Use gitops with dogfood. (#17098)

#17043

Set up dogfood to use gitops. I copied the current dogfood
configs/policies/queries into the gitops flow.

Successful workflow run:
https://github.com/fleetdm/fleet/actions/runs/8023101797/job/21918883543?pr=17098

---------

Co-authored-by: Noah Talerman <noahtal@umich.edu>

.github/workflows/dogfood-gitops.yml

@@ -0,0 +1,55 @@
+name: 'Apply latest configuration to dogfood with gitops'
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'it-and-security/**'
+      - 'mdm_profiles/**'
+      - '.github/workflows/dogfood-gitops.yml'
+  workflow_dispatch: # allows manual triggering
+
+defaults:
+  run:
+    shell: bash
+
+# Limit permissions of GITHUB_TOKEN.
+permissions:
+  contents: read
+
+jobs:
+  fleet-gitops:
+    timeout-minutes: 5
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout our repository
+        uses: actions/checkout@v4
+
+      - name: Checkout GitOps repository
+        uses: actions/checkout@v4
+        with:
+          repository: fleetdm/fleet-gitops
+          ref: main
+          path: fleet-gitops
+
+      - name: Apply latest configuration to Fleet
+        uses: ./fleet-gitops/.github/gitops-action
+        with:
+          working-directory: ${{ github.workspace }}/fleet-gitops
+        env:
+          FLEET_GITOPS_DIR: ${{ github.workspace }}/it-and-security
+          FLEET_URL: https://dogfood.fleetdm.com
+          FLEET_API_TOKEN: ${{ secrets.DOGFOOD_API_TOKEN }}
+          DOGFOOD_APPLE_BM_DEFAULT_TEAM: Workstations
+          DOGFOOD_MACOS_MIGRATION_WEBHOOK_URL: ${{ secrets.DOGFOOD_MACOS_MIGRATION_WEBHOOK_URL }}
+          DOGFOOD_GLOBAL_ENROLL_SECRET: ${{ secrets.DOGFOOD_GLOBAL_ENROLL_SECRET }}
+          DOGFOOD_SSO_ISSUER_URI: ${{ secrets.DOGFOOD_SSO_ISSUER_URI }}
+          DOGFOOD_SSO_METADATA: ${{ secrets.DOGFOOD_SSO_METADATA }}
+          DOGFOOD_FAILING_POLICIES_WEBHOOK_URL: ${{ secrets.DOGFOOD_FAILING_POLICIES_WEBHOOK_URL }}
+          DOGFOOD_VULNERABILITIES_WEBHOOK_URL: ${{ secrets.DOGFOOD_VULNERABILITIES_WEBHOOK_URL }}
+          DOGFOOD_WORKSTATIONS_ENROLL_SECRET: ${{ secrets.DOGFOOD_WORKSTATIONS_ENROLL_SECRET }}
+          DOGFOOD_WORKSTATIONS_CANARY_ENROLL_SECRET: ${{ secrets.DOGFOOD_WORKSTATIONS_CANARY_ENROLL_SECRET }}
+          DOGFOOD_SERVERS_ENROLL_SECRET: ${{ secrets.DOGFOOD_SERVERS_ENROLL_SECRET }}
+          DOGFOOD_SERVERS_CANARY_ENROLL_SECRET: ${{ secrets.DOGFOOD_SERVERS_CANARY_ENROLL_SECRET }}
+          DOGFOOD_EXPLORE_DATA_ENROLL_SECRET: ${{ secrets.DOGFOOD_EXPLORE_DATA_ENROLL_SECRET }}

.github/workflows/example-workflow.yaml

@@ -1,44 +0,0 @@
-# This workflow applies the latest configuration profiles (macOS settings) and macOS updates minimum version and deadline to the provided team.
-name: Apply latest configuration profiles (example)
-on:
-  push:
-    branches:
-      - main
-    paths:
-      - "path/to/**.mobileconfig"
-  workflow_dispatch: # Manual
-
-# This allows a subsequently queued workflow run to interrupt previous runs
-concurrency:
-  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}}
-  cancel-in-progress: true
-
-defaults:
-  run:
-    # fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
-    shell: bash
-
-permissions:
-  contents: read
-
-env:
-  FLEET_API_TOKEN: ${{ secrets.DOGFOOD_API_TOKEN }}
-  FLEET_URL: ${{ secrets.DOGFOOD_URL }}
-  TOKEN_USED_BY_PROFILE: ${{ secrets.TOKEN_USED_BY_PROFILE }}
-
-jobs:
-  apply-profiles:
-    timeout-minutes: 5
-    runs-on: ubuntu-latest
-    steps:
-      - name: Apply configuration profiles and updates
-        uses: fleetdm/fleet-mdm-gitops@15072f2739ef92c6357414ddd86e89b6bf302a2b
-        with:
-          FLEET_API_TOKEN: $FLEET_API_TOKEN
-          FLEET_URL: $FLEET_URL
-          FLEET_TEAM_NAME: 💻🐣 Workstations (canary)
-          MDM_CONFIG_REPO: fleetdm/fleet
-          MDM_CONFIG_DIRECTORY: mdm_profiles
-          MAC_OS_MIN_VERSION: 13.3.2
-          MAC_OS_VERSION_DEADLINE: 2023-06-15
-          MAC_OS_ENABLE_DISK_ENCRYPTION: true

