New Inventory: Mac Startup Configuration

Have you ever wondered if a Mac had an EFI firmware password set or if Secure Boot has been turned off? Well, instead of wondering, you can now instantly look up the state of these options and other boot settings in our newly released device property in Inventory called Mac Startup Configuration.

The settings reported in the device property can help administrators better understand the security posture of a Mac. For example, a Mac with Secure Boot off may be at greater risk of being infected by malware that changes the master boot record (MBR). Additionally, the presence of a firmware password could prevent an administrator from reprovisioning a device to a new employee if they forget to turn it off before shipping the Mac back to HQ.

New Inventory Widget

To help you interpret these startup options, we have created a new widget that summarizes them with icons and easy-to-read statuses.

Privacy Center & Data Collection

Like all of our device properties, we have documented the purpose,  privacy information, and the example data set a Mac will return in the Privacy Center.

If you don't want to collect this data from your Mac fleet, you can also take advantage of our new data collection opt-out feature.

A Note About Older Macs or Macs with Apple Silicon

Macs running Apple Silicon instead of an Intel processor do not support several of these startup options. These options include Firmware options and the ability to boot Windows. For these devices and older Intel Macs without a T2 series chip, you'll see the value "Not Applicable" for any relevant settings.

As always, please let us know if you have any questions, suggestions, or improvements we can make. We hope you get value out of the additional visibility.

New Slack App Access Control Setting

Kolide's Slack app enables end-users to identify and self-resolve important issues on their device. Our Slack app has always been a major part of our Honest Security strategy, so it's important we break down as many barriers as possible to enable every single one of our customers to use it.

To that end, we are excited to be rolling out new access control settings for the Slack app. These settings are perfect for organizations that have widely rolled out the Kolide agent but haven't taken the plunge with the Slack app. Many may want to test the self-remediation workflow with just a handful of users before rolling it out widely.

To support this use case, we just launched a new settings page available to administrators that will control precisely who can and cannot interact with the Slack app.

Notice the section labeled, "Who Can Communicate With the Kolide Slack App." If you choose the option "Only users who have who have been explicitly Onboarded," then anyone who hasn't been explicitly invited to use the app in the onboarding manager will not receive any messages from the Slack app. If these same users try to initiate an interaction with the Slack app, they will be greeted with a message that looks like this...


We've also updated the onboarding manager to make the onboarding status for each user much clearer and highlight important settings that impact the Slack experience front and center.


This new setting truly turns off all possible Slack notifications, even notifications that an administrator may directly initiate. So, for example, if you decide to restrict the Slack app to just onboarded users and then try to ping them manually, you will instead see a gentle reminder to onboard them first. This is true even for sensitive device notifications.

We still recommend the original behavior, but we hope this additional setting can help many organizations test out the Slack application in a controlled manner before committing to a company-wide roll-out.

As always, we welcome your questions, comments, and feedback.

Privacy Center - Detailed Checks and More!

A few weeks ago, we announced a major set of improvements to our Privacy Center. These changes give end-users an unprecedented level of transparency into what data is collected from their devices so they can feel confident in enrolling in Kolide, an important principle in Honest Security.

After launching these improvements, we received a ton of positive feedback and some great suggestions we could implement to improve it further. To that end, I am excited to announce two major improvements that we've just shipped.

Detailed Checks

The biggest part of this update is a major improvement to the Checks section of the Privacy Center. Before this update, Checks were simply listed with a hover tooltip of the description. While this was a great start, the list wasn't very user-friendly, nor did it provide end-users with enough information to understand the purpose of each Check or what data was sent to Kolide from their devices.

This new experience is much better.

First, we organized related Checks together into lists and added rich icons, making them much easier to browse.

Second, we added write-ups for each Check that include the query that runs on the device, the purpose of the Check, and even privacy information when applicable. Here is an example of the Check named "1Password - Disallow Plain Text Emergency Kit".

