fleet-v4.63.1

Bug fixes

• Fixed an issue where the abm token teams were being reset when making updates to the app config

Upgrading

Please visit our update guide for upgrade instructions.

Documentation

Documentation for Fleet is available at fleetdm.com/docs.

Binary Checksum

SHA256

de7dd03cc020116b20dcefa8702b21fefff60cc04f4eeb68be4ca69461245c2c  fleet_v4.63.1_linux.tar.gz
6e48ae58ef3ffdf4dc54d46df84503d1645ef99d701448b072cf224f29ed64e8  fleetctl_v4.63.1_linux.tar.gz
9a7114f8b3d27cab33bbb60764d3384ec590a2f5d00a30cfa7ce43ea9ff78611  fleetctl_v4.63.1_linux.zip
c98bf40e8b8c40f45bf99f83fdac35f6a5fab7ba666e5241afd74f5a11aab0cd  fleetctl_v4.63.1_macos.tar.gz
cf37eeec31e1826dac6ee2c244c302ad87adeae461d83dd86e2196c8399b7e39  fleetctl_v4.63.1_macos.zip
d0750ca4fb486789bd7348bf45913c58cc9814ede9e4a791292cddea359b86c5  fleetctl_v4.63.1_windows.tar.gz
e6ebb5fdf2a909be1edf12c3b5b6ae29f16a47c9536b3e4307d77c2a7bc56465  fleetctl_v4.63.1_windows.zip

fleet-v4.64.0

Fleet 4.64.0 (Feb 18, 2025)

Device management (MDM)

• Included current host status and pending action in lock, unlock, and wipe API calls.
• Disk encryption keys are now archived when they are created or updated. They are never fully deleted from the database.
• Hosts that are restored from ABM no longer have old activities in their feed.

Orchestration

• Added bash interpreter support for script execution.
• Updated the activities feed with new design.
• Added fleetctl on Linux ARM binary to releases.
• Added clearer error states to metadata-related fields in the SSO settings form.
• Enforced consistency of on-click behavior of table rows.
• Added gzip compression for static CSS and JS assets to decrease bundle download times.
• Added API endpoint for updating script contents.
• Implemented various UI improvements to the scripts list.
• Added option to populate users and labels on list hosts endpoint.
• Checked the server for validity of any Fleet invites on load.
• Updateed user form validation to require a password be present when switching a user from SSO to password authentication.
• Updated the way new manual labels are created to better support adding large numbers of hosts at one time.
• Replaced "Include Fleet desktop" with host type radio selection buttons when adding Windows or Linux hosts.
• Disabled webhooks if not present in gitops.

Software

• Added ability to target app store apps with include/exclude labels.
• Added ability to edit targets or self service option for app store apps.
• Added details modal for add, edit, and delete app store app global activities.
• Added modal to edit script contents.
• Added download url for fleet maintained apps as url property on fleet/software/fleet_maintained_apps/:id.
• Added "exclude_fleet_maintained_apps" option to GET /api/v1/fleet/software/titles.
• Surfaced download URL for Fleet-maintained app when adding the software to Fleet.
• Surfaced cleaner errors when adding Fleet-maintained apps.
• Revised software installer package validation to mark installers with no version as "unknown" for version rather than rejecting them.
• Resolved false negatives on vulnerabilities for IntelliJ IDEA Community Edition on Windows.
• Resolved false-positives for the pass Homebrew package and jira Python package via a vulnerability feed update available to all Fleet versions on 2025-01-22.
• Fixed a false negative vulnerability reporting for iTerm2 (available to all recent Fleet releases as of January 17th via a vulnerability feed update).

