Add best practice macOS setup (#23)

* Add policies

* Add them to teams

* Add policies

* Add automatic enrollment profile and macOS setup config

* Add profile

Author: noahtalerman

lib/automatic-enrollment.dep.json

@@ -0,0 +1,28 @@
+{
+	"profile_name": "Fleet's example automatic enrollment profile",
+	"allow_pairing": true,
+	"is_mdm_removable": true,
+	"org_magic": "1",
+	"language": "en",
+	"region": "US",
+	"skip_setup_items": [
+		"Accessibility",
+		"Appearance",
+		"AppleID",
+		"AppStore",
+		"Biometric",
+		"Diagnostics",
+		"FileVault",
+		"iCloudDiagnostics",
+		"iCloudStorage",
+		"Location",
+		"Payment",
+		"Privacy",
+		"Restore",
+		"ScreenTime",
+		"Siri",
+		"TermsOfAddress",
+		"TOS",
+		"UnlockWithWatch"
+	]
+}

lib/device-health.policies.yml renamed to lib/macos-device-health.policies.yml

@@ -1,3 +1,5 @@
+# The Fleet Enterprise Edition (EE) license applies to code in this file. See the license here: https://github.com/fleetdm/fleet/blob/main/ee/LICENSE
+
 - name: macOS - CIS - Ensure FileVault is enabled (MDM required)
   platform: darwin
   description: Checks that FileVault is enabled. FileVault secures a system's data by automatically encrypting its boot volume and requiring a password or recovery key to access it. This policy checks that filevault is enabled on the device and that the user is not allowed to disable it.

lib/windows-device-health.policies.yml

@@ -0,0 +1,74 @@
+# The Fleet Enterprise Edition (EE) license applies to code in this file. See the license here: https://github.com/fleetdm/fleet/blob/main/ee/LICENSE
+
+- name: Windows - CIS - Ensure Enable screen saver is enabled
+  platform: windows
+  description: |
+    This policy setting enables/disables the use of desktop screen savers.
+    The recommended state for this setting is: Enabled.
+  resolution: |
+    To establish the recommended configuration via GP, set the following UI path to Enabled:
+    'User Configuration\Policies\Administrative Templates\Control Panel\Personalization\Enable screen saver'
+    Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanelDisplay.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
+  query: |
+    SELECT 1 FROM registry WHERE path LIKE 'HKEY_USERS\%\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaveActive' and data = 1;
+- name: "Windows - CIS - Ensure Screen saver timeout enabled: 20 minutes or less"
+  platform: windows
+  description: |
+    This setting specifies how much user idle time must elapse before the screen saver is launched.
+    The recommended state for this setting is: Enabled: 900 seconds or fewer, but not 0. Note: This setting has no effect under the following circumstances:
+    -  The wait time is set to zero.
+    -  The "Enable Screen Saver" setting is disabled.
+    -  A valid screen existing saver is not selected manually or via the "Screen saver executable name" setting
+  resolution: |
+    To establish the recommended configuration via GP, set the following UI path to Enabled: 900 or fewer, but not 0:
+    'User Configuration\Policies\Administrative Templates\Control Panel\Personalization\Screen saver timeout'
+    Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanelDisplay.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
+  query: |
+    SELECT 1 FROM registry WHERE path LIKE 'HKEY_USERS\%\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaveTimeOut' AND data <=1200 AND data > 0 ;
+- name: Windows - CIS - Ensure BitLocker is enabled
+  platform: windows
+  description: Full Disk Encryption (FDE) reduces the risk of compromise when a device is lost or stolen. This query lists any system that does not have BitLocker enabled on its OS drive (typically C:).
+  resolution: Ask your system administrator to turn on disk encryption in Fleet
+  query: SELECT * FROM bitlocker_info WHERE drive_letter='C:' AND protection_status != 1;
+- name: Windows - CIS - Ensure guest account is disabled
+  platform: windows
+  description: |
+    This policy setting determines whether the Guest account is enabled or disabled. The Guest account allows unauthenticated network users to gain access to the system.
+  resolution: |
+    Automatic method:
+    Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Disabled':
+    'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Guest account status'
+  query: |
+    SELECT 1 FROM mdm_bridge where mdm_command_input = "<SyncBody><Get><CmdID>1</CmdID><Item><Target><LocURI>./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus</LocURI></Target></Item></Get></SyncBody>" and mdm_command_output == 0;
+- name: Windows - CIS - Ensure password is required to wake the computer from screen saver is enabled
+  platform: windows
+  description: |
+    This setting determines whether screen savers used on the computer are password protected.
+    The recommended state for this setting is: Enabled.
+  resolution: |
+    To establish the recommended configuration via GP, set the following UI path to Enabled:
+    'User Configuration\Policies\Administrative Templates\Control Panel\Personalization\Password protect the screen saver'
+    Note: This Group Policy path is provided by the Group Policy template ControlPanelDisplay.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
+  query: |
+    SELECT 1 FROM registry WHERE path LIKE 'HKEY_USERS\%\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaverIsSecure' and data = 1;
+- name: Windows - CIS - Ensure Remote Desktop is disabled
+  platform: windows
+  description: |
+    This policy setting allows you to configure remote access to computers by using Remote Desktop Services.
+  resolution: |
+    To establish the recommended configuration via GP, set the following UI path to 'Disabled':
+    'Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Allow users to connect remotely by using Remote Desktop Services'
+  query: |
+    SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\fDenyTSConnections' AND data = 1);
+- name: Windows - CIS - Ensure Remote Management is set to disabled
+  platform: windows
+  description: |
+    The Windows Remote Management (WinRM) service implements the WS-Management protocol for remote
+    management. WS-Management is a standard web services protocol used for remote software and
+    hardware management. The WinRM service listens on the network for WS-Management requests and processes them.
+  resolution: |
+    Automatic method:
+    Ask your system administrator to establish the recommended configuration via domain GP, set the following UI path to 'Disabled':
+    'Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Windows Remote Management (WS-Management)'
+  query: |
+    SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\WinRM\\Start' AND data == 4);

