New Inventory: Microsoft Office Add-Ins

As part of our mission to provide world-class ground truth about devices enrolled in Kolide, I am excited to announce the latest addition to Inventory, Microsoft Office Add-Ins.

Why List Microsoft Office Add-ins?

For the unfamiliar, Microsoft Office Add-ins are extensions that end-users can install with most Microsoft Office products like Word, Excel, and Outlook. These extensions can support new media types, extend the user interface, or even integrate with third-party services (ex: Zoom or Wikipedia).

Like web browsing, the documents employees interact with within Microsoft Office are often incredibly sensitive and contain confidential information essential to the business or customers. Add-ins (depending on their permissions) have unprecedented access to documents and emails, allowing them to read or even alter their contents. While Microsoft does a reasonable job of vetting obvious malicious add-ins, there are sometimes cases where an add-in provides a service by transmitting parts or potentially all content in a document to the third-party serve (ex: Grammarly). These freemium services may be undesirable or potentially even violate the company's existing data sharing and privacy agreements like the GDPR.

To that end, we wanted to provide a way to easily enumerate these add-ins, their capabilities, and other relevant info, right in Inventory, for both Mac and Windows devices.

Feature Overview

Every Office Add-in has a manifest file that gives us unique insight into the add-in capabilities, permissions, and type on both Mac and Windows devices. To view this information across the fleet, browse directly to the Microsoft Add-in section in Inventory.

There are many types of add-ins and specific capabilities associated with each. We encourage you to refer to the official Microsoft Office developer documentation to learn more about interpreting this data in Inventory.

In addition, Microsoft Office Add-ins join many other "installable" Inventory items in our global search. Here is an example of finding an add-in called "Wikipedia." You can also search for Add-ins by their unique identifiers.


Microsoft Add-in Store Enhancement

Beyond collecting data from each endpoint, Kolide will also attempt to source data about the add-in from Microsoft's Add-in Store called Microsoft App Source. From there, we can pull essential data like the latest published version, the last release date, and the average rating.

Privacy Center & Data Collection

Like all of our device properties, we have documented the purpose, privacy information, and a representative example data set, which a Mac or Windows device will return in the Privacy Center.


We collect Microsoft Add-ins by default. If you don't want to collect this data from your devices, you can also use our new data collection opt-out feature.


New Inventory: Safari Extensions

Up until today, Kolide has not attempted to collect Safari Extensions. Osquery's built-in support has been broken since Safari 11, and with the extension API story still shaking out on the Apple side, it wasn't clear if our efforts would be made obsolete in a future Safari version.

But with the recent release of Safari 15, things have moved in a positive direction. Apple has dramatically improved the reliability of, and consequently the developer experience around, web extensions. We expect that more and more app developers will begin porting their Firefox Addons and Chrome Extensions to Safari with these changes. In turn, end-users will install them as they become available.

Unfortunately, with a more diverse library of extensions comes a greater opportunity for bad actors to abuse it to potentially publish extensions of dubious value in exchange for an over-reach into the end-user's privacy. The first step of preparing for this eventuality is to gain greater visibility into the extensions installed across your fleet.

To help our customers do just that, we are excited to announce the inclusion of Safari Extensions in Inventory.

Starting today, Kolide can collect extension data from Safari 14 and Safari 15, including extensions built with the still relatively new web extension SDK (even including permission entitlements).

In addition, Safari extensions join many other "installable" Inventory items in our global search. Here is an example of finding an APP extension that comes with NetNewsWireApp.

Apple App Store Enhancement

Beyond collecting data from each Mac endpoint, Kolide will also attempt to send the bundle_identifier of the extension to Apple's App Store API to determine the latest version and when that version was published, among other data.

Privacy Center & Data Collection

Like all of our device properties, we have documented the purpose, privacy information, and a representative example data set, which a Mac will return in the Privacy Center.

We collect Safari Extensions by default. If you don't want to collect this data from your Mac fleet, you can also take advantage of our new data collection opt-out feature.


