16 changes: 16 additions & 0 deletions articles/install-app-store-apps.md
@@ -30,6 +30,22 @@ You can also manage which Google Play Store apps are available for self-service

3. Select **Add software > App store**, choose the Android platform, then enter the application ID.

#### Install Android web app (web clip)

To add an Android web app, first create the web app using the Fleet API. Send a request to the [`Create Android web app`](https://fleetdm.com/docs/rest-api/rest-api#create-android-web-app).

The response includes an `app_store_id` (e.g. `com.google.enterprise.webapp.x1c41e22ab611cb98`). Use this ID as the application ID in **Add software > App store** (step 3 above).

**Example request**

```sh
curl -X POST https://<your_fleet_server_url>/api/v1/fleet/software/web_apps \
-H "Authorization: Bearer <your_fleet_api_token>" \
-F 'title=Acme web app' \
-F 'url=https://app.acme.com' \
-F 'icon=@/path/to/app-icon.png'
```

## Edit or delete the app

1. In Fleet, head to the **Software** page and select a team in the teams dropdown.
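Review bot: the sentence "Send a request to the [`Create Android web app`](…)" in the new section is missing its object; suggest "…to the [`Create Android web app`](…) endpoint." Two smaller points in the same hunk: the example uses the placeholder `<your_fleet_server_url>` while the setup-experience.md change on this same page uses `<your_fleet_url>`, so the docs should settle on one form; and because the call is authenticated with a bearer token and creates software, it would help to say which role the token's user needs, for example with a link to the role-based access article.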
18 changes: 11 additions & 7 deletions articles/role-based-access.md
@@ -86,12 +86,14 @@ GitOps is an API-only and write-only role that can be used on CI/CD pipelines.
| Initiate [file carving](https://fleetdm.com/docs/using-fleet/rest-api#file-carving) | | | ✅ | ✅ | |
| Retrieve contents from file carving | | | | ✅ | |
| Create Apple Push Certificates service (APNs) certificate signing request (CSR) | | | | ✅ | |
| View, edit, and delete APNs certificate | | | | ✅ | |
| View, edit, and delete Apple Business Manager (ABM) connections | | | | ✅ | |
| View, edit, and delete Volume Purchasing Program (VPP) connections | | | | ✅ | |
| Connect Android Enterprise | | | | ✅ | |
| View disk encryption key for macOS, Windows, and Linux hosts | ✅ | ✅ | ✅ | ✅ | |
| Edit OS updates for macOS, Windows, iOS, and iPadOS hosts | | | | ✅ | ✅ |
| View, edit, and delete APNs certificate | | | | ✅ | |
| View, edit, and delete Apple Business Manager (ABM) connections | | | | ✅ | |
| View, edit, and delete Volume Purchasing Program (VPP) connections | | | | ✅ | |
| Connect Android Enterprise | | | | ✅ | |
| View disk encryption key for macOS, Windows, and Linux hosts | ✅ | ✅ | ✅ | ✅ | |
| View Recovery Lock password for macOS hosts | ✅ | ✅ | ✅ | ✅ | |
| Rotate Recovery Lock password for macOS hosts | | | ✅ | ✅ | |
| Edit OS updates for macOS, Windows, iOS, and iPadOS hosts | | | | ✅ | ✅ |
| Create, edit, resend and delete configuration profiles for Apple (macOS/iOS/iPadOS), Windows, and Android hosts | | | ✅ | ✅ | ✅ |
| Execute MDM commands on macOS and Windows hosts\** | | | ✅ | ✅ | ✅ |
| View results of MDM commands executed on macOS and Windows hosts\** | ✅ | ✅ | ✅ | ✅ | |
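Review bot: the new "View Recovery Lock password for macOS hosts" row grants the permission in the same columns as the "View disk encryption key" row directly above it, i.e. every role except the last column. Since the Recovery Lock password is what allows a Mac to boot into recoveryOS, confirm that read access at the lowest-privilege column is intended rather than copied from the adjacent row; if it is intended, a short footnote saying so pre-empts the question. Separately, most of this hunk is rows deleted and re-added unchanged (APNs, ABM, VPP, Connect Android Enterprise, disk encryption key, Edit OS updates) because the two new rows were inserted before "Edit OS updates"; the diff stays focused on the two real additions if the rows are appended after "Edit OS updates" or the reorder is explained in the PR description.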
@@ -171,7 +173,9 @@ Users with access to multiple teams can be assigned different roles for each tea
| Edit agent options | | | | ✅ | ✅ |
| Initiate [file carving](https://fleetdm.com/docs/using-fleet/rest-api#file-carving) | | | ✅ | ✅ | |
| View disk encryption key for macOS hosts | ✅ | ✅ | ✅ | ✅ | |
| Edit OS updates for macOS, Windows, iOS, and iPadOS hosts | | | | ✅ | ✅ |
| View Recovery Lock password for macOS hosts | ✅ | ✅ | ✅ | ✅ | |
| Rotate Recovery Lock password for macOS hosts | | | ✅ | ✅ | |
| Edit OS updates for macOS, Windows, iOS, and iPadOS hosts | | | | ✅ | ✅ |
| Create, edit, resend and delete configuration profiles for Apple (macOS/iOS/iPadOS), Windows, and Android hosts | | | ✅ | ✅ | ✅ |
| Execute MDM commands on macOS and Windows hosts* | | | ✅ | ✅ | |
| View results of MDM commands executed on macOS and Windows hosts* | ✅ | ✅ | ✅ | ✅ | |
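Review bot: the two Recovery Lock rows added here match the ones added to the global table, which is what you want. While this block is being touched: the team-level table still reads "View disk encryption key for macOS hosts" whereas the global table on this page says "macOS, Windows, and Linux hosts", and the footnote marker is `*` here versus `\**` above; aligning both in the same PR keeps the two tables from drifting further apart.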
4 changes: 2 additions & 2 deletions articles/setup-experience.md
@@ -17,12 +17,12 @@ You can enforce end user authentication during automatic enrollment (ADE) for Ap
1. Create a new SAML app in your IdP. In your new app, use `https://<your_fleet_url>/api/v1/fleet/mdm/sso/callback` for the SSO URL. If this URL is set incorrectly, end users won't be able to enroll. On iOS hosts, they'll see a "This screen size is not supported yet" error message.

2. In your new SAML app, set **Name ID** to email (required). Fleet will trim this email and use it
to populate and lock the macOS local account **Account Name**. For example, a
to populate the macOS local account **Account Name**. For example, a
"johndoe@example.com" email will turn into a "johndoe" account name.

> If the host is restarted during automatic enrollment (DEP), the macOS local account fields won't be populated with the user's IDP email and username.

3. Make sure your end users' full names are set to one of the following attributes (depends on IdP): `name`, `displayname`, `cn`, `urn:oid:2.5.4.3`, or `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`. Fleet will automatically populate and lock the macOS local account **Full Name** with any of these.
3. Make sure your end users' full names are set to one of the following attributes (depends on IdP): `name`, `displayname`, `cn`, `urn:oid:2.5.4.3`, or `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`. Fleet will automatically populate the macOS local account **Full Name** with any of these.

4. In Fleet, configure your IdP by heading to **Settings > Integrations > Single sign-on (SSO) > End users**. Then, enable end user authentication by heading to **Controls > Setup experience > End user authentication**. Alternatively, you can use [Fleet's GitOps workflow](https://github.com/fleetdm/fleet-gitops) to configure your IdP integration and enable end user authentication.

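Review bot: this change deletes "and lock" from both step 2 and step 3, so the text no longer says the macOS local account **Account Name** and **Full Name** are locked, but it does not say what happens instead. If the behaviour changed, state it positively (for example that the end user can still edit these fields in Setup Assistant), because readers who relied on the old wording as a username-enforcement control will not notice a silently removed word; if the fields are in fact still locked, the removal is wrong and should be reverted. Minor: the blockquote in this hunk writes "IDP" and "automatic enrollment (DEP)" while the hunk header and step 2 use "IdP" and "ADE".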
18 changes: 18 additions & 0 deletions docs/Configuration/fleet-server-configuration.md
@@ -3252,6 +3252,24 @@ The best practice is to set this to 3x the number of new employees (end users) t
sso_rate_limit_per_minute: 200
```

### mdm.certificate_profiles_limit

If you're using Fleet to [deploy certificates](https://fleetdm.com/guides/connect-end-user-to-wifi-with-certificate) from a third-party certificate authority (CA), this is the maximum number of Apple (macOS, iOS, iPadOS), certificate configuration profiles Fleet installs (`InstallProfile` command) every 30 seconds. Each install also requests a certificate from your CA, so this limit also caps CA requests to the same number per 30 seconds.

The profile reconciler runs approximately every 30 seconds. The best practice is to set this at a level that is half or less the number that can be handled by your certificate authority in one minute. If a profile for instance is uploaded that references a SCEP server which can handle 100 transactions per minute, best practice would be to set this to 50 or less. Lower values will mean that a profile potentially takes longer to be sent to all hosts targeted by it, with a tradeoff that it will result in lower Certificate Authority load.

For a team with 10,000 hosts targeted by a newly-uploaded profile containing Certificate Authority variables, a setting of 100 would mean that it would take 100 runs of the profile reconciler, or, at least 50 minutes, for all 10,000 certificate profiles to be sent.

Currently this limit only applies to the Apple profile reconciler. Windows and Android support will be added soon. Additionally, newly enrolling ADE hosts do not count toward and are not affected by limit, so as not to delay onboarding.

- Default value: 100
- Environment variable: `FLEET_MDM_CERTIFICATE_PROFILES_LIMIT`
- Config file format:
```yaml
mdm:
certificate_profiles_limit: 50
```

## Partnerships

### partnerships_enable_secureframe
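Review bot: the sizing rule in the second paragraph does not give the headroom it implies. With a reconciler run every 30 seconds, a limit of 50 against a SCEP server that handles 100 transactions per minute produces 100 requests per minute, i.e. the CA's full capacity, and ADE enrollments (exempt from the limit per the last paragraph) land on top of that. Either phrase the rule as "half of what the CA can handle in 30 seconds" or recommend a smaller fraction of the per-minute figure. Smaller points in the same hunk: "Apple (macOS, iOS, iPadOS), certificate configuration profiles" has a stray comma; "not affected by limit" should read "the limit"; the stated default is 100 but the config-file example shows 50, which reads as a second default unless it is labelled as the SCEP example; and "Windows and Android support will be added soon" is a roadmap statement that will go stale in reference documentation.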
8 changes: 8 additions & 0 deletions docs/Configuration/yaml-files.md
@@ -183,6 +183,12 @@ policies:
install_software:
package_path: ./linux-firefox.deb.package.yml
# app_store_id: "1487937127" (for App Store apps)
- name: Zoom up to date
description: Outdated software might introduce security vulnerabilities or compatibility issues.
resolution: Install the latest version from self-service.
type: patch
fleet_maintained_app_slug: zoom/darwin
install_software: true
```

`default.yml` (for policies that neither install software nor run scripts), `teams/team-name.yml`, or `teams/no-team.yml`
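Review bot: the new Zoom policy has a different shape from the Firefox example just above it: `install_software` is the boolean `true` here but a map with `package_path` (or `app_store_id`) above, and neither `type: patch` nor `fleet_maintained_app_slug` is explained anywhere in the visible section. Either the key reference in this file should document those fields and when `install_software: true` is valid (presumably only together with `fleet_maintained_app_slug`), or the example should use the same map form as its neighbour so readers are not left guessing which form the parser accepts. Also, the `# app_store_id` comment on the Firefox example sits inside the `install_software` map, so indentation matters when readers copy it.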
@@ -323,6 +329,7 @@ The `controls` section allows you to configure scripts and device management (MD
- `windows_migration_enabled` specifies whether or not to automatically migrate Windows hosts connected to another MDM solution. If `false`, MDM is only turned on after hosts are unenrolled from your old MDM solution. `enable_turn_on_windows_mdm_manually` must be set to `false`. (default: `false`). Can only be configured for all teams (`default.yml`).
- `enable_disk_encryption` specifies whether or not to enforce disk encryption on macOS, Windows, and Linux hosts (default: `false`).
- `windows_require_bitlocker_pin` specifies whether or not to require end users on Windows hosts to set a BitLocker PIN. When set, this PIN is required to unlock Windows host during startup. `enable_disk_encryption` must be set to `true`. (default: `false`).
- `enable_recovery_lock_password` specifies whether or not to enforce Recovery Lock password on eligible macOS hosts (default: `false`).

#### Example

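Review bot: the new `enable_recovery_lock_password` bullet says "on eligible macOS hosts" without saying what makes a host eligible (for example whether it depends on the Mac's hardware or on its enrollment state); please define eligibility or link to where it is defined. The example further down marks this setting "Available in Fleet Premium"; if that is correct, say so in the bullet as well, since the bullet is what readers consult for the key's semantics. Wording: "enforce Recovery Lock password" should be "enforce a Recovery Lock password".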
@@ -336,6 +343,7 @@ controls:
enable_turn_on_windows_mdm_manually: false # Available in Fleet Premium
windows_migration_enabled: true # Available in Fleet Premium
enable_disk_encryption: true # Available in Fleet Premium
enable_recovery_lock_password: true # Available in Fleet Premium
macos_updates: # Available in Fleet Premium
deadline: "2024-12-31"
minimum_version: "15.1"
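Review bot: the example enables `enable_recovery_lock_password` with nothing that tells the reader how the password is retrieved afterwards. The role-based-access change on this same page adds "View Recovery Lock password" and "Rotate Recovery Lock password" permissions, so a cross-link from this example (or from the key's bullet) to that article would stop teams from turning the lock on before confirming their admins can read the password back, which is the failure mode that leaves a Mac unable to boot into recoveryOS.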