Fleet 4.29.0 is up and running. Check out the full [changelog](https://github.com/fleetdm/fleet/releases/tag/fleet-v4.29.0) or continue reading to get the highlights.
For upgrade instructions, see our [upgrade guide](https://fleetdm.com/docs/deploying/upgrading-fleet) in the Fleet docs.
With this update, you can take 🟠 Ownership of Fleet account role assignment when using Just-in-time (JIT) provisioning. When JIT user provisioning is enabled, Fleet automatically creates a user account on first login through the configured single sign-on (SSO). The email and full name are copied from the user data in the SSO during account creation, so large organizations no longer need to create individual users. By default, accounts created via JIT provisioning are assigned the [Global Observer role](https://fleetdm.com/docs/using-fleet/permissions).
Users created via JIT provisioning can be assigned Fleet roles using SAML custom attributes sent by the IdP in a `SAMLResponse` during login. Global or team roles can be assigned one of the supported values: admin, maintainer, and observer. Fleet will attempt to parse SAML custom attributes. If the account exists, and `enable_jit_role_sync` is true, the Fleet account roles will be updated to match those set in the SAML custom attributes at every login.
Learn more about [JIT user role setting](https://fleetdm.com/docs/deploying/configuration#just-in-time-jit-user-provisioning).
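A pre-flight check for the attribute mapping described above, added here as an example (not Fleet's code): it parses a constructed `AttributeStatement` and rejects any role outside admin, maintainer, and observer before role sync is turned on. The attribute names `FLEET_JIT_USER_ROLE_GLOBAL` and `FLEET_JIT_USER_ROLE_TEAM_<team id>` are assumed from Fleet's JIT documentation, and rejecting multi-valued attributes is this example's own choice.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// Assumed from Fleet's JIT docs (not on this page): suffix is GLOBAL or TEAM_<team id>.
const attrPrefix = "FLEET_JIT_USER_ROLE_"
var validRoles = map[string]bool{"admin": true, "maintainer": true, "observer": true} // values listed on this page

type statement struct {
	Attrs []struct {
		Name   string   `xml:"Name,attr"`
		Values []string `xml:"AttributeValue"`
	} `xml:"Attribute"`
}

// Constructed sample of the AttributeStatement an IdP could send for one user.
const sampleStatement = `<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="email"><saml:AttributeValue>a@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="FLEET_JIT_USER_ROLE_TEAM_1"><saml:AttributeValue>maintainer</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="FLEET_JIT_USER_ROLE_TEAM_2"><saml:AttributeValue>observer</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>`

// RolesFromStatement maps scope ("GLOBAL" or "TEAM_<id>") to role and fails closed on unsupported values.
func RolesFromStatement(doc string) (map[string]string, error) {
	var st statement
	if err := xml.Unmarshal([]byte(doc), &st); err != nil {
		return nil, err
	}
	roles := map[string]string{}
	for _, a := range st.Attrs {
		scope := strings.TrimPrefix(a.Name, attrPrefix)
		if scope == a.Name || (scope != "GLOBAL" && !strings.HasPrefix(scope, "TEAM_")) {
			continue // not a Fleet role attribute (for example, email)
		}
		if len(a.Values) != 1 || !validRoles[a.Values[0]] {
			return nil, fmt.Errorf("%s: unsupported role value %q", a.Name, a.Values)
		}
		roles[scope] = a.Values[0]
	}
	if len(roles) == 0 {
		roles["GLOBAL"] = "observer" // the page's default for JIT accounts: Global Observer
	}
	return roles, nil
}

func main() { fmt.Println(RolesFromStatement(sampleStatement)) }
```

Running it against an exported assertion from a test login shows which roles an account would receive, and an error means the IdP mapping needs fixing first.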
The Center for Internet Security (CIS) publishes benchmark documents that describe how to configure computers to avoid the vulnerabilities those documents address. Fleet 4.28 included scheduling and running a complete set of [CIS benchmark policies](https://fleetdm.com/docs/using-fleet/cis-benchmarks) as part of Premium and Ultimate. Today, Fleet adds more macOS 13 Ventura CIS benchmarks that can be detected but require manual intervention.
CIS benchmark policies represent the consensus-based effort of cybersecurity experts globally to help protect your systems against threats more confidently. Fleet takes 🟠 Ownership toward providing the most comprehensive CIS benchmark policies available. Using Fleet to detect these additional CIS policies will assist you in quickly bringing your fleet into compliance, saving your organization time and money.
Learn more about [macOS 13.0 Ventura Benchmark manual checks](https://fleetdm.com/docs/using-fleet/cis-benchmarks#mac-os-13-0-ventura-benchmark-manual-checks-that-require-customer-decision).
### Vulnerability management improvement
Fleet updated translation rules to provide better 🟢 Results and avoid false positives when reporting on Docker Desktop. With these changes, Docker Desktop is now mapped to the proper CVE, fixing the false positive where Docker Desktop was showing vulnerabilities that should have been associated with the Docker engine.
## More new features, improvements, and bug fixes
#### List of MDM features
* Added activity feed items for enabling and disabling disk encryption with MDM.
* Added FileVault banners on the Host Details and My Device pages.
* Added activities for when macOS disk encryption setting is enabled or disabled.
* Added UI for Fleet MDM managed disk encryption toggling and the disk encryption aggregate data.
* Added support to update a team's disk encryption via the Modify Team (`PATCH /api/latest/fleet/teams/{id}`) endpoint.
* Added a new API endpoint to gate access to an enrollment profile behind Okta authentication.
* Added new configuration values to integrate Okta in the DEP MDM flow.