New Feature - Add Your Own Device Notes

While Kolide can collect and visualize a lot of useful information from the devices themselves, sometimes, the most useful pieces of data about a device can come from the people who oversee them.

To that end, we've added a new way for Kolide team members with access to the admin UI to write unstructured notes. When you visit the device overview page, you will now see a new widget called Device Notes.

In this widget, simply write any notes about the device you wish to record, and then click save note.  As you can see, the notes support basic Markdown formatting, including links and headers.

If you or another team member make a mistake or want to review the history of notes on a particular device, you can click Revision History and easily restore any previous version of the notes.

In addition to being accessible in the UI, both the raw markdown and the rendered HTML versions of notes are now included in the Device API response.

Finally, we've also updated the overview page for Private Devices to include a limited set of informational widgets, including this new notes widget.

This is just one of many features we plan to roll out this year to help our customers better identify and record useful information about their devices. Until then, please let us know if you have any feedback or improvements, you would like to see.

Osquery 4.7.0 Inventory Improvements

Recently, the Kolide change-log has been bursting at the seams with improvements and new features, and while it's been fun bringing good news and cheer to you all on a near-daily basis, enough is enough. 

Instead of dragging this out over the next three days, we decided to create one big post with all of the Inventory improvements we've recently shipped to close out the week. Let's get started!

New Inventory Item - macOS System Extensions

Apple introduced their safer alternative to Kernel Extensions called System Extensions with the release of macOS Catalina in 2019. Now with Big Sur, Kernel Extensions are no more. Thanks to some incredible work by Kumarak of Trail of Bits, Osquery 4.7.0 now supports enumerating these extensions.

We are excited to announce that we've added these System Extensions to the default set of macOS Inventory

Improved Inventory - Windows User Metadata

On macOS, Kolide is not only able to enumerate the users of a particular device, but it can also enumerate additional metadata, like the number of times the user logged in or the last time the password was set.

Starting this week, Windows joins the party! Using WMI, Kolide can now collect additional metadata information about the device's user accounts, including:

  • last_logged_in_at - When the user last logged in.
  • logins_count - The total number of times the device user logged into the system.
  • failed_logins_count - The total number of times someone attempted to access a user account with incorrect credentials.
  • password_last_set_at - The precise time the user's password was changed or initially set.
  • password_expires_at - The precise time the user's password expires (when applicable).
  • windows_user_type - The type of Windows User (Ex: "Normal Account", "Domain Trust Account", etc.)

This information can be extremely helpful for our customers who really want to understand who the device's primary user is (based on login count). Additionally, knowing when a user last changed their password can be invaluable if you want to ensure that the user's password meets the complexity requirements in the most recent set policy.

You can check out these new columns in the Device Users Inventory section.

Improved Inventory - Google Chrome Extensions

The term Google Chrome Extension has become a bit of a catch-all with the recent arrival of many different browsers based on the Chromium open-source project. It's common-place now to find end-users installing Chromium extensions in Brave, Edge, or even Opera.

To that end, Kolide leverages all the great work done in Alessandro Gario of Trail of Bits in Osquery 4.7.0 to help you sort out which extensions belong to which browser, the enabled state of the extension, among other important details.

Check out the Google Chrome Inventory to peruse this new information.

Improved Inventory & Widget - macOS FileVault Status

I recently contributed an improvement to the disk_encryption table in Osquery that more clearly defines the difference between a encrypted disk and one that FileVault actually protects. At the same time, we also updated our built-in FileVault Check.

Now that these improvements are shipped in Osquery itself, we have updated our Disk Space widget and added the new column in Inventory. 

You can see the new filevault_status and related fields in the Storage Devices Inventory section

As always, please do not hesitate to reach out with questions or feedback!

Lost Mode Now Available on Windows Devices

Earlier this year, we introduced Lost Mode for Mac and Lost Mode for Linux, features that enable the IT team and end-users to work together to locate a misplaced or stolen device. 

Today, we are excited to announce we've completed our Lost Mode cross-platform support with the release of Lost Mode for Windows!

Like Lost Mode for Mac and Linux, this new feature surveys nearby Wi-Fi Access Points to help determine the Windows device's precise geolocation. We consider this a highly-sensitive feature that requires informed end-user consent each time it is used across all platforms.

You can learn more about Lost Mode by reading our help article!

As always, please don't hesitate to reach out to us with feedback or questions!

Lost Mode Now Available on Linux Devices

Early in January, we introduced Lost Mode for Mac, a beta feature in which the security team and end-users can work together to locate a device that was either misplaced or stolen. We are now excited to announce this same functionality is now available on Linux devices!

Just like Lost Mode for Mac, this new feature survey's nearby WiFI Access Points to help determine the Linux device's precise geolocation. Also just like Lost Mode for Mac, we consider this an extremely sensitive operation which requires informed end-user consent each time it is used.

You can learn more about Lost Mode by reading our help article!

