fleet/it-and-security/lib/macos/configuration-profiles/fleet-okta-conditional-access.mobileconfig

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
        <!-- Trusted CA certificate -->
        <dict>
            <key>PayloadCertificateFileName</key>
            <string>conditional_access_ca.der</string>
            <key>PayloadContent</key>
            <data>$DOGFOOD_OKTA_CA_CERTIFICATE</data>
            <key>PayloadDescription</key>
            <string>Fleet conditional access CA certificate</string>
            <key>PayloadDisplayName</key>
            <string>Fleet conditional access CA</string>
            <key>PayloadIdentifier</key>
            <string>com.fleetdm.conditional-access-ca</string>
            <key>PayloadType</key>
            <string>com.apple.security.root</string>
            <key>PayloadUUID</key>
            <string>c6d7357b-5b6b-5577-bd3f-e6c886bad550</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
		<!-- SCEP configuration -->
		<dict>
			<key>PayloadContent</key>
			<dict>
				<key>URL</key>
				<string>https://dogfood.fleetdm.com/api/fleet/conditional_access/scep</string>
				<key>Challenge</key>
				<string>$DOGFOOD_GLOBAL_ENROLL_SECRET</string>
				<key>Keysize</key>
				<integer>2048</integer>
				<key>Key Type</key>
				<string>RSA</string>
				<key>Key Usage</key>
				<integer>5</integer>
                <key>ExtendedKeyUsage</key>
                <array>
                    <string>1.3.6.1.5.5.7.3.2</string>
                </array>
				<key>Subject</key>
				<array>
					<array>
						<array>
							<string>CN</string>
							<string>Fleet conditional access for Okta</string>
						</array>
					</array>
				</array>
				<key>SubjectAltName</key>
				<dict>
					<key>uniformResourceIdentifier</key>
					<array>
						<string>urn:device:apple:uuid:%HardwareUUID%</string>
					</array>
				</dict>
				<key>Retries</key>
				<integer>3</integer>
				<key>RetryDelay</key>
				<integer>10</integer>
                <!-- ACL for browser access -->
                <key>AllowAllAppsAccess</key>
                <true/>
                <key>KeyIsExtractable</key>
                <false/>
			</dict>
			<key>PayloadDescription</key>
			<string>Configures SCEP for Fleet conditional access for Okta certificate</string>
			<key>PayloadDisplayName</key>
			<string>Fleet conditional access SCEP</string>
			<key>PayloadIdentifier</key>
			<string>com.fleetdm.conditional-access-scep</string>
			<key>PayloadType</key>
			<string>com.apple.security.scep</string>
			<key>PayloadUUID</key>
			<string>478f8ebd-ded5-5808-962d-36da7aa06afe</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
		</dict>
        <!-- Identity preference for mTLS endpoint -->
        <dict>
            <key>Name</key>
            <string>https://okta.dogfood.fleetdm.com</string>
            <key>PayloadCertificateUUID</key>
            <string>478f8ebd-ded5-5808-962d-36da7aa06afe</string>
            <key>PayloadDescription</key>
            <string>Identity preference for mTLS endpoints</string>
            <key>PayloadDisplayName</key>
            <string>Fleet mTLS identity preference</string>
            <key>PayloadIdentifier</key>
            <string>com.fleetdm.conditional-access-preference</string>
            <key>PayloadType</key>
            <string>com.apple.security.identitypreference</string>
            <key>PayloadUUID</key>
            <string>686b683a-9052-5fe5-8dca-31b51b17bb2c</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
        <!-- Chrome web browser configuration -->
        <dict>
            <key>PayloadType</key>
            <string>com.apple.ManagedClient.preferences</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>PayloadIdentifier</key>
            <string>com.fleetdm.chrome.certs</string>
            <key>PayloadUUID</key>
            <string>1c1ab10a-e7b5-5c76-937e-03001cc9bffb</string>
            <key>PayloadDisplayName</key>
            <string>Chrome mTLS auto-select</string>
            <key>PayloadContent</key>
            <dict>
                <key>com.google.Chrome</key>
                <dict>
                    <key>Forced</key>
                    <array>
