{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreidqjgjo7houvogxn6og362rk5lqehdnx3swm7nrngvmlgjnqousd4",
    "uri": "at://did:plc:yaz3p6kpjacwypalo2scppxc/app.bsky.feed.post/3mofnipj6xqi2"
  },
  "coverImage": {
    "$type": "blob",
    "ref": {
      "$link": "bafkreif765xsylglat4gyacocus3mfa6aszjqwqakwsbupq5o7msmgtapu"
    },
    "mimeType": "image/png",
    "size": 119269
  },
  "description": "Fleet is the open source MDM that manages macOS, Windows, Linux, iOS, and Android from one platform — with GitOps workflows, osquery-powered visibility, and no vendor lock-in. Here's what makes it different from Jamf and Intune.",
  "path": "/fleetdm-open-source-mdm-gitops-device-management/",
  "publishedAt": "2026-06-16T11:01:15.000Z",
  "site": "https://devopspack.com",
  "tags": [
    "Get in touch at pipoline.com →"
  ],
  "textContent": "Every organization with more than a handful of laptops eventually needs device management. You need to know what's installed, enforce security policies, push software, patch vulnerabilities, and prove compliance to auditors. The traditional answer is Jamf for Macs or Microsoft Intune for Windows — but if you run a heterogeneous fleet, you end up with two or three tools, three different consoles, and no unified view of what's actually happening across your endpoints.\n\nFleet is the open source MDM that manages all of it from one platform. macOS, Windows, Linux, iOS, Android — one console, one API, one GitOps workflow. It's built on osquery, the open source endpoint agent originally created at Facebook, and it's the first MDM to ship native GitOps support. Configuration lives in YAML in your Git repository, changes go through pull requests, and your device state is auditable the same way your infrastructure is.\n\n## What Fleet is\n\nFleet is an open source device management platform (MDM) for macOS, Windows, Linux, iOS, iPadOS, Android, and ChromeOS. It gives IT and security teams a single system to enroll devices, enforce policies, deploy software, manage patches, run osquery queries, track vulnerabilities, and demonstrate compliance — all from one place.\n\nThe platform is built by Fleet Device Management Inc., a company whose business model is explicitly modeled on GitLab — open core, with a free MIT-licensed tier and paid premium features. The free version under the MIT license includes core MDM, osquery management, and infrastructure-as-code workflows, and can be downloaded without leaving an email address. Fleet Premium at $7/host/month adds team-based access controls, advanced audit logging, SSO, vulnerability management integrations, and professional support.\n\nFleet is used in production at organizations managing tens of thousands of devices, with a few large organizations managing 400,000 or more. 
The GitHub repo has 6,479 stars with active development.\n\n## The license — MIT core, commercial /ee\n\nThe majority of Fleet is released under the MIT license. A separate set of paid features lives in an /ee directory under a commercial license. This is the same open core model used by GitLab, Metabase, and others — the core platform is genuinely open source and free, while enterprise features like SSO, advanced RBAC, and vulnerability management integrations require a paid license.\n\nFor most self-hosted deployments, the MIT core covers everything you need: MDM enrollment, policy enforcement, osquery queries, software deployment, patch management, and GitOps workflows. The /ee features are for larger organizations with compliance teams and enterprise integration requirements.\n\n## Built on osquery\n\nThis is what differentiates Fleet from traditional MDM platforms. osquery is an open source tool originally built at Facebook that exposes your operating system as a relational database — you query device state with SQL. Instead of \"show me devices with FileVault disabled,\" you write:\n\n\n    -- volumes that are not encrypted, with the owning user (joined via the users table)\n    SELECT u.username, d.name AS volume\n    FROM disk_encryption d\n    JOIN users u ON u.uid = d.uid\n    WHERE d.encrypted = 0;\n\nFleet wraps osquery at scale. You can run queries across your entire fleet in real time, schedule queries that run continuously and alert on changes, and build compliance policies from SQL. The result is device visibility that goes far deeper than traditional MDM — you're not limited to the attributes Apple or Microsoft chose to expose through their MDM protocols. If osquery can query it (and it can query almost everything), Fleet can report on it.\n\nBeyond queries, Fleet ships the **fleetd agent** — a lightweight daemon that handles MDM enrollment, runs osquery, manages software installation, and reports telemetry. 
