From addb665c8bdf4a0e7640fd4f1ad7927e5dcc7d80 Mon Sep 17 00:00:00 2001
From: Lucas Manuel Rodriguez <lucas@fleetdm.com>
Date: Thu, 20 Jun 2024 17:13:24 -0300
Subject: [PATCH] Dogfood iPhones team GitOps (#19897)

Changes to dogfood GitOps for #18866.
---
 .github/workflows/dogfood-gitops.yml          |   1 +
 .../ios-content-filtering.mobileconfig        |  48 ++++
 .../ios-lock-screen-message.mobileconfig      |  39 +++
 .../ios-passcode-settings-ddm.json            |  10 +
 .../ios-restrictions.mobileconfig             | 271 ++++++++++++++++++
 it-and-security/teams/iphones.yml             |  38 +++
 6 files changed, 407 insertions(+)
 create mode 100644 it-and-security/lib/configuration-profiles/ios-content-filtering.mobileconfig
 create mode 100644 it-and-security/lib/configuration-profiles/ios-lock-screen-message.mobileconfig
 create mode 100644 it-and-security/lib/configuration-profiles/ios-passcode-settings-ddm.json
 create mode 100644 it-and-security/lib/configuration-profiles/ios-restrictions.mobileconfig
 create mode 100644 it-and-security/teams/iphones.yml

diff --git a/.github/workflows/dogfood-gitops.yml b/.github/workflows/dogfood-gitops.yml
index 905f503b0a..68fc00cee1 100644
--- a/.github/workflows/dogfood-gitops.yml
+++ b/.github/workflows/dogfood-gitops.yml
@@ -79,3 +79,4 @@ jobs:
           DOGFOOD_EXPLORE_DATA_ENROLL_SECRET: ${{ secrets.DOGFOOD_EXPLORE_DATA_ENROLL_SECRET }}
           DOGFOOD_CALENDAR_API_KEY: ${{ secrets.DOGFOOD_CALENDAR_API_KEY }}
           DOGFOOD_VIRTUAL_MACHINES_ENROLL_SECRET: ${{ secrets.DOGFOOD_VIRTUAL_MACHINES_ENROLL_SECRET }}
+          DOGFOOD_IPHONES_ENROLL_SECRET: ${{ secrets.DOGFOOD_IPHONES_ENROLL_SECRET }}
diff --git a/it-and-security/lib/configuration-profiles/ios-content-filtering.mobileconfig b/it-and-security/lib/configuration-profiles/ios-content-filtering.mobileconfig
new file mode 100644
index 0000000000..11dfeff2ff
--- /dev/null
+++ b/it-and-security/lib/configuration-profiles/ios-content-filtering.mobileconfig
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>PayloadContent</key>
+	<array>
+		<dict>
+			<key>AutoFilterEnabled</key>
+			<true/>
+			<key>BlacklistedURLs</key>
+			<array>
+				<string>https://example.com</string>
+				<string></string>
+			</array>
+			<key>FilterBrowsers</key>
+			<true/>
+			<key>FilterSockets</key>
+			<true/>
+			<key>FilterType</key>
+			<string>BuiltIn</string>
+			<key>PayloadDescription</key>
+			<string>Configures content filtering settings</string>
+			<key>PayloadDisplayName</key>
+			<string>Web Content Filter</string>
+			<key>PayloadIdentifier</key>
+			<string>com.apple.webcontent-filter.1B111C68-501E-44C3-A564-296C9D5D01C3</string>
+			<key>PayloadType</key>
+			<string>com.apple.webcontent-filter</string>
+			<key>PayloadUUID</key>
+			<string>1B111C68-501E-44C3-A564-296C9D5D01C3</string>
+			<key>PayloadVersion</key>
+			<integer>1</integer>
+		</dict>
+	</array>
+	<key>PayloadDisplayName</key>
+	<string>Content filtering</string>
+	<key>PayloadIdentifier</key>
+	<string>Lucass-MacBook-Pro.72E4CE0F-8246-4B81-BC28-AD16C7CD43E0</string>
+	<key>PayloadRemovalDisallowed</key>
+	<false/>
+	<key>PayloadType</key>
+	<string>Configuration</string>
+	<key>PayloadUUID</key>
+	<string>9555632D-5053-4A89-94D9-EC4510BB8DC6</string>
+	<key>PayloadVersion</key>
+	<integer>1</integer>
+</dict>
+</plist>
diff --git a/it-and-security/lib/configuration-profiles/ios-lock-screen-message.mobileconfig b/it-and-security/lib/configuration-profiles/ios-lock-screen-message.mobileconfig
new file mode 100644
index 0000000000..7190fc86f9
--- /dev/null
+++ b/it-and-security/lib/configuration-profiles/ios-lock-screen-message.mobileconfig
