Commit graph

63 commits

Author SHA1 Message Date
Allen Houchins
c563c8b89c
Add macOS configuration for Fleet Desktop launch agent (#44693)

## Summary by CodeRabbit

* **New Features**
  * Added automatic launch agent support for Fleet Desktop.app on macOS devices, enabling the app to start automatically at system login without user interaction
  * Implemented MDM configuration profiles and policies for seamless deployment and automatic management across macOS devices
  * Added dynamic labeling capabilities to identify and track macOS hosts with the Fleet Desktop launch agent profile installed

2026-05-04 14:33:37 -05:00
Allen Houchins
4be56c1064
Revert "Add Fleet Desktop launch agent configuration profile" (#44688)
Reverts fleetdm/fleet#44679
2026-05-04 13:40:09 -05:00
Allen Houchins
0d35759b83
Add Fleet Desktop launch agent configuration profile (#44679)
Add a new macOS configuration profile
(fleet-desktop-launchagent.mobileconfig) that configures managed
login/background items to allow Fleet Desktop.app's launch agent to run
at login without prompting the user. Also reference the profile in
it-and-security/fleets/workstations.yml so hosts labeled as having Fleet
Desktop.app installed will match the control.
2026-05-04 13:29:12 -05:00
Allen Houchins
6a5c67dbdf
Remove enrollment profile policy and test label (#44683)
Delete the macOS policy 'enrollment-profile-up-to-date' and the 'Nudge
test devices' label, and remove their references from it-and-security
manifests. Files removed:
it-and-security/lib/macos/policies/enrollment-profile-up-to-date.yml and
it-and-security/lib/all/labels/nudge-test-devices.yml; references
dropped from it-and-security/default.yml,
it-and-security/fleets/testing-and-qa.yml, and
it-and-security/fleets/workstations.yml to avoid loading deleted
artifacts.
2026-05-04 13:15:58 -05:00
Allen Houchins
16e8557f4b
Remove Fleet Desktop login item profile (#44673)
Delete the macOS configuration profile that managed Fleet Desktop as a
login item
(it-and-security/lib/macos/configuration-profiles/fleet-desktop-login-item.mobileconfig)
and remove its inclusion and associated label filter from the
workstations fleet controls (it-and-security/fleets/workstations.yml).
Cleans up an obsolete/unused profile and its reference.
2026-05-04 10:56:42 -05:00
Allen Houchins
ad79c4a410
Convert Fleet Desktop.app to FMA and patch policy (#44654)
Make Fleet Desktop detection more precise and switch to fleet-maintained
app workflow. Rename label to include the .app suffix and filter by
bundle_identifier; update workstations.yml to reference the new label
and replace the file-based software entry with the fleet-maintained slug
(fleet-desktop/darwin). Add a Fleet Desktop entry to the
patch-fleet-maintained-apps policy so Fleet Desktop is managed via the
fleet_maintained_app_slug. Remove the now-obsolete update-fleet-desktop
policy and the packaged fleet-desktop software metadata file.
2026-05-04 09:50:43 -05:00
kilo-code-bot[bot]
dc58f84c3f
Enable host expiry (90 days) for Workstations and mobile device teams (#44650)
## Summary

- Enables host expiry settings for three teams by setting
`host_expiry_enabled: true` and `host_expiry_window: 90` (days) in each
team's GitOps configuration file.
- Hosts that have not checked in for 90 days will be automatically
removed from these teams' inventories.

## Changes

- `it-and-security/fleets/workstations.yml`: Updated
`host_expiry_settings` to enable expiry with a 90-day window.
- `it-and-security/fleets/company-owned-mobile-devices.yml`: Updated
`host_expiry_settings` to enable expiry with a 90-day window.
- `it-and-security/fleets/personal-mobile-devices.yml`: Updated
`host_expiry_settings` to enable expiry with a 90-day window.

