Releases: fleetdm/fleet

fleet-v4.86.1

03 Jun 15:30
0a61c5d

Bug fixes

  • Updated conditional access policy query to use parameter binding for platform filter.

Upgrading

Please visit our update guide for upgrade instructions.

Documentation

Documentation for Fleet is available at fleetdm.com/docs.

Binary Checksum

SHA256

fleet-v4.85.2

03 Jun 01:25
9c74792

Bug fixes

  • Fixed a server out-of-memory crash that could occur when Apple's VPP (App and Book Management) API repeatedly returned transient errors (HTTP 500 with Retry-After, or error 9646) during VPP API operations (e.g., app installs, user registration, license seat releases).

Upgrading

Please visit our update guide for upgrade instructions.

Documentation

Documentation for Fleet is available at fleetdm.com/docs.

Binary Checksum

SHA256

fleet-v4.86.0

29 May 22:53
a3e7de6

Fleet 4.86.0 (May 29, 2026)

IT Admins

  • Added automatic rotation of managed local admin account passwords after they have been viewed.
  • Added a require_all_software_windows setting to cancel the Windows setup experience if any software install fails during Autopilot enrollment, matching the existing macOS behavior.
  • Added GitOps support for uploading custom org logos. fleetctl gitops accepts org_logo_path_dark_mode and org_logo_path_light_mode keys to upload local files, and fleetctl generate-gitops exports Fleet-hosted logos as local files alongside path keys while keeping external URLs as org_logo_url_*_mode keys.
  • Added support for installing VPP and in-house (.ipa) apps on iOS and iPadOS hosts enrolled via Account-Driven User Enrollment with a Managed Apple Account.
  • Enabled self-service software installs from the My device page for user-enrolled iOS and iPadOS hosts.
  • Enabled setup experience software in Controls > Setup experience to install automatically on user-enrolled iOS and iPadOS hosts at enrollment.
  • Provisioned a VPP client user per Managed Apple Account on first install, and associated VPP licenses to the user rather than the device, supporting Apple's up-to-5-devices-per-user licensing semantics.
  • Added managed app configuration for iOS and iPadOS apps (VPP and in-house), configurable via UI, REST API, and GitOps, with $FLEET_VAR_* substitution.
  • Added support for VPP apps purchased from non-US-based Apple Business accounts.
  • Added the ability to upload a custom organization logo for light and dark modes, hosted by Fleet, replacing the previous URL-only flow on the setup screen and organization settings page.
  • Added include_all label scope to policies, and include_all and include_any label scopes to reports, including support via GitOps and fleetctl.
  • Added a "Custom" target dropdown when creating or updating reports under the premium tier.
  • Added an "Include all" option to the "Custom" target dropdown on Policies for premium users only.
  • Added permissions for the GitOps user to list software titles.
  • Added support for setting gitops_mode_enabled and repository_url via GitOps.
  • Added output to GitOps for scripts, indicating how many scripts would be applied (dry run) or were applied.
  • Added activity entries for retried software installs and script runs from policy automations.
  • Added an activity when hosts fail enrollment profile renewal.
  • Added activities when users create, edit, or delete labels (created_label, edited_label, and deleted_label).
  • Added "Hosts online", "Hosts enrolled", and "Vulnerability exposure" charts to the dashboard.
  • Added an option to convert and return a PEM-encoded X.509 certificate instead of a PEM-encoded PKCS7 envelope from the Request a Certificate endpoint.
  • Added a deprecation warning when using setup_experience.software or macos_setup.software keys in config.
  • Released fleetctl as a pkg for macOS.
  • Released fleetctl as an msi for Windows.
  • Enabled wiping a host to cancel all of its upcoming activities.
  • Updated the default automatic enrollment profile, and added the ability to download and view the applied default profile.
  • Updated OS version reporting for iOS and iPadOS to include the Rapid Security Response suffix (e.g. (a)) when the device reports a SupplementalOSVersionExtra field via MDM.
  • Updated fleetd and MDM enroll activities to display the serial number and preserve the osquery-provided display name.
  • Required the --host flag for fleetctl get mdm-commands, and deprecated GET /api/v1/fleet/commands without a host_identifier.
  • Cleared host vitals on ABM host re-enrollment, with a config option to preserve past host activities.

