diff --git a/it-and-security/teams/workstations-canary.yml b/it-and-security/teams/workstations-canary.yml
index 90d1f8fdb007..6ad00f9fc071 100644
--- a/it-and-security/teams/workstations-canary.yml
+++ b/it-and-security/teams/workstations-canary.yml
@@ -65,28 +65,28 @@ controls:
 enable_disk_encryption: true
 macos_settings:
 custom_settings:
- - path: ../lib/configuration-profiles/macos-chrome-enrollment.mobileconfig
- - path: ../lib/configuration-profiles/macos-date-time.mobileconfig
- - path: ../lib/configuration-profiles/macos-disable-bluetooth-file-sharing.mobileconfig
- - path: ../lib/configuration-profiles/macos-disable-content-caching.mobileconfig
- - path: ../lib/configuration-profiles/macos-disable-guest-account.mobileconfig
- - path: ../lib/configuration-profiles/macos-disable-guest-shares.mobileconfig
- - path: ../lib/configuration-profiles/macos-disable-internet-sharing.mobileconfig
- - path: ../lib/configuration-profiles/macos-disable-media-sharing.mobileconfig
- - path: ../lib/configuration-profiles/macos-disable-safari-safefiles.mobileconfig
- - path: ../lib/configuration-profiles/macos-enable-doh.mobileconfig
- - path: ../lib/configuration-profiles/macos-enable-firewall-logging.mobileconfig
- - path: ../lib/configuration-profiles/macos-enable-gatekeeper.mobileconfig
- - path: ../lib/configuration-profiles/macos-enforce-library-validation.mobileconfig
- - path: ../lib/configuration-profiles/macos-firewall.mobileconfig
- - path: ../lib/configuration-profiles/macos-full-disk-access-for-fleetd.mobileconfig
- - path: ../lib/configuration-profiles/macos-limit-ad-tracking.mobileconfig
- - path: ../lib/configuration-profiles/macos-misc.mobileconfig
- - path: ../lib/configuration-profiles/macos-prevent-autologon.mobileconfig
- - path: ../lib/configuration-profiles/macos-secure-terminal-keyboard.mobileconfig
- - path: ../lib/configuration-profiles/macos-disable-update-notifications.mobileconfig
- - path: ../lib/configuration-profiles/macos-ensure-show-status-bar-is-enabled.mobileconfig
- - path: ../lib/declarations/macos-passcode-settings.json
+ - path: ../lib/macos/configuration-profiles/chrome-enrollment.mobileconfig
+ - path: ../lib/macos/configuration-profiles/date-time.mobileconfig
+ - path: ../lib/macos/configuration-profiles/disable-bluetooth-file-sharing.mobileconfig
+ - path: ../lib/macos/configuration-profiles/disable-content-caching.mobileconfig
+ - path: ../lib/macos/configuration-profiles/disable-guest-account.mobileconfig
+ - path: ../lib/macos/configuration-profiles/disable-guest-shares.mobileconfig
+ - path: ../lib/macos/configuration-profiles/disable-internet-sharing.mobileconfig
+ - path: ../lib/macos/configuration-profiles/disable-media-sharing.mobileconfig
+ - path: ../lib/macos/configuration-profiles/disable-safari-safefiles.mobileconfig
+ - path: ../lib/macos/configuration-profiles/enable-doh.mobileconfig
+ - path: ../lib/macos/configuration-profiles/enable-firewall-logging.mobileconfig
+ - path: ../lib/macos/configuration-profiles/enable-gatekeeper.mobileconfig
+ - path: ../lib/macos/configuration-profiles/enforce-library-validation.mobileconfig
+ - path: ../lib/macos/configuration-profiles/firewall.mobileconfig
+ - path: ../lib/macos/configuration-profiles/full-disk-access-for-fleetd.mobileconfig
+ - path: ../lib/macos/configuration-profiles/limit-ad-tracking.mobileconfig
+ - path: ../lib/macos/configuration-profiles/misc.mobileconfig
+ - path: ../lib/macos/configuration-profiles/prevent-autologon.mobileconfig
+ - path: ../lib/macos/configuration-profiles/secure-terminal-keyboard.mobileconfig
+ - path: ../lib/macos/configuration-profiles/disable-update-notifications.mobileconfig
+ - path: ../lib/macos/configuration-profiles/ensure-show-status-bar-is-enabled.mobileconfig
+ - path: ../lib/macos/declaration-profiles/passcode-settings.json
 macos_setup:
 bootstrap_package: ""
 enable_end_user_authentication: false
@@ -96,28 +96,28 @@ controls:
 minimum_version: "15.1.1"
 windows_settings:
 custom_settings:
- - path: ../lib/configuration-profiles/windows-firewall.xml
- - path: ../lib/configuration-profiles/windows-password.xml
- - path: ../lib/configuration-profiles/windows-screen-lock.xml
+ - path: ../lib/windows/configuration-profiles/windows-firewall.xml
+ - path: ../lib/windows/configuration-profiles/windows-password.xml
+ - path: ../lib/windows/configuration-profiles/windows-screen-lock.xml
 windows_updates:
 deadline_days: 7
 grace_period_days: 2
 scripts:
- - path: ../lib/scripts/macos-collect-fleetd-logs.sh
- - path: ../lib/scripts/macos-execute-disable-fleet-desktop.sh
- - path: ../lib/scripts/macos-see-automatic-enrollment-profile.sh
- - path: ../lib/scripts/macos-remove-old-nudge.sh
- - path: ../lib/scripts/macos-mdm-migration.sh
- - path: ../lib/scripts/macos-system-maintenance.sh
+ - path: ../lib/macos/scripts/collect-fleetd-logs.sh
+ - path: ../lib/macos/scripts/execute-disable-fleet-desktop.sh
+ - path: ../lib/macos/scripts/see-automatic-enrollment-profile.sh
+ - path: ../lib/macos/scripts/remove-old-nudge.sh
+ - path: ../lib/macos/scripts/mdm-migration.sh
+ - path: ../lib/macos/scripts/system-maintenance.sh
 - path: ../lib/scripts/windows-remove-fleetd.ps1
- - path: ../lib/scripts/windows-turn-off-mdm.ps1
- - path: ../lib/scripts/windows-install-bitdefender.ps1
- - path: ../lib/scripts/windows-enable-ms-defender.ps1
+ - path: ../lib/windows/scripts/turn-off-mdm.ps1
+ - path: ../lib/windows/scripts/install-bitdefender.ps1
+ - path: ../lib/windows/scripts/enable-ms-defender.ps1
 policies:
- - path: ../lib/policies/macos-device-health.yml
- - path: ../lib/policies/macos-upgrade-firefox.yml
- - path: ../lib/policies/windows-device-health.yml
- - path: ../lib/policies/linux-device-health.yml
+ - path: ../lib/macos/policies/device-health.yml
+ - path: ../lib/macos/policies/upgrade-firefox.yml
+ - path: ../lib/windows/policies/device-health.yml
+ - path: ../lib/linux/policies/linux-device-health.yml
 - name: macOS - Check if latest version
 query: SELECT 1 FROM os_version WHERE (major = '15' AND minor = '1' AND patch = '1');
 critical: true
@@ -140,16 +140,16 @@ policies:
 platform: darwin
 calendar_events_enabled: false
 queries:
- - path: ../lib/queries/collect-failed-login-attempts.yml
- - path: ../lib/queries/collect-fleetd-information.yml
- - path: ../lib/queries/collect-usb-devices.yml
- - path: ../lib/queries/collect-vs-code-extensions.yml
- - path: ../lib/queries/collect-software-permissions-system.yml
- - path: ../lib/queries/collect-software-permissions-user.yml
- - path: ../lib/queries/collect-crowdstrike-info.yml
+ - path: ../lib/macos/queries/collect-failed-login-attempts.yml
+ - path: ../lib/all/queries/collect-fleetd-information.yml
+ - path: ../lib/all/queries/collect-usb-devices.yml
+ - path: ../lib/all/queries/collect-vs-code-extensions.yml
+ - path: ../lib/macos/queries/collect-software-permissions-system.yml
+ - path: ../lib/macos/queries/collect-software-permissions-user.yml
+ - path: ../lib/all/queries/collect-crowdstrike-info.yml
 software:
 packages:
- - path: ../lib/software/macos-mozilla-firefox.yml # Mozilla Firefox for MacOS (universal)
+ - path: ../lib/macos/software/mozilla-firefox.yml # Mozilla Firefox for MacOS (universal)
 app_store_apps:
 - app_store_id: '803453959' # Slack Desktop
 - app_store_id: '1333542190' # 1Password 7 Desktop
diff --git a/it-and-security/teams/workstations.yml b/it-and-security/teams/workstations.yml
index 52b5e06c7e93..7ca71d0cc88e 100644
--- a/it-and-security/teams/workstations.yml
+++ b/it-and-security/teams/workstations.yml
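Review bot: In the canary `scripts:` list of the `@@ -96,28 +96,28 @@` hunk, `- path: ../lib/scripts/windows-remove-fleetd.ps1` is left as unchanged context, while the matching entry in `workstations.yml` (hunk `@@ -74,17 +74,17 @@`) moves to `../lib/windows/scripts/remove-fleetd.ps1`. If the script was moved along with the others, the canary team now references a path that no longer exists; the entry should probably read `- path: ../lib/windows/scripts/remove-fleetd.ps1`. The new paths also keep a platform prefix in `../lib/linux/policies/linux-device-health.yml` and in the three `../lib/windows/configuration-profiles/windows-*.xml` entries while every other entry drops it, so it is worth confirming those match the moved file names. A GitOps dry run over both team files before merging would surface any path that does not resolve, which matters here because the listed files are the firewall, password and screen-lock controls.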
@@ -36,33 +36,33 @@ controls:
 enable_disk_encryption: true
 macos_settings:
 custom_settings:
- - path: ../lib/configuration-profiles/macos-date-time.mobileconfig
- - path: ../lib/configuration-profiles/macos-chrome-enrollment.mobileconfig
- - path: ../lib/configuration-profiles/macos-disable-bluetooth-file-sharing.mobileconfig
- - path: ../lib/configuration-profiles/macos-disable-content-caching.mobileconfig
- - path: ../lib/configuration-profiles/macos-disable-guest-account.mobileconfig
- - path: ../lib/configuration-profiles/macos-disable-guest-shares.mobileconfig
- - path: ../lib/configuration-profiles/macos-disable-internet-sharing.mobileconfig
- - path: ../lib/configuration-profiles/macos-disable-media-sharing.mobileconfig
- - path: ../lib/configuration-profiles/macos-disable-safari-safefiles.mobileconfig
- - path: ../lib/configuration-profiles/macos-enable-doh.mobileconfig
- - path: ../lib/configuration-profiles/macos-enable-firewall-logging.mobileconfig
- - path: ../lib/configuration-profiles/macos-enable-gatekeeper.mobileconfig
- - path: ../lib/configuration-profiles/macos-enforce-library-validation.mobileconfig
- - path: ../lib/configuration-profiles/macos-firewall.mobileconfig
- - path: ../lib/configuration-profiles/macos-full-disk-access-for-fleetd.mobileconfig
- - path: ../lib/configuration-profiles/macos-limit-ad-tracking.mobileconfig
- - path: ../lib/configuration-profiles/macos-misc.mobileconfig
- - path: ../lib/configuration-profiles/macos-prevent-autologon.mobileconfig
- - path: ../lib/configuration-profiles/macos-secure-terminal-keyboard.mobileconfig
- - path: ../lib/configuration-profiles/macos-passcode-settings.json
+ - path: ../lib/macos/configuration-profiles/date-time.mobileconfig
+ - path: ../lib/macos/configuration-profiles/chrome-enrollment.mobileconfig
+ - path: ../lib/macos/configuration-profiles/disable-bluetooth-file-sharing.mobileconfig
+ - path: ../lib/macos/configuration-profiles/disable-content-caching.mobileconfig
+ - path: ../lib/macos/configuration-profiles/disable-guest-account.mobileconfig
+ - path: ../lib/macos/configuration-profiles/disable-guest-shares.mobileconfig
+ - path: ../lib/macos/configuration-profiles/disable-internet-sharing.mobileconfig
+ - path: ../lib/macos/configuration-profiles/disable-media-sharing.mobileconfig
+ - path: ../lib/macos/configuration-profiles/disable-safari-safefiles.mobileconfig
+ - path: ../lib/macos/configuration-profiles/enable-doh.mobileconfig
+ - path: ../lib/macos/configuration-profiles/enable-firewall-logging.mobileconfig
+ - path: ../lib/macos/configuration-profiles/enable-gatekeeper.mobileconfig
+ - path: ../lib/macos/configuration-profiles/enforce-library-validation.mobileconfig
+ - path: ../lib/macos/configuration-profiles/firewall.mobileconfig
+ - path: ../lib/macos/configuration-profiles/full-disk-access-for-fleetd.mobileconfig
+ - path: ../lib/macos/configuration-profiles/limit-ad-tracking.mobileconfig
+ - path: ../lib/macos/configuration-profiles/misc.mobileconfig
+ - path: ../lib/macos/configuration-profiles/prevent-autologon.mobileconfig
+ - path: ../lib/macos/configuration-profiles/secure-terminal-keyboard.mobileconfig
+ - path: ../lib/macos/declaration-profiles/passcode-settings.json
 macos_setup:
 bootstrap_package: ""
 enable_end_user_authentication: true
- macos_setup_assistant: ../lib/automatic-enrollment.dep.json
+ macos_setup_assistant: ../lib/all/enrollment-profiles/automatic-enrollment.dep.json
 software:
- - package_path: ../lib/software/macos-google-chrome.yml # Google Chrome for macOS
- - package_path: ../lib/software/macos-zoom.yml # Zoom for macOS
+ - package_path: ../lib/macos/software/google-chrome.yml # Google Chrome for macOS
+ - package_path: ../lib/macos/software/zoom.yml # Zoom for macOS
 - app_store_id: '803453959' # Slack Desktop
 - app_store_id: '1333542190' # 1Password 7 Desktop
 macos_updates:
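Review bot: The passcode declaration in the `@@ -36,33 +36,33 @@` hunk previously came from `../lib/configuration-profiles/macos-passcode-settings.json`, whereas the canary file's old entry pointed at `../lib/declarations/macos-passcode-settings.json`; both now resolve to `../lib/macos/declaration-profiles/passcode-settings.json`. If those were two distinct files, one team's passcode policy changes content under what reads as a pure path move, so the commit description should state which copy was kept, or that the old workstations path was already a stale reference. The same question applies to `collect-fleetd-logs.sh` in the `@@ -74,17 +74,17 @@` hunk, whose old path was `../lib/scripts/collect-fleetd-logs.sh` here and `../lib/scripts/macos-collect-fleetd-logs.sh` in the canary file.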
@@ -74,17 +74,17 @@ controls:
 deadline_days: 7
 grace_period_days: 2
 scripts:
- - path: ../lib/scripts/collect-fleetd-logs.sh
- - path: ../lib/scripts/macos-see-automatic-enrollment-profile.sh
- - path: ../lib/scripts/macos-remove-old-nudge.sh
- - path: ../lib/scripts/windows-remove-fleetd.ps1
- - path: ../lib/scripts/windows-turn-off-mdm.ps1
+ - path: ../lib/macos/scripts/collect-fleetd-logs.sh
+ - path: ../lib/macos/scripts/see-automatic-enrollment-profile.sh
+ - path: ../lib/macos/scripts/remove-old-nudge.sh
+ - path: ../lib/windows/scripts/remove-fleetd.ps1
+ - path: ../lib/windows/scripts/turn-off-mdm.ps1
 policies:
- - path: ../lib/policies/macos-device-health.yml
- - path: ../lib/policies/macos-cis.yml
- - path: ../lib/policies/windows-device-health.yml
- - path: ../lib/policies/windows-cis.yml
- - path: ../lib/policies/linux-device-health.yml
+ - path: ../lib/macos/policies/device-health.yml
+ - path: ../lib/macos/policies/cis.yml
+ - path: ../lib/windows/policies/device-health.yml
+ - path: ../lib/windows/policies/cis.yml
+ - path: ../lib/linux/policies/linux-device-health.yml
 - name: macOS - Check if latest version
 query: SELECT 1 FROM os_version WHERE (major = '15' AND minor = '1' AND patch = '1');
 critical: true
@@ -93,9 +93,9 @@ policies:
 platform: darwin
 calendar_events_enabled: false
 queries:
- - path: ../lib/queries/collect-failed-login-attempts.yml
- - path: ../lib/queries/collect-usb-devices.yml
- - path: ../lib/queries/collect-vs-code-extensions.yml
+ - path: ../lib/macos/queries/collect-failed-login-attempts.yml
+ - path: ../lib/all/queries/collect-usb-devices.yml
+ - path: ../lib/all/queries/collect-vs-code-extensions.yml
 - name: Collect expiration date for MDM SCEP certificates
 description: "For the following issue: https://github.com/fleetdm/confidential/issues/4518. Returns expiration date for macOS hosts's MDM SCEP certs."
 query: "SELECT common_name, datetime(not_valid_after,'unixepoch') AS expires FROM certificates WHERE 'common_name' LIKE '%FleetDM Identity%';"
@@ -105,8 +105,8 @@ queries:
 observer_can_run: true
 software:
 packages:
- - path: ../lib/software/macos-zoom.yml # Zoom for macOS
- - path: ../lib/software/macos-google-chrome.yml # Google Chrome for macOS
+ - path: ../lib/macos/software/zoom.yml # Zoom for macOS
+ - path: ../lib/macos/software/google-chrome.yml # Google Chrome for macOS
 app_store_apps:
 - app_store_id: '803453959' # Slack Desktop
 - app_store_id: '1333542190' # 1Password 7 Desktop
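Review bot: The inline query carried as context in the `@@ -93,9 +93,9 @@` hunk filters on `WHERE 'common_name' LIKE '%FleetDM Identity%'`, and the single quotes make `common_name` a string literal rather than the column, so in SQLite the predicate compares a constant and should match no rows. This commit does not touch the line, but as written the SCEP certificate expiry report would come back empty and an expiring MDM identity certificate would go unnoticed. The predicate should read `WHERE common_name LIKE '%FleetDM Identity%'`. The query entry continues past the end of the hunk, so its interval and platform settings are not visible here.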