fleet/docs/REST API/rest-api.md

REST API

• Authentication
• Activities
• Fleet configuration
• File carving
• Hosts
• Labels
• OS Settings
• Setup Experience
• Commands
• Integrations
• Policies
• Reports
• Schedule (deprecated)
• Scripts
• Sessions
• Software
• Targets
• Fleets
• Translator
• Users
• Custom variables
• API errors

Use the Fleet APIs to automate Fleet.

This page includes a list of available resources and their API routes.

Unless otherwise specified, endpoints that accept a request body limit its size to the configured FLEET_SERVER_DEFAULT_MAX_REQUEST_BODY_SIZE (default 1MiB).

Authentication

• Retrieve your API token
• Log in
• Log out
• Forgot password
• Update password
• Reset password
• Me
• SSO config
• Initiate SSO
• SSO callback

Retrieve your API token

All API requests to the Fleet server require API token authentication unless noted in the documentation. API tokens are tied to your Fleet user account.

To get an API token, retrieve it from "My account" > "Get API token" in the Fleet UI (/profile). Or, you can send a request to the login API endpoint to get your token.

Then, use that API token to authenticate all subsequent API requests by sending it in the "Authorization" request header, prefixed with "Bearer ":

Authorization: Bearer <your token>

For SSO and MFA users, email/password login is disabled. The API token can instead be retrieved from the "My account" page in the UI (/profile). On this page, choose "Get API token".

Log in

Authenticates the user with the specified credentials. Use the token returned from this endpoint to authenticate further API requests.

POST /api/v1/fleet/login

Logging in via the API is not supported for SSO and MFA users. The API token can instead be retrieved from the "My account" page in the UI (/profile). On this page, choose "Get API token".

Parameters

Name	Type	In	Description
email	string	body	Required. The user's email.
password	string	body	Required. The user's plain text password.

Example

POST /api/v1/fleet/login

Request body

{
  "email": "janedoe@example.com",
  "password": "VArCjNW7CfsxGp67"
}

Default response

Status: 200

{
  "user": {
    "created_at": "2020-11-13T22:57:12Z",
    "updated_at": "2020-11-13T22:57:12Z",
    "id": 1,
    "name": "Jane Doe",
    "email": "janedoe@example.com",
    "enabled": true,
    "force_password_reset": false,
    "gravatar_url": "",
    "sso_enabled": false,
    "mfa_enabled": false,
    "global_role": "admin",
    "teams": [],
    "fleets": []
  },
  "token": "{your token}"
}

Authentication failed

Status: 401 Unauthorized

{
  "message": "Authentication failed",
  "errors": [
    {
      "name": "base",
      "reason": "Authentication failed"
    }
  ],
  "uuid": "1272014b-902b-4b36-bcdb-75fde5eac1fc"
}

MFA Required

Status: 202 Accepted

{
  "message": "We sent an email to you. Please click the magic link in the email to sign in.",
}

Too many requests / Rate limiting

Status: 429 Too Many Requests Header: retry-after: N

This response includes a header retry-after that indicates how many more seconds you are blocked before you can try again.

{
  "message": "limit exceeded, retry after: Ns",
  "errors": [
    {
      "name": "base",
      "reason": "limit exceeded, retry after: Ns"
    }
  ]
}

---

Log out

Logs out the authenticated user.

POST /api/v1/fleet/logout

Example

POST /api/v1/fleet/logout

Default response

Status: 200

---

Forgot password

Sends a password reset email to the specified email. Requires that SMTP or SES is configured for your Fleet server.

POST /api/v1/fleet/forgot_password

Parameters

Name	Type	In	Description
email	string	body	Required. The email of the user requesting the reset password link.

Example

POST /api/v1/fleet/forgot_password

Request body

{
  "email": "janedoe@example.com"
}

Default response

Status: 200

Unknown error

Status: 500

{
  "message": "Unknown Error",
  "errors": [
    {
      "name": "base",
      "reason": "email not configured"
    }
  ]
}

---

Update password

POST /api/v1/fleet/change_password

Changes the password for the authenticated user.

Parameters

Name	Type	In	Description
old_password	string	body	Required. The user's old password.
new_password	string	body	Required. The user's new password.

Example

POST /api/v1/fleet/change_password

Request body

{
  "old_password": "VArCjNW7CfsxGp67",
  "new_password": "zGq7mCLA6z4PzArC"
}

Default response

Status: 200

Validation failed

Status: 422 Unprocessable entity

{
  "message": "Validation Failed",
  "errors": [
    {
      "name": "old_password",
      "reason": "old password does not match"
    }
  ]
}

Reset password

Resets a user's password. Which user is determined by the password reset token used. The password reset token can be found in the password reset email sent to the desired user.

POST /api/v1/fleet/reset_password

Parameters

Name	Type	In	Description
new_password	string	body	Required. The new password.
new_password_confirmation	string	body	Required. Confirmation for the new password.
password_reset_token	string	body	Required. The token provided to the user in the password reset email.

Example

POST /api/v1/fleet/reset_password

Request body

{
  "new_password": "abc123",
  "new_password_confirmation": "abc123",
  "password_reset_token": "UU5EK0JhcVpsRkY3NTdsaVliMEZDbHJ6TWdhK3oxQ1Q="
}

Default response

Status: 200

---

Me

Retrieves the user data for the authenticated user.

GET /api/v1/fleet/me

Example

GET /api/v1/fleet/me

Default response

Status: 200

{
  "user": {
    "created_at": "2020-11-13T22:57:12Z",
    "updated_at": "2020-11-16T23:49:41Z",
    "id": 1,
    "name": "Jane Doe",
    "email": "janedoe@example.com",
    "global_role": "admin",
    "enabled": true,
    "force_password_reset": false,
    "gravatar_url": "",
    "sso_enabled": false,
    "fleets": [],
    "fleets": []
  },
  "available_teams" : [
    {
      "id": 1,
      "name": "Workstations",
      "description": "Employee workstations"
    }
  ],
    "available_fleets" : [
    {
      "id": 1,
      "name": "Workstations",
      "description": "Employee workstations"
    }
  ]
}

---

Perform required password reset

Resets the password of the authenticated user. Requires that force_password_reset is set to true prior to the request.

POST /api/v1/fleet/perform_required_password_reset

Example

POST /api/v1/fleet/perform_required_password_reset

Request body

{
  "new_password": "sdPz8CV5YhzH47nK"
}

Default response

Status: 200

{
  "user": {
    "created_at": "2020-11-13T22:57:12Z",
    "updated_at": "2020-11-17T00:09:23Z",
    "id": 1,
    "name": "Jane Doe",
    "email": "janedoe@example.com",
    "enabled": true,
    "force_password_reset": false,
    "gravatar_url": "",
    "sso_enabled": false,
    "global_role": "admin",
    "teams": [],
    "fleets": []
  }
}

---

SSO config

Gets the current SSO configuration.

GET /api/v1/fleet/sso

Example

GET /api/v1/fleet/sso

Default response

Status: 200

{
  "settings": {
    "idp_name": "IDP Vendor 1",
    "idp_image_url": "",
    "sso_enabled": false
  }
}

---

Initiate SSO

POST /api/v1/fleet/sso

A successful response contains an HTTP cookie __Host-FLEETSSOSESSIONID that needs to be sent on the POST /api/v1/fleet/sso/callback request (this HTTP cookie is used to identify the SSO login session).

Parameters

Name	Type	In	Description
relay_url	string	body	Required. The relative url to be navigated to after successful sign in.

Example

POST /api/v1/fleet/sso

Request body

{
  "relay_url": "/hosts/manage"
}

Default response

Status: 200

Example response cookie in the HTTP Set-Cookie header:

Set-Cookie: __Host-FLEETSSOSESSIONID=slI727JZ+j0FvyBRLyD/gri1rxtwpaZT; Path=/; Max-Age=300; HttpOnly; Secure

Unknown error

Status: 500

{
  "message": "Unknown Error",
  "errors": [
    {
      "name": "base",
      "reason": "InitiateSSO getting metadata: Get \"https://idp.example.org/idp-meta.xml\": dial tcp: lookup idp.example.org on [2001:558:feed::1]:53: no such host"
    }
  ]
}

SSO callback

This is the callback endpoint that the identity provider will use to send security assertions to Fleet. This is where Fleet receives and processes the response from the identify provider.

POST /api/v1/fleet/sso/callback

The __Host-FLEETSSOSESSIONID HTTP cookie must be set for non-IdP initiated SSO login requests. The value for this cookie is returned in the POST /api/v1/fleet/sso request. For IdP-initiated SSO logins the cookie doesn't need to be set.

Parameters

Name	Type	In	Description
SAMLResponse	string	body	Required. The SAML response from the identity provider.
__Host-FLEETSSOSESSIONID	string	cookie	HTTP Cookie returned in the POST /api/v1/fleet/sso request. This is not set/required for IdP initiated SSO logins

Example

POST /api/v1/fleet/sso/callback

Request body

{
  "SAMLResponse": "<SAML response from IdP>"
}

Example session cookie set in the Cookie request header:

Cookie: __Host-FLEETSSOSESSIONID=slI727JZ+j0FvyBRLyD/gri1rxtwpaZT

Default response

Status: 200

---

Activities

List activities

Returns a list of the activities that have been performed in Fleet. For a comprehensive list of activity types and detailed information, please see the audit logs page.

GET /api/v1/fleet/activities

Parameters

Name	Type	In	Description
page	integer	query	Page number of the results to fetch.
per_page	integer	query	Results per page. Maximum is 10,000 records. If no pagination parameters are specified, defaults to 10,000.
order_key	string	query	What to order results by. Can be any column in the activities table.
order_direction	string	query	Requires order_key. The direction of the order given the order key. Options include "asc" and "desc". Default is "asc".
after	string	query	The value to get results after. This needs order_key defined, as that's the column that would be used.
query	string	query	Search query keywords. Searchable fields include actor_full_name and actor_email.
activity_type	string	query	Indicates the activity type to filter by. See available activity types in the Audit logs docs.
start_created_at	string	query	Filters to include only activities that happened after this date. If not specified, set to the earliest possible date.
end_created_at	string	query	Filters to include only activities that happened before this date. If not specified, set to now.

Example

GET /api/v1/fleet/activities?page=0&per_page=10&order_key=created_at&order_direction=desc

Default response

{
  "activities": [
    {
      "created_at": "2023-07-27T14:35:08Z",
      "id": 25,
      "actor_full_name": "Anna Chao",
      "actor_id": 3,
      "actor_gravatar": "",
      "actor_email": "",
      "type": "installed_software",
      "fleet_initiated": false,
      "details": {
        "status": "installed",
        "host_id": 1272,
        "host_display_name": "MacBook Pro",
        "policy_id": null,
        "policy_name": null,
        "install_uuid": "23c18ea1-8cd7-4af4-a1d8-f2666993a66b",
        "self_service": false,
        "software_title": "zoom.us.app",
        "software_package": "ZoomInstallerIT.pkg",
      }
    },
    {
      "created_at": "2021-07-29T14:40:27Z",
      "id": 21,
      "actor_full_name": "name",
      "actor_id": 1,
      "actor_gravatar": "",
      "actor_email": "name@example.com",
      "type": "created_team",
      "type": "created_fleet",
      "fleet_initiated": false,
      "details": {
        "team_id": 2,
        "fleet_id": 2,
        "team_name": "Apples",
        "fleet_name": "Apples"
      }
    },
    {
      "created_at": "2023-07-27T14:35:08Z",
      "id": 25,
      "type": "installed_software",
      "fleet_initiated": true,
      "details": {
        "status": "installed",
        "host_id": 1272,
        "host_display_name": "MacBook Pro",
        "policy_id": 24,
        "policy_name": "[Install software] Zoom",
        "install_uuid": "077970ab-0ed6-4573-9cdc-ca9ef9015283",
        "self_service": false,
        "software_title": "zoom.us.app",
        "software_package": "ZoomInstallerIT.pkg",
      }
    }
  ],
  "meta": {
    "has_next_results": false,
    "has_previous_results": false
  }
}

---

Certificates

• Connect certificate authority (CA)
• Add certificate template
• Update certificate authority (CA)
• List certificate authorities (CAs)
• Get certificate authority (CA)
• List certificate templates
• Get certificate template
• Delete certificate authority (CA)
• Delete certificate template
• Request certificate

Connect certificate authority (CA)

Connect Fleet to a certificate authority (CA). Fleet currently supports DigiCert, Microsoft NDES, Hydrant, Smallstep, and any custom SCEP or EST CA.

POST /api/v1/fleet/certificate_authorities

Only one of the objects is allowed in a single request.

Parameters

Name	Type	In	Description
digicert	object	body	See digicert
ndes_scep_proxy	object	body	See ndes_scep_proxy
custom_scep_proxy	object	body	See custom_scep_proxy
custom_est_proxy	object	body	See custom_est_proxy
hydrant	object	body	See hydrant
smallstep	object	body	See smallstep

digicert

Object with the following structure:

Name	Type	Description
name	string	Required. Name of the certificate authority that will be used in variables in configuration profiles. Only letters, numbers, and underscores are allowed.
url	string	Required DigiCert instance URL, used as base URL for DigiCert API requests.
api_token	string	Required API token used to authenticate requests to DigiCert.
profile_id	string	Required The ID of certificate profile in DigiCert.
certificate_common_name	string	Required The certificate's common name.
certificate_user_principal_names	array	Use with type digicert. The certificate's user principal names (UPN) attribute in Subject Alternative Name (SAN).
certificate_seat_id	string	Required The ID of the DigiCert seat. Seats are license units in DigiCert.

ndes_scep_proxy

Object with the following structure:

Name	Type	Description
url	string	Required. The URL of the NDES SCEP endpoint.
admin_url	string	Required. The URL of the NDES admin endpoint.
password	string	Required. The password for the NDES admin endpoint.
username	string	Required. The username for the NDES admin endpoint.

custom_scep_proxy

Object with the following structure:

Name	Type	Description
name	string	Required. Name of the certificate authority that will be used in variables in configuration profiles. Only letters, numbers, and underscores are allowed.
url	string	Required. URL of the Simple Certificate Enrollment Protocol (SCEP) server
challenge	string	Required. Static challenge password used to authenticate requests to SCEP server.

custom_est_proxy

Object with the following structure:

Name	Type	Description
name	string	Required. Name of the certificate authority that will be used in variables in configuration profiles. Only letters, numbers, and underscores are allowed.
url	string	Required. The EST (Enrollment Over Secure Transport) endpoint's URL.
username	string	Required. The username used to authenticate with the EST endpoint.
password	string	Required. The password used to authenticate with the EST endpoint.

hydrant

Object with the following structure:

Name	Type	Description
name	string	Required. Name of the certificate authority. Only letters, numbers, and underscores are allowed.
url	string	Required. The EST (Enrollment Over Secure Transport) endpoint provided by Hydrant.
client_id	string	Required. The client ID provided by Hydrant.
client_secret	string	Required. The client secret provided by Hydrant.

smallstep

Object with the following structure:

Name	Type	Description
url	string	Required. The SCEP URL from Smallstep.
challenge_url	string	Required. The Webhook URL from Smallstep.
username	string	Required. The Challenge Basic Authentication Username from Smallstep.
password	string	Required. The Challenge Basic Authentication Password from Smallstep.

Example

POST /api/v1/fleet/certificate_authorities

Request body

{
  "digicert": {
    "name": "WIFI_CERTIFICATE",
    "url": "https://one.digicert.com",
    "api_token": "********",
    "profile_id": "b416e058-1bdc-4844-9c3f-7c71d58d0eff",
    "certificate_common_name": "$FLEET_VAR_HOST_HARDWARE_SERIAL",
    "certificate_user_principal_names": [
      "$FLEET_VAR_HOST_HARDWARE_SERIAL",
    ],
    "certificate_seat_id": "$FLEET_VAR_HOST_END_USER_EMAIL_IDP"
  }
}

Default response

Status: 200

{
  "id": 1,
  "name": "WIFI_CERTIFICATE",
  "type": "digicert"
}

Add certificate template

Add a certificate template to deploy a certificate to all hosts on the fleet. Fleet currently supports adding certificates for Android that are issued from a custom SCEP certificate authority.

POST /api/v1/fleet/certificates

Parameters

Name	Type	In	Description
name	string	body	Required. The name of the certificate. Name can be used as certificate alias to reference in configuration profiles.
fleet_id	string	body	Available in Fleet Premium. The ID of the fleet to add profiles to.
certificate_authority_id	integer	body	Required. The certificate authority (CA) ID to issue certificate from. Currently, only custom SCEP CA is supported. To get ID use List certificate authorities.
subject_name	string	body	Required The certificate's subject name (SN). Separate subject fields by a ",". For example: "CN=john@example.com, O=Acme Inc.".

Example

POST /api/v1/fleet/certificates

Request body

{
  "name": "wifi-certificate",
  "team_id": 1,
  "fleet_id": 1,
  "certificate_authority_id": 1,
  "subject_name": "CN=$FLEET_VAR_HOST_END_USER_IDP_USERNAME, OU=$FLEET_VAR_HOST_UUID, ST=$FLEET_VAR_HOST_HARDWARE_SERIAL"
}

Default response

Status: 200

{
  "certificate_authority_id": 1,
  "id": 1,
  "name": "wifi-certificate",
  "subject_name": "CN=$FLEET_VAR_HOST_END_USER_IDP_USERNAME, OU=$FLEET_VAR_HOST_UUID, ST=$FLEET_VAR_HOST_HARDWARE_SERIAL"
}

Update certificate authority (CA)

Experimental feature. This feature is undergoing rapid improvement, which may result in breaking changes to the API or configuration surface. It is not recommended for use in automated workflows.

PATCH /api/v1/fleet/certificate_authorities/:id

When editing a CA, specify one object and only its fields that you want to update.

Parameters

Name	Type	In	Description
id	integer	path	Required. The certificate authority (CA) ID in Fleet. You can see your CAs IDs using the List certificate authorities endpoint.
digicert	object	body	See digicert
ndes_scep_proxy	object	body	See ndes_scep_proxy
custom_scep_proxy	object	body	See custom_scep_proxy
custom_est_proxy	object	body	See custom_est_proxy
hydrant	object	body	See hydrant
smallstep	object	body	See smallstep

See Connect certificate authority above for the structure of each CA object.

Example

PATCH /api/v1/fleet/certificate_authorities/1

Request body

{
  "digicert": {
    "certificate_common_name": "$FLEET_VAR_HOST_HARDWARE_SERIAL",
  }
}

Default response

Status: 200

List certificate authorities (CAs)

Experimental feature. This feature is undergoing rapid improvement, which may result in breaking changes to the API or configuration surface. It is not recommended for use in automated workflows.

GET /api/v1/fleet/certificate_authorities

Example

GET /api/v1/fleet/certificate_authorities

Default response

Status: 200

{
  "certificate_authorities": [
    {
      "id": 3,
      "name": "DIGICERT_PROD",
      "type": "digicert"
    },
    {
      "id": 2,
      "name": "DIGICERT_STAGE",
      "type": "digicert"
    },
    {
      "id": 5,
      "name": "HYDRANT_WIFI_STAGE",
      "type": "hydrant"
    },
    {
      "id": 1,
      "name": "NDES_VPN",
      "type": "ndes_scep_proxy"
    },
    {
      "id": 4,
      "name": "SCEP_CERTIFICATE_PROD",
      "type": "custom_scep_proxy"
    },
    {
      "id": 5,
      "name": "SECTIGO_WIFI",
      "type": "custom_est_proxy"
    }
    {
      "id": 6,
      "name": "SMALLSTEP_WIFI",
      "type": "smallstep"
    }
  ]
}

Get certificate authority (CA)

Experimental feature. This feature is undergoing rapid improvement, which may result in breaking changes to the API or configuration surface. It is not recommended for use in automated workflows.

Get details of the certificate authority.

GET /api/v1/fleet/certificate_authorities/:id

Parameters

Name	Type	In	Description
id	integer	body	Required. The ID of certificate authority.

Example

GET /api/v1/fleet/certificate_authorities/1

Default response

Status: 200

{
  "id": 1,
  "type": "digicert",
  "name": "WIFI_CERTIFICATE",
  "url": "https://one.digicert.com",
  "api_token": "********",
  "profile_id": "b416e058-1bdc-4844-9c3f-7c71d58d0eff",
  "certificate_common_name": "$FLEET_VAR_HOST_HARDWARE_SERIAL",
  "certificate_user_principal_names": [
    "$FLEET_VAR_HOST_HARDWARE_SERIAL",
  ],
  "certificate_seat_id": "$FLEET_VAR_HOST_END_USER_EMAIL_IDP"
}

List certificate templates

List certificate added to Fleet. Currently, they can only be added via GitOps.

GET /api/v1/fleet/certificates

Parameters

Name	Type	In	Description
fleet	string	query	Available in Fleet Premium. The fleet ID to filter profiles.
page	integer	query	Page number of the results to fetch.
per_page	integer	query	Results per page.
order_key	string	query	What to order results by. Allowed field is id.
order_direction	string	query	Requires order_key. The direction of the order given the order key. Options include "asc" and "desc". Default is "asc".
after	string	query	The value to get results after. This needs order_key defined, as that's the column that would be used.

Request headers

This endpoint accepts the node key from Fleet's Android agent for authentication in addition to default authentication with a Bearer token.

The Authorization header must be formatted as follows:

Authorization: Node key <node_key>

OR

Authorization: Bearer <token>

When you pass a node key in the authorization header the server will look up the host and replace the $FLEET_* variables with the values associated to that host. If you use a regular bearer token the $FLEET_* variables will not be replaced.

Example

GET /api/v1/fleet/certificates/

Request headers

Authorization: Node key 24dd9ebf-02cd-4d4c-888a-5caa441ee5d5

OR

Authorization: Bearer sunVIQ+wqYQvJlXf1aqYTt8LrlUGKBigNdWmdH5bhT1MH

Default response

Status: 200

{
  "certificates": [
    {
      "id": 1,
      "name": "wifi-certificate",
      "certificate_authority_id": "1",
      "certificate_authority_name": "PRODUCTION_SCEP_SERVER",
      "subject_name": "CN=$FLEET_VAR_HOST_END_USER_IDP_USERNAME, OU=$FLEET_VAR_HOST_UUID, ST=$FLEET_VAR_HOST_HARDWARE_SERIAL",
      "created_at": "2025-11-04T00:00:00Z",
    },
    {
      "id": 2,
      "name": "vpn-certificate",
      "certificate_authority_id": "1",
      "certificate_authority_name": "PRODUCTION_SCEP_SERVER",
      "subject_name": "CN=$FLEET_VAR_HOST_END_USER_IDP_USERNAME, OU=$FLEET_VAR_HOST_UUID",
      "created_at": "2025-11-04T00:00:00Z",
    }
  ],
  "meta": {
    "has_next_results": false,
    "has_previous_results": false
  }
}

Get certificate template

Get details of the certificate added to Fleet.

GET /api/v1/fleet/certificates/:id

Parameters

Name	Type	In	Description
id	integer	path	Required. The ID of the certificate.
host_id	integer	query	ID of the host. If included, variables in subject_name will be replaced with host's values.

Request headers

This endpoint accepts the node key from Fleet's Android agent for authentication in addition to default authentication with a Bearer token.

The Authorization header must be formatted as follows:

Authorization: Node key <node_key>

OR

Authorization: Bearer <token>

When you pass a node key in the authorization header the server will look up the host and replace the $FLEET_* variables with the values associated to that host. If you use a regular bearer token the $FLEET_* variables will not be replaced.

Example

GET /api/v1/fleet/certificates/1

Request headers

Authorization: Node key 24dd9ebf-02cd-4d4c-888a-5caa441ee5d5

OR

Authorization: Bearer sunVIQ+wqYQvJlXf1aqYTt8LrlUGKBigNdWmdH5bhT1MH

Default response

Status: 200

{
  "certificate_authority_id": 2,
  "certificate_authority_name": "PRODUCTION_SCEP_SERVER",
  "created_at": "2025-11-04T00:00:00Z",
  "id": 1,
  "name": "wifi-certificate",
  "subject_name": "CN=$FLEET_VAR_HOST_END_USER_IDP_USERNAME, OU=$FLEET_VAR_HOST_UUID, ST=$FLEET_VAR_HOST_HARDWARE_SERIAL",
}

Delete certificate authority (CA)

Experimental feature. This feature is undergoing rapid improvement, which may result in breaking changes to the API or configuration surface. It is not recommended for use in automated workflows.

When the CA is deleted, the issued certificates will remain on existing hosts.

DELETE /api/v1/fleet/certificate_authorities/:id

Parameters

Name	Type	In	Description
id	integer	path	Required. The certificate authority (CA) ID in Fleet. You can see your CAs IDs using the List certificate authorities endpoint.

Example

DELETE /api/v1/fleet/certificate_authorities/1

Default response

Status: 204

Delete certificate template

Deletes the certificate template added to Fleet. When a certificate template is deleted from Fleet, the certificate will be uninstalled from the hosts.

DELETE /api/v1/fleet/certificates/:id

Parameters

Name	Type	In	Description
id	integer	path	Required. The certificate ID in Fleet. You can see your certificate IDs using the List certificate templates endpoint.

Example

DELETE /api/v1/fleet/certificates/1

Default response

Status: 204

Request certificate

Requests a base64 encoded certificate (.pem). Currently, this endpoint is only supported for Hydrant and custom EST certificate authorities (CAs). DigiCert, NDES, and custom SCEP coming soon.

As an alternative to API token authentication, you can send an HTTP signature in the request header.

POST /api/v1/fleet/certificate_authorities/:id/request_certificate

Parameters

Name	Type	In	Description
id	string	path	Required. The certificate authority (CA) ID in Fleet. You can see your CAs IDs using the List certificate authorities endpoint.
csr	string	body	Required The signed certificate signing request (CSR).
idp_oauth_url	string	body	OAuth introspection URL from your identity provider (IdP). Required if idp_token is specified.
idp_token	string	body	Active session token from your identity provider (IdP). Required if idp_oauth_url is specified.
idp_client_id	string	body	Client ID for which the token was issued from your identity provider (IdP). Required if idp_oauth_url is specified.

Example

POST /api/v1/fleet/certificate_authorities/5/request_certificate

Request body

{
  "csr": "-----BEGIN CERTIFICATE REQUEST-----\nMIIC/jCCAeYCAQAwITEfMB0GA1UEAwwWQ2lzY29Vc2VyTmV0d29ya0FjY2VzczCC\nASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJZtbxathh+RfK+Z613ar4E\nYSIem8yAvv2JZJtopjD3noy1yF+nGRyF/ocm+FhYvjR5u7teJXlcv24tAAHuWL4U\nuPIql0Slakjdsfl098salkj324lkjmtElWDi6XRjUIXEj1zyCnZTCxGmyHcYB/+f3fyv/\ngZ8SkPqocNOCpX6cSW8hxOlaF9aZUC+xMHRdjQgxQ79hleb5K/n2gCJjiW1sV0Es\nRg+MX0cbPCpahpzlvIAkzA7TTUTOd7ZN+V0GW0fH86uMstrqeW2QUuZmSDC9fNyj\nQhk6n5iURaHXdFjSmyrhW5AVvw1nIblHodhUtD6J+g9kjhBg1frss3ndQtnNrnMC\nAwEAAaCBlzCkldflkjc098dlkj2KoZIhvcNAQkOMYGGMIGDMIGABgNVHREEeTB3ggljaXNjby5j\nb22BEWthYW53YXJAY2lzY28uY29thjRJRDpGbGVldERNOkdVSUQ6Y2FkMTM4OTEt\nMzU3Ni00NzhmLTk1MzAtZmM1Y2VlZTEzZTkwoCEGCisGAQQBgjcUAgOgEwwRa2Fh\nbndhckBjaXNjby5jb20wDQYJKoZIhvcNAQELBQADggEBAH2U6Or14b4O22YjM22k\nXI9QDC5P+sDczcLjivv4MyXQL1ks8R6B1nXCrOmiLPPLaZ09f+UkeMnyuGAxW8Ce\n6LTKquwvlifZ+5TjyANz0I/d9ETLQF2MTphEZd4ySNLtq2RwYyDOBKaxMdW0sUsd\n6M3WyAuTBVgBkTVIqbMJBzFsgXSrr2a0LJEHszOO2BN3yT5muDQsKPJ1uXL7tNUv\n16pGaYpQZR8yGAmWyISHhAyLaJ1N1R8L77SLxdd/Sj7RunNNxqFqaEgIJMgsyu08\nGharLkQcIoW7qPHZuaLa54xMF/s/vfKH6rgGbbCAgw9kw8Klt+6H3OH1FSMeRfZ/\nDWs=\n-----END CERTIFICATE REQUEST-----",
  "idp_oauth_url": "https://idp.oauth.com/introspection",
  "idp_token": "88683de5858044aaacaf4046aeeef778044aaacaf4046",
  "idp_client_id": "1o2czkDnUVwTqSOc747"
}

Default response

Status: 200

{
  "certificate": "c3Viamdlkjfid098)d8f2k34jl;Yy4iLCBPVSA9IE1hbmFnZWQgTGludXgsIENOID0gQ2lzY29Vc2VyTmV0d29ya0FjY2Vzcwppc3N1ZXI9TyA9IENpc2NvLCBPVSA9IEVyaWRhbnVzLCBDTiA9IENpc2NvTmV0d29ya0FjY2VzcwotLS0tLUJFR0lOIENFUlRJRklDQVRFLS0tLS0KTUlJRkpUQ0NCQTJnQXdJQkFnSVVlSjdhYlBKd29QL0tXRlhvOXE4RmVrQlVqN293RFFZSktvWklodmNOQVFFTApCUUF3UURFT01Bd0dBMVVFQ2hNRlEybHpZMjh4RVRBUEJnTlZCQXNUQ0VWeWFXUmhiblZ6TVJzd0dRWURWUVFECkV4SkRhWE5qYjA1bGRIalskdjf098)DFj23lk4jRVMldoY05NalV3TnpJME1UYzAKTlRVMldqQlhNUnd3R2dZRFZRUUtEQk5EYVhOamJ5QlRlWE4wWlcxekxDQkpibU11TVJZd0ZBWURWUVFMREExTgpZVzVoWjJWa0lFeHBiblY0TVI4d0hRWURWUVFEREJaRGFYTmpiMVZ6WlhKT1pYUjNiM0pyUVdOalpYTnpNSUlCCklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF4dFZmWE1xaVMyelRPTEI4WE1ESFBEZmEKMjZIY2ZBdHpmOUVmMk1rQkdrL1VHNVJaTGFrZU0rTDltc0NXaWV0Wllkdf098DSlk23n34,nxo0dfQVdkRHpDbjM0MG1iaUFhS1lIb3JIczVYWW1uSmlrRkYyQgpsQThWWWpTZFZPNGVEN2QvVytwaGo2a2FZQ212dDcwL2tUaDFYL0QzZmM1U0Z4T09OSnZHeVY2MzlvVm9Qd0lECkFRQUJvNElCL2pDQ0Fmb3dEQVlEVlIwVEFRSC9CQUl3QURBZkJnTlZIU01FR0RBV2dCUmpwK2lwUENWTHJXWnkKTlIxdnBDc0owd2Y5WURDQmdnWUlLd1lCQlFVSEFRRUVkakIwTUVNR0NDc0dBUVVGQnpBQ2hqZG9kSFJ3T2k4dgpZM0pzTG1sdWRHVnlibUZzYUc5emRHNWhiV1Z6TG1OdmJTOURhWE5qYjA1bGRIZHZjbXRCWTJObGMzTXVZM0owCk1DMEdDQ3NHQVFVRkJ6QUJoaUZvZEhSd09pOHZiMk56Y0M1cGJuUmxjbTVoYkdodmMzUnVZVzFsY3k1amIyMHcKZ1p3R0ExVWRFUVNCbERDQmtZSVdRMmx6WTI5VmMyVnlUbVYwZDI5eWEwRmpZMlZ6YzRJSlkybHpZMjh1WTI5dApnUkp5WVdocGJXWjBaRUJqYVhOamJ5NWpiMjJnSWdZS0t3WUJCQUdDTnhRQ0E2QVVEQkp5WVdocGJXWjBaRUJqCmFYTmpieTVqYjIyR05FbEVPa1pzWldWMFJFMDZSMVZKUkRwa05XVmtOamMwWXkweU5XTXpMVEV4WWpJdFlUZzEKWXkxalpXTm1NVGc1WVRneFpUSXdGd1lEVlIwZ0JCQXdEakFNQmdvckJnRUVBUWtWQVNvQk1CTUdBMVVkSlFRTQpNQW9HQ0NzR0FRVUZCd01DTUVnR0ExVWRId1JCTUQ4d1BhQTdvRG1HTjJoMGRIQTZMeTlqY213dWFXNTBaWEp1CllXeG9iM04wYm1GdFpYTXVZMjl0TDBOcGMyTnZUbVYwZDI5eWEwRmpZMlZ6Y3k1amNtd3dIUVlEVlIwT0JCWUUKRkF0NjBHd0FwbVoyUkUrNFZsbkxEYkZhZGErTE1BNEdBMVVkRHdFQi93UUVBd0lGb0RBTkJna3Foa2lHOXcwQgpBUXNGQUFPQ0FRRUFsdnRseFJUaVlOVEQvWGpldkswT1BsaVhOdUtjVWlRcW5VSDlIZXowa0d6aWpHUkxrZ1VvCnRLbEJDRTB5QjNyOGhJd3dKbDRPS1cvUzdITXFnY2FNanJTaHIwamlsNDQwNXdOaHBGbzZHRkQwSTFzWjE5eFoKL21BMndsUkY0QkZoZ2QraUE5ZnpRNmNxdVFuV3JlemQxcUxNV0hpOGR5QUJ1c1VBQVZ1OUZORFU4N3BZa0Y4MgpsTjJVSTRLSUZlRDJnTDBXeFpzOVlWTGJlZG1MY0FhZk9HcmtuUDZvVlZMNGxzV1VYQlYxR2tydlkxNWUySnVkCkhVSVEvOTVKTWlkbm1EQVZCbjg1MjA2eDkxbXM3S1lYSmI0aW0yOFBtc1BrN1JJVnJNb2w5dkFlU2ppbHQ1eS8KVitacFBwSmtwWWRyNVpEeWI3WDcwMjR0ZU42QUxmZWRjZz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KCg=="
}

Example (HTTP signature)

Request header

Content-Digest: sha-512=:WZDPaVn/7XgHaAy8pmojAkGWoRx2UFChF41A2svX+T\aPm+AbwAgBWnrIiYllu7BNNyealdVLvRwEmTHWXvJwew==
Signature: sig1=:e8UJ5wMiRaonlth5ERtE8GIiEH7Akcr493nQ07VPNo6y3qvjdK\t0fo8VHO8xXDjmtYoatGYBGJVlMfIp06eVMEyNW2I4vN7XDAz7m5v1108vGzaDljr\d0H8+SJ28g7bzn6h2xeL/8q+qUwahWA/JmC8aOC9iVnwbOKCc0WSrLgWQwTY6VLp4\2Qt7jjhYT5W7/wCvfK9A1VmHH1lJXsV873Z6hpxesd50PSmO+xaNeYvDLvVdZlhtw\5PCtUYzKjHqwmaQ6DEuM8udRjYsoNqp2xZKcuCO1nKc0V3RjpqMZLuuyVbHDAbCzr\ 0pg2d2VM/OC33JAU7meEjjaNz+d7LWPg==:
Signature-Input: sig1=("@method" "@authority" "@path" "@query" \"content-digest" "content-type" "content-length")\;created=1618884475;keyid="test-key-rsa-pss"

Request body

{
  "csr": "-----BEGIN CERTIFICATE REQUEST-----\nMIIC/jCCAeYCAQAwITEfMB0GA1UEAwwWQ2lzY29Vc2VyTmV0d29ya0FjY2VzczCC\nASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJZtbxathh+RfK+Z613ar4E\nYSIem8yAvv2JZJtopjD3noy1yF+nGRyF/ocm+FhYvjR5u7teJXlcv24tAAHuWL4U\nuPIql0Slakjdsfl098salkj324lkjmtElWDi6XRjUIXEj1zyCnZTCxGmyHcYB/+f3fyv/\ngZ8SkPqocNOCpX6cSW8hxOlaF9aZUC+xMHRdjQgxQ79hleb5K/n2gCJjiW1sV0Es\nRg+MX0cbPCpahpzlvIAkzA7TTUTOd7ZN+V0GW0fH86uMstrqeW2QUuZmSDC9fNyj\nQhk6n5iURaHXdFjSmyrhW5AVvw1nIblHodhUtD6J+g9kjhBg1frss3ndQtnNrnMC\nAwEAAaCBlzCkldflkjc098dlkj2KoZIhvcNAQkOMYGGMIGDMIGABgNVHREEeTB3ggljaXNjby5j\nb22BEWthYW53YXJAY2lzY28uY29thjRJRDpGbGVldERNOkdVSUQ6Y2FkMTM4OTEt\nMzU3Ni00NzhmLTk1MzAtZmM1Y2VlZTEzZTkwoCEGCisGAQQBgjcUAgOgEwwRa2Fh\nbndhckBjaXNjby5jb20wDQYJKoZIhvcNAQELBQADggEBAH2U6Or14b4O22YjM22k\nXI9QDC5P+sDczcLjivv4MyXQL1ks8R6B1nXCrOmiLPPLaZ09f+UkeMnyuGAxW8Ce\n6LTKquwvlifZ+5TjyANz0I/d9ETLQF2MTphEZd4ySNLtq2RwYyDOBKaxMdW0sUsd\n6M3WyAuTBVgBkTVIqbMJBzFsgXSrr2a0LJEHszOO2BN3yT5muDQsKPJ1uXL7tNUv\n16pGaYpQZR8yGAmWyISHhAyLaJ1N1R8L77SLxdd/Sj7RunNNxqFqaEgIJMgsyu08\nGharLkQcIoW7qPHZuaLa54xMF/s/vfKH6rgGbbCAgw9kw8Klt+6H3OH1FSMeRfZ/\nDWs=\n-----END CERTIFICATE REQUEST-----",
  "idp_oauth_url": "https://idp.oauth.com/introspection",
  "idp_token": "88683de5858044aaacaf4046aeeef778044aaacaf4046",
  "idp_client_id": "1o2czkDnUVwTqSOc747"
}

Default response

Status: 200

{
  "certificate": "-----BEGIN CERTIFICATE-----\nMIIC5DCCAcwCCQChs1cFRAzRCTANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDDClD\ndXN0b21lclVzZXJOZXR3b3JrQWNjZXNzOmJvYkBleGFtcGxlLmNvbTAeFw0yNTA5\nMDgxODM0MzNaFw0yODA2MDUxODM0MzNaMDQxMjAwBgNVBAMMKUN1c3RvbWVyVXNl\nck5ldHdvcmtBY2Nlc3M6Ym9iQGV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEF\nAAOCAQ8AMIIBCgKCAQEAuojcu8UBxTjpz5krPX4KmWNAmWvJ4U7yh8pGXOp6kngz\n1iRmGkBYdr0CQXlkrASejqglbdDfaRt3hz8S4raIlKyiU59gFK6f2Lory54ndzJw\nhVeNGqpLrnW1T763zvjcSKaASfVzdnsa66v6pZQte2fZAk7+q5o9ezyirSQmTuks\ndxXAZ5OiDafFwzXlanGZIvCsHBTJtbi881/QU701aTdFFrxLd+jsiaFhKSoQQcL5\nt0zu96cPS2dJivxpaogZ1f8dispWeRiMbt3njaxfWazm4RqvwvDouTSstqUxTzC8\n28Kbh7bnxPcSiuajnf35q53juhTLmB2CKEf0m1eqEwIDAQABMA0GCSqGSIb3DQEB\nCwUAA4IBAQCp75tK8cxR6A0Sfu3vg7TMPD3MkGrpdgh2giAVoCa4hOxOdHl/nYgu\nfPHodsRUfXi1SXo/77jLldGOLE6Ro447FMgrN94mRkaFUZbuLC5z2VciF9x1fdus\nIFfASIFnb4Zw24F2RDBbbGqXqRrA/1m1fWjHTb20+8rHeZW+FCJmxQrL27OG7n/n\nqDr8QmfNwTm8l72FBvUIz1xisuba5nXNAEc6rxTFw6WhPq5fgtBlVZCm55h87hHd\nQbzDGlkIXf+nypg9kwk3fDQ7VY9hrqc74wAefbIkvUSTk9rNaoncxI5Mod/imyan\ngCioUdMGd7M/dpEDDXKJNyI6lfscpG1D\n-----END CERTIFICATE-----\n"
}

---

Conditional access

• Get Okta certificate
• Get Okta configuration profile
• Delete Microsoft Entra ID

Get Okta certificate

Download the SAML IdP signing certificate for Okta conditional access. Okta uses this certificate to verify SAML assertions signed by Fleet.

GET /api/v1/fleet/conditional_access/idp/signing_cert

Parameters

None.

Example

GET /api/v1/fleet/conditional_access/idp/signing_cert

Default response

Status: 200

Returns a PEM-encoded X.509 certificate file with Content-Type: application/x-pem-file.

Get Okta configuration profile

Download the macOS configuration profile (.mobileconfig) for Okta conditional access. This profile configures SCEP enrollment and client certificate authentication on macOS hosts.

GET /api/v1/fleet/conditional_access/idp/apple/profile

Parameters

None.

Example

GET /api/v1/fleet/conditional_access/idp/apple/profile

Default response

Status: 200

Returns an Apple configuration profile file with Content-Type: application/x-apple-aspen-config.

Delete Microsoft Entra ID

Disconnects Fleet from Entra. This won't unblock end users failing policies. Learn how to unblock end users.

DELETE /api/v1/conditional-access/microsoft

Parameters

None.

Default response

Status: 200

---

File carving

• List carves
• Get carve
• Get carve block

Fleet supports osquery's file carving functionality as of Fleet 3.3.0. This allows the Fleet server to request files (and sets of files) from Fleet's agent (fleetd), returning the full contents to Fleet.

To initiate a file carve using the Fleet API, you can use the live query endpoint to run a query against the carves table.

Keep in mind that any failure when uploading a file block (like a network error) will result on a failed carved file. Starting in osquery v5.22.1, block uploads will be retried up to three times before failing.

For more information on executing a file carve in Fleet, go to the File carving with Fleet docs.

List carves

Retrieves a list of the non expired carves. Carve contents remain available for 24 hours after the first data is provided from the osquery client.

GET /api/v1/fleet/carves

Parameters

Name	Type	In	Description
page	integer	query	Page number of the results to fetch.
per_page	integer	query	Results per page.
order_key	string	query	What to order results by. Can be any field listed in the results array example below.
order_direction	string	query	Requires order_key. The direction of the order given the order key. Valid options are "asc" or "desc". Default is "asc".
after	string	query	The value to get results after. This needs order_key defined, as that's the column that would be used.
expired	boolean	query	Include expired carves (default: false)

Example

GET /api/v1/fleet/carves

Default response

Status: 200

{
  "carves": [
    {
      "id": 1,
      "created_at": "2021-02-23T22:52:01Z",
      "host_id": 7,
      "name": "macbook-pro.local-2021-02-23T22:52:01Z-fleet_distributed_query_30",
      "block_count": 1,
      "block_size": 2000000,
      "carve_size": 2048,
      "carve_id": "c6958b5f-4c10-4dc8-bc10-60aad5b20dc8",
      "request_id": "fleet_distributed_query_30",
      "session_id": "065a1dc3-40ad-441c-afff-80c2ad7dac28",
      "expired": false,
      "max_block": 0
    },
    {
      "id": 2,
      "created_at": "2021-02-23T22:53:03Z",
      "host_id": 7,
      "name": "macbook-pro.local-2021-02-23T22:53:03Z-fleet_distributed_query_31",
      "block_count": 2,
      "block_size": 2000000,
      "carve_size": 3400704,
      "carve_id": "2b9170b9-4e11-4569-a97c-2f18d18bec7a",
      "request_id": "fleet_distributed_query_31",
      "session_id": "f73922ed-40a4-4e98-a50a-ccda9d3eb755",
      "expired": false,
      "max_block": 1,
      "error": "S3 multipart carve upload: EntityTooSmall: Your proposed upload is smaller than the minimum allowed object size"
    }
  ]
}

Get carve

Retrieves the specified carve.

GET /api/v1/fleet/carves/:id

Parameters

Name	Type	In	Description
id	integer	path	Required. The desired carve's ID.

Example

GET /api/v1/fleet/carves/1

Default response

Status: 200

{
  "carve": {
    "id": 1,
    "created_at": "2021-02-23T22:52:01Z",
    "host_id": 7,
    "name": "macbook-pro.local-2021-02-23T22:52:01Z-fleet_distributed_query_30",
    "block_count": 1,
    "block_size": 2000000,
    "carve_size": 2048,
    "carve_id": "c6958b5f-4c10-4dc8-bc10-60aad5b20dc8",
    "request_id": "fleet_distributed_query_30",
    "session_id": "065a1dc3-40ad-441c-afff-80c2ad7dac28",
    "expired": false,
    "max_block": 0
  }
}

Get carve block

Retrieves the specified carve block. This endpoint retrieves the data that was carved.

GET /api/v1/fleet/carves/:id/block/:block_id

Parameters

Name	Type	In	Description
id	integer	path	Required. The desired carve's ID.
block_id	integer	path	Required. The desired carve block's ID.

Example

GET /api/v1/fleet/carves/1/block/0

Default response

Status: 200

{
    "data": "aG9zdHMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..."
}

---

Fleet configuration

• Get Fleet certificate
• Get configuration
• Update configuration
• Get global enroll secrets
• Update global enroll secrets
• Get fleet enroll secrets
• Update fleet enroll secrets
• Get version

The Fleet server exposes API endpoints that handle the configuration of Fleet as well as endpoints that manage enroll secret operations. These endpoints require prior authentication, you so you'll need to log in before calling any of the endpoints documented below.

Get Fleet certificate

Returns the Fleet certificate.

GET /api/v1/fleet/config/certificate

Parameters

None.

Example

GET /api/v1/fleet/config/certificate

Default response

Status: 200

{
  "certificate_chain": "<certificate_chain>"
}

Get configuration

Returns all information about the Fleet's configuration.

The agent_options, sso_settings and smtp_settings fields are only returned for admin and GitOps users with global access (see the Role-based access guide).

mdm.macos_settings.custom_settings, mdm.windows_settings.custom_settings, mdm.macos_setup, mdm.volume_purchasing_program, and scripts only include the settings applied using Fleet's YAML. To list the settings added in the UI or API, use the List configuration profiles, GET endpoints from Setup experience, List Volume Purchasing Program (VPP) tokens, or List scripts instead.

GET /api/v1/fleet/config

Parameters

None.