@@ -0,0 +1,39 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>PayloadContent</key>
+	<array>
+		<dict>
+			<key>AssetTagInformation</key>
+			<string>This is a Fleet owned device</string>
+			<key>IfLostReturnToMessage</key>
+			<string>Fleet Device Management Inc.</string>
+			<key>PayloadDescription</key>
+			<string>Configures ownership information for a shared device</string>
+			<key>PayloadDisplayName</key>
+			<string>Lock Screen Message</string>
+			<key>PayloadIdentifier</key>
+			<string>com.apple.shareddeviceconfiguration.E6872230-52C6-4443-AE57-4BB6503C6E01</string>
+			<key>PayloadType</key>
+			<string>com.apple.shareddeviceconfiguration</string>
+			<key>PayloadUUID</key>
+			<string>E6872230-52C6-4443-AE57-4BB6503C6E01</string>
+			<key>PayloadVersion</key>
+			<integer>1</integer>
+		</dict>
+	</array>
+	<key>PayloadDisplayName</key>
+	<string>Lock Screen Message</string>
+	<key>PayloadIdentifier</key>
+	<string>Lucass-MacBook-Pro.D0BED3AA-FC16-4276-A8A3-457AA8558C1E</string>
+	<key>PayloadRemovalDisallowed</key>
+	<false/>
+	<key>PayloadType</key>
+	<string>Configuration</string>
+	<key>PayloadUUID</key>
+	<string>24C286C4-D755-473D-8E09-5E5C0F152BD1</string>
+	<key>PayloadVersion</key>
+	<integer>1</integer>
+</dict>
+</plist>
diff --git a/it-and-security/lib/configuration-profiles/ios-passcode-settings-ddm.json b/it-and-security/lib/configuration-profiles/ios-passcode-settings-ddm.json
new file mode 100644
index 0000000000..9b7d59f166
--- /dev/null
+++ b/it-and-security/lib/configuration-profiles/ios-passcode-settings-ddm.json
@@ -0,0 +1,10 @@
+{
+    "Type": "com.apple.configuration.passcode.settings",
+    "Identifier": "956e0d14-6019-479b-a6f9-a69ef77668c5",
+    "Payload": {
+        "MaximumFailedAttempts": 10,
+        "MaximumInactivityInMinutes": 5,
+        "MinimumLength": 12,
+        "MinimumComplexCharacters": 1
+    }
+}
diff --git a/it-and-security/lib/configuration-profiles/ios-restrictions.mobileconfig b/it-and-security/lib/configuration-profiles/ios-restrictions.mobileconfig
new file mode 100644
index 0000000000..d63e70fbf9
--- /dev/null
+++ b/it-and-security/lib/configuration-profiles/ios-restrictions.mobileconfig
@@ -0,0 +1,271 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>HasRemovalPasscode</key>
+	<false/>
+	<key>PayloadContent</key>
+	<array>
+		<dict>
+			<key>PayloadDescription</key>
+			<string>Configures restrictions</string>
+			<key>PayloadDisplayName</key>
+			<string>Restrictions</string>
+			<key>PayloadIdentifier</key>
+			<string>com.apple.applicationaccess.A001D62E-9217-47F0-9ECF-C5E3F548F9EF</string>
+			<key>PayloadType</key>
+			<string>com.apple.applicationaccess</string>
+			<key>PayloadUUID</key>
+			<string>A001D62E-9217-47F0-9ECF-C5E3F548F9EF</string>
+			<key>PayloadVersion</key>
+			<integer>1</integer>
+			<key>allowActivityContinuation</key>
+			<true/>
+			<key>allowAddingGameCenterFriends</key>
+			<true/>
+			<key>allowAirPlayIncomingRequests</key>
+			<true/>
+			<key>allowAirPrint</key>
+			<true/>
+			<key>allowAirPrintCredentialsStorage</key>
+			<true/>
+			<key>allowAirPrintiBeaconDiscovery</key>
+			<true/>
+			<key>allowAppCellularDataModification</key>
+			<true/>
+			<key>allowAppClips</key>
+			<true/>
+			<key>allowAppInstallation</key>
+			<true/>
+			<key>allowAppRemoval</key>
+			<true/>
+			<key>allowApplePersonalizedAdvertising</key>
+			<true/>
+			<key>allowAssistant</key>
+			<true/>
+			<key>allowAssistantWhileLocked</key>
+			<true/>
+			<key>allowAutoCorrection</key>
+			<true/>
+			<key>allowAutoUnlock</key>
+			<true/>
