You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Update documentation and scripts for Gatekeeper/System Policy Control demo
- Changed references from "Visual Studio Code blocked" to "Visual Studio Code first launch blocked" in multiple documents to clarify the demo narrative.
- Updated last modified dates to 2026-05-07 across various planning and specification documents.
- Revised demo scripts to ensure Visual Studio Code is installed but not launched before applying the Gatekeeper policy.
- Added new fixture for Firefox first-launch block dialog and updated existing VS Code block dialog fixture.
- Adjusted evidence bundle schema to reflect changes in the expected failure messages for Gatekeeper assessments.
- Enhanced test scripts to include broader app launch block dialog checks.
Copy file name to clipboardExpand all lines: README.md
+2-2Lines changed: 2 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -5,7 +5,7 @@
5
5
6
6
-**Status:** Active
7
7
-**Owner:** Frank Lesniak
8
-
-**Last Updated:** 2026-05-06
8
+
-**Last Updated:** 2026-05-07
9
9
-**Scope:** User-facing overview for `franklesniak/macOSLab`, including the fastest safe starting path, project boundaries, current phase status, validation commands, deferred work, and license information.
@@ -22,7 +22,7 @@ This repository is not a production Mac management platform, not legal advice, n
22
22
23
23
Start at [docs/Start-Here.md](docs/Start-Here.md), then read [docs/Prereqs.md](docs/Prereqs.md) before running any provider or cloud workflow. The implementation is delivered in phase checkpoints; the coding agent can continue through locally verifiable, non-destructive phases and pauses at the owner-validation boundary before live demo validation, release, branch protection, destructive provider/cloud actions, or optional Phase 10 expansion.
24
24
25
-
For the MMSMOA demo path, Demo 4 uses a Gatekeeper/System Policy Control pivot: a lab-only Intune Settings Catalog policy makes Visual Studio Code fail under App-Store-only execution rules, the fixture-backed validation captures that expected failure, and rollback proves the known-good VM state. FileVault and Defender remain required validation guides and backup proof paths, but they are not the live break-and-rollback failure.
25
+
For the MMSMOA demo path, Demo 4 uses a Gatekeeper/System Policy Control pivot: a lab-only Intune Settings Catalog policy makes Visual Studio Code fail on first launch under App-Store-only execution rules, the fixture-backed validation captures that expected failure, and rollback proves the known-good VM state. FileVault and Defender remain required validation guides and backup proof paths, but they are not the live break-and-rollback failure.
Copy file name to clipboardExpand all lines: TODO-Phase-08-Validation-Loop.md
+2-2Lines changed: 2 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -5,7 +5,7 @@
5
5
6
6
-**Status:** Local implementation complete; Defender retained and Gatekeeper pivot added
7
7
-**Owner:** Repository owner
8
-
-**Last Updated:** 2026-05-06
8
+
-**Last Updated:** 2026-05-07
9
9
-**Scope:** Deferred verification for Defender health evidence and Gatekeeper/System Policy Control fixture validation.
10
10
11
11
## Confirmed Preflight Evidence
@@ -16,7 +16,7 @@ Defender validation evidence should be collected inside a disposable macOS guest
16
16
17
17
The owner approved the recommended Defender lifecycle on 2026-05-05: use Intune-based Defender deployment as the default demo path, with a preinstalled-Defender fallback for rehearsal or live-cloud timing issues. The owner then configured the Intune macOS Defender path and supplied a working guest `mdatp health` capture from a disposable enrolled VM.
18
18
19
-
The Demo 4 live failure path is now Gatekeeper/System Policy Control blocking Visual Studio Code, with Defender retained as required validation content and backup proof. The committed Gatekeeper fixtures are sanitized text examples; final session sign-off still requires rehearsal capture from the actual demo guest.
19
+
The Demo 4 live failure path is now Gatekeeper/System Policy Control blocking Visual Studio Code on first launch, with Defender retained as required validation content and backup proof. The committed Gatekeeper fixtures are sanitized text examples; final session sign-off still requires rehearsal capture from the actual demo guest.
