This pull request introduces automation for keeping the Fleet macOS
Safari update policy current, along with a new script for updating
Safari on endpoints. The main changes include a new GitHub Actions
workflow step to run an automated script that checks for the latest
Safari versions, updates the policy YAML if needed, and creates a pull
request with the changes. Additionally, a new endpoint script is added
to perform Safari updates via `softwareupdate`.
**Automation for Safari Policy Updates:**
* Added `.github/scripts/dogfood-policy-updater-latest-safari.sh`, a
script that fetches the latest Safari versions from the SOFA feed,
compares them to the versions in `update-safari.yml`, updates the YAML
if necessary, and automatically creates a pull request with reviewers
assigned.
* Updated `.github/workflows/dogfood-automated-policy-updates.yml` to
add a step that runs the new Safari version update script as part of the
workflow, using the required automation secrets.
**Policy and Endpoint Script Enhancements:**
* Added a new policy to
`it-and-security/lib/macos/policies/update-safari.yml` that checks if
the installed Safari version matches the latest for macOS 15 (Safari
18.6) and macOS 26 (Safari 26.1).
* Introduced `it-and-security/lib/macos/scripts/update-safari.sh`, a
script for endpoints that runs `softwareupdate` with the `--safari-only`
flag, logging the outcome and requiring root privileges.
TODO:
- Make the script itself executable. Right now you have to run `sudo
./unload_osquery_extension.sh /var/fleet/extensions/santa.ext`
Context: https://github.com/fleetdm/fleet/issues/34789
---------
Co-authored-by: Allen Houchins <allenhouchins@mac.com>
Co-authored-by: Allen Houchins <32207388+allenhouchins@users.noreply.github.com>
Fixes#32504
Homebrew has removed the ability to install via a local .rb file. For
context see the PR here: https://github.com/Homebrew/brew/pull/20414 .
Also the long list of PRs and commits referencing can give you some idea
of how others are solving this
We have a few different options we can take.
We can use the usual homebrew method of doing an install
wine-stable@[version] but this does not support us installing a version
referenced by a commit SHA, rather we just get to choose a specific
semver.
We can set EVs normally intended for use only by homebrew developers.
The actual Homebrew developers have strongly cautioned against this as
it has more side effects than simply allowing local package installs.
Finally, we can take the method suggested by the Homebrew developers,
which I have done here, of creating a local tap containing our specified
Wine version's cask file and installing from it. This works well in
local testing and I think has the fewest downsides while maintaining the
reference to a specific immutable version.
# Checklist for submitter
## Testing
- [x] QA'd all new/changed functionality manually
Fixed CI run here:
https://github.com/fleetdm/fleet/actions/runs/17407514780/job/49415787748
- Added a new `Keynote installed` label so that the Keynote theme
installer will only show up for devices with Keynote installed
- Added a new `refetch_host.sh` to use to trigger an immediate refetch
For #27042.
Ready for review, just missing integration tests that I will be writing
today.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [X] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.
- [X] If database migrations are included, checked table schema to
confirm autoupdate
- For new Fleet configuration settings
- [X] Verified that the setting can be managed via GitOps, or confirmed
that the setting is explicitly being excluded from GitOps. If managing
via Gitops:
- [X] Verified that the setting is exported via `fleetctl
generate-gitops`
- [X] Added the setting to [the GitOps
documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485)
- [X] Verified that the setting is cleared on the server if it is not
supplied in a YAML file (or that it is documented as being optional)
- [x] Verified that any relevant UI is disabled when GitOps mode is
enabled
- For database migrations:
- [X] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [X] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [X] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
- [x] Added/updated automated tests
- [X] Manual QA for all new/changed functionality
---------
Co-authored-by: jacobshandling <61553566+jacobshandling@users.noreply.github.com>
Co-authored-by: Jacob Shandling <jacob@fleetdm.com>
- Updated version of santa
- Added policy and script to check for existence of santa osquery
extension and install if not found
- Changed to configuration profile based rules
- Split rules into their own configuration profiles to manage easier via
GitOps
- Move duplicate scripts out of `scripts/mdm/` and into
`it-and-security/` so we have one version that we can continue to
iterate and improve.
- Remove no longer used scripts out of `scripts/mdm/`
---------
Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com>