Finally, we've also updated the CSV export to include the description, privacy information, and Checklist name.

View Only Relevant Information For Your Devices

The primary goal of the Privacy Center is to ensure users can understand what data will be collected about their device before they enroll. Once a device is enrolled, however, an end-user may want to transition to an experience where they only see information about Checks and other queries that run on their device.

To help, we've added a filter at the top of the page that will automatically hide any device properties, Checks, and scheduled queries that are not run on their currently enrolled device(s).


This filter is also available when drilling into a Checklist that contains many Checks, as shown below.


We are so excited to see these changes in action and cannot wait to hear more feedback from you. We have many exciting changes for Checks planned this month, and our updated Privacy Center lays a great foundation for their arrival.

As always, please do not hesitate to reach out with questions. 

Query Runbook and Privacy Center Enhancements

As part of our commitment to honest.security, I am so excited to announce some major changes to our end-user accessible Privacy Center, which just went live.

We had two big goals with this feature. 

The first was to give end-users more visibility into what Kolide can potentially collect about their device before they even decide to enroll. Secondly, we wanted to give end-users visibility into the ad-hoc queries which have run on their devices and other important events, like device assignment and re-assignment.

A lot is going on with this enhancement, so beyond documenting those changes in this post, I've also recorded a short video walkthrough of the new Privacy Center.


The Query Runbook

Our goal with Kolide is to enable security and IT teams to be open and transparent about the tools that run on company-provisioned devices and the data that they collect. Accordingly, we've updated the Privacy Center to give end-users an unprecedented level of detail about both of those topics.

Before today, users could request a download of all of their device's Inventory data in a zip file. While this was a good start, it had two usability issues:

  • Users needed to enroll a device before they could understand what data was collected.
  • Users were forced to pore over undocumented CSV files that gave little insight into the meaning or intent of the data contained.

We've done our best to address both of these items and provide an unprecedented level of insight into the way Kolide works and why it collects what it does.

Data Kolide collects by default

Today, in the Kolide Privacy Center, you and your end-users can find an exhaustive list of the data that Kolide collects when certain devices are enrolled.

No one likes long text-based lists, so to make browsing the info easier, we've added beautiful iconography to represent each device property. If you want to know more about an item, simply click the link, and you'll be sent to a detailed page explaining what that item is, the security/IT rationale for collecting it, and even potential privacy considerations.

Transparency into how data is collected from your device:

Additionally, you can explore the queries we run on our endpoint agent to collect data about a specific property.


Preview the data Kolide collects!

The most important capability for an individual who wants to understand more about what Kolide does and does not collect is previewing the data from properties before enrolling their device. To assist in this process, we've added examples of what the data sent to Kolide looks like. 

This gives users the confidence they need to understand that their private data will not be transmitted.



All of this information is available for every single device property Kolide can collect. If you or your end-users have any concerns about collecting certain types of data, remember, you can now disable data collection for those items.


Personalized Audit Log

To further round out our commitment to transparency, we now maintain a separate audit log for each end-user in the system. Today, this audit log captures the following events:

  • Automatic Device Assignment
  • Manual Device Assignment (or unassignment)
  • Device Removal
  • Completed Live Queries

From now on, these audit logs are available to all end-users in the Privacy Center's sidebar. You can even export the entire list to CSV for later review. We believe this capability will help foster trust between IT teams and end-users.


On certain events like Live Query, you and end-users can see additional details by simply clicking the event name.


In this case, the end-user can see who ran the query, what results were returned, and even access a copy of the data sent from their device to Kolide.

Scheduled Queries

Before this enhancement, end-users had little visibility into endpoint data collection that organizations set up via our Logging Pipeline or through a feature called Continuous Running Live Queries.

To address this, we've added a new section to the Privacy Center called Scheduled Queries. It provides a complete list of all queries running on an end-user's assigned devices and a list of queries that may run on devices they enroll in in the future.


Like our Query Runbook and Live Query Audit Logs, we allow the end-users to see informative details related to these queries.

