diff --git a/.github/workflows/dogfood-gitops.yml b/.github/workflows/dogfood-gitops.yml
index 10953fe23a..14c23204cc 100644
--- a/.github/workflows/dogfood-gitops.yml
+++ b/.github/workflows/dogfood-gitops.yml
@@ -6,7 +6,6 @@ on:
- main
paths:
- 'it-and-security/**'
- - 'mdm_profiles/**'
- '.github/workflows/dogfood-gitops.yml'
workflow_dispatch: # allows manual triggering
@@ -20,7 +19,7 @@ permissions:
jobs:
fleet-gitops:
- timeout-minutes: 5
+ timeout-minutes: 10
runs-on: ubuntu-latest
steps:
- name: Checkout our repository
@@ -33,6 +32,13 @@ jobs:
ref: main
path: fleet-gitops
+ - name: Apply env vars to profiles
+ env:
+ MANAGED_CHROME_ENROLLMENT_TOKEN: ${{ secrets.CLOUD_MANAGEMENT_ENROLLMENT_TOKEN }}
+ run: |
+ envsubst < ./it-and-security/lib/configuration-profiles/macos-chrome-enrollment.mobileconfig > ./it-and-security/lib/configuration-profiles/macos-chrome-enrollment.confidential.mobileconfig
+ mv ./it-and-security/lib/configuration-profiles/macos-chrome-enrollment.confidential.mobileconfig ./it-and-security/lib/configuration-profiles/macos-chrome-enrollment.mobileconfig
+
- name: Apply latest configuration to Fleet
uses: ./fleet-gitops/.github/gitops-action
with:
diff --git a/docs/Using Fleet/MDM-macOS-setup-experience.md b/docs/Using Fleet/MDM-macOS-setup-experience.md
index 6ea511b251..8ed4d055fb 100644
--- a/docs/Using Fleet/MDM-macOS-setup-experience.md
+++ b/docs/Using Fleet/MDM-macOS-setup-experience.md
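Review bot: The `envsubst` in the new "Apply env vars to profiles" step is called without a variable list, so it expands every `$NAME` found in macos-chrome-enrollment.mobileconfig from the runner environment, and when `secrets.CLOUD_MANAGEMENT_ENROLLMENT_TOKEN` is not available to the run the placeholder is rendered as an empty string and the following gitops step pushes a profile with an empty enrollment token. Restricting the substitution and refusing to continue on an empty value keeps both failure modes out of the applied profile: `test -n "$MANAGED_CHROME_ENROLLMENT_TOKEN"` as the first line of the script, and `envsubst '$MANAGED_CHROME_ENROLLMENT_TOKEN' < ./it-and-security/lib/configuration-profiles/macos-chrome-enrollment.mobileconfig > ./it-and-security/lib/configuration-profiles/macos-chrome-enrollment.confidential.mobileconfig` in place of the bare `envsubst < … > …`. After the `mv` the tracked profile in the checkout holds the real token, so a step comment such as `# NOTE: from this step on the chrome-enrollment profile in the working tree contains the secret; later steps must not print or upload it` would help anyone extending the job. The `fleet-gitops` job continues past the end of this hunk.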
@@ -273,7 +273,7 @@ To customize the macOS Setup Assistant, we will do the following steps:
### Step 1: create an automatic enrollment profile
-1. Download Fleet's example automatic enrollment profile by navigating to the example [here on GitHub](https://github.com/fleetdm/fleet/blob/main/mdm_profiles/automatic_enrollment.json) and clicking the download icon.
+1. Download Fleet's example automatic enrollment profile by navigating to the example [here on GitHub](https://github.com/fleetdm/fleet/blob/main/it-and-security/lib/automatic-enrollment.dep.json) and clicking the download icon.
2. Open the automatic enrollment profile and replace the `profile_name` key with your organization's name.
diff --git a/mdm_profiles/automatic_enrollment.json b/it-and-security/lib/automatic-enrollment.dep.json
similarity index 100%
rename from mdm_profiles/automatic_enrollment.json
rename to it-and-security/lib/automatic-enrollment.dep.json
diff --git a/mdm_profiles/automatic_updates.mobileconfig b/it-and-security/lib/configuration-profiles/macos-automatic-updates.mobileconfig
similarity index 100%
rename from mdm_profiles/automatic_updates.mobileconfig
rename to it-and-security/lib/configuration-profiles/macos-automatic-updates.mobileconfig
diff --git a/mdm_profiles/chrome_enrollment.mobileconfig b/it-and-security/lib/configuration-profiles/macos-chrome-enrollment.mobileconfig
similarity index 96%
rename from mdm_profiles/chrome_enrollment.mobileconfig
rename to it-and-security/lib/configuration-profiles/macos-chrome-enrollment.mobileconfig
index af28f4690a..ba4f3a09da 100644
--- a/mdm_profiles/chrome_enrollment.mobileconfig
+++ b/it-and-security/lib/configuration-profiles/macos-chrome-enrollment.mobileconfig
@@ -6,7 +6,7 @@ CloudManagementEnrollmentToken
- $CLOUD_MANAGEMENT_ENROLLMENT_TOKEN
+ $MANAGED_CHROME_ENROLLMENT_TOKEN
CloudReportingEnabled
PayloadDisplayName
diff --git a/mdm_profiles/time_and_date.mobileconfig b/it-and-security/lib/configuration-profiles/macos-date-time.mobileconfig
similarity index 100%
rename from mdm_profiles/time_and_date.mobileconfig
rename to it-and-security/lib/configuration-profiles/macos-date-time.mobileconfig
diff --git a/mdm_profiles/disable_bluetooth_file_sharing.mobileconfig b/it-and-security/lib/configuration-profiles/macos-disable-bluetooth-file-sharing.mobileconfig
similarity index 100%
rename from mdm_profiles/disable_bluetooth_file_sharing.mobileconfig
rename to it-and-security/lib/configuration-profiles/macos-disable-bluetooth-file-sharing.mobileconfig
diff --git a/mdm_profiles/disable_content_caching.mobileconfig b/it-and-security/lib/configuration-profiles/macos-disable-content-caching.mobileconfig
similarity index 100%
rename from mdm_profiles/disable_content_caching.mobileconfig
rename to it-and-security/lib/configuration-profiles/macos-disable-content-caching.mobileconfig
diff --git a/mdm_profiles/disable_guest_account.mobileconfig b/it-and-security/lib/configuration-profiles/macos-disable-guest-account.mobileconfig
similarity index 100%
rename from mdm_profiles/disable_guest_account.mobileconfig
rename to it-and-security/lib/configuration-profiles/macos-disable-guest-account.mobileconfig
diff --git a/mdm_profiles/disable_guest_shares.mobileconfig b/it-and-security/lib/configuration-profiles/macos-disable-guest-shares.mobileconfig
similarity index 100%
rename from mdm_profiles/disable_guest_shares.mobileconfig
rename to it-and-security/lib/configuration-profiles/macos-disable-guest-shares.mobileconfig
diff --git a/mdm_profiles/disable_internet_sharing.mobileconfig b/it-and-security/lib/configuration-profiles/macos-disable-internet-sharing.mobileconfig
similarity index 100%
rename from mdm_profiles/disable_internet_sharing.mobileconfig
rename to it-and-security/lib/configuration-profiles/macos-disable-internet-sharing.mobileconfig
diff --git a/mdm_profiles/disable_media_sharing.mobileconfig b/it-and-security/lib/configuration-profiles/macos-disable-media-sharing.mobileconfig
similarity index 100%
rename from mdm_profiles/disable_media_sharing.mobileconfig
rename to it-and-security/lib/configuration-profiles/macos-disable-media-sharing.mobileconfig
diff --git a/mdm_profiles/disable_safari_safefiles.mobileconfig b/it-and-security/lib/configuration-profiles/macos-disable-safari-safefiles.mobileconfig
similarity index 100%
rename from mdm_profiles/disable_safari_safefiles.mobileconfig
rename to it-and-security/lib/configuration-profiles/macos-disable-safari-safefiles.mobileconfig
diff --git a/mdm_profiles/enable_doh.mobileconfig b/it-and-security/lib/configuration-profiles/macos-enable-doh.mobileconfig
similarity index 100%
rename from mdm_profiles/enable_doh.mobileconfig
rename to it-and-security/lib/configuration-profiles/macos-enable-doh.mobileconfig
diff --git a/mdm_profiles/enable_firewall_logging.mobileconfig b/it-and-security/lib/configuration-profiles/macos-enable-firewall-logging.mobileconfig
similarity index 100%
rename from mdm_profiles/enable_firewall_logging.mobileconfig
rename to it-and-security/lib/configuration-profiles/macos-enable-firewall-logging.mobileconfig
diff --git a/mdm_profiles/enable_gatekeeper.mobileconfig b/it-and-security/lib/configuration-profiles/macos-enable-gatekeeper.mobileconfig
similarity index 100%
rename from mdm_profiles/enable_gatekeeper.mobileconfig
rename to it-and-security/lib/configuration-profiles/macos-enable-gatekeeper.mobileconfig
diff --git a/mdm_profiles/enforce_library_validation.mobileconfig b/it-and-security/lib/configuration-profiles/macos-enforce-library-validation.mobileconfig
similarity index 100%
rename from mdm_profiles/enforce_library_validation.mobileconfig
rename to it-and-security/lib/configuration-profiles/macos-enforce-library-validation.mobileconfig
diff --git a/mdm_profiles/firewall.mobileconfig b/it-and-security/lib/configuration-profiles/macos-firewall.mobileconfig
similarity index 100%
rename from mdm_profiles/firewall.mobileconfig
rename to it-and-security/lib/configuration-profiles/macos-firewall.mobileconfig
diff --git a/mdm_profiles/full_disk_access_for_orbit.mobileconfig b/it-and-security/lib/configuration-profiles/macos-full-disk-access-for-fleetd.mobileconfig
similarity index 100%
rename from mdm_profiles/full_disk_access_for_orbit.mobileconfig
rename to it-and-security/lib/configuration-profiles/macos-full-disk-access-for-fleetd.mobileconfig
diff --git a/mdm_profiles/limit_ad_tracking.mobileconfig b/it-and-security/lib/configuration-profiles/macos-limit-ad-tracking.mobileconfig
similarity index 100%
rename from mdm_profiles/limit_ad_tracking.mobileconfig
rename to it-and-security/lib/configuration-profiles/macos-limit-ad-tracking.mobileconfig
diff --git a/mdm_profiles/misc.mobileconfig b/it-and-security/lib/configuration-profiles/macos-misc.mobileconfig
similarity index 100%
rename from mdm_profiles/misc.mobileconfig
rename to it-and-security/lib/configuration-profiles/macos-misc.mobileconfig
diff --git a/mdm_profiles/password_policy.mobileconfig b/it-and-security/lib/configuration-profiles/macos-password.mobileconfig
similarity index 100%
rename from mdm_profiles/password_policy.mobileconfig
rename to it-and-security/lib/configuration-profiles/macos-password.mobileconfig
diff --git a/mdm_profiles/prevent_autologon.mobileconfig b/it-and-security/lib/configuration-profiles/macos-prevent-autologon.mobileconfig
similarity index 100%
rename from mdm_profiles/prevent_autologon.mobileconfig
rename to it-and-security/lib/configuration-profiles/macos-prevent-autologon.mobileconfig
diff --git a/mdm_profiles/secure_terminal_keyboard.mobileconfig b/it-and-security/lib/configuration-profiles/macos-secure-terminal-keyboard.mobileconfig
similarity index 100%
rename from mdm_profiles/secure_terminal_keyboard.mobileconfig
rename to it-and-security/lib/configuration-profiles/macos-secure-terminal-keyboard.mobileconfig
diff --git a/it-and-security/teams/workstations-canary.yml b/it-and-security/teams/workstations-canary.yml
index bd34a4f4a1..1a94399ae7 100644
--- a/it-and-security/teams/workstations-canary.yml
+++ b/it-and-security/teams/workstations-canary.yml
@@ -14,27 +14,27 @@ controls:
enable_disk_encryption: true
macos_settings:
custom_settings:
- - path: ../../mdm_profiles/automatic_updates.mobileconfig
- - path: ../../mdm_profiles/chrome_enrollment.mobileconfig
- - path: ../../mdm_profiles/disable_bluetooth_file_sharing.mobileconfig
- - path: ../../mdm_profiles/disable_content_caching.mobileconfig
- - path: ../../mdm_profiles/disable_guest_account.mobileconfig
- - path: ../../mdm_profiles/disable_guest_shares.mobileconfig
- - path: ../../mdm_profiles/disable_internet_sharing.mobileconfig
- - path: ../../mdm_profiles/disable_media_sharing.mobileconfig
- - path: ../../mdm_profiles/disable_safari_safefiles.mobileconfig
- - path: ../../mdm_profiles/enable_doh.mobileconfig
- - path: ../../mdm_profiles/enable_firewall_logging.mobileconfig
- - path: ../../mdm_profiles/enable_gatekeeper.mobileconfig
- - path: ../../mdm_profiles/enforce_library_validation.mobileconfig
- - path: ../../mdm_profiles/firewall.mobileconfig
- - path: ../../mdm_profiles/full_disk_access_for_orbit.mobileconfig
- - path: ../../mdm_profiles/limit_ad_tracking.mobileconfig
- - path: ../../mdm_profiles/misc.mobileconfig
- - path: ../../mdm_profiles/password_policy.mobileconfig
- - path: ../../mdm_profiles/prevent_autologon.mobileconfig
- - path: ../../mdm_profiles/secure_terminal_keyboard.mobileconfig
- - path: ../../mdm_profiles/time_and_date.mobileconfig
+ - path: ../lib/configuration-profiles/macos-automatic-updates.mobileconfig
+ - path: ../lib/configuration-profiles/macos-chrome-enrollment.mobileconfig
+ - path: ../lib/configuration-profiles/macos-date-time.mobileconfig
+ - path: ../lib/configuration-profiles/macos-disable-bluetooth-file-sharing.mobileconfig
+ - path: ../lib/configuration-profiles/macos-disable-content-caching.mobileconfig
+ - path: ../lib/configuration-profiles/macos-disable-guest-account.mobileconfig
+ - path: ../lib/configuration-profiles/macos-disable-guest-shares.mobileconfig
+ - path: 
../lib/configuration-profiles/macos-disable-internet-sharing.mobileconfig
+ - path: ../lib/configuration-profiles/macos-disable-media-sharing.mobileconfig
+ - path: ../lib/configuration-profiles/macos-disable-safari-safefiles.mobileconfig
+ - path: ../lib/configuration-profiles/macos-enable-doh.mobileconfig
+ - path: ../lib/configuration-profiles/macos-enable-firewall-logging.mobileconfig
+ - path: ../lib/configuration-profiles/macos-enable-gatekeeper.mobileconfig
+ - path: ../lib/configuration-profiles/macos-enforce-library-validation.mobileconfig
+ - path: ../lib/configuration-profiles/macos-firewall.mobileconfig
+ - path: ../lib/configuration-profiles/macos-full-disk-access-for-fleetd.mobileconfig
+ - path: ../lib/configuration-profiles/macos-limit-ad-tracking.mobileconfig
+ - path: ../lib/configuration-profiles/macos-misc.mobileconfig
+ - path: ../lib/configuration-profiles/macos-password.mobileconfig
+ - path: ../lib/configuration-profiles/macos-prevent-autologon.mobileconfig
+ - path: ../lib/configuration-profiles/macos-secure-terminal-keyboard.mobileconfig
macos_setup:
bootstrap_package: ""
enable_end_user_authentication: true
diff --git a/it-and-security/teams/workstations.yml b/it-and-security/teams/workstations.yml
index 65fe53fdc7..445166ce95 100644
--- a/it-and-security/teams/workstations.yml
+++ b/it-and-security/teams/workstations.yml
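Review bot: The rewritten `custom_settings` list in this canary hunk is in alphabetical order by file name (`macos-chrome-enrollment` before `macos-date-time`), but the corresponding hunk in it-and-security/teams/workstations.yml lists `macos-date-time.mobileconfig` before `macos-chrome-enrollment.mobileconfig`, so the two files carry the same 21 entries in different orders. Swapping those two lines in workstations.yml so both lists are identical lets a diff between canary and production show only genuine differences in the profile set. As far as this diff shows, `macos-chrome-enrollment.mobileconfig` is the template that the dogfood workflow rewrites in place before applying, so applying either team file from a plain checkout would presumably push the unsubstituted placeholder; a comment on that entry, such as `# token placeholder is filled in by .github/workflows/dogfood-gitops.yml before apply`, would make that dependency visible to anyone running gitops by hand. The `controls:` mapping holding these entries begins before the hunk.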
@@ -14,27 +14,27 @@ controls:
enable_disk_encryption: true
macos_settings:
custom_settings:
- - path: ../../mdm_profiles/automatic_updates.mobileconfig
- - path: ../../mdm_profiles/chrome_enrollment.mobileconfig
- - path: ../../mdm_profiles/disable_bluetooth_file_sharing.mobileconfig
- - path: ../../mdm_profiles/disable_content_caching.mobileconfig
- - path: ../../mdm_profiles/disable_guest_account.mobileconfig
- - path: ../../mdm_profiles/disable_guest_shares.mobileconfig
- - path: ../../mdm_profiles/disable_internet_sharing.mobileconfig
- - path: ../../mdm_profiles/disable_media_sharing.mobileconfig
- - path: ../../mdm_profiles/disable_safari_safefiles.mobileconfig
- - path: ../../mdm_profiles/enable_doh.mobileconfig
- - path: ../../mdm_profiles/enable_firewall_logging.mobileconfig
- - path: ../../mdm_profiles/enable_gatekeeper.mobileconfig
- - path: ../../mdm_profiles/enforce_library_validation.mobileconfig
- - path: ../../mdm_profiles/firewall.mobileconfig
- - path: ../../mdm_profiles/full_disk_access_for_orbit.mobileconfig
- - path: ../../mdm_profiles/limit_ad_tracking.mobileconfig
- - path: ../../mdm_profiles/misc.mobileconfig
- - path: ../../mdm_profiles/password_policy.mobileconfig
- - path: ../../mdm_profiles/prevent_autologon.mobileconfig
- - path: ../../mdm_profiles/secure_terminal_keyboard.mobileconfig
- - path: ../../mdm_profiles/time_and_date.mobileconfig
+ - path: ../lib/configuration-profiles/macos-automatic-updates.mobileconfig
+ - path: ../lib/configuration-profiles/macos-date-time.mobileconfig
+ - path: ../lib/configuration-profiles/macos-chrome-enrollment.mobileconfig
+ - path: ../lib/configuration-profiles/macos-disable-bluetooth-file-sharing.mobileconfig
+ - path: ../lib/configuration-profiles/macos-disable-content-caching.mobileconfig
+ - path: ../lib/configuration-profiles/macos-disable-guest-account.mobileconfig
+ - path: ../lib/configuration-profiles/macos-disable-guest-shares.mobileconfig
+ - path: 
../lib/configuration-profiles/macos-disable-internet-sharing.mobileconfig
+ - path: ../lib/configuration-profiles/macos-disable-media-sharing.mobileconfig
+ - path: ../lib/configuration-profiles/macos-disable-safari-safefiles.mobileconfig
+ - path: ../lib/configuration-profiles/macos-enable-doh.mobileconfig
+ - path: ../lib/configuration-profiles/macos-enable-firewall-logging.mobileconfig
+ - path: ../lib/configuration-profiles/macos-enable-gatekeeper.mobileconfig
+ - path: ../lib/configuration-profiles/macos-enforce-library-validation.mobileconfig
+ - path: ../lib/configuration-profiles/macos-firewall.mobileconfig
+ - path: ../lib/configuration-profiles/macos-full-disk-access-for-fleetd.mobileconfig
+ - path: ../lib/configuration-profiles/macos-limit-ad-tracking.mobileconfig
+ - path: ../lib/configuration-profiles/macos-misc.mobileconfig
+ - path: ../lib/configuration-profiles/macos-password.mobileconfig
+ - path: ../lib/configuration-profiles/macos-prevent-autologon.mobileconfig
+ - path: ../lib/configuration-profiles/macos-secure-terminal-keyboard.mobileconfig
macos_setup:
bootstrap_package: ""
enable_end_user_authentication: true