fleet-v4.83.0

Fleet 4.83.0 (Apr 1, 2026)

IT Admins

• Added ability to deploy an Android web app via setup experience or self-service.
• Added ability to set and manually rotate Mac recovery lock passwords.
• Added ability to lock the pre-filled user information for macOS hosts that login via End User Authentication during Setup Experience.
• Added automatic retries for failed software installs, excluding VPP apps.
• Updated host software library to always allow filtering.
• Added retry functionality when adding software installers to Fleet via GitOps.
• Added fleetctl new command to initialize a GitOps folder.
• Added support for paths: key under reports:, labels: and policies: in GitOps files.
• Added glob support for configuration_profiles in GitOps files.
• Added support for referencing .sh or .ps1 script files directly in the GitOps path field for software packages.
• Implemented webhooks_and_tickets_enabled flag for policies in GitOps.
• Added server config for allowing all Apple MDM declaration types.
• Added ability to use FLEET_JIT_USER_ROLE_FLEET_ as a prefix on SAML attributes.
• Added fleet_name and fleet_id columns to hosts CSV export.
• Added resend button in the OS settings modal for iOS and iPadOS hosts.
• Added patch policies for Fleet-maintained apps that automatically update when the app is updated.

Security Engineers

• Added support for NDES CA for Windows hosts.
• Added vulnerability scanning support for Windows Server 2025 hosts.
• Added OTEL instrumentation to Fleet's internal HTTP client.
• Added Content-Type header to Smallstep authorization requests to prevent Cloudflare from blocking them.
• Added ability to omit secrets: in GitOps files to retain existing enroll secrets on server.
• Fixed python package false positives on Ubuntu, such as python3-setuptools on Ubuntu 24.04 with version 68.1.2-2ubuntu1.2.
• Fixed false positive vulnerabilities for Mattermost Desktop.

Other improvements and bug fixes

• Most top-level keys can now be omitted from GitOps files in place of supplying them with an empty value.
• Improved host search to always match against host email addresses, not only when the query looks like an email.
• Prevented a 500 error on the host details page when an MDM command reference in host_mdm_actions pointed to a non-existent command (orphan reference).
• Allowed Fleet-maintained apps to be added if they have default categories configured that are not available in older builds from this point forward.
• Migrated to using Policy critical option when disallowing Okta conditional access bypass.
• Updated DEP enrollment flow to apply minimum macOS version check when specified.
• Updated GitOps to fail runs when unknown keys are detected in files.
• Updated default last opened time diff to 2m to increase the chances of updating the last opened time for software that is opened frequently.
• Updated the host results endpoint URL to be consistent with the other URLs.
• Added tooltip to batch run result host count to clarify that the count might include deleted hosts.
• Updated table heading and result filter styles.
• Reordered the columns on the Hosts page.
• Updated Fleet desktop to surface custom transparency links to the device user.
• Changed PostJSONWithTimeout to log response body in error case.
• Removedd unused and confusingly-named --mdm_apple_scep_signer_allow_renewal_days config.
• Refactored NewActivity functionality by moving it to the new activity bounded context.
• Modified Android certificate renewal logic to make it easier to test.
• Optimized api/latest/fleet/software/titles endpoint.
• Trimmed incoming ABM suffix for Arch Linux hosts so Arch OSs are grouped together in the database and UI.
• Updated determination process used for selecting which user email address to use when scheduling a maintenance event for a host failing policies.
• Added license checks for fleet-free targeting queries by label.
• Added APNs expiry banner in the UI for Fleet free users.
• Added error if GitOps/batch attempts to add setup experience software when manual agent install is enabled.
• Added Fleet-maintained app utilization to anonymous usage statistics collected by Fleet.
• Surfaced data constraints using the proper HTTP status code on the /api/v1/fleet/scim/users endpoint.
• Updated macOS device details UI to delay showing FileVault "action required" notifications banner during the first hour after MDM enrollment to allow sufficient time for Fleet to automatically escrow keys from ADE devices.
• Added an early return in the PUT /hosts/{id}/device_mapping endpoint so that setting the same IDP email that is already stored no longer triggers unnecessary database updates, activity log entries, or profile resends.
• Improved cleanup functionality so that when deleting a host record, Fleet will now clean up host issues, such as failing policies and critical vulnerabilities associated with the host.
• Improved the way we verify Windows profiles to no longer rely on osquery for faster verification.
• Improved body parsing validation by using http.MaxBytesReader and wrapping gzip decode output too.
• Improved rate-limiting on conditional access endpoints.
• Finished migrating code from go-kit/log to slog.
• Updated UI for disabling stored report results for clarity.
• Revised which versions Fleet tests MySQL against to 9.5.0 (unchanged), 8.4.8, 8.0.44, and 8.0.39, 8.0.44.
• Deprecated several configuration keys in favor of new names: custom_settings -> configuration_profiles, macos_settings -> apple_settings, macos_setup -> setup_experience and macos_setup_assistant -> apple_setup_assistant.
• Deprecated setup_experience.bootstrap_package in favor of setup_experience.macos_bootstrap_package.
• Deprecated setup_experience.manual_agent_install in favor of setup_experience.macos_manual_agent_install.
• Deprecated setup_experience.enable_release_device_manually in favor of setup_experience.apple_enable_release_device_manually.
• Deprecated setup_experience.script in favor of setup_experience.macos_script.
• Fixed an issue where the MDM section on the integration page did not update correctly when Apple MDM is turned off.
• Fixed an issue where iOS/iPadOS hosts couldn't add app store apps from the host library page.
• Fixed inaccurate error message when clearing identity provider settings while end user authentication is enabled.
• Fixed Microsoft NDES CA not being selectable after deleting an existing NDES CA without a page refresh.
• Fixed an issue where Apple setup experience could get stuck, if the device was in the middle of a SCEP renewal, and then re-enrolled.
• Fixed secure.OpenFile to self-heal incorrect file permissions via chmod instead of returning a fatal error.
• Fixed an issue where personal iOS and iPadOS enrollments could see software in the self-service webclip.
• Fixed table footer rendering unexpectedly in the host targets search dropdown.
• Fixed a security issue where canceling a pending lock or wipe command permanently deleted the original locked_host/wiped_host activity from the audit log. The original activity is now preserved, and the subsequent cancellation activity serves as the follow-up record.
• Fixed dropdown rendering center of a row and from pushing down save button below open dropdown options.
• Fixed end user authentication form to allow saving cleared IdP settings.
• Fixed inconsistent link styling in UI.
• Fixed the error resend button overflowing over the edge of the os settings modal table.
• Fixed CPE matching failing for software names that sanitize to FTS5 reserved keywords (AND, OR, NOT).
• Fixed table shifting left when clicking the copy hash icon in host software inventory.
• Fixed a bug where vulnerability counts increased over time due to orphaned entries remaining in the database after hosts were removed.
• Fixed a bug where software installers could create titles with the wrong platform.
• Fixed a bug where Fleet maintained apps for Windows won't show as available in the list when they actually are.
• Fixed host search in live queries returning no results for observer users when many hosts on inaccessible teams matched the search term before accessible ones.
• Fixed live query host/team targeting to correctly scope observer_can_run to the query's own team, preventing observers from targeting hosts on other observed teams.
• Fixed alignment of tooltip text in the certificate details modal.
• Fixed a bug where a policy that links a software to install fails to apply when that software package uses an environment variable in its yaml definition.
• Fixed error message when deleting a certificate authority (that is referenced by a certificate template) to show a helpful message instead of a raw database error.
• Fixed observer query bypass by restricting live query/report team targeting to only teams where the user has sufficient permissions, including global observers who are now limited to the query's own team when observer_can_run is true.
• Fixed a bug where manage hosts page header button text would wrap and distort at certain widths.
• Fixed an issue where $FLEET_SECRET was being double encoded, if set via GitOps.
• Fixed editing reports on free tier failing due to labels_include_any triggering a premium license check.
• Fixed a bug where certain incorrect resolved-in versions were reported for certain vulnerable versions of Citrix Workspace.
• Fixed DigiCert CA UPN variable substitution so each host receives a certificate containing its own unique values instead of another host's substituted values.
• Fixed alignment and spacing of the "rolling" tooltip next to "Arch Linux" in the host vitals card.
• Fixed select-all header checkbox not selecting rows on partial pages where not all rows are selectable.
• Fixed an issue where it was poss...

