From 8f24649a0886ece1e31f33680600f985004c4ea7 Mon Sep 17 00:00:00 2001
From: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Date: Tue, 26 Mar 2024 12:18:13 -0400
Subject: [PATCH] In dogfood, collect expiration for MDM SCEP certificates (#17848)
- Add query that runs every 5 minutes to the workstations team
- Plan is to remove the query after the issue tracking renewing all SCEP certs is closed: https://github.com/fleetdm/confidential/issues/4518
---
 it-and-security/teams/workstations.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/it-and-security/teams/workstations.yml b/it-and-security/teams/workstations.yml
index 49a6a476a0..95ca009dc3 100644
--- a/it-and-security/teams/workstations.yml
+++ b/it-and-security/teams/workstations.yml
@@ -61,3 +61,11 @@ queries:
 - path: ../lib/collect-failed-login-attempts.queries.yml
 - path: ../lib/collect-usb-devices.queries.yml
 - path: ../lib/collect-vs-code-extensions.queries.yml
+ - name: Collect expiration date for MDM SCEP certificates
+ description: "For the following issue: https://github.com/fleetdm/confidential/issues/4518. Returns expiration date for macOS hosts's MDM SCEP certs."
+ query: "SELECT common_name, datetime(not_valid_after,'unixepoch') AS expires FROM certificates WHERE 'common_name' LIKE '%FleetDM Identity%';"
+ platform: darwin
+ interval: 300
+ automations_enabled: false
+ observer_can_run: true
+
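Review bot: The `WHERE` clause in the added `query:` line puts the column name in single quotes, so SQLite evaluates `'common_name'` as a string literal instead of the `certificates.common_name` column. That literal never matches `'%FleetDM Identity%'`, so the query returns zero rows on every host. For a query meant to track SCEP certificate expiry, an empty result is easy to misread as "nothing is about to expire", so the renewal work it supports would go unmonitored. Drop the quotes around the column: `WHERE common_name LIKE '%FleetDM Identity%'`. The `queries:` list this entry is appended to starts outside the hunk, and the description's `hosts's` should read `hosts'`.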