Bug fixes and improvements

• Removed duplicate Linux lock and wipe scripts from repository.
• Clarified text on the policies and queries pages when no policies/queries exist for the selected team (or All Teams).
• Updated the help text for 3 tabs of the Add hosts modal.
• Improved the look and feel of dropdowns in the UI.
• Improved look and feel of dashboard host count cards including hiding platforms with 0 count.
• Added util wrapper func around semver package to allow for custom preprocessing. Upgraded semver library to 3.3.1 and usage everywhere to version 3.
• Added link to information about installing fleetd when packages are generated.
• Optimized software ingestion queries to use existing DB indexes in the software titles table.
• Normalized padding spacing for list headers, lists, and help text across various modals.
• Removed the resend button for failed windows disk encryption profiles and add messaging that tells the user that Fleet with automatically retry this profile again.
• Refactored upstream error logic to allow disabling submit button when form errors are present.
• Improved the verified and verifying tooltips on the Profile Status on OS settings page.
• Improved settings context so that user's updates to the team agent options form when they navigate away and back again.
• Improved the teams dropdown so that it gracefully hides overflow from long team names.
• Updated the os settings Target form deadline input tooltip to make it more clear how the deadline works for hosts.
• Updated language in query comppatibility tooltip to clarify that compatibility is based only on tables.
• Optimized logging by ensuring illegal argument errors will no longer be logged at the ERROR level on the server. Since these are client errors, they will be logged at the DEBUG level instead. This will reduce the amount of noise in the server logs and help debugging other issues.
• Raised the frequency of sending anonymous statistics from every 24 hours to every 1 hour.
• Bumped Node.js version to 20.18.1.
• Bumped github cache action to 4.2.0.
• Added server debug logging for unexpected Apple DDM configuration status.
• Removed fleetctl binary from the fleetdm/fleet docker image.
• Removed erroneous "manage automations" link on dashboard for maintainers.
• Fixed window profiles error message being cut off in the OS settings modal.
• Fixed user page responsiveness to not overflow horizontally.
• Fixed case consistency for "Disk encryption" in host OS settings modal.
• Fixed styling for manage automation buttons and dropdown.
• Fixed a bug where query reports where not being recorded for hosts configured with --logger_snapshot_event_type=true.
• Fixed incorrect source value in device mapping REST API documentation.
• Fixed a bug in Fleet's handling of VPP token renewal requests.
• Fixed mail being sent with the incorrect SMTP Domain (thank you @mccormickt).
• Fixed filtering by vulnerable software for ios or ipad host.
• Fixed issue where some Windows MDM profiles were not being sent to hosts when hosts came back online.
• Fixed a bug where adding or removing a host with an identical name to/from a label caused the same action to be performed on other host(s) with the same name as well.
• Fixed Windows MDM issue where SessionID of 0 was not allowed.
• Fixed a bug with paginating team policies.
• Fixed a bug "software not found for checksum" in software ingestion transaction retries.
• Fixed issue with Windows disk encryption where status updates from "Verifying" to "Verified" were sometimes stuck in the "Verifying" state.
• Fixed a bug where server errors returned from the API were not successfully being incorporated into the user form error states.
• Fixed a bug where team admins are unable to enable or disable MFA for a user.
• Fixed a bug where only the first of multiple software titles with the same name and source but different bundle IDs would be successfully inserted into the database.
• Fixed issue verifying Windows CSP profiles that contain ADMX policies.

Fleet's agent

The following version of Fleet's agent (fleetd) support the latest changes to Fleet:

1. orbit-v1.39.1
2. fleet-desktop-v1.39.1 (included with Orbit)
3. fleetd-chrome-v1.3.1

While newer versions of fleetd still function with older versions of the Fleet server (and vice versa), Fleet does not actively test these scenarios and some newer features won't be available.

Upgrading

Please visit our update guide for upgrade instructions.

Documentation

Documentation for Fleet is available at fleetdm.com/docs.

Binary Checksum

SHA256

51a811aaabbee948566e60a7521d4f9575be7625e8f3f0c730bb5eaa7603c4cb  fleet_v4.64.0_linux.tar.gz
3c28599271ae296c3d4f027ff71576d2ca0b8ceb8b3a79f7c9411fb9d786af5e  fleetctl_v4.64.0_linux.tar.gz
0a56aefb8135635c4bb7cb530b65d2cd6065cffa9a08170d59d5734763fc48f1  fleetctl_v4.64.0_linux.zip
9dd40e358a2e964b1d7768fde0898f3dfc10004895478d8cec2b91be0a5fc5c1  fleetctl_v4.64.0_linux_arm64.tar.gz
c279b7ff8ef5052588e7cd7cd78362e4a086b5c9a0c4291c819929d8435d431f  fleetctl_v4.64.0_linux_arm64.zip
2cc53904097a7916e9712417b611c1e3fc43be4fab4ff0819d8e0ee4e9770032  fleetctl_v4.64.0_macos.tar.gz
62cb7587e55ebb2280f40379d296098fd0b75584279d4ae10649fa28844ca6b7  fleetctl_v4.64.0_macos.zip
935e797b12becaabb66deb818d04f60efd2a81e474e6522ebece8e8111fa8bc7  fleetctl_v4.64.0_windows.tar.gz
4035b2a555671ac1bbe68955a93029b1deec8242e0ef568aee50b91828a1c51a  fleetctl_v4.64.0_windows.zip
08512fa9d118d00b02abb28ea02359d425c7827dadafeb9c922ab6f6c5da61e8  fleetctl_v4.64.0_windows_arm64.tar.gz
bbfae41779201acd34b1bce2f1b2426fcabf36365014881e3aebb44333f4c4e3  fleetctl_v4.64.0_windows_arm64.zip

fleet-v4.63.0

Fleet 4.63.0 (Feb 04, 2025)

Device management (MDM)

• Allowed the delivery of bootstrap packages and software installers using signed URLs from CloudFront CDN. To enable, configured the following server settings:
  • s3_software_installers_cloudfront_url
  • s3_software_installers_cloudfront_url_signing_public_key_id
  • s3_software_installers_cloudfront_url_signing_private_key
• Downgraded the expected or common "BootstrapPackage not found" server error to a debug message. This occurred when the UI or API checked if a bootstrap package existed.
• Removed the arrow icon from the MDM solution table on the dashboard page.

