Kolide Side Dishes

At Kolide, we typically ship changes and improvements to the product multiple times a day. The vast majority of these changes are modest improvements not worthy of their own change-log post, but together, they can make a big difference. We call these smaller features side dishes!

In this edition of side dishes, we have four exciting features to announce!

Improved Privacy Center Sign-In Experience

Over the last several months, we have invested a lot of energy into Kolide's Privacy Center, including letting users see the full set of device properties, checks, and other queries run on their device. While these improvements are great, end-users can't realize their benefits if they need to spend time fighting with a sign-in screen instead of reading the content. 

We've updated our Slack application to give end-users buttons instead of links to the Privacy Center to make things a lot easier. Unlike the normal Privacy Center links (which will lead most end-users to a sign-in screen), these buttons will actually open the browser using a secret and personalized URL that will automatically sign them in. 

Additionally, we've made some improvements to the privacy command to give end-users more information about their data before sending them to the Privacy Center. You can see an example below:

We've built this with security in mind. For example, Kolide administrators who sign in to the Privacy Center using one of these magic buttons will still need to authenticate fully when they try to access any sensitive functionality.

New Automatic Device Deletion Settings

As our customers continue to grow the number of devices they enroll, many of them are looking for more advanced options to manage when inactive devices are removed automatically or if multiple device records exist in Kolide for a device with the same serial number.

With our new Automatic Device Deletion setting screen, you can tune the behavior of those options to your liking. If you find yourself frustrated by seeing too many retired devices, or old instances of devices that have to be re-provisioned to new users, I highly recommend checking out these new settings.

Renamed Device Privacy to Restrictions

Our Device Privacy settings page has been renamed to Restrictions to reflect the options available on that screen better. Here you will continue to find settings that allow you to turn off features, restrict Osquery tables, and restrict the visibility of data collected about devices.

Kolide MDM Column 

For those taking advantage of our MDM capabilities, we've added a new column in Inventory called "Kolide MDM." This will enable sorting and filtering by the managed state of the device.

Additionally the attribute kolide_mdm was added to the Device API response

Introducing Live Refresh

At Kolide, we do our best to strike a healthy balance between the performance impact of our agent and the usefulness of the data we collect in the UI. In practice, this means we optimize every query to minimize impact and run expensive queries as infrequently as necessary. 

Sometimes though, when actively viewing a device, you may want the most recent information possible. To assist with this use case, we are rolling out a new feature called Live Refresh. Here it is in action!

Data Last Retrieved Timestamps

Being able to refresh data live starts with understanding when the data you are currently looking at was collected. To help with this, we have updated all of our widgets and device property tables to show the last time the information was retrieved from a device.

In some cases, like the Security Features widget shown above, many queries contribute to this display; when this happens, Kolide shows the retrieved date of the oldest data in the widget.

Kicking Off a Live Refresh

Kicking off a Live Refresh is as easy as clicking the Refresh Data button on any applicable device widget or device property screen. The necessary queries needed to populate the widget's display will be immediately issued to the device. If the device is online, the refresh should return in 10 to 15 seconds. You can also kick off refreshes for offline devices. Then, when they come online, they will refresh their data ASAP.

Once a refresh is done, the widget or table will change colors, letting you know the new data is ready to be reloaded. Simply click the "reload data" button, and the new data will load right into the UI.

While the feature is extremely straightforward, building it was no small task. In fact, a lot of it relied on the work we did to ship our data device collection control capabilities earlier this year. I want to thank the entire engineering team at Kolide for their hard work in making this feature happen. I want to also thank our customers for all of their input, leading to this feature being fully realized. We look forward to your feedback!

New Slack Option - Skip Personal Device Enrollment

A few weeks ago, we introduced a new dedicated options screen for managing the behavior of Kolide's Slack App. This week, we added a new option to this screen for organizations that do not want their end-users to enroll their personal devices into Kolide.


Previously, when any user self-enrolled a device, Kolide's Slack app would ask if it was a personal or organization-owned device. However, some organizations may not want to allow end-users to enroll their personal devices. 

If this sounds like you, change the setting to Allow ONLY organization-owned devices to enroll in Kolide. Once saved, this part of the enrollment process will be skipped, and every newly enrolled device will be marked as organization-owned.

Please Note: This setting does not convert previously enrolled personal devices into organization-owned ones. To convert them, you will need to simply remove/delete those devices from Kolide and have the user re-enroll them with the new correct choice.

API - New Global Failures Endpoints

In March, we introduced a new global failures view to Kolide. This view makes it much easier for administrators to locate failures without clicking into a specific Check. 

