fleet-v4.77.0

Fleet 4.77.0 (Dec 02, 2025)

Security Engineers

• Added activity log entries for: host deletion and expiration, updating or deleting host IdP mappings.
• Resolved multiple false positive vulnerability matches for the VSCode golang extension.
• Resolved false positive CVE matches for Logi Bolt.app.
• Detected vulnerabilities in JetBrains IDE plugins.

IT Admins

• Updated MDM enrollment flow for BYOD macOS hosts to enable end user authentication prior to downloading the MDM profile via the "My device" page.
• Added self-service install support for custom IPA apps on iOS and iPadOS.
• Added support for in-house (".ipa") apps to fleetctl gitops.
• Updated existing POST /setup_experience/script endpoint to allow updating the macOS setup experience script in-place, and modified GitOps to remove the DELETE call.
• Added support for Custom EST certificate authorities.
• Added ability to deploy certificates from Custom SCEP certificate authorities on Windows.
• Added status counts to batch script detail page tabs.
• Added InstallAnywhere as a self-extracting archive for PE metadata extraction.
• Added ingestion of upgrade_codes from Windows software, and provided to all relevant software endpoints.

Other improvements and bug fixes

• Improved performance of /api/latest/fleet/software/versions API endpoint.
• Updated host expiry logic to not delete macOS hosts that checkin via MDM protocol but not via fleetd.
• Optimized the cleanup Apple host profiles query to reduce probability of DB locking.
• Implemented UI logic to call existing manual update IdP API functionality.
• Implemented UI logic and new DELETE endpoint to manually remove host IdP mappings.
• Added experimental FLEET_MDM_ENABLE_CUSTOM_OS_UPDATES_AND_FILEVAULT configuration to allow deploying custom OS settings including Filevault payloads and macOS and Windows update settings.
• Added ability to change software display names in the UI.
• Fixed table styling for selecting table rows.
• Simplified setup experience configuration UI.
• Added better error messages when using build-in labels on GitOps and on the LabelSpecs endpoint.
• Hid software host count and version table when no hosts have the software installed.
• Adjusted UI section headers and layout of Settings > Integrations in Fleet Free.
• Added vulnerability seeding and performance testing tools.
• Moved end user authentication SSO settings under Integrations > SSO in global settings.
• Removed the premium check for host OS settings in host summary UI.
• Reduced Android device reconciler frequency to 1 hour.
• Reduced Android API usage by listing devices instead of getting and checking Android Enterprise disconnects hourly.
• Set the order of software installed during the setup experience to alphanumeric.
• Updated Go to 1.25.3.
• Fixed a layout issue on the script batch details page.
• Fixed installer for Cisco Secure Client not showing as installed in inventory/library due to using the wrong bundle identifier. This application should show up correctly now in the software inventory.
• Fixed errors when trying to run the apple_mdm_iphone_ipad_refetcher cron job.
• Fixed bug that prevented users from editing custom EST certificates URLs.
• Fixed incorrect UI placeholder element by replacing it with it's actual value.
• Fixed issue where vulnerabilities would occasionally show as missing.

Fleet-maintained app updates and vulnerability fixes are applied, whether or not you upgrade.

Fleet's agent

The following version of Fleet's agent (fleetd) support the latest changes to Fleet:

1. orbit-v1.50.1
2. fleet-desktop-v1.50.1 (included with Orbit)
3. osquery-5.20.0 (included with Orbit)
4. fleetd-chrome-v1.3.3

While newer versions of fleetd still function with older versions of the Fleet server (and vice versa), Fleet does not actively test these scenarios and some newer features won't be available.

Upgrading

Please visit our upgrade guide for upgrade instructions.

Documentation

Documentation for Fleet is available at fleetdm.com/docs.

Binary Checksum

SHA256

014f227e5e473510a215d64c7d589eca436a7ae8dd4418af30d50b2f36cbb4ff  fleet_v4.77.0_linux.tar.gz
694ba395c6274c36876a364a1c0c48cbcfa29e0fbe48cd5bdb4b249281657ba8  fleetctl_v4.77.0_linux_amd64.tar.gz
b9c7f4fab027228d1d9ee03d3d91e4f0d21ddcd2d66ca5260b237861285f50a1  fleetctl_v4.77.0_linux_amd64.zip
7f1abd61ec0e113c8f2c1344901a4fc93620da86bcef90b546f82498fe512758  fleetctl_v4.77.0_linux_arm64.tar.gz
8376763b99fa04f89fa4cfd4fdcafd1e3e0d50b7706f70ce12f0e8ef6886bfc8  fleetctl_v4.77.0_linux_arm64.zip
cac4ae3ccb3816d1ef8cd29b347d39126a3c33fc178393fac936ba3489fe4a06  fleetctl_v4.77.0_macos.tar.gz
b641a3e666150e4eeec6cca8e3e4bbf37a0c69605ad54cc0b997c47df684fb48  fleetctl_v4.77.0_macos.zip
e53f1d9ea91c31661bd6e5521911553beaf1af48163d6887f5075f82460a1ddb  fleetctl_v4.77.0_windows_amd64.tar.gz
6dcfca6971b22bd842e30e5f24051fe97f81432bc3d7be81c034fbb98e491004  fleetctl_v4.77.0_windows_amd64.zip
f9cf1cfcf510ca724c55778edad5dff585073aa94797c4fc9e9cc44693cda071  fleetctl_v4.77.0_windows_arm64.tar.gz
9b11e38a413c6f73cdfe680e024a0874e62c249fa2696129f3bb0dcd13e81efe  fleetctl_v4.77.0_windows_arm64.zip

fleet-v4.76.1

Bug fixes

• Updated existing /setup_experience/script POST endpoint to allow updating the macOS setup experience script in-place, and modified gitops to remove the DELETE call

Upgrading

Please visit our update guide for upgrade instructions.

