fleet-v4.84.0

Fleet 4.84.0 (Apr 24, 2026)

IT Admins

• Added support for Entra conditional access to Windows devices.
• Added ability to pin Fleet-maintained apps to a specific major version in GitOps.
• Implemented ACME for MDM protocol communication, and hardware device attestation.
• Added GET /api/v1/fleet/hosts/{id}/reports endpoint (also accessible as /hosts/{id}/queries) that lists the query reports associated with a specific host.
• Added support for labels_include_all conditional scoping for software installers and apps.
• Added validation for software install, uninstall, and post-install scripts.
• Added ability to specify custom patch policy query in an FMA manifest.
• Added ability to re-send Android certificates to a specific host.
• Added Reports tab to Host details page.
• Allowed specifying a Fleet-Maintained App (FMA) as a policy software automation in GitOps.
• Added support for running python scripts on macOS and Linux.
• Added automatic retry (up to 3 times) when the Android agent reports a certificate install failure.
• Added activity logging when a certificate is installed or fails to install on an Android host.
• Enabled the host activity card on the Android host details page.
• Switched Fleet-maintained apps serving location from GitHub to https://maintained-apps.fleetdm.com/manifests. NOTE: If you limit outbound Fleet server traffic, make sure it can access the new FMA manifests location.
• Increased automatic retry limit for failed Apple (macOS, iOS, iPadOS) configuration profiles from 1 to 3. Windows profiles remain at 1 retry.
• Added a new disk_space fleetd table for macOS that reports available disk space including purgeable storage, matching the value shown in Finder's "Get Info" dialog and System Settings → General → Storage.
• Added configuration profile deletion when a Windows configuration profile is deleted or a host moves teams via SyncML <Delete> commands, bringing Windows profile removal to parity with macOS.
• Added support for outputting VPP policy automations in fleetctl generate-gitops.
• Added logging of profile names alongside MDM commands installing or removing them.
• Added indication in the UI when a profile command was deferred via NotNow status.
• Added activity when setup experience is canceled due to software install failure.
• Added cancel activities for each VPP app install skipped due to setup experience cancellation, and switched "failed" activity to "canceled" for package-based software installs in the same situation.
• Added install failure activity when VPP installs fail due to licensing issues during setup experience.

Security Engineers

• Added vulnerability detection for Microsoft 365 Apps and Office products on Windows.
• Added OSV data source for Ubuntu vulnerability scanning.
• Added automatic rotation of Mac recovery lock passwords 1 hour after the password is viewed via the API.
• Updated ingestion/CVE logic to support JetBrains software with 2 version numbers, like WebStorm 2025.1
• Addressed false positive vulnerabilities (CVE-2019-17201, CVE-2019-17202) reported for Admin By Request on macOS and Linux hosts. These CVEs are Windows-specific.
• Generated correct CPE from malformed ipswitch whatsup CPE, ensuring applicable CVEs are matched.
• Added software source to ecosystem matching to help prevent non-deterministic CPE selection when multiple vendors exist for the same product.