fleet-v4.82.2

Bug fixes

• Fixed a metadata extraction bug for .pkg macOS installers (introduced in 4.77). It prevented updating some packages that were added in a previous Fleet version. Before this fix, deleting and re-adding the package as a workaround didn’t work. Now it does.
  • You'll know you ran into this bug if you tried updating a package and you saw this error: "The selected package is for different software".
• Fixed FMA apps not showing up for a fleet when added via GitOps after an automated FMA version update with an unchanged binary.

Upgrading

Please visit our update guide for upgrade instructions.

Documentation

Documentation for Fleet is available at fleetdm.com/docs.

Binary Checksum

SHA256

c73e7ebc8418ea5407fc4f77fd7818fc9a6ef519939f28bba2d5d0a12ec7937b  fleet_v4.82.2_linux.tar.gz
d836f068c89567434a0b533e79213828dcd15733fdc1d4498a2c629c38691a76  fleetctl_v4.82.2_linux_amd64.tar.gz
fa7d4b53775ed2d0ff15a3966c71fc6c9e9e6fbecdb89915124df11424a0f305  fleetctl_v4.82.2_linux_amd64.zip
00f811ae423103a16ec78fbb7f8b70f7fcd7c9af698a987bf5e724cf6670067b  fleetctl_v4.82.2_linux_arm64.tar.gz
034755490342ac0fd9864e810c8e1ad38ac22d248370c9b80837204634967109  fleetctl_v4.82.2_linux_arm64.zip
a0afd5cb2dab1ac7ed32b2841c2b987630bcc0d8e33cba615b2c7e473a36e3b4  fleetctl_v4.82.2_macos.tar.gz
9608053f4491d5100ca88d8cfb6d11b4cd18d3b6c0e26f0e0a08c2b690b4ef09  fleetctl_v4.82.2_macos.zip
732ce2b3f1d3cd39e904ccd3a8546cf1fd94249fdaa955720236c713d55f87a9  fleetctl_v4.82.2_windows_amd64.tar.gz
f7baa714c0e3ce155a13f8fd55733f98bbbbc8361b39836a0095db6dc2e90f2b  fleetctl_v4.82.2_windows_amd64.zip
100a578c7ed57bf0d82e5b8357ba7a957e54290405ea9a5a04f3555e78e6f806  fleetctl_v4.82.2_windows_arm64.tar.gz
f65494eaf8df124e7082aea4846ccb0139bc73e7fc1d68426253540b2e8097ed  fleetctl_v4.82.2_windows_arm64.zip

fleet-v4.81.3

Bug fixes

• Added configurable body size limits for the /api/osquery/log and /api/osquery/distributed/write endpoints.
• Fixed false positive PayloadTooLargeError errors.

