github fleetdm/fleet fleet-v4.83.0
on GitHub

10 hours ago

Fleet 4.83.0 (Apr 1, 2026)

IT Admins

  • Added ability to deploy an Android web app via setup experience or self-service.
  • Added ability to set and manually rotate Mac recovery lock passwords.
  • Added ability to lock the pre-filled user information for macOS hosts that login via End User Authentication during Setup Experience.
  • Added automatic retries for failed software installs, excluding VPP apps.
  • Updated host software library to always allow filtering.
  • Added retry functionality when adding software installers to Fleet via GitOps.
  • Added fleetctl new command to initialize a GitOps folder.
  • Added support for paths: key under reports:, labels: and policies: in GitOps files.
  • Added glob support for configuration_profiles in GitOps files.
  • Added support for referencing .sh or .ps1 script files directly in the GitOps path field for software packages.
  • Implemented webhooks_and_tickets_enabled flag for policies in GitOps.
  • Added server config for allowing all Apple MDM declaration types.
  • Added ability to use FLEET_JIT_USER_ROLE_FLEET_ as a prefix on SAML attributes.
  • Added fleet_name and fleet_id columns to hosts CSV export.
  • Added resend button in the OS settings modal for iOS and iPadOS hosts.
  • Added patch policies for Fleet-maintained apps that automatically update when the app is updated.

Security Engineers

  • Added support for NDES CA for Windows hosts.
  • Added vulnerability scanning support for Windows Server 2025 hosts.
  • Added OTEL instrumentation to Fleet's internal HTTP client.
  • Added Content-Type header to Smallstep authorization requests to prevent Cloudflare from blocking them.
  • Added ability to omit secrets: in GitOps files to retain existing enroll secrets on server.
  • Fixed python package false positives on Ubuntu, such as python3-setuptools on Ubuntu 24.04 with version 68.1.2-2ubuntu1.2.
  • Fixed false positive vulnerabilities for Mattermost Desktop.

