Fleet logo
Menu An icon indicating that interacting with this button will open the navigation menu.
Fleet logo An 'X' icon indicating that this can be interacted with to close the navigation menu.
Device management + MDM Orchestration + monitoring Software management + CVEs, usage, app library Integrations
Get started Built-in checks Raw data App library Tutorials & guides API SUPPORT Chat Contribute Release notes "Why is Fleet on my computer?" Get your license
Stories
What people are saying News Ask around Take a tour Meetups COMPANY Origins   (Fleet & osquery) The handbook Logos/artwork Why open source?
Pricing Try it yourself
{{thisPage.meta.articleTitle}}
search

Automatically install software

{{articleSubtitle}}

| The author's GitHub profile picture

Sharon Katz

Share this article on Hacker News Share this article on LinkedIn Share this article on Twitter
Docs Docs REST API REST API Guides Guides Talk to an engineer Talk to an engineer

Automatically install software

{{articleSubtitle}}

| The author's GitHub profile picture

Sharon Katz

Automatically install software

Fleet v4.57.0 introduces the ability to automatically and remotely install software on hosts based on predefined policy failures. This guide will walk you through the process of configuring Fleet for automatic installation of software on hosts using uploaded custom packages or Fleet-maintained apps and based on programmed policies. You'll learn how to configure and use this feature, as well as understand how the underlying mechanism works.

Fleet allows its users to upload trusted software installation files to be installed and used on hosts. This installation could be conditioned on a failure of a specific Fleet Policy.

An icon indicating that this section has important information

Currently, Fleet-maintained apps can be automatically installed on macOS hosts and custom packages can be automatically installed on macOS, Windows, and Linux hosts. (macOS App Store apps coming soon)

Prerequisites

  • Fleet premium with Admin permissions.
  • Fleet v4.57.0 or greater.

Step-by-step instructions

  1. Adding software: Add any software to be available for installation. Follow the deploying software document with instructions how to do it. Note that all installation steps (pre-install query, install script, and post-install script) will be executed as configured, regardless of the policy that triggers the installation.

Add software

Current supported software deployment formats:

  • macOS: .pkg
  • Windows: .msi, .exe
  • Linux: .deb, .rpm

Coming soon:

  • VPP for iOS and iPadOS
An icon indicating that this section has important information

Note: starting with v4.62.0, you can have Fleet create an automatic install policy for you when you upload a package. If you use this "Automatic" installation mode, you do not have to create your own policy. See our deploying software guide for more details.

  1. Add a policy: In Fleet, add a policy that failure to pass will trigger the required installation. Go to Policies tab --> Press the "Add policy" button --> Click "create your own policy" --> Enter your policy SQL --> Save --> Fill in details in the Save modal and Save.
SELECT 1 FROM apps WHERE name = 'Adobe Acrobat Reader.app' AND version_compare(bundle_short_version, '23.001.20687') >= 0;

Note: In order to know the exact application name to put in the query (e.g. "Adobe Acrobat Reader.app" in the query above) you can manually install it on a canary/test host and then query SELECT * from apps;

  1. Manage automation: Open Manage Automations: Policies Tab --> top right "Manage automations" --> "Install software".

Manage policies

  1. Select policy: Select (click the check box of) your newly created policy. To the right of it select from the drop-down list the software you would like to be installed upon failure of this policy.

Install software modal

Upon failure of the selected policy, the selected software installation will be triggered.

An icon indicating that this section has important information

Adding software to a policy will reset the policy's host counts.

How does it work?

  • After configuring Fleet to auto-install a specific software the rest will be done automatically.
  • The policy check mechanism runs on a typical 1 hour cadence on all online hosts.
  • Fleet will send install requests to the hosts on the first policy failure (first "No" result for the host) or if a policy goes from "Yes" to "No". On this iteration it will not send an install request if a policy is already failing and continues to fail ("No" -> "No"). See the following flowchart for details.

Flowchart Detailed flowchart

Templates for policy queries

Use the following policy templates to see if the software is already installed. Fleet uses these templates to automatically install software.

macOS (pkg)

SELECT 1 FROM apps WHERE name = '<SOFTWARE_TITLE_NAME>' AND version_compare(bundle_short_version, '<SOFTWARE_PACKAGE_VERSION>') >= 0;

Windows (msi and exe)

SELECT 1 FROM programs WHERE name = '<SOFTWARE_TITLE_NAME>' AND version_compare(version, '<VERSION>') >= 0;

Debian-based (deb)

SELECT 1 FROM deb_packages WHERE name = '<SOFTWARE_TITLE_NAME>' AND version_compare(version, '<SOFTWARE_PACKAGE_VERSION>') >= 0;

If your team has both Ubuntu and RHEL-based hosts then you should use the following template for the policy queries:

SELECT 1 WHERE EXISTS (
   -- This will mark the policies as successful on non-Debian-based hosts.
   -- This is only required if Debian-based and RPM-based hosts share a team.
   SELECT 1 WHERE (SELECT COUNT(*) FROM deb_packages) = 0
) OR EXISTS (
   SELECT 1 FROM deb_packages WHERE name = '<SOFTWARE_TITLE_NAME>' AND version_compare(version, '<SOFTWARE_PACKAGE_VERSION>') >= 0
);

RPM-based (rpm)

SELECT 1 FROM rpm_packages WHERE name = '<SOFTWARE_TITLE_NAME>' AND version_compare(version, '<SOFTWARE_PACKAGE_VERSION>') >= 0;

If your team has both Ubuntu and RHEL-based hosts then you should use the following template for the policy queries:

SELECT 1 WHERE EXISTS (
   -- This will mark the policies as successful on non-RPM-based hosts.
   -- This is only required if Debian-based and RPM-based hosts share a team.
   SELECT 1 WHERE (SELECT COUNT(*) FROM rpm_packages) = 0
) OR EXISTS (
   SELECT 1 FROM rpm_packages WHERE name = '<SOFTWARE_TITLE_NAME>' AND version_compare(version, 'SOFTWARE_PACKAGE_VERSION') >= 0
);

Using the REST API for self-service software packages

Fleet provides a REST API for managing software packages, including self-service software packages. Learn more about Fleet's REST API.

Managing self-service software packages with GitOps

To manage self-service software packages using Fleet's best practice GitOps, check out the software key in the GitOps reference documentation.

Conclusion

Software deployment can be time-consuming and risky. This guide presents Fleet's ability to mass deploy software to your fleet in a simple and safe way. Starting with uploading a trusted installer and ending with deploying it to the proper set of machines answering the exact policy defined by you.

Leveraging Fleet’s ability to install and upgrade software on your hosts, you can streamline the process of controlling your hosts, replacing old versions of software and having the up-to-date info on what's installed on your fleet.

By automating software deployment, you can gain greater control over what's installed on your machines and have better oversight of version upgrades, ensuring old software with known issues is replaced.