diff --git a/it-and-security/lib/macos-device-health-canary.policies.yml b/it-and-security/lib/macos-device-health-canary.policies.yml
deleted file mode 100644
index 134680169b..0000000000
--- a/it-and-security/lib/macos-device-health-canary.policies.yml
+++ /dev/null
@@ -1,80 +0,0 @@
-- name: macOS - Enable FileVault
- query: SELECT 1 FROM filevault_status WHERE status = 'FileVault is On.';
- critical: false
- description: This policy checks if FileVault (disk encryption) is enabled.
- resolution: As an IT admin, turn on disk encryption in Fleet.
- platform: darwin
-- name: macOS - Enable Firewall
- query: SELECT 1 FROM managed_policies WHERE domain='com.apple.security.firewall' AND username = '' AND name='EnableFirewall' AND CAST(value AS INT) = 1;
- critical: false
- description: This policy checks if Firewall is enabled.
- resolution: An an IT admin, deploy a macOS, Firewall profile with the EnableFirewall option set to true.
- platform: darwin
-- name: macOS - Disable guest account
- query: SELECT 1 FROM plist WHERE path='/Library/Preferences/com.apple.loginwindow.plist' AND key='GuestEnabled' AND value = 0;
- critical: false
- description: This policy checks if the guest account is disabled.
- resolution: An an IT admin, deploy a macOS, login window profile with the DisableGuestAccount option set to true.
- platform: darwin
-- name: macOS - Require 10 character password
- query: SELECT 1 WHERE
- EXISTS (
- SELECT 1 FROM managed_policies WHERE
- domain='com.apple.screensaver' AND
- name='askForPassword' AND
- CAST(value AS INT)
- )
- AND EXISTS (
- SELECT 1 FROM managed_policies WHERE
- domain='com.apple.screensaver' AND
- name='minLength' AND
- CAST(value AS INT) <= 10
- );
- critical: false
- description: This policy checks if the end user is required to enter a password, with at least 10 characters, to unlock the host.
- resolution: An an IT admin, deploy a macOS, screensaver profile with the askForPassword option set to true and minLength option set to 10.
- platform: darwin
-- name: macOS - Enable screen saver after 20 minutes
- query: SELECT 1 WHERE
- EXISTS (
- SELECT 1 FROM managed_policies WHERE
- domain='com.apple.screensaver' AND
- name='idleTime' AND
- CAST(value AS INT) <= 1200 AND
- username = ''
- )
- AND NOT EXISTS (
- SELECT 1 FROM managed_policies WHERE
- domain='com.apple.screensaver' AND
- name='idleTime' AND
- CAST(value AS INT) > 1200
- );
- critical: false
- description: This policy checks if maximum amount of time (in minutes) the device is allowed to sit idle before the screen is locked. End users can select any value less than the specified maximum.
- resolution: An an IT admin, deploy a macOS, screen saver profile with the maxInactivity option set to 20 minutes.
- platform: darwin
-- name: macOS - No 1Password emergency kit stored in desktop, documents, or downloads folders
- query: SELECT 1 WHERE
- NOT EXISTS (
- SELECT 1 FROM file WHERE
- filename LIKE '%Emergency Kit%.pdf' AND
- (path LIKE '/Users/%/Desktop/%' OR path LIKE '/Users/%/Documents/%' OR path LIKE '/Users/%/Downloads/%' OR path LIKE '/Users/Shared/%')
- );
- critical: false
- description: Looks for PDF files with file names typically used by 1Password for emergency recovery kits. To protect the performance of your devices, the search is one level deep and limited to the Desktop, Documents, Downloads, and Shared folders.
- resolution: Delete 1Password emergency kits from your computer, and empty the trash. 1Password emergency kits should only be printed and stored in a physically secure location.
- platform: darwin
-- name: macOS - Check if latest version
- query: SELECT 1 FROM os_version WHERE major = "14" AND minor = "5" AND patch >= "1";
- critical: false
- description: Using an outdated macOS version risks exposure to security vulnerabilities and potential system instability.
- resolution: We will update your macOS to the latest version.
- platform: darwin
- calendar_events_enabled: false
-- name: macOS - MDM migration complete
- query: SELECT 1 AS result FROM system_info WHERE local_hostname != 'Titanosauria';
- critical: false
- description: Determines if the device has completed MDM migration to Fleet.
- resolution: We will migrate your macOS MDM to Fleet.
- platform: darwin
- calendar_events_enabled: true
diff --git a/it-and-security/lib/macos-device-health.policies.yml b/it-and-security/lib/macos-device-health.policies.yml
index c9b7879157..75bfaf4b0b 100644
--- a/it-and-security/lib/macos-device-health.policies.yml
+++ b/it-and-security/lib/macos-device-health.policies.yml
@@ -64,11 +64,4 @@
 description: Looks for PDF files with file names typically used by 1Password for emergency recovery kits. To protect the performance of your devices, the search is one level deep and limited to the Desktop, Documents, Downloads, and Shared folders.
 resolution: Delete 1Password emergency kits from your computer, and empty the trash. 1Password emergency kits should only be printed and stored in a physically secure location.
 platform: darwin
-- name: macOS - Check if latest version
- query: SELECT 1 FROM os_version WHERE major = '14' AND minor = '5';
- # patch query: SELECT 1 FROM os_version WHERE major = "14" AND minor = "5" AND patch >= "1";
- critical: false
- description: Using an outdated macOS version risks exposure to security vulnerabilities and potential system instability.
- resolution: We will update your macOS to the latest version.
- platform: darwin
- calendar_events_enabled: true
\ No newline at end of file
+ 
\ No newline at end of file
diff --git a/it-and-security/teams/workstations-canary.yml b/it-and-security/teams/workstations-canary.yml
index 5d1c8b7985..55304f6ebf 100644
--- a/it-and-security/teams/workstations-canary.yml
+++ b/it-and-security/teams/workstations-canary.yml
@@ -110,9 +110,23 @@ controls:
 - path: ../lib/windows-install-bitdefender.ps1
 - path: ../lib/windows-enable-ms-defender.ps1
 policies:
- - path: ../lib/macos-device-health-canary.policies.yml
+ - path: ../lib/macos-device-health.policies.yml
 - path: ../lib/windows-device-health.policies.yml
 - path: ../lib/linux-device-health.policies.yml
+ - name: macOS - Check if latest version
+ query: SELECT 1 FROM os_version WHERE major = '14' AND minor = '5';
+ critical: false
+ description: Using an outdated macOS version risks exposure to security vulnerabilities and potential system instability.
+ resolution: We will update your macOS to the latest version.
+ platform: darwin
+ calendar_events_enabled: false
+ - name: macOS - MDM migration complete
+ query: SELECT 1 AS result FROM system_info WHERE local_hostname != 'Titanosauria';
+ critical: false
+ description: Determines if the device has completed MDM migration to Fleet.
+ resolution: We will migrate your macOS MDM to Fleet.
+ platform: darwin
+ calendar_events_enabled: true
 queries:
 - path: ../lib/collect-failed-login-attempts.queries.yml
 - path: ../lib/collect-fleetd-information.yml
diff --git a/it-and-security/teams/workstations.yml b/it-and-security/teams/workstations.yml
index 61d123a0d2..6e28a28f6f 100644
--- a/it-and-security/teams/workstations.yml
+++ b/it-and-security/teams/workstations.yml
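Review bot: The `macOS - Check if latest version` policy added to the canary team pins an exact release with `major = '14' AND minor = '5'`, so a host already on 14.6 or 15.x fails the policy as "outdated", and the identical copy added in the workstations.yml hunk carries `calendar_events_enabled: true`, which would schedule an update event for hosts that are already newer. A minimum-version predicate matches the description better, e.g. `query: SELECT 1 FROM os_version WHERE major > 14 OR (major = 14 AND minor >= 5);`, and either way a `# bump when a new macOS release ships` comment above the query would make the maintenance burden visible, since the pin now lives in two team files instead of one lib file. The inline copies also drop the `patch >= "1"` clause the deleted canary file enforced, so 14.5.0 passes where it previously failed; if that is intended, a short comment saying so would prevent it being "fixed" back. Separately, `macOS - MDM migration complete` derives migration status from `local_hostname != 'Titanosauria'`, which passes every host except one and does not inspect enrollment at all; if this is a placeholder, mark it as such in a comment, otherwise consider the fleetd `mdm` table (`enrolled`, `server_url`) if it is available on these hosts.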
@@ -61,6 +61,13 @@ policies:
 - path: ../lib/macos-device-health.policies.yml
 - path: ../lib/windows-device-health.policies.yml
 - path: ../lib/linux-device-health.policies.yml
+ - name: macOS - Check if latest version
+ query: SELECT 1 FROM os_version WHERE major = '14' AND minor = '5';
+ critical: false
+ description: Using an outdated macOS version risks exposure to security vulnerabilities and potential system instability.
+ resolution: We will update your macOS to the latest version.
+ platform: darwin
+ calendar_events_enabled: true
 queries:
 - path: ../lib/collect-failed-login-attempts.queries.yml
 - path: ../lib/collect-usb-devices.queries.yml