initial commit of cookbooks

cpe_applicationaccess/README.md

@@ -0,0 +1,57 @@
+cpe_applicationaccess Cookbook
+=========================
+Install a profile to manage various application settings.
+
+Requirements
+------------
+macOS
+
+Attributes
+----------
+* node['cpe_applicationaccess']['lists']['pathBlackList']
+* node['cpe_applicationaccess']['lists']['pathWhiteList']
+* node['cpe_applicationaccess']['lists']['whiteList']
+* node['cpe_applicationaccess']['features']['allowAutoUnlock']
+* node['cpe_applicationaccess']['features']['allowCamera']
+* node['cpe_applicationaccess']['features']['allowCloudAddressBook']
+* node['cpe_applicationaccess']['features']['allowCloudBTMM']
+* node['cpe_applicationaccess']['features']['allowCloudDesktopAndDocuments']
+* node['cpe_applicationaccess']['features']['allowCloudDocumentSync']
+* node['cpe_applicationaccess']['features']['allowCloudFMM']
+* node['cpe_applicationaccess']['features']['allowCloudKeychainSync']
+* node['cpe_applicationaccess']['features']['allowCloudMail']
+* node['cpe_applicationaccess']['features']['allowCloudCalendar']
+* node['cpe_applicationaccess']['features']['allowCloudReminders']
+* node['cpe_applicationaccess']['features']['allowCloudBookmarks']
+* node['cpe_applicationaccess']['features']['allowCloudNotes']
+* node['cpe_applicationaccess']['features']['allowDefinitionLookup']
+* node['cpe_applicationaccess']['features']['allowMusicService']
+* node['cpe_applicationaccess']['features']['allowSpotlightInternetResults']
+
+Usage
+-----
+The profile will manage the `com.apple.applicationaccess` and `com.apple.applicationaccess.new` preference domains.
+
+The profile's organization key defaults to `Pinterest` unless `node['organization']` is
+configured in your company's custom init recipe. The profile will also use
+whichever prefix is set in `node['cpe_profiles']['prefix']`, which defaults to `com.facebook.chef`
+
+The profile delivers a payload of all keys in `node['cpe_applicationaccess']['features']` and/or `node['cpe_applicationaccess']['lists']` that are non-nil values.  All provided keys are nil by default, so that no profile is installed without overriding.
+
+
+The most common use case for `com.apple.applicationaccess.new` is for service machines that will be significantly locked down.
+
+    # Allow anything from "/".
+    node.default['cpe_applicationaccess']['lists']['pathWhiteList'] = [
+        '/',
+      ]
+    # Block paths.
+    node.default['cpe_applicationaccess']['lists']['pathBlackList'] = [
+        '/Applications/AutoPkgr.app',
+        '/Applications/Transmission.app',
+      ]
+
+The most common use case for `com.apple.applicationaccess` is to lock down specific internet/iCloud features.
+
+    # Block iCloud
+    node.default['cpe_applicationaccess']['features']['allowCloudDesktopAndDocuments']

cpe_applicationaccess/attributes/default.rb

@@ -0,0 +1,40 @@
+#
+# Cookbook Name:: cpe_applicationaccess
+# Attributes:: default
+#
+# vim: syntax=ruby:expandtab:shiftwidth=2:softtabstop=2:tabstop=2
+#
+# Copyright (c) 2017-present, Pinterest, Inc.
+# All rights reserved.
+#
+# This source code is licensed under the Apache 2.0 license found in the
+# LICENSE file in the root directory of this source tree.
+#
+
+default['cpe_applicationaccess'] = {
+  # Path Application Whitelist/Blacklist
+  'lists' => {
+    'pathBlackList' => nil,
+    'pathWhiteList' => nil,
+    'whiteList' => nil,
+  },
+  # Application Access Features
+  'features' => {
+    'allowAutoUnlock' => nil,
+    'allowCamera' => nil,
+    'allowCloudAddressBook' => nil,
+    'allowCloudBTMM' => nil,
+    'allowCloudDesktopAndDocuments' => nil,
+    'allowCloudDocumentSync' => nil,
+    'allowCloudFMM' => nil,
+    'allowCloudKeychainSync' => nil,
+    'allowCloudMail' => nil,
+    'allowCloudCalendar' => nil,
+    'allowCloudReminders' => nil,
+    'allowCloudBookmarks' => nil,
+    'allowCloudNotes' => nil,
+    'allowDefinitionLookup' => nil,
+    'allowMusicService' => nil,
+    'allowSpotlightInternetResults' => nil,
+  },
+}

