From 4bf263545365f4ef6a320ca400321ab718f9848d Mon Sep 17 00:00:00 2001 From: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> Date: Mon, 4 Dec 2023 11:16:55 -0500 Subject: [PATCH] Enroll hosts docs (#15374) - Move "Grant full disk access for macOS hosts" to Advanced section --- docs/Using Fleet/enroll-hosts.md | 30 ++++++++++++++---------------- 1 file changed, 14 insertions(+), 16 deletions(-) diff --git a/docs/Using Fleet/enroll-hosts.md b/docs/Using Fleet/enroll-hosts.md index 571fe6ac92..bfc2b0e7cd 100644 --- a/docs/Using Fleet/enroll-hosts.md +++ b/docs/Using Fleet/enroll-hosts.md @@ -48,10 +48,6 @@ With hosts segmented into teams, you can apply unique queries and give users acc To generate an installer that enrolls to a specific team: from the **Hosts** page, select the desired team from the menu at the top of the screen, then follow the instructions above for generating an installer. The team's enroll secret will be included in the generated command. - - - - ### Enroll multiple hosts If you're managing an enterprise environment with multiple hosts, you likely have an enterprise deployment tool like [Munki](https://www.munki.org/munki/), [Jamf Pro](https://www.jamf.com/products/jamf-pro/), [Chef](https://www.chef.io/), [Ansible](https://www.ansible.com/), or [Puppet](https://puppet.com/) to deliver software to your hosts. 
@@ -108,7 +104,15 @@ In the Google Admin console: 5. Enter the **Extension ID** and **Installation URL** using the data provided in the modal. 6. Under **Installation Policy**, select **Block**. -## Grant full disk access to osquery on macOS +## Advanced + +- [Grant full disk access to osquery on macOS](#grant-full-disk-access-to-osquery-on-macos) +- [Signing fleetd installer](#signing-fleetd-installer) +- [Generating Windows installers using local WiX toolset](#generating-windows-installers-using-local-wix-toolset) +- [fleetd configuration options](#fleetd-configuration-options) +- [Enroll hosts with plain osquery](#enroll-hosts-with-plain-osquery) + +### Grant full disk access to osquery on macOS macOS does not allow applications to access all system files by default. If you are using MDM, which is required to deploy these profiles, you @@ -117,8 +121,9 @@ access. This is necessary to query for files located in protected paths as well tables that require access to the [EndpointSecurity API](https://developer.apple.com/documentation/endpointsecurity#overview), such as *es_process_events*. -### Creating the configuration profile -#### Obtaining identifiers +#### Creating the configuration profile + +##### Obtaining identifiers If you use plain osquery, instructions are [available here](https://osquery.readthedocs.io/en/stable/deployment/process-auditing/). On a system with osquery installed via the Fleet osquery installer (fleetd), obtain the @@ -142,7 +147,7 @@ Note down the **executable path** and the entire **identifier**. Osqueryd will inherit the privileges from Orbit and does not need explicit permissions. -#### Creating the profile +##### Creating the profile Depending on your MDM, this might be possible in the UI or require a custom profile. If your MDM has a feature to configure *Policy Preferences*, follow these steps: 1. Configure the identifier type to “path.” 
@@ -154,7 +159,7 @@ If your MDM does not have built-in support for privacy preferences profiles, you [PPPC-Utility](https://github.com/jamf/PPPC-Utility) to create a profile with those values, then upload it to your MDM as a custom profile. -#### Test the profile +##### Test the profile Link the profile to a test group that contains at least one Mac. Once the computer has received the profile, which you can verify by looking at *Profiles* in *System Preferences*, run this query from Fleet: @@ -176,13 +181,6 @@ See the last hour of logs related to TCC permissions with this command: You can then look for `orbit` or `osquery` to narrow down results. -## Advanced - -- [Signing fleetd installer](#signing-fleetd-installer) -- [Generating Windows installers using local WiX toolset](#generating-windows-installers-using-local-wix-toolset) -- [fleetd configuration options](#fleetd-configuration-options) -- [Enroll hosts with plain osquery](#enroll-hosts-with-plain-osquery) - ### Signing fleetd installers >**Note:** Currently, the `fleetctl package` command does not support signing Windows fleetd installers. Windows installers can be signed after building.
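Review bot: In the new Advanced list (hunk `@@ -108,7 +104,15 @@`), the entry `- [Signing fleetd installer](#signing-fleetd-installer)` does not match the heading it points to, which the last hunk's context line shows as `### Signing fleetd installers` (plural); a slug generated from that heading text would be `#signing-fleetd-installers`, so the link is likely to land nowhere. The entry was carried over verbatim from the list removed in the final hunk, so the mismatch is pre-existing, but since the list is being rewritten this is the moment to change it to `- [Signing fleetd installers](#signing-fleetd-installers)`. The target headings of the other three entries are not in this diff, so they are worth checking the same way.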
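Review bot: Demoting `### Creating the configuration profile` to `####` and `#### Obtaining identifiers` to `#####` (hunk `@@ -117,8 +121,9 @@`, with the matching demotions of `Creating the profile` and `Test the profile` in the next two hunks) keeps the hierarchy consistent, but it pushes the page to five heading levels: Advanced > Grant full disk access to osquery on macOS > Creating the configuration profile > Obtaining identifiers. Renderers that build on-page navigation often stop at h3 or h4, so these step headings may disappear from the sidebar. As the visible lines show no body text between `Creating the configuration profile` and `Obtaining identifiers`, one way to stay at four levels is to drop that wrapper heading and keep the three step sections at `####`.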
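Review bot: Removing the old `## Advanced` heading and its list here (hunk `@@ -176,13 +181,6 @@`) is fine given the replacement added earlier in the file, and because the heading text `Advanced` is reused, any existing deep links to `#advanced` keep resolving, now to the earlier position. Worth confirming that no other `##` heading sits between the relocated `## Advanced` and `### Signing fleetd installers`, since the lines between the full disk access steps and this hunk are not in the diff; if one did, the signing, WiX, configuration and plain-osquery sections would no longer fall under Advanced even though the new list claims them.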