New Feature - Add Your Own Device Notes

While Kolide can collect and visualize a lot of useful information from the devices themselves, sometimes, the most useful pieces of data about a device can come from the people who oversee them.

To that end, we've added a new way for Kolide team members with access to the admin UI to write unstructured notes. When you visit the device overview page, you will now see a new widget called Device Notes.

In this widget, simply write any notes about the device you wish to record, and then click save note.  As you can see, the notes support basic Markdown formatting, including links and headers.

If you or another team member make a mistake or want to review the history of notes on a particular device, you can click Revision History and easily restore any previous version of the notes.

In addition to being accessible in the UI, both the raw markdown and the rendered HTML versions of notes are now included in the Device API response.

Finally, we've also updated the overview page for Private Devices to include a limited set of informational widgets, including this new notes widget.


This is just one of many features we plan to roll out this year to help our customers better identify and record useful information about their devices. Until then, please let us know if you have any feedback or improvements, you would like to see.

Lost Mode Now Available on Windows Devices

Earlier this year, we introduced Lost Mode for Mac and Lost Mode for Linux, features that enable the IT team and end-users to work together to locate a misplaced or stolen device. 

Today, we are excited to announce we've completed our Lost Mode cross-platform support with the release of Lost Mode for Windows!

Like Lost Mode for Mac and Linux, this new feature surveys nearby Wi-Fi Access Points to help determine the Windows device's precise geolocation. We consider this a highly-sensitive feature that requires informed end-user consent each time it is used across all platforms.

You can learn more about Lost Mode by reading our help article!

As always, please don't hesitate to reach out to us with feedback or questions!

The New Global Failures View

You may have recently noticed a new top-level navigation option, Failures, in Kolide. We'd love to take a few minutes to walk you through this new Failures view, along with other improvements we made as a part of this feature's release.

One Place To View All Of Your Check Failures

In the UI, when a device fails a check, the information about that failure could be found in that particular Check's details page or on the Device's failure overview page.

Now, there is a third place to view this failure data across all checks and all devices.

Having this data in one place enables several compelling use-cases:

  • Organizing failures by tag (for example: "Show me all failures that belong to a Check with the Critical tag)
  • Searching across all failure metadata for keywords (ex: looking for the word "prod" might bring up some interesting results for failures belonging to more than one check)
  • Locating failures, devices, and people where end-users may be ignoring the notifications from Kolide.

Data and UI Consistency

While building this feature, we wanted to ensure the way we were showing failure data across different contexts was going to be consistent (even CSV exports). We also wanted to make sure the ability to filter and traverse the various failure states were preserved, no matter what part of the UI you were in.

The "Total" Tab - Viewing All Failures

In the spirit of giving administrators the most flexibility when filtering, sorting, and searching failure data, we've created a new tab called Total which allows you to see all failures, regardless of the failure's actual state.

This new view allows you for the first time, to see the entire posture (past and present) for a given device or device-owner. In a single screen, you can see all the Checks that are failing, have failed or are currently being ignored! 

Likewise, you can use all of your favorite mass-actions to quickly address a variety of use-cases that before necessitated wading into individual Check screens. For example, do you have a test-device which is intentionally misconfigured which you wish to ignore failures for? Now you can filter down to only that device, and ignore all of its open failures with just a few clicks!

We are excited to see the use-cases you come up with to make your Kolide experience more efficient, informed and most importantly, actionable.

This new view allows you for the first time, to see the entire posture (past and present) for a given device or device-owner. In a single screen, you can see all the Checks that are failing, have failed or are currently being ignored!

Likewise, you can use all of your favorite mass-actions to quickly address a variety of use-cases that before necessitated wading into individual Check screens. For example, do you have a test-device which is intentionally misconfigured which you wish to ignore failures for? Now you can filter down to only that device, and ignore all of its open failures with just a few clicks!

We are excited to see the use-cases you come up with to make your Kolide experience more efficient, informed and most importantly, actionable.

Improved Failure Recheck Tracking

One sore spot a few customers raised to us is that when you re-check a failure, we immediately consider it "re-checked", even before we got the answer from the device! Now when re-checking, Kolide only updates the timestamp when we actually hear from the device.


This is just the start of many other features we plan to release for Checks this year. Stay tuned!

