Summary and recommendation
Fleet, the open-source device management platform for macOS, Windows, and Linux, does not currently support SCIM provisioning on any plan. While Fleet offers SAML 2.0 SSO integration with identity providers like Okta and Entra ID, including Just-In-Time (JIT) user provisioning via SAML attributes, this falls short of true SCIM automation. Fleet's documentation indicates that "SCIM for user provisioning is coming soon," but provides no timeline for availability. Even when SCIM arrives, it will likely require their Premium tier with custom pricing, making it cost-prohibitive for many organizations.
The gap between SSO and full provisioning creates operational overhead for IT teams managing Fleet deployments. While JIT provisioning can create users during first login, it doesn't handle the complete user lifecycle—deprovisioning, role changes, and bulk user management still require manual intervention. For organizations running Fleet across hundreds or thousands of endpoints, this manual overhead becomes a significant compliance and security risk, particularly when employees leave or change roles.
The strategic alternative
Fleet has no native SCIM. Automate offboarding, user access reviews, and license workflows across every app, including the ones without APIs. We maintain the integration layer underneath. You focus on judgment, not plumbing.
Quick SCIM facts
| SCIM available? | No |
| SCIM tier required | N/A |
| SSO required first? | No |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Not available |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | ✓ | ❌ | Fleet supports Okta SSO via SAML, but no OIN catalog integration; SCIM for user provisioning coming soon |
| Microsoft Entra ID | ✓ | ❌ | SAML 2.0 SSO supported with Entra ID; JIT provisioning available |
| Google Workspace | Via third-party | ❌ | No native support |
| OneLogin | Via third-party | ❌ | No native support |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Fleet accounts manually. Here's what that costs:
The Fleet pricing problem
Fleet gates SCIM provisioning behind premium plans, forcing significant cost increases for basic user management.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Free (Open Source) | Free | ||
| Premium | Custom pricing |
Current provisioning options
| Plan | Price | SCIM | User Management |
|---|---|---|---|
| Free (Open Source) | Free | ❌ Not available | Manual creation only |
| Premium | Custom pricing | ❌ Coming soon | JIT via SAML attributes |
Fleet supports Just-In-Time (JIT) provisioning through SAML attributes, but this creates users only when they first log in - not when they're added to your IdP.
What this means in practice
No proactive user creation: Users must manually log in before their Fleet account exists, creating a gap between when someone joins your team and when they can access device management tools.
Role assignment limitations: While SAML attributes can assign roles during JIT provisioning, you can't pre-configure user access or update roles without user interaction.
Deprovisioning gaps: When employees leave, their Fleet access must be manually revoked since there's no automated way to sync user status from your IdP.
Additional constraints
Summary of challenges
- Fleet does not provide native SCIM at any price tier
- Organizations must rely on third-party tools or manual provisioning
- Our research shows teams manually provisioning this app spend significant hidden costs annually
What Fleet actually offers for identity
SAML SSO (Available on all plans)
Fleet provides SAML 2.0 integration with identity providers at no additional cost:
| Setting | Details |
|---|---|
| Protocol | SAML 2.0 |
| Supported IdPs | Okta, Entra ID, Google Workspace, OneLogin |
| Configuration | Manual SAML setup via Fleet configuration files |
| User provisioning | JIT (Just-In-Time) only |
| Role assignment | Via SAML attributes |
Key capability: Fleet supports JIT provisioning, meaning users are automatically created when they first authenticate via SAML. Roles can be assigned through SAML attributes, providing basic automated user management.
Current Provisioning Limitations
| Feature | Fleet Status |
|---|---|
| SCIM user provisioning | ❌ Coming soon (not yet available) |
| Bulk user creation | ❌ Manual only |
| User deprovisioning | ❌ Manual deletion required |
| Group synchronization | ❌ Not supported |
| Real-time updates | ❌ JIT creation only |
The reality: While Fleet's JIT provisioning covers basic user creation, you're still stuck with manual processes for user lifecycle management. No automated deprovisioning means offboarded employees retain access until manually removed.
Premium Pricing Structure
Fleet's Premium tier requires custom pricing for:
Bottom line: Even when SCIM arrives, it will likely be gated behind Premium's custom pricing model, making cost planning difficult for identity management projects.
What IT admins are saying
Fleet's missing SCIM support forces IT teams into manual provisioning workflows despite having SSO configured:
- Users must be manually created in Fleet before SSO authentication works
- No automated deprovisioning when employees leave the organization
- Role assignments require manual configuration even with SAML attributes
- JIT provisioning exists but doesn't eliminate the need for ongoing user management
Fleet supports Okta SSO via SAML, but no OIN catalog integration; SCIM for user provisioning coming soon
SAML 2.0 SSO supported with Entra ID; JIT provisioning available
Users created via JIT can be assigned roles via SAML attributes
The recurring theme
Fleet offers solid SSO integration but IT teams still handle all user lifecycle management manually. Even with JIT provisioning, role management and deprovisioning remain time-consuming manual processes that don't scale with growing fleets of devices.
The decision
| Your Situation | Recommendation |
|---|---|
| Small IT team (<20 devices) with minimal turnover | Manual management is acceptable |
| Development team using Fleet's open source version | Manual management with SSO for authentication |
| Growing organization (50+ endpoints) | Use Stitchflow: automation essential for scale |
| Enterprise with compliance requirements | Use Stitchflow: automation essential for audit trail |
| Multi-team deployment with frequent staff changes | Use Stitchflow: automation strongly recommended |
The bottom line
Fleet is an excellent open source MDM platform, but it lacks modern user provisioning capabilities. With SCIM support still "coming soon" and only JIT provisioning available, organizations scaling beyond basic deployments face significant manual overhead. For teams that need automated user lifecycle management today, Stitchflow delivers SCIM-level provisioning without waiting for native support.
Make Fleet workflows AI-native
Fleet has no native SCIM. We build complete offboarding, user access reviews, and license workflows across every app, including the ones without APIs.
Technical specifications
SCIM Version
Not specifiedSupported Operations
Not specifiedSupported Attributes
Plan requirement
Not specifiedPrerequisites
Not specifiedKey limitations
- Open source MDM for macOS, Windows, Linux
- SCIM for user provisioning is coming soon (not yet available)
- JIT (Just-In-Time) user provisioning supported via SAML
- Users created via JIT can be assigned roles via SAML attributes
- Free version has no artificial limits
- Premium required for professional support with SLA
Documentation not available.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app
Where to enable
SAML 2.0 SSO supported with Entra ID; JIT provisioning available
Use Stitchflow for automated provisioning.
Unlock SCIM for
Fleet
Fleet has no native SCIM. We still automate end-to-end workflows across every app, including the ones without APIs.
See how it works
