This PR automatically updates both 1Password macOS version policy and
Safari version policy for dogfood.
The changes were generated automatically by the
[dogfood-automated-policy-updates
workflow](https://github.com/fleetdm/fleet/actions/workflows/dogfood-automated-policy-updates.yml).
Co-authored-by: allenhouchins <32207388+allenhouchins@users.noreply.github.com>
Add a new dynamic label 'Macs with Fleet Desktop installed' (platform:
darwin) that selects hosts where apps.name = 'Fleet Desktop'. Update the
macOS policy update-fleet-desktop.yml to include this label via
labels_include_any so the policy targets only hosts with Fleet Desktop
installed. Files changed:
it-and-security/lib/all/labels/macs-with-fleet-desktop-installed.yml
(new) and it-and-security/lib/macos/policies/update-fleet-desktop.yml
(modified).
Extend the battery-health-check SQL to flag batteries whose max_capacity
/ designed_capacity is below 80%. The new clause guards against zero
capacities and casts max_capacity to REAL for proper floating-point
division, improving detection of degraded batteries in the macOS policy.
Replace two icon assets used by the it-and-security module:
it-and-security/lib/all/icons/fleet-desktop-icon.png and
it-and-security/lib/all/icons/keynote-theme-swan.png. These binary PNG
updates refresh the visuals for the corresponding icons.
Replace the generic "Apple Silicon macOS hosts" label with app-specific
labels_include_any entries for macOS packages and add a Windows label
for VS Code. This change adds or updates labels for many self_service
macOS apps (Brave, Docker Desktop, VS Code, Microsoft Teams, GitHub
Desktop, UTM, Postman, Grammarly Desktop, iTerm2, Sublime Text,
Parallels, Loom, Spotify, Rectangle, Logi Options+, Figma, WhatsApp,
Android Studio, Zed, Obsidian, Google Drive, Cursor, etc.) to target
hosts that have each app installed rather than relying on the Apple
Silicon host label. Improves targeting for software availability in the
fleet configuration.
Add a macOS policy to check Fleet Desktop is at least v1.1.0 and
reference it from the workstations fleet. Update the Fleet Desktop
installer metadata to v1.1.0 (new SHA256). Also wrap long resolution
strings in quotes for consistency in Firefox and 1Password policies.
Comment out the patch-fleet-maintained-apps.yml entries for macOS and
Windows in it-and-security/fleets/workstations.yml. This temporarily
disables the FMA patch policies (kept as commented lines with a TEMP
note) to allow re-establishing the Fleet Maintained Apps software state.
Remove several x86-only Fleet-maintained Windows applications and their
associated dynamic labels and patch policies. Changes touch:
- it-and-security/fleets/workstations.yml: removed fleet app entries for
Brave, Docker Desktop, GitHub Desktop, Postman, Sublime Text, Spotify,
Figma, Google Drive, and Cursor.
-
it-and-security/lib/all/labels/windows-with-fleet-maintained-apps-installed.yml:
removed the matching x86 dynamic labels.
- it-and-security/lib/windows/policies/patch-fleet-maintained-apps.yml:
removed the corresponding patch policies for those apps.
This cleans up configuration related to x86-only Windows apps (labels
previously filtered on arch NOT LIKE 'ARM%').
Register iMazing Profile Editor as a Fleet-maintained app: add input
metadata, add app entry to outputs/apps.json, and add darwin-specific
version/installer info with install/uninstall scripts and checks. Update
frontend icon mapping to include the human-readable name, and adjust
fleet configs (workstations self-service slug, dynamic label bundle
identifier, and macOS patch policy) to reference the new
imazing-profile-editor/darwin slug and
com.DigiDNA.iMazingProfileEditorMac bundle ID.
Replace the fleet-maintained app record for "iMazing Profile Editor"
with the full "iMazing" app. Deleted the old input file and added a new
input for imazing; renamed output paths and updated app metadata (bundle
identifier, slug, categories). Bumped version to 3.5.2 and updated
installer URL, install/uninstall script refs and SHA256. Updated
frontend icon mapping and website routes to point to the new imazing
slug, and adjusted fleet configs: workstation software slug, dynamic
label query, and macOS patch policy to reference imazing/darwin and the
new bundle identifier.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* iMazing application (v3.5.2) now replaces iMazing Profile Editor with
improved capabilities and enhanced functionality.
* Application category updated from Developer tools to Utilities for
better organization and discoverability.
* **Updates**
* Updated deployment configurations, system routes, and management
policies to support iMazing across all managed environments and
platforms.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Remove Microsoft Edge and Suspicious Package from fleet configurations:
deleted their software entries in
it-and-security/fleets/workstations.yml, removed corresponding dynamic
labels in
it-and-security/lib/all/labels/macs-with-fleet-maintained-apps-installed.yml,
and removed their patch policies in
it-and-security/lib/macos/policies/patch-fleet-maintained-apps.yml.