Orchestration

• Added the ability to install VPP apps on policy failure.
• Implemented user-level settings and used them to persist a user's selection of which columns to display on the hosts table.
• Included a host's team-level queries when the user selected a query to target a specific host via the host details page.
• Included osquery pre-releases in the daily UI constant update GitHub Actions job.
• Displayed the correct path for agent options when a key was placed in the wrong object.
• When running a live query from the edit query form, considered the results of the run in calculating an existing query's performance impact if the user did not change the query from the stored version.
• Improved the validation workflow on the SMTP settings page.
• Clarified the expected behavior of policy host counts, dashboard controls software count, and controls OS updates versions count.
• Rendered the default empty value when a host had no UUID.
• Used an email logo compatible with dark modes.
• Improved readability of the success message on email update by never including the sender address.

Software

• Added the ability to install VPP apps on policy failure.
• Allowed filtering of titles by "any of these platforms" in GET /api/v1/fleet/software/titles.
• Added VPP apps to the automatic installation dropdown for failed policies and included auto-install information on the VPP app details page.
• Updated Fleet-maintained app install scripts for non-PKG-based installers to allow the apps to be installed over an existing installation.
• Clarified that editing VPP teams would remove App Store apps available to the team, not uninstall apps from hosts.
• Pushed the correct paths to the URL on the "My device" page when self-service was not enabled for the host.
• Displayed command line installation instructions when a package was generated.
• Added a fallback for extracting the app name from .pkg installers that had default or incorrect title attributes in their distribution file.
• Stopped VPP apps from being removed from teams whenever the VPP token team assignment was updated.
• Improved software installation for failed policies by adding platform-specific filtering in the software dropdown so that only compatible software was displayed based on each policy's targeted platforms.
• Added a timestamp for the software, OS, and vulnerability detail pages for the host count last update time.

Bug fixes and improvements

• Fixed an issue where the vulnerabilities cron failed in large environments due to large SQL queries.
• Fixed two broken links in the setup experience.
• Fixed a UI bug on the "My device" page where the "Software" tab included filter elements that did not match the expected design.
• Fixed a UI bug on the "Controls" page where incorrect timestamp information was displayed while the "Current versions" table was loading.
• Fixed an issue for batch upload of Apple DDM profiles with fleetctl gitops where the activity feed showed a change even when profiles did not actually change.
• Fixed a software name overflow in various modals.
• Fixed form validation behavior on the SSO settings form.
• Fixed MSI parsing for packages that included long interned strings (e.g., licenses for the OpenVPN Connect installer).
• Fixed a software actions dropdown styling bug.
• Fixed an issue where identical MDM commands were sent twice to the same device when the replica database was being used.
• Fixed a redirect when clicking on any column in the Fleet Maintained Apps table.
• Fixed an issue where deleted Apple config profiles were installed on devices because the devices were offline when the profile was added.
• Fixed a CVE-2024-10327 false positive on Fleet-supported platforms (the vulnerability was iOS-only and iOS vulnerability checking was not supported).
• Fixed missing capabilities in the UI for team admins when creating or editing a user by exposing more information from the API for team admins.

Fleet's agent

The following version of Fleet's agent (fleetd) support the latest changes to Fleet:

1. orbit-v1.38.1
2. fleet-desktop-v1.38.1 (included with Orbit)
3. fleetd-chrome-v1.3.1

While newer versions of fleetd still function with older versions of the Fleet server (and vice versa), Fleet does not actively test these scenarios and some newer features won't be available.

Upgrading

Please visit our update guide for upgrade instructions.

Documentation

Documentation for Fleet is available at fleetdm.com/docs.

Binary Checksum

SHA256

f12474fc401d1c707ee5872d63cf7ffff4e8935d01e381b14ce8f6ec0e581981  fleet_v4.63.0_linux.tar.gz
67e3a087c68dd19fa8db1a59749892b19d6e5a48e8eecf78ab0c3039760f2d1f  fleetctl_v4.63.0_linux.tar.gz
77cd43a63ecc2a6effdd28242caeadafa7a390bfff414aab71b73080e42c82cc  fleetctl_v4.63.0_linux.zip
254c59d6f32b5ac7a8978b9e1f33c55c3cbc3cae8892aa2b5b9475f2b419fa3a  fleetctl_v4.63.0_macos.tar.gz
18092bc9c92086d665c61fec640e1e547bb24550f10c4f809449ef3b2cf592c4  fleetctl_v4.63.0_macos.zip
2543c06b02a4d73dcf0ccf97b0bba33f61a3e85d940d2777f1cff62d92d44ec7  fleetctl_v4.63.0_windows.tar.gz
ee0e1c631c5b402eb861bf59e1dc132882111d809e62d113489af55ec767d7da  fleetctl_v4.63.0_windows.zip

fleet-v4.62.3

Fleet 4.62.3 (Jan 28, 2025)

Bug fixes

• Fixed issue verifying Windows CSP profiles that contain ADMX policies.
• Archived disk encryption keys when they were created or updated. They were never fully deleted from the database.
• Fixed issue where some Windows MDM profiles were not sent to hosts when hosts came back online.
• Removed the resend button for failed Windows disk encryption profiles and added messaging that tells the user that Fleet will automatically retry the profile again.
• Fixed bug where iOS devices were being removed prematurely by expiration policy.
• Removed request timeout on bootstrap package uploads for consistency with software package upload endpoints.

