Edit configuration profile's labels

[allenhouchins]

• @noahtalerman: User requested this because I want to make sure all my workstations are compliant as per CIS benchmarks. To resolve failing CIS benchmarks, some of these benchmarks require that a configuration profile is installed on the host.
  • @allenhouchins: A user might get promoted and this means they're given different CIS benchmark requirements. In this case, the baseline profiles stays the same but they might be exempt from specific profiles.
  • @noahtalerman: For scoping, the best practice is to use labels.
  • @allenhouchins: I want to be able to edit the scope of a profile.
  • @username: In the interim The user can change labels via GitOps. No way to edit a profile's labels in the UI

  • @username: Eventually TODO

[noahtalerman]

Problem

A number of CIS benchmarks can only be resolved via MDM and the delivery of configuration profiles. Also, as the number of Teams grow in my instance, I need to quickly see if I missed the scoping of a specific setting and be able to quickly resolve it.

What have you tried?

4.58 introduces script execution for policy failure automation which can be used as an alternative, though not as easily or straightforward.

Potential solutions

Allow for the selection of a configuration profile as part of the policy failure automation workflow.

What is the expected workflow as a result of your proposal?

An admin would upload the CIS benchmarks to Fleet, observe a policy failure that can only be addressed via MDM, select that policy through the Manage Automations interface and link it to a configuration profile which results in hosts failing that policy automatically installing the profile.