.github/workflows/fleetctl-workstations-canary.yml

@@ -1,49 +0,0 @@
-# This workflow applies the latest configuration profiles (macOS settings) and macOS updates minimum version and deadline to the workstations (canary) team.
-# It uses a fleet instance also built and executed from source.
-#
-# It runs automatically when a file is changed in /mdm_profiles.
-name: Apply latest configuration profiles and macOS updates (Canary)
-
-on:
-  push:
-    branches:
-      - main
-    paths:
-      - "mdm_profiles/**.mobileconfig"
-      - ".github/workflows/fleetctl-workstations-canary.yml"
-  workflow_dispatch: # Manual
-
-# This allows a subsequently queued workflow run to interrupt previous runs
-concurrency:
-  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}}
-  cancel-in-progress: true
-
-defaults:
-  run:
-    # fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
-    shell: bash
-
-permissions:
-  contents: read
-
-env:
-  DOGFOOD_API_TOKEN: ${{ secrets.DOGFOOD_API_TOKEN }}
-  DOGFOOD_URL: ${{ secrets.DOGFOOD_URL }}
-  CLOUD_MANAGEMENT_ENROLLMENT_TOKEN: ${{ secrets.CLOUD_MANAGEMENT_ENROLLMENT_TOKEN }}
-
-jobs:
-  apply-profiles:
-    timeout-minutes: 5
-    runs-on: ubuntu-latest
-    steps:
-      - name: Apply configuration profiles and updates
-        uses: fleetdm/fleet-mdm-gitops@15072f2739ef92c6357414ddd86e89b6bf302a2b # v1.1.0
-        with:
-          FLEET_API_TOKEN: $DOGFOOD_API_TOKEN
-          FLEET_URL: $DOGFOOD_URL
-          FLEET_TEAM_NAME: 💻🐣 Workstations (canary)
-          MDM_CONFIG_REPO: fleetdm/fleet
-          MDM_CONFIG_DIRECTORY: mdm_profiles
-          MAC_OS_MIN_VERSION: "14.2"
-          MAC_OS_VERSION_DEADLINE: 2023-12-15
-          MAC_OS_ENABLE_DISK_ENCRYPTION: true

.github/workflows/fleetctl-workstations.yml

@@ -1,49 +0,0 @@
-# This workflow applies the latest configuration profiles (macOS settings) and macOS updates minimum version and deadline to the workstations team.
-# It uses a Fleet instance also built and executed from source.
-#
-# It runs when the GitHub action is triggered manually
-name: Apply latest configuration profiles and macOS updates
-
-on:
-  push:
-    branches:
-      - main
-    paths:
-      - "mdm_profiles/**.mobileconfig"
-      - ".github/workflows/fleetctl-workstations.yml"
-  workflow_dispatch: # Manual
-
-# This allows a subsequently queued workflow run to interrupt previous runs
-concurrency:
-  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}}
-  cancel-in-progress: true
-
-defaults:
-  run:
-    # fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
-    shell: bash
-
-permissions:
-  contents: read
-
-env:
-  DOGFOOD_API_TOKEN: ${{ secrets.DOGFOOD_API_TOKEN }}
-  DOGFOOD_URL: ${{ secrets.DOGFOOD_URL }}
-  CLOUD_MANAGEMENT_ENROLLMENT_TOKEN: ${{ secrets.CLOUD_MANAGEMENT_ENROLLMENT_TOKEN }}
-
-jobs:
-  apply-profiles:
-    timeout-minutes: 5
-    runs-on: ubuntu-latest
-    steps:
-      - name: Apply configuration profiles and updates
-        uses: fleetdm/fleet-mdm-gitops@15072f2739ef92c6357414ddd86e89b6bf302a2b # v1.1.0
-        with:
-          FLEET_API_TOKEN: $DOGFOOD_API_TOKEN
-          FLEET_URL: $DOGFOOD_URL
-          FLEET_TEAM_NAME: 💻 Workstations
-          MDM_CONFIG_REPO: fleetdm/fleet
-          MDM_CONFIG_DIRECTORY: mdm_profiles
-          MAC_OS_MIN_VERSION: "14.2"
-          MAC_OS_VERSION_DEADLINE: 2023-12-19
-          MAC_OS_ENABLE_DISK_ENCRYPTION: true

