This guide details which API endpoints to make publicly accessible.
If you would like to manage hosts that can travel outside your VPN or intranet, we recommend only exposing the osquery endpoints to the public internet:
If you are using Fleet Desktop and want it to work on remote devices, the bare minimum API to expose is
/api/*/fleet/device/*/desktop. This minimal endpoint will only provide the number of failing policies.
For full Fleet Desktop and scripts functionality,
/api/fleet/device/ping must also be exposed.
If you would like to use the fleetctl CLI from outside of your network, the following endpoints will also need to be exposed for
If you would like to use Fleet's macOS MDM features, the following endpoints need to be exposed:
/mdm/apple/scep: Allows hosts to obtain a SCEP certificate.
/mdm/apple/mdm: Allows hosts to reach the server using the MDM protocol.
/api/mdm/apple/enroll: If you use automatic enrollment, allows hosts to get an enrollment profile.
/api/*/fleet/device/*: Provides end users access to their My device page.
/api/*/fleet/mdm/sso/callback: If you use automatic enrollment and you require end user authentication during out-of-the-box macOS setup, allows end users to authenticate with your IdP.
/api/*/fleet/mdm/setup/eula/*: If you use automatic enrollment and you require that the end user agrees to an End User License Agreement (EULA) during out-of-the-box macOS setup, allows end user to see the EULA.
/api/*/fleet/mdm/bootstrap: If you use automatic enrollment and you install a bootstrap package during out-of-the-box macOS setup, installs the bootstrap package.
/mdm/apple/mdmendpoints are outside of the
/apipath because they are not RESTful and are not intended for use by API clients or browsers.
If you would like to use Fleet's Windows MDM features, the following endpoints need to be exposed:
/api/mdm/microsoft/management: Allows host to get MDM commands and profiles once the host.
/api/mdm/microsoft/discovery: Allows hosts to get information from the MDM server.
/api/mdm/microsoft/policy: Delivers the enrollment policies required to issue identity certificates to hosts.
/api/mdm/microsoft/enroll: Delivers WS-Trust X.509v3 Token Enrollment (MS-WSTEP) functionality.
/api/mdm/microsoft/tos: Presents end users with the Terms of Service agreement during out-of-the-box Windows setup. Required for automatic enrollment.
/api/mdm/microsoft/auth: If you use automatic enrollment, authenticates end users during out-of-the-box Windows setup.
/api/*/fleet/* endpoints accessed by the fleetd agent can use mTLS with the certificate provided via the
--fleet-tls-client-certificate flag in the
fleetctl package command.
/api/mdm/apple/enroll endpoints can use mTLS with the SCEP certificate issued by the Fleet server.
These endpoints don't use mTLS:
For macOS and Windows, the MDM client on the host will send the client certificate in a header. The Fleet server always does additional verification of this certificate.