fleet-v4.78.2

Bug fixes

• Added additional validation to URL parameter for MS MDM auth endpoint

Upgrading

Please visit our update guide for upgrade instructions.

Documentation

Documentation for Fleet is available at fleetdm.com/docs.

Binary Checksum

SHA256

3c0fb6373c6a87c7a8916c4f98066ea6843b02ad2586db9333ae990f63c6ae9e  fleet_v4.78.2_linux.tar.gz
5302b78e17a512fd44add3c9ba9e58f79f52d2e9dc526a2759720a5252e6ee11  fleetctl_v4.78.2_linux_amd64.tar.gz
2fdf8bf785cfa4f354d78feb081e7c904568113913c3cfc8c72dcc4246aff568  fleetctl_v4.78.2_linux_amd64.zip
302814ea80c1684fc0f5d54340bdf37a33e72bae21ee5a8c65e0c4a660ad32f1  fleetctl_v4.78.2_linux_arm64.tar.gz
e4efd7f8f64f71cdc4f0cec00d9ae6e1a9fe7e4356b27307726f061386525690  fleetctl_v4.78.2_linux_arm64.zip
4658b0d3ba46f4b390ed2d2f700e35ae71a6b9aacb47e7ec6f3d62a6366445d4  fleetctl_v4.78.2_macos.tar.gz
e41d2a963f9e9e9aab5a1e2008660c4ccc91d814b8fd7b99b2fcc3f738b275d3  fleetctl_v4.78.2_macos.zip
b89a98d079e077838b9e396e82841da2b0f3e0a9dc46814bd55ce2a3c8e47773  fleetctl_v4.78.2_windows_amd64.tar.gz
3ffd1c548bcca390a10f586afbd48632a318dee790aa05c0b7ac8b4b78ee12a8  fleetctl_v4.78.2_windows_amd64.zip
030fd16627f907a379ea69c05be8612e2fbe99a65a1438cc43a8642284419a7b  fleetctl_v4.78.2_windows_arm64.tar.gz
bfd111fa990523196afeea3a009f56a682b1f5ed41cfc3c8201c0566cc13739f  fleetctl_v4.78.2_windows_arm64.zip

fleet-v4.78.1

Fleet 4.78.1 (Jan 6, 2026)

Bug fixes

• Fixed duplicate entry error when updating upgrade_code during software ingestion
• Fixed case sensitivity mismatches causing duplicate titles during software ingestion
• Added missing upgrade code persistence when adding Windows software to Fleet via GitOps
• Fixed a bug where iOS and iPadOS hosts enrolling via ABM MDM Migration would not have VPP apps installed

Upgrading

Please visit our update guide for upgrade instructions.

Documentation

Documentation for Fleet is available at fleetdm.com/docs.

Binary Checksum

SHA256

9f9f6423a4bccf267168b592f90ddd8d2819d3a13942975ed736174897b654dc  fleet_v4.78.1_linux.tar.gz
34cbe82900a2544b1500d8f3ffab6fe0d8aa1031a39afb97e5321841e1d3ac32  fleetctl_v4.78.1_linux_amd64.tar.gz
dd86cd7ab842df19374a061c25318a12c8ab578b49b7423e151c79d3ddcfc9d9  fleetctl_v4.78.1_linux_amd64.zip
23913c1d22c22aaf8a3c777a0a5eec94d4d58a45df9018d26fc63e445989d070  fleetctl_v4.78.1_linux_arm64.tar.gz
3f3a4a631a9b2ccdd4757e3658140c1b75bf02a06a7cef7847e9b139a282b795  fleetctl_v4.78.1_linux_arm64.zip
f63c6323ab579a2bba422f0922073da6eebe55f6fa21e23b0b34f970add44173  fleetctl_v4.78.1_macos.tar.gz
7f0acb9f330a94f830f7ddb8feda33e5d9f4105177db522c72be96881e92da50  fleetctl_v4.78.1_macos.zip
0cdf6372945a219b56c4854f11ba19b7526d06dd6a970e5ba593a2e8051c81ce  fleetctl_v4.78.1_windows_amd64.tar.gz
5f74bde28bc4c1891429cdc5e40a4b481c1a3f74dabb5591c49076abaf9088f9  fleetctl_v4.78.1_windows_amd64.zip
1e73c44d96d9856250215983957adf7275e820e7ae45d153b623f886b2d252b4  fleetctl_v4.78.1_windows_arm64.tar.gz
c758563ab07028deab7c00d9ff42b5220562bbbe1d0406f74478243a6bea867a  fleetctl_v4.78.1_windows_arm64.zip

fleet-v4.78.0

Fleet 4.78.0 (Dec 19, 2025)

IT Admins

• Added support for Android setup experience software installation.
• Added support for Android self-service apps to fleetctl gitops.
• Added support for Android systemUpdate profiles.
• Added ability to create/view/delete Google Play Store software for Android in UI.
• Added $FLEET_VAR_HOST_PLATFORM for Apple platforms (macos, ios, ipados).
• Added support for installation of setup-experience VPP apps on manually-enrolled iOS/iPadOS devices.
• Added ability to deploy user-scoped SCEP profiles for Windows hosts.
• Added a configuration option to require Windows users turn on MDM manually via work or school account, rather than have enrollment happen automatically.
• Added UI to allow Windows hosts to manually enroll into Fleet MDM.
• Added support for $FLEET_VAR_HOST_HARDWARE_SERIAL and $FLEET_VAR_HOST_PLATFORM in Windows profiles.

Security Engineers

• Added ability to filter the activites on the dashboard page.
• Updated to regenerate FileVault profile when Apple MDM is turned on if the device's team has disk encryption enabled.
• Added Okta conditional access configuration to the Fleet UI under Settings -> Integrations -> Conditional access.
• Added endpoint for hosts to update certificate status.
• Added detail column to host_certificate_template table and added certificate_templates property with GitOps support.
• Updated fleetd/certificates/<id> and fleetd/certificates/<id>/status to authenticate using the orbit_node_key provided in the Authentication header.
• Updated MDM-enrolled Android devices to receive certificate templates in managedConfigurations.