Upgrading

Please visit our update guide for upgrade instructions.

Documentation

Documentation for Fleet is available at fleetdm.com/docs.

Binary Checksum

SHA256

64a415d17f5cb191371878833b0f2643ff162d74c0873a534ca1cfec27c06398  fleet_v4.62.3_linux.tar.gz
8bb503f0eeac0b99847ffac0fe348b62b21fe680e4a497df0d8a0ff9dd95669b  fleetctl_v4.62.3_linux.tar.gz
9b93da87a2557053ab1b4be3f4b2fd3fc1e321aa0a35d51d0b212aebcfc2084c  fleetctl_v4.62.3_linux.zip
a0d108defb7cf03d0ad1c47fc7986ac02a9fe1a3422bf05fe23a3d6242385cab  fleetctl_v4.62.3_macos.tar.gz
d9573ba1f7d87f269c798d2cec9d34e87426d1035f00f7574555d8e3243f95bb  fleetctl_v4.62.3_macos.zip
167d6433ab19ce1f5f141f11a2628e75d7c2a84dbd67b56f89d36141ec71554a  fleetctl_v4.62.3_windows.tar.gz
39889dc0039c28e8bfd52b0c82b4ce88c82d2a47b30d66a511b3f7923ddbbb4f  fleetctl_v4.62.3_windows.zip

fleet-v4.62.2

Fleet 4.62.2 (Jan 21, 2025)

Bug fixes

• Removed request timeout on bootstrap package uploads for consistency with software package upload endpoints.
• Fixed bug where iOS devices were being removed prematurely by expiration policy.

Upgrading

Please visit our update guide for upgrade instructions.

Documentation

Documentation for Fleet is available at fleetdm.com/docs.

Binary Checksum

SHA256

6982cc0705fb2f2e112e81c66b354b47ff34fb32ea42e566101436d1bffaac4c  fleet_v4.62.2_linux.tar.gz
194c2d4a0bb0e875145b61e7e192c21d8b211efd52164d4a1f37ebc1537ff2b2  fleetctl_v4.62.2_linux.tar.gz
0be3f859d6ec5fd2959f8214e894402900b3354a8ba1a898e263720332d62203  fleetctl_v4.62.2_linux.zip
be9e4aea96562a6a74dbd0c4c66cef5bfb30a5a4e5e61d5491a2df4565550fa5  fleetctl_v4.62.2_macos.tar.gz
4bc2926d0ddbf2981d9a95207de0ab2c140188d34ad34e192d4f3c7ce928d2ef  fleetctl_v4.62.2_macos.zip
543a8c89684cf35f960295462eb23478ac2ccc4e1dbb2047c3831181a3fc6048  fleetctl_v4.62.2_windows.tar.gz
3b6fd573d6ab6a2f11a58adf4ccd6664464c92cf16fcb23039f2eca5ed09f34a  fleetctl_v4.62.2_windows.zip

fleet-v4.62.1

Fleet 4.62.1 (Jan 14, 2025)

Bug fixes

• Fixed issue when identical MDM commands were sent twice to the same device when replica DB was being used.

Upgrading

Please visit our update guide for upgrade instructions.

Documentation

Documentation for Fleet is available at fleetdm.com/docs.

Binary Checksum

SHA256

366a2d67fabdbf7af442e735a4189cfd9f81afda4dc583b6e23033c03c3ee542  fleet_v4.62.1_linux.tar.gz
665460af5833437ce59498568786e2d9ce7a60b52d2c1e3e099f3660c7c48988  fleetctl_v4.62.1_linux.tar.gz
f34cb18a89f0092b319430dc57c03affe63a93e77546449acf346474b2a16215  fleetctl_v4.62.1_linux.zip
cd9f67b47c79b3200c28289afbae725abe1570ad1ef0aa40e206600a8055ae9f  fleetctl_v4.62.1_macos.tar.gz
02b2422ac25bc04bfdeda8274124484ad575212ba15e606357237d52cdfb0294  fleetctl_v4.62.1_macos.zip
6bb3265409fa7d4f7a2f8c005f6d7bab211672d7b5cc6d927b984d8300f088bd  fleetctl_v4.62.1_windows.tar.gz
a5f700a80d47246a26d19d7c446ba0eb0315527f15ad92ea7984d0d3d37d92f6  fleetctl_v4.62.1_windows.zip

fleet-v4.62.0

Fleet 4.62.0 (Jan 09, 2025)

Endpoint operations

• Updated macos 13, 14 per latest CIS documents. Added macos 15 support.
• Updated queries API to support above targeted platform filtering.
• Updated UI queries page to filter, sort, paginate, etc. via query params in call to server.
• Added searchable query targets and cleaner UI for uses with many teams or labels.