## Teams affected

| Team | File | Window |
|------|------|--------|
| 💻 Workstations | `workstations.yml` | 90 days |
| 📱🏢 Employee-issued mobile devices | `company-owned-mobile-devices.yml` | 90 days |
| 📱🔐 Personal mobile devices | `personal-mobile-devices.yml` | 90 days |

## Related

- Follows the same pattern as #44649 (Testing & QA team, 30 days).

---

Built for [Allen Houchins](https://fleetdm.slack.com/archives/D0AFASNBZMW/p1777903880443949?thread_ts=1776095784.812489&cid=D0AFASNBZMW) by [Kilo for Slack](https://kilo.ai/slack)

Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
2026-05-04 09:20:11 -05:00
kilo-code-bot[bot]
8a991b8a4c
Enable host expiry for Testing & QA team (30 days) (#44649)
## Summary

- Enables host expiry settings for the "🧪 Testing & QA" team by setting
`host_expiry_enabled: true` and `host_expiry_window: 30` (days) in the
team's GitOps configuration file.
- Hosts that have not checked in for 30 days will be automatically
removed from this team's inventory.

## Changes

- `it-and-security/fleets/testing-and-qa.yml`: Updated
`host_expiry_settings` to enable expiry with a 30-day window.

---

Built for [Allen Houchins](https://fleetdm.slack.com/archives/D0AFASNBZMW/p1777903609156429?thread_ts=1776095784.812489&cid=D0AFASNBZMW) by [Kilo for Slack](https://kilo.ai/slack)

Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
2026-05-04 09:13:09 -05:00
Allen Houchins
442f6d0df3
Add screen-lock MDM profiles and exclusion labels (#44581)
Add macOS and Windows screen-lock configuration profiles and manual
exclusion labels, and wire them into fleet manifests and policies.

- Add macOS mobileconfig (screen-lock-inactivity) to start screensaver
after 900s and require a password with a 60s delay.
- Add Windows configuration (Screen lock timeout.xml) to set
InteractiveLogon_MachineInactivityLimit to 900s (15 minutes).
- Create manual labels: "macOS screen lock exclusions" and "Windows
screen lock exclusions" (empty host lists).
- Register the new labels in it-and-security/default.yml and include the
new profiles in workstations.yml with labels_exclude_any pointing to the
appropriate exclusion label.
- Update macOS and Windows policy YAMLs to exclude hosts in the
corresponding exclusion labels.


## Summary by CodeRabbit

* **New Features**
  * Added macOS and Windows "screen lock exclusions" labels to allow manual exemption of devices.
  * Introduced a macOS configuration profile that enforces a 15-minute inactivity screen lock and requires a password on resume.
  * Introduced a Windows configuration profile setting an equivalent 15-minute inactivity timeout.
  * Screen-lock policies now support label-based exclusions so exempted devices are not affected.
2026-05-03 21:57:32 -05:00
Allen Houchins
a67f14d388
Patch Adobe Acrobat automatically on workstation devices (#44316)
Add forceful Adobe Acrobat Reader patch policy for all devices

Add critical patch policies for Adobe Acrobat Reader on macOS and
Windows that enforce immediate automatic updates via install_software:
true. This ensures all devices running Adobe Reader are patched without
user intervention, addressing the high-risk security profile of PDF
readers.

Changes:
- Add macOS patch policy (adobe-acrobat-reader/darwin) with critical flag
- Add Windows patch policy (adobe-acrobat-reader/windows) with critical flag
- Register Adobe Acrobat Reader as a fleet_maintained_app for both platforms in workstations.yml

## Summary by CodeRabbit

* **New Features**
  * Adobe Acrobat Reader added as self-service software for macOS and x86 Windows; categorized under Productivity.
  * Adobe Acrobat Pro added as self-service software for macOS; categorized under Productivity.
  * Automatic device targeting now surfaces these apps only to hosts that already have them installed.
  * New critical patch policies for macOS and Windows enable automatic updates with self-service fallback on install failures.