Other improvements and bug fixes

• Upped the default limit for the software batch endpoint, from 1MiB to 25MiB.
• Added FLEET_MDM_CERTIFICATE_PROFILES_LIMIT server config option to throttle the number of CA certificate profile installations per reconciler cycle, preventing CA server overload in large deployments.
• Added banner to Add software page to inform users that Android web apps require Google Chrome.
• Enabled Windows MDM in fleetctl preview by auto-generating WSTEP certificates on startup.
• Used the same templates for fleetctl new and new instance initialization.
• Added "API time" to GitOps output on API errors.
• Allowed clearing Windows OS update deadline and grace period fields to remove enforcement.
• Updated ordering of setup experience software to take display names into account.
• Updated iOS/iPadOS refetch logic to slowly clear out old/stale results.
• Increased the default SSO session validity period from 5 to 15 minutes.
• Improved performance of distributed read endpoint by reducing mutex contention in shouldUpdate using sync.RWMutex instead of sync.Mutex.
• Allowed OTEL service name to be overridden with standard OTEL_SERVICE_NAME env var.
• Revised which versions Fleet tests MySQL against to remove 8.0.39 and add 8.0.42.
• Allowed typing whitespace on Settings > Integrations > SSO > End users form.
• Removed incorrect report key from get/create/modify API responses.
• Added (query_id, has_data, host_id, last_fetched) index on query_results.
• Improved database query performance for the Host Details > Reports page by adding a has_data virtual generated column to query_results.
• Made sure that fleet names are trimmed and validate to prevent whitespace-only or padded names across API, gitops, frontend, and existing data.
• Hid host details > reports in the UI from platforms that do not support scheduled reporting.
• Updated GitOps label functionality to allow omitting the hosts: key under a manual label to mean "preserve existing host membership", rather than removing all hosts.
• Added Flatcar Container Linux and CoreOS to the list of recognized Linux platforms, fixing host detail queries (IP address, disk space, etc.) not being sent to hosts running these distributions.
• Updated the default fleet selected when navigating to the dashboard and to controls.
• Reduced redundant database queries during policy result submission by computing flipping policies once per host check-in instead of multiple times.
• Reduced redundant database calls in the osquery distributed query results hot path by pre-loading configuration (AppConfig, HostFeatures, TeamMDMConfig, conditional access) once per request instead of once per detail query result.
• Updated UI to use new multiplatform API keys.
• Activated warnings for deprecated API parameters, API URLs, fleetctl commands and fleetctl command options.
• Updated the Request Certificate API to return the proper PEM header for PKCS #7 certificates returned by EST CAs.
• Added "Learn more" link on End User Authentication section.
• Moved Apple MDM worker to a faster cron, and started sending profiles on Post DEP enrollment job, to speed up initial macOS setup.
• Optimized PolicyQueriesForHost and ListPoliciesForHost SQL queries by replacing correlated subqueries with a single aggregated LEFT JOIN for label-based policy scoping, reducing query time by ~77% at scale.
• Improved VPP install failure messaging to explain verification timeouts in Host details and My device install details.
• Refactored large anonymous functions into named functions to improve nil-safety static analysis coverage.
• Renamed "Custom settings" to "Configuration profiles" in Fleet UI.
• Added description to UI to help users understand which fleet a policy belongs to during add/edit.
• Updated Fleet-maintained apps to overwrite software title names on sync and when adding an FMA installer.
• Improved Fleet server performance for the Windows MDM profiles summary and host OS settings filter queries by replacing correlated subqueries with a single aggregation pass.
• Improved Windows MDM server performance at scale by reducing redundant database queries during device check-ins.
• Updated go to 1.26.1
• Fixed a server panic when uploading a Windows MDM profile to a fleet on a free license.
• Fixed MSRC vulnerability scanning to differentiate between Windows Server Core and full desktop installations, preventing false positive/negative CVEs caused by non-deterministic product matching.
• Fixed GitOps policy software resolution failing when URL lookup doesn't match, by falling back to hash-based lookup.
• Fixed GitOps failing to delete a certificate authority when certificate templates still reference it in fleet configs.
• Fixed duplicate text in error message when script validation fails when adding a custom package.
• Fixed issue where the include_available_for_install query param wasn't being applied correctly to the GET /api/latest/fleet/hosts/{id}/software endpoint.
• Fixed disk encryption key modal to not show stale key when switching between hosts.
• Fixed SCIM user not associating with host when IdP username was set before the SCIM user was created.
• Fixed Google Drive version not matching upstream.
• Fixed bug that cleared the MDM lock state if an "idle" message was received right after the lock ACK.
• Fixed team maintainers, admins, and GitOps users being unable to add certificate templates due to missing read access to certificate authorities.
• Fixed fleetd installation failure on macOS when installing it through Host details page > Software > Library as a Custom package.
• Fixed a bug where SQL queries using table aliases (e.g., FROM mounts m) incorrectly reported no compatible platforms.
• Fixed fleetctl gitops failing with "No available VPP Token" when assigning VPP apps alongside a new team.
• Fixed a bug where OS versions were not populated in vulnerability details for OS-only vulnerabilities (e.g., macOS CVEs).
• Fixed a TOCTOU-related issue when checking before deleting last admin.
• Fixed database locking issues on the policy_membership table by batching cleanup DELETE operations and moving them outside the primary GitOps apply transaction.
• Fixed success message on Android software configuration to reference software display name when applicable.
• Fixed a bug where Android host certificate template records were not cleared when a device unenrolled, causing stale certificate stat...

fleet-v4.83.2

Bug fixes

• Fixed a crash on the "My device" page for Fleet Free instances. The page returned a 402 error when the host was assigned to a team because the device endpoint called a premium-only API, and also crashed when accessing undefined policies data.

Upgrading

Please visit our update guide for upgrade instructions.

Documentation

Documentation for Fleet is available at fleetdm.com/docs.

Binary Checksum

SHA256

08ef96bfc8c7b2d7650169054fa68fc9fa99a33409459d9f569859df34fb5602  fleet_v4.83.2_linux.tar.gz
9594c7a29cb210efe74eb3ac82aeeb6720a0f9a99af17197b21f7fcebbe42128  fleetctl_v4.83.2_linux_amd64.tar.gz
b6e230fe251f8f8a6a03ba3690abb012870c19944002e199a88e61f9051f4f3a  fleetctl_v4.83.2_linux_amd64.zip
46946bb498bf98f0d00265addbffba4e3a192350e6f90567021a04f679b452cb  fleetctl_v4.83.2_linux_arm64.tar.gz
0385f2981215df1e3a1ed9d1ef044066c1038a09564b2500cdda2075006e9b89  fleetctl_v4.83.2_linux_arm64.zip
8bbe2ab6244d9a04fdd555777bc9a1838cd6b988dadf4b30c45983ac0c9786aa  fleetctl_v4.83.2_macos.tar.gz
414340f61c7d31b67000311b6f91ebd0b8d4b4da280c7ffdb08cfea2ab81a0ea  fleetctl_v4.83.2_macos.zip
a52bc3bbd14cbad8227b1d68a68a0192a978381e10f70f24fb6125a0e8c7c1d2  fleetctl_v4.83.2_windows_amd64.tar.gz
0296691003856e6129a1191e8dc23d3e52f46ba627674750e533c658b5e62dc9  fleetctl_v4.83.2_windows_amd64.zip
cb009ccba74c1893607b22d57738507ff324f622d836d94f9fcf6e027dfe869b  fleetctl_v4.83.2_windows_arm64.tar.gz
d66710c52f78484b3a087c35db18d749b674f9921834bf15a299cbcd90c281b8  fleetctl_v4.83.2_windows_arm64.zip

fleet-v4.83.1

Bug fixes

• Fixed policy creation failing when type was omitted.
• Fixed auth token not persisting when logging in via SSO.
• Fleet UI: Fixed infinite page loop pagination bug on software table page happening when viewing a subsequent page and then using the software filter dropdown to filter.
• Fleet UI: Fixed software table page number to be bookmarkable

Upgrading

Please visit our update guide for upgrade instructions.

