Every organization with more than a handful of laptops eventually needs device management. You need to know what's installed, enforce security policies, push software, patch vulnerabilities, and prove compliance to auditors. The traditional answer is Jamf for Macs or Microsoft Intune for Windows, but if you run a heterogeneous fleet you end up with two or three tools, as many consoles, and no unified view of what's actually happening across your endpoints.

Fleet is the open source MDM that manages all of it from one platform. macOS, Windows, Linux, iOS, Android — one console, one API, one GitOps workflow. It's built on osquery, the open source endpoint agent originally created at Facebook, and it's the first MDM to ship native GitOps support. Configuration lives in YAML in your Git repository, changes go through pull requests, and your device state is auditable the same way your infrastructure is.

What Fleet is

Fleet is an open source device management platform (MDM) for macOS, Windows, Linux, iOS, iPadOS, Android, and ChromeOS. It gives IT and security teams a single system to enroll devices, enforce policies, deploy software, manage patches, run osquery queries, track vulnerabilities, and demonstrate compliance — all from one place.

The platform is built by Fleet Device Management Inc., a company whose business model is explicitly modeled on GitLab: open core, with a free MIT-licensed tier and paid premium features. The free version under the MIT license includes core MDM, osquery management, SSO for console login, and infrastructure-as-code workflows, and can be downloaded without leaving an email address. Fleet Premium at $7/host/month adds teams with team-based access controls, advanced audit logging, vulnerability severity data (CVSS, EPSS, CISA KEV), vulnerability management integrations, and professional support.

Fleet is used in production at organizations managing tens of thousands of devices, with a few large organizations managing 400,000 or more. The GitHub repo has 6,479 stars with active development.

The license — MIT core, commercial /ee

The majority of Fleet is released under the MIT license. A separate set of paid features lives in an /ee directory under a commercial license. This is the same open core model used by GitLab, Metabase, and others: the core platform is genuinely open source and free, while enterprise features like teams, advanced RBAC, vulnerability severity scoring, and vulnerability management integrations require a paid license.

For most self-hosted deployments, the MIT core covers everything you need: MDM enrollment, policy enforcement, osquery queries, software deployment, patch management, and GitOps workflows. The /ee features are for larger organizations with compliance teams and enterprise integration requirements.

Built on osquery

This is what differentiates Fleet from traditional MDM platforms. osquery is an open source tool originally built at Facebook that exposes your operating system as a relational database: you query device state with SQL. Instead of asking a console to "show me devices with FileVault disabled," you write:

-- Hostname, the FileVault-authorised user (if any) and the volume name for
-- every disk that is not encrypted. disk_encryption has no hostname column,
-- so system_info (one row per host) is cross-joined in; the LEFT JOIN keeps
-- rows whose uid is empty, which is the usual case for an unencrypted disk.
SELECT si.hostname, u.username, de.name AS volume
FROM disk_encryption de
LEFT JOIN users u ON u.uid = de.uid
CROSS JOIN system_info si
WHERE de.encrypted = 0;

Fleet wraps osquery at scale. You can run queries across your entire fleet in real time, schedule queries that run continuously and alert on changes, and build compliance policies from SQL. The result is device visibility that goes far deeper than traditional MDM — you're not limited to the attributes Apple or Microsoft chose to expose through their MDM protocols. If osquery can query it (and it can query almost everything), Fleet can report on it.

Beyond queries, Fleet ships fleetd, its agent bundle: orbit, a lightweight supervisor that runs and auto-updates osquery, executes scripts, installs software, and reports to the Fleet server, plus the optional Fleet Desktop tray app. MDM enrollment itself still goes through each operating system's native MDM client; fleetd works alongside it rather than replacing it. One agent, one configuration, all platforms.

GitOps-first device management

This is Fleet's most distinctive capability and the one most relevant to DevOps teams. Fleet is the first cross-platform GitOps-enabled MDM. Your device configuration — MDM profiles, osquery policies, software installers, patch schedules — lives in YAML in a Git repository. Changes go through pull requests. CI/CD applies them. Every change is peer-reviewed, version-controlled, and auditable.

A Fleet GitOps repository looks like this:

# default.yml — applies to all devices
controls:
  # FileVault (macOS) and BitLocker (Windows) are enforced here, with
  # recovery keys escrowed to Fleet. Fleet rejects FileVault payloads in
  # custom profiles, so this is the only place to turn it on.
  enable_disk_encryption: true
  macos_settings:
    custom_settings:
      - path: ./profiles/screensaver.mobileconfig
  windows_settings:
    custom_settings:
      - path: ./profiles/windows-firewall.xml   # SyncML <Replace> commands

# Query policies
policies:
  - name: "FileVault enabled"
    platform: darwin
    # Checks that FileVault is on and a recovery-key user exists, rather than
    # that some volume (an encrypted USB stick, say) happens to be encrypted.
    query: SELECT 1 FROM disk_encryption WHERE user_uuid IS NOT '' AND filevault_status = 'on' LIMIT 1;
    resolution: "Turn on FileVault in System Settings > Privacy & Security, or wait for the enforced setting to apply."
    critical: true

# Software to deploy
software:
  packages:
    - url: https://example.com/app.pkg
      self_service: false

Your CI/CD pipeline runs fleetctl gitops --dry-run on pull requests to validate the change, then fleetctl gitops on merge to main, and Fleet applies the result to enrolled devices. The same workflow you use for infrastructure (Terraform, Ansible, Kubernetes manifests) now manages your endpoints. No clicking through a console, no undocumented manual changes, no configuration drift.
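
As an added example (not Fleet's own tooling, and not part of the original article), here is the kind of pre-flight script a CI job would run before fleetctl gitops. It assumes the repository layout above: a default.yml whose controls reference profiles by path. Each check catches something Fleet would otherwise reject at apply time: a referenced profile that isn't in the repo, a .mobileconfig that isn't a valid plist or lacks a PayloadIdentifier, two profiles sharing a PayloadDisplayName, and a FileVault payload in a custom profile (Fleet manages FileVault through its disk encryption setting and refuses such profiles). The sample repo it builds in a temp directory is constructed for the example; the windows-firewall.xml path and the com.example identifiers are placeholders.

```python
"""Pre-flight checks for a Fleet GitOps repo, meant to run in CI before fleetctl gitops.

Added example; not Fleet's tooling. It assumes the layout shown in the article
(default.yml with "- path:" entries under controls) and builds a throwaway sample
repo so it runs offline.
"""
import os
import plistlib
import re
import tempfile
import uuid

# Regex extraction keeps this stdlib-only; "path:" is Fleet's own GitOps key.
PATH_RE = re.compile(r"^\s*-\s*path:\s*(\S+)", re.MULTILINE)

# PayloadTypes Fleet refuses in custom macOS profiles (FileVault is managed natively).
FORBIDDEN_PAYLOADS = {
    "com.apple.MCX.FileVault2",
    "com.apple.security.FDERecoveryKeyEscrow",
    "com.apple.security.FDERecoveryRedirect",
}


def check_mobileconfig(rel, full, seen_names):
    """Validate one profile; return a list of problem strings (empty if clean)."""
    try:
        with open(full, "rb") as fh:
            plist = plistlib.load(fh)
    except Exception as exc:  # InvalidFileException or ExpatError for non-plist input
        return [f"{rel}: not a valid plist ({type(exc).__name__})"]
    problems = []
    if not plist.get("PayloadIdentifier"):
        problems.append(f"{rel}: missing PayloadIdentifier")
    name = plist.get("PayloadDisplayName")
    if name in seen_names:
        problems.append(f"{rel}: PayloadDisplayName {name!r} already used by {seen_names[name]}")
    else:
        seen_names[name] = rel
    for payload in plist.get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        if ptype in FORBIDDEN_PAYLOADS:
            problems.append(f"{rel}: payload {ptype} is managed by enable_disk_encryption, not a custom profile")
    return problems


def check_repo(repo_dir):
    """Walk every "- path:" in default.yml; return all problems found."""
    with open(os.path.join(repo_dir, "default.yml")) as fh:
        text = fh.read()
    problems, seen_names = [], {}
    for rel in PATH_RE.findall(text):
        full = os.path.normpath(os.path.join(repo_dir, rel))
        if not os.path.isfile(full):
            problems.append(f"{rel}: referenced in default.yml but not in the repo")
        elif rel.endswith(".mobileconfig"):
            problems.extend(check_mobileconfig(rel, full, seen_names))
    return problems


def fleetctl_argv(dry_run):
    """Command CI runs once checks pass: dry-run on pull requests, apply on main."""
    argv = ["fleetctl", "gitops", "-f", "default.yml"]
    return argv + ["--dry-run"] if dry_run else argv


def _profile(display_name, payload_type, **settings):
    """Build a minimal configuration profile plist (constructed test data)."""
    inner = {"PayloadType": payload_type, "PayloadVersion": 1,
             "PayloadIdentifier": f"com.example.{display_name.lower()}.payload",
             "PayloadUUID": str(uuid.uuid4()), **settings}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadIdentifier": f"com.example.{display_name.lower()}",
                           "PayloadUUID": str(uuid.uuid4()),
                           "PayloadDisplayName": display_name,
                           "PayloadContent": [inner]})


def build_sample_repo():
    """Constructed repo: one good profile, one FileVault profile, one missing path."""
    repo = tempfile.mkdtemp(prefix="fleet-gitops-")
    os.mkdir(os.path.join(repo, "profiles"))
    with open(os.path.join(repo, "profiles", "screensaver.mobileconfig"), "wb") as fh:
        fh.write(_profile("Screensaver", "com.apple.screensaver", idleTime=600, askForPassword=True))
    with open(os.path.join(repo, "profiles", "filevault.mobileconfig"), "wb") as fh:
        fh.write(_profile("FileVault", "com.apple.MCX.FileVault2", Enable="On"))
    with open(os.path.join(repo, "default.yml"), "w") as fh:
        fh.write(
            "controls:\n"
            "  macos_settings:\n"
            "    custom_settings:\n"
            "      - path: ./profiles/screensaver.mobileconfig\n"
            "      - path: ./profiles/filevault.mobileconfig\n"
            "  windows_settings:\n"
            "    custom_settings:\n"
            "      - path: ./profiles/windows-firewall.xml\n"  # never written: deliberately missing
        )
    return repo


if __name__ == "__main__":
    import sys
    found = check_repo(build_sample_repo())
    for p in found:
        print("FAIL", p)
    if found:
        sys.exit(1)
    print(" ".join(fleetctl_argv(dry_run=True)))
```

Gate both the pull-request dry run and the merge apply on a clean result; the failure list is the only output the CI log needs, and it points at the offending file rather than at a server-side error after half the profiles have already been applied.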

Cross-platform MDM

Fleet implements the native MDM protocols for each platform:

  • macOS — Apple MDM protocol plus Declarative Device Management (DDM). Zero-touch enrollment through Apple Business Manager (ABM). FileVault enforcement with recovery-key escrow, configuration profiles, OS update enforcement, CIS Benchmark policies, and a Fleet-maintained app catalog.
  • Windows — Windows MDM protocol (CSPs delivered as SyncML). BitLocker enforcement with recovery-key escrow. Windows Update deadline enforcement. WDAC application control through custom CSP profiles. Zero-touch enrollment through Windows Autopilot.
  • Linux — there is no vendor MDM protocol, so management is osquery and fleetd: script execution, software deployment, patch management, and policy enforcement across the major distributions (Ubuntu, RHEL, Debian, Fedora, Amazon Linux). This is broader Linux coverage than the mainstream MDMs offer, most of which ship little or nothing for Linux.
  • iOS/iPadOS and Android — enrollment, app management, device posture, and basic policy enforcement for corporate-owned and BYOD devices.

The Linux story deserves emphasis. Most MDM platforms treat Linux as an afterthought — if they support it at all. Fleet's Linux management is built on osquery and fleetd, giving you the same query-based visibility and policy enforcement as macOS and Windows. For engineering teams where Linux laptops are the norm, this is the practical differentiator.

Vulnerability management

Fleet continuously matches the software installed on every device against CVE data: the National Vulnerability Database (NVD) feed for applications, supplemented by OVAL definitions for Linux distribution packages and Microsoft's MSRC security bulletins for Windows OS vulnerabilities. You get a current view of which devices have vulnerable software, which CVEs affect your fleet, and (on Premium) the severity of each finding with CVSS base score, EPSS probability, and whether it appears on CISA's Known Exploited Vulnerabilities list. Fleet publishes its own pre-processed CPE/CVE databases built from NVD and refreshes them regularly, so the server downloads those rather than crawling NVD itself.

The vulnerability data is queryable: "show me all devices with a critical CVE in the last 30 days that haven't been patched." Combine this with Fleet's software deployment capability and you have a complete remediation workflow — detect the vulnerability, deploy the patch, verify the fix.
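
As an added example (not Fleet's code or its API client), the triage step from the paragraph above in Python: take the server's vulnerability list, keep the CVEs first seen in the last 30 days that are critical (CVSS 9.0 or higher, or on CISA's Known Exploited Vulnerabilities list when no score is available, as on Fleet Free) and still have affected hosts, and rank them by how many hosts they hit. The SAMPLE response is constructed by hand with placeholder CVE IDs in the field layout this example assumes for GET /api/v1/fleet/vulnerabilities (cve, created_at, hosts_count, cvss_score, cisa_known_exploit); check those names against your server's REST API reference. fetch_vulnerabilities shows the bearer-token call and is not executed by the sample run.

```python
"""Triage Fleet's vulnerability list: critical CVEs first seen in the last 30 days
that still affect at least one host, most-affected first.

Added example, not Fleet's code. SAMPLE is constructed (placeholder CVE IDs) in the
field layout this example assumes for GET /api/v1/fleet/vulnerabilities; cvss_score
and cisa_known_exploit are populated on Fleet Premium and may be null otherwise.
"""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

# Fixed "now" so the sample run is reproducible.
NOW = datetime(2025, 1, 31, tzinfo=timezone.utc)

SAMPLE = json.dumps({"vulnerabilities": [
    {"cve": "CVE-0000-0001", "created_at": "2025-01-20T10:00:00Z", "hosts_count": 42,
     "cvss_score": 9.8, "cisa_known_exploit": False},
    {"cve": "CVE-0000-0002", "created_at": "2025-01-25T10:00:00Z", "hosts_count": 3,
     "cvss_score": None, "cisa_known_exploit": True},    # no score (free tier), but on KEV
    {"cve": "CVE-0000-0003", "created_at": "2024-11-01T10:00:00Z", "hosts_count": 120,
     "cvss_score": 9.9, "cisa_known_exploit": False},   # critical, but older than the window
    {"cve": "CVE-0000-0004", "created_at": "2025-01-28T10:00:00Z", "hosts_count": 0,
     "cvss_score": 9.1, "cisa_known_exploit": False},   # already remediated everywhere
    {"cve": "CVE-0000-0005", "created_at": "2025-01-29T10:00:00Z", "hosts_count": 7,
     "cvss_score": 6.5, "cisa_known_exploit": False},   # medium severity: out of scope
]})


def parse_ts(ts):
    """Fleet emits RFC 3339 timestamps with a Z suffix; make them tz-aware."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def is_critical(v, cvss_floor=9.0):
    """Critical if on CISA KEV, or if a CVSS score is present and at/above the floor.
    A missing score (Fleet Free) is treated as unknown, not as zero."""
    score = v.get("cvss_score")
    return bool(v.get("cisa_known_exploit")) or (score is not None and score >= cvss_floor)


def triage(payload, now=NOW, window_days=30):
    """Return [(cve, hosts_count)] for unpatched critical CVEs first seen inside the window,
    sorted by affected-host count descending."""
    cutoff = now - timedelta(days=window_days)
    hits = [v for v in json.loads(payload)["vulnerabilities"]
            if parse_ts(v["created_at"]) >= cutoff
            and v.get("hosts_count", 0) > 0      # hosts_count 0 means already remediated
            and is_critical(v)]
    hits.sort(key=lambda v: v["hosts_count"], reverse=True)
    return [(v["cve"], v["hosts_count"]) for v in hits]


def fetch_vulnerabilities(server_url, api_token):
    """Pull the live list. Fleet's REST API authenticates with a bearer token;
    the endpoint path is this example's assumption. Not called by the sample run."""
    req = urllib.request.Request(
        f"{server_url.rstrip('/')}/api/v1/fleet/vulnerabilities",
        headers={"Authorization": f"Bearer {api_token}"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    for cve, hosts in triage(SAMPLE):
        print(f"{cve}  hosts affected: {hosts}")
```

The two rows this keeps from the sample are the ones a remediation run should start with; widening window_days to 120 brings the older critical CVE back to the top of the list, which is the check to run when you suspect a patch campaign stalled rather than a new finding appeared.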

Self-hosting Fleet

Fleet is a single Go binary backed by MySQL (all state) and Redis (live query results and caching). Docker Compose is the quickest self-hosted path. The example below terminates TLS at a reverse proxy such as Traefik, runs the schema migrations before starting the server, persists MySQL data, and sets the server private key that MDM needs; the FLEET_AUTH_JWT_KEY variable seen in older guides is gone, since Fleet 4.x keeps sessions in MySQL:

services:
  fleet:
    image: fleetdm/fleet:latest   # pin a specific version tag in production
    # Apply schema migrations, then start; "fleet serve" on its own refuses
    # to start against a database that has not been prepared.
    command: sh -c "fleet prepare db --no-prompt && fleet serve"
    environment:
      FLEET_MYSQL_ADDRESS: mysql:3306
      FLEET_MYSQL_DATABASE: fleet
      FLEET_MYSQL_USERNAME: fleet
      FLEET_MYSQL_PASSWORD: ${MYSQL_PASSWORD}
      FLEET_REDIS_ADDRESS: redis:6379
      FLEET_SERVER_TLS: "false"  # TLS terminated at Traefik
      # Required for MDM: encrypts the APNs/SCEP/ABM secrets Fleet stores in
      # MySQL. Generate with: openssl rand -base64 32
      FLEET_SERVER_PRIVATE_KEY: ${FLEET_SERVER_PRIVATE_KEY}
    ports:
      - "8080:8080"
    depends_on:
      mysql:
        condition: service_healthy   # plain depends_on does not wait for MySQL to accept connections
      redis:
        condition: service_started

  mysql:
    image: mysql:8.0
    environment:
      MYSQL_DATABASE: fleet
      MYSQL_USER: fleet
      MYSQL_PASSWORD: ${MYSQL_PASSWORD}
      MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD}
    volumes:
      - mysql-data:/var/lib/mysql   # without a volume, recreating the container wipes your fleet
    healthcheck:
      test: ["CMD", "mysqladmin", "ping", "-h", "localhost"]
      interval: 10s
      timeout: 5s
      retries: 10

  redis:
    image: redis:alpine

volumes:
  mysql-data:

For production Fleet also ships Terraform modules, a Helm chart for Kubernetes, and deployment guides for AWS, GCP, Azure, and air-gapped environments. TLS is not optional: Apple's MDM client will only enroll against a server it can validate, so the certificate must chain to a CA the device already trusts (in practice a publicly trusted one), and the server URL configured in Fleet's settings must match it, because that URL is what the enrollment profile points devices at. Get Traefik or your load balancer serving HTTPS correctly before enrolling anything.

Minimum viable server: 2 CPU cores, 4GB RAM. For larger fleets (1,000+ devices), Fleet recommends dedicated MySQL with read replicas and Redis cluster.

Fleet vs the alternatives

vs Jamf — Jamf is the gold standard for Apple device management with the deepest macOS/iOS feature set, the largest ecosystem of integrations, and the strongest name recognition with enterprise security teams. It's also expensive, Apple-only, and a black box. Fleet covers the core Apple MDM tasks listed above (profiles and DDM, FileVault with key escrow, OS update enforcement, ABM zero-touch enrollment) while adding Linux, Windows, and cross-platform osquery visibility that Jamf simply doesn't offer. For organizations that need to manage heterogeneous fleets, Fleet's unified platform eliminates the "Jamf for Macs, Intune for Windows, nothing for Linux" problem.

vs Microsoft Intune — Intune is deeply integrated with Microsoft 365, Azure AD (now Entra ID), and the Microsoft ecosystem. If your organization runs primarily on Windows and Microsoft services, Intune's tight integrations are compelling. It's also proprietary SaaS with no self-hosting option. Fleet's Windows MDM coverage is competitive for most use cases, and adding macOS and Linux management through Fleet avoids needing a second platform.

vs Kandji — Kandji is a modern Apple MDM with an excellent UI and strong automation features, but it's Apple-only and SaaS-only. No Linux, no self-hosting, no GitOps. Foursquare publicly migrated from Jamf to Fleet — the quote on Fleet's site: "Thanks for a great run Jamf. Foursquare has officially completed the migration to Fleet as our new device management platform."

vs NinjaRMM / NinjaOne — NinjaRMM targets MSPs with remote monitoring and management (RMM) alongside MDM. Strong Windows RMM capabilities, good for managed service providers. Fleet doesn't have built-in ticketing or the full RMM feature set, but the GitOps model and osquery visibility make Fleet the better choice for internal IT teams that treat infrastructure as code.

Who it's for

Good fit:

  • Engineering organizations with heterogeneous fleets (Mac + Windows + Linux) who don't want three separate management tools
  • DevOps and platform teams who want to manage endpoints the same way they manage infrastructure — as code, in Git, through pull requests
  • Security teams who need deep endpoint visibility beyond what traditional MDM provides
  • Organizations with data residency or compliance requirements that rule out SaaS-only MDM
  • Teams who want to use osquery at scale without building their own management layer

Not the right fit:

  • Small teams that want zero-infrastructure MDM — Jamf or Kandji are easier to start with
  • Microsoft-only shops deeply integrated with Intune and Azure AD — the switching cost is real
  • Teams that need enterprise SLA support without a Premium contract — the free tier is community-supported

My take

Fleet is the MDM I'd reach for when building infrastructure for an engineering organization. The GitOps model is the right answer to the "how do we manage device configuration without undocumented manual changes" problem — and the fact that it's the only MDM that delivers this at production scale is a genuine differentiator.

The osquery foundation gives you endpoint visibility that no traditional MDM can match. The ability to ask any device an arbitrary SQL question, across every OS, at scale, is powerful. Combined with vulnerability management and software deployment, Fleet gives you a complete endpoint operations platform rather than just a checkbox compliance tool.

The Linux management story is the practical reason many engineering teams end up here. If your engineers run Ubuntu or Fedora and your current MDM ignores those machines, Fleet solves the problem in a way Jamf never will. For any organization where Linux endpoints are first-class citizens alongside Macs and Windows machines, Fleet is the only serious option in the open source space.


PIPOLINE · DEVOPS CONSULTING

Need help deploying Fleet?

Standing up Fleet in production — MySQL, Redis, TLS configuration, Apple Business Manager enrollment setup, GitOps repository structure, osquery policy configuration, and enrolling your first devices across macOS, Windows, and Linux — has more moving parts than most infrastructure tools. I can handle the full deployment and set up your GitOps workflow so your team manages endpoints as code from day one.

Get in touch at pipoline.com →