Fleet gitops directory: Add structure

default.yml

@@ -1,15 +1,15 @@
-# For Fleet Free: 
+# For Fleet Free:
 # - This file updates policies, queries, agent_options, and controls for all hosts.
 
 # For Fleet Premium:
-# - This file updates policies and queries that run on all hosts ("All teams"). 
+# - This file updates policies and queries that run on all hosts ("All teams").
 # - Remove "controls" and add this to your YAML files in teams/ instead.
 
 policies:
 queries:
 agent_options:
   path: ./lib/agent-options.yml
-controls:
+controls: # This cannot be set here and in no-team.yml
 org_settings:
   server_settings:
     server_url: $FLEET_URL

lib/README.md

@@ -11,15 +11,15 @@ This can reduce duplication for policies, scripts, and other config that is the
 ```yaml
 # default.yml
 policies:
-  - path: ./lib/macos-device-health.policies.yml
+  - path: ./lib/macos/policies/macos-device-health.policies.yml
 ```
 
 ##### Queries
 
 ```yaml
 # default.yml
 queries:
-  - path: ./lib/collect-usb-devices.queries.yml
+  - path: ./lib/all/queries/collect-usb-devices.queries.yml
 ```
 
 ##### Scripts
@@ -28,7 +28,7 @@ queries:
 # default.yml
 controls:
   scripts:
-    - path: ./lib/remove-zoom-artifacts.script.sh
+    - path: ./lib/macos/scripts/remove-zoom-artifacts.script.sh
 ```
 
 ##### Agent options
@@ -37,4 +37,4 @@ controls:
 # default.yml
 agent_options:
   path: ./lib/agent-options.yml
-```
+```

lib/collect-usb-devices.queries.yml → lib/all/queries/collect-usb-devices.queries.yml

@@ -4,3 +4,4 @@
   interval: 360 # 6 minutes
   observer_can_run: true
   automations_enabled: false
+  platform: darwin,linux

lib/macos/scripts/install-santa.sh

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+installer -pkg "$INSTALLER_PATH" -target /

lib/macos/scripts/uninstall-santa.sh

@@ -0,0 +1,24 @@
+#!/bin/sh
+
+# Fleet extracts and saves package IDs.
+pkg_ids=(
+  "com.northpolesec.santa"
+)
+
+# For each package id, get all .app folders associated with the package and remove them.
+for pkg_id in "${pkg_ids[@]}"
+do
+  # Get volume and location of the package.
+  volume=$(pkgutil --pkg-info "$pkg_id" | grep -i "volume" | awk '{if (NF>1) print $NF}')
+  location=$(pkgutil --pkg-info "$pkg_id" | grep -i "location" | awk '{if (NF>1) print $NF}')
+  # Check if this package id corresponds to a valid/installed package
+  if [[ ! -z "$volume" ]]; then
+    # Remove individual directories that end with ".app" belonging to the package.
+    # Only process directories that end with ".app" to prevent Fleet from removing top level directories.
+    pkgutil --only-dirs --files "$pkg_id" | grep "\.app$" | sed -e 's@^@'"$volume""$location"'/@' | tr '\n' '\0' | xargs -n 1 -0 rm -rf
+    # Remove receipts
+    pkgutil --forget "$pkg_id"
+  else
+    echo "WARNING: volume is empty for package ID $pkg_id"
+  fi
+done

lib/macos/software/santa.yml

@@ -0,0 +1,6 @@
+# Santa (santa-2025.4.pkg) version 2025.4
+hash_sha256: c3eea21b4724719f6deadbd43ef9e0683bf54eba08ee270cc5057055291313b1
+install_script:
+  path: ../scripts/install-santa.sh
+uninstall_script:
+  path: ../scripts/uninstall-santa.sh

lib/windows/configuration-profiles/passcode-settings-ddm.json

@@ -0,0 +1,10 @@
+{
+    "Type": "com.apple.configuration.passcode.settings",
+    "Identifier": "956e0d14-6019-479b-a6f9-a69ef77668c5",
+    "Payload": {
+        "MaximumFailedAttempts": 10,
+        "MaximumInactivityInMinutes": 5,
+        "MinimumLength": 12,
+        "MinimumComplexCharacters": 1
+    }
+}

lib/windows/scripts/default-exe-install-script.ps1

@@ -0,0 +1,46 @@
+$exeFilePath = "${env:INSTALLER_PATH}"
+
+# Define an array of common silent install parameters to try
+$silentParams = @("/S", "/s", "/silent", "/quiet", "-s", "--silent", "/SILENT", "/VERYSILENT")
+
+$installSuccess = $false
+$finalExitCode = 1  # Default to failure
+
+try {
+    foreach ($param in $silentParams) {
+        Write-Host "Attempting installation with parameter: $param"
+
+        $processOptions = @{
+            FilePath = "$exeFilePath"
+            ArgumentList = "$param"
+            PassThru = $true
+            Wait = $true
+        }
+
+        # Start process and track exit code
+        $process = Start-Process @processOptions
+        $exitCode = $process.ExitCode
+
+        Write-Host "Install exit code: $exitCode"
+
+        # Check if installation was successful (typically exit code 0)
+        if ($exitCode -eq 0) {
+            Write-Host "Installation successful with parameter: $param"
+            $installSuccess = $true
+            $finalExitCode = 0
+            break  # Exit the loop if installation was successful
+        }
+
+        Write-Host "Installation with parameter $param failed. Trying next parameter..."
+    }
+
+    if (-not $installSuccess) {
+        Write-Host "All installation attempts failed."
+    }
+
+    Exit $finalExitCode
+
+} catch {
+    Write-Host "Error: $_"
+    Exit 1
+}

