Enroll hosts docs (#15374)

- Move "Grant full disk access for macOS hosts" to Advanced section
Noah Talerman 2023-12-04 11:16:55 -05:00 committed by GitHub
parent 0db59a7a25
commit 4bf2635453
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -48,10 +48,6 @@ With hosts segmented into teams, you can apply unique queries and give users acc
To generate an installer that enrolls to a specific team: from the **Hosts** page, select the desired team from the menu at the top of the screen, then follow the instructions above for generating an installer. The team's enroll secret will be included in the generated command.
### Enroll multiple hosts
If you're managing an enterprise environment with multiple hosts, you likely have an enterprise deployment tool like [Munki](https://www.munki.org/munki/), [Jamf Pro](https://www.jamf.com/products/jamf-pro/), [Chef](https://www.chef.io/), [Ansible](https://www.ansible.com/), or [Puppet](https://puppet.com/) to deliver software to your hosts.
@ -108,7 +104,15 @@ In the Google Admin console:
5. Enter the **Extension ID** and **Installation URL** using the data provided in the modal.
6. Under **Installation Policy**, select **Block**.
## Grant full disk access to osquery on macOS
## Advanced
- [Grant full disk access to osquery on macOS](#grant-full-disk-access-to-osquery-on-macos)
- [Signing fleetd installer](#signing-fleetd-installer)
- [Generating Windows installers using local WiX toolset](#generating-windows-installers-using-local-wix-toolset)
- [fleetd configuration options](#fleetd-configuration-options)
- [Enroll hosts with plain osquery](#enroll-hosts-with-plain-osquery)
### Grant full disk access to osquery on macOS
macOS does not allow applications to access all system files by default. If you are using MDM, which
is required to deploy these profiles, you
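Review bot: demoting the heading at the end of this hunk from `##` to `###` leaves the anchor `#grant-full-disk-access-to-osquery-on-macos` unchanged (GitHub-style anchors derive from heading text, not level), so the new entry in the `## Advanced` list and any existing links to this section still resolve; the subsections beneath it must be demoted one level as well so they nest under the new `###`, which the later hunks do. Worth double-checking that no other list on the page still links to this section under its old top-level position.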
@ -117,8 +121,9 @@ access. This is necessary to query for files located in protected paths as well
tables that require access to the [EndpointSecurity
API](https://developer.apple.com/documentation/endpointsecurity#overview), such as *es_process_events*.
### Creating the configuration profile
#### Obtaining identifiers
#### Creating the configuration profile
##### Obtaining identifiers
If you use plain osquery, instructions are [available here](https://osquery.readthedocs.io/en/stable/deployment/process-auditing/).
On a system with osquery installed via the Fleet osquery installer (fleetd), obtain the
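Review bot: this hunk pushes "Obtaining identifiers" down to `#####` (h5); check how the docs site renders and indexes h5, since many themes style it almost identically to body text and drop it from the page table of contents, which would make this step and its siblings hard to find. If the site's TOC stops at h4, consider keeping "Creating the configuration profile" at `####` and presenting the steps beneath it as an ordered sequence rather than h5 headings.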
@ -142,7 +147,7 @@ Note down the **executable path** and the entire **identifier**.
Osqueryd will inherit the privileges from Orbit and does not need explicit permissions.
#### Creating the profile
##### Creating the profile
Depending on your MDM, this might be possible in the UI or require a custom profile. If your MDM has a feature to configure *Policy Preferences*, follow these steps:
1. Configure the identifier type to “path.”
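Review bot: "Creating the configuration profile" (`####`) and its child "Creating the profile" (`#####`) read as near-duplicates, which is more confusing now that they sit one level apart; since this hunk already rewrites the child heading, consider renaming it to something that distinguishes it from the parent, e.g. `##### Build and upload the profile`.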
@ -154,7 +159,7 @@ If your MDM does not have built-in support for privacy preferences profiles, you
[PPPC-Utility](https://github.com/jamf/PPPC-Utility) to create a profile with those values, then upload it to
your MDM as a custom profile.
#### Test the profile
##### Test the profile
Link the profile to a test group that contains at least one Mac.
Once the computer has received the profile, which you can verify by looking at *Profiles* in *System
Preferences*, run this query from Fleet:
@ -176,13 +181,6 @@ See the last hour of logs related to TCC permissions with this command:
You can then look for `orbit` or `osquery` to narrow down results.
## Advanced
- [Signing fleetd installer](#signing-fleetd-installer)
- [Generating Windows installers using local WiX toolset](#generating-windows-installers-using-local-wix-toolset)
- [fleetd configuration options](#fleetd-configuration-options)
- [Enroll hosts with plain osquery](#enroll-hosts-with-plain-osquery)
### Signing fleetd installers
>**Note:** Currently, the `fleetctl package` command does not support signing Windows fleetd installers. Windows installers can be signed after building.
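Review bot: the list removed here carries `[Signing fleetd installer](#signing-fleetd-installer)` while the heading that follows is `### Signing fleetd installers` (plural), so that anchor resolves to nothing; the copy of this list added at the top of the Advanced section keeps the same anchor, so the broken link is moved rather than fixed. Change the link to `#signing-fleetd-installers` (or make the heading singular) in the new list before merging.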