Releases: fleetdm/fleet
fleet-v4.60.0
Fleet 4.60.0 (Nov 27, 2024)
Endpoint operations
- Added support for labels_include_any to gitops.
- Added major improvements to keyboard accessibility throughout app (e.g. checkboxes, dropdowns, table navigation).
- Added activity item for fleetd enrollment with host serial and display name.
- Added capability for Fleet to serve YARA rules to agents over HTTPS authenticated via node key (requires osquery 5.14+).
- Added a query to allow users to turn on/off automations while being transparent of the current log destination.
- Updated UI to allow users to view scripts (from both the scripts page and host details page) without downloading them.
- Updated activity feed to generate an activity when activity automations are enabled, edited, or disabled.
- Cancelled pending script executions when a script is edited or deleted.
Device management (MDM)
- Added better handling of timeout and insufficient permissions errors in NDES SCEP proxy.
- Added info banner for cloud customers to help with their windows autoenrollment setup.
- Added DB support for "include any" label profile deployment.
- Added support for "include any" label/profile relationships to the profile reconciliation machinery.
- Added team_identifier signature information to Apple macOS applications to the /api/latest/fleet/hosts/:id/software API endpoint.
- Added indicator of how fresh a software title's host and version counts are on the title's details page.
- Added UI for allowing users to install custom profiles on hosts that include any of the defined labels.
- Added UI features supporting disk encryption for Ubuntu and Fedora Linux.
- Added support for deb packages compressed with zstd.
Vulnerability management
- Allowed skipping computationally heavy population of vulnerability details when populating host software on hosts list endpoint (GET /api/latest/fleet/hosts) when using Fleet Premium (populate_software=without_vulnerability_descriptions).
Bug fixes and improvements
- Improved memory usage of the Fleet server when uploading a large software installer file. Note that the installer will now use (temporary) disk space and sufficient storage space is required.
- Improved performance of adding and removing profiles to large teams by an order of magnitude.
- Disabled accessibility via keyboard for forms that are disabled via a slider.
- Updated software batch endpoint status code from 200 (OK) to 202 (Accepted).
- Updated a package used for testing (msw) to improve security.
- Updated to reboot linux machine on unlock to work around GDM bug on Ubuntu 24.04.
- Updated GitOps to return an error if the deprecated apple_bm_default_team key is used and there are more than 1 ABM tokens in Fleet.
- Dismissed error flash on the my device page when navigating to another URL.
- Modified the Fleet setup experience feature to not run if there is no software or script configured for the setup experience.
- Set a more accurate minimum height for the Add hosts > ChromeOS > Policy for extension field, avoiding a scrollbar.
- Added UI prompt for user to reenter the password if SCEP/NDES url or username has changed.
- Updated ABM public key to download as PEM format instead of CRT.
- Fixed issue with uploading macOS software packages that do not have a top level Distribution.xml, but do have a top level PackageInfo.xml. For example, Okta Verify.app.
- Fixed some cases where Fleet Maintained Apps generated incorrect uninstall scripts.
- Fixed a bug where a device that was removed from ABM and then added back wouldn't properly re-enroll in Fleet MDM.
- Fixed name/version parsing issue with PE (EXE) installer self-extracting archives such as Opera.
- Fixed a bug where the create and update label endpoints could return outdated information in a deployment using a mysql replica.
- Fixed the MDM configuration profiles deployment when based on excluded labels.
- Fixed gitops path resolution for installer queries and scripts to always be relative to where the query file or script is referenced. This change breaks existing YAML files that had to account for previous inconsistent behavior (e.g. installers in a subdirectory referencing scripts elsewhere).
- Fixed issue where minimum OS version enforcement was not being applied during Apple ADE if MDM IdP integration was enabled.
- Fixed a bug where users would be allowed to attempt an install of an App Store app on a host that was not MDM enrolled.
Fleet's agent
The following versions of Fleet's agent (fleetd) support the latest changes to Fleet:
- orbit-v1.36.0
- fleet-desktop-v1.36.0 (included with Orbit)
- fleetd-chrome-v1.3.1
While newer versions of fleetd still function with older versions of the Fleet server (and vice versa), Fleet does not actively test these scenarios and some newer features won't be available.
Upgrading
Please visit our update guide for upgrade instructions.
Documentation
Documentation for Fleet is available at fleetdm.com/docs.
Binary Checksum
SHA256
fleet-v4.59.1
Fleet 4.59.1 (Nov 18, 2024)
Bug fixes
- Added team_identifier signature information to Apple macOS applications to the /api/latest/fleet/hosts/:id/software API endpoint.