Security Engineers

  • Added macOS 26 CIS Benchmark v1.0.0.
  • Updated CIS Windows 11 Enterprise benchmark policies from v4.0.0 to v5.0.1, adding 17 new L1 policies and updating 42 existing policy titles.
  • Surfaced hardware-bound ACME certificates on macOS host vitals by retrieving them via the MDM CertificateList command when an ACME-bearing configuration profile is installed or re-installed.
  • Added SVG support for custom organization logos, with strict server-side sanitization to reject scripts and other unsafe SVG content.
  • Added support for the subject_alternative_name field on Android certificate templates.
  • Optimized OSV vulnerability scanning to query distinct software per OS version rather than per host, reducing redundant database queries for many hosts sharing the same packages.
  • Improved vulnerability scanning performance by using a per-vendor product cache during CVE matching to optimize translate_cpe_to_cve.

Bug fixes and improvements

  • Updated Go to 1.26.3.
  • Removed debug symbols from fleet and fleetctl executables to reduce binary size.
  • Reduced database load from GET /api/latest/fleet/device/{token}/desktop and other Fleet Desktop endpoints when invalid or expired device auth tokens are presented, by resolving the token to a host ID with a single-table indexed lookup before running the multi-join host-details query.
  • Improved Windows MDM performance when transferring large numbers of hosts between teams or applying bulk profile changes. These operations now return quickly and roll out profile updates to Windows hosts in the background, so host check-ins and other MDM activity are no longer slowed down while a large change is in progress.
  • Added a Redis-backed cache for host lookups on the osquery and orbit authentication paths. Successful lookups are cached for 60s (±10% jitter) and invalidated on writes that mutate cached host fields. Reduces reader-side DB load at scale without changing the HTTP contract. Requires Redis 6.2 or later.
  • Added a missing uninstall option on the host software library even when an installer has no matching software in the host's inventory.
  • Improved Windows MDM profile removal performance by scoping the desired-state subquery.
  • Improved Windows MDM profile removal performance by skipping redundant database writes for verified-remove ACKs.
  • Consolidated non-variable templated Windows MDM profile command inserts from one per-profile to a single bulk insert.
  • Added a periodic cron job to clean up the Windows MDM command queue, reducing write pressure during ACK transactions.
  • Made host team assignment sticky across orbit and osquery re-enrollments.
  • Improved errors returned from the API when running fleetctl commands by dropping path and status code.
  • Improved validation of order parameters on list endpoints.
  • Added the orbit.debug_logging_on_enroll_duration agent option to enable orbit debug logging for a specified time period after enrollment.
  • Improved validation for invalid order_key values in /api/v1/fleet/commands, /api/v1/fleet/mdm/commands, and /api/v1/fleet/mdm/apple/commands endpoints.
  • Improved the error message when the name key is omitted from a GitOps YAML file.
  • Improved the error message when deleting a label used for targeting a software installation.
  • Updated fleetctl gitops to warn when labels: is specified in no-team or unassigned files, where it is not supported.
  • Updated the expired Fleet Premium license CLI banner to link to https://fleetdm.com/learn-more-about/downgrading instead of a stale FAQ anchor.
  • Updated the Edit label page to reference "fleets" instead of "teams" when a label is associated with a fleet.
  • Updated the setup experience Users card with a link to PSSO local account documentation.
  • Updated empty state copy to be action-oriented. Headers describe the current state ("No hosts", "No policies for this fleet") instead of prompting action. Body text explains what to expect. CTA buttons are explicit ("Add policy", "Schedule a report") and permission-gated.
  • Updated empty states on Hosts, Reports, Policies, and Software pages so search bars, filters, and dropdowns remain visible but disabled when empty, avoiding layout shift when the first item is added. Item count remains visible.
  • Updated Settings, Fleets, Ticket destinations, Certificates, and Identity provider pages with consistent page descriptions and learn-more links.
  • Updated empty state visuals to a fresher, consistent design.
  • Updated timestamps with tooltips on the host Vitals component to always use cursor: pointer.
  • Updated the version of the checkout action in the fleetctl new template to avoid Node warnings.
  • Updated the MSI builder to skip packaging the unusable "dummy" secret value when building fleetd-base.msi for Autopilot installs.
  • Scoped install commands for user-enrolled hosts to the host's Managed Apple Account (clientUserIds) instead of serialNumbers, so apps install on the correct user account on the device.
  • Surfaced a clear host-level error when license association fails during install (for example, no licenses available or the user has reached the 5-device limit) instead of failing silently.
  • Made created_at upper-bound filtering consistent on the list activities API. The endpoint now caps results at now by default whether or not start_created_at is provided, matching the documented behavior of end_created_at.
  • Unified access to global and team policies in the UI by using the now-generic GET /api/latest/fleet/policies/:id endpoint.
  • Wrapped Get-ItemProperty calls in try/catch blocks during registry enumeration to gracefully handle terminating exceptions (e.g. System.InvalidCastException) from malformed registry entries, logging the offending path instead of aborting.
  • Replaced the cryptic "startTLS error: ..." flash with a prescriptive message when saving SMTP settings fails because SSL/TLS is disabled but STARTTLS is still enabled. Added a tooltip on the SSL/TLS checkbox pointing to the STARTTLS toggle in Advanced options.
  • Removed a dead SQL condition in hostVPPInstalls that was misleading but har...