cpe_applicationaccess/metadata.rb

@@ -0,0 +1,12 @@
+# vim: syntax=ruby:expandtab:shiftwidth=2:softtabstop=2:tabstop=2
+
+name 'cpe_applicationaccess'
+maintainer 'Pinterest'
+maintainer_email 'itcpe@pinterest.com'
+license 'Apache'
+description 'Manages Apple System Preference Panes settings / profile'
+long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
+version '0.1.0'
+supports 'mac_os_x'
+
+depends 'cpe_profiles'

cpe_applicationaccess/recipes/default.rb

@@ -0,0 +1,14 @@
+#
+# Cookbook Name:: cpe_applicationaccess
+# Resource:: cpe_applicationaccess
+#
+# vim: syntax=ruby:expandtab:shiftwidth=2:softtabstop=2:tabstop=2
+#
+# Copyright (c) 2017-present, Pinterest, Inc.
+# All rights reserved.
+#
+# This source code is licensed under the Apache 2.0 license found in the
+# LICENSE file in the root directory of this source tree.
+#
+
+cpe_applicationaccess 'Apply Application Access profile'

cpe_applicationaccess/resources/cpe_applicationaccess.rb

@@ -0,0 +1,72 @@
+#
+# Cookbook Name:: cpe_applicationaccess
+# Resource:: cpe_applicationaccess
+#
+# vim: syntax=ruby:expandtab:shiftwidth=2:softtabstop=2:tabstop=2
+#
+# Copyright (c) 2017-present, Pinterest, Inc.
+# All rights reserved.
+#
+# This source code is licensed under the Apache 2.0 license found in the
+# LICENSE file in the root directory of this source tree.
+#
+
+resource_name :cpe_applicationaccess
+default_action :run
+
+action :run do
+  aa_prefs = node['cpe_applicationaccess']['features'].reject { |_k, v| v.nil? }
+  aan_prefs = node['cpe_applicationaccess']['lists'].reject { |_k, v| v.nil? }
+  if aa_prefs.empty? && aan_prefs.empty?
+    Chef::Log.info("#{cookbook_name}: No prefs found.")
+    return
+  end
+
+  organization = node['organization'] ? node['organization'] : 'GitHub'
+  prefix = node['cpe_profiles']['prefix']
+  aa_profile = {
+    'PayloadIdentifier' => "#{prefix}.applicationaccess",
+    'PayloadRemovalDisallowed' => true,
+    'PayloadScope' => 'System',
+    'PayloadType' => 'Configuration',
+    'PayloadUUID' => 'D1B78DD9-13A1-4BC5-9F22-EF10042F6041',
+    'PayloadOrganization' => organization,
+    'PayloadVersion' => 1,
+    'PayloadDisplayName' => 'Application Restrictions',
+    'PayloadContent' => [],
+  }
+  unless aa_prefs.empty?
+    aa_profile['PayloadContent'].push(
+      'PayloadType' => 'com.apple.applicationaccess',
+      'PayloadVersion' => 1,
+      'PayloadIdentifier' => "#{prefix}.applicationaccess",
+      'PayloadUUID' => '6493D033-179A-4E8D-AD85-FDBD09A28DCC',
+      'PayloadEnabled' => true,
+      'PayloadDisplayName' => 'Application Restrictions',
+    )
+
+    aa_prefs.keys.each do |key|
+      next if aa_prefs[key].nil?
+      aa_profile['PayloadContent'][0][key] = aa_prefs[key]
+    end
+  end
+
+  unless aan_prefs.empty?
+    aa_profile['PayloadContent'].push(
+      'PayloadType' => 'com.apple.applicationaccess.new',
+      'PayloadVersion' => 1,
+      'PayloadIdentifier' => "#{prefix}.applicationaccess.new",
+      'PayloadUUID' => '23E11571-624B-4B74-89C0-12226EEEACD1',
+      'PayloadEnabled' => true,
+      'PayloadDisplayName' => 'Application Restrictions New',
+      'familyControlsEnabled' => true,
+    )
+
+    aan_prefs.keys.each do |key|
+      next if aan_prefs[key].nil?
+      aa_profile['PayloadContent'][-1][key] = aan_prefs[key]
+    end
+  end
+
+  node.default['cpe_profiles']["#{prefix}.applicationaccess"] = aa_profile
+end

