<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added automatic launch agent support for Fleet Desktop.app on macOS
devices, enabling the app to start automatically at system login without
user interaction
* Implemented MDM configuration profiles and policies for seamless
deployment and automatic management across macOS devices
* Added dynamic labeling capabilities to identify and track macOS hosts
with the Fleet Desktop launch agent profile installed
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Add a new macOS configuration profile
(fleet-desktop-launchagent.mobileconfig) that configures managed
login/background items to allow Fleet Desktop.app's launch agent to run
at login without prompting the user. Also reference the profile in
it-and-security/fleets/workstations.yml so hosts labeled as having Fleet
Desktop.app installed will match the control.
Make Fleet Desktop detection more precise and switch to fleet-maintained
app workflow. Rename label to include the .app suffix and filter by
bundle_identifier; update workstations.yml to reference the new label
and replace the file-based software entry with the fleet-maintained slug
(fleet-desktop/darwin). Add a Fleet Desktop entry to the
patch-fleet-maintained-apps policy so Fleet Desktop is managed via the
fleet_maintained_app_slug. Remove the now-obsolete update-fleet-desktop
policy and the packaged fleet-desktop software metadata file.
Add detection and remediation for Santa's Endpoint Security system
extension: new policy
it-and-security/lib/macos/policies/santa-endpoint-security-extension-active.yml
and remediation script
it-and-security/lib/macos/scripts/load-santa-system-extension.sh. Add a
dynamic label for Macs with Santa installed and update the macOS patch
policy to include a Fleet-maintained santa/darwin entry so Fleet can
install/patch Santa. Update workstations fleet config to reference the
new script, policy, and the santa/darwin software slug; remove the old
static santa.yml package file. The policy checks for Santa's bundle id
and the system_extensions record (identifier/team/state) and the script
invokes Santa's binary to request loading the system extension as the
console user.
Add a macOS policy to check Fleet Desktop is at least v1.1.0 and
reference it from the workstations fleet. Update the Fleet Desktop
installer metadata to v1.1.0 (new SHA256). Also wrap long resolution
strings in quotes for consistency in Firefox and 1Password policies.
Remove local Zoom software manifests and icon and replace them with
fleet-maintained app slugs. Workstations fleet now references
zoom/darwin and zoom/windows slugs; added dynamic labels for Macs and
x86 Windows hosts with Zoom installed. Patch policies for macOS and
Windows updated to include Zoom using the new slugs so patch
checks/notifications are centralized. Deleted legacy
it-and-security/lib/*/software/zoom.yml and the Zoom icon to avoid
duplicate/local package definitions.
Migrate Firefox management to the fleet-maintained app slug
(firefox/darwin): update workstations.yml to remove the old update
policy and replace the macOS software entry with the firefox/darwin
slug; add a dynamic label for Macs with Firefox installed; add a patch
policy that targets the fleet_maintained_app_slug and uses the new
label. Also remove legacy update policy and package files for Firefox
(macOS and Windows) and the hardcoded Firefox pkg URL. This consolidates
Firefox management under Fleet-maintained apps and removes
duplicated/obsolete artifacts.