These apps are no longer included in the fleet-maintained app lists and
patch checks.
Add multiple Fleet-maintained apps to workstations (macOS and x86
Windows), create dynamic labels to detect installed apps, and add patch
policies to flag out-of-date installs. workstations.yml: add numerous
macOS self-service entries (e.g. GitHub Desktop, Postman, iTerm2,
Sublime Text, Figma, Spotify, Google Drive, Cursor, etc.) and x86
Windows entries with labels_include_any for x86 hosts.
lib/all/labels/...: add dynamic macOS labels using bundle identifiers
and x86 Windows labels using program name plus arch checks.
lib/macos/policies/... and lib/windows/policies/...: add patch policies
for each new app to notify about outdated versions and provide
remediation guidance (Self-service or app update/uninstall). These
changes enable inventory, self-service deployment, and patch management
for additional developer and productivity applications.
Add more DEX queries for building DEX dashboards and reporting
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves #
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
- [ ] Timeouts are implemented and retries are limited to avoid infinite
loops
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [ ] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [ ] QA'd all new/changed functionality manually
For unreleased bug fixes in a release candidate, one of:
- [ ] Confirmed that the fix is not expected to adversely impact load
test results
- [ ] Alerted the release DRI if additional load testing is needed
## Database migrations
- [ ] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [ ] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [ ] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
## New Fleet configuration settings
- [ ] Setting(s) is/are explicitly excluded from GitOps
If you didn't check the box above, follow this checklist for
GitOps-enabled settings:
- [ ] Verified that the setting is exported via `fleetctl
generate-gitops`
- [ ] Verified the setting is documented in a separate PR to [the GitOps
documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485)
- [ ] Verified that the setting is cleared on the server if it is not
supplied in a YAML file (or that it is documented as being optional)
- [ ] Verified that any relevant UI is disabled when GitOps mode is
enabled
## fleetd/orbit/Fleet Desktop
- [ ] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [ ] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [ ] Verified that fleetd runs on macOS, Linux and Windows
- [ ] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
This PR automatically updates macOS version policies, 1Password macOS
version policy, and Safari version policy for dogfood.
The changes were generated automatically by the
[dogfood-automated-policy-updates
workflow](https://github.com/fleetdm/fleet/actions/workflows/dogfood-automated-policy-updates.yml).
Co-authored-by: allenhouchins <32207388+allenhouchins@users.noreply.github.com>
Register AWS VPN Client in fleet configs: add an IdP group label (IdP
group: SAML-aws-vpn), include that label in default.yml, and add
aws-vpn-client/darwin to fleet_maintained_apps (self_service=true,
labeled for the SAML-aws-vpn group). Add a dynamic label for macOS hosts
with AWS VPN Client installed (bundle id com.amazonaws.acvc.osx) and add
a macOS patch policy to surface/update hosts with out-of-date AWS VPN
Client. These changes enable inventorying, self-service installation,
and patch tracking for the AWS VPN Client.
Remove wording that suggested deleting/uninstalling apps from resolution
text in fleet-maintained app patch policies. Updated macOS and Windows
policy files to only advise updating via Self-service or each app's
built-in update functionality (no mention of deleting/uninstalling).
Affected files:
it-and-security/lib/macos/policies/patch-fleet-maintained-apps.yml and
it-and-security/lib/windows/policies/patch-fleet-maintained-apps.yml.
This PR automatically updates both 1Password macOS version policy and
Safari version policy for dogfood.
The changes were generated automatically by the
[dogfood-automated-policy-updates
workflow](https://github.com/fleetdm/fleet/actions/workflows/dogfood-automated-policy-updates.yml).
Co-authored-by: allenhouchins <32207388+allenhouchins@users.noreply.github.com>
Comment out Zoom Fleet Maintained App entries and associated labels and
patch policies until Zoom FMA is present in Fleet. Files updated:
workstations.yml (zoom/darwin and zoom/windows software entries
commented), labels/* (macOS and x86 Windows Zoom labels commented), and
macOS/Windows patch policy files (Zoom patch policies disabled via
comments). This prevents Fleet from referencing or enforcing Zoom
policies while the FMA is not available.
Temporarily disable Zoom-related Fleet Maintained App (FMA) labels and
patch policies across macOS and Windows while the FMA installer issue is
resolved in gitops (SQL returned no rows). Commented out the Zoom label
entries in lib/all/labels/*-with-fleet-maintained-apps-installed.yml and
the corresponding Zoom patch policies in
it-and-security/lib/macos/policies/patch-fleet-maintained-apps.yml and
it-and-security/lib/windows/policies/patch-fleet-maintained-apps.yml,
with comments noting to uncomment them together when re-enabling.