---------

Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
2026-04-29 20:30:27 -05:00
Allen Houchins
3c8bf05fa3
Add security policies and reports to Workstations (#43457)
Add multiple endpoint security policies and telemetry reports and wire
them into the workstations fleet manifest. New macOS policies: firewall,
Gatekeeper, SIP (critical), Remote Login disabled, screen-lock
inactivity, and local-admin count; new Windows policies: Secure Boot,
Remote Desktop disabled, interactive screen-lock timeout; new Linux
policy: sshd PermitRootLogin restriction. Added cross-platform reports
for disk encryption (includes BitLocker), local user/admin inventory,
USB devices, listening ports, and Chromium-family browser extensions.
These changes improve compliance and detection coverage (SOC2/ISO
mappings included) and enable more comprehensive fleet monitoring.

## Summary by CodeRabbit

* **New Features**
  * Added device compliance checks: macOS firewall, Gatekeeper, SIP, local admin count, Windows Secure Boot, and Linux SSH root-login restriction
  * Disabled high-risk remote access: macOS Remote Login and Windows Remote Desktop checks
  * Added screen-lock inactivity checks for macOS and Windows
  * New inventory reports: local user accounts, connected USB devices, open listening ports, and browser extensions (Safari, Firefox, Chromium-family)

---------

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
2026-04-29 11:00:42 -05:00
Allen Houchins
e3a06135ce
Enable osquery eventing and macOS FIM config (#44215)
Update testing-and-qa and workstations fleet configs to enable osquery
eventing and file-integrity monitoring. Reorder and add
agent_options.config options (pack_delimiter, logger settings,
distributed plugin/endpoint, tls attempts), move decorators under
config, and add macOS FIM file_paths/exclude_paths. Add
command_line_flags to tune eventing, audit, ETW and watchdog settings
for better event collection and retention.

Related: https://github.com/fleetdm/confidential/issues/11768


## Summary by CodeRabbit

* **New Features**
  * Enhanced platform-specific security monitoring across macOS, Linux, and Windows fleets
  * Added file integrity monitoring capabilities for macOS systems
  * Expanded audit framework and event collection for Linux environments
  * Improved process event auditing for Windows systems
  * Added configurable event retention and optimization controls