Introducing Live Refresh

At Kolide, we do our best to strike a healthy balance between the performance impact of our agent and the usefulness of the data we collect in the UI. In practice, this means we optimize every query to minimize impact and run expensive queries as infrequently as necessary. 

Sometimes though, when actively viewing a device, you may want the most recent information possible. To assist with this use case, we are rolling out a new feature called Live Refresh. Here it is in action!

Data Last Retrieved Timestamps

Being able to refresh data live starts with understanding when the data you are currently looking at was collected. To help with this, we have updated all of our widgets and device property tables to show the last time the information was retrieved from a device.

In some cases, like the Security Features widget shown above, many queries contribute to this display; when this happens, Kolide shows the retrieved date of the oldest data in the widget.

Kicking Off a Live Refresh

Kicking off a Live Refresh is as easy as clicking the Refresh Data button on any applicable device widget or device property screen. The necessary queries needed to populate the widget's display will be immediately issued to the device. If the device is online, the refresh should return in 10 to 15 seconds. You can also kick off refreshes for offline devices. Then, when they come online, they will refresh their data ASAP.

Once a refresh is done, the widget or table will change colors, letting you know the new data is ready to be reloaded. Simply click the "reload data" button, and the new data will load right into the UI.

While the feature is extremely straightforward, building it was no small task. In fact, a lot of it relied on the work we did to ship our data device collection control capabilities earlier this year. I want to thank the entire engineering team at Kolide for their hard work in making this feature happen. I want to also thank our customers for all of their input, leading to this feature being fully realized. We look forward to your feedback!

New Inventory: Mac Startup Configuration

Have you ever wondered if a Mac had an EFI firmware password set or if Secure Boot has been turned off? Well, instead of wondering, you can now instantly look up the state of these options and other boot settings in our newly released device property in Inventory called Mac Startup Configuration.

The settings reported in the device property can help administrators better understand the security posture of a Mac. For example, a Mac with Secure Boot off may be at greater risk of being infected by malware that changes the master boot record (MBR). Additionally, the presence of a firmware password could prevent an administrator from reprovisioning a device to a new employee if they forget to turn it off before shipping the Mac back to HQ.

New Inventory Widget

To help you interpret these startup options, we have created a new widget that summarizes them with icons and easy-to-read statuses.

Privacy Center & Data Collection

Like all of our device properties, we have documented the purpose,  privacy information, and the example data set a Mac will return in the Privacy Center.

If you don't want to collect this data from your Mac fleet, you can also take advantage of our new data collection opt-out feature.

A Note About Older Macs or Macs with Apple Silicon

Macs running Apple Silicon instead of an Intel processor do not support several of these startup options. These options include Firmware options and the ability to boot Windows. For these devices and older Intel Macs without a T2 series chip, you'll see the value "Not Applicable" for any relevant settings.

As always, please let us know if you have any questions, suggestions, or improvements we can make. We hope you get value out of the additional visibility.

New Feature - Add Your Own Device Notes

While Kolide can collect and visualize a lot of useful information from the devices themselves, sometimes, the most useful pieces of data about a device can come from the people who oversee them.

To that end, we've added a new way for Kolide team members with access to the admin UI to write unstructured notes. When you visit the device overview page, you will now see a new widget called Device Notes.

In this widget, simply write any notes about the device you wish to record, and then click save note.  As you can see, the notes support basic Markdown formatting, including links and headers.

If you or another team member make a mistake or want to review the history of notes on a particular device, you can click Revision History and easily restore any previous version of the notes.

In addition to being accessible in the UI, both the raw markdown and the rendered HTML versions of notes are now included in the Device API response.

Finally, we've also updated the overview page for Private Devices to include a limited set of informational widgets, including this new notes widget.


This is just one of many features we plan to roll out this year to help our customers better identify and record useful information about their devices. Until then, please let us know if you have any feedback or improvements, you would like to see.

Osquery 4.7.0 Inventory Improvements

Recently, the Kolide change-log has been bursting at the seams with improvements and new features, and while it's been fun bringing good news and cheer to you all on a near-daily basis, enough is enough. 