20
20
21
21
Owner-supplied Defender evidence from a lab macOS environment also confirms:
Defender validation is guest-scoped. The daily-driver host Mac is intentionally not required to have Defender installed. `mdatp health` evidence MUST be collected inside the disposable enrolled macOS guest.
15
15
16
-
Defender remains a required validation model for the accepted session contract, but it is no longer the live Demo 4 break-and-rollback failure. Demo 4 uses Gatekeeper/System Policy Control to block VS Code because that rollback story is deterministic and does not depend on Defender portal timing. The default Defender path is Intune-based Defender deployment after enrollment. A preinstalled-Defender guest MAY be kept only as a rehearsal or live-cloud timing fallback and MUST be labeled as a fallback.
16
+
Defender remains a required validation model for the accepted session contract, but it is no longer the live Demo 4 break-and-rollback failure. Demo 4 uses Gatekeeper/System Policy Control to block VS Code on first launch because that rollback story is deterministic and does not depend on Defender portal timing. The default Defender path is Intune-based Defender deployment after enrollment. A preinstalled-Defender guest MAY be kept only as a rehearsal or live-cloud timing fallback and MUST be labeled as a fallback.
Copy file name to clipboardExpand all lines: docs/Demo-Runbook.md
+4-4Lines changed: 4 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -5,7 +5,7 @@
5
5
6
6
-**Status:** Active
7
7
-**Owner:** Repository owner
8
-
-**Last Updated:** 2026-05-06
8
+
-**Last Updated:** 2026-05-07
9
9
-**Scope:** MMSMOA demo runbook for media verification, provider paths, validation evidence, recovery pivots, and owner dry-run boundaries.
10
10
-**Related:**[Start Here](Start-Here.md), [Troubleshooting](Troubleshooting.md), [Evidence and CAB](Evidence-and-CAB.md), [Snapshot Strategy](Snapshot-Strategy.md)
11
11
@@ -56,7 +56,7 @@ Before traveling or presenting:
56
56
5. Do not sign in to Company Portal yet.
57
57
6. Shut down the guest.
58
58
7. Capture the `Pre-Enroll` checkpoint.
59
-
8. Start from `Pre-Enroll` on reliable network, complete Company Portal enrollment, install and launch Visual Studio Code, wait for Intune sync and baseline policy delivery, then capture `Post-Enroll-Baseline`.
59
+
8. Start from `Pre-Enroll` on reliable network, complete Company Portal enrollment, install Visual Studio Code, verify baseline acceptance with `spctl --assess -vv "/Applications/Visual Studio Code.app"`, do not launch Visual Studio Code, wait for Intune sync and baseline policy delivery, then capture `Post-Enroll-Baseline`.
60
60
9. Use `Post-Enroll-Baseline` as the default live demo starting point.
61
61
62
62
Use live enrollment during the talk only as an optional walkthrough. If the network is slow, say: "Enrollment is cloud-timed, so the stage path starts from a prepared enrolled checkpoint and the evidence records what changed."
@@ -82,7 +82,7 @@ Run the checklist helper:
82
82
```
83
83
84
84
1. Start from the prepared enrolled Demo 4 VM at `Post-Enroll-Baseline`.
85
-
2. Confirm Visual Studio Code launches before the break policy lands.
85
+
2. Confirm Visual Studio Code is installed but has not been launched before the break policy lands.
86
86
3. Assign or sync the lab-only Gatekeeper policy.
87
87
4. In Company Portal, run **Check Status**.
88
88
5. Leave the VM alone while Demo 3 runs.
@@ -152,7 +152,7 @@ Audience-visible summary:
152
152
PASS MDM enrollment profile present
153
153
PASS Gatekeeper assessment enabled
154
154
PASS System Policy Control profile detected
155
-
FAIL VS Code blocked by App-Store-only policy (expected failure)
155
+
FAIL VS Code first launch blocked by App-Store-only policy (expected failure)
Copy file name to clipboardExpand all lines: docs/Evidence-Redaction.md
+2-2Lines changed: 2 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -5,7 +5,7 @@
5
5
6
6
-**Status:** Active
7
7
-**Owner:** Repository owner
8
-
-**Last Updated:** 2026-05-06
8
+
-**Last Updated:** 2026-05-08
9
9
-**Scope:** Documents `Protect-MacLabEvidence` behavior, sensitive field names, value-shape redaction, and verification expectations for macOSLab evidence.