Device management (MDM)

• Added ability to use secrets ($FLEET_SECRET_YOURNAME) in scripts and profiles.
• Added ability to scope Fleet-maintained apps and custom packages via labels in UI, API, and CLI.
• Added capability to automatically generate "trigger policies" for custom software packages.
• Added UI for scoping software via labels.
• Added validation to prevent label deletion if it is used to scope the hosts targeted by a software installer.
• Added ability to filter host software based on label scoping.
• Added support for Fleet secret validation in software installer scripts.
• Updated fleetctl gitops to support scope software installers by labels, with the labels_include_any or labels_exclude_any conditions.
• Updated fleetctl gitops to identify secrets in scripts and profiles and saves them on the Fleet server.
• Updated fleetctl gitops so that when it updates profiles, if the secret value has changed, the profile is updated on the host.
• Added /fleet/spec/secret_variables API endpoint.
• Added functionality for skipping automatic installs if the software is not scoped to the host via labels.
• Added the ability to click a software row on the my device page and see the details of that software's installation on the host.
• Allowed software uninstalls and script-based host lock/unlock/wipe to run while global scripts are disabled.

Vulnerability management

• Added missing vulncheck data from NVD feeds.
• Fixed MSI parsing for packages including long interned strings (e.g. licenses for the OpenVPN Connect installer).
• Fixed a panic (and resulting failure to load CVE details) on new installs when OS versions have not been populated yet.
• Fixed CVE-2024-10004 false positive on Fleet-supported platforms (vuln is iOS-only and iOS vuln checking is not supported).

Bug fixes and improvements

• Added license key validation on fleetctl preview if a license key is provided; fixes cases where an invalid license key would cause fleetctl preview to hang.
• Increased maximum length for installer URLs specified in GitOps to 4000 characters.
• Stopped older scheduled queries from filling logs with errors.
• Changed script upload endpoint (POST /api/v1/fleet/scripts) to automatically switch CRLF line endings to LF.
• Fleshed out server response from queries endpoint to include count and meta pagination information.
• Updated platform filtering on queries page to refer to targeted platforms instead of compatible platforms.
• Included osquery pre-releases in daily UI constant update GitHub Actions job.
• Updated to send alert via SNS when a scheduled "cron" job returns errors.
• SNS topic for job error alerts can be configured separately from the existing monitor alert by adding "cron_job_failure_monitoring" to sns_topic_arns_map, otherwise defaults to the using the same topic.
• Improved validation workflow on SMTP settings page.
• Allowed team policy endpoint (PATCH /api/latest/fleet/teams/{team_id}/policies/{policy_id}) to receive explicit null as a value for script_id or software_title_id to unset a script or software installer respectively.
• Aliased EAP versions of JetBrains IDEs to "last release version plus all fixes" (e.g. 2024.3 EAP -> 2024.2.99) to avoid vulnerability false positives.
• Removed server error if no private IP was found by detail_query_network_interface.
• Updated fleetctl dependencies that cause warnings.
• Added service annotation field to Helm Chart.
• Updated so that on policy deletion any associated pending software installer or scripts are deleted.
• Added fallback to FileVersion on EXE installers when FileVersion is set but ProductVersion isn't to allow more custom packages to be uploaded.
• Added Mastodon icon and URL to server email templates.
• Improved table text wrapper in UI.
• Added helpful tooltip for the install software setup experience page.
• Added offset to the tooltips on hover of the profile aggregate status indicators.
• Added the software_title_id field to the added_software activity details.
• Allow maintainers to manage install software or run scripts on policy automations.
• Removed duplicate software records from homebrew casks already reported in the osquery apps table to address false positive vulnerabilities due to lack of bundle_identifier.
• Added the labels_include_any and labels_exclude_any fields to the software installer activities.
• Updated the get host endpoint to include disk encryption stats for a linux host only if the setting is enabled.
• Updated Helm chart to support customization options such as the Google cloud_sql_proxy in the fleet-migration job.
• Updated example windows policies.
• Added a descriptive error when a GitOps file contains script references that are missing paths.
• Removed invalid UUID log message when validating Apple MDM UDID.
• Added validation Fleet secrets embedded into scripts and profiles on ingestion.
• Display the correct percentage of hosts online when there are no hosts online.
• Fixed bug when creating a label to preserve the selected team.
• Fixed export to CSV trimming leading zeros by treating those values as strings.
• Fixed reporting of software uninstall results after a host has been locked/unlocked.
• Fixed issue where minio software was not scanned for vulnerabilities correctly because of unexpected trailing characters in the version string.
• Fixed bug on the "Controls" page where incorrect timestamp information was displayed while the "Current versions" table was loading.
• Fixed policy truncation UI bug.
• Fixed cases where showing results of an inherited query viewed inside a team would include results from hosts not on thta team by adding an optional team_id parameter to queris report endpoint (GET /api/latest/fleet/queries/{query_id}/report).
• Fixed issue where deleted Apple config profiles were installing on devices because devices were offline when the profile was added.
• Fixed UI bug involving pagination of subsections within the "Controls" page.
• Fixed "Verifying" disk encryption status count and filter for macOS hosts to not include hosts where end-user action is required.
• Fixed a bug in determining sort type of query result columns by deducing that type from the data present in those columns.

