
Enable macOS EndpointSecurity and FDE profile #47448

Merged: allenhouchins merged 1 commit into main from allenhouchins-evented-table-adds on Jun 12, 2026

allenhouchins (Member) commented Jun 11, 2026

Enable EndpointSecurity-based process and FIM events in fleet configs and add the Full Disk Access profile for macOS. Adds disable_endpointsecurity: false and disable_endpointsecurity_fim: false to agent_options in testing-and-qa.yml and workstations.yml (enables es_process_events and es_process_file_events). Adds an apple_settings.configuration_profiles entry in testing-and-qa.yml pointing to full-disk-access-for-fleetd.mobileconfig so osqueryd can inherit Full Disk Access.

Summary by CodeRabbit

  • Chores
    • Enhanced macOS security monitoring by updating fleet configurations to enable endpoint security event tracking.
    • Added Full Disk Access configuration profile to support expanded security monitoring capabilities.
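
A post-rollout check for the change described above, as an added example that is not part of the pull request or the repository: osquery SQL, run as a live query against an enrolled macOS host, that confirms the two flags took effect and that both evented tables are producing rows. It assumes the column names of stock osquery's osquery_flags, es_process_events and es_process_file_events tables; the 10-minute window and row limits are arbitrary choices.

```sql
-- 1. Confirm the flags set in agent_options reached the running osqueryd.
--    Both rows should show value = 'false' once the new options are applied.
SELECT name, default_value, value
FROM osquery_flags
WHERE name IN ('disable_endpointsecurity', 'disable_endpointsecurity_fim');

-- 2. Process events from the EndpointSecurity publisher, last 10 minutes.
--    signing_id / team_id / platform_binary show who signed the binary.
SELECT datetime(time, 'unixepoch') AS seen_at,
       event_type,
       pid,
       path,
       cmdline,
       username,
       signing_id,
       team_id,
       platform_binary
FROM es_process_events
WHERE time > (strftime('%s', 'now') - 600)
ORDER BY time DESC
LIMIT 20;

-- 3. File events (FIM) from the same publisher, last 10 minutes.
--    path is the acting process; filename / dest_filename are the targets.
SELECT datetime(time, 'unixepoch') AS seen_at,
       event_type,
       pid,
       path,
       filename,
       dest_filename
FROM es_process_file_events
WHERE time > (strftime('%s', 'now') - 600)
ORDER BY time DESC
LIMIT 20;
```

If the flags read false but both event tables stay empty, check that the Full Disk Access profile is actually installed on the host, since the change adds it so osqueryd can inherit that permission.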

@allenhouchins allenhouchins marked this pull request as ready for review June 12, 2026 02:04
Copilot AI review requested due to automatic review settings June 12, 2026 02:04

Copilot AI (Contributor) left a comment

Copilot wasn't able to review any files in this pull request.



@allenhouchins allenhouchins merged commit 5f14fb0 into main Jun 12, 2026
11 checks passed
@allenhouchins allenhouchins deleted the allenhouchins-evented-table-adds branch June 12, 2026 02:04
coderabbitai Bot (Contributor) commented Jun 12, 2026

Caution

Review failed

The pull request is closed.


📥 Commits

Reviewing files that changed from the base of the PR and between 4d82562 and c98065b.

📒 Files selected for processing (2)
  • it-and-security/fleets/testing-and-qa.yml
  • it-and-security/fleets/workstations.yml

Walkthrough

This PR enables macOS EndpointSecurity capabilities across fleet configurations. The testing-and-qa fleet receives a Full Disk Access configuration profile to grant osqueryd the necessary permissions for EndpointSecurity table access. Both testing-and-qa and workstations fleets have their macOS eventing configuration updated to explicitly enable EndpointSecurity process events and file-level integrity monitoring events through feature toggles.