- Gatekeeper fixture scans that fail if committed fixtures contain Team IDs, profile UUIDs, or local home paths.
57
57
58
-
Gatekeeper screenshots and recordings are local stage assets only. The repository may keep a generic text reference that a VS Code block dialog was captured during rehearsal, but it MUST NOT commit the screenshot, recording, exact personal file path, Team ID, tenant identifier, profile UUID, device identifier, UPN, or app bundle.
58
+
Gatekeeper screenshots and recordings are local stage assets only. The repository may keep generic text references or sanitized dialog transcripts for VS Code first-launch evidence and secondary-app rehearsal evidence, but it MUST NOT commit the screenshot, recording, exact personal file path, Team ID, tenant identifier, profile UUID, device identifier, UPN, or app bundle.
Copy file name to clipboardExpand all lines: docs/Intune-Validation.md
+4-2Lines changed: 4 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -5,7 +5,7 @@
5
5
6
6
-**Status:** Active
7
7
-**Owner:** Repository owner
8
-
-**Last Updated:** 2026-05-06
8
+
-**Last Updated:** 2026-05-07
9
9
-**Scope:** Documents fixture-backed Intune compliance and Gatekeeper/System Policy Control validation, plus cloud-state warnings for macOSLab.
10
10
-**Related:**[Evidence and CAB](Evidence-and-CAB.md), [Snapshot Strategy](Snapshot-Strategy.md), [Gatekeeper App Store only test](../examples/TestCases/Gatekeeper-AppStoreOnly.yml), [Gatekeeper recovered test](../examples/TestCases/Gatekeeper-Recovered.yml), [Compliance smoke test](../examples/TestCases/Compliance-SmokeTest.yml)
11
11
@@ -47,7 +47,9 @@ The repository does not commit a sample `.mobileconfig`. A local profile install
47
47
48
48
Use split validation plans:
49
49
50
-
-[Gatekeeper-AppStoreOnly.yml](../examples/TestCases/Gatekeeper-AppStoreOnly.yml) represents `Broken-Policy-State`; it expects the profile to be present and VS Code to be rejected as an expected failure.
50
+
-[Gatekeeper-AppStoreOnly.yml](../examples/TestCases/Gatekeeper-AppStoreOnly.yml) represents `Broken-Policy-State`; it expects the profile to be present and VS Code first launch to be rejected as an expected failure.
51
51
-[Gatekeeper-Recovered.yml](../examples/TestCases/Gatekeeper-Recovered.yml) represents rollback to `Post-Enroll-Baseline`; it expects `spctl` to accept VS Code and launch evidence to show recovery.
52
52
53
+
The live demo MUST NOT use an app that was already launched and admitted before the App-Store-only policy arrived. A previously launched app can continue opening and make the policy look ineffective. The preferred path is to install or stage Visual Studio Code before `Post-Enroll-Baseline`, verify baseline acceptance with `spctl --assess -vv "/Applications/Visual Studio Code.app"`, and reserve the first GUI launch for `Broken-Policy-State`. Firefox MAY be used as a secondary staged app only when it follows the same not-launched-before-policy rule.
54
+
53
55
This pattern is for high-risk policies, repeated validation loops, demo scenarios, and evidence that must be reproducible. It is not a requirement to create a YAML plan for every low-risk Intune setting change.
- Separate local folder for installers, such as `~/Demo/Installers`.
28
28
- Separate local folder for VM storage, outside the repository.
29
29
- Network path that allows APNs, Intune, Microsoft Graph, Defender, and Apple software update endpoints when running live validation.
30
-
- Visual Studio Code installed inside the enrolled demo guest before capturing `Post-Enroll-Baseline` when rehearsing Demo 4.