Fleet's agent

The following version of Fleet's agent (fleetd) support the latest changes to Fleet:

1. orbit-v1.37.0
2. fleet-desktop-v1.37.0 (included with Orbit)
3. fleetd-chrome-v1.3.1

While newer versions of fleetd still function with older versions of the Fleet server (and vice versa), Fleet does not actively test these scenarios and some newer features won't be available.

Upgrading

Please visit our update guide for upgrade instructions.

Documentation

Documentation for Fleet is available at fleetdm.com/docs.

Binary Checksum

SHA256

63e036e9d1f3b6cc751d37d39121928072ac40b5b3b7959a1944515dda134446  fleet_v4.62.0_linux.tar.gz
eedbf8675c9c87d161e2a198877e7269e5ae011f9a766fbb0de28c1dfbfbcbb8  fleetctl_v4.62.0_linux.tar.gz
3c3d768fc34418606543de3fb056b76c79577a2172fd6a85a6fd1aa68c6961e0  fleetctl_v4.62.0_linux.zip
36903fbdb80cf42e36885265ccbf55269ba7c92557a7a34397f61d19140699af  fleetctl_v4.62.0_macos.tar.gz
c0815cbedf16d9b5e2500e4eaa9fa7953a17f47c99d7f8a9e039d068816389fb  fleetctl_v4.62.0_macos.zip
c65503642a3ed80ba0728aba0a674f72e0bb2e94a697124697ef07135c9c4ef1  fleetctl_v4.62.0_windows.tar.gz
d90170b48790b2a36e702ad26d56be24063a97a3095df5b7c93096a29dc1c97f  fleetctl_v4.62.0_windows.zip

fleet-v4.61.0

Fleet 4.61.0 (Dec 17, 2024)

Endpoint operations

• Added support to require email verification (MFA) on each login when setting up a Fleet user outside SSO.
• Extended Linux encryption key escrow support to Ubuntu 20.04.6.
• Added missing APM instrumentation for Fleet API routes.
• Improved label validation when running live queries. Previously, when passing label(s) that do not exist, the labels were ignored. Now, an error is returned indicating which labels were not found. This change affects both the API and fleetctl query command.

Device management (MDM)

• Added functionality for creating an automatic install policy for Fleet-maintained apps.
• Replaced Zoom Fleet-maintained app with Zoom for IT, which does not open any windows during installation.
• Added support for the new windows_migration_enabled setting (can be set via fleetctl, the PATCH /api/latest/fleet/config API endpoint and the UI). Requires a premium license.
• Updated to only show the "follow instructions on My device" banner for Linux hosts whose disks are encrypted but for which Fleet hasn't escrowed a valid key.
• Added App Store app UI: Added different empty state when VPP token is not added at all vs. when it's not assigned to a team to prevent confusion.
• Allowed APNS key to be in unencrypted PKCS8 format, which may happen when migrating from another MDM.
• Allowed calling /api/v1/fleet/software/fleet_maintained_apps with no team ID to retrieve the full global list of maintained apps.
• Added UI changes for windows MDM page and allow for automatic migration for windows hosts.
• Bypassed the setup experience UI if there is no setup experience item to process (no software to install, no script to execute), so that releasing the device is done without going through that window.

Vulnerability management

• Added without_vulnerability_details to software versions endpoint (/api/latest/fleet/software/versions) so CVE details can be truncated when on Fleet Premium.
• Fixed an issue where the github cli software name was not matching against the cpe vulnerability name.

Bug fixes and improvements

• Updated Go version to 1.23.4.
• Update help text for policy automation Install software and run script modals.
• Updated to display Windows MDM WSTEP flags in fleet --help.
• Added language in email templates indicating that users should not reply to the automated emails.
• Added better information on what deleting a host does.
• Added a clearer error message when users attempt to turn MDM off on a Windows host.
• Improved side nav empty state UI under /settings.
• Added missing loading spinner for delete modals (delete configuration profile, delete script, delete setup script and delete software).
• Improved performance of updating the nano_enrollments.last_seen_at timestamp of Apple MDM devices by an order of magnitude under load.
• Improved MDM SELECT FROM nano_enrollment_queue MySQL query performance, including calling it on DB reader much of the time.
• Updated Inter font to latest version for woff2 files.
• Added better documentation around how the --label flag works in the fleetctl query command.
• Switched Twitter logo to X logo in Fleet-initiated automated emails.
• Removed duplicate indexes from the database schema..
• Added cleanup job to delete stuck pending Apple profiles, and requeue them.
• Exclude any custom sourced "users" from the host details "used by" display if Fleet doesn't have an email for them.
• Replaced the internal use of the deprecated go.mozilla.org/pkcs7 package with the maintained fork github.com/smallstep/pkcs7.
• Switched email template font to Inter to match previous changes in the rest of the UI.
• Updated resend config profile API from hosts/[hostid}/configuration_profiles/resend/{uuid} to hosts/{hostid}/configuration_profiles/{uuid}/resend.
• Update nanomdm dependency with latest bug fixes and improvements.
• Updated documentation to include firefox_preferences table for Linux and Windows platforms.
• Restored the user's previous scroll, if any, when they change the filter on the host software table.
• Updated a link in the Fleet-maintained apps UI to point to the correct place.
• Removed image borders that are included in Apple's app store icons.
• Redirect when user provides an invalid URL param for fleet-maintained software id.
• Added additional statistics item for number of saved queries.
• Fixed a bug where the name of the setup experience script was not showing up in the activity for that script execution.
• Present a nicely formatted and more informative UI for log destination in two places.
• Fixed bug in fleetdm/fleetctl docker image where the build directory does not exist when generating deb/rpm packages.
• Fixed missing read permission for team maintainers and admins on Fleet maintained apps.
• Fixed a bug that would add "Fleet" to activities where it shouldn't be.
• Fixed ability to clear policy automation that empties webhook URL.
• Fixes a bug with pagination in the profiles and scripts lists.
• Fixed duplicate queries in query stats list in host details.
• Fixed zip and dmg automations showing null platform for installer
• Fixed a typo in the loading modal when adding a Fleet-maintained app.
• Fixed UI bug where "Actions" dropdown on host software page included "Install" and "Uninstall" options for software that is not able to be installed via Fleet.
• Fixed a bug where the HTTP client used for MDM APNs push notifications did not support using a configured proxy.
• Fixed potential deadlocks when deploying Apple configuration profiles.
• Fixed releasing a DEP-enrolled macOS device if mTLS is configured for fleetd.
• Fixed learn more about JIT provisioning link.
• Fixed an issue with the copy for the activity generated by viewing a locked macOS host's PIN.
• Fixed breaking with gitops user role running fleetctl gitops command when MDM is enabled.
• Fixed responsive styles for the ADM table.