Upgrading

Please visit our update guide for upgrade instructions.

Documentation

Documentation for Fleet is available at fleetdm.com/docs.

Binary Checksum

SHA256

bce0a2bdd79381abb94dd04f443f241e04b1e933edbeb9f0b0df34a0ef9c24db  fleet_v4.81.3_linux.tar.gz
b0355092e52a3139cb50eae770c2815099eb47599a113222bcf3b6cf2b340aa9  fleetctl_v4.81.3_linux_amd64.tar.gz
103d5ef83efecdcd94088cf636e785e5476f19d312d01ebefe60133a048cf472  fleetctl_v4.81.3_linux_amd64.zip
c0655b309f702cddb4a749dcb50d504a8d59ce3cfc797a80adbad3a5d0eeae4f  fleetctl_v4.81.3_linux_arm64.tar.gz
6a39dda1a423de92bef0c2ab26f0aca455a168b0efd8a4656bce68192d65ef3f  fleetctl_v4.81.3_linux_arm64.zip
0dca8a860b4d8fdf3e63ac230ed6d35535fc0e41273a582965dca12d1105c926  fleetctl_v4.81.3_macos.tar.gz
b0dc4c32758843c00e838c72e0a9c643d118dd0623f59a07a20c7481c3f24885  fleetctl_v4.81.3_macos.zip
ee8bee43398232d4733d62ac9ff31748f81f9359216ab1673ec54bafdd781469  fleetctl_v4.81.3_windows_amd64.tar.gz
26d11698c033ca7fbe304ad440480d80086b081a219a04d8dbfa6224db13ba77  fleetctl_v4.81.3_windows_amd64.zip
5fe7a8394427e61d06819d4c65ed5ae98dea34977560c6db4aff58afd3934d17  fleetctl_v4.81.3_windows_arm64.tar.gz
0178565774d229634db4ab3534a5bcf778495c13392c0afd45c23cf513b7d37f  fleetctl_v4.81.3_windows_arm64.zip

fleet-v4.82.1

Bug fixes

• Fixed a crash on the "My device" page for Fleet Free instances. The page returned a 402 error when the host was assigned to a team because the device endpoint called a premium-only API, and also crashed when accessing undefined policies data.
• Stopped duplicate Fleet-maintained app entries from showing up in setup experience.
• Reduced database contention during the vulnerability cron.
• Added a secondary index on host_software(software_id) to improve query performance.
• Fixed an issue where the "add Fleet-maintained app" endpoint incorrectly added software to the Unassigned fleet.
• Muted deprecation warnings for body params when the "deprecated-field-names" topic is not enabled.
• Fixed custom app icons not getting set via GitOps when the same software title exists in multiple teams.

Upgrading

Please visit our update guide for upgrade instructions.

Documentation

Documentation for Fleet is available at fleetdm.com/docs.

Binary Checksum

SHA256

e20f5e600b04e5e76b97cc4d72d25857996401e50b30c349c33d814d25e60a17  fleet_v4.82.1_linux.tar.gz
2bf908c90db1b310e0806b614dc3d01620a36cd30771db713374023a3487cbdd  fleetctl_v4.82.1_linux_amd64.tar.gz
98daf26686fc909ca0aa396c9b379a98c4aa381b082141fa4b5a5c9143145bfe  fleetctl_v4.82.1_linux_amd64.zip
6c9701ab0fe725389aa411766ab2012972d9b7a01bb994ffb9ca65b5884c2034  fleetctl_v4.82.1_linux_arm64.tar.gz
04cb955bcccf23334a24dbe36a35d9f8a8a1b84a1948f9217653c5553f601f6f  fleetctl_v4.82.1_linux_arm64.zip
965147846622d1e4c52689fa8ee044c3dfd884b2c523c13f29a0d676b0e8bd46  fleetctl_v4.82.1_macos.tar.gz
50b332c3bfe7aaefd7dedd6537d8c347b314786b6f90494176f807a75977455d  fleetctl_v4.82.1_macos.zip
740ddd324b592b0e48a0ecd25d8da9df9eb889439e9b23c4fbc45e9cf80b972a  fleetctl_v4.82.1_windows_amd64.tar.gz
5913036d550e30bedafc6f309f0a72058b6e45e65b5d247a0b056f3f2ff71c60  fleetctl_v4.82.1_windows_amd64.zip
b348a265022cd1311db5cd4a8a4faf754ce155dee2360e7e86a5caf4bfcfc64b  fleetctl_v4.82.1_windows_arm64.tar.gz
18330c5416c54739beddfb23d49f4cc9daa30de6e226d2cff3407738477db07e  fleetctl_v4.82.1_windows_arm64.zip

fleet-v4.82.0

Fleet 4.82.0 (Mar 11, 2026)

IT Admins

• Added support for enrolling fully managed Android hosts without a work profile.
• Added capability to uninstall Android apps on the device (and removal from self-service in the managed Google Play store) when an app is removed from Fleet.
• Added ability to allow or disallow end-users to bypass conditional access on a per-policy basis.
• Added filtering by platform and add status to the Software > Add Fleet-maintained apps table.
• Updated Android status reports to re-verify profiles that previously failed.
• Added ability to roll back to previously added versions of Fleet-maintained apps.
• Added new Technician role designed for help desk and IT support teams. Technicians can run scripts, view results, and install or uninstall software.
• Added support for JIT provisioning of the Technician role via SSO SAML attributes.
• Added automatic retries for failed software operations.