Documentation

Documentation for Fleet is available at fleetdm.com/docs.

Binary Checksum

SHA256

441e87e397898df479f0ef2cece844a40d43954e5481e2ff5ca02b45ddf2e589  fleet_v4.83.1_linux.tar.gz
66db9fb3c7eb517afc7e6200ae5187b6697c032ba49bebd0d68cce6e34a522c1  fleetctl_v4.83.1_linux_amd64.tar.gz
3ba7302fe8d7ed6940d249163fb1f4ddedb1b83adc61928e31994482ea8d2f47  fleetctl_v4.83.1_linux_amd64.zip
c474120d20e4faedd57d8a82fc5fd9d87f29b03f0307daba1815cb6ae3c614d9  fleetctl_v4.83.1_linux_arm64.tar.gz
56f9bdb2f2532f855ef568a908a20c211b0d64afb673c5de9cec22fe5e138e51  fleetctl_v4.83.1_linux_arm64.zip
89576e2506797b631d80672f02a9e5ce7e3fc80dbcbc8a7f2db615568c158cca  fleetctl_v4.83.1_macos.tar.gz
2b28948788d53bdbf72a53e064f5de781409c4e2df2b4a0db6517ef5f905e3c5  fleetctl_v4.83.1_macos.zip
7a83a83b1cce5ca3cdf66d27fb57c0b4470797143fc2771df3ce8f405153c63d  fleetctl_v4.83.1_windows_amd64.tar.gz
4d6ef7d46b6cf2e3d1c9da8457e7c4959b2fe05f70fb39baff423d57508bbf50  fleetctl_v4.83.1_windows_amd64.zip
4eca5f033644966859eb44df73962b98d687c926ee56d83276982cf166515a7a  fleetctl_v4.83.1_windows_arm64.tar.gz
5fd20d2dc1a9a62ddb256f52ef06d707db9edb44d4005f7b955d20904df3e2cb  fleetctl_v4.83.1_windows_arm64.zip

fleet-v4.83.0

Fleet 4.83.0 (Apr 1, 2026)

IT Admins

• Added ability to deploy an Android web app via setup experience or self-service.
• Added ability to set and manually rotate Mac recovery lock passwords.
• Added ability to lock the pre-filled user information for macOS hosts that login via End User Authentication during Setup Experience.
• Added automatic retries for failed software installs, excluding VPP apps.
• Updated host software library to always allow filtering.
• Added retry functionality when adding software installers to Fleet via GitOps.
• Added fleetctl new command to initialize a GitOps folder.
• Added support for paths: key under reports:, labels: and policies: in GitOps files.
• Added glob support for configuration_profiles in GitOps files.
• Added support for referencing .sh or .ps1 script files directly in the GitOps path field for software packages.
• Implemented webhooks_and_tickets_enabled flag for policies in GitOps.
• Added server config for allowing all Apple MDM declaration types.
• Added ability to use FLEET_JIT_USER_ROLE_FLEET_ as a prefix on SAML attributes.
• Added fleet_name and fleet_id columns to hosts CSV export.
• Added resend button in the OS settings modal for iOS and iPadOS hosts.
• Added patch policies for Fleet-maintained apps that automatically update when the app is updated.

Security Engineers

• Added support for NDES CA for Windows hosts.
• Added vulnerability scanning support for Windows Server 2025 hosts.
• Added OTEL instrumentation to Fleet's internal HTTP client.
• Added Content-Type header to Smallstep authorization requests to prevent Cloudflare from blocking them.
• Added ability to omit secrets: in GitOps files to retain existing enroll secrets on server.
• Fixed python package false positives on Ubuntu, such as python3-setuptools on Ubuntu 24.04 with version 68.1.2-2ubuntu1.2.
• Fixed false positive vulnerabilities for Mattermost Desktop.