Fleet's agent

The following version of Fleet's agent (fleetd) support the latest changes to Fleet:

1. orbit-v1.37.0
2. fleet-desktop-v1.37.0 (included with Orbit)
3. fleetd-chrome-v1.3.1

While newer versions of fleetd still function with older versions of the Fleet server (and vice versa), Fleet does not actively test these scenarios and some newer features won't be available.

Upgrading

Please visit our update guide for upgrade instructions.

Documentation

Documentation for Fleet is available at fleetdm.com/docs.

Binary Checksum

SHA256

14f97001f6b56195c780d9290a08572a83fcce345d5a9210f34673b88bd9d344  fleet_v4.61.0_linux.tar.gz
f80ae28f3244b088098de4ce69f6bde059fee71bfeb12688f9acd25b0becfbae  fleetctl_v4.61.0_linux.tar.gz
bbb36cb827c6c71b4cf345d7cad2523a650a650ecb16dcc65944444d2946cd12  fleetctl_v4.61.0_linux.zip
a7bda439294f71754d81514238208f6a15dcae96988fcf931d01ed5c4dca4d1f  fleetctl_v4.61.0_macos.tar.gz
f193caeaf4ebc870dc5c5ace4537e8810e8a3fc75e740e9b78510666c9e11a99  fleetctl_v4.61.0_macos.zip
e425d22aacdf33348dced3ada6e5e515f21e215d4650955c3f7b0d112def4d49  fleetctl_v4.61.0_windows.tar.gz
763234cb5a254e22c355517500b8a02d383f8d69221a446c4b6664ab9b6ef3ec  fleetctl_v4.61.0_windows.zip

fleet-v4.60.1

Bug fixes

• Fixed a bug that caused breaking with gitops user role running fleetctl gitops command when MDM was enabled.

Upgrading

Please visit our update guide for upgrade instructions.

Documentation

Documentation for Fleet is available at fleetdm.com/docs.

Binary Checksum

SHA256

c602435261037d0606a86927fb4ee109cf5087c674515db9aef4cd1c6ca8fbca  fleet_v4.60.1_linux.tar.gz
4456037762ef6b5139fc036f22590f9a8601024ef521f13824e9761659e3c601  fleetctl_v4.60.1_linux.tar.gz
506d406e0f90d4cb124fcd2fd6fe67802c40a06900884e7e6a90cb18a2ffa675  fleetctl_v4.60.1_linux.zip
28f921c0eb60bb7545e1ebd9c3ab52343a0042d425cc7ce842630b598e3cd6d9  fleetctl_v4.60.1_macos.tar.gz
cd99fb722dc3ec8015c47c6c5cd36f9f63bd759e96f362ebcc6bf251d755e9b9  fleetctl_v4.60.1_macos.zip
75c672b3b89f736b12f4f3ed9c69f68209399ccc33e00ba8bd4afae69f98279a  fleetctl_v4.60.1_windows.tar.gz
bc0c8a6802ef130bf79305b305b1eede3f38ca4462da708a7de1b6f917898d9c  fleetctl_v4.60.1_windows.zip

fleet-v4.60.0

Fleet 4.60.0 (Nov 27, 2024)

Endpoint operations

• Added support for labels_include_any to gitops.
• Added major improvements to keyboard accessibility throughout app (e.g. checkboxes, dropdowns, table navigation).
• Added activity item for fleetd enrollment with host serial and display name.
• Added capability for Fleet to serve YARA rules to agents over HTTPS authenticated via node key (requires osquery 5.14+).
• Added a query to allow users to turn on/off automations while being transparent of the current log destination.
• Updated UI to allow users to view scripts (from both the scripts page and host details page) without downloading them.
• Updated activity feed to generate an activity when activity automations are enabled, edited, or disabled.
• Cancelled pending script executions when a script is edited or deleted.