fleet-v4.85.1

22 May 17:35
8a41f01

Bug fixes

  • Fixed fleetctl gitops rejecting Android or Windows configuration profiles when editing an existing team, even when the corresponding MDM platform was configured.
  • Implemented roaring bitmaps in historical data collection for improved performance.
  • Fixed dynamic SCEP certificate issuance failing with an "Invalid NDES admin credentials" error when the NDES Admin URL is fronted by Okta or another gateway that uses HTTP Basic auth instead of NTLM.
  • Removed an unneeded call to get tracked CVEs when reading CVE chart data.

Upgrading

Please visit our update guide for upgrade instructions.

Documentation

Documentation for Fleet is available at fleetdm.com/docs.

Binary Checksum

SHA256

fleet-v4.85.0

14 May 15:36
732ae4e

Fleet 4.85.0 (May 14, 2026)

IT Admins

  • Added a dark theme to the Fleet UI, selectable in account settings with light, dark, and system options.
  • Implemented Clear Passcode feature for iOS and iPadOS.
  • Added support for Fleet variables in Apple's declaration profiles (DDM).
  • Added support for passing end-user authentication context to the Fleet MSI installer during Windows MDM enrollment, so end users are not prompted to authenticate twice when EUA is enabled.
  • Switched to Docker as the default WiX runtime on macOS (including Apple Silicon) when generating .msi packages via fleetctl package. Wine is no longer required on macOS for the default path.
  • Updated macOS 15 CIS benchmark to include v2.0.0 changes.
  • Updated the macOS 14 (Sonoma) CIS policy set to benchmark v3.0.0.
  • Switched Fleet-maintained apps serving location from GitHub to https://maintained-apps.fleetdm.com/manifests. If this site is inaccessible, Fleet will fall back to the previous GitHub-hosted copies of manifest files.
  • Added conditional HTTP downloads using ETag headers for software in GitOps, skipping re-download when content hasn't changed.
  • Added always_download option for software in GitOps to bypass the new conditional download feature.
  • Added automatic escaping of JSON special characters in GitOps variables used in .json configuration profiles (Apple DDM declarations and Android profiles).
  • Updated fleetctl gitops to process Android certificates before Android profiles.
  • Made fleet name uniqueness rules consistent across the UI, API, and GitOps paths. Fleet names must now differ by more than letter case, and conflicts return a 409 error on all code paths.
  • Enabled renewing and deleting AB tokens in the UI in GitOps mode.
  • Changed the team's script_execution_timeout in agent options to default to the global agent options value when unset.
  • Added ability to save policies whose SQL is flagged as a syntax error.
  • Withheld Android Wi-Fi configuration profiles (openNetworkConfiguration with ClientCertKeyPairAlias) until the referenced certificate is installed or terminally failed on the device.
  • Updated the host OS settings detail column to show the reason when an Android profile is pending due to a certificate dependency.
  • Added "Hosts online", "Vulnerability exposure", and "Hosts enrolled" charts to the dashboard.
  • Added an admin setting to control retention of vulnerability-exposure data used by the dashboard chart.
  • Added new policy details page with a read-only view of policy information.
  • Updated edit policy page to redirect users with read-only access to the policy details page.
  • Added dedicated /policies/:id/live route for running policies.

