Noah Talerman
In Fleet you can enforce OS settings like security restrictions, screen lock, Wi-Fi, etc., on your macOS, iOS, iPadOS, Windows, and Android hosts using configuration profiles.
For macOS, iOS, and iPadOS hosts, Fleet recommends the iMazing Profile Creator tool for creating and exporting macOS configuration profiles. Fleet signs these profiles for you. If you have self-signed profiles, run this command to unsign them:
/usr/bin/security cms -D -i /path/to/profile/profile.mobileconfig | xmllint --format -
For Windows hosts, copy this Windows configuration profile template and update the profile using any configuration service providers (CSPs) from Microsoft's MDM protocol.
For Android hosts, copy this Android configuration profile template and update the profile using the options available in Android Management API. To learn how, watch this video.
You can enforce OS settings using the Fleet UI, Fleet API, or Fleet's best practice GitOps.
Fleet UI:
In the Fleet UI, head to the Controls > OS settings > Custom settings page.
Choose which team you want to add a configuration profile to by selecting the desired team in the teams dropdown in the upper left corner. Teams are available in Fleet Premium.
Select Add profile and choose your configuration profile.
To edit the OS setting, first remove the old configuration profile and then add the new one. On macOS, iOS, iPadOS, and Android, removing a configuration profile will remove enforcement of the OS setting.
Fleet API: Use the Add custom OS setting (configuration profile) endpoint in the Fleet API.
Currently, on macOS hosts, Fleet supports enforcing OS settings at the device (device-scoped) and user (user-scoped) levels. User-scoped declaration (DDM) profiles and iOS, iPadOS, and Windows configuration profiles are coming soon.
If a host is automatically enrolled (via ADE), user-scoped profiles are delivered to the user that was created during first time setup. For hosts that enrolled and turned on MDM manually, user-scoped profiles are delivered to the user that turned on MDM on the Fleet Desktop > My device page.
How to deliver user-scoped configuration profiles:
Add the PayloadScope key to the configuration profile, and set the value to User. Here's an example .mobileconfig snippet:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    ...
    <key>PayloadScope</key>
    <string>User</string>
</dict>
</plist>
When upgrading to 4.71.0, here's how to prepare your already enrolled hosts for user-scoped configuration profiles:
When upgrading to Fleet 4.71.0, here's how to update configuration profiles that are already installed on hosts so that they're delivered to the user scope:
PayloadScope set to User. Already deployed profiles with PayloadScope set to User won't be re-installed on hosts automatically.
Update the PayloadIdentifier, re-add the profile to Fleet, and delete the old profile. This will uninstall the device-scope profile and install the profile in the user scope. If you're using GitOps, just update the PayloadIdentifier and run GitOps.
In versions older than 4.71.0, Fleet always delivered configuration profiles to the device scope (even when the profile's PayloadScope was set to User).
If you want to make sure the profile stays device-scoped, update PayloadScope to System or remove PayloadScope entirely. The default scope in Fleet is System.
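The scope check described above, as an added Python example (not Fleet's own code): it reads unsigned .mobileconfig files and sorts them by PayloadScope, treating a missing key as System per the default stated above. The file names, identifiers, status labels and function names are constructed for illustration.

```python
import plistlib
from xml.parsers.expat import ExpatError


def payload_scope(profile_bytes):
    """Return the PayloadScope of an unsigned profile, or None if unparseable."""
    try:
        profile = plistlib.loads(profile_bytes)
    except (plistlib.InvalidFileException, ExpatError, ValueError):
        return None  # signed (CMS-wrapped) or malformed: unsign or fix it first
    if not isinstance(profile, dict):
        return None
    # A missing key means device scope: the default scope in Fleet is System.
    return profile.get("PayloadScope", "System")


def review_for_upgrade(profiles):
    """Map each profile name to a status label (labels are this example's own)."""
    result = {}
    for name, data in profiles.items():
        scope = payload_scope(data)
        if scope is None:
            result[name] = "unreadable"
        elif scope == "User":
            # Delivered to the device scope before 4.71.0 and not re-installed
            # automatically: change PayloadIdentifier to move it to the user
            # scope, or set PayloadScope to System to keep it device-scoped.
            result[name] = "user-scope-pending"
        elif scope == "System":
            result[name] = "device-scoped"
        else:
            result[name] = "unexpected-scope"
    return result


def sample_profile(identifier, scope=None):
    # Constructed sample profile; PayloadContent is left empty.
    profile = {"PayloadContent": [], "PayloadIdentifier": identifier}
    if scope is not None:
        profile["PayloadScope"] = scope
    return plistlib.dumps(profile)


SAMPLES = {
    "wifi.mobileconfig": sample_profile("com.example.wifi", "User"),
    "screenlock.mobileconfig": sample_profile("com.example.screenlock"),
    "signed.mobileconfig": b"\x30\x80\x06\x09",  # constructed DER-like bytes
}
```

Profiles reported as unreadable are typically still signed; unsign them with the security cms command shown earlier before running the check.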
If one or more labels included in the profile's scope are deleted, the profile will not apply to new hosts that enroll.
On macOS, iOS, iPadOS, and Windows, a broken profile will not remove the enforcement of the OS settings applied to existing hosts. To enforce the OS setting on new hosts, delete it and upload it again.
On Android hosts, a broken profile will remove the enforcement of the OS settings for existing hosts. To enforce the OS setting on existing and new hosts, delete it and upload it again.
In the Fleet UI, head to the Controls > OS settings tab.
In the top box, with "Verified," "Verifying," "Pending," and "Failed" statuses, click each status to view a list of hosts:
Verified: hosts that applied all OS settings. Fleet verifies this by running an osquery query on Windows and macOS hosts (declaration profiles are verified with a DDM StatusReport). Currently, iOS and iPadOS hosts are "Verified" after they acknowledge all MDM commands to apply OS settings. Android hosts are "Verified" after Fleet verifies that the settings are applied in the next status report.
Verifying: hosts that acknowledged all MDM commands to apply OS settings. Fleet is verifying. If the profile wasn't delivered, Fleet will redeliver the profile.
Pending: hosts that are running MDM commands or will run MDM commands to apply OS settings when they come online.
Failed: hosts that failed to apply OS settings. For Windows profiles, status codes are listed in Microsoft's OMA DM docs.
In the list of hosts, click on an individual host and click the OS settings item to see the status for a specific setting.
Currently, when editing a profile using Fleet's GitOps workflow, it can take 30 seconds for the profile's status to update to "Pending."
For Windows configuration profiles with the Win32 and Desktop Bridge app ADMX policies, Fleet only verifies that the host returned a success status code in response to the MDM command to install the configuration profile. You can query the registry keys defined by the ADMX policy. For instance, if an ADMX file defines the following policy:
<policy name="Subteam" class="Machine" displayName="Subteam" key="Software\Policies\employee\Attributes" explainText="Subteam" presentation="String">
    <parentCategory ref="DefaultCategory" />
    <supportedOn ref="SUPPORTED_WIN10" />
    <elements>
        <text id="Subteam" valueName="Subteam" />
    </elements>
</policy>
To verify that the OS setting is applied, run the following osquery query:
SELECT data FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\Software\Policies\employee\Attributes\Subteam';
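The mapping used above, from an ADMX policy's key and valueName to the registry path in the osquery query, as an added Python example (not part of Fleet's docs or code). The function name is this example's own, and it only handles class="Machine" policies like the one shown.

```python
import xml.etree.ElementTree as ET

# The ADMX policy shown above, used as sample input.
SAMPLE_POLICY = r"""<policy name="Subteam" class="Machine" displayName="Subteam" key="Software\Policies\employee\Attributes" explainText="Subteam" presentation="String">
  <parentCategory ref="DefaultCategory" />
  <supportedOn ref="SUPPORTED_WIN10" />
  <elements>
    <text id="Subteam" valueName="Subteam" />
  </elements>
</policy>"""


def admx_verification_queries(policy_xml):
    """Return one osquery registry query per valueName in a Machine policy."""
    policy = ET.fromstring(policy_xml)
    if policy.get("class") != "Machine":
        # Other classes involve a per-user hive; this example does not cover them.
        raise ValueError('only class="Machine" policies are handled')
    policy_key = policy.get("key", "")
    queries = []
    for node in policy.iter():  # the policy element itself, then its descendants
        value_name = node.get("valueName")
        if not value_name:
            continue
        # An element may carry its own key attribute; otherwise use the policy's.
        key = node.get("key", policy_key).strip("\\")
        path = f"HKEY_LOCAL_MACHINE\\{key}\\{value_name}"
        escaped = path.replace("'", "''")  # SQL string-literal escaping
        queries.append(f"SELECT data FROM registry WHERE path = '{escaped}';")
    return queries


if __name__ == "__main__":
    for query in admx_verification_queries(SAMPLE_POLICY):
        print(query)
```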
On Android, if some settings from the profile fail (e.g. incompatible device), other settings from the profile will still be applied. Failed settings will be surfaced on Host > OS settings. Also, some settings from the profile might be overridden by another configuration profile, which means if multiple profiles include the same setting, the profile that is delivered most recently will be applied.
The error message will provide the reason from the Android Management API (AMAPI) for why certain settings are not applied. Possible reasons are listed in the AMAPI docs.