mirror of
https://github.com/fleetdm/fleet
synced 2026-04-21 13:37:30 +00:00
## Summary

- **Removed the WhatsApp block rule** from the Santa rules configuration profile (`santa-rules.mobileconfig`). The rule blocked WhatsApp.app via a CDHASH identifier (`54a8ec11bcea48a276b1fdce556a29108ba77de4`) and is no longer needed.
- **Expanded Santa profile deployment to all macOS hosts** on the Workstations team. Both `santa-configuration.mobileconfig` and `santa-rules.mobileconfig` were previously scoped only to the `"Santa test devices"` label (4 specific Macs). Removed the `labels_include_any` restriction so these profiles now install on all Macs in the Workstations team.
- **Deleted the "Santa test devices" label entirely.** Removed the label definition file (`santa-test-devices.yml`), its reference in `default.yml`, and all remaining `labels_include_any` references to it from the Santa software entry, install-santa-extension policy, and collect-santa-denied-logs report.

## Changes

### `it-and-security/lib/macos/configuration-profiles/santa-rules.mobileconfig`

- Removed the `BLOCKLIST` / `CDHASH` rule entry for WhatsApp.app (identifier `54a8ec11bcea48a276b1fdce556a29108ba77de4`)
- The allowlist for North Pole Security (Team ID) and the test block rule for BundleExample.app remain unchanged

### `it-and-security/fleets/workstations.yml`

- Removed `labels_include_any: ["Santa test devices"]` from the `santa-configuration.mobileconfig` and `santa-rules.mobileconfig` profile entries
- Removed `labels_include_any: ["Santa test devices"]` from the Santa software entry
- All Santa-related profiles and software now apply to all macOS hosts on the Workstations team

### `it-and-security/lib/all/labels/santa-test-devices.yml` (deleted)

- Removed the manual label definition for "Santa test devices" (previously scoped to 4 specific Macs)

### `it-and-security/default.yml`

- Removed the label path reference to `santa-test-devices.yml`

### `it-and-security/lib/macos/policies/install-santa-extension.yml`

- Removed `labels_include_any: ["Santa test devices"]` so the policy applies to all macOS hosts

### `it-and-security/lib/macos/reports/collect-santa-denied-logs.yml`

- Removed `labels_include_any: ["Santa test devices"]` so the report applies to all macOS hosts

---

Built for [Allen Houchins](https://fleetdm.slack.com/archives/D0AFASNBZMW/p1774320804143629?thread_ts=1774320368.198119&cid=D0AFASNBZMW) by [Kilo for Slack](https://kilo.ai/features/slack-integration)

---------

Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
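<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<!--
  Santa rules configuration profile (PayloadIdentifier com.fleetdm.santa.rules).

  Delivers Santa's StaticRules as forced managed preferences for the
  com.northpolesec.santa preference domain. Every rule is a dict with three
  keys: identifier (what to match), policy (ALLOWLIST or BLOCKLIST here) and
  rule_type (how the identifier is interpreted).
-->
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <!-- Managed-preferences payload: one entry per preference domain. -->
      <key>PayloadContent</key>
      <dict>
        <!-- Preference domain read by Santa. -->
        <key>com.northpolesec.santa</key>
        <dict>
          <!-- Forced: values are enforced and cannot be overridden locally by the user. -->
          <key>Forced</key>
          <array>
            <dict>
              <key>mcx_preference_settings</key>
              <dict>
                <!--
                  Rules shipped inside the profile. Changing the rule set means
                  editing and redeploying this profile, so every entry below is
                  reviewed through the same change process as the file itself.
                -->
                <key>StaticRules</key>
                <array>
                  <dict>
                    <!-- Always allow files signed by North Pole Security Inc -->
                    <!--
                      TEAMID rules match on the Apple Developer Team ID of the
                      code signature, so this allows everything signed under
                      that team, not one specific binary.
                    -->
                    <key>identifier</key>
                    <string>ZMCG7MLDV9</string>
                    <key>policy</key>
                    <string>ALLOWLIST</string>
                    <key>rule_type</key>
                    <string>TEAMID</string>
                  </dict>
                  <dict>
                    <!-- Always BLOCK the BundleExample.app binary in Santa's testdata files, for testing -->
                    <!--
                      BINARY rules match one exact file by hash (the identifier
                      is 64 hex characters, consistent with SHA-256). A rebuilt
                      or modified binary has a different hash and is not covered.
                      NOTE(review): this is a test-fixture rule; confirm it is
                      still wanted wherever this profile is deployed beyond
                      test devices.
                    -->
                    <key>identifier</key>
                    <string>b7c1e3fd640c5f211c89b02c2c6122f78ce322aa5c56eb0bb54bc422a8f8b670</string>
                    <key>policy</key>
                    <string>BLOCKLIST</string>
                    <key>rule_type</key>
                    <string>BINARY</string>
                  </dict>
                </array>
              </dict>
            </dict>
          </array>
        </dict>
      </dict>
      <key>PayloadEnabled</key>
      <true/>
      <!-- Inner payload identity; the identifier embeds the PayloadUUID below. -->
      <key>PayloadIdentifier</key>
      <string>com.fleetdm.santa.359E3C7D-396F-4C45-99E7-F429620B9B21</string>
      <key>PayloadType</key>
      <string>com.apple.ManagedClient.preferences</string>
      <key>PayloadUUID</key>
      <string>359E3C7D-396F-4C45-99E7-F429620B9B21</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
    </dict>
  </array>
  <key>PayloadDescription</key>
  <string>Santa rules</string>
  <key>PayloadDisplayName</key>
  <string>Santa rules</string>
  <key>PayloadIdentifier</key>
  <string>com.fleetdm.santa.rules</string>
  <key>PayloadOrganization</key>
  <string>Fleet</string>
  <!-- The user cannot remove this profile by hand, which keeps the rules in force. -->
  <key>PayloadRemovalDisallowed</key>
  <true/>
  <!-- System scope: the profile applies to the whole machine, not a single user. -->
  <key>PayloadScope</key>
  <string>System</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>AFA02DE3-ACA6-49C4-9980-A3664E22E446</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>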