One agent, one configuration, all platforms.\n\n## GitOps-first device management\n\nThis is Fleet's most distinctive capability and the one most relevant to DevOps teams. Fleet is the first cross-platform GitOps-enabled MDM. Your device configuration — MDM profiles, osquery policies, software installers, patch schedules — lives in YAML in a Git repository. Changes go through pull requests. CI/CD applies them. Every change is peer-reviewed, version-controlled, and auditable.\n\nA Fleet GitOps repository looks like this:\n\n\n    # default.yml — applies to all devices\n    controls:\n      macos_settings:\n        custom_settings:\n          - path: ./profiles/filevault.mobileconfig\n          - path: ./profiles/screensaver.mobileconfig\n      windows_settings:\n        custom_settings:\n          - path: ./profiles/bitlocker.xml\n\n    # Query policies\n    policies:\n      - name: \"FileVault enabled\"\n        platform: darwin\n        query: SELECT 1 FROM disk_encryption WHERE encrypted = 1;\n        critical: true\n\n    # Software to deploy\n    software:\n      packages:\n        - url: https://example.com/app.pkg\n          self_service: false\n\nYour CI/CD pipeline runs `fleetctl gitops` on merge to main, and Fleet applies the changes to enrolled devices. The same workflow you use for infrastructure — Terraform, Ansible, Kubernetes manifests — now manages your endpoints. No clicking through a console, no undocumented manual changes, no configuration drift.\n\n## Cross-platform MDM\n\nFleet implements the native MDM protocols for each platform:\n\n  * **macOS** — Apple MDM protocol + Declarative Device Management (DDM). Zero-touch enrollment through Apple Business Manager (ABM). FileVault management, configuration profiles, OS update enforcement, CIS Benchmark evaluation, Fleet-maintained app catalog.\n  * **Windows** — Windows MDM protocol (CSPs). BitLocker encryption enforcement with key escrow. Windows Update deadline enforcement. 
WDAC application control. Domain join via Autopilot.\n  * **Linux** — osquery-based management with full script execution, software deployment, patch management, and policy enforcement. First-class support across major distributions (Ubuntu, RHEL, Debian, Fedora, Amazon Linux). Linux MDM via Fleet is significantly more capable than any competing platform.\n  * **iOS/iPadOS and Android** — enrollment, app management, device posture, and basic policy enforcement for corporate and BYOD devices.\n\n\n\nThe Linux story deserves emphasis. Most MDM platforms treat Linux as an afterthought — if they support it at all. Fleet's Linux management is built on osquery and fleetd, giving you the same query-based visibility and policy enforcement as macOS and Windows. For engineering teams where Linux laptops are the norm, this is the practical differentiator.\n\n## Vulnerability management\n\nFleet continuously evaluates installed software across every device against the National Vulnerability Database (NVD) CVE feed. You get a real-time view of which devices have vulnerable software, which CVEs affect your fleet, and the severity of each finding. Fleet maintains its own generated CPE/CVE databases from NVD, updated regularly.\n\nThe vulnerability data is queryable: \"show me all devices with a critical CVE in the last 30 days that haven't been patched.\" Combine this with Fleet's software deployment capability and you have a complete remediation workflow — detect the vulnerability, deploy the patch, verify the fix.\n\n## Self-hosting Fleet\n\nFleet is a Go binary with a MySQL database and Redis for pub/sub. 
Docker Compose is the quickest self-hosted path:\n\n\n    services:\n      fleet:\n        image: fleetdm/fleet:latest\n        command: fleet serve\n        environment:\n          FLEET_MYSQL_ADDRESS: mysql:3306\n          FLEET_MYSQL_DATABASE: fleet\n          FLEET_MYSQL_USERNAME: fleet\n          FLEET_MYSQL_PASSWORD: ${MYSQL_PASSWORD}\n          FLEET_REDIS_ADDRESS: redis:6379\n          FLEET_SERVER_TLS: \"false\"  # handle TLS at Traefik\n          FLEET_AUTH_JWT_KEY: ${JWT_KEY}\n        ports:\n          - \"8080:8080\"\n        depends_on:\n          - mysql\n          - redis\n\n      mysql:\n        image: mysql:8.0\n        environment:\n          MYSQL_DATABASE: fleet\n          MYSQL_USER: fleet\n          MYSQL_PASSWORD: ${MYSQL_PASSWORD}\n          MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD}\n\n      redis:\n        image: redis:alpine\n\nFor production Fleet also ships Terraform modules, a Helm chart for Kubernetes, and deployment guides for AWS, GCP, Azure, and air-gapped environments. The TLS certificate handling is critical — Apple MDM enrollment requires a valid TLS certificate, so make sure Traefik or your load balancer is handling HTTPS correctly before enrolling any devices.\n\nMinimum viable server: 2 CPU cores, 4GB RAM. For larger fleets (1,000+ devices), Fleet recommends dedicated MySQL with read replicas and Redis cluster.\n\n## Fleet vs the alternatives\n\n**vs Jamf** — Jamf is the gold standard for Apple device management with the deepest macOS/iOS feature set, the largest ecosystem of integrations, and the strongest name recognition with enterprise security teams. It's also expensive, Apple-only, and a black box. Fleet manages macOS at feature parity for Apple MDM tasks while adding Linux, Windows, and cross-platform osquery visibility that Jamf simply doesn't offer. 