Instead of dragging this out over the next three days, we decided to create one big post with all of the Inventory improvements we've recently shipped to close out the week. Let's get started!

New Inventory Item - macOS System Extensions

Apple introduced their safer alternative to Kernel Extensions called System Extensions with the release of macOS Catalina in 2019. Now with Big Sur, Kernel Extensions are no more. Thanks to some incredible work by Kumarak of Trail of Bits, Osquery 4.7.0 now supports enumerating these extensions.

We are excited to announce that we've added these System Extensions to the default set of macOS Inventory


Improved Inventory - Windows User Metadata

On macOS, Kolide is not only able to enumerate the users of a particular device, but it can also enumerate additional metadata, like the number of times the user logged in or the last time the password was set.

Starting this week, Windows joins the party! Using WMI, Kolide can now collect additional metadata information about the device's user accounts, including:

  • last_logged_in_at - When the user last logged in.
  • logins_count - The total number of times the device user logged into the system.
  • failed_logins_count - The total number of times someone attempted to access a user account with incorrect credentials.
  • password_last_set_at - The precise time the user's password was changed or initially set.
  • password_expires_at - The precise time the user's password expires (when applicable).
  • windows_user_type - The type of Windows User (Ex: "Normal Account", "Domain Trust Account", etc.)

This information can be extremely helpful for our customers who really want to understand who the device's primary user is (based on login count). Additionally, knowing when a user last changed their password can be invaluable if you want to ensure that the user's password meets the complexity requirements in the most recent set policy.

You can check out these new columns in the Device Users Inventory section.


Improved Inventory - Google Chrome Extensions

The term Google Chrome Extension has become a bit of a catch-all with the recent arrival of many different browsers based on the Chromium open-source project. It's common-place now to find end-users installing Chromium extensions in Brave, Edge, or even Opera.

To that end, Kolide leverages all the great work done in Alessandro Gario of Trail of Bits in Osquery 4.7.0 to help you sort out which extensions belong to which browser, the enabled state of the extension, among other important details.

Check out the Google Chrome Inventory to peruse this new information.


Improved Inventory & Widget - macOS FileVault Status

I recently contributed an improvement to the disk_encryption table in Osquery that more clearly defines the difference between a encrypted disk and one that FileVault actually protects. At the same time, we also updated our built-in FileVault Check.

Now that these improvements are shipped in Osquery itself, we have updated our Disk Space widget and added the new column in Inventory. 

You can see the new filevault_status and related fields in the Storage Devices Inventory section

As always, please do not hesitate to reach out with questions or feedback!

Lost Mode Now Available on Windows Devices

Earlier this year, we introduced Lost Mode for Mac and Lost Mode for Linux, features that enable the IT team and end-users to work together to locate a misplaced or stolen device. 

Today, we are excited to announce we've completed our Lost Mode cross-platform support with the release of Lost Mode for Windows!

Like Lost Mode for Mac and Linux, this new feature surveys nearby Wi-Fi Access Points to help determine the Windows device's precise geolocation. We consider this a highly-sensitive feature that requires informed end-user consent each time it is used across all platforms.

You can learn more about Lost Mode by reading our help article!

As always, please don't hesitate to reach out to us with feedback or questions!

Lost Mode Now Available on Linux Devices

Early in January, we introduced Lost Mode for Mac, a beta feature in which the security team and end-users can work together to locate a device that was either misplaced or stolen. We are now excited to announce this same functionality is now available on Linux devices!


Just like Lost Mode for Mac, this new feature survey's nearby WiFI Access Points to help determine the Linux device's precise geolocation. Also just like Lost Mode for Mac, we consider this an extremely sensitive operation which requires informed end-user consent each time it is used.

You can learn more about Lost Mode by reading our help article!

As always, please don't hesitate to reach out to us with feedback or questions! 

Wondering about Windows support? Well, a little birdie told me that we might have something to say about that before the end of March. Stay tuned!

New Feature - Control Device Data Collection

Kolide's Inventory feature is designed to collect, enrich, and visualize important data from enrolled devices. We built it to preemptively answer many essential questions administrators have about their devices that Osquery is well suited to answer.

