Merge branch 'main' into docs-v4.61.0
rachaelshaw committed Nov 4, 2024
2 parents 3c18929 + 65fbc81 commit dfd80c9
Showing 33 changed files with 1,082 additions and 823 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/generate-desktop-targets.yml
Expand Up @@ -19,7 +19,7 @@ defaults:
shell: bash

env:
FLEET_DESKTOP_VERSION: 1.34.0
FLEET_DESKTOP_VERSION: 1.35.0

permissions:
contents: read
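Review bot: the `FLEET_DESKTOP_VERSION` string is the only thing in this workflow that selects which Fleet Desktop build the targets are generated from, so confirm that a 1.35.0 release with published artifacts exists before merging; a mistyped version here would fail (or worse, silently pick up the wrong build) only at generation time, not at review time.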
24 changes: 20 additions & 4 deletions articles/enforce-os-updates.md
Expand Up @@ -2,23 +2,39 @@

_Available in Fleet Premium_

In Fleet, you can enforce OS updates on your macOS, Windows, iOS, and iPadOS hosts remotely using the Fleet UI, Fleet API, or [Fleet's GitOps workflow](https://github.com/fleetdm/fleet-gitops).
In Fleet, you can enforce OS updates on your macOS, Windows, iOS, and iPadOS hosts remotely using the Fleet UI, Fleet API, or Fleet's GitOps workflow.

Fleet UI:
## Turning on enforcement

### Fleet UI

1. Head to the **Controls** > **OS updates** tab.

2. To enforce OS updates for macOS, iOS, or iPadOS, select the platform and set a **Minimum version** and **Deadline**.

3. For Windows, select **Windows** and set a **Deadline** and **Grace period**.

Fleet API: API documentation is [here](https://fleetdm.com/docs/rest-api/rest-api#modify-team).
### Fleet API

Use the [modify team endpoint](https://fleetdm.com/docs/rest-api/rest-api#modify-team) to turn on minimum OS version enforcement. The relevant payload keys in the `mdm` object are:
+ `macos_updates`
+ `ios_updates`
+ `ipados_updates`
+ `windows_updates`

### GitOps

OS version enforcement options are declared within the [controls](https://fleetdm.com/docs/configuration/yaml-files#controls) section of a Fleet GitOps YAML file, using the following keys:
+ [macos_updates](https://fleetdm.com/docs/configuration/yaml-files#macos-updates)
+ [ios_updates](https://fleetdm.com/docs/configuration/yaml-files#ios-updates)
+ [ipados_updates](https://fleetdm.com/docs/configuration/yaml-files#ipados-updates)
+ [windows_updates](https://fleetdm.com/docs/configuration/yaml-files#windows-updates)

## End user experience

### macOS

When a minimum version is enforced, the end users see a native macOS notification (DDM) once per day. Users can choose to update ahead of the deadline or schedule it for that night. 24 hours before the deadline, the notification appears hourly and ignores Do Not Disturb. One hour before the deadline, the notification appears every 30 minutes and then every 10 minutes.
When a minimum version is enforced, end users see a native macOS notification (DDM) once per day. Users can choose to update ahead of the deadline or schedule it for that night. 24 hours before the deadline, the notification appears hourly and ignores Do Not Disturb. One hour before the deadline, the notification appears every 30 minutes and then every 10 minutes.

If the host was turned off when the deadline passed, the update will be scheduled an hour after it’s turned on.
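Review bot: the new "Fleet API" subsection lists the `mdm` payload keys (`macos_updates`, `ios_updates`, `ipados_updates`, `windows_updates`) but not the fields inside them, while the UI steps above talk about **Minimum version**, **Deadline** and **Grace period**; an API user still has to cross-reference the GitOps section to learn the field names (`minimum_version`, `deadline`, `deadline_days`, `grace_period_days`). Either list the fields under each key or link each key to its yaml-files anchor the way the GitOps list does. Separately, the rewritten intro line drops the link to https://github.com/fleetdm/fleet-gitops that the old line carried, and the new "### GitOps" subsection links only to the yaml-files reference, so consider keeping the repo link there.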

9 changes: 6 additions & 3 deletions articles/role-based-access.md
Expand Up @@ -64,7 +64,9 @@ GitOps is an API-only and write-only role that can be used on CI/CD pipelines.
| Filter hosts using policies ||||| |
| Create, edit, and delete policies for all hosts | | ||||
| Create, edit, and delete policies for all hosts assigned to team\* | | ||||
| Manage [policy automations](https://fleetdm.com/docs/using-fleet/automations#policy-automations) | | | |||
| Edit global ("All teams") policy automations | | | |||
| Edit team policy automations: calendar events, install software, and run script\* | | ||||
| Edit team policy automations: other workflows (tickets and webhooks)\* | | | |||
| Create, edit, view, and delete users | | | || |
| Add and remove team users\* | | | |||
| Create, edit, and delete teams\* | | | |||
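Review bot: the three replacement rows drop the link to https://fleetdm.com/docs/using-fleet/automations#policy-automations that the removed `Manage [policy automations]` row carried, so readers of this table no longer have a path to the automations documentation; keep the link on at least the first new row (`Edit global ("All teams") policy automations`). The `\*` marker is on the two team-scoped rows and not on the global row, which matches the `assigned to team\*` convention in the rows above; just confirm the footnote below the table still reads correctly now that it covers three rows instead of one.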
Expand Down Expand Up @@ -146,7 +148,8 @@ Users with access to multiple teams can be assigned different roles for each tea
| Run global (inherited) policies as a live policy | |||| |
| Filter hosts using policies ||||| |
| Create, edit, and delete team policies | | ||||
| Manage [policy automations](https://fleetdm.com/docs/using-fleet/automations#policy-automations) | | | |||
| Edit team policy automations: calendar events, install software, and run script | | ||||
| Edit team policy automations: other workflows (tickets and webhooks) | | | |||
| Add and remove team users | | | |||
| Edit team name | | | |||
| Create, edit, and delete [team enroll secrets](https://fleetdm.com/docs/using-fleet/rest-api#get-enroll-secrets-for-a-team) | | ||| |
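Review bot: same issue as in the global table above, the link to https://fleetdm.com/docs/using-fleet/automations#policy-automations disappears with the removed `Manage [policy automations]` row; add it back on one of the two new `Edit team policy automations` rows. The new row names match the global table's wording minus the `\*`, which is correct for a team-scoped table.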
Expand Down Expand Up @@ -179,6 +182,6 @@ Users with access to multiple teams can be assigned different roles for each tea
<meta name="category" value="guides">
<meta name="authorGitHubUsername" value="noahtalerman">
<meta name="authorFullName" value="Noah Talerman">
<meta name="publishedOn" value="2024-08-10">
<meta name="publishedOn" value="2024-10-31">
<meta name="articleTitle" value="Role-based access">
<meta name="description" value="Learn about the different roles and permissions in Fleet.">
@@ -1,5 +1,98 @@
---
apiVersion: v1
kind: policy
spec:
name: Ensure a password is required to wake the computer from sleep or screen saver is enabled
platforms: macOS
platform: darwin
description: Checks that password is required to wake the computer from sleep or screen saver is enabled.
resolution: |
Automated method:
Ask your system administrator to deploy an MDM profile that ensures a password is required to wake the computer from sleep or screen saver is enabled.
Graphical method:
Perform the following steps to ensure a password is required to wake the computer from sleep or screen saver is enabled:
1. Open System Settings
2. Select Lock Screen
3. Verify that "Require password after screensaver begins or display is turned
off" is set with "After 0 seconds" or "After 5 seconds"
query: |-
SELECT 1 WHERE
EXISTS (
SELECT 1 FROM managed_policies WHERE
domain='com.apple.screensaver' AND
name='askForPassword' AND
(value = 1 OR value = 'true') AND
username = ''
)
AND EXISTS (
SELECT 1 FROM managed_policies WHERE
domain='com.apple.screensaver' AND
name='askForPasswordDelay' AND
value <= 5 AND
username = ''
)
AND NOT EXISTS (
SELECT 1 FROM managed_policies WHERE
domain='com.apple.screensaver' AND
name='askForPassword' AND
(value != 1 AND value != 'true')
)
AND NOT EXISTS (
SELECT 1 FROM managed_policies WHERE
domain='com.apple.screensaver' AND
name='askForPasswordDelay' AND
value > 5
);
purpose: Informational
tags: compliance, CIS, CIS_Level1, premium,
contributors: sharon-fdm
---
apiVersion: v1
kind: policy
spec:
name: Ensure auto-update is enabled
platforms: macOS
platform: darwin
description: Checks that the system is configured via MDM to automatically install updates.
resolution: "Ask your system administrator to deploy an MDM profile that enables automatic updates."
query: |
SELECT 1 WHERE
EXISTS (
SELECT 1 FROM managed_policies WHERE
domain='com.apple.SoftwareUpdate' AND
name='AutomaticCheckEnabled' AND
(value = 1 OR value = 'true') AND
username = ''
)
AND NOT EXISTS (
SELECT 1 FROM managed_policies WHERE
domain='com.apple.SoftwareUpdate' AND
name='AutomaticCheckEnabled' AND
(value != 1 AND value != 'true')
);
purpose: Informational
tags: compliance, CIS, CIS_Level1, premium
contributors: sharon-fdm
---
apiVersion: v1
kind: policy
spec:
name: Ensure 'Minimum password length' is set to '14 or more characters'
platforms: win10
platform: windows
description: |
This policy setting determines the least number of characters that make up a password for a user account.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 14 or more characters
'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password length'
query: |
SELECT 1 FROM security_profile_info WHERE minimum_password_length >= 14;
purpose: Informational
tags: compliance, CIS, CIS_Level1, premium
contributors: marcosd4h
---
apiVersion: v1
kind: query
spec:
name: Get OpenSSL versions
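Review bot: in the first policy the comparisons `value <= 5` and `value > 5` run against `managed_policies.value`, which osquery declares as TEXT; with an integer literal on the other side SQLite applies the column's text affinity to the literal and compares lexically, so a delay of `10` satisfies `value <= 5` (`'10' < '5'` as strings) and the policy passes a host that requires the password only after 10 seconds. Compare on `CAST(value AS INTEGER)` in both the positive and the `NOT EXISTS` branches. Two smaller points: `tags: compliance, CIS, CIS_Level1, premium,` has a trailing comma that the other two policies do not, and the first policy's `description` says it checks that a password is required, but like the auto-update policy it only inspects MDM-delivered settings, so wording it "configured via MDM" as the second policy does would set the right expectation for hosts configured locally.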
Expand Down Expand Up @@ -1006,12 +1099,11 @@ spec:
contributors: defensivedepth
---
apiVersion: v1
kind: policy
kind: query
spec:
name: Identify Apple development secrets (macOS)
query: SELECT * FROM keychain_items WHERE label LIKE '%ABCDEFG%';
description: "Identifies certificates associated with Apple development signing and notarization. Replace ABCDEFG with your company's identifier."
resolution: "Ensure your official Apple builds, signing and notarization happen on a centralized system, and remove these certificates from workstations."
tags: compliance, inventory, built-in
platform: darwin
contributors: GuillaumeRoss
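Review bot: `kind` changes from `policy` to `query` but the spec keeps a `resolution:` field, which is a policy attribute (it describes how to fix a failing host); check whether the query spec schema tolerates it and drop it if not, or fold the guidance into `description`. The `LIKE '%ABCDEFG%'` placeholder is fine as a template, but since the query is now a plain saved query rather than a policy, the `description` line asking the reader to replace `ABCDEFG` is the only guard against running it unchanged, so it may be worth saying explicitly that it returns nothing until customised.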
26 changes: 16 additions & 10 deletions docs/Configuration/yaml-files.md
Expand Up @@ -215,8 +215,14 @@ controls:
windows_enabled_and_configured: true
enable_disk_encryption: true # Available in Fleet Premium
macos_updates: # Available in Fleet Premium
deadline: "2023-06-13"
minimum_version: 13.4.1
deadline: "2024-12-31"
minimum_version: 15.1
ios_updates: # Available in Fleet Premium
deadline: "2024-12-31"
minimum_version: 18.1
ipados_updates: # Available in Fleet Premium
deadline: "2024-12-31"
minimum_version: 18.1
windows_updates: # Available in Fleet Premium
deadline_days: 5
grace_period_days: 2
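Review bot: `minimum_version: 15.1` and `minimum_version: 18.1` are unquoted, so a YAML parser reads them as floats, not strings; that happens to round-trip for these examples but a version such as `15.10` would be parsed as `15.1` and silently lower the enforced minimum. The old example `13.4.1` was only safe because three components cannot be a number. Quote the versions the same way `deadline: "2024-12-31"` is quoted so readers copy a safe pattern.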
Expand Down Expand Up @@ -244,24 +250,24 @@ controls:

### macos_updates

- `deadline` specifies the deadline in the form of `YYYY-MM-DD`. The exact deadline time is at 04:00:00 (UTC-8) (default: `""`).
- `deadline` specifies the deadline in `YYYY-MM-DD` format. The exact deadline is set to noon local time for hosts on macOS 14 and above, 20:00 UTC for hosts on older macOS versions. (default: `""`).
- `minimum_version` specifies the minimum required macOS version (default: `""`).

### windows_updates

- `deadline_days` (default: null)
- `grace_period_days` (default: null)

### ios_updates

- `deadline` specifies the deadline in the form of `YYYY-MM-DD`. The exact deadline time is at 04:00:00 (UTC-8) (default: `""`).
- `deadline` specifies the deadline in `YYYY-MM-DD` format; the exact deadline is set to noon local time. (default: `""`).
- `minimum_version` specifies the minimum required iOS version (default: `""`).

### ipados_updates

- `deadline` specifies the deadline in the form of `YYYY-MM-DD`. The exact deadline time is at 04:00:00 (UTC-8) (default: `""`).
- `deadline` specifies the deadline in `YYYY-MM-DD` format; the exact deadline is set to noon local time. (default: `""`).
- `minimum_version` specifies the minimum required iPadOS version (default: `""`).

### windows_updates

- `deadline_days` specifies the number of days before Windows installs updates (default: `null`)
- `grace_period_days` specifies the number of days before Windows restarts to install updates (default: `null`)

### macos_settings and windows_settings

- `macos_settings.custom_settings` is a list of paths to macOS configuration profiles (.mobileconfig) or declaration profiles (.json).
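Review bot: the new `windows_updates` bullets say `deadline_days` is "the number of days before Windows installs updates" without stating the point the count starts from (when the update is released, when the host detects it, or when the setting is applied), and the same question applies to `grace_period_days`; readers setting `deadline_days: 5` as in the example above need that reference point to predict when a host will restart. Also, the rewritten macOS `deadline` bullet places the period before the default, `...older macOS versions. (default: ...)`, while the iOS and iPadOS bullets use `; the exact deadline ... local time. (default: ...)`, so align the punctuation across the three.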