Other improvements and bug fixes

• Improved performance by making the host_count property optional in the GET /labels API endpoints.
• Improved performance by avoiding unneeded extra queries when fetching team information.
• Improved request validation by returning an informative error when trying to filter software_titles with platform without a team_id.
• Allowed users to save Fleet queries even if their SQL is deemed invalid by the Fleet UI.
• Added a new error UI for file uploaders, and applied it in the Okta Conditional Access modal.
• Returned pre-install query output in Install Details modal.
• Translated idp to mdm_idp_accounts on API responses.
• Updated last_restarted_at property for hosts to be more reliable.
• Added Mosyle to the list of well-known MDM platforms.
• Changed where mdm_enrolled activity is created so it occures after the inital Token Update command to allowa the webhook to fire after the host can recieve additonal commands from Fleet MDM.
• Improved MDM command result endpoint response for pending Windows commands.
• Switched configurations referencing Redis 5 to Redis 6. Fleet is no longer verified to work with Redis 5 or below.
• Redacted API tokens in fleetctl config set to prevent accidental logging.
• Updated error message when attempting to run software install script on host with scripts disabled to refer to --enable-scripts flag (instead of --scripts-enabled).
• Updated queries APIs that drive the OS Settings UI to include the status of host cert templates.
• Updated the layout and styling of file uploader buttons across the UI.
• Updated built-in SVG icons to avoid rendering issues when certain combinations of icons are on the same page.
• Added consistant spacing to UI elements on the MDM page.
• Updated Go to 1.25.5.
• Fixed an issue where using bitwise operators in a query incorrectly marked the query as invalid.
• Fixed issue where MDM profile retry limits were interfering with Smallstep SCEP proxy renewal attempts, particularly in cases of expired SCEP challenges.
• Fixed incorrect status code on failure to interpolate certificate template variables.
• Fixed Android configuration profiles downloading as unusable .xml files with content [object Object]. Android profiles now download correctly as .json files with properly formatted JSON content, matching what was originally uploaded.
• Fixed the tab order of elements in the login form.
• Fixed UI bug where the option to resend MDM profiles for macOS hosts was incorrectly presented to non-admin and non-maintainer users.
• Fixed an issue that prevented GitOps from saving multiple queries with the same label.
• Fixed an issue where "Exclude Any" label scoping did work properly for iOS, iPadOS and Android hosts.
• Fixed bug that prevented filtering by platform when listing hosts with failed profiles.
• Fixed software action buttons to disable immediately on click to prevent multiple clicks.
• Fixed an issue where newly-enrolled Windows or Linux hosts were not automatically linked with existing SCIM user account data.
• Fixed UI bug in OS settings modal that caused status tooltip to flicker when refetching host details.
• Fixed a race condition when resending Apple Profiles that would not truly resend the latest profile.
• Fixed a missing redirect to the Fleet website.
• Fixed the connect message on the controls end user auth page so that it is consistant with the other set up experience subsections.
• Fixed a bug where "installed" software sometimes showed up as "uninstalled" when certain other pieces of data were not also present.

Fleet-maintained app updates and vulnerability fixes are applied, whether or not you upgrade.

Fleet's agent

The following version of Fleet's agent (fleetd) support the latest changes to Fleet:

1. orbit-v1.50.2
2. fleet-desktop-v1.50.2 (included with Orbit)
3. osquery-5.21.0 (included with Orbit)
4. fleetd-chrome-v1.3.3

While newer versions of fleetd still function with older versions of Fleet, old versions of fleetd and osquery may not function with new versions of Fleet. We do not actively test these scenarios, and we recommend deploying a minimum of the agent versions above before upgrading to this version of Fleet.

Upgrading

Please visit our upgrade guide for upgrade instructions.

Documentation

Documentation for Fleet is available at fleetdm.com/docs.

Binary Checksum

SHA256

a75667c3362b5ffa11d1c95e2839aeb4fe74cd274994aee08148fd6179527c74  fleet_v4.78.0_linux.tar.gz
5753557878a06de58c7aabdc2d55f27792ccacaed43ff9cc41ed9ef9f52bd943  fleetctl_v4.78.0_linux_amd64.tar.gz
ed9bf44b737e2285066ccf0c0f0fa328b7d6ec0033edb119183e4ded5d20f2c2  fleetctl_v4.78.0_linux_amd64.zip
1ba0a5d96566efed20a1ce96d3303e42ff2a0b7b8d3527bb35066efdb23ca5a0  fleetctl_v4.78.0_linux_arm64.tar.gz
cfd528a01f463a6b5afcc696fbaffc896b4f4a4e8a8dde6034eff9fa1082f582  fleetctl_v4.78.0_linux_arm64.zip
c6b2ad11c958f38b53168ee9396f6bded3ed5f863c253ade07eaf00921672488  fleetctl_v4.78.0_macos.tar.gz
e721bd5cf7c2fc378dc968cb24d229590bfd376226d50387d2ad1db42c17cb50  fleetctl_v4.78.0_macos.zip
a188080d9c972dc883e1a268a4d040dadf7912901a7a91c25c9e4f640396054b  fleetctl_v4.78.0_windows_amd64.tar.gz
8c41eafab9cb38e4a97b464f86e926da12c7b0531f848a3c306dc04ecfd7960c  fleetctl_v4.78.0_windows_amd64.zip
87e80393f956b137571cf6bce870c3eb0256c155d0ea76cef69fba1d6b5ca49c  fleetctl_v4.78.0_windows_arm64.tar.gz
e3aeddceada71115e53d86f74b8300566660cb44e2229c4cbd4f97d96ee668e7  fleetctl_v4.78.0_windows_arm64.zip

fleet-v4.77.0

Fleet 4.77.0 (Dec 02, 2025)

Security Engineers

• Added activity log entries for: host deletion and expiration, updating or deleting host IdP mappings.
• Resolved multiple false positive vulnerability matches for the VSCode golang extension.
• Resolved false positive CVE matches for Logi Bolt.app.
• Detected vulnerabilities in JetBrains IDE plugins.

