Dogfood policies: deduplicate (#19613)

- Add inline policies that are unique to "Workstations" or "Workstations (canary)" to remove duplicate policies in `macos-device-health-canary.yml`
2026-05-24 01:18:42 +00:00 · 2024-06-10 12:00:06 -04:00 · 2024-06-10 12:00:06 -04:00 · 9a4b6a4abe
commit 9a4b6a4abe
parent 1fac823fa9
4 changed files with 23 additions and 89 deletions
--- a/it-and-security/lib/macos-device-health-canary.policies.yml
+++ b/it-and-security/lib/macos-device-health-canary.policies.yml
@ -1,80 +0,0 @@
- name: macOS - Enable FileVault
-  query: SELECT 1 FROM filevault_status WHERE status = 'FileVault is On.';
-  critical: false
-  description: This policy checks if FileVault (disk encryption) is enabled.
-  resolution: As an IT admin, turn on disk encryption in Fleet.
-  platform: darwin
- name: macOS - Enable Firewall
-  query: SELECT 1 FROM managed_policies WHERE domain='com.apple.security.firewall' AND username = '' AND name='EnableFirewall' AND CAST(value AS INT) = 1;
-  critical: false
-  description: This policy checks if Firewall is enabled.
-  resolution: An an IT admin, deploy a macOS, Firewall profile with the EnableFirewall option set to true.
-  platform: darwin
- name: macOS - Disable guest account
-  query: SELECT 1 FROM plist WHERE path='/Library/Preferences/com.apple.loginwindow.plist' AND key='GuestEnabled' AND value = 0;
-  critical: false
-  description: This policy checks if the guest account is disabled.
-  resolution: An an IT admin, deploy a macOS, login window profile with the DisableGuestAccount option set to true.
-  platform: darwin
- name: macOS - Require 10 character password
-  query: SELECT 1 WHERE 
-    EXISTS (
-      SELECT 1 FROM managed_policies WHERE 
-        domain='com.apple.screensaver' AND 
-        name='askForPassword' AND 
-        CAST(value AS INT)
-    ) 
-    AND EXISTS (
-      SELECT 1 FROM managed_policies WHERE 
-        domain='com.apple.screensaver' AND 
-        name='minLength' AND 
-        CAST(value AS INT) <= 10
-    );
-  critical: false
-  description: This policy checks if the end user is required to enter a password, with at least 10 characters, to unlock the host.
-  resolution: An an IT admin, deploy a macOS, screensaver profile with the askForPassword option set to true and minLength option set to 10.
-  platform: darwin
- name: macOS - Enable screen saver after 20 minutes
-  query: SELECT 1 WHERE 
-    EXISTS (
-      SELECT 1 FROM managed_policies WHERE 
-        domain='com.apple.screensaver' AND 
-        name='idleTime' AND 
-        CAST(value AS INT) <= 1200 AND 
-        username = ''
-    ) 
-    AND NOT EXISTS (
-      SELECT 1 FROM managed_policies WHERE 
-        domain='com.apple.screensaver' AND 
-        name='idleTime' AND 
-        CAST(value AS INT) > 1200
-    );
-  critical: false
-  description: This policy checks if maximum amount of time (in minutes) the device is allowed to sit idle before the screen is locked. End users can select any value less than the specified maximum.
-  resolution: An an IT admin, deploy a macOS, screen saver profile with the maxInactivity option set to 20 minutes.
-  platform: darwin
- name: macOS - No 1Password emergency kit stored in desktop, documents, or downloads folders
-  query: SELECT 1 WHERE 
-    NOT EXISTS (
-      SELECT 1 FROM file WHERE 
-        filename LIKE '%Emergency Kit%.pdf' AND 
-        (path LIKE '/Users/%/Desktop/%' OR path LIKE '/Users/%/Documents/%' OR path LIKE '/Users/%/Downloads/%' OR path LIKE '/Users/Shared/%')
-    );
-  critical: false
-  description: Looks for PDF files with file names typically used by 1Password for emergency recovery kits. To protect the performance of your devices, the search is one level deep and limited to the Desktop, Documents, Downloads, and Shared folders.
