Commit graph

14 commits

Author SHA1 Message Date
Allen Houchins
442f6d0df3
Add screen-lock MDM profiles and exclusion labels (#44581)
Add macOS and Windows screen-lock configuration profiles and manual
exclusion labels, and wire them into fleet manifests and policies.

- Add macOS mobileconfig (screen-lock-inactivity) to start screensaver
after 900s and require a password with a 60s delay.
- Add Windows configuration (Screen lock timeout.xml) to set
InteractiveLogon_MachineInactivityLimit to 900s (15 minutes).
- Create manual labels: "macOS screen lock exclusions" and "Windows
screen lock exclusions" (empty host lists).
- Register the new labels in it-and-security/default.yml and include the
new profiles in workstations.yml with labels_exclude_any pointing to the
appropriate exclusion label.
- Update macOS and Windows policy YAMLs to exclude hosts in the
corresponding exclusion labels.


## Summary by CodeRabbit

* **New Features**
  * Added macOS and Windows "screen lock exclusions" labels to allow
    manual exemption of devices.
  * Introduced a macOS configuration profile that enforces a 15-minute
    inactivity screen lock and requires a password on resume.
  * Introduced a Windows configuration profile setting an equivalent
    15-minute inactivity timeout.
  * Screen-lock policies now support label-based exclusions so exempted
    devices are not affected.
2026-05-03 21:57:32 -05:00
Rachael Shaw
c9fe68b924
v4.84.0 doc changes (#40665) 2026-04-24 20:07:13 -05:00
kilo-code-bot[bot]
78d12190b3
Remove YubiKey references from onboarding handbook pages (#43104)
## Summary

- Removes YubiKey/Yubikey mentions from onboarding-related handbook
pages
- Security policy pages (`handbook/it/security.md`) are intentionally
**not** modified

## Changes

### `handbook/it/README.md`
- Removed "and YubiKey security keys" from the equipment provisioning
intro
- Removed the bullet item to order YubiKey 5C NFC keys for new team
members
- Removed "and include Yubikeys (if requested)" from the shipping
checklist

### `handbook/company/leadership.md`
- Removed "do NOT receive Yubikeys" from the consultant distinction list
(no longer relevant since YubiKeys are not part of onboarding)
- Removed "and Yubikeys" from the core team member hiring description

### `handbook/company/communications.md`
- Removed "YubiKey security keys," from the tools & equipment overview

---

Built for [Isabell
Reedy](https://fleetdm.slack.com/archives/D0AEGJCGJR0/p1775558324267559?thread_ts=1775484858.521199&cid=D0AEGJCGJR0)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)

Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
2026-04-07 09:43:59 -05:00
Allen Houchins
f8d73cf754
Add quarterly access review ritual for IT (#42806)
## Changes

- Added new quarterly access review ritual to IT rituals configuration
- Task is scheduled to start on 2026-04-01 with quarterly frequency
- Configured to automatically create issues using the
compliance-quarterly-access-review template
- Assigned to lppepper2 as DRI
- Tagged with `:help-it` label in confidential repo
2026-04-01 10:00:45 -05:00
kilo-code-bot[bot]
2a85a5f5b6
Move Vanta compliance responsibilities from Finance to IT (#42074)
## Summary

- Moved the "Monitor compliance tests" (Vanta) responsibility section
from the Finance department handbook page to the IT department handbook
page.
- Moved the corresponding "Vanta check" ritual entry from
`finance.rituals.yml` to `it.rituals.yml`, updating the `moreInfoUrl` to
point to `handbook/it#monitor-compliance-tests` and the label to
`:help-it`.
- Updated the GitHub label reference in the responsibility text from
`:help-finance` to `:help-it`.
- Added a backward-compatible stub on the Finance page redirecting old
links to the new IT location.

## Changes

| File | Change |
|------|--------|
| `handbook/finance/README.md` | Removed "Monitor compliance tests" section; added redirect stub |
| `handbook/it/README.md` | Added "Monitor compliance tests" section under Responsibilities |
| `handbook/finance/finance.rituals.yml` | Removed "Vanta check" ritual entry |
| `handbook/it/it.rituals.yml` | Added "Vanta check" ritual entry with updated URL and label |

---

Built for [Isabell
Reedy](https://fleetdm.slack.com/archives/D0AEGJCGJR0/p1773933615134779)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)

---------

Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
Co-authored-by: Isabell Reedy <113355639+ireedy@users.noreply.github.com>
2026-03-19 15:21:43 -05:00
Allen Houchins
d2893a8fe3
Update CVSSv3 to CVSSv4 in security documentation (#41814) 2026-03-17 16:28:50 -05:00
kilo-code-bot[bot]
b7b5d4190e
Add steps to request GitHub Support permanently delete a pull request (#41786)
## Summary

- Adds a new "Requesting pull request deletion" subsection to the
**GitHub security** section of the IT security handbook page
(`handbook/it/security.md`).
- Documents the step-by-step process for requesting GitHub Support to
permanently delete a pull request, including prerequisites, required
information, and important caveats.

## Changes

The new `### Requesting pull request deletion` section is added after
`### Automation` and before `## Google Workspace security`, as the last
subsection under `## GitHub security`. It covers:

1. Confirming the PR is closed
2. Signing in to GitHub Support with admin access
3. Opening a support ticket
4. Providing the required details (PR URL, reason for deletion)
5. Waiting for confirmation

An important note callout highlights that admin access is required,
deletion is permanent, and merged PRs generally cannot be deleted.

---

Built for [Luke
Heath](https://fleetdm.slack.com/archives/D0AMSD87DJL/p1773689381389609)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)

Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
2026-03-16 15:37:10 -05:00
Noah Talerman
09590bc6e2
"Teams" => "fleets", "queries" => "reports" doc changes (#39585) 2026-03-11 23:41:14 -05:00
kilo-code-bot[bot]
07d0ef5a2b
Update security incident reporting process to use #help-it channel (#41429)
## Summary

- Updated the security incident identification and triage process (Phase
I) in the IT security handbook to clarify how Fleet members should
report suspected security incidents.
- Reports should now be sent to the **#g-security** Slack channel with
`@mention` for **@Allen Houchins** and **@Pepper (Andrea Pepper)**.
- For serious incidents or if there isn't a timely response, members
should also follow up with a direct message (DM) to both Allen Houchins
and Pepper (Andrea Pepper).

## Changes

This replaces the previous generic list of reporting methods (direct
report, email, phone, Slack) with specific, actionable guidance
directing team members to the #g-security Slack channel with the
appropriate contacts.

---

Built for [Allen
Houchins](https://fleetdm.slack.com/archives/D0AFASNBZMW/p1773202350274859)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)

---------

Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
Co-authored-by: Allen Houchins <32207388+allenhouchins@users.noreply.github.com>
Co-authored-by: Magnus Jensen <magnus@fleetdm.com>
2026-03-11 10:57:32 -05:00
Allen Houchins
d82ff3248e
Update policy owner (#41192) 2026-03-06 21:01:59 -06:00
Sam Pfluger
0fd7e024e6
Rename and update Go-To-Market groups to operations (#39187)
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
2026-02-03 12:37:27 -06:00
Isabell Reedy
f305c33bce
Handbook: Org update (#39049) 2026-01-30 08:35:52 -06:00
Isabell Reedy
41f28e70f5
Handbook: Updating DRIs (#38989) 2026-01-29 07:46:34 -06:00
Isabell Reedy
fcac359298
Handbook: org and responsibilities update (#38527)
Co-authored-by: Sam Pfluger <108141731+Sampfluger88@users.noreply.github.com>
2026-01-20 17:20:16 -07:00