IT Admins

• Updated MDM enrollment flow for BYOD macOS hosts to enable end user authentication prior to downloading the MDM profile via the "My device" page.
• Added self-service install support for custom IPA apps on iOS and iPadOS.
• Added support for in-house (".ipa") apps to fleetctl gitops.
• Updated existing POST /setup_experience/script endpoint to allow updating the macOS setup experience script in-place, and modified GitOps to remove the DELETE call.
• Added support for Custom EST certificate authorities.
• Added ability to deploy certificates from Custom SCEP certificate authorities on Windows.
• Added status counts to batch script detail page tabs.
• Added InstallAnywhere as a self-extracting archive for PE metadata extraction.
• Added ingestion of upgrade_codes from Windows software, and provided to all relevant software endpoints.

Other improvements and bug fixes

• Improved performance of /api/latest/fleet/software/versions API endpoint.
• Updated host expiry logic to not delete macOS hosts that checkin via MDM protocol but not via fleetd.
• Optimized the cleanup Apple host profiles query to reduce probability of DB locking.
• Implemented UI logic to call existing manual update IdP API functionality.
• Implemented UI logic and new DELETE endpoint to manually remove host IdP mappings.
• Added experimental FLEET_MDM_ENABLE_CUSTOM_OS_UPDATES_AND_FILEVAULT configuration to allow deploying custom OS settings including Filevault payloads and macOS and Windows update settings.
• Added ability to change software display names in the UI.
• Fixed table styling for selecting table rows.
• Simplified setup experience configuration UI.
• Added better error messages when using build-in labels on GitOps and on the LabelSpecs endpoint.
• Hid software host count and version table when no hosts have the software installed.
• Adjusted UI section headers and layout of Settings > Integrations in Fleet Free.
• Added vulnerability seeding and performance testing tools.
• Moved end user authentication SSO settings under Integrations > SSO in global settings.
• Removed the premium check for host OS settings in host summary UI.
• Reduced Android device reconciler frequency to 1 hour.
• Reduced Android API usage by listing devices instead of getting and checking Android Enterprise disconnects hourly.
• Set the order of software installed during the setup experience to alphanumeric.
• Updated Go to 1.25.3.
• Fixed a layout issue on the script batch details page.
• Fixed installer for Cisco Secure Client not showing as installed in inventory/library due to using the wrong bundle identifier. This application should show up correctly now in the software inventory.
• Fixed errors when trying to run the apple_mdm_iphone_ipad_refetcher cron job.
• Fixed bug that prevented users from editing custom EST certificates URLs.
• Fixed incorrect UI placeholder element by replacing it with it's actual value.
• Fixed issue where vulnerabilities would occasionally show as missing.

Fleet-maintained app updates and vulnerability fixes are applied, whether or not you upgrade.

Fleet's agent

The following version of Fleet's agent (fleetd) support the latest changes to Fleet:

1. orbit-v1.50.1
2. fleet-desktop-v1.50.1 (included with Orbit)
3. osquery-5.20.0 (included with Orbit)
4. fleetd-chrome-v1.3.3

While newer versions of fleetd still function with older versions of Fleet, old versions of fleetd and osquery may not function with new versions of Fleet. We do not actively test these scenarios, and we recommend deploying a minimum of the agent versions above before upgrading to this version of Fleet.

Upgrading

Please visit our upgrade guide for upgrade instructions.

Documentation

Documentation for Fleet is available at fleetdm.com/docs.

Binary Checksum

SHA256

014f227e5e473510a215d64c7d589eca436a7ae8dd4418af30d50b2f36cbb4ff  fleet_v4.77.0_linux.tar.gz
694ba395c6274c36876a364a1c0c48cbcfa29e0fbe48cd5bdb4b249281657ba8  fleetctl_v4.77.0_linux_amd64.tar.gz
b9c7f4fab027228d1d9ee03d3d91e4f0d21ddcd2d66ca5260b237861285f50a1  fleetctl_v4.77.0_linux_amd64.zip
7f1abd61ec0e113c8f2c1344901a4fc93620da86bcef90b546f82498fe512758  fleetctl_v4.77.0_linux_arm64.tar.gz
8376763b99fa04f89fa4cfd4fdcafd1e3e0d50b7706f70ce12f0e8ef6886bfc8  fleetctl_v4.77.0_linux_arm64.zip
cac4ae3ccb3816d1ef8cd29b347d39126a3c33fc178393fac936ba3489fe4a06  fleetctl_v4.77.0_macos.tar.gz
b641a3e666150e4eeec6cca8e3e4bbf37a0c69605ad54cc0b997c47df684fb48  fleetctl_v4.77.0_macos.zip
e53f1d9ea91c31661bd6e5521911553beaf1af48163d6887f5075f82460a1ddb  fleetctl_v4.77.0_windows_amd64.tar.gz
6dcfca6971b22bd842e30e5f24051fe97f81432bc3d7be81c034fbb98e491004  fleetctl_v4.77.0_windows_amd64.zip
f9cf1cfcf510ca724c55778edad5dff585073aa94797c4fc9e9cc44693cda071  fleetctl_v4.77.0_windows_arm64.tar.gz
9b11e38a413c6f73cdfe680e024a0874e62c249fa2696129f3bb0dcd13e81efe  fleetctl_v4.77.0_windows_arm64.zip

fleet-v4.76.1

Bug fixes

• Updated existing /setup_experience/script POST endpoint to allow updating the macOS setup experience script in-place, and modified gitops to remove the DELETE call

Upgrading

Please visit our update guide for upgrade instructions.

Documentation

Documentation for Fleet is available at fleetdm.com/docs.