Feedback

These new changes are available in the Privacy Center right now. We have a lot more planned in the future, and we cannot wait to hear your feedback about these new improvements.

New Feature - Add Your Own Device Notes

While Kolide can collect and visualize a lot of useful information from the devices themselves, sometimes, the most useful pieces of data about a device can come from the people who oversee them.

To that end, we've added a new way for Kolide team members with access to the admin UI to write unstructured notes. When you visit the device overview page, you will now see a new widget called Device Notes.

In this widget, simply write any notes about the device you wish to record, and then click save note.  As you can see, the notes support basic Markdown formatting, including links and headers.

If you or another team member make a mistake or want to review the history of notes on a particular device, you can click Revision History and easily restore any previous version of the notes.

In addition to being accessible in the UI, both the raw markdown and the rendered HTML versions of notes are now included in the Device API response.

Finally, we've also updated the overview page for Private Devices to include a limited set of informational widgets, including this new notes widget.


This is just one of many features we plan to roll out this year to help our customers better identify and record useful information about their devices. Until then, please let us know if you have any feedback or improvements, you would like to see.

Lost Mode Now Available on Windows Devices

Earlier this year, we introduced Lost Mode for Mac and Lost Mode for Linux, features that enable the IT team and end-users to work together to locate a misplaced or stolen device. 

Today, we are excited to announce we've completed our Lost Mode cross-platform support with the release of Lost Mode for Windows!

Like Lost Mode for Mac and Linux, this new feature surveys nearby Wi-Fi Access Points to help determine the Windows device's precise geolocation. We consider this a highly-sensitive feature that requires informed end-user consent each time it is used across all platforms.

You can learn more about Lost Mode by reading our help article!

As always, please don't hesitate to reach out to us with feedback or questions!

The New Global Failures View

You may have recently noticed a new top-level navigation option, Failures, in Kolide. We'd love to take a few minutes to walk you through this new Failures view, along with other improvements we made as a part of this feature's release.

One Place To View All Of Your Check Failures

In the UI, when a device fails a check, the information about that failure could be found in that particular Check's details page or on the Device's failure overview page.

Now, there is a third place to view this failure data across all checks and all devices.

Having this data in one place enables several compelling use-cases:

  • Organizing failures by tag (for example: "Show me all failures that belong to a Check with the Critical tag)
  • Searching across all failure metadata for keywords (ex: looking for the word "prod" might bring up some interesting results for failures belonging to more than one check)
  • Locating failures, devices, and people where end-users may be ignoring the notifications from Kolide.

Data and UI Consistency

While building this feature, we wanted to ensure the way we were showing failure data across different contexts was going to be consistent (even CSV exports). We also wanted to make sure the ability to filter and traverse the various failure states were preserved, no matter what part of the UI you were in.

The "Total" Tab - Viewing All Failures

In the spirit of giving administrators the most flexibility when filtering, sorting, and searching failure data, we've created a new tab called Total which allows you to see all failures, regardless of the failure's actual state.

This new view allows you for the first time, to see the entire posture (past and present) for a given device or device-owner. In a single screen, you can see all the Checks that are failing, have failed or are currently being ignored! 

Likewise, you can use all of your favorite mass-actions to quickly address a variety of use-cases that before necessitated wading into individual Check screens. For example, do you have a test-device which is intentionally misconfigured which you wish to ignore failures for? Now you can filter down to only that device, and ignore all of its open failures with just a few clicks!

We are excited to see the use-cases you come up with to make your Kolide experience more efficient, informed and most importantly, actionable.

This new view allows you for the first time, to see the entire posture (past and present) for a given device or device-owner. In a single screen, you can see all the Checks that are failing, have failed or are currently being ignored!

Likewise, you can use all of your favorite mass-actions to quickly address a variety of use-cases that before necessitated wading into individual Check screens. For example, do you have a test-device which is intentionally misconfigured which you wish to ignore failures for? Now you can filter down to only that device, and ignore all of its open failures with just a few clicks!