Example

GET /api/v1/fleet/config

Default response

Status: 200

{
  "org_info": {
    "org_name": "fleet",
    "org_logo_url": "",
    "contact_url": "https://fleetdm.com/company/contact"
  },
  "server_settings": {
    "server_url": "https://instance.fleet.com",
    "enable_analytics": true,
    "live_query_disabled": false,
    "query_reports_disabled": false,
    "ai_features_disabled": false
  },
  "smtp_settings": {
    "enable_smtp": false,
    "configured": false,
    "sender_address": "",
    "server": "",
    "port": 587,
    "authentication_type": "authtype_username_password",
    "user_name": "",
    "password": "********",
    "enable_ssl_tls": true,
    "authentication_method": "authmethod_plain",
    "domain": "",
    "verify_ssl_certs": true,
    "enable_start_tls": true
  },
  "sso_settings": {
    "entity_id": "",
    "issuer_uri": "",
    "idp_image_url": "",
    "metadata": "",
    "metadata_url": "",
    "idp_name": "",
    "enable_sso": false,
    "enable_sso_idp_login": false,
    "enable_jit_provisioning": false,
    "sso_server_url": ""
  },
  "conditional_access": {
    "microsoft_entra_tenant_id": "",
    "microsoft_entra_connection_configured": false,
    "okta_idp_id": "0ogmbinlfy9hvGs7cx492",
    "okta_assertion_consumer_service_url": "https://example.okta.com/sso/saml2/0ogmbinlfy9hvGs7cx492",
    "okta_audience_uri": "https://www.okta.com/saml2/service-provider/asdhjlksoewpoasn",
    "okta_certificate": "-----BEGIN CERTIFICATE-----\nMIIC...\n-----END CERTIFICATE-----",
    "bypass_disabled": false
  },
  "host_expiry_settings": {
    "host_expiry_enabled": false,
    "host_expiry_window": 0
  },
  "activity_expiry_settings": {
    "activity_expiry_enabled": false,
    "activity_expiry_window": 0
  },
  "features": {
    "enable_host_users": true,
    "enable_software_inventory": true,
    "additional_queries": null
  },
  "mdm": {
    "android_enabled_and_configured": true,
    "windows_enabled_and_configured": true,
    "windows_entra_tenant_ids": [
      {
        "tenant_id": "fec37e96-3615-4e37-8fac-445d5328af3c",
      },
    ],
    "enable_turn_on_windows_mdm_manually": false,
    "enable_disk_encryption": true,
    "windows_require_bitlocker_pin": false,
    "macos_updates": {
      "minimum_version": "12.3.1",
      "deadline": "2022-01-01",
      "update_new_hosts": true
    },
    "ios_updates": {
      "minimum_version": "17.0.1",
      "deadline": "2024-08-01"
    },
    "ipados_updates": {
      "minimum_version": "17.0.1",
      "deadline": "2024-08-01"
    },
    "windows_updates": {
      "deadline_days": 5,
      "grace_period_days": 1
    },
    "macos_settings": {
      "custom_settings": [
        {
          "path": "path/to/profile1.mobileconfig",
          "labels": ["Label 1", "Label 2"]
        }
      ]
    },
    "windows_settings": {
      "custom_settings": [
        {
         "path": "path/to/profile2.xml",
         "labels": ["Label 3", "Label 4"]
        }
      ],
    },
    "scripts": ["path/to/script.sh"],
    "end_user_authentication": {
      "entity_id": "",
      "metadata": "",
      "metadata_url": "",
      "idp_name": ""
    },
    "macos_migration": {
      "enable": false,
      "mode": "voluntary",
      "webhook_url": "https://webhook.example.com"
    },
    "macos_setup": {
      "bootstrap_package": "",
      "enable_end_user_authentication": false,
      "macos_setup_assistant": "path/to/config.json",
      "enable_release_device_manually": false,
      "manual_agent_install": false
    },
    "client_url": "https://instance.fleet.com"
  },
  "agent_options": {
    "spec": {
      "config": {
        "options": {
          "pack_delimiter": "/",
          "logger_tls_period": 10,
          "distributed_plugin": "tls",
          "disable_distributed": false,
          "logger_tls_endpoint": "/api/v1/osquery/log",
          "distributed_interval": 10,
          "distributed_tls_max_attempts": 3
        },
        "decorators": {
          "load": [
            "SELECT uuid AS host_uuid FROM system_info;",
            "SELECT hostname AS hostname FROM system_info;"
          ]
        }
      },
      "overrides": {},
      "command_line_flags": {}
    }
  },
  "license": {
    "tier": "premium",
    "organization": "fleet",
    "device_count": 500000,
    "managed_cloud": false,
    "expiration": "2031-10-16T00:00:00Z",
    "note": ""
  },
  "logging": {
    "debug": false,
    "json": false,
    "result": {
      "plugin": "firehose",
      "config": {
        "region": "us-east-1",
        "status_stream": "",
        "result_stream": "result-topic"
      }
    },
    "status": {
      "plugin": "filesystem",
      "config": {
        "status_log_file": "foo_status",
        "result_log_file": "",
        "enable_log_rotation": false,
        "enable_log_compression": false
      }
    }
  },
  "vulnerability_settings": {
    "databases_path": ""
  },
  "gitops": {
    "gitops_mode_enabled": false,
    "repository_url": "",
  },
  "webhook_settings": {
    "host_status_webhook": {
      "enable_host_status_webhook": true,
      "destination_url": "https://server.com",
      "host_percentage": 5,
      "days_count": 7
    },
    "failing_policies_webhook":{
      "enable_failing_policies_webhook":true,
      "destination_url": "https://server.com",
      "policy_ids": [1, 2, 3],
      "host_batch_size": 1000
    },
    "vulnerabilities_webhook":{
      "enable_vulnerabilities_webhook":true,
      "destination_url": "https://server.com",
      "host_batch_size": 1000
    },
    "activities_webhook":{
      "enable_activities_webhook":true,
      "destination_url": "https://server.com"
    }
  },
  "integrations": {
    "google_calendar": [
      {
        "domain": "example.com",
        "api_key_json": {
           "type": "service_account",
           "project_id": "fleet-in-your-calendar",
           "private_key_id": "<private key id>",
           "private_key": "-----BEGIN PRIVATE KEY-----\n<private key>\n-----END PRIVATE KEY-----\n",
           "client_email": "fleet-calendar-events@fleet-in-your-calendar.iam.gserviceaccount.com",
           "client_id": "<client id>",
           "auth_uri": "https://accounts.google.com/o/oauth2/auth",
           "token_uri": "https://oauth2.googleapis.com/token",
           "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
           "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/fleet-calendar-events%40fleet-in-your-calendar.iam.gserviceaccount.com",
           "universe_domain": "googleapis.com"
         }
      }
    ],
    "jira": [],
    "zendesk": []
  },
  "logging": {
    "debug": false,
    "json": false,
    "result": {
        "plugin": "filesystem",
        "config": {
          "status_log_file": "/var/folders/xh/bxm1d2615tv3vrg4zrxq540h0000gn/T/osquery_status",
          "result_log_file": "/var/folders/xh/bxm1d2615tv3vrg4zrxq540h0000gn/T/osquery_result",
          "enable_log_rotation": false,
          "enable_log_compression": false
        }
      },
    "status": {
      "plugin": "filesystem",
      "config": {
        "status_log_file": "/var/folders/xh/bxm1d2615tv3vrg4zrxq540h0000gn/T/osquery_status",
        "result_log_file": "/var/folders/xh/bxm1d2615tv3vrg4zrxq540h0000gn/T/osquery_result",
        "enable_log_rotation": false,
        "enable_log_compression": false
      }
    }
  },
  "update_interval": {
    "osquery_detail": 3600000000000,
    "osquery_policy": 3600000000000
  },
  "vulnerabilities": {
    "cpe_database_url": "",
    "disable_schedule": false,
    "cve_feed_prefix_url": "",
    "databases_path": "",
    "disable_data_sync": false,
    "periodicity": 3600000000000,
    "recent_vulnerability_max_age": 2592000000000000
  }
}

Update configuration

Modifies the Fleet's configuration with the supplied information.

PATCH /api/v1/fleet/config

Parameters

Name	Type	In	Description
org_info	object	body	See org_info.
server_settings	object	body	See server_settings.
smtp_settings	object	body	See smtp_settings.
sso_settings	object	body	See sso_settings.
host_expiry_settings	object	body	See host_expiry_settings.
activity_expiry_settings	object	body	See activity_expiry_settings.
agent_options	objects	body	The agent_options spec that is applied to all hosts.
fleet_desktop	object	body	See fleet_desktop.
webhook_settings	object	body	See webhook_settings.
integrations	object	body	See integrations.
gitops	object	body	See gitops.
mdm	object	body	See mdm.
conditional_access	object	body	See conditional_access.
features	object	body	See features.
scripts	array	body	A list of script files to add so they can be executed at a later time.
yara_rules	array	body	A list of YARA rule files to add.
force	boolean	query	Whether to force-apply the agent options even if there are validation errors.
dry_run	boolean	query	Whether to validate the configuration and return any validation errors without applying changes.

Example

PATCH /api/v1/fleet/config

Request body

{
  "scripts": []
}

Default response

Status: 200

{
  "org_info": {
    "org_name": "Fleet Device Management",
    "org_logo_url": "https://fleetdm.com/logo.png",
    "org_logo_url_light_background": "https://fleetdm.com/logo-light.png",
    "contact_url": "https://fleetdm.com/company/contact"
  },
  "server_settings": {
    "server_url": "https://instance.fleet.com",
    "enable_analytics": true,
    "live_query_disabled": false,
    "query_reports_disabled": false,
    "ai_features_disabled": false
  },
  "smtp_settings": {
    "enable_smtp": true,
    "configured": true,
    "sender_address": "",
    "server": "localhost",
    "port": 1025,
    "authentication_type": "authtype_username_none",
    "user_name": "",
    "password": "********",
    "enable_ssl_tls": true,
    "authentication_method": "authmethod_plain",
    "domain": "",
    "verify_ssl_certs": true,
    "enable_start_tls": true
  },
  "sso_settings": {
    "entity_id": "",
    "issuer_uri": "",
    "idp_image_url": "",
    "metadata": "",
    "metadata_url": "",
    "idp_name": "",
    "enable_sso": false,
    "enable_sso_idp_login": false,
    "enable_jit_provisioning": false,
    "sso_server_url": "https://instance.fleet.com"
  },
  "conditional_access": {
    "microsoft_entra_tenant_id": "<TENANT ID>",
    "microsoft_entra_connection_configured": true,
    "okta_idp_id": "0ogmbinlfy9hvGs7cx492",
    "okta_assertion_consumer_service_url": "https://example.okta.com/sso/saml2/0ogmbinlfy9hvGs7cx492",
    "okta_audience_uri": "https://www.okta.com/saml2/service-provider/asdhjlksoewpoasn",
    "okta_certificate": "-----BEGIN CERTIFICATE-----\nMIIC...\n-----END CERTIFICATE-----",
    "bypass_disabled": false
  },
  "host_expiry_settings": {
    "host_expiry_enabled": false,
    "host_expiry_window": 0
  },
  "activity_expiry_settings": {
    "activity_expiry_enabled": false,
    "activity_expiry_window": 0
  },
  "features": {
    "enable_host_users": true,
    "enable_software_inventory": true,
    "additional_queries": null
  },
  "license": {
    "tier": "free",
    "expiration": "0001-01-01T00:00:00Z"
  },
  "mdm": {
    "enabled_and_configured": false,
    "android_enabled_and_configured": false,
    "windows_enabled_and_configured": false,
    "windows_entra_tenant_ids": [
      "26ac824d-0d5e-4f0c-a202-1c29d5a48e43"
    ],
    "enable_turn_on_windows_mdm_manually": false,
    "enable_disk_encryption": true,
    "windows_require_bitlocker_pin": false,
    "enable_recovery_lock_password": true,
    "macos_updates": {
      "minimum_version": "12.3.1",
      "deadline": "2022-01-01",
      "update_new_hosts": true
    },
    "ios_updates": {
      "minimum_version": "17.0.1",
      "deadline": "2024-08-01"
    },
    "ipados_updates": {
      "minimum_version": "17.0.1",
      "deadline": "2024-08-01"
    },
    "windows_updates": {
      "deadline_days": 5,
      "grace_period_days": 1
    },
    "macos_settings": {
      "custom_settings": [
        {
          "path": "path/to/profile1.mobileconfig",
          "labels_exclude_any": ["Label 1", "Label 2"]
        },
        {
          "path": "path/to/profile2.json",
          "labels_include_all": ["Label 3", "Label 4"]
        },
        {
          "path": "path/to/profile3.json",
          "labels_include_any": ["Label 5", "Label 6"]
        },
      ]
    },
    "windows_settings": {
      "custom_settings": [
        {
          "path": "path/to/profile3.xml",
          "labels_exclude_any": ["Label 1", "Label 2"]
        }
      ]
    },
    "end_user_authentication": {
      "entity_id": "",
      "metadata": "",
      "metadata_url": "",
      "idp_name": ""
    },
    "macos_migration": {
      "enable": false,
      "mode": "voluntary",
      "webhook_url": "https://webhook.example.com"
    },
    "macos_setup": {
      "bootstrap_package": "",
      "enable_end_user_authentication": false,
      "lock_end_user_info": true,
      "macos_setup_assistant": "path/to/config.json"
    },
    "apple_server_url": "https://instance.fleet.com"
  },
  "agent_options": {
    "config": {
      "options": {
        "pack_delimiter": "/",
        "logger_tls_period": 10,
        "distributed_plugin": "tls",
        "disable_distributed": false,
        "logger_tls_endpoint": "/api/v1/osquery/log",
        "distributed_interval": 10,
        "distributed_tls_max_attempts": 3
      },
      "decorators": {
        "load": [
          "SELECT uuid AS host_uuid FROM system_info;",
          "SELECT hostname AS hostname FROM system_info;"
        ]
      }
    },
    "overrides": {},
    "command_line_flags": {}
  },
  "vulnerability_settings": {
    "databases_path": ""
  },
  "fleet_desktop": {
    "transparency_url": "https://fleetdm.com/better",
    "alternative_browser_host": "fleet-desktop.example.com"
  },
  "gitops": {
    "gitops_mode_enabled": false,
    "repository_url": "",
  },
  "webhook_settings": {
    "host_status_webhook": {
      "enable_host_status_webhook": true,
      "destination_url": "https://server.com",
      "host_percentage": 5,
      "days_count": 7
    },
    "failing_policies_webhook":{
      "enable_failing_policies_webhook":true,
      "destination_url": "https://server.com",
      "policy_ids": [1, 2, 3],
      "host_batch_size": 1000
    },
    "vulnerabilities_webhook":{
      "enable_vulnerabilities_webhook":true,
      "destination_url": "https://server.com",
      "host_batch_size": 1000
    },
    "activities_webhook":{
      "enable_activities_webhook":true,
      "destination_url": "https://server.com"
    }
  },
  "integrations": {
    "google_calendar": [
      {
        "domain": "",
        "api_key_json": null
      }
    ],
    "jira": [
      {
        "url": "https://jiraserver.com",
        "username": "some_user",
        "password": "sec4et!",
        "project_key": "jira_project",
        "enable_software_vulnerabilities": false
      }
    ],
    "zendesk": []
  },
  "logging": {
      "debug": false,
      "json": false,
      "result": {
          "plugin": "firehose",
          "config": {
            "region": "us-east-1",
            "status_stream": "",
            "result_stream": "result-topic"
          }
      },
      "status": {
          "plugin": "filesystem",
          "config": {
            "status_log_file": "foo_status",
            "result_log_file": "",
            "enable_log_rotation": false,
            "enable_log_compression": false
          }
      }
  },
  "scripts": []
}

org_info

Name	Type	Description
org_name	string	The organization name.
org_logo_url	string	The URL for the organization logo.
org_logo_url_light_background	string	The URL for the organization logo displayed in Fleet on top of light backgrounds.
contact_url	string	A URL or file URI that can be used by end users to contact the organization.

Example request body

{
  "org_info": {
    "org_name": "Fleet Device Management",
    "org_logo_url": "https://fleetdm.com/logo.png",
    "org_logo_url_light_background": "https://fleetdm.com/logo-light.png",
    "contact_url": "https://fleetdm.com/company/contact"
  }
}

server_settings

Name	Type	Description
server_url	string	The Fleet server URL.
enable_analytics	boolean	Whether to send anonymous usage statistics. Always enabled for Fleet Premium customers.
live_query_disabled	boolean	Whether the live query capabilities are disabled.
query_reports_disabled	boolean	Whether query report capabilities are disabled.
ai_features_disabled	boolean	Whether AI features are disabled.
query_report_cap	integer	The maximum number of results to store per query report before the report is clipped. If increasing this cap, we recommend enabling reports for one query at time and monitoring your infrastructure. (Default: 1000)

Note: If server_url changes, hosts that enrolled to the old URL will need to re-enroll, or they will no longer communicate with Fleet. Before re-enrolling Android hosts, you'll need to turn Android MDM off and back on to point Google to the new server_url.

Example request body

{
  "server_settings": {
    "server_url": "https://localhost:8080",
    "enable_analytics": true,
    "live_query_disabled": false,
    "query_reports_disabled": false,
    "ai_features_disabled": false
  }
}

smtp_settings

Name	Type	Description
enable_smtp	boolean	Whether SMTP is enabled for the Fleet app.
sender_address	string	The sender email address for the Fleet app. An invitation email is an example of the emails that may use this sender address
server	string	The SMTP server for the Fleet app.
port	integer	The SMTP port for the Fleet app.
authentication_type	string	The authentication type used by the SMTP server. Options include "authtype_username_and_password" or "none"
user_name	string	The username used to authenticate requests made to the SMTP server.
password	string	The password used to authenticate requests made to the SMTP server.
enable_ssl_tls	boolean	Whether or not SSL and TLS are enabled for the SMTP server.
authentication_method	string	The authentication method used to make authenticate requests to SMTP server. Options include "authmethod_plain", "authmethod_cram_md5", and "authmethod_login".
domain	string	The domain for the SMTP server.
verify_ssl_certs	boolean	Whether or not SSL certificates are verified by the SMTP server. Turn this off (not recommended) if you use a self-signed certificate.
enable_start_tls	boolean	Detects if STARTTLS is enabled in your SMTP server and starts to use it.

The Fleet server relies on the host operating system's trust store to validate TLS certificates. If your email server uses a private or self-signed certificate, you’ll need to add the certificate to the OS trust store on the server running Fleet. Fleet doesn't currently support uploading custom CA certificates via the UI or API.

Example request body

{
  "smtp_settings": {
    "enable_smtp": true,
    "sender_address": "",
    "server": "localhost",
    "port": 1025,
    "authentication_type": "none",
    "user_name": "",
    "password": "",
    "enable_ssl_tls": true,
    "authentication_method": "authmethod_plain",
    "domain": "",
    "verify_ssl_certs": true,
    "enable_start_tls": true
  }
}

sso_settings

Name	Type	Description
enable_sso	boolean	Whether or not SSO is enabled for the Fleet application. If this value is true, you must also include most of the SSO settings parameters below.
entity_id	string	The required entity ID is a URI that you use to identify Fleet when configuring the identity provider. Must be 5 or more characters.
issuer_uri	string	The URI you provide here must exactly match the Entity ID field used in the identity provider configuration.
idp_image_url	string	An optional link to an image such as a logo for the identity provider.
metadata_url	string	A URL that references the identity provider metadata. If available from the identity provider, this is the preferred means of providing metadata. Must be either https or http
metadata	string	Metadata provided by the identity provider. Either metadata or a metadata_url must be provided.
enable_sso_idp_login	boolean	Determines whether Identity Provider (IdP) initiated login for Single sign-on (SSO) is enabled for the Fleet application.
enable_jit_provisioning	boolean	Available in Fleet Premium. When enabled, allows just-in-time user provisioning.
sso_server_url	boolean	Update this URL if you want your Fleet users (admins, maintainers, observers) to login via SSO using a URL that's different than the base URL of your Fleet instance. If not configured, login via SSO will use the base URL of the Fleet instance.

Example request body

{
  "sso_settings": {
    "enable_sso": false,
    "entity_id": "",
    "issuer_uri": "",
    "idp_image_url": "",
    "metadata_url": "",
    "metadata": "",
    "idp_name": "",
    "enable_sso_idp_login": false,
    "enable_jit_provisioning": false,
    "sso_server_url": ""
  }
}

host_expiry_settings

Name	Type	Description
host_expiry_enabled	boolean	When enabled, allows automatic cleanup of hosts that have not communicated with Fleet in some number of days.
host_expiry_window	integer	If a host has not communicated with Fleet in the specified number of days, it will be removed. Must be greater than 0 if host_expiry_enabled is set to true.

Example request body

{
  "host_expiry_settings": {
    "host_expiry_enabled": true,
    "host_expiry_window": 7
  }
}

activity_expiry_settings

Name	Type	Description
activity_expiry_enabled	boolean	When enabled, allows automatic cleanup of activities (and associated live query data) older than the specified number of days. Activities linked to a host are preserved until the host is deleted.
activity_expiry_window	integer	The number of days to retain activity records, if activity expiry is enabled.

Example request body

{
  "activity_expiry_settings": {
    "activity_expiry_enabled": true,
    "activity_expiry_window": 90
  }
}

fleet_desktop

Available in Fleet Premium.

Name	Type	Description
transparency_url	string	The URL used to display transparency information to users of Fleet Desktop.
alternative_browser_host	string	The hostname used to navigate Fleet Desktop traffic through.

Example request body

{
  "fleet_desktop": {
    "transparency_url": "https://fleetdm.com/better",
    "alternative_browser_host": "fleet-desktop.example.com"
  }
}

gitops

Available in Fleet Premium.

Name	Type	Description
gitops_mode_enabled	boolean	Whether to enable "GitOps mode", which restricts making changes via the UI that would be overridden by running fleetctl-gitops. (Default: false)
repository_url	string	The URL for the repository where changes are managed, for Fleet instances using GitOps. Users will be sent here when GitOps mode is enabled.

Example request body

{
  "gitops": {
    "gitops_mode_enabled": true,
    "repository_url": "https://github.com/exampleorg/it-and-security"
  }
}

webhook_settings

Name	Type	Description
interval		string
host_status_webhook	array	See webhook_settings.host_status_webhook.
failing_policies_webhook	array	See webhook_settings.failing_policies_webhook.
vulnerabilities_webhook	array	See webhook_settings.vulnerabilities_webhook.
activities_webhook	array	See webhook_settings.activities_webhook.

webhook_settings.host_status_webhook

webhook_settings.host_status_webhook is an object with the following structure:

Name	Type	Description
enable_host_status_webhook	boolean	Whether or not the host status webhook is enabled.
destination_url	string	The URL to deliver the webhook request to.
host_percentage	integer	The minimum percentage of hosts that must fail to check in to Fleet in order to trigger the webhook request.
days_count	integer	The minimum number of days that the configured host_percentage must fail to check in to Fleet in order to trigger the webhook request.

webhook_settings.failing_policies_webhook

webhook_settings.failing_policies_webhook is an object with the following structure:

Name	Type	Description
enable_failing_policies_webhook	boolean	Whether or not the failing policies webhook is enabled.
destination_url	string	The URL to deliver the webhook requests to.
policy_ids	array	List of policy IDs to enable failing policies webhook.
host_batch_size	integer	Maximum number of hosts to batch on failing policy webhook requests. The default, 0, means no batching (all hosts failing a policy are sent on one request).

webhook_settings.vulnerabilities_webhook

webhook_settings.vulnerabilities_webhook is an object with the following structure:

Name	Type	Description
enable_vulnerabilities_webhook	boolean	Whether or not the vulnerabilities webhook is enabled.
destination_url	string	The URL to deliver the webhook requests to.
host_batch_size	integer	Maximum number of hosts to batch on vulnerabilities webhook requests. The default, 0, means no batching (all vulnerable hosts are sent on one request).

webhook_settings.activities_webhook

webhook_settings.activities_webhook is an object with the following structure:

Name	Type	Description
enable_activities_webhook	boolean	Whether or not the activity feed webhook is enabled.
destination_url	string	The URL to deliver the webhook requests to.

Example request body

{
  "webhook_settings": {
    "host_status_webhook": {
      "enable_host_status_webhook": true,
      "destination_url": "https://server.com",
      "host_percentage": 5,
      "days_count": 7
    },
    "failing_policies_webhook":{
      "enable_failing_policies_webhook": true,
      "destination_url": "https://server.com",
      "policy_ids": [1, 2, 3],
      "host_batch_size": 1000
    },
    "vulnerabilities_webhook":{
      "enable_vulnerabilities_webhook":true,
      "destination_url": "https://server.com",
      "host_batch_size": 1000
    },
    "activities_webhook":{
      "enable_activities_webhook":true,
      "destination_url": "https://server.com"
    }
  }
}

integrations

Name	Type	Description
jira	array	See integrations.jira.
zendesk	array	See integrations.zendesk.
google_calendar	array	See integrations.google_calendar.

integrations.jira

integrations.jira is an array of objects with the following structure:

Name	Type	Description
enable_software_vulnerabilities	boolean	Whether or not Jira integration is enabled for software vulnerabilities. Only one vulnerability automation can be enabled at a given time (enable_vulnerabilities_webhook and enable_software_vulnerabilities).
enable_failing_policies	boolean	Whether or not Jira integration is enabled for failing policies. Only one failing policy automation can be enabled at a given time (enable_failing_policies_webhook and enable_failing_policies).
url	string	The URL of the Jira server to integrate with.
username	string	The Jira username to use for this Jira integration.
api_token	string	The API token of the Jira username to use for this Jira integration.
project_key	string	The Jira project key to use for this integration. Jira tickets will be created in this project.

Note that when making changes to the integrations.jira array, all integrations must be provided (not just the one being modified). This is because the endpoint will consider missing integrations as deleted.

integrations.zendesk

integrations.zendesk is an array of objects with the following structure:

Name	Type	Description
enable_software_vulnerabilities	boolean	Whether or not Zendesk integration is enabled for software vulnerabilities. Only one vulnerability automation can be enabled at a given time (enable_vulnerabilities_webhook and enable_software_vulnerabilities).
enable_failing_policies	boolean	Whether or not Zendesk integration is enabled for failing policies. Only one failing policy automation can be enabled at a given time (enable_failing_policies_webhook and enable_failing_policies).
url	string	The URL of the Zendesk server to integrate with.
email	string	The Zendesk user email to use for this Zendesk integration.
api_token	string	The Zendesk API token to use for this Zendesk integration.
group_id	integer	The Zendesk group id to use for this integration. Zendesk tickets will be created in this group.

Note that when making changes to the integrations.zendesk array, all integrations must be provided (not just the one being modified). This is because the endpoint will consider missing integrations as deleted.

integrations.google_calendar

integrations.google_calendar is an array of objects with the following structure:

Name	Type	Description
domain	string	The domain for the Google Workspace service account to be used for this calendar integration.
api_key_json	object	The private key JSON downloaded when generating the service account API key to be used for this calendar integration.

Example request body

{
  "integrations": {
    "jira": [
      {
        "enable_software_vulnerabilities": false,
        "enable_failing_poilicies": true,
        "url": "https://jiraserver.com",
        "username": "some_user",
        "api_token": "<TOKEN>",
        "project_key": "jira_project",
      }
    ],
    "zendesk": [],
    "google_calendar": [
      {
        "domain": "https://domain.com",
        "api_key_json": "<API KEY JSON>"
      }
    ]
  }
}

conditional_access

Available in Fleet Premium.

Name	Type	Description
okta_idp_id	string	The IdP ID found in Okta after creating an IdP in Security > Identity Providers > SAML 2.0 IdP
okta_assertion_consumer_service_url	string	The assertion consumer service URL found in Okta after creating an IdP in Security > Identity Providers > SAML 2.0 IdP
okta_audience_uri	string	The audience URI found in Okta after creating an IdP in Security > Identity Providers > SAML 2.0 IdP
okta_certificate	string	The certificate provided by Okta during the Set Up Authenticator workflow
bypass_disabled	boolean	Disables the per-policy setting to allow bypassing Okta conditional access. (Default: false.)

When updating conditional access config, all conditional_access fields must either be empty or included in the request.

Example request body

{
  "conditional_access": {
    "okta_idp_id": "0ogmbinlfy9hvGs7cx492",
    "okta_assertion_consumer_service_url": "https://example.okta.com/sso/saml2/0ogmbinlfy9hvGs7cx492",
    "okta_audience_uri": "https://www.okta.com/saml2/service-provider/asdhjlksoewpoasn",
    "okta_certificate": "-----BEGIN CERTIFICATE-----\nMIIC...\n-----END CERTIFICATE-----",
    "bypass_disabled": false
  }
}

mdm

Name	Type	Description
windows_enabled_and_configured	boolean	Enables Windows MDM support.
windows_entra_tenant_ids	array	Available in Fleet Premium. IDs of Microsoft Entra tenants to connect to Fleet, to enable automatic (Autopilot) and manual enrollment by end users (Settings > Accounts > Access work or school on Windows). Find your Tenant ID, on Microsoft Entra ID > Home.
enable_turn_on_windows_mdm_manually	boolean	Available in Fleet Premium. Specifies whether or not to require end users to manually turn on MDM in Settings > Access work or school. If false, MDM is automatically turned on for all Windows hosts that aren't connected to any MDM solution.
enable_disk_encryption	boolean	Available in Fleet Premium. Hosts that are "Unassigned" will have disk encryption enabled if set to true.
windows_require_bitlocker_pin	boolean	Available in Fleet Premium. End users on Windows hosts that are "Unassigned" will be required to set a BitLocker PIN if set to true. enable_disk_encryption must be set to true. When the PIN is set, it's required to unlock Windows host during startup.
enable_recovery_lock_password	boolean	Available in Fleet Premium. Unassigned hosts will have Recovery Lock password enabled if set to true.
macos_updates	object	See mdm.macos_updates.
ios_updates	object	See mdm.ios_updates.
ipados_updates	object	See mdm.ipados_updates.
windows_updates	object	See mdm.window_updates.
macos_migration	object	See mdm.macos_migration.
macos_setup	object	See mdm.macos_setup.
macos_settings	object	See mdm.macos_settings.
windows_settings	object	See mdm.windows_settings.
apple_server_url	string	Update this URL if you're self-hosting Fleet and you want your hosts to talk to this URL for MDM features. (If not configured, hosts will use the base URL of the Fleet instance.)

Note: If apple_server_url changes and Apple (macOS, iOS, iPadOS) hosts already have MDM turned on, the end users will have to turn MDM off and back on to use MDM features.

mdm.macos_updates

Available in Fleet Premium.

mdm.macos_updates is an object with the following structure:

Name	Type	Description
minimum_version	string	Hosts that are "Unassigned" and have MDM turned on will be prompted to update when their OS is below this version.
deadline	string	Hosts that are "Unassigned" and have MDM turned on will be forced to update their OS after this deadline (7PM local time for hosts already on macOS 14 or above, 20:00 UTC for hosts on earlier macOS versions).
update_new_hosts	string	macOS hosts that automatically enroll (ADE) are updated to Apple's latest version during macOS Setup Assistant. For backwards compatibility, if not specified, and deadline and minimum_version are set, update_new_hosts is set to true. Otherwise, update_new_hosts defaults to false.

mdm.ios_updates

Available in Fleet Premium.

mdm.ios_updates is an object with the following structure:

Name	Type	Description
minimum_version	string	Hosts that are "Unassigned" will be prompted to update when their OS is below this version.
deadline	string	Hosts that are "Unassigned" will be forced to update their OS after this deadline (7PM local time).

mdm.ipados_updates

Available in Fleet Premium.

mdm.ipados_updates is an object with the following structure:

Name	Type	Description
minimum_version	string	Hosts that are "Unassigned" will be prompted to update when their OS is below this version.
deadline	string	Hosts that are "Unassigned" will be forced to update their OS after this deadline (7PM local time).

mdm.windows_updates

Available in Fleet Premium.

mdm.windows_updates is an object with the following structure:

Name	Type	Description
deadline_days	integer	Hosts that are "Unassigned" and have MDM turned on will have this number of days before updates are installed on Windows.
grace_period_days	integer	Hosts that are "Unassigned" and have MDM turned on will have this number of days before Windows restarts to install updates.

mdm.macos_migration

Available in Fleet Premium.

mdm.macos_migration is an object with the following structure:

Name	Type	Description
enable	boolean	Whether to enable the end user migration workflow for devices migrating from your old MDM solution.
mode	string	The end user migration workflow mode for devices migrating from your old MDM solution. Options are "voluntary" or "forced".
webhook_url	string	The webhook url configured to receive requests to unenroll devices migrating from your old MDM solution.

mdm.macos_setup

Available in Fleet Premium.

mdm.macos_setup is an object with the following structure:

Name	Type	Description
enable_end_user_authentication	boolean	If set to true, end user authentication will be required during automatic MDM enrollment of new macOS devices. Settings for your IdP provider must also be configured.
lock_end_user_info	boolean	If set to true, end user can't edit the local account's Account Name and Full Name in macOS Setup Assistant. These fields will be locked to values from your IdP. (Default: true)

mdm.macos_settings

mdm.macos_settings is an object with the following structure:

Name	Type	Description
custom_settings	array	Only intended to be used by Fleet's YAML. To add macOS configuration profiles using Fleet's API, use the Create custom OS setting (configuration profile) endpoint instead.

mdm.windows_settings

mdm.windows_settings is an object with the following structure:

Name	Type	Description
custom_settings	array	Only intended to be used by Fleet's YAML. To add Windows configuration profiles using Fleet's API, use the Create custom OS setting (configuration profile) endpoint instead.

mdm.end_user_authentication

mdm.end_user_authentication is an object with the following structure:

Name	Type	Description
entity_id	string	Required. The entity ID is a URI that you use to identify Fleet when configuring the identity provider. Must be 5 or more characters.
idp_name	string	Required. A human friendly name for the identity provider that will provide single sign-on authentication.
metadata_url	string	A URL that references the identity provider metadata. If available from the identity provider, this is the preferred means of providing metadata. Must be either https or http.
metadata	string	Metadata provided by the identity provider. Either metadata or a metadata_url must be provided.

Example request body

{
  "mdm": {
    "windows_enabled_and_configured": false,
    "enable_turn_on_windows_mdm_manually": false,
    "enable_disk_encryption": true,
    "windows_require_bitlocker_pin": false,
    "enable_recovery_lock_password": true,
    "macos_updates": {
      "minimum_version": "12.3.1",
      "deadline": "2022-01-01",
      "update_new_hosts": true
    },
    "windows_updates": {
      "deadline_days": 5,
      "grace_period_days": 1
    },
    "macos_settings": {
      "custom_settings": [
        {
          "path": "path/to/profile1.mobileconfig",
          "labels": ["Label 1", "Label 2"]
        },
        {
          "path": "path/to/profile2.json",
          "labels": ["Label 3", "Label 4"]
        },
      ]
    },
    "windows_settings": {
      "custom_settings": [
        {
          "path": "path/to/profile3.xml",
          "labels": ["Label 1", "Label 2"]
        }
      ]
    },
    "end_user_authentication": {
      "entity_id": "",
      "metadata": "",
      "metadata_url": "",
      "idp_name": ""
    },
    "macos_migration": {
      "enable": false,
      "mode": "voluntary",
      "webhook_url": "https://webhook.example.com"
    },
    "macos_setup": {
      "bootstrap_package": "",
      "enable_end_user_authentication": false,
      "lock_end_user_info": true,
      "macos_setup_assistant": "path/to/config.json"
    }
  }
}

Features

Name	Type	Description
enable_host_users	boolean	Whether to enable the users feature in Fleet. (Default: true)
enable_software_inventory	boolean	Whether to enable the software inventory feature in Fleet. (Default: true)
additional_queries	object	additional_queries adds extra host details. This information will be updated at the same time as other host details and is returned by the API when host objects are returned. (Default: null)

Example request body

{
  "features": {
    "enable_host_users": true,
    "enable_software_inventory": true,
    "additional_queries": {
      "time": "SELECT * FROM time",
      "macs": "SELECT mac FROM interface_details"
    }
  }
}

Get global enroll secrets

Returns the valid global enroll secrets.

GET /api/v1/fleet/spec/enroll_secret

Parameters

None.

Example

GET /api/v1/fleet/spec/enroll_secret

Default response

Status: 200

{
  "spec": {
    "secrets": [
      {
        "secret": "vhPzPOnCMOMoqSrLxKxzSADyqncayacB",
        "created_at": "2021-11-12T20:24:57Z"
      },
      {
        "secret": "jZpexWGiXmXaFAKdrdttFHdJBqEnqlVF",
        "created_at": "2021-11-12T20:24:57Z"
      }
    ]
  }
}

Update global enroll secrets

Replaces all existing global enroll secrets.

POST /api/v1/fleet/spec/enroll_secret

Parameters

Name	Type	In	Description
spec	object	body	Required. Attribute "secrets" must be a list of enroll secrets

Example

Replace all global enroll secrets with a new enroll secret.

POST /api/v1/fleet/spec/enroll_secret

Request body

{
  "spec": {
    "secrets": [
      {
        "secret": "KuSkYFsHBQVlaFtqOLwoUIWniHhpvEhP"
      }
    ]
  }
}

Default response

Status: 200

{}

Example

Delete all global enroll secrets.

POST /api/v1/fleet/spec/enroll_secret

Request body

{
  "spec": {
    "secrets": []
  }
}

Default response

Status: 200

{}

Get fleet enroll secrets

Returns the fleet's enroll secrets.

GET /api/v1/fleet/fleets/:id/secrets

Parameters

None.

Example

GET /api/v1/fleet/fleets/1/secrets

Default response

Status: 200

{
  "secrets": [
    {
      "created_at": "2021-06-16T22:05:49Z",
      "secret": "aFtH2Nq09hrvi73ErlWNQfa7M53D3rPR",
      "team_id": 1,
      "fleet_id": 1,
    }
  ]
}

Update fleet enroll secrets

Replaces all existing enroll secrets for a fleet.

PATCH /api/v1/fleet/fleets/:id/secrets

Parameters

Name	Type	In	Description
id	integer	path	Required. The fleet's id.
secrets	array	body	Required. A list of enroll secrets

Example

Replace all of a fleet's existing enroll secrets with a new enroll secret

PATCH /api/v1/fleet/fleets/2/secrets

Request body

{
  "secrets": [
    {
      "secret": "n07v32y53c237734m3n201153c237"
    }
  ]
}

Default response

Status: 200

{
  "secrets": [
    {
      "secret": "n07v32y53c237734m3n201153c237",
      "created_at": "0001-01-01T00:00:00Z"
    }
  ]
}

Example

Delete all of a fleet's existing enroll secrets

PATCH /api/v1/fleet/fleets/2/secrets

Request body

{
  "secrets": []
}

Default response

Status: 200

{
  "secrets": null
}

Get version

Get version and build information from the Fleet server.

GET /api/v1/fleet/version

Parameters

None.

Example

GET /api/v1/fleet/version

Default response

Status: 200

{
  "version": "3.9.0-93-g1b67826f-dirty",
  "branch": "version",
  "revision": "1b67826fe4bf40b2f45ec53e01db9bf467752e74",
  "go_version": "go1.15.7",
  "build_date": "2021-03-27",
  "build_user": "zwass"
}

---

Hosts

• List hosts
• Count hosts
• Get hosts summary
• Get host
• Get host by identifier
• Get host by Fleet Desktop token
• Delete host
• Refetch host
• Refetch host by Fleet Desktop token
• Update hosts' fleet
• Update hosts' fleet by filter
• Turn off host's MDM
• Batch-delete hosts
• Update human-device mapping
• Get host's device health report
• Get host's mobile device management (MDM) information
• Get mobile device management (MDM) status
• Get host's mobile device management (MDM) and Munki information
• Get hosts' aggregate mobile device management (MDM) and Munki information
• Get host's software
• Get hosts report in CSV
• Get host's disk encryption key
• Get host's Recovery Lock password
• Get host's certificates
• Lock host
• Unlock host
• Wipe host
• Get host's past activity
• Get host's upcoming activity
• Cancel host's upcoming activity
• Add labels to host
• Remove labels from host
• Run live query on host (ad hoc)
• Run live query on host by identifier (ad hoc)
• Bypass host's conditional access

About host timestamps

Hosts have a set of timestamps usually named with an "_at" suffix, such as created_at, enrolled_at, etc. Before we go through each of them and what they mean, we need to understand a bit more about how the host data structure is represented in the database.

The table hosts is the main one. It holds the core data for a host. A host doesn't exist if there is no row for it in this table. This table also holds most of the timestamps, but it doesn't hold all of the host data. This is an important detail as we'll see below.

There's adjacent tables to this one that usually follow the name convention host_<extra data descriptor>. Examples of this are: host_additional that holds additional query results, host_software that links a host with many rows from the software table.

• created_at: the time the row in the database was created, which usually corresponds to the first enrollment of the host.
• updated_at: the last time the row in the database for the hosts table was updated.
• detail_updated_at: the last time Fleet updated host data (this includes updates to host associated tables, e.g. host_users).
• label_updated_at: the last time Fleet updated the label membership for the host
• last_enrolled_at: the last time the host enrolled to Fleet.
• policy_updated_at: the last time we updated the policy results for the host
• seen_time: the last time the host contacted the fleet server, regardless of what operation it was for.
• software_updated_at: the last time software changed for the host in any way.
• last_restarted_at: the last time that the host was restarted.

List hosts

GET /api/v1/fleet/hosts

Parameters

Name	Type	In	Description
page	integer	query	Page number of the results to fetch.
per_page	integer	query	Results per page.
order_key	string	query	What to order results by. Can be any column in the hosts table.
after	string	query	The value to get results after. This needs order_key defined, as that's the column that would be used. Note: Use page instead of after
order_direction	string	query	Requires order_key. The direction of the order given the order key. Options include "asc" and "desc". Default is "asc".
status	string	query	Indicates the status of the hosts to return. Can either be 'new', 'online', 'offline', 'mia' or 'missing'.
query	string	query	Search query keywords. Searchable fields include hostname, hardware_serial, uuid, ipv4, and end user email addresses.
additional_info_filters	string	query	A comma-delimited list of fields to include in each host's additional object. This query is populated by the additional_queries in the features section of the configuration YAML.
fleet_id	integer	query	Available in Fleet Premium. Filters to only include hosts in the specified fleet. Use 0 to filter by "Unassigned" hosts.
policy_id	integer	query	The ID of the policy to filter hosts by.
policy_response	string	query	Requires policy_id. Valid options are 'passing' or 'failing'.
software_version_id	integer	query	The ID of the software version to filter hosts by.
software_title_id	integer	query	The ID of the software title to filter hosts by.
software_status	string	query	The status of the software install to filter hosts by. One of: pending_install, failed_install, installed, pending_uninstall, failed_uninstall, pending, or failed. Mutually exclusive with software_version_id, and must be supplied if software_title_id is set.
os_version_id	integer	query	The ID of the operating system version to filter hosts by.
os_name	string	query	The name of the operating system to filter hosts by. os_version must also be specified with os_name
os_version	string	query	The version of the operating system to filter hosts by. os_name must also be specified with os_version
vulnerability	string	query	The cve to filter hosts by (including "cve-" prefix, case-insensitive).
device_mapping	boolean	query	Indicates whether device_mapping should be included for each host.
mdm_id	integer	query	The ID of the mobile device management (MDM) solution to filter hosts by (that is, filter hosts that use a specific MDM provider and URL).
mdm_name	string	query	The name of the mobile device management (MDM) solution to filter hosts by (that is, filter hosts that use a specific MDM provider).
mdm_enrollment_status	string	query	The mobile device management (MDM) enrollment status to filter hosts by. Valid options are 'manual', 'automatic', 'enrolled', 'pending', or 'unenrolled'. 'pending' only includes Apple (macOS, iOS, iPadOS) hosts in Apple Business Manager (ABM) that are not yet enrolled to Fleet.
connected_to_fleet	boolean	query	Filter hosts that are talking to this Fleet server for MDM features. In rare cases, hosts can be enrolled to one Fleet server but talk to a different Fleet server for MDM features. In this case, the value would be false. Always false for Linux hosts.
macos_settings	string	query	Filters the hosts by the status of the mobile device management (MDM) profiles applied to hosts. Valid options are 'verified', 'verifying', 'pending', or 'failed'. Note: If this filter is used in Fleet Premium without a fleet ID filter, the results include only "Unassigned" hosts.
munki_issue_id	integer	query	The ID of the munki issue (a Munki-reported error or warning message) to filter hosts by (that is, filter hosts that are affected by that corresponding error or warning message).
low_disk_space	integer	query	Available in Fleet Premium. Filters the hosts to only include hosts with less GB of disk space available than this value. Must be a number between 1-100.
disable_failing_policies	boolean	query	If true, hosts will return failing policies as 0 regardless of whether there are any that failed for the host. This is meant to be used when increased performance is needed in exchange for the extra information.
macos_settings_disk_encryption	string	query	Filters the hosts by disk encryption status. Valid options are 'verified', 'verifying', 'action_required', 'enforcing', 'failed', or 'removing_enforcement'.
bootstrap_package	string	query	Available in Fleet Premium. Filters the hosts by the status of the MDM bootstrap package on the host. Valid options are 'installed', 'pending', or 'failed'.
os_settings	string	query	Filters the hosts by the status of the operating system settings applied to the hosts. Valid options are 'verified', 'verifying', 'pending', or 'failed'. Note: If this filter is used in Fleet Premium without a fleet ID filter, the results include only "Unassigned" hosts.
os_settings_disk_encryption	string	query	Filters the hosts by disk encryption status. Valid options are 'verified', 'verifying', 'action_required', 'enforcing', 'failed', or 'removing_enforcement'. Note: If this filter is used in Fleet Premium without a fleet ID filter, the results include only "Unassigned" hosts.
populate_software	string	query	If false (or omitted), omits installed software details for each host. If "without_vulnerability_details", include a list of installed software for each host, including which CVEs apply to the installed software versions. true adds vulnerability description, CVSS score, and other details when using Fleet Premium. See notes below on performance.
populate_policies	boolean	query	If true, the response will include policy data for each host, including Fleet-maintained policies.
populate_users	boolean	query	If true, the response will include user data for each host.
populate_labels	boolean	query	If true, the response will include labels for each host.
include_device_status	boolean	query	If true, the response will include lock and wipe status (mdm.device_status) and mdm.pending_action information for each host.
profile_uuid	string	query	Requires profile_status. The UUID of the profile to download.
profile_status	string	query	Requires profile_uuid. Valid options are 'verified', 'verifying', 'pending', or 'failed'.

software_id is deprecated as of Fleet 4.42. It is maintained for backwards compatibility. Please use the software_version_id instead.

populate_software returns a lot of data per host when set, and drastically more data when set to true on Fleet Premium. If you need vulnerability details for a large number of hosts, consider setting populate_software to without_vulnerability_details and pulling vulnerability details from the Get vulnerability endpoint, as this returns details once per vulnerability rather than once per vulnerability per host.

If software_title_id is specified, an additional top-level key "software_title" is returned with the software title object corresponding to the software_title_id. See List software response payload for details about this object.

If software_version_id is specified, an additional top-level key "software" is returned with the software object corresponding to the software_version_id. See List software versions response payload for details about this object.

If additional_info_filters is not specified, no additional information will be returned.

If mdm_id is specified, an additional top-level key "mobile_device_management_solution" is returned with the information corresponding to the mdm_id.

If mdm_id, mdm_name, mdm_enrollment_status, os_settings, or os_settings_disk_encryption is specified, then Windows Servers are excluded from the results.

If munki_issue_id is specified, an additional top-level key munki_issue is returned with the information corresponding to the munki_issue_id.

If after is being used with created_at or updated_at, the table must be specified in order_key. Those columns become h.created_at and h.updated_at.

If include_device_status is set to true, device_status and pending_action are included in the MDM information for each host. device_status indicates the current lock/wipe state of the device with possible values: unlocked, locked, locking, unlocking, wiped, wiping. pending_action indicates if a lock, unlock, or wipe command is pending with possible values: lock, unlock, wipe, or an empty string (no pending action).

To filter hosts by platform (macOS, Windows, Linux), use the "List label's hosts" API endpoint. Find the label ID by filtering in the Hosts page of the Fleet UI and copying the ID from the URL (for example: 7 for /hosts/manage/labels/7).

Example

GET /api/v1/fleet/hosts?page=0&per_page=100&order_key=hostname&query=2ce&populate_software=true&populate_policies=true&populate_users=true&populate_labels=true&include_device_status=true

Request query parameters

{
  "page": 0,
  "per_page": 100,
  "order_key": "hostname"
}

Default response

Status: 200

{
  "hosts": [
    {
      "created_at": "2020-11-05T05:09:44Z",
      "updated_at": "2020-11-05T06:03:39Z",
      "id": 1,
      "detail_updated_at": "2020-11-05T05:09:45Z",
      "last_restarted_at": "2020-11-01T03:01:45Z",
      "software_updated_at": "2020-11-05T05:09:44Z",
      "label_updated_at": "2020-11-05T05:14:51Z",
      "policy_updated_at": "2023-06-26T18:33:15Z",
      "last_enrolled_at": "2023-02-26T22:33:12Z",
      "seen_time": "2020-11-05T06:03:39Z",
      "hostname": "Annas-MacBook-Pro.local",
      "uuid": "392547dc-0000-0000-a87a-d701ff75bc65",
      "platform": "darwin",
      "osquery_version": "5.15.0",
      "os_version": "macOS 15.2",
      "build": "24C101",
      "platform_like": "darwin",
      "code_name": "",
      "uptime": 8305000000000,
      "memory": 2084032512,
      "cpu_type": "arm64e",
      "cpu_subtype": "ARM64E",
      "cpu_brand": "Apple M1",
      "cpu_physical_cores": 8,
      "cpu_logical_cores": 8,
      "hardware_vendor": "Apple Inc.",
      "hardware_model": "MacBookPro17,1",
      "hardware_version": "",
      "hardware_serial": "C0124FXASD6G",
      "computer_name": "Anna's MacBook Pro",
      "timezone": null,
      "display_name": "Anna's MacBook Pro",
      "public_ip": "123.45.678.910",
      "primary_ip": "192.12.345.678",
      "primary_mac": "36:34:a5:6b:7b:5c",
      "distributed_interval": 10,
      "config_tls_refresh": 10,
      "logger_tls_period": 8,
      "status": "offline",
      "display_text": "Annas-MacBook-Pro.local",
      "team_id": null,
      "fleet_id": null,
      "team_name": null,
      "fleet_name": null,
      "gigs_disk_space_available": 174.98,
      "percent_disk_space_available": 71,
      "gigs_total_disk_space": 246,
      "additional": {},
      "pack_stats": [
        {
          "pack_id": 0,
          "pack_name": "Global",
          "type": "global",
          "query_stats": [
            {
            "scheduled_query_name": "Get recently added or removed USB drives",
            "scheduled_query_id": 5535,
            "query_name": "Get recently added or removed USB drives",
            "discard_data": false,
            "last_fetched": null,
            "automations_enabled": false,
            "description": "Returns a record every time a USB device is plugged in or removed",
            "pack_name": "Global",
            "average_memory": 434176,
            "denylisted": false,
            "executions": 2,
            "interval": 86400,
            "last_executed": "2023-11-28T00:02:07Z",
            "output_size": 891,
            "system_time": 10,
            "user_time": 6,
            "wall_time": 0
            }
          ]
        }
      ],
      "issues": {
        "failing_policies_count": 1,
        "critical_vulnerabilities_count": 2, // Fleet Premium only
        "total_issues_count": 3
      },
      "geolocation": {
        "country_iso": "US",
        "city_name": "New York",
        "geometry": {
          "type": "point",
          "coordinates": [40.6799, -74.0028]
        }
      },
      "mdm": {
        "encryption_key_available": false,
        "enrollment_status": "Pending",
        "dep_profile_error": true,
        "name": "Fleet",
        "server_url": "https://example.fleetdm.com/mdm/apple/mdm",
        "device_status": "unlocked",
        "pending_action": ""
      },
      "software": [
        {
          "id": 1,
          "name": "glibc",
          "version": "2.12",
          "source": "rpm_packages",
          "generated_cpe": "cpe:2.3:a:gnu:glibc:2.12:*:*:*:*:*:*:*",
          "last_opened_at": "2021-08-18T21:14:00Z",
          "vulnerabilities": [
            {
              "cve": "CVE-2009-5155",
              "details_link": "https://nvd.nist.gov/vuln/detail/CVE-2009-5155",
              "cvss_score": 7.5, // Fleet Premium only
              "epss_probability": 0.01537, // Fleet Premium only
              "cisa_known_exploit": false, // Fleet Premium only
              "cve_published": "2022-01-01 12:32:00", // Fleet Premium only
              "cve_description": "In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.", // Fleet Premium only
              "resolved_in_version": "2.28" // Fleet Premium only
            }
          ],
          "installed_paths": ["/usr/lib/some-path-1"]
        }
      ],
      "policies": [
        {
          "id": 1,
          "name": "Gatekeeper enabled",
          "query": "SELECT 1 FROM gatekeeper WHERE assessments_enabled = 1;",
          "description": "Checks if gatekeeper is enabled on macOS devices",
          "resolution": "Fix with these steps...",
          "platform": "darwin",
          "response": "fail",
          "fleet_maintained": true,
          "critical": false
        }
      ],
      "users": [
        {
          "uid": 0,
          "username": "root",
          "type": "",
          "groupname": "root",
          "shell": "/bin/bash"
        },
        {
          "uid": 1,
          "username": "bin",
          "type": "",
          "groupname": "bin",
          "shell": "/sbin/nologin"
        }
      ],
      "labels": [
        {
          "created_at": "2021-08-19T02:02:17Z",
          "updated_at": "2021-08-19T02:02:17Z",
          "id": 6,
          "name": "All Hosts",
          "description": "All hosts which have enrolled in Fleet",
          "query": "SELECT 1;",
          "platform": "",
          "label_type": "builtin",
          "label_membership_type": "dynamic"
        },
        {
          "created_at": "2021-08-19T02:02:17Z",
          "updated_at": "2021-08-19T02:02:17Z",
          "id": 9,
          "name": "CentOS Linux",
          "description": "All CentOS hosts",
          "query": "SELECT 1 FROM os_version WHERE platform = 'centos' OR name LIKE '%centos%'",
          "platform": "",
          "label_type": "builtin",
          "label_membership_type": "dynamic"
        },
        {
          "created_at": "2021-08-19T02:02:17Z",
          "updated_at": "2021-08-19T02:02:17Z",
          "id": 12,
          "name": "All Linux",
          "description": "All Linux distributions",
          "query": "SELECT 1 FROM osquery_info WHERE build_platform LIKE '%ubuntu%' OR build_distro LIKE '%centos%';",
          "platform": "",
          "label_type": "builtin",
          "label_membership_type": "dynamic"
        }
      ]
    }
  ]
}

Note: the response above assumes a GeoIP database is configured, otherwise the geolocation object won't be included.