Binary Checksum

SHA256

39c17ecb56815ecef51cb91fae7228bf13b67a8be1e8cb101f863276ef263e82  fleet_v4.76.1_linux.tar.gz
af2b6a9813222a215b5756f7593fdcc666e5cda9212e16612b7583cb6bcd067d  fleetctl_v4.76.1_linux_amd64.tar.gz
48bb1af1b6256214400db94ea7c0263207b8a43a32aaa255ab4cd2a7b2662a4a  fleetctl_v4.76.1_linux_amd64.zip
4f2adb5fb1262cfce62f185fa0e9d0934730e46dd1a66fe73d7824b44c8fe86c  fleetctl_v4.76.1_linux_arm64.tar.gz
cc0f256a095064fd83ea244a676cecbadfd4572883802a347cf643d07cfb4ce0  fleetctl_v4.76.1_linux_arm64.zip
40226d6081351c2042e641471aa21064d368bff30a47ff11c2dbcef54b131d83  fleetctl_v4.76.1_macos.tar.gz
ae1eb85029e3ea9abea1cd3e4a8aa8c1680862b13cd9a03a4bb653747c219554  fleetctl_v4.76.1_macos.zip
bd39ce43c6d408e3448f21043f7b95f9618218ff4d7b0100be7143f8c1d9cd18  fleetctl_v4.76.1_windows_amd64.tar.gz
95a1781fd00fa9e4202c8c4bbc8ec9f6e74715b440c06159b407a8f8aaba52f4  fleetctl_v4.76.1_windows_amd64.zip
af958f7bad34d11ecc2be44b2d1860dc2b90c9d2743642609ae56ed46026e294  fleetctl_v4.76.1_windows_arm64.tar.gz
d4584c2524488468f45c14db870a1afa3d9ed2b8010b0d584b775338ad52d13e  fleetctl_v4.76.1_windows_arm64.zip

fleet-v4.76.0

Fleet 4.76.0 (Nov 7, 2025)

Security Engineers

• Added support for software inventory on Android hosts.
• Added support for npm packages in software inventory and vulnerability matching for macOS and Linux hosts.
• Added support for JetBrains inventory on hosts.
• Added vulnerbaility detection in JetBrains plugins.
• Added support for VSCode fork (Cursor, Windsurf, VSCodium, VSCodium Insiders, and Trae) extensions in software inventory.
• Added Santa tables to fleetd.

IT Admins

• Added ability to install software for iOS and iPadOS hosts during the setup experience.
• Added ability to specify VPP apps for automatic installation during ADE iOS and iPadOS host enrollment.
• Added the ability to lock iOS and iPadOS devices through lost mode.
• Added support for locking and unlocking iOS and iPadOS devices from the UI.
• Added configuration option to setup experience for macOS hosts to halt if any software install fails.
• Added gigs_all_disk_space vital collection, storage, service, and UI rendering for Linux hosts.
• Added new server config flag for specifying the cleanup age for completed distributed targets.

Other improvements and bug fixes

• Added link component shown in the host column to the host details page.
• Added flash warning when an unauthorized user tries to access teams settings.
• Added descriptive error in cases of manual macOS profile download failure.
• Updated the macOS setup experience to use the new web UI.
• Updated the UI for adding new scripts to the scripts library.
• Changed display logic for the organization logo component on the My Device page to prevent flickering.
• Improved performance of /api/latest/fleet/os_versions endpoint, especially for deployments with Linux hosts.
• Optimized MySQL queries on /api/latest/fleet/vulnerabilities and /api/latest/fleet/software/versions to improve performance for Fleet UI use cases.
• Optimized /config API endpoint to use the primary DB node for both persisting changes and fetching modified app config.
• Improved live query response times by adding a new server config flag for specifying the cleanup age for completed distributed targets.
• Improved query performance by using a lighter-weight query for checking if a team is enabled for conditional access.
• Changed license warning to only show one time during GitOps runs.
• Updated to allow setting an org support url to use the "file" protocol in the url.
• Changed the default name of Host Identity CA to 'Fleet Host Identity CA' to avoid conflict with Fleet's Apple MDM CA.
• Updated host details run script user flows to include a confirmation step.
• Applied singular word form to GitOps log messages when a single entity is referenced in the message.
• Updated the "Setting up your device" page to show status of setup script run.
• Deprecate browser in favor of extension_for in API responses and JSON/YAML outputs.
• Added migration to clear the platform field on all builtin labels.
• Added migration to relink missing SCIM user data to hosts.
• Updated host certificate renewal flow for NDES, Smallstep, custom scep proxy CAs to support $FLEET_VAR_SCEP_RENEWAL_ID in the OU field rather than CN.
• Updated device mapping API to allow an "idp" source to manually set IDP user mappings.
• Updated styling to be more consistent in edit policies view for FireFox.
• Replaced outdated Firefox icon with a new one that follows brand guidelines.
• Allowed testing a new or edited policy query via live query while in GitOps Mode.
• Fixed missing "failed" VPP app install activities when installation is canceled due to MDM being turned off for a host.
• Fixed bug where uploading a software installer failed because it was "not found in the datastore".
• Fixed missing aboslute timestamp tooltips on script creation date in script list, query modification date in query list.
• Fixed bug with the ChangeManagement component where the GitOps checkbox local UI state was being reset due to GET request after PATCH request.
• Fixed MySQL deadlocks when multiple hosts are updating their certificates in host vitals at the same time.
• Fixed an issue where longer variable names ($FLEET_VAR_HOST_END_USER_IDP_USERNAME_LOCAL_PART) with the same base ($FLEET_VAR_HOST_END_USER_IDP_USERNAME) was not processed in the right order.
• Fixed UI bug where "Show disk encryption key" option was incorrectly displayed for hosts enrolled with a third-party MDM solution.
• Fixed WhatsApp and VS Code icons not displaying correctly
• Fixed bad software ingestion debug message and added filter for invalid software with missing names.
• Fixed a bug where a software installer could be installed in the same team and same platform (macOS) where an App Store app already existed for the same software title, and vice-versa (App Store app added when a sofware package already existed, this one was only possible just via fleetctl gitops).
• Fixed listing hosts with populate_software not returning hash_sha256 for macos apps.
• Fixed bug where batch setting MDM profiles could cause a nil pointer dereference when processing an invalid profile (e.g., cannot parse mobileconfig because it is bad xml).
• Fixed bug hiding the UI elements post install script output in Software Install Details modal.
• Fixed software title host count mismatch that was caused by including software installers in the count.
• Fixed a scenario where a wiped Windows host re-enrolled as a distinct host row in Fleet and the previous host's page could not be loaded successfully.
• Fixed an issue where a host transfer on mdm_enrolled activity would be reversed by orbit enroll.
• Fixed a bug in live queries that caused livequery:{$CAMPAIGN_ID} Redis keys to not be cleaned up or expire.
• Fixed inconsistency in GitOps for App store apps if no VPP token was found, so that both dry run and actual run fails.
• Fixed the software title counts by status to be consistent with the status reported in the host's software list and filter by status.
• Fixed outdated tooltip on dark background logo URL field in Organization info settings.
• Fixed fleetctl generate-gitops when MDM is not turned on.