30
+
- Visual Studio Code installed inside the enrolled demo guest before capturing `Post-Enroll-Baseline` when rehearsing Demo 4. Do not launch Visual Studio Code before the broken-state step; the live block depends on first-launch Gatekeeper behavior. Firefox MAY be staged as a secondary app under the same rule.
31
31
- Sanitized Gatekeeper fixture text under `examples/TestCases/fixtures/` for stage-safe validation without live cloud timing.
32
32
33
33
Do not place `.ipsw`, `.dmg`, `.iso`, `.app`, screenshots, recordings, VM bundles, private keys, or credential files inside the repository.
Copy file name to clipboardExpand all lines: docs/Snapshot-Strategy.md
+3-3Lines changed: 3 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -5,7 +5,7 @@
5
5
6
6
-**Status:** Active
7
7
-**Owner:** Frank Lesniak
8
-
-**Last Updated:** 2026-05-06
8
+
-**Last Updated:** 2026-05-07
9
9
-**Scope:** Defines the five-checkpoint model, restore warnings, report-only cloud cleanup posture, and checkpoint readiness expectations for `macOSLab`.
10
10
-**Related:**[Fidelity Boundaries](Fidelity-Boundaries.md), [Provider Version Matrix](Provider-Version-Matrix.md), [Prerequisites](Prereqs.md), [macOSLab repository specification](spec/macOSLab-repository-spec.md)
11
11
@@ -17,8 +17,8 @@ Snapshots are the reason the lab is fast, but they are also where local state an
17
17
| --- | --- |
18
18
|`Clean-OS`| Freshly installed guest, Setup Assistant complete, no demo software, never enrolled. |
19
19
|`Pre-Enroll`|`Clean-OS` plus Intune Company Portal at the sign-in screen; not enrolled. |
20
-
|`Post-Enroll-Baseline`| Fully enrolled, recently synced, deterministic healthy baseline. For Demo 4, Visual Studio Code is installed and launches successfully here. |
21
-
|`Broken-Policy-State`| Deterministic intentionally broken state for the engineered demo failure. For Demo 4, the Gatekeeper/System Policy Control profile blocks VS Code. |
20
+
|`Post-Enroll-Baseline`| Fully enrolled, recently synced, deterministic healthy baseline. For Demo 4, Visual Studio Code is installed or staged but has not been launched, and baseline `spctl` assessment accepts it. |
21
+
|`Broken-Policy-State`| Deterministic intentionally broken state for the engineered demo failure. For Demo 4, the Gatekeeper/System Policy Control profile blocks VS Code on first launch. |
22
22
|`Recovered-Known-Good`| Post-rollback healthy state, captured after report-only cloud cleanup review or manual reconciliation notes. For Demo 4, `spctl` accepts VS Code and the app launches again. |
23
23
24
24
Alternative checkpoint names are not allowed in v1 unless a caller explicitly opts into non-canonical names for local experimentation.
@@ -38,7 +38,7 @@ Use the VM lab for faster iteration, then use physical hardware where the fideli
38
38
4. Read [Snapshot-Strategy.md](Snapshot-Strategy.md) so checkpoint names and cloud-state warnings are clear before you enroll a VM.
39
39
5. Read [Fidelity-Boundaries.md](Fidelity-Boundaries.md) before turning VM evidence into a change ticket.
40
40
41
-
The first risky-policy sample is a lab-only Gatekeeper/System Policy Control validation against a disposable VM. The broken-state plan proves an App-Store-only policy blocks Visual Studio Code, and the recovered plan proves rollback restores the known-good app-launch state. The first expected evidence artifact is a redacted JSON record under the evidence output root configured by the test plan.
41
+
The first risky-policy sample is a lab-only Gatekeeper/System Policy Control validation against a disposable VM. The broken-state plan proves an App-Store-only policy blocks Visual Studio Code on first launch, and the recovered plan proves rollback restores the known-good app-launch state. The first expected evidence artifact is a redacted JSON record under the evidence output root configured by the test plan.
0 commit comments