New Check/Inventory: macOS Screenlock

At long last, we are excited to announce the most requested Check at Kolide–macOS Screenlock.

You can find this new check and configure notifications for it at https://k2.kolide.com/x/checks/75237/failures/open.

This Check is comprehensive in that it not only checks whether the screenlock settings are configured correctly, but also verifies that the system will go to sleep or activate the screensaver after an appropriate amount of idle time.

To pass this Check on macOS, the following must be true:

  1. The "require password after sleep or screensaver begins" setting must be checked under the Security and Privacy pane in System Preferences.
  2. The grace period dropdown next to this setting must be set to 5 minutes or less.
  3. Your system must be configured either to sleep or to activate the screensaver after 10 minutes of idle time, regardless of whether it is running on battery or directly connected to an electrical outlet.

These passing states were carefully chosen after reviewing the Center for Internet Security macOS guidelines and interviewing many of our customers about what values they thought struck a good balance between security and device usability.

New Inventory - Screenlock Configs

In addition, we have also exposed data about macOS screenlock configurations in Inventory. You can find this Inventory item at https://k2.kolide.com/x/inventory/mac_screenlock_configs.

In this Inventory Item we expose the following columns:

  • Screenlock Enabled - true if the "require password after sleep or screensaver begins" setting is checked under the Security and Privacy pane in System Preferences.
  • Screenlock Grace Period - The amount of time in seconds (or "Immediately") the computer can be asleep or the screensaver activated before a password is required to unlock the computer.
  • Minimum Effective Idle - The amount of time in seconds the computer must be idle before it either sleeps or activates the screensaver.
  • Display Sleep Idle A/C - The amount of time in seconds (or "Never") the computer must be idle while connected to power before the screen turns off.
  • Display Sleep Idle Battery - The amount of time in seconds (or "Never") the computer must be idle while running on battery power before the screen turns off.
  • Screensaver Idle - The amount of time in seconds (or "Never") the computer must be idle before activating the screensaver, based on the end-user's own preferences.
  • Screensaver Idle Last Modified At - The exact time (or NULL) at which the user modified the screensaver idle time setting in the UI.
  • Screensaver Idle Managed - The amount of time in seconds (or NULL) the computer must be idle before activating the screensaver, based on a managed preference set by an administrator.

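To make the three pass criteria concrete, here is an added example (not Kolide's code) that evaluates constructed rows shaped like the Inventory columns above against the Check, for both power sources. The dictionary keys, the "Never"/"Immediately"/NULL normalisation and the rule that a managed screensaver preference overrides the user's preference are assumptions made for this illustration.

```python
from typing import List, Optional, Union

Idle = Union[int, str, None]   # seconds, "Never", "Immediately", or NULL

MAX_GRACE_SECONDS = 5 * 60     # criterion 2: grace period of 5 minutes or less
MAX_IDLE_SECONDS = 10 * 60     # criterion 3: sleep or screensaver within 10 minutes


def seconds(value: Idle) -> Optional[int]:
    """Normalise a column value: 'Immediately' -> 0, 'Never' or NULL -> None."""
    if value is None or value == "Never":
        return None
    return 0 if value == "Immediately" else int(value)


def effective_idle(display_sleep: Idle, saver_user: Idle, saver_managed: Idle) -> Optional[int]:
    """Shortest idle time before the display sleeps or the screensaver starts.
    Assumption: a managed screensaver preference, when present, wins over the user's."""
    saver = saver_managed if saver_managed is not None else saver_user
    candidates = [s for s in (seconds(display_sleep), seconds(saver)) if s is not None]
    return min(candidates) if candidates else None


def evaluate(row: dict) -> List[str]:
    """Return the failed criteria for one row; an empty list means the Check passes."""
    failures = []
    if not row["screenlock_enabled"]:
        failures.append("require password after sleep/screensaver is not enabled")
    grace = seconds(row["screenlock_grace_period"])
    if grace is None or grace > MAX_GRACE_SECONDS:
        failures.append("grace period exceeds 5 minutes")
    # Criterion 3 must hold on A/C and on battery independently.
    for power, column in (("A/C", "display_sleep_idle_ac"), ("battery", "display_sleep_idle_battery")):
        idle = effective_idle(row[column], row["screensaver_idle"], row["screensaver_idle_managed"])
        if idle is None or idle > MAX_IDLE_SECONDS:
            failures.append(f"no sleep or screensaver within 10 minutes on {power}")
    return failures


# Constructed sample rows (not real device data).
SAMPLE_ROWS = {
    "compliant": {"screenlock_enabled": True, "screenlock_grace_period": "Immediately",
                  "display_sleep_idle_ac": 600, "display_sleep_idle_battery": 120,
                  "screensaver_idle": "Never", "screensaver_idle_managed": None},
    "never_sleeps_on_ac": {"screenlock_enabled": True, "screenlock_grace_period": 60,
                           "display_sleep_idle_ac": "Never", "display_sleep_idle_battery": 300,
                           "screensaver_idle": 1200, "screensaver_idle_managed": None},
    "managed_saver_long_grace": {"screenlock_enabled": True, "screenlock_grace_period": 3600,
                                 "display_sleep_idle_ac": "Never", "display_sleep_idle_battery": "Never",
                                 "screensaver_idle": 1200, "screensaver_idle_managed": 300},
}
```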
The long journey to get this data

If you are curious why this Check was challenging to create or are interested in how we reverse-engineered macOS to accurately gather this information (and how we open-sourced it as a new virtual table in osquery), I suggest reading our write-up on our blog at https://blog.kolide.com/checking-macos-screenlock-remotely-62ab056274f0.

As always, let us know if you have any questions, concerns or feedback about this Check!

Improvements to Device Deduplication & Deletion

Last week, Kolide rolled out several changes to our deduplication logic. This logic is how our platform decides whether incoming device data belongs to an existing device record or should constitute the enrollment of a new device.

Our original deduplication logic focused on making a best effort at combining devices into a single record whenever possible. We've since discovered that not only is this aggressive deduplication logic unnecessary, it can actually cause issues in a variety of common scenarios such as:

  • New hardware that was set up using Mac's Migration Assistant
  • Previously enrolled devices that have since been reformatted and provisioned to new employees
  • Unique Virtual Machines built from a snapshot of a previously enrolled VM

Kolide's new deduplication logic now handles all of the above scenarios correctly by generating a new device record in every instance. If you've noticed a few more devices than you are used to, it's likely because several devices were silently afflicted by one of the situations mentioned earlier.

In line with these changes, the tombstone created when a device is removed from Kolide will now only prevent the re-enrollment of that specific agent installation. This change should eliminate confusion for new employees when re-enrolling re-imaged devices that were previously deleted in K2.

We believe these changes will dramatically improve your experience using Kolide and appreciate all the feedback and technical details you've shared with us that allowed us to improve this logic.

If you notice any irregularities or have questions about this change, please reach out via the Intercom widget or support@kolide.com.

This Week’s Quality of Life Improvements

We deploy improvements to Kolide daily, but not every individual update deserves its own entry in our change-log. This week, however, we've shipped a number of small improvements that, when considered together, may have a real impact on how you use Kolide. Here are four items that we think you will enjoy reading about.

Filter Checks By Untagged & Failing Percent

After shipping our new Check page filtering experience and Check tagging, we've received a lot of great feedback from many of you that it would be nice to be able to filter Checks that have no assigned tags, or filter Checks by their failing percentage.

As of Monday, these two filters are now available. Keep the suggestions coming!


Disable Optional Onboarding Messages

When you use Kolide's Onboarding feature, Kolide may send additional messages to an end-user if they enroll a device that is missing the appropriate permissions on macOS. Sometimes, though, you may not want your users to receive this message if you plan on granting the permissions en masse later via an MDM like Jamf.

Now you can turn off this optional message (and any future optional messages we may decide to send) in the Onboarding Customization screen.


Track OUs and Suspended Accounts in G Suite

If you already integrate your G Suite account with Kolide, you know we keep track of those accounts in Inventory. When an account is deleted, instead of archiving it on our end, we mark it as missing. Sometimes though, G Suite accounts are not deleted, merely suspended. Kolide now can differentiate between an active account, a suspended account, and a missing account, which we display in the "Status" column in the table of G Suite identities.

If you wish, you can even configure the integration to stop importing suspended accounts.

In addition, if you use Organization Units (OUs) to organize users in G Suite, Kolide will now collect and display this information in Kolide's Inventory under G Suite Identities.



See the Original Name of Renamed Devices

Kolide allows you to change the display name of any device you have in Inventory. While this feature is helpful, it is still useful to see the Device's current hostname without having to dig for it.

Now when you view a Device with a customized name, we will display its current hostname parenthetically next to it.

We also now show this information in the global search!

If you want to remove a custom name, simply click the "Actions" button on the Device's overview page, select "Edit Device Name", delete all of the text in the input field that appears, and press "Save".


We hope these improvements make a difference and improve how you use Kolide. As always, we look forward to your feedback!

New: macOS iCloud Settings & Windows Security Center Widgets

We recently shipped three new widgets on the Device details page: two for Windows Devices, and one for macOS.

Widgets are our way of visualizing and summarizing information that we collect about devices via the Kolide agent. We created these widgets with the goal of giving Kolide administrators relevant, accurate, and glanceable information when viewing a specific Device's details.

Below is a quick summary of the three new widgets.

macOS - iCloud Settings

This widget shows you the iCloud information for the primary user of your device (if available). This information is not only helpful when determining whether an employee has a work-based or personal email associated with their device, but also lets you see at a glance which services are syncing content from the device to their iCloud account. This is especially useful if you do not want users accidentally syncing work-related files to their personal iCloud Drive.



Windows - Registered Security Products

Microsoft Windows has a handy API which allows Kolide to see the products that take on the role of the primary Firewall provider or Antivirus software. While Kolide has been collecting this information in Inventory for a while, we felt that we should be visualizing this information on the Device's detail view. Not only can you see the product names, but we can use this API to inform you if the signatures are properly updating.


Windows - Security Center

Unlike the other two widgets that visualize previously collected information, this widget contains new information from a recently added osquery table we contributed to the project a few months ago. This table allows Kolide to enumerate the health of subsystems monitored by the Windows Security Center. We can now summarize this information concisely in the widget below.


As always, we hope you find this information useful and easy to digest as you peruse your Windows and Mac devices enrolled in Kolide. If you have suggestions or feedback about these widgets, or have specific requests about additional information you'd like to see make our short-list, please let us know.

Inventory and Live Query Performance Improvements

If you have thousands of devices enrolled in Kolide, you may have noticed some modest speed improvements when browsing Inventory and using Live Query last week.

These speed boosts are part of a major initiative we rolled out last week to speed up the application. These improvements include:

  • JS, CSS, and other assets are now served via a CDN
  • Live Query is much smoother when querying thousands of devices at the same time
  • The global search bar now renders results much faster
  • Sorting and Filtering on the Devices table based on owner name and primary username is faster

There are still many areas to improve, but the performance improvements we have implemented should make browsing Inventory a more pleasant experience for organizations with many thousands of devices.

New AWS EC2 Inventory Features

Starting today, when you enroll an AWS EC2 device into Kolide (or an existing EC2 device checks in), Kolide will collect additional information about that instance that you and your team may find useful.

Bringing this information to Kolide is part of our commitment to displaying as many accurate and relevant details about enrolled devices as possible, to ensure you have an accurate understanding of each of the assets you've enrolled.


Accurate EC2 Hardware Names and Device Images

If a device is an AWS EC2 instance, instead of showing a generic VM hardware type (usually HVM domU) we now indicate that it is an EC2 VM and display the instance type and size.

Also, instead of an image of a generic laptop, Kolide will now show the EC2 logo with the instance type superimposed.


AWS EC2 Widget

We have built a simple widget on the Device overview page that will now display important information about the EC2 instance, including its associated AWS Account ID, Region/AZ, and the precise time the instance was launched.

In addition to these details, Kolide will collect and display the primary public SSH key used to access the device (for which we calculate an MD5 fingerprint, to make it easier for you to cross-correlate it with the User SSH Keys inventory).
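To cross-correlate the key shown in the widget with the User SSH Keys inventory, it helps to be able to reproduce the MD5 fingerprint yourself from an authorized_keys-style line. The following is an added example, not Kolide's code; it assumes the fingerprint is the colon-separated MD5 form that `ssh-keygen -l -E md5` prints, and the sample key line is constructed from a dummy 32-byte value rather than taken from a real device.

```python
import base64
import hashlib
import struct
from typing import Tuple


def parse_public_key(line: str) -> Tuple[str, bytes, str]:
    """Split an OpenSSH public key line into (type, raw key blob, comment).

    The blob's first length-prefixed string is the key type; it must match the
    declared type, which catches truncated or mangled inventory entries.
    """
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2].strip() if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + name_len].decode("ascii", errors="replace")
    if embedded != key_type:
        raise ValueError(f"declared type {key_type!r} but blob encodes {embedded!r}")
    return key_type, blob, comment


def md5_fingerprint(line: str) -> str:
    """MD5 fingerprint of the decoded blob, formatted as MD5:xx:xx:...:xx."""
    _, blob, _ = parse_public_key(line)
    digest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed sample: an ssh-ed25519 key line whose 32-byte value is 0x00..0x1f.
# This is not a real key; it only exercises the wire-format parsing above.
SAMPLE_BLOB = (struct.pack(">I", 11) + b"ssh-ed25519"
               + struct.pack(">I", 32) + bytes(range(32)))
SAMPLE_KEY_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " deploy@example"
```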

To see all the details collected by Kolide, you can browse the main inventory category at https://k2.kolide.com/x/inventory/ec2_instances.


Super Duper Search

If you are unfamiliar with Super Duper Search, it is the global search capability at the top of Kolide's navigation. This search feature can help you find devices, people, and installables (apps, packages, extensions, etc.) simply by searching for their name or other relevant unique details.

With this update, you can now search for EC2 instances by their instance ID and their primary MAC address.

What can we do to make this even better?

Have feedback on these features, or wish we were doing more for AWS devices? Let us know! In the meantime, we hope these additions make your experience enrolling AWS devices a little bit better.