Remove local Zoom software manifests and icon and replace them with
fleet-maintained app slugs. Workstations fleet now references
zoom/darwin and zoom/windows slugs; added dynamic labels for Macs and
x86 Windows hosts with Zoom installed. Patch policies for macOS and
Windows updated to include Zoom using the new slugs so patch
checks/notifications are centralized. Deleted legacy
it-and-security/lib/*/software/zoom.yml and the Zoom icon to avoid
duplicate/local package definitions.
Migrate Firefox management to the fleet-maintained app slug
(firefox/darwin): update workstations.yml to remove the old update
policy and replace the macOS software entry with the firefox/darwin
slug; add a dynamic label for Macs with Firefox installed; add a patch
policy that targets the fleet_maintained_app_slug and uses the new
label. Also remove legacy update policy and package files for Firefox
(macOS and Windows) and the hardcoded Firefox pkg URL. This consolidates
Firefox management under Fleet-maintained apps and removes
duplicated/obsolete artifacts.
## Summary
- Updates Firefox from 148.0.2 to 149.0 (released March 23, 2026) across
the Workstations team configuration
- Updates macOS custom package download URL to Firefox 149.0
- Updates macOS and Windows version-check policies to enforce version >=
149.0
## Changes
| File | Change |
|---|---|
| `it-and-security/lib/macos/software/mozilla-firefox.yml` | Updated package URL from 148.0.2 to 149.0 |
| `it-and-security/lib/macos/policies/update-firefox.yml` | Updated version check from 148.0.2 to 149.0 |
| `it-and-security/lib/windows/policies/update-firefox.yml` | Updated version check from 148.0.2 to 149.0 |
## Notes
- Firefox on Windows uses the Fleet-maintained app (`slug: firefox/windows`),
which is managed by the Fleet catalog and will auto-update when the
catalog is refreshed
- Firefox on macOS uses a custom package URL since the existing pattern
uses a `.pkg` installer
- Both macOS and Windows already have self-service enabled and
corresponding update policies with calendar event enforcement (macOS)
Built for [Allen
Houchins](https://fleetdm.slack.com/archives/D0AFASNBZMW/p1774366778146629)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
---------
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
Co-authored-by: Allen Houchins <32207388+allenhouchins@users.noreply.github.com>
## Summary
- Removes the Company Portal software package from the Workstations team
- Removes the Company Portal SSO extension (extensible SSO)
configuration profile from the Workstations team
- Removes the "Conditional access test group" label that was used to
scope both Company Portal and the SSO extension
- Removes the `company-portal-installed` and
`entra-conditional-access-check` policies that were specifically for
Company Portal/Entra conditional access
- Removes the `create-conditional-access-allow-file.sh` and
`user-enroll-entra-company-portal.sh` scripts that were only used by the
removed policies/Company Portal
### Files deleted
- `it-and-security/lib/macos/configuration-profiles/company-portal-sso-extension.mobileconfig`
- `it-and-security/lib/macos/software/company-portal.yml`
- `it-and-security/lib/macos/policies/company-portal-installed.yml`
- `it-and-security/lib/macos/policies/entra-conditional-access-check.yml`
- `it-and-security/lib/macos/scripts/create-conditional-access-allow-file.sh`
- `it-and-security/lib/macos/scripts/user-enroll-entra-company-portal.sh`
- `it-and-security/lib/all/labels/conditional-access-test-group.yml`
### Files modified
- `it-and-security/teams/workstations.yml` — Removed references to
Company Portal software, SSO extension profile, related policies, and
the conditional access script
- `it-and-security/default.yml` — Removed the "Conditional access test
group" label definition
### Items intentionally kept
- `fleet-okta-conditional-access.mobileconfig` — This is an Okta-based
conditional access profile, not related to Company Portal/Entra SSO
- `conditional_access_enabled: true` in team settings — This is a
team-level integration setting, not Company Portal specific
Built for [Allen
Houchins](https://fleetdm.slack.com/archives/D0AFASNBZMW/p1773067955110849)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
## Summary
- Updates the macOS Firefox software package from v143.0 to the latest
stable v148.0 (released Feb 24, 2026), which includes 50+ security fixes
- Updates the macOS Firefox update policy to require >= 148.0 (was
147.0.3)
- Adds `install_software` auto-remediation to the Firefox update policy
so hosts that fail the version check automatically receive the updated
package — following the same pattern used by the `1password-installed`
policy
### Changes
**`it-and-security/lib/macos/software/mozilla-firefox.yml`**
- Updated download URL from `Firefox 143.0.pkg` to `Firefox 148.0.pkg`
**`it-and-security/lib/macos/policies/update-firefox.yml`**
- Updated minimum version check from `147.0.3` to `148.0`
- Added `install_software.package_path` pointing to
`../software/mozilla-firefox.yml` so Fleet will automatically push the
updated Firefox package to non-compliant hosts
---
Built for
[mikermcneil](https://fleetdm.slack.com/archives/D0AFASLRHNU/p1772229267107939)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
Add 1Password Linux package manifests (deb & rpm), update Slack Linux
download URLs to the generic download endpoints, and bump Zoom Linux
package URLs to a newer build (6.7.5.6891). Also add a display_name for
macOS Zoom and register the new Linux 1Password entries in the
workstations software list; remove several redundant display_name fields
in workstations.yml to avoid duplication. Files changed:
it-and-security/lib/linux/software/{1password-deb.yml,1password-rpm.yml,slack-deb.yml,slack-rpm.yml,zoom-deb.yml,zoom-rpm.yml},
it-and-security/lib/macos/software/zoom.yml, and
it-and-security/teams/workstations.yml.
This pull request updates the Santa software package to a newer version
in the configuration file.
- Updated the Santa package URL in
`it-and-security/lib/macos/software/santa.yml` to point to version
`2025.11` instead of `2025.6`.
Configuring Entra conditional access:
- Test group label created
- SSO extension mobileconfig
- Policy to auto-install Company Portal app
- Company Portal software title defined
- Added a new `Keynote installed` label so that the Keynote theme
installer will only show up for devices with Keynote installed
- Added a new `refetch_host.sh` to use to trigger an immediate refetch
- Updated version of santa
- Added policy and script to check for existence of santa osquery
extension and install if not found
- Changed to configuration profile based rules
- Split rules into their own configuration profiles to manage them more
easily via GitOps
- Fixed patch logic and updated version strings in Firefox and Slack
policies: fleetdm/confidential#9389
- Implemented custom target scoping for Linux software:
fleetdm/confidential#9348
- Updated and consolidated macOS latest operating system check policy
- Copied policies from "💻🐣 Workstations (canary)" to "💻 Workstations"
team