Security Engineers

• Added ability to scan for kernel vulnerabilities on RHEL based hosts.
• Added AWS GovCloud RDS CA certificates to the RDS MySQL TLS bundle, enabling IAM authentication for Fleet deployments connecting to RDS in AWS GovCloud regions (us-gov-east-1, us-gov-west-1).
• Added CVE alias for python visual studio code extension.
• Added new activity for edited enroll secrets.

Other improvements and bug fixes

• Renamed teams and queries to fleets and reports in the UI, API, CLI, and GitOps.
• Deprecated no-team.yml in GitOps in favor of unassigned.yml.
• Deprecated certain API field names to reflect the renaming of "teams" to "fleets" and "queries" to "reports".
• Updated Android MDM profiles to show up as pending on upload, the same as Apple MDM profiles.
• Improved the speed of a database query that runs every minute to avoid database locking.
• Added configurable body size limits for the /api/osquery/log and /api/osquery/distributed/write endpoints.
• Updated logic to trigger vulnerability webhook when on Fleet free tier.
• Updated storage of the auth token used in the UI.
• Dynamically alphabetized vitals on the host details page.
• Reworked how we handle server/worker delays to fix flaky tests.
• Disabled "Calendar" dropdown option in Policy > Manage automations for Unassigned.
• Added Go slog logging infrastructure and migrated a portion of the code from go-kit/log to slog.
• Added CTA to turn on Android MDM for Android software setup experience if MDM is not configured.
• Left-aligned "Critical" checkbox in Save policy form.
• Improved spacing on the Controls > OS Settings page.
• Updated to not allow editing Fleet-maintained app in the UI while GitOps mode is enabled.
• Updated to accept the previous device authentication token for up to one rotation cycle, so the My Device page URL remains valid after token refresh.
• Updated default macOS, iOS, and iPadOS update deadline time to 7PM (19:00) local time.
• Updated UI to enable adding/removing multiple Microsoft Entra tenant ids.
• Added additional logging for SCEP proxy requests and SCEP profile renewals.
• Added warning message on gitops label rename to clarify to users that renaming a label implies a delete operation.
• Added the ability to specify allowed Entra tenant IDs for enrollments.
• Updated the DEP syncer to properly reassign a profile when ABM unilaterally removes it.
• Increased the maximum script execution timeout from 1 hour (3600 seconds) to 5 hours (18000 seconds).
• Improved error handling on AWS DB failover. Fleet will now fail health check if the primary DB is read-only, or trigger graceful shutdown when write operations encounter read-only errors.
• Generated a server-side device token in the Okta conditional access flow when none exists or the current token is expired.
• Moved the copy button for text areas out of the text area itself and in line with its label.
• Removed unnecessary calls to svc.ds.BulkSetPendingMDMHostProfiles in POST /api/latest/fleet/spec/fleets.
• Internal refactoring: moved /api/_version_/fleet/hosts/{id:[0-9]+}/activities endpoint and MarkActivitiesAsStreamed to new server/activity bounded context.
• Added logging.otel_logs_enabled contributor config option to export server logs to OpenTelemetry.
• Added automatic tagging of prerelease/post-release versions on local build based on branch name.
• Added ability to enable/disable logs by topic.
• Improved detection of DISPLAY variable in X11 sessions.
• Updated the "Used by" column heading on the hosts page to "User email".
• Refactored query used for deleting host_mdm_apple_profiles in bulk to use Primary keys only.
• Added team_id to host details page param in URL to allow retaining team on refresh.
• Added help text on the software details page, below the installer status table, to explain the meanings of the counts.
• Added Country:US to new CA certs created by Fleet.
• Added error if GitOps/batch attempts to add setup experience software when manual agent install is enabled.
• Updated "Manage automations" button on the Queries and Policies pages to now always be visible, and disabled only when the current team has no queries of its own.
• Updated validation rules around the creation of labels to make sure only valid platforms are used.
• Improved host software inventory table's handling of long "Type" values.
• Updated expiration date of the auth token cookie to match the fleet session duration.
• Surfaced FMA version used and whether it's out of date in the UI.
• Updated nats-server dependency to resolve dependency vulnerabilities.
• Improved validation for host transfers.
• Fixed matching logic on App component for pages titles.
• Fixed adding Windows Fleet maintained apps failing when a software title with the same upgrade code already exists.
• Fixed an issue where GitOps would not respect the value set on update_new_hosts for macOS updates.
• Fixed an issue where duplicate kernels were reported in the OS versions API for RHEL-family distributions (RHEL, AlmaLinux, CentOS, Rocky, Fedora).
• Fixed issue where Windows Jetbrains products would not report the correct version number.
• Fixed a bug where custom software installer display names and icons were not used in the setup experience UI.
• Fixed a bug where the list activities API endpoint would fail with a database error when there were more than 65,535 activities and no pagination parameters were specified. The maximum per_page for activities endpoints is now 10,000.
• Fixed issue where MySQL IAM authentication could fail when a custom TLS CA/TLS config was set (for example GovCloud), by ensuring Fleet includes the configured TLS mode in IAM DSNs.
• Fixed styling issues for the UI when no enroll secret is present on a fleet.
• Fixed an issue where some UI users saw a blank gutter on the right side of parts of the UI.
• Fixed a bug where certain macOS app names could be ingested as empty strings due to incorrect ".app" suffix removal.
• Fixed install/uninstall tarballs package to skip recently updated status that is waiting for a change in software inventory
• Fixed a bug where software installers could create titles with the wrong platform.
• Fixed a bug where 2 vulnerability jobs can run in parallel if one is taking longer than 2 hours.
• Fixed issue with hosts incorrectly reporting policy failures after policy label targets changed.
• Fixed client-side errors being incorrectly reported as server errors in OTEL telemetry.
• Fixed issue where the status name was wrapping at smaller viewport widths on the mdm card on the Dashboard page.
• Fixed false negative CVE-2026-20841 on Windows Notepad.
• Fixed false positive CVE for Nextcloud Desktop.
• Fixed rare CPE error when software name sanitizes to empty (e.g. only special characters).
• Fixed Android enrollment to associate hosts with SCIM users, populating full name, groups, and department in host vitals.
• Fixed a hover style issue in the label filter close button.
• Fixed mismatches between disk encryption summary counts vs hosts displayed.
• Fixed truncation of certificate fields containing non-ASCII characters.
• Fixed an issue where policy automation settings in the Other Workflows modal reverted to stale values after saving when using a MySQL read replica.
• Fixed query results cleanup cron failing with "too many placeholders" error by filtering to only saved queries and batching the SQL IN clause.
• Fixed DB lock contention during vulnerability cron's software cleanup that caused failures under load.
• Fixed pagination on the host software page incorrectly disabling the "Next" button when a software title has multiple installer versions.
• Fixed a bug where macOS systems previous enrolled in fleet wouldn't always go through setup experience after a wipe
• Fixed stale software titles list after adding a VPP or fleet-maintained app by invalidating the query cache on success.
• Fixed issue where Windows Jetbrains products would not report the correct version number.
• Fixed false positive PayloadTooLargeError errors.
• Fixed software appearance edits not reflected until page refresh.
• Fixed issue where policy automation retries were potentially reading stale data from replica database.
• Fixed label edits not reflected until page refresh.
• Fixed report creation API returning zero timestamps for created_at and updated_at fields.
• Fixed issue where arbitrary order_key values could be used to extract data.
• Fixed stale software titles list after deleting a software installer.
• Fixed query results cleanup cron failing with "too many placeholders" error by filtering to only saved queries and batching the SQL IN clause.

