From 1746f020c7ea2c5f768273f940f6a4daf9f1ff27 Mon Sep 17 00:00:00 2001
From: Drew Baker <89049099+Drew-P-drawers@users.noreply.github.com>
Date: Fri, 31 May 2024 17:45:18 -0400
Subject: [PATCH] move min mac os required policy (#19431)

Adding previously removed mac os min required version back to global
macos device health policies

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

<!-- Note that API documentation changes are now addressed by the
product design team. -->

- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.
- [ ] Added/updated tests
- [ ] If database migrations are included, checked table schema to
confirm autoupdate
- For database migrations:
- [ ] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [ ] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [ ] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
- [ ] Manual QA for all new/changed functionality
  - For Orbit and Fleet Desktop changes:
- [ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).

---------

Co-authored-by: JD <spokanemac@users.noreply.github.com>
---
 it-and-security/lib/macos-device-health.policies.yml | 8 ++++++++
 it-and-security/teams/workstations-canary.yml        | 4 ++--
 it-and-security/teams/workstations.yml               | 8 --------
 3 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/it-and-security/lib/macos-device-health.policies.yml b/it-and-security/lib/macos-device-health.policies.yml
index f06480bd5035..c9b787915709 100644
--- a/it-and-security/lib/macos-device-health.policies.yml
+++ b/it-and-security/lib/macos-device-health.policies.yml
@@ -64,3 +64,11 @@
   description: Looks for PDF files with file names typically used by 1Password for emergency recovery kits. To protect the performance of your devices, the search is one level deep and limited to the Desktop, Documents, Downloads, and Shared folders.
   resolution: Delete 1Password emergency kits from your computer, and empty the trash. 1Password emergency kits should only be printed and stored in a physically secure location.
   platform: darwin
+- name: macOS - Check if latest version
+  query: SELECT 1 FROM os_version WHERE major = '14' AND minor = '5';
+  # patch query: SELECT 1 FROM os_version WHERE major = "14" AND minor = "5" AND patch >= "1";
+  critical: false
+  description: Using an outdated macOS version risks exposure to security vulnerabilities and potential system instability.
+  resolution: We will update your macOS to the latest version.
+  platform: darwin
+  calendar_events_enabled: true  
\ No newline at end of file
diff --git a/it-and-security/teams/workstations-canary.yml b/it-and-security/teams/workstations-canary.yml
index 947856c0eb33..cdff5d722568 100644
--- a/it-and-security/teams/workstations-canary.yml
+++ b/it-and-security/teams/workstations-canary.yml
@@ -92,8 +92,8 @@ controls:
     enable_end_user_authentication: true
     macos_setup_assistant: null
   macos_updates:
-    deadline: "2024-05-31"
-    minimum_version: "14.5"
+    deadline: ""
+    minimum_version: ""
   windows_settings:
     custom_settings: null
   windows_updates:
diff --git a/it-and-security/teams/workstations.yml b/it-and-security/teams/workstations.yml
index 148d952bd304..61d123a0d274 100644
--- a/it-and-security/teams/workstations.yml
+++ b/it-and-security/teams/workstations.yml
@@ -61,14 +61,6 @@ policies:
   - path: ../lib/macos-device-health.policies.yml
   - path: ../lib/windows-device-health.policies.yml
   - path: ../lib/linux-device-health.policies.yml
-  - name: macOS - Check if latest version
-    query: SELECT 1 FROM os_version WHERE major = '14' AND minor = '5';
-    # patch query: SELECT 1 FROM os_version WHERE major = "14" AND minor = "5" AND patch >= "1";
-    critical: false
-    description: Using an outdated macOS version risks exposure to security vulnerabilities and potential system instability.
-    resolution: We will update your macOS to the latest version.
-    platform: darwin
-    calendar_events_enabled: true
 queries:
   - path: ../lib/collect-failed-login-attempts.queries.yml
   - path: ../lib/collect-usb-devices.queries.yml