cpe_ard/README.md

@@ -0,0 +1,31 @@
+cpe_ard Cookbook
+=========================
+Install a profile to manage Apple Remote Desktop Application settings.
+
+Requirements
+------------
+Mac OS X
+
+Attributes
+----------
+* node['cpe_ard']
+* node['cpe_ard']['AdminConsoleAllowsRemoteControl']
+* node['cpe_ard']['LoadRemoteManagementMenuExtra']
+
+Usage
+-----
+The profile will manage the `com.apple.RemoteManagement` preference domain.
+
+The profile's organization key defaults to `Pinterest` unless `node['organization']` is
+configured in your company's custom init recipe. The profile will also use
+whichever prefix is set in node['cpe_profiles']['prefix'], which defaults to `com.facebook.chef`
+
+The profile delivers a payload of all keys in `node['cpe_ard']` that are non-nil values.  The two provided keys `node['cpe_ard']['AdminConsoleAllowsRemoteControl']` and `node['cpe_ard']['LoadRemoteManagementMenuExtra']` are nil, so that no profile is installed by default.
+
+You can add any arbitrary keys to `node['cpe_ard']` to have them added to your profile.  As long as the values are not nil and create a valid profile, this cookbook will install and manage them.
+
+The most common use case is for service machines with Apple Remote Desktop installed.
+
+    # Force Apple Remote Desktop use when application is open.
+    node.default['cpe_ard']['AdminConsoleAllowsRemoteControl'] = true
+    node.default['cpe_ard']['LoadRemoteManagementMenuExtra'] = true

cpe_ard/attributes/default.rb

@@ -0,0 +1,16 @@
+#
+# Cookbook Name:: cpe_ard
+# Attributes:: default
+#
+# vim: syntax=ruby:expandtab:shiftwidth=2:softtabstop=2:tabstop=2
+#
+# Copyright (c) 2017-present, Pinterest, Inc.
+# All rights reserved.
+#
+# This source code is licensed under the Apache 2.0 license found in the
+# LICENSE file in the root directory of this source tree.
+#
+
+# Disable bluetooth setup assistant for mouse and keyboard
+default['cpe_ard']['AdminConsoleAllowsRemoteControl'] = nil
+default['cpe_ard']['LoadRemoteManagementMenuExtra'] = nil

cpe_ard/metadata.rb

@@ -0,0 +1,12 @@
+# vim: syntax=ruby:expandtab:shiftwidth=2:softtabstop=2:tabstop=2
+
+name 'cpe_ard'
+maintainer 'Pinterest'
+maintainer_email 'itcpe@pinterest.com'
+license 'Apache'
+description 'Manages Apple Remote Desktop Application settings / profile'
+long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
+version '0.1.0'
+supports 'mac_os_x'
+
+depends 'cpe_profiles'

cpe_ard/recipes/default.rb

@@ -0,0 +1,14 @@
+#
+# Cookbook Name:: cpe_ard
+# Recipes:: default
+#
+# vim: syntax=ruby:expandtab:shiftwidth=2:softtabstop=2:tabstop=2
+#
+# Copyright (c) 2017-present, Pinterest, Inc.
+# All rights reserved.
+#
+# This source code is licensed under the Apache 2.0 license found in the
+# LICENSE file in the root directory of this source tree.
+#
+
+cpe_ard 'Apply Apple Remote Desktop App profile'

