Fleet logo
Menu An icon indicating that interacting with this button will open the navigation menu.
Fleet logo An 'X' icon indicating that this can be interacted with to close the navigation menu.
Device management + MDM Orchestration + monitoring Software management + CVEs, usage, app library Integrations
Docs
Stories
What people are saying News Ask around Take a tour Meetups COMPANY Origins   (Fleet & osquery) The handbook Logos/artwork Why open source?
Pricing Try it yourself
{{thisPage.meta.articleTitle}}
search

Which API endpoints to expose to the public internet?

{{articleSubtitle}}

| The author's GitHub profile picture

Mike Thomas

Share this article on Hacker News Share this article on LinkedIn Share this article on Twitter
Docs Docs REST API REST API Guides Guides Talk to an engineer Talk to an engineer

Which API endpoints to expose to the public internet?

{{articleSubtitle}}

| The author's GitHub profile picture

Mike Thomas

Which API endpoints to expose to the public internet?

This guide details which API endpoints to make publicly accessible.

Managing hosts that can travel outside VPN or intranet

If you would like to manage hosts that can travel outside your VPN or intranet, we recommend only exposing the osquery endpoints to the public internet:

  • /api/osquery/*
  • /api/v1/osquery/*

Using Fleet Desktop on remote devices

If you're using Fleet Desktop /api/*/fleet/device/*/desktop must be exposed in the API, and for the end user Fleet Desktop > My device page /device/* and /assets/* must be exposed.

For full Fleet Desktop and scripts functionality, /api/fleet/orbit/* and/api/fleet/device/ping must also be exposed.

Using fleetctl CLI from outside of your network

If you would like to use the fleetctl CLI from outside of your network, the following endpoints will also need to be exposed for fleetctl:

  • /api/setup
  • /api/*/setup
  • /api/*/fleet/*

Using Fleet's MDM features

macOS

If you would like to use Fleet's macOS MDM features, the following endpoints need to be exposed:

  • /mdm/apple/scep: Allows hosts to obtain a SCEP certificate.
  • /mdm/apple/mdm: Allows hosts to reach the server using the MDM protocol.
  • /api/mdm/apple/enroll: If you use automatic enrollment, allows hosts to get an enrollment profile.
  • /api/*/fleet/device/*: Provides end users access to their My device page.
    • This page is where they download their manual enrollment profile, rotate their disk encryption key, and use other features. For more information on these API endpoints see the documentation here.
  • /api/*/fleet/mdm/sso and /api/*/fleet/mdm/sso/callback: If you use automatic enrollment and you require end user authentication during out-of-the-box macOS setup, allows end users to authenticate with your IdP.
  • /api/*/fleet/mdm/setup/eula/*: If you use automatic enrollment and you require that the end user agrees to an End User License Agreement (EULA) during out-of-the-box macOS setup, allows end user to see the EULA.
  • /api/*/fleet/mdm/bootstrap: If you use automatic enrollment and you install a bootstrap package during out-of-the-box macOS setup, installs the bootstrap package.
An icon indicating that this section has important information

The /mdm/apple/scep and /mdm/apple/mdm endpoints are outside of the /api path because they are not RESTful and are not intended for use by API clients or browsers.

Windows

If you would like to use Fleet's Windows MDM features, the following endpoints need to be exposed:

SCEP proxy

If you would like to use Fleet as a SCEP proxy, the following endpoint needs to be exposed:

  • /mdm/scep/proxy/*: Allows hosts to obtain a SCEP certificate from a configured SCEP server.

Advanced

The /api/*/fleet/* endpoints accessed by the fleetd agent can use mTLS with the certificate provided via the --fleet-tls-client-certificate flag in the fleetctl package command.

The /mdm/apple/mdm and /api/mdm/apple/enroll endpoints can use mTLS with the SCEP certificate issued by the Fleet server.

These endpoints don't use mTLS:

  • /mdm/apple/scep
  • /api/mdm/microsoft/discovery
  • /api/mdm/microsoft/auth
  • /api/mdm/microsoft/policy
  • /api/mdm/microsoft/enroll
  • /api/mdm/microsoft/management
  • /api/mdm/microsoft/tos

For macOS and Windows, the MDM client on the host will send the client certificate in a header. The Fleet server always does additional verification of this certificate.