Up until today, Kolide has not attempted to collect Safari Extensions. Osquery’s built-in support has been broken since Safari 11, and with the extension API story still shaking out on the Apple side, it wasn’t clear if our efforts would be made obsolete in a future Safari version.
But with the recent release of Safari 15, things have moved in a positive direction. Apple has dramatically improved the reliability of, and consequently the developer experience around, web extensions. We expect that more and more app developers will begin porting their Firefox Addons and Chrome Extensions to Safari with these changes. In turn, end-users will install them as they become available.
Unfortunately, with a more diverse library of extensions comes a greater opportunity for bad actors to abuse it to potentially publish extensions of dubious value in exchange for an over-reach into the end-user’s privacy. The first step of preparing for this eventuality is to gain greater visibility into the extensions installed across your fleet.
To help our customers do just that, we are excited to announce the inclusion of Safari Extensions in Inventory.
Starting today, Kolide can collect extension data from Safari 14 and Safari 15, including extensions built with the still relatively new web extension SDK (even including permission entitlements).
In addition, Safari extensions join many other “installable” Inventory items in our global search. Here is an example of finding an APP extension that comes with NetNewsWireApp.
Beyond collecting data from each Mac endpoint, Kolide will also attempt to send
bundle_identifier of the extension to Apple’s App Store API to determine
the latest version and when that version was published, among other data.
We collect Safari Extensions by default. If you don’t want to collect this data from your Mac fleet, you can also take advantage of our new data collection opt-out feature.