We are excited to see the use-cases you come up with to make your Kolide experience more efficient, informed and most importantly, actionable.

Improved Failure Recheck Tracking

One sore spot a few customers raised to us is that when you re-check a failure, we immediately consider it "re-checked", even before we got the answer from the device! Now when re-checking, Kolide only updates the timestamp when we actually hear from the device.


This is just the start of many other features we plan to release for Checks this year. Stay tuned!

Lost Mode Now Available on Linux Devices

Early in January, we introduced Lost Mode for Mac, a beta feature in which the security team and end-users can work together to locate a device that was either misplaced or stolen. We are now excited to announce this same functionality is now available on Linux devices!


Just like Lost Mode for Mac, this new feature survey's nearby WiFI Access Points to help determine the Linux device's precise geolocation. Also just like Lost Mode for Mac, we consider this an extremely sensitive operation which requires informed end-user consent each time it is used.

You can learn more about Lost Mode by reading our help article!

As always, please don't hesitate to reach out to us with feedback or questions! 

Wondering about Windows support? Well, a little birdie told me that we might have something to say about that before the end of March. Stay tuned!

New Feature - Control Device Data Collection

Kolide's Inventory feature is designed to collect, enrich, and visualize important data from enrolled devices. We built it to preemptively answer many essential questions administrators have about their devices that Osquery is well suited to answer.

Before adding new device properties to Inventory, we discuss their utility and privacy implications internally and proceed accordingly. Unfortunately, if our customers felt differently about these decisions in the past, they had little recourse to customize further what data was collected. 

After writing the "collecting data honestly" section in honest.security, we knew we had to do better. To that end, we are proud to announce new features that enable Kolide administrators to more finely control what data is collected and displayed within Inventory and the features that rely on it.

For instance, let's say you don't really want Kolide to enumerate the Chrome Extensions your users install. You can now browse to the Chrome Extensions section in Inventory and select Disable Device Property.

Since Inventory is the source of truth for many features in Kolide, like widgets and checks, a modal will appear, which will advise you on precisely which features of Kolide might be impacted, allowing you to make a value-driven decision around the collection of any particular category of data.

Besides providing opt-out capabilities, this feature will also allow Kolide to ship new Inventory device properties that require explicit opt-in from an administrator. Starting today, we support ARP Cache as our first opt-in Inventory property.

Privacy Center

As part of our efforts to increase transparency to end-users, we have overhauled the UI of the Privacy Center and included a list of the data collected from devices.


Wrapping Up

We are excited for our privacy-minded customers to take advantage of this feature and truly customize the data collection to a level they and their end-users feel comfortable with.

If you are interested in using it, we encourage you to read our Help Center guide before diving in, as it contains more information than we could possibly fit in this announcement post.

New Check - Silver Sparrow

On February 18th, Red Canary working with MalwareBytes broke the news that they had discovered a latent malware infection is as many as 30,000 Macs. They posted a detailed analysis online and dubbed this new threat Silver Sparrow.

What makes Silver Sparrow so interesting is that while the malware had the capability to do real damage, its final payload was never executed by its authors and operators. It is also one of the first variants of Mac malware in the wild that was compiled to run natively on Macs with Apple Silicon.

This Malware is already well-detected by commodity anti-virus solutions, and Apple has done its part to help stop the spread by revoking the development certificate used to sign the malicious installer.

While Kolide isn't intended to be used as a comprehensive malware detection platform, we often as a courtesy hunt for prolific threats on behalf of our customers. Based on the information we have today, it appears no Kolide customers have been infected by this malware.

Even so, out of an abundance of caution, Kolide has developed a simple Check to look for this malware and deployed it to each of our customers. 

Please let us know if you have any follow-up questions or concerns about Silver Sparrow, malware, or the Checks feature of Kolide. 

Show Previous EntriesShow Previous Entries