Documentation

Documentation for Fleet is available at fleetdm.com/docs.

Binary Checksum

SHA256

39c17ecb56815ecef51cb91fae7228bf13b67a8be1e8cb101f863276ef263e82  fleet_v4.76.1_linux.tar.gz
af2b6a9813222a215b5756f7593fdcc666e5cda9212e16612b7583cb6bcd067d  fleetctl_v4.76.1_linux_amd64.tar.gz
48bb1af1b6256214400db94ea7c0263207b8a43a32aaa255ab4cd2a7b2662a4a  fleetctl_v4.76.1_linux_amd64.zip
4f2adb5fb1262cfce62f185fa0e9d0934730e46dd1a66fe73d7824b44c8fe86c  fleetctl_v4.76.1_linux_arm64.tar.gz
cc0f256a095064fd83ea244a676cecbadfd4572883802a347cf643d07cfb4ce0  fleetctl_v4.76.1_linux_arm64.zip
40226d6081351c2042e641471aa21064d368bff30a47ff11c2dbcef54b131d83  fleetctl_v4.76.1_macos.tar.gz
ae1eb85029e3ea9abea1cd3e4a8aa8c1680862b13cd9a03a4bb653747c219554  fleetctl_v4.76.1_macos.zip
bd39ce43c6d408e3448f21043f7b95f9618218ff4d7b0100be7143f8c1d9cd18  fleetctl_v4.76.1_windows_amd64.tar.gz
95a1781fd00fa9e4202c8c4bbc8ec9f6e74715b440c06159b407a8f8aaba52f4  fleetctl_v4.76.1_windows_amd64.zip
af958f7bad34d11ecc2be44b2d1860dc2b90c9d2743642609ae56ed46026e294  fleetctl_v4.76.1_windows_arm64.tar.gz
d4584c2524488468f45c14db870a1afa3d9ed2b8010b0d584b775338ad52d13e  fleetctl_v4.76.1_windows_arm64.zip

fleet-v4.76.0

Fleet 4.76.0 (Nov 7, 2025)

Security Engineers

• Added support for software inventory on Android hosts.
• Added support for npm packages in software inventory and vulnerability matching for macOS and Linux hosts.
• Added support for JetBrains inventory on hosts.
• Added vulnerbaility detection in JetBrains plugins.
• Added support for VSCode fork (Cursor, Windsurf, VSCodium, VSCodium Insiders, and Trae) extensions in software inventory.
• Added Santa tables to fleetd.

IT Admins

• Added ability to install software for iOS and iPadOS hosts during the setup experience.
• Added ability to specify VPP apps for automatic installation during ADE iOS and iPadOS host enrollment.
• Added the ability to lock iOS and iPadOS devices through lost mode.
• Added support for locking and unlocking iOS and iPadOS devices from the UI.
• Added configuration option to setup experience for macOS hosts to halt if any software install fails.
• Added gigs_all_disk_space vital collection, storage, service, and UI rendering for Linux hosts.
• Added new server config flag for specifying the cleanup age for completed distributed targets.

