This is the starter repository for using Fleet with a GitOps workflow.
Before getting into how to set up your GitOps workflow, here are some good reasons to use Fleet with GitOps:
Use CI/CD to streamline and approve changes across security, management, and productivity. With git as the backbone, changes become more reliable and transparent—ensuring consistency, security, and easy tracking, even as things evolve.
Track and audit every change in one system. Know who made changes, when, and why—without being tied to vendor-specific methods. Git commit history records every action, letting you see exactly what changed and who approved it.
IT admins are prime targets for attacks, yet their tools are often insecure and outdated. Instead of relying on legacy platforms, move to a secure, transparent system: git. With git-based changes, admins can work safely in an already trusted environment. Tools like GitHub or GitLab offer easy-to-use interfaces for those who prefer them.
Rather than relying on multiple teams for tools like Intune or Jamf, build a unified team of OS specialists. By using git for MDM (mobile device management), admins can focus on expertise in macOS, Windows, or Linux—not specific vendor tools. This approach reduces silos, fosters collaboration, and helps teams learn valuable DevOps skills—avoiding reliance on unstable, vendor-specific tools that may raise prices or fade away.
Calling 'fleetctl gitops' directly is only recommended for experienced users. For documentation, run
fleetctl gitops --help
.
-
Clone this repository.
-
If you do not have a Premium Fleet license, delete the
teams
folder. -
Make any changes to policies, queries, controls, and more defined in the files.
-
Create your own GitHub repository.
-
Add
FLEET_URL
andFLEET_API_TOKEN
secrets to your new repository's secrets. Learn how here. SetFLEET_URL
to your Fleet instance's URL (ex. https://organization.fleet.com). SetFLEET_API_TOKEN
to an API token for an API-only user in Fleet. Learn how here. -
Add
FLEET_GLOBAL_ENROLL_SECRET
secret to your new repository's secrets. The enroll secret must be an alphanumeric string of at least 32 and at most 255 characters.- If you have a Premium Fleet license, also add
FLEET_WORKSTATIONS_ENROLL_SECRET
andFLEET_WORKSTATIONS_CANARY_ENROLL_SECRET
. - If you do not have a Premium Fleet license, uncomment the following line in
.github/workflows/workflow.yml
:
- If you have a Premium Fleet license, also add
# delete-other-teams: false
-
Delete
.gitlab-ci.yml
, which is for GitLab CI/CD. -
Push your cloned and modified code to your repo.
-
In GitHub, enable the
Apply latest configuration to Fleet
GitHub Actions workflow, and run workflow manually. Now, when anyone pushes a new commit to the default branch, the action will run and update Fleet. For pull requests, the workflow will do a dry run only.
-
Create your own GitLab repository.
-
Add
FLEET_URL
andFLEET_API_TOKEN
as masked CI/CD variables. Learn how here. SetFLEET_URL
to your Fleet instance's URL (ex. https://organization.fleet.com). SetFLEET_API_TOKEN
to an API token for an API-only user in Fleet. Learn how here. -
Add
FLEET_GLOBAL_ENROLL_SECRET
secret as a masked CI/CD variable. The enroll secret must be an alphanumeric string of at least 32 and at most 255 characters.- If you have a Premium Fleet license, also add
FLEET_WORKSTATIONS_ENROLL_SECRET
andFLEET_WORKSTATIONS_CANARY_ENROLL_SECRET
.
- If you have a Premium Fleet license, also add
-
Delete
.github
folder, which is for GitHub Actions. -
Push your cloned and modified code to your repo.
-
Now, when anyone pushes a new commit to the default branch, the pipeline will run and update Fleet. For merge requests, the pipeline will do a dry run only.
For all configuration options, go to GitOps reference in the Fleet documentation.