github fleetdm/fleet fleet-v4.84.0

Fleet 4.84.0 (Apr 24, 2026)

IT Admins

  • Added support for Entra conditional access to Windows devices.
  • Added ability to pin Fleet-maintained apps to a specific major version in GitOps.
  • Implemented ACME for MDM protocol communication, and hardware device attestation.
  • Added GET /api/v1/fleet/hosts/{id}/reports endpoint (also accessible as /hosts/{id}/queries) that lists the query reports associated with a specific host.
  • Added support for labels_include_all conditional scoping for software installers and apps.
  • Added validation for software install, uninstall, and post-install scripts.
  • Added ability to specify custom patch policy query in an FMA manifest.
  • Added ability to re-send Android certificates to a specific host.
  • Added Reports tab to Host details page.
  • Allowed specifying a Fleet-Maintained App (FMA) as a policy software automation in GitOps.
  • Added support for running Python scripts on macOS and Linux.
  • Added automatic retry (up to 3 times) when the Android agent reports a certificate install failure.
  • Added activity logging when a certificate is installed or fails to install on an Android host.
  • Enabled the host activity card on the Android host details page.
  • Switched Fleet-maintained apps serving location from GitHub to https://maintained-apps.fleetdm.com/manifests. NOTE: If you limit outbound Fleet server traffic, make sure it can access the new FMA manifests location.
  • Increased automatic retry limit for failed Apple (macOS, iOS, iPadOS) configuration profiles from 1 to 3. Windows profiles remain at 1 retry.
  • Added a new disk_space fleetd table for macOS that reports available disk space including purgeable storage, matching the value shown in Finder's "Get Info" dialog and System Settings → General → Storage.
  • Added removal of configuration profiles from Windows hosts, via SyncML <Delete> commands, when a Windows configuration profile is deleted or a host moves teams, bringing Windows profile removal to parity with macOS.
  • Added support for outputting VPP policy automations in fleetctl generate-gitops.
  • Added logging of profile names alongside MDM commands installing or removing them.
  • Added indication in the UI when a profile command was deferred via NotNow status.
  • Added activity when setup experience is canceled due to software install failure.
  • Added cancel activities for each VPP app install skipped due to setup experience cancellation, and switched "failed" activity to "canceled" for package-based software installs in the same situation.
  • Added install failure activity when VPP installs fail due to licensing issues during setup experience.

Security Engineers

  • Added vulnerability detection for Microsoft 365 Apps and Office products on Windows.
  • Added OSV data source for Ubuntu vulnerability scanning.
  • Added automatic rotation of Mac recovery lock passwords 1 hour after the password is viewed via the API.
  • Updated ingestion/CVE logic to support JetBrains software with 2 version numbers, like WebStorm 2025.1.
  • Addressed false positive vulnerabilities (CVE-2019-17201, CVE-2019-17202) reported for Admin By Request on macOS and Linux hosts. These CVEs are Windows-specific.
  • Generated correct CPE from malformed ipswitch whatsup CPE, ensuring applicable CVEs are matched.
  • Added software source to ecosystem matching to help prevent non-deterministic CPE selection when multiple vendors exist for the same product.

