Added query to detect APNs certificates (#26876)

Create a query and assigned it to all teams to identify which macOS devices are no longer communicating with Fleet via MDM.
2026-05-23 17:08:53 +00:00 · 2025-03-05 13:36:00 -06:00 · 2025-03-05 13:36:00 -06:00 · 40d670e12f
commit 40d670e12f
parent 2c3d7e420e
2 changed files with 10 additions and 0 deletions
--- a/it-and-security/default.yml
+++ b/it-and-security/default.yml
@ -88,6 +88,7 @@ queries:
  - path: ./lib/all/queries/collect-fleetd-information.yml
  - path: ./lib/all/queries/collect-operating-system-information.yml
  - path: ./lib/all/queries/collect-known-vulnerable-chrome-extensions.yml
+  - path: ./lib/macos/queries/detect-apns-certificate.yml
 controls: 
  enable_disk_encryption: true
  macos_migration:
--- a/it-and-security/lib/macos/queries/detect-apns-certificate.yml
+++ b/it-and-security/lib/macos/queries/detect-apns-certificate.yml
@ -0,0 +1,9 @@
+- name: Detect APNs certificate by topic
+  automations_enabled: true
+  description: Detects macOS devices that are enrolled using an invalid APNs certificate.
+  discard_data: false
+  interval: 300
+  logging: snapshot
+  observer_can_run: true
+  platform: "darwin"
+  query: SELECT topic FROM mdm WHERE topic NOT LIKE 'com.apple.mgmt.External.8a3367bf-49d7-4dc3-ae41-c9de95f7b424';