves the manual review and audit of release notes procured with the help of automated systems.