
Fleet device management

Fleet v4.85.0 · scope: fleet · Breaking release

This release carries one breaking change: fleet (team) names are now enforced as unique ignoring letter case, and conflicts return 409 on the UI, API, and GitOps paths. Platform teams should review existing names before upgrading.


✓ No known CVEs patched in this version

Topics

binary-authorization, configuration-management, device-management, gitops, ios, linux, macos, mdm, orchestration, osquery, patching, powershell, scripting, security, software-management, telemetry, vulnerability-management

Affected surfaces

auth rbac

ReleasePort's take

Signal: light · editorial:auto · 13d

Fleet v4.85.0 fixes a Windows BitLocker encrypt/decrypt loop on machines with auto-unlock secondary drives and several Apple DDM profile stuck-state bugs. API-only users can now be restricted to an explicit allowlist of API endpoints (requests outside it get 403), and the UI gains a dark theme. One breaking change: fleet names must be unique ignoring letter case, and conflicts return 409 on the UI, API, and GitOps paths.

Why it matters: Deployments enforcing BitLocker on hosts with auto-unlock secondary drives should upgrade for the loop fix, and should expect hosts that were shown as "Verified" with protection off to now show "Action required". Before upgrading, check GitOps files and existing fleets for names that differ only by case, since the 409 will now reject them. Test per-endpoint restrictions on API-only users in a non-production environment first: requests that are not in the endpoint catalog or not in the user's allowlist are denied by default. The DDM reconciler fixes reduce profiles stuck in remove/pending during fleet-wide changes.

Summary

AI summary

Fixed Windows BitLocker encrypt/decrypt loop on machines with secondary drives using auto-unlock.

Changes in this release

Breaking Medium

Enforced fleet name uniqueness, ignoring letter case, across UI, API, and GitOps paths; conflicts return 409

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Feature Medium

New middleware returns 403 to API-only users whose request is not in the API endpoint catalog or falls outside their configured per-user endpoint restrictions

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

Fleet variables supported in Apple declaration profiles (DDM)

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

End-user authentication context passed to Windows MDM installer

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

Dashboard charts added for hosts online, vulnerability, hosts enrolled

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

Starting the server with --dev no longer turns on Prometheus serving with hard-coded credentials by default

Source: llm_adapter@2026-05-21

Confidence: low

Feature Medium

Docker now default WiX runtime for .msi generation on macOS

Source: llm_adapter@2026-05-21

Confidence: low

Feature Medium

UI pages added for creating and editing API-only users with fleet assignment, role selection, and API endpoint access control

Source: llm_adapter@2026-05-21

Confidence: low

Feature Medium

Dark theme added to Fleet UI with light, dark, system options

Source: llm_adapter@2026-05-21

Confidence: low

Feature Medium

Implemented Clear Passcode feature for iOS and iPadOS

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Feature Medium

Updated macOS 15 CIS benchmark to include v2.0.0 changes

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Feature Medium

Updated macOS 14 (Sonoma) CIS policy set to benchmark v3.0.0

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Feature Medium

Added conditional HTTP downloads using ETag for GitOps software

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Feature Medium

Automatically escape JSON special characters in GitOps variables for .json profiles

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Feature Medium

Allowed saving policies with flagged SQL syntax errors

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Feature Medium

Introduced new read‑only policy details page with policy information

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Feature Medium

Added dedicated `/policies/:id/live` route for running policies

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Feature Medium

Added premium `GET /api/_version_/fleet/rest_api` endpoint returning embedded `api_endpoints.yml` artifact

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Feature Low

Added `always_download` option to bypass conditional download in GitOps

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Feature Low

Enabled renewing and deleting AB tokens in the UI when GitOps mode is active

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Feature Low

Show reason in host OS settings detail when an Android profile is pending due to a certificate dependency

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Feature Low

Added admin setting to control retention of vulnerability‑exposure data for the dashboard

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Feature Low

Added `POST /users/api_only` endpoint for creating API‑only users

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Feature Low

Added `PATCH /users/api_only/{id}` endpoint for updating existing API‑only users

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Performance Medium

FMA sync performance improved with software.bundle_identifier index

Source: llm_adapter@2026-05-21

Confidence: low

Performance Medium

MySQL writer skips no-op updates for host_orbit_info and host_disks

Source: llm_adapter@2026-05-21

Confidence: low

Performance Medium

Windows MDM profile deletion batched into single statement

Source: llm_adapter@2026-05-21

Confidence: low

Performance Medium

Conditional HTTP downloads with ETag skip re-download if unchanged

Source: llm_adapter@2026-05-21

Confidence: low
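As an added example, not Fleet's code: a small Go client implementing the conditional-download pattern described in the two ETag entries above. It sends If-None-Match with the cached ETag, reuses the cached bytes on a 304, and skips the condition when an always_download-style flag is set. It also adds the check a practitioner wants on top, since an ETag is only the origin's claim that nothing changed, not an integrity guarantee: the body is compared against a pinned SHA-256 on every call, cache hit or not. The origin server, package bytes, ETag value, and the always_download flag (modelled on the option's name only) are constructed for this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
)

type cacheEntry struct {
	ETag string
	Body []byte
}

type downloader struct {
	client *http.Client
	cache  map[string]cacheEntry
}

func newDownloader() *downloader {
	return &downloader{client: http.DefaultClient, cache: map[string]cacheEntry{}}
}

func sha256hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// fetch downloads url, sending If-None-Match when a cached copy with an ETag
// exists and alwaysDownload is false. It returns the body and whether it was
// served from the cache via a 304.
func (d *downloader) fetch(url string, alwaysDownload bool) ([]byte, bool, error) {
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return nil, false, err
	}
	prev, cached := d.cache[url]
	if cached && prev.ETag != "" && !alwaysDownload {
		req.Header.Set("If-None-Match", prev.ETag)
	}
	resp, err := d.client.Do(req)
	if err != nil {
		return nil, false, err
	}
	defer resp.Body.Close()
	switch resp.StatusCode {
	case http.StatusNotModified:
		if !cached {
			return nil, false, errors.New("304 received without a cached copy")
		}
		return prev.Body, true, nil
	case http.StatusOK:
		body, err := io.ReadAll(resp.Body)
		if err != nil {
			return nil, false, err
		}
		d.cache[url] = cacheEntry{ETag: resp.Header.Get("ETag"), Body: body}
		return body, false, nil
	default:
		return nil, false, fmt.Errorf("unexpected status %d", resp.StatusCode)
	}
}

// fetchVerified wraps fetch with a pinned SHA-256 check. The hash belongs to the
// operator, the ETag to the origin, so the hash is checked even on cache hits.
func (d *downloader) fetchVerified(url, wantSHA string, alwaysDownload bool) ([]byte, bool, error) {
	body, fromCache, err := d.fetch(url, alwaysDownload)
	if err != nil {
		return nil, false, err
	}
	if got := sha256hex(body); got != wantSHA {
		delete(d.cache, url) // never keep serving a mismatching copy
		return nil, fromCache, fmt.Errorf("sha256 mismatch: got %s want %s", got, wantSHA)
	}
	return body, fromCache, nil
}

// newOriginServer is a constructed test origin: it serves body with the given
// ETag, answers 304 to a matching If-None-Match, and counts full downloads.
func newOriginServer(body []byte, etag string) (*httptest.Server, *int64) {
	var full int64
	h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("ETag", etag)
		if r.Header.Get("If-None-Match") == etag {
			w.WriteHeader(http.StatusNotModified)
			return
		}
		atomic.AddInt64(&full, 1)
		w.Write(body)
	})
	return httptest.NewServer(h), &full
}

func main() {
	pkg := []byte("constructed installer bytes")
	srv, full := newOriginServer(pkg, `"v1"`)
	defer srv.Close()
	d := newDownloader()
	want := sha256hex(pkg)
	for i, always := range []bool{false, false, true} {
		_, cached, err := d.fetchVerified(srv.URL+"/installer.pkg", want, always)
		fmt.Printf("fetch %d: always_download=%v from_cache=%v err=%v full_downloads=%d\n",
			i+1, always, cached, err, atomic.LoadInt64(full))
	}
}
```

The second call is answered with a 304 and costs no transfer; the third, with always_download set, forces a full download; and a wrong pinned hash fails even when the origin says nothing changed.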

Bugfix Medium

Android Wi-Fi profiles withheld until referenced certificate installed

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

Windows BitLocker encrypt/decrypt loop fixed for auto-unlock secondary drives

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Fixed race condition that could silently revert a host to its previous team after an admin transfer

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Pending MDM profile rows cleaned up when MDM disabled or unenrolled

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Custom package installers removed when adding FMA for same title

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Renaming patch policy in GitOps file no longer deletes policy

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Device wipe after certificate renewal succeeds with bootstrap token

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Fixed server panic (502) when an Android pubsub status report arrived for a host already deleted from Fleet

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Server panic fixed for incomplete Apple MDM DeviceInformation response

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

AccountConfiguration command no longer sent to iOS/iPadOS with EUA

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Host activity feed displays correct host activities after navigation

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Fixed infinite pagination loop on the software table when the filter dropdown is used after paging

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Nil pointer dereference fixed in contributor API spec/policies

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Host environment variables in script-only packages handled in GitOps

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

DDM reconciler self-healing fixed for stuck remove/pending profiles

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Batch DDM profile changes no longer result in stuck profiles

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

DDM profile display name comparison is case-insensitive

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Host OS setting entry removed when RemoveProfile fails with error 89

Source: llm_adapter@2026-05-21

Confidence: low

Refactor Low

Switched default WiX runtime on macOS to Docker, removing Wine requirement

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Refactor Low

Changed Fleet‑maintained apps serving location from GitHub to https://maintained-apps.fleetdm.com/manifests with fallback

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Refactor Low

Updated `fleetctl gitops` to process Android certificates before Android profiles

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Refactor Low

Set `script_execution_timeout` to default from global agent options if unset

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Refactor Low

Redirect users with read‑only access from edit policy page to policy details page

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Refactor Low

Removed email and password requirements from `fleetctl user create --api-only`

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Refactor Low

Updated `GET /users/{id}` response to include `api_endpoints` field for API‑only users

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Full changelog

Fleet 4.85.0 (May 14, 2026)

IT Admins

  • Added a dark theme to the Fleet UI, selectable in account settings with light, dark, and system options.
  • Implemented Clear Passcode feature for iOS and iPadOS.
  • Added support for Fleet variables in Apple's declaration profiles (DDM).
  • Added support for passing end-user authentication context to the Fleet MSI installer during Windows MDM enrollment, so end users are not prompted to authenticate twice when EUA is enabled.
  • Switched to Docker as the default WiX runtime on macOS (including Apple Silicon) when generating .msi packages via fleetctl package. Wine is no longer required on macOS for the default path.
  • Updated macOS 15 CIS benchmark to include v2.0.0 changes.
  • Updated the macOS 14 (Sonoma) CIS policy set to benchmark v3.0.0.
  • Switched Fleet-maintained apps serving location from GitHub to https://maintained-apps.fleetdm.com/manifests. If this site is inaccessible, Fleet will fall back to the previous GitHub-hosted copies of manifest files.
  • Added conditional HTTP downloads using ETag headers for software in GitOps, skipping re-download when content hasn't changed.
  • Added always_download option for software in GitOps to bypass the new conditional download feature.
  • Added automatic escaping of JSON special characters in GitOps variables used in .json configuration profiles (Apple DDM declarations and Android profiles).
  • Updated fleetctl gitops to process Android certificates before Android profiles.
  • Made fleet name uniqueness rules consistent across the UI, API, and GitOps paths. Fleet names must now differ by more than letter case, and conflicts return a 409 error on all code paths.
  • Enabled renewing and deleting AB tokens in the UI in GitOps mode.
  • Changed the team's script_execution_timeout in agent options to default to the global agent options value when unset.
  • Added ability to save policies whose SQL is flagged as a syntax error.
  • Withheld Android Wi-Fi configuration profiles (openNetworkConfiguration with ClientCertKeyPairAlias) until the referenced certificate is installed or terminally failed on the device.
  • Updated the host OS settings detail column to show the reason when an Android profile is pending due to a certificate dependency.
  • Added "Hosts online", "Vulnerability exposure", and "Hosts enrolled" charts to the dashboard.
  • Added an admin setting to control retention of vulnerability-exposure data used by the dashboard chart.
  • Added new policy details page with a read-only view of policy information.
  • Updated edit policy page to redirect users with read-only access to the policy details page.
  • Added dedicated /policies/:id/live route for running policies.
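The JSON-escaping item in the list above is an injection boundary: a variable value dropped verbatim into a .json declaration can break the document or, worse, add keys the author never wrote. The Go program below is an added example (not Fleet's code) that shows the unsafe substitution next to the hardened one, using json.Marshal to produce the string-literal body. The $FLEET_VAR_ token syntax, the template, and the sample values are constructed for illustration; the page does not show Fleet's own variable syntax.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// varToken matches variable references in a profile template. The $FLEET_VAR_
// prefix is assumed for this example.
var varToken = regexp.MustCompile(`\$FLEET_VAR_[A-Z0-9_]+`)

// substituteRaw is the unsafe "before": values are pasted into the document verbatim.
func substituteRaw(template string, vars map[string]string) string {
	return varToken.ReplaceAllStringFunc(template, func(tok string) string {
		if v, ok := vars[tok]; ok {
			return v
		}
		return tok // unknown variable left in place
	})
}

// jsonEscape encodes v as the body of a JSON string literal, without the
// surrounding quotes, so it can replace a token that already sits inside "...".
func jsonEscape(v string) string {
	b, _ := json.Marshal(v) // marshalling a string cannot fail
	return string(b[1 : len(b)-1])
}

// substituteEscaped is the hardened "after".
func substituteEscaped(template string, vars map[string]string) string {
	return varToken.ReplaceAllStringFunc(template, func(tok string) string {
		if v, ok := vars[tok]; ok {
			return jsonEscape(v)
		}
		return tok
	})
}

// profile is the minimal shape parsed back out of a rendered document.
type profile struct {
	Type       string            `json:"Type"`
	Identifier string            `json:"Identifier"`
	Payload    map[string]string `json:"Payload"`
}

func parseProfile(doc string) (profile, error) {
	var p profile
	err := json.Unmarshal([]byte(doc), &p)
	return p, err
}

// sampleTemplate is a constructed, DDM-shaped declaration; the keys are illustrative.
const sampleTemplate = `{"Type":"com.example.configuration","Identifier":"$FLEET_VAR_PROFILE_ID","Payload":{"DisplayName":"$FLEET_VAR_DISPLAY_NAME"}}`

func main() {
	cases := []struct {
		name string
		vars map[string]string
	}{
		{"quotes", map[string]string{"$FLEET_VAR_PROFILE_ID": "com.example.wifi", "$FLEET_VAR_DISPLAY_NAME": `Corp "Wi-Fi"`}},
		{"injection", map[string]string{"$FLEET_VAR_PROFILE_ID": "com.example.wifi", "$FLEET_VAR_DISPLAY_NAME": `x","Extra":"injected`}},
	}
	for _, c := range cases {
		for _, s := range []struct {
			label string
			fn    func(string, map[string]string) string
		}{{"raw", substituteRaw}, {"escaped", substituteEscaped}} {
			doc := s.fn(sampleTemplate, c.vars)
			p, err := parseProfile(doc)
			fmt.Printf("%-9s %-7s valid=%-5v payload=%v\n", c.name, s.label, err == nil, p.Payload)
		}
	}
}
```

With raw substitution the quoted value yields an unparseable declaration, and the second value parses fine but smuggles an "Extra" key into the payload; with escaping, both round-trip as the literal strings the author supplied.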

Security Engineers

  • Added UI pages for creating and editing API-only users with support for fleet assignment, role selection, and API endpoint access control.
  • Added new middleware (APIOnlyEndpointCheck) that enforces a 403 response for API-only users whose request either isn't in the API endpoint catalog or falls outside their configured per-user endpoint restrictions.
  • Added POST /users/api_only endpoint for creating API-only users.
  • Added PATCH /users/api_only/{id} endpoint for updating existing API-only users.
  • Updated fleetctl user create --api-only to remove email and password field requirements.
  • Added a new premium GET /api/_version_/fleet/rest_api endpoint that returns the contents of the embedded api_endpoints.yml artifact.
  • Updated GET /users/{id} response to include the new api_endpoints field for API-only users.
  • Added user_api_endpoints table to track per-user API endpoint permissions.
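As an added illustration (example code, not Fleet's implementation), here is the deny-by-default shape that the APIOnlyEndpointCheck middleware and the startup route check in the lists above imply, in Go: a request is first resolved against an endpoint catalog, then against the caller's per-user allowlist, and 403 is returned when either lookup fails. The catalog (modelled on the idea of api_endpoints.yml, whose real schema this page does not show), the apiUser type, the decide and missingRoutes helpers, and the assumption that an API-only user with no configured restrictions is bounded only by the catalog are all this example's own.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sort"
	"strings"
)

// catalogEntry is one row of a constructed endpoint catalog.
type catalogEntry struct {
	Method string
	Path   string // "{id}"-style segments match any single non-empty segment
}

func (e catalogEntry) key() string { return e.Method + " " + e.Path }

// pathMatches compares a request path with a catalog pattern segment by segment.
func pathMatches(pattern, path string) bool {
	ps := strings.Split(strings.Trim(pattern, "/"), "/")
	rs := strings.Split(strings.Trim(path, "/"), "/")
	if len(ps) != len(rs) {
		return false
	}
	for i := range ps {
		wildcard := strings.HasPrefix(ps[i], "{") && strings.HasSuffix(ps[i], "}")
		if wildcard && rs[i] != "" {
			continue
		}
		if ps[i] != rs[i] {
			return false
		}
	}
	return true
}

// lookupCatalog returns the catalog key for a request, or "" if it is not catalogued.
func lookupCatalog(catalog []catalogEntry, method, path string) string {
	for _, e := range catalog {
		if e.Method == method && pathMatches(e.Path, path) {
			return e.key()
		}
	}
	return ""
}

// apiUser is the identity resolved for a request. Allowed holds catalog keys the
// user may call; nil means no per-user restriction has been configured (assumed).
type apiUser struct {
	Name    string
	APIOnly bool
	Allowed map[string]bool
}

// decide returns 0 to let the request through, or 403 when an API-only user's
// request is not in the catalog or falls outside their configured allowlist.
func decide(catalog []catalogEntry, u apiUser, method, path string) int {
	if !u.APIOnly {
		return 0 // interactive users are governed by their role, not this check
	}
	key := lookupCatalog(catalog, method, path)
	if key == "" {
		return http.StatusForbidden // uncatalogued route: deny by default
	}
	if u.Allowed != nil && !u.Allowed[key] {
		return http.StatusForbidden
	}
	return 0
}

// endpointCheck wraps next with the decision above.
func endpointCheck(catalog []catalogEntry, userOf func(*http.Request) apiUser, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if code := decide(catalog, userOf(r), r.Method, r.URL.Path); code != 0 {
			http.Error(w, "forbidden", code)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// missingRoutes lists catalog entries with no registered handler, the drift a
// startup check would refuse to boot with.
func missingRoutes(catalog []catalogEntry, registered map[string]bool) []string {
	var missing []string
	for _, e := range catalog {
		if !registered[e.key()] {
			missing = append(missing, e.key())
		}
	}
	sort.Strings(missing)
	return missing
}

// sampleCatalog is constructed; the paths only resemble Fleet's.
var sampleCatalog = []catalogEntry{
	{"GET", "/api/v1/fleet/hosts"},
	{"GET", "/api/v1/fleet/hosts/{id}"},
	{"POST", "/api/v1/fleet/scripts/run"},
}

func main() {
	// Constructed caller: API-only, allowed to list hosts and nothing else.
	reader := apiUser{Name: "inventory-bot", APIOnly: true, Allowed: map[string]bool{"GET /api/v1/fleet/hosts": true}}
	srv := endpointCheck(sampleCatalog, func(*http.Request) apiUser { return reader },
		http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) }))
	for _, rq := range [][2]string{
		{"GET", "/api/v1/fleet/hosts"}, {"GET", "/api/v1/fleet/hosts/42"},
		{"POST", "/api/v1/fleet/scripts/run"}, {"DELETE", "/api/v1/fleet/hosts/42"},
	} {
		rec := httptest.NewRecorder()
		srv.ServeHTTP(rec, httptest.NewRequest(rq[0], rq[1], nil))
		fmt.Printf("%-6s %-28s -> %d\n", rq[0], rq[1], rec.Code)
	}
	fmt.Println("unregistered:", missingRoutes(sampleCatalog,
		map[string]bool{"GET /api/v1/fleet/hosts": true, "GET /api/v1/fleet/hosts/{id}": true}))
}
```

Only the listed GET returns 200; the host detail, the script run, and the uncatalogued DELETE all get 403, and the startup-style check reports the catalogued route that was never registered.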

Bug fixes and improvements

  • Updated Go to 1.26.3.
  • Improved MySQL writer performance by skipping no-op UPDATE host_orbit_info and UPDATE host_disks writes when the stored values already match the incoming ingest values from osquery, cutting these writes to near zero at steady state.
  • Improved Fleet-maintained apps (FMA) sync performance by adding an index on software.bundle_identifier that eliminates a full table scan during the hourly sync, reducing writer CPU load on large deployments.
  • Improved the performance of deleting Windows MDM configuration profiles at scale by collapsing the per-profile update loop into a single batched statement that spans multiple profiles per chunk.
  • Updated copy, show, and other action buttons app-wide for a more consistent style.
  • Improved button and link styling.
  • Improved the OS settings modal layout.
  • Improved host policy empty state.
  • Updated the enrollment page enroll button to render at full screen width for larger-resolution mobile devices.
  • Updated the error message returned when an invalid domain is supplied for MDM Apple CSR signing.
  • Updated EULA PDF upload size check to use the default max request body size.
  • Added activity when a Windows MDM wipe command fails.
  • Improved documentation for MySQL read replica configuration, clarifying that all settings (including region for IAM authentication) must be explicitly set for the read replica.
  • Upgraded to TypeScript 6.0 for the app frontend.
  • Moved some core UI form components to TypeScript for better predictability and reliability.
  • Removed the unused windows_updates MySQL table and ingestion code.
  • Implemented the chart bounded context and schema to support charting capabilities in Fleet.
  • Added gitOpsModeEnabled and gitOpsModeExceptions to the anonymous statistics payload.
  • Added startup validation that panics if any route declared in service/api_endpoints.yml is not registered in the router.
  • Stopped turning on Prometheus serving by default with a hard-coded username and password when the server is started with --dev.
  • Fixed a Windows BitLocker encrypt/decrypt loop on machines with secondary drives using auto-unlock. Fleet now detects disk encryption using conversion_status (not just protection_status), preventing the server from repeatedly requesting encryption when the disk is already encrypted. Added bitlocker_protection_status tracking so the UI shows "Action required" when BitLocker protection is off instead of misleadingly showing "Verified."
  • Fixed a race condition where a host could silently revert to its previous team after an admin team transfer.
  • Fixed an issue where trying to wipe a device after its certificate was renewed could fail due to a missing bootstrap token. Note: The device might still have wiped.
  • Fixed a server panic (502) when an Android pubsub status report arrived for a host that had been deleted from Fleet.
  • Fixed a server panic when an Apple MDM DeviceInformation refetch response omitted DeviceName or other expected fields.
  • Fixed an issue where Fleet would send an AccountConfiguration command to iOS and iPadOS devices when end user authentication was enabled; AccountConfiguration is macOS-only.
  • Fixed a bug where pending MDM profile rows persisted in the database after Apple or Windows MDM was turned off, causing stale profiles to reappear when MDM was re-enabled. Also fixed cleanup of pending Windows profile rows when a device unenrolls from MDM.
  • Fixed a bug where custom package installers were not removed when adding an FMA for the same title via GitOps, which caused setup experience to install duplicate software.
  • Fixed a bug where renaming a patch policy in a GitOps file caused it to be deleted initially.
  • Fixed a bug where host environment variables in script-only packages would cause GitOps to fail.
  • Fixed an issue where the DDM reconciler would not self-heal for stuck remove/pending profiles due to resend with update.
  • Fixed an issue where a host DDM cleanup function was not executed for stale remove/pending profiles that weren't reported by the device.
  • Fixed an issue where batch processing many DDM profile changes would result in stuck remove/pending profiles.
  • Fixed an issue where sending a differently cased display name for a DDM profile via the batch endpoint would result in recreating the DDM profile and triggering a resend.
  • Fixed an issue where Fleet would not remove the host OS setting entry if a RemoveProfile command failed with error code 89 (profile not found on device).
  • Fixed an issue where adding a custom icon for a script-only package was not allowed in GitOps.
  • Fixed an issue where duplicate Disk Encryption activity types showed up.
  • Fixed the host details activity feed showing the previously opened host's activities by including the host ID in the activity query cache keys.
  • Fixed navigation to the settings page for multi-team admin users.
  • Fixed software table page number to be bookmarkable.
  • Fixed an infinite page loop pagination bug on the software table page that occurred when viewing a subsequent page and then using the software filter dropdown.
  • Fixed styling bugs in GitOps mode UI.
  • Fixed padding between GitOps exceptions checkboxes.
  • Fixed a nil pointer dereference in the contributor API spec/policies.
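The BitLocker fix in the list above turns on which osquery column decides "encrypted". As an added example (not Fleet's code), the Go program below contrasts the legacy decision, which keys on protection_status alone, with one that keys on conversion_status and uses protection_status only for what the UI shows, and counts how many encryption requests each policy would issue for a fully encrypted volume whose protectors are off, the state the page describes for auto-unlock secondary drives. The numeric codes are those of Win32_EncryptableVolume as exposed by osquery's bitlocker_info table; the verdict shape, the constructed volumes, and every status string other than "Verified" and "Action required" are this example's own.

```go
package main

import "fmt"

// Conversion and protection codes as reported by Win32_EncryptableVolume and
// surfaced through osquery's bitlocker_info table.
const (
	convFullyDecrypted       = 0
	convFullyEncrypted       = 1
	convEncryptionInProgress = 2
	convDecryptionInProgress = 3
	convEncryptionPaused     = 4
	convDecryptionPaused     = 5

	protOff     = 0
	protOn      = 1
	protUnknown = 2
)

type volume struct {
	Drive            string
	ConversionStatus int
	ProtectionStatus int
}

// verdict is what a server-side check concludes for one volume.
type verdict struct {
	Encrypted      bool
	RequestEncrypt bool
	UIStatus       string
}

// assessLegacy is the "before": protection_status alone decides whether the
// disk counts as encrypted, so an encrypted volume with protectors off is
// treated as unencrypted and encryption is requested again on every check-in.
func assessLegacy(v volume) verdict {
	if v.ProtectionStatus == protOn {
		return verdict{Encrypted: true, UIStatus: "Verified"}
	}
	return verdict{RequestEncrypt: true, UIStatus: "Enforcing (pending)"}
}

// assess is the "after": conversion_status decides encryption, and
// protection_status only decides what the operator is shown.
func assess(v volume) verdict {
	switch v.ConversionStatus {
	case convFullyEncrypted:
		if v.ProtectionStatus == protOn {
			return verdict{Encrypted: true, UIStatus: "Verified"}
		}
		return verdict{Encrypted: true, UIStatus: "Action required"} // encrypted, protectors off
	case convEncryptionInProgress, convEncryptionPaused:
		return verdict{UIStatus: "Enforcing (pending)"} // already converting; do not re-request
	default: // fully decrypted, decrypting, or paused mid-decryption
		return verdict{RequestEncrypt: true, UIStatus: "Enforcing (pending)"}
	}
}

// encryptRequests counts the encryption commands a server running the given
// policy would issue over n check-ins for a volume whose state never changes.
func encryptRequests(policy func(volume) verdict, v volume, n int) int {
	count := 0
	for i := 0; i < n; i++ {
		if policy(v).RequestEncrypt {
			count++
		}
	}
	return count
}

func main() {
	// Constructed host: protected system drive, auto-unlock secondary drive
	// reporting encrypted with protection off, and one unencrypted data drive.
	vols := []volume{
		{"C:", convFullyEncrypted, protOn},
		{"D:", convFullyEncrypted, protOff},
		{"E:", convFullyDecrypted, protOff},
	}
	for _, v := range vols {
		fmt.Printf("%s legacy=%+v\n   after=%+v\n", v.Drive, assessLegacy(v), assess(v))
	}
	fmt.Println("encrypt requests for D: over 5 check-ins, legacy:", encryptRequests(assessLegacy, vols[1], 5),
		"after:", encryptRequests(assess, vols[1], 5))
}
```

The legacy policy requests encryption of D: on all five check-ins, which is the loop; the corrected policy requests none and instead surfaces "Action required" so the operator sees that protection is off rather than a misleading "Verified".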

Fleet-maintained app updates and vulnerability fixes are applied, whether or not you upgrade.

Fleet's agent

The following versions of Fleet's agent (fleetd) support the latest changes to Fleet:

  1. orbit-v1.55.0
  2. fleet-desktop-v1.55.0 (included with Orbit)
  3. osquery-5.23.0 (included with Orbit)
  4. fleetd-chrome-v1.3.5
  5. fleetd-android-v1.0.2

While newer versions of fleetd still function with older versions of Fleet, old versions of fleetd and osquery may not function with new versions of Fleet. We do not actively test these scenarios, and we recommend deploying a minimum of the agent versions above before upgrading to this version of Fleet.

Upgrading

Please visit our upgrade guide for upgrade instructions.

Documentation

Documentation for Fleet is available at fleetdm.com/docs.

Binary Checksum

SHA256

f7eed5849929b0da95b6137637ff511861c77083347b56729e64ec730ffe0fac  fleet_v4.85.0_linux.tar.gz
5ec57c4fbeea41d709a53b95cdc45c9882a0fcec540ee6817aeab8c1dee3451c  fleetctl_v4.85.0_linux_amd64.tar.gz
bee544c2a1c14f00f3704ae5b7d30e7ae4bd5eb6e83f83036787563cb96e1adc  fleetctl_v4.85.0_linux_amd64.zip
cf1c797a89ec9fdfca0faeee5e9eaf6e12abe6b2f19d1eebba721e2eb52d1075  fleetctl_v4.85.0_linux_arm64.tar.gz
97f893bb791193f6c341e6aaeb5495738d396dfd68861d0ee745083f18e70cd6  fleetctl_v4.85.0_linux_arm64.zip
ad2190195b51267eec3a935c89ea60f2fcb49ff6f85a8bd80f432664e455f56b  fleetctl_v4.85.0_macos.tar.gz
f9c5acdb0da87185cd154c653618e0dd7466267edbce33147533735b686551a6  fleetctl_v4.85.0_macos.zip
5928e8ea9652273860f7fcc0afc5689fd64df7e6fb1dde7e45b4d62af453de82  fleetctl_v4.85.0_windows_amd64.tar.gz
2229f249a7bfe0c574ea16727f2dfd8093e674d33cdb9960c28fbc17df705019  fleetctl_v4.85.0_windows_amd64.zip
07fbc541d75ef073ec18722b7cb0f7d66b89bbad85326c7fff3c27f033d408be  fleetctl_v4.85.0_windows_arm64.tar.gz
fd23af063cc59c50f125ade79d531952207595488f4c179c8efd1d5242c08411  fleetctl_v4.85.0_windows_arm64.zip


About Fleet device management

Open device management


Related context

Other breaking changes in Fleet

  • fleet v4.86.0: Required `--host` flag for `fleetctl get mdm-commands`; deprecated `GET /api/v1/fleet/commands` without a `host_identifier`.