Response payload with the mdm_id filter provided:

{
  "hosts": [...],
  "mobile_device_management_solution": {
    "server_url": "http://some.url/mdm",
    "name": "MDM Vendor Name",
    "id": 999
  }
}

Response payload with the munki_issue_id filter provided:

{
  "hosts": [...],
  "munki_issue": {
    "id": 1,
    "name": "Could not retrieve managed install primary manifest",
    "type": "error"
  }
}

Count hosts

GET /api/v1/fleet/hosts/count

Parameters

Name	Type	In	Description
order_key	string	query	What to order results by. Can be any column in the hosts table.
order_direction	string	query	Requires order_key. The direction of the order given the order key. Options include "asc" and "desc". Default is "asc".
after	string	query	The value to get results after. This needs order_key defined, as that's the column that would be used.
status	string	query	Indicates the status of the hosts to return. Can either be 'new', 'online', 'offline', 'mia' or 'missing'.
query	string	query	Search query keywords. Searchable fields include hostname, hardware_serial, uuid, ipv4, and end user email addresses.
fleet_id	integer	query	Available in Fleet Premium. Filters the hosts to only include hosts in the specified fleet.
policy_id	integer	query	The ID of the policy to filter hosts by.
policy_response	string	query	Requires policy_id. Valid options are 'passing' or 'failing'.
software_version_id	integer	query	The ID of the software version to filter hosts by.
software_title_id	integer	query	The ID of the software title to filter hosts by.
os_version_id	integer	query	The ID of the operating system version to filter hosts by.
os_name	string	query	The name of the operating system to filter hosts by. os_version must also be specified with os_name
os_version	string	query	The version of the operating system to filter hosts by. os_name must also be specified with os_version
vulnerability	string	query	The cve to filter hosts by (including "cve-" prefix, case-insensitive).
label_id	integer	query	A valid label ID. Can only be used in combination with order_key, order_direction, after, status, query and fleet_id.
mdm_id	integer	query	The ID of the mobile device management (MDM) solution to filter hosts by (that is, filter hosts that use a specific MDM provider and URL).
mdm_name	string	query	The name of the mobile device management (MDM) solution to filter hosts by (that is, filter hosts that use a specific MDM provider).
mdm_enrollment_status	string	query	The mobile device management (MDM) enrollment status to filter hosts by. Valid options are 'manual', 'automatic', 'enrolled', 'pending', or 'unenrolled'. 'pending' only includes Apple (macOS, iOS, iPadOS) hosts in Apple Business Manager (ABM) that are not yet enrolled to Fleet.
macos_settings	string	query	Filters the hosts by the status of the mobile device management (MDM) profiles applied to hosts. Valid options are 'verified', 'verifying', 'pending', or 'failed'. Note: If this filter is used in Fleet Premium without a fleet ID filter, the results include only "Unassigned" hosts.
munki_issue_id	integer	query	The ID of the munki issue (a Munki-reported error or warning message) to filter hosts by (that is, filter hosts that are affected by that corresponding error or warning message).
low_disk_space	integer	query	Available in Fleet Premium. Filters the hosts to only include hosts with less GB of disk space available than this value. Must be a number between 1-100.
macos_settings_disk_encryption	string	query	Filters the hosts by disk encryption status. Valid options are 'verified', 'verifying', 'action_required', 'enforcing', 'failed', or 'removing_enforcement'.
bootstrap_package	string	query	Available in Fleet Premium. Filters the hosts by the status of the MDM bootstrap package on the host. Valid options are 'installed', 'pending', or 'failed'. Note: If this filter is used in Fleet Premium without a fleet ID filter, the results include only "Unassigned" hosts.
os_settings	string	query	Filters the hosts by the status of the operating system settings applied to the hosts. Valid options are 'verified', 'verifying', 'pending', or 'failed'. Note: If this filter is used in Fleet Premium without a fleet ID filter, the results include only "Unassigned" hosts.
os_settings_disk_encryption	string	query	Filters the hosts by disk encryption status. Valid options are 'verified', 'verifying', 'action_required', 'enforcing', 'failed', or 'removing_enforcement'. Note: If this filter is used in Fleet Premium without a fleet ID filter, the results include only "Unassigned" hosts.

If additional_info_filters is not specified, no additional information will be returned.

If mdm_id, mdm_name or mdm_enrollment_status is specified, then Windows Servers are excluded from the results.

Example

GET /api/v1/fleet/hosts/count?page=0&per_page=100&order_key=hostname&query=2ce

Request query parameters

{
  "page": 0,
  "per_page": 100,
  "order_key": "hostname"
}

Default response

Status: 200

{
  "count": 123
}

Get hosts summary

Returns the count of all hosts organized by status. online_count includes all hosts currently enrolled in Fleet. offline_count includes all hosts that haven't checked into Fleet recently. mia_count includes all hosts that haven't been seen by Fleet in more than 30 days. new_count includes the hosts that have been enrolled to Fleet in the last 24 hours.

GET /api/v1/fleet/host_summary

Parameters

Name	Type	In	Description
fleet_id	integer	query	Available in Fleet Premium. The ID of the fleet whose host counts should be included. Defaults to all fleets.
platform	string	query	Platform to filter by when counting. Defaults to all platforms.
low_disk_space	integer	query	Available in Fleet Premium. Returns the count of hosts with less GB of disk space available than this value. Must be a number between 1-100.

Example

GET /api/v1/fleet/host_summary?fleet_id=1&low_disk_space=32

Default response

Status: 200

{
  "team_id": 1,
  "fleet_id": 1,
  "totals_hosts_count": 2408,
  "online_count": 2267,
  "offline_count": 141,
  "mia_count": 0,
  "missing_30_days_count": 0,
  "new_count": 0,
  "all_linux_count": 1204,
  "low_disk_space_count": 12,
  "builtin_labels": [
    {
      "id": 6,
      "name": "All Hosts",
      "description": "All hosts which have enrolled in Fleet",
      "label_type": "builtin"
    },
    {
      "id": 7,
      "name": "macOS",
      "description": "All macOS hosts",
      "label_type": "builtin"
    },
    {
      "id": 8,
      "name": "Ubuntu Linux",
      "description": "All Ubuntu hosts",
      "label_type": "builtin"
    },
    {
      "id": 9,
      "name": "CentOS Linux",
      "description": "All CentOS hosts",
      "label_type": "builtin"
    },
    {
      "id": 10,
      "name": "MS Windows",
      "description": "All Windows hosts",
      "label_type": "builtin"
    },
    {
      "id": 11,
      "name": "Red Hat Linux",
      "description": "All Red Hat Enterprise Linux hosts",
      "label_type": "builtin"
    },
    {
      "id": 12,
      "name": "All Linux",
      "description": "All Linux distributions",
      "label_type": "builtin"
    },
    {
      "id": 13,
      "name": "iOS",
      "description": "All iOS hosts",
      "label_type": "builtin"
    },
    {
      "id": 14,
      "name": "iPadOS",
      "description": "All iPadOS hosts",
      "label_type": "builtin"
    },
    {
      "id": 15,
      "name": "Fedora Linux",
      "description": "All Fedora hosts",
      "label_type": "builtin"
    },
    {
      "id": 16,
      "name": "Android",
      "description": "All Android hosts",
      "label_type": "builtin"
    }
  ],
  "platforms": [
    {
      "platform": "chrome",
      "hosts_count": 1234
    },
    {
      "platform": "darwin",
      "hosts_count": 1234
    },
    {
      "platform": "ios",
      "hosts_count": 1234
    },
    {
      "platform": "ipados",
      "hosts_count": 1234
    },
    {
      "platform": "rhel",
      "hosts_count": 1234
    },
    {
      "platform": "ubuntu",
      "hosts_count": 12044
    },
    {
      "platform": "windows",
      "hosts_count": 12044
    },
    {
      "platform": "Android",
      "hosts_count": 200
    }
  ]
}

Get host

Returns the information of the specified host.

GET /api/v1/fleet/hosts/:id

Parameters

Name	Type	In	Description
id	integer	path	Required. The host's id.
exclude_software	boolean	query	If true, the response will not include a list of installed software for the host.
exclude_fleet_maintained_policies	boolean	query	If true, will omit Fleet-maintained policies from the policies list.

Example

GET /api/v1/fleet/hosts/121

Default response

Status: 200

{
  "host": {
    "created_at": "2021-08-19T02:02:22Z",
    "updated_at": "2021-08-19T21:14:58Z",
    "id": 1,
    "detail_updated_at": "2021-08-19T21:07:53Z",
    "last_restarted_at": "2020-11-01T03:01:45Z",
    "software_updated_at": "2020-11-05T05:09:44Z",
    "label_updated_at": "2021-08-19T21:07:53Z",
    "policy_updated_at": "2023-06-26T18:33:15Z",
    "last_enrolled_at": "2021-08-19T02:02:22Z",
    "last_mdm_checked_in_at": "2023-02-26T22:33:12Z",
    "last_mdm_enrolled_at": "2023-02-26T22:33:12Z",
    "seen_time": "2021-08-19T21:14:58Z",
    "refetch_requested": false,
    "hostname": "Annas-MacBook-Pro.local",
    "uuid": "309a4b7d-0000-0000-8e7f-26ae0815ede8",
    "platform": "darwin",
    "osquery_version": "5.15.0",
    "orbit_version": "1.22.0",
    "fleet_desktop_version": "1.22.0",
    "scripts_enabled": true,
    "os_version": "macOS 15.2",
    "build": "24C101",
    "platform_like": "darwin",
    "code_name": "",
    "uptime": 210671000000000,
    "memory": 16788398080,
    "cpu_type": "arm64e",
    "cpu_subtype": "ARM64E",
    "cpu_brand": "Apple M1",
    "cpu_physical_cores": 8,
    "cpu_logical_cores": 8,
    "hardware_vendor": "Apple Inc.",
    "hardware_model": "MacBookPro17,1",
    "hardware_version": "",
    "hardware_serial": "C0124FXASD6G",
    "computer_name": "Anna's MacBook Pro",
    "timezone": null,
    "display_name": "Anna's MacBook Pro",
    "public_ip": "123.45.678.910",
    "primary_ip": "172.27.0.6",
    "primary_mac": "02:42:ac:1b:00:06",
    "distributed_interval": 10,
    "config_tls_refresh": 10,
    "logger_tls_period": 10,
    "team_id": null,
    "fleet_id": null,
    "pack_stats": null,
    "team_name": null,
    "fleet_name": null,
    "gigs_disk_space_available": 174.98,
    "percent_disk_space_available": 71,
    "gigs_total_disk_space": 246,
    "disk_encryption_enabled": true,
    "status": "online",
    "display_text": "Annas-MacBook-Pro.local",
    "additional": {},
    "issues": {
      "failing_policies_count": 1,
      "critical_vulnerabilities_count": 2, // Available in Fleet Premium
      "total_issues_count": 3
    },
    "batteries": [
      {
        "cycle_count": 999,
        "health": "Normal"
      }
    ],
    "geolocation": {
      "country_iso": "US",
      "city_name": "New York",
      "geometry": {
        "type": "point",
        "coordinates": [40.6799, -74.0028]
      }
    },
    "maintenance_window": {
      "starts_at": "2024-06-18T13:27:18−04:00",
      "timezone": "America/New_York"
    },
    "users": [
      {
        "uid": 0,
        "username": "root",
        "type": "",
        "groupname": "root",
        "shell": "/bin/sh"
      },
      {
        "uid": 1,
        "username": "annachao",
        "type": "",
        "groupname": "staff",
        "shell": "/bin/zsh"
      }
    ],
    "end_users": [
      {
        "idp_info_updated_at": "2025-03-20T02:02:17Z",
        "idp_id": "f26f8649-1e25-42c5-be71-1b1e6de56d3d",
        "idp_username": "anna@acme.com",
        "idp_full_name": "Anna Chao",
        "idp_department": "Product",
        "idp_groups": [
          "Product",
          "Designers"
        ],
        "other_emails": [
          {
            "email": "anna@example.com",
            "source": "google_chrome_profiles"
          },
          {
            "email": "anna@example.com",
            "source": "custom"
          }
        ]
      }
    ],
    "labels": [
      {
        "created_at": "2021-08-19T02:02:17Z",
        "updated_at": "2021-08-19T02:02:17Z",
        "id": 6,
        "name": "All Hosts",
        "description": "All hosts which have enrolled in Fleet",
        "query": "SELECT 1;",
        "platform": "",
        "label_type": "builtin",
        "label_membership_type": "dynamic"
      },
      {
        "created_at": "2021-08-19T02:02:17Z",
        "updated_at": "2021-08-19T02:02:17Z",
        "id": 9,
        "name": "macOS",
        "description": "All macOS hosts",
        "query": "select 1 from os_version where platform = 'darwin';",
        "platform": "",
        "label_type": "builtin",
        "label_membership_type": "dynamic"
      },
      {
        "created_at": "2021-08-19T02:02:17Z",
        "updated_at": "2021-08-19T02:02:17Z",
        "id": 12,
        "name": "Hosts with Chrome installed",
        "description": "",
        "query": "SELECT * FROM apps WHERE name LIKE \"%Chrome%\"",
        "platform": "",
        "label_type": "regular",
        "label_membership_type": "dynamic"
      }
    ],
    "packs": [],
    "policies": [
      {
        "id": 2,
        "name": "SomeQuery2",
        "query": "SELECT * FROM bar;",
        "description": "this is another query",
        "resolution": "fix with these other steps...",
        "platform": "darwin",
        "response": "fail",
        "critical": false,
      },
      {
        "id": 3,
        "name": "SomeQuery3",
        "query": "SELECT * FROM baz;",
        "description": "",
        "resolution": "",
        "platform": "",
        "response": "",
        "critical": false,
      },
      {
        "id": 1,
        "name": "SomeQuery",
        "query": "SELECT * FROM foo;",
        "description": "this is a query",
        "resolution": "fix with these steps...",
        "platform": "windows,linux",
        "response": "pass",
        "critical": false,
      }
    ],
    "software": [
      {
        "id": 321,
        "name": "macOSApp",
        "version": "1.0",
        "source": "apps",
        "bundle_identifier": "com.some.app",
        "last_opened_at": "2021-08-18T21:14:00Z",
        "generated_cpe": "",
        "vulnerabilities": null,
        "installed_paths": ["/usr/lib/some-path-2"]
      },
      {
        "id": 322,
        "name": "Windows",
        "version": "1.0",
        "source": "programs",
        "upgrade_code": "{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}",
        "last_opened_at": "2021-08-18T21:14:00Z",
        "generated_cpe": "",
        "vulnerabilities": null,
        "installed_paths": ["/usr/lib/some-path-2"]
      },
    ],
    "mdm": {
      "encryption_key_available": true,
      "enrollment_status": "On (manual)",
      "name": "Fleet",
      "connected_to_fleet": true,
      "server_url": "https://acme.com/mdm/apple/mdm",
      "device_status": "unlocked",
      "pending_action": "",
      "macos_settings": {
        "disk_encryption": "verified",
        "action_required": null
      },
      "macos_setup": {
        "bootstrap_package_status": "installed",
        "detail": "",
        "bootstrap_package_name": "test.pkg"
      },
      "os_settings": {
        "disk_encryption": {
          "status": "verified",
          "detail": ""
        }
      },
      "profiles": [
        {
          "profile_uuid": "954ec5ea-a334-4825-87b3-937e7e381f24",
          "name": "profile1",
          "status": "verifying",
          "operation_type": "install",
          "scope": "device",
          "managed_local_account": "",
          "detail": ""
        }
      ]
    }
  }
}

browser and extension_for fields are included when set and when empty. extension_for shows the browser or Visual Studio Code fork associated with the extension, allowing for differentiation between e.g. an extension installed on Visual Studio Code and one installed on Cursor. browser is deprecated, and only shows this information for browser plugins.

Note: the response above assumes a GeoIP database is configured, otherwise the geolocation object won't be included.

Note: installed_paths may be blank depending on installer package. For example, on Linux, RPM-installed packages do not provide installed path information.

Note: signature_information is only set for macOS (.app) applications.

Note:

• orbit_version: null means this agent is not a fleetd agent
• fleet_desktop_version: null means this agent is not a fleetd agent, or this agent is version <=1.23.0 which is not collecting the desktop version
• fleet_desktop_version: "" means this agent is a fleetd agent but does not have fleet desktop
• scripts_enabled: null means this agent is not a fleetd agent, or this agent is version <=1.23.0 which is not collecting the scripts enabled info

Note: Get human-device mapping is deprecated as of Fleet 4.67.0. It is maintained for backwards compatibility. Please use the Get host endpoint to get human-device mapping.

Note: For iOS, iPadOS, and Android hosts with ⁠mdm.enrollment_status set to "On (personal)", ⁠hardware_serial and ⁠uuid represent a temporary enrollment ID. For Android work profile, this is what Google calls an enterprise-specific ID.

Get host by identifier

Returns the information of the host specified using the hostname, uuid, or hardware_serial as an identifier.

If hostname is specified when there is more than one host with the same hostname, the endpoint returns the first matching host.

In Fleet, hostnames are fully qualified domain names (FQDNs). hostname (e.g. johns-macbook-air.local) is not the same as display_name (e.g. John's MacBook Air).

GET /api/v1/fleet/hosts/identifier/:identifier

Parameters

Name	Type	In	Description
identifier	string	path	Required. The host's hostname, uuid, or hardware_serial.
exclude_software	boolean	query	If true, the response will not include a list of installed software for the host.
exclude_fleet_maintained_policies	boolean	query	If true, will omit Fleet-maintained policies from the policies list.

Example

GET /api/v1/fleet/hosts/identifier/392547dc-0000-0000-a87a-d701ff75bc65

Default response

Status: 200

{
  "host": {
    "created_at": "2022-02-10T02:29:13Z",
    "updated_at": "2022-10-14T17:07:11Z",
    "id": 33,
    "detail_updated_at": "2022-10-14T17:07:12Z",
    "label_updated_at": "2022-10-14T17:07:12Z",
    "policy_updated_at": "2022-10-14T17:07:12Z",
    "last_enrolled_at": "2022-02-10T02:29:13Z",
    "last_mdm_checked_in_at": "2023-02-26T22:33:12Z",
    "last_mdm_enrolled_at": "2023-02-26T22:33:12Z",
    "software_updated_at": "2020-11-05T05:09:44Z",
    "seen_time": "2022-10-14T17:45:41Z",
    "refetch_requested": false,
    "hostname": "23cfc9caacf0",
    "uuid": "392547dc-0000-0000-a87a-d701ff75bc65",
    "platform": "ubuntu",
    "osquery_version": "5.5.1",
    "os_version": "Ubuntu 20.04.3 LTS",
    "build": "",
    "platform_like": "debian",
    "code_name": "focal",
    "uptime": 20807520000000000,
    "memory": 1024360448,
    "cpu_type": "x86_64",
    "cpu_subtype": "63",
    "cpu_brand": "DO-Regular",
    "cpu_physical_cores": 1,
    "cpu_logical_cores": 1,
    "hardware_vendor": "",
    "hardware_model": "",
    "hardware_version": "",
    "hardware_serial": "",
    "computer_name": "23cfc9caacf0",
    "timezone": null,
    "public_ip": "",
    "primary_ip": "172.27.0.6",
    "primary_mac": "02:42:ac:1b:00:06",
    "distributed_interval": 10,
    "config_tls_refresh": 60,
    "logger_tls_period": 10,
    "team_id": 2,
    "fleet_id": 2,
    "team_name": null,
    "fleet_name": null,
    "gigs_disk_space_available": 19.29,
    "percent_disk_space_available": 74,
    "gigs_total_disk_space": 192,
    "issues": {
      "failing_policies_count": 1,
      "critical_vulnerabilities_count": 2, // Fleet Premium only
      "total_issues_count": 3
    },
    "batteries": [
      {
        "cycle_count": 999,
        "health": "Normal"
      }
    ],
    "geolocation": {
      "country_iso": "US",
      "city_name": "New York",
      "geometry": {
        "type": "point",
        "coordinates": [40.6799, -74.0028]
      }
    },
    "pack_stats": [
      {
        "pack_id": 1,
        "pack_name": "Global",
        "type": "global",
        "query_stats": [
          {
            "scheduled_query_name": "Get running processes (with user_name)",
            "scheduled_query_id": 49,
            "query_name": "Get running processes (with user_name)",
            "pack_name": "Global",
            "pack_id": 1,
            "average_memory": 260000,
            "denylisted": false,
            "executions": 1,
            "interval": 86400,
            "last_executed": "2022-10-14T10:00:01Z",
            "output_size": 198,
            "system_time": 20,
            "user_time": 80,
            "wall_time": 0
          }
        ]
      }
    ],
    "labels": [
      {
        "created_at": "2021-09-14T05:11:02Z",
        "updated_at": "2021-09-14T05:11:02Z",
        "id": 12,
        "name": "All Linux",
        "description": "All Linux distributions",
        "query": "SELECT 1 FROM osquery_info WHERE build_platform LIKE '%ubuntu%' OR build_distro LIKE '%centos%';",
        "platform": "",
        "label_type": "builtin",
        "label_membership_type": "dynamic"
      }
    ],
    "packs": [
      {
        "created_at": "2021-09-17T05:28:54Z",
        "updated_at": "2021-09-17T05:28:54Z",
        "id": 1,
        "name": "Global",
        "description": "Global pack",
        "disabled": false,
        "type": "global",
        "labels": null,
        "label_ids": null,
        "hosts": null,
        "host_ids": null,
        "teams": null,
        "fleet": null,
        "team_ids": null,
        "fleet_ids": null
      }
    ],
    "policies": [
      {
        "id": 142,
        "name": "Full disk encryption enabled (macOS)",
        "query": "SELECT 1 FROM disk_encryption WHERE user_uuid IS NOT '' AND filevault_status = 'on' LIMIT 1;",
        "description": "Checks to make sure that full disk encryption (FileVault) is enabled on macOS devices.",
        "author_id": 31,
        "author_name": "",
        "author_email": "",
        "team_id": null,
        "fleet_id": null,
        "resolution": "To enable full disk encryption, on the failing device, select System Preferences > Security & Privacy > FileVault > Turn On FileVault.",
        "platform": "darwin,linux",
        "created_at": "2022-09-02T18:52:19Z",
        "updated_at": "2022-09-02T18:52:19Z",
        "response": "fail",
        "critical": false,
      }
    ],
    "software": [
      {
        "id": 16923,
        "name": "Automat",
        "version": "0.8.0",
        "source": "python_packages",
        "browser": "",
        "extension_for": "",
        "generated_cpe": "",
        "vulnerabilities": null,
        "installed_paths": ["/usr/lib/some_path/"]
      }
    ],
    "mdm": {
      "encryption_key_available": false,
      "enrollment_status": null,
      "name": "",
      "server_url": null,
      "device_status": "unlocked",
      "pending_action": "lock",
      "macos_settings": {
        "disk_encryption": null,
        "action_required": null
      },
      "macos_setup": {
        "bootstrap_package_status": "installed",
        "detail": ""
      },
      "os_settings": {
        "disk_encryption": {
          "status": null,
          "detail": ""
        }
      },
      "profiles": [
        {
          "profile_uuid": "954ec5ea-a334-4825-87b3-937e7e381f24",
          "name": "profile1",
          "status": "verifying",
          "operation_type": "install",
          "scope": "device",
          "managed_local_account": "",
          "detail": ""
        }
      ]
    }
  }
}

Note: the response above assumes a GeoIP database is configured, otherwise the geolocation object won't be included.

Note: installed_paths may be blank depending on installer package. For example, on Linux, RPM-installed packages do not provide installed path information.

browser and extension_for fields are included when set and when empty. extension_for will show the browser or Visual Studio Code fork associated with the extension, allowing for differentiation between e.g. an extension installed on Visual Studio Code and one installed on Cursor. browser is deprecated, and only shows this information for browser plugins.

Get host by Fleet Desktop token

Returns a subset of information about the host specified by token. To get all information about a host, use the "Get host" endpoint.

This is the API route used by the My device page in Fleet Desktop to display information about the host to the end user.

This endpoint doesn't require API token authentication. Authentication on macOS, Windows, and Linux is enforced by generating a random UUID that rotates hourly. On iOS and iPadOS, authentication requires the Fleet identity SCEP certificate. This certificate is deployed to iOS/iPadOS hosts when they enroll to Fleet.

GET /api/v1/fleet/device/:token

Parameters

Name	Type	In	Description
token	string	path	The host's Fleet Desktop token. For macOS, Windows, and Linux, this is a random UUID that rotates hourly. For iOS and iPadOS, this is the host's hardware UUID.

Request headers

This endpoint accepts the X-Client-Cert-Serial header for authentication in addition to token authentication.

The Authorization header must be formatted as follows:

X-Client-Cert-Serial: <fleet_identity_scep_cert_serial>

Example

GET /api/v1/fleet/device/abcdef012456789

Default response

Status: 200

{
  "host": {
    "created_at": "2021-08-19T02:02:22Z",
    "updated_at": "2021-08-19T21:14:58Z",
    "id": 1,
    "detail_updated_at": "2021-08-19T21:07:53Z",
    "label_updated_at": "2021-08-19T21:07:53Z",
    "last_enrolled_at": "2021-08-19T02:02:22Z",
    "last_mdm_checked_in_at": "2023-02-26T22:33:12Z",
    "last_mdm_enrolled_at": "2023-02-26T22:33:12Z",
    "seen_time": "2021-08-19T21:14:58Z",
    "refetch_requested": false,
    "hostname": "Annas-MacBook-Pro.local",
    "uuid": "309a4b7d-0000-0000-8e7f-26ae0815ede8",
    "platform": "darwin",
    "osquery_version": "5.15.0",
    "os_version": "macOS 15.2",
    "build": "24C101",
    "platform_like": "darwin",
    "code_name": "",
    "uptime": 210671000000000,
    "memory": 16788398080,
    "cpu_type": "arm64e",
    "cpu_subtype": "ARM64E",
    "cpu_brand": "Apple M1",
    "cpu_physical_cores": 8,
    "cpu_logical_cores": 8,
    "hardware_vendor": "Apple Inc.",
    "hardware_model": "MacBookPro17,1",
    "hardware_version": "",
    "hardware_serial": "",
    "computer_name": "Anna's MacBook Pro",
    "timezone": null,
    "display_name": "Anna's MacBook Pro",
    "public_ip": "123.45.678.910",
    "primary_ip": "192.12.345.678",
    "primary_mac": "36:34:a5:6b:7b:5c",
    "distributed_interval": 10,
    "config_tls_refresh": 10,
    "logger_tls_period": 10,
    "team_id": null,
    "fleet_id": null,
    "pack_stats": null,
    "team_name": null,
    "fleet_name": null,
    "additional": {},
    "gigs_disk_space_available": 174.98,
    "percent_disk_space_available": 71,
    "gigs_total_disk_space": 246,
    "disk_encryption_enabled": true,
    "dep_assigned_to_fleet": false,
    "status": "online",
    "display_text": "Annas-MacBook-Pro.local",
    "self_service": true,
    "org_logo_url": "https://example.com/logo.jpg",
    "conditional_access_bypassed": false,
    "license": {
      "tier": "free",
      "expiration": "2031-01-01T00:00:00Z"
    },
    "global_config": {
      "mdm": {
        "enabled_and_configured": false
      }
    },
    "batteries": [
      {
        "cycle_count": 999,
        "health": "Good"
      }
    ],
    "users": [
      {
        "uid": 0,
        "username": "root",
        "type": "",
        "groupname": "root",
        "shell": "/bin/sh"
      },
      {
        "uid": 1,
        "username": "annachao",
        "type": "",
        "groupname": "staff",
        "shell": "/bin/zsh"
      }
    ],
    "labels": [
      {
        "created_at": "2021-08-19T02:02:17Z",
        "updated_at": "2021-08-19T02:02:17Z",
        "id": 6,
        "name": "All Hosts",
        "description": "All hosts which have enrolled in Fleet",
        "query": "SELECT 1;",
        "platform": "",
        "label_type": "builtin",
        "label_membership_type": "dynamic"
      },
      {
        "created_at": "2021-08-19T02:02:17Z",
        "updated_at": "2021-08-19T02:02:17Z",
        "id": 9,
        "name": "macOS",
        "description": "All macOS hosts",
        "query": "select 1 from os_version where platform = 'darwin';",
        "platform": "",
        "label_type": "builtin",
        "label_membership_type": "dynamic"
      },
      {
        "created_at": "2021-08-19T02:02:17Z",
        "updated_at": "2021-08-19T02:02:17Z",
        "id": 12,
        "name": "Hosts with Chrome installed",
        "description": "",
        "query": "SELECT * FROM apps WHERE name LIKE \"%Chrome%\"",
        "platform": "",
        "label_type": "regular",
        "label_membership_type": "dynamic"
      }
    ],
    "software": [
      {
        "id": 321,
        "name": "SomeApp.app",
        "version": "1.0",
        "source": "apps",
        "browser": "",
        "extension_for": "",
        "bundle_identifier": "com.some.app",
        "last_opened_at": "2021-08-18T21:14:00Z",
        "generated_cpe": "",
        "vulnerabilities": null
      }
    ],
    "packs": [],
    "mdm": {
      "encryption_key_available": true,
      "enrollment_status": "On (manual)",
      "name": "Fleet",
      "connected_to_fleet": true,
      "server_url": "https://acme.com/mdm/apple/mdm",
      "macos_settings": {
        "disk_encryption": "verified",
        "action_required": null
      },
      "macos_setup": {
        "bootstrap_package_status": "installed",
        "detail": "",
        "bootstrap_package_name": "test.pkg"
      },
      "os_settings": {
        "disk_encryption": {
          "status": "verified",
          "detail": ""
        }
      },
      "profiles": [
        {
          "profile_uuid": "954ec5ea-a334-4825-87b3-937e7e381f24",
          "name": "profile1",
          "status": "verifying",
          "operation_type": "install",
          "scope": "device",
          "managed_local_account": "",
          "detail": ""
        }
      ]
    }
  }
}

browser and extension_for fields are included when set and when empty. extension_for will show the browser or Visual Studio Code fork associated with the extension, allowing for differentiation between e.g. an extension installed on Visual Studio Code and one installed on Cursor. browser is deprecated, and only shows this information for browser plugins.

Delete host

Deletes the specified host from Fleet. Note that a deleted host will fail authentication with the previous node key, and in most osquery configurations will attempt to re-enroll automatically. If the host still has a valid enroll secret, it will re-enroll successfully.

DELETE /api/v1/fleet/hosts/:id

Parameters

Name	Type	In	Description
id	integer	path	Required. The host's id.

Example

DELETE /api/v1/fleet/hosts/121

Default response

Status: 200

Refetch host

Flags the host details, labels and policies to be refetched the next time the host checks in. Note that we cannot be certain when the host will actually check in. Further requests to the host APIs will indicate that the refetch has been requested through the refetch_requested field on the host object.

POST /api/v1/fleet/hosts/:id/refetch

Parameters

Name	Type	In	Description
id	integer	path	Required. The host's id.

Example

POST /api/v1/fleet/hosts/121/refetch

Default response

Status: 200

Refetch host by Fleet Desktop token

Same as Refetch host except with the Fleet Desktop token instead the host ID.

POST /api/v1/fleet/device/:token/refetch

Parameters

Name	Type	In	Description
token	string	path	Required. The host's Fleet Desktop token.

Example

POST /api/v1/fleet/device/6d3e95ca-6783-4d0d-93b8-a5ffdb207867/refetch

Default response

Status: 200

Update hosts' fleet

Available in Fleet Premium

POST /api/v1/fleet/hosts/transfer

Parameters

Name	Type	In	Description
fleet_id	integer	body	Required. The ID of the fleet you'd like to assign the host(s) to.
hosts	array	body	Required. A list of host IDs.

Example

POST /api/v1/fleet/hosts/transfer

Request body

{
  "team_id": 1,
  "fleet_id": 1,
  "hosts": [3, 2, 4, 6, 1, 5, 7]
}

Default response

Status: 200

Update hosts' fleet by filter

Available in Fleet Premium

POST /api/v1/fleet/hosts/transfer/filter

Parameters

Name	Type	In	Description
fleet_id	integer	body	Required. The ID of the fleet you'd like to assign the host(s) to.
filters	object	body	Required. See filters

Filters

Name	Type	Description
query	string	Search query keywords. Searchable fields include hostname, hardware_serial, uuid, and ipv4.
status	string	Host status. Can either be new, online, offline, mia or missing.
label_id	number	ID of a label to filter by.
fleet_id	number	ID of the fleet to filter by.

Note: label_id and status filters cannot be used at the same time.

Example

POST /api/v1/fleet/hosts/transfer/filter

Request body

{
  "team_id": 1,
  "fleet_id": 1,
  "filters": {
    "status": "online",
    "team_id": 2,
    "fleet_id": 2,
  }
}

Default response

Status: 200

Turn off host's MDM

Turns off MDM for the specified macOS, iOS, iPadOS, or Android host.

DELETE /api/v1/fleet/hosts/:id/mdm

Parameters

Name	Type	In	Description
id	integer	path	Required. The host's ID in Fleet.

Example

DELETE /api/v1/fleet/hosts/42/mdm

Default response

Status: 204

Batch-delete hosts

Delete hosts selected by filter or ids.

POST /api/v1/fleet/hosts/delete

Parameters

Name	Type	In	Description
ids	array	body	A list of the host IDs you'd like to delete. Required if filters not specified. Only one of ids or filters may be included in the request.
filters	object	body	Required. See filters. Required if ids not specified. Only one of ids or filters may be included in the request.

Filters

Name	Type	Description
query	string	Search query keywords. Searchable fields include hostname, hardware_serial, uuid, and ipv4.
status	string	Host status. Can either be new, online, offline, mia or missing.
label_id	number	ID of a label to filter by.
fleet_id	number	ID of the fleet to filter by.

Notes: label_id and status filters cannot be used at the same time.

Request (using ids):

{
  "ids": [1]
}

Request (using filters):

{
  "filters": {
    "status": "online",
    "label_id": 1,
    "team_id": 1,
    "fleet_id": 1,
    "query": "abc"
  }
}

Request (filters is specified and empty, to delete all hosts):

{
  "filters": {}
}

Example

POST /api/v1/fleet/hosts/delete

Request body

{
  "filters": {
    "status": "online",
    "team_id": 1,
    "fleet_id": 1
  }
}

Default response

Status: 200

Update human-device mapping

PUT /api/v1/fleet/hosts/:id/device_mapping

Updates the email for the data source in the human-device mapping. This source can only have one email.

If you're using the $FLEET_VAR_HOST_END_USER_IDP_USERNAME variable in Apple (macOS, iOS, iPadOS) and Windows configuration profiles, overriding the idp data source resends the configuraiton profile even if the value is unchanged. This causes performance issues. In the future, Fleet will only resend profiles if the value changes (coming soon). In the interim, please only update the idp data source when the value changes.

Parameters

Name	Type	In	Description
id	integer	path	Required. The host's id.
email	string	body	Required. The custom email.
source	string	body	The data source to override. Either "custom" or "idp". If "idp", this will update the end user's "idp_username". (Defaults to "custom".)

Example

PUT /api/v1/fleet/hosts/1/device_mapping

Request body

{
  "email": "user@example.com"
}

Default response

Status: 200

{
  "host_id": 1,
  "device_mapping": [
    {
      "email": "user@example.com",
      "source": "mdm_idp_accounts"
    },
    {
      "email": "user@example.com",
      "source": "google_chrome_profiles"
    },
    {
      "email": "user@example.com",
      "source": "custom"
    }
  ]
}

Get host's device health report

Retrieves information about a single host's device health.

This report includes a subset of host vitals, and simplified policy and vulnerable software information. Data is cached to preserve performance. To get all up-to-date information about a host, use the "Get host" endpoint.

GET /api/v1/fleet/hosts/:id/health

Parameters

Name	Type	In	Description
id	integer	path	Required. The host's id.

Example

GET /api/v1/fleet/hosts/1/health

Default response

Status: 200

{
  "host_id": 1,
  "health": {
    "updated_at": "2023-09-16T18:52:19Z",
    "os_version": "CentOS Linux 8.3.2011",
    "disk_encryption_enabled": true,
    "failing_policies_count": 1,
    "failing_critical_policies_count": 1, // Fleet Premium only
    "failing_policies": [
      {
        "id": 123,
        "name": "Google Chrome is up to date",
        "critical": true, // Fleet Premium only
        "resolution": "Follow the Update Google Chrome instructions here: https://support.google.com/chrome/answer/95414?sjid=6534253818042437614-NA",
      }
    ],
    "vulnerable_software": [
      {
        "id": 321,
        "name": "Firefox.app",
        "version": "116.0.3",
      }
    ]
  }
}

---

Get host's mobile device management (MDM) information

Currently supports Windows and macOS.

Retrieves a host's MDM enrollment status and MDM server URL.

If the host exists but is not enrolled to an MDM server, then this API returns null.

GET /api/v1/fleet/hosts/:id/mdm

Parameters

Name	Type	In	Description
id	integer	path	Required The id of the host to get the details for

Example

GET /api/v1/fleet/hosts/32/mdm

Default response

Status: 200

{
  "enrollment_status": "On (automatic)",
  "server_url": "some.mdm.com",
  "name": "Some MDM",
  "id": 3
}

---

Get mobile device management (MDM) status

Currently supports Windows and macOS.

Retrieves MDM enrollment summary. Windows servers are excluded from the aggregated data.

GET /api/v1/fleet/hosts/summary/mdm

Parameters

Name	Type	In	Description
fleet_id	integer	query	Available in Fleet Premium. Filter by fleet.
platform	string	query	Filter by platform ("windows" or "darwin")

A fleet_id of 0 returns the statistics for hosts that are "Unassigned". A null or missing fleet_id returns statistics for all hosts on all fleets.

Example

GET /api/v1/fleet/hosts/summary/mdm?fleet_id=1&platform=windows

Default response

Status: 200

{
  "counts_updated_at": "2021-03-21T12:32:44Z",
  "mobile_device_management_enrollment_status": {
    "enrolled_manual_hosts_count": 10,
    "enrolled_automated_hosts_count": 200,
    "enrolled_personal_hosts_count": 30,
    "unenrolled_hosts_count": 0,
    "hosts_count": 240
  },
  "mobile_device_management_solution": [
    {
      "id": 2,
      "name": "Solution1",
      "server_url": "solution1.com",
      "hosts_count": 1
    },
    {
      "id": 3,
      "name": "Solution2",
      "server_url": "solution2.com",
      "hosts_count": 1
    }
  ]
}

---

Get host's mobile device management (MDM) and Munki information

Retrieves a host's MDM enrollment status, MDM server URL, and Munki version.

GET /api/v1/fleet/hosts/:id/macadmins

Parameters

Name	Type	In	Description
id	integer	path	Required The id of the host to get the details for

Example

GET /api/v1/fleet/hosts/32/macadmins

Default response

Status: 200

{
  "macadmins": {
    "munki": {
      "version": "1.2.3"
    },
    "munki_issues": [
      {
        "id": 1,
        "name": "Could not retrieve managed install primary manifest",
        "type": "error",
        "created_at": "2022-08-01T05:09:44Z"
      },
      {
        "id": 2,
        "name": "Could not process item Figma for optional install. No pkginfo found in catalogs: release",
        "type": "warning",
        "created_at": "2022-08-01T05:09:44Z"
      }
    ],
    "mobile_device_management": {
      "enrollment_status": "On (automatic)",
      "server_url": "http://some.url/mdm",
      "name": "MDM Vendor Name",
      "id": 999
    }
  }
}

---

Get hosts' aggregate mobile device management (MDM) and Munki information

Currently supported only on macOS.

Retrieves MDM enrollment status and Munki versions, aggregated across all hosts.

GET /api/v1/fleet/macadmins

Parameters

Name	Type	In	Description
fleet_id	integer	query	Available in Fleet Premium. Filters the aggregate host information to only include hosts in the specified fleet.

A fleet_id of 0 returns the statistics for hosts that are "Unassigned". A null or missing fleet_id returns statistics for all hosts on all fleets.

Example

GET /api/v1/fleet/macadmins

Default response

Status: 200

{
  "macadmins": {
    "counts_updated_at": "2021-03-21T12:32:44Z",
    "munki_versions": [
      {
        "version": "5.5",
        "hosts_count": 8360
      },
      {
        "version": "5.4",
        "hosts_count": 1700
      },
      {
        "version": "5.3",
        "hosts_count": 400
      },
      {
        "version": "5.2.3",
        "hosts_count": 112
      },
      {
        "version": "5.2.2",
        "hosts_count": 50
      }
    ],
    "munki_issues": [
      {
        "id": 1,
        "name": "Could not retrieve managed install primary manifest",
        "type": "error",
        "hosts_count": 2851
      },
      {
        "id": 2,
        "name": "Could not process item Figma for optional install. No pkginfo found in catalogs: release",
        "type": "warning",
        "hosts_count": 1983
      }
    ],
    "mobile_device_management_enrollment_status": {
      "enrolled_manual_hosts_count": 124,
      "enrolled_automated_hosts_count": 124,
      "unenrolled_hosts_count": 112
    },
    "mobile_device_management_solution": [
      {
        "id": 1,
        "name": "SimpleMDM",
        "hosts_count": 8360,
        "server_url": "https://a.simplemdm.com/mdm"
      },
      {
        "id": 2,
        "name": "Intune",
        "hosts_count": 1700,
        "server_url": "https://enrollment.manage.microsoft.com"
      }
    ]
  }
}

Get host's software

Experimental feature. This feature is undergoing rapid improvement, which may result in breaking changes to the API or configuration surface. It is not recommended for use in automated workflows.

GET /api/v1/fleet/hosts/:id/software

Parameters

Name	Type	In	Description
id	integer	path	Required. The host's ID.
query	string	query	Search query keywords. Searchable fields include name.
available_for_install	boolean	query	If true or 1, only list software that is available for install (added by the user). Default is false.
self_service	boolean	query	If true or 1, only lists self-service software. Default is false.
vulnerable	boolean	query	If true or 1, only list software that have vulnerabilities. Default is false.
page	integer	query	Page number of the results to fetch.
per_page	integer	query	Results per page.
order_key	string	query	What to order results by. Options include "name". Default is "name".
order_direction	string	query	Requires order_key. The direction of the order given the order key. Options include "asc" and "desc". Default is "asc".
min_cvss_score	integer	query	Available in Fleet Premium. Filters to include only software with vulnerabilities that have a CVSS version 3.x base score higher than the specified value.
max_cvss_score	integer	query	Available in Fleet Premium. Filters to only include software with vulnerabilities that have a CVSS version 3.x base score lower than what's specified.
exploit	boolean	query	Available in Fleet Premium. If true, filters to only include software with vulnerabilities that have been actively exploited in the wild (cisa_known_exploit: true). Default is false.
after	string	query	The value to get results after. This needs order_key defined, as that's the column that would be used.

On macOS hosts, last_opened_at is supported for software from the apps source and is the last open time of the most recently installed version of the software. After an update, it may be empty until the software is opened again.

On Windows hosts, last_opened_at is supported for software from the programs source. On Linux hosts, last_opened_at is supported for software from the deb_packages and rpm_packages sources. On Windows and Linux hosts, it represents the last open time of any version.

Currently, hash_sha256, executable_sha256, and executable_path are only supported for macOS software from the apps source. hash_sha256 is the cdhash_sha256.

Example

GET /api/v1/fleet/hosts/123/software

Default response

Status: 200

{
  "count": 3,
  "software": [
    {
      "id": 121,
      "name": "Google Chrome.app",
      "icon_url": null,
      "software_package": {
        "name": "GoogleChrome.pkg",
        "platform": "darwin",
        "version": "125.12.0.3",
        "self_service": true,
        "last_install": {
          "install_uuid": "8bbb8ac2-b254-4387-8cba-4d8a0407368b",
          "installed_at": "2024-05-15T15:23:57Z"
        }
      },
      "app_store_app": null,
      "source": "apps",
      "status": "failed_install",
      "installed_versions": [
        {
          "version": "121.0",
          "bundle_identifier": "com.google.Chrome",
          "last_opened_at": "2024-04-01T23:03:07Z",
          "vulnerabilities": ["CVE-2023-1234","CVE-2023-4321","CVE-2023-7654"],
          "installed_paths": ["/Applications/Google Chrome.app"],
          "signature_information": [
            {
              "installed_path": "/Applications/Google Chrome.app",
              "team_identifier": "EQHXZ8M8AV",
              "hash_sha256": "a45d00ac9bf21e108fa8e452fabe4d9e05e6765b",
              "executable_sha256": "7afc9d01a62f03a2de9637936d4afe68090d2de18d03f29c88cfb0b1ba63587f",
              "executable_path": "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"
            }
          ]
        }
      ]
    },
    {
      "id": 134,
      "name": "Falcon.app",
      "icon_url": null,
      "software_package": {
        "name": "FalconSensor-6.44.pkg",
        "platform": "darwin",
        "self_service": false,
        "last_install": null,
        "last_uninstall": {
          "script_execution_id": "ed579e73-0f41-46c8-aaf4-3c1e5880ed27",
          "uninstalled_at": "2024-05-15T15:23:57Z"
        }
      },
      "app_store_app": null,
      "source": "",
      "status": "pending_uninstall",
      "installed_versions": [],
    },
    {
      "id": 147,
      "name": "Logic Pro",
      "icon_url": "/api/latest/fleet/software/titles/147/icon?fleet_id=2",
      "software_package": null,
      "app_store_app": {
        "app_store_id": "1091189122",
        "platform": "darwin",
        "version": "2.04",
        "self_service": false,
        "last_install": {
          "command_uuid": "0aa14ae5-58fe-491a-ac9a-e4ee2b3aac40",
          "installed_at": "2024-05-15T15:23:57Z"
        },
      },
      "source": "apps",
      "status": "installed",
      "installed_versions": [
        {
          "version": "118.0",
          "bundle_identifier": "com.apple.logic10",
          "last_opened_at": "2024-04-01T23:03:07Z",
          "vulnerabilities": ["CVE-2023-1234"],
          "installed_paths": ["/Applications/Logic Pro.app"],
          "signature_information": [
            {
              "installed_path": "/Applications/Logic Pro.app",
              "team_identifier": "",
              "hash_sha256": null,
              "executable_sha256": null,
              "executable_path": null
            }
          ]
        }
      ]
    },
    {
      "id": 150,
      "name": "GitHub Copilot",
      "software_package": null,
      "app_store_app": null,
      "source": "jetbrains_plugins",
      "extension_for": "goland",
      "installed_versions": [
        {
          "version": "1.2.3",
          "vulnerabilities": [],
          "installed_paths": ["/Users/username/Library/Application Support/JetBrains/GoLand2025.2/plugins/github-copilot-intellij"],
        }
      ]
    },
    {
      "id": 12,
      "name": "MyCustomApp",
      "software_package": {
        "name": "MyCustomApp-1.12.ipa",
        "platform": "ios",
        "version": "1.12",
        "self_service": false,
        "automatic_install_policies": null,
        "last_install": null,
        "last_uninstall": null
      },
      "app_store_app": null,
      "versions_count": 1,
      "source": "ios_apps",
      "hosts_count": 48,
      "versions": [
        {
          "id": 123,
          "version": "1.12",
          "vulnerabilities": null
        }
      ],
    }
  ],
  "meta": {
    "has_next_results": false,
    "has_previous_results": false
  }
}

Get hosts report in CSV

Returns the list of hosts corresponding to the search criteria in CSV format, ready for download when requested by a web browser.

GET /api/v1/fleet/hosts/report

Parameters

Name	Type	In	Description
format	string	query	Required, must be "csv" (only supported format for now).
columns	string	query	Comma-delimited list of columns to include in the report (returns all columns if none is specified).
order_key	string	query	What to order results by. Can be any column in the hosts table.
order_direction	string	query	Requires order_key. The direction of the order given the order key. Options include "asc" and "desc". Default is "asc".
status	string	query	Indicates the status of the hosts to return. Can either be 'new', 'online', 'offline', 'mia' or 'missing'.
query	string	query	Search query keywords. Searchable fields include hostname, hardware_serial, uuid, ipv4, and end user email addresses.
fleet_id	integer	query	Available in Fleet Premium. Filters the hosts to only include hosts in the specified fleet.
policy_id	integer	query	The ID of the policy to filter hosts by.
policy_response	string	query	Requires policy_id. Valid options are 'passing' or 'failing'. Note: If policy_id is specified without including policy_response, this will also return hosts where the policy is not configured to run or failed to run.
software_version_id	integer	query	The ID of the software version to filter hosts by.
software_title_id	integer	query	The ID of the software title to filter hosts by.
os_version_id	integer	query	The ID of the operating system version to filter hosts by.
os_name	string	query	The name of the operating system to filter hosts by. os_version must also be specified with os_name
os_version	string	query	The version of the operating system to filter hosts by. os_name must also be specified with os_version
vulnerability	string	query	The cve to filter hosts by (including "cve-" prefix, case-insensitive).
mdm_id	integer	query	The ID of the mobile device management (MDM) solution to filter hosts by (that is, filter hosts that use a specific MDM provider and URL).
mdm_name	string	query	The name of the mobile device management (MDM) solution to filter hosts by (that is, filter hosts that use a specific MDM provider).
mdm_enrollment_status	string	query	The mobile device management (MDM) enrollment status to filter hosts by. Valid options are 'manual', 'automatic', 'enrolled', 'pending', or 'unenrolled'. 'pending' only includes Apple (macOS, iOS, iPadOS) hosts in Apple Business Manager (ABM) that are not yet enrolled to Fleet.
macos_settings	string	query	Filters the hosts by the status of the mobile device management (MDM) profiles applied to hosts. Valid options are 'verified', 'verifying', 'pending', or 'failed'. Note: If this filter is used in Fleet Premium without a fleet ID filter, the results include only hosts that are "Unassigned".
munki_issue_id	integer	query	The ID of the munki issue (a Munki-reported error or warning message) to filter hosts by (that is, filter hosts that are affected by that corresponding error or warning message).
low_disk_space	integer	query	Available in Fleet Premium. Filters the hosts to only include hosts with less GB of disk space available than this value. Must be a number between 1-100.
label_id	integer	query	A valid label ID. Can only be used in combination with order_key, order_direction, status, query and fleet_id.
bootstrap_package	string	query	Available in Fleet Premium. Filters the hosts by the status of the MDM bootstrap package on the host. Valid options are 'installed', 'pending', or 'failed'. Note: If this filter is used in Fleet Premium without a fleet ID filter, the results include only hosts that are "Unassigned".
disable_failing_policies	boolean	query	If true, hosts will return failing policies as 0 (returned as the issues column) regardless of whether there are any that failed for the host. This is meant to be used when increased performance is needed in exchange for the extra information.