Lost Mode Now Available on Linux Devices

Early in January, we introduced Lost Mode for Mac, a beta feature in which the security team and end-users can work together to locate a device that was either misplaced or stolen. We are now excited to announce this same functionality is now available on Linux devices!


Just like Lost Mode for Mac, this new feature survey's nearby WiFI Access Points to help determine the Linux device's precise geolocation. Also just like Lost Mode for Mac, we consider this an extremely sensitive operation which requires informed end-user consent each time it is used.

You can learn more about Lost Mode by reading our help article!

As always, please don't hesitate to reach out to us with feedback or questions! 

Wondering about Windows support? Well, a little birdie told me that we might have something to say about that before the end of March. Stay tuned!

New Feature - Control Device Data Collection

Kolide's Inventory feature is designed to collect, enrich, and visualize important data from enrolled devices. We built it to preemptively answer many essential questions administrators have about their devices that Osquery is well suited to answer.

Before adding new device properties to Inventory, we discuss their utility and privacy implications internally and proceed accordingly. Unfortunately, if our customers felt differently about these decisions in the past, they had little recourse to customize further what data was collected. 

After writing the "collecting data honestly" section in honest.security, we knew we had to do better. To that end, we are proud to announce new features that enable Kolide administrators to more finely control what data is collected and displayed within Inventory and the features that rely on it.

For instance, let's say you don't really want Kolide to enumerate the Chrome Extensions your users install. You can now browse to the Chrome Extensions section in Inventory and select Disable Device Property.

Since Inventory is the source of truth for many features in Kolide, like widgets and checks, a modal will appear, which will advise you on precisely which features of Kolide might be impacted, allowing you to make a value-driven decision around the collection of any particular category of data.

Besides providing opt-out capabilities, this feature will also allow Kolide to ship new Inventory device properties that require explicit opt-in from an administrator. Starting today, we support ARP Cache as our first opt-in Inventory property.

Privacy Center

As part of our efforts to increase transparency to end-users, we have overhauled the UI of the Privacy Center and included a list of the data collected from devices.


Wrapping Up

We are excited for our privacy-minded customers to take advantage of this feature and truly customize the data collection to a level they and their end-users feel comfortable with.

If you are interested in using it, we encourage you to read our Help Center guide before diving in, as it contains more information than we could possibly fit in this announcement post.

New Check - Silver Sparrow

On February 18th, Red Canary working with MalwareBytes broke the news that they had discovered a latent malware infection is as many as 30,000 Macs. They posted a detailed analysis online and dubbed this new threat Silver Sparrow.

What makes Silver Sparrow so interesting is that while the malware had the capability to do real damage, its final payload was never executed by its authors and operators. It is also one of the first variants of Mac malware in the wild that was compiled to run natively on Macs with Apple Silicon.

This Malware is already well-detected by commodity anti-virus solutions, and Apple has done its part to help stop the spread by revoking the development certificate used to sign the malicious installer.

While Kolide isn't intended to be used as a comprehensive malware detection platform, we often as a courtesy hunt for prolific threats on behalf of our customers. Based on the information we have today, it appears no Kolide customers have been infected by this malware.

Even so, out of an abundance of caution, Kolide has developed a simple Check to look for this malware and deployed it to each of our customers. 

Please let us know if you have any follow-up questions or concerns about Silver Sparrow, malware, or the Checks feature of Kolide. 

Untrusted Extension - The Great Suspender

Making the rounds recently on Twitter was a tweet concerning a popular Chrome Extension, The Great Suspender.

The thread outlines an all too common situation. The author of a once beloved Chrome Extension sells their ownership interest to a third party, who then updates the extension to include spyware. In the case of The Great Suspender, this potentially includes transmitting the end-user's browsing history, and even modifies the web pages you visit directly in the browser.

Luckily, the user community caught these changes in The Great Suspender and pressured the new owner to back these updates out. With that said, it may be only a matter of time before those same malicious capabilities might be deployed once again.

To that end, Kolide is shipping a new Evil Chrome Extension Check for this extension, preloaded with an end-user notification you can deploy to help your employees understand the situation, and uninstall the extension if it is present.

If you would like to know more about this specific extension, feel free to check out the best comprehensive article we've found on the subject on LifeHacker.

Introducing Device Lost Mode (*Beta)

We are excited to announce the immediate availability of Device Lost Mode.

