Lost Mode Now Available on Windows Devices

Earlier this year, we introduced Lost Mode for Mac and Lost Mode for Linux, features that enable the IT team and end-users to work together to locate a misplaced or stolen device. 

Today, we are excited to announce we've completed our Lost Mode cross-platform support with the release of Lost Mode for Windows!

Like Lost Mode for Mac and Linux, this new feature surveys nearby Wi-Fi Access Points to help determine the Windows device's precise geolocation. We consider this a highly-sensitive feature that requires informed end-user consent each time it is used across all platforms.

You can learn more about Lost Mode by reading our help article!

As always, please don't hesitate to reach out to us with feedback or questions!

New Check: Windows Important Updates Missing

After many weeks of research and engineering, we at Kolide are very proud to announce the immediate availability of several new Windows-based features:

  • Device Check: Windows Important Updates Missing
  • Device Detail Page Widget: Windows Update
  • Inventory Item: Windows Pending Updates

Windows Important Updates Missing

This new Check enumerates important Windows updates that have not been installed within 2 days of becoming available.

While building this check, data accuracy was considered paramount. We did not want to return information about updates that did not apply to the device or were already installed. To achieve this specificity, we upgraded Kolide's agent to directly communicate with the Windows Update API, ensuring that the pending updates returned are always relevant and accurate for each device. This also means as soon as updates are installed correctly, they will disappear the next time we query the API.

Another top priority was to ensure that any failures we generated were only for important updates. Important to us means significant updates with security mitigations, anti-malware signatures, updates with high-criticality, or updates that reference bug fixes. If Kolide generates a failure for a missing update, you can bet it's going to be one that your users should install.

Finally, we wanted to go above and beyond when generating the step-by-step instructions for end-users and ensure that the titles for the updates match the titles in the Windows Update UI, even if they are in a different language.

Inventory and Widgets

To round out this new capability, we wanted to offer more than just an opinionated check. We also wanted to visualize information about Windows Update's configuration and provide our customers with information about all available updates (not just the important ones).

To that end, we've created the following Widget, which will now appear on all of your Windows Devices!

Additionally, if you're the type that wants to see all your data in one big table, you can review all pending Windows updates (including optional updates) in our new Inventory: Windows Pending Updates.

Or review the Windows Update Agent configuration in the new Inventory: Windows Update Config to find individuals who haven't scanned for updates in over a week whose updates are paused.

Reporting

If you are participating in our Reporting beta, you will also have access to all of this new inventory data in a queryable database. You can use this capability to perform aggregate queries (like counting data across devices) on data stored in Kolide's Inventory.

Location Services Check & Inventory

In the new Osquery 4.7.0 release (which is now automatically distributing to all of our customers), we contributed a new macOS table called Location Services. This table simply determines the status of a Mac's Location Services API, which can be adjusted by the end-user in System Preferences and within the Security & Privacy preference pane.

Without Location Services, several critical features like Find My Mac will not work correctly. To help our customers determine the status of Location Services, we are excited to introduce several features designed to take advantage of this new table as well as other work we've done in Kolide's agent.

New Check: Location Services Disabled

The Location Services Check allows our customers to track which Macs have Location Services disabled, and reaches out to end-users to turn the setting back on.

New Widget & Inventory

In addition to the Check, we've gone the extra mile to not just simply report on the global state of the Location Services, but to also enumerate the state of its advanced settings and the apps that requested (and were perhaps granted) a Location Services entitlement. 

The new Location Services widget will list all known apps and services that have requested entitlement to Location Services. If the status light is green, that means the entitlement was granted, and if the compass pin is present, it indicates location was accessed in the last 24 hours.

In addition to the widget, you can also peruse both the state of System Services and the Authorized Apps in Inventory.

If you find yourself not interested in collecting information about Location Services, you will be pleased to learn that you can now opt-out of any of Kolide's data collection, right from the the relevant Inventory screens!

Reporting Beta

For those of you who are participating Reporting SQL DB beta, you'll be happy to learn all of the new information regarding Location Services is now fully documented and available to query.

The New Global Failures View

You may have recently noticed a new top-level navigation option, Failures, in Kolide. We'd love to take a few minutes to walk you through this new Failures view, along with other improvements we made as a part of this feature's release.

One Place To View All Of Your Check Failures

In the UI, when a device fails a check, the information about that failure could be found in that particular Check's details page or on the Device's failure overview page.

Now, there is a third place to view this failure data across all checks and all devices.