Fleet's agent
The following versions of Fleet's agent (fleetd) support the latest changes to Fleet:
- orbit-v1.35.0
- fleet-desktop-v1.35.0 (included with Orbit)
- fleetd-chrome-v1.3.1
While newer versions of fleetd still function with older versions of the Fleet server (and vice versa), Fleet does not actively test these scenarios and some newer features won't be available.
Upgrading
Please visit our update guide for upgrade instructions.
Documentation
Documentation for Fleet is available at fleetdm.com/docs.
Binary Checksum
SHA256
fleet-v4.59.0
Fleet 4.59.0 (Nov 12, 2024)
Endpoint operations
- Updated OpenTelemetry libraries to latest versions. This includes the following changes when OpenTelemetry is enabled:
  - MySQL spans outside of HTTPS transactions are now logged.
  - Renamed MySQL spans to include the query, for easier tracking/debugging.
- Added capability for fleetd to report vital errors to Fleet server, such as when Fleet Desktop is unable to start.
Device management (MDM)
- Added UI for adding a setup experience script.
- Added UI for the install software setup experience.
- Added software experience software title selection API.
- Added database migrations to support Setup Experience.
- Added support to fleetctl gitops to specify a setup experience script to run and software to install, for a team or no team.
- Added an Orbit endpoint (POST /orbit/setup_experience/status) for checking the status of a macOS host's setup experience steps.
- Added service to track install status.
- Added ability to connect a SCEP NDES proxy.
- Added SCEP proxy for Windows NDES (Network Device Enrollment Service) AD CS server, which allows devices to request certificates.
- Added error message on the My Device page when MDM is off for the host.
- Added a config field to the UI for custom MDM URLs.
- Added integration to queue setup experience software installation on automatic enrollment.
- Added a validation to prevent removing a software package or a VPP app from a team if that software is selected to be installed during the setup experience.
- Updated user permissions to allow gitops users to run MDM commands.
- Updated to remove a pending MDM device if it was deleted from current ABM.
- Updated to ensure details for a software installation run are available and accurate even after the corresponding installer has been edited or deleted.
- NOTE: The database migration included with this update backfills installer data into installation details based on the currently uploaded installer. If you want to backfill data from activities (which will be more comprehensive and accurate than the migration default, but may take a while as the entire activities table will be scanned), run this database query after running database migrations:
UPDATE host_software_installs i
JOIN activities a ON a.activity_type = 'installed_software'
AND i.execution_id = a.details->>"$.install_uuid"
SET i.software_title_name = COALESCE(a.details->>"$.software_title", i.software_title_name),
i.installer_filename = COALESCE(a.details->>"$.software_package", i.installer_filename),
i.updated_at = i.updated_at
- The above query is optional, and is unnecessary if no software installers have been edited.
Vulnerability management
- Added filtering Software OS view to show only OSes from a particular platform (Windows, macOS, Linux, etc.)
- Fixed issue where the vulnerabilities cron failed to complete due to a large temporary table creation when calculating host issue counts.
- Fixed Debian python package false positive vulnerabilities by removing duplicate entries for Debian python packages installed by dpkg and renaming remaining pip installed packages to match OVAL definitions.
Bug fixes and improvements
- Fixed the ADE enrollment release device processing for hosts running an old fleetd version.
- Fixed an issue with the BYOD enrollment page where it sometimes would show a 404 page.
- Fixed issue where macOS and Linux scripts failed to timeout on long running commands.
- Fixed bug in ABM renewal process that caused upload of new token to fail.
- Fixed blank install status when retrieving install details from the activity feed when the installer package has been updated or the software has since been removed from the host.
- Fixed the svg icon for Edge.
- Fixed frontend error when trying to view install details for an install with a blank status.
- Fixed loading state for the profile status aggregate UI.
- Fixed incorrect character set header on manual Mac enrollment config download.
- Fixed fleetctl gitops to support VPP apps, along with setting the VPP apps to install during the setup experience.
- Fixed bug where PATCH /api/latest/fleet/config was incorrectly clearing VPP token<->team associations.
- Fixed issue when trying to download the manual enrollment profile when device token is expired. We now show an error for this case.
- Fixed a bug where DDM declarations would remain "pending" forever if they were deleted from Fleet before being sent to hosts.
- Fixed a bug where policy failures of a host were not being cleared in the host details page after configuring the host to not run any policies.