Security Engineers

  • Added UI pages for creating and editing API-only users with support for fleet assignment, role selection, and API endpoint access control.
  • Added new middleware (APIOnlyEndpointCheck) that enforces a 403 response for API-only users whose request either isn't in the API endpoint catalog or falls outside their configured per-user endpoint restrictions.
  • Added POST /users/api_only endpoint for creating API-only users.
  • Added PATCH /users/api_only/{id} endpoint for updating existing API-only users.
  • Updated fleetctl user create --api-only to remove email and password field requirements.
  • Added a new premium GET /api/_version_/fleet/rest_api endpoint that returns the contents of the embedded api_endpoints.yml artifact.
  • Updated GET /users/{id} response to include the new api_endpoints field for API-only users.
  • Added user_api_endpoints table to track per-user API endpoint permissions.

Bug fixes and improvements

  • Updated Go to 1.26.3.
  • Improved MySQL writer performance by skipping no-op UPDATE host_orbit_info and UPDATE host_disks writes when the stored values already match the incoming ingest values from osquery, cutting these writes to near zero at steady state.
  • Improved Fleet-maintained apps (FMA) sync performance by adding an index on software.bundle_identifier that eliminates a full table scan during the hourly sync, reducing writer CPU load on large deployments.
  • Improved the performance of deleting Windows MDM configuration profiles at scale by collapsing the per-profile update loop into a single batched statement that spans multiple profiles per chunk.
  • Updated copy, show, and other action buttons app-wide for a more consistent style.
  • Improved button and link styling.
  • Improved the OS settings modal layout.
  • Improved host policy empty state.
  • Updated the enrollment page enroll button to render at full screen width for larger-resolution mobile devices.
  • Updated the error message returned when an invalid domain is supplied for MDM Apple CSR signing.
  • Updated EULA PDF upload size check to use the default max request body size.
  • Added activity when a Windows MDM wipe command fails.
  • Improved documentation for MySQL read replica configuration, clarifying that all settings (including region for IAM authentication) must be explicitly set for the read replica.
  • Upgraded to TypeScript 6.0 for the app frontend.
  • Moved some core UI form components to TypeScript for better predictability and reliability.
  • Removed the unused windows_updates MySQL table and ingestion code.
  • Implemented the chart bounded context and schema to support charting capabilities in Fleet.
  • Added gitOpsModeEnabled and gitOpsModeExceptions to the anonymous statistics payload.
  • Added startup validation that panics if any route declared in service/api_endpoints.yml is not registered in the router.
  • Stopped turning on Prometheus serving by default with a hard-coded username and password when the server is started with --dev.
  • Fixed a Windows BitLocker encrypt/decrypt loop on machines with secondary drives using auto-unlock. Fleet now detects disk encryption using conversion_status (not just protection_status), preventing the server from repeatedly requesting encryption when the disk is already encrypted. Added bitlocker_protection_status tracking so the UI shows "Action required" when BitLocker protection is off instead of misleadingly showing "Verified."
  • Fixed a race condition where a host could silently revert to its previous team after an admin team transfer.
  • Fixed an issue where trying to wipe a device after its certificate was renewed could fail due to a missing bootstrap token. Note: The device might still have wiped.
  • Fixed a server panic (502) when an Android pubsub status report arrived for a host that had been deleted from Fleet.
  • Fixed a server panic when an Apple MDM DeviceInformation refetch response omitted DeviceName or other expected fields.
  • Fixed an issue where Fleet would send an AccountConfiguration command to iOS and iPadOS devices when end user authentication was enabled; AccountConfiguration is macOS-only.
  • Fixed a bug where pending MDM profile rows persisted in the database after Apple or Windows MDM was turned off, causing stale profiles to reappear when MDM was re-enabled. Also fixed cleanup of pending Windows profile rows when a device unenrolls from MDM.
  • Fixed a bug where custom package installers were not removed when adding an FMA for the same title via GitOps, which caused setup experience to install duplicate software.
  • Fixed a bug where renaming a patch policy in a GitOps file caused it to be deleted initially.
  • Fixed a bug where host environment variables in script-only packages would cause GitOps to fail.
  • Fixed an issue where the DDM reconciler would not self-heal for stuck remove/pending profiles due to resend with update.
  • Fixed an issue where a host DDM cleanup function was not executed for stale remove/pending profiles that weren't reported by the device.
  • Fixed an issue where batch processing many DDM profile changes would result in stuck remove/pending profiles.
  • Fixed an issue where sending a differently cased display name for a DDM profile via the batch endpoint would result in recreating the DDM profile and triggering a resend.
  • Fixed an issue where Fleet would not remove the host OS setting entry if a RemoveProfile command failed with error code 89 (profile not found on device).
  • Fixed an issue where adding a custom icon for a script-only package was not allowed in GitOps.
  • Fixed an issue where duplicate Disk Encryption activity types showed up.
  • Fixed the host details activity feed showing the previously opened host's activities by including the host ID in the activity query cache keys.
  • Fixed navigation to the settings page for multi-team admin users.
  • Fixed software table page number to be bookmarkable.
  • Fixed an infinite page loop pagination bug on the software table page that occurred when viewing a subsequent page and then using the software filter dropdown.
  • Fixed styling bugs in GitOps mode UI.
  • Fixed padding between GitOps exceptions checkboxes.
  • Fixed a nil pointer dereference in the contributor API spec/policies.

