From d1c9452f23d0b6aec7fd215840547a5e50d1d77c Mon Sep 17 00:00:00 2001 From: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> Date: Thu, 26 Mar 2026 15:57:04 -0400 Subject: [PATCH 01/11] Vulnerability coverage Currently, Fleet doesn't support CVEs for Debian or Fedora packages. OS (kernel CVEs) are supported --- articles/vulnerability-processing.md | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/articles/vulnerability-processing.md b/articles/vulnerability-processing.md index 8cd926bfa08..a96bcc1cc2c 100644 --- a/articles/vulnerability-processing.md +++ b/articles/vulnerability-processing.md @@ -16,14 +16,12 @@ Fleet detects vulnerabilities for these software types: | Type | macOS | Windows | Linux | | ------------------- | ------------------------------------------ | ------------------------------------------------ |-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Apps | ✅ | ✅ | ✅

For Ubuntu, Debian, RHEL (including CentOS): packages defined in the [OVAL definitions](https://github.com/fleetdm/nvd/blob/master/oval_sources.json), except for vulnerabilities involving configuration files.

For Fedora, packages defined in RHEL OVAL definitions [mapped by version](https://github.com/fleetdm/fleet/blob/main/server/vulnerabilities/oval/parsed/utils.go).

For Amazon Linux, packages maintained by Amazon by checking [ALAS advisories](https://alas.aws.amazon.com/).

| -| Operating system (OS) | ✅ | ✅ | ✅

Linux OS vulnerabilites are the kernel vulnerabilities. Currently, Ubuntu, Debian, and Amazon Linux are supported. CentOS and Fedora [coming soon](https://github.com/fleetdm/fleet/issues/31495).

| +| Apps | ✅ | ✅ | ✅

For Ubuntu, Debian, RHEL, and CentOS: packages defined in the [OVAL definitions](https://github.com/fleetdm/nvd/blob/master/oval_sources.json), except for vulnerabilities involving configuration files. For Amazon Linux, packages maintained by Amazon by checking [ALAS advisories](https://alas.aws.amazon.com/).

| +| Operating system (OS) | ✅ | ✅ | ✅

Linux OS vulnerabilites are the kernel vulnerabilities. Currently, Ubuntu, Debian, CentOS, Fedora, and Amazon Linux are supported.

| | Browser plugins | Chrome extensions, Firefox extensions | Chrome extensions, Firefox extensions | ❌ | -| Packages | Python, Homebrew, npm | Python, Atom, Chocolatey, npm |

For Ubuntu, Debian, RHEL (including CentOS): packages defined in the [OVAL definitions](https://github.com/fleetdm/nvd/blob/master/oval_sources.json), except for vulnerabilities involving configuration files.

For Fedora, packages defined in RHEL OVAL definitions [mapped by version](https://github.com/fleetdm/fleet/blob/main/server/vulnerabilities/oval/parsed/utils.go).

For Amazon Linux, packages maintained by Amazon by checking [ALAS advisories](https://alas.aws.amazon.com/).

| +| Packages | Python, Homebrew, npm | Python, Atom, Chocolatey, npm |

For Ubuntu, RHEL, and CentOS: packages defined in the [OVAL definitions](https://github.com/fleetdm/nvd/blob/master/oval_sources.json), except for vulnerabilities involving configuration files.

For Amazon Linux, packages maintained by Amazon by checking [ALAS advisories](https://alas.aws.amazon.com/).

| | IDE extensions | VS Code, [VS Code forks](https://fleetdm.com/tables/vscode_extensions) (i.e. Cursor), and [JetBrains IDEs](https://fleetdm.com/tables/jetbrains_plugins) (i.e. IntelliJ IDEA) | VS Code, [VS Code forks](https://fleetdm.com/tables/vscode_extensions) (i.e. Cursor), and [JetBrains IDEs](https://fleetdm.com/tables/jetbrains_plugins) (i.e. IntelliJ IDEA) | VS Code, [VS Code forks](https://fleetdm.com/tables/vscode_extensions) (i.e. Cursor), and [JetBrains IDEs](https://fleetdm.com/tables/jetbrains_plugins) (i.e. IntelliJ IDEA) | -Linux OS vulnerabilities are kernel vulnerabilities. Currently, Ubuntu, Debian, and Amazon Linux are supported. CentOS and Fedora [coming soon](https://github.com/fleetdm/fleet/issues/33990). - Linux kernel vulnerabilities with known variants (ie. `-generic` or `kernel`) are detected using OVAL. Custom kernels (unknown variants) are detected using NVD. Currently, only software names with all ASCII characters are supported. Vulnerabilities won't be detected for software with names featuring non-ASCII characters, such as Cyrillic, or software that has been renamed from its default name (e.g. "Chrome 2" instead of "Google Chrome"). For some software, Fleet uses [custom rules](https://github.com/fleetdm/fleet/blob/main/server/vulnerabilities/nvd/cpe_translations.json) to mitigate these issues on an app-by-app basis. From 26ddb8b9a1198e618fee75ac4f13942e2ee5bc65 Mon Sep 17 00:00:00 2001 From: Noah Talerman Date: Fri, 27 Mar 2026 09:45:49 -0400 Subject: [PATCH 02/11] Add change --- articles/vulnerability-processing.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/articles/vulnerability-processing.md b/articles/vulnerability-processing.md index a96bcc1cc2c..ca2394a6c19 100644 --- a/articles/vulnerability-processing.md +++ b/articles/vulnerability-processing.md 
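Review bot: The Linux column now disagrees between rows: the added Apps cell still lists "Ubuntu, Debian, RHEL, and CentOS" as OVAL-covered, while the added Packages cell drops Debian ("For Ubuntu, RHEL, and CentOS"), which is what the commit message says is intended ("Fleet doesn't support CVEs for Debian or Fedora packages"). Since Linux apps are packages, both cells should describe the same coverage, or the Apps cell should simply defer to the Packages row. Two smaller things in the added lines: "vulnerabilites" in the Operating system cell is misspelled, and the Packages cell has no ✅ marker in the Linux column even though the text under it describes supported sources, so a reader skimming the table will read Linux packages as unsupported.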
@@ -16,10 +16,10 @@ Fleet detects vulnerabilities for these software types: | Type | macOS | Windows | Linux | | ------------------- | ------------------------------------------ | ------------------------------------------------ |-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Apps | ✅ | ✅ | ✅

For Ubuntu, Debian, RHEL, and CentOS: packages defined in the [OVAL definitions](https://github.com/fleetdm/nvd/blob/master/oval_sources.json), except for vulnerabilities involving configuration files. For Amazon Linux, packages maintained by Amazon by checking [ALAS advisories](https://alas.aws.amazon.com/).

| +| Apps | ✅ | ✅ | On Linux, apps are installed as packages (there is no separate app format like `.app` on macOS). See the Packages row for coverage details. | | Operating system (OS) | ✅ | ✅ | ✅

Linux OS vulnerabilites are the kernel vulnerabilities. Currently, Ubuntu, Debian, CentOS, Fedora, and Amazon Linux are supported.

| | Browser plugins | Chrome extensions, Firefox extensions | Chrome extensions, Firefox extensions | ❌ | -| Packages | Python, Homebrew, npm | Python, Atom, Chocolatey, npm |

For Ubuntu, RHEL, and CentOS: packages defined in the [OVAL definitions](https://github.com/fleetdm/nvd/blob/master/oval_sources.json), except for vulnerabilities involving configuration files.

For Amazon Linux, packages maintained by Amazon by checking [ALAS advisories](https://alas.aws.amazon.com/).

| +| Packages | Python, Homebrew, npm | Python, Atom, Chocolatey, npm | ✅

For Ubuntu, Debian, RHEL, and CentOS: packages defined in the [OVAL definitions](https://github.com/fleetdm/nvd/blob/master/oval_sources.json), except for vulnerabilities involving configuration files. For Amazon Linux, packages maintained by Amazon by checking [ALAS advisories](https://alas.aws.amazon.com/).

| | IDE extensions | VS Code, [VS Code forks](https://fleetdm.com/tables/vscode_extensions) (i.e. Cursor), and [JetBrains IDEs](https://fleetdm.com/tables/jetbrains_plugins) (i.e. IntelliJ IDEA) | VS Code, [VS Code forks](https://fleetdm.com/tables/vscode_extensions) (i.e. Cursor), and [JetBrains IDEs](https://fleetdm.com/tables/jetbrains_plugins) (i.e. IntelliJ IDEA) | VS Code, [VS Code forks](https://fleetdm.com/tables/vscode_extensions) (i.e. Cursor), and [JetBrains IDEs](https://fleetdm.com/tables/jetbrains_plugins) (i.e. IntelliJ IDEA) | Linux kernel vulnerabilities with known variants (ie. `-generic` or `kernel`) are detected using OVAL. Custom kernels (unknown variants) are detected using NVD. From 0e9b206f71afb3ab69d0976653c3b98ffdcc67d5 Mon Sep 17 00:00:00 2001 From: Noah Talerman Date: Fri, 27 Mar 2026 09:48:52 -0400 Subject: [PATCH 03/11] Add note about Fedora --- articles/vulnerability-processing.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/articles/vulnerability-processing.md b/articles/vulnerability-processing.md index ca2394a6c19..803ab0fe9f4 100644 --- a/articles/vulnerability-processing.md +++ b/articles/vulnerability-processing.md @@ -19,7 +19,7 @@ Fleet detects vulnerabilities for these software types: | Apps | ✅ | ✅ | On Linux, apps are installed as packages (there is no separate app format like `.app` on macOS). See the Packages row for coverage details. | | Operating system (OS) | ✅ | ✅ | ✅

Linux OS vulnerabilites are the kernel vulnerabilities. Currently, Ubuntu, Debian, CentOS, Fedora, and Amazon Linux are supported.

| | Browser plugins | Chrome extensions, Firefox extensions | Chrome extensions, Firefox extensions | ❌ | -| Packages | Python, Homebrew, npm | Python, Atom, Chocolatey, npm | ✅

For Ubuntu, Debian, RHEL, and CentOS: packages defined in the [OVAL definitions](https://github.com/fleetdm/nvd/blob/master/oval_sources.json), except for vulnerabilities involving configuration files. For Amazon Linux, packages maintained by Amazon by checking [ALAS advisories](https://alas.aws.amazon.com/).

| +| Packages | Python, Homebrew, npm | Python, Atom, Chocolatey, npm | ✅

For Ubuntu, RHEL, and CentOS: packages defined in the [OVAL definitions](https://github.com/fleetdm/nvd/blob/master/oval_sources.json), except for vulnerabilities involving configuration files

For Fedora (up to Fedora 40, released June 2024), packages defined in RHEL OVAL definitions [mapped by version](https://github.com/fleetdm/fleet/blob/main/server/vulnerabilities/oval/parsed/utils.go).

For Amazon Linux, packages maintained by Amazon by checking [ALAS advisories](https://alas.aws.amazon.com/).

| | IDE extensions | VS Code, [VS Code forks](https://fleetdm.com/tables/vscode_extensions) (i.e. Cursor), and [JetBrains IDEs](https://fleetdm.com/tables/jetbrains_plugins) (i.e. IntelliJ IDEA) | VS Code, [VS Code forks](https://fleetdm.com/tables/vscode_extensions) (i.e. Cursor), and [JetBrains IDEs](https://fleetdm.com/tables/jetbrains_plugins) (i.e. IntelliJ IDEA) | VS Code, [VS Code forks](https://fleetdm.com/tables/vscode_extensions) (i.e. Cursor), and [JetBrains IDEs](https://fleetdm.com/tables/jetbrains_plugins) (i.e. IntelliJ IDEA) | Linux kernel vulnerabilities with known variants (ie. `-generic` or `kernel`) are detected using OVAL. Custom kernels (unknown variants) are detected using NVD. From 4d99c879096389b537dd2215947fe3b7531bac09 Mon Sep 17 00:00:00 2001 From: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> Date: Mon, 29 Jun 2026 10:04:20 -0400 Subject: [PATCH 04/11] Foreign vitals mapping: Update SCIM integration instructions Best practice is to create an API-only user w/ the admin role and access only to necessary SCIM API endpoints - These doc updates require [this bug](https://github.com/fleetdm/fleet/issues/48062) to be fixed because the `/scim/*` API endpoints aren't exposed as API endpoints one can pick when creating an API only user - Separate PR to add them to the API docs: TODO --- articles/foreign-vitals-map-idp-users-to-hosts.md | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/articles/foreign-vitals-map-idp-users-to-hosts.md b/articles/foreign-vitals-map-idp-users-to-hosts.md index f781d1d8f38..60141addeae 100644 --- a/articles/foreign-vitals-map-idp-users-to-hosts.md +++ b/articles/foreign-vitals-map-idp-users-to-hosts.md 
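Review bot: The Packages cell in the second commit's hunk re-adds Debian ("For Ubuntu, Debian, RHEL, and CentOS") that the first commit removed, contradicting that commit's message that Debian package CVEs are not supported, and the next commit removes it again; squash this intermediate state so the history does not show Debian flipping back and forth. The Apps cell change itself is an improvement: replacing a ✅ plus a duplicated paragraph with "See the Packages row for coverage details" leaves one source of truth for Linux coverage. The misspelling "vulnerabilites" in the Operating system context line is still present.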
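Review bot: The added Ubuntu/RHEL/CentOS sentence in the Packages cell is missing its final period ("except for vulnerabilities involving configuration files" runs straight into the Fedora paragraph). The Fedora sentence limits coverage to "up to Fedora 40, released June 2024" but does not say what happens on later releases; because the Operating system row above lists Fedora without qualification, readers will assume packages on newer Fedora are scanned too. State explicitly whether packages on Fedora 41 and later are not covered, since an admin who reads an empty vulnerability list as "no vulnerabilities" when it really means "not scanned" is the worse failure mode.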
@@ -41,14 +41,15 @@ To map users from Okta to hosts in Fleet, we'll do the following steps: 3. For the **Unique identifier field for users**, enter `userName`. 4. For the **Supported provisioning actions**, select **Push New Users**, **Push Profile Updates**, and **Push Groups**. 5. For the **Authentication Mode**, select **HTTP Header**. -6. [Create a Fleet API-only user](https://fleetdm.com/guides/fleetctl#create-api-only-user) with maintainer permissions and copy API token for that user. Paste your API token in Okta's **Authorization** field. +6. [Create a Fleet API-only user](https://fleetdm.com/guides/fleetctl#create-api-only-user) with admin permissions and access to all `/scim/*` API endpoints. +7. Copy the API token for that user and paste it in Okta's **Authorization** field. -7. Select the **Test Connector Configuration** button. You should see a success message pop up in Okta. You can close this message. -8. In Fleet, head to **Settings > Integrations > Identity provider (IdP)** and verify that Fleet successfully received the request from Okta. -9. Back in Okta, select **Save**. -10. Under the **Provisioning** tab, select **To App** and then select **Edit** in the **Provisioning to App** section. Enable **Create Users**, **Update User Attributes**, **Deactivate Users**, and then select **Save**. -11. On the same page, make sure that `givenName` and `familyName` attributes have Okta values assigned to them. Currently, Fleet requires the `userName`, `givenName`, and `familyName` SCIM attributes. Fleet also supports the `department` attribute, but does not require it. Remove the mapping for the rest of the attributes. +9. Select the **Test Connector Configuration** button. You should see a success message pop up in Okta. You can close this message. +10. In Fleet, head to **Settings > Integrations > Identity provider (IdP)** and verify that Fleet successfully received the request from Okta. +11. Back in Okta, select **Save**. +12. 
Under the **Provisioning** tab, select **To App** and then select **Edit** in the **Provisioning to App** section. Enable **Create Users**, **Update User Attributes**, **Deactivate Users**, and then select **Save**. +13. On the same page, make sure that `givenName` and `familyName` attributes have Okta values assigned to them. Currently, Fleet requires the `userName`, `givenName`, and `familyName` SCIM attributes. Fleet also supports the `department` attribute, but does not require it. Remove the mapping for the rest of the attributes. ![Okta SCIM attributes mapping](../website/assets/images/articles/okta-scim-attributes-mapping-402x181@2x.png) > If you use attributes other than the supported attributes above, the payload will be rejected by Fleet. From 16e7b0b725d24135c8544dd86053ea7cb6ccbc58 Mon Sep 17 00:00:00 2001 From: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> Date: Mon, 29 Jun 2026 10:10:41 -0400 Subject: [PATCH 05/11] Update role-based-access.md --- articles/role-based-access.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/articles/role-based-access.md b/articles/role-based-access.md index 9a82dea0037..dd8c259b72c 100644 --- a/articles/role-based-access.md +++ b/articles/role-based-access.md @@ -79,7 +79,7 @@ GitOps is an API-only and write-only role that can be used on CI/CD pipelines. | Edit any fleet's policy automations: other workflows (tickets and webhooks)\* | | | | | ✅ | ✅ | | Edit "Unassigned" policy automations | | | | | ✅ | ✅ | | View users\** | ✅ | ✅ | ✅ | ✅ | ✅ | | -| Create, edit, view, and delete users | | | | | ✅ | | +| Create, edit, view, and delete users\*** | | | | | ✅ | | | Add and remove a fleet's users\* | | | | | ✅ | ✅ | | Create, edit, and delete fleets\* | | | | | ✅ | ✅ | | Create, edit, and delete [enroll secrets](https://fleetdm.com/docs/deploying/faq#when-do-i-need-to-deploy-a-new-enroll-secret-to-my-hosts) | | | | ✅ | ✅ | ✅ | 
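Review bot: The renumbered steps skip 8: the list goes 6, 7, 9, 10, 11, 12, 13, so either a step was lost in the rewrite or the numbers from 9 onward need to shift down by one. On step 6, moving from maintainer to "admin permissions and access to all `/scim/*` API endpoints" is the right least-privilege shape (a token that can only reach the SCIM routes limits what a secret leaked from the Okta side can do), but the commit message says the `/scim/*` endpoints are not yet selectable when creating an API-only user (issue 48062), so this should not merge until that fix lands or the guide will describe a UI option that does not exist. The "Separate PR to add them to the API docs: TODO" line in the commit message should also be resolved before merge.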
@@ -129,6 +129,8 @@ GitOps is an API-only and write-only role that can be used on CI/CD pipelines. \** Applies only to [Fleet REST API](https://fleetdm.com/docs/using-fleet/rest-api) +\*** Currently, maintainers can delete users via the `DELETE,PATCH,PUT /scim/Users/:id` endpoints. In Fleet 5, this will be restricted to admins only. + ## Fleet-level user permissions `Applies only to Fleet Premium` From 49ec908d1460b9d26bb6b9d029c90f4cb182cba9 Mon Sep 17 00:00:00 2001 From: Noah Talerman Date: Mon, 29 Jun 2026 10:49:18 -0400 Subject: [PATCH 06/11] Add docs --- docs/REST API/rest-api.md | 821 +++++++++++++++++++++++++++++++++++++- 1 file changed, 807 insertions(+), 14 deletions(-) diff --git a/docs/REST API/rest-api.md b/docs/REST API/rest-api.md index f411e63a152..db9f7d17aba 100644 --- a/docs/REST API/rest-api.md +++ b/docs/REST API/rest-api.md @@ -10,6 +10,7 @@ - [Setup Experience](#setup-experience) - [Commands](#commands) - [Integrations](#integrations-1) +- [SCIM](#scim) - [Policies](#policies) - [Reports](#reports) - [Schedule (deprecated)](#schedule) @@ -8090,7 +8091,6 @@ This endpoint returns the list of custom MDM commands that have been executed. - [Get Apple Push Notification service (APNs)](#get-apple-push-notification-service-apns) - [List Apple Business (AB) tokens](#list-apple-business-ab-tokens) - [List Volume Purchasing Program (VPP) tokens](#list-volume-purchasing-program-vpp-tokens) -- [Get identity provider (IdP) details](#get-identity-provider-idp-details) - [Get Android Enterprise](#get-android-enterprise) ### Get Apple Push Notification service (APNs) 
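Review bot: The new footnote says maintainers can currently delete users through the SCIM endpoints, but the row it annotates ("Create, edit, view, and delete users") still shows ✅ only in the admin column, so the table and the footnote contradict each other; either mark the maintainer column for delete with the caveat, or word the footnote as an explicit known exception. Also, `PATCH` and `PUT /scim/Users/:id` do not delete a user; per the SCIM docs added later in this series they update or replace one (for example setting `active` to `false`), so listing them under "delete" overstates the point, and the path should use the `{id}` style that rest-api.md uses rather than `:id`. Since this footnote is the only place a reader learns that a maintainer-scoped API token can deprovision accounts, keep it prominent until the Fleet 5 restriction ships.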
@@ -8251,22 +8251,205 @@ None. ] ``` -### Get identity provider (IdP) details +### Get Android Enterprise -Get details about the most recent SCIM (System for Cross-domain Identity Management) request from your identity provider (IdP). +Get info about Android Enterprise that's connected to Fleet. -`GET /api/v1/fleet/scim/details` +`GET /api/v1/fleet/android_enterprise` #### Parameters None. +#### Example + +`GET /api/v1/fleet/android_enterprise` + + +##### Default response + +`Status: 200` + +```json +{ + "android_enterprise_id": "LC0445szuv" +} +``` + +--- + +## SCIM + +- [List users](#list-scim-users) +- [Create user](#create-scim-user) +- [Get user](#get-scim-user) +- [Replace user](#replace-scim-user) +- [Update user](#update-scim-user) +- [Delete user](#delete-scim-user) +- [List groups](#list-scim-groups) +- [Create group](#create-scim-group) +- [Get group](#get-scim-group) +- [Replace group](#replace-scim-group) +- [Update group](#update-scim-group) +- [Delete group](#delete-scim-group) +- [Get schemas](#get-scim-schemas) +- [Get service provider config](#get-scim-service-provider-config) +- [Get resource types](#get-scim-resource-types) +- [Get identity provider (IdP) details](#get-identity-provider-idp-details) + +Fleet's SCIM ([System for Cross-domain Identity Management](https://datatracker.ietf.org/doc/html/rfc7644)) API endpoints are used to [map end user's identity providers (IdPs) details](https://fleetdm.com/guides/foreign-vitals-map-idp-users-to-hosts) to their hosts and automatically delete a user's Fleet account when the user is deleted or deactivated in the IdP. + +SCIM resource type names (e.g. `Users`, `Groups`, `Schemas`) are defined by the [SCIM spec](https://datatracker.ietf.org/doc/html/rfc7644#section-2) and must be capitalized exactly as shown to work with identity providers. This is why they differ from Fleet's usual lowercase API naming convention. 
+ +### List SCIM users + +_Available in Fleet Premium_ + +`GET /api/v1/fleet/scim/Users` + +#### Parameters + +| Name | Type | In | Description | +| ---------- | ------- | ----- | ------------------------------------------------------------------------------------------------------ | +| startIndex | integer | query | 1-based index of the first result to return. Defaults to 1. | +| count | integer | query | Number of results per page. Maximum 100. Defaults to 100. | +| filter | string | query | SCIM filter expression. Only `userName eq ""` and `emails[type eq ""].value eq ""` are supported. | #### Example -`GET /api/v1/fleet/scim/details` +`GET /api/v1/fleet/scim/Users` + +##### Default response + +`Status: 200` + +```json +{ + "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"], + "totalResults": 1, + "startIndex": 1, + "itemsPerPage": 100, + "Resources": [ + { + "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"], + "id": "1", + "externalId": "ext-123", + "userName": "user@example.com", + "name": { + "givenName": "Jane", + "familyName": "Doe" + }, + "emails": [ + { + "value": "user@example.com", + "type": "work", + "primary": true + } + ], + "active": true, + "groups": [], + "meta": { + "resourceType": "User" + } + } + ] +} +``` + +--- + +### Create SCIM user +_Available in Fleet Premium_ + +`POST /api/v1/fleet/scim/Users` + +#### Parameters + +| Name | Type | In | Description | +| -------------------- | ------- | ---- | ------------------------------------------------------------------------------------------------- | +| schemas | array | body | **Required**. Must include `"urn:ietf:params:scim:schemas:core:2.0:User"`. | +| userName | string | body | **Required**. Unique username (typically an email address). | +| name.givenName | string | body | **Required**. User's first name. | +| name.familyName | string | body | **Required**. User's last name. | +| externalId | string | body | Optional. External identifier from the IdP. 
| +| emails | array | body | Optional. List of email objects with `value`, `type`, and `primary` fields. | +| active | boolean | body | Optional. Whether the user account is active. | +| urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.department | string | body | Optional. User's department. | + +#### Example + +`POST /api/v1/fleet/scim/Users` + +##### Request body + +```json +{ + "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"], + "userName": "user@example.com", + "externalId": "ext-123", + "name": { + "givenName": "Jane", + "familyName": "Doe" + }, + "emails": [ + { + "value": "user@example.com", + "type": "work", + "primary": true + } + ], + "active": true +} +``` + +##### Default response + +`Status: 201` + +```json +{ + "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"], + "id": "1", + "externalId": "ext-123", + "userName": "user@example.com", + "name": { + "givenName": "Jane", + "familyName": "Doe" + }, + "emails": [ + { + "value": "user@example.com", + "type": "work", + "primary": true + } + ], + "active": true, + "groups": [], + "meta": { + "resourceType": "User" + } +} +``` + +--- + +### Get SCIM user + +_Available in Fleet Premium_ + +`GET /api/v1/fleet/scim/Users/{id}` + +#### Parameters + +| Name | Type | In | Description | +| ---- | ------ | ---- | ---------------------------- | +| id | string | path | **Required**. The user's ID. | + +#### Example + +`GET /api/v1/fleet/scim/Users/1` ##### Default response 
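Review bot: This hunk removes the `### Get identity provider (IdP) details` section and its `GET /api/v1/fleet/scim/details` example while the new SCIM index still links to `#get-identity-provider-idp-details`; confirm the section is re-added under the SCIM heading further down, otherwise the anchor dangles. In the List SCIM users parameter table the filter examples read `userName eq ""` and `emails[type eq ""].value eq ""`, with empty strings where value placeholders belong; write them as `userName eq "<value>"` or similar so readers do not conclude only empty matches are supported. Minor: the `### Create SCIM user` heading has no blank line before `_Available in Fleet Premium_`, unlike every other section, and "map end user's identity providers (IdPs) details" should read "map end users' identity provider (IdP) details". None of the SCIM endpoint sections states which role the bearer token needs; since the guide in this series requires an admin API-only user scoped to `/scim/*`, saying so once under the SCIM heading would save readers a trip to role-based-access.md.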
@@ -8274,22 +8457,493 @@ None. ```json { - "last_request": { - "requested_at": "2025-03-11T02:02:17Z", - "status": "success", - "details": "", + "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"], + "id": "1", + "externalId": "ext-123", + "userName": "user@example.com", + "name": { + "givenName": "Jane", + "familyName": "Doe" + }, + "emails": [ + { + "value": "user@example.com", + "type": "work", + "primary": true + } + ], + "active": true, + "groups": [ + { + "value": "group-1", + "$ref": "Groups/group-1", + "display": "Engineering" + } + ], + "meta": { + "resourceType": "User" } } ``` +--- +### Replace SCIM user -### Get Android Enterprise +_Available in Fleet Premium_ -Get info about Android Enterprise that's connected to Fleet. +Replaces all attributes of an existing user. Any attributes not included in the request body are cleared. -`GET /api/v1/fleet/android_enterprise` +`PUT /api/v1/fleet/scim/Users/{id}` + +#### Parameters +| Name | Type | In | Description | +| --------------- | ------- | ---- | -------------------------------------------------------------------------------- | +| id | string | path | **Required**. The user's ID. | +| schemas | array | body | **Required**. Must include `"urn:ietf:params:scim:schemas:core:2.0:User"`. | +| userName | string | body | **Required**. Unique username. | +| name.givenName | string | body | **Required**. User's first name. | +| name.familyName | string | body | **Required**. User's last name. | +| externalId | string | body | Optional. External identifier from the IdP. | +| emails | array | body | Optional. List of email objects with `value`, `type`, and `primary` fields. | +| active | boolean | body | Optional. Whether the user account is active. | +| urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.department | string | body | Optional. User's department. 
| + +#### Example + +`PUT /api/v1/fleet/scim/Users/1` + +##### Request body + +```json +{ + "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"], + "userName": "user@example.com", + "name": { + "givenName": "Jane", + "familyName": "Smith" + }, + "active": true +} +``` + +##### Default response + +`Status: 200` + +```json +{ + "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"], + "id": "1", + "userName": "user@example.com", + "name": { + "givenName": "Jane", + "familyName": "Smith" + }, + "active": true, + "groups": [], + "meta": { + "resourceType": "User" + } +} +``` + +--- + +### Update SCIM user + +_Available in Fleet Premium_ + +Partially updates a user using SCIM patch operations. Supports `add`, `replace`, and `remove` operations on `userName`, `externalId`, `active`, `name.givenName`, `name.familyName`, `emails`, and `urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department`. + +`PATCH /api/v1/fleet/scim/Users/{id}` + +#### Parameters + +| Name | Type | In | Description | +| ---------- | ------ | ---- | ---------------------------------------------------------------------- | +| id | string | path | **Required**. The user's ID. | +| schemas | array | body | **Required**. Must include `"urn:ietf:params:scim:api:messages:2.0:PatchOp"`. | +| Operations | array | body | **Required**. List of patch operations. Each has `op`, optional `path`, and `value`. 
| + +#### Example + +`PATCH /api/v1/fleet/scim/Users/1` + +##### Request body + +```json +{ + "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"], + "Operations": [ + { + "op": "replace", + "path": "active", + "value": false + } + ] +} +``` + +##### Default response + +`Status: 200` + +```json +{ + "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"], + "id": "1", + "userName": "user@example.com", + "name": { + "givenName": "Jane", + "familyName": "Doe" + }, + "active": false, + "groups": [], + "meta": { + "resourceType": "User" + } +} +``` + +--- + +### Delete SCIM user + +_Available in Fleet Premium_ + +`DELETE /api/v1/fleet/scim/Users/{id}` + +#### Parameters + +| Name | Type | In | Description | +| ---- | ------ | ---- | ---------------------------- | +| id | string | path | **Required**. The user's ID. | + +#### Example + +`DELETE /api/v1/fleet/scim/Users/1` + +##### Default response + +`Status: 204` + +No content. + +--- + +### List SCIM groups + +_Available in Fleet Premium_ + +`GET /api/v1/fleet/scim/Groups` + +#### Parameters + +| Name | Type | In | Description | +| ------------------ | ------- | ----- | ---------------------------------------------------------------------------------------- | +| startIndex | integer | query | 1-based index of the first result to return. Defaults to 1. | +| count | integer | query | Number of results per page. Maximum 100. Defaults to 100. | +| filter | string | query | SCIM filter expression. Only `displayName eq ""` is supported. | +| excludedAttributes | string | query | Comma-separated list of attributes to exclude. Use `members` to omit group member lists. 
| + +#### Example + +`GET /api/v1/fleet/scim/Groups` + +##### Default response + +`Status: 200` + +```json +{ + "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"], + "totalResults": 1, + "startIndex": 1, + "itemsPerPage": 100, + "Resources": [ + { + "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"], + "id": "group-1", + "externalId": "ext-group-123", + "displayName": "Engineering", + "members": [ + { + "value": "1", + "type": "User" + } + ], + "meta": { + "resourceType": "Group" + } + } + ] +} +``` + +--- + +### Create SCIM group + +_Available in Fleet Premium_ + +`POST /api/v1/fleet/scim/Groups` + +#### Parameters + +| Name | Type | In | Description | +| ----------- | ------ | ---- | ------------------------------------------------------------------------------------------ | +| schemas | array | body | **Required**. Must include `"urn:ietf:params:scim:schemas:core:2.0:Group"`. | +| displayName | string | body | **Required**. Human-readable group name. Must be unique. | +| externalId | string | body | Optional. External identifier from the IdP. | +| members | array | body | Optional. List of member objects with a `value` field containing a SCIM user ID. 
| + +#### Example + +`POST /api/v1/fleet/scim/Groups` + +##### Request body + +```json +{ + "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"], + "displayName": "Engineering", + "members": [ + { + "value": "1" + } + ] +} +``` + +##### Default response + +`Status: 201` + +```json +{ + "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"], + "id": "group-1", + "displayName": "Engineering", + "members": [ + { + "value": "1", + "type": "User" + } + ], + "meta": { + "resourceType": "Group" + } +} +``` + +--- + +### Get SCIM group + +_Available in Fleet Premium_ + +`GET /api/v1/fleet/scim/Groups/{id}` + +#### Parameters + +| Name | Type | In | Description | +| ------------------ | ------ | ----- | ---------------------------------------------------------------------------------------- | +| id | string | path | **Required**. The group's ID (format: `group-`). | +| excludedAttributes | string | query | Comma-separated list of attributes to exclude. Use `members` to omit the member list. | + +#### Example + +`GET /api/v1/fleet/scim/Groups/group-1` + +##### Default response + +`Status: 200` + +```json +{ + "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"], + "id": "group-1", + "externalId": "ext-group-123", + "displayName": "Engineering", + "members": [ + { + "value": "1", + "type": "User" + } + ], + "meta": { + "resourceType": "Group" + } +} +``` + +--- + +### Replace SCIM group + +_Available in Fleet Premium_ + +Replaces all attributes of an existing group. Any attributes not included in the request body are cleared. + +`PUT /api/v1/fleet/scim/Groups/{id}` + +#### Parameters + +| Name | Type | In | Description | +| ----------- | ------ | ---- | ------------------------------------------------------------------------------------------ | +| id | string | path | **Required**. The group's ID (format: `group-`). | +| schemas | array | body | **Required**. Must include `"urn:ietf:params:scim:schemas:core:2.0:Group"`. 
| +| displayName | string | body | **Required**. Human-readable group name. Must be unique. | +| externalId | string | body | Optional. External identifier from the IdP. | +| members | array | body | Optional. List of member objects with a `value` field containing a SCIM user ID. | + +#### Example + +`PUT /api/v1/fleet/scim/Groups/group-1` + +##### Request body + +```json +{ + "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"], + "displayName": "Engineering", + "members": [ + { + "value": "1" + }, + { + "value": "2" + } + ] +} +``` + +##### Default response + +`Status: 200` + +```json +{ + "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"], + "id": "group-1", + "displayName": "Engineering", + "members": [ + { + "value": "1", + "type": "User" + }, + { + "value": "2", + "type": "User" + } + ], + "meta": { + "resourceType": "Group" + } +} +``` + +--- + +### Update SCIM group + +_Available in Fleet Premium_ + +Partially updates a group using SCIM patch operations. Supports `add`, `replace`, and `remove` operations on `displayName`, `externalId`, and `members`. + +`PATCH /api/v1/fleet/scim/Groups/{id}` + +#### Parameters + +| Name | Type | In | Description | +| ---------- | ------ | ---- | ------------------------------------------------------------------------------------- | +| id | string | path | **Required**. The group's ID (format: `group-`). | +| schemas | array | body | **Required**. Must include `"urn:ietf:params:scim:api:messages:2.0:PatchOp"`. | +| Operations | array | body | **Required**. List of patch operations. Each has `op`, optional `path`, and `value`. 
| + +#### Example + +`PATCH /api/v1/fleet/scim/Groups/group-1` + +##### Request body + +```json +{ + "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"], + "Operations": [ + { + "op": "add", + "path": "members", + "value": [ + { + "value": "3" + } + ] + } + ] +} +``` + +##### Default response + +`Status: 200` + +```json +{ + "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"], + "id": "group-1", + "displayName": "Engineering", + "members": [ + { + "value": "1", + "type": "User" + }, + { + "value": "3", + "type": "User" + } + ], + "meta": { + "resourceType": "Group" + } +} +``` + +--- + +### Delete SCIM group + +_Available in Fleet Premium_ + +`DELETE /api/v1/fleet/scim/Groups/{id}` + +#### Parameters + +| Name | Type | In | Description | +| ---- | ------ | ---- | -------------------------------------------------------- | +| id | string | path | **Required**. The group's ID (format: `group-`). | + +#### Example + +`DELETE /api/v1/fleet/scim/Groups/group-1` + +##### Default response + +`Status: 204` + +No content. + +--- + +### Get SCIM schemas + +_Available in Fleet Premium_ + +Returns the SCIM schemas supported by Fleet: the core User schema and Group schema. + +`GET /api/v1/fleet/scim/Schemas` #### Parameters 
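Review bot: in the four Group parameter tables of this hunk (Get, Replace, Update, Delete), the `id` description reads `(format: `group-`)`, which looks truncated; every example here uses `group-1`, so spell it out as `group-<id>` (for example `group-1`). The Update SCIM group example is also hard to follow in sequence: the preceding Replace example leaves the group with members `1` and `2`, yet the `add` of member `3` returns members `1` and `3`; either include `"value": "2"` in the response or say the example starts from the group as created in the first example.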
@@ -8297,8 +8951,50 @@ None. #### Example -`GET /api/v1/fleet/android_enterprise` +`GET /api/v1/fleet/scim/Schemas` + +##### Default response +`Status: 200` + +```json +{ + "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"], + "totalResults": 2, + "Resources": [ + { + "id": "urn:ietf:params:scim:schemas:core:2.0:User", + "name": "User", + "description": "SCIM User", + "attributes": [...] + }, + { + "id": "urn:ietf:params:scim:schemas:core:2.0:Group", + "name": "Group", + "description": "SCIM Group", + "attributes": [...] + } + ] +} +``` + +--- + +### Get SCIM service provider config + +_Available in Fleet Premium_ + +Returns Fleet's SCIM service provider configuration, including supported features. + +`GET /api/v1/fleet/scim/ServiceProviderConfig` + +#### Parameters + +None. + +#### Example + +`GET /api/v1/fleet/scim/ServiceProviderConfig` ##### Default response 
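Review bot: the removed line `-`GET /api/v1/fleet/android_enterprise`` is the example for a different endpoint; this hunk reuses that endpoint's `#### Parameters` / `None.` / `#### Example` context for the new SCIM Schemas section, so unless the Android enterprise endpoint is documented again elsewhere in the file, its example (and, in the next hunk, its response body) is lost. Confirm the Android section is still intact, otherwise insert the SCIM content without deleting those lines. Minor: `"attributes": [...]` in the Schemas response is not valid JSON; say the attribute list is abbreviated or show one real attribute.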
@@ -8306,7 +9002,104 @@ None. ```json { - "android_enterprise_id": "LC0445szuv" + "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"], + "documentationUri": "https://fleetdm.com/docs/get-started/why-fleet", + "patch": { + "supported": true + }, + "filter": { + "supported": true, + "maxResults": 100 + }, + "bulk": { + "supported": false + }, + "changePassword": { + "supported": false + }, + "sort": { + "supported": false + }, + "etag": { + "supported": false + } +} +``` + +--- + +### Get SCIM resource types + +_Available in Fleet Premium_ + +Returns the resource types supported by Fleet's SCIM implementation (`User` and `Group`). + +`GET /api/v1/fleet/scim/ResourceTypes` + +#### Parameters + +None. + +#### Example + +`GET /api/v1/fleet/scim/ResourceTypes` + +##### Default response + +`Status: 200` + +```json +{ + "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"], + "totalResults": 2, + "Resources": [ + { + "id": "User", + "name": "User", + "description": "User Account", + "endpoint": "/Users", + "schema": "urn:ietf:params:scim:schemas:core:2.0:User" + }, + { + "id": "Group", + "name": "Group", + "description": "Group", + "endpoint": "/Groups", + "schema": "urn:ietf:params:scim:schemas:core:2.0:Group" + } + ] +} +``` + +--- + +### Get identity provider (IdP) details + +_Available in Fleet Premium_ + +Get details about the most recent SCIM request from your identity provider (IdP). Useful for diagnosing SCIM integration issues. + +`GET /api/v1/fleet/scim/details` + +#### Parameters + +None. + +#### Example + +`GET /api/v1/fleet/scim/details` + +##### Default response + +`Status: 200` + +```json +{ + "last_request": { + "requested_at": "2025-03-11T02:02:17Z", + "status": "success", + "details": "" + } } ``` From fdd67ea10271db3ed3bd387d6a3391471ab089a0 Mon Sep 17 00:00:00 2001 
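Review bot: the `GET /api/v1/fleet/scim/details` section says the endpoint is for diagnosing SCIM integration issues, but the example only shows `"status": "success"` with an empty `details`; document the other `status` values and what `details` carries on a failed request, since that is the case an operator will actually look at. The removal of `- "android_enterprise_id": "LC0445szuv"` in this hunk has the same problem as the previous hunk: it belongs to the Android enterprise endpoint's response. Also, `documentationUri` in the ServiceProviderConfig points at `https://fleetdm.com/docs/get-started/why-fleet` rather than the SCIM integration guide an IdP administrator would need; consider linking that instead.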
From: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> Date: Thu, 2 Jul 2026 09:33:39 -0400 Subject: [PATCH 07/11] Setup experience software is installed on iOS/iPadOS hosts (any enrollment method) - Enrollment methods: ADE, profile-based manual, Managed Apple Account --- articles/setup-experience.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/articles/setup-experience.md b/articles/setup-experience.md index 79ce28e5440..ada05fec341 100644 --- a/articles/setup-experience.md +++ b/articles/setup-experience.md @@ -175,7 +175,7 @@ To sign the package we need a valid Developer ID Installer certificate: You can install software during first time macOS, iOS, iPadOS, Android, and [Windows and Linux setup](https://fleetdm.com/guides/windows-linux-setup-experience). -Currently, for macOS hosts, software is only installed on hosts that automatically enroll to Fleet via Apple Business (AB). For iOS and iPadOS hosts, software is only installed on hosts that enroll via ABM and hosts that manually enroll via the `/enroll` link (profile-based device enrollment). +Currently, for macOS hosts, software is only installed on hosts that automatically enroll to Fleet via Apple Business (AB). Add setup experience software: From d40988826d09847a82079894a33c5c9553ffef20 Mon Sep 17 00:00:00 2001 From: Noah Talerman Date: Thu, 2 Jul 2026 09:38:45 -0400 Subject: [PATCH 08/11] Add changes --- .../cards/InstallSoftware/InstallSoftware.tsx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/frontend/pages/ManageControlsPage/SetupExperience/cards/InstallSoftware/InstallSoftware.tsx b/frontend/pages/ManageControlsPage/SetupExperience/cards/InstallSoftware/InstallSoftware.tsx index 91042b87f21..c35f9c844ef 100644 --- a/frontend/pages/ManageControlsPage/SetupExperience/cards/InstallSoftware/InstallSoftware.tsx +++ b/frontend/pages/ManageControlsPage/SetupExperience/cards/InstallSoftware/InstallSoftware.tsx 
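Review bot: in the `articles/setup-experience.md` hunk, the retained sentence now covers only macOS and drops the iOS/iPadOS statement entirely, so the article no longer says what the commit message states (software is installed on iOS/iPadOS hosts for every enrollment method: ADE, profile-based manual, Managed Apple Account); add one sentence saying so. The retained line also still reads `Apple Business (AB)` where the removed sentence used `ABM` (Apple Business Manager); fix the term while touching the line.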
@@ -227,9 +227,9 @@ const InstallSoftware = ({ From 23abbd3918a9dcc0114c7259226d86af0ac9a15e Mon Sep 17 00:00:00 2001 From: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> Date: Thu, 2 Jul 2026 09:40:14 -0400 Subject: [PATCH 09/11] Apply suggestion from @noahtalerman --- articles/role-based-access.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/articles/role-based-access.md b/articles/role-based-access.md index dd8c259b72c..ab50e84d7ef 100644 --- a/articles/role-based-access.md +++ b/articles/role-based-access.md @@ -79,7 +79,7 @@ GitOps is an API-only and write-only role that can be used on CI/CD pipelines. | Edit any fleet's policy automations: other workflows (tickets and webhooks)\* | | | | | ✅ | ✅ | | Edit "Unassigned" policy automations | | | | | ✅ | ✅ | | View users\** | ✅ | ✅ | ✅ | ✅ | ✅ | | -| Create, edit, view, and delete users\*** | | | | | ✅ | | +| Create, edit, view, and delete users | | | | | ✅ | | | Add and remove a fleet's users\* | | | | | ✅ | ✅ | | Create, edit, and delete fleets\* | | | | | ✅ | ✅ | | Create, edit, and delete [enroll secrets](https://fleetdm.com/docs/deploying/faq#when-do-i-need-to-deploy-a-new-enroll-secret-to-my-hosts) | | | | ✅ | ✅ | ✅ | From c709d4b46c534491b1be3e239f67d9c4b78a7c8d Mon Sep 17 00:00:00 2001 From: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> Date: Thu, 2 Jul 2026 09:40:27 -0400 Subject: [PATCH 10/11] Apply suggestion from @noahtalerman --- articles/role-based-access.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/articles/role-based-access.md b/articles/role-based-access.md index ab50e84d7ef..9a82dea0037 100644 --- a/articles/role-based-access.md +++ b/articles/role-based-access.md 
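Review bot: in the `articles/role-based-access.md` hunk at line 79, dropping the `\***` marker from "Create, edit, view, and delete users" leaves the `\***` footnote body (removed only in the following commit) dangling at this commit; squash the two commits or reorder them so the marker and its footnote go together. Before removing the caveat, confirm that the SCIM user endpoints it referred to are now restricted to admins; otherwise the admin-only ✅ in this row no longer reflects what a maintainer can do through SCIM.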
@@ -129,8 +129,6 @@ GitOps is an API-only and write-only role that can be used on CI/CD pipelines. \** Applies only to [Fleet REST API](https://fleetdm.com/docs/using-fleet/rest-api) -\*** Currently, maintainers can delete users via the `DELETE,PATCH,PUT /scim/Users/:id` endpoints. In Fleet 5, this will be restricted to admins only. - ## Fleet-level user permissions `Applies only to Fleet Premium` From 3ee42ad6587d6d485d2dec48c958af53406c1cf8 Mon Sep 17 00:00:00 2001 From: Noah Talerman Date: Thu, 2 Jul 2026 12:03:03 -0400 Subject: [PATCH 11/11] Fix js tests --- .../cards/InstallSoftware/InstallSoftware.tests.tsx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/frontend/pages/ManageControlsPage/SetupExperience/cards/InstallSoftware/InstallSoftware.tests.tsx b/frontend/pages/ManageControlsPage/SetupExperience/cards/InstallSoftware/InstallSoftware.tests.tsx index 1fe3728c1e1..a7180312451 100644 --- a/frontend/pages/ManageControlsPage/SetupExperience/cards/InstallSoftware/InstallSoftware.tests.tsx +++ b/frontend/pages/ManageControlsPage/SetupExperience/cards/InstallSoftware/InstallSoftware.tests.tsx @@ -98,7 +98,7 @@ describe("InstallSoftware", () => { expect(screen.getByText(/Turn on Android MDM/)).toBeInTheDocument(); }); expect( - screen.getByText(/Install software on hosts that automatically enroll/) + screen.getByText(/Install software on hosts that enroll to Fleet/) ).toBeVisible(); }); });
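Review bot: the footnote removed in the `articles/role-based-access.md` hunk at line 129 was the only place the article said that maintainers can delete users through `DELETE,PATCH,PUT /scim/Users/:id`; if that behaviour still holds, the permissions table now understates what a maintainer (or a maintainer's API token) can do, which is exactly the kind of gap that undermines least privilege. Either keep a one-line note until the endpoints are restricted to admins, or state in the commit message that the restriction has shipped. Relatedly, the new SCIM Group endpoints documented earlier in this series do not state which role is required to call them; add that to each endpoint.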