it-and-security/default.yml

@@ -0,0 +1,86 @@
+agent_options:
+  path: ./lib/agent-options.yml
+controls:
+  enable_disk_encryption: true
+  macos_migration:
+    enable: true
+    mode: voluntary
+    webhook_url: $DOGFOOD_MACOS_MIGRATION_WEBHOOK_URL
+  macos_settings:
+    custom_settings: null
+  macos_setup:
+    bootstrap_package: ""
+    enable_end_user_authentication: false
+    macos_setup_assistant: null
+  macos_updates:
+    deadline: "2023-06-13"
+    minimum_version: 13.4.1
+  windows_enabled_and_configured: true
+  windows_settings:
+    custom_settings: []
+  windows_updates:
+    deadline_days: 3
+    grace_period_days: 2
+  scripts: []
+org_settings:
+  features:
+    enable_host_users: true
+    enable_software_inventory: true
+  fleet_desktop:
+    transparency_url: https://fleetdm.com/transparency
+  host_expiry_settings:
+    host_expiry_enabled: false
+    host_expiry_window: 7
+  integrations:
+    jira: [ ]
+    zendesk: [ ]
+  mdm:
+    apple_bm_default_team: $DOGFOOD_APPLE_BM_DEFAULT_TEAM
+  org_info:
+    contact_url: https://fleetdm.com/company/contact
+    org_logo_url: ""
+    org_logo_url_light_background: ""
+    org_name: Fleet Device Management
+  secrets:
+    - secret: $DOGFOOD_GLOBAL_ENROLL_SECRET
+  server_settings:
+    debug_host_ids:
+      - 1
+      - 3
+    deferred_save_host: false
+    enable_analytics: true
+    live_query_disabled: false
+    query_reports_disabled: false
+    scripts_disabled: false
+    server_url: https://dogfood.fleetdm.com
+  sso_settings:
+    enable_jit_provisioning: true
+    enable_jit_role_sync: false
+    enable_sso: true
+    enable_sso_idp_login: false
+    entity_id: dogfood.fleetdm.com
+    idp_image_url: ""
+    idp_name: Google
+    issuer_uri: $DOGFOOD_SSO_ISSUER_URI
+    metadata: |-
+      $DOGFOOD_SSO_METADATA
+    metadata_url: ""
+  webhook_settings:
+    failing_policies_webhook:
+      destination_url: $DOGFOOD_FAILING_POLICIES_WEBHOOK_URL
+      enable_failing_policies_webhook: true
+      host_batch_size: 0
+      policy_ids: []
+    host_status_webhook:
+      days_count: 1
+      destination_url: ""
+      enable_host_status_webhook: false
+      host_percentage: 25
+    interval: 1m0s
+    vulnerabilities_webhook:
+      destination_url: $DOGFOOD_VULNERABILITIES_WEBHOOK_URL
+      enable_vulnerabilities_webhook: true
+      host_batch_size: 0
+policies:
+queries:
+  - path: ./lib/collect-fleetd-update-channels.queries.yml

it-and-security/lib/agent-options.yml

@@ -0,0 +1,13 @@
+config:
+  decorators:
+    load:
+      - SELECT uuid AS host_uuid FROM system_info;
+      - SELECT hostname AS hostname FROM system_info;
+  options:
+    disable_distributed: false
+    distributed_interval: 10
+    distributed_plugin: tls
+    distributed_tls_max_attempts: 3
+    logger_tls_endpoint: /api/osquery/log
+    logger_tls_period: 10
+    pack_delimiter: /

it-and-security/lib/collect-failed-login-attempts.queries.yml

@@ -0,0 +1,14 @@
+- name: Collect failed login attempts
+  automations_enabled: true
+  description: Lists the users at least one failed login attempt and timestamp of
+    failed login. Number of failed login attempts reset to zero after a user successfully
+    logs in.
+  discard_data: false
+  interval: 300
+  logging: snapshot
+  min_osquery_version: ""
+  observer_can_run: false
+  platform: ""
+  query: SELECT users.username, account_policy_data.failed_login_count, account_policy_data.failed_login_timestamp
+    FROM users INNER JOIN account_policy_data using (uid) WHERE account_policy_data.failed_login_count
+    > 0;

it-and-security/lib/collect-fleetd-logs.sh

@@ -0,0 +1,7 @@
+cp /var/log/orbit/orbit.stderr.log ~/Library/Logs/Fleet/fleet-desktop.log /Users/Shared
+
+echo "Successfully copied fleetd logs to the /Users/Shared folder."
+
+echo "To retrieve logs, ask the end user to open Finder and in the menu bar select Go > Go to Folder."
+
+echo "Then, ask the end user to type in /Users/Shared, press Return, and locate orbit.stderr.log (Orbit logs) and fleet-desktop.log (Fleet Desktop logs) files."