2026-04-27 13:17:47 -05:00
Allen Houchins
474c6f3b2e
Fix deprecation warnings (#44186)
Rename and standardize configuration keys across fleet profiles: replace
macos_settings -> apple_settings, macos_setup -> setup_experience, and
macos_setup_assistant -> apple_setup_assistant. Move/rename bootstrap
key to macos_bootstrap_package under setup_experience. Convert per-OS
custom_settings to configuration_profiles (including
windows_settings.custom_settings -> configuration_profiles). Update
server flags: live_query_disabled -> live_reporting_disabled and
query_reports_disabled -> discard_reports_data. Changes applied to:
it-and-security/default.yml, and fleet files in it-and-security/fleets
(company-owned-mobile-devices.yml, personal-mobile-devices.yml,
servers.yml, testing-and-qa.yml, unassigned.yml, workstations.yml) to
unify naming and align with cross-platform config schema.
2026-04-24 23:24:04 -05:00
Allen Houchins
79874af4a3
Add Santa system extension policy and script (#43498)
Add detection and remediation for Santa's Endpoint Security system
extension: new policy
it-and-security/lib/macos/policies/santa-endpoint-security-extension-active.yml
and remediation script
it-and-security/lib/macos/scripts/load-santa-system-extension.sh. Add a
dynamic label for Macs with Santa installed and update the macOS patch
policy to include a Fleet-maintained santa/darwin entry so Fleet can
install/patch Santa. Update workstations fleet config to reference the
new script, policy, and the santa/darwin software slug; remove the old
static santa.yml package file. The policy checks for Santa's bundle id
and the system_extensions record (identifier/team/state) and the script
invokes Santa's binary to request loading the system extension as the
console user.
2026-04-24 23:04:24 -05:00
Allen Houchins
466ab4467f
Enable Nudge auto-install and comment policy (#44185)
Comment out the nudge-installed policy in
it-and-security/fleets/workstations.yml and set install_software: true
for the Nudge fleet-maintained app in
it-and-security/lib/macos/policies/patch-fleet-maintained-apps.yml. This
ensures Fleet will automatically install/patch Nudge on matching Macs
(using the existing install-nudge-assets policy) rather than relying on
the nudge-installed enforcement entry.
2026-04-24 22:39:28 -05:00
Allen Houchins
7fde291af9
Enable 1Password in fleets and patch policies (#44182)
Uncomment 1Password entries in workstations.yml so 1Password is managed
as a fleet_maintained_app for both macOS and Windows. Commented out the
separate Windows 1Password installed policy path and enabled the
corresponding patch checks in
macos/windows/patch-fleet-maintained-apps.yml to surface/update
out-of-date 1Password installations.
2026-04-24 22:20:57 -05:00
Allen Houchins
caef4603b5
Disable 1Password auto-install and patch checks (#44181)
Comment out 1Password fleet-maintained app entries and related
install/patch policies for macOS and Windows. Updates remove/disable the
fleet_maintained_app references in
it-and-security/fleets/workstations.yml and comment out install_software
and patch entries in the macOS and Windows policy files to temporarily
stop automatic installation and patch enforcement for 1Password.
2026-04-24 22:10:07 -05:00
Allen Houchins
93a2543b4e
Revert "Comment out 1Password fleet policy and app" (#44180)
Reverts fleetdm/fleet#44178
2026-04-24 21:55:25 -05:00
Allen Houchins
8dcc43d267
Comment out 1Password fleet policy and app (#44178)
Temporarily disable 1Password-related Fleet checks and app entry.
workstations.yml: commented out the macOS policies
1password-emergency-kit-check.yml and 1password-installed.yml and the
fleet_maintained_apps entry for 1password/darwin.
lib/macos/policies/patch-fleet-maintained-apps.yml: commented out the
patch rule for 1password/darwin. This stops 1Password health checks and
automatic patching until re-enabled.
2026-04-24 21:41:43 -05:00
Allen Houchins
a4229fbc42
Transition 1Password to Fleet-maintained app version (#44177)
Replace ad-hoc 1Password update flow with fleet_maintained app handling:
remove the macOS updater script and platform-specific update policy
files; switch install_software refs in macOS/Windows 1Password policies
to fleet_maintained_app_slug; add fleet_maintained_apps entries for
1Password in the workstation fleet manifest; add dynamic labels and
patch policies to track/upkeep 1Password on macOS and Windows. Also
remove references to the removed update step from the dogfood CI
workflow and simplify PR title/branch generation logic accordingly.
2026-04-24 21:21:00 -05:00
Allen Houchins
8cc7c3ccec
Transition Nudge to Fleet-maintained app (#44176)
Replace the previous manual Nudge install flow with fleet-managed
configuration: add policies and label entries for Nudge, add an
assets-only policy, and add a fleet_maintained software slug. Updated
it-and-security/fleets/workstations.yml to reference
nudge-installed.yml, install-nudge-assets.yml and the new nudge/darwin
software slug (moved from the old nudge software entry). Added label for
Macs with Nudge installed (bundle id com.github.macadmins.Nudge). Added
policy it-and-security/lib/macos/policies/install-nudge-assets.yml and
it-and-security/lib/macos/policies/nudge-installed.yml, and added a
patch policy entry to patch-fleet-maintained-apps.yml for keeping Nudge
up to date. Removed the legacy combined install-nudge.yml policy and the
install-nudge.sh script since installation is now handled via the
fleet-maintained app.
2026-04-24 21:13:59 -05:00
Allen Houchins
09987f34d4
Add macOS report to collect default browser (#44116)
Add a new macOS report (lib/macos/reports/collect-default-browser.yml)
and enable it in the it-and-security/fleets/workstations.yml reports
list. The report gathers each local user's default web browser by
reading LaunchServices plist entries, runs weekly (interval 604800),
uses snapshot logging, and is observer-runnable. Automations are
disabled by default.
2026-04-24 09:09:33 -05:00
Allen Houchins
051bf05958
Add Fleet Desktop login item profile (#43956)
Introduce a new macOS configuration profile to register
/Applications/Fleet Desktop.app as a managed login item so Fleet Desktop
auto-launches. Adds
it-and-security/lib/macos/configuration-profiles/fleet-desktop-login-item.mobileconfig
and includes it in it-and-security/fleets/workstations.yml limited to
hosts labeled "Macs with Fleet Desktop installed".
2026-04-22 10:55:28 -05:00
Allen Houchins
83dca8ce79
Fix display name formatting for Touch ID script (#43882)

