Commit graph

554 commits

Author SHA1 Message Date
Allen Houchins
c30648cb57
Update policy that checks launch agent plist file presence (#44731)
Replace the package_receipts-based query with a file table check for
/Library/LaunchAgents/com.fleetdm.fleet-desktop-hidden.plist. Update the
policy description and resolution to reference the plist presence and to
instruct confirming the installer drops that plist if the check fails.
Other policy fields (install_software, labels) remain unchanged.
2026-05-05 09:01:35 -05:00
Allen Houchins
c563c8b89c
Add macOS configuration for Fleet Desktop launch agent (#44693)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **New Features**
* Added automatic launch agent support for Fleet Desktop.app on macOS
devices, enabling the app to start automatically at system login without
user interaction
* Implemented MDM configuration profiles and policies for seamless
deployment and automatic management across macOS devices
* Added dynamic labeling capabilities to identify and track macOS hosts
with the Fleet Desktop launch agent profile installed

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-05-04 14:33:37 -05:00
Allen Houchins
4be56c1064
Revert "Add Fleet Desktop launch agent configuration profile" (#44688)
Reverts fleetdm/fleet#44679
2026-05-04 13:40:09 -05:00
Allen Houchins
0d35759b83
Add Fleet Desktop launch agent configuration profile (#44679)
Add a new macOS configuration profile
(fleet-desktop-launchagent.mobileconfig) that configures managed
login/background items to allow Fleet Desktop.app's launch agent to run
at login without prompting the user. Also reference the profile in
it-and-security/fleets/workstations.yml so hosts labeled as having Fleet
Desktop.app installed will match the control.
2026-05-04 13:29:12 -05:00
Allen Houchins
6a5c67dbdf
Remove enrollment profile policy and test label (#44683)
Delete the macOS policy 'enrollment-profile-up-to-date' and the 'Nudge
test devices' label, and remove their references from it-and-security
manifests. Files removed:
it-and-security/lib/macos/policies/enrollment-profile-up-to-date.yml and
it-and-security/lib/all/labels/nudge-test-devices.yml; references
dropped from it-and-security/default.yml,
it-and-security/fleets/testing-and-qa.yml, and
it-and-security/fleets/workstations.yml to avoid loading deleted
artifacts.
2026-05-04 13:15:58 -05:00
Allen Houchins
16e8557f4b
Remove Fleet Desktop login item profile (#44673)
Delete the macOS configuration profile that managed Fleet Desktop as a
login item
(it-and-security/lib/macos/configuration-profiles/fleet-desktop-login-item.mobileconfig)
and remove its inclusion and associated label filter from the
workstations fleet controls (it-and-security/fleets/workstations.yml).
Cleans up an obsolete/unused profile and its reference.
2026-05-04 10:56:42 -05:00
Allen Houchins
ad79c4a410
Convert Fleet Desktop.app to FMA and patch policy (#44654)
Make Fleet Desktop detection more precise and switch to fleet-maintained
app workflow. Rename label to include the .app suffix and filter by
bundle_identifier; update workstations.yml to reference the new label
and replace the file-based software entry with the fleet-maintained slug
(fleet-desktop/darwin). Add a Fleet Desktop entry to the
patch-fleet-maintained-apps policy so Fleet Desktop is managed via the
fleet_maintained_app_slug. Remove the now-obsolete update-fleet-desktop
policy and the packaged fleet-desktop software metadata file.
2026-05-04 09:50:43 -05:00
kilo-code-bot[bot]
dc58f84c3f
Enable host expiry (90 days) for Workstations and mobile device teams (#44650)
## Summary

- Enables host expiry settings for three teams by setting
`host_expiry_enabled: true` and `host_expiry_window: 90` (days) in each
team's GitOps configuration file.
- Hosts that have not checked in for 90 days will be automatically
removed from these teams' inventories.

## Changes

- `it-and-security/fleets/workstations.yml`: Updated
`host_expiry_settings` to enable expiry with a 90-day window.
- `it-and-security/fleets/company-owned-mobile-devices.yml`: Updated
`host_expiry_settings` to enable expiry with a 90-day window.
- `it-and-security/fleets/personal-mobile-devices.yml`: Updated
`host_expiry_settings` to enable expiry with a 90-day window.

## Teams affected

| Team | File | Window |
|------|------|--------|
| 💻 Workstations | `workstations.yml` | 90 days |
| 📱🏢 Employee-issued mobile devices | `company-owned-mobile-devices.yml` | 90 days |
| 📱🔐 Personal mobile devices | `personal-mobile-devices.yml` | 90 days |

## Related

- Follows the same pattern as #44649 (Testing & QA team, 30 days).

---

Built for [Allen
Houchins](https://fleetdm.slack.com/archives/D0AFASNBZMW/p1777903880443949?thread_ts=1776095784.812489&cid=D0AFASNBZMW)
by [Kilo for Slack](https://kilo.ai/slack)

Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
2026-05-04 09:20:11 -05:00
kilo-code-bot[bot]
8a991b8a4c
Enable host expiry for Testing & QA team (30 days) (#44649)
## Summary

- Enables host expiry settings for the "🧪 Testing & QA" team by setting
`host_expiry_enabled: true` and `host_expiry_window: 30` (days) in the
team's GitOps configuration file.
- Hosts that have not checked in for 30 days will be automatically
removed from this team's inventory.

## Changes

- `it-and-security/fleets/testing-and-qa.yml`: Updated
`host_expiry_settings` to enable expiry with a 30-day window.

---

Built for [Allen
Houchins](https://fleetdm.slack.com/archives/D0AFASNBZMW/p1777903609156429?thread_ts=1776095784.812489&cid=D0AFASNBZMW)
by [Kilo for Slack](https://kilo.ai/slack)

Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
2026-05-04 09:13:09 -05:00
Allen Houchins
442f6d0df3
Add screen-lock MDM profiles and exclusion labels (#44581)
Add macOS and Windows screen-lock configuration profiles and manual
exclusion labels, and wire them into fleet manifests and policies.

- Add macOS mobileconfig (screen-lock-inactivity) to start screensaver
after 900s and require a password with a 60s delay.
- Add Windows configuration (Screen lock timeout.xml) to set
InteractiveLogon_MachineInactivityLimit to 900s (15 minutes).
- Create manual labels: "macOS screen lock exclusions" and "Windows
screen lock exclusions" (empty host lists).
- Register the new labels in it-and-security/default.yml and include the
new profiles in workstations.yml with labels_exclude_any pointing to the
appropriate exclusion label.
- Update macOS and Windows policy YAMLs to exclude hosts in the
corresponding exclusion labels.


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Added macOS and Windows "screen lock exclusions" labels to allow
manual exemption of devices.
* Introduced a macOS configuration profile that enforces a 15-minute
inactivity screen lock and requires a password on resume.
* Introduced a Windows configuration profile setting an equivalent
15-minute inactivity timeout.
* Screen-lock policies now support label-based exclusions so exempted
devices are not affected.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-05-03 21:57:32 -05:00
Allen Houchins
69840387f0
Pin appindicator extension, verify tarball & timeout (#44631)
Pin the gnome-shell appindicator extension to a specific ubuntu upstream
commit and download an immutable tarball URL. Verify the downloaded
archive's SHA-256 (refuse to proceed if sha256sum/shasum is missing or
the checksum mismatches) and only extract when verification succeeds.
Add quoting for $username in sudo/mkdir invocations and preserve the
staging/copy workflow for user-owned extension installation. For the
InstallRemoteExtension flow on other distros, add a 90s polling timeout
when waiting for metadata.json and surface an error on timeout to avoid
hanging indefinitely.
2026-05-01 23:54:36 -05:00
Allen Houchins
fa38063590
Fix Fleet Desktop not launching on OpenSUSE 16 (#44482)
This pull request addresses a startup issue with Fleet Desktop on
openSUSE Leap 16 and similar Linux distributions. The main change is to
adjust how Fleet Desktop and key-escrow dialogs are launched to avoid
environment variable loss caused by login shell profile scripts. The fix
is scoped specifically to openSUSE Leap 16+ to avoid impacting other
distributions.

**Distribution-specific sudo invocation changes:**

* The `-i` (login shell) flag is now omitted from the `sudo` command
when launching Fleet Desktop and key-escrow dialogs on openSUSE Leap 16
and newer, preventing environment variables from being lost due to
profile script interference.
* For all other supported distributions, the previous behavior (using
`-i`) is preserved to maintain compatibility and avoid unnecessary
re-testing.

**Detection logic:**

* Introduced a new helper function `isOpenSUSELeap16Plus` in
`execuser_linux.go` to detect if the host is running openSUSE Leap 16 or
newer by parsing `/etc/os-release`. This ensures the workaround is only
applied where necessary.

---


**Related issue:** N/A — surfaced via field investigation on openSUSE
Leap 16 (arm64).

This PR addresses two distinct issues that together prevent Fleet
Desktop from working on openSUSE Leap 16, both validated end-to-end on a
real Leap 16 (arm64) host.

## 1. Launch reliability — drop `sudo -i`

`orbit/pkg/execuser/execuser_linux.go`

On Linux, Orbit launches Fleet Desktop with:

```
sudo -n -i -u <user> -H env WAYLAND_DISPLAY=… … FLEET_DESKTOP_DEVICE_IDENTIFIER_PATH=/opt/orbit/identifier … /…/fleet-desktop
```

The `-i` flag makes sudo "simulate initial login" — it runs the target
user's shell as a login shell and wraps the rest of the command in `bash
--login -c '<escaped>'`. That sources `/etc/profile` and every script in
`/etc/profile.d/*` before our `env KEY=val … fleet-desktop` line runs,
and shell metacharacters (`=`, `:`, `/`, `.`) get backslash-escaped
through the shell layer.

On **openSUSE Leap 16 (arm64)**, that indirection causes the inline
env-var assignments to not reach `fleet-desktop`, which exits
immediately with:

```
FTL missing URL environment FLEET_DESKTOP_DEVICE_IDENTIFIER_PATH
```

Orbit then respawns it every ~15 s in a tight kill-and-respawn loop, so
the tray icon never appears.

**Fix:** drop `-i` from the sudo invocation. We don't need a login
shell:
- `-H` already sets `HOME` to the target user.
- sudo's default `env_reset` sets `USER` / `LOGNAME` / `SHELL` / `MAIL`
and `PATH` to `secure_path`.
- All session vars (`WAYLAND_DISPLAY`, `DISPLAY`,
`DBUS_SESSION_BUS_ADDRESS`, `LD_LIBRARY_PATH`) and every
`FLEET_DESKTOP_*` var are already passed explicitly via `env KEY=val …`.

After the change, sudo `execve()`s `env` directly with no shell layer in
between, so `/etc/profile.d` sourcing and shell-escaping are out of the
picture.

The `runuser -l` /proc/keys-leak regression from PR #32309 does not
apply — that was specific to `runuser -l` creating session keyrings;
sudo without `-i` doesn't.

# Checklist for submitter

- [x] Changes file added:
`orbit/changes/fleet-desktop-linux-no-login-shell`
- [x] Input data is properly validated; untrusted data interpolated into
shell scripts/commands is validated against shell metacharacters.
- [x] Timeouts are implemented and retries are limited to avoid infinite
loops (script's wait loop now bounded at 90s).
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes — N/A.

## Testing

Manual QA needed before merge:

- [x] **openSUSE Leap 16 (arm64)** — Fleet Desktop process starts, stays
running, env vars present, no FTL respawn loop. Done via `sudo` shim.
- [x] **openSUSE Leap 16 (arm64) — extension fallback** — manual tarball
install + schema compilation produces a working tray icon (matching what
the script automates).
- [ ] **Ubuntu 22.04 / 24.04** — regression check: Fleet Desktop tray
icon still appears, key-escrow zenity dialog still renders, AppIndicator
script still installs via the official path.
- [ ] **Fedora (recent)** — regression check: same as above.
- [ ] **Debian** — regression check: same as above.
- [ ] **openSUSE Tumbleweed** — confirm `InstallRemoteExtension` path
still works (no fallback path triggered).

## fleetd/orbit/Fleet Desktop

- [x] Verified compatibility with the latest released version of Fleet —
pure launch-flag change plus a script update; no protocol or schema
impact.
- [x] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes — Go change is in
`execuser_linux.go`, only built on Linux. The script is Linux-only by
construction.
- [ ] Verified that fleetd runs on macOS, Linux and Windows — Linux
re-verification pending QA above; macOS/Windows code paths unchanged.
- [ ] Verified auto-update works from the released version of component
to the new version.

## Notes for reviewers

- The tray-icon visibility issue is an OS-side prerequisite (GNOME 3.26+
has no native tray), so the AppIndicator extension is required
regardless. Even after installing it, Wayland requires a logout/login to
pick up new extensions — this is documented behavior and not specific to
the fallback path.
2026-05-01 23:26:56 -05:00
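The detection and launch change described in this commit, as an added Go example that is not Fleet's own code: it parses os-release the way the commit describes and omits `-i` from the sudo argv only on openSUSE Leap 16+. The sample os-release contents, the `sudoArgs` helper and the `/path/to/fleet-desktop` binary path are constructed for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample /etc/os-release contents (not captured from real hosts).
const sampleLeap16 = `NAME="openSUSE Leap"
VERSION="16.0"
ID="opensuse-leap"
ID_LIKE="suse opensuse"
VERSION_ID="16.0"
`

const sampleLeap15 = `NAME="openSUSE Leap"
VERSION="15.6"
ID="opensuse-leap"
VERSION_ID="15.6"
`

const sampleUbuntu = `NAME="Ubuntu"
ID=ubuntu
VERSION_ID="24.04"
`

// osRelease holds the two os-release fields the check needs.
type osRelease struct {
	ID        string
	VersionID string
}

// parseOSRelease parses KEY=value lines; values may be quoted with " or '.
func parseOSRelease(content string) osRelease {
	var r osRelease
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		key, val, ok := strings.Cut(line, "=")
		if !ok {
			continue
		}
		val = strings.Trim(strings.TrimSpace(val), `"'`)
		switch key {
		case "ID":
			r.ID = val
		case "VERSION_ID":
			r.VersionID = val
		}
	}
	return r
}

// isOpenSUSELeap16Plus reports whether the parsed os-release describes
// openSUSE Leap with major version 16 or newer. Anything unparseable is
// treated as "not Leap 16+", so the legacy `-i` behaviour stays the default.
func isOpenSUSELeap16Plus(r osRelease) bool {
	if r.ID != "opensuse-leap" {
		return false
	}
	major, _, _ := strings.Cut(r.VersionID, ".")
	n, err := strconv.Atoi(major)
	return err == nil && n >= 16
}

// sudoArgs builds the argv used to launch the desktop binary as the console
// user. `-i` (login shell) is omitted only on Leap 16+, so the explicit
// `env KEY=val` assignments reach the binary without passing through
// /etc/profile.d sourcing and shell escaping. env entries are "KEY=value".
func sudoArgs(user string, leap16Plus bool, env []string, binary string) []string {
	args := []string{"sudo", "-n"}
	if !leap16Plus {
		args = append(args, "-i")
	}
	args = append(args, "-u", user, "-H", "env")
	args = append(args, env...)
	return append(args, binary)
}

func main() {
	env := []string{"DISPLAY=:0", "FLEET_DESKTOP_DEVICE_IDENTIFIER_PATH=/opt/orbit/identifier"}
	// "/path/to/fleet-desktop" is a placeholder, not the real install path.
	for _, content := range []string{sampleLeap16, sampleLeap15, sampleUbuntu} {
		r := parseOSRelease(content)
		leap := isOpenSUSELeap16Plus(r)
		fmt.Printf("%s %s leap16+=%v\n  %s\n", r.ID, r.VersionID, leap,
			strings.Join(sudoArgs("alice", leap, env, "/path/to/fleet-desktop"), " "))
	}
}
```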
Allen Houchins
a67f14d388
Patch Adobe Acrobat automatically on workstation devices (#44316)
Add forceful Adobe Acrobat Reader patch policy for all devices

Add critical patch policies for Adobe Acrobat Reader on macOS and
Windows that enforce immediate automatic updates via install_software:
true. This ensures all devices running Adobe Reader are patched without
user intervention, addressing the high-risk security profile of PDF
readers.

Changes:
- Add macOS patch policy (adobe-acrobat-reader/darwin) with critical
flag
- Add Windows patch policy (adobe-acrobat-reader/windows) with critical
flag
- Register Adobe Acrobat Reader as a fleet_maintained_app for both
platforms in workstations.yml

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Adobe Acrobat Reader added as self-service software for macOS and x86
Windows; categorized under Productivity.
* Adobe Acrobat Pro added as self-service software for macOS;
categorized under Productivity.
* Automatic device targeting now surfaces these apps only to hosts that
already have them installed.
* New critical patch policies for macOS and Windows enable automatic
updates with self-service fallback on install failures.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
2026-04-29 20:30:27 -05:00
Allen Houchins
2b3654607c
Add spacing to report description blocks (#44409)
Insert blank lines in the description sections of several
it-and-security reports to improve readability. Files updated:
collect-chromium-browser-extensions.yml,
collect-firefox-browser-extensions.yml, collect-listening-ports.yml,
collect-local-user-accounts.yml, collect-safari-browser-extensions.yml,
collect-usb-devices.yml. No query or functional changes.
2026-04-29 12:13:45 -05:00
Allen Houchins
3c8bf05fa3
Add security policies and reports to Workstations (#43457)
Add multiple endpoint security policies and telemetry reports and wire
them into the workstations fleet manifest. New macOS policies: firewall,
Gatekeeper, SIP (critical), Remote Login disabled, screen-lock
inactivity, and local-admin count; new Windows policies: Secure Boot,
Remote Desktop disabled, interactive screen-lock timeout; new Linux
policy: sshd PermitRootLogin restriction. Added cross-platform reports
for disk encryption (includes BitLocker), local user/admin inventory,
USB devices, listening ports, and Chromium-family browser extensions.
These changes improve compliance and detection coverage (SOC2/ISO
mappings included) and enable more comprehensive fleet monitoring.

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
  * Added device compliance checks: macOS firewall, Gatekeeper, SIP, local
    admin count, Windows Secure Boot, and Linux SSH root-login restriction
  * Disabled high-risk remote access: macOS Remote Login and Windows
    Remote Desktop checks
  * Added screen-lock inactivity checks for macOS and Windows
  * New inventory reports: local user accounts, connected USB devices,
    open listening ports, and browser extensions (Safari, Firefox,
    Chromium-family)
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
2026-04-29 11:00:42 -05:00
Allen Houchins
e3a06135ce
Enable osquery eventing and macOS FIM config (#44215)
Update testing-and-qa and workstations fleet configs to enable osquery
eventing and file-integrity monitoring. Reorder and add
agent_options.config options (pack_delimiter, logger settings,
distributed plugin/endpoint, tls attempts), move decorators under
config, and add macOS FIM file_paths/exclude_paths. Add
command_line_flags to tune eventing, audit, ETW and watchdog settings
for better event collection and retention.

Related: https://github.com/fleetdm/confidential/issues/11768

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **New Features**
  * Enhanced platform-specific security monitoring across macOS, Linux,
    and Windows fleets
  * Added file integrity monitoring capabilities for macOS systems
  * Expanded audit framework and event collection for Linux environments
  * Improved process event auditing for Windows systems
  * Added configurable event retention and optimization controls

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-04-27 13:17:47 -05:00
Allen Houchins
474c6f3b2e
Fix deprecation warnings (#44186)
Rename and standardize configuration keys across fleet profiles: replace
macos_settings -> apple_settings, macos_setup -> setup_experience, and
macos_setup_assistant -> apple_setup_assistant. Move/rename bootstrap
key to macos_bootstrap_package under setup_experience. Convert per-OS
custom_settings to configuration_profiles (including
windows_settings.custom_settings -> configuration_profiles). Update
server flags: live_query_disabled -> live_reporting_disabled and
query_reports_disabled -> discard_reports_data. Changes applied to:
it-and-security/default.yml, and fleet files in it-and-security/fleets
(company-owned-mobile-devices.yml, personal-mobile-devices.yml,
servers.yml, testing-and-qa.yml, unassigned.yml, workstations.yml) to
unify naming and align with cross-platform config schema.
2026-04-24 23:24:04 -05:00
Allen Houchins
79874af4a3
Add Santa system extension policy and script (#43498)
Add detection and remediation for Santa's Endpoint Security system
extension: new policy
it-and-security/lib/macos/policies/santa-endpoint-security-extension-active.yml
and remediation script
it-and-security/lib/macos/scripts/load-santa-system-extension.sh. Add a
dynamic label for Macs with Santa installed and update the macOS patch
policy to include a Fleet-maintained santa/darwin entry so Fleet can
install/patch Santa. Update workstations fleet config to reference the
new script, policy, and the santa/darwin software slug; remove the old
static santa.yml package file. The policy checks for Santa's bundle id
and the system_extensions record (identifier/team/state) and the script
invokes Santa's binary to request loading the system extension as the
console user.
2026-04-24 23:04:24 -05:00
Allen Houchins
466ab4467f
Enable Nudge auto-install and comment policy (#44185)
Comment out the nudge-installed policy in
it-and-security/fleets/workstations.yml and set install_software: true
for the Nudge fleet-maintained app in
it-and-security/lib/macos/policies/patch-fleet-maintained-apps.yml. This
ensures Fleet will automatically install/patch Nudge on matching Macs
(using the existing install-nudge-assets policy) rather than relying on
the nudge-installed enforcement entry.
2026-04-24 22:39:28 -05:00
Allen Houchins
7fde291af9
Enable 1Password in fleets and patch policies (#44182)
Uncomment 1Password entries in workstations.yml so 1Password is managed
as a fleet_maintained_app for both macOS and Windows. Commented out the
separate Windows 1Password installed policy path and enabled the
corresponding patch checks in
macos/windows/patch-fleet-maintained-apps.yml to surface/update
out-of-date 1Password installations.
2026-04-24 22:20:57 -05:00
Allen Houchins
caef4603b5
Disable 1Password auto-install and patch checks (#44181)
Comment out 1Password fleet-maintained app entries and related
install/patch policies for macOS and Windows. Updates remove/disable the
fleet_maintained_app references in
it-and-security/fleets/workstations.yml and comment out install_software
and patch entries in the macOS and Windows policy files to temporarily
stop automatic installation and patch enforcement for 1Password.
2026-04-24 22:10:07 -05:00
Allen Houchins
93a2543b4e
Revert "Comment out 1Password fleet policy and app" (#44180)
Reverts fleetdm/fleet#44178
2026-04-24 21:55:25 -05:00
Allen Houchins
8dcc43d267
Comment out 1Password fleet policy and app (#44178)
Temporarily disable 1Password-related Fleet checks and app entry.
workstations.yml: commented out the macOS policies
1password-emergency-kit-check.yml and 1password-installed.yml and the
fleet_maintained_apps entry for 1password/darwin.
lib/macos/policies/patch-fleet-maintained-apps.yml: commented out the
patch rule for 1password/darwin. This stops 1Password health checks and
automatic patching until re-enabled.
2026-04-24 21:41:43 -05:00
Allen Houchins
a4229fbc42
Transition 1Password to Fleet-maintained app version (#44177)
Replace ad-hoc 1Password update flow with fleet_maintained app handling:
remove the macOS updater script and platform-specific update policy
files; switch install_software refs in macOS/Windows 1Password policies
to fleet_maintained_app_slug; add fleet_maintained_apps entries for
1Password in the workstation fleet manifest; add dynamic labels and
patch policies to track/upkeep 1Password on macOS and Windows. Also
remove references to the removed update step from the dogfood CI
workflow and simplify PR title/branch generation logic accordingly.
2026-04-24 21:21:00 -05:00
Allen Houchins
8cc7c3ccec
Transition Nudge to Fleet-maintained app (#44176)
Replace the previous manual Nudge install flow with fleet-managed
configuration: add policies and label entries for Nudge, add an
assets-only policy, and add a fleet_maintained software slug. Updated
it-and-security/fleets/workstations.yml to reference
nudge-installed.yml, install-nudge-assets.yml and the new nudge/darwin
software slug (moved from the old nudge software entry). Added label for
Macs with Nudge installed (bundle id com.github.macadmins.Nudge). Added
policy it-and-security/lib/macos/policies/install-nudge-assets.yml and
it-and-security/lib/macos/policies/nudge-installed.yml, and added a
patch policy entry to patch-fleet-maintained-apps.yml for keeping Nudge
up to date. Removed the legacy combined install-nudge.yml policy and the
install-nudge.sh script since installation is now handled via the
fleet-maintained app.
2026-04-24 21:13:59 -05:00
Allen Houchins
6af2dece05
Update santa-configuration.mobileconfig (#44175)
Change menubar app to be hidden by default. User can override this
setting if they prefer.
2026-04-24 20:56:54 -05:00
Allen Houchins
57b5d7e72b
Update slack-logo.png (#44117)
2026-04-24 09:18:36 -05:00
Allen Houchins
09987f34d4
Add macOS report to collect default browser (#44116)
Add a new macOS report (lib/macos/reports/collect-default-browser.yml)
and enable it in the it-and-security/fleets/workstations.yml reports
list. The report gathers each local user's default web browser by
reading LaunchServices plist entries, runs weekly (interval 604800),
uses snapshot logging, and is observer-runnable. Automations are
disabled by default.
2026-04-24 09:09:33 -05:00
Allen Houchins
96be7ab972
Add Slack icon and update Linux package URLs (#44115)
Add Slack logo asset and update Linux package manifests to use the new
release. Adds it-and-security/lib/all/icons/slack-logo.png and updates
slack-deb.yml and slack-rpm.yml to bump the Slack desktop version to
4.49.81 and include an icon.path reference.
2026-04-24 09:04:59 -05:00
Allen Houchins
051bf05958
Add Fleet Desktop login item profile (#43956)
Introduce a new macOS configuration profile to register
/Applications/Fleet Desktop.app as a managed login item so Fleet Desktop
auto-launches. Adds
it-and-security/lib/macos/configuration-profiles/fleet-desktop-login-item.mobileconfig
and includes it in it-and-security/fleets/workstations.yml limited to
hosts labeled "Macs with Fleet Desktop installed".
2026-04-22 10:55:28 -05:00
Allen Houchins
83dca8ce79
Fix display name formatting for Touch ID script (#43882)

## Summary by CodeRabbit

* **Chores**
* Minor configuration formatting adjustment to improve consistency and
standardization.

2026-04-21 13:39:26 -05:00
Allen Houchins
f07e101986
Update enable-touch-id-sudo.sh (#43880) 2026-04-21 13:31:27 -05:00
Allen Houchins
92488b2115
Add display_name for Touch ID sudo script (#43852)
Expose a display_name for the `enable-touch-id-sudo.sh` entry in the
workstations fleet manifest so it shows properly in Self Service. Also
add a commented icon placeholder (`../lib/all/icons/touch-id.png`) for
potential future use.
2026-04-21 10:52:04 -05:00
Allen Houchins
842316c4bc
Add Touch ID sudo script and icon (#43848)
Register a new macOS fleet script that enables Touch ID authentication
for sudo on macOS 15+. Adds
it-and-security/lib/macos/scripts/enable-touch-id-sudo.sh which checks
for the sudo_local.template, creates /etc/pam.d/sudo_local if missing,
and idempotently uncomments or appends the pam_tid line. Also adds a
touch-id.png icon and exposes the script in
it-and-security/fleets/workstations.yml as a self_service Security item.
Provides logging and exits safely when already configured or when run
without root.
2026-04-21 10:10:51 -05:00
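The sudo_local procedure this commit describes (check for sudo_local.template, create /etc/pam.d/sudo_local if missing, idempotently uncomment or append the pam_tid line, bail out without root), as an added POSIX shell example. It is not Fleet's enable-touch-id-sudo.sh; the PAM directory is taken as an argument (an assumption made here so the logic can be exercised against a scratch directory), and the commented `#auth sufficient pam_tid.so` line is assumed to match what Apple ships in sudo_local.template.

```shell
#!/bin/sh
# Added example, not Fleet's script: enable Touch ID for sudo through
# /etc/pam.d/sudo_local (survives OS updates, unlike /etc/pam.d/sudo itself).
# PAMDIR is a parameter so the logic can be dry-run without root.
set -u

PAM_TID_LINE='auth       sufficient     pam_tid.so'
# Active (uncommented) pam_tid line, any whitespace.
ACTIVE_RE='^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_tid\.so'
# Same line commented out, as shipped in sudo_local.template.
COMMENTED_RE='^[[:space:]]*#[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_tid\.so'

# touch_id_sudo_enabled FILE: 0 if FILE carries an active pam_tid line, else 1.
touch_id_sudo_enabled() {
    [ -f "$1" ] && grep -Eq "$ACTIVE_RE" "$1"
}

# enable_touch_id_sudo PAMDIR
# Returns 0 when configured (or already was), 2 if the template is missing,
# 3 if PAMDIR is not writable (i.e. not running as root on the real /etc/pam.d).
enable_touch_id_sudo() {
    pamdir=$1
    template="$pamdir/sudo_local.template"
    target="$pamdir/sudo_local"

    # No template means an OS without sudo_local support; do not fall back to
    # editing /etc/pam.d/sudo, which the OS overwrites on update.
    if [ ! -f "$template" ]; then
        echo "sudo_local.template not found in $pamdir" >&2
        return 2
    fi
    # Fail closed instead of half-editing when we cannot write.
    if [ ! -w "$pamdir" ]; then
        echo "$pamdir is not writable; run as root" >&2
        return 3
    fi

    # First run: seed sudo_local from the template.
    if [ ! -f "$target" ]; then
        cat "$template" > "$target"
    fi

    # Already active: nothing to do (this is what makes repeat runs idempotent).
    if touch_id_sudo_enabled "$target"; then
        echo "pam_tid already active in $target"
        return 0
    fi

    tmp=$(mktemp "${TMPDIR:-/tmp}/sudo_local.XXXXXX") || return 1
    if grep -Eq "$COMMENTED_RE" "$target"; then
        # Uncomment the template's own line rather than adding a duplicate.
        sed -E "s/${COMMENTED_RE}/${PAM_TID_LINE}/" "$target" > "$tmp"
    else
        # No pam_tid line at all: append one, adding a newline first if the
        # file does not end with one so the lines do not run together.
        {
            cat "$target"
            [ -n "$(tail -c1 "$target")" ] && echo
            echo "$PAM_TID_LINE"
        } > "$tmp"
    fi
    # Overwrite in place (cat >, not mv) so ownership and mode are preserved.
    cat "$tmp" > "$target" && rm -f "$tmp"
    touch_id_sudo_enabled "$target"
}

# Usage: sudo sh enable_touch_id_sudo.sh /etc/pam.d
# (pass a scratch directory containing a sudo_local.template to dry-run)
if [ $# -gt 0 ]; then
    enable_touch_id_sudo "$1"
fi
```

Two practitioner caveats: the script only ever touches sudo_local, never /etc/pam.d/sudo, so an OS update cannot silently revert it; and pam_tid.so needs a GUI session to show the prompt, so inside tmux or screen it falls through to the password prompt unless a reattach helper such as pam_reattach is also configured.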
github-actions[bot]
a060f3ec82
Update 1Password policy versions (#43840)
This PR automatically updates both 1Password macOS version policy and
Safari version policy for dogfood.

The changes were generated automatically by the
[dogfood-automated-policy-updates
workflow](https://github.com/fleetdm/fleet/actions/workflows/dogfood-automated-policy-updates.yml).

Co-authored-by: allenhouchins <32207388+allenhouchins@users.noreply.github.com>
2026-04-21 08:11:54 -05:00
Allen Houchins
649fc0a656
Add macOS Fleet Desktop label and attach to policy (#43760)
Add a new dynamic label 'Macs with Fleet Desktop installed' (platform:
darwin) that selects hosts where apps.name = 'Fleet Desktop'. Update the
macOS policy update-fleet-desktop.yml to include this label via
labels_include_any so the policy targets only hosts with Fleet Desktop
installed. Files changed:
it-and-security/lib/all/labels/macs-with-fleet-desktop-installed.yml
(new) and it-and-security/lib/macos/policies/update-fleet-desktop.yml
(modified).
2026-04-20 09:39:50 -05:00
Allen Houchins
18c35e3a54
Add battery capacity ratio check (#43758)
Extend the battery-health-check SQL to flag batteries whose max_capacity
/ designed_capacity is below 80%. The new clause guards against zero
capacities and casts max_capacity to REAL for proper floating-point
division, improving detection of degraded batteries in the macOS policy.
2026-04-20 09:23:40 -05:00
Allen Houchins
3dbe90a1b6
Update custom icon assets (#43753)
Replace two icon assets used by the it-and-security module:
it-and-security/lib/all/icons/fleet-desktop-icon.png and
it-and-security/lib/all/icons/keynote-theme-swan.png. These binary PNG
updates refresh the visuals for the corresponding icons.
2026-04-20 08:55:50 -05:00
Allen Houchins
3bd2335b8c
Updated scoping of Fleet-maintained apps on Workstations (#43752) 2026-04-20 08:48:55 -05:00
Allen Houchins
d8772bbb8d
Use app-specific labels for macOS software (#43751)
Replace the generic "Apple Silicon macOS hosts" label with app-specific
labels_include_any entries for macOS packages and add a Windows label
for VS Code. This change adds or updates labels for many self_service
macOS apps (Brave, Docker Desktop, VS Code, Microsoft Teams, GitHub
Desktop, UTM, Postman, Grammarly Desktop, iTerm2, Sublime Text,
Parallels, Loom, Spotify, Rectangle, Logi Options+, Figma, WhatsApp,
Android Studio, Zed, Obsidian, Google Drive, Cursor, etc.) to target
hosts that have each app installed rather than relying on the Apple
Silicon host label. Improves targeting for software availability in the
fleet configuration.
2026-04-20 08:39:11 -05:00
Allen Houchins
7f92a3b8ac
Add Fleet Desktop update policy and bump package (#43750)
Add a macOS policy to check Fleet Desktop is at least v1.1.0 and
reference it from the workstations fleet. Update the Fleet Desktop
installer metadata to v1.1.0 (new SHA256). Also wrap long resolution
strings in quotes for consistency in Firefox and 1Password policies.
2026-04-20 08:19:16 -05:00
Allen Houchins
7980b636a0
Update workstations.yml (#43620) 2026-04-15 11:41:52 -05:00
Allen Houchins
a4019b08ce
Update patch-fleet-maintained-apps.yml (#43618) 2026-04-15 10:46:12 -05:00
Allen Houchins
e6bc0d0b95
Update patch-fleet-maintained-apps.yml (#43617) 2026-04-15 10:39:26 -05:00
Allen Houchins
f6087a3998
Update patch-fleet-maintained-apps.yml (#43615) 2026-04-15 10:24:09 -05:00
Allen Houchins
6ba08e2bc0
Update patch-fleet-maintained-apps.yml (#43614) 2026-04-15 10:18:09 -05:00
Allen Houchins
2b8f67a072
Revert "Temporarily disable FMA patch policies" (#43612)
Reverts fleetdm/fleet#43611
2026-04-15 09:53:51 -05:00
Allen Houchins
31e8300670
Temporarily disable FMA patch policies (#43611)
Comment out the patch-fleet-maintained-apps.yml entries for macOS and
Windows in it-and-security/fleets/workstations.yml. This temporarily
disables the FMA patch policies (kept as commented lines with a TEMP
note) to allow re-establishing the Fleet Maintained Apps software state.
2026-04-15 09:49:53 -05:00
Allen Houchins
f0bdd0498f
Remove several x86 Windows apps, labels and policies (#43608)
Remove several x86-only Fleet-maintained Windows applications and their
associated dynamic labels and patch policies. Changes touch:

- it-and-security/fleets/workstations.yml: removed fleet app entries for
Brave, Docker Desktop, GitHub Desktop, Postman, Sublime Text, Spotify,
Figma, Google Drive, and Cursor.
- it-and-security/lib/all/labels/windows-with-fleet-maintained-apps-installed.yml:
removed the matching x86 dynamic labels.
- it-and-security/lib/windows/policies/patch-fleet-maintained-apps.yml:
removed the corresponding patch policies for those apps.

This cleans up configuration related to x86-only Windows apps (labels
previously filtered on arch NOT LIKE 'ARM%').
2026-04-15 09:26:38 -05:00
Allen Houchins
94674f28da
Re-add iMazing Profile Editor as a macOS FMA (#43574)
Register iMazing Profile Editor as a Fleet-maintained app: add input
metadata, add app entry to outputs/apps.json, and add darwin-specific
version/installer info with install/uninstall scripts and checks. Update
frontend icon mapping to include the human-readable name, and adjust
fleet configs (workstations self-service slug, dynamic label bundle
identifier, and macOS patch policy) to reference the new
imazing-profile-editor/darwin slug and
com.DigiDNA.iMazingProfileEditorMac bundle ID.
2026-04-14 15:29:40 -05:00