it-and-security/lib/collect-fleetd-update-channels.queries.yml

@@ -0,0 +1,7 @@
+- name: Collect fleetd update channels
+  description: "Collects the update channels for all fleetd components: osquery, Orbit, and Fleet Desktop. To see which version number each channel is on, ask in #help-engineering."
+  query: SELECT desktop_channel, orbit_channel, osqueryd_channel FROM orbit_info;
+  interval: 300 # 5 minutes
+  observer_can_run: true
+  automations_enabled: false
+  platform: darwin,linux,windows

it-and-security/lib/collect-usb-devices.queries.yml

@@ -0,0 +1,10 @@
+- name: Collect USB devices
+  automations_enabled: false
+  description: Collects the USB devices that are currently connected to macOS and Linux hosts.
+  discard_data: false
+  interval: 300
+  logging: snapshot
+  min_osquery_version: ""
+  observer_can_run: true
+  platform: ""
+  query: SELECT model, vendor FROM usb_devices;

it-and-security/lib/collect-vs-code-extensions.queries.yml

@@ -0,0 +1,12 @@
+- name: Collect Visual Studio (VS) Code extensions
+  automations_enabled: false
+  description: Collects the name, publisher, and version of the VS Code extensions
+    installed on hosts.
+  discard_data: false
+  interval: 3600
+  logging: snapshot
+  min_osquery_version: ""
+  observer_can_run: false
+  platform: ""
+  query: SELECT extension.name, extension.publisher, extension.version FROM users
+    JOIN vscode_extensions extension USING (uid);

it-and-security/lib/linux-device-health.policies.yml

@@ -0,0 +1,6 @@
+- name: Linux - Enable disk encryption
+  query: SELECT 1 FROM disk_encryption WHERE encrypted=1 AND name LIKE '/dev/dm-1';
+  critical: false
+  description: This policy checks if disk encryption is enabled.
+  resolution: As an IT admin, deploy an image that includes disk encryption.
+  platform: linux

it-and-security/lib/macos-device-health.policies.yml

@@ -0,0 +1,55 @@
+- name: macOS - Enable FileVault
+  query: SELECT 1 FROM filevault_status WHERE status = 'FileVault is On.';
+  critical: false
+  description: This policy checks if FileVault (disk encryption) is enabled.
+  resolution: As an IT admin, turn on disk encryption in Fleet.
+  platform: darwin
+- name: macOS - Enable Firewall
+  query: SELECT 1 FROM managed_policies WHERE domain='com.apple.security.firewall' AND username = '' AND name='EnableFirewall' AND CAST(value AS INT) = 1;
+  critical: false
+  description: This policy checks if Firewall is enabled.
+  resolution: An an IT admin, deploy a macOS, Firewall profile with the EnableFirewall option set to true.
+  platform: darwin
+- name: macOS - Disable guest account
+  query: SELECT 1 FROM managed_policies WHERE domain='com.apple.loginwindow' AND username = '' AND name='DisableGuestAccount' AND CAST(value AS INT) = 1;
+  critical: false
+  description: This policy checks if the guest account is disabled.
+  resolution: An an IT admin, deploy a macOS, login window profile with the DisableGuestAccount option set to true.
+  platform: darwin
+- name: macOS - Require 10 character password
+  query: SELECT 1 WHERE 
+    EXISTS (
+      SELECT 1 FROM managed_policies WHERE 
+        domain='com.apple.screensaver' AND 
+        name='askForPassword' AND 
+        CAST(value AS INT)
+    ) 
+    AND EXISTS (
+      SELECT 1 FROM managed_policies WHERE 
+        domain='com.apple.screensaver' AND 
+        name='minLength' AND 
+        CAST(value AS INT) <= 10
+    );
+  critical: false
+  description: This policy checks if the end user is required to enter a password, with at least 10 characters, to unlock the host.
+  resolution: An an IT admin, deploy a macOS, screensaver profile with the askForPassword option set to true and minLength option set to 10.
+  platform: darwin
+- name: macOS - Enable screen saver after 20 minutes
+  query: SELECT 1 WHERE 
+    EXISTS (
+      SELECT 1 FROM managed_policies WHERE 
+        domain='com.apple.screensaver' AND 
+        name='idleTime' AND 
+        CAST(value AS INT) <= 1200 AND 
+        username = ''
+    ) 
+    AND NOT EXISTS (
+        SELECT 1 FROM managed_policies WHERE 
+        domain='com.apple.screensaver' AND 
+        name='idleTime' AND 
+        CAST(value AS INT) > 1200
+    );
+  critical: false
+  description: This policy checks if maximum amount of time (in minutes) the device is allowed to sit idle before the screen is locked. End users can select any value less than the specified maximum.
+  resolution: An an IT admin, deploy a macOS, screen saver profile with the maxInactivity option set to 20 minutes.
+  platform: darwin