## Summary by CodeRabbit

* **Chores**
  * Minor configuration formatting adjustment to improve consistency and standardization.

2026-04-21 13:39:26 -05:00
Allen Houchins
92488b2115
Add display_name for Touch ID sudo script (#43852)
Expose a display_name for the `enable-touch-id-sudo.sh` entry in the
workstations fleet manifest so it shows properly in Self Service. Also
add a commented icon placeholder (`../lib/all/icons/touch-id.png`) for
potential future use.
2026-04-21 10:52:04 -05:00
Allen Houchins
842316c4bc
Add Touch ID sudo script and icon (#43848)
Register a new macOS fleet script that enables Touch ID authentication
for sudo on macOS 15+. Adds
it-and-security/lib/macos/scripts/enable-touch-id-sudo.sh which checks
for the sudo_local.template, creates /etc/pam.d/sudo_local if missing,
and idempotently uncomments or appends the pam_tid line. Also adds a
touch-id.png icon and exposes the script in
it-and-security/fleets/workstations.yml as a self_service Security item.
Provides logging and exits safely when already configured or when run
without root.
2026-04-21 10:10:51 -05:00
Allen Houchins
3bd2335b8c
Updated scoping of Fleet-maintained apps on Workstations (#43752) 2026-04-20 08:48:55 -05:00
Allen Houchins
d8772bbb8d
Use app-specific labels for macOS software (#43751)
Replace the generic "Apple Silicon macOS hosts" label with app-specific
labels_include_any entries for macOS packages and add a Windows label
for VS Code. This change adds or updates labels for many self_service
macOS apps (Brave, Docker Desktop, VS Code, Microsoft Teams, GitHub
Desktop, UTM, Postman, Grammarly Desktop, iTerm2, Sublime Text,
Parallels, Loom, Spotify, Rectangle, Logi Options+, Figma, WhatsApp,
Android Studio, Zed, Obsidian, Google Drive, Cursor, etc.) to target
hosts that have each app installed rather than relying on the Apple
Silicon host label. Improves targeting for software availability in the
fleet configuration.
2026-04-20 08:39:11 -05:00
Allen Houchins
7f92a3b8ac
Add Fleet Desktop update policy and bump package (#43750)
Add a macOS policy to check Fleet Desktop is at least v1.1.0 and
reference it from the workstations fleet. Update the Fleet Desktop
installer metadata to v1.1.0 (new SHA256). Also wrap long resolution
strings in quotes for consistency in Firefox and 1Password policies.
2026-04-20 08:19:16 -05:00
Allen Houchins
7980b636a0
Update workstations.yml (#43620) 2026-04-15 11:41:52 -05:00
Allen Houchins
2b8f67a072
Revert "Temporarily disable FMA patch policies" (#43612)
Reverts fleetdm/fleet#43611
2026-04-15 09:53:51 -05:00
Allen Houchins
31e8300670
Temporarily disable FMA patch policies (#43611)
Comment out the patch-fleet-maintained-apps.yml entries for macOS and
Windows in it-and-security/fleets/workstations.yml. This temporarily
disables the FMA patch policies (kept as commented lines with a TEMP
note) to allow re-establishing the Fleet Maintained Apps software state.
2026-04-15 09:49:53 -05:00
Allen Houchins
f0bdd0498f
Remove several x86 Windows apps, labels and policies (#43608)
Remove several x86-only Fleet-maintained Windows applications and their
associated dynamic labels and patch policies. Changes touch:

- it-and-security/fleets/workstations.yml: removed fleet app entries for
Brave, Docker Desktop, GitHub Desktop, Postman, Sublime Text, Spotify,
Figma, Google Drive, and Cursor.
- it-and-security/lib/all/labels/windows-with-fleet-maintained-apps-installed.yml: removed the matching x86 dynamic labels.
- it-and-security/lib/windows/policies/patch-fleet-maintained-apps.yml:
removed the corresponding patch policies for those apps.

This cleans up configuration related to x86-only Windows apps (labels
previously filtered on arch NOT LIKE 'ARM%').
2026-04-15 09:26:38 -05:00
Allen Houchins
94674f28da
Re-add iMazing Profile Editor as a macOS FMA (#43574)
Register iMazing Profile Editor as a Fleet-maintained app: add input
metadata, add app entry to outputs/apps.json, and add darwin-specific
version/installer info with install/uninstall scripts and checks. Update
frontend icon mapping to include the human-readable name, and adjust
fleet configs (workstations self-service slug, dynamic label bundle
identifier, and macOS patch policy) to reference the new
imazing-profile-editor/darwin slug and
com.DigiDNA.iMazingProfileEditorMac bundle ID.
2026-04-14 15:29:40 -05:00
Allen Houchins
86b5eaf4a9
Rename iMazing Profile Editor to iMazing in the FMA library (#43555)
Replace the fleet-maintained app record for "iMazing Profile Editor"
with the full "iMazing" app. Deleted the old input file and added a new
input for imazing; renamed output paths and updated app metadata (bundle
identifier, slug, categories). Bumped version to 3.5.2 and updated
installer URL, install/uninstall script refs and SHA256. Updated
frontend icon mapping and website routes to point to the new imazing
slug, and adjusted fleet configs: workstation software slug, dynamic
label query, and macOS patch policy to reference imazing/darwin and the
new bundle identifier.


## Summary by CodeRabbit

* **New Features**
  * iMazing application (v3.5.2) now replaces iMazing Profile Editor with improved capabilities and enhanced functionality.
  * Application category updated from Developer tools to Utilities for better organization and discoverability.

* **Updates**
  * Updated deployment configurations, system routes, and management policies to support iMazing across all managed environments and platforms.