Other improvements and bug fixes

• Added link component shown in the host column to the host details page.
• Added flash warning when an unauthorized user tries to access teams settings.
• Added descriptive error in cases of manual macOS profile download failure.
• Updated the macOS setup experience to use the new web UI.
• Updated the UI for adding new scripts to the scripts library.
• Changed display logic for the organization logo component on the My Device page to prevent flickering.
• Improved performance of /api/latest/fleet/os_versions endpoint, especially for deployments with Linux hosts.
• Optimized MySQL queries on /api/latest/fleet/vulnerabilities and /api/latest/fleet/software/versions to improve performance for Fleet UI use cases.
• Optimized /config API endpoint to use the primary DB node for both persisting changes and fetching modified app config.
• Improved live query response times by adding a new server config flag for specifying the cleanup age for completed distributed targets.
• Improved query performance by using a lighter-weight query for checking if a team is enabled for conditional access.
• Changed license warning to only show one time during GitOps runs.
• Updated to allow setting an org support url to use the "file" protocol in the url.
• Changed the default name of Host Identity CA to 'Fleet Host Identity CA' to avoid conflict with Fleet's Apple MDM CA.
• Updated host details run script user flows to include a confirmation step.
• Applied singular word form to GitOps log messages when a single entity is referenced in the message.
• Updated the "Setting up your device" page to show status of setup script run.
• Deprecate browser in favor of extension_for in API responses and JSON/YAML outputs.
• Added migration to clear the platform field on all builtin labels.
• Added migration to relink missing SCIM user data to hosts.
• Updated host certificate renewal flow for NDES, Smallstep, custom scep proxy CAs to support $FLEET_VAR_SCEP_RENEWAL_ID in the OU field rather than CN.
• Updated device mapping API to allow an "idp" source to manually set IDP user mappings.
• Updated styling to be more consistent in edit policies view for FireFox.
• Replaced outdated Firefox icon with a new one that follows brand guidelines.
• Allowed testing a new or edited policy query via live query while in GitOps Mode.
• Fixed missing "failed" VPP app install activities when installation is canceled due to MDM being turned off for a host.
• Fixed bug where uploading a software installer failed because it was "not found in the datastore".
• Fixed missing aboslute timestamp tooltips on script creation date in script list, query modification date in query list.
• Fixed bug with the ChangeManagement component where the GitOps checkbox local UI state was being reset due to GET request after PATCH request.
• Fixed MySQL deadlocks when multiple hosts are updating their certificates in host vitals at the same time.
• Fixed an issue where longer variable names ($FLEET_VAR_HOST_END_USER_IDP_USERNAME_LOCAL_PART) with the same base ($FLEET_VAR_HOST_END_USER_IDP_USERNAME) was not processed in the right order.
• Fixed UI bug where "Show disk encryption key" option was incorrectly displayed for hosts enrolled with a third-party MDM solution.
• Fixed WhatsApp and VS Code icons not displaying correctly
• Fixed bad software ingestion debug message and added filter for invalid software with missing names.
• Fixed a bug where a software installer could be installed in the same team and same platform (macOS) where an App Store app already existed for the same software title, and vice-versa (App Store app added when a sofware package already existed, this one was only possible just via fleetctl gitops).
• Fixed listing hosts with populate_software not returning hash_sha256 for macos apps.
• Fixed bug where batch setting MDM profiles could cause a nil pointer dereference when processing an invalid profile (e.g., cannot parse mobileconfig because it is bad xml).
• Fixed bug hiding the UI elements post install script output in Software Install Details modal.
• Fixed software title host count mismatch that was caused by including software installers in the count.
• Fixed a scenario where a wiped Windows host re-enrolled as a distinct host row in Fleet and the previous host's page could not be loaded successfully.
• Fixed an issue where a host transfer on mdm_enrolled activity would be reversed by orbit enroll.
• Fixed a bug in live queries that caused livequery:{$CAMPAIGN_ID} Redis keys to not be cleaned up or expire.
• Fixed inconsistency in GitOps for App store apps if no VPP token was found, so that both dry run and actual run fails.
• Fixed the software title counts by status to be consistent with the status reported in the host's software list and filter by status.
• Fixed outdated tooltip on dark background logo URL field in Organization info settings.
• Fixed fleetctl generate-gitops when MDM is not turned on.

Fleet-maintained app updates and vulnerability fixes are applied, whether or not you upgrade.

Fleet's agent

The following version of Fleet's agent (fleetd) support the latest changes to Fleet:

1. orbit-v1.48.1
2. fleet-desktop-v1.49.1 (included with Orbit)
3. osquery-5.20.0 (included with Orbit)
4. fleetd-chrome-v1.3.3

While newer versions of fleetd still function with older versions of the Fleet server (and vice versa), Fleet does not actively test these scenarios and some newer features won't be available.

Upgrading

Please visit our upgrade guide for upgrade instructions.

Documentation

Documentation for Fleet is available at fleetdm.com/docs.

Binary Checksum

SHA256

0fbb04d29e075b25a80d1c5acfdf60e9bfb38289cdf123a8f72b78dfe3bd805f  fleet_v4.76.0_linux.tar.gz
9d3eadeae6d3f1a2fbe65032c2a667945040d8a5db17f664c7532f5109701dd0  fleetctl_v4.76.0_linux_amd64.tar.gz
fa78a4fdddef9bf9ebb7eaeba43b719c24dc1629a30e46feed57855a4ad9d3ab  fleetctl_v4.76.0_linux_amd64.zip
7f030c055185d50d47852f152f8ec8bfc86bf883435a4b4ca6317a50b7e849b6  fleetctl_v4.76.0_linux_arm64.tar.gz
3d59a661cf054db548f0aca6da4ab68fa8d94e11ae749fd0e8896a09dac8aec9  fleetctl_v4.76.0_linux_arm64.zip
2e3a52d862238877e190733e597eadb801f6ef63cf32c0247b2f3237ea2f9c11  fleetctl_v4.76.0_macos.tar.gz
5a8f36ed77cf1d80cce10cca2ac66c4cb04c1deb32d9364512de2cf1d3c7bd01  fleetctl_v4.76.0_macos.zip
849e04c80a830095739a84541525d7d79ff4e2485c98d7765f987f5fd12db546  fleetctl_v4.76.0_windows_amd64.tar.gz
584d9a2d476182d2307c275070257e80ab903d1eb51f329bfef88d0a647eaefc  fleetctl_v4.76.0_windows_amd64.zip
8aacc129b1483b044ea576e3efd3b9d418a7634edb16623349a784f7ff9c7582  fleetctl_v4.76.0_windows_arm64.tar.gz
1bf46c17000a3e83e2ae68b368d78b32e1ddf9dee9d9ed333534ef9eec818f0c  fleetctl_v4.76.0_windows_arm64.zip

fleet-v4.75.1

Bug fixes

• Fixed fleetctl generate-gitops when MDM is not turned on.
• Reduced load on migration from 4.74.0 and below.

Upgrading

Please visit our update guide for upgrade instructions.

Documentation

Documentation for Fleet is available at fleetdm.com/docs.

