github fleetdm/fleet v4.0.0-rc1

latest releases: fleet-v4.15.0, orbit-v0.0.12, orbit-v0.0.11...
pre-release11 months ago


The primary additions in Fleet 4.0.0 are the new Role-based access control (RBAC) and Teams features.

RBAC adds the ability to define a user's access to information and features in Fleet. This way, more individuals in an organization can utilize Fleet with appropriate levels of access. Check out the permissions documentation for a breakdown of the new user roles and their respective capabilities.

Teams adds the ability to separate hosts into exclusive groups. This way, users can easily observe and apply operations to consistent groups of hosts. Read more about the Teams feature in the documentation here.

There are several known issues that will be fixed for the stable release of Fleet 4.0.0. Therefore, we recommend only upgrading to Fleet 4.0.0 RC1 for testing purposes. Please file a GitHub issue for any issues discovered when testing Fleet 4.0.0!

New features breakdown

  • Add ability to define a user's access to information and features in Fleet by introducing the Admin, Maintainer, and Observer roles.

  • Add ability to separate hosts into exclusive groups with the Teams feature. The Teams feature is available for Fleet Basic customers. Check out the list below for the new functionality included with Teams:

  • Add ability to enroll hosts to one team using team specific enroll secrets.

  • Add ability to manually transfer hosts to a different team in the Fleet UI.

  • Add ability to apply unique agent options to each team. Note that "osquery options" have been renamed to "agent options."

  • Add ability to grant users access to one or more teams. This allows you to define a user's access to specific groups of hosts in Fleet.

Upgrade plan

Fleet 4.0.0 is a major release and introduces several breaking changes and database migrations.

  • Use strictly fleet in Fleet's configuration, API routes, and environment variables. This means that you must update all usage of kolide in these items. The backwards compatibility introduced in Fleet 3.8.0 is no longer valid in Fleet 4.0.0.

  • Change configuration option server_tlsprofile to server_tls_compatability. This options previously had an inconsistent key name.

  • Replace the use of the api/v1/fleet/spec/osquery/options with api/v1/fleet/config. In Fleet 4.0.0, "osquery options" are now called "agent options." The new agent options are moved to the Fleet application config spec file and the api/v1/fleet/config API endpoint.

  • Enroll secrets no longer have "names" and are now either global or for a specific team. Hosts no longer store the “name” of the enroll secret that was used. Users that want to be able to segment hosts (for configuration, queries, etc.) based on the enrollment secret should use the Teams feature in Fleet Basic.

  • auth_jwt_key and auth_jwt_key_file are no longer accepted as configuration.

  • JWT encoding is no longer used for session keys. Sessions now default to expiring in 4 hours of inactivity.

Known issues

  • Query packs cannot be targeted to teams.


Please visit our update guide for upgrade instructions.


Documentation for this release can be found at

Binary Checksum


350cc1b11b2b747714f80469b9c7cde6a3d6abae9db64530ee2194e82ad83208  fleetctl-macos.tar.gz
543c5365716f08545ead4a0b07563eb3788d38ff7a54afc7c86b5f4f36694e0e  fleetctl-windows.tar.gz
409baadf4b263625124695835df12d4743c1b673e24353c77b51da6b9e2209a4  fleetctl-linux.tar.gz

Don't miss a new fleet release

NewReleases is sending notifications on new releases.