Other improvements and bug fixes

• Most top-level keys can now be omitted from GitOps files in place of supplying them with an empty value.
• Improved host search to always match against host email addresses, not only when the query looks like an email.
• Prevented a 500 error on the host details page when an MDM command reference in host_mdm_actions pointed to a non-existent command (orphan reference).
• Allowed Fleet-maintained apps to be added if they have default categories configured that are not available in older builds from this point forward.
• Migrated to using Policy critical option when disallowing Okta conditional access bypass.
• Updated DEP enrollment flow to apply minimum macOS version check when specified.
• Updated GitOps to fail runs when unknown keys are detected in files.
• Updated default last opened time diff to 2m to increase the chances of updating the last opened time for software that is opened frequently.
• Updated the host results endpoint URL to be consistent with the other URLs.
• Added tooltip to batch run result host count to clarify that the count might include deleted hosts.
• Updated table heading and result filter styles.
• Reordered the columns on the Hosts page.
• Updated Fleet desktop to surface custom transparency links to the device user.
• Changed PostJSONWithTimeout to log response body in error case.
• Removedd unused and confusingly-named --mdm_apple_scep_signer_allow_renewal_days config.
• Refactored NewActivity functionality by moving it to the new activity bounded context.
• Modified Android certificate renewal logic to make it easier to test.
• Optimized api/latest/fleet/software/titles endpoint.
• Trimmed incoming ABM suffix for Arch Linux hosts so Arch OSs are grouped together in the database and UI.
• Updated determination process used for selecting which user email address to use when scheduling a maintenance event for a host failing policies.
• Added license checks for fleet-free targeting queries by label.
• Added APNs expiry banner in the UI for Fleet free users.
• Added error if GitOps/batch attempts to add setup experience software when manual agent install is enabled.
• Added Fleet-maintained app utilization to anonymous usage statistics collected by Fleet.
• Surfaced data constraints using the proper HTTP status code on the /api/v1/fleet/scim/users endpoint.
• Updated macOS device details UI to delay showing FileVault "action required" notifications banner during the first hour after MDM enrollment to allow sufficient time for Fleet to automatically escrow keys from ADE devices.
• Added an early return in the PUT /hosts/{id}/device_mapping endpoint so that setting the same IDP email that is already stored no longer triggers unnecessary database updates, activity log entries, or profile resends.
• Improved cleanup functionality so that when deleting a host record, Fleet will now clean up host issues, such as failing policies and critical vulnerabilities associated with the host.
• Improved the way we verify Windows profiles to no longer rely on osquery for faster verification.
• Improved body parsing validation by using http.MaxBytesReader and wrapping gzip decode output too.
• Improved rate-limiting on conditional access endpoints.
• Finished migrating code from go-kit/log to slog.
• Updated UI for disabling stored report results for clarity.
• Revised which versions Fleet tests MySQL against to 9.5.0 (unchanged), 8.4.8, 8.0.44, and 8.0.39, 8.0.44.
• Deprecated several configuration keys in favor of new names: custom_settings -> configuration_profiles, macos_settings -> apple_settings, macos_setup -> setup_experience and macos_setup_assistant -> apple_setup_assistant.
• Deprecated setup_experience.bootstrap_package in favor of setup_experience.macos_bootstrap_package.
• Deprecated setup_experience.manual_agent_install in favor of setup_experience.macos_manual_agent_install.
• Deprecated setup_experience.enable_release_device_manually in favor of setup_experience.apple_enable_release_device_manually.
• Deprecated setup_experience.script in favor of setup_experience.macos_script.
• Fixed an issue where the MDM section on the integration page did not update correctly when Apple MDM is turned off.
• Fixed an issue where iOS/iPadOS hosts couldn't add app store apps from the host library page.
• Fixed inaccurate error message when clearing identity provider settings while end user authentication is enabled.
• Fixed Microsoft NDES CA not being selectable after deleting an existing NDES CA without a page refresh.
• Fixed an issue where Apple setup experience could get stuck, if the device was in the middle of a SCEP renewal, and then re-enrolled.
• Fixed secure.OpenFile to self-heal incorrect file permissions via chmod instead of returning a fatal error.
• Fixed an issue where personal iOS and iPadOS enrollments could see software in the self-service webclip.
• Fixed table footer rendering unexpectedly in the host targets search dropdown.
• Fixed a security issue where canceling a pending lock or wipe command permanently deleted the original locked_host/wiped_host activity from the audit log. The original activity is now preserved, and the subsequent cancellation activity serves as the follow-up record.
• Fixed dropdown rendering center of a row and from pushing down save button below open dropdown options.
• Fixed end user authentication form to allow saving cleared IdP settings.
• Fixed inconsistent link styling in UI.
• Fixed the error resend button overflowing over the edge of the os settings modal table.
• Fixed CPE matching failing for software names that sanitize to FTS5 reserved keywords (AND, OR, NOT).
• Fixed table shifting left when clicking the copy hash icon in host software inventory.
• Fixed a bug where vulnerability counts increased over time due to orphaned entries remaining in the database after hosts were removed.
• Fixed a bug where software installers could create titles with the wrong platform.
• Fixed a bug where Fleet maintained apps for Windows won't show as available in the list when they actually are.
• Fixed host search in live queries returning no results for observer users when many hosts on inaccessible teams matched the search term before accessible ones.
• Fixed live query host/team targeting to correctly scope observer_can_run to the query's own team, preventing observers from targeting hosts on other observed teams.
• Fixed alignment of tooltip text in the certificate details modal.
• Fixed a bug where a policy that links a software to install fails to apply when that software package uses an environment variable in its yaml definition.
• Fixed error message when deleting a certificate authority (that is referenced by a certificate template) to show a helpful message instead of a raw database error.
• Fixed observer query bypass by restricting live query/report team targeting to only teams where the user has sufficient permissions, including global observers who are now limited to the query's own team when observer_can_run is true.
• Fixed a bug where manage hosts page header button text would wrap and distort at certain widths.
• Fixed an issue where $FLEET_SECRET was being double encoded, if set via GitOps.
• Fixed editing reports on free tier failing due to labels_include_any triggering a premium license check.
• Fixed a bug where certain incorrect resolved-in versions were reported for certain vulnerable versions of Citrix Workspace.
• Fixed DigiCert CA UPN variable substitution so each host receives a certificate containing its own unique values instead of another host's substituted values.
• Fixed alignment and spacing of the "rolling" tooltip next to "Arch Linux" in the host vitals card.
• Fixed select-all header checkbox not selecting rows on partial pages where not all rows are selectable.
• Fixed an issue where it was poss...

fleet-v4.82.2

Bug fixes

• Fixed a metadata extraction bug for .pkg macOS installers (introduced in 4.77). It prevented updating some packages that were added in a previous Fleet version. Before this fix, deleting and re-adding the package as a workaround didn’t work. Now it does.
  • You'll know you ran into this bug if you tried updating a package and you saw this error: "The selected package is for different software".
• Fixed FMA apps not showing up for a fleet when added via GitOps after an automated FMA version update with an unchanged binary.

