mirror of
https://github.com/fleetdm/fleet
synced 2026-04-28 00:47:22 +00:00
aff7baf3f6
This pull request introduces new configuration profiles to support Okta conditional access for macOS devices, specifically targeting the Information Technology department. It also updates the GitHub Actions workflow to include a new secret for the Okta CA certificate. Additionally, it removes the `workstations-canary` team configuration, likely as part of a cleanup or migration. The most important changes are: **Conditional Access and Okta Integration:** * Added a new configuration profile, `fleet-okta-conditional-access.mobileconfig`, to manage trusted CA certificates, SCEP enrollment, mTLS identity preferences, and Chrome mTLS auto-selection for Okta conditional access on macOS. This profile is applied to devices labeled with "Department: Information Technology". [[1]](diffhunk://#diff-904aba5588b0d2c8dc325414aa1e8f2cd8a324602ac8e0c1cd2a5dff28db357bR1-R157) [[2]](diffhunk://#diff-96f80858f5a487334ae6014cddaa65d1bb79d7e85fa0ea596d1e49063f5b99bdR72-R77) * Added a new configuration profile, `okta-verify-settings.mobileconfig`, to configure privacy preferences, managed login items, notification settings, and Okta Verify app settings for macOS devices in the Information Technology department. [[1]](diffhunk://#diff-b321656e070ad9cb0727fe7ced60565d88bf31d236ac2642d3192fcb375fa4b2R1-R129) [[2]](diffhunk://#diff-96f80858f5a487334ae6014cddaa65d1bb79d7e85fa0ea596d1e49063f5b99bdR72-R77) **Workflow and Secrets Management:** * Updated the GitHub Actions workflow (`dogfood-gitops.yml`) to include the `DOGFOOD_OKTA_CA_CERTIFICATE` secret, supporting the new Okta conditional access configuration. **Configuration Cleanup:** * Removed the `workstations-canary.yml` team configuration, eliminating its policies, software, scripts, and settings. --------- Co-authored-by: Allen Houchins <32207388+allenhouchins@users.noreply.github.com> Co-authored-by: Allen Houchins <allenhouchins@mac.com>
157 lines
5.7 KiB
XML
157 lines
5.7 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
|
|
<plist version="1.0">
|
|
<dict>
|
|
<key>PayloadContent</key>
|
|
<array>
|
|
<!-- Trusted CA certificate -->
|
|
<dict>
|
|
<key>PayloadCertificateFileName</key>
|
|
<string>conditional_access_ca.der</string>
|
|
<key>PayloadContent</key>
|
|
<data>$DOGFOOD_OKTA_CA_CERTIFICATE</data>
|
|
<key>PayloadDescription</key>
|
|
<string>Fleet conditional access CA certificate</string>
|
|
<key>PayloadDisplayName</key>
|
|
<string>Fleet conditional access CA</string>
|
|
<key>PayloadIdentifier</key>
|
|
<string>com.fleetdm.conditional-access-ca</string>
|
|
<key>PayloadType</key>
|
|
<string>com.apple.security.root</string>
|
|
<key>PayloadUUID</key>
|
|
<string>c6d7357b-5b6b-5577-bd3f-e6c886bad550</string>
|
|
<key>PayloadVersion</key>
|
|
<integer>1</integer>
|
|
</dict>
|
|
<!-- SCEP configuration -->
|
|
<dict>
|
|
<key>PayloadContent</key>
|
|
<dict>
|
|
<key>URL</key>
|
|
<string>https://dogfood.fleetdm.com/api/fleet/conditional_access/scep</string>
|
|
<key>Challenge</key>
|
|
<string>$DOGFOOD_GLOBAL_ENROLL_SECRET</string>
|
|
<key>Keysize</key>
|
|
<integer>2048</integer>
|
|
<key>Key Type</key>
|
|
<string>RSA</string>
|
|
<key>Key Usage</key>
|
|
<integer>5</integer>
|
|
<key>ExtendedKeyUsage</key>
|
|
<array>
|
|
<string>1.3.6.1.5.5.7.3.2</string>
|
|
</array>
|
|
<key>Subject</key>
|
|
<array>
|
|
<array>
|
|
<array>
|
|
<string>CN</string>
|
|
