From 9ee2d5e695f4e22504dad6a247b3d8e11d22ae02 Mon Sep 17 00:00:00 2001
From: Allen Houchins <32207388+allenhouchins@users.noreply.github.com>
Date: Tue, 4 Mar 2025 13:42:42 -0600
Subject: [PATCH] Updating APNs certificate and related policy automations (#26696)

Created a new policy with the calendaring automation for when I update the APNs certificate being used.

---------

Co-authored-by: Brock Walters <153771548+nonpunctual@users.noreply.github.com>
---
it-and-security/default.yml | 1 -
.../policies/mac-enrollment-profile-up-to-date.yml | 14 --------------
.../policies/enrollment-profile-up-to-date.yml | 14 ++++++++++++++
it-and-security/teams/compliance-exclusions.yml | 1 +
it-and-security/teams/workstations-canary.yml | 1 +
it-and-security/teams/workstations.yml | 1 +
6 files changed, 17 insertions(+), 15 deletions(-)
delete mode 100644 it-and-security/lib/all/policies/mac-enrollment-profile-up-to-date.yml
create mode 100644 it-and-security/lib/macos/policies/enrollment-profile-up-to-date.yml

diff --git a/it-and-security/default.yml b/it-and-security/default.yml
index c2c17b73b0..bf942122a4 100644
--- a/it-and-security/default.yml
+++ b/it-and-security/default.yml
@@ -84,7 +84,6 @@ org_settings:
 destination_url: $DOGFOOD_ACTIVITIES_WEBHOOK_URL
 enable_activities_webhook: true
 policies:
- - path: ./lib/all/policies/mac-enrollment-profile-up-to-date.yml
 queries:
 - path: ./lib/all/queries/collect-fleetd-information.yml
 - path: ./lib/all/queries/collect-operating-system-information.yml
diff --git a/it-and-security/lib/all/policies/mac-enrollment-profile-up-to-date.yml b/it-and-security/lib/all/policies/mac-enrollment-profile-up-to-date.yml
deleted file mode 100644
index 22e9587bd5..0000000000
--- a/it-and-security/lib/all/policies/mac-enrollment-profile-up-to-date.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-- name: macOS - Enrollment profile up to date
- query: SELECT 1 FROM mdm where topic = "com.apple.mgmt.External.ccfc8d43-e9f1-49ec-8ca4-10072077deec";
- critical: true
- description: This policy checks to see if you have the most recent enrollment profile installed. Not having this profile means this device is no longer communicating with Fleet via MDM.
- resolution: |-
- You must manually remove your enrollment profile to fix this issue by following these steps:
-
-  > System Settings > General > Device Management > Click on the profile "Fleet enrollment" followed by the "-" button
-
- After a few minutes, your device may initate automatic re-enrollment. If it does not, open Fleet Desktop and follow the steps for turning on MDM.
-
- If you encounter any issues, please reach out via #help-dogfooding.
- platform: darwin
-
\ No newline at end of file
diff --git a/it-and-security/lib/macos/policies/enrollment-profile-up-to-date.yml b/it-and-security/lib/macos/policies/enrollment-profile-up-to-date.yml
new file mode 100644
index 0000000000..6c61facbc4
--- /dev/null
+++ b/it-and-security/lib/macos/policies/enrollment-profile-up-to-date.yml
@@ -0,0 +1,14 @@
+- name: macOS - Enrollment profile up to date
+ query: SELECT 1 FROM mdm where topic = "com.apple.mgmt.External.8a3367bf-49d7-4dc3-ae41-c9de95f7b424";
+ critical: true
+ description: Recently we had to update files used for managing Apple devices. This policy checks to see if you have the most recent enrollment profile installed. Not having this profile means this device is no longer communicating with Fleet via MDM.
+ resolution: |-
+ You must manually remove your enrollment profile to fix this issue by following these steps:
+
+  > System Settings > General > Device Management > Click on the profile "Fleet enrollment" followed by the "-" button
+
+ After a few minutes, your device may initiate automatic re-enrollment. If it does not, open Fleet Desktop and follow the steps for manually enabling MDM.
+
+ If you encounter any issues, please reach out via #help-dogfooding.
+ platform: darwin
+ calendar_event_enabled: true
diff --git a/it-and-security/teams/compliance-exclusions.yml b/it-and-security/teams/compliance-exclusions.yml
index 57520ea276..348a5feddb 100644
--- a/it-and-security/teams/compliance-exclusions.yml
+++ b/it-and-security/teams/compliance-exclusions.yml
@@ -30,6 +30,7 @@ agent_options:
 controls:
 enable_disk_encryption: true
 policies:
+ - path: ../lib/macos/policies/enrollment-profile-up-to-date.yml
 queries:
 software:
 packages:
diff --git a/it-and-security/teams/workstations-canary.yml b/it-and-security/teams/workstations-canary.yml
index 9e428bb311..66d6f5fa3e 100644
--- a/it-and-security/teams/workstations-canary.yml
+++ b/it-and-security/teams/workstations-canary.yml
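Review bot: The APNs topic UUID in `query: SELECT 1 FROM mdm where topic = "com.apple.mgmt.External.8a3367bf-…";` is the one value that has to change on every future APNs certificate rotation, and nothing in the new file records that — this commit itself is the previous topic being swapped out. A comment above the query such as `# topic must match the current APNs push certificate; update it whenever the certificate is rotated` would keep the next rotation from leaving this critical check silently pointing at a dead topic. The wording "Recently we had to update files used for managing Apple devices" in `description` will read as stale within weeks; a time-free reason (e.g. `The enrollment profile was reissued after an APNs certificate update.`) ages better. As a style nit, `SELECT 1 FROM mdm where topic` mixes keyword casing; `WHERE` would match the rest of the statement.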
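Review bot: Moving this check from the global `policies` list in default.yml into three team files means any macOS host that is not on compliance-exclusions, workstations-canary or workstations — "No team", or any team not touched by this patch — loses a `critical: true` enrollment check that previously applied fleet-wide; please confirm those three teams cover every managed Mac, or keep the global entry as well. The same one-line addition appears in the workstations-canary.yml and workstations.yml hunks. If the narrowing is deliberate (the file now lives under lib/macos rather than lib/all), a sentence in the PR description saying so would spare the next reader from having to reconstruct the reasoning.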
@@ -143,6 +143,7 @@ policies:
 - path: ../lib/macos/policies/latest-macos.yml
 - path: ../lib/macos/policies/update-1password.yml
 - path: ../lib/macos/policies/all-software-updates-installed.yml
+ - path: ../lib/macos/policies/enrollment-profile-up-to-date.yml
 - path: ../lib/windows/policies/antivirus-signatures-up-to-date.yml
 - path: ../lib/windows/policies/all-windows-updates-installed.yml
 - path: ../lib/linux/policies/disk-encryption-check.yml
diff --git a/it-and-security/teams/workstations.yml b/it-and-security/teams/workstations.yml
index 83ecf89648..da14369dd8 100644
--- a/it-and-security/teams/workstations.yml
+++ b/it-and-security/teams/workstations.yml
@@ -88,6 +88,7 @@ policies:
 - path: ../lib/macos/policies/latest-macos.yml
 - path: ../lib/macos/policies/all-software-updates-installed.yml
 - path: ../lib/macos/policies/update-slack.yml
+ - path: ../lib/macos/policies/enrollment-profile-up-to-date.yml
 - path: ../lib/windows/policies/antivirus-signatures-up-to-date.yml
 - path: ../lib/windows/policies/all-windows-updates-installed.yml
 - path: ../lib/linux/policies/disk-encryption-check.yml