FleetTracker — Documentation

Before you start

You'll want these ready regardless of platform:

Intune admin access (or an MDM/Entra admin role).
A device group in Intune containing the enrolled, corporate-owned devices you want to track.
The agent package — the Fleet Tracker APK for Android, or the Windows agent installer for Windows.
An ingest API key — every ping needs one. Issue it from the dashboard (one per fleet). See Ingest API key.
an encryption key per fleet tag so user emails are captured and readable to you. See Encryption keys.

Devices are grouped by fleet — and the ingest key decides the fleet. Create one Intune configuration per fleet/company, each with that fleet's own API key.

🤖 Android Deploy on Android (Intune)

Distribution is through Managed Google Play as a private app, assigned by Intune. The flow:

Publish the APK to Managed Google PlayIntune → Apps → Android → Add → Managed Google Play app. In the Play console that opens, create / publish a private app (the + button, lower-right), name it "Fleet Tracker", and upload the APK. Wait for Google to process it.
Sync it into IntuneApps → Android → open Managed Google Play → Sync. The app appears in the list after the sync completes (a few minutes).
Assign it as RequiredOpen Fleet Tracker → Properties / Assignments, and under Required add the device group. Save — this auto-installs it.
Create an App Configuration PolicyApps → Android → App configuration policies → Add → Managed devices. Set Platform = Android Enterprise, Targeted app = Fleet Tracker, Profile = Fully managed. Auto-grant the Location permissions (and Post notifications). Then in the Configuration Designer add the keys below.
Map the configuration keys (see table) — at minimum serialNumber (or deviceId), mail, and that fleet's ingest API key. Assign the policy to the same device group and Save.
Auto-grant permissions & protect the serviceIn the device/enrollment profile, set Default app permission policy = Auto grant so FINE + BACKGROUND location are granted silently, exempt Fleet Tracker from battery optimization, and on Samsung/Knox ensure the boot & foreground-service grants are present. (KPE config changes based on plugin version).

KnoxKPE Warning - Make sure to not enable factory reset protection with Intune as the main MDM, nothing to do with this app, but if you enable it Intune delete / reset does not work.

Configuration keys (Configuration Designer)

Hardware attributes (serial, device IDs) come from the dropdown in the designer — they can't be typed as {{token}} strings.

Key	Intune value	Used for
fleetTag	Static text (e.g. "Acme")	Optional — the API key already sets the fleet (only needed with a shared master key)
serialNumber	Serial number	Stable device identity (or IMEI)
deviceId	Intune device ID	Identity fallback
deviceName	Device name	Friendly name on the map
mail	Mail	Signed-in user's email (encrypted)
X-API-Key	Static text (your ingest key)	Authorizes the ping (required)

Zero-touch: on a factory-reset Knox/Samsung device with the app Required, KnoxKPE setup, the config policy assigned, and location auto-granted, tracking starts with no user interaction. Non-Samsung hardware may need the app opened once (Android's "stopped state" blocks boot events until first launch).

⊞ Windows Deploy on Windows (Intune)

The Windows agent installs as a standard Intune app. It runs in the background, identifies the machine by its Machine GUID, uses the hostname as the device name, and reports its location (it appears under the Windows platform filter on the dashboard).

Package the agentPackage fleet-agent.exe as a Win32 app for Intune.
Set the install commandPass the company's ingest key and fleet tag right on the install line:
```
fleet-agent.exe install --api=<ingest-key> --tag=Acme
```
--api is that fleet's ingest key from the dashboard (the key also sets the fleet, so --tag is optional). Add an uninstall command and a detection rule per your build.
Upload & assign as RequiredIntune → Apps → Windows → Add → Windows app (Win32), upload the package, then under Assignments → Required add the device group. Save to push the install.
VerifyAfter the install and the first ping interval, the machine appears on the dashboard with a Windows badge.

One install command per company — reuse the same fleet-agent.exe and just change --api and --tag for each fleet.

The ingest API key (required)

The location API is closed by default — every ping must carry a valid key, sent as the X-API-Key value in the device's configuration. Anything else is rejected and the location is not stored.

Issue an ingest key from the dashboard — one per fleet. The key is tied to its fleet, so every ping sent with it lands in that fleet automatically. Put it into the device's Intune configuration as the X-API-Key value, and revoke it at any time.

Anyone assigned to the fleet can also view and copy its key from the dashboard — open the KEY panel in the header.

Order matters. Make sure a device is sending its key before you rely on its feed — a ping without a valid key will not map to your fleet.

Encryption keys

User identity pulled from devices / Intune passthrough — email, username, name — is encrypted to a public key before it is stored. I cannot read it without the private key you make in the dashboard; only a holder of the matching private key can. Device IDs, serial, fleet tag, time recorded, and location stay readable (they're company assets, not personal data but after I confirm everything is running smooth locations will also be encrypted).

Keys are per fleet tag (one tenant = one keypair)

Open the Encryption Key panel from the dashboard header — each fleet tag you can see has its own row.
Generate & register — this makes a keypair in your browser, downloads the private-key backup (keep it safe), and registers the public key with the server. From then on that tag's pings are sealed to it.
Read names anywhere — on another browser, open the Encryption Key panel → Import a backup key to unlock. Without the key the dashboard shows "Encrypted".
Manage — per tag you can Rotate, Backup, or Forget; admins also get "Remove key".

No key = dropped. If a fleet tag has no registered key, that tag's identity is discarded on ingest (never stored in the clear). Register the key first if you want emails captured. If you lose the private key you will lose the past history of encrypted fields, please backup the key! (Email yourself or save the download with your IT docs).

First sign-in & 2FA

Every account is protected by an authenticator app (TOTP) — the same kind of 6-digit code used by Google Authenticator, Microsoft Authenticator, Authy, or 1Password.

Sign in on the login page with the username and password an admin gave you.
Scan the QR code shown on first sign-in with your authenticator app — or tap the key to copy it and add it manually.
Enter the 6-digit code to finish enrolment. From then on each sign-in asks for the current code.

Lost your phone? An admin can reset your 2FA from the admin pnael (the Reset 2FA button on your user row). You'll re-enrol with a fresh QR on your next sign-in.

Admins create logins, fleet tags, and ingest keys from the Admin pnael, and can reset any user's 2FA there.

Verify & troubleshoot

After install, wait up to ~5 minutes (the ping interval) for the first location. The device should appear with its fleet tag, name, and serial/ID; the user's email shows only on a browser holding that tag's key.

Symptom	What to check
App not installing	Confirm the Required assignment & group membership, then Sync Managed Google Play.
Config shows Pending	Force a Company Portal sync; confirm the policy targets the same group as the app; allow a few minutes to reach Succeeded.
No fleet / email	The App Configuration Policy isn't applied or a key isn't mapped — verify the API key and `mail` in the Configuration Designer.
No background pings (Samsung)	Confirm Location = "Allow all the time" was auto-granted and battery optimization is off.
Nothing after reboot (non-Samsung)	Open the app once (stopped-state), then confirm boot + background-location permissions are granted.
Pings rejected	The device isn't sending a valid ingest key — issue one from the admin console and set it in the device's configuration.
Email shows "Encrypted"	This browser doesn't hold that fleet tag's key. Open the Encryption Key panel → Import a backup, or Generate & register for the tag.

Need a hand? Head to the contact form on the home page and we'll get you sorted.