<string>Fleet conditional access for Okta</string>
|
|
</array>
|
|
</array>
|
|
</array>
|
|
<key>SubjectAltName</key>
|
|
<dict>
|
|
<key>uniformResourceIdentifier</key>
|
|
<array>
|
|
<string>urn:device:apple:uuid:%HardwareUUID%</string>
|
|
</array>
|
|
</dict>
|
|
<key>Retries</key>
|
|
<integer>3</integer>
|
|
<key>RetryDelay</key>
|
|
<integer>10</integer>
|
|
<!-- ACL for browser access -->
|
|
<key>AllowAllAppsAccess</key>
|
|
<true/>
|
|
<key>KeyIsExtractable</key>
|
|
<false/>
|
|
</dict>
|
|
<key>PayloadDescription</key>
|
|
<string>Configures SCEP for Fleet conditional access for Okta certificate</string>
|
|
<key>PayloadDisplayName</key>
|
|
<string>Fleet conditional access SCEP</string>
|
|
<key>PayloadIdentifier</key>
|
|
<string>com.fleetdm.conditional-access-scep</string>
|
|
<key>PayloadType</key>
|
|
<string>com.apple.security.scep</string>
|
|
<key>PayloadUUID</key>
|
|
<string>478f8ebd-ded5-5808-962d-36da7aa06afe</string>
|
|
<key>PayloadVersion</key>
|
|
<integer>1</integer>
|
|
</dict>
|
|
<!-- Identity preference for mTLS endpoint -->
|
|
<dict>
|
|
<key>Name</key>
|
|
<string>https://okta.dogfood.fleetdm.com</string>
|
|
<key>PayloadCertificateUUID</key>
|
|
<string>478f8ebd-ded5-5808-962d-36da7aa06afe</string>
|
|
<key>PayloadDescription</key>
|
|
<string>Identity preference for mTLS endpoints</string>
|
|
<key>PayloadDisplayName</key>
|
|
<string>Fleet mTLS identity preference</string>
|
|
<key>PayloadIdentifier</key>
|
|
<string>com.fleetdm.conditional-access-preference</string>
|
|
<key>PayloadType</key>
|
|
<string>com.apple.security.identitypreference</string>
|
|
<key>PayloadUUID</key>
|
|
<string>686b683a-9052-5fe5-8dca-31b51b17bb2c</string>
|
|
<key>PayloadVersion</key>
|
|
<integer>1</integer>
|
|
</dict>
|
|
<!-- Chrome web browser configuration -->
|
|
<dict>
|
|
<key>PayloadType</key>
|
|
<string>com.apple.ManagedClient.preferences</string>
|
|
<key>PayloadVersion</key>
|
|
<integer>1</integer>
|
|
<key>PayloadIdentifier</key>
|
|
<string>com.fleetdm.chrome.certs</string>
|
|
<key>PayloadUUID</key>
|
|
<string>1c1ab10a-e7b5-5c76-937e-03001cc9bffb</string>
|
|
<key>PayloadDisplayName</key>
|
|
<string>Chrome mTLS auto-select</string>
|
|
<key>PayloadContent</key>
|
|
<dict>
|
|
<key>com.google.Chrome</key>
|
|
<dict>
|
|
<key>Forced</key>
|
|
<array>
|
|
<dict>
|
|
<key>mcx_preference_settings</key>
|
|
<dict>
|
|
<key>AllowPolicyInIncognito</key>
|
|
<true/>
|
|
<key>AutoSelectCertificateForUrls</key>
|
|
<array>
|
|
<!-- MUST be stringified JSON -->
|
|
<string>{"pattern":"https://okta.dogfood.fleetdm.com","filter":{"SUBJECT":{"CN":"Fleet conditional access for Okta"}}}</string>
|
|
</array>
|
|
</dict>
|
|
</dict>
|
|
</array>
|
|
</dict>
|
|
</dict>
|
|
</dict>
|
|
</array>
|
|
<key>PayloadDescription</key>
|
|
<string>Configures SCEP enrollment for Okta conditional access</string>
|
|
<key>PayloadDisplayName</key>
|
|
<string>Fleet conditional access for Okta</string>
|
|
<key>PayloadIdentifier</key>
|
|
<string>com.fleetdm.conditional-access-okta</string>
|
|
<key>PayloadOrganization</key>
|
|
<string>Fleet Device Management</string>
|
|
<key>PayloadRemovalDisallowed</key>
|
|
<false/>
|
|
<key>PayloadScope</key>
|
|
<string>User</string>
|
|
<key>PayloadType</key>
|
|
<string>Configuration</string>
|
|
<key>PayloadUUID</key>
|
|
<string>fa49f664-378e-5098-bc32-d8160215f873</string>
|
|
<key>PayloadVersion</key>
|
|
<integer>1</integer>
|
|
</dict>
|
|
</plist>
|
|
|