Fleet-maintained app updates and vulnerability fixes are applied, whether or not you upgrade.

Fleet's agent

The following versions of Fleet's agent (fleetd) support the latest changes to Fleet:

  1. orbit-v1.55.0
  2. fleet-desktop-v1.55.0 (included with Orbit)
  3. osquery-5.23.0 (included with Orbit)
  4. fleetd-chrome-v1.3.5
  5. fleetd-android-v1.0.2

While newer versions of fleetd still function with older versions of Fleet, old versions of fleetd and osquery may not function with new versions of Fleet. We do not actively test these scenarios, and we recommend deploying a minimum of the agent versions above before upgrading to this version of Fleet.

Upgrading

Ple...

fleet-v4.84.3

07 May 16:55
39503ff

Bug fixes

  • Reduced database load from GET /api/latest/fleet/device/{token}/desktop and other Fleet Desktop endpoints when invalid or expired device auth tokens are presented, by resolving the token to a host id with a single-table indexed lookup before running the multi-join host-details query.

Upgrading

Please visit our update guide for upgrade instructions.

Documentation

Documentation for Fleet is available at fleetdm.com/docs.

Binary Checksum

SHA256

fleet-v4.84.2

01 May 22:40
f6dc5eb

Bug fixes

  • Fixed filtering in /api/v1/fleet/labels/:id/hosts endpoint.
  • Fixed a dead SQL condition in hostVPPInstalls that was misleading but harmless: Android VPP apps never produce nano_command_results entries (they use Google's Android Management API, not nanoMDM), so the previous (hvsi.platform != 'android' OR ncr.id IS NULL) guard was a tautology. Replaced with a clarifying comment.
  • Fixed access in Fleet UI > Settings > Variables so that custom variables cannot be added while in GitOps mode, both in the empty state and when a variable already exists.
  • Fixed a bug where custom package installers were not removed when adding an FMA for the same title via GitOps, which caused setup experience to install duplicate software.
  • Fixed a bug where host environment variables in script-only packages would cause GitOps to fail.
  • Updated Go to 1.26.2.
  • Fixed an issue where trying to wipe a device after its certificate was renewed could fail due to a missing bootstrap token. Note: The device might still have wiped.
  • Fixed a bug where duplicate software installers for Linux could be added.
  • Improved validation for invalid order_key values in /api/v1/fleet/commands, /api/v1/fleet/mdm/commands and /api/v1/fleet/mdm/apple/commands endpoints.
  • Fixed a server panic when an Apple MDM DeviceInformation refetch response omitted DeviceName or other expected fields.

Upgrading

Please visit our update guide for upgrade instructions.

Documentation

Documentation for Fleet is available at fleetdm.com/docs.

Binary Checksum

SHA256

fleet-v4.84.1

01 May 04:34
64c2a31

Bug fixes

  • Fixed Fleet's Docker image failing to start in Kubernetes with an unknown userid error, triggered by a fleetctl dependency side effect.
  • Switched to Docker as the default WiX runtime on macOS (including Apple Silicon) when generating .msi packages via fleetctl package. Wine is no longer required on macOS for the default path.

Upgrading

Please visit our update guide for upgrade instructions.

Documentation

Documentation for Fleet is available at fleetdm.com/docs.

Binary Checksum

SHA256

fleet-v4.84.0

25 Apr 01:13
545725c

NOTE FOR SELF-HOSTED: the fleetdm/fleet:v4.84.0 Docker image is broken in Kubernetes environments. Use fleetdm/fleet:v4.84.1 instead.

