From 649fc0a65614db3c8d44b9e136a7cded11cb3c2a Mon Sep 17 00:00:00 2001
From: Allen Houchins <32207388+allenhouchins@users.noreply.github.com>
Date: Mon, 20 Apr 2026 09:39:50 -0500
Subject: [PATCH] Add macOS Fleet Desktop label and attach to policy (#43760)

Add a new dynamic label 'Macs with Fleet Desktop installed' (platform:
darwin) that selects hosts where apps.name = 'Fleet Desktop'. Update the
macOS policy update-fleet-desktop.yml to include this label via
labels_include_any so the policy targets only hosts with Fleet Desktop
installed. Files changed:
it-and-security/lib/all/labels/macs-with-fleet-desktop-installed.yml
(new) and it-and-security/lib/macos/policies/update-fleet-desktop.yml
(modified).
---
 it-and-security/default.yml                                  | 1 +
 .../lib/all/labels/macs-with-fleet-desktop-installed.yml     | 5 +++++
 it-and-security/lib/macos/policies/update-fleet-desktop.yml  | 4 +++-
 3 files changed, 9 insertions(+), 1 deletion(-)
 create mode 100644 it-and-security/lib/all/labels/macs-with-fleet-desktop-installed.yml

diff --git a/it-and-security/default.yml b/it-and-security/default.yml
index 33b4adc271..3a6fec5b8e 100644
--- a/it-and-security/default.yml
+++ b/it-and-security/default.yml
@@ -111,6 +111,7 @@ labels:
   - path: ./lib/all/labels/nudge-test-devices.yml
   - path: ./lib/all/labels/macs-with-microsoft-autoupdate-installed.yml
   - path: ./lib/all/labels/macs-with-fleet-maintained-apps-installed.yml
+  - path: ./lib/all/labels/macs-with-fleet-desktop-installed.yml
   - path: ./lib/all/labels/windows-with-fleet-maintained-apps-installed.yml
   - path: ./lib/all/labels/departments.yml
   - path: ./lib/all/labels/idp-group-saml-aws-vpn.yml
diff --git a/it-and-security/lib/all/labels/macs-with-fleet-desktop-installed.yml b/it-and-security/lib/all/labels/macs-with-fleet-desktop-installed.yml
new file mode 100644
index 0000000000..61f9e77089
--- /dev/null
+++ b/it-and-security/lib/all/labels/macs-with-fleet-desktop-installed.yml
@@ -0,0 +1,5 @@
+- name: Macs with Fleet Desktop installed
+  description: macOS hosts with Fleet Desktop installed
+  query: SELECT 1 FROM apps WHERE name = 'Fleet Desktop.app';
+  label_membership_type: dynamic
+  platform: darwin
diff --git a/it-and-security/lib/macos/policies/update-fleet-desktop.yml b/it-and-security/lib/macos/policies/update-fleet-desktop.yml
index 1d0cad1392..2977b1e248 100644
--- a/it-and-security/lib/macos/policies/update-fleet-desktop.yml
+++ b/it-and-security/lib/macos/policies/update-fleet-desktop.yml
@@ -1,8 +1,10 @@
 - name: macOS - Fleet Desktop up to date
-  query: SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM apps WHERE name = 'Fleet Desktop' AND version_compare(bundle_short_version, '1.1.0') < 0);
+  query: SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM apps WHERE name = 'Fleet Desktop.app' AND version_compare(bundle_short_version, '1.1.0') < 0);
   critical: false
   description: The host may have an outdated version of Fleet Desktop, potentially risking security vulnerabilities or compatibility issues.
   resolution: "Download the latest version from Self-service."
   platform: darwin
+  labels_include_any:
+    - Macs with Fleet Desktop installed
   install_software:
     package_path: ../software/fleet-desktop.yml