## Summary
- Updates Firefox from 148.0.2 to 149.0 (released March 23, 2026) across
the Workstations team configuration
- Updates macOS custom package download URL to Firefox 149.0
- Updates macOS and Windows version-check policies to enforce version >=
149.0
## Changes
| File | Change |
|---|---|
| `it-and-security/lib/macos/software/mozilla-firefox.yml` | Updated
package URL from 148.0.2 to 149.0 |
| `it-and-security/lib/macos/policies/update-firefox.yml` | Updated
version check from 148.0.2 to 149.0 |
| `it-and-security/lib/windows/policies/update-firefox.yml` | Updated
version check from 148.0.2 to 149.0 |
## Notes
- Firefox on Windows uses the Fleet-maintained app (`slug:
firefox/windows`), which is managed by the Fleet catalog and will
auto-update when the catalog is refreshed
- Firefox on macOS uses a custom package URL since the existing pattern
uses a `.pkg` installer
- Both macOS and Windows already have self-service enabled and
corresponding update policies with calendar event enforcement (macOS)
Built for [Allen
Houchins](https://fleetdm.slack.com/archives/D0AFASNBZMW/p1774366778146629)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
---------
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
Co-authored-by: Allen Houchins <32207388+allenhouchins@users.noreply.github.com>
## Summary
- Removes the Company Portal software package from the Workstations team
- Removes the Company Portal SSO extension (extensible SSO)
configuration profile from the Workstations team
- Removes the "Conditional access test group" label that was used to
scope both Company Portal and the SSO extension
- Removes the `company-portal-installed` and
`entra-conditional-access-check` policies that were specifically for
Company Portal/Entra conditional access
- Removes the `create-conditional-access-allow-file.sh` and
`user-enroll-entra-company-portal.sh` scripts that were only used by the
removed policies/Company Portal
### Files deleted
-
`it-and-security/lib/macos/configuration-profiles/company-portal-sso-extension.mobileconfig`
- `it-and-security/lib/macos/software/company-portal.yml`
- `it-and-security/lib/macos/policies/company-portal-installed.yml`
-
`it-and-security/lib/macos/policies/entra-conditional-access-check.yml`
-
`it-and-security/lib/macos/scripts/create-conditional-access-allow-file.sh`
-
`it-and-security/lib/macos/scripts/user-enroll-entra-company-portal.sh`
- `it-and-security/lib/all/labels/conditional-access-test-group.yml`
### Files modified
- `it-and-security/teams/workstations.yml` — Removed references to
Company Portal software, SSO extension profile, related policies, and
the conditional access script
- `it-and-security/default.yml` — Removed the "Conditional access test
group" label definition
### Items intentionally kept
- `fleet-okta-conditional-access.mobileconfig` — This is an Okta-based
conditional access profile, not related to Company Portal/Entra SSO
- `conditional_access_enabled: true` in team settings — This is a
team-level integration setting, not Company Portal specific
Built for [Allen
Houchins](https://fleetdm.slack.com/archives/D0AFASNBZMW/p1773067955110849)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
## Summary
- Updates the macOS Firefox software package from v143.0 to the latest
stable v148.0 (released Feb 24, 2026), which includes 50+ security fixes
- Updates the macOS Firefox update policy to require >= 148.0 (was
147.0.3)
- Adds `install_software` auto-remediation to the Firefox update policy
so hosts that fail the version check automatically receive the updated
package — following the same pattern used by the `1password-installed`
policy
### Changes
**`it-and-security/lib/macos/software/mozilla-firefox.yml`**
- Updated download URL from `Firefox 143.0.pkg` to `Firefox 148.0.pkg`
**`it-and-security/lib/macos/policies/update-firefox.yml`**
- Updated minimum version check from `147.0.3` to `148.0`
- Added `install_software.package_path` pointing to
`../software/mozilla-firefox.yml` so Fleet will automatically push the
updated Firefox package to non-compliant hosts
---
Built for
[mikermcneil](https://fleetdm.slack.com/archives/D0AFASLRHNU/p1772229267107939)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
Add 1Password Linux package manifests (deb & rpm), update Slack Linux
download URLs to the generic download endpoints, and bump Zoom Linux
package URLs to a newer build (6.7.5.6891). Also add a display_name for
macOS Zoom and register the new Linux 1Password entries in the
workstations software list; remove several redundant display_name fields
in workstations.yml to avoid duplication. Files changed:
it-and-security/lib/linux/software/{1password-deb.yml,1password-rpm.yml,slack-deb.yml,slack-rpm.yml,zoom-deb.yml,zoom-rpm.yml},
it-and-security/lib/macos/software/zoom.yml, and
it-and-security/teams/workstations.yml.
This pull request updates the Santa software package to a newer version
in the configuration file.
- Updated the Santa package URL in
`it-and-security/lib/macos/software/santa.yml` to point to version
`2025.11` instead of `2025.6`.
Configuring Entra conditional access:
- Test group label created
- SSO extension mobileconfig
- Policy to auto-install Company Portal app
- Company Portal software title defined
- Added a new `Keynote installed` label so that the Keynote theme
installer will only show up for devices with Keynote installed
- Added a new `refetch_host.sh` to use to trigger an immediate refetch
- Updated version of santa
- Added policy and script to check for existence of santa osquery
extension and install if not found
- Changed to configuration profile based rules
- Split rules into their own configuration profiles to manage easier via
GitOps