Fleet-maintained app updates and vulnerability fixes are applied, whether or not you upgrade.

Fleet's agent

The following version of Fleet's agent (fleetd) support the latest changes to Fleet:

1. [orbit-v1.53.0](https://github.com/flee...

fleet-v4.81.2

Bug fixes

• Fixed a bug where macOS systems previous enrolled in fleet wouldn't always go through setup experience after a wipe.
• Fixed issue where policy automation retries were potentially reading stale data from replica database.
• Updated the DEP syncer to properly reassign a profile when ABM unilaterally removes it

Upgrading

Please visit our update guide for upgrade instructions.

Documentation

Documentation for Fleet is available at fleetdm.com/docs.

Binary Checksum

SHA256

33221c6628170521ba5da1103ea095bd8ca912429f7304111be49f50b3583fcb  fleet_v4.81.2_linux.tar.gz
8b23b40e0e05ab9bd40f662d539409d5cb2a08fdf22dca335e3fadb2808487c6  fleetctl_v4.81.2_linux_amd64.tar.gz
f3c9477428f7497de2a50af243ad0c1c9e305ba9e3ca8f9da22f0dd2b2ce80a5  fleetctl_v4.81.2_linux_amd64.zip
78720604057ff3da7ddc4afeb7c5d3cb82405b52d3df004db8327e0a38034476  fleetctl_v4.81.2_linux_arm64.tar.gz
a11b57408429266f247179e4b9d11b986d800773767721dd3bd69f1168231393  fleetctl_v4.81.2_linux_arm64.zip
a8ccd31eb28c7abb7427d2dbf7dc580e12717c4a23dea9bdc69353ccad4cbc4b  fleetctl_v4.81.2_macos.tar.gz
aa6c07d0c47af24982c3de846ed75b23f0bb49e98a9fb525fef4e1322440703d  fleetctl_v4.81.2_macos.zip
6528dbd77c9fa2231139875fc3bc91478c25d5f6cbb258de1c01fbb8b3550e34  fleetctl_v4.81.2_windows_amd64.tar.gz
84b5c6631a0cffaf018d856d629fcd4023e9957e6248f40da0f9fdece5b4f52f  fleetctl_v4.81.2_windows_amd64.zip
dca40c88bf2668a642b9be03d5c683222abbd0e91481255e21b5b99664c2615d  fleetctl_v4.81.2_windows_arm64.tar.gz
e6415227de8f2c7b97d16a4f7bf060664f69ef0d3b117106840851a06524ebaf  fleetctl_v4.81.2_windows_arm64.zip

fleet-v4.81.1

Fleet 4.81.1 (Mar 2, 2026)