Upgrading

Please visit our update guide for upgrade instructions.

Documentation

Documentation for Fleet is available at fleetdm.com/docs.

Binary Checksum

SHA256

c73e7ebc8418ea5407fc4f77fd7818fc9a6ef519939f28bba2d5d0a12ec7937b  fleet_v4.82.2_linux.tar.gz
d836f068c89567434a0b533e79213828dcd15733fdc1d4498a2c629c38691a76  fleetctl_v4.82.2_linux_amd64.tar.gz
fa7d4b53775ed2d0ff15a3966c71fc6c9e9e6fbecdb89915124df11424a0f305  fleetctl_v4.82.2_linux_amd64.zip
00f811ae423103a16ec78fbb7f8b70f7fcd7c9af698a987bf5e724cf6670067b  fleetctl_v4.82.2_linux_arm64.tar.gz
034755490342ac0fd9864e810c8e1ad38ac22d248370c9b80837204634967109  fleetctl_v4.82.2_linux_arm64.zip
a0afd5cb2dab1ac7ed32b2841c2b987630bcc0d8e33cba615b2c7e473a36e3b4  fleetctl_v4.82.2_macos.tar.gz
9608053f4491d5100ca88d8cfb6d11b4cd18d3b6c0e26f0e0a08c2b690b4ef09  fleetctl_v4.82.2_macos.zip
732ce2b3f1d3cd39e904ccd3a8546cf1fd94249fdaa955720236c713d55f87a9  fleetctl_v4.82.2_windows_amd64.tar.gz
f7baa714c0e3ce155a13f8fd55733f98bbbbc8361b39836a0095db6dc2e90f2b  fleetctl_v4.82.2_windows_amd64.zip
100a578c7ed57bf0d82e5b8357ba7a957e54290405ea9a5a04f3555e78e6f806  fleetctl_v4.82.2_windows_arm64.tar.gz
f65494eaf8df124e7082aea4846ccb0139bc73e7fc1d68426253540b2e8097ed  fleetctl_v4.82.2_windows_arm64.zip

fleet-v4.81.3

Bug fixes

• Added configurable body size limits for the /api/osquery/log and /api/osquery/distributed/write endpoints.
• Fixed false positive PayloadTooLargeError errors.

Upgrading

Please visit our update guide for upgrade instructions.

Documentation

Documentation for Fleet is available at fleetdm.com/docs.

Binary Checksum

SHA256

bce0a2bdd79381abb94dd04f443f241e04b1e933edbeb9f0b0df34a0ef9c24db  fleet_v4.81.3_linux.tar.gz
b0355092e52a3139cb50eae770c2815099eb47599a113222bcf3b6cf2b340aa9  fleetctl_v4.81.3_linux_amd64.tar.gz
103d5ef83efecdcd94088cf636e785e5476f19d312d01ebefe60133a048cf472  fleetctl_v4.81.3_linux_amd64.zip
c0655b309f702cddb4a749dcb50d504a8d59ce3cfc797a80adbad3a5d0eeae4f  fleetctl_v4.81.3_linux_arm64.tar.gz
6a39dda1a423de92bef0c2ab26f0aca455a168b0efd8a4656bce68192d65ef3f  fleetctl_v4.81.3_linux_arm64.zip
0dca8a860b4d8fdf3e63ac230ed6d35535fc0e41273a582965dca12d1105c926  fleetctl_v4.81.3_macos.tar.gz
b0dc4c32758843c00e838c72e0a9c643d118dd0623f59a07a20c7481c3f24885  fleetctl_v4.81.3_macos.zip
ee8bee43398232d4733d62ac9ff31748f81f9359216ab1673ec54bafdd781469  fleetctl_v4.81.3_windows_amd64.tar.gz
26d11698c033ca7fbe304ad440480d80086b081a219a04d8dbfa6224db13ba77  fleetctl_v4.81.3_windows_amd64.zip
5fe7a8394427e61d06819d4c65ed5ae98dea34977560c6db4aff58afd3934d17  fleetctl_v4.81.3_windows_arm64.tar.gz
0178565774d229634db4ab3534a5bcf778495c13392c0afd45c23cf513b7d37f  fleetctl_v4.81.3_windows_arm64.zip

fleet-v4.82.1

Bug fixes

• Fixed a crash on the "My device" page for Fleet Free instances. The page returned a 402 error when the host was assigned to a team because the device endpoint called a premium-only API, and also crashed when accessing undefined policies data.
• Stopped duplicate Fleet-maintained app entries from showing up in setup experience.
• Reduced database contention during the vulnerability cron.
• Added a secondary index on host_software(software_id) to improve query performance.
• Fixed an issue where the "add Fleet-maintained app" endpoint incorrectly added software to the Unassigned fleet.
• Muted deprecation warnings for body params when the "deprecated-field-names" topic is not enabled.
• Fixed custom app icons not getting set via GitOps when the same software title exists in multiple teams.

Upgrading

Please visit our update guide for upgrade instructions.

Documentation

Documentation for Fleet is available at fleetdm.com/docs.