Other improvements and bug fixes

  • Most top-level keys can now be omitted from GitOps files in place of supplying them with an empty value.
  • Improved host search to always match against host email addresses, not only when the query looks like an email.
  • Prevented a 500 error on the host details page when an MDM command reference in host_mdm_actions pointed to a non-existent command (orphan reference).
  • Allowed Fleet-maintained apps to be added if they have default categories configured that are not available in older builds from this point forward.
  • Migrated to using Policy critical option when disallowing Okta conditional access bypass.
  • Updated DEP enrollment flow to apply minimum macOS version check when specified.
  • Updated GitOps to fail runs when unknown keys are detected in files.
  • Updated default last opened time diff to 2m to increase the chances of updating the last opened time for software that is opened frequently.
  • Updated the host results endpoint URL to be consistent with the other URLs.
  • Added tooltip to batch run result host count to clarify that the count might include deleted hosts.
  • Updated table heading and result filter styles.
  • Reordered the columns on the Hosts page.
  • Updated Fleet desktop to surface custom transparency links to the device user.
  • Changed PostJSONWithTimeout to log response body in error case.
  • Removedd unused and confusingly-named --mdm_apple_scep_signer_allow_renewal_days config.
  • Refactored NewActivity functionality by moving it to the new activity bounded context.
  • Modified Android certificate renewal logic to make it easier to test.
  • Optimized api/latest/fleet/software/titles endpoint.
  • Trimmed incoming ABM suffix for Arch Linux hosts so Arch OSs are grouped together in the database and UI.
  • Updated determination process used for selecting which user email address to use when scheduling a maintenance event for a host failing policies.
  • Added license checks for fleet-free targeting queries by label.
  • Added APNs expiry banner in the UI for Fleet free users.
  • Added error if GitOps/batch attempts to add setup experience software when manual agent install is enabled.
  • Added Fleet-maintained app utilization to anonymous usage statistics collected by Fleet.
  • Surfaced data constraints using the proper HTTP status code on the /api/v1/fleet/scim/users endpoint.
  • Updated macOS device details UI to delay showing FileVault "action required" notifications banner during the first hour after MDM enrollment to allow sufficient time for Fleet to automatically escrow keys from ADE devices.
  • Added an early return in the PUT /hosts/{id}/device_mapping endpoint so that setting the same IDP email that is already stored no longer triggers unnecessary database updates, activity log entries, or profile resends.
  • Improved cleanup functionality so that when deleting a host record, Fleet will now clean up host issues, such as failing policies and critical vulnerabilities associated with the host.
  • Improved the way we verify Windows profiles to no longer rely on osquery for faster verification.
  • Improved body parsing validation by using http.MaxBytesReader and wrapping gzip decode output too.
  • Improved rate-limiting on conditional access endpoints.
  • Finished migrating code from go-kit/log to slog.
  • Updated UI for disabling stored report results for clarity.
  • Revised which versions Fleet tests MySQL against to 9.5.0 (unchanged), 8.4.8, 8.0.44, and 8.0.39, 8.0.44.
  • Deprecated several configuration keys in favor of new names: custom_settings -> configuration_profiles, macos_settings -> apple_settings, macos_setup -> setup_experience and macos_setup_assistant -> apple_setup_assistant.
  • Deprecated setup_experience.bootstrap_package in favor of setup_experience.macos_bootstrap_package.
  • Deprecated setup_experience.manual_agent_install in favor of setup_experience.macos_manual_agent_install.
  • Deprecated setup_experience.enable_release_device_manually in favor of setup_experience.apple_enable_release_device_manually.
  • Deprecated setup_experience.script in favor of setup_experience.macos_script.
  • Fixed an issue where the MDM section on the integration page did not update correctly when Apple MDM is turned off.
  • Fixed an issue where iOS/iPadOS hosts couldn't add app store apps from the host library page.
  • Fixed inaccurate error message when clearing identity provider settings while end user authentication is enabled.
  • Fixed Microsoft NDES CA not being selectable after deleting an existing NDES CA without a page refresh.
  • Fixed an issue where Apple setup experience could get stuck, if the device was in the middle of a SCEP renewal, and then re-enrolled.
  • Fixed secure.OpenFile to self-heal incorrect file permissions via chmod instead of returning a fatal error.
  • Fixed an issue where personal iOS and iPadOS enrollments could see software in the self-service webclip.
  • Fixed table footer rendering unexpectedly in the host targets search dropdown.
  • Fixed a security issue where canceling a pending lock or wipe command permanently deleted the original locked_host/wiped_host activity from the audit log. The original activity is now preserved, and the subsequent cancellation activity serves as the follow-up record.
  • Fixed dropdown rendering center of a row and from pushing down save button below open dropdown options.
  • Fixed end user authentication form to allow saving cleared IdP settings.
  • Fixed inconsistent link styling in UI.
  • Fixed the error resend button overflowing over the edge of the os settings modal table.
  • Fixed CPE matching failing for software names that sanitize to FTS5 reserved keywords (AND, OR, NOT).
  • Fixed table shifting left when clicking the copy hash icon in host software inventory.
  • Fixed a bug where vulnerability counts increased over time due to orphaned entries remaining in the database after hosts were removed.
  • Fixed a bug where software installers could create titles with the wrong platform.
  • Fixed a bug where Fleet maintained apps for Windows won't show as available in the list when they actually are.
  • Fixed host search in live queries returning no results for observer users when many hosts on inaccessible teams matched the search term before accessible ones.
  • Fixed live query host/team targeting to correctly scope observer_can_run to the query's own team, preventing observers from targeting hosts on other observed teams.
  • Fixed alignment of tooltip text in the certificate details modal.
  • Fixed a bug where a policy that links a software to install fails to apply when that software package uses an environment variable in its yaml definition.
  • Fixed error message when deleting a certificate authority (that is referenced by a certificate template) to show a helpful message instead of a raw database error.
  • Fixed observer query bypass by restricting live query/report team targeting to only teams where the user has sufficient permissions, including global observers who are now limited to the query's own team when observer_can_run is true.
  • Fixed a bug where manage hosts page header button text would wrap and distort at certain widths.
  • Fixed an issue where $FLEET_SECRET was being double encoded, if set via GitOps.
  • Fixed editing reports on free tier failing due to labels_include_any triggering a premium license check.
  • Fixed a bug where certain incorrect resolved-in versions were reported for certain vulnerable versions of Citrix Workspace.
  • Fixed DigiCert CA UPN variable substitution so each host receives a certificate containing its own unique values instead of another host's substituted values.
  • Fixed alignment and spacing of the "rolling" tooltip next to "Arch Linux" in the host vitals card.
  • Fixed select-all header checkbox not selecting rows on partial pages where not all rows are selectable.
  • Fixed an issue where it was possible to configure manual_agent_install without specifiying a bootstrap package via the API and GitOps.
  • Fixed dead rows accumulating in software host counts tables by using an atomic table swap instead of in-place updates during the sync process.
  • Fixed a bug where script packages (.sh, .ps1) incorrectly used the unsaved script size limit (10K characters) instead of the saved script limit (500K characters), preventing large scripts from being added as software packages.
  • Fixed an issue where Windows MDM profiles could remain in pending if hosts acknowledged them too quickly after upload.
  • Fixed an issue where users with the same ID as an invited user would be hidden from the users table, and fixed the users count to include invited users.

