Replace the generic "Apple Silicon macOS hosts" label with app-specific
labels_include_any entries for macOS packages and add a Windows label
for VS Code. This change adds or updates labels for many self_service
macOS apps (Brave, Docker Desktop, VS Code, Microsoft Teams, GitHub
Desktop, UTM, Postman, Grammarly Desktop, iTerm2, Sublime Text,
Parallels, Loom, Spotify, Rectangle, Logi Options+, Figma, WhatsApp,
Android Studio, Zed, Obsidian, Google Drive, Cursor, etc.) to target
hosts that have each app installed rather than relying on the Apple
Silicon host label. Improves targeting for software availability in the
fleet configuration.
Add a macOS policy to check Fleet Desktop is at least v1.1.0 and
reference it from the workstations fleet. Update the Fleet Desktop
installer metadata to v1.1.0 (new SHA256). Also wrap long resolution
strings in quotes for consistency in Firefox and 1Password policies.
Comment out the patch-fleet-maintained-apps.yml entries for macOS and
Windows in it-and-security/fleets/workstations.yml. This temporarily
disables the FMA patch policies (kept as commented lines with a TEMP
note) to allow re-establishing the Fleet Maintained Apps software state.
Remove several x86-only Fleet-maintained Windows applications and their
associated dynamic labels and patch policies. Changes touch:
- it-and-security/fleets/workstations.yml: removed fleet app entries for
Brave, Docker Desktop, GitHub Desktop, Postman, Sublime Text, Spotify,
Figma, Google Drive, and Cursor.
- it-and-security/lib/all/labels/windows-with-fleet-maintained-apps-installed.yml: removed the matching x86 dynamic labels.
- it-and-security/lib/windows/policies/patch-fleet-maintained-apps.yml:
removed the corresponding patch policies for those apps.
This cleans up configuration related to x86-only Windows apps (labels
previously filtered on arch NOT LIKE 'ARM%').
Register iMazing Profile Editor as a Fleet-maintained app: add input
metadata, add app entry to outputs/apps.json, and add darwin-specific
version/installer info with install/uninstall scripts and checks. Update
frontend icon mapping to include the human-readable name, and adjust
fleet configs (workstations self-service slug, dynamic label bundle
identifier, and macOS patch policy) to reference the new
imazing-profile-editor/darwin slug and
com.DigiDNA.iMazingProfileEditorMac bundle ID.
Replace the fleet-maintained app record for "iMazing Profile Editor"
with the full "iMazing" app. Deleted the old input file and added a new
input for imazing; renamed output paths and updated app metadata (bundle
identifier, slug, categories). Bumped version to 3.5.2 and updated
installer URL, install/uninstall script refs and SHA256. Updated
frontend icon mapping and website routes to point to the new imazing
slug, and adjusted fleet configs: workstation software slug, dynamic
label query, and macOS patch policy to reference imazing/darwin and the
new bundle identifier.
Remove Microsoft Edge and Suspicious Package from fleet configurations:
deleted their software entries in
it-and-security/fleets/workstations.yml, removed corresponding dynamic
labels in
it-and-security/lib/all/labels/macs-with-fleet-maintained-apps-installed.yml,
and removed their patch policies in
it-and-security/lib/macos/policies/patch-fleet-maintained-apps.yml.
These apps are no longer included in the fleet-maintained app lists and
patch checks.
Add multiple Fleet-maintained apps to workstations (macOS and x86
Windows), create dynamic labels to detect installed apps, and add patch
policies to flag out-of-date installs. workstations.yml: add numerous
macOS self-service entries (e.g. GitHub Desktop, Postman, iTerm2,
Sublime Text, Figma, Spotify, Google Drive, Cursor, etc.) and x86
Windows entries with labels_include_any for x86 hosts.
lib/all/labels/...: add dynamic macOS labels using bundle identifiers
and x86 Windows labels using program name plus arch checks.
lib/macos/policies/... and lib/windows/policies/...: add patch policies
for each new app to notify about outdated versions and provide
remediation guidance (Self-service or app update/uninstall). These
changes enable inventory, self-service deployment, and patch management
for additional developer and productivity applications.
Register AWS VPN Client in fleet configs: add an IdP group label (IdP
group: SAML-aws-vpn), include that label in default.yml, and add
aws-vpn-client/darwin to fleet_maintained_apps (self_service=true,
labeled for the SAML-aws-vpn group). Add a dynamic label for macOS hosts
with AWS VPN Client installed (bundle id com.amazonaws.acvc.osx) and add
a macOS patch policy to surface/update hosts with out-of-date AWS VPN
Client. These changes enable inventorying, self-service installation,
and patch tracking for the AWS VPN Client.
Comment out Zoom Fleet Maintained App entries and associated labels and
patch policies until Zoom FMA is present in Fleet. Files updated:
workstations.yml (zoom/darwin and zoom/windows software entries
commented), labels/* (macOS and x86 Windows Zoom labels commented), and
macOS/Windows patch policy files (Zoom patch policies disabled via
comments). This prevents Fleet from referencing or enforcing Zoom
policies while the FMA is not available.
Remove local Zoom software manifests and icon and replace them with
fleet-maintained app slugs. Workstations fleet now references
zoom/darwin and zoom/windows slugs; added dynamic labels for Macs and
x86 Windows hosts with Zoom installed. Patch policies for macOS and
Windows updated to include Zoom using the new slugs so patch
checks/notifications are centralized. Deleted legacy
it-and-security/lib/*/software/zoom.yml and the Zoom icon to avoid
duplicate/local package definitions.
Add lock_end_user_info: false to it-and-security/fleets/workstations.yml
under macos_setup so end-user information is not locked during macOS
enrollment. This allows end users to view or edit their info while
end-user authentication remains enabled.
Migrate Firefox management to the fleet-maintained app slug
(firefox/darwin): update workstations.yml to remove the old update
policy and replace the macOS software entry with the firefox/darwin
slug; add a dynamic label for Macs with Firefox installed; add a patch
policy that targets the fleet_maintained_app_slug and uses the new
label. Also remove legacy update policy and package files for Firefox
(macOS and Windows) and the hardcoded Firefox pkg URL. This consolidates
Firefox management under Fleet-maintained apps and removes
duplicated/obsolete artifacts.
Introduce dynamic labels for common Fleet-maintained apps on macOS and
Windows, and add corresponding patch policies for macOS and Windows.
Update it-and-security/default.yml to include the new labels and
it-and-security/fleets/workstations.yml to use the consolidated patch
policies (replacing individual update policies). macOS policies use
labels_include_any and reference fleet_maintained_app_slug entries;
Windows policies include platform and architecture filters where
applicable. This centralizes patch checks for Fleet-maintained apps and
simplifies fleet policy management.
## Summary
- Adds a **macOS battery health check** policy that verifies the battery
health is "Good" and condition is "Normal" using the osquery `battery`
table's macOS-specific `health` and `condition` columns.
- Adds a **Windows battery health check** policy that verifies the
battery's full charge capacity remains above 80% of its designed
capacity using the osquery `battery` table's `max_capacity` and
`designed_capacity` columns.
- References both new policies in the **Workstations** team config
(`it-and-security/fleets/workstations.yml`).
- **Desktop computers (no battery) automatically pass** both policies.
The queries use a `NOT EXISTS` pattern so that devices returning zero
rows from the `battery` table are not treated as failures.
## Changes
| File | Description |
|------|-------------|
| `it-and-security/lib/macos/policies/battery-health-check.yml` | New macOS battery health policy |
| `it-and-security/lib/windows/policies/battery-health-check.yml` | New Windows battery health policy |
| `it-and-security/fleets/workstations.yml` | Added policy references for both platforms |
## Testing
- Policy queries validated against the [osquery `battery` table
schema](https://github.com/fleetdm/fleet/blob/main/schema/tables/battery.yml).
- macOS query: `SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM battery WHERE
health != 'Good' OR condition != 'Normal');`
- Windows query: `SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM battery WHERE
designed_capacity > 0 AND CAST(max_capacity AS REAL) / designed_capacity
<= 0.80);`
### Expected behavior
| Scenario | Result |
|----------|--------|
| Laptop with healthy battery | PASS |
| Laptop with unhealthy battery | FAIL |
| Desktop (no battery / zero rows) | PASS |
---
Built for [Allen
Houchins](https://fleetdm.slack.com/archives/D0AFASNBZMW/p1774454193574469?thread_ts=1774453340.076579&cid=D0AFASNBZMW)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
---------
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
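As an added illustration (not part of the PR or the Fleet repo), the two battery queries quoted above run in SQLite, the dialect osquery uses, against a constructed `battery` table with only the columns the queries touch, so every row of the expected-behavior table, plus the zero-rows desktop case and a zero `designed_capacity` reading, can be checked offline:

```python
import sqlite3

# Policy queries exactly as quoted in the PR description.
MACOS_BATTERY_POLICY = (
    "SELECT 1 WHERE NOT EXISTS "
    "(SELECT 1 FROM battery WHERE health != 'Good' OR condition != 'Normal');"
)
WINDOWS_BATTERY_POLICY = (
    "SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM battery WHERE "
    "designed_capacity > 0 AND CAST(max_capacity AS REAL) / designed_capacity "
    "<= 0.80);"
)


def evaluate_policy(query, battery_rows):
    """Run a policy query against an in-memory stand-in for osquery's `battery`
    table. Fleet marks a policy as passing when the query returns at least one
    row, so an empty table (desktop, no battery) makes NOT EXISTS true and the
    host passes instead of being flagged."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE battery (health TEXT, condition TEXT, "
        "max_capacity INTEGER, designed_capacity INTEGER)"
    )
    conn.executemany("INSERT INTO battery VALUES (?, ?, ?, ?)", battery_rows)
    passed = bool(conn.execute(query).fetchall())
    conn.close()
    return "PASS" if passed else "FAIL"


def run_scenarios():
    """Constructed battery rows for each scenario in the expected-behavior
    table, plus two edge cases the NOT EXISTS / designed_capacity guard covers."""
    scenarios = {
        "macos_healthy": (MACOS_BATTERY_POLICY, [("Good", "Normal", 4900, 5100)]),
        "macos_unhealthy": (MACOS_BATTERY_POLICY,
                            [("Poor", "Service Recommended", 3000, 5100)]),
        "macos_desktop": (MACOS_BATTERY_POLICY, []),
        "windows_healthy": (WINDOWS_BATTERY_POLICY, [(None, None, 4500, 5000)]),
        "windows_degraded": (WINDOWS_BATTERY_POLICY, [(None, None, 3900, 5000)]),
        "windows_boundary": (WINDOWS_BATTERY_POLICY, [(None, None, 4000, 5000)]),
        "windows_desktop": (WINDOWS_BATTERY_POLICY, []),
        # Firmware reporting designed_capacity = 0: the `> 0` guard avoids a
        # division by zero and the host is not flagged.
        "windows_zero_designed": (WINDOWS_BATTERY_POLICY, [(None, None, 0, 0)]),
    }
    return {name: evaluate_policy(q, rows) for name, (q, rows) in scenarios.items()}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```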
## Summary
- Adds `setup_experience: true` to the `claude/darwin` Fleet-maintained
app entry in the Workstations team, so Claude is automatically installed
during the macOS setup experience for new device enrollments.
- Adds `setup_experience: true` to the `claude/windows` Fleet-maintained
app entry in the Workstations team, so Claude is automatically installed
during the Windows setup experience for new device enrollments.
## Changes
Only `it-and-security/fleets/workstations.yml` is modified. Two lines
added — one `setup_experience: true` for each platform's Claude entry
under `fleet_maintained_apps`.
Built for [Allen
Houchins](https://fleetdm.slack.com/archives/D0AFASNBZMW/p1774450304000589)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
## Summary
- Adds a new **macOS - FileVault enabled** policy that checks whether
FileVault disk encryption is enabled on macOS devices by querying
`filevault_status` for an active status.
- Adds a new **Windows - BitLocker enabled** policy that checks whether
BitLocker disk encryption is enabled on the C: drive of Windows devices
by querying `bitlocker_info` for protection status.
- Both policies are added to the Workstations team configuration in
`workstations.yml`, placed alongside the existing disk encryption check
policies.
- Updated the resolution text for both policies to indicate that
settings should be automatically applied via MDM and to direct users to
#help-it for assistance.
- Changed resolution phrasing from "If you're still seeing this issue"
to "If you're still failing this policy" for both policies.
## Changes
| File | Change |
|------|--------|
| `it-and-security/lib/macos/policies/filevault-enabled.yml` | New policy file for macOS FileVault check |
| `it-and-security/lib/windows/policies/bitlocker-enabled.yml` | New policy file for Windows BitLocker check |
| `it-and-security/fleets/workstations.yml` | Added references to both new policy files |
Built for [Allen
Houchins](https://fleetdm.slack.com/archives/D0AFASNBZMW/p1774388430297229?thread_ts=1774386241.477189&cid=D0AFASNBZMW)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
---------
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
Add display_name: "Mozilla Firefox" to the Firefox software entries in
it-and-security/fleets/workstations.yml (macOS and Windows sections).
This ensures a consistent, user-facing name in self-service catalogs for
both platforms.
## Summary
- **Removed the WhatsApp block rule** from the Santa rules configuration
profile (`santa-rules.mobileconfig`). The rule blocked WhatsApp.app via
a CDHASH identifier (`54a8ec11bcea48a276b1fdce556a29108ba77de4`) and is
no longer needed.
- **Expanded Santa profile deployment to all macOS hosts** on the
Workstations team. Both `santa-configuration.mobileconfig` and
`santa-rules.mobileconfig` were previously scoped only to the `"Santa
test devices"` label (4 specific Macs). Removed the `labels_include_any`
restriction so these profiles now install on all Macs in the
Workstations team.
- **Deleted the "Santa test devices" label entirely.** Removed the label
definition file (`santa-test-devices.yml`), its reference in
`default.yml`, and all remaining `labels_include_any` references to it
from the Santa software entry, install-santa-extension policy, and
collect-santa-denied-logs report.
## Changes
### `it-and-security/lib/macos/configuration-profiles/santa-rules.mobileconfig`
- Removed the `BLOCKLIST` / `CDHASH` rule entry for WhatsApp.app
(identifier `54a8ec11bcea48a276b1fdce556a29108ba77de4`)
- The allowlist for North Pole Security (Team ID) and the test block
rule for BundleExample.app remain unchanged
### `it-and-security/fleets/workstations.yml`
- Removed `labels_include_any: ["Santa test devices"]` from the
`santa-configuration.mobileconfig` and `santa-rules.mobileconfig`
profile entries
- Removed `labels_include_any: ["Santa test devices"]` from the Santa
software entry
- All Santa-related profiles and software now apply to all macOS hosts
on the Workstations team
### `it-and-security/lib/all/labels/santa-test-devices.yml` (deleted)
- Removed the manual label definition for "Santa test devices"
(previously scoped to 4 specific Macs)
### `it-and-security/default.yml`
- Removed the label path reference to `santa-test-devices.yml`
### `it-and-security/lib/macos/policies/install-santa-extension.yml`
- Removed `labels_include_any: ["Santa test devices"]` so the policy
applies to all macOS hosts
### `it-and-security/lib/macos/reports/collect-santa-denied-logs.yml`
- Removed `labels_include_any: ["Santa test devices"]` so the report
applies to all macOS hosts
---
Built for [Allen
Houchins](https://fleetdm.slack.com/archives/D0AFASNBZMW/p1774320804143629?thread_ts=1774320368.198119&cid=D0AFASNBZMW)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
---------
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
Introduce a new report
lib/macos/reports/collect-macos-27-incompatible-apps.yml that queries
apps joined with Spotlight mdls to find Intel-only (x86_64 without
arm64) bundles. The report collects app name, path, bundle identifier,
version, architectures and last opened time, runs weekly (interval
604800), has snapshot logging and automations disabled. Also add the
report to the workstations.yml reports list so it runs for the macOS
workstation fleet.
## Changes
Removes the duplicate `labels_include_any` mapping key from the
`claude/windows` fleet-maintained app entry in
`fleets/workstations.yml`.
This duplicate key causes a YAML validation error ("duplicated mapping
key") because the same key appears twice on the same mapping. The fix
keeps the first occurrence (before `categories`) and removes the second.
## Summary
- Adds a Windows Firefox update policy (`update-firefox.yml`) to detect
outdated Firefox installations vulnerable to CVE-2025-2857
- Adds Firefox as a Fleet-maintained app for Windows workstations
(`firefox/windows`) for self-service installation/update
- Registers both the policy and maintained app in `workstations.yml`
## CVE-2025-2857: Firefox Sandbox Escape on Windows
[CVE-2025-2857](https://nvd.nist.gov/vuln/detail/CVE-2025-2857) is a
**critical** sandbox escape vulnerability in Mozilla Firefox on Windows.
Following the Chrome sandbox escape (CVE-2025-2783), Firefox developers
identified a similar pattern in Firefox's IPC code where a compromised
child process could cause the parent process to return an
unintentionally powerful handle, leading to a sandbox escape.
**Affected versions:**
- Firefox < 136.0.4
- Firefox ESR < 128.8.1
- Firefox ESR < 115.21.1
**Only affects Firefox on Windows.** Other operating systems are
unaffected.
## What was changed and why
The Fleet-maintained Firefox app is already at version 148.0.2 (well
beyond the fix), and macOS workstations already had both an update
policy and software package configured. However, **Windows workstations
had no Firefox update policy or maintained app** — meaning there was no
mechanism to:
1. **Detect** Windows hosts running vulnerable Firefox versions
2. **Remediate** by offering an updated Firefox via self-service
This PR closes that gap by:
1. **`it-and-security/lib/windows/policies/update-firefox.yml`** — New
policy that queries the Windows `programs` table to flag any host with
Firefox < 148.0.2 (uses `LIKE 'Mozilla Firefox%'` and `NOT LIKE '%ESR%'`
to match standard Firefox installations, matching the pattern used in
other Windows update policies)
2. **`it-and-security/fleets/workstations.yml`** — Adds the policy
reference under Windows policies, and adds `firefox/windows` to
`fleet_maintained_apps` for self-service browser installation on x86
Windows hosts
---
Built for
[mikermcneil](https://fleetdm.slack.com/archives/D0AFASLRHNU/p1773774729891479)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
Co-authored-by: Kilo Code <kilo-bot@kilo.ai>
## Summary
- Adds new Fleet policies (`update-slack.yml`) for macOS and Windows
that **fail** if a device has an outdated version of Slack installed
(below `4.48.100`).
- Follows the existing `update-*` policy pattern used by 1Password,
Claude, and Firefox.
- Registers both policies in `workstations.yml` under the appropriate OS
sections.
## Changes
| File | Description |
|---|---|
| `it-and-security/lib/macos/policies/update-slack.yml` | New macOS policy: checks `apps` table for `Slack.app` version via `version_compare` |
| `it-and-security/lib/windows/policies/update-slack.yml` | New Windows policy: checks `programs` table for `Slack` version via `version_compare` |
| `it-and-security/fleets/workstations.yml` | Adds both policy paths to the workstations fleet |
## Policy behavior
The policy **passes** if Slack is not installed OR if the installed
version is >= `4.48.100`. The policy **fails** if Slack is installed but
at a version older than `4.48.100`.
---
Built for [Allen
Houchins](https://fleetdm.slack.com/archives/D0AFASNBZMW/p1773436302175049)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
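Added example, not the repo's own policy files, covering both the Windows Firefox update policy described earlier (CVE-2025-2857 section) and the Slack `version_compare` policies above: the three queries are reconstructed from the descriptions (their exact shape is an assumption), `version_compare` is modelled as a Python function with assumed -1/0/1 semantics registered into SQLite, and the `programs` / `apps` rows are constructed. It also shows why a plain string comparison would misorder `4.48.100` and `4.48.99`.

```python
import re
import sqlite3


def version_compare(a, b):
    """Stand-in for osquery's version_compare(): compares dotted numeric
    versions component by component and returns -1, 0 or 1 (assumed
    semantics; a string compare would rank '4.48.99' above '4.48.100')."""
    pa = [int(x) for x in re.findall(r"\d+", a or "")]
    pb = [int(x) for x in re.findall(r"\d+", b or "")]
    width = max(len(pa), len(pb))
    pa += [0] * (width - len(pa))
    pb += [0] * (width - len(pb))
    return (pa > pb) - (pa < pb)


# Reconstructed policy queries (assumed shape, not the repo's YAML). A host
# passes when a row comes back, i.e. when no outdated install exists.
FIREFOX_WINDOWS_POLICY = """
SELECT 1 WHERE NOT EXISTS (
  SELECT 1 FROM programs
  WHERE name LIKE 'Mozilla Firefox%' AND name NOT LIKE '%ESR%'
    AND version_compare(version, '148.0.2') < 0
)"""
# Caveat: the ESR exclusion puts ESR builds out of scope of this policy, so
# ESR hosts below 128.8.1 / 115.21.1 would need a policy of their own.
SLACK_WINDOWS_POLICY = """
SELECT 1 WHERE NOT EXISTS (
  SELECT 1 FROM programs
  WHERE name = 'Slack' AND version_compare(version, '4.48.100') < 0
)"""
SLACK_MACOS_POLICY = """
SELECT 1 WHERE NOT EXISTS (
  SELECT 1 FROM apps
  WHERE name = 'Slack.app'
    AND version_compare(bundle_short_version, '4.48.100') < 0
)"""


def evaluate(query, programs=(), apps=()):
    """Run a policy query against constructed rows standing in for osquery's
    Windows `programs` and macOS `apps` tables (only the columns used)."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("version_compare", 2, version_compare)
    conn.execute("CREATE TABLE programs (name TEXT, version TEXT)")
    conn.execute("CREATE TABLE apps (name TEXT, bundle_short_version TEXT)")
    conn.executemany("INSERT INTO programs VALUES (?, ?)", list(programs))
    conn.executemany("INSERT INTO apps VALUES (?, ?)", list(apps))
    result = "PASS" if conn.execute(query).fetchall() else "FAIL"
    conn.close()
    return result


if __name__ == "__main__":
    # Constructed inventories for a few hosts.
    print(evaluate(FIREFOX_WINDOWS_POLICY,
                   programs=[("Mozilla Firefox (x64 en-US)", "147.0.1")]))  # FAIL
    print(evaluate(SLACK_MACOS_POLICY, apps=[("Slack.app", "4.48.99")]))  # FAIL
    print(evaluate(SLACK_WINDOWS_POLICY, programs=[("Slack", "4.48.100")]))  # PASS
    print(evaluate(FIREFOX_WINDOWS_POLICY))  # PASS: nothing installed
```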
## Summary
- Adds Slack as managed software to the Workstations fleet for
**macOS**, **Windows**, and **Linux** so it is installed on all new and
existing devices and kept up to date automatically.
- Uses **Fleet-maintained apps** (`slack/darwin`, `slack/windows`) for
macOS and Windows to ensure the latest version is always deployed.
- References the existing `slack-deb.yml` and `slack-rpm.yml` package
definitions for Linux (Debian and RPM).
- All entries include `self_service: true` and `setup_experience: true`
to install on new devices during setup and allow self-service
reinstallation.
- Mobile devices (iOS, iPadOS, Android) already have Slack configured in
both company-owned and personal mobile device fleets — no changes needed
there.
## Changes
Only `it-and-security/fleets/workstations.yml` is modified:
| Platform | Method | Entry |
|----------|--------|-------|
| macOS | `fleet_maintained_apps` | `slack/darwin` (Apple Silicon) |
| Windows | `fleet_maintained_apps` | `slack/windows` (x86) |
| Linux (Debian) | `packages` | `slack-deb.yml` |
| Linux (RPM) | `packages` | `slack-rpm.yml` |
Built for [Allen
Houchins](https://fleetdm.slack.com/archives/D0AFASNBZMW/p1773435271021419)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
---------
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
Co-authored-by: Allen Houchins <32207388+allenhouchins@users.noreply.github.com>
This pull request removes Slack from the managed software and policy
lists for all platforms (macOS, Linux, and Windows) in the workstation
fleet configuration. The associated policy file for keeping Slack up to
date on macOS has also been deleted.
Key removals by theme:
Slack software and policy removal:
* Removed the `update-slack.yml` policy from the list of enforced macOS
policies in `workstations.yml`.
* Deleted the `update-slack.yml` policy file for macOS, which checked
that Slack was up to date.
Slack application removal from managed software:
* Removed Slack from the list of managed apps for macOS
(`slack/darwin`), Linux (`slack-deb.yml` and `slack-rpm.yml`), and
Windows (`slack/windows`) in the `workstations.yml` configuration.