Fleet-maintained app updates and vulnerability fixes are applied, whether or not you upgrade.

Fleet's agent

The following version of Fleet's agent (fleetd) support the latest changes to Fleet:

1. orbit-v1.48.1
2. fleet-desktop-v1.49.1 (included with Orbit)
3. osquery-5.20.0 (included with Orbit)
4. fleetd-chrome-v1.3.3

While newer versions of fleetd still function with older versions of the Fleet server (and vice versa), Fleet does not actively test these scenarios and some newer features won't be available.

Upgrading

Please visit our upgrade guide for upgrade instructions.

Documentation

Documentation for Fleet is available at fleetdm.com/docs.

Binary Checksum

SHA256

0fbb04d29e075b25a80d1c5acfdf60e9bfb38289cdf123a8f72b78dfe3bd805f  fleet_v4.76.0_linux.tar.gz
9d3eadeae6d3f1a2fbe65032c2a667945040d8a5db17f664c7532f5109701dd0  fleetctl_v4.76.0_linux_amd64.tar.gz
fa78a4fdddef9bf9ebb7eaeba43b719c24dc1629a30e46feed57855a4ad9d3ab  fleetctl_v4.76.0_linux_amd64.zip
7f030c055185d50d47852f152f8ec8bfc86bf883435a4b4ca6317a50b7e849b6  fleetctl_v4.76.0_linux_arm64.tar.gz
3d59a661cf054db548f0aca6da4ab68fa8d94e11ae749fd0e8896a09dac8aec9  fleetctl_v4.76.0_linux_arm64.zip
2e3a52d862238877e190733e597eadb801f6ef63cf32c0247b2f3237ea2f9c11  fleetctl_v4.76.0_macos.tar.gz
5a8f36ed77cf1d80cce10cca2ac66c4cb04c1deb32d9364512de2cf1d3c7bd01  fleetctl_v4.76.0_macos.zip
849e04c80a830095739a84541525d7d79ff4e2485c98d7765f987f5fd12db546  fleetctl_v4.76.0_windows_amd64.tar.gz
584d9a2d476182d2307c275070257e80ab903d1eb51f329bfef88d0a647eaefc  fleetctl_v4.76.0_windows_amd64.zip
8aacc129b1483b044ea576e3efd3b9d418a7634edb16623349a784f7ff9c7582  fleetctl_v4.76.0_windows_arm64.tar.gz
1bf46c17000a3e83e2ae68b368d78b32e1ddf9dee9d9ed333534ef9eec818f0c  fleetctl_v4.76.0_windows_arm64.zip

fleet-v4.75.1

Bug fixes

• Fixed fleetctl generate-gitops when MDM is not turned on.
• Reduced load on migration from 4.74.0 and below.

Upgrading

Please visit our update guide for upgrade instructions.

Documentation

Documentation for Fleet is available at fleetdm.com/docs.

Binary Checksum

SHA256

579c79becb7bea7812185150fd0706e161b3f4753f81302d920aba9bfc2bf3a4  fleet_v4.75.1_linux.tar.gz
77afc5ca0f1051f41b787c52ffd401fbe1eaefc4a7d1859732f87f8491828b99  fleetctl_v4.75.1_linux_amd64.tar.gz
c170ac336de734ddd86d3039761bf58be3261ff34685a1df2539d9661113e713  fleetctl_v4.75.1_linux_amd64.zip
91a2d95d08a52327882385883c43ad51b7a580c49f8db3ee887808c9d3222e72  fleetctl_v4.75.1_linux_arm64.tar.gz
a8a628d01e789611452ef3ce715eb7fc7f5e1bac5658a2c4965ab7b9a059b7d4  fleetctl_v4.75.1_linux_arm64.zip
b7571b281fdb8ea4e419248c3cff4f5df772133527e3c2645f46c42a6eb0f5ac  fleetctl_v4.75.1_macos.tar.gz
149dfe86fcf295e66e05e53f511988f859452e9f167f5dcfa0389f7f29bc1c36  fleetctl_v4.75.1_macos.zip
aca922953dda7f9760df7d2f3fd707e6f0edb9b92c18f037adb4a06a66d6e7aa  fleetctl_v4.75.1_windows_amd64.tar.gz
9465a688d4ded8193490edd889f9859cefae3550eea5ab783558db370f5b3ed8  fleetctl_v4.75.1_windows_amd64.zip
1bc35a50adba0336d86a6dcb7d21a9226d1fae0422b6993f465ed90249e2819e  fleetctl_v4.75.1_windows_arm64.tar.gz
4d6c09b7afa67ba3a129a2e9eeb9d8b45aa75c43cb70e4939c63f4570204ebf2  fleetctl_v4.75.1_windows_arm64.zip

fleet-v4.75.0

NOTE: Fleet added Santa tables: santa_allowed, santa_denied, santa_status. If you already deploy a custom Santa extension (like Trail of Bits) with tables that have the same names (exactly), Fleet's agent will crash. To resolve, update variables in this script and run it on macOS hosts to uninstall your custom Santa extension.