Since releasing this feature, we've heard a lot of great feedback from our customers that would love to list failures without needing to know anything about a check beforehand. Well, we've heard you, and we are proud to announce that we've just shipped an update to our API that enables just this use-case. So let's run through the changes.

New Failures Endpoints

View the documentation about this endpoint.

The new failures endpoints make it simple to list and access specific failures without knowing anything about the check or device they belong to. Here are some things you can do today.

List All Failures

https://k2.kolide.com/api/v0/failures

This endpoint lists all failures for all enabled checks, regardless of their resolved/open/ignored state. Once you have an API token, you can call it using the following curl example:

curl -H "Authorization: Bearer $PRODAPIKEY" 'https://k2.kolide.com/api/v0/failures'

List Failures By Status

Failures can be ignored, resolved, or open. Accordingly, you can scope the list of failures using those keywords as shown below:

https://k2.kolide.com/api/v0/failures/open
https://k2.kolide.com/api/v0/failures/resolved
https://k2.kolide.com/api/v0/failures/ignored

curl -H "Authorization: Bearer $PRODAPIKEY" 'https://k2.kolide.com/api/v0/failures/open'

curl -H "Authorization: Bearer $PRODAPIKEY" 'https://k2.kolide.com/api/v0/failures/resolved' 

curl -H "Authorization: Bearer $PRODAPIKEY" 'https://k2.kolide.com/api/v0/failures/ignored' 

All of these endpoints respond with a structure that matches the https://k2.kolide.com/api/v0/devices/<deviceID>/failures https://k2.kolide.com/api/v0/checks/<checkID>/failures endpoints.

Show A Specific Failure

Before, admins could only retrieve details for a single failure through the device or check API endpoints. Now, if you know the failure's ID, you can use just the following endpoint:

curl -H "Authorization: Bearer $PRODAPIKEY" 'https://k2.kolide.com/api/v0/failures/$FAILUREID'

New Failure Attribute - escalation_status

In addition, we've added a new attribute to the failure entity to indicate the escalation status of the failure. The escalation_status attribute can have one of the following values:

  • Not Escalated
  • User contact attempts exhausted
  • User requested help
  • No owner assigned

You can get more information, including full response schemas, on our API documentation site.


As always, we welcome comments and feedback from our API users. If you have a use case, please reach out to us via support@kolide.co or Intercom, and we'd love to chat about it.

New Inventory: Mac Startup Configuration

Have you ever wondered if a Mac had an EFI firmware password set or if Secure Boot has been turned off? Well, instead of wondering, you can now instantly look up the state of these options and other boot settings in our newly released device property in Inventory called Mac Startup Configuration.

The settings reported in the device property can help administrators better understand the security posture of a Mac. For example, a Mac with Secure Boot off may be at greater risk of being infected by malware that changes the master boot record (MBR). Additionally, the presence of a firmware password could prevent an administrator from reprovisioning a device to a new employee if they forget to turn it off before shipping the Mac back to HQ.

New Inventory Widget

To help you interpret these startup options, we have created a new widget that summarizes them with icons and easy-to-read statuses.

Privacy Center & Data Collection

Like all of our device properties, we have documented the purpose,  privacy information, and the example data set a Mac will return in the Privacy Center.

If you don't want to collect this data from your Mac fleet, you can also take advantage of our new data collection opt-out feature.

A Note About Older Macs or Macs with Apple Silicon

Macs running Apple Silicon instead of an Intel processor do not support several of these startup options. These options include Firmware options and the ability to boot Windows. For these devices and older Intel Macs without a T2 series chip, you'll see the value "Not Applicable" for any relevant settings.

As always, please let us know if you have any questions, suggestions, or improvements we can make. We hope you get value out of the additional visibility.

New Slack App Access Control Setting

Kolide's Slack app enables end-users to identify and self-resolve important issues on their device. Our Slack app has always been a major part of our Honest Security strategy, so it's important we break down as many barriers as possible to enable every single one of our customers to use it.

To that end, we are excited to be rolling out new access control settings for the Slack app. These settings are perfect for organizations that have widely rolled out the Kolide agent but haven't taken the plunge with the Slack app. Many may want to test the self-remediation workflow with just a handful of users before rolling it out widely.

To support this use case, we just launched a new settings page available to administrators that will control precisely who can and cannot interact with the Slack app.

Notice the section labeled, "Who Can Communicate With the Kolide Slack App." If you choose the option "Only users who have who have been explicitly Onboarded," then anyone who hasn't been explicitly invited to use the app in the onboarding manager will not receive any messages from the Slack app. If these same users try to initiate an interaction with the Slack app, they will be greeted with a message that looks like this...


We've also updated the onboarding manager to make the onboarding status for each user much clearer and highlight important settings that impact the Slack experience front and center.