- Fixed iOS and iPadOS device release during the ADE enrollment flow.
- Ignored --delete-other-teams flag in fleetctl gitops command for non-Premium license users.
- Switched Nudge deadline time for OS upgrades on macOS pre-14 hosts from 04:00 UTC to 20:00 UTC.
- Added a more descriptive error message when install or uninstall details do not exist for an activity.
- Updated to allow FLEET_REDIS_ADDRESS to include a redis:// prefix. Allowed formats are: redis://host:port or host:port.
- Documented that Microsoft enrollments have fewer fields filled in the mdm_enrolled activity due to how this MDM enrollment flow is implemented.
- Updated UI to make entire rows of the Disk encryption table clickable.
- Updated software install activities from policy automations to be authored by "Fleet", store policy ID and name on each activity.
- Updated tooltip for bootstrap package and VPP app statuses in UI.
- Added created_at/updated_at timestamps on user create endpoint.
- Updated UI notifications so that clicking in the horizontal dimension of a flash message, outside of the message itself, and always hide flash messages when changing routes.
- Filtered out VPP apps on non-MDM enrolled devices.
- Explicitly set line heights on "add profile" messages so they are consistent cross-browser.
- Deprecated the worker-based job to release macOS devices automatically after the setup experience, replaced it with the fleetd-specific "/status" endpoint that is polled by the Setup Experience dialog controlled by Fleet during the setup flow.
- Improved UI feedback when user attempts and fails to reset password.
Fleet's agent
The following versions of Fleet's agent (fleetd) support the latest changes to Fleet:
- orbit-v1.35.0
- fleet-desktop-v1.35.0 (included with Orbit)
- fleetd-chrome-v1.3.1
While newer versions of fleetd still function with older versions of the Fleet server (and vice versa), Fleet does not actively test these scenarios and some newer features won't be available.
Upgrading
Please visit our update guide for upgrade instructions.
Documentation
Documentation for Fleet is available at fleetdm.com/docs.
Binary Checksum
SHA256
fleet-v4.58.0
Fleet 4.58.0 (Oct 17, 2024)
Endpoint Operations:
- Added builtin label for Fedora Linux. Warning: Migrations will fail if a pre-existing 'Fedora Linux' label exists. To resolve, delete the existing 'Fedora Linux' label.
- Added ability to trigger script run on policy failure.
- Updated GitOps script and software installer relative paths to now always be relative to the file they're in. This change breaks existing YAML files that had to account for previous inconsistent behavior (e.g. script paths declared in no-team.yml being relative to default.yaml one directory up).
- Improved performance for host details and Fleet Desktop, particularly in environments using high volumes of live queries.
- Updated activity cleanup job to remove all expired live queries to improve API performance in environments using large volumes of live queries. To note, the cleanup cron may take longer on the first run after upgrade.
- Added an event for when a policy automation triggers a script run in the activity feed.
- Added battery status to Windows host details.
Device Management (MDM):
- Added the POST /software/fleet_maintained_apps endpoint for adding Fleet-maintained apps.
- Added the GET /software/fleet_maintained_apps/{app_id} endpoint to retrieve details of a Fleet-maintained app.
- Added API endpoint to list team available Fleet-maintained apps.
- Added UI for managing Fleet-maintained apps.
- Updated add software modal to be separate pages in Fleet UI.
- Added support for uploading RPM packages.
- Updated the request timeouts for software installer edits to be the same as initial software installer uploads.
- Updated UI for software uploads to include upload progress bar.
- Improved performance of SQL queries used to determine MDM profile status for Apple hosts.
Vulnerability Management:
- Fixed MSRC feed pulls (for NVD release builds) in environments where GitHub access is authenticated.
Bug fixes and improvements:
- Added the 'Unsupported screen size' UI on the My device page.
- Removed redundant built in label filter pills.
- Updated success messages for lock, unlock, and wipe commands in the UI.
- Restricted width of policy description wrappers for better UI.
- Updated host details about section to condense information into fewer columns at smaller widths.
- Hid CVSS severity column from Fleet Free software details > vulnerabilities sections.
- Updated UI to remove leading/trailing whitespace when creating or editing team or query names.
- Added UI improvements when selecting live query targets (e.g. styling, closing behavior).
- Updated API to return 409 instead of 500 when trying to delete an installer associated with a policy automation.
- Updated battery health definitions to be defined as cycle counts greater than 1000 or max capacity falling under 80% of designed capacity for macOS and Windows.
- Added information on how battery health is defined to the UI.