Fleet 4.75.0 (Oct 17, 2025)

Security Engineers

• Added support for Smallstep certificate authority.
• Added false-positive filtering for Linux vulnerability scanning.
• Added support for Arch Linux hosts.
• Added software inventory ingestion from Arch Linux hosts.
• Added new rate limiting implementation for Fleet Desktop API endpoints to support all/many hosts of a deployment behind NAT (single IP).
• Added support for reading server private_key from AWS Secrets Manager.
• Added support for vulnerabilities feed CPE translation JSON to override sw_edition field.
• Added filter for removing duplicate RPM python packages and renaming pip packages to match OVAL definitions (same as Ubuntu).
• Added ability to specify a Fleet host ID when declaring a manual label in a Gitops YAML file.
• Added a dedicated page, table, and logical integrations with other parts of the UI for managing labels.

IT Admins

• Added configuration profile support for Android hosts.
• Added activity logging for Android profile creation, modification, and deletion.
• Added support for software installation during Windows setup experience.
• Added support for Arch Linux hosts.
• Added software inventory ingestion from Arch Linux hosts.
• Added support to fleetctl to generate fleetd installers for Arch Linux (.pkg.tar.zst).
• Added software name into checksum calculation for macOS apps.
• Added ability to specify a Fleet host ID when declaring a manual label in a Gitops YAML file.
• Added a dedicated page, table, and logical integrations with other parts of the UI for managing labels.
• Added OpenTelemetry instrumentation to scheduled jobs and several API endpoints.
• Added CRON job to reconcile Android profiles.
• Added retries with backoff when Apple's assets API fails with a timeout error.
• Added ability to unenroll personal iOS/iPadOS devices from Fleet.
• Added support for assigning host labels based on idP attributes for iOS and iPadOS hosts.
• Added ability to turn off MDM for iOS and iPadOS devices when refetcher returns device token is inactive.

  Note: The package will need to be updated out-of-band once, because the pre-removal script from previously-generated packages is called upon an upgrade. The old pre-removal script stopped Orbit unconditionally.

• Added support for hosts enrolled with Company Portal using the legacy SSO extension (for Entra's conditional access).

Other improvements and bug fixes

• Updated DEB and RPM packages generated by fleetctl package to now be safe to upgrade in-band through the Software page.
• Updated to return count in list host certificates API response, and use it in the certificate table.
• Updated setup experience to try software installs up to 3 times by default in case of intermittent failures.
• Modified the Apple profile reconciliation CRON logic to query for installs and removals within a transaction to avoid race conditions around team or label changes.
• Fixed inconsistent spacing in Controls OS settings headers.
• Validated setting manual_agent_install option on the server.
• Ignore warning when LastOpenedAt for software is nil on macOS.
• Improved install action tooltips and modals including timestamps to VPP successful installs.
• Changed the response code for UserAuthenticate checkin messages, which are unsupported, from a 5XX to "410 Gone" as specified in the Apple MDM protocol docs for servers that do not implement this method.
• Ensured UI consistency by adding a border to the empty state of End User Authentication section.
• Added easy to understand error messages when configuring Entra conditional access in Fleet.
• Updated docs for the pwd_policy table to better reflect the meaning of days_to_expiration.
• Improved the layout of the IdP-driven label form.
• Updated Hosts table > hostname column to truncate overflowing hostnames and place the full name in a tooltip on hover.
• Removed duplicate tar.gz copies of osqueryd and Fleet Desktop from built packages (DEB/RPM/PKG).
• Extended the number of errors Fleet looks for when determining whether we should invalidate the prepared statements cache.
• Updated instructions in Linux key escrow modal.
• Adjusted log level to "info" instead of "error" when Windows MDM endpoints generate client errors (e.g. empty binary security token).
• Disabled debug logging by default in fleetctl preview and reformatted login information.
• Improved handling of host details page label pills for labels with very long names.
• Modified Controls > OS settings > Custom settings so profile upload time is based on updated_at instead of created_at.
• Added check to GitOps command to throw error if positional arguments are detected.
• Added an error message when software is defined in a package YAML file in GitOps but some fields expected in that file were set at the team level. Previously, GitOps would silently ignore the fields set at the team level in this case.
• Updated the OS updates current versions empty state to match consistancy with other empty states.
• Updated message shown in the 'Delete Script' modal.
• Added a delay to the platform compatibility tooltip showing when creating or editing a query.
• Added error when uploading signed profiles instead of when trying to deliver them.
• Updated old end user migration workflow preview, and switch to video for product consistency.
• Replaced outdated Firefox icon with a new one that follows brand guidelines.
• Updated UI to make policy pass/fail icons and copy consistent across host details, my device, and manage policies tables.
• Removed the software renaming fix introduced in 4.73.3 due to MySQL DB performance issues.
• Optimized software ingestione rename functionality to generate less lock contention during high concurrency.
• Optimized ingestion of software names on macOS apps when vendor-supplied bundle executable names are unclear.
• Optimized software title reconciliation in vulnerabilities cron job.
• Revised macOS software ingestion to correctly show application names for Steam games instead of run.sh.
• Added logic to detect and fix migration issues caused by improperly published Fleet v4.73.2 Linux binary.
• Updated go to 1.25.1.
• Fixed inconsistent subtitle text style in Custom Settings.
• Fixed SentinelOne pkg generating wrong bundle identifier for auto-install policy.
• Fixed required query parameters using field name instead of parameter name in error messages
• Fixed a bug where blocking of VPP installs on personally enrolled Apple devices was not in place.
• Fixed edit teams action in VPP table dropdown not being blocked when Fleet is in GitOps mode.
• Fixed certificate ingest parser to no longer break on multiple equal signs in certificate key pair values.
• Fixed certificate ingest parser to allow for only multiple relative distinguished names separated by +.
• Fixed 422 error when hitting /api/v1/fleet/commands endpoint with team filter.
• Fixed deletion of conditional access integration by adding a spinner and clearing the tenant ID after the deletion.
• Fixed an issue on ChromeOS and Windows where the cursor in the SQL editor is misaligned.
• Fixed issue where "Controls" link in the top nav didn't always go to the default controls page.
• Fixed cases where Firefox ESR installations would have false-positive vulnerabilities reported that were backported to the ESR.
• Fixed clicking the currently selected navbar item would cause a full-page rerender.
• Fixed EULA path to be relative to the YAML file in fleetctl gitops, as it is for other settings.
• Fixed bundle identifier for privileges macos software pkg and fixed existing software installers to use corrected software title. The privileges application should show the correct status in software inventory.
• Fixed the reported version of fleetd on the Software tab for Linux hosts.
• Fixed invalid GET and DELETE requests that incorrectly included request bodies in client code, ensuring HTTP compliance.