Binary Checksum

SHA256

579c79becb7bea7812185150fd0706e161b3f4753f81302d920aba9bfc2bf3a4  fleet_v4.75.1_linux.tar.gz
77afc5ca0f1051f41b787c52ffd401fbe1eaefc4a7d1859732f87f8491828b99  fleetctl_v4.75.1_linux_amd64.tar.gz
c170ac336de734ddd86d3039761bf58be3261ff34685a1df2539d9661113e713  fleetctl_v4.75.1_linux_amd64.zip
91a2d95d08a52327882385883c43ad51b7a580c49f8db3ee887808c9d3222e72  fleetctl_v4.75.1_linux_arm64.tar.gz
a8a628d01e789611452ef3ce715eb7fc7f5e1bac5658a2c4965ab7b9a059b7d4  fleetctl_v4.75.1_linux_arm64.zip
b7571b281fdb8ea4e419248c3cff4f5df772133527e3c2645f46c42a6eb0f5ac  fleetctl_v4.75.1_macos.tar.gz
149dfe86fcf295e66e05e53f511988f859452e9f167f5dcfa0389f7f29bc1c36  fleetctl_v4.75.1_macos.zip
aca922953dda7f9760df7d2f3fd707e6f0edb9b92c18f037adb4a06a66d6e7aa  fleetctl_v4.75.1_windows_amd64.tar.gz
9465a688d4ded8193490edd889f9859cefae3550eea5ab783558db370f5b3ed8  fleetctl_v4.75.1_windows_amd64.zip
1bc35a50adba0336d86a6dcb7d21a9226d1fae0422b6993f465ed90249e2819e  fleetctl_v4.75.1_windows_arm64.tar.gz
4d6c09b7afa67ba3a129a2e9eeb9d8b45aa75c43cb70e4939c63f4570204ebf2  fleetctl_v4.75.1_windows_arm64.zip

fleet-v4.75.0

NOTE: Fleet added Santa tables: santa_allowed, santa_denied, santa_status. If you already deploy a custom Santa extension (like Trail of Bits) with tables that have the same names (exactly), Fleet's agent will crash. To resolve, update variables in this script and run it on macOS hosts to uninstall your custom Santa extension.

Fleet 4.75.0 (Oct 17, 2025)

Security Engineers

• Added support for Smallstep certificate authority.
• Added false-positive filtering for Linux vulnerability scanning.
• Added support for Arch Linux hosts.
• Added software inventory ingestion from Arch Linux hosts.
• Added new rate limiting implementation for Fleet Desktop API endpoints to support all/many hosts of a deployment behind NAT (single IP).
• Added support for reading server private_key from AWS Secrets Manager.
• Added support for vulnerabilities feed CPE translation JSON to override sw_edition field.
• Added filter for removing duplicate RPM python packages and renaming pip packages to match OVAL definitions (same as Ubuntu).
• Added ability to specify a Fleet host ID when declaring a manual label in a Gitops YAML file.
• Added a dedicated page, table, and logical integrations with other parts of the UI for managing labels.

IT Admins

• Added configuration profile support for Android hosts.
• Added activity logging for Android profile creation, modification, and deletion.
• Added support for software installation during Windows setup experience.
• Added support for Arch Linux hosts.
• Added software inventory ingestion from Arch Linux hosts.
• Added support to fleetctl to generate fleetd installers for Arch Linux (.pkg.tar.zst).
• Added software name into checksum calculation for macOS apps.
• Added ability to specify a Fleet host ID when declaring a manual label in a Gitops YAML file.
• Added a dedicated page, table, and logical integrations with other parts of the UI for managing labels.
• Added OpenTelemetry instrumentation to scheduled jobs and several API endpoints.
• Added CRON job to reconcile Android profiles.
• Added retries with backoff when Apple's assets API fails with a timeout error.
• Added ability to unenroll personal iOS/iPadOS devices from Fleet.
• Added support for assigning host labels based on idP attributes for iOS and iPadOS hosts.
• Added ability to turn off MDM for iOS and iPadOS devices when refetcher returns device token is inactive.

  Note: The package will need to be updated out-of-band once, because the pre-removal script from previously-generated packages is called upon an upgrade. The old pre-removal script stopped Orbit unconditionally.

• Added support for hosts enrolled with Company Portal using the legacy SSO extension (for Entra's conditional access).