                        <dict>
                            <key>mcx_preference_settings</key>
                            <dict>
                                <key>AllowPolicyInIncognito</key>
                                <true/>
                                <key>AutoSelectCertificateForUrls</key>
                                <array>
                                    <!-- MUST be stringified JSON -->
                                    <string>{"pattern":"https://okta.dogfood.fleetdm.com","filter":{"SUBJECT":{"CN":"Fleet conditional access for Okta"}}}</string>
                                </array>
                            </dict>
                        </dict>
                    </array>
                </dict>
            </dict>
        </dict>
	</array>
	<key>PayloadDescription</key>
	<string>Configures SCEP enrollment for Okta conditional access</string>
	<key>PayloadDisplayName</key>
	<string>Fleet conditional access for Okta</string>
	<key>PayloadIdentifier</key>
	<string>com.fleetdm.conditional-access-okta</string>
	<key>PayloadOrganization</key>
	<string>Fleet Device Management</string>
	<key>PayloadRemovalDisallowed</key>
	<false/>
	<key>PayloadScope</key>
	<string>User</string>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>fa49f664-378e-5098-bc32-d8160215f873</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>
Pilot deployment of Okta Verify (#38646) This pull request introduces new configuration profiles to support Okta conditional access for macOS devices, specifically targeting the Information Technology department. It also updates the GitHub Actions workflow to include a new secret for the Okta CA certificate. Additionally, it removes the `workstations-canary` team configuration, likely as part of a cleanup or migration. The most important changes are: Conditional Access and Okta Integration: * Added a new configuration profile, `fleet-okta-conditional-access.mobileconfig`, to manage trusted CA certificates, SCEP enrollment, mTLS identity preferences, and Chrome mTLS auto-selection for Okta conditional access on macOS. This profile is applied to devices labeled with "Department: Information Technology". [[1]](diffhunk://#diff-904aba5588b0d2c8dc325414aa1e8f2cd8a324602ac8e0c1cd2a5dff28db357bR1-R157) [[2]](diffhunk://#diff-96f80858f5a487334ae6014cddaa65d1bb79d7e85fa0ea596d1e49063f5b99bdR72-R77) * Added a new configuration profile, `okta-verify-settings.mobileconfig`, to configure privacy preferences, managed login items, notification settings, and Okta Verify app settings for macOS devices in the Information Technology department. [[1]](diffhunk://#diff-b321656e070ad9cb0727fe7ced60565d88bf31d236ac2642d3192fcb375fa4b2R1-R129) [[2]](diffhunk://#diff-96f80858f5a487334ae6014cddaa65d1bb79d7e85fa0ea596d1e49063f5b99bdR72-R77) Workflow and Secrets Management: * Updated the GitHub Actions workflow (`dogfood-gitops.yml`) to include the `DOGFOOD_OKTA_CA_CERTIFICATE` secret, supporting the new Okta conditional access configuration. Configuration Cleanup: * Removed the `workstations-canary.yml` team configuration, eliminating its policies, software, scripts, and settings. --------- Co-authored-by: Allen Houchins <32207388+allenhouchins@users.noreply.github.com> Co-authored-by: Allen Houchins <allenhouchins@mac.com> 2026-01-28 22:24:21 +00:00			`<?xml version="1.0" encoding="UTF-8"?>`
			`<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">`
			`<plist version="1.0">`
			`<dict>`
			`<key>PayloadContent</key>`
			`<array>`
			`<!-- Trusted CA certificate -->`
			`<dict>`
			`<key>PayloadCertificateFileName</key>`
			`<string>conditional_access_ca.der</string>`
			`<key>PayloadContent</key>`
			`<data>$DOGFOOD_OKTA_CA_CERTIFICATE</data>`
			`<key>PayloadDescription</key>`
			`<string>Fleet conditional access CA certificate</string>`
			`<key>PayloadDisplayName</key>`
			`<string>Fleet conditional access CA</string>`
			`<key>PayloadIdentifier</key>`
			`<string>com.fleetdm.conditional-access-ca</string>`
			`<key>PayloadType</key>`
			`<string>com.apple.security.root</string>`
			`<key>PayloadUUID</key>`
			`<string>c6d7357b-5b6b-5577-bd3f-e6c886bad550</string>`
			`<key>PayloadVersion</key>`
			`<integer>1</integer>`