Fleet-maintained app updates and vulnerability fixes are applied, whether or not you upgrade.

Fleet's agent

The following version of Fleet's agent (fleetd) support the latest changes to Fleet:

1. orbit-v1.48.1
2. fleet-desktop-v1.48.1 (included with Orbit)
3. osquery-5.19.0 (included with Orbit)
4. fleetd-chrome-v1.3.3

While newer versions of fleetd still function with older versions of the Fleet server (and vice versa), Fleet does not actively test these scenarios and some newer features won't be available.

Upgrading

Please visit our upgrade guide for upgrade instructions.

Documentation

Documentation for Fleet is available at fleetdm.com/docs.

Binary Checksum

SHA256

f37a55734f73bc4930afb8dc4999655de56496f090a2f22bb60271b1fc748203  fleet_v4.75.0_linux.tar.gz
471c043b64479b986329d7b7ca29887bebc5c62349ad8b0878ed77c1250c32b6  fleetctl_v4.75.0_linux_amd64.tar.gz
fcb00a0a26053a6398a26d3ea73efd956a291505d1542b151d29e5d69fbbb802  fleetctl_v4.75.0_linux_amd64.zip
75becdcd6a98ddcdb7d82d92b2f32c7da441030a1e32648b58713737e2...

fleet-v4.73.5

Bug fixes

• Fixed edge case when renaming macOS software mapped to multiple checksums.
• During software ingestion, re-added software rename functionality to generate less lock contention during high concurrency.

Upgrading

Please visit our update guide for upgrade instructions.

Documentation

Documentation for Fleet is available at fleetdm.com/docs.

Binary Checksum

SHA256

94bd10f26d06c613829af110870286b9ef5c16c85356506872b3816fe973a8a4  fleet_v4.73.5_linux.tar.gz
274f6562a1e5c4ae4af745ce64ba9ddc7554bf98f4ca225ad1cd86f91677e0f1  fleetctl_v4.73.5_linux_amd64.tar.gz
169ffe91fb732fe10bb1bd8ddc41c59dd11175a46fd78927f277af50c32398d5  fleetctl_v4.73.5_linux_amd64.zip
a4c1095e4ebe62ff71069370e7c9b2d94063835c98d3568d69829df8d7d0e5e9  fleetctl_v4.73.5_linux_arm64.tar.gz
7e7a0acc8319dc89e8d942ff7fb9460918f328f5330902c4660cb0b920da805a  fleetctl_v4.73.5_linux_arm64.zip
5077d23f8e4bd3b130a7663e1c01b59ad39ca33d9f7500f74d9f85122215e160  fleetctl_v4.73.5_macos.tar.gz
902f092c2eb6d39d783202c75cc5cb2f6c0ef864cbfb8933bbaeebc5ac3fb054  fleetctl_v4.73.5_macos.zip
d3e95ecced5397d76ec1216ef063e15aa289ee9d774d02a1c024fb342f50b5d0  fleetctl_v4.73.5_windows_amd64.tar.gz
d45ab01e25caf87a68bafff69b15b957231538622e6aaf23cf4b93b4cb8982db  fleetctl_v4.73.5_windows_amd64.zip
d7ec75594a0abfc4db039ca92a0a44d45e1bd3413a758e99da5557e2b86ef2b4  fleetctl_v4.73.5_windows_arm64.tar.gz
5c3a79b40745aa9d93d2adea4f76bf9a906bff1775150b89005ee04afcfaeaf8  fleetctl_v4.73.5_windows_arm64.zip

fleet-v4.74.0

Fleet 4.74.0 (Oct 6, 2025)

This release includes breaking changes in the software YAML. For migration instructions and more information, please see this public document.

Security Engineers

• Added support for Hydrant as a Certificate Authority and added an experimental API that can be used to have Fleet request a certificate from a Hydrant.
• Added a check to disallow FLEET_SECRET variables in Apple configuration profile <PayloadDisplayName> fields for security.
• Added /batch/{batch_execution_id:[a-zA-Z0-9-]+}/host-results API endpoint to list hosts targeted in batch.
• Added POST /api/v1/fleet/configuration_profiles/batch API endpoint to batch modify MDM configuration profiles.
• Added a new page in the UI for batch script run details.
• Added support for AWS RDS (MySQL) IAM authentication.
• Added support for AWS ElastiCache (Redis) IAM authentication.
• Added support for hosts enrolled with Company Portal using the legacy SSO extension for Entra's conditional access.

IT Admins

• Added setup experience software items for Linux devices.
• Added ability to upload custom software icons.
• Added API endpoints for Linux setup experience.
  • Device API endpoints for fleetd: POST /api/fleet/orbit/setup_experience/init and POST /api/v1/fleet/device/{token}/setup_experience/status.
  • PUT /api/v1/fleet/setup_experience/software and GET /api/v1/fleet/setup_experience/software now have a platform argument (linux or macos, defaults to macos).
• Added IdP fullname attribute as a valid Fleet variable for Apple configuration profiles.
• Added the username of the managed user account user-scoped profiles are delivered to for macOS hosts.
• Enabled configuring webhook and ticket policy (Jira/Zendesk) automations for "No team".
• Added support for writing multiple packages in a single GitOps YAML file included under software.packages.
• Moved self_service, labels_include_any, labels_exclude_any, categories, and setup_experience declarations to team level for software in GitOps; setup_experience can now be set on a software package, Fleet Maintained App, or App Store app.
• Changed GET /host/:id to return an empty array for software field when exclude_software=true.
• Updated generate-gitops command to output filenames with emojis and other special characters where applicable.
• Added a Fleet-maintained app for macOS: Omnissa Horizon Client.
• Added opening instructions to self-service macOS apps and Windows programs.