-  resolution: Delete 1Password emergency kits from your computer, and empty the trash. 1Password emergency kits should only be printed and stored in a physically secure location.
-  platform: darwin
- name: macOS - Check if latest version
-  query: SELECT 1 FROM os_version WHERE major = "14" AND minor = "5" AND patch >= "1";
-  critical: false
-  description: Using an outdated macOS version risks exposure to security vulnerabilities and potential system instability.
-  resolution: We will update your macOS to the latest version.
-  platform: darwin
-  calendar_events_enabled: false
- name: macOS - MDM migration complete
-  query: SELECT 1 AS result FROM system_info WHERE local_hostname != 'Titanosauria';
-  critical: false
-  description: Determines if the device has completed MDM migration to Fleet.
-  resolution: We will migrate your macOS MDM to Fleet.
-  platform: darwin
-  calendar_events_enabled: true
--- a/it-and-security/lib/macos-device-health.policies.yml
+++ b/it-and-security/lib/macos-device-health.policies.yml
@ -64,11 +64,4 @@
  description: Looks for PDF files with file names typically used by 1Password for emergency recovery kits. To protect the performance of your devices, the search is one level deep and limited to the Desktop, Documents, Downloads, and Shared folders.
  resolution: Delete 1Password emergency kits from your computer, and empty the trash. 1Password emergency kits should only be printed and stored in a physically secure location.
  platform: darwin
- name: macOS - Check if latest version
-  query: SELECT 1 FROM os_version WHERE major = '14' AND minor = '5';
-  # patch query: SELECT 1 FROM os_version WHERE major = "14" AND minor = "5" AND patch >= "1";
-  critical: false
-  description: Using an outdated macOS version risks exposure to security vulnerabilities and potential system instability.
-  resolution: We will update your macOS to the latest version.
-  platform: darwin
-  calendar_events_enabled: true  
+  
--- a/it-and-security/teams/workstations-canary.yml
+++ b/it-and-security/teams/workstations-canary.yml
@ -110,9 +110,23 @@ controls:
    - path: ../lib/windows-install-bitdefender.ps1
    - path: ../lib/windows-enable-ms-defender.ps1
 policies:
-  - path: ../lib/macos-device-health-canary.policies.yml
+  - path: ../lib/macos-device-health.policies.yml
  - path: ../lib/windows-device-health.policies.yml
  - path: ../lib/linux-device-health.policies.yml
+  - name: macOS - Check if latest version
+    query: SELECT 1 FROM os_version WHERE major = '14' AND minor = '5';
+    critical: false
+    description: Using an outdated macOS version risks exposure to security vulnerabilities and potential system instability.
+    resolution: We will update your macOS to the latest version.
+    platform: darwin
+    calendar_events_enabled: false  
+  - name: macOS - MDM migration complete
+    query: SELECT 1 AS result FROM system_info WHERE local_hostname != 'Titanosauria';
+    critical: false
+    description: Determines if the device has completed MDM migration to Fleet.
+    resolution: We will migrate your macOS MDM to Fleet.
+    platform: darwin
+    calendar_events_enabled: true
 queries:
  - path: ../lib/collect-failed-login-attempts.queries.yml
  - path: ../lib/collect-fleetd-information.yml
--- a/it-and-security/teams/workstations.yml
+++ b/it-and-security/teams/workstations.yml
@ -61,6 +61,13 @@ policies:
  - path: ../lib/macos-device-health.policies.yml
  - path: ../lib/windows-device-health.policies.yml
  - path: ../lib/linux-device-health.policies.yml
+  - name: macOS - Check if latest version
+    query: SELECT 1 FROM os_version WHERE major = '14' AND minor = '5';
+    critical: false
+    description: Using an outdated macOS version risks exposure to security vulnerabilities and potential system instability.
+    resolution: We will update your macOS to the latest version.
+    platform: darwin
+    calendar_events_enabled: true  
 queries:
  - path: ../lib/collect-failed-login-attempts.queries.yml
  - path: ../lib/collect-usb-devices.queries.yml