Having this data in one place enables several compelling use-cases:

  • Organizing failures by tag (for example: "Show me all failures that belong to a Check with the Critical tag)
  • Searching across all failure metadata for keywords (ex: looking for the word "prod" might bring up some interesting results for failures belonging to more than one check)
  • Locating failures, devices, and people where end-users may be ignoring the notifications from Kolide.

Data and UI Consistency

While building this feature, we wanted to ensure the way we were showing failure data across different contexts was going to be consistent (even CSV exports). We also wanted to make sure the ability to filter and traverse the various failure states were preserved, no matter what part of the UI you were in.

The "Total" Tab - Viewing All Failures

In the spirit of giving administrators the most flexibility when filtering, sorting, and searching failure data, we've created a new tab called Total which allows you to see all failures, regardless of the failure's actual state.

This new view allows you for the first time, to see the entire posture (past and present) for a given device or device-owner. In a single screen, you can see all the Checks that are failing, have failed or are currently being ignored! 

Likewise, you can use all of your favorite mass-actions to quickly address a variety of use-cases that before necessitated wading into individual Check screens. For example, do you have a test-device which is intentionally misconfigured which you wish to ignore failures for? Now you can filter down to only that device, and ignore all of its open failures with just a few clicks!

We are excited to see the use-cases you come up with to make your Kolide experience more efficient, informed and most importantly, actionable.

This new view allows you for the first time, to see the entire posture (past and present) for a given device or device-owner. In a single screen, you can see all the Checks that are failing, have failed or are currently being ignored!

Likewise, you can use all of your favorite mass-actions to quickly address a variety of use-cases that before necessitated wading into individual Check screens. For example, do you have a test-device which is intentionally misconfigured which you wish to ignore failures for? Now you can filter down to only that device, and ignore all of its open failures with just a few clicks!

We are excited to see the use-cases you come up with to make your Kolide experience more efficient, informed and most importantly, actionable.

Improved Failure Recheck Tracking

One sore spot a few customers raised to us is that when you re-check a failure, we immediately consider it "re-checked", even before we got the answer from the device! Now when re-checking, Kolide only updates the timestamp when we actually hear from the device.


This is just the start of many other features we plan to release for Checks this year. Stay tuned!

Lost Mode Now Available on Linux Devices

Early in January, we introduced Lost Mode for Mac, a beta feature in which the security team and end-users can work together to locate a device that was either misplaced or stolen. We are now excited to announce this same functionality is now available on Linux devices!


Just like Lost Mode for Mac, this new feature survey's nearby WiFI Access Points to help determine the Linux device's precise geolocation. Also just like Lost Mode for Mac, we consider this an extremely sensitive operation which requires informed end-user consent each time it is used.

You can learn more about Lost Mode by reading our help article!

As always, please don't hesitate to reach out to us with feedback or questions! 

Wondering about Windows support? Well, a little birdie told me that we might have something to say about that before the end of March. Stay tuned!

New Feature - Control Device Data Collection

Kolide's Inventory feature is designed to collect, enrich, and visualize important data from enrolled devices. We built it to preemptively answer many essential questions administrators have about their devices that Osquery is well suited to answer.

Before adding new device properties to Inventory, we discuss their utility and privacy implications internally and proceed accordingly. Unfortunately, if our customers felt differently about these decisions in the past, they had little recourse to customize further what data was collected. 

After writing the "collecting data honestly" section in honest.security, we knew we had to do better. To that end, we are proud to announce new features that enable Kolide administrators to more finely control what data is collected and displayed within Inventory and the features that rely on it.

For instance, let's say you don't really want Kolide to enumerate the Chrome Extensions your users install. You can now browse to the Chrome Extensions section in Inventory and select Disable Device Property.

Since Inventory is the source of truth for many features in Kolide, like widgets and checks, a modal will appear, which will advise you on precisely which features of Kolide might be impacted, allowing you to make a value-driven decision around the collection of any particular category of data.

Besides providing opt-out capabilities, this feature will also allow Kolide to ship new Inventory device properties that require explicit opt-in from an administrator. Starting today, we support ARP Cache as our first opt-in Inventory property.

Privacy Center

As part of our efforts to increase transparency to end-users, we have overhauled the UI of the Privacy Center and included a list of the data collected from devices.


Wrapping Up

We are excited for our privacy-minded customers to take advantage of this feature and truly customize the data collection to a level they and their end-users feel comfortable with.

If you are interested in using it, we encourage you to read our Help Center guide before diving in, as it contains more information than we could possibly fit in this announcement post.