it-and-security/lib/macos-see-automatic-enrollment-profile.sh

@@ -0,0 +1 @@
+profiles show -type enrollment

it-and-security/lib/servers.agent-options.yml

@@ -0,0 +1,13 @@
+config:
+  decorators:
+    load:
+      - SELECT uuid AS host_uuid FROM system_info;
+      - SELECT hostname AS hostname FROM system_info;
+  options:
+    disable_distributed: false
+    distributed_interval: 10
+    distributed_plugin: tls
+    distributed_tls_max_attempts: 3
+    logger_tls_endpoint: /api/osquery/log
+    logger_tls_period: 10
+    pack_delimiter: /

it-and-security/lib/windows-device-health.policies.yml

@@ -0,0 +1,24 @@
+- name: Windows - Enable screen saver after 20 minutes
+  query: SELECT 1 FROM mdm_bridge where mdm_command_input = "<SyncBody><Get><CmdID>1</CmdID><Item><Target><LocURI>./Device/Vendor/MSFT/Policy/Result/DeviceLock/MaxInactivityTimeDeviceLock</LocURI></Target></Item></Get></SyncBody>" and CAST(mdm_command_output AS INT) <= 20;
+  critical: false
+  description: This policy checks if maximum amount of time (in minutes) the device is allowed to sit idle before the screen is locked. End users can select any value less than the specified maximum.
+  resolution: "As an IT admin, to deploy a Windows profile with the MaxInactivityTimeDeviceLock option documented here: https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-devicelock#maxinactivitytimedevicelock"
+  platform: windows
+- name: Windows - Enable BitLocker
+  query: SELECT * FROM bitlocker_info WHERE drive_letter='C:' AND protection_status = 1;
+  critical: false
+  description: As an IT admin, turn on disk encryption in Fleet.
+  resolution: Ask your system administrator to turn on disk encryption in Fleet
+  platform: windows
+- name: Windows - Disable guest account
+  query: SELECT 1 FROM mdm_bridge where mdm_command_input = "<SyncBody><Get><CmdID>1</CmdID><Item><Target><LocURI>./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus</LocURI></Target></Item></Get></SyncBody>" and CAST(mdm_command_output AS INT) = 0;
+  critical: false
+  description: This policy checks if the guest account is disabled. The Guest account allows unauthenticated network users to gain access to the system.
+  resolution: "As an IT admin, deploy a Windows profile with the Accounts_EnableGuestAccountStatus option documented here: https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#accounts_enableguestaccountstatus"
+  platform: windows
+- name: Windows - Require 10 character password
+  query: SELECT 1 FROM mdm_bridge where mdm_command_input = "<SyncBody><Get><CmdID>1</CmdID><Item><Target><LocURI>./Device/Vendor/MSFT/Policy/Result/DeviceLock/DevicePasswordEnabled</LocURI></Target></Item></Get></SyncBody>" and CAST(mdm_command_output AS INT) = 0;
+  critical: false
+  description: This policy checks if the end user is required to enter a password, with at least 10 characters, to unlock the host.
+  resolution: "As an IT admin, deploy a Windows profile with the DevicePasswordEnabled and MinDevicePasswordLength option documented here: https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-devicelock"
+  platform: windows