Bug fixes

• Fixed an issue where some UI users saw a blank gutter on the right side of parts of the UI.
• Updated UI to enable adding/removing multiple Microsoft Entra tenant ids.
• Fixed a hover style issue in the label filter close button.
• Fixed false positive CVE for Nextcloud Desktop.
• Fixed rare CPE error when software name sanitizes to empty (e.g. only special characters).
• Fixed false negative CVE-2026-20841 on Windows Notepad.
• Fixed issue with hosts incorrectly reporting policy failures after policy label targets changed.
• Updated storage of the auth token used in the UI; move if from local storage to a cookie.
• Improved spacing on the Controls > OS Settings page.
• Added the ability to specify allowed Entra tenant IDs for enrollments.
• Added CTA to turn on Android MDM for Android software setup experience if MDM is not configured.
• Added CVE alias for Python Visual Studio Code extension.
• Improved validation for host transfers.
• Fixed query results cleanup cron failing with "too many placeholders" error by filtering to only saved queries and batching the SQL IN clause.
• Moved the copy button for text areas out of the text area itself and in line with its label.
• Fixed some styling issues for the UI when no enroll secret is present on a fleet.
• Left-aligned "Critical" checkbox in Save policy form.
• Fixed query results cleanup cron failing with "too many placeholders" error by filtering to only saved queries and batching the SQL IN clause.
• Fixed matching logic on App component for pages titles.
• Fixed issue where the status name was wrapping at smaller viewport witdths on the mdm card on the Dashboard page.
• Disallowed editing Fleet-maintained app in the UI while GitOps mode is enabled.
• Fixed error handling on failed VPP install commands not initiated by Fleet VPP app installation.

Upgrading

Please visit our update guide for upgrade instructions.

Documentation

Documentation for Fleet is available at fleetdm.com/docs.

Binary Checksum

SHA256

788cda125084fe897ee9bdc25ab37ae7d2af2d75ff8ac3903dfb99e6e3c19ebf  fleet_v4.81.1_linux.tar.gz
bb988a67614d8d2c7d39b44a52603f485b4bb457adc48e650889a3fc49930567  fleetctl_v4.81.1_linux_amd64.tar.gz
7d02c52467866a9a47e964690af9e34965b54ade09128d4e343f70378ff74c38  fleetctl_v4.81.1_linux_amd64.zip
40114d99dd63f8ebb3942c879d74c64e31bba230b7b14290f94c7d11cd8fdf5d  fleetctl_v4.81.1_linux_arm64.tar.gz
98d1ac9e4340820ae90f051e7b34c9e533defbd81e831fb2c9705b2133942a6b  fleetctl_v4.81.1_linux_arm64.zip
f9e48f32708ab5d91e136b7a1f951cd97075221c0a168165f6e9acb8bb8b56a8  fleetctl_v4.81.1_macos.tar.gz
2cdc32a926b7d64a72742bd4e89cd88c57b092d3257741b78d9aac17913a7ac5  fleetctl_v4.81.1_macos.zip
e14bdd333bf308776ee5da69c74abe04cf60ee504c343acf539f6e23edccfa37  fleetctl_v4.81.1_windows_amd64.tar.gz
9eece89fecb34f2c600774847a0daaeabd94f7ee6c6e68fabc4d8ef2a33edf09  fleetctl_v4.81.1_windows_amd64.zip
1df0878f3bf750e68aa3f9a7e58d7e3cde5d2aee459d80ba1fa355468e35b7ea  fleetctl_v4.81.1_windows_arm64.tar.gz
366fd322ad0121add63fe65f49276b4fc225bf3e9eed2394ae203cb1add690c9  fleetctl_v4.81.1_windows_arm64.zip

fleet-v4.80.3

Fleet 4.80.3 (Feb 20, 2026)

Bug fixes

• Fixed validation and error handling issues.

Fleet-maintained app updates and vulnerability feed fixes are applied, whether or not you upgrade.

Fleet's agent and fleetctl CLI

The following version of Fleet's agent (fleetd) and fleetctl support the latest changes to Fleet:

1. orbit-v1.52.1
2. fleet-desktop-v1.52.1 (included with Orbit)
3. osquery-5.21.0 (included with Orbit)
4. fleetd-chrome-v1.3.5
5. fleetd-android-v1.0.2

While newer versions of fleetd and fleetctl still function with older versions of the Fleet server (and vice versa), Fleet does not actively test these scenarios and some newer features won't be available.

Upgrading

Please visit our upgrade guide for upgrade instructions.

Documentation

Documentation for Fleet is available at fleetdm.com/docs.

Binary Checksum

SHA256

c83b87c6cddf052c4b44798d1d618563f7e965201cbe9c11638a5b72ad2a6a2c  fleet_v4.80.3_linux.tar.gz
a0cf0ead01feda43be097d0ce868ac56d5473885ef51b76be82f3bd7c7dcda0c  fleetctl_v4.80.3_linux_amd64.tar.gz
6c39466958adbe599a412059702ddce3868b9799da611112e8b9c4f77888b87f  fleetctl_v4.80.3_linux_amd64.zip
e8f983a032bf602aaa51332528aa88d50590ad317518ec0325bb2b52416fd745  fleetctl_v4.80.3_linux_arm64.tar.gz
d7c615162205455dbb097a1e3a5c28e78d27eba503777b54273b9224648258c7  fleetctl_v4.80.3_linux_arm64.zip
8b3e22ed1ba700d89e0d1783e200f64bb5501ee878d6cd0776c0be531bdba046  fleetctl_v4.80.3_macos.tar.gz
47fed78d73ecd1307ecad2589193e5532b870f5dc8707a1d9796c97a3218d718  fleetctl_v4.80.3_macos.zip
a5a86cf892f5bc32242ddc74085669e033ba5a6c350928a1c29be97281422092  fleetctl_v4.80.3_windows_amd64.tar.gz
396d990f3cd5ff2b9ee2a73393f3a54b092e58cda3d9af2387f83f11969674a4  fleetctl_v4.80.3_windows_amd64.zip
adebdb0c9dddfdd3a7db335c018e2d5dcb9e8aac96b3c4927ed082cd6cab2f9d  fleetctl_v4.80.3_windows_arm64.tar.gz
ad59b2d4d6a45b235848663d3fff566fec758f0b03b4e9b8718de3981794d070  fleetctl_v4.80.3_windows_arm64.zip

fleet-v4.81.0

Fleet 4.81.0 (Feb 20, 2026)