This new setting truly turns off all possible Slack notifications, even notifications that an administrator may directly initiate. So, for example, if you decide to restrict the Slack app to just onboarded users and then try to ping them manually, you will instead see a gentle reminder to onboard them first. This is true even for sensitive device notifications.

We still recommend the original behavior, but we hope this additional setting can help many organizations test out the Slack application in a controlled manner before committing to a company-wide roll-out.

As always, we welcome your questions, comments, and feedback.

Privacy Center - Detailed Checks and More!

A few weeks ago, we announced a major set of improvements to our Privacy Center. These changes give end-users an unprecedented level of transparency into what data is collected from their devices so they can feel confident in enrolling in Kolide, an important principle in Honest Security.

After launching these improvements, we received a ton of positive feedback and some great suggestions we could implement to improve it further. To that end, I am excited to announce two major improvements that we've just shipped.

Detailed Checks

The biggest part of this update is a major improvement to the Checks section of the Privacy Center. Before this update, Checks were simply listed with a hover tooltip of the description. While this was a great start, the list wasn't very user-friendly, nor did it provide end-users with enough information to understand the purpose of each Check or what data was sent to Kolide from their devices.

This new experience is much better.

First, we organized related Checks together into lists and added rich icons, making them much easier to browse.

Second, we added write-ups for each Check that include the query that runs on the device, the purpose of the Check, and even privacy information when applicable. Here is an example of the Check named "1Password - Disallow Plain Text Emergency Kit".

Finally, we've also updated the CSV export to include the description, privacy information, and Checklist name.

View Only Relevant Information For Your Devices

The primary goal of the Privacy Center is to ensure users can understand what data will be collected about their device before they enroll. Once a device is enrolled, however, an end-user may want to transition to an experience where they only see information about Checks and other queries that run on their device.

To help, we've added a filter at the top of the page that will automatically hide any device properties, Checks, and scheduled queries that are not run on their currently enrolled device(s).


This filter is also available when drilling into a Checklist that contains many Checks, as shown below.


We are so excited to see these changes in action and cannot wait to hear more feedback from you. We have many exciting changes for Checks planned this month, and our updated Privacy Center lays a great foundation for their arrival.

As always, please do not hesitate to reach out with questions. 

Query Runbook and Privacy Center Enhancements

As part of our commitment to honest.security, I am so excited to announce some major changes to our end-user accessible Privacy Center, which just went live.

We had two big goals with this feature. 

The first was to give end-users more visibility into what Kolide can potentially collect about their device before they even decide to enroll. Secondly, we wanted to give end-users visibility into the ad-hoc queries which have run on their devices and other important events, like device assignment and re-assignment.

A lot is going on with this enhancement, so beyond documenting those changes in this post, I've also recorded a short video walkthrough of the new Privacy Center.


The Query Runbook

Our goal with Kolide is to enable security and IT teams to be open and transparent about the tools that run on company-provisioned devices and the data that they collect. Accordingly, we've updated the Privacy Center to give end-users an unprecedented level of detail about both of those topics.

Before today, users could request a download of all of their device's Inventory data in a zip file. While this was a good start, it had two usability issues:

  • Users needed to enroll a device before they could understand what data was collected.
  • Users were forced to pore over undocumented CSV files that gave little insight into the meaning or intent of the data contained.

We've done our best to address both of these items and provide an unprecedented level of insight into the way Kolide works and why it collects what it does.

Data Kolide collects by default

Today, in the Kolide Privacy Center, you and your end-users can find an exhaustive list of the data that Kolide collects when certain devices are enrolled.

No one likes long text-based lists, so to make browsing the info easier, we've added beautiful iconography to represent each device property. If you want to know more about an item, simply click the link, and you'll be sent to a detailed page explaining what that item is, the security/IT rationale for collecting it, and even potential privacy considerations.

Transparency into how data is collected from your device:

Additionally, you can explore the queries we run on our endpoint agent to collect data about a specific property.


Preview the data Kolide collects!

The most important capability for an individual who wants to understand more about what Kolide does and does not collect is previewing the data from properties before enrolling their device. To assist in this process, we've added examples of what the data sent to Kolide looks like. 

This gives users the confidence they need to understand that their private data will not be transmitted.



All of this information is available for every single device property Kolide can collect. If you or your end-users have any concerns about collecting certain types of data, remember, you can now disable data collection for those items.


Personalized Audit Log

To further round out our commitment to transparency, we now maintain a separate audit log for each end-user in the system. Today, this audit log captures the following events:

  • Automatic Device Assignment
  • Manual Device Assignment (or unassignment)
  • Device Removal
  • Completed Live Queries

From now on, these audit logs are available to all end-users in the Privacy Center's sidebar. You can even export the entire list to CSV for later review. We believe this capability will help foster trust between IT teams and end-users.