Other improvements and bug fixes

• Added index to distributed_query_campaign_targets table to speed up DB performance for live queries.

WARNING: For deployments with millions of rows in distributed_query_campaign_targets, the database migration to add the index may take significant time. We recommend testing migration duration in a staging environment first. The initial cleanup of old campaign targets will occur progressively over multiple hours to avoid database overload.

• Added clean up of live query campaign targets 24 hours after campaign completion. This keeps the DB size in check for performance of large and frequent live query campaigns.
• Improved OpenTelemetry integration to add tracing to async tasks (host seen, labels, policies, query stats) and improve HTTP span naming, enabled gzip compression, reduced batch size to prevent gRPC errors.
• Updated output from packages_only=true so that it only returns software with available installers.
• Added tarballs summary card back into UI.
• Improved the sorting of batch scripts in the Batch Progress UI. Batches in the "started" state now sort by started date, and batches in the "finished" state now sort by the finished date.
• Removed inaccurate host count timestamp on the software version details page.
• Downgraded "distributed query is denylisted" error to a warning on the Fleet server since this message indicates a likely issue on the host and not the server. We will surface this issue in the UI in the future.
• Improved performance for YARA rules: when modifying config (PATCH /api/latest/fleet/config) with a large number of yara rules and when large numbers of hosts fetch rules via /api/osquery/yara/{name} endpoint.
• Improved performance when updating multiple policies in the UI. The policies are now updated in series to reduce server/DB load.
• Added user icon to OS settings custom profiles on host details page if they are user scoped.
• Added clearer error messages when a new password doesn't meet the password criteria.
• Removed extra spacing from under disk encryption table.
• Updated fleetctl get mdm-command-results to show output in a vertical format instead of a table.
• Optimized os_versions API response time.
• Added logic to detect and fix migration issues caused by improperly published Fleet v4.73.2 Linux binary.
• Refactored ApplyQueries DS method so that queries are upserted in batches, this was done to avoid deadlocks during large gitops runs.
• Refactored the way failing policies are computed on host details endpoint to avoid discrepancies due to read replica delays and async computation.
• Refactored PATH fleet/config endpoint to use the primary DB node for both persisting changes and fetching modified App Config.
• Fixed missing ticket integration options in Policies -> Other workflows modal for teams.
• Fixed deduplicating bug in UI to only count unique vulns when counting software title vulnerabilities across versions in various software title vulnerabilities count, and host software title vulnerabilities count.
• Fixed cases where the default auto-install policy for .deb packages would treat installed-then-uninstalled software as still installed.
• Fixed the message rendered from user_failed_login global activities on the Activity feed if the email is not specified.
• Fixed fleetctl printing binary data to terminal in debug mode.
• Fixed a bug where incorrect CVEs were received from MSRC feed.
• Fixed Fleet-installed host count not updating after software is installed over an older version.
• Fixed UI issue in the Dashboard page. The software card is now rendered while content is been fetched to avoid the layout to jump around.
• Fixed error when updating a script to exactly match the contents of another script.
• Fixed an issue where string concatenations in a LIKE expression caused a syntax error in the query editor.
• Fixed fleetctl gitops issue uploading an Apple configuration profile with a FLEET_SECRET in a <data> field.
• Fixed Linux lock script on Ubuntu with GDM to now switch UI to text mode to work around GUI issues.
• Fixed Google Cloud Storage (GCS) support broken since Fleet 4.71.0 by implementing a workaround for AWS Go SDK v2 signature compatibility issues with GCS endpoints.
• Fixed banner link colors in UI.
• Fixed an alignment issue on the My device page.
• Fix deadlocks when updating automations for 10+ policies at one time.

Fleet-maintained app updates and vulnerability fixes are applied, whether or not you upgrade.

Fleet's agent

The following version of Fleet's agent (fleetd) support the latest changes to Fleet:

1. orbit-v1.47.2
2. fleet-desktop-v1.48.1 (included with Orbit)
3. fleetd-chrome-v1.3.3

While newer versions of fleetd still function with older versions of the Fleet server (and vice versa), Fleet does not actively test these scenarios and some newer features won't be available.

Upgrading

Please visit our upgrade guide for upgrade instructions.

Documentation

Documentation for Fleet is available at fleetdm.com/docs.

Binary Checksum

SHA256

530df71bda192c2468c2d0e26bfbcd76137decab25c7f80749e67c6bdce84167  fleet_v4.74.0_linux.tar.gz
fa54e95129c4c33dd15245de7107cbcea666c9b83fc5facc54f1be9995ab1984  fleetctl_v4.74.0_linux_amd64.tar.gz
94865880a4514d2a0ccfb6e47746d13b030675286f8053b4e274934144b6a140  fleetctl_v4.74.0_linux_amd64.zip
d1ae2a3ab9d51456cda7fe3e165f2a42213db95090d3a92bb94ebf302bd61b77  fleetctl_v4.74.0_linux_arm64.tar.gz
63acdbcbea1de155a45381e97dfb86cff286ff8d551ca803292fada84171153f  fleetctl_v4.74.0_linux_arm64.zip
751d6b30d2cb0afd040fce9af784305c1a72c5d129fe1df1e47cd1a280f81019  fleetctl_v4.74.0_macos.tar.gz
696c8e59a2890bf03e68359db62ea5994ae273202748bc7fbdc6a6ab22761783  fleetctl_v4.74.0_macos.zip
44a549e26072d749a5328e8fbf2a831cfc69689254a9c424d13a862b41a232ac  fleetctl_v4.74.0_windows_amd64.tar.gz
2cefc31893421fb2400d88323c5fbef0e6d57ec52fe5473eda2d6aaac563ee1d  fleetctl_v4.74.0_windows_amd64.zip
701d0df3ad16e370303eca9cc16d0669079c93d0835e8513aa5e06187b069038  fleetctl_v4.74.0_windows_arm64.tar.gz
9f03fdde86877beb19547fcd09473edb65dec20c650598e4ae26f932f9df66b0  fleetctl_v4.74.0_windows_arm64.zip