2026-04-14 14:57:24 -05:00
Allen Houchins
8209dbebee
Remove Edge and Suspicious Package entries (#43509)
Remove Microsoft Edge and Suspicious Package from fleet configurations:
deleted their software entries in
it-and-security/fleets/workstations.yml, removed corresponding dynamic
labels in
it-and-security/lib/all/labels/macs-with-fleet-maintained-apps-installed.yml,
and removed their patch policies in
it-and-security/lib/macos/policies/patch-fleet-maintained-apps.yml.
These apps are no longer included in the fleet-maintained app lists and
patch checks.
2026-04-13 22:15:24 -05:00
Allen Houchins
972e301a0e
Add fleet apps, labels, and patch policies (#43473)
Add multiple Fleet-maintained apps to workstations (macOS and x86
Windows), create dynamic labels to detect installed apps, and add patch
policies to flag out-of-date installs. workstations.yml: add numerous
macOS self-service entries (e.g. GitHub Desktop, Postman, iTerm2,
Sublime Text, Figma, Spotify, Google Drive, Cursor, etc.) and x86
Windows entries with labels_include_any for x86 hosts.
lib/all/labels/...: add dynamic macOS labels using bundle identifiers
and x86 Windows labels using program name plus arch checks.
lib/macos/policies/... and lib/windows/policies/...: add patch policies
for each new app to notify about outdated versions and provide
remediation guidance (Self-service or app update/uninstall). These
changes enable inventory, self-service deployment, and patch management
for additional developer and productivity applications.
2026-04-13 14:18:06 -05:00
Allen Houchins
91160dedc2
Add AWS VPN Client label, app, and patch policy (#43285)
Register AWS VPN Client in fleet configs: add an IdP group label (IdP
group: SAML-aws-vpn), include that label in default.yml, and add
aws-vpn-client/darwin to fleet_maintained_apps (self_service=true,
labeled for the SAML-aws-vpn group). Add a dynamic label for macOS hosts
with AWS VPN Client installed (bundle id com.amazonaws.acvc.osx) and add
a macOS patch policy to surface/update hosts with out-of-date AWS VPN
Client. These changes enable inventorying, self-service installation,
and patch tracking for the AWS VPN Client.
2026-04-08 14:37:03 -05:00
Allen Houchins
a62f318d2e
Re-add Zoom FMAs (#43173) 2026-04-07 15:09:02 -05:00
Allen Houchins
e8de86be83
Disable Zoom FMA and related labels/policies (#43169)
Comment out Zoom Fleet Maintained App entries and associated labels and
patch policies until Zoom FMA is present in Fleet. Files updated:
workstations.yml (zoom/darwin and zoom/windows software entries
commented), labels/* (macOS and x86 Windows Zoom labels commented), and
macOS/Windows patch policy files (Zoom patch policies disabled via
comments). This prevents Fleet from referencing or enforcing Zoom
policies while the FMA is not available.
2026-04-07 14:51:17 -05:00
Allen Houchins
ad9892d27c
Switch Zoom to Fleet-maintained app version and patch policy (#43149)
Remove local Zoom software manifests and icon and replace them with
fleet-maintained app slugs. Workstations fleet now references
zoom/darwin and zoom/windows slugs; added dynamic labels for Macs and
x86 Windows hosts with Zoom installed. Patch policies for macOS and
Windows updated to include Zoom using the new slugs so patch
checks/notifications are centralized. Deleted legacy
it-and-security/lib/*/software/zoom.yml and the Zoom icon to avoid
duplicate/local package definitions.
2026-04-07 13:03:14 -05:00
Allen Houchins
cd487f8d2f
Disable locking of end-user info in macOS setup (#43147)
Add lock_end_user_info: false to it-and-security/fleets/workstations.yml
under macos_setup so end-user information is not locked during macOS
enrollment. This allows end users to view or edit their info while
end-user authentication remains enabled.
2026-04-07 12:52:35 -05:00
Allen Houchins
ce91bfb19e
Add Claude to iOS and Android (#43118) 2026-04-07 10:06:35 -05:00
Allen Houchins
00537ff370
Use Fleet-maintained Firefox and remove legacy files (#43119)
Migrate Firefox management to the fleet-maintained app slug
(firefox/darwin): update workstations.yml to remove the old update
policy and replace the macOS software entry with the firefox/darwin
slug; add a dynamic label for Macs with Firefox installed; add a patch
policy that targets the fleet_maintained_app_slug and uses the new
label. Also remove legacy update policy and package files for Firefox
(macOS and Windows) and the hardcoded Firefox pkg URL. This consolidates
Firefox management under Fleet-maintained apps and removes
duplicated/obsolete artifacts.
2026-04-07 10:01:42 -05:00
Allen Houchins
369e54da32
Add Fleet-maintained app labels and patch policies (#43040)
Introduce dynamic labels for common Fleet-maintained apps on macOS and
Windows, and add corresponding patch policies for macOS and Windows.
Update it-and-security/default.yml to include the new labels and
it-and-security/fleets/workstations.yml to use the consolidated patch
policies (replacing individual update policies). macOS policies use
labels_include_any and reference fleet_maintained_app_slug entries;
Windows policies include platform and architecture filters where
applicable. This centralizes patch checks for Fleet-maintained apps and
simplifies fleet policy management.
2026-04-05 22:53:50 -05:00
Allen Houchins
bba4a2d217
Converted to webhooks_and_tickets_enabled key for policies (#42950) 2026-04-02 21:09:30 -05:00
Allen Houchins
e76eaa8e94
Remove display_name from FMA (#42949) 2026-04-02 20:50:51 -05:00
kilo-code-bot[bot]
e9e3ad8564
Add battery health check policies for macOS and Windows workstations (#42388)
## Summary