Binary Checksum

SHA256

e20f5e600b04e5e76b97cc4d72d25857996401e50b30c349c33d814d25e60a17  fleet_v4.82.1_linux.tar.gz
2bf908c90db1b310e0806b614dc3d01620a36cd30771db713374023a3487cbdd  fleetctl_v4.82.1_linux_amd64.tar.gz
98daf26686fc909ca0aa396c9b379a98c4aa381b082141fa4b5a5c9143145bfe  fleetctl_v4.82.1_linux_amd64.zip
6c9701ab0fe725389aa411766ab2012972d9b7a01bb994ffb9ca65b5884c2034  fleetctl_v4.82.1_linux_arm64.tar.gz
04cb955bcccf23334a24dbe36a35d9f8a8a1b84a1948f9217653c5553f601f6f  fleetctl_v4.82.1_linux_arm64.zip
965147846622d1e4c52689fa8ee044c3dfd884b2c523c13f29a0d676b0e8bd46  fleetctl_v4.82.1_macos.tar.gz
50b332c3bfe7aaefd7dedd6537d8c347b314786b6f90494176f807a75977455d  fleetctl_v4.82.1_macos.zip
740ddd324b592b0e48a0ecd25d8da9df9eb889439e9b23c4fbc45e9cf80b972a  fleetctl_v4.82.1_windows_amd64.tar.gz
5913036d550e30bedafc6f309f0a72058b6e45e65b5d247a0b056f3f2ff71c60  fleetctl_v4.82.1_windows_amd64.zip
b348a265022cd1311db5cd4a8a4faf754ce155dee2360e7e86a5caf4bfcfc64b  fleetctl_v4.82.1_windows_arm64.tar.gz
18330c5416c54739beddfb23d49f4cc9daa30de6e226d2cff3407738477db07e  fleetctl_v4.82.1_windows_arm64.zip

fleet-v4.82.0

Fleet 4.82.0 (Mar 11, 2026)

IT Admins

• Added support for enrolling fully managed Android hosts without a work profile.
• Added capability to uninstall Android apps on the device (and removal from self-service in the managed Google Play store) when an app is removed from Fleet.
• Added ability to allow or disallow end-users to bypass conditional access on a per-policy basis.
• Added filtering by platform and add status to the Software > Add Fleet-maintained apps table.
• Updated Android status reports to re-verify profiles that previously failed.
• Added ability to roll back to previously added versions of Fleet-maintained apps.
• Added new Technician role designed for help desk and IT support teams. Technicians can run scripts, view results, and install or uninstall software.
• Added support for JIT provisioning of the Technician role via SSO SAML attributes.
• Added automatic retries for failed software operations.

Security Engineers

• Added ability to scan for kernel vulnerabilities on RHEL based hosts.
• Added AWS GovCloud RDS CA certificates to the RDS MySQL TLS bundle, enabling IAM authentication for Fleet deployments connecting to RDS in AWS GovCloud regions (us-gov-east-1, us-gov-west-1).
• Added CVE alias for python visual studio code extension.
• Added new activity for edited enroll secrets.

