From 40d670e12fb901307e4f09fac2113173cea16498 Mon Sep 17 00:00:00 2001
From: Allen Houchins <32207388+allenhouchins@users.noreply.github.com>
Date: Wed, 5 Mar 2025 13:36:00 -0600
Subject: [PATCH] Added query to detect APNs certificates (#26876)

Create a query and assigned it to all teams to identify which macOS devices are no longer communicating with Fleet via MDM.
---
 it-and-security/default.yml | 1 +
 .../lib/macos/queries/detect-apns-certificate.yml | 9 +++++++++
 2 files changed, 10 insertions(+)
 create mode 100644 it-and-security/lib/macos/queries/detect-apns-certificate.yml

diff --git a/it-and-security/default.yml b/it-and-security/default.yml
index bf942122a4..f52cb1d202 100644
--- a/it-and-security/default.yml
+++ b/it-and-security/default.yml
@@ -88,6 +88,7 @@ queries:
   - path: ./lib/all/queries/collect-fleetd-information.yml
   - path: ./lib/all/queries/collect-operating-system-information.yml
   - path: ./lib/all/queries/collect-known-vulnerable-chrome-extensions.yml
+  - path: ./lib/macos/queries/detect-apns-certificate.yml
 controls:
   enable_disk_encryption: true
   macos_migration:
diff --git a/it-and-security/lib/macos/queries/detect-apns-certificate.yml b/it-and-security/lib/macos/queries/detect-apns-certificate.yml
new file mode 100644
index 0000000000..50ad55f909
--- /dev/null
+++ b/it-and-security/lib/macos/queries/detect-apns-certificate.yml
@@ -0,0 +1,9 @@
+- name: Detect APNs certificate by topic
+  automations_enabled: true
+  description: Detects macOS devices that are enrolled using an invalid APNs certificate.
+  discard_data: false
+  interval: 300
+  logging: snapshot
+  observer_can_run: true
+  platform: "darwin"
+  query: SELECT topic FROM mdm WHERE topic NOT LIKE 'com.apple.mgmt.External.8a3367bf-49d7-4dc3-ae41-c9de95f7b424';
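Review bot: The `query` line in the new detect-apns-certificate.yml pins one APNs topic as a literal, so the query reports every host whose `topic` differs from that single UUID — including hosts enrolled against a legitimately re-issued APNs certificate that carries a new topic, and, if the `mdm` table yields a row with an empty `topic` for hosts that are not MDM-enrolled at all, those hosts as well — while a NULL `topic` is never reported because `NOT LIKE` evaluates to NULL rather than true. The `description` promises detection of an "invalid APNs certificate", which is broader than what the predicate actually checks, and nothing records that the literal must be updated whenever the APNs certificate is replaced; I would make the text match the check, e.g. `description: Reports macOS hosts whose MDM enrollment topic differs from the expected Fleet APNs topic. Update the topic literal in the query whenever the APNs certificate is replaced.` Since the literal contains no `%` or `_` wildcards, `WHERE topic <> 'com.apple.mgmt.External.8a3367bf-49d7-4dc3-ae41-c9de95f7b424'` states the intent more precisely than `NOT LIKE`, whose ASCII matching is case-insensitive in SQLite. As a point of style, `platform: "darwin"` is the only quoted scalar in the file while the other string values are plain; either form works, but the file should pick one.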