New Check - Silver Sparrow

On February 18th, Red Canary working with MalwareBytes broke the news that they had discovered a latent malware infection is as many as 30,000 Macs. They posted a detailed analysis online and dubbed this new threat Silver Sparrow.

What makes Silver Sparrow so interesting is that while the malware had the capability to do real damage, its final payload was never executed by its authors and operators. It is also one of the first variants of Mac malware in the wild that was compiled to run natively on Macs with Apple Silicon.

This Malware is already well-detected by commodity anti-virus solutions, and Apple has done its part to help stop the spread by revoking the development certificate used to sign the malicious installer.

While Kolide isn't intended to be used as a comprehensive malware detection platform, we often as a courtesy hunt for prolific threats on behalf of our customers. Based on the information we have today, it appears no Kolide customers have been infected by this malware.

Even so, out of an abundance of caution, Kolide has developed a simple Check to look for this malware and deployed it to each of our customers. 

Please let us know if you have any follow-up questions or concerns about Silver Sparrow, malware, or the Checks feature of Kolide. 

Untrusted Extension - The Great Suspender

Making the rounds recently on Twitter was a tweet concerning a popular Chrome Extension, The Great Suspender.

The thread outlines an all too common situation. The author of a once beloved Chrome Extension sells their ownership interest to a third party, who then updates the extension to include spyware. In the case of The Great Suspender, this potentially includes transmitting the end-user's browsing history, and even modifies the web pages you visit directly in the browser.

Luckily, the user community caught these changes in The Great Suspender and pressured the new owner to back these updates out. With that said, it may be only a matter of time before those same malicious capabilities might be deployed once again.

To that end, Kolide is shipping a new Evil Chrome Extension Check for this extension, preloaded with an end-user notification you can deploy to help your employees understand the situation, and uninstall the extension if it is present.

If you would like to know more about this specific extension, feel free to check out the best comprehensive article we've found on the subject on LifeHacker.

Introducing Device Lost Mode (*Beta)

We are excited to announce the immediate availability of Device Lost Mode.

Like its name implies, Lost Mode is useful if you or the device's end-user cannot locate their device. Once Lost Mode is enabled on a compatible device, (macOS only during the beta), Kolide will survey the local Wifi Access Points and triangulate the device's precise geolocation.

Like many upcoming Kolide features, both Kolide administrators and end-users can benefit from this feature. With that in mind, if a device in Lost Mode is assigned to a person with a Slack identity, then they will be able to access some Lost Mode features directly from the Kolide Slack App's Home Tab.

Honest Security

You might be wondering how a company that practices Honest Security ensures a feature like Lost Mode–which can result in transferring extremely sensitive data (precise location)–adheres to those values? Among our existing practices of end-user transparency and administrator accessible audit-logging, we are excited to announce Lost Mode is the first feature that employs our new informed consent workflow.

Informed Consent

Informed Consent means that when a device has an assigned owner, a feature like Lost Mode can only be enabled when the end user explicitly authorizes the action via Slack. It also means that the consent can be revoked at any time. 

We plan on utilizing this consent workflow for all sorts of sensitive device actions going forward, including our upcoming MDM features.

If you'd like to learn more about Lost Mode, including how to disable it for specific Kolide administrators (or completely) please view our comprehensive help article.

We Have Updated Our FileVault Mac Check

Until today, Kolide has leveraged Osquery's disk_encryption table to report the Full Disk Encryption status of macOS in our check labeled "FileVault2 Primary Disk Encryption". 

However, we have discovered that Osquery considers the built-in SSD on M1 Macs and Macs with the T2 Secure Enclave to be "encrypted", even though their files can be trivially accessed by anyone with physical possession of the device without the user's password. Enabling FileVault is the only sure way to protect the data on your Mac.

Since our FileVault check was created to help our customer's ensure the data on their Macs are safe in the event the device is stolen, lost, or otherwise in the possession of an bad-actor, we have taken the following corrective actions:

  1. We have released a new version of our Kolide agent (0.11.17) which contains an accurate attestation about the status of FileVault
  2. We have updated our Check to utilize the new features of our agent.
  3. Since the latest release of Osquery is unable to obtain the status of FileVault, we have contributed our own patch for the benefit of the community.
  4. We have written an informative blog post about this situation to better educate Mac Admins who might be unfamiliar with the differences between Full Disk Encryption and FileVault on modern Macs.

We feel that these actions will better help not only Kolide customers, but anyone else who relies on Osquery for similar information.

As always, please let us know if you any follow-up questions or concerns.

Show Previous EntriesShow Previous Entries