This pull request makes minor improvements to the software metadata for
Linux and Windows installers, and updates messaging in a MacOS
configuration profile. The main changes are the addition of display
names for several software packages and a small wording update in the
MacOS profile.
Software metadata improvements:
* Added the `display_name` field for 1Password, Slack, and Zoom
installers in both `.deb` and `.rpm` formats for Linux, improving
clarity in software listings.
[[1]](diffhunk://#diff-74a6b317e1363bc4c856fc04b9532876ec6fbdaec1ae7745bc7ec00c164b5ee8R2)
[[2]](diffhunk://#diff-a09b19aa20a36257dba104b182ec182a175198bf2b83b4c27bbe5b34e3f86a9cR2)
[[3]](diffhunk://#diff-63cf9bff568593d4d6681597dc69b3c3741cbd53197cfa8056e66a8ce6aa65a3R2)
[[4]](diffhunk://#diff-1c76fa28d50f586e4d7090a954db56d9235cdea759e8a613d2c5fb0ccdf28fdfR2)
[[5]](diffhunk://#diff-d3b614ed0d7209d14d8f70170e4326d56e660fdb87ed585674be14c344a59d7fR2)
[[6]](diffhunk://#diff-c5be3430c846b9b69a3d47f0157b0d1707a61dac731d823e38adbf78de4f5ebeR2)
* Added the `display_name` field for Zoom installers for Windows
(`zoom-arm.yml` and `zoom.yml`), making software identification easier.
[[1]](diffhunk://#diff-3f6d972edfe5bd7590c0cd9ffc76a416401410a4b6143e4d6b2d6a0f8efa83b5R2)
[[2]](diffhunk://#diff-2ea34a1db8efdb13d238a064e9bd2e0ba1e4565aba849549e6182fcbe38cd388R2)
MacOS configuration profile update:
* Updated the `subHeader` in the `nudge-configuration.mobileconfig` file
to reference the "IT team" instead of "IT & Enablement team," clarifying
the responsible group in user notifications.
Fixed typo in stealth firewall description. Changed organization from
FleetDM to Fleet.
---------
Co-authored-by: Allen Houchins <32207388+allenhouchins@users.noreply.github.com>
This pull request introduces new configuration profiles to support Okta
conditional access for macOS devices, specifically targeting the
Information Technology department. It also updates the GitHub Actions
workflow to include a new secret for the Okta CA certificate.
Additionally, it removes the `workstations-canary` team configuration,
likely as part of a cleanup or migration.
The most important changes are:
**Conditional Access and Okta Integration:**
* Added a new configuration profile,
`fleet-okta-conditional-access.mobileconfig`, to manage trusted CA
certificates, SCEP enrollment, mTLS identity preferences, and Chrome
mTLS auto-selection for Okta conditional access on macOS. This profile
is applied to devices labeled with "Department: Information Technology".
[[1]](diffhunk://#diff-904aba5588b0d2c8dc325414aa1e8f2cd8a324602ac8e0c1cd2a5dff28db357bR1-R157)
[[2]](diffhunk://#diff-96f80858f5a487334ae6014cddaa65d1bb79d7e85fa0ea596d1e49063f5b99bdR72-R77)
* Added a new configuration profile,
`okta-verify-settings.mobileconfig`, to configure privacy preferences,
managed login items, notification settings, and Okta Verify app settings
for macOS devices in the Information Technology department.
[[1]](diffhunk://#diff-b321656e070ad9cb0727fe7ced60565d88bf31d236ac2642d3192fcb375fa4b2R1-R129)
[[2]](diffhunk://#diff-96f80858f5a487334ae6014cddaa65d1bb79d7e85fa0ea596d1e49063f5b99bdR72-R77)
**Workflow and Secrets Management:**
* Updated the GitHub Actions workflow (`dogfood-gitops.yml`) to include
the `DOGFOOD_OKTA_CA_CERTIFICATE` secret, supporting the new Okta
conditional access configuration.
**Configuration Cleanup:**
* Removed the `workstations-canary.yml` team configuration, eliminating
its policies, software, scripts, and settings.
---------
Co-authored-by: Allen Houchins <32207388+allenhouchins@users.noreply.github.com>
Co-authored-by: Allen Houchins <allenhouchins@mac.com>
- Updating feature prioritization criteria
- Use `P-` labels for high-priority customer requests
- Remove 💝 Customer requests (prioritized) project: From a Product
Design perspective, I think we get little to no value from maintaining
that project.
- @noahtalerman: I'm also going to delete the `~customer request` label.
That's the label we used to put issues on this project.
- Add #g-security-compliance
- Move #g-mdm and #g-software together like they are in the handbook:
https://fleetdm.com/handbook/company/product-groups#product-groups
- Remove trailing `/view/` from project links
- @noahtalerman: Technically we don't need to remove this bit but this
way it's clear we're going to the project and not a specific view.
Configuring Entra conditional access:
- Test group label created
- SSO extension mobileconfig
- Policy to auto-install Company Portal app
- Company Portal software title defined
For #27042.
Ready for review, just missing integration tests that I will be writing
today.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [X] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.
- [X] If database migrations are included, checked table schema to
confirm autoupdate
- For new Fleet configuration settings
- [X] Verified that the setting can be managed via GitOps, or confirmed
that the setting is explicitly being excluded from GitOps. If managing
via Gitops:
- [X] Verified that the setting is exported via `fleetctl
generate-gitops`
- [X] Added the setting to [the GitOps
documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485)
- [X] Verified that the setting is cleared on the server if it is not
supplied in a YAML file (or that it is documented as being optional)
- [x] Verified that any relevant UI is disabled when GitOps mode is
enabled
- For database migrations:
- [X] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [X] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [X] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
- [x] Added/updated automated tests
- [X] Manual QA for all new/changed functionality
---------
Co-authored-by: jacobshandling <61553566+jacobshandling@users.noreply.github.com>
Co-authored-by: Jacob Shandling <jacob@fleetdm.com>
- Updated version of santa
- Added policy and script to check for existence of santa osquery
extension and install if not found
- Changed to configuration profile based rules
- Split rules into their own configuration profiles to manage easier via
GitOps