Other improvements and bug fixes

• Renamed teams and queries to fleets and reports in the UI, API, CLI, and GitOps.
• Deprecated no-team.yml in GitOps in favor of unassigned.yml.
• Deprecated certain API field names to reflect the renaming of "teams" to "fleets" and "queries" to "reports".
• Updated Android MDM profiles to show up as pending on upload, the same as Apple MDM profiles.
• Improved the speed of a database query that runs every minute to avoid database locking.
• Added configurable body size limits for the /api/osquery/log and /api/osquery/distributed/write endpoints.
• Updated logic to trigger vulnerability webhook when on Fleet free tier.
• Updated storage of the auth token used in the UI.
• Dynamically alphabetized vitals on the host details page.
• Reworked how we handle server/worker delays to fix flaky tests.
• Disabled "Calendar" dropdown option in Policy > Manage automations for Unassigned.
• Added Go slog logging infrastructure and migrated a portion of the code from go-kit/log to slog.
• Added CTA to turn on Android MDM for Android software setup experience if MDM is not configured.
• Left-aligned "Critical" checkbox in Save policy form.
• Improved spacing on the Controls > OS Settings page.
• Updated to not allow editing Fleet-maintained app in the UI while GitOps mode is enabled.
• Updated to accept the previous device authentication token for up to one rotation cycle, so the My Device page URL remains valid after token refresh.
• Updated default macOS, iOS, and iPadOS update deadline time to 7PM (19:00) local time.
• Updated UI to enable adding/removing multiple Microsoft Entra tenant ids.
• Added additional logging for SCEP proxy requests and SCEP profile renewals.
• Added warning message on gitops label rename to clarify to users that renaming a label implies a delete operation.
• Added the ability to specify allowed Entra tenant IDs for enrollments.
• Updated the DEP syncer to properly reassign a profile when ABM unilaterally removes it.
• Increased the maximum script execution timeout from 1 hour (3600 seconds) to 5 hours (18000 seconds).
• Improved error handling on AWS DB failover. Fleet will now fail health check if the primary DB is read-only, or trigger graceful shutdown when write operations encounter read-only errors.
• Generated a server-side device token in the Okta conditional access flow when none exists or the current token is expired.
• Moved the copy button for text areas out of the text area itself and in line with its label.
• Removed unnecessary calls to svc.ds.BulkSetPendingMDMHostProfiles in POST /api/latest/fleet/spec/fleets.
• Internal refactoring: moved /api/_version_/fleet/hosts/{id:[0-9]+}/activities endpoint and MarkActivitiesAsStreamed to new server/activity bounded context.
• Added logging.otel_logs_enabled contributor config option to export server logs to OpenTelemetry.
• Added automatic tagging of prerelease/post-release versions on local build based on branch name.
• Added ability to enable/disable logs by topic.
• Improved detection of DISPLAY variable in X11 sessions.
• Updated the "Used by" column heading on the hosts page to "User email".
• Refactored query used for deleting host_mdm_apple_profiles in bulk to use Primary keys only.
• Added team_id to host details page param in URL to allow retaining team on refresh.
• Added help text on the software details page, below the installer status table, to explain the meanings of the counts.
• Added Country:US to new CA certs created by Fleet.
• Added error if GitOps/batch attempts to add setup experience software when manual agent install is enabled.
• Updated "Manage automations" button on the Queries and Policies pages to now always be visible, and disabled only when the current team has no queries of its own.
• Updated validation rules around the creation of labels to make sure only valid platforms are used.
• Improved host software inventory table's handling of long "Type" values.
• Updated expiration date of the auth token cookie to match the fleet session duration.
• Surfaced FMA version used and whether it's out of date in the UI.
• Updated nats-server dependency to resolve dependency vulnerabilities.
• Improved validation for host transfers.
• Fixed matching logic on App component for pages titles.
• Fixed adding Windows Fleet maintained apps failing when a software title with the same upgrade code already exists.
• Fixed an issue where GitOps would not respect the value set on update_new_hosts for macOS updates.
• Fixed an issue where duplicate kernels were reported in the OS versions API for RHEL-family distributions (RHEL, AlmaLinux, CentOS, Rocky, Fedora).
• Fixed issue where Windows Jetbrains products would not report the correct version number.
• Fixed a bug where custom software installer display names and icons were not used in the setup experience UI.
• Fixed a bug where the list activities API endpoint would fail with a database error when there were more than 65,535 activities and no pagination parameters were specified. The maximum per_page for activities endpoints is now 10,000.
• Fixed issue where MySQL IAM authentication could fail when a custom TLS CA/TLS config was set (for example GovCloud), by ensuring Fleet includes the configured TLS mode in IAM DSNs.
• Fixed styling issues for the UI when no enroll secret is present on a fleet.
• Fixed an issue where some UI users saw a blank gutter on the right side of parts of the UI.
• Fixed a bug where certain macOS app names could be ingested as empty strings due to incorrect ".app" suffix removal.
• Fixed install/uninstall tarballs package to skip recently updated status that is waiting for a change in software inventory
• Fixed a bug where software installers could create titles with the wrong platform.
• Fixed a bug where 2 vulnerability jobs can run in parallel if one is taking longer than 2 hours.
• Fixed issue with hosts incorrectly reporting policy failures after policy label targets changed.
• Fixed client-side errors being incorrectly reported as server errors in OTEL telemetry.
• Fixed issue where the status name was wrapping at smaller viewport widths on the mdm card on the Dashboard page.
• Fixed false negative CVE-2026-20841 on Windows Notepad.
• Fixed false positive CVE for Nextcloud Desktop.
• Fixed rare CPE error when software name sanitizes to empty (e.g. only special characters).
• Fixed Android enrollment to associate hosts with SCIM users, populating full name, groups, and department in host vitals.
• Fixed a hover style issue in the label filter close button.
• Fixed mismatches between disk encryption summary counts vs hosts displayed.
• Fixed truncation of certificate fields containing non-ASCII characters.
• Fixed an issue where policy automation settings in the Other Workflows modal reverted to stale values after saving when using a MySQL read replica.
• Fixed query results cleanup cron failing with "too many placeholders" error by filtering to only saved queries and batching the SQL IN clause.
• Fixed DB lock contention during vulnerability cron's software cleanup that caused failures under load.
• Fixed pagination on the host software page incorrectly disabling the "Next" button when a software title has multiple installer versions.
• Fixed a bug where macOS systems previous enrolled in fleet wouldn't always go through setup experience after a wipe
• Fixed stale software titles list after adding a VPP or fleet-maintained app by invalidating the query cache on success.
• Fixed issue where Windows Jetbrains products would not report the correct version number.
• Fixed false positive PayloadTooLargeError errors.
• Fixed software appearance edits not reflected until page refresh.
• Fixed issue where policy automation retries were potentially reading stale data from replica database.
• Fixed label edits not reflected until page refresh.
• Fixed report creation API returning zero timestamps for created_at and updated_at fields.
• Fixed issue where arbitrary order_key values could be used to extract data.
• Fixed stale software titles list after deleting a software installer.
• Fixed query results cleanup cron failing with "too many placeholders" error by filtering to only saved queries and batching the SQL IN clause.

Fleet-maintained app updates and vulnerability fixes are applied, whether or not you upgrade.

Fleet's agent

The following version of Fleet's agent (fleetd) support the latest changes to Fleet:

1. [orbit-v1.53.0](https://github.com/flee...

fleet-v4.81.2

Bug fixes

• Fixed a bug where macOS systems previous enrolled in fleet wouldn't always go through setup experience after a wipe.
• Fixed issue where policy automation retries were potentially reading stale data from replica database.
• Updated the DEP syncer to properly reassign a profile when ABM unilaterally removes it

Upgrading

Please visit our update guide for upgrade instructions.

Documentation

Documentation for Fleet is available at fleetdm.com/docs.

