We've Renamed Failures to Issues

Summary: We have switched UI, Slack App, Web URLs, and API endpoints to use the word "Issue" instead of the word "Failure." Any existing API endpoints and properties using the term "Failure" will still work, and any Webhooks fired for "Failures" will still fire as before. With that said, we highly encourage you to move over to their Issue counterparts. See the API documentation for more information.


When communicating directly with end-users, choosing your language precisely is essential. It's so essential we spent a bit of time talking about this precise topic in our Honest Security guide.

In Kolide, we have several areas where language can be improved, but one of the biggest problem areas was using the word "Failure" to describe how we track the problems we find on a device. This is not a great word choice. For many, the word failure calls to mind other negative terms like "neglect," "dereliction," or a "screw-up." It's also a word that has a degree of finality to it. It's a word designed to define a bad end-state, not one that necessarily invites action.

Instead of the word failure, we are going with a word that still communicates our intent but softens the language and makes it easier to associate with a device, not a person. That word is Issue. The word is short, easy to spell, and most importantly, doesn't carry the same weight and implied finality as the word failure. Saying, "Your device has Issues that need your attention," flows much better than it would if we kept Failures.

To that end, our UI, Slack app, our URLs, and even back-end APIs will now feature the word 'Issues' over the word 'Failures.' 

While we have made this change throughout the app, we will continue to refer to Check status as "Failing" or "Passing." The only difference is a device that Fails a Check will produce an Issue (not a Failure).

To help with the transition, we are doing the following:

  • URLs: We will automatically redirect any existing URLs that contain the word Failures to the corresponding Issue URL. Ex: https://k2.kolide.com/x/inventory/devices/x/failures would become https://k2.kolide.com/x/inventory/devices/x/issues
  • API: We have not removed any API endpoints or properties with the word Failure in them. We've only made additive changes to the API.
  • Webhooks: We will still fire any original "Failure" webhooks, in addition to firing the new "Issue" webhooks. 

We hope you find this change an improvement. If you have other suggestions on improving the language throughout the app (especially in the Slack app), please reach out and let us know.

New Inventory: Microsoft Office Add-Ins

As part of our mission to provide world-class ground truth about devices enrolled in Kolide, I am excited to announce the latest addition to Inventory, Microsoft Office Add-Ins.

Why List Microsoft Office Add-ins?

For the unfamiliar, Microsoft Office Add-ins are extensions that end-users can install with most Microsoft Office products like Word, Excel, and Outlook. These extensions can support new media types, extend the user interface, or even integrate with third-party services (ex: Zoom or Wikipedia).

Like web browsing, the documents employees interact with within Microsoft Office are often incredibly sensitive and contain confidential information essential to the business or customers. Add-ins (depending on their permissions) have unprecedented access to documents and emails, allowing them to read or even alter their contents. While Microsoft does a reasonable job of vetting obvious malicious add-ins, there are sometimes cases where an add-in provides a service by transmitting parts or potentially all content in a document to the third-party server (ex: Grammarly). These freemium services may be undesirable or potentially even violate the company's existing data sharing and privacy agreements like the GDPR.

To that end, we wanted to provide a way to easily enumerate these add-ins, their capabilities, and other relevant info, right in Inventory, for both Mac and Windows devices.

Feature Overview

Every Office Add-in has a manifest file that gives us unique insight into the add-in capabilities, permissions, and type on both Mac and Windows devices. To view this information across the fleet, browse directly to the Microsoft Add-in section in Inventory.

There are many types of add-ins and specific capabilities associated with each. We encourage you to refer to the official Microsoft Office developer documentation to learn more about interpreting this data in Inventory.
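To make the manifest fields above concrete, here is an added Python example (not Kolide's code) that reads an add-in's XML manifest and reports its type, declared permission, and the remote hosts it loads from. The sample manifest is constructed, and the `CONTENT_ACCESS` review policy and function names are assumptions for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

O = "{http://schemas.microsoft.com/office/appforoffice/1.1}"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Example review policy (an assumption; tune to your own data-sharing rules):
# permission levels that let an add-in read whole documents, items or mailboxes.
CONTENT_ACCESS = {"ReadAllDocument", "ReadWriteDocument", "ReadItem",
                  "ReadWriteItem", "ReadWriteMailbox"}

# Constructed sample manifest; the names, Id and hosts are placeholders.
SAMPLE_TASKPANE = """<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="TaskPaneApp">
  <Id>00000000-0000-4000-8000-000000000001</Id>
  <Version>1.2.0.0</Version>
  <ProviderName>Example Writing Tools</ProviderName>
  <DefaultLocale>en-US</DefaultLocale>
  <DisplayName DefaultValue="Prose Helper"/>
  <Description DefaultValue="Constructed sample"/>
  <AppDomains><AppDomain>https://api.prose-helper.example</AppDomain></AppDomains>
  <Hosts><Host Name="Document"/></Hosts>
  <DefaultSettings>
    <SourceLocation DefaultValue="https://cdn.prose-helper.example/pane.html"/>
  </DefaultSettings>
  <Permissions>ReadWriteDocument</Permissions>
</OfficeApp>"""


def summarize_manifest(xml_text):
    """Return identity, permission and remote-host details for one manifest."""
    # Manifests are untrusted input: refuse DTDs so entity tricks never reach the parser.
    if "<!DOCTYPE" in xml_text.upper():
        raise ValueError("DTD not allowed in add-in manifest")
    root = ET.fromstring(xml_text)
    if root.tag != O + "OfficeApp":
        raise ValueError("not an Office add-in manifest")

    def child_text(name):
        el = root.find(O + name)
        return el.text.strip() if el is not None and el.text else None

    display = root.find(O + "DisplayName")
    # SourceLocation sits in different places for task pane and mail add-ins,
    # so collect every occurrence plus any declared AppDomain.
    urls = [el.get("DefaultValue") for el in root.iter(O + "SourceLocation")]
    urls += [el.text for el in root.iter(O + "AppDomain")]
    hosts = sorted({urlsplit(u.strip()).hostname for u in urls if u} - {None})
    permission = child_text("Permissions")
    return {
        "id": child_text("Id"),
        "name": display.get("DefaultValue") if display is not None else None,
        "version": child_text("Version"),
        "provider": child_text("ProviderName"),
        "type": root.get(XSI_TYPE),
        "office_hosts": [h.get("Name") for h in root.iter(O + "Host")],
        "permission": permission,
        "remote_hosts": hosts,
        "needs_review": permission in CONTENT_ACCESS,
    }


def review_queue(manifests):
    """Names of add-ins whose declared permission grants content access."""
    summaries = [summarize_manifest(m) for m in manifests]
    return [s["name"] for s in summaries if s["needs_review"]]


if __name__ == "__main__":
    for key, value in summarize_manifest(SAMPLE_TASKPANE).items():
        print(f"{key}: {value}")
```
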

In addition, Microsoft Office Add-ins join many other "installable" Inventory items in our global search. Here is an example of finding an add-in called "Wikipedia." You can also search for Add-ins by their unique identifiers.


Microsoft Add-in Store Enhancement

Beyond collecting data from each endpoint, Kolide will also attempt to source data about the add-in from Microsoft's Add-in Store called Microsoft App Source. From there, we can pull essential data like the latest published version, the last release date, and the average rating.

Privacy Center & Data Collection

Like all of our device properties, we have documented the purpose, privacy information, and a representative example data set, which a Mac or Windows device will return in the Privacy Center.


We collect Microsoft Add-ins by default. If you don't want to collect this data from your devices, you can also use our new data collection opt-out feature.


New: Custom Slack Messages for Checks

At Kolide, we encourage our customers to entrust their users with the responsibility of keeping their devices secure and compliant. If you can communicate honestly and concisely with people about issues on their devices, they will be motivated to fix them, and more importantly, learn something in the process.

We invest a lot of time writing a clear rationale and precise fix instructions for every Check we ship in the product to accomplish this. We try to put ourselves in the shoes of every type of user—from the most technical to someone who has never opened the terminal before—and write Slack messages that are accessible, clear, and actionable.

While we work hard at this, we can never be perfect. Kolide will always be at a disadvantage to admins who work with their users every day and deeply understand their needs. These admins can often improve these messages for their staff in a way that does not apply to every Kolide user.

To that end, it gives me great pleasure to announce that as of today, Kolide allows customers to fully customize the rationale and fix instructions for every Check on the platform. Let me show you how it works.

How to Get Started

To get started, click on the "(...)" actions dropdown next to any Check and click "Configure." Find the section you'd like to change in the Check configuration sidebar and click "Edit..." within the Slack notification preview.


Supplementing an Official Kolide Message

In many cases, you may wish to only add a note, either just before or just after Kolide's official messaging. To support this, Kolide allows you to supplement its existing messages. Supplementing is an excellent choice because it enables you to continue to benefit from any changes Kolide will make to the template but allows you to communicate additional information to your users.


Fully Customizing a Message

Sometimes supplementing is not enough, and you will want to completely change the content of a message to best suit your users. To that end, the "Compose Custom Text" option gives admins complete control over the message without any approval from Kolide.


In both cases (full customization and supplemental changes), Kolide will put your organization name under the header of the section modified so end-users know the instructions came right from your company.



Revision History, Markdown, and Liquid

Kolide will put a notice in the audit log for every change and keep a complete revision history. You can revert to a previous known good state if any undesired changes are introduced to the templates.

As for formatting, instead of asking you to learn a new formatting API, all of Kolide's templates are written in standard markdown and automatically converted to Slack's block format.

For advanced users who want to include conditionals or display data from the Device, Check, or Failure the message is about, Kolide allows you to use the liquid syntax. The documentation for the variables for each Check can be found right in the edit window.



In closing, we are very excited to bring this message customization functionality to Kolide. We cannot wait to continue to improve this experience as folks explore the feature and provide feedback. Happy writing!

New Inventory: Safari Extensions

Up until today, Kolide has not attempted to collect Safari Extensions. Osquery's built-in support has been broken since Safari 11, and with the extension API story still shaking out on the Apple side, it wasn't clear if our efforts would be made obsolete in a future Safari version.

But with the recent release of Safari 15, things have moved in a positive direction. Apple has dramatically improved the reliability of, and consequently the developer experience around, web extensions. We expect that more and more app developers will begin porting their Firefox Addons and Chrome Extensions to Safari with these changes. In turn, end-users will install them as they become available.

Unfortunately, with a more diverse library of extensions comes a greater opportunity for bad actors to abuse it to potentially publish extensions of dubious value in exchange for an over-reach into the end-user's privacy. The first step of preparing for this eventuality is to gain greater visibility into the extensions installed across your fleet.

To help our customers do just that, we are excited to announce the inclusion of Safari Extensions in Inventory.

Starting today, Kolide can collect extension data from Safari 14 and Safari 15, including extensions built with the still relatively new web extension SDK (even including permission entitlements).

In addition, Safari extensions join many other "installable" Inventory items in our global search. Here is an example of finding an APP extension that comes with NetNewsWireApp.

Apple App Store Enhancement

Beyond collecting data from each Mac endpoint, Kolide will also attempt to send the bundle_identifier of the extension to Apple's App Store API to determine the latest version and when that version was published, among other data.

Privacy Center & Data Collection

Like all of our device properties, we have documented the purpose, privacy information, and a representative example data set, which a Mac will return in the Privacy Center.

We collect Safari Extensions by default. If you don't want to collect this data from your Mac fleet, you can also take advantage of our new data collection opt-out feature.


Customize the Privacy Center

We hope you are enjoying your summer (or winter for our friends in the Southern Hemisphere). We've been working hard on our end on a slew of changes to Kolide's Privacy Center. These new features are now available and can be found in the new Privacy Center Configuration screen.

You can now limit who can sign into the Privacy Center (great when you are in the process of rolling out Kolide) and can control which authentication methods are shown to end-users when they are prompted to sign in. These new options join the major changes we made to the sign-in process we announced earlier this year.

With that said, perhaps my favorite feature is the ability to customize the content within the Privacy Center.

Add a Custom Section to the Privacy Center

Many of our customers have embraced the Privacy Center, which has quickly become the home base for end-users to learn about the company's endpoint security strategy. 

Over time we've gotten many requests to customize the content to include important company information relevant to their end-users. 

Starting today, Kolide administrators can create a custom section with any information they'd like. Text, links, and any other markdown formatted content can be displayed at the top of the Privacy Center for all end-users.

You can find these customization options in the new Privacy Center configuration screen under settings.

We hope everyone takes advantage of the Privacy Center customization to improve their end-users' understanding of Kolide and point them to important security and IT resources.

Kolide Side Dishes

At Kolide, we typically ship changes and improvements to the product multiple times a day. The vast majority of these changes are modest improvements not worthy of their own change-log post, but together, they can make a big difference. We call these smaller features side dishes!

In this edition of side dishes, we have four exciting features to announce!

Improved Privacy Center Sign-In Experience

Over the last several months, we have invested a lot of energy into Kolide's Privacy Center, including letting users see the full set of device properties, checks, and other queries run on their device. While these improvements are great, end-users can't realize their benefits if they need to spend time fighting with a sign-in screen instead of reading the content. 

We've updated our Slack application to give end-users buttons instead of links to the Privacy Center to make things a lot easier. Unlike the normal Privacy Center links (which will lead most end-users to a sign-in screen), these buttons will actually open the browser using a secret and personalized URL that will automatically sign them in. 

Additionally, we've made some improvements to the privacy command to give end-users more information about their data before sending them to the Privacy Center. You can see an example below:

We've built this with security in mind. For example, Kolide administrators who sign in to the Privacy Center using one of these magic buttons will still need to authenticate fully when they try to access any sensitive functionality.

New Automatic Device Deletion Settings

As our customers continue to grow the number of devices they enroll, many of them are looking for more advanced options to manage when inactive devices are removed automatically or if multiple device records exist in Kolide for a device with the same serial number.

With our new Automatic Device Deletion setting screen, you can tune the behavior of those options to your liking. If you find yourself frustrated by seeing too many retired devices, or old instances of devices that have to be re-provisioned to new users, I highly recommend checking out these new settings.

Renamed Device Privacy to Restrictions

Our Device Privacy settings page has been renamed to Restrictions to reflect the options available on that screen better. Here you will continue to find settings that allow you to turn off features, restrict Osquery tables, and restrict the visibility of data collected about devices.

Kolide MDM Column 

For those taking advantage of our MDM capabilities, we've added a new column in Inventory called "Kolide MDM." This will enable sorting and filtering by the managed state of the device.

Additionally, the attribute kolide_mdm was added to the Device API response.

Introducing Live Refresh

At Kolide, we do our best to strike a healthy balance between the performance impact of our agent and the usefulness of the data we collect in the UI. In practice, this means we optimize every query to minimize impact and run expensive queries as infrequently as necessary. 

Sometimes though, when actively viewing a device, you may want the most recent information possible. To assist with this use case, we are rolling out a new feature called Live Refresh. Here it is in action!

Data Last Retrieved Timestamps

Being able to refresh data live starts with understanding when the data you are currently looking at was collected. To help with this, we have updated all of our widgets and device property tables to show the last time the information was retrieved from a device.

In some cases, like the Security Features widget shown above, many queries contribute to this display; when this happens, Kolide shows the retrieved date of the oldest data in the widget.

Kicking Off a Live Refresh

Kicking off a Live Refresh is as easy as clicking the Refresh Data button on any applicable device widget or device property screen. The necessary queries needed to populate the widget's display will be immediately issued to the device. If the device is online, the refresh should return in 10 to 15 seconds. You can also kick off refreshes for offline devices. Then, when they come online, they will refresh their data ASAP.

Once a refresh is done, the widget or table will change colors, letting you know the new data is ready to be reloaded. Simply click the "reload data" button, and the new data will load right into the UI.

While the feature is extremely straightforward, building it was no small task. In fact, a lot of it relied on the work we did to ship our data device collection control capabilities earlier this year. I want to thank the entire engineering team at Kolide for their hard work in making this feature happen. I want to also thank our customers for all of their input, leading to this feature being fully realized. We look forward to your feedback!

New Slack Option - Skip Personal Device Enrollment

A few weeks ago, we introduced a new dedicated options screen for managing the behavior of Kolide's Slack App. This week, we added a new option to this screen for organizations that do not want their end-users to enroll their personal devices into Kolide.


Previously, when any user self-enrolled a device, Kolide's Slack app would ask if it was a personal or organization-owned device. However, some organizations may not want to allow end-users to enroll their personal devices. 

If this sounds like you, change the setting to Allow ONLY organization-owned devices to enroll in Kolide. Once saved, this part of the enrollment process will be skipped, and every newly enrolled device will be marked as organization-owned.

Please Note: This setting does not convert previously enrolled personal devices into organization-owned ones. To convert them, you will need to simply remove/delete those devices from Kolide and have the user re-enroll them with the new correct choice.

New Inventory: Mac Startup Configuration

Have you ever wondered if a Mac had an EFI firmware password set or if Secure Boot has been turned off? Well, instead of wondering, you can now instantly look up the state of these options and other boot settings in our newly released device property in Inventory called Mac Startup Configuration.

The settings reported in the device property can help administrators better understand the security posture of a Mac. For example, a Mac with Secure Boot off may be at greater risk of being infected by malware that changes the master boot record (MBR). Additionally, the presence of a firmware password could prevent an administrator from reprovisioning a device to a new employee if they forget to turn it off before shipping the Mac back to HQ.

New Inventory Widget

To help you interpret these startup options, we have created a new widget that summarizes them with icons and easy-to-read statuses.

Privacy Center & Data Collection

Like all of our device properties, we have documented the purpose, privacy information, and the example data set a Mac will return in the Privacy Center.

If you don't want to collect this data from your Mac fleet, you can also take advantage of our new data collection opt-out feature.

A Note About Older Macs or Macs with Apple Silicon

Macs running Apple Silicon instead of an Intel processor do not support several of these startup options. These options include Firmware options and the ability to boot Windows. For these devices and older Intel Macs without a T2 series chip, you'll see the value "Not Applicable" for any relevant settings.

As always, please let us know if you have any questions, suggestions, or improvements we can make. We hope you get value out of the additional visibility.

New Slack App Access Control Setting

Kolide's Slack app enables end-users to identify and self-resolve important issues on their device. Our Slack app has always been a major part of our Honest Security strategy, so it's important we break down as many barriers as possible to enable every single one of our customers to use it.

To that end, we are excited to be rolling out new access control settings for the Slack app. These settings are perfect for organizations that have widely rolled out the Kolide agent but haven't taken the plunge with the Slack app. Many may want to test the self-remediation workflow with just a handful of users before rolling it out widely.

To support this use case, we just launched a new settings page available to administrators that will control precisely who can and cannot interact with the Slack app.

Notice the section labeled, "Who Can Communicate With the Kolide Slack App." If you choose the option "Only users who have been explicitly Onboarded," then anyone who hasn't been explicitly invited to use the app in the onboarding manager will not receive any messages from the Slack app. If these same users try to initiate an interaction with the Slack app, they will be greeted with a message that looks like this...


We've also updated the onboarding manager to make the onboarding status for each user much clearer and highlight important settings that impact the Slack experience front and center.


This new setting truly turns off all possible Slack notifications, even notifications that an administrator may directly initiate. So, for example, if you decide to restrict the Slack app to just onboarded users and then try to ping them manually, you will instead see a gentle reminder to onboard them first. This is true even for sensitive device notifications.

We still recommend the original behavior, but we hope this additional setting can help many organizations test out the Slack application in a controlled manner before committing to a company-wide roll-out.

As always, we welcome your questions, comments, and feedback.