Other improvements and bug fixes

• Updated DEB and RPM packages generated by fleetctl package to now be safe to upgrade in-band through the Software page.
• Updated to return count in list host certificates API response, and use it in the certificate table.
• Updated setup experience to try software installs up to 3 times by default in case of intermittent failures.
• Modified the Apple profile reconciliation CRON logic to query for installs and removals within a transaction to avoid race conditions around team or label changes.
• Fixed inconsistent spacing in Controls OS settings headers.
• Validated setting manual_agent_install option on the server.
• Ignore warning when LastOpenedAt for software is nil on macOS.
• Improved install action tooltips and modals including timestamps to VPP successful installs.
• Changed the response code for UserAuthenticate checkin messages, which are unsupported, from a 5XX to "410 Gone" as specified in the Apple MDM protocol docs for servers that do not implement this method.
• Ensured UI consistency by adding a border to the empty state of End User Authentication section.
• Added easy to understand error messages when configuring Entra conditional access in Fleet.
• Updated docs for the pwd_policy table to better reflect the meaning of days_to_expiration.
• Improved the layout of the IdP-driven label form.
• Updated Hosts table > hostname column to truncate overflowing hostnames and place the full name in a tooltip on hover.
• Removed duplicate tar.gz copies of osqueryd and Fleet Desktop from built packages (DEB/RPM/PKG).
• Extended the number of errors Fleet looks for when determining whether we should invalidate the prepared statements cache.
• Updated instructions in Linux key escrow modal.
• Adjusted log level to "info" instead of "error" when Windows MDM endpoints generate client errors (e.g. empty binary security token).
• Disabled debug logging by default in fleetctl preview and reformatted login information.
• Improved handling of host details page label pills for labels with very long names.
• Modified Controls > OS settings > Custom settings so profile upload time is based on updated_at instead of created_at.
• Added check to GitOps command to throw error if positional arguments are detected.
• Added an error message when software is defined in a package YAML file in GitOps but some fields expected in that file were set at the team level. Previously, GitOps would silently ignore the fields set at the team level in this case.
• Updated the OS updates current versions empty state to match consistancy with other empty states.
• Updated message shown in the 'Delete Script' modal.
• Added a delay to the platform compatibility tooltip showing when creating or editing a query.
• Added error when uploading signed profiles instead of when trying to deliver them.
• Updated old end user migration workflow preview, and switch to video for product consistency.
• Replaced outdated Firefox icon with a new one that follows brand guidelines.
• Updated UI to make policy pass/fail icons and copy consistent across host details, my device, and manage policies tables.
• Removed the software renaming fix introduced in 4.73.3 due to MySQL DB performance issues.
• Optimized software ingestione rename functionality to generate less lock contention during high concurrency.
• Optimized ingestion of software names on macOS apps when vendor-supplied bundle executable names are unclear.
• Optimized software title reconciliation in vulnerabilities cron job.
• Revised macOS software ingestion to correctly show application names for Steam games instead of run.sh.
• Added logic to detect and fix migration issues caused by improperly published Fleet v4.73.2 Linux binary.
• Updated go to 1.25.1.
• Fixed inconsistent subtitle text style in Custom Settings.
• Fixed SentinelOne pkg generating wrong bundle identifier for auto-install policy.
• Fixed required query parameters using field name instead of parameter name in error messages
• Fixed a bug where blocking of VPP installs on personally enrolled Apple devices was not in place.
• Fixed edit teams action in VPP table dropdown not being blocked when Fleet is in GitOps mode.
• Fixed certificate ingest parser to no longer break on multiple equal signs in certificate key pair values.
• Fixed certificate ingest parser to allow for only multiple relative distinguished names separated by +.
• Fixed 422 error when hitting /api/v1/fleet/commands endpoint with team filter.
• Fixed deletion of conditional access integration by adding a spinner and clearing the tenant ID after the deletion.
• Fixed an issue on ChromeOS and Windows where the cursor in the SQL editor is misaligned.
• Fixed issue where "Controls" link in the top nav didn't always go to the default controls page.
• Fixed cases where Firefox ESR installations would have false-positive vulnerabilities reported that were backported to the ESR.
• Fixed clicking the currently selected navbar item would cause a full-page rerender.
• Fixed EULA path to be relative to the YAML file in fleetctl gitops, as it is for other settings.
• Fixed bundle identifier for privileges macos software pkg and fixed existing software installers to use corrected software title. The privileges application should show the correct status in software inventory.
• Fixed the reported version of fleetd on the Software tab for Linux hosts.
• Fixed invalid GET and DELETE requests that incorrectly included request bodies in client code, ensuring HTTP compliance.

Fleet-maintained app updates and vulnerability fixes are applied, whether or not you upgrade.

Fleet's agent

The following version of Fleet's agent (fleetd) support the latest changes to Fleet:

1. orbit-v1.48.1
2. fleet-desktop-v1.48.1 (included with Orbit)
3. osquery-5.19.0 (included with Orbit)
4. fleetd-chrome-v1.3.3

While newer versions of fleetd still function with older versions of the Fleet server (and vice versa), Fleet does not actively test these scenarios and some newer features won't be available.

Upgrading

Please visit our upgrade guide for upgrade instructions.

Documentation

Documentation for Fleet is available at fleetdm.com/docs.

Binary Checksum

SHA256

f37a55734f73bc4930afb8dc4999655de56496f090a2f22bb60271b1fc748203  fleet_v4.75.0_linux.tar.gz
471c043b64479b986329d7b7ca29887bebc5c62349ad8b0878ed77c1250c32b6  fleetctl_v4.75.0_linux_amd64.tar.gz
fcb00a0a26053a6398a26d3ea73efd956a291505d1542b151d29e5d69fbbb802  fleetctl_v4.75.0_linux_amd64.zip
75becdcd6a98ddcdb7d82d92b2f32c7da441030a1e32648b58713737e2...

fleet-v4.73.5

Bug fixes

• Fixed edge case when renaming macOS software mapped to multiple checksums.
• During software ingestion, re-added software rename functionality to generate less lock contention during high concurrency.

Upgrading

Please visit our update guide for upgrade instructions.

Documentation

Documentation for Fleet is available at fleetdm.com/docs.