IT Admins

• Added support for dynamic SCEP challenges for Okta certs.
• Added a feature to allow IT admins to specify non-atomic Windows MDM profiles.
• Added GitOps support to fleet yaml to apply display_name to software package.
• Added enrollment support for iPod touch.
• Added hash_sha256 and package_name query parameters to the GET /api/v1/fleet/software/titles endpoint to allow checking if a custom software package already exists before uploading. Both parameters require team_id to be specified.
• Added ability to set default URL for Fleet Desktop.
• Added logic to skip setup experience for hosts that were enrolled > 1 day ago.
• Updated maximum software installer size to be configurable and bumped the default from 3 GB to 10 GiB.
• Added a check to fail any pending in-house app installs and cancel upcoming activities when unenrolling a host.
• Added gzip_responses server configuration option that allows the server to gzip API responses when the client indicates support through the Accept-Encoding: gzip request header.
• Allowed specifying an Apple Connect JWT for interacting directly with Apple APIs when retrieving VPP app metadata.
• Added logic to .pkg metadata extraction to match the root bundle identifier.
• Moved Windows automatic enrollment configuration instructions out of the UI and into the Windows MDM setup guide.

Security Engineers

• Added conditional_access.cert_serial_format server option to allow specifying the Okta conditional access certificate serial format.
• Improved authentication of POST /api/v1/osquery/carve/block requests by parsing and validating session_id and request_id before processing data.
• Redirected users to device policy page when failing conditional access requirements.
• Limited disk encryption key escrowing when global or team setting enabled.
• Differentiated IMP and Integrative Modeling Platform (IMP) while running vulnerability scanning.
• Fixed false negative for Adobe Reader DC CVE-2025-54257 & CVE-2025-54255.

Other improvements and bug fixes

• Added an environment variable to allow reverting to the old behavior of installing the bootstrap package during macOS MDM migration.
• Added --with-table-sizes option to prepare command to get approximate row counts of all database tables after a migration completes.
• Updated Fleet UI so that if software is detected as installed on software library page, hide any Fleet install/uninstall failures from page. Admin can view these failures from host details > activities.
• Updated Android certificate app to re-enroll if the host was deleted in Fleet.
• Updated fleetctl generate-gitops to output Fleet-maintained apps in a dedicated fleet_maintained_apps section of the YAML files.
• When a host is deleted, any associated VPP software installation records are also deleted.
• Global observers and maintainers can now officially read user details, which were already visible to them via the activity feed.
• Iru (Kandji's new name) added to the list of well-known MDM platforms.
• Improved error message when viewing disk encryption key fails because MDM has been turned off and the decryption certificate is no longer valid.
• Updated UI to show VPP version for adding software during setup.
• User sessions and password reset tokens are now cleared whenever a user's password is changed.
• Disallowed use of FLEET_DEV_* environment variables unless --dev is passed when serving Fleet.
• Handled the NotNow status from the device during DEP setup experience so it does not delay the release of the device.
• Allowed overriding individual configuration variables for MySQL and object storage when --dev is passed when serving Fleet.
• Updated DEP syncing code to use server-protocol-version 9 and handle THROTTLED responses.
• Updated UI styling to the Packs flow.
• Surfaced Google error message for Android profile failures after max retries instead of a generic error.
• Optimized recording of scheduled query results in the database.
• Improved API error message when adding profiles or software with non-existent labels.
• Ignored parenthesized build numbers in UI when comparing versions for update availability (e.g. 5.0 (build 3400)).
• Improved DEP process cooldowns, by limiting how many we process in a single as per Apple's recommendations.
• Improved OpenTelemetry tracing: added proper shutdown to flush pending spans, and added service name/version resource attributes for better trace identification.
• Improved OpenTelemetry error handling: client errors (4xx) no longer set span status to Error or appear in the Exceptions tab, following OTEL semantic conventions. Added separate metrics for client vs server errors (fleet.http.client_errors, fleet.http.server_errors) with error type attribution. Client errors are also no longer sent to APM/Sentry.
• Internal refactoring: introduced activity bounded context as part of modular monolith architecture. Moved /api/latest/fleet/activities endpoint to new server/activity/ packages.
• Removed a debug-level warning asserting that macOS devices were unauthenticated when enrolling to Fleet.
• Updated gitops related tests to validate that users can get/set the alternative browser hosts fleet desktop setting.
• Updated to Go 1.25.7.
• Fixed a bug with the PATCH /software/titles/{id}/package where the categories could not be updated by themselves, another field had to be updated for them to be modified.
• Fixed an issue setting the bootstrap package on teams created by the puppet plugin.
• Fixed an issue where enabling manual agent installation for macOS devices would incorrectly block the addition of setup experience software titles for all platforms.
• Fixed Smallstep CA integration to send Authorization header with first request.
• Fixed an issue where deleted Windows and Linux hosts could re-enroll without re-authenticating when End User Authentication was enabled.
• Fixed a permission issue on software installer custom icons where a team maintainer could not view, edit or delete a custom icon.
• Fixed bug where unfinished Entra Integration setup breaks the UI.
• Fixed SCEP proxy so that it uses standard base64 encoding for PKIOperation GET requests, ensuring compatibility with standard SCEP servers.
• Fixed an issue where queries with common table expressions (CTEs) were marked as having invalid syntax.
• Fixed a bug where installing Xcode via VPP apps on macOS resulted in a failure due to not being able to verify the install.
• Fixed a bug where non utf8 encodings caused an error in pkg metadata extraction.
• Improved error message where there is issue getting the enrollment token during ota enrollment.
• Fixed CVE false positive on ninxsoft/Mist.
• Fixed an issue where last_install details were not returned in the Host Software API for failed software installs, preventing users from viewing failure information.
• Fixed saving of policy automation in UI that triggers software installs and script runs.
• Fixed a bug where changes to scripts were causing custom software display names to be deleted.
• Fixed bug where custom icons were ignored for fleet maintained apps in GitOps files.
• Fixed panic in gRPC launcher API handler.
• Fixed a bug where installed software would not show up in the software inventory of an ADE-enrolled macOS host after a wipe and a re-enrollment.
• Fixed issue where MySQL read replicas were not using TLS.
• Fixed bug where fleetctl gitops was not sending software categories correctly in all cases.
• Fixed an issue in fleetctl gitops that would reset VPP token team assignment when using "All teams".
• Fixed bug in host activity card UI where activities related to MDM commands should be hidden when Apple MDM features are turned off in Fleet.
• Fixed unnecessary error logging when no CPE match is found for software items like VSCode extensions and JetBrains plugins.
• Fixed created_at and updated_at timestamps on API responses for Label and Team creation.
• Fixed issues where different variations of the same software weren't linked to the same software title.

