Moving mdm_profiles to it-and-security/lib/mdm_profiles (#17268)

Moving mdm_profiles to it-and-security/lib/mdm_profiles so that they are
together with other gitops config files.

---------

Co-authored-by: Noah Talerman <noahtal@umich.edu>

.github/workflows/dogfood-gitops.yml

@@ -6,7 +6,6 @@ on:
       - main
     paths:
       - 'it-and-security/**'
-      - 'mdm_profiles/**'
       - '.github/workflows/dogfood-gitops.yml'
   workflow_dispatch: # allows manual triggering
 
@@ -20,7 +19,7 @@ permissions:
 
 jobs:
   fleet-gitops:
-    timeout-minutes: 5
+    timeout-minutes: 10
     runs-on: ubuntu-latest
     steps:
       - name: Checkout our repository
@@ -33,6 +32,13 @@ jobs:
           ref: main
           path: fleet-gitops
 
+      - name: Apply env vars to profiles
+        env:
+          MANAGED_CHROME_ENROLLMENT_TOKEN: ${{ secrets.CLOUD_MANAGEMENT_ENROLLMENT_TOKEN }}
+        run: |
+          envsubst < ./it-and-security/lib/configuration-profiles/macos-chrome-enrollment.mobileconfig > ./it-and-security/lib/configuration-profiles/macos-chrome-enrollment.confidential.mobileconfig
+          mv ./it-and-security/lib/configuration-profiles/macos-chrome-enrollment.confidential.mobileconfig ./it-and-security/lib/configuration-profiles/macos-chrome-enrollment.mobileconfig
+
       - name: Apply latest configuration to Fleet
         uses: ./fleet-gitops/.github/gitops-action
         with:

docs/Using Fleet/MDM-macOS-setup-experience.md

@@ -273,7 +273,7 @@ To customize the macOS Setup Assistant, we will do the following steps:
 
 ### Step 1: create an automatic enrollment profile
 
-1. Download Fleet's example automatic enrollment profile by navigating to the example [here on GitHub](https://github.com/fleetdm/fleet/blob/main/mdm_profiles/automatic_enrollment.json) and clicking the download icon.
+1. Download Fleet's example automatic enrollment profile by navigating to the example [here on GitHub](https://github.com/fleetdm/fleet/blob/main/it-and-security/lib/automatic-enrollment.dep.json) and clicking the download icon.
 
 2. Open the automatic enrollment profile and replace the `profile_name` key with your organization's name.
 

it-and-security/lib/configuration-profiles/macos-chrome-enrollment.mobileconfig

@@ -6,7 +6,7 @@
 	<array>
 		<dict>
 			<key>CloudManagementEnrollmentToken</key>
-			<string>$CLOUD_MANAGEMENT_ENROLLMENT_TOKEN</string>
+			<string>$MANAGED_CHROME_ENROLLMENT_TOKEN</string>
 			<key>CloudReportingEnabled</key>
 			<true/>
 			<key>PayloadDisplayName</key>

it-and-security/teams/workstations-canary.yml

@@ -14,27 +14,27 @@ controls:
   enable_disk_encryption: true
   macos_settings:
     custom_settings:
-      - path: ../../mdm_profiles/automatic_updates.mobileconfig
-      - path: ../../mdm_profiles/chrome_enrollment.mobileconfig
-      - path: ../../mdm_profiles/disable_bluetooth_file_sharing.mobileconfig
-      - path: ../../mdm_profiles/disable_content_caching.mobileconfig
-      - path: ../../mdm_profiles/disable_guest_account.mobileconfig
-      - path: ../../mdm_profiles/disable_guest_shares.mobileconfig
-      - path: ../../mdm_profiles/disable_internet_sharing.mobileconfig
-      - path: ../../mdm_profiles/disable_media_sharing.mobileconfig
-      - path: ../../mdm_profiles/disable_safari_safefiles.mobileconfig
-      - path: ../../mdm_profiles/enable_doh.mobileconfig
-      - path: ../../mdm_profiles/enable_firewall_logging.mobileconfig
-      - path: ../../mdm_profiles/enable_gatekeeper.mobileconfig
-      - path: ../../mdm_profiles/enforce_library_validation.mobileconfig
-      - path: ../../mdm_profiles/firewall.mobileconfig
-      - path: ../../mdm_profiles/full_disk_access_for_orbit.mobileconfig
-      - path: ../../mdm_profiles/limit_ad_tracking.mobileconfig
-      - path: ../../mdm_profiles/misc.mobileconfig
-      - path: ../../mdm_profiles/password_policy.mobileconfig
-      - path: ../../mdm_profiles/prevent_autologon.mobileconfig
-      - path: ../../mdm_profiles/secure_terminal_keyboard.mobileconfig
-      - path: ../../mdm_profiles/time_and_date.mobileconfig
+      - path: ../lib/configuration-profiles/macos-automatic-updates.mobileconfig
+      - path: ../lib/configuration-profiles/macos-chrome-enrollment.mobileconfig
+      - path: ../lib/configuration-profiles/macos-date-time.mobileconfig
+      - path: ../lib/configuration-profiles/macos-disable-bluetooth-file-sharing.mobileconfig
+      - path: ../lib/configuration-profiles/macos-disable-content-caching.mobileconfig
+      - path: ../lib/configuration-profiles/macos-disable-guest-account.mobileconfig
+      - path: ../lib/configuration-profiles/macos-disable-guest-shares.mobileconfig
+      - path: ../lib/configuration-profiles/macos-disable-internet-sharing.mobileconfig
+      - path: ../lib/configuration-profiles/macos-disable-media-sharing.mobileconfig
+      - path: ../lib/configuration-profiles/macos-disable-safari-safefiles.mobileconfig
+      - path: ../lib/configuration-profiles/macos-enable-doh.mobileconfig
+      - path: ../lib/configuration-profiles/macos-enable-firewall-logging.mobileconfig
+      - path: ../lib/configuration-profiles/macos-enable-gatekeeper.mobileconfig
+      - path: ../lib/configuration-profiles/macos-enforce-library-validation.mobileconfig
+      - path: ../lib/configuration-profiles/macos-firewall.mobileconfig
+      - path: ../lib/configuration-profiles/macos-full-disk-access-for-fleetd.mobileconfig
+      - path: ../lib/configuration-profiles/macos-limit-ad-tracking.mobileconfig
+      - path: ../lib/configuration-profiles/macos-misc.mobileconfig
+      - path: ../lib/configuration-profiles/macos-password.mobileconfig
+      - path: ../lib/configuration-profiles/macos-prevent-autologon.mobileconfig
+      - path: ../lib/configuration-profiles/macos-secure-terminal-keyboard.mobileconfig
   macos_setup:
     bootstrap_package: ""
     enable_end_user_authentication: true