			`</dict>`
			`<!-- SCEP configuration -->`
			`<dict>`
			`<key>PayloadContent</key>`
			`<dict>`
			`<key>URL</key>`
			`<string>https://dogfood.fleetdm.com/api/fleet/conditional_access/scep</string>`
			`<key>Challenge</key>`
			`<string>$DOGFOOD_GLOBAL_ENROLL_SECRET</string>`
			`<key>Keysize</key>`
			`<integer>2048</integer>`
			`<key>Key Type</key>`
			`<string>RSA</string>`
			`<key>Key Usage</key>`
			`<integer>5</integer>`
			`<key>ExtendedKeyUsage</key>`
			`<array>`
			`<string>1.3.6.1.5.5.7.3.2</string>`
			`</array>`
			`<key>Subject</key>`
			`<array>`
			`<array>`
			`<array>`
			`<string>CN</string>`
			`<string>Fleet conditional access for Okta</string>`
			`</array>`
			`</array>`
			`</array>`
			`<key>SubjectAltName</key>`
			`<dict>`
			`<key>uniformResourceIdentifier</key>`
			`<array>`
			`<string>urn:device:apple:uuid:%HardwareUUID%</string>`
			`</array>`
			`</dict>`
			`<key>Retries</key>`
			`<integer>3</integer>`
			`<key>RetryDelay</key>`
			`<integer>10</integer>`
			`<!-- ACL for browser access -->`
			`<key>AllowAllAppsAccess</key>`
			`<true/>`
			`<key>KeyIsExtractable</key>`
			`<false/>`
			`</dict>`
			`<key>PayloadDescription</key>`
			`<string>Configures SCEP for Fleet conditional access for Okta certificate</string>`
			`<key>PayloadDisplayName</key>`
			`<string>Fleet conditional access SCEP</string>`
			`<key>PayloadIdentifier</key>`
			`<string>com.fleetdm.conditional-access-scep</string>`
			`<key>PayloadType</key>`
			`<string>com.apple.security.scep</string>`
			`<key>PayloadUUID</key>`
			`<string>478f8ebd-ded5-5808-962d-36da7aa06afe</string>`
			`<key>PayloadVersion</key>`
			`<integer>1</integer>`
			`</dict>`
			`<!-- Identity preference for mTLS endpoint -->`
			`<dict>`
			`<key>Name</key>`
			`<string>https://okta.dogfood.fleetdm.com</string>`
			`<key>PayloadCertificateUUID</key>`
			`<string>478f8ebd-ded5-5808-962d-36da7aa06afe</string>`
			`<key>PayloadDescription</key>`
			`<string>Identity preference for mTLS endpoints</string>`
			`<key>PayloadDisplayName</key>`
			`<string>Fleet mTLS identity preference</string>`
			`<key>PayloadIdentifier</key>`
			`<string>com.fleetdm.conditional-access-preference</string>`
			`<key>PayloadType</key>`
			`<string>com.apple.security.identitypreference</string>`
			`<key>PayloadUUID</key>`
			`<string>686b683a-9052-5fe5-8dca-31b51b17bb2c</string>`
			`<key>PayloadVersion</key>`
			`<integer>1</integer>`
			`</dict>`
			`<!-- Chrome web browser configuration -->`
			`<dict>`
			`<key>PayloadType</key>`
			`<string>com.apple.ManagedClient.preferences</string>`
			`<key>PayloadVersion</key>`
			`<integer>1</integer>`
			`<key>PayloadIdentifier</key>`
			`<string>com.fleetdm.chrome.certs</string>`
			`<key>PayloadUUID</key>`
			`<string>1c1ab10a-e7b5-5c76-937e-03001cc9bffb</string>`
			`<key>PayloadDisplayName</key>`
			`<string>Chrome mTLS auto-select</string>`
			`<key>PayloadContent</key>`
			`<dict>`
			`<key>com.google.Chrome</key>`
			`<dict>`
			`<key>Forced</key>`
			`<array>`
			`<dict>`
			`<key>mcx_preference_settings</key>`
			`<dict>`
			`<key>AllowPolicyInIncognito</key>`
			`<true/>`
			`<key>AutoSelectCertificateForUrls</key>`
			`<array>`
			`<!-- MUST be stringified JSON -->`
			`<string>{"pattern":"https://okta.dogfood.fleetdm.com","filter":{"SUBJECT":{"CN":"Fleet conditional access for Okta"}}}</string>`
			`</array>`
			`</dict>`
			`</dict>`
			`</array>`
			`</dict>`
			`</dict>`
			`</dict>`
			`</array>`
			`<key>PayloadDescription</key>`
			`<string>Configures SCEP enrollment for Okta conditional access</string>`
			`<key>PayloadDisplayName</key>`
			`<string>Fleet conditional access for Okta</string>`
			`<key>PayloadIdentifier</key>`
			`<string>com.fleetdm.conditional-access-okta</string>`
			`<key>PayloadOrganization</key>`
			`<string>Fleet Device Management</string>`
			`<key>PayloadRemovalDisallowed</key>`
			`<false/>`
			`<key>PayloadScope</key>`
			`<string>User</string>`
			`<key>PayloadType</key>`
			`<string>Configuration</string>`
			`<key>PayloadUUID</key>`
			`<string>fa49f664-378e-5098-bc32-d8160215f873</string>`
			`<key>PayloadVersion</key>`
			`<integer>1</integer>`
			`</dict>`
			`</plist>`