Fleet gitops directory: Add structure

default.yml

@@ -1,15 +1,15 @@
-# For Fleet Free: 
+# For Fleet Free:
 # - This file updates policies, queries, agent_options, and controls for all hosts.
 
 # For Fleet Premium:
-# - This file updates policies and queries that run on all hosts ("All teams"). 
+# - This file updates policies and queries that run on all hosts ("All teams").
 # - Remove "controls" and add this to your YAML files in teams/ instead.
 
 policies:
 queries:
 agent_options:
   path: ./lib/agent-options.yml
-controls:
+controls: # This cannot be set here and in no-team.yml
 org_settings:
   server_settings:
     server_url: $FLEET_URL

lib/README.md

@@ -11,15 +11,15 @@ This can reduce duplication for policies, scripts, and other config that is the
 ```yaml
 # default.yml
 policies:
-  - path: ./lib/macos-device-health.policies.yml
+  - path: ./lib/macos/policies/macos-device-health.policies.yml
 ```
 
 ##### Queries
 
 ```yaml
 # default.yml
 queries:
-  - path: ./lib/collect-usb-devices.queries.yml
+  - path: ./lib/all/queries/collect-usb-devices.queries.yml
 ```
 
 ##### Scripts
@@ -28,7 +28,7 @@ queries:
 # default.yml
 controls:
   scripts:
-    - path: ./lib/remove-zoom-artifacts.script.sh
+    - path: ./lib/macos/scripts/remove-zoom-artifacts.script.sh
 ```
 
 ##### Agent options
@@ -37,4 +37,4 @@ controls:
 # default.yml
 agent_options:
   path: ./lib/agent-options.yml
-```
+```

lib/collect-usb-devices.queries.yml → lib/all/queries/collect-usb-devices.queries.yml

@@ -4,3 +4,4 @@
   interval: 360 # 6 minutes
   observer_can_run: true
   automations_enabled: false
+  platform: darwin,linux

lib/windows/configuration-profiles/passcode-settings-ddm.json

@@ -0,0 +1,10 @@
+{
+    "Type": "com.apple.configuration.passcode.settings",
+    "Identifier": "956e0d14-6019-479b-a6f9-a69ef77668c5",
+    "Payload": {
+        "MaximumFailedAttempts": 10,
+        "MaximumInactivityInMinutes": 5,
+        "MinimumLength": 12,
+        "MinimumComplexCharacters": 1
+    }
+}

teams/no-team.yml

@@ -1,10 +1,10 @@
-# Teams are available in Fleet Premium. 
+# Teams are available in Fleet Premium.
 
 # This file updates policies, controls, and software for hosts assigned to "No team."
 
 # To update queries and agent options for hosts assigned to "No team," use the default.yml file.
 
 name: No team
 policies:
-controls:
+controls: # This cannot be set here and in default.yml
 software:

teams/workstations-canary.yml

@@ -1,26 +1,26 @@
-# Teams are available in Fleet Premium. 
+# Teams are available in Fleet Premium.
 
 # This file updates policies, queries, agent options, controls, and software for hosts assigned to the "Workstations (canary)" team.
 
 # To add another team, create a new file in the teams/ directory and copy and paste the contents from this file.
-# Update the secret in the new file, then create the corresponding secret in GitHub Actions secrets. 
+# Update the secret in the new file, then create the corresponding secret in GitHub Actions secrets.
 # Then add that secret to .github/workflows/workflow.yml as an env variable.
 # The secret name in the YAML file must match the secret name in GitHub Actions secrets.
 
 name: Workstations (canary)
 policies:
-  - path: ../lib/macos-device-health.policies.yml
-  - path: ../lib/windows-device-health.policies.yml
-  - path: ../lib/linux-device-health.policies.yml
+  - path: ../lib/macos/policies/macos-device-health.policies.yml
+  - path: ../lib/windows/policies/windows-device-health.policies.yml
+  - path: ../lib/linux/policies/linux-device-health.policies.yml
 queries:
-  - path: ../lib/collect-usb-devices.queries.yml
-  - path: ../lib/collect-failed-login-attempts.queries.yml
+  - path: ../lib/all/queries/collect-usb-devices.queries.yml
+  - path: ../lib/all/queries/collect-failed-login-attempts.queries.yml
 agent_options:
   path: ../lib/agent-options.yml
 controls:
   scripts:
-    - path: ../lib/remove-zoom-artifacts.script.sh
-    - path: ../lib/set-timezone.script.sh
+    - path: ../lib/macos/scripts/remove-zoom-artifacts.script.sh
+    - path: ../lib/macos/scripts/set-timezone.script.sh
 team_settings:
   secrets:
     - secret: "$FLEET_WORKSTATIONS_CANARY_ENROLL_SECRET"

teams/workstations.yml

@@ -1,26 +1,26 @@
-# Teams are available in Fleet Premium. 
+# Teams are available in Fleet Premium.
 
 # This file updates policies, queries, agent options, controls, and software for hosts assigned to the "Workstations" team.
 
 # To add another team, create a new file in the teams/ directory and copy and paste the contents from this file.
-# Update the secret in the new file, then create the corresponding secret in GitHub Actions secrets. 
+# Update the secret in the new file, then create the corresponding secret in GitHub Actions secrets.
 # Then add that secret to .github/workflows/workflow.yml as an env variable.
 # The secret name in the YAML file must match the secret name in GitHub Actions secrets.
 
 name: Workstations
 policies:
-  - path: ../lib/macos-device-health.policies.yml
-  - path: ../lib/windows-device-health.policies.yml
-  - path: ../lib/linux-device-health.policies.yml
+  - path: ../lib/macos/policies/macos-device-health.policies.yml
+  - path: ../lib/windows/policies/windows-device-health.policies.yml
+  - path: ../lib/linux/policies/linux-device-health.policies.yml
 queries:
-  - path: ../lib/collect-usb-devices.queries.yml
-  - path: ../lib/collect-failed-login-attempts.queries.yml
+  - path: ../lib/all/queries/collect-usb-devices.queries.yml
+  - path: ../lib/all/queries/collect-failed-login-attempts.queries.yml
 agent_options:
   path: ../lib/agent-options.yml
 controls:
   scripts:
-    - path: ../lib/remove-zoom-artifacts.script.sh
-    - path: ../lib/set-timezone.script.sh
+    - path: ../lib/macos/scripts/remove-zoom-artifacts.script.sh
+    - path: ../lib/macos/scripts/set-timezone.script.sh
 team_settings:
   secrets:
     - secret: "$FLEET_WORKSTATIONS_ENROLL_SECRET"