Like its name implies, Lost Mode is useful if you or the device's end-user cannot locate their device. Once Lost Mode is enabled on a compatible device, (macOS only during the beta), Kolide will survey the local Wifi Access Points and triangulate the device's precise geolocation.

Like many upcoming Kolide features, both Kolide administrators and end-users can benefit from this feature. With that in mind, if a device in Lost Mode is assigned to a person with a Slack identity, then they will be able to access some Lost Mode features directly from the Kolide Slack App's Home Tab.

Honest Security

You might be wondering how a company that practices Honest Security ensures a feature like Lost Mode–which can result in transferring extremely sensitive data (precise location)–adheres to those values? Among our existing practices of end-user transparency and administrator accessible audit-logging, we are excited to announce Lost Mode is the first feature that employs our new informed consent workflow.

Informed Consent

Informed Consent means that when a device has an assigned owner, a feature like Lost Mode can only be enabled when the end user explicitly authorizes the action via Slack. It also means that the consent can be revoked at any time. 

We plan on utilizing this consent workflow for all sorts of sensitive device actions going forward, including our upcoming MDM features.

If you'd like to learn more about Lost Mode, including how to disable it for specific Kolide administrators (or completely) please view our comprehensive help article.

We Have Updated Our FileVault Mac Check

Until today, Kolide has leveraged Osquery's disk_encryption table to report the Full Disk Encryption status of macOS in our check labeled "FileVault2 Primary Disk Encryption". 

However, we have discovered that Osquery considers the built-in SSD on M1 Macs and Macs with the T2 Secure Enclave to be "encrypted", even though their files can be trivially accessed by anyone with physical possession of the device without the user's password. Enabling FileVault is the only sure way to protect the data on your Mac.

Since our FileVault check was created to help our customer's ensure the data on their Macs are safe in the event the device is stolen, lost, or otherwise in the possession of an bad-actor, we have taken the following corrective actions:

  1. We have released a new version of our Kolide agent (0.11.17) which contains an accurate attestation about the status of FileVault
  2. We have updated our Check to utilize the new features of our agent.
  3. Since the latest release of Osquery is unable to obtain the status of FileVault, we have contributed our own patch for the benefit of the community.
  4. We have written an informative blog post about this situation to better educate Mac Admins who might be unfamiliar with the differences between Full Disk Encryption and FileVault on modern Macs.

We feel that these actions will better help not only Kolide customers, but anyone else who relies on Osquery for similar information.

As always, please let us know if you any follow-up questions or concerns.

Native Mac M1 Kolide Agent Now Available!

Happy Holidays, Kolide Members!

It has been a little over 5 weeks since Apple announced the M1 based Macs, and while we already have had a number of these devices enroll in Kolide using our intel-based agent, we are pleased to report that we are now distributing our agent so it runs natively on M1 based Macs. 

Going forward, all Kolide agents on version 0.11.15 or greater will be built as a universal binary, which will ensure that no matter which Mac you have, the binary will execute a native instruction set. This new native build should resolve the occasional instability we've seen running on the Intel-based agent under Rosetta 2. 

While this is an important milestone, you will still need Rosetta 2 on M1 Macs to run the osquery portion of our agent. We look forward to a future where this won't be necessary, and will keep you apprised of any relevant announcements from the osquery team. With that said, in our testing, osquery continues to run great on M1 Macs with Rosetta 2 emulation.

How to Upgrade

If you already have the agent installed on the M1 based Mac, you likely don't need to do anything! If it hasn't already, the new version of the agent (0.11.15) will automatically install through the auto-update process. 

However, if your M1 Mac hasn't checked into Kolide for a while, or you see you haven't received the update yet, we encourage you to re-install the agent. You can request a new agent installation package via the following mechanisms:

1. If you have the Slack app enrolled, simply message the app the command enroll and you will receive an up-to-date package for your selected environment.

2. If you are a Kolide admin, you can access the installation packages by browsing to the Downloads section of the app.

Mac M1 Data Quality Improvements

After the M1 Macs were released, we noticed a few discrepancies in the reporting data about the status of the Find My Mac feature and battery health. Kolide has resolved these issues in our agent and back-end.

Please let us know if you have any questions or concerns about M1 Macs! From all of us at Kolide, we hope you all have a safe and happy holiday season!

Show Previous EntriesShow Previous Entries