it-and-security/teams/workstations.yml

@@ -14,27 +14,27 @@ controls:
   enable_disk_encryption: true
   macos_settings:
     custom_settings:
-      - path: ../../mdm_profiles/automatic_updates.mobileconfig
-      - path: ../../mdm_profiles/chrome_enrollment.mobileconfig
-      - path: ../../mdm_profiles/disable_bluetooth_file_sharing.mobileconfig
-      - path: ../../mdm_profiles/disable_content_caching.mobileconfig
-      - path: ../../mdm_profiles/disable_guest_account.mobileconfig
-      - path: ../../mdm_profiles/disable_guest_shares.mobileconfig
-      - path: ../../mdm_profiles/disable_internet_sharing.mobileconfig
-      - path: ../../mdm_profiles/disable_media_sharing.mobileconfig
-      - path: ../../mdm_profiles/disable_safari_safefiles.mobileconfig
-      - path: ../../mdm_profiles/enable_doh.mobileconfig
-      - path: ../../mdm_profiles/enable_firewall_logging.mobileconfig
-      - path: ../../mdm_profiles/enable_gatekeeper.mobileconfig
-      - path: ../../mdm_profiles/enforce_library_validation.mobileconfig
-      - path: ../../mdm_profiles/firewall.mobileconfig
-      - path: ../../mdm_profiles/full_disk_access_for_orbit.mobileconfig
-      - path: ../../mdm_profiles/limit_ad_tracking.mobileconfig
-      - path: ../../mdm_profiles/misc.mobileconfig
-      - path: ../../mdm_profiles/password_policy.mobileconfig
-      - path: ../../mdm_profiles/prevent_autologon.mobileconfig
-      - path: ../../mdm_profiles/secure_terminal_keyboard.mobileconfig
-      - path: ../../mdm_profiles/time_and_date.mobileconfig
+      - path: ../lib/configuration-profiles/macos-automatic-updates.mobileconfig
+      - path: ../lib/configuration-profiles/macos-date-time.mobileconfig
+      - path: ../lib/configuration-profiles/macos-chrome-enrollment.mobileconfig
+      - path: ../lib/configuration-profiles/macos-disable-bluetooth-file-sharing.mobileconfig
+      - path: ../lib/configuration-profiles/macos-disable-content-caching.mobileconfig
+      - path: ../lib/configuration-profiles/macos-disable-guest-account.mobileconfig
+      - path: ../lib/configuration-profiles/macos-disable-guest-shares.mobileconfig
+      - path: ../lib/configuration-profiles/macos-disable-internet-sharing.mobileconfig
+      - path: ../lib/configuration-profiles/macos-disable-media-sharing.mobileconfig
+      - path: ../lib/configuration-profiles/macos-disable-safari-safefiles.mobileconfig
+      - path: ../lib/configuration-profiles/macos-enable-doh.mobileconfig
+      - path: ../lib/configuration-profiles/macos-enable-firewall-logging.mobileconfig
+      - path: ../lib/configuration-profiles/macos-enable-gatekeeper.mobileconfig
+      - path: ../lib/configuration-profiles/macos-enforce-library-validation.mobileconfig
+      - path: ../lib/configuration-profiles/macos-firewall.mobileconfig
+      - path: ../lib/configuration-profiles/macos-full-disk-access-for-fleetd.mobileconfig
+      - path: ../lib/configuration-profiles/macos-limit-ad-tracking.mobileconfig
+      - path: ../lib/configuration-profiles/macos-misc.mobileconfig
+      - path: ../lib/configuration-profiles/macos-password.mobileconfig
+      - path: ../lib/configuration-profiles/macos-prevent-autologon.mobileconfig
+      - path: ../lib/configuration-profiles/macos-secure-terminal-keyboard.mobileconfig
   macos_setup:
     bootstrap_package: ""
     enable_end_user_authentication: true