+			<key>allowAutomaticAppDownloads</key>
+			<true/>
+			<key>allowBluetoothModification</key>
+			<true/>
+			<key>allowBookstore</key>
+			<true/>
+			<key>allowBookstoreErotica</key>
+			<true/>
+			<key>allowCamera</key>
+			<true/>
+			<key>allowCellularPlanModification</key>
+			<true/>
+			<key>allowChat</key>
+			<true/>
+			<key>allowCloudBackup</key>
+			<true/>
+			<key>allowCloudDocumentSync</key>
+			<true/>
+			<key>allowCloudPhotoLibrary</key>
+			<true/>
+			<key>allowContinuousPathKeyboard</key>
+			<true/>
+			<key>allowDefinitionLookup</key>
+			<true/>
+			<key>allowDeviceNameModification</key>
+			<true/>
+			<key>allowDeviceSleep</key>
+			<true/>
+			<key>allowDictation</key>
+			<true/>
+			<key>allowESIMModification</key>
+			<true/>
+			<key>allowEnablingRestrictions</key>
+			<true/>
+			<key>allowEnterpriseAppTrust</key>
+			<true/>
+			<key>allowEnterpriseBookBackup</key>
+			<true/>
+			<key>allowEnterpriseBookMetadataSync</key>
+			<true/>
+			<key>allowEraseContentAndSettings</key>
+			<true/>
+			<key>allowExplicitContent</key>
+			<true/>
+			<key>allowFilesNetworkDriveAccess</key>
+			<true/>
+			<key>allowFilesUSBDriveAccess</key>
+			<true/>
+			<key>allowFindMyDevice</key>
+			<true/>
+			<key>allowFindMyFriends</key>
+			<true/>
+			<key>allowFingerprintForUnlock</key>
+			<true/>
+			<key>allowFingerprintModification</key>
+			<true/>
+			<key>allowGameCenter</key>
+			<true/>
+			<key>allowGlobalBackgroundFetchWhenRoaming</key>
+			<true/>
+			<key>allowInAppPurchases</key>
+			<true/>
+			<key>allowKeyboardShortcuts</key>
+			<true/>
+			<key>allowManagedAppsCloudSync</key>
+			<true/>
+			<key>allowMultiplayerGaming</key>
+			<true/>
+			<key>allowMusicService</key>
+			<true/>
+			<key>allowNews</key>
+			<true/>
+			<key>allowNotificationsModification</key>
+			<true/>
+			<key>allowOpenFromManagedToUnmanaged</key>
+			<true/>
+			<key>allowOpenFromUnmanagedToManaged</key>
+			<true/>
+			<key>allowPairedWatch</key>
+			<true/>
+			<key>allowPassbookWhileLocked</key>
+			<true/>
+			<key>allowPasscodeModification</key>
+			<true/>
+			<key>allowPasswordAutoFill</key>
+			<true/>
+			<key>allowPasswordProximityRequests</key>
+			<true/>
+			<key>allowPasswordSharing</key>
+			<true/>
+			<key>allowPersonalHotspotModification</key>
+			<true/>
+			<key>allowPhotoStream</key>
+			<true/>
+			<key>allowPredictiveKeyboard</key>
+			<true/>
+			<key>allowProximitySetupToNewDevice</key>
+			<true/>
+			<key>allowRadioService</key>
+			<true/>
+			<key>allowRemoteAppPairing</key>
+			<true/>
+			<key>allowRemoteScreenObservation</key>
+			<true/>
+			<key>allowSafari</key>
+			<true/>
+			<key>allowScreenShot</key>
+			<false/>
+			<key>allowSharedStream</key>
+			<true/>
+			<key>allowSpellCheck</key>
+			<true/>
+			<key>allowSpotlightInternetResults</key>
+			<true/>
+			<key>allowSystemAppRemoval</key>
+			<true/>
+			<key>allowUIAppInstallation</key>
+			<true/>
+			<key>allowUIConfigurationProfileInstallation</key>
+			<true/>
+			<key>allowUSBRestrictedMode</key>
+			<true/>
+			<key>allowUnpairedExternalBootToRecovery</key>
+			<false/>
+			<key>allowUntrustedTLSPrompt</key>
+			<true/>
+			<key>allowVPNCreation</key>
+			<true/>
+			<key>allowVideoConferencing</key>
+			<true/>
+			<key>allowVoiceDialing</key>
+			<true/>
+			<key>allowWallpaperModification</key>
+			<true/>
+			<key>allowiTunes</key>
+			<true/>
+			<key>forceAirDropUnmanaged</key>
+			<false/>
+			<key>forceAirPrintTrustedTLSRequirement</key>
+			<false/>
+			<key>forceAssistantProfanityFilter</key>
+			<false/>
+			<key>forceAuthenticationBeforeAutoFill</key>
+			<false/>