Fleet 4.84.0 (Apr 24, 2026)

IT Admins

  • Added support for Entra conditional access to Windows devices.
  • Added ability to pin Fleet-maintained apps to a specific major version in GitOps.
  • Implemented ACME for MDM protocol communication, and hardware device attestation.
  • Added GET /api/v1/fleet/hosts/{id}/reports endpoint (also accessible as /hosts/{id}/queries) that lists the query reports associated with a specific host.
  • Added support for labels_include_all conditional scoping for software installers and apps.
  • Added validation for software install, uninstall, and post-install scripts.
  • Added ability to specify custom patch policy query in an FMA manifest.
  • Added ability to re-send Android certificates to a specific host.
  • Added Reports tab to Host details page.
  • Allowed specifying a Fleet-Maintained App (FMA) as a policy software automation in GitOps.
  • Added support for running Python scripts on macOS and Linux.
  • Added automatic retry (up to 3 times) when the Android agent reports a certificate install failure.
  • Added activity logging when a certificate is installed or fails to install on an Android host.
  • Enabled the host activity card on the Android host details page.
  • Switched Fleet-maintained apps serving location from GitHub to https://maintained-apps.fleetdm.com/manifests. NOTE: If you limit outbound Fleet server traffic, make sure it can access the new FMA manifests location.
  • Increased automatic retry limit for failed Apple (macOS, iOS, iPadOS) configuration profiles from 1 to 3. Windows profiles remain at 1 retry.
  • Added a new disk_space fleetd table for macOS that reports available disk space including purgeable storage, matching the value shown in Finder's "Get Info" dialog and System Settings → General → Storage.
  • Added removal of Windows configuration profiles from hosts via SyncML <Delete> commands when a profile is deleted or a host moves teams, bringing Windows profile removal to parity with macOS.
  • Added support for outputting VPP policy automations in fleetctl generate-gitops.
  • Added logging of profile names alongside MDM commands installing or removing them.
  • Added indication in the UI when a profile command was deferred via NotNow status.
  • Added activity when setup experience is canceled due to software install failure.
  • Added cancel activities for each VPP app install skipped due to setup experience cancellation, and switched "failed" activity to "canceled" for package-based software installs in the same situation.
  • Added install failure activity when VPP installs fail due to licensing issues during setup experience.

Security Engineers

  • Added vulnerability detection for Microsoft 365 Apps and Office products on Windows.
  • Added OSV data source for Ubuntu vulnerability scanning.
  • Added automatic rotation of Mac recovery lock passwords 1 hour after the password is viewed via the API.
  • Updated ingestion/CVE logic to support JetBrains software with 2 version numbers, like WebStorm 2025.1.
  • Addressed false positive vulnerabilities (CVE-2019-17201, CVE-2019-17202) reported for Admin By Request on macOS and Linux hosts. These CVEs are Windows-specific.
  • Generated correct CPE from malformed ipswitch whatsup CPE, ensuring applicable CVEs are matched.
  • Added software source to ecosystem matching to help prevent non-deterministic CPE selection when multiple vendors exist for the same product.