Other improvements and bug fixes

  • Upped the default limit for the software batch endpoint, from 1MiB to 25MiB.
  • Added FLEET_MDM_CERTIFICATE_PROFILES_LIMIT server config option to throttle the number of CA certificate profile installations per reconciler cycle, preventing CA server overload in large deployments.
  • Added banner to Add software page to inform users that Android web apps require Google Chrome.
  • Enabled Windows MDM in fleetctl preview by auto-generating WSTEP certificates on startup.
  • Used the same templates for fleetctl new and new instance initialization.
  • Added "API time" to GitOps output on API errors.
  • Allowed clearing Windows OS update deadline and grace period fields to remove enforcement.
  • Updated ordering of setup experience software to take display names into account.
  • Updated iOS/iPadOS refetch logic to slowly clear out old/stale results.
  • Increased the default SSO session validity period from 5 to 15 minutes.
  • Improved performance of distributed read endpoint by reducing mutex contention in shouldUpdate using sync.RWMutex instead of sync.Mutex.
  • Allowed OTEL service name to be overridden with standard OTEL_SERVICE_NAME env var.
  • Revised which versions Fleet tests MySQL against to remove 8.0.39 and add 8.0.42.
  • Allowed typing whitespace on Settings > Integrations > SSO > End users form.
  • Removed incorrect report key from get/create/modify API responses.
  • Added (query_id, has_data, host_id, last_fetched) index on query_results.
  • Improved database query performance for the Host Details > Reports page by adding a has_data virtual generated column to query_results.
  • Made sure that fleet names are trimmed and validated to prevent whitespace-only or padded names across API, GitOps, frontend, and existing data.
  • Hid host details > reports in the UI from platforms that do not support scheduled reporting.
  • Updated GitOps label functionality to allow omitting the hosts: key under a manual label to mean "preserve existing host membership", rather than removing all hosts.
  • Added Flatcar Container Linux and CoreOS to the list of recognized Linux platforms, fixing host detail queries (IP address, disk space, etc.) not being sent to hosts running these distributions.
  • Updated the default fleet selected when navigating to the dashboard and to controls.
  • Reduced redundant database queries during policy result submission by computing flipping policies once per host check-in instead of multiple times.
  • Reduced redundant database calls in the osquery distributed query results hot path by pre-loading configuration (AppConfig, HostFeatures, TeamMDMConfig, conditional access) once per request instead of once per detail query result.
  • Updated UI to use new multiplatform API keys.
  • Activated warnings for deprecated API parameters, API URLs, fleetctl commands and fleetctl command options.
  • Updated the Request Certificate API to return the proper PEM header for PKCS #7 certificates returned by EST CAs.
  • Added "Learn more" link on End User Authentication section.
  • Moved Apple MDM worker to a faster cron, and started sending profiles on Post DEP enrollment job, to speed up initial macOS setup.
  • Optimized PolicyQueriesForHost and ListPoliciesForHost SQL queries by replacing correlated subqueries with a single aggregated LEFT JOIN for label-based policy scoping, reducing query time by ~77% at scale.
  • Improved VPP install failure messaging to explain verification timeouts in Host details and My device install details.
  • Refactored large anonymous functions into named functions to improve nil-safety static analysis coverage.
  • Renamed "Custom settings" to "Configuration profiles" in Fleet UI.
  • Added description to UI to help users understand which fleet a policy belongs to during add/edit.
  • Updated Fleet-maintained apps to overwrite software title names on sync and when adding an FMA installer.
  • Improved Fleet server performance for the Windows MDM profiles summary and host OS settings filter queries by replacing correlated subqueries with a single aggregation pass.
  • Improved Windows MDM server performance at scale by reducing redundant database queries during device check-ins.
  • Updated Go to 1.26.1.
  • Fixed a server panic when uploading a Windows MDM profile to a fleet on a free license.
  • Fixed MSRC vulnerability scanning to differentiate between Windows Server Core and full desktop installations, preventing false positive/negative CVEs caused by non-deterministic product matching.
  • Fixed GitOps policy software resolution failing when URL lookup doesn't match, by falling back to hash-based lookup.
  • Fixed GitOps failing to delete a certificate authority when certificate templates still reference it in fleet configs.
  • Fixed duplicate text in error message when script validation fails when adding a custom package.
  • Fixed issue where the include_available_for_install query param wasn't being applied correctly to the GET /api/latest/fleet/hosts/{id}/software endpoint.
  • Fixed disk encryption key modal to not show stale key when switching between hosts.
  • Fixed SCIM user not associating with host when IdP username was set before the SCIM user was created.
  • Fixed Google Drive version not matching upstream.
  • Fixed bug that cleared the MDM lock state if an "idle" message was received right after the lock ACK.
  • Fixed team maintainers, admins, and GitOps users being unable to add certificate templates due to missing read access to certificate authorities.
  • Fixed fleetd installation failure on macOS when installing it through Host details page > Software > Library as a Custom package.
  • Fixed a bug where SQL queries using table aliases (e.g., FROM mounts m) incorrectly reported no compatible platforms.
  • Fixed fleetctl gitops failing with "No available VPP Token" when assigning VPP apps alongside a new team.
  • Fixed a bug where OS versions were not populated in vulnerability details for OS-only vulnerabilities (e.g., macOS CVEs).
  • Fixed a TOCTOU-related issue when checking before deleting last admin.
  • Fixed database locking issues on the policy_membership table by batching cleanup DELETE operations and moving them outside the primary GitOps apply transaction.
  • Fixed success message on Android software configuration to reference software display name when applicable.
  • Fixed a bug where Android host certificate template records were not cleared when a device unenrolled, causing stale certificate statuses after re-enrollment.
  • Fixed a bug where the organization logo URL entered during setup was only saved for dark backgrounds and not for light backgrounds.
  • Fixed an issue where setup experience items (software to install) were not enqueued for Linux distributions that did not report a "platform-like" value, e.g. Arch Linux and Omarchy.
  • Fixed a bug where filtering hosts by software version for a software version not present on the selected team returned nil software instead of a lightweight report of the software.
  • Fixed Fleet's usage of the incorrectly spelled 'vulnerabities' in favor of 'vulnerabilities' in MSRC bulletins.
  • Fixed nondeterministic CPE matching when multiple CPE candidates share the same product name.
  • Fixed a bug where Windows hosts with an empty display_version in the database would get 0 CVEs from MSRC vulnerability scanning.
  • Fixed a bug where fleetctl generate-gitops failed if a Fleet-maintained app was associated to a software title with a different name (e.g. names with different versions).
  • Fixed fleetctl generate-gitops failing to include VPP fleet assignments.
  • Fixed query results table deduplicating rows when query data contains an id column, and fixed id column header and cell styling.
  • Fixed missing underline on "Reports" nav item when active in top navigation.
  • Fixed bug where adding a patch policy for a new installer in the UI caused gitops runs that didn't include that installer to fail.
  • Fixed browser back button requiring an extra click to leave the Policies and Reports pages.
  • Fixed a bug where Fleet continued to show a stale Recovery Lock password after a macOS host left MDM, by soft-deleting the stored password whenever the host leaves MDM (re-enrollment, CheckOut, admin unenroll, or a periodic sweep of hosts osquery reports as unenrolled) and hiding the password on the host details page until the host is enrolled again.
  • Fixed an issue where silent migration status would persist even after re-enrolling the device normally, causing SCEP renewal to fail.
  • Fixed issue where the "Change Management" form would reset when the page lost and regained focus.

Fleet-maintained app updates and vulnerability fixes are applied, whether or not you upgrade.

Fleet's agent

The following versions of Fleet's agent (fleetd) support the latest changes to Fleet:

  1. orbit-v1.54.0
  2. fleet-desktop-v1.54.0 (included with Orbit)
  3. osquery-5.22.1 (included with Orbit)
  4. fleetd-chrome-v1.3.5
  5. fleetd-android-v1.0.2

While newer versions of fleetd still function with older versions of Fleet, old versions of fleetd and osquery may not function with new versions of Fleet. We do not actively test these scenarios, and we recommend deploying a minimum of the agent versions above before upgrading to this version of Fleet.

Upgrading

Please visit our upgrade guide for upgrade instructions.

Documentation

Documentation for Fleet is available at fleetdm.com/docs.

Binary Checksum

SHA256

