Fleet 4.56.0 (Sep 7, 2024)

Endpoint operations

• Added index to query_results DB table to speed up finding last query timestamp for a given query and host.
• Added a link in the UI to the error message when a CSR can't be downloaded due to missing private key.
• Added a disabled overlay to the Other Workflows modal on the policy page.
• Improved performance of live queries to accommodate for higher volumes when utilizing zero-trust workflows.
• Improved fleetctl gitops error message when trying to change team name to a team that already exists.

Device management

• Added server support for multiple VPP tokens.
• Added new endpoints and updated existing endpoints for managing multiple Apple Business Manager tokens.
• Added support for S3 to store MDM bootstrap packages (uses the same bucket configuration as for software installers).
• Added support to UI for self service VPP software.
• Added backend and gitops support for self service VPP.
• Added ability for MDM migrations if the host is manually enrolled to a 3rd party MDM.
• Added an offline screen to the macOS MDM migration flow.
• Added new ABM page to Fleet UI.
• Added new VPP page to the fleet UI
• Added support to track the Apple Business Manager "terms expired" API error per token, as well as a global flag that gets set as soon as one token has its terms expired.
• Updated the instructions on "My device" for MDM migrations on pre-Sonoma macOS hosts.
• Updated to allow multiple teams to be assigned to the same VPP Token.
• Updated process so that deleting installed software or VPP app now makes it available for re-installation.
• Updated to enforce minimum OS version settings during Apple Automated Device Enrollment (ADE).
• Updated ABM ingestion so that deleted iOS/iPadOS host will continue to report to Fleet as long as host is in Apple Business Manager (ABM).
• Updated so that refetching an offline iOS/iPadOS host will not add new MDM commands to the queue if previous refetch has not completed yet.
• Updated UI so that downloading a software installer package now shows the browser's built-in progress bar.
• Updated relevant documentation to include references to multiple ABM and VPP tokens.
• Consolidated Automatic Enrollment and VPP settings under the MDM settings integration page.
• Cleared apps associated with a VPP token if it's moved off of a team.

Vulnerability management

• Added ALAS bulletins as vulnerability source for Amazon Linux (instead of OVAL for Amazon Linux 2, and adds support for Amazon Linux 1, 2022, and 2023).
• Added matching rules for July and August Microsoft 365 security updates (https://learn.microsoft.com/en-us/officeupdates/microsoft365-apps-security-updates).
• Added the following filters to /software/titles and /software/versions API endpoints: exploit: bool, min_cvss_score: float, max_cvss_score: float.
• Updated software titles/versions tables to allow for filtering by vulnerabilities including severity and known exploit.
• Updated to use empty CVE description when the NVD CVE feed doesn't include description entries (instead of panicking).
• Updated matching software that is not installed by Fleet so that it shows up as 'Available for install' on host details page.
• Updated base images of fleetdm/fleetctl, fleetdm/bomutils and fleetdm/wix to fix critical vulnerabilities found by Trivy.
• Updated vulnerability scanning to use macos SW target for CPEs of homebrew packages.
• Updated vulnerability scanning to not ignore software with non-ASCII en dash and em dash characters.
• Updated GET /api/v1/fleet/vulnerabilities/{cve} endpoint to add validation of CVE format, and a 204 response. The 204 response indicates that the vulnerability is known to Fleet but not present on any hosts.
• Updated the UI to add new empty states for searching vulnerabilities: invalid CVE format searched, a known CVE serached but not present on hosts, not a known CVE searched, exploited vulnerability empty state, operating systems empty state, new icons.

Bug fixes and improvements

• Added support for MySQL 8.4.2 LTS.
• Updated Go to go1.22.6.
• Updated Fleet server to now accept arguments via stdin. This is useful for passing secrets that you don't want to expose as env vars, in the command line, or in the config file.
• Updated text for "Turn on MDM" banners in UI.
• Updated ABM host tooltip copy on the manage host page to clarify when host vitals will be available to view.
• Updated copy on auotmatic enrollment modal on my device page.
• Updated host details activities tooltip and empty state copy to reflect recently added capabilities.
• Updated Fleet Free so users see a Premium feature message when clicking to add software.
• Updated usage reporting to report statistics on new AI features, maintenance window, and fleetd.
• Fixed bug where configuration profile was still showing the old label name after the name was updated.
• Fixed a bug when a cached prepared statement gets deleted in the MySQL server itself without Fleet knowing.
• Fixed a bug where the wrong API path was used to download a software installer.
• Fixed the failing_host_count so it is never 0. This count is normally updated once an hour during cleanups_then_aggregation cron job.
• Fixed CVE-2024-4030 in Vulncheck feed incorrectly targeting non-Windows hosts.
• Fixed a bug where the "Self-service" filter for the list of software and the list of host's software did not take App Store apps into account.
• Fixed a bug where the "My device" page in Fleet Desktop did not show the self-service software tab when App Store apps were available as self-install.
• Fixed a bug where a software installer (a package or a VPP app) that has been installed on a host still shows up as "Available for install" and can still be requested to be installed after the host is transferred to a different team without that installer (or after the installer is deleted).
• Fixed the "Available for install" filter in the host's software page so that installers that were requested to be installed on the host (regardless of installation status) also show up in the list.
• Fixed UI popup messages bleeding off viewport in some cases.
• Fixed an issue with the scheduling of cron jobs at startup if the job has never run, which caused it to be delayed.
• Fixed UI to display the label names in case-insensitive alphabetical order.

Fleet's agent

The following version of Fleet's agent (fleetd) support the latest changes to Fleet:

1. orbit-v1.32.0
2. fleet-desktop-v1.32.0 (included with Orbit)
3. fleetd-chrome-v1.3.1

While newer versions of fleetd still function with older versions of the Fleet server (and vice versa), Fleet does not actively test these scenarios and some newer features won't be available.

Upgrading

Please visit our update guide for upgrade instructions.

Documentation

Documentation for Fleet is available at fleetdm.com/docs.

Binary Checksum

SHA256

71643aa0cf144ed97cec20b85fe34b221659ec84200c126dacb5f0e60d8f8966  fleet_v4.56.0_linux.tar.gz
25bbbc05dc731d9aa2a3644f288dfa92286e66ebb611569f7a8c6b36dc7831e1  fleetctl_v4.56.0_linux.tar.gz
00cca9c8f05278aa6d8bdcec68fddebeefbd7a4f3555d77abef93e194f9fef9c  fleetctl_v4.56.0_linux.zip
c22e235acf96354bce2b164c468c7648755803a6df30e180be957a0bc133d26b  fleetctl_v4.56.0_macos.tar.gz
a106ba43047ff3b31f4dc1db54a9695430f3932b00668d4f5439eac66daf0ec2  fleetctl_v4.56.0_macos.zip
bc350b275520f5b09e6b80fc523846316e3c2d5f88fe0f603076799050651631  fleetctl_v4.56.0_windows.tar.gz
de776ea3c0a896c85d229e39fca13ce51c48b8c5ba10eb46eaed055afbf61a0a  fleetctl_v4.56.0_windows.zip