On certain events like Live Query, you and end-users can see additional details by simply clicking the event name.


In this case, the end-user can see who ran the query, what results were returned, and even access a copy of the data sent from their device to Kolide.

Scheduled Queries

Before this enhancement, end-users had little visibility into endpoint data collection that organizations set up via our Logging Pipeline or through a feature called Continuous Running Live Queries.

To address this, we've added a new section to the Privacy Center called Scheduled Queries. It provides a complete list of all queries running on an end-user's assigned devices and a list of queries that may run on devices they enroll in in the future.


Like our Query Runbook and Live Query Audit Logs, we allow the end-users to see informative details related to these queries.

Feedback

These new changes are available in the Privacy Center right now. We have a lot more planned in the future, and we cannot wait to hear your feedback about these new improvements.

New Feature - Add Your Own Device Notes

While Kolide can collect and visualize a lot of useful information from the devices themselves, sometimes, the most useful pieces of data about a device can come from the people who oversee them.

To that end, we've added a new way for Kolide team members with access to the admin UI to write unstructured notes. When you visit the device overview page, you will now see a new widget called Device Notes.

In this widget, simply write any notes about the device you wish to record, and then click save note.  As you can see, the notes support basic Markdown formatting, including links and headers.

If you or another team member make a mistake or want to review the history of notes on a particular device, you can click Revision History and easily restore any previous version of the notes.

In addition to being accessible in the UI, both the raw markdown and the rendered HTML versions of notes are now included in the Device API response.

Finally, we've also updated the overview page for Private Devices to include a limited set of informational widgets, including this new notes widget.


This is just one of many features we plan to roll out this year to help our customers better identify and record useful information about their devices. Until then, please let us know if you have any feedback or improvements, you would like to see.

Osquery 4.7.0 Inventory Improvements

Recently, the Kolide change-log has been bursting at the seams with improvements and new features, and while it's been fun bringing good news and cheer to you all on a near-daily basis, enough is enough. 

Instead of dragging this out over the next three days, we decided to create one big post with all of the Inventory improvements we've recently shipped to close out the week. Let's get started!

New Inventory Item - macOS System Extensions

Apple introduced their safer alternative to Kernel Extensions called System Extensions with the release of macOS Catalina in 2019. Now with Big Sur, Kernel Extensions are no more. Thanks to some incredible work by Kumarak of Trail of Bits, Osquery 4.7.0 now supports enumerating these extensions.

We are excited to announce that we've added these System Extensions to the default set of macOS Inventory


Improved Inventory - Windows User Metadata

On macOS, Kolide is not only able to enumerate the users of a particular device, but it can also enumerate additional metadata, like the number of times the user logged in or the last time the password was set.

Starting this week, Windows joins the party! Using WMI, Kolide can now collect additional metadata information about the device's user accounts, including:

  • last_logged_in_at - When the user last logged in.
  • logins_count - The total number of times the device user logged into the system.
  • failed_logins_count - The total number of times someone attempted to access a user account with incorrect credentials.
  • password_last_set_at - The precise time the user's password was changed or initially set.
  • password_expires_at - The precise time the user's password expires (when applicable).
  • windows_user_type - The type of Windows User (Ex: "Normal Account", "Domain Trust Account", etc.)

This information can be extremely helpful for our customers who really want to understand who the device's primary user is (based on login count). Additionally, knowing when a user last changed their password can be invaluable if you want to ensure that the user's password meets the complexity requirements in the most recent set policy.

You can check out these new columns in the Device Users Inventory section.


Improved Inventory - Google Chrome Extensions

The term Google Chrome Extension has become a bit of a catch-all with the recent arrival of many different browsers based on the Chromium open-source project. It's common-place now to find end-users installing Chromium extensions in Brave, Edge, or even Opera.

To that end, Kolide leverages all the great work done in Alessandro Gario of Trail of Bits in Osquery 4.7.0 to help you sort out which extensions belong to which browser, the enabled state of the extension, among other important details.

Check out the Google Chrome Inventory to peruse this new information.


Improved Inventory & Widget - macOS FileVault Status

I recently contributed an improvement to the disk_encryption table in Osquery that more clearly defines the difference between a encrypted disk and one that FileVault actually protects. At the same time, we also updated our built-in FileVault Check.

Now that these improvements are shipped in Osquery itself, we have updated our Disk Space widget and added the new column in Inventory. 

You can see the new filevault_status and related fields in the Storage Devices Inventory section

As always, please do not hesitate to reach out with questions or feedback!

Show Previous EntriesShow Previous Entries