Binary Checksum

SHA256

33221c6628170521ba5da1103ea095bd8ca912429f7304111be49f50b3583fcb  fleet_v4.81.2_linux.tar.gz
8b23b40e0e05ab9bd40f662d539409d5cb2a08fdf22dca335e3fadb2808487c6  fleetctl_v4.81.2_linux_amd64.tar.gz
f3c9477428f7497de2a50af243ad0c1c9e305ba9e3ca8f9da22f0dd2b2ce80a5  fleetctl_v4.81.2_linux_amd64.zip
78720604057ff3da7ddc4afeb7c5d3cb82405b52d3df004db8327e0a38034476  fleetctl_v4.81.2_linux_arm64.tar.gz
a11b57408429266f247179e4b9d11b986d800773767721dd3bd69f1168231393  fleetctl_v4.81.2_linux_arm64.zip
a8ccd31eb28c7abb7427d2dbf7dc580e12717c4a23dea9bdc69353ccad4cbc4b  fleetctl_v4.81.2_macos.tar.gz
aa6c07d0c47af24982c3de846ed75b23f0bb49e98a9fb525fef4e1322440703d  fleetctl_v4.81.2_macos.zip
6528dbd77c9fa2231139875fc3bc91478c25d5f6cbb258de1c01fbb8b3550e34  fleetctl_v4.81.2_windows_amd64.tar.gz
84b5c6631a0cffaf018d856d629fcd4023e9957e6248f40da0f9fdece5b4f52f  fleetctl_v4.81.2_windows_amd64.zip
dca40c88bf2668a642b9be03d5c683222abbd0e91481255e21b5b99664c2615d  fleetctl_v4.81.2_windows_arm64.tar.gz
e6415227de8f2c7b97d16a4f7bf060664f69ef0d3b117106840851a06524ebaf  fleetctl_v4.81.2_windows_arm64.zip

fleet-v4.81.1

Fleet 4.81.1 (Mar 2, 2026)

Bug fixes

• Fixed an issue where some UI users saw a blank gutter on the right side of parts of the UI.
• Updated UI to enable adding/removing multiple Microsoft Entra tenant ids.
• Fixed a hover style issue in the label filter close button.
• Fixed false positive CVE for Nextcloud Desktop.
• Fixed rare CPE error when software name sanitizes to empty (e.g. only special characters).
• Fixed false negative CVE-2026-20841 on Windows Notepad.
• Fixed issue with hosts incorrectly reporting policy failures after policy label targets changed.
• Updated storage of the auth token used in the UI; move if from local storage to a cookie.
• Improved spacing on the Controls > OS Settings page.
• Added the ability to specify allowed Entra tenant IDs for enrollments.
• Added CTA to turn on Android MDM for Android software setup experience if MDM is not configured.
• Added CVE alias for Python Visual Studio Code extension.
• Improved validation for host transfers.
• Fixed query results cleanup cron failing with "too many placeholders" error by filtering to only saved queries and batching the SQL IN clause.
• Moved the copy button for text areas out of the text area itself and in line with its label.
• Fixed some styling issues for the UI when no enroll secret is present on a fleet.
• Left-aligned "Critical" checkbox in Save policy form.
• Fixed query results cleanup cron failing with "too many placeholders" error by filtering to only saved queries and batching the SQL IN clause.
• Fixed matching logic on App component for pages titles.
• Fixed issue where the status name was wrapping at smaller viewport witdths on the mdm card on the Dashboard page.
• Disallowed editing Fleet-maintained app in the UI while GitOps mode is enabled.
• Fixed error handling on failed VPP install commands not initiated by Fleet VPP app installation.

Upgrading

Please visit our update guide for upgrade instructions.

Documentation

Documentation for Fleet is available at fleetdm.com/docs.

Binary Checksum

SHA256

788cda125084fe897ee9bdc25ab37ae7d2af2d75ff8ac3903dfb99e6e3c19ebf  fleet_v4.81.1_linux.tar.gz
bb988a67614d8d2c7d39b44a52603f485b4bb457adc48e650889a3fc49930567  fleetctl_v4.81.1_linux_amd64.tar.gz
7d02c52467866a9a47e964690af9e34965b54ade09128d4e343f70378ff74c38  fleetctl_v4.81.1_linux_amd64.zip
40114d99dd63f8ebb3942c879d74c64e31bba230b7b14290f94c7d11cd8fdf5d  fleetctl_v4.81.1_linux_arm64.tar.gz
98d1ac9e4340820ae90f051e7b34c9e533defbd81e831fb2c9705b2133942a6b  fleetctl_v4.81.1_linux_arm64.zip
f9e48f32708ab5d91e136b7a1f951cd97075221c0a168165f6e9acb8bb8b56a8  fleetctl_v4.81.1_macos.tar.gz
2cdc32a926b7d64a72742bd4e89cd88c57b092d3257741b78d9aac17913a7ac5  fleetctl_v4.81.1_macos.zip
e14bdd333bf308776ee5da69c74abe04cf60ee504c343acf539f6e23edccfa37  fleetctl_v4.81.1_windows_amd64.tar.gz
9eece89fecb34f2c600774847a0daaeabd94f7ee6c6e68fabc4d8ef2a33edf09  fleetctl_v4.81.1_windows_amd64.zip
1df0878f3bf750e68aa3f9a7e58d7e3cde5d2aee459d80ba1fa355468e35b7ea  fleetctl_v4.81.1_windows_arm64.tar.gz
366fd322ad0121add63fe65f49276b4fc225bf3e9eed2394ae203cb1add690c9  fleetctl_v4.81.1_windows_arm64.zip