As always, please don't hesitate to reach out to us with feedback or questions! 

Wondering about Windows support? Well, a little birdie told me that we might have something to say about that before the end of March. Stay tuned!

New Feature - Control Device Data Collection

Kolide's Inventory feature is designed to collect, enrich, and visualize important data from enrolled devices. We built it to preemptively answer many essential questions administrators have about their devices that Osquery is well suited to answer.

Before adding new device properties to Inventory, we discuss their utility and privacy implications internally and proceed accordingly. Unfortunately, if our customers felt differently about these decisions in the past, they had little recourse to customize further what data was collected. 

After writing the "collecting data honestly" section in, we knew we had to do better. To that end, we are proud to announce new features that enable Kolide administrators to more finely control what data is collected and displayed within Inventory and the features that rely on it.

For instance, let's say you don't really want Kolide to enumerate the Chrome Extensions your users install. You can now browse to the Chrome Extensions section in Inventory and select Disable Device Property.

Since Inventory is the source of truth for many features in Kolide, like widgets and checks, a modal will appear, which will advise you on precisely which features of Kolide might be impacted, allowing you to make a value-driven decision around the collection of any particular category of data.

Besides providing opt-out capabilities, this feature will also allow Kolide to ship new Inventory device properties that require explicit opt-in from an administrator. Starting today, we support ARP Cache as our first opt-in Inventory property.

Privacy Center

As part of our efforts to increase transparency to end-users, we have overhauled the UI of the Privacy Center and included a list of the data collected from devices.

Wrapping Up

We are excited for our privacy-minded customers to take advantage of this feature and truly customize the data collection to a level they and their end-users feel comfortable with.

If you are interested in using it, we encourage you to read our Help Center guide before diving in, as it contains more information than we could possibly fit in this announcement post.

New Check/Inventory: macOS Screenlock

At long last, we are excited to announce the most requested Check at Kolide–macOS Screenlock.

You can find this new check and configure notifications for it at

This check is comprehensive in that it not only checks if screenlock settings are configured correctly, it also ensures that the system will go to sleep or activate the screensaver after an appropriate amount of idle time.

To pass this Check on macOS, the following must be true:

  1. The require password after sleep or screensaver begins setting must be checked under the Security and Privacy pane in System Preferences
  2. The grace period dropdown next for this setting must be set to 5 minutes or less.
  3. Your system must either be configured to sleep or activate the screensaver after 10 minutes of idle time, regardless if it is running on battery or directly connected to an electrical outlet. 

These passing states were carefully chosen after reviewing the Center for Internet Security macOS guidelines and interviewing many of our customers about what values they thought struck a good balance between security and device usability.

New Inventory - Screenlock Configs

In addition, we have also exposed data about macOS screenlock configurations in Inventory. You can find this Inventory item at

In this Inventory Item we expose the following columns:

  • Screenlock Enabled - true if the require password after sleep or screensaver begins setting is checked under the Security and Privacy pane in System Preferences.
  • Screenlock Grace Period - The amount of time in seconds (or "Immediately") the computer can be asleep or the screensaver activated before a password is required to unlock the computer.
  • Minimum Effective Idle - The amount of time in seconds the computer must be idle before it either sleeps or activates the screensaver.
  • Display Sleep Idle A/C - The amount of time in seconds (or "Never") the computer must be idle while connected to power before the screen turns off.
  • Display Sleep Idle Battery - The amount of time in seconds (or "Never") the computer must be idle while running on battery power before the screen turns off. 
  • Screensaver Idle - The amount of time in seconds (or "Never") the computer must be idle before activating the screensaver based on the end-user's desired preferences
  • Screensaver Idle Last Modified At - The exact time the user (or NULL) modified the screensaver idle time settings in the UI.
  • Screensaver Idle Managed - The amount of time in seconds (or NULL) the computer must be idle before activating the screensaver based on a managed preference set by an administrator.

The long journey getting this data.

If you are curious why this Check was challenging to create or are interested in how we reverse-engineered macOS to accurately gather this information (and how we open-sourced it as a new virtual table in osquery), I suggest reading our write-up on our blog at

As always, let us know if you have any questions, concerns or feedback about this Check!

Improvements to Device Deduplication & Deletion

Last week, Kolide rolled out several changes to our deduplication logic. This logic is how our platform decides if incoming device data belongs to existing device record, or, should constitute the enrollment of a new device.

Our original deduplication logic focused on making a best effort at combining devices into a single record whenever possible. We've since discovered that not only is this aggressive deduplication logic unnecessary, it can actually cause issues in a variety of common scenarios such as:

  • New hardware that was set up using Mac's Migration Assistant
  • Previously enrolled devices that have since been reformatted and provisioned to new employees
  • Unique Virtual Machines built from a snapshot from a previously enrolled VM

Kolide's new deduplication logic now handles all of the above scenarios correctly by generating a new device record in every instance. If you've noticed a few more devices than you are used to, it's likely because several devices were silently afflicted by one of the situations mentioned earlier.

In line with these changes, the tombstone created when a device is removed from Kolide, will now only prevent the re-enrollment of that specific agent installation. This change should eliminate confusion for new employees when re-enrolling re-imaged devices that were previously deleted in K2.

We believe these changes will dramatically improve your experience using Kolide and appreciate all the feedback and technical details you've shared with us that allowed us to improve this logic.

If you notice any irregularities or have questions about this change, please reach out via the Intercom widget or


This Week’s Quality of Life Improvements

We deploy improvements to Kolide daily, but not every individual update deserves its own entry in our change-log. This week however, we've shipped a number of small improvements that, when considered together, may be impactful to how you use Kolide. Here are four items that we think you will enjoy reading about.

Filter Checks By Untagged & Failing Percent

After shipping our new Check page filtering experience and Check tagging, we've received a lot of great feedback from many of you that it would be nice to be able to filter Checks that have no assigned tags, or filter Checks by their failing percentage.

As of Monday, these two filters are now available. Keep the suggestions coming!

Disable Optional Onboarding Messages

When you use Kolide's Onboarding feature, Kolide may send additional messages to an end-user if they enroll a device that is missing the appropriate permissions on macOS. Sometimes though, you may not want your users to receive this message if you plan on granting the permissions en-masse later via an MDM like Jamf

Now you can turn off this optional message (and any future optional messages we may decide to send) in the Onboarding Customization Screen

Track OUs and Suspended Accounts in G Suite

If you already integrate your G Suite account with Kolide, you know we keep track of those accounts in Inventory. When an account is deleted, instead of archiving it on our end, we mark it as missing. Sometimes though, G Suite accounts are not deleted, merely suspended. Kolide now can differentiate between an active account, a suspended account, and a missing account, which we display in the "Status" column in the table of G Suite identities.

If you wish, You can even configure the integration to stop importing suspended accounts.

In addition, if you use Organization Units (OUs) to organize users in G Suite, Kolide will now collect and display this information in Kolide's Inventory under G Suite Identities.

See the Original Name of Renamed Devices

Kolide allows you to change the display name of any device you have in Inventory. While this feature is helpful, it can still be helpful to see the Device's current hostname without having to dig for it.

Now when you view a Device with a customized name, we will display its current hostname parenthetically next to it.

 We also now show this information in the global search!

If you want to remove a custom name, simply click the "Actions" button on the Device's overview page, select "Edit Device Name", delete all of the text in the input field that appears, and press "Save". 

We hope these improvements make a difference and improve how you use Kolide. As always, we look forward to your feedback!

New: macOS iCloud Settings & Windows Security Center Widgets

We recently shipped three new widgets on the Device details page: two for Windows Devices, and one for macOS.

Widgets are our way of visualizing and summarizing information that we collect about devices via the Kolide agent. We created these widgets with the goal of giving Kolide administrators relevant, accurate, and glanceable information when viewing a specific Device's details. 

Below is a quick summary of three new widgets.

macOS - iCloud Settings

This widget shows you the iCloud information for the primary user of your device (if available). This information is not only helpful when determining whether an employee has a work-based or personal email associated with their device, you can also glance at what services are syncing content from their device to their iCloud account. This is especially useful if you do not want users accidentally syncing work-related files to their personal iCloud Drive.

Windows - Registered Security Products

Microsoft Windows has a handy API which allows Kolide to see the products that take on the role of the primary Firewall provider or Antivirus software. While Kolide has been collecting this information in Inventory for a while, we felt that we should be visualizing this information on the Device's detail view. Not only can you see the product names, but we can use this API to inform you if the signatures are properly updating.

Windows - Security Center

Unlike the other two widgets that visualize previously collected information, this widget contains new information from a recently added Osquery table we contributed to the project a few months ago. This table allows Kolide to enumerate the health of subsystems monitored by the Windows Security Center. We can now can summarize this information concisely in the widget below.

As always, we hope you find this information useful and easy to digest as you peruse your Windows and Mac devices enrolled in Kolide. If you have suggestions, or feedback about these widgets, or have specific requests about additional information you'd like to see make our short-list, please let us know.

Inventory and Live Query Performance Improvements

If you have thousands of devices enrolled in Kolide, you may have noticed some modest speed improvements when browsing Inventory and using Live Query last week.

These speed boosts are part of a major initiative we rolled out last week to speed up the application. These improvements include:

  • JS, CSS, and other assets are now served via a CDN
  • Live Query is much smoother when querying thousands of devices at the same time
  • The global search bar now renders results much faster
  • Sorting and Filtering on the Devices table based on owner name and primary username is faster

There are still many areas to improve, but the performance improvements we have implemented should make browsing Inventory a more pleasant experience for organizations with many thousands of devices.

Show Previous EntriesShow Previous Entries