This pull request introduces new configuration profiles to support Okta
conditional access for macOS devices, specifically targeting the
Information Technology department. It also updates the GitHub Actions
workflow to include a new secret for the Okta CA certificate.
Additionally, it removes the `workstations-canary` team configuration,
likely as part of a cleanup or migration.
The most important changes are:
**Conditional Access and Okta Integration:**
* Added a new configuration profile,
`fleet-okta-conditional-access.mobileconfig`, to manage trusted CA
certificates, SCEP enrollment, mTLS identity preferences, and Chrome
mTLS auto-selection for Okta conditional access on macOS. This profile
is applied to devices labeled with "Department: Information Technology".
[[1]](diffhunk://#diff-904aba5588b0d2c8dc325414aa1e8f2cd8a324602ac8e0c1cd2a5dff28db357bR1-R157)
[[2]](diffhunk://#diff-96f80858f5a487334ae6014cddaa65d1bb79d7e85fa0ea596d1e49063f5b99bdR72-R77)
* Added a new configuration profile,
`okta-verify-settings.mobileconfig`, to configure privacy preferences,
managed login items, notification settings, and Okta Verify app settings
for macOS devices in the Information Technology department.
[[1]](diffhunk://#diff-b321656e070ad9cb0727fe7ced60565d88bf31d236ac2642d3192fcb375fa4b2R1-R129)
[[2]](diffhunk://#diff-96f80858f5a487334ae6014cddaa65d1bb79d7e85fa0ea596d1e49063f5b99bdR72-R77)
**Workflow and Secrets Management:**
* Updated the GitHub Actions workflow (`dogfood-gitops.yml`) to include
the `DOGFOOD_OKTA_CA_CERTIFICATE` secret, supporting the new Okta
conditional access configuration.
**Configuration Cleanup:**
* Removed the `workstations-canary.yml` team configuration, eliminating
its policies, software, scripts, and settings.
---------
Co-authored-by: Allen Houchins <32207388+allenhouchins@users.noreply.github.com>
Co-authored-by: Allen Houchins <allenhouchins@mac.com>