Remove local Zoom software manifests and icon and replace them with
fleet-maintained app slugs. Workstations fleet now references
zoom/darwin and zoom/windows slugs; added dynamic labels for Macs and
x86 Windows hosts with Zoom installed. Patch policies for macOS and
Windows updated to include Zoom using the new slugs so patch
checks/notifications are centralized. Deleted legacy
it-and-security/lib/*/software/zoom.yml and the Zoom icon to avoid
duplicate/local package definitions.
Add lock_end_user_info: false to it-and-security/fleets/workstations.yml
under macos_setup so end-user information is not locked during macOS
enrollment. This allows end users to view or edit their info while
end-user authentication remains enabled.
Replace individual department-*.yml label files with a single
lib/all/labels/departments.yml and update it-and-security/default.yml to
reference the consolidated file. Removes the separate department files
and moves their label entries into departments.yml; behavior and label
criteria are unchanged — this is a refactor to reduce file clutter and
simplify label management.
Migrate Firefox management to the fleet-maintained app slug
(firefox/darwin): update workstations.yml to remove the old update
policy and replace the macOS software entry with the firefox/darwin
slug; add a dynamic label for Macs with Firefox installed; add a patch
policy that targets the fleet_maintained_app_slug and uses the new
label. Also remove legacy update policy and package files for Firefox
(macOS and Windows) and the hardcoded Firefox pkg URL. This consolidates
Firefox management under Fleet-maintained apps and removes
duplicated/obsolete artifacts.
Introduce dynamic labels for common Fleet-maintained apps on macOS and
Windows, and add corresponding patch policies for macOS and Windows.
Update it-and-security/default.yml to include the new labels and
it-and-security/fleets/workstations.yml to use the consolidated patch
policies (replacing individual update policies). macOS policies use
labels_include_any and reference fleet_maintained_app_slug entries;
Windows policies include platform and architecture filters where
applicable. This centralizes patch checks for Fleet-maintained apps and
simplifies fleet policy management.
## Summary
- Update the macOS "Claude up to date" policy minimum version from
`1.1.5749` to `1.1.9493` (latest Homebrew cask version)
- Update the Windows "Claude up to date" policy minimum version from
`1.1.5368` to `1.1.9310` (latest winget version)
These policies ensure all Workstations team hosts are running the latest
version of the Claude desktop app (Anthropic). The policies,
Fleet-maintained app entries (`claude/darwin`, `claude/windows`), and
workstations team references were already in place — this PR only bumps
the version numbers checked by the osquery queries.
## Changes
| File | Change |
|------|--------|
| `it-and-security/lib/macos/policies/update-claude.yml` |
`version_compare` threshold `1.1.5749` → `1.1.9493` |
| `it-and-security/lib/windows/policies/update-claude.yml` |
`version_compare` threshold `1.1.5368` → `1.1.9310` |
Built for [Allen
Houchins](https://fleetdm.slack.com/archives/D0AFASNBZMW/p1774884397872049)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#42573
Fixes failing test by replacing no-longer-supported `--no-quarantine`
option with manually turning off quarantine for Wine.
Successful run here:
https://github.com/fleetdm/fleet/actions/runs/23661332211
---------
Co-authored-by: Allen Houchins <allenhouchins@mac.com>
## Summary
- Adds a **macOS battery health check** policy that verifies the battery
health is "Good" and condition is "Normal" using the osquery `battery`
table's macOS-specific `health` and `condition` columns.
- Adds a **Windows battery health check** policy that verifies the
battery's full charge capacity remains above 80% of its designed
capacity using the osquery `battery` table's `max_capacity` and
`designed_capacity` columns.
- References both new policies in the **Workstations** team config
(`it-and-security/fleets/workstations.yml`).
- **Desktop computers (no battery) automatically pass** both policies.
The queries use a `NOT EXISTS` pattern so that devices returning zero
rows from the `battery` table are not treated as failures.
## Changes
| File | Description |
|------|-------------|
| `it-and-security/lib/macos/policies/battery-health-check.yml` | New
macOS battery health policy |
| `it-and-security/lib/windows/policies/battery-health-check.yml` | New
Windows battery health policy |
| `it-and-security/fleets/workstations.yml` | Added policy references
for both platforms |
## Testing
- Policy queries validated against the [osquery `battery` table
schema](https://github.com/fleetdm/fleet/blob/main/schema/tables/battery.yml).