Binary Checksum

SHA256

94bd10f26d06c613829af110870286b9ef5c16c85356506872b3816fe973a8a4  fleet_v4.73.5_linux.tar.gz
274f6562a1e5c4ae4af745ce64ba9ddc7554bf98f4ca225ad1cd86f91677e0f1  fleetctl_v4.73.5_linux_amd64.tar.gz
169ffe91fb732fe10bb1bd8ddc41c59dd11175a46fd78927f277af50c32398d5  fleetctl_v4.73.5_linux_amd64.zip
a4c1095e4ebe62ff71069370e7c9b2d94063835c98d3568d69829df8d7d0e5e9  fleetctl_v4.73.5_linux_arm64.tar.gz
7e7a0acc8319dc89e8d942ff7fb9460918f328f5330902c4660cb0b920da805a  fleetctl_v4.73.5_linux_arm64.zip
5077d23f8e4bd3b130a7663e1c01b59ad39ca33d9f7500f74d9f85122215e160  fleetctl_v4.73.5_macos.tar.gz
902f092c2eb6d39d783202c75cc5cb2f6c0ef864cbfb8933bbaeebc5ac3fb054  fleetctl_v4.73.5_macos.zip
d3e95ecced5397d76ec1216ef063e15aa289ee9d774d02a1c024fb342f50b5d0  fleetctl_v4.73.5_windows_amd64.tar.gz
d45ab01e25caf87a68bafff69b15b957231538622e6aaf23cf4b93b4cb8982db  fleetctl_v4.73.5_windows_amd64.zip
d7ec75594a0abfc4db039ca92a0a44d45e1bd3413a758e99da5557e2b86ef2b4  fleetctl_v4.73.5_windows_arm64.tar.gz
5c3a79b40745aa9d93d2adea4f76bf9a906bff1775150b89005ee04afcfaeaf8  fleetctl_v4.73.5_windows_arm64.zip

fleet-v4.74.0

Fleet 4.74.0 (Oct 6, 2025)

This release includes breaking changes in the software YAML. For migration instructions and more information, please see this public document.

Security Engineers

• Added support for Hydrant as a Certificate Authority and added an experimental API that can be used to have Fleet request a certificate from a Hydrant.
• Added a check to disallow FLEET_SECRET variables in Apple configuration profile <PayloadDisplayName> fields for security.
• Added /batch/{batch_execution_id:[a-zA-Z0-9-]+}/host-results API endpoint to list hosts targeted in batch.
• Added POST /api/v1/fleet/configuration_profiles/batch API endpoint to batch modify MDM configuration profiles.
• Added a new page in the UI for batch script run details.
• Added support for AWS RDS (MySQL) IAM authentication.
• Added support for AWS ElastiCache (Redis) IAM authentication.
• Added support for hosts enrolled with Company Portal using the legacy SSO extension for Entra's conditional access.

IT Admins

• Added setup experience software items for Linux devices.
• Added ability to upload custom software icons.
• Added API endpoints for Linux setup experience.
  • Device API endpoints for fleetd: POST /api/fleet/orbit/setup_experience/init and POST /api/v1/fleet/device/{token}/setup_experience/status.
  • PUT /api/v1/fleet/setup_experience/software and GET /api/v1/fleet/setup_experience/software now have a platform argument (linux or macos, defaults to macos).
• Added IdP fullname attribute as a valid Fleet variable for Apple configuration profiles.
• Added the username of the managed user account user-scoped profiles are delivered to for macOS hosts.
• Enabled configuring webhook and ticket policy (Jira/Zendesk) automations for "No team".
• Added support for writing multiple packages in a single GitOps YAML file included under software.packages.
• Moved self_service, labels_include_any, labels_exclude_any, categories, and setup_experience declarations to team level for software in GitOps; setup_experience can now be set on a software package, Fleet Maintained App, or App Store app.
• Changed GET /host/:id to return an empty array for software field when exclude_software=true.
• Updated generate-gitops command to output filenames with emojis and other special characters where applicable.
• Added a Fleet-maintained app for macOS: Omnissa Horizon Client.
• Added opening instructions to self-service macOS apps and Windows programs.

Other improvements and bug fixes

• Added index to distributed_query_campaign_targets table to speed up DB performance for live queries.

WARNING: For deployments with millions of rows in distributed_query_campaign_targets, the database migration to add the index may take significant time. We recommend testing migration duration in a staging environment first. The initial cleanup of old campaign targets will occur progressively over multiple hours to avoid database overload.

• Added clean up of live query campaign targets 24 hours after campaign completion. This keeps the DB size in check for performance of large and frequent live query campaigns.
• Improved OpenTelemetry integration to add tracing to async tasks (host seen, labels, policies, query stats) and improve HTTP span naming, enabled gzip compression, reduced batch size to prevent gRPC errors.
• Updated output from packages_only=true so that it only returns software with available installers.
• Added tarballs summary card back into UI.
• Improved the sorting of batch scripts in the Batch Progress UI. Batches in the "started" state now sort by started date, and batches in the "finished" state now sort by the finished date.
• Removed inaccurate host count timestamp on the software version details page.
• Downgraded "distributed query is denylisted" error to a warning on the Fleet server since this message indicates a likely issue on the host and not the server. We will surface this issue in the UI in the future.
• Improved performance for YARA rules: when modifying config (PATCH /api/latest/fleet/config) with a large number of yara rules and when large numbers of hosts fetch rules via /api/osquery/yara/{name} endpoint.
• Improved performance when updating multiple policies in the UI. The policies are now updated in series to reduce server/DB load.
• Added user icon to OS settings custom profiles on host details page if they are user scoped.
• Added clearer error messages when a new password doesn't meet the password criteria.
• Removed extra spacing from under disk encryption table.
• Updated fleetctl get mdm-command-results to show output in a vertical format instead of a table.
• Optimized os_versions API response time.
• Added logic to detect and fix migration issues caused by improperly published Fleet v4.73.2 Linux binary.
• Refactored ApplyQueries DS method so that queries are upserted in batches, this was done to avoid deadlocks during large gitops runs.
• Refactored the way failing policies are computed on host details endpoint to avoid discrepancies due to read replica delays and async computation.
• Refactored PATH fleet/config endpoint to use the primary DB node for both persisting changes and fetching modified App Config.
• Fixed missing ticket integration options in Policies -> Other workflows modal for teams.
• Fixed deduplicating bug in UI to only count unique vulns when counting software title vulnerabilities across versions in various software title vulnerabilities count, and host software title vulnerabilities count.
• Fixed cases where the default auto-install policy for .deb packages would treat installed-then-uninstalled software as still installed.
• Fixed the message rendered from user_failed_login global activities on the Activity feed if the email is not specified.
• Fixed fleetctl printing binary data to terminal in debug mode.
• Fixed a bug where incorrect CVEs were received from MSRC feed.
• Fixed Fleet-installed host count not updating after software is installed over an older version.
• Fixed UI issue in the Dashboard page. The software card is now rendered while content is been fetched to avoid the layout to jump around.
• Fixed error when updating a script to exactly match the contents of another script.
• Fixed an issue where string concatenations in a LIKE expression caused a syntax error in the query editor.
• Fixed fleetctl gitops issue uploading an Apple configuration profile with a FLEET_SECRET in a <data> field.
• Fixed Linux lock script on Ubuntu with GDM to now switch UI to text mode to work around GUI issues.
• Fixed Google Cloud Storage (GCS) support broken since Fleet 4.71.0 by implementing a workaround for AWS Go SDK v2 signature compatibility issues with GCS endpoints.
• Fixed banner link colors in UI.
• Fixed an alignment issue on the My device page.
• Fix deadlocks when updating automations for 10+ policies at one time.