it-and-security/lib/windows-remove-fleetd.ps1

@@ -0,0 +1,110 @@
+function Test-Administrator  
+{  
+    [OutputType([bool])]
+    param()
+    process {
+        [Security.Principal.WindowsPrincipal]$user = [Security.Principal.WindowsIdentity]::GetCurrent();
+        return $user.IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator);
+    }
+}
+
+# borrowed from Jeffrey Snover http://blogs.msdn.com/powershell/archive/2006/12/07/resolve-error.aspx
+function Resolve-Error-Detailed($ErrorRecord = $Error[0]) {
+  $error_message = "========== ErrorRecord:{0}ErrorRecord.InvocationInfo:{1}Exception:{2}"
+  $formatted_errorRecord = $ErrorRecord | format-list * -force | out-string
+  $formatted_invocationInfo = $ErrorRecord.InvocationInfo | format-list * -force | out-string
+  $formatted_exception = ""
+  $Exception = $ErrorRecord.Exception
+  for ($i = 0; $Exception; $i++, ($Exception = $Exception.InnerException)) {
+    $formatted_exception += ("$i" * 70) + "-----"
+    $formatted_exception += $Exception | format-list * -force | out-string
+    $formatted_exception += "-----"
+  }
+
+  return $error_message -f $formatted_errorRecord, $formatted_invocationInfo, $formatted_exception
+}
+
+#Stops Orbit service and related processes
+function Stop-Orbit {
+
+  # Stop Service
+  Stop-Service -Name "Fleet osquery" -ErrorAction "Continue"
+  Start-Sleep -Milliseconds 1000
+
+  # Ensure that no process left running
+  Get-Process -Name "orbit" -ErrorAction "SilentlyContinue" | Stop-Process -Force
+  Get-Process -Name "osqueryd" -ErrorAction "SilentlyContinue" | Stop-Process -Force
+  Get-Process -Name "fleet-desktop" -ErrorAction "SilentlyContinue" | Stop-Process -Force
+  Start-Sleep -Milliseconds 1000
+}
+
+#Remove Orbit footprint from registry and disk
+function Force-Remove-Orbit {
+
+  try {
+
+    #Stoping Orbit
+    Stop-Orbit
+
+    #Remove Service
+    $service = Get-WmiObject -Class Win32_Service -Filter "Name='Fleet osquery'"
+    if ($service) {
+      $service.delete() | Out-Null
+    }
+
+    #Removing Program files entries
+    $targetPath = $Env:Programfiles + "\\Orbit"
+    Remove-Item -LiteralPath $targetPath -Force -Recurse -ErrorAction "Continue"
+
+    #Remove HKLM registry entries
+    Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" -Recurse  -ErrorAction "SilentlyContinue" |  Where-Object {($_.ValueCount -gt 0)} | ForEach-Object {
+      
+      # Filter for osquery entries
+      $properties = Get-ItemProperty $_.PSPath  -ErrorAction "SilentlyContinue" |  Where-Object {($_.DisplayName -eq "Fleet osquery")}     
+      if ($properties) {
+      
+        #Remove Registry Entries
+        $regKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\" + $_.PSChildName
+
+        Get-Item $regKey -ErrorAction "SilentlyContinue" | Remove-Item -Force -ErrorAction "SilentlyContinue"
+
+        return
+      }
+    }
+  }
+  catch { 
+    Write-Host "There was a problem running Force-Remove-Orbit"
+    Write-Host "$(Resolve-Error-Detailed)"
+    return $false
+  }
+  
+  return $true
+}
+
+function Main {
+
+  try {
+    # Is Administrator check
+    if (-not (Test-Administrator)) {
+      Write-Host "Please run this script with adming privileges."
+      Exit -1
+    }
+
+    Write-Host "About to uninstall fleetd..."
+
+    if (Force-Remove-Orbit) {
+        Write-Host "fleetd was uninstalled."
+        Exit 0
+    } else {
+        Write-Host "There was a problem uninstalling fleetd."
+        Exit -1
+    }
+
+  } catch {
+    Write-Host "Errorr: Entry point"  
+    Write-Host "$(Resolve-Error-Detailed)"
+    Exit -1
+  }
+}
+
+$null = Main

it-and-security/lib/windows-turn-off-mdm.ps1

@@ -0,0 +1,27 @@
+Add-Type -TypeDefinition @"
+using System;
+using System.Runtime.InteropServices;
+
+public class MdmRegistration
+{
+    [DllImport("mdmregistration.dll", SetLastError = true)]
+    public static extern int UnregisterDeviceWithManagement(IntPtr pDeviceID);
+
+    public static int UnregisterDevice()
+    {
+        return UnregisterDeviceWithManagement(IntPtr.Zero);
+    }
+}
+"@ -Language CSharp
+
+try {
+    $result = [MdmRegistration]::UnregisterDevice()
+
+    if ($result -ne 0) {
+        throw "UnregisterDeviceWithManagement failed with error code: $result"
+    }
+
+    Write-Host "Device unregistration called successfully."
+} catch {
+    Write-Error "Error calling UnregisterDeviceWithManagement: $_"
+}

