Fixed typo in stealth firewall description. Changed organization from
FleetDM to Fleet.
---------
Co-authored-by: Allen Houchins <32207388+allenhouchins@users.noreply.github.com>
Update macOS policy query to treat Firefox versions older than 147.0.3
as outdated (previously 140.0.2). This adjusts the apps version_compare
threshold in it-and-security/lib/macos/policies/update-firefox.yml; no
other policy fields were modified.
This PR automatically updates both 1Password macOS version policy and
Safari version policy for dogfood.
The changes were generated automatically by the
[dogfood-automated-policy-updates
workflow](https://github.com/fleetdm/fleet/actions/workflows/dogfood-automated-policy-updates.yml).
Co-authored-by: allenhouchins <32207388+allenhouchins@users.noreply.github.com>
This pull request updates how Keynote installations are tracked and
referenced in configuration files. The main change is to replace the
generic "Keynote installed" label with a more specific "Keynote 14
installed" label, which targets only Keynote versions 14.x on macOS
hosts. This ensures more precise software deployment and management.
**Label changes:**
* Replaced the reference to `keynote-installed.yml` with
`keynote-14-installed.yml` in the `labels` list in `default.yml`,
ensuring only hosts with Keynote version 14.x are matched.
* Removed the old `keynote-installed.yml` label definition, which
matched any version of Keynote, and added a new
`keynote-14-installed.yml` label that matches only Keynote versions
>=14.0.0 and <15.0.0.
**Software deployment updates:**
* Updated the `labels_include_any` field for the Fleet Keynote theme in
`workstations.yml` to use "Keynote 14 installed" instead of the generic
"Keynote installed", ensuring the theme is offered only to hosts with
Keynote 14.x.
This pull request updates the logic used to check whether macOS
applications (1Password, Firefox, and Slack) are up to date. The new
queries simplify and improve accuracy by directly identifying outdated
app versions, rather than relying on a combination of existence and
version checks.
**Policy query logic updates:**
* Updated the query in `update-1password.yml` to directly select hosts
with outdated 1Password versions, making the check more precise.
* Updated the query in `update-firefox.yml` to directly select hosts
with outdated Firefox versions, improving accuracy.
* Updated the query in `update-slack.yml` to directly select hosts with
outdated Slack versions, ensuring more reliable detection.
**Script logic update:**
* Changed the query line construction in
`.github/scripts/dogfood-policy-updater-latest-1password-macos.sh` to
match the new logic for identifying outdated 1Password installations.
This pull request introduces new configuration profiles to support Okta
conditional access for macOS devices, specifically targeting the
Information Technology department. It also updates the GitHub Actions
workflow to include a new secret for the Okta CA certificate.
Additionally, it removes the `workstations-canary` team configuration,
likely as part of a cleanup or migration.
The most important changes are:
**Conditional Access and Okta Integration:**
* Added a new configuration profile,
`fleet-okta-conditional-access.mobileconfig`, to manage trusted CA
certificates, SCEP enrollment, mTLS identity preferences, and Chrome
mTLS auto-selection for Okta conditional access on macOS. This profile
is applied to devices labeled with "Department: Information Technology".
* Added a new configuration profile,
`okta-verify-settings.mobileconfig`, to configure privacy preferences,
managed login items, notification settings, and Okta Verify app settings
for macOS devices in the Information Technology department.
**Workflow and Secrets Management:**
* Updated the GitHub Actions workflow (`dogfood-gitops.yml`) to include
the `DOGFOOD_OKTA_CA_CERTIFICATE` secret, supporting the new Okta
conditional access configuration.
**Configuration Cleanup:**
* Removed the `workstations-canary.yml` team configuration, eliminating
its policies, software, scripts, and settings.
---------
Co-authored-by: Allen Houchins <32207388+allenhouchins@users.noreply.github.com>
Co-authored-by: Allen Houchins <allenhouchins@mac.com>
This pull request introduces several updates to the configuration for
the Workstations team, primarily to support conditional access testing,
enhance device management, and expand policy coverage. The changes
include enabling conditional access, adding new configuration profiles
and scripts, and updating policies and software deployments.
**Conditional Access and Device Management Enhancements:**
- Enabled conditional access for the Workstations team by setting
`conditional_access_enabled: true` in the integrations section.
- Added new configuration profiles for conditional access and Santa
(macOS security tool), targeting specific test groups via labels.
- Included new scripts to support conditional access and device
security, such as creating allow files, installing/uninstalling security
tools, and enabling Windows Defender.
**Policy and Query Expansion:**
- Introduced new policies to check for Company Portal installation and
Entra conditional access compliance.
- Added a query to collect Santa denied logs for improved security
monitoring.
**Software Deployment Updates:**
- Added Company Portal for macOS as a self-service app for the
"Conditional access test group".
- Minor formatting update for the Keynote app store ID.
**Other Notable Changes:**
- Removed the "💻🐣 Workstations (canary)" entry from the organization
settings, streamlining team categorization.
- Cleaned up comments related to update channels in agent options for
clarity.
This pull request removes the configuration and team settings for the
"Servers (canary)" group and updates the display name for the main
servers team. The most significant changes are the deletion of the
`servers-canary` agent options and team configuration, and a minor
update to the `servers` team name.
Removed configuration for "Servers (canary)":
* Deleted the `servers-canary.agent-options.yml` file, which contained
agent configuration and update channel settings for canary servers.
* Removed the `servers-canary.yml` team configuration, including team
settings, secrets, agent options, controls, and policy/query/software
placeholders.
Updated team naming:
* Changed the display name in `servers.yml` from "☁️ Servers" to "☁️ IT
Servers" for clarity.
This pull request introduces new department-based host labels to the IT
and Security configuration, allowing hosts to be categorized according
to the department of their end user. The main change is the addition of
seven new label definitions and their inclusion in the `default.yml`
configuration.
**Department label additions:**
* Updated `it-and-security/default.yml` to include references to seven
new department label files, enabling department-based host
categorization.
**New department label definitions:**
* Added `department-information-technology.yml` to define a label for
hosts belonging to the Information Technology department.
* Added `department-sales.yml`, `department-marketing.yml`,
`department-engineering.yml`, `department-people.yml`,
`department-finance.yml`, and `department-product-design.yml` to define
labels for hosts in Sales, Marketing, Engineering, People, Finance, and
Product Design departments, respectively.
This PR automatically updates both 1Password macOS version policy and
Safari version policy for dogfood.
The changes were generated automatically by the
[dogfood-automated-policy-updates
workflow](https://github.com/fleetdm/fleet/actions/workflows/dogfood-automated-policy-updates.yml).
Co-authored-by: allenhouchins <32207388+allenhouchins@users.noreply.github.com>
**Related issue:** Resolves#38252
This pull request improves the Windows MDM unregistration PowerShell
script by adding extra checks and cleanup steps to ensure devices are
properly unenrolled and that the state is clearly reported. The script
now checks for relevant registry values before and after unregistration,
and explicitly clears any remaining values to guarantee correct
detection by Fleet.
Enhancements to device unregistration and registry cleanup:
* Added a pre-check for `DiscoveryServiceFullURL` registry values before
attempting to unregister the device, to provide clearer output about the
device's enrollment state.
* After calling the `UnregisterDeviceWithManagement` API, the script now
explicitly removes any remaining `DiscoveryServiceFullURL` values from
enrollment keys that have a `UPN`, ensuring Fleet properly detects the
device as unenrolled.
* Improved output messages to clearly indicate the actions taken and the
resulting device state, including whether registry values were found,
cleared, or already absent.
* Added error handling to exit with a non-zero code if an error occurs
during unregistration.
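The registry check described above, written out as an added example (this is not the Fleet script itself). It assumes the standard Windows enrollment location `HKLM:\SOFTWARE\Microsoft\Enrollments` and reports, for every enrollment key that carries a `UPN`, whether a `DiscoveryServiceFullURL` value is still present; the optional `-ClearLeftovers` switch performs the post-unregistration cleanup step and exits non-zero on failure.

```powershell
# Added example, not the Fleet script. Assumption: MDM enrollment state lives
# under the standard Enrollments key; each child key is one enrollment GUID.
$EnrollmentsRoot = 'HKLM:\SOFTWARE\Microsoft\Enrollments'

function Get-MdmEnrollmentState {
    [CmdletBinding()]
    param(
        # When set, remove leftover DiscoveryServiceFullURL values so the
        # device is detected as unenrolled. Default is report-only.
        [switch]$ClearLeftovers
    )
    $results = @()
    if (-not (Test-Path $EnrollmentsRoot)) {
        Write-Output "No Enrollments key found: device has never been MDM-enrolled."
        return $results
    }
    foreach ($key in Get-ChildItem -Path $EnrollmentsRoot -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        # Only keys that carry a UPN represent a real user/device enrollment;
        # other children are bookkeeping keys and are skipped.
        if ($null -eq $props.UPN) { continue }
        $entry = [pscustomobject]@{
            EnrollmentId = $key.PSChildName
            UPN          = $props.UPN
            DiscoveryUrl = $props.DiscoveryServiceFullURL
            Cleared      = $false
        }
        if ($entry.DiscoveryUrl -and $ClearLeftovers) {
            try {
                Remove-ItemProperty -Path $key.PSPath -Name 'DiscoveryServiceFullURL' -ErrorAction Stop
                $entry.Cleared = $true
            } catch {
                Write-Error "Failed to clear DiscoveryServiceFullURL under $($key.PSChildName): $_"
                exit 1   # non-zero exit so the caller sees the cleanup failed
            }
        }
        $results += $entry
    }
    return $results
}

# Report-only run: show which enrollments still point at a discovery service.
$state = Get-MdmEnrollmentState
$stillEnrolled = @($state | Where-Object { $_.DiscoveryUrl })
if ($stillEnrolled.Count -eq 0) {
    Write-Output "No DiscoveryServiceFullURL values present: device reads as unenrolled."
} else {
    $stillEnrolled | Format-Table -AutoSize
}
```

Run it once before and once after unregistration to get the before/after picture the PR describes; the report-only mode needs no elevation beyond read access to HKLM, while `-ClearLeftovers` requires an administrative session.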
This pull request simplifies and improves the automation for updating
Safari version policies on macOS by switching from a multi-line YAML
query to a single-line query and streamlining the associated update
script. The changes make the update process more robust, easier to
maintain, and less error-prone, especially when parsing and updating the
policy file.
**Policy and script simplification:**
* Converted the `query` field in `update-safari.yml` from a multi-line
YAML block to a single-line statement, reducing complexity and making it
easier to update programmatically.
**Script robustness and maintainability:**
* Updated `.github/scripts/dogfood-policy-updater-latest-safari.sh` to
extract and update the single-line `query` instead of handling a
multi-line block, greatly simplifying the parsing and replacement logic.
* Improved error handling for environment variables, requiring only the
essential `DOGFOOD_AUTOMATION_TOKEN` to be set, and clarified error
messages.
* Enhanced validation of the Safari feed response by checking for valid
JSON and explicit API errors using `jq`, making the update process more
reliable.
* Changed the update workflow to write changes directly to the file and
rely on GitHub Actions to create pull requests, removing the script's
own git and PR logic for a cleaner CI/CD process.
This pull request introduces automation for keeping the Fleet macOS
Safari update policy current, along with a new script for updating
Safari on endpoints. The main changes include a new GitHub Actions
workflow step to run an automated script that checks for the latest
Safari versions, updates the policy YAML if needed, and creates a pull
request with the changes. Additionally, a new endpoint script is added
to perform Safari updates via `softwareupdate`.
**Automation for Safari Policy Updates:**
* Added `.github/scripts/dogfood-policy-updater-latest-safari.sh`, a
script that fetches the latest Safari versions from the SOFA feed,
compares them to the versions in `update-safari.yml`, updates the YAML
if necessary, and automatically creates a pull request with reviewers
assigned.
* Updated `.github/workflows/dogfood-automated-policy-updates.yml` to
add a step that runs the new Safari version update script as part of the
workflow, using the required automation secrets.
**Policy and Endpoint Script Enhancements:**
* Added a new policy to
`it-and-security/lib/macos/policies/update-safari.yml` that checks if
the installed Safari version matches the latest for macOS 15 (Safari
18.6) and macOS 26 (Safari 26.1).
* Introduced `it-and-security/lib/macos/scripts/update-safari.sh`, a
script for endpoints that runs `softwareupdate` with the `--safari-only`
flag, logging the outcome and requiring root privileges.
For #36619. Zed + Opus 4.5, prompt was just "fix
https://github.com/fleetdm/fleet/issues/36619"
**Related issue:** Resolves #
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
No changes file as this isn't in a Fleet release.
## Testing
- [ ] QA'd all new/changed functionality manually
---------
Co-authored-by: Allen Houchins <allenhouchins@mac.com>
This pull request updates the self-service configuration for iOS devices
by enabling self-service installation for several key apps in both
company-owned and personal mobile device configurations. Additionally,
it makes a minor improvement to the display name in the iOS self-service
configuration profile.
Self-service app enablement:
* Enabled the `self_service` flag for Slack, Zoom, Google Docs, Google
Sheets, and Google Drive in both `company-owned-mobile-devices.yml` and
`personal-mobile-devices.yml`, allowing users to install these apps via
self-service.
Configuration profile update:
* Updated the `PayloadDisplayName` in `self-service.mobileconfig` to use
"iOS Self-service" (capitalized "Self-service") for improved consistency
and presentation.
This pull request updates the Santa software package to a newer version
in the configuration file.
- Updated the Santa package URL in
`it-and-security/lib/macos/software/santa.yml` to point to version
`2025.11` instead of `2025.6`.
- Updating feature prioritization criteria
- Use `P-` labels for high-priority customer requests
- Remove 💝 Customer requests (prioritized) project: From a Product
Design perspective, I think we get little to no value from maintaining
that project.
- @noahtalerman: I'm also going to delete the `~customer request` label.
That's the label we used to put issues on this project.
This fixes an issue where the background process invocation fails if the
script is located in a path containing white spaces, due to improper
path escaping, which can occur when the uninstall script is executed via
Microsoft Intune.