cpe_ard/resources/cpe_ard.rb

@@ -0,0 +1,53 @@
+#
+# Cookbook Name:: cpe_ard
+# Resource:: cpe_ard
+#
+# vim: syntax=ruby:expandtab:shiftwidth=2:softtabstop=2:tabstop=2
+#
+# Copyright (c) 2017-present, Pinterest, Inc.
+# All rights reserved.
+#
+# This source code is licensed under the Apache 2.0 license found in the
+# LICENSE file in the root directory of this source tree.
+#
+
+resource_name :cpe_ard
+default_action :run
+
+ard_prefs = {}
+
+action :run do
+  ard_prefs = node['cpe_ard'].reject { |_k, v| v.nil? }
+  return if ard_prefs.empty?
+  organization = node['organization'] ? node['organization'] : 'Pinterest'
+  prefix = node['cpe_profiles']['prefix']
+  node.default['cpe_profiles']["#{prefix}.ard"] = {
+    'PayloadIdentifier' => "#{prefix}.ardapp",
+    'PayloadRemovalDisallowed' => true,
+    'PayloadScope' => 'System',
+    'PayloadType' => 'Configuration',
+    'PayloadUUID' => '2CAB3C80-54C4-4D61-A142-52C2EBB0DA8C',
+    'PayloadOrganization' => organization,
+    'PayloadVersion' => 1,
+    'PayloadDisplayName' => 'Apple Remote Desktop Application',
+    'PayloadContent' => [
+      {
+        'PayloadType' => 'com.apple.ManagedClient.preferences',
+        'PayloadVersion' => 1,
+        'PayloadIdentifier' => "#{prefix}.ard",
+        'PayloadUUID' => '149EAD29-D27D-4639-8E8D-D8513B18A2B5',
+        'PayloadEnabled' => true,
+        'PayloadDisplayName' => 'RemoteManagement',
+        'PayloadContent' => {
+          'com.apple.RemoteManagement' => {
+            'Forced' => [
+              {
+                'mcx_preference_settings' => ard_prefs,
+              },
+            ],
+          },
+        },
+      },
+    ],
+  }
+end

cpe_desktopwallpaper/README.md

@@ -0,0 +1,26 @@
+cpe_desktopwallpaper Cookbook
+=========================
+Install a profile to manage Desktop settings.
+Requirements
+------------
+maOS
+
+Attributes
+----------
+* node['cpe_desktopwallpaper']
+* node['cpe_desktopwallpaper']['OverridePicturePath']
+
+Usage
+-----
+The profile will manage the `com.apple.desktop` preference domain.
+
+The profile's organization key defaults to `Pinterest` unless `node['organization']` is
+configured in your company's custom init recipe. The profile will also use
+whichever prefix is set in node['cpe_profiles']['prefix'], which defaults to `com.facebook.chef`
+
+The profile delivers a payload of all keys in `node['cpe_desktopwallpaper']` that are non-nil values.  The key `node['cpe_desktopwallpaper']['OverridePicturePath']` is nil, so that no profile is installed by default.
+
+The most common use case is for client machines that are heavily locked down.
+
+    # Set Wallpaper
+    node.default['cpe_desktopwallpaper']['OverridePicturePath'] = '/Library/Desktop Pictures/El Capitan.jpg'

cpe_desktopwallpaper/attributes/default.rb

@@ -0,0 +1,15 @@
+#
+# Cookbook Name:: cpe_desktopwallpaper
+# Attributes:: default
+#
+# vim: syntax=ruby:expandtab:shiftwidth=2:softtabstop=2:tabstop=2
+#
+# Copyright (c) 2017-present, Pinterest, Inc.
+# All rights reserved.
+#
+# This source code is licensed under the Apache 2.0 license found in the
+# LICENSE file in the root directory of this source tree.
+#
+
+# Lock and Setup a wallpaper
+default['cpe_desktopwallpaper']['OverridePicturePath'] = nil

cpe_desktopwallpaper/metadata.rb

@@ -0,0 +1,12 @@
+# vim: syntax=ruby:expandtab:shiftwidth=2:softtabstop=2:tabstop=2
+
+name 'cpe_desktopwallpaper'
+maintainer 'Pinterest'
+maintainer_email 'itcpe@pinterest.com'
+license 'Apache'
+description 'Manages Desktop Wallpaper settings / profile'
+long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
+version '0.1.0'
+supports 'mac_os_x'
+
+depends 'cpe_profiles'