it-and-security/teams/explore-data.yml

@@ -0,0 +1,43 @@
+name: "Explore data (fleetdm.com) [DO NOT DELETE]"
+team_settings:
+  features:
+    enable_host_users: true
+    enable_software_inventory: true
+  host_expiry_settings:
+    host_expiry_enabled: false
+    host_expiry_window: 0
+  secrets:
+    - secret: $DOGFOOD_EXPLORE_DATA_ENROLL_SECRET
+agent_options:
+  config:
+    decorators:
+      load:
+        - SELECT uuid AS host_uuid FROM system_info;
+        - SELECT hostname AS hostname FROM system_info;
+    options:
+      disable_distributed: false
+      distributed_interval: 5
+      distributed_plugin: tls
+      distributed_tls_max_attempts: 3
+      logger_tls_endpoint: /api/v1/osquery/log
+      pack_delimiter: /
+controls:
+  enable_disk_encryption: false
+  macos_settings:
+    custom_settings:
+  macos_setup:
+    bootstrap_package: null
+    enable_end_user_authentication: false
+    macos_setup_assistant: null
+  macos_updates:
+    deadline: null
+    minimum_version: null
+  windows_settings:
+    custom_settings: null
+  windows_updates:
+    deadline_days: null
+    grace_period_days: null
+  scripts:
+policies:
+queries:
+  - path: ../lib/explore-data.queries.yml

it-and-security/teams/servers-canary.yml

@@ -0,0 +1,31 @@
+name: "Servers (canary)"
+team_settings:
+  features:
+    enable_host_users: false
+    enable_software_inventory: false
+  host_expiry_settings:
+    host_expiry_enabled: false
+    host_expiry_window: 0
+  secrets:
+    - secret: $DOGFOOD_SERVERS_CANARY_ENROLL_SECRET
+agent_options:
+  path: ../lib/servers.agent-options.yml
+controls:
+  enable_disk_encryption: false
+  macos_settings:
+    custom_settings:
+  macos_setup:
+    bootstrap_package: null
+    enable_end_user_authentication: false
+    macos_setup_assistant: null
+  macos_updates:
+    deadline: null
+    minimum_version: null
+  windows_settings:
+    custom_settings: null
+  windows_updates:
+    deadline_days: null
+    grace_period_days: null
+  scripts:
+policies:
+queries:

it-and-security/teams/servers.yml

@@ -0,0 +1,31 @@
+name: "Servers"
+team_settings:
+  features:
+    enable_host_users: true
+    enable_software_inventory: true
+  host_expiry_settings:
+    host_expiry_enabled: false
+    host_expiry_window: 0
+  secrets:
+    - secret: $DOGFOOD_SERVERS_ENROLL_SECRET
+agent_options:
+  path: ../lib/servers.agent-options.yml
+controls:
+  enable_disk_encryption: false
+  macos_settings:
+    custom_settings:
+  macos_setup:
+    bootstrap_package: null
+    enable_end_user_authentication: false
+    macos_setup_assistant: null
+  macos_updates:
+    deadline: null
+    minimum_version: null
+  windows_settings:
+    custom_settings: null
+  windows_updates:
+    deadline_days: null
+    grace_period_days: null
+  scripts:
+policies:
+queries:

it-and-security/teams/workstations-canary.yml

@@ -0,0 +1,68 @@
+name: "Workstations (canary)"
+team_settings:
+  features:
+    enable_host_users: true
+    enable_software_inventory: true
+  host_expiry_settings:
+    host_expiry_enabled: false
+    host_expiry_window: 0
+  secrets:
+    - secret: $DOGFOOD_WORKSTATIONS_CANARY_ENROLL_SECRET
+agent_options:
+  path: ../lib/agent-options.yml
+controls:
+  enable_disk_encryption: true
+  macos_settings:
+    custom_settings:
+      - path: ../../mdm_profiles/automatic_updates.mobileconfig
+      - path: ../../mdm_profiles/chrome_enrollment.mobileconfig
+      - path: ../../mdm_profiles/disable_bluetooth_file_sharing.mobileconfig
+      - path: ../../mdm_profiles/disable_content_caching.mobileconfig
+      - path: ../../mdm_profiles/disable_guest_account.mobileconfig
+      - path: ../../mdm_profiles/disable_guest_shares.mobileconfig
+      - path: ../../mdm_profiles/disable_internet_sharing.mobileconfig
+      - path: ../../mdm_profiles/disable_media_sharing.mobileconfig
+      - path: ../../mdm_profiles/disable_safari_safefiles.mobileconfig
+      - path: ../../mdm_profiles/enable_doh.mobileconfig
+      - path: ../../mdm_profiles/enable_firewall_logging.mobileconfig
+      - path: ../../mdm_profiles/enable_gatekeeper.mobileconfig
+      - path: ../../mdm_profiles/enforce_library_validation.mobileconfig
+      - path: ../../mdm_profiles/firewall.mobileconfig
+      - path: ../../mdm_profiles/full_disk_access_for_orbit.mobileconfig
+      - path: ../../mdm_profiles/limit_ad_tracking.mobileconfig
+      - path: ../../mdm_profiles/misc.mobileconfig
+      - path: ../../mdm_profiles/password_policy.mobileconfig
+      - path: ../../mdm_profiles/prevent_autologon.mobileconfig
+      - path: ../../mdm_profiles/secure_terminal_keyboard.mobileconfig
+      - path: ../../mdm_profiles/time_and_date.mobileconfig
+  macos_setup:
+    bootstrap_package: ""
+    enable_end_user_authentication: true
+    macos_setup_assistant: null
+  macos_updates:
+    deadline: "2023-12-15"
+    minimum_version: "14.2"
+  windows_settings:
+    custom_settings: null
+  windows_updates:
+    deadline_days: 7
+    grace_period_days: 2
+  scripts:
+    - path: ../lib/collect-fleetd-logs.sh
+    - path: ../lib/macos-see-automatic-enrollment-profile.sh
+    - path: ../lib/windows-remove-fleetd.ps1
+    - path: ../lib/windows-turn-off-mdm.ps1
+policies:
+  - path: ../lib/macos-device-health.policies.yml
+  - path: ../lib/windows-device-health.policies.yml
+  - path: ../lib/linux-device-health.policies.yml
+  - name: chromeOS/macOS - Screenlock enabled
+    query: SELECT 1 FROM screenlock WHERE enabled = 1;
+    critical: false
+    description: ""
+    resolution: ""
+    platform: darwin,chrome
+queries:
+  - path: ../lib/collect-failed-login-attempts.queries.yml
+  - path: ../lib/collect-usb-devices.queries.yml
+  - path: ../lib/collect-vs-code-extensions.queries.yml