Device management (MDM)

• Added better handling of timeout and insufficient permissions errors in NDES SCEP proxy.
• Added info banner for cloud customers to help with their windows autoenrollment setup.
• Added DB support for "include any" label profile deployment.
• Added support for "include any" label/profile relationships to the profile reconciliation machinery.
• Added team_identifier signature information to Apple macOS applications to the /api/latest/fleet/hosts/:id/software API endpoint.
• Added indicator of how fresh a software title's host and version counts are on the title's details page.
• Added UI for allowing users to install custom profiles on hosts that include any of the defined labels.
• Added UI features supporting disk encryption for Ubuntu and Fedora Linux.
• Added support for deb packages compressed with zstd.

Vulnerability management

• Allowed skipping computationally heavy population of vulnerability details when populating host software on hosts list endpoint (GET /api/latest/fleet/hosts) when using Fleet Premium (populate_software=without_vulnerability_descriptions).

Bug fixes and improvements

• Improved memory usage of the Fleet server when uploading a large software installer file. Note that the installer will now use (temporary) disk space and sufficient storage space is required.
• Improved performance of adding and removing profiles to large teams by an order of magnitude.
• Disabled accessibility via keyboard for forms that are disabled via a slider.
• Updated software batch endpoint status code from 200 (OK) to 202 (Accepted).
• Updated a package used for testing (msw) to improve security.
• Updated to reboot linux machine on unlock to work around GDM bug on Ubuntu 24.04.
• Updated GitOps to return an error if the deprecated apple_bm_default_team key is used and there are more than 1 ABM tokens in Fleet.
• Dismissed error flash on the my device page when navigating to another URL.
• Modified the Fleet setup experience feature to not run if there is no software or script configured for the setup experience.
• Set a more accurate minimum height for the Add hosts > ChromeOS > Policy for extension field, avoiding a scrollbar.
• Added UI prompt for user to reenter the password if SCEP/NDES url or username has changed.
• Updated ABM public key to download as as PEM format instead of CRT.
• Fixed issue with uploading macOS software packages that do not have a top level Distribution.xml, but do have a top level PackageInfo.xml. For example, Okta Verify.app.
• Fixed some cases where Fleet Maintained Apps generated incorrect uninstall scripts.
• Fixed a bug where a device that was removed from ABM and then added back wouldn't properly re-enroll in Fleet MDM.
• Fixed name/version parsing issue with PE (EXE) installer self-extracting archives such as Opera.
• Fixed a bug where the create and update label endpoints could return outdated information in a deployment using a mysql replica.
• Fixed the MDM configuration profiles deployment when based on excluded labels.
• Fixed gitops path resolution for installer queries and scripts to always be relative to where the query file or script is referenced. This change breaks existing YAML files that had to account for previous inconsistent behavior (e.g. installers in a subdirectory referencing scripts elsewhere).
• Fixed issue where minimum OS version enforcement was not being applied during Apple ADE if MDM IdP integration was enabled.
• Fixed a bug where users would be allowed to attempt an install of an App Store app on a host that was not MDM enrolled.

Fleet's agent

The following version of Fleet's agent (fleetd) support the latest changes to Fleet:

1. orbit-v1.36.0
2. fleet-desktop-v1.36.0 (included with Orbit)
3. fleetd-chrome-v1.3.1

While newer versions of fleetd still function with older versions of the Fleet server (and vice versa), Fleet does not actively test these scenarios and some newer features won't be available.

Upgrading

Please visit our update guide for upgrade instructions.

Documentation

Documentation for Fleet is available at fleetdm.com/docs.

Binary Checksum

SHA256

ae0ab2cbd84b0b4db7cf8f0a700a59018a5ac8587216d0af361824096f0c789f  fleet_v4.60.0_linux.tar.gz
89ecf2ac3a2cd9c30bd3ccf975a1d325e04d04762dfc8e2da99f13b28fd06885  fleetctl_v4.60.0_linux.tar.gz
75e95310fdbd9ddd32f0ebc2d609be1961791ba91c73b4016cd19f8264f3441b  fleetctl_v4.60.0_linux.zip
31c40735cb8a1cdd4aaa8b543d175de5be0e9c8f284a844ced4a1749fc77890b  fleetctl_v4.60.0_macos.tar.gz
5c4a07f6baddbfe7e7420244d4e128617382fac910b77891b8552ac1c114bdd7  fleetctl_v4.60.0_macos.zip
8a02fe28ca9cac37ea7106cef3be7055b09893c6c38080d452579ae9aa3c693f  fleetctl_v4.60.0_windows.tar.gz
0380415b15075d63977abe88ef43c3236c25be2cb87b2cf877b2f648b792eae7  fleetctl_v4.60.0_windows.zip