Big Changes to Our macOS Agent
We recently made a few critical updates to our agent for macOS. We’ll get into the details shortly, but the quick version is: if you are currently leveraging an MDM to deliver Kolide to your users, we recommend updating your policy with the information below.
What Does the Kolide Agent Do?
Essentially, the agent is responsible for collecting all of the data about the individual devices in your fleet and communicating that data to Kolide. You can think of it as the piece of our service responsible for establishing the ground truth.
What Changed for macOS
Three related changes happened in tandem:
- We started shipping an app bundle.
- We changed the Apple account that signs the binary and package.
  The new account is:
- The way to grant Kolide Full Disk Access has changed.
Transitioning to an app bundle instead of the previously provided plain binary gives us the foundation for new features later this year. (Hint hint: keep in touch!) This was also a practical change as it keeps Kolide in line with platform expectations.
Full Disk Access
Full Disk Access is an important setting to enable because it allows Kolide to do the following tasks:
- List other apps that have disk access but may not need it.
- Inspect system files that give us a better understanding of the device’s security.
- Look for evidence of plain text credentials in your downloads, documents, and desktop folders.
- Read the file name of our installation package to assist with user-to-device association.
Full Disk Access for MDM Packages
While you should consult your MDM provider’s documentation on how to correctly add the SystemPolicyAllFiles permissions for an app, you will need the following information to update the short profile:
Identifier Type -
'identifier "com.kolide.agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = X98UFR7HA3'
Feel free to use the example profile here:
    <key>Services</key>
    <dict>
        <key>SystemPolicyAllFiles</key>
        <array>
            <dict>
                <key>Allowed</key>
                <true />
                <key>CodeRequirement</key>
                <string>identifier "com.kolide.agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = X98UFR7HA3</string>
                <key>Comment</key>
                <string>Allow kolide access to device and user level files</string>
                <key>Identifier</key>
                <string>com.kolide.agent</string>
                <key>IdentifierType</key>
                <string>bundleID</string>
            </dict>
        </array>
    </dict>
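To check an exported, unsigned profile against the values above before pushing it to your fleet, here is an added Python example (not Kolide's code). The "kolide" substring match used to find the agent's entry, the abbreviated code requirement, and both sample profiles are constructed assumptions.

```python
import plistlib
import re

# Expected values, copied from the profile fragment on this page.
BUNDLE_ID = "com.kolide.agent"
TEAM_OU = "X98UFR7HA3"
TCC_PAYLOAD = "com.apple.TCC.configuration-profile-policy"

def audit_full_disk_access(profile_bytes):
    """Return problems with the agent's SystemPolicyAllFiles grant ([] = OK)."""
    profile = plistlib.loads(profile_bytes)
    entries = [
        entry
        for payload in profile.get("PayloadContent", [])
        if payload.get("PayloadType") == TCC_PAYLOAD
        for entry in payload.get("Services", {}).get("SystemPolicyAllFiles", [])
        # Assumption: any entry mentioning "kolide" is meant for the agent.
        if "kolide" in (entry.get("Identifier", "")
                        + entry.get("CodeRequirement", "")).lower()
    ]
    if not entries:
        return ["no SystemPolicyAllFiles entry for the agent"]
    problems = []
    for entry in entries:
        req = entry.get("CodeRequirement", "")
        if entry.get("IdentifierType") != "bundleID" or entry.get("Identifier") != BUNDLE_ID:
            problems.append("entry is not keyed on bundleID " + BUNDLE_ID)
        if f'identifier "{BUNDLE_ID}"' not in req:
            problems.append("CodeRequirement does not pin the bundle identifier")
        if not re.search(r'certificate leaf\[subject\.OU\] = "?%s"?(\s|$)' % TEAM_OU, req):
            problems.append("CodeRequirement does not pin signing team " + TEAM_OU)
        if entry.get("Allowed") is not True and entry.get("Authorization") != "Allow":
            problems.append("entry does not allow access")
    return problems

def sample_profile(identifier, id_type, requirement):
    """Build a constructed, minimal profile for the demonstration."""
    entry = {"Identifier": identifier, "IdentifierType": id_type,
             "CodeRequirement": requirement, "Allowed": True}
    payload = {"PayloadType": TCC_PAYLOAD, "Services": {"SystemPolicyAllFiles": [entry]}}
    return plistlib.dumps({"PayloadContent": [payload]})

# Constructed, abbreviated requirement (certificate field checks omitted).
REQ = (f'identifier "{BUNDLE_ID}" and anchor apple generic and '
       f"certificate leaf[subject.OU] = {TEAM_OU}")
CURRENT = sample_profile(BUNDLE_ID, "bundleID", REQ)
# Constructed stale entry: placeholder path and placeholder team ID.
STALE = sample_profile("/placeholder/kolide-binary", "path",
                       'identifier "placeholder" and certificate leaf[subject.OU] = PLACEHOLDER')

if __name__ == "__main__":
    print(audit_full_disk_access(CURRENT), audit_full_disk_access(STALE))
```

A profile that has been signed by the MDM is CMS-wrapped and must be unwrapped before `plistlib` can parse it.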
If you need assistance with these changes, please reach out to Support. Otherwise, we look forward to sharing more about the new features coming soon to Kolide in the next couple of months!