Fleet-maintained app updates and vulnerability fixes are applied, whether or not you upgrade.

Fleet's agent

The following version of Fleet's agent (fleetd) support the latest changes to Fleet:

1. orbit-v1.47.2
2. fleet-desktop-v1.48.1 (included with Orbit)
3. fleetd-chrome-v1.3.3

While newer versions of fleetd still function with older versions of the Fleet server (and vice versa), Fleet does not actively test these scenarios and some newer features won't be available.

Upgrading

Please visit our upgrade guide for upgrade instructions.

Documentation

Documentation for Fleet is available at fleetdm.com/docs.

Binary Checksum

SHA256

530df71bda192c2468c2d0e26bfbcd76137decab25c7f80749e67c6bdce84167  fleet_v4.74.0_linux.tar.gz
fa54e95129c4c33dd15245de7107cbcea666c9b83fc5facc54f1be9995ab1984  fleetctl_v4.74.0_linux_amd64.tar.gz
94865880a4514d2a0ccfb6e47746d13b030675286f8053b4e274934144b6a140  fleetctl_v4.74.0_linux_amd64.zip
d1ae2a3ab9d51456cda7fe3e165f2a42213db95090d3a92bb94ebf302bd61b77  fleetctl_v4.74.0_linux_arm64.tar.gz
63acdbcbea1de155a45381e97dfb86cff286ff8d551ca803292fada84171153f  fleetctl_v4.74.0_linux_arm64.zip
751d6b30d2cb0afd040fce9af784305c1a72c5d129fe1df1e47cd1a280f81019  fleetctl_v4.74.0_macos.tar.gz
696c8e59a2890bf03e68359db62ea5994ae273202748bc7fbdc6a6ab22761783  fleetctl_v4.74.0_macos.zip
44a549e26072d749a5328e8fbf2a831cfc69689254a9c424d13a862b41a232ac  fleetctl_v4.74.0_windows_amd64.tar.gz
2cefc31893421fb2400d88323c5fbef0e6d57ec52fe5473eda2d6aaac563ee1d  fleetctl_v4.74.0_windows_amd64.zip
701d0df3ad16e370303eca9cc16d0669079c93d0835e8513aa5e06187b069038  fleetctl_v4.74.0_windows_arm64.tar.gz
9f03fdde86877beb19547fcd09473edb65dec20c650598e4ae26f932f9df66b0  fleetctl_v4.74.0_windows_arm64.zip

fleet-v4.73.4

Bug fixes

• Added logic to detect and fix migration issues caused by improperly published Fleet v4.73.2 Linux binary
• Removing the software renaming fix introduced in 4.73.3 due to MySQL DB performance issues.

Upgrading

Please visit our update guide for upgrade instructions.

Documentation

Documentation for Fleet is available at fleetdm.com/docs.

Binary Checksum

SHA256

edf98e19e61f63f4f6143f325e6a7eeef777ef48f3e7682d0b0d6bbf1995daa3  fleet_v4.73.4_linux.tar.gz
e805fd97450f04f5e8bfef436f798998eb37118a0c849b58155b4480da3f51f0  fleetctl_v4.73.4_linux_amd64.tar.gz
20cc65fdda7738646219bc36cdeb6f8ca702cbf46fcef0f7e20fd8fb0976b92b  fleetctl_v4.73.4_linux_amd64.zip
50dd3c882b487c1ff9fac7deaa6bd7e1912ee2296aee9d05adab8daa909a9a24  fleetctl_v4.73.4_linux_arm64.tar.gz
958875f37dae9a1f5ca30f336bc3eecf0da006a75cefe0ecb2a787498a26f165  fleetctl_v4.73.4_linux_arm64.zip
a34261aeb76d61cfc14e58923636f75c43dbaba337a25d36d6c71144bc0de131  fleetctl_v4.73.4_macos.tar.gz
a74bcb8e265ebebbb92fe3b7c8d99164c7a412e544724ae90c5fc9e44592ac3c  fleetctl_v4.73.4_macos.zip
3a22ccba53366baf3da55b19a9a2e91027ebac22db6cda88c3c03cdf9cea3069  fleetctl_v4.73.4_windows_amd64.tar.gz
c02973c12472c730cf1a24b1d6dad5a6360267a9059dd1bc4a1c1ac67c23cabb  fleetctl_v4.73.4_windows_amd64.zip
5dce20f2b79ebcc4c9333e8f68bbadf0f76bbc47a2a4fedf1154b123632c4924  fleetctl_v4.73.4_windows_arm64.tar.gz
b240008226f216c37d820272e53549b68ea2fc0d61ff6790c81cbf8d9a9bf7fa  fleetctl_v4.73.4_windows_arm64.zip