teams/workstations-canary.yml

@@ -21,9 +21,9 @@ controls:
     custom_settings:
     - path: ../lib/windows-screenlock.xml
   macos_setup:
-      bootstrap_package:
-      enable_end_user_authentication:
-      macos_setup_assistant:
+      bootstrap_package: https://github.com/organinzation/repository/bootstrap-package.pkg
+      enable_end_user_authentication: true
+      macos_setup_assistant: ../lib/automatic-enrollment.dep.json
   scripts:
   - path: ../lib/remove-zoom-artifacts.script.sh
   - path: ../lib/reset-timezone.sh
@@ -37,7 +37,8 @@ queries:
   observer_can_run: true
   automations_enabled: false
 policies: 
-- path: ../lib/device-health.policies.yml
+- path: ../lib/macos-device-health.policies.yml
+- path: ../lib/windows-device-health.policies.yml
 agent_options: ./lib/agent-options.yml
 team_settings:
   webhook_settings:

teams/workstations.yml

@@ -21,17 +21,18 @@ controls:
     custom_settings:
     - path: ../lib/windows-screenlock.xml
   macos_setup:
-      bootstrap_package:
-      enable_end_user_authentication:
-      macos_setup_assistant:
+      bootstrap_package: https://github.com/organinzation/repository/bootstrap-package.pkg
+      enable_end_user_authentication: true
+      macos_setup_assistant: ../lib/automatic-enrollment.dep.json
   scripts:
   - path: ../lib/remove-zoom-artifacts.script.sh
   - path: ../lib/reset-timezone.sh
 queries: 
 - path: ../lib/collect-usb-devices.queries.yml
 - path: ../lib/collect-failed-login-attempts.queries.yml
 policies: 
-- path: ../lib/device-health.policies.yml
+- path: ../lib/macos-device-health.policies.yml
+- path: ../lib/windows-device-health.policies.yml
 agent_options: ./lib/agent-options.yml
 team_settings:
   webhook_settings: