Add fleet apps, labels, and patch policies

[allenhouchins]

Add multiple Fleet-maintained apps to workstations (macOS and x86 Windows), create dynamic labels to detect installed apps, and add patch policies to flag out-of-date installs. workstations.yml: add numerous macOS self-service entries (e.g. GitHub Desktop, Postman, iTerm2, Sublime Text, Figma, Spotify, Google Drive, Cursor, etc.) and x86 Windows entries with labels_include_any for x86 hosts. lib/all/labels/...: add dynamic macOS labels using bundle identifiers and x86 Windows labels using program name plus arch checks. lib/macos/policies/... and lib/windows/policies/...: add patch policies for each new app to notify about outdated versions and provide remediation guidance (Self-service or app update/uninstall). These changes enable inventory, self-service deployment, and patch management for additional developer and productivity applications.

Summary by CodeRabbit

• New Features
  • Expanded macOS self-service app installation library with 20 new applications, including GitHub Desktop, Docker, Postman, Figma, Cursor, Sublime Text, Spotify, Google Drive, and others
  • Expanded Windows x86 self-service app installation with 8 new applications (Docker Desktop, GitHub Desktop, Postman, Figma, Spotify, Google Drive, Cursor, Sublime Text)
  • Added automatic update tracking for all self-service applications across both platforms

[claude]

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

_{Tip: disable this comment in your organization's Code Review settings.}

[Copilot]

Copilot wasn't able to review any files in this pull request.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 588f88c7-4456-498c-ae07-397c05444a01

📥 Commits

Reviewing files that changed from the base of the PR and between 83a886b and ae231bc.

📒 Files selected for processing (5)

• it-and-security/fleets/workstations.yml
• it-and-security/lib/all/labels/macs-with-fleet-maintained-apps-installed.yml
• it-and-security/lib/all/labels/windows-with-fleet-maintained-apps-installed.yml
• it-and-security/lib/macos/policies/patch-fleet-maintained-apps.yml
• it-and-security/lib/windows/policies/patch-fleet-maintained-apps.yml

---

Walkthrough

The PR adds self-service installation capabilities for 20 macOS applications and 8 Windows x86 applications by declaring these apps as fleet-maintained in the workstations configuration, creating dynamic detection labels based on application bundle identifiers for macOS and installed programs for Windows, and adding corresponding patch policies. It also updates existing Windows patch policies for Brave Browser and Visual Studio Code to target x86-specific hosts with architecture filtering.

Possibly related PRs

• Fix patch policy bugs #43420: Implements patch-policy handling (team scoping, fleet_maintained_app_slug/title ID resolution, and upsert behavior) that the new fleet-maintained app entries, labels, and patch policies depend upon.
• Fix mis-assigned FMA bundle identifiers, switch to fuzzy matching on queries where Windows apps include version number in the name (incl. special fixes for Firefox ESR) #42628: Modifies detection and matching for Windows fleet-maintained apps, affecting the same app-detection pipeline used by the newly added Windows application entries.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch allenhouchins-add-patch-policies

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}