- macOS query: `SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM battery WHERE
health != 'Good' OR condition != 'Normal');`
- Windows query: `SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM battery WHERE
designed_capacity > 0 AND CAST(max_capacity AS REAL) / designed_capacity
<= 0.80);`
### Expected behavior
| Scenario | Result |
|----------|--------|
| Laptop with healthy battery | PASS |
| Laptop with unhealthy battery | FAIL |
| Desktop (no battery / zero rows) | PASS |
---
Built for [Allen
Houchins](https://fleetdm.slack.com/archives/D0AFASNBZMW/p1774454193574469?thread_ts=1774453340.076579&cid=D0AFASNBZMW)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
---------
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
## Summary
- Enables `calendar_events_enabled: true` for the **Windows - 1Password
up to date** and **Windows - Firefox up to date** policies on the
Workstations team.
- Updates the `description` and `resolution` text to match the pattern
already used by the macOS counterparts, referencing the scheduled
maintenance window and calendar.
This mirrors the calendar integration that was previously enabled for
the macOS 1Password and Firefox update policies.
---
Built for [Allen
Houchins](https://fleetdm.slack.com/archives/D0AFASNBZMW/p1774451322610839)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
## Summary
- Adds `setup_experience: true` to the `claude/darwin` Fleet-maintained
app entry in the Workstations team, so Claude is automatically installed
during the macOS setup experience for new device enrollments.
- Adds `setup_experience: true` to the `claude/windows` Fleet-maintained
app entry in the Workstations team, so Claude is automatically installed
during the Windows setup experience for new device enrollments.
## Changes
Only `it-and-security/fleets/workstations.yml` is modified. Two lines
added — one `setup_experience: true` for each platform's Claude entry
under `fleet_maintained_apps`.
Built for [Allen
Houchins](https://fleetdm.slack.com/archives/D0AFASNBZMW/p1774450304000589)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
## Summary
- Adds a new **macOS - FileVault enabled** policy that checks whether
FileVault disk encryption is enabled on macOS devices by querying
`filevault_status` for an active status.
- Adds a new **Windows - BitLocker enabled** policy that checks whether
BitLocker disk encryption is enabled on the C: drive of Windows devices
by querying `bitlocker_info` for protection status.
- Both policies are added to the Workstations team configuration in
`workstations.yml`, placed alongside the existing disk encryption check
policies.
- Updated the resolution text for both policies to indicate that
settings should be automatically applied via MDM and to direct users to
#help-it for assistance.
- Changed resolution phrasing from "If you're still seeing this issue"
to "If you're still failing this policy" for both policies.
## Changes
| File | Change |
|------|--------|
| `it-and-security/lib/macos/policies/filevault-enabled.yml` | New
policy file for macOS FileVault check |
| `it-and-security/lib/windows/policies/bitlocker-enabled.yml` | New
policy file for Windows BitLocker check |
| `it-and-security/fleets/workstations.yml` | Added references to both
new policy files |
Built for [Allen
Houchins](https://fleetdm.slack.com/archives/D0AFASNBZMW/p1774388430297229?thread_ts=1774386241.477189&cid=D0AFASNBZMW)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
---------
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
This PR automatically updates macOS version policies, 1Password macOS
version policy, and Safari version policy for dogfood.
The changes were generated automatically by the
[dogfood-automated-policy-updates
workflow](https://github.com/fleetdm/fleet/actions/workflows/dogfood-automated-policy-updates.yml).
Co-authored-by: allenhouchins <32207388+allenhouchins@users.noreply.github.com>
## Summary
- Updates Firefox from 148.0.2 to 149.0 (released March 23, 2026) across
the Workstations team configuration
- Updates macOS custom package download URL to Firefox 149.0
- Updates macOS and Windows version-check policies to enforce version >=
149.0
## Changes
| File | Change |
|---|---|
| `it-and-security/lib/macos/software/mozilla-firefox.yml` | Updated
package URL from 148.0.2 to 149.0 |
| `it-and-security/lib/macos/policies/update-firefox.yml` | Updated
version check from 148.0.2 to 149.0 |
| `it-and-security/lib/windows/policies/update-firefox.yml` | Updated
version check from 148.0.2 to 149.0 |
## Notes
- Firefox on Windows uses the Fleet-maintained app (`slug:
firefox/windows`), which is managed by the Fleet catalog and will
auto-update when the catalog is refreshed
- Firefox on macOS uses a custom package URL since the existing pattern
uses a `.pkg` installer
- Both macOS and Windows already have self-service enabled and
corresponding update policies with calendar event enforcement (macOS)
Built for [Allen
Houchins](https://fleetdm.slack.com/archives/D0AFASNBZMW/p1774366778146629)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
---------
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
Co-authored-by: Allen Houchins <32207388+allenhouchins@users.noreply.github.com>
Add display_name: "Mozilla Firefox" to the Firefox software entries in
it-and-security/fleets/workstations.yml (macOS and Windows sections).
This ensures a consistent, user-facing name in self-service catalogs for
both platforms.
