Device & software fleet management that integrates with OpenFrame — provisioning, updates, inventory, policy, and remote actions across Windows, macOS, and Linux.
- Cross-platform device management (Windows, macOS, Linux)
- Zero-touch provisioning (bootstrap scripts / enrollment tokens)
- Inventory & health (hardware, OS, software, services)
- Policy engine (baseline hardening, schedule, constraints)
- Software catalog & updates (install, pin, rollback)
- Remote actions (scripts, services, processes, files)
- Compliance reporting (drift, remediation, audit)
- Integrations: OpenFrame Gateway, Stream (Kafka), Analytics (Pinot), Auth (OIDC/JWT)
- API-first (REST/GraphQL gateway), web console (operator UI)
For OpenFrame Integration:
- Kubernetes cluster with kubectl
- Telepresence (for local access to services)
Fleet is integrated into OpenFrame as FleetMDM for device management via osquery.
Fleet runs as a service in OpenFrame and talks to endpoint agents via Gateway. Events flow into Stream and Analytics for compliance and dashboards.
flowchart LR
A[Agent] -- inventory/metrics --> G[OpenFrame Gateway]
A <-- actions/policy/enroll --> G
subgraph OpenFrame
G --> API[(Fleet Service API)]
API --> DB[(DB: inventory, policy, jobs)]
DB --> S[Stream]
S --> K[(Kafka)]
K --> C[(Cassandra)]
K --> P[(Pinot Analytics)]
end
style A fill:#FFC109,stroke:#1A1A1A,color:#FAFAFA
style G fill:#666666,stroke:#1A1A1A,color:#FAFAFA
style API fill:#212121,stroke:#1A1A1A,color:#FAFAFA
FleetMDM is deployed automatically as part of OpenFrame via ArgoCD app-of-apps pattern:
# manifests/apps/values.yaml
apps:
fleetmdm:
enabled: true
project: integrated-tools
namespace: integrated-tools
syncWave: "3" # Deployed after microservicesDeploy complete OpenFrame stack:
# Install with ArgoCD
helm install openframe ./manifests/app-of-apps
# FleetMDM will be deployed automatically along with:
# - MySQL and Redis (StatefulSets)
# - Fleet server with auto-initialization
# - Tool registration job for OpenFrame integrationAccess Fleet UI:
# Connect to integrated-tools namespace
telepresence connect --namespace integrated-tools
# Fleet UI will be available at:
# http://fleetmdm-server.integrated-tools.svc.cluster.local:8070For standalone FleetMDM deployment (not recommended - registration job will fail):
helm install fleetmdm ./manifests/integrated-tools/fleetmdmAuto-initialization:
- Creates organization "OpenFrame"
- Sets up admin and API-only users
- Persists API token at
/etc/fleet/api_token.txt - Registers as integrated tool in OpenFrame
Configuration is managed via Helm chart at manifests/integrated-tools/fleetmdm/.
import com.openframe.sdk.fleetmdm.FleetMdmClient;
import com.openframe.sdk.fleetmdm.model.Host;
import com.openframe.sdk.fleetmdm.model.HostSearchRequest;
import com.openframe.sdk.fleetmdm.model.QueryResult;
@Service
public class DeviceManagementService {
private final FleetMdmClient fleetClient;
public DeviceManagementService() {
this.fleetClient = new FleetMdmClient(
"http://fleetmdm-server.integrated-tools.svc.cluster.local:8070",
System.getenv("FLEET_API_TOKEN")
);
}
// Get device by ID
public Host getDevice(long hostId) throws IOException, InterruptedException {
return fleetClient.getHostById(hostId);
}
// Search devices
public List<Host> searchDevices(String query) throws IOException, InterruptedException {
return fleetClient.searchHosts(query);
}
// Search with pagination
public List<Host> searchDevicesPaginated(String query, int page, int perPage)
throws IOException, InterruptedException {
HostSearchRequest request = new HostSearchRequest(query, page, perPage);
return fleetClient.searchHosts(request);
}
// Execute osquery on specific device
public QueryResult executeQuery(long hostId, String sqlQuery)
throws IOException, InterruptedException {
return fleetClient.runQuery(hostId, sqlQuery);
}
// Example: Get Chrome extensions on device
public QueryResult getChromeExtensions(long hostId)
throws IOException, InterruptedException {
String query = "SELECT * FROM chrome_extensions";
return fleetClient.runQuery(hostId, query);
}
// Get enroll secret for new devices
public String getEnrollSecret() throws IOException, InterruptedException {
return fleetClient.getEnrollSecret();
}
}Check deployment status:
kubectl get pods -n integrated-tools -l app=fleetmdm-server
kubectl logs -f fleetmdm-server-0 -n integrated-toolsAccess Fleet services via Telepresence:
# Connect to cluster
telepresence connect --namespace integrated-tools
# Access Fleet UI directly
open http://fleetmdm-server.integrated-tools.svc.cluster.local:8070
# Access MySQL for debugging
mysql -h fleetmdm-mysql-0.fleetmdm-mysql.integrated-tools.svc.cluster.local -u fleet -p
# Access Redis for debugging
redis-cli -h fleetmdm-redis.integrated-tools.svc.cluster.localGet API token manually:
kubectl exec -it fleetmdm-server-0 -n integrated-tools -- \
cat /etc/fleet/api_token.txtReinitialize if needed:
kubectl delete pod fleetmdm-server-0 -n integrated-tools
# StatefulSet will recreate automaticallyFor complete documentation:
- All communication is encrypted with TLS 1.2
- OAuth2/OIDC → JWT for authentication (via Gateway)
- Minimal client-side privileges required
- Safeguards against unsafe command execution
Found a vulnerability? Email security@flamingo.run instead of opening a public issue.
We welcome PRs! Please follow these guidelines:
- Use branching strategy:
feature/...,bugfix/... - Add descriptions to the CHANGELOG
- Follow consistent Go code style (
go fmt, linters) - Keep documentation updated in
docs/
This project is licensed under the Flamingo Unified License v1.0 (LICENSE.md).
