From 9eaaaf8af312f44c03584c7b61121271354213da Mon Sep 17 00:00:00 2001
From: Joanne Stableford <59930035+JoStableford@users.noreply.github.com>
Date: Thu, 11 Apr 2024 15:36:09 -0400
Subject: [PATCH] Update macos-device-health.policies.yml to add check macOS version (#18218)
Adding new policy to the macos-device-health.policies.yml that checks if the device meets minimum macOS (currently set to 14.4.1) and enables it for calendar events. Reference https://github.com/fleetdm/confidential/issues/6015
---------
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
---
 .../lib/macos-device-health.policies.yml | 24 +++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)
diff --git a/it-and-security/lib/macos-device-health.policies.yml b/it-and-security/lib/macos-device-health.policies.yml
index b706cd80c120..350b1f530f70 100644
--- a/it-and-security/lib/macos-device-health.policies.yml
+++ b/it-and-security/lib/macos-device-health.policies.yml
@@ -44,7 +44,7 @@
 username = ''
 )
 AND NOT EXISTS (
- SELECT 1 FROM managed_policies WHERE
+ SELECT 1 FROM managed_policies WHERE
 domain='com.apple.screensaver' AND
 name='idleTime' AND
 CAST(value AS INT) > 1200
@@ -54,8 +54,24 @@
 resolution: An an IT admin, deploy a macOS, screen saver profile with the maxInactivity option set to 20 minutes.
 platform: darwin
 - name: macOS - No 1Password emergency kit stored in desktop, documents, or downloads folders
- query: SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM file WHERE filename LIKE '%Emergency Kit%.pdf' AND (path LIKE '/Users/%/Desktop/%' OR path LIKE '/Users/%/Documents/%' OR path LIKE '/Users/%/Downloads/%' OR path LIKE '/Users/Shared/%'));
+ query: SELECT 1 WHERE
+ NOT EXISTS (
+ SELECT 1 FROM file WHERE
+ filename LIKE '%Emergency Kit%.pdf' AND
+ (path LIKE '/Users/%/Desktop/%' OR path LIKE '/Users/%/Documents/%' OR path LIKE '/Users/%/Downloads/%' OR path LIKE '/Users/Shared/%')
+ );
+ critical: false
+ description: Looks for PDF files with file names typically used by 1Password for emergency recovery kits. To protect the performance of your devices, the search is one level deep and limited to the Desktop, Documents, Downloads, and Shared folders.
+ resolution: Delete 1Password emergency kits from your computer, and empty the trash. 1Password emergency kits should only be printed and stored in a physically secure location.
+ platform: darwin
+- name: macOS - Check if latest version
+ query: SELECT 1 WHERE
+ EXISTS (
+ SELECT major, concat_ws(".", major, minor, patch) AS "macOS Version" FROM os_version --Sonoma WHERE
+ (major = "14" AND "macOS Version" < "14.4.1")
+ );
 critical: false
- description: "Looks for PDF files with file names typically used by 1Password for emergency recovery kits. To protect the performance of your devices, the search is one level deep and limited to the Desktop, Documents, Downloads, and Shared folders."
- resolution: "Delete 1Password emergency kits from your computer, and empty the trash. 1Password emergency kits should only be printed and stored in a physically secure location."
+ description: This policy check if macOS version is most recent version available.
+ resolution: From the Apple menu, select System Settings. Navigate to General > Software Update.
 platform: darwin
+ calendar_events_enabled: true
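Review bot: The new `macOS - Check if latest version` query returns a row when the host is on major 14 and below 14.4.1, the opposite sense of the 1Password policy just above it, whose `NOT EXISTS` returns a row only when the bad condition is absent; if a returned row counts as passing, as that sibling implies, outdated hosts pass and patched hosts fail. The `--Sonoma` comment sits on the same added line ahead of `WHERE`, so SQL reads `WHERE` (and, if the plain YAML scalar is folded onto one line, everything after it) as comment text; remove it or turn it into a YAML `#` comment outside the query. `"macOS Version" < "14.4.1"` is a string comparison, so `14.10` sorts below `14.4.1`, and the `major = "14"` filter leaves hosts on any other major unchecked. A numeric form avoids all three problems, for example `query: SELECT 1 FROM os_version WHERE major > 14 OR (major = 14 AND (minor > 4 OR (minor = 4 AND patch >= 1)));`, assuming those columns compare as integers. The description also promises the "most recent version available" while the query pins a fixed minimum, so it should name the minimum that is actually enforced.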