If mdm_id, mdm_name or mdm_enrollment_status is specified, then Windows Servers are excluded from the results.

Example

GET /api/v1/fleet/hosts/report?software_id=123&format=csv&columns=hostname,primary_ip,platform

Default response

Status: 200

created_at,updated_at,id,detail_updated_at,label_updated_at,policy_updated_at,last_enrolled_at,seen_time,refetch_requested,hostname,uuid,platform,osquery_version,os_version,build,platform_like,code_name,uptime,memory,cpu_type,cpu_subtype,cpu_brand,cpu_physical_cores,cpu_logical_cores,hardware_vendor,hardware_model,hardware_version,hardware_serial,computer_name,primary_ip_id,primary_ip,primary_mac,distributed_interval,config_tls_refresh,logger_tls_period,team_name,fleet_name,gigs_disk_space_available,percent_disk_space_available,gigs_total_disk_space,issues,device_mapping,status,display_text
2022-03-15T17:23:56Z,2022-03-15T17:23:56Z,1,2022-03-15T17:23:56Z,2022-03-15T17:23:56Z,2022-03-15T17:23:56Z,2022-03-15T17:23:56Z,2022-03-15T17:23:56Z,false,foo.local0,a4fc55a1-b5de-409c-a2f4-441f564680d3,debian,,,,,,0s,0,,,,0,0,,,,,,,,,0,0,0,,,0,0,0,0,,,,
2022-03-15T17:23:56Z,2022-03-15T17:23:56Z,2,2022-03-15T17:23:56Z,2022-03-15T17:23:56Z,2022-03-15T17:23:56Z,2022-03-15T17:23:56Z,2022-03-15T17:22:56Z,false,foo.local1,689539e5-72f0-4bf7-9cc5-1530d3814660,rhel,,,,,,0s,0,,,,0,0,,,,,,,,,0,0,0,,,0,0,0,0,,,,
2022-03-15T17:23:56Z,2022-03-15T17:23:56Z,3,2022-03-15T17:23:56Z,2022-03-15T17:23:56Z,2022-03-15T17:23:56Z,2022-03-15T17:23:56Z,2022-03-15T17:21:56Z,false,foo.local2,48ebe4b0-39c3-4a74-a67f-308f7b5dd171,linux,,,,,,0s,0,,,,0,0,,,,,,,,,0,0,0,,,0,0,0,0,,,,

Get host's disk encryption key

Retrieves the disk encryption key for a host.

The host will only return a key if its disk encryption status is "Verified." Get hosts' disk encryption statuses using the List hosts endpoint and os_settings_disk_encryption parameter.

GET /api/v1/fleet/hosts/:id/encryption_key

Parameters

Name	Type	In	Description
id	integer	path	Required The id of the host to get the disk encryption key for.

Example

GET /api/v1/fleet/hosts/8/encryption_key

Default response

Status: 200

{
  "host_id": 8,
  "encryption_key": {
    "key": "5ADZ-HTZ8-LJJ4-B2F8-JWH3-YPBT",
    "updated_at": "2022-12-01T05:31:43Z"
  }
}

Get host's Recovery Lock password

Retrieves the Recovery Lock password for a host.

The host will only return a password if its Recovery Lock password status is "Verified."

GET /api/v1/fleet/hosts/:id/recovery_lock_password

Parameters

Name	Type	In	Description
id	integer	path	Required The id of the host to get the Recovery Lock password for.

Example

GET /api/v1/fleet/hosts/8/recovery_lock_password

Default response

Status: 200

{
  "host_id": 8,
  "recovery_lock_password": {
    "password": "test-123",
    "updated_at": "2026-02-01T05:31:43Z"
  }
}

Rotate host's Recovery Lock password

Available in Fleet Premium

Rotates the Recovery Lock password for a host.

POST /api/v1/fleet/hosts/:id/recovery_lock_password/rotate

Parameters

Name	Type	In	Description
id	integer	path	The host ID to rotate Recovery Lock password for.

Example

POST /api/v1/fleet/hosts/123/recovery_lock_password/rotate

Default response

204

Get host's certificates

Available for macOS, iOS, iPadOS, and Windows hosts only. Requires Fleet's MDM to be enabled and configured.

Retrieves the certificates installed on a host.

GET /api/v1/fleet/hosts/:id/certificates

Parameters

Name	Type	In	Description
id	integer	path	Required. The host's id.
page	integer	query	Page number of the results to fetch.
per_page	integer	query	Results per page.
order_key	string	query	What to order results by. Options include common_name and not_valid_after. Default is common_name
order_direction	string	query	Requires order_key. The direction of the order given the order key. Options include "asc" and "desc". Default is "asc".
after	string	query	The value to get results after. This needs order_key defined, as that's the column that would be used.

Example

GET /api/v1/fleet/hosts/8/certificates

Default response

Status: 200

{
  "certificates": [
    {
      "id": 3,
      "not_valid_after": "2021-08-19T02:02:17Z",
      "not_valid_before": "2021-08-19T02:02:17Z",
      "certificate_authority": true,
      "common_name": "FleetDM",
      "key_algorithm": "rsaEncryption",
      "key_strength": 2048,
      "key_usage": "CRL Sign, Key Cert Sign",
      "serial": 1,
      "signing_algorithm": "sha256WithRSAEncryption",
      "subject": {
        "country": "US",
        "organization": "Fleet Device Management Inc.",
        "organizational_unit": "Fleet Device Management Inc.",
        "common_name": "FleetDM"
      },
      "issuer": {
        "country": "US",
        "organization": "Fleet Device Management Inc.",
        "organizational_unit": "Fleet Device Management Inc.",
        "common_name": "FleetDM"
      },
      "source": "system",
      "username": ""
    }
  ],
  "meta": {
    "has_next_results": false,
    "has_previous_results": false
  }
}

Get host's OS settings (configuration profile)

Requires Fleet's MDM properly enabled and configured.

Retrieves a list of the configuration profiles assigned to a host.

GET /api/v1/fleet/hosts/:id/configuration_profiles

Parameters

Name	Type	In	Description
id	integer	path	Required. The ID of the host

Example

GET /api/v1/fleet/hosts/8/configuration_profiles

Default response

Status: 200

{
  "host_id": 8,
  "profiles": [
    {
      "profile_uuid": "bc84dae7-396c-4e10-9d45-5768bce8b8bd",
      "team_id": 0,
      "fleet_id": 0,
      "name": "Example profile",
      "identifier": "com.example.profile",
      "created_at": "2023-03-31T00:00:00Z",
      "updated_at": "2023-03-31T00:00:00Z",
      "checksum": "dGVzdAo="
    }
  ]
}

Lock host

Available in Fleet Premium

Sends a command to lock the specified macOS, iOS, iPadOS, Linux, or Windows host. The host is locked once it comes online.

To lock a macOS, iOS, or iPadOS host, the host must have MDM turned on. To lock a Windows or Linux host, the host must have scripts enabled.

For iOS and iPadOS, this enables Lost Mode and sends a Device Location MDM command. To see location, use the Get host endpoint.

POST /api/v1/fleet/hosts/:id/lock

Parameters

Name	Type	In	Description
id	integer	path	Required. ID of the host to be locked.
view_pin	boolean	query	For macOS hosts, whether to return the unlock PIN.

Example with macOS unlock PIN

POST /api/v1/fleet/hosts/123/lock?view_pin=true

Default response

Status: 200

{
  "unlock_pin": "123456",
  "device_status": "unlocked",
  "pending_action": "lock"
}

To verify the host successfully locked, you can use the Get host endpoint to retrieve the host's mdm.device_status.

Unlock host

Available in Fleet Premium

Sends a command to unlock the specified iOS, iPadOS, Windows, or Linux host, or retrieves the unlock PIN for a macOS host.

To unlock an iOS or iPadOS host, the host must have MDM turned on. To unlock a Windows or Linux host, the host must have scripts enabled. For iOS and iPadOS, this disables Lost Mode.

POST /api/v1/fleet/hosts/:id/unlock

Parameters

Name	Type	In	Description
id	integer	path	Required. ID of the host to be unlocked.

Example

POST /api/v1/fleet/hosts/:id/unlock

Default response

Status: 200

{
  "host_id": 8,
  "device_status": "locked",
  "pending_action": "unlock"
}

To verify the host successfully unlocked, you can use the Get host endpoint to retrieve the host's mdm.device_status. macOS hosts require entering unlock_pin to unlock.

Wipe host

Sends a command to wipe the specified macOS, iOS, iPadOS, Windows, or Linux host. The host is wiped once it comes online.

To wipe a macOS, iOS, iPadOS, or Windows host, the host must have MDM turned on. To lock a Linux host, the host must have scripts enabled.

POST /api/v1/fleet/hosts/:id/wipe

Parameters

Name	Type	In	Description
id	integer	path	Required. ID of the host to be wiped.
windows	object	body	Optional metadata used when wiping Windows hosts. The object includes a wipe_type property that can be used for specifying what type of remote wipe to perform. Allowed values are "doWipe" and "doWipeProtected".

Example

POST /api/v1/fleet/hosts/123/wipe

Optional request body

{ "windows": { "wipe_type": "doWipe" } }

Default response

Status: 200

{
  "device_status": "unlocked",
  "pending_action": "wipe"
}

To verify the host was successfully wiped, you can use the Get host endpoint to retrieve the host's mdm.device_status.

Get host's past activity

GET /api/v1/fleet/hosts/:id/activities

Parameters

Name	Type	In	Description
id	integer	path	Required. The host's ID.
page	integer	query	Page number of the results to fetch.
per_page	integer	query	Results per page. Maximum is 10,000 records. If no pagination parameters are specified, defaults to 10,000.
order_key	string	query	What to order results by. Allowed fields are id, created_at, and activity_type.
order_direction	string	query	Requires order_key. The direction of the order given the order key. Options include "asc" and "desc". Default is "asc".
after	string	query	The value to get results after. This needs order_key defined, as that's the column that would be used.

Example

GET /api/v1/fleet/hosts/12/activities

Default response

Status: 200

{
  "activities": [
    {
      "created_at": "2025-02-20T10:09:48.551757Z",
      "id": 123,
      "actor_full_name": "Anna Chao",
      "actor_id": 12,
      "actor_gravatar": "",
      "actor_email": "anna@example.com",
      "type": "installed_software",
      "fleet_initiated": false,
      "details": {
          "status": "installed",
          "host_id": 934,
          "policy_id": null,
          "policy_name": null,
          "install_uuid": "2fddb3d3-d553-4334-89a3-235da50d0ee7",
          "self_service": false,
          "software_title": "Notion.app",
          "software_package": "Notion-4.5.0-arm64.dmg",
          "host_display_name": "Marko's MacBook Pro"
      }
    },
    {
      "created_at": "2023-07-27T14:35:08Z",
      "id": 2,
      "actor_full_name": "Anna Chao",
      "actor_id": 12,
      "actor_gravatar": "",
      "actor_email": "anna@example.com",
      "type": "ran_script",
      "fleet_initiated": true,
      "details": {
        "host_id": 1,
        "host_display_name": "Steve's MacBook Pro",
        "script_name": "set-timezones.sh",
        "script_execution_id": "d6cffa75-b5b5-41ef-9230-15073c8a88cf",
        "async": true
      },
    },
  ],
  "meta": {
    "has_next_results": false,
    "has_previous_results": false
  }
}

Get host's upcoming activity

GET /api/v1/fleet/hosts/:id/activities/upcoming

Parameters

Name	Type	In	Description
id	integer	path	Required. The host's id.
page	integer	query	Page number of the results to fetch.
per_page	integer	query	Results per page.

Example

GET /api/v1/fleet/hosts/12/activities/upcoming

Default response

Status: 200

{
  "count": 3,
  "activities": [
    {
      "created_at": "2025-02-20T10:05:43.013218Z",
      "uuid": "ce8ed8b1-8e77-413f-936c-4ef2f9b665f8",
      "actor_full_name": "Anna Chao",
      "actor_id": 12,
      "actor_gravatar": "",
      "actor_email": "anna@example.com",
      "type": "installed_software",
      "fleet_initiated": false,
      "details": {
          "status": "pending_install",
          "host_id": 934,
          "policy_id": null,
          "policy_name": null,
          "install_uuid": "2fddb3d3-d553-4334-89a3-235da50d0ee7",
          "self_service": false,
          "software_title": "Notion.app",
          "software_package": "Notion-4.5.0-arm64.dmg",
          "host_display_name": "Marko's MacBook Pro"
      }
    },
    {
      "created_at": "2023-07-27T14:35:08Z",
      "uuid": "d6cffa75-b5b5-41ef-9230-15073c8a88cf",
      "actor_full_name": "Marko",
      "actor_id": 1,
      "actor_gravatar": "",
      "actor_email": "marko@example.com",
      "type": "ran_script",
      "fleet_initiated": false,
      "details": {
        "host_id": 1,
        "host_display_name": "Steve's MacBook Pro",
        "script_name": "set-timezones.sh",
        "script_execution_id": "d6cffa75-b5b5-41ef-9230-15073c8a88cf",
        "async": true
      },
    },
    {
      "created_at": "2021-07-27T13:25:21Z",
      "uuid": "y3cffa75-b5b5-41ef-9230-15073c8a88cf",
      "actor_full_name": "Rachael",
      "actor_id": 1,
      "actor_gravatar": "",
      "actor_email": "rachael@example.com",
      "type": "ran_script",
      "fleet_initiated": false,
      "details": {
        "host_id": 1,
        "host_display_name": "Steve's MacBook Pro",
        "script_name": "",
        "script_execution_id": "y3cffa75-b5b5-41ef-9230-15073c8a88cf",
        "async": false
      },
    },
  ],
  "meta": {
    "has_next_results": false,
    "has_previous_results": false
  }
}

Cancel host's upcoming activity

DELETE /api/v1/fleet/hosts/:id/activities/upcoming/:activity_id

Parameters

Name	Type	In	Description
id	integer	path	Required. The host's ID.
activity_id	string	path	Required. The ID of the host's upcoming activity.

Example

DELETE /api/v1/fleet/hosts/12/activities/upcoming/81e10a70-730b-4c45-9b40-b14373e04757

Default response

Status: 204

Add labels to host

Adds manual labels to a host.

POST /api/v1/fleet/hosts/:id/labels

Parameters

Name	Type	In	Description
labels	array	body	The list of label names to add to the host.

Example

POST /api/v1/fleet/hosts/12/labels

Request body

{
  "labels": ["label1", "label2"]
}

Default response

Status: 200

Remove labels from host

Removes manual labels from a host.

DELETE /api/v1/fleet/hosts/:id/labels

Parameters

Name	Type	In	Description
labels	array	body	The list of label names to delete from the host.

Example

DELETE /api/v1/fleet/hosts/12/labels

Request body

{
  "labels": ["label3", "label4"]
}

Default response

Status: 200

Run live query on host (ad hoc)

Runs an ad hoc live query against the specified host and responds with the results.

The live query will stop if the targeted host is offline, or if the query times out. Timeouts happen if the host hasn't responded after the configured FLEET_LIVE_QUERY_REST_PERIOD (default 25 seconds) or if the distributed_interval agent option (default 10 seconds) is higher than the FLEET_LIVE_QUERY_REST_PERIOD.

POST /api/v1/fleet/hosts/:id/query

Parameters

Name	Type	In	Description
id	integer	path	Required. The target host ID.
query	string	body	Required. The query SQL.

Example

POST /api/v1/fleet/hosts/123/query

Request body

{
  "query": "SELECT model, vendor FROM usb_devices;"
}

Default response

Status: 200

{
  "host_id": 123,
  "query": "SELECT model, vendor FROM usb_devices;",
  "status": "online", // "online" or "offline"
  "error": null,
  "rows": [
    {
      "model": "USB2.0 Hub",
      "vendor": "VIA Labs, Inc."
    }
  ]
}

Note that if the host is online and the query times out, this endpoint will return an error and rows will be null. If the host is offline, no error will be returned, and rows will benull.

Run live query on host by identifier (ad hoc)

Runs an ad hoc live query against a host identified using uuid and responds with the results.

The live query will stop if the targeted host is offline, or if the query times out. Timeouts happen if the host hasn't responded after the configured FLEET_LIVE_QUERY_REST_PERIOD (default 25 seconds) or if the distributed_interval agent option (default 10 seconds) is higher than the FLEET_LIVE_QUERY_REST_PERIOD.

POST /api/v1/fleet/hosts/identifier/:identifier/query

Parameters

Name	Type	In	Description
identifier	integer or string	path	Required. The host's hardware_serial, uuid, osquery_host_id, hostname, or node_key.
query	string	body	Required. The query SQL.

Example

POST /api/v1/fleet/hosts/identifier/392547dc-0000-0000-a87a-d701ff75bc65/query

Request body

{
  "query": "SELECT model, vendor FROM usb_devices;"
}

Default response

Status: 200

{
  "host_id": 123,
  "query": "SELECT model, vendor FROM usb_devices;",
  "status": "online", // "online" or "offline"
  "error": null,
  "rows": [
    {
      "model": "USB2.0 Hub",
      "vendor": "VIA Labs, Inc."
    }
  ]
}

Note that if the host is online and the query times out, this endpoint will return an error and rows will be null. If the host is offline, no error will be returned, and rows will be null.

Bypass host's conditional access

Grant a blocked host access for a single login. Requires Okta conditional access configured with bypass enabled.

POST /api/v1/fleet/device/:token/bypass_conditional_access

Parameters

Name	Type	In	Description
token	string	path	Required. The host's device authentication token.

Example

POST /api/v1/fleet/device/abcdef012456789/bypass_conditional_access

Default response

Status: 200

---

Labels

• Add label
• Update label
• Get label
• Get labels summary
• List labels
• List label's hosts
• Delete label by name
• Delete label by ID

Add label

Add a dynamic or manual label.

POST /api/v1/fleet/labels

Parameters

Name	Type	In	Description
name	string	body	Required. The label's name.
description	string	body	The label's description.
query	string	body	The query in SQL syntax used to filter the hosts. Only one of either query (to create a dynamic label) or hosts (to create a manual label) can be included in the request.
criteria	object	body	Criteria for adding hosts to a host vitals label. See criteria for details.
hosts	array	body	The list of host identifiers (hardware_serial or uuid). The label will apply to any host with a matching identifier. Only one of either query (to create a dynamic label), hosts (to create a manual label), or host_ids (to create a manual label) can be included in the request.
host_ids	array	body	The list of Fleet host IDs the label will apply to. Only one of either query (to create a dynamic label) or hosts/host_ids (to create a manual label) can be included in the request.
platform	string	body	The specific platform for the label to target. Provides an additional filter. Choices for platform are darwin, windows, ubuntu, and centos. All platforms are included by default and this option is represented by an empty string.

If query, criteria, and hosts aren't specified, a manual label with no hosts will be created.

The hostname host identifier is deprecated. Please use host_ids, hardware_serial, or uuid instead.

criteria

Name	Type	Description
vital	string	The type of host vital to use when creating a host vital label. Can be "end_user_idp_group" or "end_user_idp_department".
value	string	Hosts with vital data matching this value will be added to the label.

Example

POST /api/v1/fleet/labels

Request body

{
  "name": "macOS hosts (x86_64)",
  "description": "Filters macOS hosts with x86_64 architecture",
  "query": "SELECT 1 FROM os_version WHERE platform = 'darwin' AND instr(arch, 'x86_64')",
  "platform": "darwin"
}

Default response

Status: 200

{
  "label": {
    "created_at": "0001-01-01T00:00:00Z",
    "updated_at": "0001-01-01T00:00:00Z",
    "id": 42,
    "name": "macOS hosts (x86_64)",
    "description": "Filters macOS hosts with x86_64 architecture",
    "query": "SELECT 1 FROM os_version WHERE platform = 'darwin' AND instr(arch, 'x86_64')",
    "label_type": "regular",
    "label_membership_type": "dynamic",
    "display_text": "macOS hosts (x86_64)",
    "count": 0,
    "host_ids": null,
    "author_id": 1,
    "team_id": null,
    "fleet_id": null
  }
}

Update label

Updates the specified label. Note: Label queries, platforms, and fleets are immutable. To change these, you must delete the label and create a new label.

PATCH /api/v1/fleet/labels/:id

Parameters

Name	Type	In	Description
id	integer	path	Required. The label's id.
name	string	body	The label's name.
description	string	body	The label's description.
hosts	array	body	If updating a manual label: the list of host identifiers (hardware_serial or uuid). The label will apply to any host with a matching identifier. The provided list fully replaces the previous list. Only one of either hosts or host_ids can be included in the request.
host_ids	array	body	If updating a manual label: the list of Fleet host IDs the label will apply to. The provided list fully replaces the previous list. Only one of either hosts or host_ids can be included in the request.

The hostname host identifier is deprecated. Please use host_ids, hardware_serial, or uuid instead.

Example

PATCH /api/v1/fleet/labels/21

Request body

{
  "hosts": ["ABC1234", "XYZ5678"]
}

Default response

Status: 200

{
  "label": {
    "created_at": "0001-01-01T00:00:00Z",
    "updated_at": "0001-01-01T00:00:00Z",
    "id": 21,
    "name": "My label",
    "description": "Some hosts that I want to manually group together",
    "query": "",
    "platform": "",
    "label_type": "regular",
    "label_membership_type": "manual",
    "display_text": "My label",
    "count": 2,
    "host_ids": [42, 43],
    "author_id": 1,
    "team_id": null,
    "fleet_id": null,
    "team_name": null,
    "fleet_name": null
  }
}

Get label

Returns the specified label.

GET /api/v1/fleet/labels/:id

Parameters

Name	Type	In	Description
id	integer	path	Required. The label's id.

Example

GET /api/v1/fleet/labels/1

Default response

Status: 200

{
  "label": {
    "created_at": "2021-02-09T22:09:43Z",
    "updated_at": "2021-02-09T22:15:58Z",
    "id": 12,
    "name": "Ubuntu",
    "description": "Filters ubuntu hosts",
    "query": "SELECT 1 FROM os_version WHERE platform = 'ubuntu';",
    "label_type": "regular",
    "label_membership_type": "dynamic",
    "display_text": "Ubuntu",
    "count": 0,
    "host_ids": null,
    "author_id": 1,
    "team_id": null,
    "fleet_id": null,
    "team_name": null,
    "fleet_name": null,
  }
}

Get labels summary

Returns a list of labels in Fleet, including basic information on each label.

GET /api/v1/fleet/labels/summary

Parameters

Name	Type	In	Description
fleet_id	string	query	Available in Fleet Premium. Filters to labels belonging to the specified fleet, plus global labels. Specify "global" to show only globally-available labels. If omitted, Fleet returns all global labels, plus all labels for fleets to which the requestor has access.

Example

GET /api/v1/fleet/labels/summary

Default response

Status: 200

{
  "labels": [
    {
      "id": 6,
      "name": "All Hosts",
      "description": "All hosts which have enrolled in Fleet",
      "label_type": "builtin",
      "team_id": null,
      "fleet_id": null
    },
    {
      "id": 7,
      "name": "macOS",
      "description": "All macOS hosts",
      "label_type": "builtin",
      "team_id": null,
      "fleet_id": null
    },
    {
      "id": 8,
      "name": "Ubuntu Linux",
      "description": "All Ubuntu hosts",
      "label_type": "builtin",
      "team_id": null,
      "fleet_id": null
    },
    {
      "id": 9,
      "name": "CentOS Linux",
      "description": "All CentOS hosts",
      "label_type": "builtin",
      "team_id": null,
      "fleet_id": null
    },
    {
      "id": 10,
      "name": "MS Windows",
      "description": "All Windows hosts",
      "label_type": "builtin",
      "team_id": null,
      "fleet_id": null
    },
    {
      "id": 11,
      "name": "My fleet-specific label",
      "description": "This one goes to eleven, but only on one fleet",
      "label_type": "regular",
      "team_id": 1,
      "fleet_id": 1
    }
  ]
}

List labels

Returns a list of labels.

GET /api/v1/fleet/labels

Parameters

Name	Type	In	Description
include_host_counts	boolean	query	Whether or not to calculate host counts for each label. Default is true. See "additional notes" for more information.
order_key	string	query	What to order results by. Can be any column in the labels table.
order_direction	string	query	Requires order_key. The direction of the order given the order key. Options include "asc" and "desc". Default is "asc".
after	string	query	The value to get results after. This needs order_key defined, as that's the column that would be used.
fleet_id	string	query	Available in Fleet Premium. Filters to labels belonging to the specified fleet, plus global labels. Specify "global" to show only globally-available labels. If omitted, Fleet returns all global labels, plus all labels for fleets to which the requestor has access.

When include_host_counts is true (or omitted), host_count will only be included for labels that are in use by one or more hosts, but count will always be included, even if it is 0. When include_host_counts is false, host_count will always be omitted, and count will be returned as 0 for each label. Setting include_host_counts=false will improve API performance, especially on deployments with large numbers of hosts and labels.

Example

GET /api/v1/fleet/labels

Default response

Status: 200

{
  "labels": [
    {
      "created_at": "2021-02-02T23:55:25Z",
      "updated_at": "2021-02-02T23:55:25Z",
      "id": 6,
      "name": "All Hosts",
      "description": "All hosts which have enrolled in Fleet",
      "query": "SELECT 1;",
      "label_type": "builtin",
      "label_membership_type": "dynamic",
      "host_count": 7,
      "display_text": "All Hosts",
      "count": 7,
      "host_ids": null,
      "author_id": 1,
      "team_id": null,
      "fleet_id": null
    },
    {
      "created_at": "2021-02-02T23:55:25Z",
      "updated_at": "2021-02-02T23:55:25Z",
      "id": 7,
      "name": "macOS",
      "description": "All macOS hosts",
      "query": "SELECT 1 FROM os_version WHERE platform = 'darwin';",
      "platform": "darwin",
      "label_type": "builtin",
      "label_membership_type": "dynamic",
      "host_count": 1,
      "display_text": "macOS",
      "count": 1,
      "host_ids": null,
      "author_id": 1,
      "team_id": null,
      "fleet_id": null
    },
    {
      "created_at": "2021-02-02T23:55:25Z",
      "updated_at": "2021-02-02T23:55:25Z",
      "id": 8,
      "name": "Ubuntu Linux",
      "description": "All Ubuntu hosts",
      "query": "SELECT 1 FROM os_version WHERE platform = 'ubuntu';",
      "platform": "ubuntu",
      "label_type": "builtin",
      "label_membership_type": "dynamic",
      "host_count": 3,
      "display_text": "Ubuntu Linux",
      "count": 3,
      "host_ids": null,
      "author_id": 1,
      "team_id": null,
      "fleet_id": null
    },
    {
      "created_at": "2021-02-02T23:55:25Z",
      "updated_at": "2021-02-02T23:55:25Z",
      "id": 9,
      "name": "CentOS Linux",
      "description": "All CentOS hosts",
      "query": "SELECT 1 FROM os_version WHERE platform = 'centos' OR name LIKE '%centos%'",
      "label_type": "builtin",
      "label_membership_type": "dynamic",
      "host_count": 3,
      "display_text": "CentOS Linux",
      "count": 3,
      "host_ids": null,
      "author_id": 1,
      "team_id": null,
      "fleet_id": null
    },
    {
      "created_at": "2021-02-02T23:55:25Z",
      "updated_at": "2021-02-02T23:55:25Z",
      "id": 10,
      "name": "MS Windows",
      "description": "All Windows hosts",
      "query": "SELECT 1 FROM os_version WHERE platform = 'windows';",
      "platform": "windows",
      "label_type": "builtin",
      "label_membership_type": "dynamic",
      "display_text": "MS Windows",
      "count": 0,
      "host_ids": null,
      "author_id": 1,
      "team_id": null,
      "fleet_id": null
    },
    {
      "created_at": "2025-11-13T06:14:20Z",
      "updated_at": "2025-11-13T06:14:20Z",
      "id": 4663,
      "name": "Team: g-software",
      "description": "Workstations used by g-software",
      "query": "",
      "platform": "",
      "label_type": "regular",
      "label_membership_type": "manual",
      "display_text": "Team: g-software",
      "count": 0,
      "host_ids": null,
      "author_id": 1,
      "team_id": 2,
      "fleet_id": null
    }
  ]
}

List label's hosts

Returns a list of the hosts that belong to the specified label.

GET /api/v1/fleet/labels/:id/hosts

Parameters

Name	Type	In	Description
id	integer	path	Required. The label's id.
page	integer	query	Page number of the results to fetch.
per_page	integer	query	Results per page.
order_key	string	query	What to order results by. Can be any column in the hosts table.
order_direction	string	query	Requires order_key. The direction of the order given the order key. Options include "asc" and "desc". Default is "asc".
after	string	query	The value to get results after. This needs order_key defined, as that's the column that would be used.
status	string	query	Indicates the status of the hosts to return. Can either be 'new', 'online', 'offline', 'mia' or 'missing'.
query	string	query	Search query keywords. Searchable fields include hostname, hardware_serial, uuid, and ipv4.
fleet_id	integer	query	Available in Fleet Premium. Filters the hosts to only include hosts in the specified fleet.
disable_failing_policies	boolean	query	If "true", hosts will return failing policies as 0 regardless of whether there are any that failed for the host. This is meant to be used when increased performance is needed in exchange for the extra information.
mdm_id	integer	query	The ID of the mobile device management (MDM) solution to filter hosts by (that is, filter hosts that use a specific MDM provider and URL).
mdm_name	string	query	The name of the mobile device management (MDM) solution to filter hosts by (that is, filter hosts that use a specific MDM provider).
mdm_enrollment_status	string	query	The mobile device management (MDM) enrollment status to filter hosts by. Valid options are 'manual', 'automatic', 'enrolled', 'pending', or 'unenrolled'. 'pending' only includes Apple (macOS, iOS, iPadOS) hosts in Apple Business Manager (ABM) that are not yet enrolled to Fleet.
macos_settings	string	query	Filters the hosts by the status of the mobile device management (MDM) profiles applied to hosts. Valid options are 'verified', 'verifying', 'pending', or 'failed'. Note: If this filter is used in Fleet Premium without a fleet ID filter, the results include only "Unassigned" hosts.
low_disk_space	integer	query	Available in Fleet Premium. Filters the hosts to only include hosts with less GB of disk space available than this value. Must be a number between 1-100.
macos_settings_disk_encryption	string	query	Filters the hosts by disk encryption status. Valid options are 'verified', 'verifying', 'action_required', 'enforcing', 'failed', or 'removing_enforcement'.
bootstrap_package	string	query	Available in Fleet Premium. Filters the hosts by the status of the MDM bootstrap package on the host. Valid options are 'installed', 'pending', or 'failed'. Note: If this filter is used in Fleet Premium without a fleet ID filter, the results include only "Unassigned" hosts.
os_settings	string	query	Filters the hosts by the status of the operating system settings applied to the hosts. Valid options are 'verified', 'verifying', 'pending', or 'failed'. Note: If this filter is used in Fleet Premium without a fleet ID filter, the results include only "Unassigned" hosts.
os_settings_disk_encryption	string	query	Filters the hosts by disk encryption status. Valid options are 'verified', 'verifying', 'action_required', 'enforcing', 'failed', or 'removing_enforcement'. Note: If this filter is used in Fleet Premium without a fleet ID filter, the results include only "Unassigned" hosts.

If mdm_id, mdm_name, mdm_enrollment_status, os_settings, or os_settings_disk_encryption is specified, then Windows Servers are excluded from the results.

Example

GET /api/v1/fleet/labels/6/hosts&query=floobar

Default response

Status: 200

{
  "hosts": [
    {
      "created_at": "2021-02-03T16:11:43Z",
      "updated_at": "2021-02-03T21:58:19Z",
      "id": 2,
      "detail_updated_at": "2021-02-03T21:58:10Z",
      "label_updated_at": "2021-02-03T21:58:10Z",
      "policy_updated_at": "2023-06-26T18:33:15Z",
      "last_enrolled_at": "2021-02-03T16:11:43Z",
      "software_updated_at": "2020-11-05T05:09:44Z",
      "seen_time": "2021-02-03T21:58:20Z",
      "refetch_requested": false,
      "hostname": "floobar42",
      "uuid": "a2064cef-0000-0000-afb9-283e3c1d487e",
      "platform": "ubuntu",
      "osquery_version": "4.5.1",
      "os_version": "Ubuntu 20.4.0",
      "build": "",
      "platform_like": "debian",
      "code_name": "",
      "uptime": 32688000000000,
      "memory": 2086899712,
      "cpu_type": "x86_64",
      "cpu_subtype": "142",
      "cpu_brand": "Intel(R) Core(TM) i5-8279U CPU @ 2.40GHz",
      "cpu_physical_cores": 4,
      "cpu_logical_cores": 4,
      "hardware_vendor": "",
      "hardware_model": "",
      "hardware_version": "",
      "hardware_serial": "",
      "computer_name": "e2e7f8d8983d",
      "timezone": null,
      "display_name": "e2e7f8d8983d",
      "primary_ip": "172.20.0.2",
      "primary_mac": "02:42:ac:14:00:02",
      "distributed_interval": 10,
      "config_tls_refresh": 10,
      "logger_tls_period": 10,
      "team_id": null,
      "fleet_id": null,
      "pack_stats": null,
      "team_name": null,
      "fleet_name": null,
      "status": "offline",
      "display_text": "e2e7f8d8983d",
      "mdm": {
        "encryption_key_available": false,
        "enrollment_status": null,
        "name": "",
        "server_url": null
      }
    }
  ]
}

Delete label by name

Deletes the label specified by name.

DELETE /api/v1/fleet/labels/:name

Parameters

Name	Type	In	Description
name	string	path	Required. The label's name.

Example

DELETE /api/v1/fleet/labels/ubuntu_label

Default response

Status: 200

Delete label by ID

Deletes the label specified by ID.

DELETE /api/v1/fleet/labels/id/:id

Parameters

Name	Type	In	Description
id	integer	path	Required. The label's id.

Example

DELETE /api/v1/fleet/labels/id/13

Default response

Status: 200

---

OS settings

• Create custom OS setting (configuration profile)
• List custom OS settings (configuration profiles)
• Get or download custom OS setting (configuration profile)
• Delete custom OS setting (configuration profile)
• Batch-update custom OS settings (configuration profiles)
• Update disk encryption
• Get disk encryption status
• Update Recovery Lock
• Get OS settings (configuration profiles) status
• Get OS setting (configuration profile) status
• Resend custom OS setting (configuration profile)
• Batch-resend custom OS setting (configuration profile)

Create custom OS setting (configuration profile)

Experimental feature. Deploying Windows SCEP profile is undergoing rapid improvement, which may result in breaking changes to the API or configuration surface. It is not recommended for use in automated workflows.

Add custom macOS setting (POST /api/v1/fleet/mdm/apple/profiles) API endpoint is deprecated as of Fleet 4.41. It is maintained for backwards compatibility. Please use the below API endpoint instead.

Add a configuration profile to enforce custom settings on macOS and Windows hosts.

You need to send a request of type multipart/form-data.

This endpoint accepts a maximum request body size of 1.5MiB.

POST /api/v1/fleet/configuration_profiles

Parameters

Name	Type	In	Description
profile	file	body	Required. The .mobileconfig and JSON for macOS or XML for Windows file containing the profile.
fleet_id	string	body	Available in Fleet Premium. The fleet ID for the profile. If specified, the profile is applied to only hosts that are assigned to the specified fleet. If not specified, the profile is applied to only hosts that are "Unassigned".
labels_include_all	array	body	Available in Fleet Premium. Target hosts that have all labels, specified by label name, in the array.
labels_include_any	array	body	Available in Fleet Premium. Target hosts that have any label, specified by label name, in the array.
labels_exclude_any	array	body	Available in Fleet Premium. Target hosts that that don’t have any label, specified by label name, in the array.

Only one of labels_include_all, labels_include_any, or labels_exclude_any can be specified. If none are specified, all hosts are targeted.

If the response is Status: 409 Conflict, the body may include additional error details in the case of duplicate payload display name or duplicate payload identifier (macOS profiles).

Example

Add a new configuration profile to be applied to macOS hosts assigned to a fleet. Note that in this example the form data specifies fleet_id in addition to profile.

POST /api/v1/fleet/configuration_profiles

Request body

profile="Foo.mobileconfig"
fleet_id="1"
labels_include_all="Label name 1"

Default response

Status: 200

{
  "profile_uuid": "954ec5ea-a334-4825-87b3-937e7e381f24"
}

List custom OS settings (configuration profiles)

List custom macOS settings (GET /api/v1/fleet/mdm/apple/profiles) API endpoint is deprecated as of Fleet 4.41. It is maintained for backwards compatibility. Please use the below API endpoint instead.

Get a list of the configuration profiles in Fleet.

For Fleet Premium, the list can optionally be filtered by fleet ID. If no fleet ID is specified, fleet profiles are excluded from the results (i.e., only profiles that are associated with "Unassigned" are listed).

GET /api/v1/fleet/configuration_profiles

Parameters

Name	Type	In	Description
fleet_id	string	query	Available in Fleet Premium. The fleet id to filter profiles.
page	integer	query	Page number of the results to fetch.
per_page	integer	query	Results per page.
order_key	string	query	What to order results by. Can be ordered by name, created_at, or uploaded_at.
order_direction	string	query	Requires order_key. The direction of the order given the order key. Options include "asc" and "desc". Default is "asc".
after	string	query	The value to get results after. This needs order_key defined, as that's the column that would be used.

Example

List all configuration profiles for macOS and Windows hosts enrolled to Fleet's MDM that are "Unassigned".

GET /api/v1/fleet/configuration_profiles

Default response

Status: 200

{
  "profiles": [
    {
      "profile_uuid": "39f6cbbc-fe7b-4adc-b7a9-542d1af89c63",
      "team_id": 0,
      "name": "Example macOS profile",
      "platform": "darwin",
      "identifier": "com.example.profile",
      "created_at": "2023-03-31T00:00:00Z",
      "updated_at": "2023-03-31T00:00:00Z",
      "checksum": "dGVzdAo=",
      "labels_exclude_any": [
       {
        "name": "Label name 1",
        "id": 1
       }
      ]
    },
    {
      "profile_uuid": "f5ad01cc-f416-4b5f-88f3-a26da3b56a19",
      "team_id": 0,
      "name": "Example Windows profile",
      "platform": "windows",
      "created_at": "2023-04-31T00:00:00Z",
      "updated_at": "2023-04-31T00:00:00Z",
      "checksum": "aCLemVr)",
      "labels_include_all": [
        {
          "name": "Label name 2",
          "broken": true,
        },
        {
          "name": "Label name 3",
          "id": 3
        }
      ]
    }
  ],
  "meta": {
    "has_next_results": false,
    "has_previous_results": false
  }
}

If one or more assigned labels are deleted the profile is considered broken (broken: true). It won’t be applied to new hosts.

Get or download custom OS setting (configuration profile)

Download custom macOS setting (GET /api/v1/fleet/mdm/apple/profiles/:profile_id) API endpoint is deprecated as of Fleet 4.41. It is maintained for backwards compatibility. Please use the API endpoint below instead.

GET /api/v1/fleet/configuration_profiles/:profile_uuid

Parameters

Name	Type	In	Description
profile_uuid	string	url	Required The UUID of the profile to download.
alt	string	query	If specified and set to "media", downloads the profile.

Example (get a profile metadata)

GET /api/v1/fleet/configuration_profiles/f663713f-04ee-40f0-a95a-7af428c351a9

Default response

Status: 200

{
  "profile_uuid": "f663713f-04ee-40f0-a95a-7af428c351a9",
  "team_id": 0,
  "name": "Example profile",
  "platform": "darwin",
  "identifier": "com.example.profile",
  "created_at": "2023-03-31T00:00:00Z",
  "updated_at": "2023-03-31T00:00:00Z",
  "checksum": "dGVzdAo=",
  "labels_include_all": [
    {
      "name": "Label name 1",
      "id": 1,
      "broken": true
    },
    {
      "name": "Label name 2",
      "id": 2
    }
  ]
}

Example (download a profile)

GET /api/v1/fleet/configuration_profiles/f663713f-04ee-40f0-a95a-7af428c351a9?alt=media

Default response

Status: 200

Note To confirm success, it is important for clients to match content length with the response header (this is done automatically by most clients, including the browser) rather than relying solely on the response status code returned by this endpoint.

Example response headers

  Content-Length: 542
  Content-Type: application/octet-stream
  Content-Disposition: attachment;filename="2023-03-31 Example profile.mobileconfig"

Example response body

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array/>
  <key>PayloadDisplayName</key>
  <string>Example profile</string>
  <key>PayloadIdentifier</key>
  <string>com.example.profile</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>0BBF3E23-7F56-48FC-A2B6-5ACC598A4A69</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>

Delete custom OS setting (configuration profile)

Delete custom macOS setting (DELETE /api/v1/fleet/mdm/apple/profiles/:profile_id) API endpoint is deprecated as of Fleet 4.41. It is maintained for backwards compatibility. Please use the below API endpoint instead.

DELETE /api/v1/fleet/configuration_profiles/:profile_uuid

Parameters

Name	Type	In	Description
profile_uuid	string	url	Required The UUID of the profile to delete.

Example

DELETE /api/v1/fleet/configuration_profiles/f663713f-04ee-40f0-a95a-7af428c351a9

Default response

Status: 200

Resend custom OS setting (configuration profile)

Resends a configuration profile for the specified host. Currently, macOS, iOS, iPadOS configuration profiles (.mobileconfig) are supported, as well as Windows (.xml) configuration profiles.

POST /api/v1/fleet/hosts/:id/configuration_profiles/:profile_uuid/resend

Parameters

Name	Type	In	Description
id	integer	path	Required. The host's ID.
profile_uuid	string	path	Required. The UUID of the configuration profile to resend to the host.

Example

POST /api/v1/fleet/hosts/233/configuration_profiles/fc14a20-84a2-42d8-9257-a425f62bb54d/resend

Default response

Status: 202

Batch-update custom OS settings (configuration profiles)

Modify configuration profiles for a fleet. The provided list of profiles will be the active profiles for the specified fleet. If no fleet (fleet_id or fleet_name) is provided, the profiles are applied for all hosts (Fleet Free) or for hosts that are "Unassigned" (Fleet Premium).

For Apple (macOS, iOS, iPadOS) profiles, Fleet will send only an InstallProfile command (edit) for all existing profiles with the same PayloadIdentifier (specified in the .mobileconfig file). Fleet will send a RemoveProfile command to hosts for all existing profiles that are not part of the list.

For Windows profiles, Fleet applies new profiles or updates when content changes, and deletes profiles no longer in the list. It does not send commands to remove configuration profiles from Windows hosts.

For declaration (DDM) profiles, hosts with new, updated, or removed profiles are marked “Pending,” and Fleet sends a DeclarativeManagement command to tell Apple (macOS, iOS, iPadOS) hosts to sync profiles. If declarations are current, no command is sent and the host is not marked "Pending."

For requests with 100+ profiles, requests will take 5+ seconds.

This endpoint accepts a maximum request body size of 25MiB.

POST /api/v1/fleet/configuration_profiles/batch

Parameters

Name	Type	In	Description
fleet_id	number	query	Available in Fleet Premium The fleet ID to apply the configuration profiles to. Only one of fleet_name or fleet_id may be included in the request.
fleet_name	string	query	Available in Fleet Premium The name of the fleet to apply the custom settings to. Only one of fleet_name or fleet_id may be included in the request.
dry_run	bool	query	Validate the provided profiles and return any validation errors, but do not apply the changes.
configuration_profiles	object	body	Required. See configuration_profiles

Configuration profiles

Name	Type	Description
profile	string	Base64 encoded configuration profile (.mobileconfig) or declaration (DDM) profile for Apple (macOS, iOS, iPadOS) hosts, JSON profile for Android hosts, or XML profile for Windows hosts.
labels_include_all	array	Available in Fleet Premium. Target hosts that have all labels, specified by label name, in the array.
labels_include_any	array	Available in Fleet Premium. Target hosts that have any label, specified by label name, in the array.
labels_exclude_any	array	Available in Fleet Premium. Target hosts that that don’t have any label, specified by label name, in the array.
display_name	string	Required for Windows and declaration (DDM) profiles. It's not supported for .mobileconfig profiles. Instead, the profiles PayloadDisplayName is used.

For each profile, only one of labels_include_all, labels_include_any, or labels_exclude_any can be specified. If neither is set, all hosts on the specified platform are targeted.

Example

POST /api/v1/fleet/configuration_profiles/batch?fleet_id=1

Request body

{
  "configuration_profiles": [
    {
      "profile": "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPCFET0NUWVBFIHBsaXN0IFBVQkxJQyAiLS8vQXBwbGUvL0RURCBQTElTVCAxLjAvL0VOIiAiaHR0cDovL3d3dy5hcHBsZS5jb20vRFREcy9Qcm9wZXJ0eUxpc3QtMS4wLmR0ZCI+CjxwbGlzdCB2ZXJzaW9uPSIxLjAiPgo8ZGljdD4KCTxrZXk+UGF5bG9hZENvbnRlbnQ8L2tleT4KCTxhcnJheT4KCQk8ZGljdD4KCQkJPGtleT5BbGxvd1ByZVJlbGVhc2VJbnN0YWxsYXRpb248L2tleT4KCQkJPHRydWUvPgoJCQk8a2V5PkF1dG9tYXRpY0NoZWNrRW5hYmxlZDwva2V5PgoJCQk8dHJ1ZS8+CgkJCTxrZXk+QXV0b21hdGljRG93bmxvYWQ8L2tleT4KCQkJPHRydWUvPgoJCQk8a2V5PkF1dG9tYXRpY2FsbHlJbnN0YWxsQXBwVXBkYXRlczwva2V5PgoJCQk8dHJ1ZS8+CgkJCTxrZXk+QXV0b21hdGljYWxseUluc3RhbGxNYWNPU1VwZGF0ZXM8L2tleT4KCQkJPHRydWUvPgoJCQk8a2V5PkNvbmZpZ0RhdGFJbnN0YWxsPC9rZXk+CgkJCTx0cnVlLz4KCQkJPGtleT5Dcml0aWNhbFVwZGF0ZUluc3RhbGw8L2tleT4KCQkJPHRydWUvPgoJCQk8a2V5PlBheWxvYWREZXNjcmlwdGlvbjwva2V5PgoJCQk8c3RyaW5nPkNvbmZpZ3VyZXMgU29mdHdhcmUgVXBkYXRlIHNldHRpbmdzPC9zdHJpbmc+CgkJCTxrZXk+UGF5bG9hZERpc3BsYXlOYW1lPC9rZXk+CgkJCTxzdHJpbmc+U29mdHdhcmUgVXBkYXRlPC9zdHJpbmc+CgkJCTxrZXk+UGF5bG9hZElkZW50aWZpZXI8L2tleT4KCQkJPHN0cmluZz5jb20uZ2l0aHViLmVyaWtiZXJnbHVuZC5Qcm9maWxlQ3JlYXRvci5CRUJBMDc0MC00RERCLTRBQzQtODVEQy1CQTQ4Qjk2QzBEQzguY29tLmFwcGxlLlNvZnR3YXJlVXBkYXRlLkE4Qjk3MDMyLTc2NDUtNDA2OC1CNDU3LTAxREU1QzZCMzNGNzwvc3RyaW5nPgoJCQk8a2V5PlBheWxvYWRPcmdhbml6YXRpb248L2tleT4KCQkJPHN0cmluZz48L3N0cmluZz4KCQkJPGtleT5QYXlsb2FkVHlwZTwva2V5PgoJCQk8c3RyaW5nPmNvbS5hcHBsZS5Tb2Z0d2FyZVVwZGF0ZTwvc3RyaW5nPgoJCQk8a2V5PlBheWxvYWRVVUlEPC9rZXk+CgkJCTxzdHJpbmc+QThCOTcwMzItNzY0NS00MDY4LUI0NTctMDFERTVDNkIzM0Y3PC9zdHJpbmc+CgkJCTxrZXk+UGF5bG9hZFZlcnNpb248L2tleT4KCQkJPGludGVnZXI+MTwvaW50ZWdlcj4KCQk8L2RpY3Q+Cgk8L2FycmF5PgoJPGtleT5QYXlsb2FkRGVzY3JpcHRpb248L2tleT4KCTxzdHJpbmc+RW5hYmxlcyBhdXRvbWF0aWMgdXBkYXRlczwvc3RyaW5nPgoJPGtleT5QYXlsb2FkRGlzcGxheU5hbWU8L2tleT4KCTxzdHJpbmc+VHVybiBvbiBhdXRvbWF0aWMgdXBkYXRlczwvc3RyaW5nPgoJPGtleT5QYXlsb2FkSWRlbnRpZmllcjwva2V5PgoJPHN0cmluZz5jb20uZ2l0aHViLmVyaWtiZXJnbHVuZC5Qcm9maWxlQ3JlYXRvci5CRUJBMDc0MC00RERCLTRBQzQtODVEQy1CQTQ4Qjk2QzBEQzg8L3N0cmluZz4KCTxrZXk+UGF5bG9hZE9yZ2FuaXphdGlvbjwva2V5PgoJPHN0cmluZz5GbGVldERNPC9zdHJpbmc+Cgk8a2V5PlBheWxvYWRSZW1vdmFsRGlzYWxsb3dlZDwva2V5PgoJPHRydWUvPgoJPGtleT5QYXlsb2FkU2NvcGU8L2tleT4KCTxzdHJpbmc+U3lzdGVtPC9zdHJpbmc+Cgk8a2V5PlBheWxvYWRUeXBlPC9rZXk+Cgk8c3RyaW5nPkNvbmZpZ3VyYXRpb248L3N0cmluZz4KCTxrZXk+UGF5bG9hZFVVSUQ8L2tleT4KCTxzdHJpbmc+QkVCQTA3NDAtNEREQi00QUM0LTg1REMtQkE0OEI5NkMwREM4PC9zdHJpbmc+Cgk8a2V5PlBheWxvYWRWZXJzaW9uPC9rZXk+Cgk8aW50ZWdlcj4xPC9pbnRlZ2VyPgo8L2RpY3Q+CjwvcGxpc3Q+",
      "labels_include_any": [
        "Apple Silicon macOS hosts"
      ],
    }
  ]
}

Default response

204

Resend custom OS setting (configuration profile) by Fleet Desktop token

Resends a configuration profile for the specified host. Currently, macOS, iOS, iPadOS configuration profiles (.mobileconfig) are supported, as well as Windows (.xml) configuration profiles.

POST /api/v1/fleet/device/:token/configuration_profiles/:profile_uuid/resend

Parameters

Name	Type	In	Description
token	string	path	Required. The host's Fleet Desktop token.
profile_uuid	string	path	Required. The UUID of the configuration profile to resend to the host.

Example

POST /api/v1/fleet/device/abcdef012456789/configuration_profiles/fc14a20-84a2-42d8-9257-a425f62bb54d/resend

Default response

Status: 202

Batch-resend custom OS setting (configuration profile)

POST /api/v1/fleet/configuration_profiles/resend/batch

Parameters

Name	Type	In	Description
profile_uuid	integer	body	Required. The UUID of the existing configuration profile you'd like to resend.
filters	object	body	Required. See filters

Filters

Name	Type	Description
profile_status	string	Profile status. Currently, "failed" is supported.

Example

POST /api/v1/fleet/configuration_profiles/batch/resend

Request body

{
  "profile_uuid": "f663713f-04ee-40f0-a95a-7af428c351a9",
  "filters": {
    "profile_status": "failed"
  }
}

Default response

Status: 202

Update disk encryption

The PATCH /api/v1/fleet/mdm/apple/settings API endpoint is deprecated as of Fleet 4.45. It is maintained for backward compatibility. Please use the new API endpoint below. You can view archived documentation for the deprecated endpoint.

Available in Fleet Premium

POST /api/v1/fleet/disk_encryption

Parameters

Name	Type	In	Description
fleet_id	integer	body	The fleet ID to apply the settings to. Settings are applied to "Unassigned" hosts if absent.
enable_disk_encryption	boolean	body	Whether disk encryption should be enforced on devices that belong to the fleet (or "Unassigned").
windows_require_bitlocker_pin	boolean	body	End users on Windows hosts will be required to set a BitLocker PIN if set to true. enable_disk_encryption must be set to true. When the PIN is set, it's required to unlock Windows host during startup.

Example

POST /api/v1/fleet/disk_encryption

Default response

204

Get disk encryption status

Available in Fleet Premium

Get aggregate status counts of disk encryption enforced on macOS and Windows hosts.

The summary can optionally be filtered by fleet ID.

GET /api/v1/fleet/disk_encryption

Parameters

Name	Type	In	Description
fleet_id	string	query	Available in Fleet Premium. The fleet ID to filter the summary.

Example

GET /api/v1/fleet/disk_encryption

Default response

Status: 200

{
  "verified": {"macos": 123, "windows": 123, "linux": 13},
  "verifying": {"macos": 123, "windows": 0, "linux": 0},
  "action_required": {"macos": 123, "windows": 0, "linux": 37},
  "enforcing": {"macos": 123, "windows": 123, "linux": 0},
  "failed": {"macos": 123, "windows": 123, "linux": 0},
  "removing_enforcement": {"macos": 123, "windows": 0, "linux": 0}
}

Update Recovery Lock

Available in Fleet Premium

Edit Recovery Lock password enforcement settings for eligible macOS hosts.

POST /api/v1/fleet/recovery_lock_password

Parameters

Name	Type	In	Description
team_id	integer	body	The team ID to apply the settings to. If omitted, settings apply to unassigned hosts.
enable_recovery_lock_password	boolean	body	Whether to enforce Recovery Lock password on eligible hosts.

Example

POST /api/v1/fleet/recovery_lock_password

Default response

204

Get OS settings (configuration profiles) status

Get macOS settings statistics (GET /api/v1/fleet/mdm/apple/profiles/summary) API endpoint is deprecated as of Fleet 4.41. It is maintained for backwards compatibility. Please use the below API endpoint instead.

Get aggregate status counts of all OS settings (configuration profiles, Recovery Lock passwords, and disk encryption) enforced on hosts.

For Fleet Premium users, the counts can optionally be filtered by fleet_id. If no fleet_id is specified, fleet profiles are excluded from the results (i.e., only profiles that are associated with "Unassigned" are listed).

GET /api/v1/fleet/configuration_profiles/summary

Parameters

Name	Type	In	Description
fleet_id	string	query	Available in Fleet Premium. The fleet ID to filter profiles.

Example

Get aggregate status counts of profiles for macOS and Windows hosts that are "Unassigned".

GET /api/v1/fleet/configuration_profiles/summary

Default response

Status: 200

{
  "verified": 123,
  "verifying": 123,
  "failed": 123,
  "pending": 123
}

Get OS setting (configuration profile) status

Get status counts of a single OS settings (configuration profile) enforced on hosts.

GET /api/v1/fleet/configuration_profile/:profile_uuid/status

Parameters

Name	Type	In	Description
profile_uuid	string	query	Required. The UUID of configuration profile.

Example

GET /api/v1/fleet/configuration_profile/f663713f-04ee-40f0-a95a-7af428c351a9/status

Default response

Status: 200

{
  "verified": 123,
  "verifying": 123,
  "failed": 123,
  "pending": 123,
}

---

Setup experience

• Update custom MDM setup enrollment profile
• Get custom MDM setup enrollment profile
• Delete custom MDM setup enrollment profile
• Get Over-the-Air (OTA) enrollment profile
• Get manual enrollment profile
• Create bootstrap package
• Get bootstrap package metadata
• Delete bootstrap package
• Download bootstrap package
• Get bootstrap package status
• Update setup experience
• Create EULA
• Get EULA metadata
• Delete EULA
• Download EULA
• List setup experience software
• Update setup experience software (setup experience)
• Create setup experience script
• Get or download setup experience script
• Delete setup experience script

Update custom MDM setup enrollment profile

Available in Fleet Premium

Sets the custom MDM setup enrollment profile for a fleet or "Unassigned".

POST /api/v1/fleet/enrollment_profiles/automatic

Parameters

Name	Type	In	Description
fleet_id	integer	json	The fleet ID this custom enrollment profile applies to, or "Unassigned" if omitted.
name	string	json	The filename of the uploaded custom enrollment profile.
enrollment_profile	object	json	The custom enrollment profile's json, as documented in https://developer.apple.com/documentation/devicemanagement/profile.

Example

POST /api/v1/fleet/enrollment_profiles/automatic

Default response

Status: 200

{
  "team_id": 123,
  "fleet_id": 123,
  "name": "dep_profile.json",
  "uploaded_at": "2023-04-04:00:00Z",
  "enrollment_profile": {
    "is_mandatory": true,
    "is_mdm_removable": false
  }
}

NOTE: The ConfigurationWebURL and URL values in the custom MDM setup enrollment profile are automatically populated. Attempting to populate them with custom values may generate server response errors.

Get custom MDM setup enrollment profile

Available in Fleet Premium

Gets the custom MDM setup enrollment profile for a fleet or "Unassigned".

GET /api/v1/fleet/enrollment_profiles/automatic

Parameters

Name	Type	In	Description
fleet_id	integer	query	The fleet ID for which to return the custom enrollment profile, or "Unassigned" if omitted.

Example

GET /api/v1/fleet/enrollment_profiles/automatic?fleet_id=123

Default response

Status: 200

{
  "team_id": 123,
  "fleet_id": 123,
  "name": "dep_profile.json",
  "uploaded_at": "2023-04-04:00:00Z",
  "enrollment_profile": {
    "is_mandatory": true,
    "is_mdm_removable": false
  }
}

Delete custom MDM setup enrollment profile

Available in Fleet Premium

Deletes the custom MDM setup enrollment profile assigned to a fleet or "Unassigned".

DELETE /api/v1/fleet/enrollment_profiles/automatic

Parameters

Name	Type	In	Description
fleet_id	integer	query	The fleet ID for which to delete the custom enrollment profile, or "Unassigned" if omitted.

Example

DELETE /api/v1/fleet/enrollment_profiles/automatic?fleet_id=123

Default response

Status: 204

Get Over-the-Air (OTA) enrollment profile

GET /api/v1/fleet/enrollment_profiles/ota

The returned value is a signed .mobileconfig OTA enrollment profile (see Apple enrollment profile docs). Install this profile on macOS, iOS, or iPadOS hosts to enroll them to a specific fleet in Fleet and turn on MDM features.

If the fleet has end user authentication enabled, the OTA enrollment profile won't work. Use the manual enrollment profile instead.

To enroll macOS hosts, turn on MDM features, and add human-device mapping, use the manual enrollment profile instead.

Parameters

Name	Type	In	Description
enroll_secret	string	query	Required. The enroll secret of the fleet this host will be assigned to.

Example

GET /api/v1/fleet/enrollment_profiles/ota?enroll_secret=foobar

Default response

Status: 200

Note: To confirm success, it is important for clients to match content length with the response header (this is done automatically by most clients, including the browser) rather than relying solely on the response status code returned by this endpoint.

Example response headers

  Content-Length: 542
  Content-Type: application/x-apple-aspen-config; charset=utf-8
  Content-Disposition: attachment;filename="fleet-mdm-enrollment-profile.mobileconfig"
  X-Content-Type-Options: nosniff

Example response body

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Inc//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>PayloadContent</key>
    <dict>
      <key>URL</key>
      <string>https://foo.example.com/api/fleet/ota_enrollment?enroll_secret=foobar</string>
      <key>DeviceAttributes</key>
      <array>
        <string>UDID</string>
        <string>VERSION</string>
        <string>PRODUCT</string>
        <string>SERIAL</string>
      </array>
    </dict>
    <key>PayloadOrganization</key>
    <string>Acme Inc.</string>
    <key>PayloadDisplayName</key>
    <string>Acme Inc. enrollment</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadUUID</key>
    <string>fdb376e5-b5bb-4d8c-829e-e90865f990c9</string>
    <key>PayloadIdentifier</key>
    <string>com.fleetdm.fleet.mdm.apple.ota</string>
    <key>PayloadType</key>
    <string>Profile Service</string>
  </dict>
</plist>

Get manual enrollment profile

Retrieves an unsigned manual enrollment profile for macOS hosts. Install this profile on macOS hosts to turn on MDM features manually.

To add human-device mapping, add the end user's email to the enrollment profile.

GET /api/v1/fleet/enrollment_profiles/manual

Example

GET /api/v1/fleet/enrollment_profiles/manual

Default response

Status: 200

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<!-- ... -->
</plist>

Create bootstrap package

Available in Fleet Premium

Upload a bootstrap package that will be automatically installed during DEP setup.

You need to send a request of type multipart/form-data.

This endpoint accepts a maximum request body size of 10GB.

POST /api/v1/fleet/bootstrap

Parameters

Name	Type	In	Description
package	file	body	Required. The bootstrap package installer. It must be a signed pkg file.
fleet_id	string	body	The fleet ID for the package. If specified, the package will be installed to hosts that are assigned to the specified fleet. If not specified, the package will be installed on "Unassigned" hosts.
manual_agent_install	boolean	body	If set to true Fleet's agent (fleetd) won't be installed as part of automatic enrollment (ADE) on macOS hosts. (Default: false)

Example

Upload a bootstrap package that will be installed to macOS hosts enrolled to MDM that are assigned to a fleet. Note that in this example the form data specifies fleet_id in addition to package.

POST /api/v1/fleet/bootstrap

Request body

fleet_id="1"
package="bootstrap-package.pkg"

Default response

Status: 200

Get bootstrap package metadata

Available in Fleet Premium

Get information about a bootstrap package that was uploaded to Fleet.

GET /api/v1/fleet/bootstrap/:fleet_id/metadata

Parameters

Name	Type	In	Description
fleet_id	string	url	Required The fleet ID for the package. Zero (0) can be specified to get information about the bootstrap package for "Unassigned" hosts.
for_update	boolean	query	If set to true, the authorization will be for a write action instead of a read. Useful for the write-only gitops role when requesting the bootstrap metadata to check if the package needs to be replaced.

Example

GET /api/v1/fleet/bootstrap/0/metadata

Default response

Status: 200

{
  "name": "bootstrap-package.pkg",
  "team_id": 0,
  "fleet_id": 0,
  "sha256": "6bebb4433322fd52837de9e4787de534b4089ac645b0692dfb74d000438da4a3",
  "token": "AA598E2A-7952-46E3-B89D-526D45F7E233",
  "created_at": "2023-04-20T13:02:05Z"
}

In the response above:

• token is the value you can use to download a bootstrap package
• sha256 is the SHA256 digest of the bytes of the bootstrap package file.

Delete bootstrap package

Available in Fleet Premium

Delete a fleet's bootstrap package.

DELETE /api/v1/fleet/bootstrap/:fleet_id

Parameters

Name	Type	In	Description
fleet_id	string	url	Required The fleet ID for the package. Zero (0) can be specified to get information about the bootstrap package for "Unassigned" hosts.

Example

DELETE /api/v1/fleet/bootstrap/1

Default response

Status: 200

Download bootstrap package

Available in Fleet Premium

Download a bootstrap package.

GET /api/v1/fleet/bootstrap

Parameters

Name	Type	In	Description
token	string	query	Required The token of the bootstrap package.

Example

GET /api/v1/fleet/bootstrap?token=AA598E2A-7952-46E3-B89D-526D45F7E233

Default response

Status: 200

Status: 200
Content-Type: application/octet-stream
Content-Disposition: attachment
Content-Length: <length>
Body: <blob>

Get bootstrap package status

Available in Fleet Premium

Get aggregate status counts of bootstrap packages delivered to DEP enrolled hosts.

The summary can optionally be filtered by fleet ID.

GET /api/v1/fleet/bootstrap/summary

Parameters

Name	Type	In	Description
fleet_id	string	query	The fleet ID to filter the summary.

Example

GET /api/v1/fleet/bootstrap/summary

Default response

Status: 200

{
  "installed": 10,
  "failed": 1,
  "pending": 4
}

Update setup experience

Experimental feature. The manual_agent_install feature is undergoing rapid improvement, which may result in breaking changes to the API or configuration surface. It is not recommended for use in automated workflows.

Available in Fleet Premium

PATCH /api/v1/fleet/setup_experience

Parameters

Name	Type	In	Description
fleet_id	integer	body	The fleet ID to apply the settings to. Settings are applied to "Unassigned" hosts if absent.
enable_end_user_authentication	boolean	body	When enabled, require end users to authenticate with your identity provider (IdP) when they set up their new macOS hosts.
lock_end_user_info	boolean	body	When enabled, end user can't edit the local account's Account Name and Full Name in macOS Setup Assistant. These fields will be locked to values from your IdP. (Default: true)
require_all_software_macos	boolean	body	If set to true, setup will be canceled on macOS hosts if any software installs fail.
enable_release_device_manually	boolean	body	When enabled, you're responsible for sending the DeviceConfigured command. End users will be stuck in Setup Assistant until this command is sent.
manual_agent_install	boolean	body	If set to true Fleet's agent (fleetd) won't be installed as part of automatic enrollment (ADE) on macOS hosts. (Default: false)

Example

PATCH /api/v1/fleet/setup_experience

Request body

{
  "team_id": 1,
  "fleet_id": 1,
  "enable_end_user_authentication": true,
  "enable_release_device_manually": true
}

Default response

Status: 204

Create EULA

Available in Fleet Premium

Upload an EULA that will be shown during the DEP flow.

You need to send a request of type multipart/form-data.

This endpoint accepts a maximum request body size of 25MiB.

POST /api/v1/fleet/setup_experience/eula

Parameters

Name	Type	In	Description
eula	file	body	Required. A PDF document containing the EULA.

Example

POST /api/v1/fleet/setup_experience/eula

Request body

eula="eula.pdf"

Default response

Status: 200

Get EULA metadata

Available in Fleet Premium

Get information about the EULA file that was uploaded to Fleet. If no EULA was previously uploaded, this endpoint returns a 404 status code.

GET /api/v1/fleet/setup_experience/eula/metadata

Example

GET /api/v1/fleet/setup_experience/eula/metadata

Default response

Status: 200

{
  "name": "eula.pdf",
  "token": "AA598E2A-7952-46E3-B89D-526D45F7E233",
  "created_at": "2023-04-20T13:02:05Z"
}

In the response above:

• token is the value you can use to download an EULA

Delete EULA

Available in Fleet Premium

Delete an EULA file.

DELETE /api/v1/fleet/setup_experience/eula/:token

Parameters

Name	Type	In	Description
token	string	path	Required The token of the EULA file.

Example

DELETE /api/v1/fleet/setup_experience/eula/AA598E2A-7952-46E3-B89D-526D45F7E233

Default response

Status: 200

Download EULA

Available in Fleet Premium

Download an EULA file

GET /api/v1/fleet/setup_experience/eula/:token

Parameters

Name	Type	In	Description
token	string	path	Required The token of the EULA file.

Example

GET /api/v1/fleet/setup_experience/eula/AA598E2A-7952-46E3-B89D-526D45F7E233

Default response

Status: 200

Status: 200
Content-Type: application/pdf
Content-Disposition: attachment
Content-Length: <length>
Body: <blob>

List setup experience software

Available in Fleet Premium

List software that can be automatically installed during setup. If install_during_setup is true it will be installed during setup.

GET /api/v1/fleet/setup_experience/software

Parameters

Name	Type	In	Description
platform	string	query	Filters software titles available for install by platforms. Options are "macos", "windows", "linux", "ios", "ipados", and "android". Defaults to "macos". To show titles from multiple platforms, separate the platforms with commas (e.g. ?platform=macos,ios,android).
fleet_id	integer	query	Available in Fleet Premium. The ID of the fleet to filter software by. If not specified, it will filter only software that's available for "Unassigned" hosts.
page	integer	query	Page number of the results to fetch.
per_page	integer	query	Results per page.
order_key	string	query	What to order results by. Allowed fields are name and hosts_count. Default is hosts_count (descending).
order_direction	string	query	Requires order_key. The direction of the order given the order key. Options include "asc" and "desc". Default is "asc".

Example

GET /api/v1/fleet/setup_experience/software?fleet_id=3

Default response

Status: 200

{
  "software_titles": [
    {
      "id": 12,
      "name": "Firefox.app",
      "icon_url": "/api/latest/fleet/software/titles/12/icon?fleet_id=3",
      "software_package": {
        "name": "FirefoxInstall.pkg",
        "platform": "darwin",
        "version": "125.6",
        "self_service": true,
        "install_during_setup": true
      },
      "app_store_app": null,
      "versions_count": 3,
      "source": "apps",
      "hosts_count": 48,
      "versions": [
        {
          "id": 123,
          "version": "1.12",
          "vulnerabilities": ["CVE-2023-1234","CVE-2023-4321","CVE-2023-7654"]
        },
        {
          "id": 124,
          "version": "3.4",
          "vulnerabilities": ["CVE-2023-1234","CVE-2023-4321","CVE-2023-7654"]
        },
        {
          "id": 12,
          "version": "1.13",
          "vulnerabilities": ["CVE-2023-1234","CVE-2023-4321","CVE-2023-7654"]
        }
      ]
    }
  ],
  "count": 2,
  "counts_updated_at": "2024-10-04T10:00:00Z",
  "meta": {
    "has_next_results": false,
    "has_previous_results": false
  }
}

Update setup experience software

Available in Fleet Premium

Set software that will be automatically installed during setup. Software that isn't included in the request will be unset.

PUT /api/v1/fleet/setup_experience/software

Parameters

Name	Type	In	Description
platform	string	query	Platform to install software for. Either "macos", "windows", "linux", "ios", "ipados", or "android". Defaults to "macos".
fleet_id	integer	query	Available in Fleet Premium. The ID of the fleet to set the software for. If not specified, it will set the software for "Unassigned" hosts.
software_title_ids	array	body	The ID of software titles to install during setup.

Example

PUT /api/v1/fleet/setup_experience/software

Request body

{
  "platform": "linux",
  "team_id": 1,
  "fleet_id": 1,
  "software_title_ids": [3000, 3001]
}

Default response

Status: 200

{}

Create setup experience script

Available in Fleet Premium

Add a script that will automatically run during macOS setup.

You need to send a request of type multipart/form-data.

POST /api/v1/fleet/setup_experience/script

Name	Type	In	Description
fleet_id	integer	body	Available in Fleet Premium. The ID of the fleet to add the script to. If not specified, a script will be added for "Unassigned" hosts.
script	file	body	The contents of the script to run during setup.

Example

POST /api/v1/fleet/setup_experience/script

Request body

fleet_id="1"
script="myscript.sh"

Default response

Status: 200

Update setup experience script

Available in Fleet Premium

Changes the script that will automatically run during macOS setup. Updates the existing script for the fleet, or for "Unassigned" hosts, if one already exists.

You need to send a request of type multipart/form-data.

PUT /api/v1/fleet/setup_experience/script

Name	Type	In	Description
fleet_id	integer	body	Available in Fleet Premium. The ID of the fleet to add the script to. If not specified, a script will be added for "Unassigned" hosts.
script	file	body	The contents of the script to run during setup.

Example

PUT /api/v1/fleet/setup_experience/script

Request body

fleet_id="1"
script="myscript.sh"

Default response

Status: 200

Get or download setup experience script

Available in Fleet Premium

Get a script that will automatically run during macOS setup.

GET /api/v1/fleet/setup_experience/script

Name	Type	In	Description
fleet_id	integer	query	Available in Fleet Premium. The ID of the fleet to get the script for. If not specified, script will be returned for "Unassigned" hosts.
alt	string	query	If specified and set to "media", downloads the script's contents.

Example (get script)

GET /api/v1/fleet/setup_experience/script?fleet_id=3

Default response

Status: 200

{
  "id": 1,
  "team_id": 3,
  "fleet_id": 3,
  "name": "setup-experience-script.sh",
  "created_at": "2023-07-30T13:41:07Z",
  "updated_at": "2023-07-30T13:41:07Z"
}

Example (download script)

GET /api/v1/fleet/setup_experience/script?fleet_id=3?alt=media

Example response headers

Content-Length: 13
Content-Type: application/octet-stream
Content-Disposition: attachment;filename="2023-09-27 script_1.sh"

Example response body

Status: 200

echo "hello"

Delete setup experience script

Available in Fleet Premium

Delete a script that will automatically run during macOS setup.

DELETE /api/v1/fleet/setup_experience/script

Name	Type	In	Description
fleet_id	integer	query	Available in Fleet Premium. The ID of the fleet to get the script for. If not specified, script will be returned for "Unassigned" hosts.

Example

DELETE /api/v1/fleet/setup_experience/script?fleet_id=3

Default response

Status: 200

---

Commands

• Run MDM command
• Get MDM command results
• List MDM commands

Run MDM command

POST /api/v1/fleet/mdm/apple/enqueue API endpoint is deprecated as of Fleet 4.40. It is maintained for backward compatibility. Please use the new API endpoint below. Archived documentation is available for the deprecated endpoint.

This endpoint tells Fleet to run a custom MDM command on the targeted macOS, iOS, iPadOS, or Windows hosts the next time they come online.

This endpoint accepts a maximum request body size of 2MiB.

POST /api/v1/fleet/commands/run

Parameters

Name	Type	In	Description
command	string	json	A Base64 encoded MDM command as described in Apple's documentation or Windows's documentation. Supported formats are standard and raw (unpadded). You can paste your Base64 code to the online decoder to check if you're using the valid format.
host_uuids	array	json	An array of host UUIDs enrolled in Fleet on which the command should run.

Note that the EraseDevice and DeviceLock commands are available in Fleet Premium only.

Example

POST /api/v1/fleet/commands/run

Default response

Status: 200

{
  "command_uuid": "a2064cef-0000-1234-afb9-283e3c1d487e",
  "request_type": "ProfileList"
}

Get MDM command results

GET /api/v1/fleet/mdm/apple/commandresults API endpoint is deprecated as of Fleet 4.40. It is maintained for backward compatibility. Please use the new API endpoint below. [Archived documentation is available for the deprecated endpoint.

This endpoint returns the results for a specific custom MDM command.

In the response, the possible status values for macOS, iOS, and iPadOS hosts are the following:

• Pending: the command has yet to run on the host. The host will run the command the next time it comes online.
• NotNow: the host acknowledged the MDM command but couldn’t run for one of Apple's documented reasons. Per Apple, the host retries automatically. Apple doesn’t specify when the retries happen, or whether they depend on clearing all blocking reasons or just one.
• Acknowledged: the host responded with "Acknowledged" status via the MDM protocol: the host processed the command successfully.
• Error: the host responded with "Error" status via the MDM protocol: an error occurred. Run the fleetctl get mdm-command-results --id=<insert-command-id to view the error.
• CommandFormatError: the host responded with "CommandFormatError" status via the MDM protocol: a protocol error occurred, which can result from a malformed command. Run the fleetctl get mdm-command-results --id=<insert-command-id to view the error.

The possible status values for Windows hosts are listed in Microsoft's OMA DM documentation.

GET /api/v1/fleet/commands/results

Parameters

Name	Type	In	Description
command_uuid	string	query	The unique identifier of the command.
host_identifier	string	query	The host's hostname, uuid, or hardware_serial. Returns only results for the specified host.

Example

GET /api/v1/fleet/commands/results?command_uuid=a2064cef-0000-1234-afb9-283e3c1d487e

Default response

Status: 200

{
  "results": [
    {
      "host_uuid": "145cafeb-87c7-4869-84d5-e4118a927746",
      "command_uuid": "a2064cef-0000-1234-afb9-283e3c1d487e",
      "status": "Acknowledged",
      "updated_at": "2023-04-04:00:00Z",
      "request_type": "ProfileList",
      "hostname": "mycomputer",
      "payload": "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjwhRE9DVFlQRSBwbGlzdCBQVUJMSUMgIi0vL0FwcGxlLy9EVEQgUExJU1QgMS4wLy9FTiIgImh0dHA6Ly93d3cuYXBwbGUuY29tL0RURHMvUHJvcGVydHlMaXN0LTEuMC5kdGQiPg0KPHBsaXN0IHZlcnNpb249IjEuMCI+DQo8ZGljdD4NCg0KCTxrZXk+UGF5bG9hZERlc2NyaXB0aW9uPC9rZXk+DQoJPHN0cmluZz5UaGlzIHByb2ZpbGUgY29uZmlndXJhdGlvbiBpcyBkZXNpZ25lZCB0byBhcHBseSB0aGUgQ0lTIEJlbmNobWFyayBmb3IgbWFjT1MgMTAuMTQgKHYyLjAuMCksIDEwLjE1ICh2Mi4wLjApLCAxMS4wICh2Mi4wLjApLCBhbmQgMTIuMCAodjEuMC4wKTwvc3RyaW5nPg0KCTxrZXk+UGF5bG9hZERpc3BsYXlOYW1lPC9rZXk+DQoJPHN0cmluZz5EaXNhYmxlIEJsdWV0b290aCBzaGFyaW5nPC9zdHJpbmc+DQoJPGtleT5QYXlsb2FkRW5hYmxlZDwva2V5Pg0KCTx0cnVlLz4NCgk8a2V5PlBheWxvYWRJZGVudGlmaWVyPC9rZXk+DQoJPHN0cmluZz5jaXMubWFjT1NCZW5jaG1hcmsuc2VjdGlvbjIuQmx1ZXRvb3RoU2hhcmluZzwvc3RyaW5nPg0KCTxrZXk+UGF5bG9hZFNjb3BlPC9rZXk+DQoJPHN0cmluZz5TeXN0ZW08L3N0cmluZz4NCgk8a2V5PlBheWxvYWRUeXBlPC9rZXk+DQoJPHN0cmluZz5Db25maWd1cmF0aW9uPC9zdHJpbmc+DQoJPGtleT5QYXlsb2FkVVVJRDwva2V5Pg0KCTxzdHJpbmc+NUNFQkQ3MTItMjhFQi00MzJCLTg0QzctQUEyOEE1QTM4M0Q4PC9zdHJpbmc+DQoJPGtleT5QYXlsb2FkVmVyc2lvbjwva2V5Pg0KCTxpbnRlZ2VyPjE8L2ludGVnZXI+DQogICAgPGtleT5QYXlsb2FkUmVtb3ZhbERpc2FsbG93ZWQ8L2tleT4NCiAgICA8dHJ1ZS8+DQoJPGtleT5QYXlsb2FkQ29udGVudDwva2V5Pg0KCTxhcnJheT4NCgkJPGRpY3Q+DQoJCQk8a2V5PlBheWxvYWRDb250ZW50PC9rZXk+DQoJCQk8ZGljdD4NCgkJCQk8a2V5PmNvbS5hcHBsZS5CbHVldG9vdGg8L2tleT4NCgkJCQk8ZGljdD4NCgkJCQkJPGtleT5Gb3JjZWQ8L2tleT4NCgkJCQkJPGFycmF5Pg0KCQkJCQkJPGRpY3Q+DQoJCQkJCQkJPGtleT5tY3hfcHJlZmVyZW5jZV9zZXR0aW5nczwva2V5Pg0KCQkJCQkJCTxkaWN0Pg0KCQkJCQkJCQk8a2V5PlByZWZLZXlTZXJ2aWNlc0VuYWJsZWQ8L2tleT4NCgkJCQkJCQkJPGZhbHNlLz4NCgkJCQkJCQk8L2RpY3Q+DQoJCQkJCQk8L2RpY3Q+DQoJCQkJCTwvYXJyYXk+DQoJCQkJPC9kaWN0Pg0KCQkJPC9kaWN0Pg0KCQkJPGtleT5QYXlsb2FkRGVzY3JpcHRpb248L2tleT4NCgkJCTxzdHJpbmc+RGlzYWJsZXMgQmx1ZXRvb3RoIFNoYXJpbmc8L3N0cmluZz4NCgkJCTxrZXk+UGF5bG9hZERpc3BsYXlOYW1lPC9rZXk+DQoJCQk8c3RyaW5nPkN1c3RvbTwvc3RyaW5nPg0KCQkJPGtleT5QYXlsb2FkRW5hYmxlZDwva2V5Pg0KCQkJPHRydWUvPg0KCQkJPGtleT5QYXlsb2FkSWRlbnRpZmllcjwva2V5Pg0KCQkJPHN0cmluZz4wMjQwREQxQy03MERDLTQ3NjYtOTAxOC0wNDMyMkJGRUVBRDE8L3N0cmluZz4NCgkJCTxrZXk+UGF5bG9hZFR5cGU8L2tleT4NCgkJCTxzdHJpbmc+Y29tLmFwcGxlLk1hbmFnZWRDbGllbnQucHJlZmVyZW5jZXM8L3N0cmluZz4NCgkJCTxrZXk+UGF5bG9hZFVVSUQ8L2tleT4NCgkJCTxzdHJpbmc+MDI0MEREMUMtNzBEQy00NzY2LTkwMTgtMDQzMjJCRkVFQUQxPC9zdHJpbmc+DQoJCQk8a2V5PlBheWxvYWRWZXJzaW9uPC9rZXk+DQoJCQk8aW50ZWdlcj4xPC9pbnRlZ2VyPg0KCQk8L2RpY3Q+DQoJPC9hcnJheT4NCjwvZGljdD4NCjwvcGxpc3Q+",
      "result": "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjwhRE9DVFlQRSBwbGlzdCBQVUJMSUMgIi0vL0FwcGxlLy9EVEQgUExJU1QgMS4wLy9FTiIgImh0dHA6Ly93d3cuYXBwbGUuY29tL0RURHMvUHJvcGVydHlMaXN0LTEuMC5kdGQiPg0KPHBsaXN0IHZlcnNpb249IjEuMCI+DQo8ZGljdD4NCiAgICA8a2V5PkNvbW1hbmRVVUlEPC9rZXk+DQogICAgPHN0cmluZz4wMDAxX0luc3RhbGxQcm9maWxlPC9zdHJpbmc+DQogICAgPGtleT5TdGF0dXM8L2tleT4NCiAgICA8c3RyaW5nPkFja25vd2xlZGdlZDwvc3RyaW5nPg0KICAgIDxrZXk+VURJRDwva2V5Pg0KICAgIDxzdHJpbmc+MDAwMDgwMjAtMDAwOTE1MDgzQzgwMDEyRTwvc3RyaW5nPg0KPC9kaWN0Pg0KPC9wbGlzdD4="
    }
  ]
}

Note: If the server has not yet received a result for a command, it will return an empty object ({}).

List MDM commands

GET /api/v1/fleet/mdm/apple/commands API endpoint is deprecated as of Fleet 4.40. It is maintained for backward compatibility. Please use the new API endpoint below. Archived documentation is available for the deprecated endpoint.

This endpoint returns the list of custom MDM commands that have been executed.

GET /api/v1/fleet/commands

Parameters

Name	Type	In	Description
page	integer	query	Page number of the results to fetch.
per_page	integer	query	Results per page. Default is 10.
order_key	string	query	What to order results by. Can be any field listed in the results array example below. Default is updated_at.
order_direction	string	query	Requires order_key. The direction of the order given the order key. Options include "asc" and "desc". Default is "asc".
host_identifier	string	query	The host's hostname, uuid, or hardware_serial. Returns only commands that target the specified host.
request_type	string	query	The request type to filter commands by.
command_status	string	query	Comma-separated string of one of the following options: 'ran', 'pending', or 'failed'.
after	string	query	The value to get results after. This needs order_key defined, as that's the column that would be used.

Currently, ⁠command_status is only available when ⁠host_identifier is provided and the host is macOS, iOS, or iPadOS. Additionally, ⁠count is returned only when ⁠command_status is ⁠pending; for any other values, ⁠count will be ⁠null.

Apple (macOS, iOS, iPadOS) MDM commands that 'ran' have an 'Acknowledged' status. Commands that are 'pending' have a 'Pending' or 'NotNow' status. Apple commands that 'failed' have an 'Error' status.

Example

GET /api/v1/fleet/commands?per_page=5

Default response

Status: 200

{
  "count": null,
  "results": [
    {
      "host_uuid": "145cafeb-87c7-4869-84d5-e4118a927746",
      "command_uuid": "a2064cef-0000-1234-afb9-283e3c1d487e",
      "status": "Acknowledged",
      "command_status": "ran",
      "updated_at": "2023-04-04:00:00Z",
      "request_type": "ProfileList",
      "hostname": "mycomputer"
    },
    {
      "host_uuid": "322vghee-12c7-8976-83a1-e2118a927342",
      "command_uuid": "d76d69b7-d806-45a9-8e49-9d6dc533485c",
      "status": "200",
      "command_status": "ran",
      "updated_at": "2023-05-04:00:00Z",
      "request_type": "./Device/Vendor/MSFT/Reboot/RebootNow",
      "hostname": "myhost"
    }
  ]
}

---

Integrations

• Get Apple Push Notification service (APNs)
• List Apple Business Manager (ABM) tokens
• List Volume Purchasing Program (VPP) tokens
• Get identity provider (IdP) details
• Get Android Enterprise

Get Apple Push Notification service (APNs)

GET /api/v1/fleet/apns

Parameters

None.

Example

GET /api/v1/fleet/apns

Default response

Status: 200

{
  "common_name": "APSP:04u52i98aewuh-xxxx-xxxx-xxxx-xxxx",
  "serial_number": "1234567890987654321",
  "issuer": "Apple Application Integration 2 Certification Authority",
  "renew_date": "2023-09-30T00:00:00Z"
}

List Apple Business Manager (ABM) tokens

Available in Fleet Premium

GET /api/v1/fleet/abm_tokens

Parameters

None.

Example

GET /api/v1/fleet/abm_tokens

Default response

Status: 200

"abm_tokens": [
  {
    "id": 1,
    "apple_id": "apple@example.com",
    "org_name": "Fleet Device Management Inc.",
    "mdm_server_url": "https://example.com/mdm/apple/mdm",
    "renew_date": "2023-11-29T00:00:00Z",
    "terms_expired": false,
    "macos_team": {
      "name": "💻 Workstations",
      "id": 1
    },
    "macos_fleet": {
      "name": "💻 Workstations",
      "id": 1
    },
    "ios_team": {
      "name": "📱🏢 Company-owned iPhones",
      "id": 2
    },
    "ios_fleet": {
      "name": "📱🏢 Company-owned iPhones",
      "id": 2
    },
    "ipados_team": {
      "name": "🔳🏢 Company-owned iPads",
      "id": 3
    },
    "ipados_fleet": {
      "name": "🔳🏢 Company-owned iPads",
      "id": 3
    }
  }
]

List Volume Purchasing Program (VPP) tokens

Available in Fleet Premium

GET /api/v1/fleet/vpp_tokens

Parameters

None.

Example

GET /api/v1/fleet/vpp_tokens

Default response

Status: 200

"vpp_tokens": [
  {
    "id": 1,
    "org_name": "Fleet Device Management Inc.",
    "location": "https://example.com/mdm/apple/mdm",
    "renew_date": "2023-11-29T00:00:00Z",
    "fleets": [
      {
        "name": "💻 Workstations",
        "id": 1
      },
      {
        "name": "💻🐣 Workstations (canary)",
        "id": 2
      },
      {
        "name": "📱🏢 Company-owned iPhones",
        "id": 3
      },
      {
        "name": "🔳🏢 Company-owned iPads",
        "id": 4
      }
    ],
  }
]

Get identity provider (IdP) details

Get details about the most recent SCIM (System for Cross-domain Identity Management) request from your identity provider (IdP).

GET /api/v1/fleet/scim/details

Parameters

None.

Example

GET /api/v1/fleet/scim/details

Default response

Status: 200

{
  "last_request": {
    "requested_at": "2025-03-11T02:02:17Z",
    "status": "success",
    "details": "",
  }
}

Get Android Enterprise

Experimental feature. This feature is undergoing rapid improvement, which may result in breaking changes to the API or configuration surface. It is not recommended for use in automated workflows.

Get info about Android Enterprise that's connected to Fleet.

GET /api/v1/fleet/android_enterprise

Parameters

None.

Example

GET /api/v1/fleet/android_enterprise

Default response

Status: 200

{
  "android_enterprise_id": "LC0445szuv"
}

---

Policies

• List policies
• List fleet policies
• Get policies count
• Get fleet policies count
• Get policy
• Get fleet policy
• Create policy
• Create fleet policy
• Delete policies
• Delete fleet policies
• Update policy
• Update fleet policy
• Reset policy automations

Policies are yes or no questions you can ask about your hosts.

Policies in Fleet are defined by osquery queries.

A passing host answers "yes" to a policy if the host returns results for a policy's query.

A failing host answers "no" to a policy if the host does not return results for a policy's query.

For example, a policy might ask “Is Gatekeeper enabled on macOS devices?“ This policy's osquery query might look like the following: SELECT 1 FROM gatekeeper WHERE assessments_enabled = 1;

List policies

GET /api/v1/fleet/global/policies

Parameters

Name	Type	In	Description
page	integer	query	Page number of the results to fetch.
per_page	integer	query	Results per page.
order_key	string	query	What to order results by. Allowed fields are id, name, team_id, created_at, updated_at, failing_host_count, and passing_host_count.
order_direction	string	query	Requires order_key. The direction of the order given the order key. Options include "asc" and "desc". Default is "asc".
after	string	query	The value to get results after. This needs order_key defined, as that's the column that would be used.

Example

GET /api/v1/fleet/global/policies

Default response

Status: 200

{
  "policies": [
    {
      "id": 1,
      "name": "Gatekeeper enabled",
      "query": "SELECT 1 FROM gatekeeper WHERE assessments_enabled = 1;",
      "description": "Checks if gatekeeper is enabled on macOS devices",
      "critical": false,
      "author_id": 42,
      "author_name": "John",
      "author_email": "john@example.com",
      "team_id": null,
      "resolution": "Resolution steps",
      "platform": "darwin",
      "created_at": "2021-12-15T15:23:57Z",
      "updated_at": "2021-12-15T15:23:57Z",
      "passing_host_count": 2000,
      "failing_host_count": 300,
      "host_count_updated_at": "2023-12-20T15:23:57Z",
      "labels_include_any": ["Macs on Sonoma"]
    },
    {
      "id": 2,
      "name": "Windows machines with encrypted hard disks",
      "query": "SELECT 1 FROM bitlocker_info WHERE protection_status = 1;",
      "description": "Checks if the hard disk is encrypted on Windows devices",
      "critical": true,
      "author_id": 43,
      "author_name": "Alice",
      "author_email": "alice@example.com",
      "team_id": null,
      "resolution": "Resolution steps",
      "platform": "windows",
      "created_at": "2021-12-31T14:52:27Z",
      "updated_at": "2022-02-10T20:59:35Z",
      "passing_host_count": 2300,
      "failing_host_count": 0,
      "host_count_updated_at": "2023-12-20T15:23:57Z",
      "labels_exclude_any": ["Compliance exclusions", "Workstations (Canary)"]
    }
  ]
}

---

List fleet policies

Available in Fleet Premium

GET /api/v1/fleet/fleets/:id/policies

Parameters

Name	Type	In	Description
id	integer	path	Required. Defines what fleet ID to operate on
merge_inherited	boolean	query	If true, will return both fleet policies and inherited ("All fleets") policies in the policies list, and will not return a separate inherited_policies list.
query	string	query	Search query keywords. Searchable fields include name.
page	integer	query	Page number of the results to fetch.
per_page	integer	query	Results per page.
order_key	string	query	What to order results by. Allowed fields are id, name, team_id, created_at, updated_at, failing_host_count, and passing_host_count.
order_direction	string	query	Requires order_key. The direction of the order given the order key. Options include "asc" and "desc". Default is "asc".
after	string	query	The value to get results after. This needs order_key defined, as that's the column that would be used.
automation_type	string	query	Filters by automation type. Supported values are "software", "scripts", "calendar", "conditional_access", and "other".

Example (default usage)

GET /api/v1/fleet/fleets/1/policies

Default response

Status: 200

{
  "policies": [
    {
      "id": 1,
      "name": "Gatekeeper enabled",
      "query": "SELECT 1 FROM gatekeeper WHERE assessments_enabled = 1;",
      "description": "Checks if gatekeeper is enabled on macOS devices",
      "type": "dynamic",
      "critical": true,
      "author_id": 42,
      "author_name": "John",
      "author_email": "john@example.com",
      "team_id": 1,
      "resolution": "Resolution steps",
      "platform": "darwin",
      "created_at": "2021-12-16T14:37:37Z",
      "updated_at": "2021-12-16T16:39:00Z",
      "passing_host_count": 2000,
      "failing_host_count": 300,
      "host_count_updated_at": "2023-12-20T15:23:57Z",
      "calendar_events_enabled": true,
      "conditional_access_enabled": true,
      "labels_include_any": ["Macs on Sonoma"]
    },
    {
      "id": 2,
      "name": "Windows machines with encrypted hard disks",
      "query": "SELECT 1 FROM bitlocker_info WHERE protection_status = 1;",
      "description": "Checks if the hard disk is encrypted on Windows devices",
      "critical": false,
      "type": "dynamic",
      "author_id": 43,
      "author_name": "Alice",
      "author_email": "alice@example.com",
      "team_id": 1,
      "resolution": "Resolution steps",
      "platform": "windows",
      "created_at": "2021-12-16T14:37:37Z",
      "updated_at": "2021-12-16T16:39:00Z",
      "passing_host_count": 2300,
      "failing_host_count": 0,
      "host_count_updated_at": "2023-12-20T15:23:57Z",
      "calendar_events_enabled": false,
      "conditional_access_enabled": false,
      "labels_exclude_any": ["Compliance exclusions", "Workstations (Canary)"],
      "run_script": {
        "name": "Encrypt Windows disk with BitLocker",
        "id": 234
      }
    },
    {
      "id": 3,
      "name": "macOS - Adobe Acrobat up to date",
      "query": "SELECT 1 FROM apps WHERE bundle_identifier = 'com.adobe.Reader' AND version_compare(bundle_short_version, '23.001.20687') >= 0;",
      "description": "Checks if the hard disk is encrypted on Windows devices",
      "critical": false,
      "type": "patch",
      "author_id": 43,
      "author_name": "Alice",
      "author_email": "alice@example.com",
      "team_id": 1,
      "resolution": "Resolution steps",
      "platform": "darwin",
      "created_at": "2021-12-16T14:37:37Z",
      "updated_at": "2021-12-16T16:39:00Z",
      "passing_host_count": 2300,
      "failing_host_count": 3,
      "host_count_updated_at": "2023-12-20T15:23:57Z",
      "calendar_events_enabled": false,
      "conditional_access_enabled": false,
      "install_software": {
        "name": "Adobe Acrobat",
        "software_title_id": 1234
      }
    }
  ],
  "inherited_policies": [
    {
      "id": 136,
      "name": "Arbitrary Test Policy (all platforms) (all fleets)",
      "query": "SELECT 1 FROM osquery_info WHERE 1=1;",
      "description": "If you're seeing this, mostly likely this is because someone is testing out failing policies in dogfood. You can ignore this.",
      "critical": true,
      "author_id": 77,
      "author_name": "Test Admin",
      "author_email": "test@admin.com",
      "team_id": null,
      "resolution": "To make it pass, change \"1=0\" to \"1=1\". To make it fail, change \"1=1\" to \"1=0\".",
      "platform": "darwin,windows,linux",
      "created_at": "2022-08-04T19:30:18Z",
      "updated_at": "2022-08-30T15:08:26Z",
      "passing_host_count": 10,
      "failing_host_count": 9,
      "host_count_updated_at": "2023-12-20T15:23:57Z"
    }
  ]
}

Example (returns single list)

GET /api/v1/fleet/fleets/1/policies?merge_inherited=true

Default response

Status: 200

{
  "policies": [
    {
      "id": 1,
      "name": "Gatekeeper enabled",
      "query": "SELECT 1 FROM gatekeeper WHERE assessments_enabled = 1;",
      "description": "Checks if gatekeeper is enabled on macOS devices",
      "critical": true,
      "author_id": 42,
      "author_name": "John",
      "author_email": "john@example.com",
      "team_id": 1,
      "resolution": "Resolution steps",
      "platform": "darwin",
      "created_at": "2021-12-16T14:37:37Z",
      "updated_at": "2021-12-16T16:39:00Z",
      "passing_host_count": 2000,
      "failing_host_count": 300,
      "host_count_updated_at": "2023-12-20T15:23:57Z",
      "calendar_events_enabled": false,
      "conditional_access_enabled": false,
      "fleet_maintained": false,
      "labels_include_any": ["Macs on Sonoma"]
    },
    {
      "id": 2,
      "name": "Windows machines with encrypted hard disks",
      "query": "SELECT 1 FROM bitlocker_info WHERE protection_status = 1;",
      "description": "Checks if the hard disk is encrypted on Windows devices",
      "critical": false,
      "author_id": 43,
      "author_name": "Alice",
      "author_email": "alice@example.com",
      "team_id": 1,
      "resolution": "Resolution steps",
      "platform": "windows",
      "created_at": "2021-12-16T14:37:37Z",
      "updated_at": "2021-12-16T16:39:00Z",
      "passing_host_count": 2300,
      "failing_host_count": 0,
      "host_count_updated_at": "2023-12-20T15:23:57Z",
      "calendar_events_enabled": false,
      "conditional_access_enabled": false,
      "fleet_maintained": false
    },
    {
      "id": 136,
      "name": "Arbitrary Test Policy (all platforms) (all fleets)",
      "query": "SELECT 1 FROM osquery_info WHERE 1=1;",
      "description": "If you're seeing this, mostly likely this is because someone is testing out failing policies in dogfood. You can ignore this.",
      "critical": true,
      "author_id": 77,
      "author_name": "Test Admin",
      "author_email": "test@admin.com",
      "team_id": null,
      "resolution": "To make it pass, change \"1=0\" to \"1=1\". To make it fail, change \"1=1\" to \"1=0\".",
      "platform": "darwin,windows,linux",
      "created_at": "2022-08-04T19:30:18Z",
      "updated_at": "2022-08-30T15:08:26Z",
      "passing_host_count": 10,
      "failing_host_count": 9,
      "host_count_updated_at": "2023-12-20T15:23:57Z",
      "fleet_maintained": false
    }
  ]
}

---

Get policies count

GET /api/v1/fleet/policies/count

Parameters

Name	Type	In	Description
query	string	query	Search query keywords. Searchable fields include name.

Example

GET /api/v1/fleet/policies/count

Default response

Status: 200

{
  "count": 43
}

---

Get fleet policies count

Available in Fleet Premium

GET /api/v1/fleet/fleets/:fleet_id/policies/count

Parameters

Name	Type	In	Description
fleet_id	integer	path	Required. Defines what fleet ID to operate on
query	string	query	Search query keywords. Searchable fields include name.
merge_inherited	boolean	query	If true, will include inherited ("All fleets") policies in the count.
automation_type	string	query	Filters by automation type. Supported values are "software", "scripts", "calendar", "conditional_access", and "other".

Example

GET /api/v1/fleet/fleets/1/policies/count

Default response

Status: 200

{
  "count": 43
}

---

Get policy

GET /api/v1/fleet/global/policies/:id

Parameters

Name	Type	In	Description
id	integer	path	Required. The policy's ID.

Example

GET /api/v1/fleet/global/policies/1

Default response

Status: 200

{
  "policy": {
    "id": 1,
    "name": "Gatekeeper enabled",
    "query": "SELECT 1 FROM gatekeeper WHERE assessments_enabled = 1;",
    "description": "Checks if gatekeeper is enabled on macOS devices",
    "critical": false,
    "author_id": 42,
    "author_name": "John",
    "author_email": "john@example.com",
    "team_id": null,
    "resolution": "Resolution steps",
    "platform": "darwin",
    "created_at": "2021-12-15T15:23:57Z",
    "updated_at": "2021-12-15T15:23:57Z",
    "passing_host_count": 2000,
    "failing_host_count": 300,
    "host_count_updated_at": "2023-12-20T15:23:57Z"
  }
}

---

Get fleet policy

Available in Fleet Premium

GET /api/v1/fleet/fleets/:fleet_id/policies/:policy_id

Parameters

Name	Type	In	Description
fleet_id	integer	path	Required. Defines what fleet ID to operate on
policy_id	integer	path	Required. The policy's ID.

Example

GET /api/v1/fleet/fleets/1/policies/43

Default response

Status: 200

{
  "policy": {
    "id": 43,
    "name": "Gatekeeper enabled",
    "query": "SELECT 1 FROM gatekeeper WHERE assessments_enabled = 1;",
    "description": "Checks if gatekeeper is enabled on macOS devices",
    "critical": true,
    "type": "dynamic",
    "author_id": 42,
    "author_name": "John",
    "author_email": "john@example.com",
    "team_id": 1,
    "resolution": "Resolution steps",
    "platform": "darwin",
    "created_at": "2021-12-16T14:37:37Z",
    "updated_at": "2021-12-16T16:39:00Z",
    "passing_host_count": 0,
    "failing_host_count": 0,
    "host_count_updated_at": null,
    "calendar_events_enabled": true,
    "conditional_access_enabled": false,
    "fleet_maintained": false,
    "labels_include_any": ["Macs on Sonoma"],
    "patch_software": {
      "display_name": "", 
      "name": "Adobe Acrobat.app",
      "software_title_id": 1234,
    },
    "install_software": {
      "name": "Adobe Acrobat.app",
      "software_title_id": 1234
    },
    "run_script": {
      "name": "Enable gatekeeper",
      "id": 1337
    }
  }
}

---

Create policy

POST /api/v1/fleet/global/policies

Parameters

Name	Type	In	Description
name	string	body	The policy's name.
query	string	body	The policy's query in SQL.
description	string	body	The policy's description.
resolution	string	body	The resolution steps for the policy.
platform	string	body	Comma-separated target platforms, currently supported values are "windows", "linux", "darwin". The default, an empty string means target all platforms.
critical	boolean	body	Available in Fleet Premium. Mark policy as critical/high impact.
labels_include_any	array	form	Available in Fleet Premium. Target hosts that have any label, specified by label name, in the array.
labels_exclude_any	array	form	Available in Fleet Premium. Target hosts that that don’t have any, specified by label name, label in the array.

Only one of labels_include_any or labels_exclude_any can be specified. If neither is set, all hosts on the specified platform are targeted.

Example

POST /api/v1/fleet/global/policies

Request body

{
  "name": "Gatekeeper enabled",
  "query": "SELECT 1 FROM gatekeeper WHERE assessments_enabled = 1;",
  "description": "Checks if gatekeeper is enabled on macOS devices",
  "resolution": "Resolution steps",
  "platform": "darwin",
  "critical": true
}

Default response

Status: 200

{
  "policy": {
    "id": 43,
    "name": "Gatekeeper enabled",
    "query": "SELECT 1 FROM gatekeeper WHERE assessments_enabled = 1;",
    "description": "Checks if gatekeeper is enabled on macOS devices",
    "critical": true,
    "author_id": 42,
    "author_name": "John",
    "author_email": "john@example.com",
    "team_id": null,
    "resolution": "Resolution steps",
    "platform": "darwin",
    "created_at": "2022-03-17T20:15:55Z",
    "updated_at": "2022-03-17T20:15:55Z",
    "passing_host_count": 0,
    "failing_host_count": 0,
    "host_count_updated_at": null,
    "labels_include_any": ["Macs on Sonoma"]
  }
}

---

Create fleet policy

Available in Fleet Premium

Experimental feature. Software related features (like install software policy automation) are undergoing rapid improvement, which may result in breaking changes to the API or configuration surface. It is not recommended for use in automated workflows.

The semantics for creating a fleet policy are the same as for global policies, see Create policy.

POST /api/v1/fleet/fleets/:id/policies

Parameters

Name	Type	In	Description
id	integer	path	Defines what fleet ID to operate on.
name	string	body	The policy's name.
query	string	body	The policy's query in SQL.
description	string	body	The policy's description.
resolution	string	body	The resolution steps for the policy.
platform	string	body	Comma-separated target platforms, currently supported values are "windows", "linux", "darwin". The default, an empty string means target all platforms.
critical	boolean	body	Available in Fleet Premium. Mark policy as critical/high impact. Critical policies can never bypass conditional access.
type	string	body	The type of the policy. Options are "dynamic" (classic policy with an editable query) or "patch" (tied to patch_software_title_id and automatically updated to include the newest Fleet-maintained app version). If not specified, defaults to "dynamic".
patch_software_title_id	integer	body	Available in Fleet Premium. ID of the software title (Fleet-maintained only) to create a patch policy for. Required if type is patch.
software_title_id	integer	body	Available in Fleet Premium. ID of software title to install if the policy fails. If software_title_id is specified and the software has labels_include_any or labels_exclude_any defined, the policy will inherit this target in addition to specified platform.
script_id	integer	body	Available in Fleet Premium. ID of script to run if the policy fails.
labels_include_any	array	form	Available in Fleet Premium. Target hosts that have any label, specified by label name, in the array.
labels_exclude_any	array	form	Available in Fleet Premium. Target hosts that that don’t have any label, specified by label name, in the array.

Either query or query_id must be provided.

Only one of labels_include_any or labels_exclude_any can be specified. If neither is set, all hosts on the specified platform are targeted.

Example

POST /api/v1/fleet/fleets/1/policies

Request body

{
  "name": "Gatekeeper enabled",
  "query": "SELECT 1 FROM gatekeeper WHERE assessments_enabled = 1;",
  "description": "Checks if gatekeeper is enabled on macOS devices",
  "critical": true,
  "resolution": "Resolution steps",
  "platform": "darwin"
}

Default response

Status: 200

{
  "policy": {
    "id": 43,
    "name": "Gatekeeper enabled",
    "query": "SELECT 1 FROM gatekeeper WHERE assessments_enabled = 1;",
    "description": "Checks if gatekeeper is enabled on macOS devices",
    "critical": true,
    "author_id": 42,
    "author_name": "John",
    "author_email": "john@example.com",
    "team_id": 1,
    "fleet_id": 1,
    "resolution": "Resolution steps",
    "platform": "darwin",
    "created_at": "2021-12-16T14:37:37Z",
    "updated_at": "2021-12-16T16:39:00Z",
    "passing_host_count": 0,
    "failing_host_count": 0,
    "host_count_updated_at": null,
    "calendar_events_enabled": false,
    "labels_include_any": ["Macs on Sonoma"],
    "install_software": {
      "name": "Adobe Acrobat.app",
      "software_title_id": 1234
    },
    "run_script": {
      "name": "Enable gatekeeper",
      "id": 1337
    }
  }
}

---

Delete policies

POST /api/v1/fleet/global/policies/delete

Parameters

Name	Type	In	Description
ids	array	body	Required. The IDs of the policies to delete.

Example

POST /api/v1/fleet/global/policies/delete

Request body

{
  "ids": [ 1 ]
}

Default response

Status: 200

{
  "deleted": 1
}

---

Delete fleet policies

Available in Fleet Premium

POST /api/v1/fleet/fleets/:fleet_id/policies/delete

Parameters

Name	Type	In	Description
fleet_id	integer	path	Required. Defines what fleet ID to operate on
ids	array	body	Required. The IDs of the policies to delete.

Example

POST /api/v1/fleet/fleets/1/policies/delete

Request body

{
  "ids": [ 1 ]
}

Default response

Status: 200

{
  "deleted": 1
}

---

Update policy

PATCH /api/v1/fleet/global/policies/:id

Parameters

Name	Type	In	Description
id	integer	path	The policy's ID.
name	string	body	The query's name.
query	string	body	The query in SQL.
description	string	body	The query's description.
resolution	string	body	The resolution steps for the policy.
platform	string	body	Comma-separated target platforms, currently supported values are "windows", "linux", "darwin". The default, an empty string means target all platforms.
critical	boolean	body	Available in Fleet Premium. Mark policy as critical/high impact.
labels_include_any	array	form	Available in Fleet Premium. Target hosts that have any label, specified by label name, in the array.
labels_exclude_any	array	form	Available in Fleet Premium. Target hosts that that don’t have any label, specified by label name, in the array.

Only one of labels_include_any or labels_exclude_any can be specified. If neither is set, all hosts on the specified platform are targeted.

Example

PATCH /api/v1/fleet/global/policies/42

Request body

{
  "name": "Gatekeeper enabled",
  "query": "SELECT 1 FROM gatekeeper WHERE assessments_enabled = 1;",
  "description": "Checks if gatekeeper is enabled on macOS devices",
  "critical": true,
  "resolution": "Resolution steps",
  "platform": "darwin"
}

Default response

Status: 200

{
  "policy": {
    "id": 42,
    "name": "Gatekeeper enabled",
    "query": "SELECT 1 FROM gatekeeper WHERE assessments_enabled = 1;",
    "description": "Checks if gatekeeper is enabled on macOS devices",
    "critical": true,
    "author_id": 43,
    "author_name": "John",
    "author_email": "john@example.com",
    "team_id": null,
    "resolution": "Resolution steps",
    "platform": "darwin",
    "created_at": "2022-03-17T20:15:55Z",
    "updated_at": "2022-03-17T20:15:55Z",
    "passing_host_count": 0,
    "failing_host_count": 0,
    "host_count_updated_at": null
  }
}

---

Update fleet policy

Available in Fleet Premium

Experimental feature. Software related features (like install software policy automation) are undergoing rapid improvement, which may result in breaking changes to the API or configuration surface. It is not recommended for use in automated workflows.

PATCH /api/v1/fleet/fleets/:fleet_id/policies/:policy_id

Parameters

Name	Type	In	Description
fleet_id	integer	path	The fleet's ID.
policy_id	integer	path	The policy's ID.
name	string	body	The query's name.
query	string	body	The query in SQL.
description	string	body	The query's description.
resolution	string	body	The resolution steps for the policy.
platform	string	body	Comma-separated target platforms, currently supported values are "windows", "linux", "darwin". The default, an empty string means target all platforms.
critical	boolean	body	Available in Fleet Premium. Mark policy as critical/high impact. Critical policies can never bypass conditional access.
calendar_events_enabled	boolean	body	Available in Fleet Premium. Whether to trigger calendar events when policy is failing.
conditional_access_enabled	boolean	body	Available in Fleet Premium. Whether to block single sign-on for end users whose hosts fail this policy.
conditional_access_bypass_enabled	boolean	body	Available in Fleet Premium. Additional option to allow end users to bypass conditional access for this policy for a single Okta login. This setting is ignored if conditional_access_enabled is false, if Okta conditional access is not configured, or if bypass is disabled in org settings. (Default: true.)
software_title_id	integer	body	Available in Fleet Premium. ID of software title to install if the policy fails. Set to null to remove the automation.
script_id	integer	body	Available in Fleet Premium. ID of script to run if the policy fails. Set to null to remove the automation.
labels_include_any	array	form	Available in Fleet Premium. Target hosts that have any label, specified by label name, in the array.
labels_exclude_any	array	form	Available in Fleet Premium. Target hosts that that don’t have any label, specified by label name, in the array.

Only one of labels_include_any or labels_exclude_any can be specified. If neither is set, all hosts on the specified platform are targeted.

Example

PATCH /api/v1/fleet/fleets/2/policies/42

Request body

{
  "name": "Gatekeeper enabled",
  "query": "SELECT 1 FROM gatekeeper WHERE assessments_enabled = 1;",
  "description": "Checks if gatekeeper is enabled on macOS devices",
  "critical": true,
  "resolution": "Resolution steps",
  "platform": "darwin",
  "script_id": 1337
}

Default response

Status: 200

{
  "policy": {
    "id": 42,
    "name": "Gatekeeper enabled",
    "query": "SELECT 1 FROM gatekeeper WHERE assessments_enabled = 1;",
    "description": "Checks if gatekeeper is enabled on macOS devices",
    "critical": true,
    "author_id": 43,
    "author_name": "John",
    "author_email": "john@example.com",
    "resolution": "Resolution steps",
    "platform": "darwin",
    "team_id": 2,
    "created_at": "2021-12-16T14:37:37Z",
    "updated_at": "2021-12-16T16:39:00Z",
    "passing_host_count": 0,
    "failing_host_count": 0,
    "host_count_updated_at": null,
    "calendar_events_enabled": true,
    "conditional_access_enabled": false,
    "fleet_maintained": false,
    "install_software": {
      "name": "Adobe Acrobat.app",
      "software_title_id": 1234
    },
    "run_script": {
      "name": "Enable gatekeeper",
      "id": 1337
    }
  }
}

Reset policy automations

Resets webhook and ticket policy automations status for all hosts failing the specified policies. On the next automation run, any failing host will be considered newly failing.

POST /api/v1/fleet/automations/reset

Parameters

Name	Type	In	Description
policy_ids	array	body	Filters to only run policy automations for the specified policies.
fleet_ids	array	body	Available in Fleet Premium. Filters to only run policy automations for hosts in the specified fleets.

Example

POST /api/v1/fleet/automations/reset

Request body

{
    "team_ids": [1],
    "fleet_ids": [1],
    "policy_ids": [1, 2, 3]
}

Default response

Status: 200

{}

---

Reports

• List reports
• Get report
• Get report data
• Get host's report data
• Create report
• Update report
• Delete report by name
• Delete report by ID
• Delete reports
• Run live report

List reports

Returns a list of reports. To see each report's data, use the get report data endpoint.

GET /api/v1/fleet/reports

Parameters

Name	Type	In	Description
order_key	string	query	What to order results by. Can be any column in the reports table.
order_direction	string	query	Requires order_key. The direction of the order given the order key. Options include "asc" and "desc". Default is "asc".
fleet_id	integer	query	Available in Fleet Premium. The ID of the fleet for the reports to be listed. When omitted, returns global reports.
query	string	query	Search query keywords. Searchable fields include name.
merge_inherited	boolean	query	Available in Fleet Premium. If true, will include global reports in addition to fleet-level reports when filtering by fleet_id. (If no fleet_id is provided, this parameter is ignored.)
platform	string	query	Return reports that are scheduled to run on this platform. One of: "macos", "windows", "linux" (case-insensitive). (Since reports cannot be scheduled to run on "chrome" hosts, it's not a valid value here)
page	integer	query	Page number of the results to fetch.
per_page	integer	query	Results per page.
after	string	query	The value to get results after. This needs order_key defined, as that's the column that would be used.

Example

GET /api/v1/fleet/reports

Default response

Status: 200

{
  "queries": [
    {
      "created_at": "2021-01-04T21:19:57Z",
      "updated_at": "2021-01-04T21:19:57Z",
      "id": 1,
      "name": "report1",
      "description": "report",
      "query": "SELECT * FROM osquery_info",
      "team_id": null,
      "interval": 3600,
      "platform": "darwin,windows,linux",
      "min_osquery_version": "",
      "automations_enabled": true,
      "logging": "snapshot",
      "saved": true,
      "observer_can_run": true,
      "discard_data": false,
      "author_id": 1,
      "author_name": "noah",
      "author_email": "noah@example.com",
      "labels_include_any": [],
      "packs": [
        {
          "created_at": "2021-01-05T21:13:04Z",
          "updated_at": "2021-01-07T19:12:54Z",
          "id": 1,
          "name": "Pack",
          "description": "Pack",
          "platform": "",
          "disabled": true
        }
      ],
      "stats": {
        "system_time_p50": 1.32,
        "system_time_p95": 4.02,
        "user_time_p50": 3.55,
        "user_time_p95": 3.00,
        "total_executions": 3920
      }
    }
  ],
  "reports": [
    {
      "created_at": "2021-01-04T21:19:57Z",
      "updated_at": "2021-01-04T21:19:57Z",
      "id": 1,
      "name": "report1",
      "description": "report",
      "query": "SELECT * FROM osquery_info",
      "team_id": null,
      "interval": 3600,
      "platform": "darwin,windows,linux",
      "min_osquery_version": "",
      "automations_enabled": true,
      "logging": "snapshot",
      "saved": true,
      "observer_can_run": true,
      "discard_data": false,
      "author_id": 1,
      "author_name": "noah",
      "author_email": "noah@example.com",
      "labels_include_any": [],
      "packs": [
        {
          "created_at": "2021-01-05T21:13:04Z",
          "updated_at": "2021-01-07T19:12:54Z",
          "id": 1,
          "name": "Pack",
          "description": "Pack",
          "platform": "",
          "disabled": true
        }
      ],
      "stats": {
        "system_time_p50": 1.32,
        "system_time_p95": 4.02,
        "user_time_p50": 3.55,
        "user_time_p95": 3.00,
        "total_executions": 3920
      }
    },
    {
      "created_at": "2021-01-19T17:08:24Z",
      "updated_at": "2021-01-19T17:08:24Z",
      "id": 3,
      "name": "osquery_schedule",
      "description": "Report performance stats for each file in the query schedule.",
      "query": "select name, interval, executions, output_size, wall_time, (user_time/executions) as avg_user_time, (system_time/executions) as avg_system_time, average_memory, last_executed from osquery_schedule;",
      "team_id": null,
      "interval": 3600,
      "platform": "",
      "version": "",
      "automations_enabled": true,
      "logging": "differential",
      "saved": true,
      "observer_can_run": true,
      "discard_data": true,
      "author_id": 1,
      "author_name": "noah",
      "author_email": "noah@example.com",
      "labels_include_any": ["macOS 13+"],
      "packs": [
        {
          "created_at": "2021-01-19T17:08:31Z",
          "updated_at": "2021-01-19T17:08:31Z",
          "id": 14,
          "name": "test_pack",
          "description": "",
          "platform": "",
          "disabled": false
        }
      ],
      "stats": {
        "system_time_p50": null,
        "system_time_p95": null,
        "user_time_p50": null,
        "user_time_p95": null,
        "total_executions": null
      }
    }
  ],
  "meta": {
    "has_next_results": true,
    "has_previous_results": false
  },
  "count": 200
}

Get report

Returns the report specified by ID.

GET /api/v1/fleet/reports/:id

Parameters

Name	Type	In	Description
id	integer	path	Required. The id of the desired report.

Example

GET /api/v1/fleet/reports/31

Default response

Status: 200

{
  "query": {
    "created_at": "2021-01-19T17:08:24Z",
    "updated_at": "2021-01-19T17:08:24Z",
    "id": 31,
    "name": "centos_hosts",
    "description": "",
    "query": "select 1 from os_version where platform = \"centos\";",
    "team_id": null,
    "interval": 3600,
    "platform": "",
    "min_osquery_version": "",
    "automations_enabled": true,
    "logging": "snapshot",
    "saved": true,
    "observer_can_run": true,
    "discard_data": false,
    "author_id": 1,
    "author_name": "John",
    "author_email": "john@example.com",
    "labels_include_any": [],
    "packs": [
      {
        "created_at": "2021-01-19T17:08:31Z",
        "updated_at": "2021-01-19T17:08:31Z",
        "id": 14,
        "name": "test_pack",
        "description": "",
        "platform": "",
        "disabled": false
      }
    ],
    "stats": {
      "system_time_p50": 1.32,
      "system_time_p95": 4.02,
      "user_time_p50": 3.55,
      "user_time_p95": 3.00,
      "total_executions": 3920
    }
  }
}

Get report data

Returns a specific report's data.

GET /api/v1/fleet/report/:id/report

Parameters

Name	Type	In	Description
id	integer	path	Required. The ID of the desired query.
fleet_id	integer	query	Filter the query report to only include hosts that are associated with the fleet specified

Example

GET /api/v1/fleet/reports/31/report

Default response

Status: 200

{
  "query_id": 31,
  "report_id": 31,
  "report_clipped": false,
  "results": [
    {
      "host_id": 1,
      "host_name": "foo",
      "last_fetched": "2021-01-19T17:08:31Z",
      "columns": {
        "model": "USB 2.0 Hub",
        "vendor": "VIA Labs, Inc."
      }
    },
    {
      "host_id": 1,
      "host_name": "foo",
      "last_fetched": "2021-01-19T17:08:31Z",
      "columns": {
        "model": "USB Keyboard",
        "vendor": "VIA Labs, Inc."
      }
    },
    {
      "host_id": 2,
      "host_name": "bar",
      "last_fetched": "2021-01-19T17:20:00Z",
      "columns": {
        "model": "USB Receiver",
        "vendor": "Logitech"
      }
    },
    {
      "host_id": 2,
      "host_name": "bar",
      "last_fetched": "2021-01-19T17:20:00Z",
      "columns": {
        "model": "USB Receiver",
        "vendor": "Logitech"
      }
    },
    {
      "host_id": 2,
      "host_name": "bar",
      "last_fetched": "2021-01-19T17:20:00Z",
      "columns": {
        "model": "Display Audio",
        "vendor": "Apple Inc."
      }
    }
  ]
}

If a query has no results stored, then results will be an empty array:

{
  "query_id": 32,
  "results": []
}

Scheduled reports do not return errors, so only non-error results are included. If you suspect a report may be running into errors, you can use the live report endpoint to get diagnostics.

Get host's report data

Returns a specific report's data for a single host.

GET /api/v1/fleet/hosts/:id/reports/:report_id

Parameters

Name	Type	In	Description
id	integer	path	Required. The ID of the desired host.
report_id	integer	path	Required. The ID of the desired report.

Example

GET /api/v1/fleet/hosts/123/reports/31

Default response

Status: 200

{
  "query_id": 31,
  "report_id": 31,
  "host_id": 1,
  "host_name": "foo",
  "last_fetched": "2021-01-19T17:08:31Z",
  "report_clipped": false,
  "results": [
    {
      "columns": {
        "model": "USB 2.0 Hub",
        "vendor": "VIA Labs, Inc."
      }
    },
    {
      "columns": {
        "model": "USB Keyboard",
        "vendor": "VIA Labs, Inc."
      }
    },
    {
      "columns": {
        "model": "USB Receiver",
        "vendor": "Logitech"
      }
    }
  ]
}

If a report has no results stored for the specified host, then results will be an empty array:

{
  "query_id": 31,
  "report_id": 31,
  "host_id": 1,
  "host_name": "foo",
  "last_fetched": "2021-01-19T17:08:31Z",
  "report_clipped": false,
  "results": []
}

Scheduled reports do not return errors, so only non-error results are included in the report. If you suspect a report may be running into errors, you can use the live report endpoint to get diagnostics.

Create report

Creates a global report or fleet report.

POST /api/v1/fleet/reports

Parameters

Name	Type	In	Description
name	string	body	Required. The name of the report.
query	string	body	Required. The SQL query for collecting report data.
description	string	body	The query's description.
observer_can_run	boolean	body	Whether or not users with the observer role can run the report as a live report. This field is only relevant for the observer role. The observer_plus role can run any report and is not limited by this flag.
fleet_id	integer	body	Available in Fleet Premium. The fleet to which the new report should be added. If omitted, the report will be global.
interval	integer	body	The amount of time, in seconds, the report waits before running. Can be set to 0 to never run. Default: 0.
platform	string	body	The OS platforms where this report will run (other platforms ignored). Comma-separated string. If omitted, runs on all compatible platforms.
labels_include_any	array	body	Available in Fleet Premium. Labels, specified by label name, to target with this report. If specified, the report will run on hosts that match any of these labels.
min_osquery_version	string	body	The minimum required osqueryd version installed on a host. If omitted, all osqueryd versions are acceptable.
automations_enabled	boolean	body	Whether to send data to the configured log destination according to the report's interval.
logging	string	body	The type of log output for this report. Valid values: "snapshot"(default), "differential", or "differential_ignore_removals".
discard_data	boolean	body	Whether to skip saving the latest results for each host. If set to true, data is still sent to the configured log destination if automations_enabled. Default: false.

Example

POST /api/v1/fleet/reports

Request body

{
  "name": "new_report",
  "description": "This is a new report.",
  "query": "SELECT * FROM osquery_info",
  "interval": 3600, // Once per hour
  "platform": "darwin,windows,linux",
  "min_osquery_version": "",
  "automations_enabled": true,
  "logging": "snapshot",
  "discard_data": false,
  "labels_include_any": [
    "Hosts with Docker installed"
  ]
}

Default response

Status: 200

{
  "query": {
    "created_at": "0001-01-01T00:00:00Z",
    "updated_at": "0001-01-01T00:00:00Z",
    "id": 288,
    "name": "new_query",
    "query": "SELECT * FROM osquery_info",
    "description": "This is a new query.",
    "team_id": null,
    "interval": 3600,
    "platform": "darwin,windows,linux",
    "min_osquery_version": "",
    "automations_enabled": true,
    "logging": "snapshot",
    "saved": true,
    "author_id": 1,
    "author_name": "",
    "author_email": "",
    "observer_can_run": true,
    "discard_data": false,
    "packs": [],
    "labels_include_any": [
      "Hosts with Docker installed"
    ]
  },
  "report": {
    "created_at": "0001-01-01T00:00:00Z",
    "updated_at": "0001-01-01T00:00:00Z",
    "id": 288,
    "name": "new_query",
    "query": "SELECT * FROM osquery_info",
    "description": "This is a new query.",
    "team_id": null,
    "interval": 3600,
    "platform": "darwin,windows,linux",
    "min_osquery_version": "",
    "automations_enabled": true,
    "logging": "snapshot",
    "saved": true,
    "author_id": 1,
    "author_name": "",
    "author_email": "",
    "observer_can_run": true,
    "discard_data": false,
    "packs": [],
    "labels_include_any": [
      "Hosts with Docker installed"
    ]
  }
}

Update report

Modifies the report specified by ID.

PATCH /api/v1/fleet/reports/:id

Parameters

Name	Type	In	Description
id	integer	path	Required. The ID of the report.
name	string	body	The name of the report.
query	string	body	The report's SQL query.
description	string	body	The report's description.
observer_can_run	boolean	body	Whether or not users with the observer role can run the report as a live report. This field is only relevant for the observer role. The observer_plus role can run any query and is not limited by this flag.
interval	integer	body	The amount of time, in seconds, the report waits before running. Can be set to 0 to never run. Default: 0.
platform	string	body	The OS platforms where this report will run (other platforms ignored). Comma-separated string. If set to "", runs on all compatible platforms.
labels_include_any	list	body	Available in Fleet Premium. Labels, specified by label name, to target with this report. If specified, the report will run on hosts that match any of these labels.
min_osquery_version	string	body	The minimum required osqueryd version installed on a host. If omitted, all osqueryd versions are acceptable.
automations_enabled	boolean	body	Whether to send data to the configured log destination according to the report's interval.
logging	string	body	The type of log output for this query. Valid values: "snapshot"(default), "differential", or "differential_ignore_removals".
discard_data	boolean	body	Whether to skip saving the latest results for each host. If set to true, data is still sent to the configured log destination if automations_enabled.

Note that any of the following conditions will cause the existing report's data to be discarded:

• Updating the query (SQL) field
• Updating the filters for targeted hosts (platform, min_osquery_version, labels_include_any)
• Changing discard_data from false to true
• Changing logging from "snapshot" to "differential" or "differential_ignore_removals"

Example

PATCH /api/v1/fleet/reports/2

Request body

{
  "name": "new_title_for_my_report",
  "interval": 3600, // Once per hour,
  "platform": "",
  "min_osquery_version": "",
  "automations_enabled": false,
  "discard_data": true,
  "labels_include_any": [
    "Hosts with Docker installed",
    "macOS 13+"
  ]
}

Default response

Status: 200

{
  "query": {
    "created_at": "2021-01-22T17:23:27Z",
    "updated_at": "2021-01-22T17:23:27Z",
    "id": 288,
    "name": "new_title_for_my_query",
    "description": "This is a new query.",
    "query": "SELECT * FROM osquery_info",
    "team_id": null,
    "interval": 3600,
    "platform": "",
    "min_osquery_version": "",
    "automations_enabled": false,
    "logging": "snapshot",
    "saved": true,
    "author_id": 1,
    "author_name": "noah",
    "observer_can_run": true,
    "discard_data": true,
    "packs": [],
    "labels_include_any": [
      "Hosts with Docker installed",
      "macOS 13+"
    ]
  },
  "report": {
    "created_at": "2021-01-22T17:23:27Z",
    "updated_at": "2021-01-22T17:23:27Z",
    "id": 288,
    "name": "new_title_for_my_query",
    "description": "This is a new query.",
    "query": "SELECT * FROM osquery_info",
    "team_id": null,
    "interval": 3600,
    "platform": "",
    "min_osquery_version": "",
    "automations_enabled": false,
    "logging": "snapshot",
    "saved": true,
    "author_id": 1,
    "author_name": "noah",
    "observer_can_run": true,
    "discard_data": true,
    "packs": [],
    "labels_include_any": [
      "Hosts with Docker installed",
      "macOS 13+"
    ]
  }
}

Delete report by name

Deletes the report specified by name.

DELETE /api/v1/fleet/reports/:name

Parameters

Name	Type	In	Description
name	string	path	Required. The name of the report.
fleet_id	integer	body	Available in Fleet Premium. The ID of the report's fleet. If omitted, Fleet will search among only global reports.

Example

DELETE /api/v1/fleet/reports/foo

Default response

Status: 200

Delete report by ID

Deletes the report specified by ID.

DELETE /api/v1/fleet/reports/id/:id

Parameters

Name	Type	In	Description
id	integer	path	Required. The ID of the report.

Example

DELETE /api/v1/fleet/reports/id/28

Default response

Status: 200

Delete reports

Deletes the reports specified by ID. Returns the count of reports successfully deleted.

POST /api/v1/fleet/reports/delete

Parameters

Name	Type	In	Description
ids	array	body	Required. The IDs of the reports.

Example

POST /api/v1/fleet/reports/delete

Request body

{
  "ids": [
    2, 24, 25
  ]
}

Default response

Status: 200

{
  "deleted": 3
}

Run live report

This updated API endpoint replaced GET /api/v1/fleet/queries/run in Fleet 4.43.0, for improved compatibility with many HTTP clients. The deprecated endpoint is maintained for backwards compatibility.

Runs a live report against the specified hosts and responds with the results.

The live report will stop if the request times out. Timeouts happen if targeted hosts haven't responded after the configured FLEET_LIVE_QUERY_REST_PERIOD (default 25 seconds) or if the distributed_interval agent option (default 10 seconds) is higher than the FLEET_LIVE_QUERY_REST_PERIOD.

POST /api/v1/fleet/reports/:id/run

Parameters

Name	Type	In	Description
report_id	integer	path	Required. The ID of the saved report to run.
host_ids	array	body	Required. The IDs of the hosts to target. User must be authorized to target all of these hosts.

Example

POST /api/v1/fleet/reports/123/run

Request body

{
  "host_ids": [ 1, 4, 34, 27 ]
}

Default response

{
  "query_id": 123,
  "report_id": 123,
  "targeted_host_count": 4,
  "responded_host_count": 2,
  "results": [
    {
      "host_id": 1,
      "rows": [
        {
          "build_distro": "10.12",
          "build_platform": "darwin",
          "config_hash": "7bb99fa2c8a998c9459ec71da3a84d66c592d6d3",
          "config_valid": "1",
          "extensions": "active",
          "instance_id": "9a2ec7bf-4946-46ea-93bf-455e0bcbd068",
          "pid": "23413",
          "platform_mask": "21",
          "start_time": "1635194306",
          "uuid": "4C182AC7-75F7-5AF4-A74B-1E165ED35742",
          "version": "4.9.0",
          "watcher": "23412"
        }
      ],
      "error": null
    },
    {
      "host_id": 2,
      "rows": [],
      "error": "no such table: os_version"
    }
  ]
}

---

Schedule

The schedule API endpoints are deprecated as of Fleet 4.35. They are maintained for backwards compatibility.

Please use the reports endpoints, which as of 4.35 have attributes such as interval and platform that enable scheduling.

---

Scripts

• Run script
• Get script result
• Batch-run script
• List batch scripts
• Get batch script
• List hosts targeted in batch script
• Cancel batch script
• Create script
• Update script
• Delete script
• List scripts
• List host's scripts
• Get or download script

Run script

Run a script on a host.

The script will be added to the host's list of upcoming activities.

The new script will run after other activities finish. Failure of one activity won't cancel other activities.

By default, script runs time out after 5 minutes. You can modify this default in your agent configuration.

POST /api/v1/fleet/scripts/run

Parameters

Name	Type	In	Description
host_id	integer	body	Required. The ID of the host to run the script on.
script_id	integer	body	The ID of the existing saved script to run. Only one of either script_id, script_contents, or script_name can be included.
script_contents	string	body	The contents of the script to run. Only one of either script_id, script_contents, or script_name can be included. Scripts must be less than 10,000 characters. To run scripts with more than 10k characters, save the script and use script_id or script_name and fleet_id instead.
script_name	integer	body	The name of the existing saved script to run. If specified, requires fleet_id. Only one of either script_id, script_contents, or script_name can be included in the request.
fleet_id	integer	body	The ID of the fleet the existing saved script belongs to. If specified, requires script_name. Only one of either script_id, script_contents, or script_name can be included in the request.

Note that if any combination of script_id, script_contents, and script_name are included in the request, this endpoint will respond with an error.

Example

POST /api/v1/fleet/scripts/run

Default response

Status: 202

{
  "host_id": 1227,
  "execution_id": "e797d6c6-3aae-11ee-be56-0242ac120002"
}

Get script result

Gets the result of a script that was executed.

Parameters

Name	Type	In	Description
execution_id	string	path	Required. The execution id of the script.

Example

GET /api/v1/fleet/scripts/results/:execution_id

Default response

Status: 200

{
  "script_contents": "echo 'hello'",
  "exit_code": 0,
  "output": "hello",
  "message": "",
  "hostname": "Test Host",
  "host_timeout": false,
  "host_id": 1,
  "execution_id": "e797d6c6-3aae-11ee-be56-0242ac120002",
  "runtime": 20,
  "created_at": "2024-09-11T20:30:24Z"
}

Note: exit_code can be null if Fleet hasn't heard back from the host yet.

Note: created_at is the creation timestamp of the script execution request.

Batch-run script

Run a script on multiple hosts.

The script will be added to each host's list of upcoming activities.

POST /api/v1/fleet/scripts/run/batch

Parameters

Name	Type	In	Description
script_id	integer	body	Required. The ID of the existing saved script to run.
host_ids	array	body	List of host IDs. Required if filters not specified. Only one of host_ids or filters may be included in the request.
filters	object	body	See filters. Required if host_ids not specified. Only one of host_ids or filters may be included in the request.
not_before	string	body	UTC time when the script run is scheduled to begin. If omitted, the batch script will begin right away.

Filters

Name	Type	Description
query	string	Search query keywords. Searchable fields include hostname, hardware_serial, uuid, and ipv4.
status	string	Host status. Can either be new, online, offline, mia or missing.
label_id	number	ID of a label to filter by.
fleet_id	number	ID of the fleet to filter by.

Note that if a batch script is scheduled for the future using not_before, and hosts are targeted using filters, the script will run on any hosts matching the filters at the time the batch script was added. To see all targeted hosts, use the List hosts targeted in batch script endpoint.

Example

POST /api/v1/fleet/scripts/run/batch

Request body

Request (using host_ids):

{
  "script_id": 123,
  "host_ids": [1, 2, 3],
  "not_before": "2025-07-01T15:00:00Z"
}

Request (using filters):

{
  "script_id": 123,
  "filters": {
    "status": "online",
    "query": "abc"
  }
}

Default response

Status: 202

{
  "batch_execution_id": "e797d6c6-3aae-11ee-be56-0242ac120002"
}

List batch scripts

Returns a list of batch script executions.

GET /api/v1/fleet/scripts/batch

Parameters

Name	Type	In	Description
fleet_id	integer	query	Available in Fleet Premium. Filters to batch script runs for the specified fleet.
status	string	query	Filters to batch script runs with this status. Either "started", "scheduled", or "finished".
page	integer	query	Page number of the results to fetch.
per_page	integer	query	Results per page.

Example

GET /api/v1/fleet/scripts/batch

Request body

{
  "team_id": 123,
  "fleet_id": 123,
  "status": "completed"
}

Default response

Status: 200

{
  "batch_executions": [
    {
      "script_id": 555,
      "script_name": "my-script.sh",
      "batch_execution_id": "e797d6c6-3aae-11ee-be56-0242ac120002",
      "team_id": 123,
      "fleet_id": 123,
      "not_before": "2025-07-01T15:00:00Z",
      "finished_at": "2025-07-06T15:00:00Z",
      "started_at": "2025-07-06T14:00:00Z",
      "status": "finished",
      "canceled": false,
      "targeted_host_count": 12599,
      "ran_host_count": 12345,
      "pending_host_count": 234,
      "errored_host_count": 18,
      "incompatible_host_count": 3,
      "canceled_host_count": 2,
      "created_at": "2025-07-01T10:00:00Z"
    }
  ],
  "meta": {
    "has_next_results": false,
    "has_previous_results": false,
  },
  "count": 1
}

Get batch script

Returns a summary of a batch-run script, including host counts and current status.

The Get batch script summary endpoint is deprecated as of Fleet 4.73. It is maintained for backwards compatibility. Please use this endpoint instead.

GET /api/v1/fleet/scripts/batch/:batch_execution_id

Parameters

Name	Type	In	Description
batch_execution_id	string	path	Required. The ID returned from a batch script run.

Example

GET /api/v1/fleet/scripts/batch/abc-def

Default response

Status: 200

{
  "script_id": 555,
  "script_name": "my-script.sh",
  "team_id": 123,
  "fleet_id": 123,
  "not_before": "2025-07-01T15:00:00Z",
  "finished_at": "2025-07-06T15:00:00Z",
  "started_at": "2025-07-06T14:00:00Z",
  "status": "finished",
  "canceled": false,
  "targeted_host_count": 12599,
  "ran_host_count": 12345,
  "pending_host_count": 234,
  "errored_host_count": 18,
  "incompatible_host_count": 3,
  "canceled_host_count": 2,
  "created_at": "2025-07-01T10:00:00Z"
}

List hosts targeted in batch script

Returns a list hosts targeted in a batch script run, along with their script execution status.

GET /api/v1/fleet/scripts/batch/:batch_execution_id/host_results

Parameters

Name	Type	In	Description
batch_execution_id	string	path	Required. The ID returned from a batch script run.
status	string	query	Filters to hosts with this script status. Either "ran", "pending", "errored", "incompatible", or "canceled".
page	integer	query	Page number of the results to fetch.
per_page	integer	query	Results per page.
order_key	string	query	What to order results by. Allowed fields are display_name, hostname, and updated_at.
order_direction	string	query	Requires order_key. The direction of the order given the order key. Options include "asc" and "desc". Default is "asc".
after	string	query	The value to get results after. This needs order_key defined, as that's the column that would be used.

Example

GET /api/v1/fleet/scripts/batch/abc-def/host-results?status=ran

Default response

Status: 200

{
  "hosts": [
    {
      "id": 123,
      "display_name": "Anna's MacBook Pro",
      "script_status": "ran",
      "script_execution_id": "e797d6c6-3aae-11ee-be56-0242ac120002",
      "script_executed_at": "2024-09-11T20:30:24Z",
      "script_output_preview": "hello world"
    }
  ],
  "meta": {
    "has_next_results": false,
    "has_previous_results": false
  },
  "count": 1
}

Cancel batch script

POST /scripts/batch/abc-def/cancel

Create script

Uploads a script, making it available to run on hosts assigned to the specified fleet (or "Unassigned").

You need to send a request of type multipart/form-data.

This endpoint accepts a maximum request body size of 1.5MiB.

POST /api/v1/fleet/scripts

Parameters

Name	Type	In	Description
script	file	body	Required. The file containing the script.
fleet_id	integer	body	Available in Fleet Premium. The fleet ID. If specified, the script will only be available to hosts assigned to this fleet. If not specified, the script will only be available for "Unassigned" hosts.

Script line endings are automatically converted from CRLF to LF for compatibility with both non-Windows shells and PowerShell.

Example

POST /api/v1/fleet/scripts

Request body

fleet_id="1"
script="myscript.sh"

Default response

Status: 200

{
  "script_id": 1227
}

Update script

Modifies an existing script.

You need to send a request of type multipart/form-data.

PATCH /api/v1/fleet/scripts/:id

Parameters

Name	Type	In	Description
id	integer	path	Required. The ID of the script to modify.
script	file	body	Required. The file containing the script. Filename will be ignored.

Example

PATCH /api/v1/fleet/scripts/1

Request body

script="myscript.sh"

Default response

Status: 200

{
  "id": 1,
  "team_id": null,
  "name": "script_1.sh",
  "created_at": "2023-07-30T13:41:07Z",
  "updated_at": "2023-07-30T13:41:07Z"
}

Delete script

Deletes an existing script.

DELETE /api/v1/fleet/scripts/:id

Parameters

Name	Type	In	Description
id	integer	path	Required. The ID of the script to delete.

Example

DELETE /api/v1/fleet/scripts/1

Default response

Status: 204

List scripts

GET /api/v1/fleet/scripts

Parameters

Name	Type	In	Description
fleet_id	integer	query	Available in Fleet Premium. The ID of the fleet to filter scripts by. If not specified, it will filter only scripts that are available for "Unassigned" hosts.
page	integer	query	Page number of the results to fetch.
per_page	integer	query	Results per page.
order_key	string	query	What to order results by. Can be ordered by id, name, created_at, or updated_at.
order_direction	string	query	Requires order_key. The direction of the order given the order key. Options include "asc" and "desc". Default is "asc".
after	string	query	The value to get results after. This needs order_key defined, as that's the column that would be used.

Example

GET /api/v1/fleet/scripts

Default response

Status: 200

{
  "scripts": [
    {
      "id": 1,
      "team_id": null,
      "name": "script_1.sh",
      "created_at": "2023-07-30T13:41:07Z",
      "updated_at": "2023-07-30T13:41:07Z"
    },
    {
      "id": 2,
      "team_id": null,
      "name": "script_2.sh",
      "created_at": "2023-08-30T13:41:07Z",
      "updated_at": "2023-08-30T13:41:07Z"
    }
  ],
  "meta": {
    "has_next_results": false,
    "has_previous_results": false
  }
}

List host's scripts

GET /api/v1/fleet/hosts/:id/scripts

Parameters

Name	Type	In	Description
id	integer	path	Required. The host's id.
page	integer	query	Page number of the results to fetch.
per_page	integer	query	Results per page.
order_key	string	query	What to order results by. Can be ordered by name or executed_at.
order_direction	string	query	Requires order_key. The direction of the order given the order key. Options include "asc" and "desc". Default is "asc".
after	string	query	The value to get results after. This needs order_key defined, as that's the column that would be used.

Example

GET /api/v1/fleet/hosts/123/scripts

Default response

Status: 200

"scripts": [
  {
    "script_id": 3,
    "name": "remove-zoom-artifacts.sh",
    "last_execution": {
      "execution_id": "e797d6c6-3aae-11ee-be56-0242ac120002",
      "executed_at": "2021-12-15T15:23:57Z",
      "status": "error"
    }
  },
  {
    "script_id": 5,
    "name": "set-timezone.sh",
    "last_execution": {
      "id": "e797d6c6-3aae-11ee-be56-0242ac120002",
      "executed_at": "2021-12-15T15:23:57Z",
      "status": "pending"
    }
  },
  {
    "script_id": 8,
    "name": "uninstall-zoom.sh",
    "last_execution": {
      "id": "e797d6c6-3aae-11ee-be56-0242ac120002",
      "executed_at": "2021-12-15T15:23:57Z",
      "status": "ran"
    }
  }
],
"meta": {
  "has_next_results": false,
  "has_previous_results": false
}

Get or download script

GET /api/v1/fleet/scripts/:id

Parameters

Name	Type	In	Description
id	integer	path	Required. The desired script's ID.
alt	string	query	If specified and set to "media", downloads the script's contents.

Example (get script)

GET /api/v1/fleet/scripts/123

Default response

Status: 200

{
  "id": 123,
  "team_id": null,
  "name": "script_1.sh",
  "created_at": "2023-07-30T13:41:07Z",
  "updated_at": "2023-07-30T13:41:07Z"
}

Example (download script)

GET /api/v1/fleet/scripts/123?alt=media

Example response headers

Content-Length: 13
Content-Type: application/octet-stream
Content-Disposition: attachment;filename="2023-09-27 script_1.sh"

Example response body

Status: 200

echo "hello"

Sessions

• Get session
• Delete session

Get session

Returns the session information for the session specified by ID.

GET /api/v1/fleet/sessions/:id

Parameters

Name	Type	In	Description
id	integer	path	Required. The ID of the desired session.

Example

GET /api/v1/fleet/sessions/1

Default response

Status: 200

{
  "session_id": 1,
  "user_id": 1,
  "created_at": "2021-03-02T18:41:34Z"
}

Delete session

Deletes the session specified by ID. When the user associated with the session next attempts to access Fleet, they will be asked to log in.

DELETE /api/v1/fleet/sessions/:id

Parameters

Name	Type	In	Description
id	integer	path	Required. The id of the desired session.

Example

DELETE /api/v1/fleet/sessions/1

Default response

Status: 200

---

Software

• List software
• List software versions
• List operating systems
• Get software
• Get software version
• Get operating system version
• Add package
• Update package
• Update software icon
• Download software icon
• Delete software icon
• List Apple App Store apps
• Add app store app
• Update app store app
• List Fleet-maintained apps
• Get Fleet-maintained app
• Create Fleet-maintained app
• Install software
• Uninstall software
• Get software install result
• Download software
• Delete software

List software

Get a list of all software.

GET /api/v1/fleet/software/titles

Experimental feature. This feature is undergoing rapid improvement, which may result in breaking changes to the API or configuration surface. It is not recommended for use in automated workflows.

Parameters

Name	Type	In	Description
page	integer	query	Page number of the results to fetch.
per_page	integer	query	Results per page.
order_key	string	query	What to order results by. Allowed fields are name and hosts_count. Default is hosts_count (descending).
order_direction	string	query	Requires order_key. The direction of the order given the order key. Options include "asc" and "desc". Default is "asc".
query	string	query	Search query keywords. Searchable fields include title and cve.
fleet_id	integer	query	Available in Fleet Premium. Filters the software to only include the software installed on the hosts that are assigned to the specified fleet. Use 0 to filter by "Unassigned" hosts.
vulnerable	boolean	query	If true or 1, only list software that has detected vulnerabilities. Default is false.
available_for_install	boolean	query	If true or 1, only list software that is available for install (added by the user). Default is false.
self_service	boolean	query	If true or 1, only lists self-service software. Default is false.
packages_only	boolean	query	Available in Fleet Premium. If true or 1, only lists packages available for install (without app store apps).
min_cvss_score	integer	query	Available in Fleet Premium. Filters to include only software with vulnerabilities that have a CVSS version 3.x base score higher than the specified value.
max_cvss_score	integer	query	Available in Fleet Premium. Filters to only include software with vulnerabilities that have a CVSS version 3.x base score lower than what's specified.
exploit	boolean	query	Available in Fleet Premium. If true, filters to only include software with vulnerabilities that have been actively exploited in the wild (cisa_known_exploit: true). Default is false.
platform	string	query	Filters software titles available for install by platforms. fleet_id must be specified to filter by platform. Options are: "macos" (alias of "darwin"), "darwin" "windows", "linux", "chrome", "ios", "ipados". To show titles from multiple platforms, separate the platforms with commas (e.g. ?platform=darwin,windows).
hash_sha256	string	query	Filters to only include custom software packages (uploaded installers) with the specified SHA-256 hash. fleet_id must be specified to filter by hash. This allows checking if a specific package already exists before uploading.
package_name	string	query	Filters to only include custom software packages (uploaded installers) with the specified package filename. fleet_id must be specified to filter by package name. This allows checking if a specific package already exists before uploading.
exclude_fleet_maintained_apps	boolean	query	If true or 1, Fleet maintained apps will not be included in the list of software_titles. Default is false
after	string	query	The value to get results after. This needs order_key defined, as that's the column that would be used.

Example

GET /api/v1/fleet/software/titles?fleet_id=3&platform=darwin,windows

Default response

Status: 200

{
  "counts_updated_at": "2022-01-01 12:32:00",
  "count": 3,
  "software_titles": [
    {
      "id": 12,
      "name": "Firefox.app",
      "display_name": "Firefox",
      "icon_url":"/api/latest/fleet/software/titles/12/icon?fleet_id=3",
      "display_name": "",
      "software_package": {
        "platform": "darwin",
        "fleet_maintained_app_id": 42,
        "name": "FirefoxInstall.pkg",
        "version": "125.6",
        "self_service": true,
        "patch_policy": {
          "id": 122,
          "name": "Firefox up to date"
        },
        "automatic_install_policies": [
          {
            "id": 343,
            "name": "[Install software] Firefox.app",
            "type": "dynamic",
          }
        ],
      },
      "app_store_app": null,
      "versions_count": 3,
      "source": "apps",
      "hosts_count": 48,
      "versions": [
        {
          "id": 123,
          "version": "1.12",
          "vulnerabilities": ["CVE-2023-1234","CVE-2023-4321","CVE-2023-7654"]
        },
        {
          "id": 124,
          "version": "3.4",
          "vulnerabilities": ["CVE-2023-1234","CVE-2023-4321","CVE-2023-7654"]
        },
        {
          "id": 12,
          "version": "1.13",
          "vulnerabilities": ["CVE-2023-1234","CVE-2023-4321","CVE-2023-7654"]
        }
      ],
      "bundle_identifier": "org.mozilla.firefox",
      "hash_sha256": "1e83a94b801db429398b95a11f76fc5ba0e8643cb027b40a2b890592761f48f9",
    },
    {
      "id": 22,
      "name": "Google Chrome.app",
      "icon_url": null,
      "display_name": "",
      "software_package": null,
      "app_store_app": null,
      "versions_count": 5,
      "source": "apps",
      "hosts_count": 345,
      "versions": [
        {
          "id": 331,
          "version": "118.1",
          "vulnerabilities": ["CVE-2023-1234"]
        },
        {
          "id": 332,
          "version": "119.0",
          "vulnerabilities": ["CVE-2023-9876", "CVE-2023-2367"]
        },
        {
          "id": 334,
          "version": "119.4",
          "vulnerabilities": ["CVE-2023-1133", "CVE-2023-2224"]
        },
        {
          "id": 348,
          "version": "121.5",
          "vulnerabilities": ["CVE-2023-0987", "CVE-2023-5673", "CVE-2023-1334"]
        },
      ],
      "bundle_identifier": "com.google.Chrome",
      "hash_sha256": "ca30af561de15bb26186efcbcc59f3936c67d81e071e96fa8afa1e867a67a04f"
    },
    {
      "id": 32,
      "name": "1Password – Password Manager",
      "icon_url": null,
      "display_name": "",
      "software_package": null,
      "app_store_app": null,
      "versions_count": 1,
      "source": "chrome_extensions",
      "browser": "chrome",
      "extension_for": "chrome",
      "hosts_count": 345,
      "versions": [
        {
          "id": 4242,
          "version": "2.3.7",
          "vulnerabilities": []
        }
      ]
    },
    {
      "id": 77,
      "name": "Prettier",
      "icon_url": null,
      "display_name": "",
      "software_package": null,
      "app_store_app": null,
      "versions_count": 2,
      "source": "jetbrains_plugin",
      "extensions_for": "goland",
      "hosts_count": 19,
      "versions": [
        {
          "id": 6501,
          "version": "232.1.0",
          "vulnerabilities": []
        },
        {
          "id": 6502,
          "version": "241.2.1",
          "vulnerabilities": []
        }
      ]
    },
    {
      "id": 12,
      "name": "MyCustomApp",
      "software_package": {
        "name": "MyCustomApp-1.12.ipa",
        "platform": "ios",
        "version": "1.12",
        "self_service": false,
        "automatic_install_policies": null,
        "last_install": null,
        "last_uninstall": null
      },
      "app_store_app": null,
      "versions_count": 1,
      "source": "ios_apps",
      "hosts_count": 48,
      "versions": [
        {
          "id": 123,
          "version": "1.12",
          "vulnerabilities": null
        }
      ],
    }
  ],
  "meta": {
    "has_next_results": false,
    "has_previous_results": false
  }
}

browser and extension_for fields are included when set and when empty. extension_for will show the browser or Visual Studio Code fork associated with the extension, allowing for differentiation between e.g. an extension installed on Visual Studio Code and one installed on Cursor. browser is deprecated, and only shows this information for browser plugins.

