Two New Checks for the ChatGPT macOS App

Fritz Ifert-Miller
May 15th, 2024

With the recent announcement of OpenAI’s ChatGPT desktop application for macOS, users gain access to LLM workflows outside of their browser. ChatGPT’s broad adoption by employees across industries, and around the world, has put employers, compliance, and security teams into high gear as they seek to balance the gains made in productivity with the potential risks of how these tools are being used.

One of the most common concerns among employers when it comes to the utilization of generative AI is the possibility of sensitive or secure company data being fed into the larger ChatGPT training model, which is then used by individuals external to the organization.

In August of 2023, OpenAI announced their Enterprise offering of ChatGPT, which introduced collaboration functionality as well as security and privacy guardrails. Specifically, with regard to model training, they called out the following:

“You own and control your business data in ChatGPT Enterprise. We do not train on your business data or conversations, and our models don’t learn from your usage.”

This enterprise functionality was enthusiastically welcomed by teams who could now implement generative AI into their workflows while mitigating the risk it posed to their company.

However, these guardrails are only effective as long as employees are logged into an enterprise workspace, and not their personal workspace. It’s crucial then to verify that the ChatGPT desktop app is configured properly to ensure data is not going somewhere it isn’t supposed to.

By default, the ChatGPT app opens with the sidebar closed. This hides not only your chat history, but also your logged-in workspace:

When we open the sidebar, we can see this account is actually logged into a personal workspace:

That’s why we’re excited to announce a new Check for the ChatGPT macOS app which ensures users are not using their personal ChatGPT workspace while logged into the app.

Verifying Active Account and Workspace ID

The ChatGPT app keeps preferences and settings stored on disk, including what user accounts are logged in, and which account/workspace is currently active. In order to validate users are working on the correct account, an administrator must provide their Workspace ID, which can be retrieved from the OpenAI ChatGPT admin portal.

Your team may have more than one workspace, which is why you can provide as many as necessary.

Kolide will then retrieve the local settings from the user’s ChatGPT desktop app, and verify that the active workspace matches one of the IDs you’ve provided. If the active ChatGPT workspace does not match one of your provided values, end-users will be prompted to switch workspaces as shown below:

  1. Ensure you are logged into the user account johnny-appleseed.
  2. Open Spotlight search via the following keyboard shortcut: ‘Command + Spacebar’.
  3. Type chatGPT.app to locate your ChatGPT application and press Enter to launch.
  4. With the ChatGPT app open and the window in focus, expand the sidebar by clicking the icon in the upper-left corner.
  5. On the bottom of the sidebar, click your name to reveal a list of alternative accounts.
  6. Select the account associated with your organization.
  7. Close the application.

If you do not see an alternative account to choose, please contact your IT team for support. In the meantime, you can log out of the application to pass the check.

What if the ChatGPT app isn’t installed, or isn’t logged in?

Only users with the desktop app installed will be considered in-scope for this Check, and those without the app installed will pass automatically. Likewise, users who have installed the app but have not yet logged in will be considered passing. Only users who are logged in with an active Workspace ID which does not match your supplied values will be reported as failing this Check.

What if I just don’t want my users putting ChatGPT on their laptop at all?

If you aren’t comfortable with your users installing the ChatGPT desktop application, we have a second Check which prohibits the installation of the macOS ChatGPT app entirely. When this Check is configured to block, a user who has ChatGPT installed will not be able to successfully authenticate until the app has been removed from their device.
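
The pass/fail rules for the workspace Check and the installation Check described above can be sketched as follows. This is an added example, not Kolide's code: the `ChatGPTState` fields, the use of `None` for a personal workspace, and the `ws-EXAMPLE-*` IDs are assumptions, since the page does not describe the app's on-disk settings format.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical snapshot of what an endpoint agent collected. Field names are
# assumptions for this example; the page does not describe the on-disk format.
@dataclass
class ChatGPTState:
    device: str
    app_installed: bool
    logged_in: bool = False
    active_workspace_id: Optional[str] = None  # None = personal workspace (assumed)

def workspace_check(state, allowed_ids):
    """Check 1: the active workspace must be one of the admin-supplied IDs."""
    allowed = {i.strip() for i in allowed_ids if i and i.strip()}
    if not state.app_installed:
        return ("pass", "app not installed, out of scope")
    if not state.logged_in:
        return ("pass", "app installed but not logged in")
    active = (state.active_workspace_id or "").strip()
    if active and active in allowed:
        return ("pass", "active workspace is approved")
    # Fails closed: a personal workspace or an empty allowlist never matches.
    return ("fail", "active workspace is not an approved Workspace ID")

def install_check(state):
    """Check 2: the app must not be present on the device at all."""
    if state.app_installed:
        return ("fail", "ChatGPT app is installed")
    return ("pass", "ChatGPT app is not installed")

def evaluate_fleet(states, allowed_ids):
    """Return {device: {check_name: (status, reason)}} for every snapshot."""
    return {s.device: {"workspace": workspace_check(s, allowed_ids),
                       "install": install_check(s)} for s in states}

# Constructed sample data; the IDs are placeholders, not real Workspace IDs.
ALLOWED = ["ws-EXAMPLE-corp", "ws-EXAMPLE-research"]
FLEET = [
    ChatGPTState("mac-01", app_installed=False),
    ChatGPTState("mac-02", app_installed=True),
    ChatGPTState("mac-03", True, True, "ws-EXAMPLE-corp"),
    ChatGPTState("mac-04", True, True, None),
    ChatGPTState("mac-05", True, True, "ws-EXAMPLE-other"),
]

if __name__ == "__main__":
    for device, results in evaluate_fleet(FLEET, ALLOWED).items():
        for check, (status, reason) in results.items():
            print(f"{device} {check:9} {status:4} {reason}")
```

Note that the two Checks disagree on `mac-02` and `mac-03`: both pass the workspace Check but fail the installation Check, which is why the second Check is the stricter policy.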

Reducing the risk of LLM usage with Kolide’s ChatGPT Check

In a recent survey of knowledge workers conducted by Kolide, 89% of respondents reported using AI for work-related purposes at least once per month. AI-based tools are becoming as ubiquitous as the calculator and their prevalence within the workspace shows no sign of slowing. The genie cannot be put back in the bottle, but we must be able to verify these tools are being used appropriately and safely.

Kolide’s ChatGPT Check helps employees use the workflows that make them most productive, without putting the company’s data at risk, by making sure that data is going only where it is intended and nowhere else.