- Adds a **macOS battery health check** policy that verifies the battery
health is "Good" and condition is "Normal" using the osquery `battery`
table's macOS-specific `health` and `condition` columns.
- Adds a **Windows battery health check** policy that verifies the
battery's full charge capacity remains above 80% of its designed
capacity using the osquery `battery` table's `max_capacity` and
`designed_capacity` columns.
- References both new policies in the **Workstations** team config
(`it-and-security/fleets/workstations.yml`).
- **Desktop computers (no battery) automatically pass** both policies.
The queries use a `NOT EXISTS` pattern so that devices returning zero
rows from the `battery` table are not treated as failures.

## Changes

| File | Description |
|------|-------------|
| `it-and-security/lib/macos/policies/battery-health-check.yml` | New macOS battery health policy |
| `it-and-security/lib/windows/policies/battery-health-check.yml` | New Windows battery health policy |
| `it-and-security/fleets/workstations.yml` | Added policy references for both platforms |

## Testing

- Policy queries validated against the [osquery `battery` table
schema](https://github.com/fleetdm/fleet/blob/main/schema/tables/battery.yml).
- macOS query: `SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM battery WHERE health != 'Good' OR condition != 'Normal');`
- Windows query: `SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM battery WHERE designed_capacity > 0 AND CAST(max_capacity AS REAL) / designed_capacity <= 0.80);`

### Expected behavior

| Scenario | Result |
|----------|--------|
| Laptop with healthy battery | PASS |
| Laptop with unhealthy battery | FAIL |
| Desktop (no battery / zero rows) | PASS |

---

Built for [Allen Houchins](https://fleetdm.slack.com/archives/D0AFASNBZMW/p1774454193574469?thread_ts=1774453340.076579&cid=D0AFASNBZMW) by [Kilo for Slack](https://kilo.ai/features/slack-integration)

---------

Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
2026-03-25 11:23:49 -05:00
Allen Houchins
d9a4aa6440
Cleaning up duplicate policies (#42382) 2026-03-25 10:15:11 -05:00
kilo-code-bot[bot]
80f6c9069f
Enable Claude install during setup experience for Workstations team (#42378)
## Summary

- Adds `setup_experience: true` to the `claude/darwin` Fleet-maintained
app entry in the Workstations team, so Claude is automatically installed
during the macOS setup experience for new device enrollments.
- Adds `setup_experience: true` to the `claude/windows` Fleet-maintained
app entry in the Workstations team, so Claude is automatically installed
during the Windows setup experience for new device enrollments.

## Changes

Only `it-and-security/fleets/workstations.yml` is modified. Two lines
added — one `setup_experience: true` for each platform's Claude entry
under `fleet_maintained_apps`.

Built for [Allen Houchins](https://fleetdm.slack.com/archives/D0AFASNBZMW/p1774450304000589) by [Kilo for Slack](https://kilo.ai/features/slack-integration)

Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
2026-03-25 10:06:23 -05:00