+			<key>forceAutomaticDateAndTime</key>
+			<false/>
+			<key>forceClassroomAutomaticallyJoinClasses</key>
+			<false/>
+			<key>forceClassroomRequestPermissionToLeaveClasses</key>
+			<false/>
+			<key>forceClassroomUnpromptedAppAndDeviceLock</key>
+			<false/>
+			<key>forceClassroomUnpromptedScreenObservation</key>
+			<false/>
+			<key>forceDelayedSoftwareUpdates</key>
+			<false/>
+			<key>forceEncryptedBackup</key>
+			<false/>
+			<key>forceITunesStorePasswordEntry</key>
+			<false/>
+			<key>forceLimitAdTracking</key>
+			<false/>
+			<key>forceWatchWristDetection</key>
+			<false/>
+			<key>forceWiFiPowerOn</key>
+			<false/>
+			<key>forceWiFiWhitelisting</key>
+			<false/>
+			<key>ratingApps</key>
+			<integer>1000</integer>
+			<key>ratingMovies</key>
+			<integer>1000</integer>
+			<key>ratingRegion</key>
+			<string>us</string>
+			<key>ratingTVShows</key>
+			<integer>1000</integer>
+			<key>safariAcceptCookies</key>
+			<real>2</real>
+			<key>safariAllowAutoFill</key>
+			<true/>
+			<key>safariAllowJavaScript</key>
+			<true/>
+			<key>safariAllowPopups</key>
+			<true/>
+			<key>safariForceFraudWarning</key>
+			<false/>
+		</dict>
+		<dict>
+			<key>AssetTagInformation</key>
+			<string>This is a FleetDM owned device</string>
+			<key>IfLostReturnToMessage</key>
+			<string>Fleet Device Management Inc.</string>
+			<key>PayloadDescription</key>
+			<string>Configures ownership information for a shared device</string>
+			<key>PayloadDisplayName</key>
+			<string>Lock Screen Message</string>
+			<key>PayloadIdentifier</key>
+			<string>com.apple.shareddeviceconfiguration.8A2A7B75-4E65-42EF-AC09-B1F8A7EE94B5</string>
+			<key>PayloadType</key>
+			<string>com.apple.shareddeviceconfiguration</string>
+			<key>PayloadUUID</key>
+			<string>8A2A7B75-4E65-42EF-AC09-B1F8A7EE94B5</string>
+			<key>PayloadVersion</key>
+			<integer>1</integer>
+		</dict>
+	</array>
+	<key>PayloadDisplayName</key>
+	<string>Restrictions</string>
+	<key>PayloadIdentifier</key>
+	<string>Lucass-MacBook-Pro.47AF8BD0-DC78-4814-98A1-40B927B3408E</string>
+	<key>PayloadRemovalDisallowed</key>
+	<true/>
+	<key>PayloadType</key>
+	<string>Configuration</string>
+	<key>PayloadUUID</key>
+	<string>A5EE2362-BF54-45F4-A00F-55B1E990A4C0</string>
+	<key>PayloadVersion</key>
+	<integer>1</integer>
+</dict>
+</plist>
diff --git a/it-and-security/teams/iphones.yml b/it-and-security/teams/iphones.yml
new file mode 100644
index 0000000000..c41faaeca5
--- /dev/null
+++ b/it-and-security/teams/iphones.yml
@@ -0,0 +1,38 @@
+name: iPhones
+team_settings:
+  features:
+    enable_host_users: true
+    enable_software_inventory: true
+  host_expiry_settings:
+    host_expiry_enabled: false
+    host_expiry_window: 0
+  secrets:
+    - secret: $DOGFOOD_IPHONES_ENROLL_SECRET
+  integrations:
+    google_calendar:
+      enable_calendar_events: false
+agent_options:
+  path: ../lib/agent-options.yml
+controls:
+  enable_disk_encryption: true
+  macos_settings:
+    custom_settings:
+      - path: ../lib/configuration-profiles/ios-restrictions.mobileconfig
+      - path: ../lib/configuration-profiles/ios-passcode-settings-ddm.json
+      - path: ../lib/configuration-profiles/ios-lock-screen-message.mobileconfig
+      - path: ../lib/configuration-profiles/ios-content-filtering.mobileconfig
+  macos_setup:
+    bootstrap_package: ""
+    enable_end_user_authentication: true
+    macos_setup_assistant: null
+  macos_updates:
+    deadline: ""
+    minimum_version: ""
+  windows_settings:
+    custom_settings: null
+  windows_updates:
+    deadline_days: 7
+    grace_period_days: 2
+  scripts: []
+policies: []
+queries: []