Before adding new device properties to Inventory, we discuss their utility and privacy implications internally and proceed accordingly. Unfortunately, if our customers felt differently about these decisions in the past, they had little recourse to customize further what data was collected. 

After writing the "collecting data honestly" section in honest.security, we knew we had to do better. To that end, we are proud to announce new features that enable Kolide administrators to more finely control what data is collected and displayed within Inventory and the features that rely on it.

For instance, let's say you don't really want Kolide to enumerate the Chrome Extensions your users install. You can now browse to the Chrome Extensions section in Inventory and select Disable Device Property.

Since Inventory is the source of truth for many features in Kolide, like widgets and checks, a modal will appear, which will advise you on precisely which features of Kolide might be impacted, allowing you to make a value-driven decision around the collection of any particular category of data.

Besides providing opt-out capabilities, this feature will also allow Kolide to ship new Inventory device properties that require explicit opt-in from an administrator. Starting today, we support ARP Cache as our first opt-in Inventory property.

Privacy Center

As part of our efforts to increase transparency to end-users, we have overhauled the UI of the Privacy Center and included a list of the data collected from devices.


Wrapping Up

We are excited for our privacy-minded customers to take advantage of this feature and truly customize the data collection to a level they and their end-users feel comfortable with.

If you are interested in using it, we encourage you to read our Help Center guide before diving in, as it contains more information than we could possibly fit in this announcement post.

New Check/Inventory: macOS Screenlock

At long last, we are excited to announce the most requested Check at Kolide–macOS Screenlock.

You can find this new check and configure notifications for it at https://k2.kolide.com/x/checks/75237/failures/open.

This check is comprehensive in that it not only checks if screenlock settings are configured correctly, it also ensures that the system will go to sleep or activate the screensaver after an appropriate amount of idle time.

To pass this Check on macOS, the following must be true:

  1. The require password after sleep or screensaver begins setting must be checked under the Security and Privacy pane in System Preferences
  2. The grace period dropdown next for this setting must be set to 5 minutes or less.
  3. Your system must either be configured to sleep or activate the screensaver after 10 minutes of idle time, regardless if it is running on battery or directly connected to an electrical outlet. 

These passing states were carefully chosen after reviewing the Center for Internet Security macOS guidelines and interviewing many of our customers about what values they thought struck a good balance between security and device usability.

New Inventory - Screenlock Configs

In addition, we have also exposed data about macOS screenlock configurations in Inventory. You can find this Inventory item at https://k2.kolide.com/x/inventory/mac_screenlock_configs.

In this Inventory Item we expose the following columns:

  • Screenlock Enabled - true if the require password after sleep or screensaver begins setting is checked under the Security and Privacy pane in System Preferences.
  • Screenlock Grace Period - The amount of time in seconds (or "Immediately") the computer can be asleep or the screensaver activated before a password is required to unlock the computer.
  • Minimum Effective Idle - The amount of time in seconds the computer must be idle before it either sleeps or activates the screensaver.
  • Display Sleep Idle A/C - The amount of time in seconds (or "Never") the computer must be idle while connected to power before the screen turns off.
  • Display Sleep Idle Battery - The amount of time in seconds (or "Never") the computer must be idle while running on battery power before the screen turns off. 
  • Screensaver Idle - The amount of time in seconds (or "Never") the computer must be idle before activating the screensaver based on the end-user's desired preferences
  • Screensaver Idle Last Modified At - The exact time the user (or NULL) modified the screensaver idle time settings in the UI.
  • Screensaver Idle Managed - The amount of time in seconds (or NULL) the computer must be idle before activating the screensaver based on a managed preference set by an administrator.

The long journey getting this data.

If you are curious why this Check was challenging to create or are interested in how we reverse-engineered macOS to accurately gather this information (and how we open-sourced it as a new virtual table in osquery), I suggest reading our write-up on our blog at https://blog.kolide.com/checking-macos-screenlock-remotely-62ab056274f0.

As always, let us know if you have any questions, concerns or feedback about this Check!

Show Previous EntriesShow Previous Entries