Fleet-maintained app updates and vulnerability fixes are applied, whether or not you upgrade.

Fleet's agent

The following version of Fleet's agent (fleetd) support the latest changes to Fleet:

  1. orbit-v1.53.1
  2. fleet-desktop-v1.53.1 (included with Orbit)
  3. osquery-5.22.1 (included with Orbit)
  4. fleetd-chrome-v1.3.5
  5. fleetd-android-v1.0.2

While newer versions of fleetd still function with older versions of Fleet, old versions of fleetd and osquery may not function with new versions of Fleet. We do not actively test these scenarios, and we recommend deploying a minimum of the agent versions above before upgrading to this version of Fleet.

Upgrading

Please visit our upgrade guide for upgrade instructions.

Documentation

Documentation for Fleet is available at fleetdm.com/docs.

Binary Checksum

SHA256 

09ce0435cc82ee2a7b8d3370c843aa7d97dc675257bfdeda26637654c328e87e  fleet_v4.83.0_linux.tar.gz
2b2f1ce50e590303538879b8d55b5aefa4a07161c7dc2bb7349971434bc3709b  fleetctl_v4.83.0_linux_amd64.tar.gz
7756c01f50289b4ae8252e0e3b5747ba2078b5ab5ccd4918555c1ff412f5ea71  fleetctl_v4.83.0_linux_amd64.zip
a280d54a6b99cd2ea38e3781564dbd66eab7a3b4765f6b8880b32bbc0a025206  fleetctl_v4.83.0_linux_arm64.tar.gz
1df887e66bf5bc6e480d975097ee4635c8a7796951d01fc2e256e14705cff0c0  fleetctl_v4.83.0_linux_arm64.zip
b2910389ac04d6fd6b4826984277f1b7e9c9e4ad860018fe93304c733ac605ba  fleetctl_v4.83.0_macos.tar.gz
8c6c0468fa183b9482c731912406db2f4ed8a54f6c1b452a18e35e49743c0f0a  fleetctl_v4.83.0_macos.zip
16d467dcd26d867f4dccd17f8d8fc9b194cca3db2d67a54d4d5d1edbede2385b  fleetctl_v4.83.0_windows_amd64.tar.gz
6c3dca0a44a708595c0e6ba76f73f81d67e4abfbc679771011da472db6484676  fleetctl_v4.83.0_windows_amd64.zip
da28e45a3cab092ed7e1156968acaf1bb892125aa029667d8c4e5cf931afbb6f  fleetctl_v4.83.0_windows_arm64.tar.gz
b86190fb76053765ac4647d13d208244c2eae9031fb2221ad665d84e615dd4cd  fleetctl_v4.83.0_windows_arm64.zip
Check out latest releases or
releases around fleetdm/fleet fleet-v4.83.0

Don't miss a new fleet release

NewReleases is sending notifications on new releases.

Get notifications