Add controls (configuration profiles/scripts) for policies to fleetdm.com/queries

[sharon-fdm]

Goal

User story
As a system admin with a fleet of hosts,
I want to have the the information of how to remediate failing policies on devices by using either configuration-profiles or scripts on macOS and Windows,
so that I can apply these remediations where needed for the original problems to be corrected.

Key results

This request relates to the quarterly key result, ☯️ "The yin and the yang", where we want fleetdm.com/queries to include the top selected policies and their OS settings.

Original requests

None

Context

• Product designer: @mike-j-thomas
• The Digital experience team is updating fleetdm.com/queries to render these configuration profiles and scripts on the website. Check out the wireframes here.
• @noahtalerman: Jamf's Compliance Editor might help us get started w/ the config profiles and scripts. It looks like you can install the tool from the releases page in GitHub, choose CIS Benchmarks, and generate profiles/scripts for those benchmarks.

Changes

• [ ] Add configuration profiles and scripts: For each policy in the standard query library, add the configuration_profile and/or script that enforces the control (see examples below for formatting)
• [ ] Add policies: For each Windows configuration profile, add it the corresponding a policy in the standard query library. If there's no corresponding policy, add a new one.

Example (configuration_profile):

apiVersion: v1
kind: policy
spec:
  name: Ensure a password is required to wake the computer from sleep or screen saver is enabled
  ...
  configuration_profile: |  
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
      ...
    </plist> 

Example (script):

apiVersion: v1
kind: policy
spec:
  name: Ensure a password is required to wake the computer from sleep or screen saver is enabled
  ...
  script: |  
    #!/bin/bash

    sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "Test Message 1"

[allenhouchins]

The heavy lifting has already been done if we just integrate with this: https://github.com/usnistgov/macos_security

[noahtalerman]

@mike-j-thomas and @sharon-fdm is this a feature request? Do we think we want to dedicate engineering resources to it?

This one ended up in the "New requests" column in the drafting board and it's assigned to Mike Thomas.

I'm not sure what the next steps are...

[sharon-fdm]

Sorry @noahtalerman, I created this for @mike-j-thomas as a skeleton temporary ticket. Please remove any labels so that it's not on your board until it's ready.

[noahtalerman]

@mike-j-thomas heads up, I moved this to the digital experience board.

[mike-j-thomas]

@noahtalerman, I'd like to pass this request back to you. I'm not sure what board it should live on. For context, if you are not already aware, @lukeheath suggested that we enlist help from Engineering to create configuration profiles/scripts for the policies listed on https://fleetdm.com/queries.

Draft for reference: https://www.figma.com/design/3he8e72251IEnF6dBafKq1/%F0%9F%9A%A7-fleetdm.com-(scratchpad)?node-id=15999-37683

[noahtalerman]

Hey @mike-j-thomas happy to help! Can you please schedule 30 mins w/ me?

This request relates to the quarterly goal, ☯️ "The yin and the yang", where we want fleetdm.com/queries to include the top selected policies and their OS settings.

To catchup me up on the vision for the "yin and the yang." During the call, I think we can come up w/ a plan on how we get there.

[noahtalerman]

UPDATE: @noahtalerman: We decided to go w/ the add new script and configuration_profile keys options.

---

UPDATE: @noahtalerman: After thinking about this again, I think the script and configuration_profile option might be easier to build and maintain. It's also clearer. Next steps are hoping on a call w/ @eashaw and @mike-j-thomas to understand level of effort and decide.

---

@mike-j-thomas and I chatted and we think we want to add a new control key that includes the "Create or edit a configuration profile..." text and the configuration profile XML or script Shell/Powershell: standard-query-library.yml`.

What this could look like in standard-query-library.yml:

apiVersion: v1
kind: policy
spec:
  name: Ensure a password is required to wake the computer from sleep or screen saver is enabled
  ...
  control: |  
   Create or edit a configuration profile with the following information:
   ```xml
   <SyncBody>
  <Replace>
    <CmdID>1</CmdID>
    <Item>
      <Target>
        <LocURI>./Device/Vendor/MSFT/Policy/Config/Clipboard/AllowCopyPaste</LocURI>
      </Target>
      <Data>0</Data> <!-- Disable clipboard copy-paste -->
    </Item>
  </Replace>
</SyncBody>
   ```

Other options:

• Do the same but use the existing resolution key. Makes sense to avoid adding another key except,fleetctl preview uses the standard-query-library.yml. The XML would be added to resolutions in the fleetctl preview environments
• Add a new script and configuration_profile key. If script is present, then fleetdm.com knows to render "Create or edit a script..." instead of "Create or edit a configuration profile..." and vice versa. If both configuration_profile and script are present, then both show up on fleetdm.com. This is rare scenario but happens for CIS Benchmarks at least once for the custom login window CIS Benchmark.
• Add new control and control_type keys. For policies that require a script and a profile we could make it so that these are lists.
  • @eashaw: this would make editing the YAML trickier than two separate script and configuration_profile keys.
  • @noahtalerman: What about policies that require many scripts or many configuration profiles? We can always update the one script or one configuration profile to enforce many controls. Apple and Windows MDM protocols allow for many payloads in one profile. Scripts can be customized.

[noahtalerman]

Hey @sharon-fdm, I think this story is now ready for specs. I assigned you and moved it to the "Ready for spec" column.

[noahtalerman]

@noahtalerman: Jamf's Compliance Editor might help us get started w/ the config profiles and scripts. It looks like you can install the tool from the releases page in GitHub, choose CIS Benchmarks, and generate profiles/scripts for those benchmarks.

FYI @sharon-fdm Jamf has a helpful tool for generating profiles/scripts. I added this^ same note to the issue description so that the engineer that works on this story can check that out.

[noahtalerman]

Hey @sharon-fdm it looks like this user story still needs to estimated. I'm leaving this user story in "Specified" for now. Please feel free to move it over once it's fully estimated.

[sharon-fdm]

@noahtalerman, yes, I'm still working on it. It seems we are talking about 44 policies in the page you referred to. Will estimate soon.

[noahtalerman]

Hey @sharon-fdm heads up that I'm going to bring this to Zay to see if we can get the Customer success to take this one. That way we can free up some engineering capacity.