Register AWS VPN Client in fleet configs: add an IdP group label (IdP
group: SAML-aws-vpn), include that label in default.yml, and add
aws-vpn-client/darwin to fleet_maintained_apps (self_service=true,
labeled for the SAML-aws-vpn group). Add a dynamic label for macOS hosts
with AWS VPN Client installed (bundle id com.amazonaws.acvc.osx) and add
a macOS patch policy to surface/update hosts with out-of-date AWS VPN
Client. These changes enable inventorying, self-service installation,
and patch tracking for the AWS VPN Client.
Replace individual department-*.yml label files with a single
lib/all/labels/departments.yml and update it-and-security/default.yml to
reference the consolidated file. Removes the separate department files
and moves their label entries into departments.yml; behavior and label
criteria are unchanged — this is a refactor to reduce file clutter and
simplify label management.
Introduce dynamic labels for common Fleet-maintained apps on macOS and
Windows, and add corresponding patch policies for macOS and Windows.
Update it-and-security/default.yml to include the new labels and
it-and-security/fleets/workstations.yml to use the consolidated patch
policies (replacing individual update policies). macOS policies use
labels_include_any and reference fleet_maintained_app_slug entries;
Windows policies include platform and architecture filters where
applicable. This centralizes patch checks for Fleet-maintained apps and
simplifies fleet policy management.
## Summary
- **Removed the WhatsApp block rule** from the Santa rules configuration
profile (`santa-rules.mobileconfig`). The rule blocked WhatsApp.app via
a CDHASH identifier (`54a8ec11bcea48a276b1fdce556a29108ba77de4`) and is
no longer needed.
- **Expanded Santa profile deployment to all macOS hosts** on the
Workstations team. Both `santa-configuration.mobileconfig` and
`santa-rules.mobileconfig` were previously scoped only to the `"Santa
test devices"` label (4 specific Macs). Removed the `labels_include_any`
restriction so these profiles now install on all Macs in the
Workstations team.
- **Deleted the "Santa test devices" label entirely.** Removed the label
definition file (`santa-test-devices.yml`), its reference in
`default.yml`, and all remaining `labels_include_any` references to it
from the Santa software entry, install-santa-extension policy, and
collect-santa-denied-logs report.
## Changes
### `it-and-security/lib/macos/configuration-profiles/santa-rules.mobileconfig`
- Removed the `BLOCKLIST` / `CDHASH` rule entry for WhatsApp.app
(identifier `54a8ec11bcea48a276b1fdce556a29108ba77de4`)
- The allowlist for North Pole Security (Team ID) and the test block
rule for BundleExample.app remain unchanged
### `it-and-security/fleets/workstations.yml`
- Removed `labels_include_any: ["Santa test devices"]` from the
`santa-configuration.mobileconfig` and `santa-rules.mobileconfig`
profile entries
- Removed `labels_include_any: ["Santa test devices"]` from the Santa
software entry
- All Santa-related profiles and software now apply to all macOS hosts
on the Workstations team
### `it-and-security/lib/all/labels/santa-test-devices.yml` (deleted)
- Removed the manual label definition for "Santa test devices"
(previously scoped to 4 specific Macs)
### `it-and-security/default.yml`
- Removed the label path reference to `santa-test-devices.yml`
### `it-and-security/lib/macos/policies/install-santa-extension.yml`
- Removed `labels_include_any: ["Santa test devices"]` so the policy
applies to all macOS hosts
### `it-and-security/lib/macos/reports/collect-santa-denied-logs.yml`
- Removed `labels_include_any: ["Santa test devices"]` so the report
applies to all macOS hosts
---
Built for [Allen
Houchins](https://fleetdm.slack.com/archives/D0AFASNBZMW/p1774320804143629?thread_ts=1774320368.198119&cid=D0AFASNBZMW)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
---------
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
This pull request updates the environment variable configuration for
Okta metadata URLs in the `dogfood-gitops` GitHub Actions workflow.
Instead of using a single metadata URL, the workflow now distinguishes
between admin and end user metadata URLs.
Workflow configuration changes:
* Split the `DOGFOOD_OKTA_METADATA_URL` environment variable into two
separate variables: `DOGFOOD_OKTA_METADATA_URL_ADMINS` and
`DOGFOOD_OKTA_METADATA_URL_END_USERS` in the
`.github/workflows/dogfood-gitops.yml` workflow file.
Add DOGFOOD_OKTA_METADATA_URL to the dogfood GitOps workflow environment
and update SSO configuration to use Okta. it-and-security/default.yml:
change end_user_authentication.entity_id to fleet-end-users and org SSO
entity_id to fleet-admins, set idp_name to Okta for both, remove inline
metadata values, and point metadata_url to $DOGFOOD_OKTA_METADATA_URL.
This centralizes IdP metadata retrieval via a secret URL.
PR created based on this:
https://fleetdm.slack.com/archives/C071NNMSP2R/p1773261307958859
This will allow us to keep enrolling Windows devices via Autopilot;
currently it will be wiped on the next GitOps run.
I've added the GH secret with the value Jordan posted.
## Summary
- Adds `windows_entra_tenant_ids` configuration to the Dogfood
`controls` section in `it-and-security/default.yml`, referencing a new
`$DOGFOOD_ENTRA_TENANT_ID` environment variable.
- Adds the corresponding `DOGFOOD_ENTRA_TENANT_ID` secret mapping in
`.github/workflows/dogfood-gitops.yml` so the value is passed through
during deployment.
## Action required
The actual tenant ID value needs to be added as a GitHub Actions secret
named `DOGFOOD_ENTRA_TENANT_ID` in the repository settings before this
will take effect. The tenant ID can be found in [Microsoft Entra admin
center](https://entra.microsoft.com/#home) under **Microsoft Entra ID >
Home**.
Built for [Magnus
Jensen](https://fleetdm.slack.com/archives/D0AG2PPQWV7/p1773271863050969)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
This pull request makes a minor update to the organization settings by
updating the contact URL for the organization in the
`it-and-security/default.yml` file.
* Updated the `contact_url` under `org_info` to point to a new Slack
channel.
## Summary
- Removes the Company Portal software package from the Workstations team
- Removes the Company Portal SSO extension (extensible SSO)
configuration profile from the Workstations team
- Removes the "Conditional access test group" label that was used to
scope both Company Portal and the SSO extension
- Removes the `company-portal-installed` and
`entra-conditional-access-check` policies that were specifically for
Company Portal/Entra conditional access
- Removes the `create-conditional-access-allow-file.sh` and
`user-enroll-entra-company-portal.sh` scripts that were only used by the
removed policies/Company Portal
### Files deleted
- `it-and-security/lib/macos/configuration-profiles/company-portal-sso-extension.mobileconfig`
- `it-and-security/lib/macos/software/company-portal.yml`
- `it-and-security/lib/macos/policies/company-portal-installed.yml`
- `it-and-security/lib/macos/policies/entra-conditional-access-check.yml`
- `it-and-security/lib/macos/scripts/create-conditional-access-allow-file.sh`
- `it-and-security/lib/macos/scripts/user-enroll-entra-company-portal.sh`
- `it-and-security/lib/all/labels/conditional-access-test-group.yml`
### Files modified
- `it-and-security/teams/workstations.yml` — Removed references to
Company Portal software, SSO extension profile, related policies, and
the conditional access script
- `it-and-security/default.yml` — Removed the "Conditional access test
group" label definition
### Items intentionally kept
- `fleet-okta-conditional-access.mobileconfig` — This is an Okta-based
conditional access profile, not related to Company Portal/Entra SSO
- `conditional_access_enabled: true` in team settings — This is a
team-level integration setting, not Company Portal specific
Built for [Allen
Houchins](https://fleetdm.slack.com/archives/D0AFASNBZMW/p1773067955110849)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
## Summary
- Adds `conditional_access.bypass_disabled: true` to
`it-and-security/default.yml` to disable the bypass option for
conditional access in Fleet's GitOps configuration
- This prevents end users from bypassing conditional access blocking
during login attempts
Built for [Allen
Houchins](https://fleetdm.slack.com/archives/D0AFASNBZMW/p1772933047288969)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
## Summary
- Restores the Google Calendar integration settings in
`it-and-security/default.yml` that were removed in PR #39532
- Re-adds the `api_key_json` and `domain` configuration under
`org_settings.integrations.google_calendar`, reverting from the empty
array (`[]`) back to the original service account configuration
## Changes
The `google_calendar` integration in `it-and-security/default.yml` was
changed from an empty array back to:
```yaml
google_calendar:
- api_key_json: $DOGFOOD_CALENDAR_API_KEY
domain: fleetdm.com
```
This is an exact reversal of the change made in #39532.
---
Built for [Allen
Houchins](https://fleetdm.slack.com/archives/D0AFASNBZMW/p1772930523927149?thread_ts=1772928789.366369&cid=D0AFASNBZMW)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
## Summary
- Adds a new saved query (`collect-xprotect-reports.yml`) to collect
XProtect report data from macOS hosts using the `xprotect_reports`
osquery table
- The query captures malware detection events and remediation actions
performed by XProtect
- Assigned to the default (global) config in `default.yml` so the query
runs across **all teams**
## Changes
- **New file:**
`it-and-security/lib/macos/queries/collect-xprotect-reports.yml` — query
definition following existing conventions (snapshot logging, 300s
interval, darwin platform)
- **Modified:** `it-and-security/default.yml` — added path reference to
the new query in the `queries:` section so it applies to all teams
- **Modified:** `it-and-security/teams/workstations.yml` — removed the
query reference that was previously scoped only to Workstations
Built for [Allen
Houchins](https://fleetdm.slack.com/archives/D0AFASNBZMW/p1772249294834709?thread_ts=1772248848.978339&cid=D0AFASNBZMW)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
---------
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
While working on some GitOps updates I noticed that our current
`default.yml` file is invalid, because it has a duplicate
`volume_purchasing_program` section. It looks like it was accidentally
copied during an update to rename some teams.
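The duplicate-section problem described above, as an added example that is not code from the Fleet repository: PyYAML's `safe_load` silently keeps only the last copy of a repeated key, so a strict loader is what surfaces a pasted second `volume_purchasing_program` block before `fleetctl` rejects the file. The sample YAML and its key path are constructed for illustration.

```python
import yaml


class DuplicateKeyError(ValueError):
    """Raised when a mapping repeats a key."""


class StrictLoader(yaml.SafeLoader):
    """SafeLoader variant that refuses duplicate keys in any mapping."""

    def construct_mapping(self, node, deep=False):
        seen = set()
        for key_node, _ in node.value:
            key = self.construct_object(key_node, deep=deep)
            if key in seen:
                # start_mark.line is zero-based; report the human-readable line
                raise DuplicateKeyError(f"duplicate key {key!r} at line {key_node.start_mark.line + 1}")
            seen.add(key)
        return super().construct_mapping(node, deep=deep)


def load_strict(text: str):
    """Parse YAML text, raising DuplicateKeyError on the first repeated key."""
    return yaml.load(text, Loader=StrictLoader)


def find_duplicate_keys(text: str) -> list:
    """Return duplicate-key messages (empty list when the document is clean)."""
    try:
        load_strict(text)
    except DuplicateKeyError as exc:
        return [str(exc)]
    return []


def silent_team_count(text: str) -> int:
    """Show the failure mode: safe_load keeps only the LAST copy and raises nothing."""
    doc = yaml.safe_load(text)
    return len(doc["org_settings"]["mdm"]["volume_purchasing_program"][0]["teams"])


# Constructed sample (not the real default.yml): a second
# volume_purchasing_program block pasted under the same parent key.
BROKEN_SAMPLE = """\
org_settings:
  mdm:
    volume_purchasing_program:
      - location: Fleet Device Management Inc.
        teams:
          - Workstations
    volume_purchasing_program:
      - location: Fleet Device Management Inc.
        teams:
          - Workstations
          - "Testing & QA"
"""
```

Running `find_duplicate_keys` over a GitOps file in CI catches this class of copy-paste error on the pull request rather than at apply time.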
This pull request updates how Keynote installations are tracked and
referenced in configuration files. The main change is to replace the
generic "Keynote installed" label with a more specific "Keynote 14
installed" label, which targets only Keynote versions 14.x on macOS
hosts. This ensures more precise software deployment and management.
**Label changes:**
* Replaced the reference to `keynote-installed.yml` with
`keynote-14-installed.yml` in the `labels` list in `default.yml`,
ensuring only hosts with Keynote version 14.x are matched.
* Removed the old `keynote-installed.yml` label definition, which
matched any version of Keynote, and added a new
`keynote-14-installed.yml` label that matches only Keynote versions
>=14.0.0 and <15.0.0.
**Software deployment updates:**
* Updated the `labels_include_any` field for the Fleet Keynote theme in
`workstations.yml` to use "Keynote 14 installed" instead of the generic
"Keynote installed", ensuring the theme is offered only to hosts with
Keynote 14.x.
This pull request makes a minor configuration change to the
`it-and-security/default.yml` file, specifically in the `org_settings`
section. The Google Calendar integration configuration has been
commented out, which means it will no longer be active but is preserved
for reference.
* Google Calendar integration in
`org_settings.integrations.google_calendar` has been commented out,
disabling it while keeping the configuration for potential future use.
This pull request updates the naming and configuration for mobile device
teams and associated settings, primarily shifting references from
"Company-owned mobile devices" to "Employee-issued mobile devices"
across configuration files. It also introduces new team and organization
mappings and updates app store app ID formatting for consistency.
**Team and naming updates:**
* Renamed the team from "📱🏢 Company-owned mobile devices" to "📱🏢
Employee-issued mobile devices" in `company-owned-mobile-devices.yml`
and updated all related references in `default.yml`.
**Configuration and mapping enhancements:**
* Added new organization and team mappings for both Fleet Device
Management Inc. and Mactivate LLC, including updates to `macos_team`,
`ios_team`, and `ipados_team` assignments.
* Expanded the list of teams under the Fleet Device Management Inc.
location and introduced a new `volume_purchasing_program` section with
appropriate team assignments.
**Formatting consistency:**
* Standardized App Store app IDs to use double quotes instead of single
quotes in the `app_store_apps` section of
`company-owned-mobile-devices.yml`.
This pull request introduces several updates to the configuration for
the Workstations team, primarily to support conditional access testing,
enhance device management, and expand policy coverage. The changes
include enabling conditional access, adding new configuration profiles
and scripts, and updating policies and software deployments.
**Conditional Access and Device Management Enhancements:**
- Enabled conditional access for the Workstations team by setting
`conditional_access_enabled: true` in the integrations section.
- Added new configuration profiles for conditional access and Santa
(macOS security tool), targeting specific test groups via labels.
- Included new scripts to support conditional access and device
security, such as creating allow files, installing/uninstalling security
tools, and enabling Windows Defender.
**Policy and Query Expansion:**
- Introduced new policies to check for Company Portal installation and
Entra conditional access compliance.
- Added a query to collect Santa denied logs for improved security
monitoring.
**Software Deployment Updates:**
- Added Company Portal for macOS as a self-service app for the
"Conditional access test group".
- Minor formatting update for the Keynote app store ID.
**Other Notable Changes:**
- Removed the "💻🐣 Workstations (canary)" entry from the organization
settings, streamlining team categorization.
- Cleaned up comments related to update channels in agent options for
clarity.
This pull request introduces new department-based host labels to the IT
and Security configuration, allowing hosts to be categorized according
to the department of their end user. The main change is the addition of
seven new label definitions and their inclusion in the `default.yml`
configuration.
**Department label additions:**
* Updated `it-and-security/default.yml` to include references to seven
new department label files, enabling department-based host
categorization.
**New department label definitions:**
* Added `department-information-technology.yml` to define a label for
hosts belonging to the Information Technology department.
* Added `department-sales.yml`, `department-marketing.yml`,
`department-engineering.yml`, `department-people.yml`,
`department-finance.yml`, and `department-product-design.yml` to define
labels for hosts in Sales, Marketing, Engineering, People, Finance, and
Product Design departments, respectively.
This pull request adds a new organization, Mactivate LLC, to the
`org_settings` section in the `it-and-security/default.yml`
configuration file. The new organization is assigned to the "🧪 Testing &
QA" team for all device types.
Organizational configuration updates:
* Added `Mactivate LLC` to the list of organizations, assigning the "🧪
Testing & QA" team for `macos_team`, `ios_team`, and `ipados_team`
settings in `it-and-security/default.yml`.
Configuring Entra conditional access:
- Test group label created
- SSO extension mobileconfig
- Policy to auto-install Company Portal app
- Company Portal software title defined
- Added a new `Keynote installed` label so that the Keynote theme
installer will only show up for devices with Keynote installed
- Added a new `refetch_host.sh` to use to trigger an immediate refetch
- Updated the support contact URL to point to #help-dogfood instead of
the customer support portal.
Co-authored-by: Sam Pfluger <108141731+Sampfluger88@users.noreply.github.com>
- `issuer_uri` and `enable_jit_role_sync` are deprecated (see
https://github.com/fleetdm/fleet/issues/10688)
- Setting `enable_sso_idp_login` to allow testing logins initiated from
Google.