## Summary
- **Removed the WhatsApp block rule** from the Santa rules configuration
profile (`santa-rules.mobileconfig`). The rule blocked WhatsApp.app via
a CDHASH identifier (`54a8ec11bcea48a276b1fdce556a29108ba77de4`) and is
no longer needed.
- **Expanded Santa profile deployment to all macOS hosts** on the
Workstations team. Both `santa-configuration.mobileconfig` and
`santa-rules.mobileconfig` were previously scoped only to the `"Santa
test devices"` label (4 specific Macs). Removed the `labels_include_any`
restriction so these profiles now install on all Macs in the
Workstations team.
- **Deleted the "Santa test devices" label entirely.** Removed the label
definition file (`santa-test-devices.yml`), its reference in
`default.yml`, and all remaining `labels_include_any` references to it
from the Santa software entry, install-santa-extension policy, and
collect-santa-denied-logs report.
## Changes
### `it-and-security/lib/macos/configuration-profiles/santa-rules.mobileconfig`
- Removed the `BLOCKLIST` / `CDHASH` rule entry for WhatsApp.app
(identifier `54a8ec11bcea48a276b1fdce556a29108ba77de4`)
- The allowlist for North Pole Security (Team ID) and the test block
rule for BundleExample.app remain unchanged
### `it-and-security/fleets/workstations.yml`
- Removed `labels_include_any: ["Santa test devices"]` from the
`santa-configuration.mobileconfig` and `santa-rules.mobileconfig`
profile entries
- Removed `labels_include_any: ["Santa test devices"]` from the Santa
software entry
- All Santa-related profiles and software now apply to all macOS hosts
on the Workstations team
### `it-and-security/lib/all/labels/santa-test-devices.yml` (deleted)
- Removed the manual label definition for "Santa test devices"
(previously scoped to 4 specific Macs)
### `it-and-security/default.yml`
- Removed the label path reference to `santa-test-devices.yml`
### `it-and-security/lib/macos/policies/install-santa-extension.yml`
- Removed `labels_include_any: ["Santa test devices"]` so the policy
applies to all macOS hosts
### `it-and-security/lib/macos/reports/collect-santa-denied-logs.yml`
- Removed `labels_include_any: ["Santa test devices"]` so the report
applies to all macOS hosts
---
Built for [Allen Houchins](https://fleetdm.slack.com/archives/D0AFASNBZMW/p1774320804143629?thread_ts=1774320368.198119&cid=D0AFASNBZMW) by [Kilo for Slack](https://kilo.ai/features/slack-integration)
---------
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
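A check for the rule change described above, added here as an example and not code from the Fleet repository: it parses a Santa rules profile, confirms the WhatsApp CDHASH block rule is gone, and confirms the Team ID allowlist survived. The profile is a constructed sample; the `StaticRules` key names (`identifier`, `policy`, `rule_type`) follow Santa's profile format as understood here, and the PayloadType and Team ID value are placeholders.

```python
import plistlib

# Constructed sample of a Santa rules profile in the shape the PR leaves
# santa-rules.mobileconfig: Team ID allowlist and BundleExample.app block remain,
# the WhatsApp CDHASH block is gone. PayloadType and the Team ID are placeholders.
SANTA_RULES_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.northpolesec.santa</string>
    <key>StaticRules</key><array>
      <dict><key>identifier</key><string>PLACEHOLDER_TEAM_ID</string>
            <key>policy</key><string>ALLOWLIST</string>
            <key>rule_type</key><string>TEAMID</string></dict>
      <dict><key>identifier</key><string>PLACEHOLDER_TEAM_ID:com.example.BundleExample</string>
            <key>policy</key><string>BLOCKLIST</string>
            <key>rule_type</key><string>SIGNINGID</string></dict>
    </array>
  </dict></array>
</dict></plist>"""

WHATSAPP_CDHASH = "54a8ec11bcea48a276b1fdce556a29108ba77de4"  # value quoted in the PR


def static_rules(profile: bytes) -> list[dict]:
    """Collect every StaticRules entry from all Santa payloads in a profile."""
    plist = plistlib.loads(profile)
    rules: list[dict] = []
    for payload in plist.get("PayloadContent", []):
        if "santa" in payload.get("PayloadType", ""):
            rules.extend(payload.get("StaticRules", []))
    return rules


def rules_matching(profile: bytes, **criteria: str) -> list[dict]:
    """Filter rules on any of identifier / policy / rule_type (exact match)."""
    return [r for r in static_rules(profile)
            if all(r.get(k) == v for k, v in criteria.items())]


def blocks_cdhash(profile: bytes, cdhash: str) -> bool:
    """True if the profile still carries a BLOCKLIST rule for this CDHASH."""
    return bool(rules_matching(profile, rule_type="CDHASH",
                               policy="BLOCKLIST", identifier=cdhash.lower()))
```

Run the same functions over the real `santa-rules.mobileconfig` bytes to verify a rule removal before the profile reaches every Mac on the team.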
## Summary
- Removes the Company Portal software package from the Workstations team
- Removes the Company Portal SSO extension (extensible SSO)
configuration profile from the Workstations team
- Removes the "Conditional access test group" label that was used to
scope both Company Portal and the SSO extension
- Removes the `company-portal-installed` and
`entra-conditional-access-check` policies that were specifically for
Company Portal/Entra conditional access
- Removes the `create-conditional-access-allow-file.sh` and
`user-enroll-entra-company-portal.sh` scripts that were only used by the
removed policies/Company Portal
### Files deleted
- `it-and-security/lib/macos/configuration-profiles/company-portal-sso-extension.mobileconfig`
- `it-and-security/lib/macos/software/company-portal.yml`
- `it-and-security/lib/macos/policies/company-portal-installed.yml`
- `it-and-security/lib/macos/policies/entra-conditional-access-check.yml`
- `it-and-security/lib/macos/scripts/create-conditional-access-allow-file.sh`
- `it-and-security/lib/macos/scripts/user-enroll-entra-company-portal.sh`
- `it-and-security/lib/all/labels/conditional-access-test-group.yml`
### Files modified
- `it-and-security/teams/workstations.yml` — Removed references to
Company Portal software, SSO extension profile, related policies, and
the conditional access script
- `it-and-security/default.yml` — Removed the "Conditional access test
group" label definition
### Items intentionally kept
- `fleet-okta-conditional-access.mobileconfig` — This is an Okta-based
conditional access profile, not related to Company Portal/Entra SSO
- `conditional_access_enabled: true` in team settings — This is a
team-level integration setting, not Company Portal specific
Built for [Allen Houchins](https://fleetdm.slack.com/archives/D0AFASNBZMW/p1773067955110849) by [Kilo for Slack](https://kilo.ai/features/slack-integration)
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
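Both of the PRs above delete a label ("Santa test devices", "Conditional access test group") and then have to chase every `labels_include_any` reference to it across `default.yml`, the team file, policies and reports. The following check, added here as an example and not code from the Fleet repository, walks a parsed GitOps tree and reports references to labels that no label file defines. The repository contents are a constructed in-memory stand-in for what a YAML loader would return, abbreviated to the keys that matter; the scope key names `labels_include_any`, `labels_include_all` and `labels_exclude_any` are assumed from Fleet's GitOps format.

```python
from typing import Any, Iterator

LABEL_SCOPE_KEYS = ("labels_include_any", "labels_include_all", "labels_exclude_any")

# Constructed stand-in for the parsed GitOps repo (file path -> loaded YAML).
# Paths follow the layout named in the PRs; contents are abbreviated samples.
# It models the state where both label files were deleted but two references
# to them were overlooked.
REPO: dict[str, Any] = {
    "it-and-security/lib/all/labels/department-it.yml": {
        "name": "Department: Information Technology", "label_membership_type": "manual"},
    "it-and-security/lib/macos/policies/install-santa-extension.yml": {
        "name": "Santa osquery extension installed", "platform": "darwin",
        "labels_include_any": ["Santa test devices"]},
    "it-and-security/teams/workstations.yml": {
        "name": "Workstations",
        "controls": {"macos_settings": {"custom_settings": [
            {"path": "../lib/macos/configuration-profiles/santa-rules.mobileconfig"},
            {"path": "../lib/macos/configuration-profiles/fleet-okta-conditional-access.mobileconfig",
             "labels_include_any": ["Department: Information Technology"]}]}},
        "software": {"packages": [
            {"path": "../lib/macos/software/company-portal.yml",
             "labels_include_any": ["Conditional access test group"]}]}},
}


def defined_labels(repo: dict[str, Any]) -> set[str]:
    """Label names are the `name` values of files under a labels/ directory."""
    return {doc["name"] for path, doc in repo.items() if "/labels/" in path and "name" in doc}


def iter_references(node: Any) -> Iterator[tuple[str, str]]:
    """Walk one parsed document and yield (scope_key, label_name) pairs."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key in LABEL_SCOPE_KEYS and isinstance(value, list):
                for label in value:
                    yield key, str(label)
            else:
                yield from iter_references(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_references(item)


def dangling_references(repo: dict[str, Any]) -> list[tuple[str, str, str]]:
    """(file, scope_key, label) for every reference to a label no file defines."""
    known = defined_labels(repo)
    return sorted((path, key, label) for path, doc in repo.items()
                  for key, label in iter_references(doc) if label not in known)
```

Wiring this into CI before `fleetctl gitops` runs turns a missed reference into a failed check rather than a profile that silently stops matching hosts.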
This pull request makes minor improvements to the software metadata for
Linux and Windows installers, and updates messaging in a macOS
configuration profile. The main changes are the addition of display
names for several software packages and a small wording update in the
macOS profile.
Software metadata improvements:
* Added the `display_name` field for 1Password, Slack, and Zoom
installers in both `.deb` and `.rpm` formats for Linux, improving
clarity in software listings.
* Added the `display_name` field for Zoom installers for Windows
(`zoom-arm.yml` and `zoom.yml`), making software identification easier.
macOS configuration profile update:
* Updated the `subHeader` in the `nudge-configuration.mobileconfig` file
to reference the "IT team" instead of "IT & Enablement team," clarifying
the responsible group in user notifications.
Fixed typo in stealth firewall description. Changed organization from
FleetDM to Fleet.
---------
Co-authored-by: Allen Houchins <32207388+allenhouchins@users.noreply.github.com>
This pull request introduces new configuration profiles to support Okta
conditional access for macOS devices, specifically targeting the
Information Technology department. It also updates the GitHub Actions
workflow to include a new secret for the Okta CA certificate.
Additionally, it removes the `workstations-canary` team configuration,
likely as part of a cleanup or migration.
The most important changes are:
**Conditional Access and Okta Integration:**
* Added a new configuration profile,
`fleet-okta-conditional-access.mobileconfig`, to manage trusted CA
certificates, SCEP enrollment, mTLS identity preferences, and Chrome
mTLS auto-selection for Okta conditional access on macOS. This profile
is applied to devices labeled with "Department: Information Technology".
* Added a new configuration profile,
`okta-verify-settings.mobileconfig`, to configure privacy preferences,
managed login items, notification settings, and Okta Verify app settings
for macOS devices in the Information Technology department.
**Workflow and Secrets Management:**
* Updated the GitHub Actions workflow (`dogfood-gitops.yml`) to include
the `DOGFOOD_OKTA_CA_CERTIFICATE` secret, supporting the new Okta
conditional access configuration.
**Configuration Cleanup:**
* Removed the `workstations-canary.yml` team configuration, eliminating
its policies, software, scripts, and settings.
---------
Co-authored-by: Allen Houchins <32207388+allenhouchins@users.noreply.github.com>
Co-authored-by: Allen Houchins <allenhouchins@mac.com>
- Updating feature prioritization criteria
- Use `P-` labels for high-priority customer requests
- Remove 💝 Customer requests (prioritized) project: From a Product
Design perspective, I think we get little to no value from maintaining
that project.
- @noahtalerman: I'm also going to delete the `~customer request` label.
That's the label we used to put issues on this project.
- Add #g-security-compliance
- Move #g-mdm and #g-software together like they are in the handbook:
https://fleetdm.com/handbook/company/product-groups#product-groups
- Remove trailing `/view/` from project links
- @noahtalerman: Technically we don't need to remove this bit but this
way it's clear we're going to the project and not a specific view.
Configuring Entra conditional access:
- Test group label created
- SSO extension mobileconfig
- Policy to auto-install Company Portal app
- Company Portal software title defined
For #27042.
Ready for review, just missing integration tests that I will be writing
today.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [X] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.
- [X] If database migrations are included, checked table schema to
confirm autoupdate
- For new Fleet configuration settings
  - [X] Verified that the setting can be managed via GitOps, or confirmed
  that the setting is explicitly being excluded from GitOps. If managing
  via GitOps:
    - [X] Verified that the setting is exported via `fleetctl
    generate-gitops`
    - [X] Added the setting to [the GitOps
    documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485)
    - [X] Verified that the setting is cleared on the server if it is not
    supplied in a YAML file (or that it is documented as being optional)
  - [x] Verified that any relevant UI is disabled when GitOps mode is
  enabled
- For database migrations:
  - [X] Checked schema for all modified tables for columns that will
  auto-update timestamps during migration.
  - [X] Confirmed that updating the timestamps is acceptable, and will not
  cause unwanted side effects.
  - [X] Ensured the correct collation is explicitly set for character
  columns (`COLLATE utf8mb4_unicode_ci`).
- [x] Added/updated automated tests
- [X] Manual QA for all new/changed functionality
---------
Co-authored-by: jacobshandling <61553566+jacobshandling@users.noreply.github.com>
Co-authored-by: Jacob Shandling <jacob@fleetdm.com>
- Updated version of Santa
- Added policy and script to check for existence of Santa osquery
extension and install if not found
- Changed to configuration profile based rules
- Split rules into their own configuration profiles to manage easier via
GitOps