Other improvements and bug fixes

  • Upped the default limit for the software batch endpoint, from 1MiB to 25MiB.
  • Added FLEET_MDM_CERTIFICATE_PROFILES_LIMIT server config option to throttle the number of CA certificate profile installations per reconciler cycle, preventing CA server overload in large deployments.
  • Added banner to Add software page to inform users that Android web apps require Google Chrome.
  • Enabled Windows MDM in fleetctl preview by auto-generating WSTEP certificates on startup.
  • Used the same templates for fleetctl new and new instance initialization.
  • Added "API time" to GitOps output on API errors.
  • Allowed clearing Windows OS update deadline and grace period fields to remove enforcement.
  • Updated ordering of setup experience software to take display names into account.
  • Updated iOS/iPadOS refetch logic to slowly clear out old/stale results.
  • Increased the default SSO session validity period from 5 to 15 minutes.
  • Improved performance of distributed read endpoint by reducing mutex contention in shouldUpdate using sync.RWMutex instead of sync.Mutex.
  • Allowed OTEL service name to be overridden with standard OTEL_SERVICE_NAME env var.
  • Revised which versions Fleet tests MySQL against to remove 8.0.39 and add 8.0.42.
  • Allowed typing whitespace on Settings > Integrations > SSO > End users form.
  • Removed incorrect report key from get/create/modify API responses.
  • Added (query_id, has_data, host_id, last_fetched) index on query_results.
  • Improved database query performance for the Host Details > Reports page by adding a has_data virtual generated column to query_results.
  • Made sure that fleet names are trimmed and validated to prevent whitespace-only or padded names across API, GitOps, frontend, and existing data.
  • Hid host details > reports in the UI from platforms that do not support scheduled reporting.
  • Updated GitOps label functionality to allow omitting the hosts: key under a manual label to mean "preserve existing host membership", rather than removing all hosts.
  • Added Flatcar Container Linux and CoreOS to the list of recognized Linux platforms, fixing host detail queries (IP address, disk space, etc.) not being sent to hosts running these distributions.
  • Updated the default fleet selected when navigating to the dashboard and to controls.
  • Reduced redundant database queries during policy result submission by computing flipping policies once per host check-in instead of multiple times.
  • Reduced redundant database calls in the osquery distributed query results hot path by pre-loading configuration (AppConfig, HostFeatures, TeamMDMConfig, conditional access) once per request instead of once per detail query result.
  • Updated UI to use new multiplatform API keys.
  • Activated warnings for deprecated API parameters, API URLs, fleetctl commands and fleetctl command options.
  • Updated the Request Certificate API to return the proper PEM header for PKCS #7 certificates returned by EST CAs.
  • Added "Learn more" link on End User Authentication section.
  • Moved Apple MDM worker to a faster cron, and started sending profiles on Post DEP enrollment job, to speed up initial macOS setup.
  • Optimized PolicyQueriesForHost and ListPoliciesForHost SQL queries by replacing correlated subqueries with a single aggregated LEFT JOIN for label-based policy scoping, reducing query time by ~77% at scale.
  • Improved VPP install failure messaging to explain verification timeouts in Host details and My device install details.
  • Refactored large anonymous functions into named functions to improve nil-safety static analysis coverage.
  • Renamed "Custom settings" to "Configuration profiles" in Fleet UI.
  • Added description to UI to help users understand which fleet a policy belongs to during add/edit.
  • Updated Fleet-maintained apps to overwrite software title names on sync and when adding an FMA installer.
  • Improved Fleet server performance for the Windows MDM profiles summary and host OS settings filter queries by replacing correlated subqueries with a single aggregation pass.
  • Improved Windows MDM server performance at scale by reducing redundant database queries during device check-ins.
  • Updated Go to 1.26.1.
  • Fixed a server panic when uploading a Windows MDM profile to a fleet on a free license.
  • Fixed MSRC vulnerability scanning to differentiate between Windows Server Core and full desktop installations, preventing false positive/negative CVEs caused by non-deterministic product matching.
  • Fixed GitOps policy software resolution failing when URL lookup doesn't match, by falling back to hash-based lookup.
  • Fixed GitOps failing to delete a certificate authority when certificate templates still reference it in fleet configs.
  • Fixed duplicate text in error message when script validation fails when adding a custom package.
  • Fixed issue where the include_available_for_install query param wasn't being applied correctly to the GET /api/latest/fleet/hosts/{id}/software endpoint.
  • Fixed disk encryption key modal to not show stale key when switching between hosts.
  • Fixed SCIM user not associating with host when IdP username was set before the SCIM user was created.
  • Fixed Google Drive version not matching upstream.
  • Fixed bug that cleared the MDM lock state if an "idle" message was received right after the lock ACK.
  • Fixed team maintainers, admins, and GitOps users being unable to add certificate templates due to missing read access to certificate authorities.
  • Fixed fleetd installation failure on macOS when installing it through Host details page > Software > Library as a Custom package.
  • Fixed a bug where SQL queries using table aliases (e.g., FROM mounts m) incorrectly reported no compatible platforms.
  • Fixed fleetctl gitops failing with "No available VPP Token" when assigning VPP apps alongside a new team.
  • Fixed a bug where OS versions were not populated in vulnerability details for OS-only vulnerabilities (e.g., macOS CVEs).
  • Fixed a TOCTOU-related issue in the check performed before deleting the last admin.
  • Fixed database locking issues on the policy_membership table by batching cleanup DELETE operations and moving them outside the primary GitOps apply transaction.
  • Fixed success message on Android softwar...

fleet-v4.83.2

14 Apr 12:05
3140b44

Bug fixes

  • Fixed a crash on the "My device" page for Fleet Free instances. The page returned a 402 error when the host was assigned to a team because the device endpoint called a premium-only API, and also crashed when accessing undefined policies data.

Upgrading

Please visit our update guide for upgrade instructions.

Documentation

Documentation for Fleet is available at fleetdm.com/docs.

Binary Checksum

SHA256
