update README

Author: tstromberg

Makefile

@@ -60,7 +60,13 @@ build-openbsd:
 	GOOS=openbsd GOARCH=amd64 $(GOBUILD) $(BUILD_FLAGS) -o $(SERVER_BINARY)-openbsd-amd64 $(SERVER_PATH)
 	GOOS=openbsd GOARCH=amd64 $(GOBUILD) $(BUILD_FLAGS) -o $(AGENT_BINARY)-openbsd-amd64 $(AGENT_PATH)
 
-build-all: build-linux build-darwin build-freebsd build-openbsd
+build-windows:
+	GOOS=windows GOARCH=amd64 $(GOBUILD) $(BUILD_FLAGS) -o $(SERVER_BINARY)-windows-amd64.exe $(SERVER_PATH)
+	GOOS=windows GOARCH=amd64 $(GOBUILD) $(BUILD_FLAGS) -o $(AGENT_BINARY)-windows-amd64.exe $(AGENT_PATH)
+	GOOS=windows GOARCH=arm64 $(GOBUILD) $(BUILD_FLAGS) -o $(SERVER_BINARY)-windows-arm64.exe $(SERVER_PATH)
+	GOOS=windows GOARCH=arm64 $(GOBUILD) $(BUILD_FLAGS) -o $(AGENT_BINARY)-windows-arm64.exe $(AGENT_PATH)
+
+build-all: build-linux build-darwin build-freebsd build-openbsd build-windows
 
 ko-build:
 	ko build --bare ./cmd/server

README.md

@@ -1,12 +1,14 @@
-# gitMDM 🧪
+# gitMDM
 
-The MDM for folks that care about security.
+The SOC-2 compliance solution for the discerningly paranoid security engineer.
+
+![logo](./media/logo_small.png "gitMDM logo")
 
 ## Your Problem
 
 Your startup just hit the enterprise sales milestone where someone asks "are you SOC 2 compliant?" Meanwhile, your engineering team runs OpenBSD on ThinkPads, Arch on Frameworks, and that one person still dailying Plan 9.
 
-Traditional MDMs run as root, execute arbitrary code from their cloud servers, and auto-install binaries downloaded from the internet. Your security engineer just had an aneurysm.
+Traditional MDMs run as root, execute arbitrary code from cloud servers, and auto-install binaries downloaded from the internet. Your security engineer just had an aneurysm.
 
 ## Our Solution
 
@@ -30,43 +32,47 @@ Your Team: "...continue"
 
 ## Demo
 
-Visit our demo instance at https://gitmdm.codegroove.dev/
+Visit our demo instance at https://gitmdm.codegroove.dev/ - OK, so it's actually our prod instance.
+
+## Quick Start
 
-## Quick Start for the Impatient
+Build static binaries:
+
+```bash
+make all
+```
+
+Run a server:
 
 ```bash
-# On your secure server (Cloud Run, or laptop, we don't judge)
 ./gitmdm-server -git /opt/compliance
+```
 
-# On your OpenBSD machine
-$ doas pkg_add gitmdm-agent  # just kidding, compile it yourself
-$ ./gitmdm-agent --install --server https://comply.internal --join XXXX
+If you are a fan of Google Cloud Run, check out `./hacks/deploy.sh` for a deployment script.
 
-# On your Linux laptop
-$ ./gitmdm-agent --install --server https://comply.internal --join XXXX
+On a client:
 
-# On that Mac the designer insisted on
+```bash
 $ ./gitmdm-agent --install --server https://comply.internal --join XXXX
 ```
 
-## What SOC 2 Actually Requires vs What We Check
+## What kind of checks do we do?
 
-| SOC 2 Says | Traditional MDMs Do | We Do |
-|------------|---------------------|--------|
-| Disk encryption | Run as root to verify and enforce | Check encryption status as user |
-| Screen locks | Execute scripts as root to enforce policies | Read your existing screensaver config |
-| OS updates | Download and install updates as root | Report current version numbers |
-| Firewall enabled | Execute commands as root to modify rules | Check firewall status (read-only) |
+* Full Disk Encryption
+* Screen locks
+* OS updates
+* Firewall
 
-## Platform Detection That Actually Works
+## What kind of bizarre platforms do you support?
 
 ```yaml
 # Your snowflake setups, our problem:
 - MATE on OpenBSD (we see you)
 - Sway on Alpine (of course)
 - i3 on Debian (classic)
 - Whatever that custom Wayland compositor you wrote is
-- Even macOS (unfortunate, but supported)
+- macOS (10.15+)
+- Windows 11/10 (though we've never tried it)
 ```
 
 We detect 11+ desktop environments because your team refuses to standardize.
@@ -87,26 +93,24 @@ The server literally cannot execute commands. We removed the code. It's not ther
 
 ## For Your Compliance Team
 
-"What if someone tampers with the agent?"
+> "What happens if someone compromises the server?"
 
-They can. It's their machine. They can also lie on spreadsheets. At least this has timestamps.
+Nothing. Perhaps they can clean up the old stale check-in data while they are there.
 
