github fleetdm/fleet fleet-v4.75.0


Fleet 4.75.0 (Oct 17, 2025)

Security Engineers

  • Added support for Smallstep certificate authority.
  • Added false-positive filtering for Linux vulnerability scanning.
  • Added support for Arch Linux hosts.
  • Added software inventory ingestion from Arch Linux hosts.
  • Added new rate limiting implementation for Fleet Desktop API endpoints to support all/many hosts of a deployment behind NAT (single IP).
  • Added support for reading server private_key from AWS Secrets Manager.
  • Added support for vulnerabilities feed CPE translation JSON to override sw_edition field.
  • Added filter for removing duplicate RPM python packages and renaming pip packages to match OVAL definitions (same as Ubuntu).
  • Added ability to specify a Fleet host ID when declaring a manual label in a GitOps YAML file.
  • Added a dedicated page, table, and logical integrations with other parts of the UI for managing labels.

IT Admins

  • Added configuration profile support for Android hosts.
  • Added activity logging for Android profile creation, modification, and deletion.
  • Added support for software installation during Windows setup experience.
  • Added support for Arch Linux hosts.
  • Added software inventory ingestion from Arch Linux hosts.
  • Added support to fleetctl to generate fleetd installers for Arch Linux (.pkg.tar.zst).
  • Added software name into checksum calculation for macOS apps.
  • Added ability to specify a Fleet host ID when declaring a manual label in a GitOps YAML file.
  • Added a dedicated page, table, and logical integrations with other parts of the UI for managing labels.
  • Added OpenTelemetry instrumentation to scheduled jobs and several API endpoints.
  • Added CRON job to reconcile Android profiles.
  • Added retries with backoff when Apple's assets API fails with a timeout error.
  • Added ability to unenroll personal iOS/iPadOS devices from Fleet.
  • Added support for assigning host labels based on IdP attributes for iOS and iPadOS hosts.
  • Added ability to turn off MDM for iOS and iPadOS devices when the refetcher reports that the device token is inactive.

    Note: The package will need to be updated out-of-band once, because the pre-removal script from previously-generated packages is called upon an upgrade. The old pre-removal script stopped Orbit unconditionally.

  • Added support for hosts enrolled with Company Portal using the legacy SSO extension (for Entra's conditional access).

Other improvements and bug fixes

  • Updated DEB and RPM packages generated by fleetctl package to now be safe to upgrade in-band through the Software page.
  • Updated to return count in list host certificates API response, and use it in the certificate table.
  • Updated setup experience to try software installs up to 3 times by default in case of intermittent failures.
  • Modified the Apple profile reconciliation CRON logic to query for installs and removals within a transaction to avoid race conditions around team or label changes.
  • Fixed inconsistent spacing in Controls OS settings headers.
  • Validated setting manual_agent_install option on the server.
  • Ignore warning when LastOpenedAt for software is nil on macOS.
  • Improved install action tooltips and modals including timestamps to VPP successful installs.
  • Changed the response code for UserAuthenticate checkin messages, which are unsupported, from a 5XX to "410 Gone" as specified in the Apple MDM protocol docs for servers that do not implement this method.
  • Ensured UI consistency by adding a border to the empty state of End User Authentication section.
  • Added easy to understand error messages when configuring Entra conditional access in Fleet.
  • Updated docs for the pwd_policy table to better reflect the meaning of days_to_expiration.
  • Improved the layout of the IdP-driven label form.
  • Updated Hosts table > hostname column to truncate overflowing hostnames and place the full name in a tooltip on hover.
  • Removed duplicate tar.gz copies of osqueryd and Fleet Desktop from built packages (DEB/RPM/PKG).
  • Extended the number of errors Fleet looks for when determining whether we should invalidate the prepared statements cache.
  • Updated instructions in Linux key escrow modal.
  • Adjusted log level to "info" instead of "error" when Windows MDM endpoints generate client errors (e.g. empty binary security token).
  • Disabled debug logging by default in fleetctl preview and reformatted login information.
  • Improved handling of host details page label pills for labels with very long names.
  • Modified Controls > OS settings > Custom settings so profile upload time is based on updated_at instead of created_at.
  • Added check to GitOps command to throw error if positional arguments are detected.
  • Added an error message when software is defined in a package YAML file in GitOps but some fields expected in that file were set at the team level. Previously, GitOps would silently ignore the fields set at the team level in this case.
  • Updated the OS updates current versions empty state to be consistent with other empty states.
  • Updated message shown in the 'Delete Script' modal.
  • Added a delay to the platform compatibility tooltip showing when creating or editing a query.
  • Added error when uploading signed profiles instead of when trying to deliver them.
  • Updated old end user migration workflow preview, and switched to video for product consistency.
  • Replaced outdated Firefox icon with a new one that follows brand guidelines.
  • Updated UI to make policy pass/fail icons and copy consistent across host details, my device, and manage policies tables.
  • Removed the software renaming fix introduced in 4.73.3 due to MySQL DB performance issues.
  • Optimized software ingestion rename functionality to generate less lock contention during high concurrency.
  • Optimized ingestion of software names on macOS apps when vendor-supplied bundle executable names are unclear.
  • Optimized software title reconciliation in vulnerabilities cron job.
  • Revised macOS software ingestion to correctly show application names for Steam games instead of run.sh.
  • Added logic to detect and fix migration issues caused by improperly published Fleet v4.73.2 Linux binary.
  • Updated go to 1.25.1.
  • Fixed inconsistent subtitle text style in Custom Settings.
  • Fixed SentinelOne pkg generating wrong bundle identifier for auto-install policy.
  • Fixed required query parameters using field name instead of parameter name in error messages.
  • Fixed a bug where blocking of VPP installs on personally enrolled Apple devices was not in place.
  • Fixed edit teams action in VPP table dropdown not being blocked when Fleet is in GitOps mode.
  • Fixed certificate ingest parser to no longer break on multiple equal signs in certificate key pair values.
  • Fixed certificate ingest parser to allow for only multiple relative distinguished names separated by +.
  • Fixed 422 error when hitting /api/v1/fleet/commands endpoint with team filter.
  • Fixed deletion of conditional access integration by adding a spinner and clearing the tenant ID after the deletion.
  • Fixed an issue on ChromeOS and Windows where the cursor in the SQL editor is misaligned.
  • Fixed issue where "Controls" link in the top nav didn't always go to the default controls page.
  • Fixed cases where Firefox ESR installations would have false-positive vulnerabilities reported that were backported to the ESR.
  • Fixed an issue where clicking the currently selected navbar item would cause a full-page rerender.
  • Fixed EULA path to be relative to the YAML file in fleetctl gitops, as it is for other settings.
  • Fixed bundle identifier for privileges macOS software pkg and fixed existing software installers to use corrected software title. The privileges application should show the correct status in software inventory.
  • Fixed the reported version of fleetd on the Software tab for Linux hosts.
  • Fixed invalid GET and DELETE requests that incorrectly included request bodies in client code, ensuring HTTP compliance.

Fleet-maintained app updates and vulnerability fixes are applied, whether or not you upgrade.

Fleet's agent

The following versions of Fleet's agent (fleetd) support the latest changes to Fleet:

  1. orbit-v1.48.1
  2. fleet-desktop-v1.48.1 (included with Orbit)
  3. fleetd-chrome-v1.3.3

While newer versions of fleetd still function with older versions of the Fleet server (and vice versa), Fleet does not actively test these scenarios and some newer features won't be available.

Upgrading

Please visit our upgrade guide for upgrade instructions.

Documentation

Documentation for Fleet is available at fleetdm.com/docs.

Binary Checksum

SHA256