List software versions

Get a list of all software versions.

GET /api/v1/fleet/software/versions

Parameters

Name	Type	In	Description
page	integer	query	Page number of the results to fetch.
per_page	integer	query	Results per page.
order_key	string	query	What to order results by. Allowed fields are name, hosts_count, cve_published, cvss_score, epss_probability and cisa_known_exploit. Default is hosts_count (descending).
order_direction	string	query	Requires order_key. The direction of the order given the order key. Options include "asc" and "desc". Default is "asc".
query	string	query	Search query keywords. Searchable fields include name, version, and cve.
fleet_id	integer	query	Available in Fleet Premium. Filters the software to only include the software installed on the hosts that are assigned to the specified fleet. Use 0 to filter by "Unassigned" hosts.
vulnerable	boolean	query	If true or 1, only list software that has detected vulnerabilities. Default is false.
min_cvss_score	integer	query	Available in Fleet Premium. Filters to include only software with vulnerabilities that have a CVSS version 3.x base score higher than the specified value.
max_cvss_score	integer	query	Available in Fleet Premium. Filters to only include software with vulnerabilities that have a CVSS version 3.x base score lower than what's specified.
exploit	boolean	query	Available in Fleet Premium. If true, filters to only include software with vulnerabilities that have been actively exploited in the wild (cisa_known_exploit: true). Default is false.
without_vulnerability_details	boolean	query	Available in Fleet Premium. If true only vulnerability name is included in response. If false (or omitted), adds vulnerability description, CVSS score, and other details available in Fleet Premium. See notes below on performance.
after	string	query	The value to get results after. This needs order_key defined, as that's the column that would be used.

For optimal performance, we recommend Fleet Premium users set without_vulnerability_details to true whenever possible. If set to false a large amount of data will be included in the response. If you need vulnerability details, consider using the Get vulnerability endpoint.

Example

GET /api/v1/fleet/software/versions

Default response

Status: 200

{
    "counts_updated_at": "2022-01-01 12:32:00",
    "count": 2,
    "software": [
      {
        "id": 1,
        "name": "glibc",
        "display_name": "",
        "version": "2.12",
        "source": "rpm_packages",
        "release": "1.212.el6",
        "vendor": "CentOS",
        "arch": "x86_64",
        "generated_cpe": "cpe:2.3:a:gnu:glibc:2.12:*:*:*:*:*:*:*",
        "vulnerabilities": [
          {
            "cve": "CVE-2009-5155",
            "details_link": "https://nvd.nist.gov/vuln/detail/CVE-2009-5155",
            "cvss_score": 7.5,
            "epss_probability": 0.01537,
            "cisa_known_exploit": false,
            "cve_published": "2022-01-01 12:32:00",
            "cve_description": "In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.",
            "resolved_in_version": "2.28"
          }
        ],
        "hosts_count": 1
      },
      {
        "id": 2,
        "name": "1Password – Password Manager",
        "display_name": "",
        "version": "2.10.0",
        "source": "chrome_extensions",
        "browser": "chrome",
        "extension_for": "chrome",
        "extension_id": "aeblfdkhhhdcdjpifhhbdiojplfjncoa",
        "generated_cpe": "cpe:2.3:a:1password:1password:2.19.0:*:*:*:*:chrome:*:*",
        "hosts_count": 345,
        "vulnerabilities": null
      },
      {
        "id": 3,
        "name": "Prettier",
        "version": "232.1.0",
        "source": "jetbrains_plugins",
        "extensions_for": "goland",
        "generated_cpe": "cpe:2.3:a:*:prettier:232.1.0:*:*:*:*:node.js:*:*",
        "hosts_count": 19,
        "vulnerabilities": null
      }
    ],
    "meta": {
      "has_next_results": false,
      "has_previous_results": false
    }
}

browser and extension_for fields are included when set and when empty. extension_for will show the browser or Visual Studio Code fork associated with the extension, allowing for differentiation between e.g. an extension installed on Visual Studio Code and one installed on Cursor. browser is deprecated, and only shows this information for browser plugins.

List operating systems

Returns a list of all operating systems.

GET /api/v1/fleet/os_versions

Parameters

Name	Type	In	Description
fleet_id	integer	query	Available in Fleet Premium. Filters response data to the specified fleet. Use 0 to filter by "Unassigned" hosts.
platform	string	query	Filters the hosts to the specified platform
os_name	string	query	The name of the operating system to filter hosts by. os_version must also be specified with os_name
os_version	string	query	The version of the operating system to filter hosts by. os_name must also be specified with os_version
max_vulnerabilities	integer	query	Limits the number of vulnerabilities returned per OS version. (If omitted, returns all vulnerabilities.)
page	integer	query	Page number of the results to fetch.
per_page	integer	query	Results per page. Default is 20.
order_key	string	query	What to order results by. Allowed fields are: hosts_count. Default is hosts_count (descending).
order_direction	string	query	Requires order_key. The direction of the order given the order key. Options include "asc" and "desc". Default is "asc".
after	string	query	The value to get results after. This needs order_key defined, as that's the column that would be used.

Default response

Status: 200

{
  "count": 1,
  "counts_updated_at": "2023-12-06T22:17:30Z",
  "os_versions": [
    {
      "os_version_id": 123,
      "hosts_count": 21,
      "name": "Microsoft Windows 11 Pro 23H2 10.0.22621.1234",
      "name_only": "Microsoft Windows 11 Pro 23H2",
      "version": "10.0.22621.1234",
      "platform": "windows",
      "generated_cpes": [],
      "vulnerabilities_count": 1,
      "vulnerabilities": [
        {
          "cve": "CVE-2022-30190",
          "details_link": "https://nvd.nist.gov/vuln/detail/CVE-2022-30190",
          "cvss_score": 7.8,// Available in Fleet Premium
          "epss_probability": 0.9729,// Available in Fleet Premium
          "cisa_known_exploit": false,// Available in Fleet Premium
          "cve_published": "2022-06-01T00:15:00Z",// Available in Fleet Premium
          "cve_description": "Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability.",// Available in Fleet Premium
          "resolved_in_version": ""// Available in Fleet Premium
        }
      ]
    }
  ],
  "meta": {
    "has_next_results": false,
    "has_previous_results": false
  }
}

Windows and macOS listed vulnerabilities are based on OS version-specific data. Linux vulnerabilities are based on kernel vulnerabilities for hosts running the specified OS version. Both active and inactive kernels on a host are accounted for in kernel vulnerability reporting. Other operating systems do not report vulnerabilities.

Get software

Experimental feature. This feature is undergoing rapid improvement, which may result in breaking changes to the API or configuration surface. It is not recommended for use in automated workflows.

Returns information about the specified software. By default, versions are sorted in descending order by the hosts_count field.

GET /api/v1/fleet/software/titles/:id

Parameters

Name	Type	In	Description
id	integer	path	Required. The software title's ID.
fleet_id	integer	query	Available in Fleet Premium. Filters response data to the specified fleet. Use 0 to filter by "Unassigned" hosts.

Example

GET /api/v1/fleet/software/titles/12?fleet_id=3

Default response

Status: 200

{
  "software_title": {
    "id": 12,
    "name": "Google Chrome.app",
    "display_name": "Google Chrome",
    "icon_url":"/api/latest/fleet/software/titles/12/icon?team_id=3",
    "display_name": "",
    "bundle_identifier": "com.google.Chrome",
    "software_package": {
      "name": "GoogleChrome.pkg",
      "version": "143.0.7499.193",
      "categories": ["Productivity"],
      "platform": "darwin",
      "fleet_maintained_app_id": 42,
      "fleet_maintained_versions": [
        {
          "id": 1,
          "version": "143.0.7499.193"
        },
        {
          "id": 2,
          "version": "142.0.7444.176"
        },
      ],
      "installer_id": 23,
      "team_id": 3,
      "uploaded_at": "2024-04-01T14:22:58Z",
      "hash_sha256": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
      "install_script": "sudo installer -pkg '$INSTALLER_PATH' -target /",
      "pre_install_query": "SELECT 1 FROM macos_profiles WHERE uuid='c9f4f0d5-8426-4eb8-b61b-27c543c9d3db';",
      "post_install_script": "sudo /Applications/Falcon.app/Contents/Resources/falconctl license 0123456789ABCDEFGHIJKLMNOPQRSTUV-WX",
      "uninstall_script": "/Library/CS/falconctl uninstall",
      "self_service": true,
      "labels_include_any": [
        {
          "name": "Engineering",
          "id": 294
        }
      ],
      "automatic_install_policies": [
        {
          "id": 343,
          "name": "[Install software] Crowdstrike Agent",
          "type": "dynamic"
        }
      ],
      "status": {
        "installed": 3,
        "pending_install": 1,
        "failed_install": 0,
        "pending_uninstall": 2,
        "failed_uninstall": 1
      }
    },
    "app_store_app": null,
    "counts_updated_at": "2024-11-03T22:39:36Z",
    "source": "apps",
    "hosts_count": 48,
    "versions": [
      {
        "id": 123,
        "version": "142.0.7444.176",
        "vulnerabilities": ["CVE-2023-1234"],
        "hosts_count": 37
      },
      {
        "id": 124,
        "version": "141.0.7444.170",
        "vulnerabilities": ["CVE-2023-4321"],
        "hosts_count": 7
      },
      {
        "id": 127,
        "version": "138.0.7655.171",
        "vulnerabilities": ["CVE-2023-7654"],
        "hosts_count": 4
      }
    ]
  }
}

browser and extension_for fields are included when set and when empty, at the same level as source. extension_for will show the browser or Visual Studio Code fork associated with the extension, allowing for differentiation between e.g. an extension installed on Visual Studio Code and one installed on Cursor. browser is deprecated, and only shows this information for browser plugins.

Example (app store app)

GET /api/v1/fleet/software/titles/15?fleet_id=3

Default response

Status: 200

{
  "software_title": {
    "id": 15,
    "name": "Logic Pro",
    "display_name": "",
    "icon_url": "/api/latest/fleet/software/titles/15/icon?fleet_id=3",
    "display_name": "",
    "bundle_identifier": "com.apple.logic10",
    "software_package": null,
    "auto_update_enabled": true,
    "auto_update_window_start": "00:00",
    "auto_update_window_end": "02:00",
    "app_store_app": {
      "name": "Logic Pro",
      "categories": [],
      "app_store_id": 1091189122,
      "platform": "darwin",
      "latest_version": "2.04",
      "created_at": "2024-04-01T14:22:58Z",
      "self_service": true,
      "automatic_install_policies": [
        {
          "id": 345,
          "name": "[Install software] Logic Pro",
          "type": "dynamic"
        }
      ],
      "status": {
        "installed": 3,
        "pending": 1,
        "failed": 2,
      }
    },
    "source": "ios_apps",
    "hosts_count": 48,
    "versions": [
      {
        "id": 123,
        "version": "2.04",
        "vulnerabilities": [],
        "hosts_count": 24
      }
    ]
  }
}

auto_update_enabled, auto_update_window_start and auto_update_window_end will only be returned for iOS/iPadOS apps, and only when a fleet_id is specified in the request.

Example (Play Store app)

GET /api/v1/fleet/software/titles/16

Default response

Status: 200

{
  "software_title": {
    "id": 16,
    "name": "Zoom Workplace",
    "icon_url": null,
    "display_name": "",
    "application_id": "us.zoom.videomeetings",
    "counts_updated_at": "2025-08-29T10:23:48Z",
    "software_package": null,
    "app_store_app": {
      "app_store_id": "us.zoom.videomeetings",
      "platform": "android",
      "name": "Zoom Workplace",
      "icon_url": "https://lh3.googleusercontent.com/yZsmiNjmji3ZoOuLthoVvptLB9cZ0vCmitcky4OUXNcEFV3IEQkrBD2uu5kuWRF5_ERA",
      "status": {
        "installed": 1,
        "pending": 0,
        "failed": 0
      },
      "self_service": false,
      "automatic_install_policies": null,
      "labels_include_any": null,
      "labels_exclude_any": null,
      "created_at": "2025-08-15T00:55:03.96954Z",
      "categories": null
    },
    "source": "android_apps",
    "hosts_count": 72,
    "versions_count": 1,
    "versions": [
      {
        "id": 333,
        "version": "6.5.10.32613",
        "vulnerabilities": null,
        "hosts_count": 24
      }
    ]
  }
}

Example (in-house iOS app)

GET /api/v1/fleet/software/titles/24?fleet_id=3

Default response

Status: 200

{
  "software_title": {
    "id": 12,
    "name": "MyCustomApp",
    "software_package": {
      "name": "MyCustomApp-1.12.ipa",
      "platform": "ios",
      "fleet_maintained_id": null,
      "version": "1.12",
      "self_service": false,
      "automatic_install_policies": null,
      "categories": null,
      "uploaded_at": "2025-08-15T00:55:03.96954Z",
      "hash_sha256": "1e83a94b801db429398b95a11f76fc5ba0e8643cb027b40a2b890592761f48f9",
      "title_id": 12,
      "team_id": 3,
      "status": {
        "installed": 0,
        "pending_install": 0,
        "failed_install": 0,
        "pending_uninstall": 0,
        "failed_uninstall": 0
      },
      "installer_id": 332,
      "install_script": null,
      "uninstall_script": null,
      "post_install_script": null,
      "pre_install_query": null,
      "labels_include_any": null,
      "labels_exclude_any": null,
    },
    "app_store_app": null,
    "versions_count": 1,
    "source": "ios_apps",
    "hosts_count": 48,
    "versions": [
      {
        "id": 123,
        "version": "1.12",
        "vulnerabilities": null
      }
    ]
  }
}

Get software version

Returns information about the specified software version.

GET /api/v1/fleet/software/versions/:id

Parameters

Name	Type	In	Description
id	integer	path	Required. The software version's ID.
fleet_id	integer	query	Available in Fleet Premium. Filters response data to the specified fleet. Use 0 to filter by "Unassigned" hosts.

Example

GET /api/v1/fleet/software/versions/12

Default response

Status: 200

{
  "software": {
    "id": 425224,
    "name": "Firefox.app",
    "display_name": "Firefox",
    "version": "117.0",
    "bundle_identifier": "org.mozilla.firefox",
    "source": "apps",
    "generated_cpe": "cpe:2.3:a:mozilla:firefox:117.0:*:*:*:*:macos:*:*",
    "vulnerabilities": [
      {
        "cve": "CVE-2023-4863",
        "details_link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4863",
        "created_at": "2024-07-01T00:15:00Z",
        "cvss_score": 8.8, // Available in Fleet Premium
        "epss_probability": 0.4101, // Available in Fleet Premium
        "cisa_known_exploit": true, // Available in Fleet Premium
        "cve_published": "2023-09-12T15:15:00Z", // Available in Fleet Premium
        "resolved_in_version": "" // Available in Fleet Premium
      },
      {
        "cve": "CVE-2023-5169",
        "details_link": "https://nvd.nist.gov/vuln/detail/CVE-2023-5169",
        "created_at": "2024-07-01T00:15:00Z",
        "cvss_score": 6.5, // Available in Fleet Premium
        "epss_probability": 0.00073, // Available in Fleet Premium
        "cisa_known_exploit": false, // Available in Fleet Premium
        "cve_published": "2023-09-27T15:19:00Z", // Available in Fleet Premium
        "resolved_in_version": "118" // Available in Fleet Premium
      }
    ]
  }
}

browser and extension_for fields are included when set and when empty, at the same level as source. extension_for will show the browser or Visual Studio Code fork associated with the extension, allowing for differentiation between e.g. an extension installed on Visual Studio Code and one installed on Cursor. browser is deprecated, and only shows this information for browser plugins.

Get operating system version

Retrieves information about the specified operating system (OS) version.

GET /api/v1/fleet/os_versions/:id

Parameters

Name	Type	In	Description
id	integer	path	Required. The OS version's ID.
fleet_id	integer	query	Available in Fleet Premium. Filters response data to the specified fleet. Use 0 to filter by "Unassigned" hosts.
max_vulnerabilities	integer	query	Limits the number of vulnerabilities returned. (If omitted, returns all vulnerabilities.) For Linux OS's, doesn't limit the number of vulnerabilities returned in the kernels array.

Default response

Status: 200

{
  "counts_updated_at": "2023-12-06T22:17:30Z",
  "os_version": {
    "os_version_id": 123,
    "hosts_count": 21,
    "name": "Microsoft Windows 11 Pro 23H2 10.0.22621.1234",
    "name_only": "Microsoft Windows 11 Pro 23H2",
    "version": "10.0.22621.1234",
    "platform": "windows",
    "generated_cpes": [],
    "kernels": [], // empty for non-Linux
    "vulnerabilities": [
      {
        "cve": "CVE-2022-30190",
        "details_link": "https://nvd.nist.gov/vuln/detail/CVE-2022-30190",
        "created_at": "2024-07-01T00:15:00Z",
        "cvss_score": 7.8,// Available in Fleet Premium
        "epss_probability": 0.9729,// Available in Fleet Premium
        "cisa_known_exploit": false,// Available in Fleet Premium
        "cve_published": "2022-06-01T00:15:00Z",// Available in Fleet Premium
        "cve_description": "Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability.",// Available in Fleet Premium
        "resolved_in_version": ""// Available in Fleet Premium
      }
    ]
  }
}

Windows and macOS listed vulnerabilities are based on OS version-specific data.

Linux vulnerabilities are based on kernel vulnerabilities for hosts running the specified OS version. Both active and inactive kernels on a host are accounted for in kernel vulnerability reporting, so host counts across kernels may sum to more than the count of hosts running a given OS version. Hosts running in a container or paravirtualized environment do not have a kernel of their own.

{
  "counts_updated_at": "2023-12-06T22:17:30Z",
  "os_version": {
    "os_version_id": 321,
    "hosts_count": 2,
    "name": "Ubuntu 24.04.1 LTS",
    "name_only": "Ubuntu",
    "version": "24.04.1 LTS",
    "platform": "ubuntu",
    "generated_cpes": [],
    "kernels": [
      {
        "id": 561703, // the software version ID of the kernel
        "version": "6.11.0-26.26~24.04.1",
        "vulnerabilities": [
          "CVE-2023-53034",
          "CVE-2024-53222",
          "CVE-2024-58092",
          "CVE-2024-58093",
          "CVE-2025-21893",
          "CVE-2025-21894",
          "CVE-2025-21902",
          "CVE-2025-21903",
          "CVE-2025-21904",
          "CVE-2025-21905",
          "CVE-2025-21906",
          "CVE-2025-21908",
          "CVE-2025-21909",
          "CVE-2025-21910",
        ],
        "hosts_count": 1
      },
      {
        "id": 568096,
        "version": "6.11.0-29.29~24.04.1",
        "vulnerabilities": null,
        "hosts_count": 2
      }
    ],
    "vulnerabilities": [
      {
        "cve": "CVE-2023-53034",
        "details_link": "https://nvd.nist.gov/vuln/detail/CVE-2023-53034",
        "created_at": "2023-07-01T00:15:00Z",
        "cvss_score": 7.8, // Available in Fleet Premium
        "epss_probability": 0.9729, // Available in Fleet Premium
        "cisa_known_exploit": false, // Available in Fleet Premium
        "cve_published": "2023-06-01T00:15:00Z", // Available in Fleet Premium
        "cve_description": "A description", // Available in Fleet Premium
        "resolved_in_version": "" // Available in Fleet Premium
      }
    ]
  }
}

Operating systems other than Windows, macOS, and Linux do not report vulnerabilities.

Add package

Experimental feature. This feature is undergoing rapid improvement, which may result in breaking changes to the API or configuration surface. It is not recommended for use in automated workflows.

Available in Fleet Premium.

Add a package (.pkg, .msi, .exe, .deb, .rpm, .tar.gz, .ipa) to install on Apple (macOS/iOS/iPadOS), Windows, or Linux hosts. Also supports adding a custom script (.sh, .ps1) to run on Windows or Linux hosts.

You need to send a request of type multipart/form-data.

This endpoint accepts a maximum request body size of 10GB.

POST /api/v1/fleet/software/package

Parameters

Name	Type	In	Description
software	file	body	Required. Installer package file or custom script file. Supported packages are .pkg, .msi, .exe, .deb, .rpm, .tar.gz, .ipa, .sh, and .ps1.
fleet_id	integer	body	The fleet ID. Adds a software package to the specified fleet. If not specified, it will add the software for "Unassigned" hosts.
install_script	string	body	Script that Fleet runs to install software. If not specified Fleet runs the default install script for each package type if one exists. Required for .tar.gz and .exe (no default script). Not supported for .sh and .ps1.
uninstall_script	string	body	Script that Fleet runs to uninstall software. If not specified Fleet runs the default uninstall script for each package type if one exists. Required for .tar.gz and .exe (no default script). Not supported for .sh and .ps1.
pre_install_query	string	body	Query that is pre-install condition. If the query doesn't return any result, Fleet won't proceed to install. Not supported for .sh and .ps1.
post_install_script	string	body	The contents of the script to run after install. If the specified script fails (exit code non-zero) software install will be marked as failed and rolled back. Not supported for .sh and .ps1.
self_service	boolean	body	Self-service software is optional and can be installed by the end user.
labels_include_any	array	body	Target hosts that have any label, specified by label name, in the array.
labels_exclude_any	array	body	Target hosts that don't have any label, specified by label name, in the array.
automatic_install	boolean	body	Specifies whether to create a policy that triggers a software install only on hosts missing the software. Not supported for iOS, iPadOS, Android, or for .sh and .ps1.

Only one of labels_include_any or labels_exclude_any can be specified. If neither are specified, all hosts are targeted.

Add the X-Fleet-Scripts-Encoded: base64 header line to parse install_script, uninstall_script, post_install_script, and pre_install_query fields as bas64-encoded rather than as-is.

Example

POST /api/v1/fleet/software/package

Request body

fleet_id="1"
self_service="true"
install_script="sudo installer -pkg /temp/FalconSensor-6.44.pkg -target /"
pre_install_query"SELECT 1 FROM macos_profiles WHERE uuid='c9f4f0d5-8426-4eb8-b61b-27c543c9d3db';"
post_install_script"sudo /Applications/Falcon.app/Contents/Resources/falconctl license 0123456789ABCDEFGHIJKLMNOPQRSTUV-WX"
software="FalconSensor-6.44.pkg"
labels_exclude_any="Engineering"
labels_exclude_any="QA"

Default response

Status: 200

{
  "software_package": {
    "title_id": 123,
    "name": "FalconSensor-6.44.pkg",
    "icon_url": null,
    "categories": null,
    "display_name": "",
    "version": "6.44",
    "platform": "darwin",
    "fleet_maintained_app_id": 42,
    "installer_id": 23,
    "team_id": 3,
    "uploaded_at": "2024-04-01T14:22:58Z",
    "hash_sha256": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
    "install_script": "sudo installer -pkg /temp/FalconSensor-6.44.pkg -target /",
    "pre_install_query": "SELECT 1 FROM macos_profiles WHERE uuid='c9f4f0d5-8426-4eb8-b61b-27c543c9d3db';",
    "post_install_script": "sudo /Applications/Falcon.app/Contents/Resources/falconctl license 0123456789ABCDEFGHIJKLMNOPQRSTUV-WX",
    "self_service": true,
    "url": "",
    "automatic_install_policies": null,
    "labels_include_any": null,
    "labels_exclude_any": null,
    "status": {
      "installed": 0,
      "pending": 0,
      "failed": 0
    }
  }
}

Update package

Experimental feature. This feature is undergoing rapid improvement, which may result in breaking changes to the API or configuration surface. It is not recommended for use in automated workflows.

Available in Fleet Premium.

Update a package to install on macOS, Windows, Linux, iOS, or iPadOS hosts.

You need to send a request of type multipart/form-data.

This endpoint accepts a maximum request body size of 10GB.

PATCH /api/v1/fleet/software/titles/:id/package

Parameters

Name	Type	In	Description
id	integer	path	ID of the software title being updated.
software	file	body	Installer package file or custom script file. Supported packages are .pkg, .msi, .exe, .deb, .rpm, .tar.gz, .ipa, .sh, and .ps1.
fleet_id	integer	body	Required. The fleet ID. Updates a software package in the specified fleet.
display_name	string	body	Optional override for the default name.
categories	array	body	Zero or more of the supported categories, used to group self-service software on your end users' Fleet Desktop > My device page. Software with no categories will be still be shown under All.
install_script	string	body	Command that Fleet runs to install software. If not specified Fleet runs the default install command for each package type. Not supported for .sh and .ps1.
pre_install_query	string	body	Query that is pre-install condition. If the query doesn't return any result, the package will not be installed. Not supported for .sh and .ps1.
post_install_script	string	body	The contents of the script to run after install. If the specified script fails (exit code non-zero) software install will be marked as failed and rolled back. Not supported for .sh and .ps1.
self_service	boolean	body	Whether this is optional self-service software that can be installed by the end user.
labels_include_any	array	body	Target hosts that have any label, specified by label name, in the array. Only one of either labels_include_any or labels_exclude_any can be specified.
labels_exclude_any	array	body	Target hosts that don't have any label, specified by label name, in the array.

Only one of labels_include_any or labels_exclude_any can be specified. If neither are specified, all hosts are targeted.

Changes to the installer package will reset installation counts. Changes to any field other than self_service will cancel pending installs for the old package.

Add the X-Fleet-Scripts-Encoded: base64 header line to parse install_script, uninstall_script, post_install_script, and pre_install_query fields as bas64-encoded rather than as-is.

Example

PATCH /api/v1/fleet/software/titles/1/package

Request body

fleet_id="1"
software="FalconSensor-6.44.pkg"
self_service="true"
display_name="CrowdStrike agent"
install_script="sudo installer -pkg /temp/FalconSensor-6.44.pkg -target /"
pre_install_query="SELECT 1 FROM macos_profiles WHERE uuid='c9f4f0d5-8426-4eb8-b61b-27c543c9d3db';"
post_install_script="sudo /Applications/Falcon.app/Contents/Resources/falconctl license 0123456789ABCDEFGHIJKLMNOPQRSTUV-WX"

Default response

Status: 200

{
  "software_installer": {
    "name": "FalconSensor-6.44.pkg",
    "display_name": "CrowdStrike agent",
    "icon_url": null,
    "categories": null,
    "version": "6.44",
    "platform": "darwin",
    "fleet_maintained_app_id": 42,
    "installer_id": 23,
    "team_id": 3,
    "uploaded_at": "2024-04-01T14:22:58Z",
    "hash_sha256": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
    "install_script": "sudo installer -pkg /temp/FalconSensor-6.44.pkg -target /",
    "pre_install_query": "SELECT 1 FROM macos_profiles WHERE uuid='c9f4f0d5-8426-4eb8-b61b-27c543c9d3db';",
    "post_install_script": "sudo /Applications/Falcon.app/Contents/Resources/falconctl license 0123456789ABCDEFGHIJKLMNOPQRSTUV-WX",
    "self_service": true,
    "status": {
      "installed": 0,
      "pending": 0,
      "failed": 0
    }
  }
}

Update software icon

Experimental feature. This feature is undergoing rapid improvement, which may result in breaking changes to the API or configuration surface. It is not recommended for use in automated workflows.

Available in Fleet Premium.

Icon will be displayed in Fleet and on Fleet Desktop > Self-service. In the UI for the specified team, overriding the default icon built into Fleet, as well as the Apple-sourced icon if the software has an associated VPP app.

You need to send a request of type multipart/form-data.

PUT /api/v1/fleet/software/titles/:id/icon

Parameters

Name	Type	In	Description
id	integer	path	ID of the software title being updated.
fleet_id	integer	query	Required. The fleet ID. Updates a software icon in the specified fleet.
icon	file	body	Must be PNG format. It must be square with dimensions between 120x120 px and 1024x1024 px.
hash_sha256	string	body	SHA256 hash of an already-uploaded icon to use. If provided, filename is required and icon should be omitted.
filename	string	body	Filename to record for the icon image, if hash_sha256 was supplied.

Example

PUT /api/v1/fleet/software/titles/33/icon?team_id=2

Request body

icon="crowdstrike-icon-512x512.png"

Default response

Status: 200

  "icon_url": "/api/latest/fleet/software/titles/33/icon?team_id=2"

Download software icon

Experimental feature. This feature is undergoing rapid improvement, which may result in breaking changes to the API or configuration surface. It is not recommended for use in automated workflows.

Available in Fleet Premium.

Download the icon added via Update software icon or icon from the Apple App Store (VPP). This endpoint requires authentication.

GET /api/v1/fleet/software/titles/:id/icon

Parameters

Name	Type	In	Description
id	integer	path	ID of the software title to get icon for.
fleet_id	integer	query	Required. The fleet ID.

This endpoint will redirect (302) to the Apple-hosted URL of an icon if an icon override isn't set and a VPP app is added for the title on the host's team.

Example

GET /api/v1/fleet/software/titles/33/icon?team_id=2

Default response

Status: 200

Status: 200
Content-Type: image/png
Content-Disposition: inline; filename="zoom-icon-512x512.png"
Content-Length: 124567

<BINARY_IMAGE_DATA>

Delete software icon

Experimental feature. This feature is undergoing rapid improvement, which may result in breaking changes to the API or configuration surface. It is not recommended for use in automated workflows.

Available in Fleet Premium.

Delete a custom icon added via Update software icon. This will revert to using the software title's built-in icon.

DELETE /api/v1/fleet/software/titles/:id/icon

Parameters

Name	Type	In	Description
id	integer	path	ID of the software title being updated.
team_id	integer	query	Required. The team ID. Updates a software icon in the specified team.

Example

DELETE /api/v1/fleet/software/titles/33/icon?team_id=2

Default response

Status: 204

List Apple App Store apps

Experimental feature. This feature is undergoing rapid improvement, which may result in breaking changes to the API or configuration surface. It is not recommended for use in automated workflows.

Returns the list of Apple App Store (VPP) apps that can be added to the specified fleet. If an app is already added to the fleet, it's excluded from the list.

GET /api/v1/fleet/software/app_store_apps

Parameters

Name	Type	In	Description
fleet_id	integer	query	Required. The fleet ID.

Example

GET /api/v1/fleet/software/app_store_apps/?fleet_id=3

Default response

Status: 200

{
  "app_store_apps": [
    {
      "name": "Xcode",
      "display_name": "",
      "icon_url": "https://is1-ssl.mzstatic.com/image/thumb/Purple211/v4/f1/65/1e/a4844ccd-486d-455f-bb31-67336fe46b14/AppIcon-1x_U007emarketing-0-7-0-85-220-0.png/512x512bb.jpg",
      "latest_version": "15.4",
      "app_store_id": "497799835",
      "platform": "darwin"
    },
    {
      "name": "Logic Pro",
      "display_name": "",
      "icon_url": "https://is1-ssl.mzstatic.com/image/thumb/Purple211/v4/f1/65/1e/a4844ccd-486d-455f-bb31-67336fe46b14/AppIcon-1x_U007emarketing-0-7-0-85-220-0.png/512x512bb.jpg",
      "latest_version": "2.04",
      "app_store_id": "634148309",
      "platform": "ios"
    },
    {
      "name": "Logic Pro",
      "display_name": "",
      "icon_url": "https://is1-ssl.mzstatic.com/image/thumb/Purple211/v4/f1/65/1e/a4844ccd-486d-455f-bb31-67336fe46b14/AppIcon-1x_U007emarketing-0-7-0-85-220-0.png/512x512bb.jpg",
      "latest_version": "2.04",
      "app_store_id": "634148309",
      "platform": "ipados"
    },
  ]
}

Add app store app

Experimental feature. This feature is undergoing rapid improvement, which may result in breaking changes to the API or configuration surface. It is not recommended for use in automated workflows.

Available in Fleet Premium.

Add Apple App Store or Google Play store app. Apple apps must be added in Apple Business Manager (ABM) before adding them to Fleet.

POST /api/v1/fleet/software/app_store_apps

Parameters

Name	Type	In	Description
app_store_id	string	body	Required. The ID of the Apple App Store app or Google Play app.
fleet_id	integer	body	Required. The fleet ID. Adds app from the store to the specified fleet.
platform	string	body	The platform of the app (darwin, ios, ipados, or android). Default is darwin.
self_service	boolean	body	Required if platform is Android. Currently supported for macOS and Android apps. Specifies whether the app shows up in self-service and is available for install by the end user. For macOS shows up on Fleet Desktop > My device page, for Android in Play Store app in end user's work profile, and for iOS/iPadOS in self-service web app.
ensure	string	form	For macOS only, if set to "present" (currently the only valid value if set), create a policy that triggers a software install only on hosts missing the software.
labels_include_any	array	form	Target hosts that have any label, specified by label name, in the array.
labels_exclude_any	array	form	Target hosts that don't have any label, specified by label name, in the array.
configuration	object	form	The Android Play Store app's managed configuration in JSON format. Currently only supported for Android.

Only one of labels_include_any or labels_exclude_any can be specified. If neither are specified, all hosts are targeted.

Example

POST /api/v1/fleet/software/app_store_apps

Request body

{
  "app_store_id": "497799835",
  "categories": ["Productivity"],
  "team_id": 2,
  "platform": "ipados",
  "self_service": true
}

Default response

Status: 200

{
  "software_title_id": 123
}

Default response

Status: 200

{
  "software_title_id": 456
}

Update app store app

Experimental feature. This feature is undergoing rapid improvement, which may result in breaking changes to the API or configuration surface. It is not recommended for use in automated workflows.

Available in Fleet Premium.

Modify an Apple App Store (VPP) or a Google Play app's options.

PATCH /api/v1/fleet/software/titles/:title_id/app_store_app

Parameters

Name	Type	In	Description
fleet_id	integer	body	Required. The fleet ID. Edits Apple App Store or Android Play store app from the specified fleet.
display_name	string	body	Optional override for the default name.
self_service	boolean	body	Required if platform is Android. Currently supported for macOS and Android apps. Specifies whether the app shows up in self-service and is available for install by the end user. For macOS shows up on Fleet Desktop > My device page, and for Android in Play Store app in end user's work profile.
categories	array	body	Zero or more of the supported categories, used to group self-service software on your end users' Fleet Desktop > My device page. Software with no categories will be still be shown under All.
auto_update_enabled	boolean	body	Whether to enable automatic updates for iOS/iPadOS App Store (VPP) apps.
auto_update_window_start	string	body	Update window start time (local time of the device) when automatic updates will take place for iOS/iPadOS App Store (VPP) apps, formatted as HH:MM. Required if auto_update_enabled is true.
auto_update_window_end	string	body	Update window end time (local time of the device) when automatic updates will take place for iOS/iPadOS App Store (VPP) apps, formatted as HH:MM. Required if auto_update_enabled is true.
labels_include_any	array	body	Target hosts that have any label, specified by label name, in the array.
labels_exclude_any	array	body	Target hosts that don't have any label, specified by label name, in the array.
configuration	object	body	The Android Play Store app's managed configuration in JSON format. Currently only supported for Android.

Only one of labels_include_any or labels_exclude_any can be specified. If neither are specified, all hosts are targeted.

configuration only supports managedConfiguration and workProfileWidgets from Android application policy. Configuration keys vary by app. Refer to the app vendor's documentation for available managed configuration options. For example, see Zoom's Android managed configuration or GlobalProtect's Android configuration.

Example

PATCH /api/v1/fleet/software/titles/3467/app_store_app

Request body

{
  "team_id": 2,
  "self_service": true,
  "categories": ["Browser"],
  "labels_include_any": [
    "Product",
    "Marketing"
  ]
}

Default response

Status: 200

{
  "app_store_app": {
    "name": "Logic Pro",
    "display_name": "",
    "icon_url" null,
    "app_store_id": 1091189122,
    "categories": ["Browser"],
    "latest_version": "2.04",
    "self_service": true,
    "labels_include_any": [
      {
        "name": "Product",
        "id": 12
      },
      {
        "name": "Marketing",
        "id": 17
      }
    ],
    "automatic_install_policies": [
      {
        "id": 345,
        "name": "[Install software] Logic Pro",
        "type": "dynamic"
      }
    ],
    "status": {
      "installed": 3,
      "pending": 1,
      "failed": 2,
    }
  }
}

List Fleet-maintained apps

Experimental feature. This feature is undergoing rapid improvement, which may result in breaking changes to the API or configuration surface. It is not recommended for use in automated workflows.

List available Fleet-maintained apps.

GET /api/v1/fleet/software/fleet_maintained_apps

Parameters

Name	Type	In	Description
fleet_id	integer	query	If specified, each app includes the software_title_id if the software has already been added to that fleet.
page	integer	query	Page number of the results to fetch.
per_page	integer	query	Results per page.

Example

GET /api/v1/fleet/software/fleet_maintained_apps?fleet_id=3

Default response

Status: 200

{
  "fleet_maintained_apps": [
    {
      "id": 1,
      "name": "1Password",
      "slug": "1password/darwin",
      "platform": "darwin",
      "version": "8.10.40",
      "software_title_id": 1
    },
    {
      "id": 2,
      "name": "Adobe Acrobat Reader",
      "slug": "adobe-acrobat-reader/darwin",
      "platform": "darwin",
      "version": "24.002.21005",
      "software_title_id": null
    },
    {
      "id": 3,
      "name": "Box Drive",
      "slug": "box-drive/darwin",
      "platform": "darwin",
      "version": "2.39.179",
      "software_title_id": 3
    },
    ...
  ],
  "meta": {
    "has_next_results": false,
    "has_previous_results": false
  }
}

Get Fleet-maintained app

Experimental feature. This feature is undergoing rapid improvement, which may result in breaking changes to the API or configuration surface. It is not recommended for use in automated workflows.

Returns information about the specified Fleet-maintained app.

GET /api/v1/fleet/software/fleet_maintained_apps/:id

Parameters

Name	Type	In	Description
id	integer	path	Required. The Fleet-maintained app's ID.
fleet_id	integer	query	If supplied, set software_title_id on the response when an installer or VPP app has already been added to that fleet for that software.

Example

GET /api/v1/fleet/software/fleet_maintained_apps/1

Default response

Status: 200

{
  "fleet_maintained_app": {
    "id": 1,
    "slug": "1password/darwin",
    "name": "1Password",
    "filename": "1Password-8.10.50-aarch64.zip",
    "version": "8.10.50",
    "platform": "darwin",
    "url": "https://downloads.1password.com/mac/1Password-8.10.50-aarch64.zip",
    "install_script": "#!/bin/sh\ninstaller -pkg \"$INSTALLER_PATH\" -target /",
    "uninstall_script": "#!/bin/sh\npkg_ids=$PACKAGE_ID\nfor pkg_id in '${pkg_ids[@]}'...",
    "software_title_id": 3
    "categories": ["Productivity"]
  }
}

Create Fleet-maintained app

Experimental feature. This feature is undergoing rapid improvement, which may result in breaking changes to the API or configuration surface. It is not recommended for use in automated workflows.

Available in Fleet Premium.

Add Fleet-maintained app so it's available for install.

POST /api/v1/fleet/software/fleet_maintained_apps

Parameters

Name	Type	In	Description
fleet_maintained_app_id	integer	body	Required. The ID of Fleet-maintained app.
fleet_id	integer	body	Required. The fleet ID. Adds Fleet-maintained app to the specified fleet.
install_script	string	body	Command that Fleet runs to install software. If not specified Fleet runs default install command for each Fleet-maintained app.
pre_install_query	string	body	Query that is pre-install condition. If the query doesn't return any result, Fleet won't proceed to install.
post_install_script	string	body	The contents of the script to run after install. If the specified script fails (exit code non-zero) software install will be marked as failed and rolled back.
self_service	boolean	body	Self-service software is optional and can be installed by the end user.
labels_include_any	array	form	Target hosts that have any label, specified by label name, in the array.
labels_exclude_any	array	form	Target hosts that don't have any label, specified by label name, in the array.
automatic_install	boolean	form	Create a policy that triggers a software install only on hosts missing the software.

Only one of labels_include_any or labels_exclude_any can be specified. If neither are specified, all hosts are targeted.

Add the X-Fleet-Scripts-Encoded: base64 header line to parse install_script, uninstall_script, post_install_script, and pre_install_query fields as bas64-encoded rather than as-is.

Example

POST /api/v1/fleet/software/fleet_maintained_apps

Request body

{
  "fleet_maintained_app_id": 3,
  "team_id": 2,
  "ensure": "present"
}

Default response

Status: 200

{
  "software_title_id": 234
}

Create Android web app

Experimental feature. This feature is undergoing rapid improvement, which may result in breaking changes to the API or configuration surface. It is not recommended for use in automated workflows.

Available in Fleet Premium.

Creates web app (web clip). This endpoint returns the application ID that can be used to add an Android app to Fleet.

You need to send a request of type multipart/form-data.

POST /api/v1/fleet/software/web_apps

Parameters

Name	Type	In	Description
title	string	body	Required. It is displayed to the end user under the app icon.
url	string	body	Required. The URL of the web app. What the end user sees when they open this app.
icon	file	body	The app icon. The icon must be a PNG file and square, with dimensions of at least 512 x 512px.

Example

POST /api/v1/fleet/software/web_apps

Request body

title="Acme web app"
url="https://app.acme.com"
icon="app-icon-512x512.png"

Default response

Status: 200

{
  "app_store_id": "com.google.enterprise.webapp.x1c41e22ab611cb98"
}

Download software

Experimental feature. This feature is undergoing rapid improvement, which may result in breaking changes to the API or configuration surface. It is not recommended for use in automated workflows.

Available in Fleet Premium.

GET /api/v1/fleet/software/titles/:id/package?alt=media

Parameters

Name	Type	In	Description
id	integer	path	Required. The ID of the software title to download software package.
fleet_id	integer	query	Required. The fleet ID. Downloads a software package added to the specified fleet.
alt	string	query	Required. If specified and set to "media", downloads the specified software package.

Example

GET /api/v1/fleet/software/titles/123/package?alt=media&team_id=2

Default response

Status: 200

Status: 200
Content-Type: application/octet-stream
Content-Disposition: attachment
Content-Length: <length>
Body: <blob>

Install software

Experimental feature. This feature is undergoing rapid improvement, which may result in breaking changes to the API or configuration surface. It is not recommended for use in automated workflows.

Available in Fleet Premium.

Install software (package or app store app) on a macOS, iOS, iPadOS, Windows, or Linux (Ubuntu) host. Software title must have a software_package or app_store_app to be installed.

Package installs time out after 1 hour.

POST /api/v1/fleet/hosts/:id/software/:software_title_id/install

Parameters

Name	Type	In	Description
id	integer	path	Required. The host's ID.
software_title_id	integer	path	Required. The software title's ID.

Example

POST /api/v1/fleet/hosts/123/software/3435/install

Default response

Status: 202

Uninstall software

Experimental feature. This feature is undergoing rapid improvement, which may result in breaking changes to the API or configuration surface. It is not recommended for use in automated workflows. Available in Fleet Premium.

Uninstalls software from a host.

POST /api/v1/fleet/hosts/:id/software/:software_title_id/uninstall

Parameters

Name	Type	In	Description
id	integer	path	Required. The host's ID.
software_title_id	integer	path	Required. The software title's ID.

Example

POST /api/v1/fleet/hosts/123/software/3435/uninstall

Default response

Status: 202

Get software install result

Experimental feature. This feature is undergoing rapid improvement, which may result in breaking changes to the API or configuration surface. It is not recommended for use in automated workflows.

Available in Fleet Premium.

GET /api/v1/fleet/software/install/:install_uuid/results

Get the results of a Fleet-maintained app or custom package install. To get uninstall results, use the List activities and Get script result API endpoints.

To get the results of an Apple App Store app install, use the List MDM commands and Get MDM command results API endpoints. Fleet uses an MDM command to install Apple App Store apps.

Name	Type	In	Description
install_uuid	string	path	Required. The software installation UUID.

Example

GET /api/v1/fleet/software/install/b15ce221-e22e-4c6a-afe7-5b3400a017da/results

Default response

Status: 200

 {
   "install_uuid": "b15ce221-e22e-4c6a-afe7-5b3400a017da",
   "software_title": "Falcon.app",
   "software_title_id": 8353,
   "software_package": "FalconSensor-6.44.pkg",
   "host_id": 123,
   "host_display_name": "Marko's MacBook Pro",
   "status": "failed_install",
   "output": "Installing software...\nError: The operation can’t be completed because the item “Falcon” is in use.",
   "pre_install_query_output": "Query returned result\nSuccess",
   "post_install_script_output": "Running script...\nExit code: 1 (Failed)\nRolling back software install...\nSuccess"
 }

Download package

Experimental feature. This feature is undergoing rapid improvement, which may result in breaking changes to the API or configuration surface. It is not recommended for use in automated workflows.

Available in Fleet Premium.

GET /api/v1/fleet/software/titles/:software_title_id/package?alt=media

Parameters

Name	Type	In	Description
software_title_id	integer	path	Required. The ID of the software title to download software package.
fleet_id	integer	query	Required. The fleet ID. Downloads a software package added to the specified fleet.
alt	integer	query	Required. If specified and set to "media", downloads the specified software package.

Example

GET /api/v1/fleet/software/titles/123/package?alt=media?team_id=2

Default response

Status: 200

Status: 200
Content-Type: application/octet-stream
Content-Disposition: attachment
Content-Length: <length>
Body: <blob>

Delete software

Experimental feature. This feature is undergoing rapid improvement, which may result in breaking changes to the API or configuration surface. It is not recommended for use in automated workflows.

Available in Fleet Premium.

Deletes software that's available for install. This won't uninstall the software from hosts.

DELETE /api/v1/fleet/software/titles/:software_title_id/available_for_install

Parameters

Name	Type	In	Description
software_title_id	integer	path	Required. The ID of the software title to delete software available for install.
fleet_id	integer	query	Required. The fleet ID. Deletes a software package added to the specified fleet.

Example

DELETE /api/v1/fleet/software/titles/24/available_for_install?team_id=2

Default response

Status: 204

Vulnerabilities

• List vulnerabilities
• Get vulnerability

List vulnerabilities

Retrieves a list of all CVEs affecting software and/or OS versions.

GET /api/v1/fleet/vulnerabilities

Parameters

Name	Type	In	Description
fleet_id	integer	query	Available in Fleet Premium. Filters only include vulnerabilities affecting the specified fleet. Use 0 to filter by "Unassigned" hosts.
page	integer	query	Page number of the results to fetch.
per_page	integer	query	Results per page.
order_key	string	query	What to order results by. Allowed fields are: cve, cvss_score, epss_probability, cve_published, created_at, and host_count. Default is created_at (descending).
order_direction	string	query	Requires order_key. The direction of the order given the order key. Options include "asc" and "desc". Default is "asc".
query	string	query	Search query keywords. Searchable fields include cve.
exploit	boolean	query	Available in Fleet Premium. If true, filters to only include vulnerabilities that have been actively exploited in the wild (cisa_known_exploit: true). Otherwise, includes vulnerabilities with any cisa_known_exploit value.
after	string	query	The value to get results after. This needs order_key defined, as that's the column that would be used.

Default response

Status: 200

{
  "vulnerabilities": [
    {
      "cve": "CVE-2022-30190",
      "created_at": "2022-06-01T00:15:00Z",
      "hosts_count": 1234,
      "hosts_count_updated_at": "2023-12-20T15:23:57Z",
      "details_link": "https://nvd.nist.gov/vuln/detail/CVE-2022-30190",
      "cvss_score": 7.8,// Available in Fleet Premium
      "epss_probability": 0.9729,// Available in Fleet Premium
      "cisa_known_exploit": false,// Available in Fleet Premium
      "cve_published": "2022-06-01T00:15:00Z",// Available in Fleet Premium
      "cve_description": "Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability.",// Available in Fleet Premium
    }
  ],
  "count": 123,
  "counts_updated_at": "2024-02-02T16:40:37Z",
  "meta": {
    "has_next_results": false,
    "has_previous_results": false
  }
}

Get vulnerability

Retrieve details about a vulnerability and its affected software and OS versions.

If no vulnerable OS versions or software were found, but Fleet is aware of the vulnerability, a 204 status code is returned.

Parameters

Name	Type	In	Description
cve	string	path	The cve to get information about (format must be CVE-YYYY-<4 or more digits>, case-insensitive).
fleet_id	integer	query	Available in Fleet Premium. Filters response data to the specified fleet. Use 0 to filter by "Unassigned" hosts.

