From fed39112ae0aec9a9c49753c45bab51713f78ed8 Mon Sep 17 00:00:00 2001
From: Noah Talerman
Date: Thu, 29 Jan 2026 09:51:42 -0500
Subject: [PATCH 01/26] Add new teams
---
 .github/workflows/workflow.yml | 9 ++++---
 default.yml | 13 ++--------
 teams/dedicated.devices.yml | 9 +++++++
 teams/employee-issued-mobile-devices.yml | 9 +++++++
 teams/it-servers.yml | 9 +++++++
 teams/no-team.yml | 10 +++-----
 teams/personal-mobile-devices.yml | 9 +++++++
 teams/workstations-canary.yml | 31 ------------------------
 teams/workstations.yml | 15 +++---------
 9 files changed, 50 insertions(+), 64 deletions(-)
 create mode 100644 teams/dedicated.devices.yml
 create mode 100644 teams/employee-issued-mobile-devices.yml
 create mode 100644 teams/it-servers.yml
 create mode 100644 teams/personal-mobile-devices.yml
 delete mode 100644 teams/workstations-canary.yml
diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml
index e994789f..6804201e 100644
--- a/.github/workflows/workflow.yml
+++ b/.github/workflows/workflow.yml
@@ -39,6 +39,9 @@ jobs:
 env:
 FLEET_URL: ${{ secrets.FLEET_URL }}
 FLEET_API_TOKEN: ${{ secrets.FLEET_API_TOKEN }}
- FLEET_GLOBAL_ENROLL_SECRET: ${{ secrets.FLEET_GLOBAL_ENROLL_SECRET }}
- FLEET_WORKSTATIONS_ENROLL_SECRET: ${{ secrets.FLEET_WORKSTATIONS_ENROLL_SECRET }}
- FLEET_WORKSTATIONS_CANARY_ENROLL_SECRET: ${{ secrets.FLEET_WORKSTATIONS_CANARY_ENROLL_SECRET }}
+ GLOBAL_ENROLL_SECRET: ${{ secrets.FLEET_GLOBAL_ENROLL_SECRET }}
+ WORKSTATIONS_ENROLL_SECRET: ${{ secrets.WORKSTATIONS_ENROLL_SECRET }}
+ IT_SERVERS_ENROLL_SECRET: ${{ secrets.IT_SERVERS_ENROLL_SECRET }}
+ PERSONAL_MOBILE_DEVICES_ENROLL_SECRET: ${{ secrets.PERSONAL_MOBILE_DEVICES_ENROLL_SECRET }}
+ EMPLOYEE_ISSUED_MOBILE_DEVICES_ENROLL_SECRET: ${{ secrets.EMPLOYEE_ISSUED_MOBILE_DEVICES_ENROLL_SECRET }}
+ DEDICATED_DEVICES_ENROLL_SECRET: ${{ secrets.DEDICATED_DEVICES_ENROLL_SECRET }}
diff --git a/default.yml b/default.yml
index 7db0a067..d3594caf 100644
--- a/default.yml
+++ b/default.yml
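Review bot: The renamed entries `WORKSTATIONS_ENROLL_SECRET`, `IT_SERVERS_ENROLL_SECRET`, `PERSONAL_MOBILE_DEVICES_ENROLL_SECRET`, `EMPLOYEE_ISSUED_MOBILE_DEVICES_ENROLL_SECRET` and `DEDICATED_DEVICES_ENROLL_SECRET` read repository secrets that must now exist under exactly those names, and a secret that does not exist expands to an empty string in `${{ secrets.X }}` rather than failing the job, so a missed rename hands the team files an empty enroll secret. Nothing in the hunk guards against that, and the comment explaining the naming contract (deleted from teams/workstations.yml in this same patch) is not carried over here. I would add above the block `# Each *_ENROLL_SECRET must exist as a repository secret of the same name; an undefined secret expands to "" and the team's enroll secret would be applied empty.` and a step before the gitops run that fails when any of them is empty. The removed `FLEET_WORKSTATIONS_CANARY_ENROLL_SECRET` is no longer consumed anywhere, so the corresponding repository secret can be deleted. The job this `env:` block belongs to starts outside the hunk.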
@@ -1,22 +1,13 @@ -# For Fleet Free: -# - This file updates policies, queries, agent_options, and controls for all hosts. - -# For Fleet Premium: -# - This file updates policies and queries that run on all hosts ("All teams"). -# - Remove "controls" and add this to your YAML files in teams/ instead. +# default.yml controls global settings and policies/queries that run on all hosts ("All teams"). policies: queries: agent_options: path: ./lib/agent-options.yml -controls: # This cannot be set here and in no-team.yml org_settings: server_settings: server_url: $FLEET_URL org_info: org_name: Fleet secrets: - - secret: "$FLEET_GLOBAL_ENROLL_SECRET" - features: - enable_host_users: true - enable_software_inventory: true + - secret: "$GLOBAL_ENROLL_SECRET" diff --git a/teams/dedicated.devices.yml b/teams/dedicated.devices.yml new file mode 100644 index 00000000..9292f7d0 --- /dev/null +++ b/teams/dedicated.devices.yml @@ -0,0 +1,9 @@ +name: 🖥️ Dedicated devices +policies: +queries: +agent_options: +controls: +software: +team_settings: + secrets: + - secret: $DEDICATED_DEVICES_ENROLL_SECRET diff --git a/teams/employee-issued-mobile-devices.yml b/teams/employee-issued-mobile-devices.yml new file mode 100644 index 00000000..d5169fcb --- /dev/null +++ b/teams/employee-issued-mobile-devices.yml @@ -0,0 +1,9 @@ +name: 📱🏢 Employee-issued mobile devices +policies: +queries: +agent_options: +controls: +software: +team_settings: + secrets: + - secret: $EMPLOYEE_ISSUED_MOBILE_DEVICES_ENROLL_SECRET diff --git a/teams/it-servers.yml b/teams/it-servers.yml new file mode 100644 index 00000000..3fb16e02 --- /dev/null +++ b/teams/it-servers.yml @@ -0,0 +1,9 @@ +name: ☁️ IT servers +policies: +queries: +agent_options: +controls: +software: +team_settings: + secrets: + - secret: $IT_SERVERS_ENROLL_SECRET diff --git a/teams/no-team.yml b/teams/no-team.yml index cb7471a7..3461d90e 100644 --- a/teams/no-team.yml +++ b/teams/no-team.yml 
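Review bot: Dropping the `features:` block (`enable_host_users: true`, `enable_software_inventory: true`) from `org_settings` in default.yml is a global behaviour change that the subject "Add new teams" does not mention; if fleetctl gitops resets omitted `org_settings` keys to their defaults, this run changes host-user and software-inventory collection for every host — confirm, and if it is intended, say so in the commit message or keep the block. The deleted `controls:` line also took with it the only hint that controls are now set per team; the new one-line header could say so, e.g. `# controls are set per team in teams/*.yml (including teams/no-team.yml), not here.`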
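Review bot: `name: 🖥️ Dedicated devices` is a plain scalar while teams/workstations.yml in this same patch quotes its name (`name: "💻 Workstations"`); both parse, but one style should be used across the team files, e.g. `name: "🖥️ Dedicated devices"` (the same applies to employee-issued-mobile-devices.yml, it-servers.yml and personal-mobile-devices.yml). The empty keys `policies:`, `queries:`, `agent_options:`, `controls:`, `software:` parse as null, which matches the shape teams/no-team.yml already uses, but a one-line comment such as `# empty sections are deliberate; fill in or remove as the team is configured` would stop the next reader from guessing whether `[]` was meant.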
@@ -1,10 +1,6 @@
-# Teams are available in Fleet Premium.
-
-# This file updates policies, controls, and software for hosts assigned to "No team."
-
-# To update queries and agent options for hosts assigned to "No team," use the default.yml file.
-
 name: No team
 policies:
-controls: # This cannot be set here and in default.yml
+queries:
+agent_options:
+controls:
 software:
diff --git a/teams/personal-mobile-devices.yml b/teams/personal-mobile-devices.yml
new file mode 100644
index 00000000..a49a5b92
--- /dev/null
+++ b/teams/personal-mobile-devices.yml
@@ -0,0 +1,9 @@
+name: 📱🔐 Personal mobile devices
+policies:
+queries:
+agent_options:
+controls:
+software:
+team_settings:
+ secrets:
+ - secret: $PERSONAL_MOBILE_DEVICES_ENROLL_SECRET
diff --git a/teams/workstations-canary.yml b/teams/workstations-canary.yml
deleted file mode 100644
index 5ffc375d..00000000
--- a/teams/workstations-canary.yml
+++ /dev/null
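Review bot: The added `queries:` and `agent_options:` keys contradict the comment this hunk deletes, which stated that queries and agent options for "No team" hosts are set in default.yml; if the no-team schema does not accept those keys, the gitops run fails on this file, so confirm against fleetctl before adding them. Patch 05 of this series deletes teams/no-team.yml altogether (per its diffstat), which leaves the intent of this change unclear. If the keys stay, keep a one-line pointer in place of the deleted paragraph, e.g. `# "No team" queries and agent options were documented as living in default.yml; confirm these keys are honored here.`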
@@ -1,31 +0,0 @@ -# Teams are available in Fleet Premium. - -# This file updates policies, queries, agent options, controls, and software for hosts assigned to the "Workstations (canary)" team. - -# To add another team, create a new file in the teams/ directory and copy and paste the contents from this file. -# Update the secret in the new file, then create the corresponding secret in GitHub Actions secrets. -# Then add that secret to .github/workflows/workflow.yml as an env variable. -# The secret name in the YAML file must match the secret name in GitHub Actions secrets. - -name: Workstations (canary) -policies: - - path: ../lib/macos/policies/macos-device-health.policies.yml - - path: ../lib/windows/policies/windows-device-health.policies.yml - - path: ../lib/linux/policies/linux-device-health.policies.yml -queries: - - path: ../lib/all/queries/collect-usb-devices.queries.yml - - path: ../lib/all/queries/collect-failed-login-attempts.queries.yml -agent_options: - path: ../lib/agent-options.yml -controls: - scripts: - - path: ../lib/macos/scripts/remove-zoom-artifacts.script.sh - - path: ../lib/macos/scripts/set-timezone.script.sh -team_settings: - secrets: - - secret: "$FLEET_WORKSTATIONS_CANARY_ENROLL_SECRET" - features: - enable_host_users: true - enable_software_inventory: true -software: - diff --git a/teams/workstations.yml b/teams/workstations.yml index d818561d..ef8f283f 100644 --- a/teams/workstations.yml +++ b/teams/workstations.yml 
@@ -1,13 +1,4 @@ -# Teams are available in Fleet Premium. - -# This file updates policies, queries, agent options, controls, and software for hosts assigned to the "Workstations" team. - -# To add another team, create a new file in the teams/ directory and copy and paste the contents from this file. -# Update the secret in the new file, then create the corresponding secret in GitHub Actions secrets. -# Then add that secret to .github/workflows/workflow.yml as an env variable. -# The secret name in the YAML file must match the secret name in GitHub Actions secrets. - -name: Workstations +name: "💻 Workstations" policies: - path: ../lib/macos/policies/macos-device-health.policies.yml - path: ../lib/windows/policies/windows-device-health.policies.yml @@ -21,10 +12,10 @@ controls: scripts: - path: ../lib/macos/scripts/remove-zoom-artifacts.script.sh - path: ../lib/macos/scripts/set-timezone.script.sh +software: team_settings: secrets: - - secret: "$FLEET_WORKSTATIONS_ENROLL_SECRET" + - secret: "$WORKSTATIONS_ENROLL_SECRET" features: enable_host_users: true enable_software_inventory: true -software: From 56f5276ff8a5e9b4d64bc252df7c09a837c3a223 Mon Sep 17 00:00:00 2001 
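Review bot: Changing `name: Workstations` to `name: "💻 Workstations"` is, if fleetctl gitops matches teams by name, the creation of a new team rather than a rename: the existing Workstations team and its host assignments would not carry over, and a run that deletes teams absent from the repo would remove the old one — confirm how the gitops run treats this before merging. The eight deleted comment lines were the only place stating the secret-name contract (the `secret:` env name must match the env entry in .github/workflows/workflow.yml and a GitHub Actions secret of the same name), and with workstations-canary.yml and lib/README.md also removed in this series nothing documents it any more. Keep a condensed line above `team_settings:`, e.g. `# The env name in secret: must match an env entry in .github/workflows/workflow.yml and a GitHub Actions secret of the same name.`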
From: Noah Talerman Date: Thu, 29 Jan 2026 14:46:27 -0500 Subject: [PATCH 02/26] Remove strucutre --- lib/README.md | 40 -------------- .../collect-failed-login-attempts.queries.yml | 7 --- ...collect-fleetd-update-channels.queries.yml | 7 --- .../queries/collect-usb-devices.queries.yml | 7 --- .../scripts => }/collect-fleetd-logs.sh | 0 ...health.policies.yml => linux.policies.yml} | 0 ...health.policies.yml => macos.policies.yml} | 0 .../passcode-settings-ddm.json | 10 ---- .../automatic-enrollment.dep.json | 28 ---------- lib/macos/scripts/install-santa.sh | 2 - lib/macos/scripts/macos-password.mobileconfig | 55 ------------------- .../scripts/remove-zoom-artifacts.script.sh | 1 - lib/macos/scripts/set-timezone.script.sh | 1 - lib/macos/scripts/uninstall-santa.sh | 1 - lib/macos/software/santa.yml | 2 - lib/queries.yml | 21 +++++++ ...alth.policies.yml => windows.policies.yml} | 0 .../passcode-settings-ddm.json | 10 ---- .../scripts/default-exe-install-script.ps1 | 2 - lib/windows/scripts/uninstall-slack.ps1 | 2 - lib/windows/scripts/windows-screenlock.xml | 48 ---------------- lib/windows/software/slack.yml | 2 - teams/workstations.yml | 12 ++-- 23 files changed, 26 insertions(+), 232 deletions(-) delete mode 100644 lib/README.md delete mode 100644 lib/all/queries/collect-failed-login-attempts.queries.yml delete mode 100644 lib/all/queries/collect-fleetd-update-channels.queries.yml delete mode 100644 lib/all/queries/collect-usb-devices.queries.yml rename lib/{macos/scripts => }/collect-fleetd-logs.sh (100%) rename lib/{linux/policies/linux-device-health.policies.yml => linux.policies.yml} (100%) rename lib/{macos/policies/macos-device-health.policies.yml => macos.policies.yml} (100%) delete mode 100644 lib/macos/configuration-profiles/passcode-settings-ddm.json delete mode 100644 lib/macos/enrollment-profiles/automatic-enrollment.dep.json delete mode 100644 lib/macos/scripts/install-santa.sh delete mode 100644 lib/macos/scripts/macos-password.mobileconfig 
delete mode 100644 lib/macos/scripts/remove-zoom-artifacts.script.sh delete mode 100644 lib/macos/scripts/set-timezone.script.sh delete mode 100644 lib/macos/scripts/uninstall-santa.sh delete mode 100644 lib/macos/software/santa.yml create mode 100644 lib/queries.yml rename lib/{windows/policies/windows-device-health.policies.yml => windows.policies.yml} (100%) delete mode 100644 lib/windows/configuration-profiles/passcode-settings-ddm.json delete mode 100644 lib/windows/scripts/default-exe-install-script.ps1 delete mode 100644 lib/windows/scripts/uninstall-slack.ps1 delete mode 100644 lib/windows/scripts/windows-screenlock.xml delete mode 100644 lib/windows/software/slack.yml diff --git a/lib/README.md b/lib/README.md deleted file mode 100644 index 2f391173..00000000 --- a/lib/README.md +++ /dev/null @@ -1,40 +0,0 @@ -# `lib/` - -This folder is for files referenced by `path` in Fleet config YAML. - -This can reduce duplication for policies, scripts, and other config that is the same across multiple teams in Fleet Premium. - -### Examples - -##### Policies - -```yaml -# default.yml -policies: - - path: ./lib/macos/policies/macos-device-health.policies.yml -``` - -##### Queries - -```yaml -# default.yml -queries: - - path: ./lib/all/queries/collect-usb-devices.queries.yml -``` - -##### Scripts - -```yaml -# default.yml -controls: - scripts: - - path: ./lib/macos/scripts/remove-zoom-artifacts.script.sh -``` - -##### Agent options - -```yaml -# default.yml -agent_options: - path: ./lib/agent-options.yml -``` diff --git a/lib/all/queries/collect-failed-login-attempts.queries.yml b/lib/all/queries/collect-failed-login-attempts.queries.yml deleted file mode 100644 index 8ca3b86e..00000000 --- a/lib/all/queries/collect-failed-login-attempts.queries.yml +++ /dev/null 
@@ -1,7 +0,0 @@ -- name: Collect failed login attempts - description: Lists the users at least one failed login attempt and timestamp of failed login. Number of failed login attempts reset to zero after a user successfully logs in. - query: SELECT users.username, account_policy_data.failed_login_count, account_policy_data.failed_login_timestamp FROM users INNER JOIN account_policy_data using (uid) WHERE account_policy_data.failed_login_count > 0; - interval: 300 # 5 minutes - observer_can_run: false - automations_enabled: false - platform: darwin,linux,windows diff --git a/lib/all/queries/collect-fleetd-update-channels.queries.yml b/lib/all/queries/collect-fleetd-update-channels.queries.yml deleted file mode 100644 index a90ea083..00000000 --- a/lib/all/queries/collect-fleetd-update-channels.queries.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: Collect fleetd update channels - description: "Collects the update channels for all fleetd components: osquery, Orbit, and Fleet Desktop. To see which version number each channel is on, ask in #help-engineering." - query: SELECT desktop_channel, orbit_channel, osqueryd_channel FROM orbit_info; - interval: 300 # 5 minutes - observer_can_run: true - automations_enabled: false - platform: darwin,linux,windows diff --git a/lib/all/queries/collect-usb-devices.queries.yml b/lib/all/queries/collect-usb-devices.queries.yml deleted file mode 100644 index ce1ee13d..00000000 --- a/lib/all/queries/collect-usb-devices.queries.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: Collect USB devices - description: Collects the USB devices that are currently connected to macOS and Linux hosts. - query: SELECT model, vendor FROM usb_devices; - interval: 360 # 6 minutes - observer_can_run: true - automations_enabled: false - platform: darwin,linux diff --git a/lib/macos/scripts/collect-fleetd-logs.sh b/lib/collect-fleetd-logs.sh similarity index 100% rename from lib/macos/scripts/collect-fleetd-logs.sh rename to lib/collect-fleetd-logs.sh 
diff --git a/lib/linux/policies/linux-device-health.policies.yml b/lib/linux.policies.yml similarity index 100% rename from lib/linux/policies/linux-device-health.policies.yml rename to lib/linux.policies.yml diff --git a/lib/macos/policies/macos-device-health.policies.yml b/lib/macos.policies.yml similarity index 100% rename from lib/macos/policies/macos-device-health.policies.yml rename to lib/macos.policies.yml diff --git a/lib/macos/configuration-profiles/passcode-settings-ddm.json b/lib/macos/configuration-profiles/passcode-settings-ddm.json deleted file mode 100644 index 9b7d59f1..00000000 --- a/lib/macos/configuration-profiles/passcode-settings-ddm.json +++ /dev/null @@ -1,10 +0,0 @@ -{ - "Type": "com.apple.configuration.passcode.settings", - "Identifier": "956e0d14-6019-479b-a6f9-a69ef77668c5", - "Payload": { - "MaximumFailedAttempts": 10, - "MaximumInactivityInMinutes": 5, - "MinimumLength": 12, - "MinimumComplexCharacters": 1 - } -} diff --git a/lib/macos/enrollment-profiles/automatic-enrollment.dep.json b/lib/macos/enrollment-profiles/automatic-enrollment.dep.json deleted file mode 100644 index 43807f48..00000000 --- a/lib/macos/enrollment-profiles/automatic-enrollment.dep.json +++ /dev/null @@ -1,28 +0,0 @@ -{ - "profile_name": "Fleet's example automatic enrollment profile", - "allow_pairing": true, - "is_mdm_removable": true, - "org_magic": "1", - "language": "en", - "region": "US", - "skip_setup_items": [ - "Accessibility", - "Appearance", - "AppleID", - "AppStore", - "Biometric", - "Diagnostics", - "FileVault", - "iCloudDiagnostics", - "iCloudStorage", - "Location", - "Payment", - "Privacy", - "Restore", - "ScreenTime", - "Siri", - "TermsOfAddress", - "TOS", - "UnlockWithWatch" - ] -} \ No newline at end of file diff --git a/lib/macos/scripts/install-santa.sh b/lib/macos/scripts/install-santa.sh deleted file mode 100644 index 8a1136c2..00000000 --- a/lib/macos/scripts/install-santa.sh +++ /dev/null 
@@ -1,2 +0,0 @@ -# This will be a script that installs Santa onto macOS hosts. -# Documentation: https://fleetdm.com/docs/configuration/yaml-files#packages \ No newline at end of file diff --git a/lib/macos/scripts/macos-password.mobileconfig b/lib/macos/scripts/macos-password.mobileconfig deleted file mode 100644 index 2fe2f717..00000000 --- a/lib/macos/scripts/macos-password.mobileconfig +++ /dev/null @@ -1,55 +0,0 @@ - - - - - PayloadContent - - - PayloadDescription - Configures Passcode settings - PayloadDisplayName - Passcode - PayloadIdentifier - com.github.erikberglund.ProfileCreator.F7CF282E-D91B-44E9-922F-A719634F9C8E.com.apple.mobiledevice.passwordpolicy.231DFC90-D5A7-41B8-9246-564056048AC5 - PayloadOrganization - - PayloadType - com.apple.mobiledevice.passwordpolicy - PayloadUUID - 231DFC90-D5A7-41B8-9246-564056048AC5 - PayloadVersion - 1 - allowSimple - - forcePIN - - maxFailedAttempts - 11 - maxGracePeriod - 1 - maxInactivity - 15 - minLength - 10 - requireAlphanumeric - - - - PayloadDescription - Configures our Macs to require passwords that are 10 character long - PayloadDisplayName - Password policy - require 10 characters - PayloadIdentifier - com.github.erikberglund.ProfileCreator.F7CF282E-D91B-44E9-922F-A719634F9C8E - PayloadOrganization - FleetDM - PayloadScope - System - PayloadType - Configuration - PayloadUUID - F7CF282E-D91B-44E9-922F-A719634F9C8E - PayloadVersion - 1 - - \ No newline at end of file diff --git a/lib/macos/scripts/remove-zoom-artifacts.script.sh b/lib/macos/scripts/remove-zoom-artifacts.script.sh deleted file mode 100644 index 55b2c615..00000000 --- a/lib/macos/scripts/remove-zoom-artifacts.script.sh +++ /dev/null @@ -1 +0,0 @@ -# This will be a script that removes Zoom artifacts from macOS hosts. diff --git a/lib/macos/scripts/set-timezone.script.sh b/lib/macos/scripts/set-timezone.script.sh deleted file mode 100644 index 09d1b0a7..00000000 --- a/lib/macos/scripts/set-timezone.script.sh +++ /dev/null 
@@ -1 +0,0 @@ -# This will be a script that sets the timezone on macOS hosts. diff --git a/lib/macos/scripts/uninstall-santa.sh b/lib/macos/scripts/uninstall-santa.sh deleted file mode 100644 index f30f48c6..00000000 --- a/lib/macos/scripts/uninstall-santa.sh +++ /dev/null @@ -1 +0,0 @@ -# This will be a script that uninstalls Santa from macOS hosts. \ No newline at end of file diff --git a/lib/macos/software/santa.yml b/lib/macos/software/santa.yml deleted file mode 100644 index d4d1d76b..00000000 --- a/lib/macos/software/santa.yml +++ /dev/null @@ -1,2 +0,0 @@ -# This will be the configuration for a custom package on macOS hosts. -# Documentation: https://fleetdm.com/docs/configuration/yaml-files#packages diff --git a/lib/queries.yml b/lib/queries.yml new file mode 100644 index 00000000..a29a0be6 --- /dev/null +++ b/lib/queries.yml 
@@ -0,0 +1,21 @@
+- name: Collect failed login attempts
+ description: Lists the users at least one failed login attempt and timestamp of failed login. Number of failed login attempts reset to zero after a user successfully logs in.
+ query: SELECT users.username, account_policy_data.failed_login_count, account_policy_data.failed_login_timestamp FROM users INNER JOIN account_policy_data using (uid) WHERE account_policy_data.failed_login_count > 0;
+ interval: 300 # 5 minutes
+ observer_can_run: false
+ automations_enabled: false
+ platform: darwin,linux,windows
+- name: Collect USB devices
+ description: Collects the USB devices that are currently connected to macOS and Linux hosts.
+ query: SELECT model, vendor FROM usb_devices;
+ interval: 360 # 6 minutes
+ observer_can_run: true
+ automations_enabled: false
+ platform: darwin,linux
+- name: Collect fleetd update channels
+ description: "Collects the update channels for all fleetd components: osquery, Orbit, and Fleet Desktop. To see which version number each channel is on, ask in #help-engineering."
+ query: SELECT desktop_channel, orbit_channel, osqueryd_channel FROM orbit_info;
+ interval: 300 # 5 minutes
+ observer_can_run: true
+ automations_enabled: false
+ platform: darwin,linux,windows
diff --git a/lib/windows/policies/windows-device-health.policies.yml b/lib/windows.policies.yml
similarity index 100%
rename from lib/windows/policies/windows-device-health.policies.yml
rename to lib/windows.policies.yml
diff --git a/lib/windows/configuration-profiles/passcode-settings-ddm.json b/lib/windows/configuration-profiles/passcode-settings-ddm.json
deleted file mode 100644
index 9b7d59f1..00000000
--- a/lib/windows/configuration-profiles/passcode-settings-ddm.json
+++ /dev/null
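Review bot: `Collect failed login attempts` joins `users` with `account_policy_data`, an osquery table that exists only on macOS, yet the entry keeps `platform: darwin,linux,windows`; on Linux and Windows hosts the query errors instead of returning rows, so that entry should be `platform: darwin` (the other two entries are fine as written). The description also reads `Lists the users at least one failed login attempt` — `Lists the users with at least one failed login attempt`. This file is a straight merge of the three deleted per-query files, so the defect predates the patch, but it is now the single place to fix it.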
@@ -1,10 +0,0 @@ -{ - "Type": "com.apple.configuration.passcode.settings", - "Identifier": "956e0d14-6019-479b-a6f9-a69ef77668c5", - "Payload": { - "MaximumFailedAttempts": 10, - "MaximumInactivityInMinutes": 5, - "MinimumLength": 12, - "MinimumComplexCharacters": 1 - } -} diff --git a/lib/windows/scripts/default-exe-install-script.ps1 b/lib/windows/scripts/default-exe-install-script.ps1 deleted file mode 100644 index 857cf7e3..00000000 --- a/lib/windows/scripts/default-exe-install-script.ps1 +++ /dev/null @@ -1,2 +0,0 @@ -# This will be a default script that can install packages on Windows hosts. -# Documentation: https://fleetdm.com/docs/configuration/yaml-files#packages diff --git a/lib/windows/scripts/uninstall-slack.ps1 b/lib/windows/scripts/uninstall-slack.ps1 deleted file mode 100644 index 8d762f1c..00000000 --- a/lib/windows/scripts/uninstall-slack.ps1 +++ /dev/null @@ -1,2 +0,0 @@ -# This will be a script that uninstalls Slack from Windows hosts. -# Documentation: https://fleetdm.com/docs/configuration/yaml-files#packages diff --git a/lib/windows/scripts/windows-screenlock.xml b/lib/windows/scripts/windows-screenlock.xml deleted file mode 100644 index 3d7d52de..00000000 --- a/lib/windows/scripts/windows-screenlock.xml +++ /dev/null @@ -1,48 +0,0 @@ - - - - - int - - - ./Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled - - 0 - - - - - - - int - - - ./Device/Vendor/MSFT/Policy/Config/DeviceLock/MaxInactivityTimeDeviceLock - - 15 - - - - - - - int - - - ./Device/Vendor/MSFT/Policy/Config/DeviceLock/MinDevicePasswordLength - - 10 - - - - - - - int - - - ./Device/Vendor/MSFT/Policy/Config/DeviceLock/MinDevicePasswordComplexCharacters - - 2 - - diff --git a/lib/windows/software/slack.yml b/lib/windows/software/slack.yml deleted file mode 100644 index ca4c36d1..00000000 --- a/lib/windows/software/slack.yml +++ /dev/null 
@@ -1,2 +0,0 @@
-# This will be the configuration for a custom package on Windows hosts.
-# Documentation: https://fleetdm.com/docs/configuration/yaml-files#packages
diff --git a/teams/workstations.yml b/teams/workstations.yml
index ef8f283f..62cfe2f9 100644
--- a/teams/workstations.yml
+++ b/teams/workstations.yml
@@ -1,17 +1,15 @@
 name: "💻 Workstations"
 policies:
- - path: ../lib/macos/policies/macos-device-health.policies.yml
- - path: ../lib/windows/policies/windows-device-health.policies.yml
- - path: ../lib/linux/policies/linux-device-health.policies.yml
+ - path: ../lib/macos.policies.yml
+ - path: ../lib/windows.policies.yml
+ - path: ../lib/linux.policies.yml
 queries:
- - path: ../lib/all/queries/collect-usb-devices.queries.yml
- - path: ../lib/all/queries/collect-failed-login-attempts.queries.yml
+ - path: ../lib/queries.yml
 agent_options:
 path: ../lib/agent-options.yml
 controls:
 scripts:
- - path: ../lib/macos/scripts/remove-zoom-artifacts.script.sh
- - path: ../lib/macos/scripts/set-timezone.script.sh
+ - path: ../lib/collect-fleetd-logs.sh
 software:
 team_settings:
 secrets:
From 0eb64514f7b0f0072c05c6a6eadaaef8411d31e5 Mon Sep 17 00:00:00 2001
From: Noah Talerman
Date: Thu, 29 Jan 2026 14:48:54 -0500
Subject: [PATCH 03/26] Add strings around secret
---
 teams/dedicated.devices.yml | 2 +-
 teams/employee-issued-mobile-devices.yml | 2 +-
 teams/it-servers.yml | 2 +-
 teams/personal-mobile-devices.yml | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/teams/dedicated.devices.yml b/teams/dedicated.devices.yml
index 9292f7d0..b2d2c7b3 100644
--- a/teams/dedicated.devices.yml
+++ b/teams/dedicated.devices.yml
@@ -6,4 +6,4 @@ controls:
 software:
 team_settings:
 secrets:
- - secret: $DEDICATED_DEVICES_ENROLL_SECRET
+ - secret: "$DEDICATED_DEVICES_ENROLL_SECRET"
diff --git a/teams/employee-issued-mobile-devices.yml b/teams/employee-issued-mobile-devices.yml
index d5169fcb..756f9199 100644
--- a/teams/employee-issued-mobile-devices.yml
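Review bot: The `controls.scripts` entry now points at `../lib/collect-fleetd-logs.sh` in place of the two placeholder scripts; the script body (visible where patch 05 later deletes it) copies macOS-only log paths and has no shebang or `set -e`, so a macOS-specific log-collection script is attached to a team whose policies cover macOS, Windows and Linux — confirm that is the intended scope for this team's scripts. Separately, the diffstat of patch 05 in this series deletes `lib/queries.yml`, `lib/macos.policies.yml`, `lib/windows.policies.yml`, `lib/linux.policies.yml`, `lib/collect-fleetd-logs.sh` and `lib/agent-options.yml` without touching this file, so as far as the visible diffstats show every `path:` in this hunk dangles at that commit; the later patch should update these references in the same commit that removes the targets.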
+++ b/teams/employee-issued-mobile-devices.yml
@@ -6,4 +6,4 @@ controls:
 software:
 team_settings:
 secrets:
- - secret: $EMPLOYEE_ISSUED_MOBILE_DEVICES_ENROLL_SECRET
+ - secret: "$EMPLOYEE_ISSUED_MOBILE_DEVICES_ENROLL_SECRET"
diff --git a/teams/it-servers.yml b/teams/it-servers.yml
index 3fb16e02..f8a15a51 100644
--- a/teams/it-servers.yml
+++ b/teams/it-servers.yml
@@ -6,4 +6,4 @@ controls:
 software:
 team_settings:
 secrets:
- - secret: $IT_SERVERS_ENROLL_SECRET
+ - secret: "$IT_SERVERS_ENROLL_SECRET"
diff --git a/teams/personal-mobile-devices.yml b/teams/personal-mobile-devices.yml
index a49a5b92..6b7e170f 100644
--- a/teams/personal-mobile-devices.yml
+++ b/teams/personal-mobile-devices.yml
@@ -6,4 +6,4 @@ controls:
 software:
 team_settings:
 secrets:
- - secret: $PERSONAL_MOBILE_DEVICES_ENROLL_SECRET
+ - secret: "$PERSONAL_MOBILE_DEVICES_ENROLL_SECRET"
From e22183442f1961f6a333f2c5c5e9f7711eb59c63 Mon Sep 17 00:00:00 2001
From: Noah Talerman
Date: Thu, 29 Jan 2026 14:53:28 -0500
Subject: [PATCH 04/26] Global enroll secret
---
 .github/workflows/workflow.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml
index 6804201e..d431aff1 100644
--- a/.github/workflows/workflow.yml
+++ b/.github/workflows/workflow.yml
@@ -39,7 +39,7 @@ jobs:
 env:
 FLEET_URL: ${{ secrets.FLEET_URL }}
 FLEET_API_TOKEN: ${{ secrets.FLEET_API_TOKEN }}
- GLOBAL_ENROLL_SECRET: ${{ secrets.FLEET_GLOBAL_ENROLL_SECRET }}
+ GLOBAL_ENROLL_SECRET: ${{ secrets.GLOBAL_ENROLL_SECRET }}
 WORKSTATIONS_ENROLL_SECRET: ${{ secrets.WORKSTATIONS_ENROLL_SECRET }}
 IT_SERVERS_ENROLL_SECRET: ${{ secrets.IT_SERVERS_ENROLL_SECRET }}
 PERSONAL_MOBILE_DEVICES_ENROLL_SECRET: ${{ secrets.PERSONAL_MOBILE_DEVICES_ENROLL_SECRET }}
From 93196968c41cf7662226aeabc6ed2ff7dfe9b684 Mon Sep 17 00:00:00 2001
From: Noah Talerman Date: Thu, 29 Jan 2026 16:40:54 -0500 Subject: [PATCH 05/26] Add changes --- lib/agent-options.yml | 13 ----- lib/all/agent-options.yml/.keep | 1 + lib/all/icons/.keep | 1 + lib/all/labels/.keep | 1 + lib/all/queries/.keep | 1 + lib/collect-fleetd-logs.sh | 7 --- lib/ios/configuration-profiles/.keep | 1 + lib/ios/declaration-profiles/.keep | 1 + lib/ipados/configuration-profiles/.keep | 1 + lib/ipados/declaration-profiles/.keep | 1 + lib/linux.policies.yml | 5 -- lib/linux/policies/.keep | 1 + lib/linux/queries/.keep | 1 + lib/linux/scripts/.keep | 1 + lib/linux/software/.keep | 1 + lib/macos.policies.yml | 52 ------------------- lib/macos/commands/.keep | 1 + lib/macos/configuration-profiles/.keep | 1 + lib/macos/declaration-profiles/.keep | 1 + lib/macos/enrollment-profiles/.keep | 1 + lib/macos/misc/.keep | 1 + lib/macos/policies/.keep | 1 + lib/macos/queries/.keep | 1 + lib/macos/scripts/.keep | 1 + lib/macos/software/.keep | 1 + lib/queries.yml | 21 -------- lib/windows.policies.yml | 20 ------- lib/windows/configuration-profiles/.keep | 1 + lib/windows/policies/.keep | 1 + lib/windows/queries/.keep | 1 + lib/windows/scripts/.keep | 1 + lib/windows/software/.keep | 1 + ...ated.devices.yml => dedicated-devices.yml} | 0 teams/no-team.yml | 6 --- teams/personal-mobile-devices.yml | 2 +- 35 files changed, 27 insertions(+), 125 deletions(-) delete mode 100644 lib/agent-options.yml create mode 100644 lib/all/agent-options.yml/.keep create mode 100644 lib/all/icons/.keep create mode 100644 lib/all/labels/.keep create mode 100644 lib/all/queries/.keep delete mode 100644 lib/collect-fleetd-logs.sh create mode 100644 lib/ios/configuration-profiles/.keep create mode 100644 lib/ios/declaration-profiles/.keep create mode 100644 lib/ipados/configuration-profiles/.keep create mode 100644 lib/ipados/declaration-profiles/.keep delete mode 100644 lib/linux.policies.yml create mode 100644 lib/linux/policies/.keep create mode 100644 lib/linux/queries/.keep 
create mode 100644 lib/linux/scripts/.keep create mode 100644 lib/linux/software/.keep delete mode 100644 lib/macos.policies.yml create mode 100644 lib/macos/commands/.keep create mode 100644 lib/macos/configuration-profiles/.keep create mode 100644 lib/macos/declaration-profiles/.keep create mode 100644 lib/macos/enrollment-profiles/.keep create mode 100644 lib/macos/misc/.keep create mode 100644 lib/macos/policies/.keep create mode 100644 lib/macos/queries/.keep create mode 100644 lib/macos/scripts/.keep create mode 100644 lib/macos/software/.keep delete mode 100644 lib/queries.yml delete mode 100644 lib/windows.policies.yml create mode 100644 lib/windows/configuration-profiles/.keep create mode 100644 lib/windows/policies/.keep create mode 100644 lib/windows/queries/.keep create mode 100644 lib/windows/scripts/.keep create mode 100644 lib/windows/software/.keep rename teams/{dedicated.devices.yml => dedicated-devices.yml} (100%) delete mode 100644 teams/no-team.yml diff --git a/lib/agent-options.yml b/lib/agent-options.yml deleted file mode 100644 index af5a94aa..00000000 --- a/lib/agent-options.yml +++ /dev/null @@ -1,13 +0,0 @@ -command_line_flags: -config: - decorators: - load: - - SELECT uuid AS host_uuid FROM system_info; - - SELECT hostname AS hostname FROM system_info; - options: - disable_distributed: false - distributed_interval: 10 - distributed_plugin: tls - distributed_tls_max_attempts: 3 - logger_tls_endpoint: /api/v1/osquery/log - pack_delimiter: / diff --git a/lib/all/agent-options.yml/.keep b/lib/all/agent-options.yml/.keep new file mode 100644 index 00000000..5c2e4027 --- /dev/null +++ b/lib/all/agent-options.yml/.keep @@ -0,0 +1 @@ +Ignore this file. It only exists because git refuses to push empty directories to a remote server. \ No newline at end of file diff --git a/lib/all/icons/.keep b/lib/all/icons/.keep new file mode 100644 index 00000000..5c2e4027 --- /dev/null +++ b/lib/all/icons/.keep 
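Review bot: The new placeholder is created at `lib/all/agent-options.yml/.keep`, which turns `agent-options.yml` into a directory name, while the same patch deletes the real file `lib/agent-options.yml` that default.yml (`agent_options: path: ./lib/agent-options.yml`) and teams/workstations.yml (`path: ../lib/agent-options.yml`) still reference, so both references now resolve to nothing. The path looks like a typo for a directory such as `lib/all/agent-options/`, or the intent was to move the file to `lib/all/agent-options.yml`, in which case its contents should be moved rather than replaced by a .keep. Every other .keep in this patch follows the `lib/<platform>/<kind>/.keep` pattern, which this one breaks, and the two consumers above need their `path:` updated in the same commit.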
@@ -0,0 +1 @@ +Ignore this file. It only exists because git refuses to push empty directories to a remote server. \ No newline at end of file diff --git a/lib/all/labels/.keep b/lib/all/labels/.keep new file mode 100644 index 00000000..5c2e4027 --- /dev/null +++ b/lib/all/labels/.keep @@ -0,0 +1 @@ +Ignore this file. It only exists because git refuses to push empty directories to a remote server. \ No newline at end of file diff --git a/lib/all/queries/.keep b/lib/all/queries/.keep new file mode 100644 index 00000000..5c2e4027 --- /dev/null +++ b/lib/all/queries/.keep @@ -0,0 +1 @@ +Ignore this file. It only exists because git refuses to push empty directories to a remote server. \ No newline at end of file diff --git a/lib/collect-fleetd-logs.sh b/lib/collect-fleetd-logs.sh deleted file mode 100644 index 887af2ac..00000000 --- a/lib/collect-fleetd-logs.sh +++ /dev/null @@ -1,7 +0,0 @@ -cp /var/log/orbit/orbit.stderr.log ~/Library/Logs/Fleet/fleet-desktop.log /Users/Shared - -echo "Successfully copied fleetd logs to the /Users/Shared folder." - -echo "To retrieve logs, ask the end user to open Finder and in the menu bar select Go > Go to Folder." - -echo "Then, ask the end user to type in /Users/Shared, press Return, and locate orbit.stderr.log (Orbit logs) and fleet-desktop.log (Fleet Desktop logs) files." \ No newline at end of file diff --git a/lib/ios/configuration-profiles/.keep b/lib/ios/configuration-profiles/.keep new file mode 100644 index 00000000..5c2e4027 --- /dev/null +++ b/lib/ios/configuration-profiles/.keep @@ -0,0 +1 @@ +Ignore this file. It only exists because git refuses to push empty directories to a remote server. \ No newline at end of file diff --git a/lib/ios/declaration-profiles/.keep b/lib/ios/declaration-profiles/.keep new file mode 100644 index 00000000..5c2e4027 --- /dev/null +++ b/lib/ios/declaration-profiles/.keep 
@@ -0,0 +1 @@ +Ignore this file. It only exists because git refuses to push empty directories to a remote server. \ No newline at end of file diff --git a/lib/ipados/configuration-profiles/.keep b/lib/ipados/configuration-profiles/.keep new file mode 100644 index 00000000..5c2e4027 --- /dev/null +++ b/lib/ipados/configuration-profiles/.keep @@ -0,0 +1 @@ +Ignore this file. It only exists because git refuses to push empty directories to a remote server. \ No newline at end of file diff --git a/lib/ipados/declaration-profiles/.keep b/lib/ipados/declaration-profiles/.keep new file mode 100644 index 00000000..5c2e4027 --- /dev/null +++ b/lib/ipados/declaration-profiles/.keep @@ -0,0 +1 @@ +Ignore this file. It only exists because git refuses to push empty directories to a remote server. \ No newline at end of file diff --git a/lib/linux.policies.yml b/lib/linux.policies.yml deleted file mode 100644 index 607e12c3..00000000 --- a/lib/linux.policies.yml +++ /dev/null @@ -1,5 +0,0 @@ -- name: Linux - Enable disk encryption - platform: linux - description: This policy checks if disk encryption is enabled. - resolution: As an IT admin, deploy an image that includes disk encryption. - query: SELECT 1 FROM disk_encryption WHERE encrypted=1 AND name LIKE '/dev/dm-1'; diff --git a/lib/linux/policies/.keep b/lib/linux/policies/.keep new file mode 100644 index 00000000..5c2e4027 --- /dev/null +++ b/lib/linux/policies/.keep @@ -0,0 +1 @@ +Ignore this file. It only exists because git refuses to push empty directories to a remote server. \ No newline at end of file diff --git a/lib/linux/queries/.keep b/lib/linux/queries/.keep new file mode 100644 index 00000000..5c2e4027 --- /dev/null +++ b/lib/linux/queries/.keep @@ -0,0 +1 @@ +Ignore this file. It only exists because git refuses to push empty directories to a remote server. \ No newline at end of file diff --git a/lib/linux/scripts/.keep b/lib/linux/scripts/.keep new file mode 100644 index 00000000..5c2e4027 --- /dev/null 
+++ b/lib/linux/scripts/.keep @@ -0,0 +1 @@ +Ignore this file. It only exists because git refuses to push empty directories to a remote server. \ No newline at end of file diff --git a/lib/linux/software/.keep b/lib/linux/software/.keep new file mode 100644 index 00000000..5c2e4027 --- /dev/null +++ b/lib/linux/software/.keep @@ -0,0 +1 @@ +Ignore this file. It only exists because git refuses to push empty directories to a remote server. \ No newline at end of file diff --git a/lib/macos.policies.yml b/lib/macos.policies.yml deleted file mode 100644 index 0a29e6ec..00000000 --- a/lib/macos.policies.yml +++ /dev/null 
@@ -1,52 +0,0 @@ -- name: macOS - Enable FileVault - platform: darwin - description: This policy checks if FileVault (disk encryption) is enabled. - resolution: As an IT admin, turn on disk encryption in Fleet. - query: SELECT 1 FROM filevault_status WHERE status = 'FileVault is On.'; -- name: macOS - Disable guest account - platform: darwin - description: This policy checks if the guest account is disabled. - resolution: An an IT admin, deploy a macOS, login window profile with the DisableGuestAccount option set to true. - query: SELECT 1 FROM managed_policies WHERE domain='com.apple.loginwindow' AND username = '' AND name='DisableGuestAccount' AND CAST(value AS INT) = 1; -- name: macOS - Enable Firewall - platform: darwin - description: This policy checks if Firewall is enabled. - resolution: An an IT admin, deploy a macOS, Firewall profile with the EnableFirewall option set to true. - query: SELECT 1 FROM managed_policies WHERE domain='com.apple.security.firewall' AND username = '' AND name='EnableFirewall' AND CAST(value AS INT) = 1; -- name: macOS - Require 10 character password - platform: darwin - description: This policy checks if the end user is required to enter a password, with at least 10 characters, to unlock the host. - resolution: An an IT admin, deploy a macOS, screensaver profile with the askForPassword option set to true and minLength option set to 10. - query: | - SELECT 1 WHERE - EXISTS ( - SELECT 1 FROM managed_policies WHERE - domain='com.apple.screensaver' AND - name='askForPassword' AND - CAST(value AS INT) - ) - AND EXISTS ( - SELECT 1 FROM managed_policies WHERE - domain='com.apple.screensaver' AND - name='minLength' AND - CAST(value AS INT) <= 10 - ); -- name: macOS - Enable screen saver after 20 minutes - platform: darwin - description: This policy checks if maximum amount of time (in minutes) the device is allowed to sit idle before the screen is locked. End users can select any value less than the specified maximum. 
- resolution: An an IT admin, deploy a macOS, screen saver profile with the maxInactivity option set to 20 minutes. - query: | - SELECT 1 WHERE - EXISTS ( - SELECT 1 FROM managed_policies WHERE - domain='com.apple.screensaver' AND - name='idleTime' AND - CAST(value AS INT) <= 1200 AND - username = '' - ) - AND NOT EXISTS ( - SELECT 1 FROM managed_policies WHERE - domain='com.apple.screensaver' AND - name='idleTime' AND - CAST(value AS INT) > 1200 - ); diff --git a/lib/macos/commands/.keep b/lib/macos/commands/.keep new file mode 100644 index 00000000..5c2e4027 --- /dev/null +++ b/lib/macos/commands/.keep @@ -0,0 +1 @@ +Ignore this file. It only exists because git refuses to push empty directories to a remote server. \ No newline at end of file diff --git a/lib/macos/configuration-profiles/.keep b/lib/macos/configuration-profiles/.keep new file mode 100644 index 00000000..5c2e4027 --- /dev/null +++ b/lib/macos/configuration-profiles/.keep @@ -0,0 +1 @@ +Ignore this file. It only exists because git refuses to push empty directories to a remote server. \ No newline at end of file diff --git a/lib/macos/declaration-profiles/.keep b/lib/macos/declaration-profiles/.keep new file mode 100644 index 00000000..5c2e4027 --- /dev/null +++ b/lib/macos/declaration-profiles/.keep @@ -0,0 +1 @@ +Ignore this file. It only exists because git refuses to push empty directories to a remote server. \ No newline at end of file diff --git a/lib/macos/enrollment-profiles/.keep b/lib/macos/enrollment-profiles/.keep new file mode 100644 index 00000000..5c2e4027 --- /dev/null +++ b/lib/macos/enrollment-profiles/.keep @@ -0,0 +1 @@ +Ignore this file. It only exists because git refuses to push empty directories to a remote server. \ No newline at end of file diff --git a/lib/macos/misc/.keep b/lib/macos/misc/.keep new file mode 100644 index 00000000..5c2e4027 --- /dev/null +++ b/lib/macos/misc/.keep 
@@ -0,0 +1 @@ +Ignore this file. It only exists because git refuses to push empty directories to a remote server. \ No newline at end of file diff --git a/lib/macos/policies/.keep b/lib/macos/policies/.keep new file mode 100644 index 00000000..5c2e4027 --- /dev/null +++ b/lib/macos/policies/.keep @@ -0,0 +1 @@ +Ignore this file. It only exists because git refuses to push empty directories to a remote server. \ No newline at end of file diff --git a/lib/macos/queries/.keep b/lib/macos/queries/.keep new file mode 100644 index 00000000..5c2e4027 --- /dev/null +++ b/lib/macos/queries/.keep @@ -0,0 +1 @@ +Ignore this file. It only exists because git refuses to push empty directories to a remote server. \ No newline at end of file diff --git a/lib/macos/scripts/.keep b/lib/macos/scripts/.keep new file mode 100644 index 00000000..5c2e4027 --- /dev/null +++ b/lib/macos/scripts/.keep @@ -0,0 +1 @@ +Ignore this file. It only exists because git refuses to push empty directories to a remote server. \ No newline at end of file diff --git a/lib/macos/software/.keep b/lib/macos/software/.keep new file mode 100644 index 00000000..5c2e4027 --- /dev/null +++ b/lib/macos/software/.keep @@ -0,0 +1 @@ +Ignore this file. It only exists because git refuses to push empty directories to a remote server. \ No newline at end of file diff --git a/lib/queries.yml b/lib/queries.yml deleted file mode 100644 index a29a0be6..00000000 --- a/lib/queries.yml +++ /dev/null 
@@ -1,21 +0,0 @@ -- name: Collect failed login attempts - description: Lists the users at least one failed login attempt and timestamp of failed login. Number of failed login attempts reset to zero after a user successfully logs in. - query: SELECT users.username, account_policy_data.failed_login_count, account_policy_data.failed_login_timestamp FROM users INNER JOIN account_policy_data using (uid) WHERE account_policy_data.failed_login_count > 0; - interval: 300 # 5 minutes - observer_can_run: false - automations_enabled: false - platform: darwin,linux,windows -- name: Collect USB devices - description: Collects the USB devices that are currently connected to macOS and Linux hosts. - query: SELECT model, vendor FROM usb_devices; - interval: 360 # 6 minutes - observer_can_run: true - automations_enabled: false - platform: darwin,linux -- name: Collect fleetd update channels - description: "Collects the update channels for all fleetd components: osquery, Orbit, and Fleet Desktop. To see which version number each channel is on, ask in #help-engineering." - query: SELECT desktop_channel, orbit_channel, osqueryd_channel FROM orbit_info; - interval: 300 # 5 minutes - observer_can_run: true - automations_enabled: false - platform: darwin,linux,windows diff --git a/lib/windows.policies.yml b/lib/windows.policies.yml deleted file mode 100644 index 09b3ca19..00000000 --- a/lib/windows.policies.yml +++ /dev/null 
@@ -1,20 +0,0 @@ -- name: Windows - Enable BitLocker - platform: windows - description: "This policy checks if BitLocker (disk encryption) is enabled on the C: volume." - resolution: As an IT admin, turn on disk encryption in Fleet. - query: SELECT * FROM bitlocker_info WHERE drive_letter='C:' AND protection_status = 1; -- name: Windows - Disable guest account - platform: windows - description: This policy checks if the guest account is disabled. The Guest account allows unauthenticated network users to gain access to the system. - resolution: "As an IT admin, deploy a Windows profile with the Accounts_EnableGuestAccountStatus option documented here: https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#accounts_enableguestaccountstatus" - query: SELECT 1 FROM mdm_bridge where mdm_command_input = "1./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus" and CAST(mdm_command_output AS INT) = 0; -- name: Windows - Require 10 character password - platform: windows - description: This policy checks if the end user is required to enter a password, with at least 10 characters, to unlock the host. - resolution: "As an IT admin, deploy a Windows profile with the DevicePasswordEnabled and MinDevicePasswordLength option documented here: https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-devicelock" - query: SELECT 1 FROM mdm_bridge where mdm_command_input = "1./Device/Vendor/MSFT/Policy/Result/DeviceLock/DevicePasswordEnabled" and CAST(mdm_command_output AS INT) = 0; -- name: Windows - Enable screen saver after 20 minutes - platform: windows - description: This policy checks if maximum amount of time (in minutes) the device is allowed to sit idle before the screen is locked. End users can select any value less than the specified maximum. 
- resolution: "As an IT admin, to deploy a Windows profile with the MaxInactivityTimeDeviceLock option documented here: https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-devicelock#maxinactivitytimedevicelock" - query: SELECT 1 FROM mdm_bridge where mdm_command_input = "1./Device/Vendor/MSFT/Policy/Result/DeviceLock/MaxInactivityTimeDeviceLock" and CAST(mdm_command_output AS INT) <= 20; diff --git a/lib/windows/configuration-profiles/.keep b/lib/windows/configuration-profiles/.keep new file mode 100644 index 00000000..5c2e4027 --- /dev/null +++ b/lib/windows/configuration-profiles/.keep @@ -0,0 +1 @@ +Ignore this file. It only exists because git refuses to push empty directories to a remote server. \ No newline at end of file diff --git a/lib/windows/policies/.keep b/lib/windows/policies/.keep new file mode 100644 index 00000000..5c2e4027 --- /dev/null +++ b/lib/windows/policies/.keep @@ -0,0 +1 @@ +Ignore this file. It only exists because git refuses to push empty directories to a remote server. \ No newline at end of file diff --git a/lib/windows/queries/.keep b/lib/windows/queries/.keep new file mode 100644 index 00000000..5c2e4027 --- /dev/null +++ b/lib/windows/queries/.keep @@ -0,0 +1 @@ +Ignore this file. It only exists because git refuses to push empty directories to a remote server. \ No newline at end of file diff --git a/lib/windows/scripts/.keep b/lib/windows/scripts/.keep new file mode 100644 index 00000000..5c2e4027 --- /dev/null +++ b/lib/windows/scripts/.keep @@ -0,0 +1 @@ +Ignore this file. It only exists because git refuses to push empty directories to a remote server. \ No newline at end of file diff --git a/lib/windows/software/.keep b/lib/windows/software/.keep new file mode 100644 index 00000000..5c2e4027 --- /dev/null +++ b/lib/windows/software/.keep @@ -0,0 +1 @@ +Ignore this file. It only exists because git refuses to push empty directories to a remote server. \ No newline at end of file 
diff --git a/teams/dedicated.devices.yml b/teams/dedicated-devices.yml
similarity index 100%
rename from teams/dedicated.devices.yml
rename to teams/dedicated-devices.yml
diff --git a/teams/no-team.yml b/teams/no-team.yml
deleted file mode 100644
index 3461d90e..00000000
--- a/teams/no-team.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-name: No team
-policies:
-queries:
-agent_options:
-controls:
-software:
diff --git a/teams/personal-mobile-devices.yml b/teams/personal-mobile-devices.yml
index 6b7e170f..0e4b29a0 100644
--- a/teams/personal-mobile-devices.yml
+++ b/teams/personal-mobile-devices.yml
@@ -6,4 +6,4 @@ controls:
 software:
 team_settings:
 secrets:
- - secret: "$PERSONAL_MOBILE_DEVICES_ENROLL_SECRET"
+ - secret: "$PERSONAL_MOBILE_DEVICES_ENROLL_SECRET
From c00f7b83913037542a90f27e16efbbe134276755 Mon Sep 17 00:00:00 2001
From: Noah Talerman
Date: Mon, 2 Feb 2026 09:43:00 -0500
Subject: [PATCH 06/26] Update YAML
---
 teams/workstations.yml | 10 ----------
 1 file changed, 10 deletions(-)
diff --git a/teams/workstations.yml b/teams/workstations.yml
index 62cfe2f9..e4287acd 100644
--- a/teams/workstations.yml
+++ b/teams/workstations.yml
@@ -1,19 +1,9 @@
 name: "💻 Workstations"
 policies:
- - path: ../lib/macos.policies.yml
- - path: ../lib/windows.policies.yml
- - path: ../lib/linux.policies.yml
 queries:
- - path: ../lib/queries.yml
 agent_options:
- path: ../lib/agent-options.yml
 controls:
- scripts:
- - path: ../lib/collect-fleetd-logs.sh
 software:
 team_settings:
 secrets:
 - secret: "$WORKSTATIONS_ENROLL_SECRET"
- features:
- enable_host_users: true
- enable_software_inventory: true
From 74ddeae28c20ee49d10a3e02605967f1c4591612 Mon Sep 17 00:00:00 2001
From: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Date: Mon, 2 Feb 2026 15:00:41 -0500
Subject: [PATCH 07/26] Update workflow.yml
---
 .github/workflows/workflow.yml | 6 ------
 1 file changed, 6 deletions(-)
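Review bot: The added line `- secret: "$PERSONAL_MOBILE_DEVICES_ENROLL_SECRET` has no closing double quote, so teams/personal-mobile-devices.yml stops being valid YAML and any run of the apply workflow that loads the teams directory should fail while parsing this file rather than at Fleet. The removed line was already well-formed, so the intended line is presumably `- secret: "$PERSONAL_MOBILE_DEVICES_ENROLL_SECRET"`. A later patch in this series replaces the whole value and removes the unterminated string as a side effect, but this commit does not stand on its own.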
diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml
index d431aff1..ed436792 100644
--- a/.github/workflows/workflow.yml
+++ b/.github/workflows/workflow.yml
@@ -39,9 +39,3 @@ jobs:
 env:
 FLEET_URL: ${{ secrets.FLEET_URL }}
 FLEET_API_TOKEN: ${{ secrets.FLEET_API_TOKEN }}
- GLOBAL_ENROLL_SECRET: ${{ secrets.GLOBAL_ENROLL_SECRET }}
- WORKSTATIONS_ENROLL_SECRET: ${{ secrets.WORKSTATIONS_ENROLL_SECRET }}
- IT_SERVERS_ENROLL_SECRET: ${{ secrets.IT_SERVERS_ENROLL_SECRET }}
- PERSONAL_MOBILE_DEVICES_ENROLL_SECRET: ${{ secrets.PERSONAL_MOBILE_DEVICES_ENROLL_SECRET }}
- EMPLOYEE_ISSUED_MOBILE_DEVICES_ENROLL_SECRET: ${{ secrets.EMPLOYEE_ISSUED_MOBILE_DEVICES_ENROLL_SECRET }}
- DEDICATED_DEVICES_ENROLL_SECRET: ${{ secrets.DEDICATED_DEVICES_ENROLL_SECRET }}
From d1beebb3ccb2d2b49d8787df4b033ffda58367c1 Mon Sep 17 00:00:00 2001
From: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Date: Mon, 2 Feb 2026 15:01:47 -0500
Subject: [PATCH 08/26] Update default.yml
---
 default.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/default.yml b/default.yml
index d3594caf..d5ce4027 100644
--- a/default.yml
+++ b/default.yml
@@ -10,4 +10,4 @@ org_settings:
 org_info:
 org_name: Fleet
 secrets:
- - secret: "$GLOBAL_ENROLL_SECRET"
+ - secret: "REPLACE_WITH_ENVIRONMENT_VARIABLE"
From cf99532fb8aa3d55ab64f0c643579e1587867677 Mon Sep 17 00:00:00 2001
From: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Date: Mon, 2 Feb 2026 15:02:09 -0500
Subject: [PATCH 09/26] Update teams/dedicated-devices.yml
---
 teams/dedicated-devices.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/teams/dedicated-devices.yml b/teams/dedicated-devices.yml
index b2d2c7b3..4062df2a 100644
--- a/teams/dedicated-devices.yml
+++ b/teams/dedicated-devices.yml
@@ -6,4 +6,4 @@ controls:
 software:
 team_settings:
 secrets:
- - secret: "$DEDICATED_DEVICES_ENROLL_SECRET"
+ - secret: "REPLACE_WITH_ENVIRONMENT_VARIABLE"
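Review bot: `- secret: "REPLACE_WITH_ENVIRONMENT_VARIABLE"` in default.yml is a literal value, not a reference: without the leading `$` nothing is substituted at apply time, so the global enroll secret Fleet is configured with becomes this published placeholder string, and the README in this series tells new users to run the apply workflow as soon as the repository is set up. An enroll secret is the credential a host presents to join the fleet, so a placeholder committed to a starter repository is effectively a known credential until someone edits it; the same literal is committed for teams/dedicated-devices.yml in the next hunk and for workstations, employee-issued-mobile-devices, it-servers and personal-mobile-devices in patches 10 through 13. Keeping a `$`-prefixed reference and moving the instruction into a comment, e.g. `- secret: "$GLOBAL_ENROLL_SECRET"  # set GLOBAL_ENROLL_SECRET in your CI secrets before running the workflow`, should make an unset variable show up as an apply-time problem rather than as a plausible-looking secret. If the server still enforces the enroll-secret format the removed README text described (alphanumeric, 32 to 255 characters), the underscores in the literal may also be rejected, which would make the first apply fail for a reason unrelated to what the user just did.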
From 7a355d7bf0b0042e290affd307fd16725f9ce102 Mon Sep 17 00:00:00 2001
From: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Date: Mon, 2 Feb 2026 15:03:05 -0500
Subject: [PATCH 10/26] Update teams/workstations.yml
---
 teams/workstations.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/teams/workstations.yml b/teams/workstations.yml
index e4287acd..78a5e122 100644
--- a/teams/workstations.yml
+++ b/teams/workstations.yml
@@ -6,4 +6,4 @@ controls:
 software:
 team_settings:
 secrets:
- - secret: "$WORKSTATIONS_ENROLL_SECRET"
+ - secret: "REPLACE_WITH_ENVIRONMENT_VARIABLE"
From 85c8552812fcf090266d92760380f7d06d434c1c Mon Sep 17 00:00:00 2001
From: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Date: Mon, 2 Feb 2026 15:03:13 -0500
Subject: [PATCH 11/26] Update teams/employee-issued-mobile-devices.yml
---
 teams/employee-issued-mobile-devices.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/teams/employee-issued-mobile-devices.yml b/teams/employee-issued-mobile-devices.yml
index 756f9199..83f0c959 100644
--- a/teams/employee-issued-mobile-devices.yml
+++ b/teams/employee-issued-mobile-devices.yml
@@ -6,4 +6,4 @@ controls:
 software:
 team_settings:
 secrets:
- - secret: "$EMPLOYEE_ISSUED_MOBILE_DEVICES_ENROLL_SECRET"
+ - secret: "REPLACE_WITH_ENVIRONMENT_VARIABLE"
From 1aac59ba77588722002c015c826e0b1509d94603 Mon Sep 17 00:00:00 2001
From: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Date: Mon, 2 Feb 2026 15:03:20 -0500
Subject: [PATCH 12/26] Update teams/it-servers.yml
---
 teams/it-servers.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/teams/it-servers.yml b/teams/it-servers.yml
index f8a15a51..c6524fa0 100644
--- a/teams/it-servers.yml
+++ b/teams/it-servers.yml
@@ -6,4 +6,4 @@ controls:
 software:
 team_settings:
 secrets:
- - secret: "$IT_SERVERS_ENROLL_SECRET"
+ - secret: "REPLACE_WITH_ENVIRONMENT_VARIABLE"
From b0bac44a46d621b35b6ec3f9f7849407e30cc83a Mon Sep 17 00:00:00 2001
From: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Date: Mon, 2 Feb 2026 15:03:28 -0500
Subject: [PATCH 13/26] Update teams/personal-mobile-devices.yml
---
 teams/personal-mobile-devices.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/teams/personal-mobile-devices.yml b/teams/personal-mobile-devices.yml
index 0e4b29a0..440c45ab 100644
--- a/teams/personal-mobile-devices.yml
+++ b/teams/personal-mobile-devices.yml
@@ -6,4 +6,4 @@ controls:
 software:
 team_settings:
 secrets:
- - secret: "$PERSONAL_MOBILE_DEVICES_ENROLL_SECRET
+ - secret: "REPLACE_WITH_ENVIRONMENT_VARIABLE"
From 8d5595fac05db8316ac5e7c7449852f4fcbe64db Mon Sep 17 00:00:00 2001
From: Noah Talerman
Date: Tue, 3 Feb 2026 13:12:27 -0500
Subject: [PATCH 14/26] Shorten the README
---
 README.md | 23 ++++------------------
 gitops.sh | 7 ++++---
 2 files changed, 8 insertions(+), 22 deletions(-)
diff --git a/README.md b/README.md
index 91fd8c74..a11524cc 100644
--- a/README.md
+++ b/README.md
@@ -10,14 +10,7 @@ This is the starter repository for using [Fleet](https://fleetdm.com) with a Git 2. Add `FLEET_URL` and `FLEET_API_TOKEN` secrets to your new repository's secrets. Learn how [here](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository). Set `FLEET_URL` to your Fleet instance's URL (ex. https://organization.fleet.com). [Create an API-only user](https://fleetdm.com/docs/using-fleet/fleetctl-cli#create-api-only-user) with the "GitOps" role and set `FLEET_API_TOKEN` to your user's API token. If you're using Fleet Free, set the API-only user's role to global admin. -3. Add `FLEET_GLOBAL_ENROLL_SECRET` secret to your new repository's secrets. The enroll secret must be an alphanumeric string of at least 32 and at most 255 characters. - - If you have a Premium Fleet license, also add `FLEET_WORKSTATIONS_ENROLL_SECRET` and `FLEET_WORKSTATIONS_CANARY_ENROLL_SECRET`. - - If you do not have a Premium Fleet license, delete the `teams` directory. - -4. If you are using secrets to manage SSO metadata for Fleet SSO login or MDM SSO login, uncomment lines 22 and 23 in `gitops.sh`. - - If you are using different variable names for your secrets, edit the appropriate line to reflect the correct variable name. - -5. In GitHub, enable the `Apply latest configuration to Fleet` GitHub Actions workflow, and run workflow manually. Now, when anyone pushes a new commit to the default branch, the action will run and update Fleet. For pull requests, the workflow will do a dry run only. +3. In GitHub, enable the `Apply latest configuration to Fleet` GitHub Actions workflow, and run workflow manually. Now, when anyone pushes a new commit to the default branch, the action will run and update Fleet. For pull requests, the workflow will do a dry run only. ## GitLab setup 
@@ -25,16 +18,9 @@ This is the starter repository for using [Fleet](https://fleetdm.com) with a Git 2. Add `FLEET_URL` and `FLEET_API_TOKEN` as masked CI/CD variables. Learn how [here](https://docs.gitlab.com/ee/ci/variables/#define-a-cicd-variable-in-the-ui). Set `FLEET_URL` to your Fleet instance's URL (ex. https://organization.fleet.com). Set `FLEET_API_TOKEN` to an API token for an API-only user in Fleet. Learn how [here](https://fleetdm.com/docs/using-fleet/fleetctl-cli#create-api-only-user), then, grant it the `GitOps` role via the **Settings** > **Users** page so it can make changes. -3. Add `FLEET_GLOBAL_ENROLL_SECRET` secret as a masked CI/CD variable. The enroll secret must be an alphanumeric string of at least 32 and at most 255 characters. - - If you have a Premium Fleet license, also add `FLEET_WORKSTATIONS_ENROLL_SECRET` and `FLEET_WORKSTATIONS_CANARY_ENROLL_SECRET`. - - If you do not have a Premium Fleet license, delete the `teams` directory. - -4. If you are using secrets to manage SSO metadata for Fleet SSO login or MDM SSO login, uncomment lines 22 and 23 in `gitops.sh`. - - If you are using different variable names for your secrets, edit the appropriate line to reflect the correct variable name. +3. Now, when anyone pushes a new commit to the default branch, the pipeline will run and update Fleet. For merge requests, the pipeline will do a dry run only. -5. Now, when anyone pushes a new commit to the default branch, the pipeline will run and update Fleet. For merge requests, the pipeline will do a dry run only. - -6. (Optional) To ensure your Fleet configuration stays up to date even when there are no new commits, set up a scheduled pipeline: +4. To ensure your Fleet configuration stays up to date even when there are no new commits, set up a scheduled pipeline: - In your GitLab project, go to the left sidebar and navigate to **Build > Pipeline schedules**. (In some GitLab versions, this may appear as **CI/CD > Schedules**.) 
- Click **Create a new pipeline schedule** (or **Schedule a new pipeline**). - Fill in the form: @@ -48,11 +34,10 @@ This is the starter repository for using [Fleet](https://fleetdm.com) with a Git For all configuration options, go to the [YAML files reference](https://fleetdm.com/docs/using-fleet/gitops) in the Fleet docs. -## Fleet UI +## GitOps mode Once you're set up with GitOps in Fleet, you can optionally put the UI in GitOps mode. This prevents you from making changes in the UI that would be overridden by GitOps workflows. An admin can enable GitOps mode in **Settings** > **Integrations** > **Change management**. Note that this is a UI-only setting. API permissions are restricted based on user role. - diff --git a/gitops.sh b/gitops.sh index 9a3c2b98..bcff87c1 100755 --- a/gitops.sh +++ b/gitops.sh @@ -21,13 +21,14 @@ else FLEET_DELETE_OTHER_TEAMS=false fi -# Copy/pasting raw SSO metadata into GitHub secrets will result in malformed yaml. -# Adds spaces to all but the first line of metadata keeps the multiline string in bounds. -# See README for more information +# If you are using secrets to manage SSO metadata for Fleet SSO login or MDM SSO login, uncomment the below: # FLEET_SSO_METADATA=$( sed '2,$s/^/ /' <<< "${FLEET_MDM_SSO_METADATA}") # FLEET_MDM_SSO_METADATA=$( sed '2,$s/^/ /' <<< "${FLEET_MDM_SSO_METADATA}") +# Copy/pasting raw SSO metadata into GitHub secrets will result in malformed yaml. +# Adds spaces to all but the first line of metadata keeps the multiline string in bounds. + if compgen -G "$FLEET_GITOPS_DIR"/teams/*.yml > /dev/null; then # Validate that every team has a unique name. # This is a limited check that assumes all team files contain the phrase: `name: ` From d4a3d573059eef8f89c2d98b5cfdffe63a3edb8d Mon Sep 17 00:00:00 2001 From: Noah Talerman Date: Tue, 3 Feb 2026 13:12:52 -0500 Subject: [PATCH 15/26] Fix README --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
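Review bot: The new instruction `# If you are using secrets to manage SSO metadata for Fleet SSO login or MDM SSO login, uncomment the below:` points users straight at two commented commands, and the first of them looks like a copy/paste slip: `# FLEET_SSO_METADATA=$( sed '2,$s/^/ /' <<< "${FLEET_MDM_SSO_METADATA}")` reads the MDM variable into the Fleet-SSO variable, so uncommenting both as told would apply the MDM metadata to both logins; `"${FLEET_SSO_METADATA}"` is presumably what was meant. Those two commands are unchanged context here, but this commit is what turns them into an explicit instruction. The two explanatory lines moved below them (`# Copy/pasting raw SSO metadata ...` and `# Adds spaces ...`) now describe commands that sit above, which reads oddly; keeping them directly under the new instruction line and above the commands keeps the why next to the how. The `if`/`else` this hunk opens inside starts outside the hunk.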
diff --git a/README.md b/README.md index a11524cc..61073f23 100644 --- a/README.md +++ b/README.md @@ -6,7 +6,7 @@ This is the starter repository for using [Fleet](https://fleetdm.com) with a Git ## GitHub setup -1. Clone the [GitHub repository](https://github.com/fleetdm/fleet-gitops), create your own GitHub repository, and push your clone to your new repo. Note that a workflow will run once and fail because the required variables haven't been added (step 2 and 3). +1. Clone the [GitHub repository](https://github.com/fleetdm/fleet-gitops), create your own GitHub repository, and push your clone to your new repo. Note that a workflow will run once and fail because the required variables haven't been added (step 2). 2. Add `FLEET_URL` and `FLEET_API_TOKEN` secrets to your new repository's secrets. Learn how [here](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository). Set `FLEET_URL` to your Fleet instance's URL (ex. https://organization.fleet.com). [Create an API-only user](https://fleetdm.com/docs/using-fleet/fleetctl-cli#create-api-only-user) with the "GitOps" role and set `FLEET_API_TOKEN` to your user's API token. If you're using Fleet Free, set the API-only user's role to global admin. 
@@ -14,7 +14,7 @@ This is the starter repository for using [Fleet](https://fleetdm.com) with a Git ## GitLab setup -1. Clone the [GitLab repository](https://gitlab.com/fleetdm/fleet-gitops), create your own GitLab repository, and push your clone to your new repo. Note that a pipeline will run once and fail because the required variables haven't been added (step 2 and 3). +1. Clone the [GitLab repository](https://gitlab.com/fleetdm/fleet-gitops), create your own GitLab repository, and push your clone to your new repo. Note that a pipeline will run once and fail because the required variables haven't been added (step 2). 2. Add `FLEET_URL` and `FLEET_API_TOKEN` as masked CI/CD variables. Learn how [here](https://docs.gitlab.com/ee/ci/variables/#define-a-cicd-variable-in-the-ui). Set `FLEET_URL` to your Fleet instance's URL (ex. https://organization.fleet.com). Set `FLEET_API_TOKEN` to an API token for an API-only user in Fleet. Learn how [here](https://fleetdm.com/docs/using-fleet/fleetctl-cli#create-api-only-user), then, grant it the `GitOps` role via the **Settings** > **Users** page so it can make changes. From d1b8fc5179745d549b9aae57fa8d8ba1592e6e2c Mon Sep 17 00:00:00 2001 From: Noah Talerman Date: Tue, 3 Feb 2026 13:13:28 -0500 Subject: [PATCH 16/26] Clean up --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 61073f23..33f2e360 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ This is the starter repository for using [Fleet](https://fleetdm.com) with a GitOps workflow. -[Why use GitOps?](https://fleetdm.com/guides/sysadmin-diaries-gitops-a-strategic-advantage#basic-article) +[Why use GitOps?](https://fleetdm.com/guides/sysadmin-diaries-gitops-a-strategic-advantage) ## GitHub setup From cce400ea364a90dd8c5479fb30d9a9b1092cdbdd Mon Sep 17 00:00:00 2001 
From: Noah Talerman
Date: Tue, 3 Feb 2026 13:15:25 -0500
Subject: [PATCH 17/26] Add learn how
---
 teams/dedicated-devices.yml | 2 +-
 teams/employee-issued-mobile-devices.yml | 2 +-
 teams/personal-mobile-devices.yml | 2 +-
 teams/workstations.yml | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/teams/dedicated-devices.yml b/teams/dedicated-devices.yml
index 4062df2a..d6b07601 100644
--- a/teams/dedicated-devices.yml
+++ b/teams/dedicated-devices.yml
@@ -6,4 +6,4 @@ controls:
 software:
 team_settings:
 secrets:
- - secret: "REPLACE_WITH_ENVIRONMENT_VARIABLE"
+ - secret: "REPLACE_WITH_ENVIRONMENT_VARIABLE" # Learn how: https://fleetdm.com/guides/secrets-in-scripts-and-configuration-profiles#gitops
diff --git a/teams/employee-issued-mobile-devices.yml b/teams/employee-issued-mobile-devices.yml
index 83f0c959..a29dbe0b 100644
--- a/teams/employee-issued-mobile-devices.yml
+++ b/teams/employee-issued-mobile-devices.yml
@@ -6,4 +6,4 @@ controls:
 software:
 team_settings:
 secrets:
- - secret: "REPLACE_WITH_ENVIRONMENT_VARIABLE"
+ - secret: "REPLACE_WITH_ENVIRONMENT_VARIABLE" # Learn how: https://fleetdm.com/guides/secrets-in-scripts-and-configuration-profiles#gitops
diff --git a/teams/personal-mobile-devices.yml b/teams/personal-mobile-devices.yml
index 440c45ab..658dd343 100644
--- a/teams/personal-mobile-devices.yml
+++ b/teams/personal-mobile-devices.yml
@@ -6,4 +6,4 @@ controls:
 software:
 team_settings:
 secrets:
- - secret: "REPLACE_WITH_ENVIRONMENT_VARIABLE"
+ - secret: "REPLACE_WITH_ENVIRONMENT_VARIABLE" # Learn how: https://fleetdm.com/guides/secrets-in-scripts-and-configuration-profiles#gitops
diff --git a/teams/workstations.yml b/teams/workstations.yml
index 78a5e122..248f163f 100644
--- a/teams/workstations.yml
+++ b/teams/workstations.yml
@@ -6,4 +6,4 @@ controls:
 software:
 team_settings:
 secrets:
- - secret: "REPLACE_WITH_ENVIRONMENT_VARIABLE"
+ - secret: "REPLACE_WITH_ENVIRONMENT_VARIABLE" # Learn how: https://fleetdm.com/guides/secrets-in-scripts-and-configuration-profiles#gitops
From 161edf9bff1fc091ee70712ea7db9afff4d72dd5 Mon Sep 17 00:00:00 2001
From: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Date: Tue, 3 Feb 2026 13:48:18 -0500
Subject: [PATCH 18/26] Update teams/workstations.yml
---
 teams/workstations.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/teams/workstations.yml b/teams/workstations.yml
index 248f163f..7c49f0ce 100644
--- a/teams/workstations.yml
+++ b/teams/workstations.yml
@@ -6,4 +6,4 @@ controls:
 software:
 team_settings:
 secrets:
- - secret: "REPLACE_WITH_ENVIRONMENT_VARIABLE" # Learn how: https://fleetdm.com/guides/secrets-in-scripts-and-configuration-profiles#gitops
+ - secret: "REPLACE_ME_1" # Replace with environment variable. Learn how: https://fleetdm.com/guides/secrets-in-scripts-and-configuration-profiles#gitops
From 1bc1f957cf4d7eb3a45365e715ae9778a9b42b6f Mon Sep 17 00:00:00 2001
From: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Date: Tue, 3 Feb 2026 13:50:53 -0500
Subject: [PATCH 19/26] Update teams/personal-mobile-devices.yml
---
 teams/personal-mobile-devices.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/teams/personal-mobile-devices.yml b/teams/personal-mobile-devices.yml
index 658dd343..84dc813b 100644
--- a/teams/personal-mobile-devices.yml
+++ b/teams/personal-mobile-devices.yml
@@ -6,4 +6,4 @@ controls:
 software:
 team_settings:
 secrets:
- - secret: "REPLACE_WITH_ENVIRONMENT_VARIABLE" # Learn how: https://fleetdm.com/guides/secrets-in-scripts-and-configuration-profiles#gitops
+ - secret: "REPLACE_WITH_ENVIRONMENT_VARIABLE_3" # Learn how: https://fleetdm.com/guides/secrets-in-scripts-and-configuration-profiles#gitops
From 5e48a6e18bd2ea8e4bc69841ad09fb9fad7117a7 Mon Sep 17 00:00:00 2001
From: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Date: Tue, 3 Feb 2026 13:51:02 -0500
Subject: [PATCH 20/26] Update teams/workstations.yml
---
 teams/workstations.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/teams/workstations.yml b/teams/workstations.yml
index 7c49f0ce..9fbc0d4f 100644
--- a/teams/workstations.yml
+++ b/teams/workstations.yml
@@ -6,4 +6,4 @@ controls:
 software:
 team_settings:
 secrets:
- - secret: "REPLACE_ME_1" # Replace with environment variable. Learn how: https://fleetdm.com/guides/secrets-in-scripts-and-configuration-profiles#gitops
+ - secret: "REPLACE_WITH_ENVIRONMENT_VARIABLE_5" # Learn how: https://fleetdm.com/guides/secrets-in-scripts-and-configuration-profiles#gitops
From a22cd288d8082037b21644cda1f2c05076590b93 Mon Sep 17 00:00:00 2001
From: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Date: Tue, 3 Feb 2026 13:51:14 -0500
Subject: [PATCH 21/26] Update teams/dedicated-devices.yml
---
 teams/dedicated-devices.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/teams/dedicated-devices.yml b/teams/dedicated-devices.yml
index d6b07601..849eb79d 100644
--- a/teams/dedicated-devices.yml
+++ b/teams/dedicated-devices.yml
@@ -6,4 +6,4 @@ controls:
 software:
 team_settings:
 secrets:
- - secret: "REPLACE_WITH_ENVIRONMENT_VARIABLE" # Learn how: https://fleetdm.com/guides/secrets-in-scripts-and-configuration-profiles#gitops
+ - secret: "REPLACE_WITH_ENVIRONMENT_VARIABLE_1" # Learn how: https://fleetdm.com/guides/secrets-in-scripts-and-configuration-profiles#gitops
From 2b21a1761146f31e884eae317b9012d1c19814c5 Mon Sep 17 00:00:00 2001
From: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Date: Tue, 3 Feb 2026 13:51:25 -0500
Subject: [PATCH 22/26] Update teams/employee-issued-mobile-devices.yml
---
 teams/employee-issued-mobile-devices.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/teams/employee-issued-mobile-devices.yml b/teams/employee-issued-mobile-devices.yml
index a29dbe0b..14ba6a13 100644
--- a/teams/employee-issued-mobile-devices.yml
+++ b/teams/employee-issued-mobile-devices.yml
@@ -6,4 +6,4 @@ controls:
 software:
 team_settings:
 secrets:
- - secret: "REPLACE_WITH_ENVIRONMENT_VARIABLE" # Learn how: https://fleetdm.com/guides/secrets-in-scripts-and-configuration-profiles#gitops
+ - secret: "REPLACE_WITH_ENVIRONMENT_VARIABLE_2" # Learn how: https://fleetdm.com/guides/secrets-in-scripts-and-configuration-profiles#gitops
From ea7b15ef6b8c2af062fcb85ec439d0f7ddf718e5 Mon Sep 17 00:00:00 2001
From: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Date: Tue, 3 Feb 2026 13:51:32 -0500
Subject: [PATCH 23/26] Update teams/it-servers.yml
---
 teams/it-servers.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/teams/it-servers.yml b/teams/it-servers.yml
index c6524fa0..a8b928c0 100644
--- a/teams/it-servers.yml
+++ b/teams/it-servers.yml
@@ -6,4 +6,4 @@ controls:
 software:
 team_settings:
 secrets:
- - secret: "REPLACE_WITH_ENVIRONMENT_VARIABLE"
+ - secret: "REPLACE_WITH_ENVIRONMENT_VARIABLE_4" # Learn how: https://fleetdm.com/guides/secrets-in-scripts-and-configuration-profiles#gitops
From f6afde6e40f55d757366b4ba754a369393385d69 Mon Sep 17 00:00:00 2001
From: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Date: Tue, 3 Feb 2026 13:53:14 -0500
Subject: [PATCH 24/26] Update default.yml
---
 default.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/default.yml b/default.yml
index d5ce4027..f396e8e8 100644
--- a/default.yml
+++ b/default.yml
@@ -3,7 +3,6 @@
 policies:
 queries:
 agent_options:
- path: ./lib/agent-options.yml
 org_settings:
 server_settings:
 server_url: $FLEET_URL
From b5fa895ee22d85758d7e6a7fb52b55e8ae72a09a Mon Sep 17 00:00:00 2001
From: Noah Talerman
Date: Tue, 3 Feb 2026 13:54:18 -0500
Subject: [PATCH 25/26] New filename
---
 lib/all/{agent-options.yml => agent-options}/.keep | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename lib/all/{agent-options.yml => agent-options}/.keep (100%)
diff --git a/lib/all/agent-options.yml/.keep b/lib/all/agent-options/.keep
similarity index 100%
rename from lib/all/agent-options.yml/.keep
rename to lib/all/agent-options/.keep
From 83a6a17ca56dbaf49bce0ee84562f68f1f916f51 Mon Sep 17 00:00:00 2001
From: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Date: Tue, 3 Feb 2026 13:55:59 -0500
Subject: [PATCH 26/26] Update default.yml
---
 default.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/default.yml b/default.yml
index f396e8e8..222f020b 100644
--- a/default.yml
+++ b/default.yml
@@ -3,6 +3,7 @@
 policies:
 queries:
 agent_options:
+controls:
 org_settings:
 server_settings:
 server_url: $FLEET_URL
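Review bot: The bare `controls:` added to default.yml is a null value with no comment saying why it is there, and its relationship to `teams/no-team.yml` is not visible in this series. As I recall Fleet's GitOps rules, `controls` may be set in default.yml or in no-team.yml but not both, so if no-team.yml also defines the key the run should be rejected, and if it does not, this empty block is what governs profiles and scripts for hosts on "No team". Every team file touched in patches 17–23 already has its own `controls:` (the `@@ ... controls:` hunk context shows it), so the key here only matters for No team. Suggest `controls: # Applies to hosts on "No team"; do not also set controls in teams/no-team.yml` so the next editor does not duplicate it, and confirm that an empty value does not clear existing No-team profiles on apply.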