Update macos-device-health.policies.yml (#17785)

- Add 1Password recovery kit policy

it-and-security/lib/macos-device-health.policies.yml

@@ -53,3 +53,9 @@
   description: This policy checks if maximum amount of time (in minutes) the device is allowed to sit idle before the screen is locked. End users can select any value less than the specified maximum.
   resolution: An an IT admin, deploy a macOS, screen saver profile with the maxInactivity option set to 20 minutes.
   platform: darwin
+- name: macOS - No 1Password emergency kit stored on desktop or in downloads
+  query: SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM file WHERE filename LIKE '%Emergency Kit%.pdf' AND (path LIKE '/Users/%%/Desktop/%%' OR path LIKE '/Users/%%/Documents/%%' OR path LIKE '/Users/%%/Downloads/%%' OR path LIKE '/Users/Shared'));
+  critical: false
+  description: "Looks for PDF files with file names typically used by 1Password for emergency recovery kits."
+  resolution: "Delete 1Password emergency kits from your computer, and empty the trash. 1Password emergency kits should only be printed and stored in a physically secure location."
+  platform: darwin