GET /api/v1/fleet/vulnerabilities/:cve

Example

GET /api/v1/fleet/vulnerabilities/cve-2022-30190

Default response

Status: 200

"vulnerability": {
  "cve": "CVE-2022-30190",
  "created_at": "2022-06-01T00:15:00Z",
  "hosts_count": 1234,
  "hosts_count_updated_at": "2023-12-20T15:23:57Z",
  "details_link": "https://nvd.nist.gov/vuln/detail/CVE-2022-30190",
  "cvss_score": 7.8,// Available in Fleet Premium
  "epss_probability": 0.9729,// Available in Fleet Premium
  "cisa_known_exploit": false,// Available in Fleet Premium
  "cve_published": "2022-06-01T00:15:00Z",// Available in Fleet Premium
  "cve_description": "Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability.",// Available in Fleet Premium
  "os_versions" : [
    {
      "os_version_id": 6,
      "hosts_count": 200,
      "name": "macOS 14.1.2",
      "name_only": "macOS",
      "version": "14.1.2",
      "resolved_in_version": "14.2",
      "generated_cpes": [
        "cpe:2.3:o:apple:macos:*:*:*:*:*:14.2:*:*",
        "cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:14.2:*:*"
      ]
    }
  ],
  "software": [
    {
      "id": 2363,
      "software_title_id": 124,
      "name": "Docker Desktop",
      "version": "4.9.1",
      "source": "programs",
      "generated_cpe": "cpe:2.3:a:docker:docker_desktop:4.9.1:*:*:*:*:windows:*:*",
      "hosts_count": 50,
      "resolved_in_version": "5.0.0"
    }
  ]
}

The extension_for field is included when set and when empty, at the same level as source. extension_for will show the browser or Visual Studio Code fork associated with the extension, allowing for differentiation between e.g. an extension installed on Visual Studio Code and one installed on Cursor.

---

Targets

In Fleet, targets are used to run reports against specific hosts or groups of hosts. Labels are used to create groups in Fleet.

Search targets

The search targets endpoint returns two lists. The first list includes the possible target hosts in Fleet given the search query provided and the hosts already selected as targets. The second list includes the possible target labels in Fleet given the search query provided and the labels already selected as targets.

The returned lists are filtered based on the hosts the requesting user has access to.

POST /api/v1/fleet/targets

Parameters

Name	Type	In	Description
query	string	body	The search query. Searchable items include a host's hostname or IPv4 address and labels.
query_id	integer	body	The saved query (if any) that will be run. The observer_can_run property on the query and the user's roles effect which targets are included.
selected	object	body	The targets already selected. The object includes a hosts property which contains a list of host IDs, a labels with label IDs and/or a fleets property with fleet IDs.

Example

POST /api/v1/fleet/targets

Request body

{
  "query": "172",
  "selected": {
    "hosts": [],
    "labels": [7]
  },
  "include_observer": true
}

Default response

{
  "targets": {
    "hosts": [
      {
        "created_at": "2021-02-03T16:11:43Z",
        "updated_at": "2021-02-03T21:58:19Z",
        "id": 3,
        "detail_updated_at": "2021-02-03T21:58:10Z",
        "label_updated_at": "2021-02-03T21:58:10Z",
        "policy_updated_at": "2023-06-26T18:33:15Z",
        "last_enrolled_at": "2021-02-03T16:11:43Z",
        "software_updated_at": "2020-11-05T05:09:44Z",
        "seen_time": "2021-02-03T21:58:20Z",
        "hostname": "7a2f41482833",
        "uuid": "a2064cef-0000-0000-afb9-283e3c1d487e",
        "platform": "rhel",
        "osquery_version": "4.5.1",
        "os_version": "CentOS 6.10.0",
        "build": "",
        "platform_like": "rhel",
        "code_name": "",
        "uptime": 32688000000000,
        "memory": 2086899712,
        "cpu_type": "x86_64",
        "cpu_subtype": "142",
        "cpu_brand": "Intel(R) Core(TM) i5-8279U CPU @ 2.40GHz",
        "cpu_physical_cores": 4,
        "cpu_logical_cores": 4,
        "hardware_vendor": "",
        "hardware_model": "",
        "hardware_version": "",
        "hardware_serial": "",
        "computer_name": "7a2f41482833",
        "timezone": null,
        "display_name": "7a2f41482833",
        "primary_ip": "172.20.0.3",
        "primary_mac": "02:42:ac:14:00:03",
        "distributed_interval": 10,
        "config_tls_refresh": 10,
        "logger_tls_period": 10,
        "additional": {},
        "status": "offline",
        "display_text": "7a2f41482833"
      },
      {
        "created_at": "2021-02-03T16:11:43Z",
        "updated_at": "2021-02-03T21:58:19Z",
        "id": 4,
        "detail_updated_at": "2021-02-03T21:58:10Z",
        "label_updated_at": "2021-02-03T21:58:10Z",
        "policy_updated_at": "2023-06-26T18:33:15Z",
        "last_enrolled_at": "2021-02-03T16:11:43Z",
        "software_updated_at": "2020-11-05T05:09:44Z",
        "seen_time": "2021-02-03T21:58:20Z",
        "hostname": "78c96e72746c",
        "uuid": "a2064cef-0000-0000-afb9-283e3c1d487e",
        "platform": "ubuntu",
        "osquery_version": "4.5.1",
        "os_version": "Ubuntu 16.4.0",
        "build": "",
        "platform_like": "debian",
        "code_name": "",
        "uptime": 32688000000000,
        "memory": 2086899712,
        "cpu_type": "x86_64",
        "cpu_subtype": "142",
        "cpu_brand": "Intel(R) Core(TM) i5-8279U CPU @ 2.40GHz",
        "cpu_physical_cores": 4,
        "cpu_logical_cores": 4,
        "hardware_vendor": "",
        "hardware_model": "",
        "hardware_version": "",
        "hardware_serial": "",
        "computer_name": "78c96e72746c",
        "timezone": null,
        "display_name": "78c96e72746c",
        "primary_ip": "172.20.0.7",
        "primary_mac": "02:42:ac:14:00:07",
        "distributed_interval": 10,
        "config_tls_refresh": 10,
        "logger_tls_period": 10,
        "additional": {},
        "status": "offline",
        "display_text": "78c96e72746c"
      }
    ],
    "labels": [
      {
        "created_at": "2021-02-02T23:55:25Z",
        "updated_at": "2021-02-02T23:55:25Z",
        "id": 6,
        "name": "All Hosts",
        "description": "All hosts which have enrolled in Fleet",
        "query": "SELECT 1;",
        "label_type": "builtin",
        "label_membership_type": "dynamic",
        "host_count": 5,
        "display_text": "All Hosts",
        "count": 5
      }
    ],
    "fleets": [
      {
        "id": 1,
        "created_at": "2021-05-27T20:02:20Z",
        "name": "Client Platform Engineering",
        "description": "",
        "agent_options": null,
        "user_count": 4,
        "host_count": 2,
        "display_text": "Client Platform Engineering",
        "count": 2
      }
    ]
  },
  "targets_count": 1,
  "targets_online": 1,
  "targets_offline": 0,
  "targets_missing_in_action": 0
}

---

Fleets

• List fleets
• Get fleet
• Create fleet
• Update fleet
• Add users to fleet
• Update fleet's agent options
• Delete fleet

List fleets

Available in Fleet Premium

GET /api/v1/fleet/fleets

Parameters

Name	Type	In	Description
page	integer	query	Page number of the results to fetch.
per_page	integer	query	Results per page.
order_key	string	query	What to order results by. Can be any column in the fleets table.
order_direction	string	query	Requires order_key. The direction of the order given the order key. Options include "asc" and "desc". Default is "asc".
query	string	query	Search query keywords. Searchable fields include name.
after	string	query	The value to get results after. This needs order_key defined, as that's the column that would be used.

Example

GET /api/v1/fleet/fleets

Default response

Status: 200

{
  "fleets": [
    {
      "id": 1,
      "created_at": "2021-07-28T15:58:21Z",
      "name": "workstations",
      "description": "",
      "agent_options": {
        "config": {
          "options": {
            "pack_delimiter": "/",
            "logger_tls_period": 10,
            "distributed_plugin": "tls",
            "disable_distributed": false,
            "logger_tls_endpoint": "/api/v1/osquery/log",
            "distributed_interval": 10,
            "distributed_tls_max_attempts": 3
          },
          "decorators": {
            "load": [
              "SELECT uuid AS host_uuid FROM system_info;",
              "SELECT hostname AS hostname FROM system_info;"
            ]
          }
        },
        "overrides": {},
        "command_line_flags": {}
      },
      "user_count": 0,
      "host_count": 0,
      "secrets": [
        {
          "secret": "",
          "created_at": "2021-07-28T15:58:21Z",
          "team_id": 10
        }
      ]
    },
    {
      "id": 2,
      "created_at": "2021-08-05T21:41:42Z",
      "name": "servers",
      "description": "",
      "agent_options": {
        "spec": {
          "config": {
            "options": {
              "pack_delimiter": "/",
              "logger_tls_period": 10,
              "distributed_plugin": "tls",
              "disable_distributed": false,
              "logger_tls_endpoint": "/api/v1/osquery/log",
              "distributed_interval": 10,
              "distributed_tls_max_attempts": 3
            },
            "decorators": {
              "load": [
                "SELECT uuid AS host_uuid FROM system_info;",
                "SELECT hostname AS hostname FROM system_info;"
              ]
            }
          },
          "overrides": {},
          "command_line_flags": {}
        },
        "user_count": 0,
        "host_count": 0,
        "secrets": [
          {
            "secret": "+ncixtnZB+IE0OrbrkCLeul3U8LMVITd",
            "created_at": "2021-08-05T21:41:42Z",
            "team_id": 15
          }
        ]
      }
    }
  ]
}

Get fleet

Available in Fleet Premium

GET /api/v1/fleet/fleets/:id

mdm.macos_settings.custom_settings, mdm.windows_settings.custom_settings, scripts, and mdm.macos_setup only include the configuration profiles, scripts, and setup experience settings applied using Fleet's YAML. To list profiles, scripts, or setup experience settings added in the UI or API, use the List configuration profiles, List scripts, or GET endpoints from Setup experience instead.

"Unassigned" (id 0) will only return id, name, webhook_settings.failing_policies_webhook, integrations.jira, and integrations.zendesk fields.

Parameters

Name	Type	In	Description
id	integer	path	Required. The desired fleet's ID. Use 0 for "Unassigned" hosts.

Example

GET /api/v1/fleet/fleets/1

Default response

Status: 200

{
  "team": {
    "name": "Workstations",
    "id": 1,
    "user_count": 4,
    "host_count": 0,
    "agent_options": {
      "config": {
        "options": {
          "pack_delimiter": "/",
          "logger_tls_period": 10,
          "distributed_plugin": "tls",
          "disable_distributed": false,
          "logger_tls_endpoint": "/api/v1/osquery/log",
          "distributed_interval": 10,
          "distributed_tls_max_attempts": 3
        },
        "decorators": {
          "load": [
            "SELECT uuid AS host_uuid FROM system_info;",
            "SELECT hostname AS hostname FROM system_info;"
          ]
        }
      },
      "overrides": {},
      "command_line_flags": {}
    },
    "webhook_settings": {
      "failing_policies_webhook": {
        "enable_failing_policies_webhook": false,
        "destination_url": "",
        "policy_ids": null,
        "host_batch_size": 0
      }
    },
    "integrations": {
      "google_calendar": {
        "enable_calendar_events": true,
        "webhook_url": "https://server.com/example"
      }
    },
    "mdm": {
      "enable_disk_encryption": true,
      "windows_require_bitlocker_pin": false,
      "macos_updates": {
        "minimum_version": "12.3.1",
        "deadline": "2022-01-01",
        "update_new_hosts": true
      },
      "windows_updates": {
        "deadline_days": 5,
        "grace_period_days": 1
      },
      "macos_settings": {
        "custom_settings": [
          {
            "path": "path/to/profile1.mobileconfig",
            "labels": ["Label 1", "Label 2"]
          }
        ]
      },
      "windows_settings": {
        "custom_settings": [
          {
            "path": "path/to/profile2.xml",
            "labels": ["Label 3", "Label 4"]
          }
        ],
      },
      "macos_setup": {
        "bootstrap_package": "",
        "enable_end_user_authentication": false,
        "macos_setup_assistant": "path/to/config.json",
        "enable_release_device_manually": false,
        "manual_agent_install": false
      }
    }
  }
}

Create fleet

Available in Fleet Premium

POST /api/v1/fleet/fleets

Parameters

Name	Type	In	Description
name	string	body	Required. The fleet's name.

Example

POST /api/v1/fleet/fleets

Request body

{
  "name": "workstations"
}

Default response

Status: 200

{
  "team": {
    "name": "workstations",
    "id": 1,
    "user_count": 0,
    "host_count": 0,
    "agent_options": {
      "config": {
        "options": {
          "pack_delimiter": "/",
          "logger_tls_period": 10,
          "distributed_plugin": "tls",
          "disable_distributed": false,
          "logger_tls_endpoint": "/api/v1/osquery/log",
          "distributed_interval": 10,
          "distributed_tls_max_attempts": 3
        },
        "decorators": {
          "load": [
            "SELECT uuid AS host_uuid FROM system_info;",
            "SELECT hostname AS hostname FROM system_info;"
          ]
        }
      },
      "overrides": {},
      "command_line_flags": {}
    },
    "webhook_settings": {
      "failing_policies_webhook": {
        "enable_failing_policies_webhook": false,
        "destination_url": "",
        "policy_ids": null,
        "host_batch_size": 0
      }
    }
  }
}

Update fleet

Available in Fleet Premium

PATCH /api/v1/fleet/fleets/:id

Parameters

Name	Type	In	Description
id	integer	path	Required. The desired fleet's ID. Use 0 for "Unassigned" hosts. Note: When using id=0, only webhook_settings.failing_policies_webhook, integrations.jira, and integrations.zendesk fields are supported in the request body.
name	string	body	The fleet's name.
host_ids	array	body	A list of hosts that belong to the fleet.
user_ids	array	body	A list of users on the fleet.
webhook_settings	object	body	Webhook settings for the fleet. See webhook_settings.
integrations	object	body	Integrations settings for the fleet. See integrations for details. Note that integrations referenced here must already exist globally, created by a call to Modify configuration.
mdm	object	body	MDM settings for the fleet. See mdm for details.
host_expiry_settings	object	body	Host expiry settings for the fleet. See host_expiry_settings for details.

Example (transfer hosts to a fleet)

PATCH /api/v1/fleet/fleets/1

Request body

{
  "host_ids": [3, 6, 7, 8, 9, 20, 32, 44]
}

Default response

Status: 200

{
  "team": {
    "name": "Workstations",
    "id": 1,
    "user_count": 4,
    "host_count": 8,
    "agent_options": {
      "config": {
        "options": {
          "pack_delimiter": "/",
          "logger_tls_period": 10,
          "distributed_plugin": "tls",
          "disable_distributed": false,
          "logger_tls_endpoint": "/api/v1/osquery/log",
          "distributed_interval": 10,
          "distributed_tls_max_attempts": 3
        },
        "decorators": {
          "load": [
            "SELECT uuid AS host_uuid FROM system_info;",
            "SELECT hostname AS hostname FROM system_info;"
          ]
        }
      },
      "overrides": {},
      "command_line_flags": {}
    },
    "webhook_settings": {
      "failing_policies_webhook": {
        "enable_failing_policies_webhook": false,
        "destination_url": "",
        "policy_ids": null,
        "host_batch_size": 0
      }
    }
  }
}

webhook_settings

Name	Type	Description
failing_policies_webhook	array	See webhook_settings.failing_policies_webhook.
host_status_webhook	array	See webhook_settings.host_status_webhook.

webhook_settings.failing_policies_webhook

webhook_settings.failing_policies_webhook is an object with the following structure:

Name	Type	Description
enable_failing_policies_webhook	boolean	Whether or not the failing policies webhook is enabled.
destination_url	string	The URL to deliver the webhook requests to.
policy_ids	array	List of policy IDs to enable failing policies webhook.
host_batch_size	integer	Maximum number of hosts to batch on failing policy webhook requests. The default, 0, means no batching (all hosts failing a policy are sent on one request).

webhook_settings.host_status_webhook

webhook_settings.host_status_webhook is an object with the following structure:

Name	Type	Description
enable_host_status_webhook	boolean	Whether or not the host status webhook is enabled.
destination_url	string	The URL to deliver the webhook request to.
host_percentage	integer	The minimum percentage of hosts that must fail to check in to Fleet in order to trigger the webhook request.
days_count	integer	body

Example request body

{
  "webhook_settings": {
    "failing_policies_webhook":{
      "enable_failing_policies_webhook": true,
      "destination_url": "https://server.com",
      "policy_ids": [1, 2, 3],
      "host_batch_size": 1000
    },
    "host_status_webhook": {
      "enable_host_status_webhook": true,
      "destination_url": "https://server.com",
      "host_percentage": 5,
      "days_count": 7
    }
  }
}

integrations

Name	Type	Description
jira	array	See integrations.jira.
zendesk	array	See integrations.zendesk.
google_calendar	array	See integrations.google_calendar.
conditional_access_enabled	boolean	Available in Fleet Premium. Whether to block third party app sign-ins on hosts failing policies. Must have Microsoft Entra or Okta connected and configured in global config.

integrations.jira

integrations.jira is an array of objects with the following structure:

Name	Type	Description
url	string	The URL of the Jira server to use.
project_key	string	The project key of the Jira integration to use. Jira tickets will be created in this project.
enable_failing_policies	boolean	Whether or not that Jira integration is enabled for failing policies. Only one failing policy automation can be enabled at a given time (enable_failing_policies_webhook and enable_failing_policies).

integrations.zendesk

integrations.zendesk is an array of objects with the following structure:

Name	Type	Description
url	string	The URL of the Zendesk server to use.
group_id	integer	The Zendesk group ID to use. Zendesk tickets will be created in this group.
enable_failing_policies	boolean	Whether or not that Zendesk integration is enabled for failing policies. Only one failing policy automation can be enabled at a given time (enable_failing_policies_webhook and enable_failing_policies).

integrations.google_calendar

integrations.google_calendar is an array of objects with the following structure:

Name	Type	Description
enable_calendar_events	boolean	Whether or not calendar events are enabled for this fleet.
webhook_url	string	The URL to send a request to during calendar events, to trigger auto-remediation.

Example request body

{
  "integrations": {
    "conditional_access_enabled": true,
    "jira": [
      {
        "enable_software_vulnerabilities": false,
        "enable_failing_poilicies": true,
        "url": "https://jiraserver.com",
        "username": "some_user",
        "api_token": "<TOKEN>",
        "project_key": "jira_project",
      }
    ],
    "zendesk": [],
    "google_calendar": [
      {
        "domain": "https://domain.com",
        "api_key_json": "<API KEY JSON>"
      }
    ]
  }
}

mdm

Name	Type	Description
macos_updates	object	See mdm.macos_updates.
ios_updates	object	See mdm.ios_updates.
ipados_updates	object	See mdm.ipados_updates.
windows_updates	object	See mdm.windows_updates.
macos_settings	object	See mdm.macos_settings.
windows_settings	object	See mdm.windows_settings.
macos_setup	object	See mdm.macos_setup.

mdm.macos_updates

mdm.macos_updates is an object with the following structure:

Name	Type	Description
minimum_version	string	Hosts that belong to this fleet and have MDM turned on will be prompted to update when their OS is below this version.
deadline	string	Hosts that belong to this fleet and have MDM turned on will be forced to update their OS after this deadline (7PM local time for hosts already on macOS 14 or above, 20:00 UTC for hosts on earlier macOS versions).
update_new_hosts	string	macOS hosts that automatically enroll (ADE) are updated to Apple's latest version during macOS Setup Assistant. For backwards compatibility, if not specified, and deadline and minimum_version are set, update_new_hosts is set to true. Otherwise, update_new_hosts defaults to false.

mdm.ios_updates

mdm.ios_updates is an object with the following structure:

Name	Type	Description
minimum_version	string	Hosts that belong to this fleet will be prompted to update when their OS is below this version.
deadline	string	Hosts that belong to this fleet will be forced to update their OS after this deadline (7PM local time).

mdm.ipados_updates

mdm.ipados_updates is an object with the following structure:

Name	Type	Description
minimum_version	string	Hosts that belong to this fleet will be prompted to update when their OS is below this version.
deadline	string	Hosts that belong to this fleet will be forced to update their OS after this deadline (7PM local time).

mdm.windows_updates

mdm.windows_updates is an object with the following structure:

Name	Type	Description
deadline_days	integer	Hosts that belong to this fleet and have MDM turned on will have this number of days before updates are installed on Windows.
grace_period_days	integer	Hosts that belong to this fleet and have MDM turned on will have this number of days before Windows restarts to install updates.

mdm.macos_settings

mdm.macos_settings is an object with the following structure:

Name	Type	Description
enable_disk_encryption	boolean	Hosts that belong to this fleet will have disk encryption enabled if set to true.
custom_settings	array	Only intended to be used by Fleet's YAML. To add macOS configuration profiles using Fleet's API, use the Create custom OS setting (configuration profile) endpoint instead.

mdm.windows_settings

mdm.windows_settings is an object with the following structure:

Name	Type	Description
custom_settings	array	Only intended to be used by Fleet's YAML. To add Windows configuration profiles using Fleet's API, use the Create custom OS setting (configuration profile) endpoint instead.

mdm.macos_setup

mdm.macos_setup is an object with the following structure:

Name	Type	Description
enable_end_user_authentication	boolean	If set to true, end user authentication will be required during automatic MDM enrollment of new macOS hosts. Settings for your IdP provider must also be configured.
lock_end_user_info	boolean	If set to true, end user can't edit the local account's Account Name and Full Name in macOS Setup Assistant. These fields will be locked to values from your IdP. (Default: true)

Example request body

{
  "mdm": {
    "macos_updates": {
      "minimum_version": "12.3.1",
      "deadline": "2025-04-01",
      "update_new_hosts": true
    },
    "ios_updates": {
      "minimum_version": "18.3.1",
      "deadline": "2025-04-01"
    },
    "windows_updates": {
      "deadline_days": 5,
      "grace_period_days": 1
    },
    "macos_settings": {
      "custom_settings": [
        {
          "path": "path/to/profile1.mobileconfig",
          "labels": ["Label 1", "Label 2"]
        },
        {
          "path": "path/to/profile2.json",
          "labels": ["Label 3", "Label 4"]
        },
      ]
    },
    "windows_settings": {
      "custom_settings": [
        {
          "path": "path/to/profile3.xml",
          "labels": ["Label 1", "Label 2"]
        }
      ]
    },
    "macos_setup": {
      "enable_end_user_authentication": false
    }
  }
}

host_expiry_settings

Name	Type	Description
host_expiry_enabled	boolean	When enabled, allows automatic cleanup of hosts that have not communicated with Fleet in some number of days. When disabled, defaults to the global setting.
host_expiry_window	integer	If a host has not communicated with Fleet in the specified number of days, it will be removed.

Example request body

{
  "host_expiry_settings": {
    "host_expiry_enabled": true,
    "host_expiry_window": 7
  }
}

Add users to fleet

Available in Fleet Premium

PATCH /api/v1/fleet/fleets/:id/users

Parameters

Name	Type	In	Description
id	integer	path	Required. The desired fleet's ID.
users	string	body	Array of users to add.
id	integer	body	The id of the user.
role	string	body	The fleet role that the user will be granted. Options are: "admin", "maintainer", "observer", "observer_plus", and "gitops".

Example

PATCH /api/v1/fleet/fleets/1/users

Request body

{
  "users": [
    {
      "id": 1,
      "role": "admin"
    },
    {
      "id": 17,
      "role": "observer"
    }
  ]
}

Default response

Status: 200

{
  "team": {
    "name": "Workstations",
    "id": 1,
    "user_count": 2,
    "host_count": 0,
    "agent_options": {
      "config": {
        "options": {
          "pack_delimiter": "/",
          "logger_tls_period": 10,
          "distributed_plugin": "tls",
          "disable_distributed": false,
          "logger_tls_endpoint": "/api/v1/osquery/log",
          "distributed_interval": 10,
          "distributed_tls_max_attempts": 3
        },
        "decorators": {
          "load": [
            "SELECT uuid AS host_uuid FROM system_info;",
            "SELECT hostname AS hostname FROM system_info;"
          ]
        }
      },
      "overrides": {},
      "command_line_flags": {}
    },
    "webhook_settings": {
      "failing_policies_webhook": {
        "enable_failing_policies_webhook": false,
        "destination_url": "",
        "policy_ids": null,
        "host_batch_size": 0
      }
    },
    "mdm": {
      "enable_disk_encryption": true,
      "windows_require_bitlocker_pin": false,
      "macos_updates": {
        "minimum_version": "12.3.1",
        "deadline": "2022-01-01",
        "update_new_hosts": true
      },
      "windows_updates": {
        "deadline_days": 5,
        "grace_period_days": 1
      },
      "macos_settings": {
        "custom_settings": [
          {
           "path": "path/to/profile1.mobileconfig",
           "labels": ["Label 1", "Label 2"]
          }
        ]
      },
      "windows_settings": {
        "custom_settings": [
          {
           "path": "path/to/profile2.xml",
           "labels": ["Label 3", "Label 4"]
          }
        ],
      },
      "macos_setup": {
        "bootstrap_package": "",
        "enable_end_user_authentication": false,
        "macos_setup_assistant": "path/to/config.json"
      }
    },
    "users": [
      {
        "created_at": "0001-01-01T00:00:00Z",
        "updated_at": "0001-01-01T00:00:00Z",
        "id": 1,
        "name": "Example User1",
        "email": "user1@example.com",
        "force_password_reset": false,
        "gravatar_url": "",
        "sso_enabled": false,
        "global_role": null,
        "api_only": false,
        "teams": null,
        "role": "admin"
      },
      {
        "created_at": "0001-01-01T00:00:00Z",
        "updated_at": "0001-01-01T00:00:00Z",
        "id": 17,
        "name": "Example User2",
        "email": "user2@example.com",
        "force_password_reset": false,
        "gravatar_url": "",
        "sso_enabled": false,
        "global_role": null,
        "api_only": false,
        "teams": null,
        "role": "observer"
      }
    ]
  }
}

Update fleet's agent options

Available in Fleet Premium

POST /api/v1/fleet/fleets/:id/agent_options

Parameters

Name	Type	In	Description
id	integer	path	Required. The desired fleet's ID.
force	boolean	query	Force apply the options even if there are validation errors.
dry_run	boolean	query	Validate the options and return any validation errors, but do not apply the changes.
JSON data	object	body	The JSON to use as agent options for this fleet. See Agent options for details.

Example

POST /api/v1/fleet/fleets/1/agent_options

Request body

{
  "config": {
    "options": {
      "pack_delimiter": "/",
      "logger_tls_period": 20,
      "distributed_plugin": "tls",
      "disable_distributed": false,
      "logger_tls_endpoint": "/api/v1/osquery/log",
      "distributed_interval": 60,
      "distributed_tls_max_attempts": 3
    },
    "decorators": {
      "load": [
        "SELECT uuid AS host_uuid FROM system_info;",
        "SELECT hostname AS hostname FROM system_info;"
      ]
    }
  },
  "overrides": {},
  "command_line_flags": {}
}

Default response

Status: 200

{
  "team": {
    "name": "Workstations",
    "id": 1,
    "user_count": 4,
    "host_count": 8,
    "agent_options": {
      "config": {
        "options": {
          "pack_delimiter": "/",
          "logger_tls_period": 20,
          "distributed_plugin": "tls",
          "disable_distributed": false,
          "logger_tls_endpoint": "/api/v1/osquery/log",
          "distributed_interval": 60,
          "distributed_tls_max_attempts": 3
        },
        "decorators": {
          "load": [
            "SELECT uuid AS host_uuid FROM system_info;",
            "SELECT hostname AS hostname FROM system_info;"
          ]
        }
      },
      "overrides": {},
      "command_line_flags": {}
    },
    "webhook_settings": {
      "failing_policies_webhook": {
        "enable_failing_policies_webhook": false,
        "destination_url": "",
        "policy_ids": null,
        "host_batch_size": 0
      }
    }
  }
}

Delete fleet

Available in Fleet Premium

DELETE /api/v1/fleet/fleets/:id

Parameters

Name	Type	In	Description
id	integer	path	Required. The desired fleet's ID.

Example

DELETE /api/v1/fleet/fleets/1

Default response

Status: 200

---

Translator

• Translate IDs

Translate IDs

Transforms a host name into a host id. For example, the Fleet UI uses this endpoint when sending live reports to a set of hosts.

POST /api/v1/fleet/translate

Parameters

Name	Type	In	Description
array	array	body	Required list of items to translate.

Example

POST /api/v1/fleet/translate

Request body

{
  "list": [
    {
      "type": "user",
      "payload": {
        "identifier": "some@email.com"
      }
    },
    {
      "type": "label",
      "payload": {
        "identifier": "labelA"
      }
    },
    {
      "type": "team",
      "payload": {
        "identifier": "team1"
      }
    },
    {
      "type": "host",
      "payload": {
        "identifier": "host-ABC"
      }
    }
  ]
}

Default response

Status: 200

{
  "list": [
    {
      "type": "user",
      "payload": {
        "identifier": "some@email.com",
        "id": 32
      }
    },
    {
      "type": "label",
      "payload": {
        "identifier": "labelA",
        "id": 1
      }
    },
    {
      "type": "team",
      "payload": {
        "identifier": "team1",
        "id": 22
      }
    },
    {
      "type": "host",
      "payload": {
        "identifier": "host-ABC",
        "id": 45
      }
    }
  ]
}

---

Users

• List users
• Create user
• Create user from invite
• Get user
• Update user
• Delete user
• Require password reset
• List sessions
• Delete sessions
• Invite user
• List invites
• Delete invite
• Verify invite
• Update invite

The Fleet server exposes API endpoints that handles common user management operations, including managing emailed invites to new users. All of these endpoints require prior authentication, so you'll need to log in before calling any of the endpoints documented below.

List users

Returns a list of all enabled users

GET /api/v1/fleet/users

Parameters

Name	Type	In	Description
query	string	query	Search query keywords. Searchable fields include name and email.
order_key	string	query	What to order results by. Can be any column in the users table.
order_direction	string	query	Requires order_key. The direction of the order given the order key. Options include "asc" and "desc". Default is "asc".
page	integer	query	Page number of the results to fetch.
query	string	query	Search query keywords. Searchable fields include name and email.
per_page	integer	query	Results per page.
fleet_id	integer	query	Available in Fleet Premium. Filters the users to only include users in the specified fleet.
after	string	query	The value to get results after. This needs order_key defined, as that's the column that would be used.

Example

GET /api/v1/fleet/users

Request query parameters

None.

Default response

Status: 200

{
  "users": [
    {
      "created_at": "2020-12-10T03:52:53Z",
      "updated_at": "2020-12-10T03:52:53Z",
      "id": 1,
      "name": "Jane Doe",
      "email": "janedoe@example.com",
      "force_password_reset": false,
      "gravatar_url": "",
      "sso_enabled": false,
      "mfa_enabled": false,
      "global_role": null,
      "api_only": false,
      "fleets": [
        {
          "id": 1,
          "created_at": "0001-01-01T00:00:00Z",
          "name": "workstations",
          "description": "",
          "role": "admin"
        }
      ]
    }
  ]
}

Failed authentication

Status: 401 Authentication Failed

{
  "message": "Authentication Failed",
  "errors": [
    {
      "name": "base",
      "reason": "Authentication failed"
    }
  ]
}

Create user

Creates a user account without requiring an invitation, the user is enabled immediately. By default, the user will be forced to reset its password upon first login.

POST /api/v1/fleet/users/admin

Parameters

Name	Type	In	Description
email	string	body	Required. The user's email address.
name	string	body	Required. The user's full name or nickname.
password	string	body	The user's password (required for non-SSO users).
sso_enabled	boolean	body	Whether or not SSO is enabled for the user.
mfa_enabled	boolean	body	Available in Fleet Premium. Whether or not the user must click a magic link emailed to them to log in, after they successfully enter their username and password. Incompatible with SSO and API-only users.
api_only	boolean	body	User is an "API-only" user (cannot use web UI) if true.
global_role	string	body	The role assigned to the user. If global_role is specified, fleets cannot be specified. For more information, see manage access.
admin_forced_password_reset	boolean	body	Sets whether the user will be forced to reset its password upon first login (default=true)
fleets	array	body	Available in Fleet Premium. The fleets and respective roles assigned to the user. Should contain an array of objects in which each object includes the fleet's id and the user's role on each fleet. If fleets is specified, global_role cannot be specified. For more information, see manage access.

Example

POST /api/v1/fleet/users/admin

Request body

{
  "name": "Jane Doe",
  "email": "janedoe@example.com",
  "password": "test-123",
  "api_only": true,
  "fleets": [
    {
      "id": 2,
      "role": "observer"
    },
    {
      "id": 3,
      "role": "maintainer"
    }
  ]
}

Default response

Status: 200

{
  "user": {
    "created_at": "0001-01-01T00:00:00Z",
    "updated_at": "0001-01-01T00:00:00Z",
    "id": 5,
    "name": "Jane Doe",
    "email": "janedoe@example.com",
    "enabled": true,
    "force_password_reset": false,
    "gravatar_url": "",
    "sso_enabled": false,
    "mfa_enabled": false,
    "api_only": true,
    "global_role": null,
    "fleets": [
      {
        "id": 2,
        "role": "observer"
      },
      {
        "id": 3,
        "role": "maintainer"
      }
    ]
  },
  "token": "{API key}"
}

Note: The new user's token (API key) is only included in the response after creating an api-only user (api_only: true).

User doesn't exist

Status: 404 Resource Not Found

{
  "message": "Resource Not Found",
  "errors": [
    {
      "name": "base",
      "reason": "User with id=1 was not found in the datastore"
    }
  ]
}

Create user from invite

Creates a user account after an invited user provides registration information and submits the form.

POST /api/v1/fleet/users

Parameters

Name	Type	In	Description
email	string	body	Required. The email address of the user.
invite_token	string	body	Required. Token provided to the user in the invitation email.
name	string	body	Required. The name of the user.
password	string	body	The password chosen by the user (if not SSO user).
password_confirmation	string	body	Confirmation of the password chosen by the user.

Example

POST /api/v1/fleet/users

Request query parameters

{
  "email": "janedoe@example.com",
  "invite_token": "SjdReDNuZW5jd3dCbTJtQTQ5WjJTc2txWWlEcGpiM3c=",
  "name": "janedoe",
  "password": "test-123",
  "password_confirmation": "test-123"
}

Default response

Status: 200

{
  "user": {
    "created_at": "0001-01-01T00:00:00Z",
    "updated_at": "0001-01-01T00:00:00Z",
    "id": 2,
    "name": "janedoe",
    "email": "janedoe@example.com",
    "enabled": true,
    "force_password_reset": false,
    "gravatar_url": "",
    "sso_enabled": false,
    "mfa_enabled": false,
    "global_role": "admin",
    "fleets": []
  }
}

Failed authentication

Status: 401 Authentication Failed

{
  "message": "Authentication Failed",
  "errors": [
    {
      "name": "base",
      "reason": "Authentication failed"
    }
  ]
}

Expired or used invite code

Status: 404 Resource Not Found

{
  "message": "Resource Not Found",
  "errors": [
    {
      "name": "base",
      "reason": "Invite with token SjdReDNuZW5jd3dCbTJtQTQ5WjJTc2txWWlEcGpiM3c= was not found in the datastore"
    }
  ]
}

Validation failed

Status: 422 Validation Failed

The same error will be returned whenever one of the required parameters fails the validation.

{
  "message": "Validation Failed",
  "errors": [
    {
      "name": "name",
      "reason": "cannot be empty"
    }
  ]
}

Get user

Returns all information about a specific user.

GET /api/v1/fleet/users/:id

Parameters

Name	Type	In	Description
id	integer	path	Required. The user's id.

Example

GET /api/v1/fleet/users/2

Default response

Status: 200

{
  "user": {
    "created_at": "2020-12-10T05:20:25Z",
    "updated_at": "2020-12-10T05:24:27Z",
    "id": 2,
    "name": "Jane Doe",
    "email": "janedoe@example.com",
    "force_password_reset": false,
    "gravatar_url": "",
    "sso_enabled": false,
    "mfa_enabled": false,
    "global_role": "admin",
    "api_only": false,
    "fleets": []
  }
}

User doesn't exist

Status: 404 Resource Not Found

{
  "message": "Resource Not Found",
  "errors": [
    {
      "name": "base",
      "reason": "User with id=5 was not found in the datastore"
    }
  ]
}

Update user

PATCH /api/v1/fleet/users/:id

Parameters

Name	Type	In	Description
id	integer	path	Required. The user's id.
name	string	body	The user's name.
position	string	body	The user's position.
email	string	body	The user's email.
sso_enabled	boolean	body	Whether or not SSO is enabled for the user.
mfa_enabled	boolean	body	Available in Fleet Premium. Whether or not the user must click a magic link emailed to them to log in, after they successfully enter their username and password. Incompatible with SSO and API-only users.
api_only	boolean	body	User is an "API-only" user (cannot use web UI) if true.
password	string	body	The user's current password, required to change the user's own email or password (not required for an admin to modify another user).
new_password	string	body	The user's new password.
global_role	string	body	The role assigned to the user. If global_role is specified, fleets cannot be specified.
fleets	array	body	Available in Fleet Premium. The fleets and respective roles assigned to the user. Should contain an array of objects in which each object includes the fleet's id and the user's role on each fleet. In Fleet 4.0.0, 3 user roles were introduced (admin, maintainer, and observer). If fleets is specified, global_role cannot be specified.

Example

PATCH /api/v1/fleet/users/2

Request body

{
  "name": "Jane Doe",
  "global_role": "admin"
}

Default response

Status: 200

{
  "user": {
    "created_at": "2021-02-03T16:11:06Z",
    "updated_at": "2021-02-03T16:11:06Z",
    "id": 2,
    "name": "Jane Doe",
    "email": "janedoe@example.com",
    "global_role": "admin",
    "force_password_reset": false,
    "gravatar_url": "",
    "sso_enabled": false,
    "mfa_enabled": false,
    "api_only": false,
    "fleets": []
  }
}

Example (modify a user's fleets)

PATCH /api/v1/fleet/users/2

Request body

{
  "fleets": [
    {
      "id": 1,
      "role": "observer"
    },
    {
      "id": 2,
      "role": "maintainer"
    }
  ]
}

Default response

Status: 200

{
  "user": {
    "created_at": "2021-02-03T16:11:06Z",
    "updated_at": "2021-02-03T16:11:06Z",
    "id": 2,
    "name": "Jane Doe",
    "email": "janedoe@example.com",
    "enabled": true,
    "force_password_reset": false,
    "gravatar_url": "",
    "sso_enabled": false,
    "mfa_enabled": false,
    "global_role": "admin",
    "fleets": [
      {
        "id": 2,
        "role": "observer"
      },
      {
        "id": 3,
        "role": "maintainer"
      }
    ]
  }
}

Delete user

Delete the specified user from Fleet.

DELETE /api/v1/fleet/users/:id

Parameters

Name	Type	In	Description
id	integer	path	Required. The user's id.

Example

DELETE /api/v1/fleet/users/3

Default response

Status: 200

Require password reset

The selected user is logged out of Fleet and required to reset their password during the next attempt to log in. This also revokes all active Fleet API tokens for this user. Returns the user object.

POST /api/v1/fleet/users/:id/require_password_reset

Parameters

Name	Type	In	Description
id	integer	path	Required. The user's id.
require	boolean	body	Whether or not the user is required to reset their password during the next attempt to log in.

Example

POST /api/v1/fleet/users/123/require_password_reset

Request body

{
  "require": true
}

Default response

Status: 200

{
  "user": {
    "created_at": "2021-02-23T22:23:34Z",
    "updated_at": "2021-02-23T22:28:52Z",
    "id": 2,
    "name": "Jane Doe",
    "email": "janedoe@example.com",
    "force_password_reset": true,
    "gravatar_url": "",
    "mfa_enabled": false,
    "sso_enabled": false,
    "global_role": "observer",
    "fleets": []
  }
}

List sessions

Returns a list of the user's sessions in Fleet.

GET /api/v1/fleet/users/:id/sessions

Parameters

None.

Example

GET /api/v1/fleet/users/1/sessions

Default response

Status: 200

{
  "sessions": [
    {
      "session_id": 2,
      "user_id": 1,
      "created_at": "2021-02-03T16:12:50Z"
    },
    {
      "session_id": 3,
      "user_id": 1,
      "created_at": "2021-02-09T23:40:23Z"
    },
    {
      "session_id": 6,
      "user_id": 1,
      "created_at": "2021-02-23T22:23:58Z"
    }
  ]
}

Delete sessions

Deletes the selected user's sessions in Fleet. Also deletes the user's API token.

DELETE /api/v1/fleet/users/:id/sessions

Parameters

Name	Type	In	Description
id	integer	path	Required. The ID of the desired user.

Example

DELETE /api/v1/fleet/users/1/sessions

Default response

Status: 200

Invite user

POST /api/v1/fleet/invites

Parameters

Name	Type	In	Description
global_role	string	body	Role the user will be granted. Either a global role is needed, or a fleet role.
email	string	body	Required. The email of the invited user. This email will receive the invitation link.
name	string	body	Required. The name of the invited user.
sso_enabled	boolean	body	Required. Whether or not SSO will be enabled for the invited user.
mfa_enabled	boolean	body	Available in Fleet Premium. Whether or not the invited user must click a magic link emailed to them to log in, after they successfully enter their username and password. Users can have SSO or MFA enabled, but not both.
fleets	array	body	Available in Fleet Premium. A list of the fleets the user is a member of. Each item includes the fleet's ID and the user's role in the specified fleet.

Example

POST /api/v1/fleet/invites

Request body

{
  "email": "john_appleseed@example.com",
  "name": "John",
  "sso_enabled": false,
  "mfa_enabled": false,
  "global_role": null,
  "fleets": [
    {
      "id": 2,
      "role": "observer"
    },
    {
      "id": 3,
      "role": "maintainer"
    }
  ]
}

Default response

Status: 200

{
  "invite": {
    "created_at": "0001-01-01T00:00:00Z",
    "updated_at": "0001-01-01T00:00:00Z",
    "id": 3,
    "invited_by": 1,
    "email": "john_appleseed@example.com",
    "name": "John",
    "sso_enabled": false,
    "mfa_enabled": false,
    "fleets": [
      {
        "id": 10,
        "created_at": "0001-01-01T00:00:00Z",
        "name": "Apples",
        "description": "",
        "agent_options": null,
        "user_count": 0,
        "host_count": 0,
        "role": "observer"
      },
      {
        "id": 14,
        "created_at": "0001-01-01T00:00:00Z",
        "name": "Best of the Best Engineering",
        "description": "",
        "agent_options": null,
        "user_count": 0,
        "host_count": 0,
        "role": "maintainer"
      }
    ]
  }
}

List invites

Returns a list of the active invitations in Fleet.

GET /api/v1/fleet/invites

Parameters

Name	Type	In	Description
order_key	string	query	What to order results by. Can be any column in the invites table.
order_direction	string	query	Requires order_key. The direction of the order given the order key. Options include "asc" and "desc". Default is "asc".
query	string	query	Search query keywords. Searchable fields include name and email.
page	integer	query	Page number of the results to fetch.
per_page	integer	query	Results per page.
after	string	query	The value to get results after. This needs order_key defined, as that's the column that would be used.

Example

GET /api/v1/fleet/invites

Default response

Status: 200

{
  "invites": [
    {
      "created_at": "0001-01-01T00:00:00Z",
      "updated_at": "0001-01-01T00:00:00Z",
      "id": 3,
      "email": "john_appleseed@example.com",
      "name": "John",
      "sso_enabled": false,
      "mfa_enabled": false,
      "global_role": "admin",
      "fleets": []
    },
    {
      "created_at": "0001-01-01T00:00:00Z",
      "updated_at": "0001-01-01T00:00:00Z",
      "id": 4,
      "email": "bob_marks@example.com",
      "name": "Bob",
      "sso_enabled": false,
      "mfa_enabled": false,
      "global_role": "admin",
      "fleets": []
    }
  ]
}

Delete invite

Delete the specified invite from Fleet.

DELETE /api/v1/fleet/invites/:id

Parameters

Name	Type	In	Description
id	integer	path	Required. The user's id.

Example

DELETE /api/v1/fleet/invites/123

Default response

Status: 200

Verify invite

Verify the specified invite.

GET /api/v1/fleet/invites/:token

Parameters

Name	Type	In	Description
token	string	path	Required. The user's invite token.

Example

GET /api/v1/fleet/invites/abcdef012456789

Default response

Status: 200

{
  "invite": {
    "created_at": "2021-01-15T00:58:33Z",
    "updated_at": "2021-01-15T00:58:33Z",
    "id": 4,
    "email": "steve@example.com",
    "name": "Steve",
    "sso_enabled": false,
    "mfa_enabled": false,
    "global_role": "admin",
    "fleets": []
  }
}

Not found

Status: 404

{
  "message": "Resource Not Found",
  "errors": [
    {
      "name": "base",
      "reason": "Invite with token <token> was not found in the datastore"
    }
  ]
}

Update invite

PATCH /api/v1/fleet/invites/:id

Parameters

Name	Type	In	Description
global_role	string	body	Role the user will be granted. Either a global role is needed, or a fleet role.
email	string	body	The email of the invited user. Updates on the email won't resend the invitation.
name	string	body	The name of the invited user.
sso_enabled	boolean	body	Whether or not SSO will be enabled for the invited user.
mfa_enabled	boolean	body	Available in Fleet Premium. Whether or not the invited user must click a magic link emailed to them to log in, after they successfully enter their username and password. Users can have SSO or MFA enabled, but not both.
fleets	array	body	Available in Fleet Premium. A list of the fleets the user is a member of. Each item includes the fleet's ID and the user's role in the specified fleet.

Example

PATCH /api/v1/fleet/invites/123

Request body

{
  "email": "john_appleseed@example.com",
  "name": "John",
  "sso_enabled": false,
  "mfa_enabled": false,
  "global_role": null,
  "fleets": [
    {
      "id": 2,
      "role": "observer"
    },
    {
      "id": 3,
      "role": "maintainer"
    }
  ]
}

Default response

Status: 200

{
  "invite": {
    "created_at": "0001-01-01T00:00:00Z",
    "updated_at": "0001-01-01T00:00:00Z",
    "id": 3,
    "invited_by": 1,
    "email": "john_appleseed@example.com",
    "name": "John",
    "sso_enabled": false,
    "mfa_enabled": false,
    "fleets": [
      {
        "id": 10,
        "created_at": "0001-01-01T00:00:00Z",
        "name": "Apples",
        "description": "",
        "agent_options": null,
        "user_count": 0,
        "host_count": 0,
        "role": "observer"
      },
      {
        "id": 14,
        "created_at": "0001-01-01T00:00:00Z",
        "name": "Best of the Best Engineering",
        "description": "",
        "agent_options": null,
        "user_count": 0,
        "host_count": 0,
        "role": "maintainer"
      }
    ]
  }
}

Debug

• Get errors
• Get database information
• Get profiling information

The Fleet server exposes a handful of API endpoints to retrieve debug information about the server itself in order to help troubleshooting. All the following endpoints require prior authentication meaning you must first log in successfully before calling any of the endpoints documented below.

Get errors

Returns a set of all the errors that happened in the server during the interval of time defined by the logging_error_retention_period configuration.

The server only stores and returns a single instance of each error.

GET /debug/errors

Parameters

Name	Type	In	Description
flush	boolean	query	Whether or not clear the errors from Redis after reading them. Default is false

Example

GET /debug/errors?flush=true

Default response

Status: 200

[
  {
    "count": "3",
    "chain": [
      {
        "message": "Authorization header required"
      },
      {
        "message": "missing FleetError in chain",
        "data": {
          "timestamp": "2022-06-03T14:16:01-03:00"
        },
        "stack": [
          "github.com/fleetdm/fleet/v4/server/contexts/ctxerr.Handle (ctxerr.go:262)",
          "github.com/fleetdm/fleet/v4/server/service.encodeError (transport_error.go:80)",
          "github.com/go-kit/kit/transport/http.Server.ServeHTTP (server.go:124)"
        ]
      }
    ]
  }
]

Get database information

Returns information about the current state of the database; valid keys are:

• locks: returns transaction locking information.
• innodb-status: returns InnoDB status information.
• process-list: returns running processes (queries, etc).

GET /debug/db/:key

Parameters

None.

Get profiling information

Returns runtime profiling data of the server in the format expected by go tools pprof. The responses are equivalent to those returned by the Go http/pprof package.

Valid keys are: cmdline, profile, symbol and trace.

GET /debug/pprof/:key

Parameters

None.

Custom variables

• List custom variables
• Create custom variable
• Delete custom variable

List custom variables

Lists all custom variables that can be used in scripts and profiles prefixed with $FLEET_SECRET_.

GET /api/v1/fleet/custom_variables

Parameters

Name	Type	In	Description
page	integer	query	Page number of the results to fetch.
per_page	integer	query	Results per page.
order_key	string	query	What to order results by. Allowed fields are name, id, and updated_at.
order_direction	string	query	Requires order_key. The direction of the order given the order key. Options include "asc" and "desc". Default is "asc".
after	string	query	The value to get results after. This needs order_key defined, as that's the column that would be used.

Example

GET /api/v1/fleet/custom_variables

Default response

Status: 200

{
  "custom_variables": [
    {
      "id": 123,
      "name": "SOME_API_TOKEN"
    }
  ],
  "meta": {
    "has_next_results": false,
    "has_previous_results": false,
  },
  "count": 1
}

Create custom variable

Creates a custom variable that can be used in scripts and profiles prefixed with $FLEET_SECRET_.

POST /api/v1/fleet/custom_variables

Parameters

Name	Type	In	Description
name	string	body	Required. The desired variable name, without the FLEET_SECRET_ prefix.
value	string	body	Required. The value for the custom variable.

Example

POST /api/v1/fleet/custom_variables

Request body

{
  "name": "SOME_API_TOKEN",
  "value": "971ef02b93c74ca9b22b694a9251f1d6"
}

Default response

Status: 200

{
  "id": 123,
  "name": "SOME_API_TOKEN"
}

Delete custom variable

Removes a custom variable from Fleet.

DELETE /api/v1/fleet/custom_variables/:id

Example

DELETE /api/v1/fleet/custom_variables/123

Default response

Status: 200

API errors

Fleet returns API errors as a JSON document with the following fields:

• message: This field contains the kind of error (bad request error, authorization error, etc.).
• errors: List of errors with name and reason keys.
• uuid: Unique identifier for the error. This identifier can be matched to Fleet logs which might contain more information about the cause of the error.

Sample of an error when trying to send an empty body on a request that expects a JSON body:

$ curl -k -H "Authorization: Bearer $TOKEN" -H 'Content-Type:application/json' "https://localhost:8080/api/v1/fleet/sso" -d ''

Response:

{
  "message": "Bad request",
  "errors": [
    {
      "name": "base",
      "reason": "Expected JSON Body"
    }
  ],
  "uuid": "c0532a64-bec2-4cf9-aa37-96fe47ead814"
}

---