lib/windows/scripts/uninstall-slack.ps1

@@ -0,0 +1,145 @@
+# Fleet extracts name from installer (EXE) and saves it to PACKAGE_ID
+# variable
+$softwareName = "Slack"
+
+# It is recommended to use exact software name here if possible to avoid
+# uninstalling unintended software.
+$softwareNameLike = "*$softwareName*"
+
+# Define an array of common silent uninstall parameters to try
+$silentParams = @("/S", "/s", "/silent", "/quiet", "-s", "--silent", "/SILENT", "/VERYSILENT", "/NORESTART", "-q", "--quiet")
+
+$machineKey = `
+'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
+$machineKey32on64 = `
+'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
+
+$exitCode = 0
+
+try {
+    [array]$uninstallKeys = Get-ChildItem `
+        -Path @($machineKey, $machineKey32on64) `
+        -ErrorAction SilentlyContinue |
+            ForEach-Object { Get-ItemProperty $_.PSPath }
+
+    $foundUninstaller = $false
+    foreach ($key in $uninstallKeys) {
+        # If needed, add -notlike to the comparison to exclude certain similar
+        # software
+        if ($key.DisplayName -like $softwareNameLike) {
+            $foundUninstaller = $true
+            Write-Host "Found software: $($key.DisplayName)"
+
+            # Get the uninstall string without any arguments
+            $baseUninstallCommand = $key.UninstallString
+
+            # The uninstall command may contain command and args, like:
+            # "C:\Program Files\Software\uninstall.exe" --uninstall --silent
+            # Extract just the executable path
+            $splitArgs = $baseUninstallCommand.Split('"')
+            if ($splitArgs.Length -gt 1) {
+                $baseUninstallCommand = $splitArgs[1]
+                # Get any existing arguments
+                $existingArgs = ""
+                if ($splitArgs.Length -ge 3) {
+                    $existingArgs = $splitArgs[2].Trim()
+                }
+            }
+
+            Write-Host "Base uninstall command: $baseUninstallCommand"
+
+            $uninstallSuccess = $false
+
+            # First, try QuietUninstallString if it exists
+            if ($key.QuietUninstallString) {
+                Write-Host "Trying QuietUninstallString: $($key.QuietUninstallString)"
+
+                $processOptions = @{
+                    FilePath = $baseUninstallCommand
+                    PassThru = $true
+                    Wait = $true
+                }
+
+                # Extract arguments from QuietUninstallString if they exist
+                $quietSplitArgs = $key.QuietUninstallString.Split('"')
+                if ($quietSplitArgs.Length -ge 3) {
+                    $quietArgs = $quietSplitArgs[2].Trim()
+                    if ($quietArgs) {
+                        $processOptions.ArgumentList = "$quietArgs"
+                    }
+                }
+
+                # Start process and track exit code
+                $process = Start-Process @processOptions
+                $exitCode = $process.ExitCode
+
+                Write-Host "QuietUninstallString exit code: $exitCode"
+
+                if ($exitCode -eq 0) {
+                    Write-Host "Uninstallation successful with QuietUninstallString"
+                    $uninstallSuccess = $true
+                }
+            }
+
+            # If QuietUninstallString didn't work or doesn't exist, try each silent parameter
+            if (-not $uninstallSuccess) {
+                foreach ($param in $silentParams) {
+                    Write-Host "Attempting uninstallation with parameter: $param"
+
+                    # Combine existing args with silent parameter
+                    $combinedArgs = if ($existingArgs) {
+                        "$existingArgs $param"
+                    } else {
+                        "$param"
+                    }
+
+                    $processOptions = @{
+                        FilePath = "$baseUninstallCommand"
+                        ArgumentList = "$combinedArgs"
+                        PassThru = $true
+                        Wait = $true
+                    }
+
+                    # Start process and track exit code
+                    $process = Start-Process @processOptions
+                    $exitCode = $process.ExitCode
+
+                    Write-Host "Uninstall exit code: $exitCode"
+
+                    # Check if uninstallation was successful (typically exit code 0)
+                    if ($exitCode -eq 0) {
+                        Write-Host "Uninstallation successful with parameter: $param"
+                        $uninstallSuccess = $true
+                        break  # Exit the loop if uninstallation was successful
+                    }
+
+                    Write-Host "Uninstallation with parameter $param failed. Trying next parameter..."
+
+                    # Add a short delay between attempts
+                    Start-Sleep -Seconds 2
+                }
+            }
+