- Updated UI to surface duplicate label name error to user.
- Fixed software uninstaller script for pkgs to only remove '.app' directories installed by the package.
- Fixed "no rows" error when adding a software installer that matches an existing title's name and source but not its bundle ID.
- Fixed an issue with the migration adding support for multiple VPP tokens that would happen if a token is removed prior to upgrading Fleet.
- Fixed UI flow for observers to easily query hosts from the host details page.
- Fixed bug with label display names always sentence casing.
- Fixed a bug where a profile wouldn't be removed from a host if it was deleted or if the host was moved to another team before the profile was installed on the host.
- Fixed a bug where removing a VPP or ABM token from a GitOps YAML file would leave the team assignments unchanged.
- Fixed host software filter bug that resets dropdown filter on table changes (pagination, order by column, etc).
- Fixed UI bug: Edit team name closes modal.
- Fixed UI so that switching vulnerability search types does not cause page re-render.
- Fixed UI policy automation truncation when selecting software to auto-install.
- Fixed UI design bug where software package file name was not displayed as expected.
- Fixed a small UI bug where a button overlapped some copy.
- Fixed software icon for chrome packages.
Fleet's agent
The following versions of Fleet's agent (fleetd) support the latest changes to Fleet:
- orbit-v1.34.0
- fleet-desktop-v1.34.0 (included with Orbit)
- fleetd-chrome-v1.3.1
While newer versions of fleetd still function with older versions of the Fleet server (and vice versa), Fleet does not actively test these scenarios and some newer features won't be available.
Upgrading
Please visit our update guide for upgrade instructions.
Documentation
Documentation for Fleet is available at fleetdm.com/docs.
Binary Checksum
SHA256
fleet-v4.57.3
Bug fix
- Fixed Orbit configuration endpoint returning 500 for Macs running Rapid Security Response macOS releases that are enrolled in OS major version enforcement.
Upgrading
Please visit our update guide for upgrade instructions.
Documentation
Documentation for Fleet is available at fleetdm.com/docs.
Binary Checksum
SHA256
fleet-v4.57.2
Bug fixes
- Fixed software uninstaller script for pkgs to only remove '.app' directories installed by the package.
Upgrading
Please visit our update guide for upgrade instructions.
Documentation
Documentation for Fleet is available at fleetdm.com/docs.
Binary Checksum
SHA256
fleet-v4.57.1
Note: 4.57.1 contains two critical bugs
Two critical bugs have been identified in 4.57.1:
- Fleet uninstall script removes other apps from the host
- Software Package installs for Windows .exe and .msi installers stuck in Pending state
We are currently developing fixes for both and will issue 4.57.2 as soon as possible.
Bug fixes
- Improved performance of SQL queries used to determine MDM profile status for Apple hosts.
- Ensured request timeouts for software installer edits were just as high as for initial software installer uploads.
- Fixed an issue with the migration that added support for multiple VPP tokens, which would happen if a token was removed prior to upgrading Fleet.
- Fixed a "no rows" error when adding a software installer that matched an existing title's name and source but not its bundle ID.
Upgrading
Please visit our update guide for upgrade instructions.
Documentation
Documentation for Fleet is available at fleetdm.com/docs.
Binary Checksum
SHA256
fleet-v4.57.0
Note: 4.57.0 contains two critical bugs
Two critical bugs have been identified in 4.57.0:
- Fleet uninstall script removes other apps from the host
- Software Package installs for Windows .exe and .msi installers stuck in Pending state
We are currently developing fixes for both and will issue 4.57.2 as soon as possible.
Fleet 4.57.0 (Sep 23, 2024)
Endpoint Operations
- Added support for configuring policy installers via GitOps.
- Added support for policies in "No team" that run on hosts that belong to "No team".
- Added reserved team names: "All teams" and "No team".
- Added support for the software status filter for 'No teams' on the hosts page.
- Enabled 'No teams' functionality for the policies page and associated workflows.
- Added reset install counts and cancel pending installs/uninstalls when GitOps installer updates change package contents.
- Added support for software installer packages, self-service flag, scripts, pre-install query, and self-service availability to be edited in-place rather than deleted and re-added.
Device Management (MDM)
- Added feature allowing automatic installation of software on hosts that fail policies.
- Added feature for end users to enroll BYOD devices into Fleet MDM.
- Added the ability to use Fleet to uninstall packages from hosts.
- Added an endpoint for getting an OTA MDM profile for enrolling iOS and iPadOS hosts.