Fleet-maintained app updates and vulnerability fixes are applied, whether or not you upgrade.

Fleet's agent

The following version of Fleet's agent (fleetd) support the latest changes to Fleet:

1. orbit-v1.52.1
2. fleet-desktop-v1.52.1 (included with Orbit)
3. osquery-5.21.0 (included with Orbit)
4. fleetd-chrome-v1.3.5
5. fleetd-android-v1.0.2

While newer versions of fleetd still function with older versions of Fleet, old versions of fleetd and osquery may not function with new versions of Fleet. We do not actively test these scenarios, and we recommend deploying a minimum of the agent versions above before upgrading to this version of Fleet.

Upgrading

Please visit our upgrade guide for upgrade instructions.

Documentation

Documentation for Fleet is available at fleetdm.com/docs.

Binary Checksum

SHA256

5a02732037853669a1114c0c30e6a7475cc7cba71aea80e56ab9724842296721  fleet_v4.81.0_linux.tar.gz
366a04a50706741fc3e0bb382239d9088918af637d45c493edfa271cc91a26e7  fleetctl_v4.81.0_linux_amd64.tar.gz
b6f0026ee342c3465855b77d90f7cb1c705f4d34f98898967fd3523dea5add72  fleetctl_v4.81.0_linux_amd64.zip
b1e56569e931b09d336a9c01d8b70378a09707e53aa0799121f69aeb701c95fd  fleetctl_v4.81.0_linux_arm64.tar.gz
d3045c717970e7b9f2d0789910d0d316bcd78eb783c3630da4ae92755f9367a1  fleetctl_v4.81.0_linux_arm64.zip
5ee195aee4aeb267ac7f7fffd010bf02d7ddf6df1eac71b073a52062ee85485f  fleetctl_v4.81.0_macos.tar.gz
49b0ea207ae0d287...

fleet-v4.80.2

Bug fixes

• Updated to Go 1.25.7.
• Fix issue where MySQL read replicas were not using TLS.

Upgrading

Please visit our update guide for upgrade instructions.

Documentation

Documentation for Fleet is available at fleetdm.com/docs.

Binary Checksum

SHA256

ba950de7d2fb79f852cf43b5865e5c795a149f7a70b8d7ea741d2544b8ecfd6e  fleet_v4.80.2_linux.tar.gz
c4ada390ef700218cc9f665a5c7d1fbbdb891282af50401c48870f9764828705  fleetctl_v4.80.2_linux_amd64.tar.gz
6c83720b1abef156c95a20faddf5c84205f98025a2da2287b9ff595ba348cd45  fleetctl_v4.80.2_linux_amd64.zip
762b1b2b4f03bf99be87ddf9c2294b0ae95ef9e90da3fe139c2a6fb5df4c9ed2  fleetctl_v4.80.2_linux_arm64.tar.gz
bc8b9fa27095debd1a4d1b52508b66bbff0ca96e76b8255d2ecd870bd706c857  fleetctl_v4.80.2_linux_arm64.zip
a76588288387188b5756c042377c4eadc6ab38ab971871770f778d75af5edf66  fleetctl_v4.80.2_macos.tar.gz
149f90613a279dc0e20a84e83982f6f06b7d3d1174cca0353e7a9e3df281eaee  fleetctl_v4.80.2_macos.zip
62f322d0e2618df5cd1f775be2699eb185c45c38fef23f01e61756adaafd6f43  fleetctl_v4.80.2_windows_amd64.tar.gz
2d319d5d294d28d12d8d4da7f4dca2d9c73b5582b055f17371387e5983157e87  fleetctl_v4.80.2_windows_amd64.zip
52ab9120599d646595e525c6e8d5510b45a06dd1a344f7b47e50bc5298d24563  fleetctl_v4.80.2_windows_arm64.tar.gz
9156bbc099ca4bdddd55804ca2469f415c6deeb3817e6becc3648ffc104ae97b  fleetctl_v4.80.2_windows_arm64.zip