-"Is this enterprise-ready?"
+> "What if someone tampers with the agent?"
 
-No. But neither was Stripe when you started using it.
+They can. It's their machine. They can also lie on spreadsheets. At least this has timestamps.
 
-## Building
+> "Is this enterprise-ready?"
 
-```bash
-make all
-```
+No. But neither was Stripe when you started using it.
 
 ## Installation That Respects Your OS
 
 - **Linux**: systemd user service (falls back to cron if you're systemd-free)
-- **OpenBSD**: cron (because rc.d requires root and we're not animals)
+- **(Dragonfly|Net|Free|Open)BSD**: cron (because rc.d requires root and we're not animals)
 - **macOS**: launchd (the least worst option)
-- **FreeBSD/NetBSD**: cron (see OpenBSD)
+- **Windows**: Task Scheduler (runs as user, not SYSTEM)
 
 ---
 

cmd/agent/install.go

@@ -528,3 +528,105 @@ func uninstallCron() error {
 
 	return nil
 }
+
+// installWindows installs Windows Task Scheduler task.
+func installWindows(agentPath, _, _ string) error {
+	// Create the task XML content
+	taskXML := fmt.Sprintf(`<?xml version="1.0" encoding="UTF-16"?>
+<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
+  <RegistrationInfo>
+    <Description>GitMDM Compliance Agent</Description>
+  </RegistrationInfo>
+  <Triggers>
+    <LogonTrigger>
+      <Enabled>true</Enabled>
+    </LogonTrigger>
+  </Triggers>
+  <Principals>
+    <Principal id="Author">
+      <LogonType>InteractiveToken</LogonType>
+      <RunLevel>LeastPrivilege</RunLevel>
+    </Principal>
+  </Principals>
+  <Settings>
+    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
+    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
+    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
+    <AllowHardTerminate>true</AllowHardTerminate>
+    <StartWhenAvailable>true</StartWhenAvailable>
+    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
+    <IdleSettings>
+      <StopOnIdleEnd>false</StopOnIdleEnd>
+      <RestartOnIdle>false</RestartOnIdle>
+    </IdleSettings>
+    <AllowStartOnDemand>true</AllowStartOnDemand>
+    <Enabled>true</Enabled>
+    <Hidden>false</Hidden>
+    <RunOnlyIfIdle>false</RunOnlyIfIdle>
+    <WakeToRun>false</WakeToRun>
+    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
+    <Priority>7</Priority>
+    <RestartOnFailure>
+      <Interval>PT1M</Interval>
+      <Count>3</Count>
+    </RestartOnFailure>
+  </Settings>
+  <Actions Context="Author">
+    <Exec>
+      <Command>%s</Command>
+    </Exec>
+  </Actions>
+</Task>`, agentPath)
+
+	// Write task XML to temp file
+	tempFile, err := os.CreateTemp("", "gitmdm-task-*.xml")
+	if err != nil {
+		return fmt.Errorf("failed to create temp file: %w", err)
+	}
+	defer os.Remove(tempFile.Name()) //nolint:errcheck
+
+	if _, err := tempFile.WriteString(taskXML); err != nil {
+		return fmt.Errorf("failed to write task XML: %w", err)
+	}
+	tempFile.Close() //nolint:errcheck
+
+	// Delete existing task if present (ignore errors)
+	cmd := exec.Command("schtasks", "/Delete", "/TN", "GitMDM Agent", "/F") //nolint:noctx
+	_ = cmd.Run() //nolint:errcheck
+
+	// Create the scheduled task
+	cmd = exec.Command("schtasks", "/Create", "/TN", "GitMDM Agent", "/XML", tempFile.Name()) //nolint:noctx
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("failed to create scheduled task: %w\nOutput: %s", err, output)
+	}
+
+	// Start the task immediately
+	cmd = exec.Command("schtasks", "/Run", "/TN", "GitMDM Agent") //nolint:noctx
+	_ = cmd.Run() //nolint:errcheck // Best effort
+
+	return nil
+}
+
+// uninstallWindows removes Windows Task Scheduler task.
+func uninstallWindows() error {
+	// Stop the task
+	cmd := exec.Command("schtasks", "/End", "/TN", "GitMDM Agent") //nolint:noctx
+	_ = cmd.Run() //nolint:errcheck // Best effort
+
+	// Delete the task
+	cmd = exec.Command("schtasks", "/Delete", "/TN", "GitMDM Agent", "/F") //nolint:noctx
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		if !strings.Contains(string(output), "The system cannot find") {
+			return fmt.Errorf("failed to delete scheduled task: %w\nOutput: %s", err, output)
+		}
+		// Task doesn't exist, that's fine
+	}
+
+	// Try to stop any running agent process
+	cmd = exec.Command("taskkill", "/F", "/IM", "gitmdm-agent.exe") //nolint:noctx
+	_ = cmd.Run() //nolint:errcheck // Best effort
+
+	return nil
+}