- Added protocol support for OTA enrollment and automatic team assignment for hosts.
- Added validation of Setup Assistant profiles on profile upload.
- Added validation to prevent installing software on a host with a pending installation.
- Allowed custom SCEP CA certificates with any kind of extendedKeyUsage attributes.
- Modified POST /api/latest/fleet/software/batch endpoint to be asynchronous and added a new endpoint GET /api/latest/fleet/software/batch/{request_uuid} to retrieve the result of the batch upload.
Vulnerability Management
- Fixed a false negative vulnerability for git.
- Fixed false positive vulnerabilities for minio.
- Fixed an issue where virtual box for macOS wasn't matching against the NVD product name.
- Fixed Ubuntu python package false positive vulnerabilities by removing duplicate entries for ubuntu python packages installed by dpkg and renaming remaining pip installed packages to match OVAL definitions.
Bug fixes and improvements
- Updated Go to go1.23.1.
- Removed validation of APNS certificate from server startup.
- Removed invalid node keys from server logs.
- Improved the UX of turning off MDM on an offline host.
- Improved clarity of GitOps VPP app ID type errors.
- Improved gitops error message about enabling windows MDM.
- Improved messaging for VPP token constraint errors.
- Improved loading state for UI tables when no data is present yet.
- Improved permissions so that hosts can no longer access installers that aren't directly assigned to them.
- Improved verification of premium license before uploading VPP tokens.
- Added "0 items" description on empty software tables for UI consistency.
- Updated the macos target minimum version tooltip.
- Fixed logic to properly catch and log APNs errors.
- Fixed UI overflow issues with OS settings table data.
- Fixed regression for checking email used to get a signed CSR.
- Fixed bugs on enrollment profiles when the organization name contains invalid XML characters.
- Fixed an issue with cron profiles delivery failing if a Windows VM is enrolled twice.
- Fixed issue where Fleet server could start when an expired ABM certificate was provided as server config.
- Fixed self-service checkbox appearing when iOS or iPadOS app is selected.
Fleet's agent
The following versions of Fleet's agent (fleetd) support the latest changes to Fleet:
- orbit-v1.33.0
- fleet-desktop-v1.33.0 (included with Orbit)
- fleetd-chrome-v1.3.1
While newer versions of fleetd still function with older versions of the Fleet server (and vice versa), Fleet does not actively test these scenarios and some newer features won't be available.
Upgrading
Please visit our update guide for upgrade instructions.
Documentation
Documentation for Fleet is available at fleetdm.com/docs.
Binary Checksum
SHA256
fleet-v4.56.0
Fleet 4.56.0 (Sep 7, 2024)
Endpoint operations
- Added index to query_results DB table to speed up finding last query timestamp for a given query and host.
- Added a link in the UI to the error message when a CSR can't be downloaded due to missing private key.
- Added a disabled overlay to the Other Workflows modal on the policy page.
- Improved performance of live queries to accommodate for higher volumes when utilizing zero-trust workflows.
- Improved fleetctl gitops error message when trying to change team name to a team that already exists.
Device management
- Added server support for multiple VPP tokens.
- Added new endpoints and updated existing endpoints for managing multiple Apple Business Manager tokens.
- Added support for S3 to store MDM bootstrap packages (uses the same bucket configuration as for software installers).
- Added support to UI for self service VPP software.
- Added backend and gitops support for self service VPP.
- Added ability for MDM migrations if the host is manually enrolled to a 3rd party MDM.
- Added an offline screen to the macOS MDM migration flow.
- Added new ABM page to Fleet UI.
- Added new VPP page to the Fleet UI.
- Added support to track the Apple Business Manager "terms expired" API error per token, as well as a global flag that gets set as soon as one token has its terms expired.
- Updated the instructions on "My device" for MDM migrations on pre-Sonoma macOS hosts.
- Updated to allow multiple teams to be assigned to the same VPP Token.
- Updated process so that deleting installed software or VPP app now makes it available for re-installation.
- Updated to enforce minimum OS version settings during Apple Automated Device Enrollment (ADE).
- Updated ABM ingestion so that deleted iOS/iPadOS host will continue to report to Fleet as long as host is in Apple Business Manager (ABM).
- Updated so that refetching an offline iOS/iPadOS host will not add new MDM commands to the queue if previous refetch has not completed yet.
- Updated UI so that downloading a software installer package now shows the browser's built-in progress bar.
- Updated relevant documentation to include references to multiple ABM and VPP tokens.
- Consolidated Automatic Enrollment and VPP settings under the MDM settings integration page.
