JD Strong
Fleet 4.29.0 is up and running. Check out the full changelog or continue reading to get the highlights.
For upgrade instructions, see our upgrade guide in the Fleet docs.
Available in Fleet Premium and Fleet Ultimate
With this update, you can take 🟠 Ownership of Fleet account role assignment when using Just-in-time (JIT) provisioning. When JIT user provisioning is enabled, Fleet automatically creates a user account upon first login with the configured single sign-on (SSO). The email and full name are copied from the user data in the SSO during the creation process. Large organizations no longer need to create individual users. By default, accounts created via JIT provisioning are assigned the Global Observer role.
Users created via JIT provisioning can be assigned Fleet roles using SAML custom attributes sent by the IdP in a SAMLResponse during login. Global or team roles can be assigned one of the supported values: admin, maintainer, and observer. Fleet will attempt to parse SAML custom attributes. If the account exists, and enable_jit_role_sync is true, the Fleet account roles will be updated to match those set in the SAML custom attributes at every login.
Learn more about JIT user role setting.
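An added example, not from the original post or Fleet's code base: a pre-rollout check in Go that reads the attribute statement of a decoded SAML assertion and reports which Fleet role it would assign, rejecting values outside admin, maintainer and observer. The attribute names FLEET_JIT_USER_ROLE_GLOBAL and FLEET_JIT_USER_ROLE_TEAM_<team ID> are an assumption taken from Fleet's JIT documentation (the post does not list them), and the rejection logic is this example's own policy rather than a description of Fleet's parser.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// Attribute names are an assumption from Fleet's JIT documentation; this post does not list them.
const globalAttr, teamPrefix = "FLEET_JIT_USER_ROLE_GLOBAL", "FLEET_JIT_USER_ROLE_TEAM_"
// Constructed sample: the decoded attribute statement of one assertion (team ID 3 is made up).
const sample = `<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:Attribute Name="FLEET_JIT_USER_ROLE_TEAM_3">
<saml2:AttributeValue>maintainer</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement>`

type statement struct {
	Attrs []struct {
		Name   string   `xml:"Name,attr"`
		Values []string `xml:"AttributeValue"`
	} `xml:"Attribute"`
}

// RolesFromAttributes maps scope ("global" or "team:<id>") to the role the assertion requests.
func RolesFromAttributes(doc string) (map[string]string, error) {
	var st statement
	if err := xml.Unmarshal([]byte(doc), &st); err != nil {
		return nil, err
	}
	roles := map[string]string{}
	for _, a := range st.Attrs {
		scope := "global"
		if strings.HasPrefix(a.Name, teamPrefix) {
			scope = "team:" + strings.TrimPrefix(a.Name, teamPrefix)
		} else if a.Name != globalAttr {
			continue // unrelated attribute such as email or full name
		}
		// Zero or several values join to a string that is not a supported role.
		role := strings.TrimSpace(strings.Join(a.Values, ","))
		if role != "admin" && role != "maintainer" && role != "observer" {
			return nil, fmt.Errorf("%s: unsupported role value %q", a.Name, a.Values)
		}
		roles[scope] = role
	}
	if len(roles) == 0 {
		roles["global"] = "observer" // no role attribute: the default Global Observer
	}
	return roles, nil
}

func main() { fmt.Println(RolesFromAttributes(sample)) }
```

Because roles are rewritten at every login when enable_jit_role_sync is true, it is worth running a check like this against the assertion your IdP actually emits before turning that setting on.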
Available in Fleet Premium and Fleet Ultimate
The Center for Internet Security (CIS) publishes benchmark documents describing the proper configuration of computers to avoid the vulnerabilities addressed therein. Fleet 4.28 included scheduling and running a complete set of CIS benchmark policies as part of Premium and Ultimate. Today, Fleet has added more macOS 13 Ventura CIS benchmarks that can be detected but require manual intervention.
CIS benchmark policies represent the consensus-based effort of cybersecurity experts globally to help protect your systems against threats more confidently. Fleet takes 🟠 Ownership toward providing the most comprehensive CIS benchmark policies available. Using Fleet to detect these additional CIS policies will assist you in quickly bringing your fleet into compliance, saving your organization time and money.
Learn more about macOS 13.0 Ventura Benchmark manual checks.
Fleet updated translation rules to provide better 🟢 Results and avoid false positives when reporting on Docker Desktop. With these changes, Docker Desktop is now mapped to the proper CVE, fixing the false positive where Docker Desktop was showing vulnerabilities that should have been associated with Docker Engine.
PATCH /api/latest/fleet/teams/{id}) endpoint.
GET /mdm/apple/profiles/summary endpoint.
team_id query parameter so that team_id=0 filters results to include only hosts that are not assigned to any team.
aggregated_stats table to compute and store statistics for "no team" in addition to per-team and for all teams.
cron_stats outside the schedule package to prevent Fleet outages from breaking cron jobs.
"instanceID" (aka owner of locks) to schedule logging (to help troubleshoot when running multiple Fleet instances).
ATTACH check on SQL osquery queries (osquery bug fixed a while ago in 4.6.0).
fleetctl get config with fleetctl apply when MDM is not enabled.
fleetctl trigger doesn't release the schedule lock when the triggered run spans the regularly scheduled interval.
Visit our upgrade guide in the Fleet docs for instructions on updating to Fleet 4.29.0.