diff --git a/fleets/workstations.yml b/fleets/workstations.yml
index 7974bf6..57a687c 100644
--- a/fleets/workstations.yml
+++ b/fleets/workstations.yml
@@ -1,9 +1,191 @@
+# # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
+#
+# workstations.yml
+#
+# Use this fleet manifest to configure controls, software,
+# automations, policies, and reports that apply only to
+# computing devices (hosts) in this particular fleet.
+#
+# > Note: By convention, the "💻 Workstations" fleet is
+# > where all company-owned laptops, PCs, and other
+# > productivity endpoints (i.e. computers) are enrolled.
+#
+# To see all supported options, check out:
+# • https://fleetdm.com/docs/configuration/yaml-files
+#
+# # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
 name: "💻 Workstations"
-policies:
-reports:
-agent_options:
 controls:
+ macos_setup:
+ ###########################################################
+ # Configure the macOS setup experience
+ #
+ # (Optional) edit the automatic enrollment profile referenced
+ # here to change which items are skipped during macOS setup
+ # and other aspects of the end user's experience during
+ # their first few minutes with their new Mac.
+ #
+ # For more, see:
+ # • https://fleetdm.com/docs/configuration/yaml-files#macos-setup
+ # • https://developer.apple.com/documentation/devicemanagement/profile
+ # • https://support.apple.com/guide/deployment/automated-device-enrollment-management-dep73069dd57/web
+ ###########################################################
+ macos_setup_assistant: ../platforms/macos/enrollment-profiles/automatic-enrollment.dep.json
+
+ ###########################################################
+ # Uncomment to use single-sign on (SSO) to authenticate
+ # end users during first-time setup of new computers.
+ #
+ # Read more:
+ # • https://fleetdm.com/docs/configuration/yaml-files#end-user-authentication
+ # • https://fleetdm.com/guides/setup-experience#end-user-authentication
+ ###########################################################
+ # enable_end_user_authentication: true
+
+ ###########################################################
+ # Configuration profiles
+ #
+ # For more, see:
+ # • https://fleetdm.com/docs/configuration/yaml-files#apple-settings-and-windows-settings
+ #
+ # Note: Instead of including all profiles with `paths`,
+ # you can also switch to using `path` and including each
+ # specific configuration profile one by one, which allows
+ # for scoping using labels. For example:
+ # ```
+ # - path: ../platforms/macos/configuration-profiles/1password-managed-settings.mobileconfig
+ # labels_include_any:
+ # - "Macs with 1Password installed"
+ # ```
+ ###########################################################
+ macos_settings:
+ custom_settings:
+ - paths: ../platforms/macos/declaration-profiles/*.json
+ - paths: ../platforms/macos/configuration-profiles/*.mobileconfig
+ windows_settings:
+ custom_settings:
+ - paths: ../platforms/windows/configuration-profiles/*.xml
+
+ ###########################################################
+ # Managed disk encryption
+ #
+ # To enable and enforce disk encryption with key escrow on
+ # all supported platforms, uncomment `enable_disk_encryption`.
+ #
+ # Read more here:
+ # • https://fleetdm.com/guides/enforce-disk-encryption
+ ###########################################################
+ # enable_disk_encryption: true
+
+ ###########################################################
+ # Managed OS updates
+ #
+ # To enable and enforce managed OS updates on macOS/Windows,
+ # uncomment `macos_updates` and `windows_updates`.
+ #
+ # See also:
+ # • https://fleetdm.com/docs/configuration/yaml-files#macos-updates
+ # • https://fleetdm.com/docs/configuration/yaml-files#windows-updates
+ # • https://fleetdm.com/guides/enforce-os-updates
+ ###########################################################
+ # macos_updates:
+ # deadline: "2030-04-01"
+ # minimum_version: "26.0"
+ # update_new_hosts: true
+ # windows_updates:
+ # deadline_days: 7
+ # grace_period_days: 2
+
+ # TODO: mike: Go add documentation links for each section below
+ # (and write up the software section in here and the personal mobile devices fleet manifest)
+
+ ###########################################################
+ # Script library
+ #
+ # Note: You probably don't need to change the next few lines.
+ #
+ # > To make a script available for use with Fleet for helpdesk
+ # > use cases and in your custom automations, just include it
+ # > in the appropriate folder for the primary platform where it
+ # > is intended to run. It will be included automatically
+ # > using `paths` below.
+ ###########################################################
+ scripts:
+ - paths: ../platforms/macos/scripts/*.sh
+ - paths: ../platforms/windows/scripts/*.ps1
+ - paths: ../platforms/linux/scripts/*.sh
+
+###########################################################
+# Reports
+#
+# Note: You probably don't need to change the next few lines.
+#
+# > To set up a report in Fleet for collecting data, include
+# > it as a .yml file in `platforms/all/reports/` or if it
+# > is specific to a particular platform, then in the appropriate
+# > folder for that platform. It will be included automatically
+# > using `paths` below.
+###########################################################
+reports:
+ - paths: ../platforms/all/reports/*.yml
+ - paths: ../platforms/macos/reports/*.yml
+ - paths: ../platforms/windows/reports/*.yml
+ - paths: ../platforms/linux/reports/*.yml
+
+###########################################################
+# Policies & automations
+#
+# Note: You probably don't need to change the next few lines.
+#
+# > To set up a policy in Fleet to implement automations or
+# > ensure compliance with organizational security standards
+# > or regulations, include it as a .yml file in the
+# > appropriate folder for the primary platform where it
+# > is intended to run. It will be included automatically
+# > using `paths` below.
+###########################################################
+policies:
+ - paths: ../platforms/macos/policies/*.yml
+ - paths: ../platforms/windows/policies/*.yml
+ - paths: ../platforms/linux/policies/*.yml
+
+###########################################################
+# Software available for install
+#
+# Read more here:
+# • https://fleetdm.com/docs/configuration/yaml-files#software
+###########################################################
 software:
-settings:
- secrets:
- - secret: "$FLEET_WORKSTATIONS_ENROLL_SECRET"
\ No newline at end of file
+ fleet_maintained_apps:
+ # macOS apps
+ # …
+ # - slug: slack/darwin # Slack for macOS
+ # self_service: true
+ # setup_experience: true
+ # categories:
+ # - Communication
+ # - Productivity
+
+ # Windows apps
+ # …
+ # - slug: slack/windows # Slack for Windows
+ # self_service: true
+ # setup_experience: true
+ # categories:
+ # - Productivity
+ # - Communication
+ # labels_include_any:
+ # - "x86-based Windows hosts"
+
+ packages: # Custom packages (if any)
+ # macOS custom packages
+ # …
+
+ # Windows custom packages
+ # …
+
+ # Linux custom packages
+ # …
+
+ app_store_apps: # Apps to install via VPP from the macOS App Store, if any
+ # …
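Review bot: Nothing on the new side says which enroll secret admits hosts to this fleet: the `settings:` block with `secret: "$FLEET_WORKSTATIONS_ENROLL_SECRET"` is removed at the end of the hunk without a replacement or an explanation. How an omitted `secrets` key is treated when the manifest is applied (existing secrets kept, or cleared) is not visible here and should be confirmed first; if the removal is intended, a comment such as `# Enroll secrets for this fleet are managed outside this file` would record it, otherwise the three removed lines should stay. The `paths` globs under `scripts`, `macos_settings`, `windows_settings` and `policies` also mean any file added to those folders is deployed without this manifest changing, so required review on `../platforms/` becomes the control that matters. `enable_disk_encryption`, `macos_updates` and `windows_updates` ship commented out, which a line in the header should state so the template is not read as enforcing them.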