fleet icon indicating copy to clipboard operation
fleet copied to clipboard
verified publisher icon fleetdm

Custom target (labels) for policies & queries

Open noahtalerman opened this issue 1 year ago • 3 comments

  • customer-reedtimmer : Gong snippet: https://us-65885.app.gong.io/call?id=2808168651046260366&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A1199%2C%22to%22%3A1568%7D%5D
  • prospect-hubble: Gong snippet:
    • https://us-65885.app.gong.io/call?id=4210985230183928646&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A368%2C%22to%22%3A397%7D%5D
  • @allenhouchins: User requested this because they're trying to pass a compliance check and in order to do so, they want to make sure specific people's workstations meet unique compliance requirements. Some people, given what data they have access to, have to follow stricter compliance requirements (ex. longer password length, yubikey, etc.). These people's workstations will have the same baseline compliance requirements as all other workstations and thus they'll be in the same team in Fleet. In order to check the unique requirements, the user wants to add these workstations to a label and apply this label to strict policy.
    • @allenhouchins: Makes the audit smoother. Auditor is just going to see green and red. Going to have to justify red.
  • @noahtalerman: User requested this because they want to run queries that check to make sure end users aren't sharing sensitive data during their 2-week offboarding. They only want to run these queries on workstations assigned to employees who are offboarding so that they can limit the noise. They don't need this info form everyone else.
    • @noahtalerman: In the interim the user can break out separate teams for these use cases.
    • @noahtalerman: Eventually the user would be able to scope policies and queries using labels. Similar to configuration profiles.
  • @marko-lisica : Remember to add errors for cases when user enable install software automation for policy that has scope and software title has scope already.
  • @ddribeiro: deebradel: They're most interested in "include any" (aka OR) filtering.

User stories

  • #16413
  • #24097

noahtalerman avatar Nov 22 '24 18:11 noahtalerman

@noahtalerman I added a fresh gong snippet for customer-reedtimmer after today's call as they would like exclusions for labels supported. Let me know if you have any further questions!

Patagonia121 avatar Mar 06 '25 00:03 Patagonia121

@noahtalerman Additional context for us to re-evaluate this request. We have created some inconsistencies in usability. I am able to scope queries to labels. I am also able to scope the automatically generated "[Install] software" policies to labels, just not policies that I create as an admin.

allenhouchins avatar Apr 01 '25 14:04 allenhouchins

Additional context for us to re-evaluate this request. We have created some inconsistencies in usability. I am able to scope queries to labels. I am also able to scope the automatically generated "[Install] software" policies to labels, just not policies that I create as an admin.

@allenhouchins thanks for surfacing! Let's hit this one first during our next unpacking the why.

noahtalerman avatar Apr 01 '25 21:04 noahtalerman

Custom labels guide, Queries find truth, not noise, Compliance, abide.

fleet-release avatar May 19 '25 18:05 fleet-release