For organizations that need to manage heterogeneous fleets, Fleet's unified platform eliminates the \"Jamf for Macs, Intune for Windows, nothing for Linux\" problem.\n\n**vs Microsoft Intune** — Intune is deeply integrated with Microsoft 365, Azure AD, and the Microsoft ecosystem. If your organization runs primarily on Windows and Microsoft services, Intune's tight integrations are compelling. It's also proprietary SaaS with no self-hosting option. Fleet's Windows MDM coverage is competitive for most use cases, and adding macOS and Linux management through Fleet avoids needing a second platform.\n\n**vs Kandji** — Kandji is a modern Apple MDM with an excellent UI and strong automation features, but it's Apple-only and SaaS-only. No Linux, no self-hosting, no GitOps. Foursquare publicly migrated from Jamf to Fleet — the quote on Fleet's site: \"Thanks for a great run Jamf. Foursquare has officially completed the migration to Fleet as our new device management platform.\"\n\n**vs NinjaRMM / NinjaOne** — NinjaRMM targets MSPs with remote monitoring and management (RMM) alongside MDM. Strong Windows RMM capabilities, good for managed service providers. 
Fleet doesn't have built-in ticketing or the full RMM feature set, but the GitOps model and osquery visibility make Fleet the better choice for internal IT teams that treat infrastructure as code.\n\n## Who it's for\n\n**Good fit:**\n\n  * Engineering organizations with heterogeneous fleets (Mac + Windows + Linux) who don't want three separate management tools\n  * DevOps and platform teams who want to manage endpoints the same way they manage infrastructure — as code, in Git, through pull requests\n  * Security teams who need deep endpoint visibility beyond what traditional MDM provides\n  * Organizations with data residency or compliance requirements that rule out SaaS-only MDM\n  * Teams who want to use osquery at scale without building their own management layer\n\n\n\n**Not the right fit:**\n\n  * Small teams that want zero-infrastructure MDM — Jamf or Kandji are easier to start with\n  * Microsoft-only shops deeply integrated with Intune and Azure AD — the switching cost is real\n  * Teams that need enterprise SLA support without a Premium contract — the free tier is community-supported\n\n\n\n## My take\n\nFleet is the MDM I'd reach for when building infrastructure for an engineering organization. The GitOps model is the right answer to the \"how do we manage device configuration without undocumented manual changes\" problem — and the fact that it's the only MDM that delivers this at production scale is a genuine differentiator.\n\nThe osquery foundation gives you endpoint visibility that no traditional MDM can match. The ability to ask any device an arbitrary SQL question, across every OS, at scale, is powerful. Combined with vulnerability management and software deployment, Fleet gives you a complete endpoint operations platform rather than just a checkbox compliance tool.\n\nThe Linux management story is the practical reason many engineering teams end up here. 
If your engineers run Ubuntu or Fedora and your current MDM ignores those machines, Fleet solves the problem in a way Jamf never will. For any organization where Linux endpoints are first-class citizens alongside Macs and Windows machines, Fleet is the only serious option in the open source space.\n\n* * *\n\nPIPOLINE · DEVOPS CONSULTING\n\n### Need help deploying Fleet?\n\nStanding up Fleet in production — MySQL, Redis, TLS configuration, Apple Business Manager enrollment setup, GitOps repository structure, osquery policy configuration, and enrolling your first devices across macOS, Windows, and Linux — has more moving parts than most infrastructure tools. I can handle the full deployment and set up your GitOps workflow so your team manages endpoints as code from day one.\n\nGet in touch at pipoline.com →",
  "title": "Fleet: Open Source MDM With GitOps and Cross-Platform Device Management",
  "updatedAt": "2026-06-16T11:01:15.580Z"
}