- Cleared apps associated with a VPP token if it's moved off of a team.
Vulnerability management
- Added ALAS bulletins as vulnerability source for Amazon Linux (instead of OVAL for Amazon Linux 2, and adds support for Amazon Linux 1, 2022, and 2023).
- Added matching rules for July and August Microsoft 365 security updates (https://learn.microsoft.com/en-us/officeupdates/microsoft365-apps-security-updates).
- Added the following filters to /software/titles and /software/versions API endpoints: exploit: bool, min_cvss_score: float, max_cvss_score: float.
- Updated software titles/versions tables to allow for filtering by vulnerabilities including severity and known exploit.
- Updated to use empty CVE description when the NVD CVE feed doesn't include description entries (instead of panicking).
- Updated matching software that is not installed by Fleet so that it shows up as 'Available for install' on host details page.
- Updated base images of fleetdm/fleetctl, fleetdm/bomutils and fleetdm/wix to fix critical vulnerabilities found by Trivy.
- Updated vulnerability scanning to use macos SW target for CPEs of homebrew packages.
- Updated vulnerability scanning to not ignore software with non-ASCII en dash and em dash characters.
- Updated GET /api/v1/fleet/vulnerabilities/{cve} endpoint to add validation of CVE format, and a 204 response. The 204 response indicates that the vulnerability is known to Fleet but not present on any hosts.
- Updated the UI to add new empty states for searching vulnerabilities: invalid CVE format searched, a known CVE searched but not present on hosts, not a known CVE searched, exploited vulnerability empty state, operating systems empty state, new icons.
Bug fixes and improvements
- Added support for MySQL 8.4.2 LTS.
- Updated Go to go1.22.6.
- Updated Fleet server to now accept arguments via stdin. This is useful for passing secrets that you don't want to expose as env vars, in the command line, or in the config file.
- Updated text for "Turn on MDM" banners in UI.
- Updated ABM host tooltip copy on the manage host page to clarify when host vitals will be available to view.
- Updated copy on automatic enrollment modal on my device page.
- Updated host details activities tooltip and empty state copy to reflect recently added capabilities.
- Updated Fleet Free so users see a Premium feature message when clicking to add software.
- Updated usage reporting to report statistics on new AI features, maintenance window, and `fleetd`.
- Fixed bug where configuration profile was still showing the old label name after the name was updated.
- Fixed a bug when a cached prepared statement gets deleted in the MySQL server itself without Fleet knowing.
- Fixed a bug where the wrong API path was used to download a software installer.
- Fixed the failing_host_count so it is never 0. This count is normally updated once an hour during cleanups_then_aggregation cron job.
- Fixed CVE-2024-4030 in Vulncheck feed incorrectly targeting non-Windows hosts.
- Fixed a bug where the "Self-service" filter for the list of software and the list of host's software did not take App Store apps into account.
- Fixed a bug where the "My device" page in Fleet Desktop did not show the self-service software tab when App Store apps were available as self-install.
- Fixed a bug where a software installer (a package or a VPP app) that has been installed on a host still shows up as "Available for install" and can still be requested to be installed after the host is transferred to a different team without that installer (or after the installer is deleted).
- Fixed the "Available for install" filter in the host's software page so that installers that were requested to be installed on the host (regardless of installation status) also show up in the list.
- Fixed UI popup messages bleeding off viewport in some cases.
- Fixed an issue with the scheduling of cron jobs at startup if the job has never run, which caused it to be delayed.
- Fixed UI to display the label names in case-insensitive alphabetical order.
Fleet's agent
The following versions of Fleet's agent (`fleetd`) support the latest changes to Fleet:
- orbit-v1.32.0
- fleet-desktop-v1.32.0 (included with Orbit)
- fleetd-chrome-v1.3.1
While newer versions of `fleetd` still function with older versions of the Fleet server (and vice versa), Fleet does not actively test these scenarios and some newer features won't be available.
Upgrading
Please visit our update guide for upgrade instructions.
Documentation
Documentation for Fleet is available at fleetdm.com/docs.
Binary Checksum
SHA256
fleet-v4.55.2
Bug fixes
- Removed validation of APNS certificate from server startup. This was no longer necessary because we now allow for APNS certificates to be renewed in the UI.
- Fixed logic to properly catch and log APNs errors.
Upgrading
Please visit our update guide for upgrade instructions.
Documentation
Documentation for Fleet is available at fleetdm.com/docs.
Binary Checksum
SHA256