+            if (-not $uninstallSuccess) {
+                Write-Host "All uninstallation attempts failed."
+                $exitCode = 1
+            }
+
+            # Exit the loop once the software is found and uninstallation is attempted
+            break
+        }
+    }
+
+    if (-not $foundUninstaller) {
+        Write-Host "Uninstaller for '$softwareName' not found."
+        # Change exit code to 0 if you don't want to fail if uninstaller is not
+        # found. This could happen if program was already uninstalled.
+        $exitCode = 1
+    }
+
+} catch {
+    Write-Host "Error: $_"
+    $exitCode = 1
+}
+
+Exit $exitCode

lib/windows/software/slack.yml

@@ -0,0 +1,8 @@
+url: https://downloads.slack-edge.com/desktop-releases/windows/x64/4.44.60/SlackSetup.exe
+self_service: true
+labels_include_any:
+  - "x86-based Windows hosts"
+install_script:
+  path: ../scripts/default-exe-install-script.ps1
+uninstall_script:
+  path: ../scripts/uninstall-slack.ps1

teams/no-team.yml

@@ -1,10 +1,10 @@
-# Teams are available in Fleet Premium. 
+# Teams are available in Fleet Premium.
 
 # This file updates policies, controls, and software for hosts assigned to "No team."
 
 # To update queries and agent options for hosts assigned to "No team," use the default.yml file.
 
 name: No team
 policies:
-controls:
+controls: # This cannot be set here and in default.yml
 software:

teams/workstations-canary.yml

@@ -1,26 +1,26 @@
-# Teams are available in Fleet Premium. 
+# Teams are available in Fleet Premium.
 
 # This file updates policies, queries, agent options, controls, and software for hosts assigned to the "Workstations (canary)" team.
 
 # To add another team, create a new file in the teams/ directory and copy and paste the contents from this file.
-# Update the secret in the new file, then create the corresponding secret in GitHub Actions secrets. 
+# Update the secret in the new file, then create the corresponding secret in GitHub Actions secrets.
 # Then add that secret to .github/workflows/workflow.yml as an env variable.
 # The secret name in the YAML file must match the secret name in GitHub Actions secrets.
 
 name: Workstations (canary)
 policies:
-  - path: ../lib/macos-device-health.policies.yml
-  - path: ../lib/windows-device-health.policies.yml
-  - path: ../lib/linux-device-health.policies.yml
+  - path: ../lib/macos/policies/macos-device-health.policies.yml
+  - path: ../lib/windows/policies/windows-device-health.policies.yml
+  - path: ../lib/linux/policies/linux-device-health.policies.yml
 queries:
-  - path: ../lib/collect-usb-devices.queries.yml
-  - path: ../lib/collect-failed-login-attempts.queries.yml
+  - path: ../lib/all/queries/collect-usb-devices.queries.yml
+  - path: ../lib/all/queries/collect-failed-login-attempts.queries.yml
 agent_options:
   path: ../lib/agent-options.yml
 controls:
   scripts:
-    - path: ../lib/remove-zoom-artifacts.script.sh
-    - path: ../lib/set-timezone.script.sh
+    - path: ../lib/macos/scripts/remove-zoom-artifacts.script.sh
+    - path: ../lib/macos/scripts/set-timezone.script.sh
 team_settings:
   secrets:
     - secret: "$FLEET_WORKSTATIONS_CANARY_ENROLL_SECRET"

teams/workstations.yml

@@ -1,26 +1,26 @@
-# Teams are available in Fleet Premium. 
+# Teams are available in Fleet Premium.
 
 # This file updates policies, queries, agent options, controls, and software for hosts assigned to the "Workstations" team.
 
 # To add another team, create a new file in the teams/ directory and copy and paste the contents from this file.
-# Update the secret in the new file, then create the corresponding secret in GitHub Actions secrets. 
+# Update the secret in the new file, then create the corresponding secret in GitHub Actions secrets.
 # Then add that secret to .github/workflows/workflow.yml as an env variable.
 # The secret name in the YAML file must match the secret name in GitHub Actions secrets.
 
 name: Workstations
 policies:
-  - path: ../lib/macos-device-health.policies.yml
-  - path: ../lib/windows-device-health.policies.yml
-  - path: ../lib/linux-device-health.policies.yml
+  - path: ../lib/macos/policies/macos-device-health.policies.yml
+  - path: ../lib/windows/policies/windows-device-health.policies.yml
+  - path: ../lib/linux/policies/linux-device-health.policies.yml
 queries:
-  - path: ../lib/collect-usb-devices.queries.yml
-  - path: ../lib/collect-failed-login-attempts.queries.yml
+  - path: ../lib/all/queries/collect-usb-devices.queries.yml
+  - path: ../lib/all/queries/collect-failed-login-attempts.queries.yml
 agent_options:
   path: ../lib/agent-options.yml
 controls:
   scripts:
-    - path: ../lib/remove-zoom-artifacts.script.sh
-    - path: ../lib/set-timezone.script.sh
+    - path: ../lib/macos/scripts/remove-zoom-artifacts.script.sh
+    - path: ../lib/macos/scripts/set-timezone.script.sh
 team_settings:
   secrets:
     - secret: "$FLEET_WORKSTATIONS_ENROLL_SECRET"