it-and-security/teams/workstations.yml

@@ -0,0 +1,62 @@
+name: "Workstations"
+team_settings:
+  features:
+    enable_host_users: true
+    enable_software_inventory: true
+  host_expiry_settings:
+    host_expiry_enabled: false
+    host_expiry_window: 0
+  secrets:
+    - secret: $DOGFOOD_WORKSTATIONS_ENROLL_SECRET
+agent_options:
+  path: ../lib/agent-options.yml
+controls:
+  enable_disk_encryption: true
+  macos_settings:
+    custom_settings:
+      - path: ../../mdm_profiles/automatic_updates.mobileconfig
+      - path: ../../mdm_profiles/chrome_enrollment.mobileconfig
+      - path: ../../mdm_profiles/disable_bluetooth_file_sharing.mobileconfig
+      - path: ../../mdm_profiles/disable_content_caching.mobileconfig
+      - path: ../../mdm_profiles/disable_guest_account.mobileconfig
+      - path: ../../mdm_profiles/disable_guest_shares.mobileconfig
+      - path: ../../mdm_profiles/disable_internet_sharing.mobileconfig
+      - path: ../../mdm_profiles/disable_media_sharing.mobileconfig
+      - path: ../../mdm_profiles/disable_safari_safefiles.mobileconfig
+      - path: ../../mdm_profiles/enable_doh.mobileconfig
+      - path: ../../mdm_profiles/enable_firewall_logging.mobileconfig
+      - path: ../../mdm_profiles/enable_gatekeeper.mobileconfig
+      - path: ../../mdm_profiles/enforce_library_validation.mobileconfig
+      - path: ../../mdm_profiles/firewall.mobileconfig
+      - path: ../../mdm_profiles/full_disk_access_for_orbit.mobileconfig
+      - path: ../../mdm_profiles/limit_ad_tracking.mobileconfig
+      - path: ../../mdm_profiles/misc.mobileconfig
+      - path: ../../mdm_profiles/password_policy.mobileconfig
+      - path: ../../mdm_profiles/prevent_autologon.mobileconfig
+      - path: ../../mdm_profiles/secure_terminal_keyboard.mobileconfig
+      - path: ../../mdm_profiles/time_and_date.mobileconfig
+  macos_setup:
+    bootstrap_package: ""
+    enable_end_user_authentication: true
+    macos_setup_assistant: null
+  macos_updates:
+    deadline: "2023-12-19"
+    minimum_version: "14.2"
+  windows_settings:
+    custom_settings: null
+  windows_updates:
+    deadline_days: 7
+    grace_period_days: 2
+  scripts:
+    - path: ../lib/collect-fleetd-logs.sh
+    - path: ../lib/macos-see-automatic-enrollment-profile.sh
+    - path: ../lib/windows-remove-fleetd.ps1
+    - path: ../lib/windows-turn-off-mdm.ps1
+policies:
+  - path: ../lib/macos-device-health.policies.yml
+  - path: ../lib/windows-device-health.policies.yml
+  - path: ../lib/linux-device-health.policies.yml
+queries:
+  - path: ../lib/collect-failed-login-attempts.queries.yml
+  - path: ../lib/collect-usb-devices.queries.yml
+  - path: ../lib/collect-vs-code-extensions.queries.yml