From 7a20da1f2f031e6078eff6094b769f7e44b8ba26 Mon Sep 17 00:00:00 2001 
From: Victor Lyuboslavsky
Date: Fri, 1 Mar 2024 15:18:54 -0600
Subject: [PATCH] Moving mdm_profiles to it-and-security/lib/mdm_profiles (#17268)
Moving mdm_profiles to it-and-security/lib/mdm_profiles so that they are together with other gitops config files.
---------
Co-authored-by: Noah Talerman
---
 .github/workflows/dogfood-gitops.yml | 10 ++++-
 .../Using Fleet/MDM-macOS-setup-experience.md | 2 +-
 .../lib/automatic-enrollment.dep.json | 0
 .../macos-automatic-updates.mobileconfig | 0
 .../macos-chrome-enrollment.mobileconfig | 2 +-
 .../macos-date-time.mobileconfig | 0
 ...isable-bluetooth-file-sharing.mobileconfig | 0
 ...macos-disable-content-caching.mobileconfig | 0
 .../macos-disable-guest-account.mobileconfig | 0
 .../macos-disable-guest-shares.mobileconfig | 0
 ...acos-disable-internet-sharing.mobileconfig | 0
 .../macos-disable-media-sharing.mobileconfig | 0
 ...acos-disable-safari-safefiles.mobileconfig | 0
 .../macos-enable-doh.mobileconfig | 0
 ...macos-enable-firewall-logging.mobileconfig | 0
 .../macos-enable-gatekeeper.mobileconfig | 0
 ...os-enforce-library-validation.mobileconfig | 0
 .../macos-firewall.mobileconfig | 0
 ...s-full-disk-access-for-fleetd.mobileconfig | 0
 .../macos-limit-ad-tracking.mobileconfig | 0
 .../macos-misc.mobileconfig | 0
 .../macos-password.mobileconfig | 0
 .../macos-prevent-autologon.mobileconfig | 0
 ...acos-secure-terminal-keyboard.mobileconfig | 0
 it-and-security/teams/workstations-canary.yml | 42 +++++++++----------
 it-and-security/teams/workstations.yml | 42 +++++++++----------
 26 files changed, 52 insertions(+), 46 deletions(-)
 rename mdm_profiles/automatic_enrollment.json => it-and-security/lib/automatic-enrollment.dep.json (100%)
 rename mdm_profiles/automatic_updates.mobileconfig => it-and-security/lib/configuration-profiles/macos-automatic-updates.mobileconfig (100%)
 rename mdm_profiles/chrome_enrollment.mobileconfig => it-and-security/lib/configuration-profiles/macos-chrome-enrollment.mobileconfig (96%)
 rename mdm_profiles/time_and_date.mobileconfig => it-and-security/lib/configuration-profiles/macos-date-time.mobileconfig (100%)
 rename mdm_profiles/disable_bluetooth_file_sharing.mobileconfig => it-and-security/lib/configuration-profiles/macos-disable-bluetooth-file-sharing.mobileconfig (100%)
 rename mdm_profiles/disable_content_caching.mobileconfig => it-and-security/lib/configuration-profiles/macos-disable-content-caching.mobileconfig (100%)
 rename mdm_profiles/disable_guest_account.mobileconfig => it-and-security/lib/configuration-profiles/macos-disable-guest-account.mobileconfig (100%)
 rename mdm_profiles/disable_guest_shares.mobileconfig => it-and-security/lib/configuration-profiles/macos-disable-guest-shares.mobileconfig (100%)
 rename mdm_profiles/disable_internet_sharing.mobileconfig => it-and-security/lib/configuration-profiles/macos-disable-internet-sharing.mobileconfig (100%)
 rename mdm_profiles/disable_media_sharing.mobileconfig => it-and-security/lib/configuration-profiles/macos-disable-media-sharing.mobileconfig (100%)
 rename mdm_profiles/disable_safari_safefiles.mobileconfig => it-and-security/lib/configuration-profiles/macos-disable-safari-safefiles.mobileconfig (100%)
 rename mdm_profiles/enable_doh.mobileconfig => it-and-security/lib/configuration-profiles/macos-enable-doh.mobileconfig (100%)
 rename mdm_profiles/enable_firewall_logging.mobileconfig => it-and-security/lib/configuration-profiles/macos-enable-firewall-logging.mobileconfig (100%)
 rename mdm_profiles/enable_gatekeeper.mobileconfig => it-and-security/lib/configuration-profiles/macos-enable-gatekeeper.mobileconfig (100%)
 rename mdm_profiles/enforce_library_validation.mobileconfig => it-and-security/lib/configuration-profiles/macos-enforce-library-validation.mobileconfig (100%)
 rename mdm_profiles/firewall.mobileconfig => it-and-security/lib/configuration-profiles/macos-firewall.mobileconfig (100%)
 rename mdm_profiles/full_disk_access_for_orbit.mobileconfig => it-and-security/lib/configuration-profiles/macos-full-disk-access-for-fleetd.mobileconfig (100%)
 rename mdm_profiles/limit_ad_tracking.mobileconfig => it-and-security/lib/configuration-profiles/macos-limit-ad-tracking.mobileconfig (100%)
 rename mdm_profiles/misc.mobileconfig => it-and-security/lib/configuration-profiles/macos-misc.mobileconfig (100%)
 rename mdm_profiles/password_policy.mobileconfig => it-and-security/lib/configuration-profiles/macos-password.mobileconfig (100%)
 rename mdm_profiles/prevent_autologon.mobileconfig => it-and-security/lib/configuration-profiles/macos-prevent-autologon.mobileconfig (100%)
 rename mdm_profiles/secure_terminal_keyboard.mobileconfig => it-and-security/lib/configuration-profiles/macos-secure-terminal-keyboard.mobileconfig (100%)
diff --git a/.github/workflows/dogfood-gitops.yml b/.github/workflows/dogfood-gitops.yml
index 10953fe23a..14c23204cc 100644
--- a/.github/workflows/dogfood-gitops.yml
+++ b/.github/workflows/dogfood-gitops.yml
@@ -6,7 +6,6 @@ on:
 - main
 paths:
 - 'it-and-security/**'
- - 'mdm_profiles/**'
 - '.github/workflows/dogfood-gitops.yml'
 workflow_dispatch: # allows manual triggering
@@ -20,7 +19,7 @@ permissions:
 jobs:
 fleet-gitops:
- timeout-minutes: 5
+ timeout-minutes: 10
 runs-on: ubuntu-latest
 steps:
 - name: Checkout our repository
@@ -33,6 +32,13 @@ jobs:
 ref: main
 path: fleet-gitops
+ - name: Apply env vars to profiles
+ env:
+ MANAGED_CHROME_ENROLLMENT_TOKEN: ${{ secrets.CLOUD_MANAGEMENT_ENROLLMENT_TOKEN }}
+ run: |
+ envsubst < ./it-and-security/lib/configuration-profiles/macos-chrome-enrollment.mobileconfig > ./it-and-security/lib/configuration-profiles/macos-chrome-enrollment.confidential.mobileconfig
+ mv ./it-and-security/lib/configuration-profiles/macos-chrome-enrollment.confidential.mobileconfig ./it-and-security/lib/configuration-profiles/macos-chrome-enrollment.mobileconfig
+
 - name: Apply latest configuration to Fleet
 uses: ./fleet-gitops/.github/gitops-action
 with:
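Review bot: The `run:` script of the added "Apply env vars to profiles" step calls `envsubst` with no variable list, so every `$NAME` in the profile is replaced, and an unset or empty `MANAGED_CHROME_ENROLLMENT_TOKEN` (for instance a missing or renamed `CLOUD_MANAGEMENT_ENROLLMENT_TOKEN` secret) silently yields a profile with an empty enrollment token, which the following step presumably applies. Fail closed and limit the substitution: start the script with `: "${MANAGED_CHROME_ENROLLMENT_TOKEN:?enrollment token secret is not set}"` and call `envsubst '$MANAGED_CHROME_ENROLLMENT_TOKEN' < … > …`. The rendered profile also keeps the secret in plain text in the runner workspace for every later step, so a one-line comment on the step saying the file is a rendered template that must not be printed or uploaded as an artifact would help the next editor. The job's step list continues past the end of the hunk.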
diff --git a/docs/Using Fleet/MDM-macOS-setup-experience.md b/docs/Using Fleet/MDM-macOS-setup-experience.md
index 6ea511b251..8ed4d055fb 100644
--- a/docs/Using Fleet/MDM-macOS-setup-experience.md
+++ b/docs/Using Fleet/MDM-macOS-setup-experience.md
@@ -273,7 +273,7 @@ To customize the macOS Setup Assistant, we will do the following steps:
 ### Step 1: create an automatic enrollment profile
-1. Download Fleet's example automatic enrollment profile by navigating to the example [here on GitHub](https://github.com/fleetdm/fleet/blob/main/mdm_profiles/automatic_enrollment.json) and clicking the download icon.
+1. Download Fleet's example automatic enrollment profile by navigating to the example [here on GitHub](https://github.com/fleetdm/fleet/blob/main/it-and-security/lib/automatic-enrollment.dep.json) and clicking the download icon.
 2. Open the automatic enrollment profile and replace the `profile_name` key with your organization's name.
diff --git a/mdm_profiles/automatic_enrollment.json b/it-and-security/lib/automatic-enrollment.dep.json
similarity index 100%
rename from mdm_profiles/automatic_enrollment.json
rename to it-and-security/lib/automatic-enrollment.dep.json
diff --git a/mdm_profiles/automatic_updates.mobileconfig b/it-and-security/lib/configuration-profiles/macos-automatic-updates.mobileconfig
similarity index 100%
rename from mdm_profiles/automatic_updates.mobileconfig
rename to it-and-security/lib/configuration-profiles/macos-automatic-updates.mobileconfig
diff --git a/mdm_profiles/chrome_enrollment.mobileconfig b/it-and-security/lib/configuration-profiles/macos-chrome-enrollment.mobileconfig
similarity index 96%
rename from mdm_profiles/chrome_enrollment.mobileconfig
rename to it-and-security/lib/configuration-profiles/macos-chrome-enrollment.mobileconfig
index af28f4690a..ba4f3a09da 100644
--- a/mdm_profiles/chrome_enrollment.mobileconfig
+++ b/it-and-security/lib/configuration-profiles/macos-chrome-enrollment.mobileconfig
@@ -6,7 +6,7 @@ CloudManagementEnrollmentToken
- $CLOUD_MANAGEMENT_ENROLLMENT_TOKEN
+ $MANAGED_CHROME_ENROLLMENT_TOKEN
 CloudReportingEnabled PayloadDisplayName
diff --git a/mdm_profiles/time_and_date.mobileconfig b/it-and-security/lib/configuration-profiles/macos-date-time.mobileconfig
similarity index 100%
rename from mdm_profiles/time_and_date.mobileconfig
rename to it-and-security/lib/configuration-profiles/macos-date-time.mobileconfig
diff --git a/mdm_profiles/disable_bluetooth_file_sharing.mobileconfig b/it-and-security/lib/configuration-profiles/macos-disable-bluetooth-file-sharing.mobileconfig
similarity index 100%
rename from mdm_profiles/disable_bluetooth_file_sharing.mobileconfig
rename to it-and-security/lib/configuration-profiles/macos-disable-bluetooth-file-sharing.mobileconfig
diff --git a/mdm_profiles/disable_content_caching.mobileconfig b/it-and-security/lib/configuration-profiles/macos-disable-content-caching.mobileconfig
similarity index 100%
rename from mdm_profiles/disable_content_caching.mobileconfig
rename to it-and-security/lib/configuration-profiles/macos-disable-content-caching.mobileconfig
diff --git a/mdm_profiles/disable_guest_account.mobileconfig b/it-and-security/lib/configuration-profiles/macos-disable-guest-account.mobileconfig
similarity index 100%
rename from mdm_profiles/disable_guest_account.mobileconfig
rename to it-and-security/lib/configuration-profiles/macos-disable-guest-account.mobileconfig
diff --git a/mdm_profiles/disable_guest_shares.mobileconfig b/it-and-security/lib/configuration-profiles/macos-disable-guest-shares.mobileconfig
similarity index 100%
rename from mdm_profiles/disable_guest_shares.mobileconfig
rename to it-and-security/lib/configuration-profiles/macos-disable-guest-shares.mobileconfig
diff --git a/mdm_profiles/disable_internet_sharing.mobileconfig b/it-and-security/lib/configuration-profiles/macos-disable-internet-sharing.mobileconfig
similarity index 100%
rename from mdm_profiles/disable_internet_sharing.mobileconfig
rename to it-and-security/lib/configuration-profiles/macos-disable-internet-sharing.mobileconfig
diff --git a/mdm_profiles/disable_media_sharing.mobileconfig b/it-and-security/lib/configuration-profiles/macos-disable-media-sharing.mobileconfig
similarity index 100%
rename from mdm_profiles/disable_media_sharing.mobileconfig
rename to it-and-security/lib/configuration-profiles/macos-disable-media-sharing.mobileconfig
diff --git a/mdm_profiles/disable_safari_safefiles.mobileconfig b/it-and-security/lib/configuration-profiles/macos-disable-safari-safefiles.mobileconfig
similarity index 100%
rename from mdm_profiles/disable_safari_safefiles.mobileconfig
rename to it-and-security/lib/configuration-profiles/macos-disable-safari-safefiles.mobileconfig
diff --git a/mdm_profiles/enable_doh.mobileconfig b/it-and-security/lib/configuration-profiles/macos-enable-doh.mobileconfig
similarity index 100%
rename from mdm_profiles/enable_doh.mobileconfig
rename to it-and-security/lib/configuration-profiles/macos-enable-doh.mobileconfig
diff --git a/mdm_profiles/enable_firewall_logging.mobileconfig b/it-and-security/lib/configuration-profiles/macos-enable-firewall-logging.mobileconfig
similarity index 100%
rename from mdm_profiles/enable_firewall_logging.mobileconfig
rename to it-and-security/lib/configuration-profiles/macos-enable-firewall-logging.mobileconfig
diff --git a/mdm_profiles/enable_gatekeeper.mobileconfig b/it-and-security/lib/configuration-profiles/macos-enable-gatekeeper.mobileconfig
similarity index 100%
rename from mdm_profiles/enable_gatekeeper.mobileconfig
rename to it-and-security/lib/configuration-profiles/macos-enable-gatekeeper.mobileconfig
diff --git a/mdm_profiles/enforce_library_validation.mobileconfig b/it-and-security/lib/configuration-profiles/macos-enforce-library-validation.mobileconfig
similarity index 100%
rename from mdm_profiles/enforce_library_validation.mobileconfig
rename to it-and-security/lib/configuration-profiles/macos-enforce-library-validation.mobileconfig
diff --git a/mdm_profiles/firewall.mobileconfig b/it-and-security/lib/configuration-profiles/macos-firewall.mobileconfig
similarity index 100%
rename from mdm_profiles/firewall.mobileconfig
rename to it-and-security/lib/configuration-profiles/macos-firewall.mobileconfig
diff --git a/mdm_profiles/full_disk_access_for_orbit.mobileconfig b/it-and-security/lib/configuration-profiles/macos-full-disk-access-for-fleetd.mobileconfig
similarity index 100%
rename from mdm_profiles/full_disk_access_for_orbit.mobileconfig
rename to it-and-security/lib/configuration-profiles/macos-full-disk-access-for-fleetd.mobileconfig
diff --git a/mdm_profiles/limit_ad_tracking.mobileconfig b/it-and-security/lib/configuration-profiles/macos-limit-ad-tracking.mobileconfig
similarity index 100%
rename from mdm_profiles/limit_ad_tracking.mobileconfig
rename to it-and-security/lib/configuration-profiles/macos-limit-ad-tracking.mobileconfig
diff --git a/mdm_profiles/misc.mobileconfig b/it-and-security/lib/configuration-profiles/macos-misc.mobileconfig
similarity index 100%
rename from mdm_profiles/misc.mobileconfig
rename to it-and-security/lib/configuration-profiles/macos-misc.mobileconfig
diff --git a/mdm_profiles/password_policy.mobileconfig b/it-and-security/lib/configuration-profiles/macos-password.mobileconfig
similarity index 100%
rename from mdm_profiles/password_policy.mobileconfig
rename to it-and-security/lib/configuration-profiles/macos-password.mobileconfig
diff --git a/mdm_profiles/prevent_autologon.mobileconfig b/it-and-security/lib/configuration-profiles/macos-prevent-autologon.mobileconfig
similarity index 100%
rename from mdm_profiles/prevent_autologon.mobileconfig
rename to it-and-security/lib/configuration-profiles/macos-prevent-autologon.mobileconfig
diff --git a/mdm_profiles/secure_terminal_keyboard.mobileconfig b/it-and-security/lib/configuration-profiles/macos-secure-terminal-keyboard.mobileconfig
similarity index 100%
rename from mdm_profiles/secure_terminal_keyboard.mobileconfig
rename to it-and-security/lib/configuration-profiles/macos-secure-terminal-keyboard.mobileconfig
diff --git a/it-and-security/teams/workstations-canary.yml b/it-and-security/teams/workstations-canary.yml
index bd34a4f4a1..1a94399ae7 100644
--- a/it-and-security/teams/workstations-canary.yml
+++ b/it-and-security/teams/workstations-canary.yml
@@ -14,27 +14,27 @@ controls:
 enable_disk_encryption: true
 macos_settings:
 custom_settings:
- - path: ../../mdm_profiles/automatic_updates.mobileconfig
- - path: ../../mdm_profiles/chrome_enrollment.mobileconfig
- - path: ../../mdm_profiles/disable_bluetooth_file_sharing.mobileconfig
- - path: ../../mdm_profiles/disable_content_caching.mobileconfig
- - path: ../../mdm_profiles/disable_guest_account.mobileconfig
- - path: ../../mdm_profiles/disable_guest_shares.mobileconfig
- - path: ../../mdm_profiles/disable_internet_sharing.mobileconfig
- - path: ../../mdm_profiles/disable_media_sharing.mobileconfig
- - path: ../../mdm_profiles/disable_safari_safefiles.mobileconfig
- - path: ../../mdm_profiles/enable_doh.mobileconfig
- - path: ../../mdm_profiles/enable_firewall_logging.mobileconfig
- - path: ../../mdm_profiles/enable_gatekeeper.mobileconfig
- - path: ../../mdm_profiles/enforce_library_validation.mobileconfig
- - path: ../../mdm_profiles/firewall.mobileconfig
- - path: ../../mdm_profiles/full_disk_access_for_orbit.mobileconfig
- - path: ../../mdm_profiles/limit_ad_tracking.mobileconfig
- - path: ../../mdm_profiles/misc.mobileconfig
- - path: ../../mdm_profiles/password_policy.mobileconfig
- - path: ../../mdm_profiles/prevent_autologon.mobileconfig
- - path: ../../mdm_profiles/secure_terminal_keyboard.mobileconfig
- - path: ../../mdm_profiles/time_and_date.mobileconfig
+ - path: ../lib/configuration-profiles/macos-automatic-updates.mobileconfig
+ - path: ../lib/configuration-profiles/macos-chrome-enrollment.mobileconfig
+ - path: ../lib/configuration-profiles/macos-date-time.mobileconfig
+ - path: ../lib/configuration-profiles/macos-disable-bluetooth-file-sharing.mobileconfig
+ - path: ../lib/configuration-profiles/macos-disable-content-caching.mobileconfig
+ - path: ../lib/configuration-profiles/macos-disable-guest-account.mobileconfig
+ - path: ../lib/configuration-profiles/macos-disable-guest-shares.mobileconfig
+ - path: ../lib/configuration-profiles/macos-disable-internet-sharing.mobileconfig
+ - path: ../lib/configuration-profiles/macos-disable-media-sharing.mobileconfig
+ - path: ../lib/configuration-profiles/macos-disable-safari-safefiles.mobileconfig
+ - path: ../lib/configuration-profiles/macos-enable-doh.mobileconfig
+ - path: ../lib/configuration-profiles/macos-enable-firewall-logging.mobileconfig
+ - path: ../lib/configuration-profiles/macos-enable-gatekeeper.mobileconfig
+ - path: ../lib/configuration-profiles/macos-enforce-library-validation.mobileconfig
+ - path: ../lib/configuration-profiles/macos-firewall.mobileconfig
+ - path: ../lib/configuration-profiles/macos-full-disk-access-for-fleetd.mobileconfig
+ - path: ../lib/configuration-profiles/macos-limit-ad-tracking.mobileconfig
+ - path: ../lib/configuration-profiles/macos-misc.mobileconfig
+ - path: ../lib/configuration-profiles/macos-password.mobileconfig
+ - path: ../lib/configuration-profiles/macos-prevent-autologon.mobileconfig
+ - path: ../lib/configuration-profiles/macos-secure-terminal-keyboard.mobileconfig
 macos_setup:
 bootstrap_package: ""
 enable_end_user_authentication: true
diff --git a/it-and-security/teams/workstations.yml b/it-and-security/teams/workstations.yml
index 65fe53fdc7..445166ce95 100644
--- a/it-and-security/teams/workstations.yml
+++ b/it-and-security/teams/workstations.yml
@@ -14,27 +14,27 @@ controls:
 enable_disk_encryption: true
 macos_settings:
 custom_settings:
- - path: ../../mdm_profiles/automatic_updates.mobileconfig
- - path: ../../mdm_profiles/chrome_enrollment.mobileconfig
- - path: ../../mdm_profiles/disable_bluetooth_file_sharing.mobileconfig
- - path: ../../mdm_profiles/disable_content_caching.mobileconfig
- - path: ../../mdm_profiles/disable_guest_account.mobileconfig
- - path: ../../mdm_profiles/disable_guest_shares.mobileconfig
- - path: ../../mdm_profiles/disable_internet_sharing.mobileconfig
- - path: ../../mdm_profiles/disable_media_sharing.mobileconfig
- - path: ../../mdm_profiles/disable_safari_safefiles.mobileconfig
- - path: ../../mdm_profiles/enable_doh.mobileconfig
- - path: ../../mdm_profiles/enable_firewall_logging.mobileconfig
- - path: ../../mdm_profiles/enable_gatekeeper.mobileconfig
- - path: ../../mdm_profiles/enforce_library_validation.mobileconfig
- - path: ../../mdm_profiles/firewall.mobileconfig
- - path: ../../mdm_profiles/full_disk_access_for_orbit.mobileconfig
- - path: ../../mdm_profiles/limit_ad_tracking.mobileconfig
- - path: ../../mdm_profiles/misc.mobileconfig
- - path: ../../mdm_profiles/password_policy.mobileconfig
- - path: ../../mdm_profiles/prevent_autologon.mobileconfig
- - path: ../../mdm_profiles/secure_terminal_keyboard.mobileconfig
- - path: ../../mdm_profiles/time_and_date.mobileconfig
+ - path: ../lib/configuration-profiles/macos-automatic-updates.mobileconfig
+ - path: ../lib/configuration-profiles/macos-date-time.mobileconfig
+ - path: ../lib/configuration-profiles/macos-chrome-enrollment.mobileconfig
+ - path: ../lib/configuration-profiles/macos-disable-bluetooth-file-sharing.mobileconfig
+ - path: ../lib/configuration-profiles/macos-disable-content-caching.mobileconfig
+ - path: ../lib/configuration-profiles/macos-disable-guest-account.mobileconfig
+ - path: ../lib/configuration-profiles/macos-disable-guest-shares.mobileconfig
+ - path: ../lib/configuration-profiles/macos-disable-internet-sharing.mobileconfig
+ - path: ../lib/configuration-profiles/macos-disable-media-sharing.mobileconfig
+ - path: ../lib/configuration-profiles/macos-disable-safari-safefiles.mobileconfig
+ - path: ../lib/configuration-profiles/macos-enable-doh.mobileconfig
+ - path: ../lib/configuration-profiles/macos-enable-firewall-logging.mobileconfig
+ - path: ../lib/configuration-profiles/macos-enable-gatekeeper.mobileconfig
+ - path: ../lib/configuration-profiles/macos-enforce-library-validation.mobileconfig
+ - path: ../lib/configuration-profiles/macos-firewall.mobileconfig
+ - path: ../lib/configuration-profiles/macos-full-disk-access-for-fleetd.mobileconfig
+ - path: ../lib/configuration-profiles/macos-limit-ad-tracking.mobileconfig
+ - path: ../lib/configuration-profiles/macos-misc.mobileconfig
+ - path: ../lib/configuration-profiles/macos-password.mobileconfig
+ - path: ../lib/configuration-profiles/macos-prevent-autologon.mobileconfig
+ - path: ../lib/configuration-profiles/macos-secure-terminal-keyboard.mobileconfig
 macos_setup:
 bootstrap_package: ""
 enable_end_user_authentication: true
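Review bot: The new `custom_settings` list in `workstations.yml` puts `macos-date-time.mobileconfig` before `macos-chrome-enrollment.mobileconfig`, while the same list in `workstations-canary.yml` has them the other way round (alphabetical); the other 19 entries are in the same order in both files. If the order carries no meaning, keeping both lists alphabetical, with `- path: ../lib/configuration-profiles/macos-chrome-enrollment.mobileconfig` second and `macos-date-time` third, lets a plain diff of the canary and production team files show only real differences in the enforced profiles. The `controls:` mapping starts before the hunk and continues after it.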