fleet-v4.73.3

NOTE: We have received reports of increased database load during software ingestion in v4.73.3. A fix is in progress and will be included in v4.73.4.

Bug fixes

• Improved software ingestion DB lock times by pre-inserting software/titles in smaller batches when hosts check in.
• Re-added and optimized fix for macos software ingestion to prevent duplicate software due to end user renaming software on host.

Upgrading

Please visit our update guide for upgrade instructions.

Documentation

Documentation for Fleet is available at fleetdm.com/docs.

Binary Checksum

SHA256

934cdb6fd20afb029fd99608d7972af2ae4658580362b505faa4ca0a06bcb96c  fleet_v4.73.3_linux.tar.gz
19eb88339d929ffd07c72dce7e41817f0cd316a7a4c89c7adab34ba228ed08ed  fleetctl_v4.73.3_linux_amd64.tar.gz
ce318c62458f5425e00204f91c66e05ab3d66da5c59541d4723c254ff7683f21  fleetctl_v4.73.3_linux_amd64.zip
8174d7de77065a7b50e82f83691c50fca8144ffcbbbcdb199f5d59ba30a35b8f  fleetctl_v4.73.3_linux_arm64.tar.gz
2f517fed155756a3c8377813d1655454beb15ab20428680b2e444ac793b9c14f  fleetctl_v4.73.3_linux_arm64.zip
48f293af536ab72d0a6ff9b9643df6e9cbe82cb9e6b197de24c465df15a4d574  fleetctl_v4.73.3_macos.tar.gz
e8f353c1fb9d1cf6183393a987ffb09a6796cb8b244e4af9cacb1b63f6c7b55d  fleetctl_v4.73.3_macos.zip
e73f53fc4d546e1af86bebecbd9b0accd2ab2c803c3f48d969eabb4708cd674d  fleetctl_v4.73.3_windows_amd64.tar.gz
86b93bc8fbaac95e8c6082633e6e2c47a7685d8a6d9952dd35a34dfad740dda4  fleetctl_v4.73.3_windows_amd64.zip
f38f43ef9478985ef342ac1cb70491c11ec9453d017346177ade5cde0a9fb1df  fleetctl_v4.73.3_windows_arm64.tar.gz
e06bdc22cde34ad22080c126a3d8816d8cb143bf31e59addf8949ffb90c1efb2  fleetctl_v4.73.3_windows_arm64.zip

fleet-v4.73.2

Bug fixes

• Optimized the query used to list a host’s script results so it performs well with large result sets.
• Fixed MySQL DB performance regressions introduced in Fleet 4.73.0/4.73.1 affecting OS versions and software titles read queries.

Upgrading

Please visit our update guide for upgrade instructions.

Documentation

Documentation for Fleet is available at fleetdm.com/docs.

Binary Checksum

SHA256

e72f2f9760e09931d1aed05fbe48ac2e16e1b788deb2faffa053d2d0669da89c  fleet_v4.73.2_linux.tar.gz
e48eeb6de0b3ed3eb179cd31818e51b86d86d5ba3f1af5af44605c6ebcc22d05  fleetctl_v4.73.2_linux_amd64.tar.gz
bc8cdf540e25ef0b7574f02e19e26124ba46a46e79f6b43a07c2d47d4bce74a5  fleetctl_v4.73.2_linux_amd64.zip
87716778ae105fb78d5f0cece665399aab47fc9b28acab6a71f1d12e514f2f5f  fleetctl_v4.73.2_linux_arm64.tar.gz
0e9925abdbbf57702ee209ece0db7ab8578cbb927cfad92398bd858277bc8bf7  fleetctl_v4.73.2_linux_arm64.zip
c35c622cc8b58636290487b062052f07719f0dc54ee466ddf1f4490d0724e05c  fleetctl_v4.73.2_macos.tar.gz
2473e7ac284f18997a3c16db853c2adac7776046dc5ac32ff6d6bab61325a048  fleetctl_v4.73.2_macos.zip
225ae8ea860e41868da7a538a3d8bf9e565cd03951c37f4d2e16e3f55c8c9746  fleetctl_v4.73.2_windows_amd64.tar.gz
4cb519cf0daeb6591e378a5543f4ecead7dee32d158620b32a918e6dc5890e56  fleetctl_v4.73.2_windows_amd64.zip
7ed349f9b0c43ee871fc27593f0569e52dc462b6a00a333c43405e546c8ae8a9  fleetctl_v4.73.2_windows_arm64.tar.gz
3f45ec61dd14b9c6ac521f7918c253cd8747bf84ff302a8070b18fecc53accd1  fleetctl_v4.73.2_windows_arm64.zip