Device Registration
Device registration is the process that, when completed, allows a device to be used for Kolide’s device trust authentication. Registration establishes a trustworthy link between the device, the Kolide service, and a person associated with your organization.
Goals / Objectives
The goal of device registration is for the Kolide service to establish a way for a customer’s device to prove its identity during future authentication attempts. To accomplish this, Kolide uses registration to bootstrap public-key-based authentication between the two parties.
In addition to the above, Kolide uses registration as an opportunity to establish a strong link between an end-user and a device, and inform them about what Kolide is and how it works.
How To Register Your First Computer
Computers (Mac, Windows, or Linux Devices) can be registered to Kolide by following these steps:
Click on the Kolide icon in your system’s menu bar and select Register Device.
Note: If the Kolide app is missing, you will need to obtain and run the Kolide Launcher Agent installation package for your platform.
Warning: Unlike the Kolide Mobile App, Kolide’s Launcher Agent is designed to only allow a computer to be associated with a single customer’s Kolide service.
In the browser that opens, you may be asked to authenticate via your authentication provider. Once authenticated, you will be presented with the registration confirmation screen as shown below. Click Register Device to complete the registration process.
You will be redirected to a verification page where your device’s posture will be checked. While Kolide uses this opportunity to ask the user to take care of any issues that may block their device on the next authentication attempt, this step is optional; the device is already registered.
Registering Additional Computers
Kolide “bootstraps” the device trust by allowing an end-user without any registered devices to register their first device by simply proving their identity via their pre-existing SSO authentication. This bootstrapping strategy is referred to in the industry as Trust on First Use (TOFU).
However, once the user registers their first device, Kolide will not allow the user to register any other devices unless they either prove they are in possession of a device that Kolide already trusts or obtain explicit approval from a Kolide administrator.
Let’s discuss both options below:
Self-Service Registration
To register another device via self-service registration:
First, follow the steps in How To Register Your First Computer. Instead of the device being registered, you’ll receive the following prompt.
Click Register using an existing trusted device.
This will open a modal explaining that on an existing registered device you need to click on the Kolide icon in your menubar (or system tray on Windows) and click the Pending Registration Request item.
Once clicked, a web browser will open for you to confirm the final approval.
Note: A record of all self-approvals and self-rejections is available in your organization’s Kolide audit log. These logs are also accessible programmatically.
Once you click approve, the device you are attempting to register will be automatically registered and authentication will proceed as usual.
Admin Approved Registration
If the user explicitly requests it, or does not have any devices that can be used for self-registration, the user will be prompted to request the device be manually registered by an administrator.
Admins should always verify the intent of the requester through secure channels in addition to the details of the device before approving a registration.
To do this, we recommend in-person conversations, video calls, or voice calls, where the identity of an individual can be visually and auditorily confirmed. Verifying a user’s registration attempt by messaging them on Slack is not good enough!
To do so, the end-user first follows the steps in How To Register Your First Computer and then fills out the following form:
Once complete, all Kolide admins will receive a notification email directing them to go to the Requests top-level menu item and approve the request there as shown below.
Simply click Approve and the end-user will be notified. Otherwise, click Reject and supply an internal and an end-user visible reason for the rejection.
How To Register Mobile Devices
Mobile Devices (iPhones, iPads, and Android devices) can be registered by following these steps:
If you haven’t already, obtain the official Kolide app from your mobile device’s official app store.
Tap the app to launch it. If this isn’t your first registration on this mobile device, first tap Register with a new Organization. As directed by the app, open the web browser on a computer that is already registered with Kolide and visit https://auth.kolide.com/setup.
On your previously registered computer, complete any required authentication and then click I’ve got the app. This will reveal a QR code you will scan on your phone.
On your mobile device, scan the QR code with your mobile device’s camera. (If your mobile device does not have a camera, you can enter the registration code manually.) Once scanned, the screen will automatically advance and confirm the registration. You can now use this device to authenticate!
Your QR code will likely look different than shown in the image above.
How To Control Registration Eligibility
By default, all supported platforms, regardless of their posture or configuration, are eligible to become registered in Kolide’s Device Trust solution.
However, many organizations may wish to limit which devices are allowed to be considered “trusted” in their organization. For example, they may only allow devices that are enrolled in the organization’s MDM solution, or have a special file or certificate on the filesystem. In some situations, an organization may want to disallow an entire platform from being allowed to enroll (e.g., Mobile Devices). To enable this, Kolide supports enacting specific registration requirements.
To remove an existing registration, see Removing Registration below.
To configure your organization’s registration requirements, go to Settings > Device Registration (note: you must be an administrator to control these settings).
Disabling a platform
If you wish to prevent an entire platform from registering, click the toggle next to that platform’s section so that it is in the “off” position. If you disable the Mobile Devices platform (shown below), you will also be given the opportunity to provide a message to end-users.
Requiring certain checks to pass
Instead of preventing an entire platform from registering, you may wish to ensure a device is meeting certain requirements. To accomplish this, Kolide uses the same Checks system used to assess the device’s posture to ensure it is eligible to complete authentication.
Registration requirements are a separate control from blocking: blocking only temporarily impacts an already registered device’s ability to complete authentication. It’s not designed to stop devices from becoming officially associated with the organization via registration.
A good rule of thumb is if you don’t want end-users to self-remediate (or it’s a problem they can’t solve on their own), then you should make it a registration requirement. An example of this would be checking if the device is enrolled in the organization’s MDM provider.
On the other hand, if the device check is related to the device’s posture and is something the end-user can self-remediate, then it should not be a registration requirement. A good example of this is making sure a device’s web browsers are up-to-date.
To set requirements for a platform, check the checkbox labeled Restrict new registration to macOS devices which pass specified checks… and then, choose the checks you wish to make requirements. All of the checks listed here must be in a passing state for the device to be considered eligible for registration.
When an end-user attempts to register a device that does not meet all of the listed checks, they will see a screen like the following:
If an end-user asks you why a device wasn’t eligible, find it under Devices > Unregistered Devices, look at which checks it is currently failing, and compare that list with the registration requirements.
Authentication Modes
By default, Kolide will only allow the person who registered a device to use it for device trust authentication. If a different person attempts to use the device to sign into a protected resource, they will see the following screen:
There may be some situations where this behavior is undesirable. For instance, on shared devices, or in cases where an end-user regularly uses multiple identities when logging into services.
You can change this behavior to allow all the individuals imported into Kolide (listed in People top-level menu item) by performing the following steps:
Click the Devices menu item in the top-level navigation. Locate the device you want to modify and click it to view its details page.
In the registration info bar, click Only the Registered Owner Can Authenticate.
In the modal that appears select Anyone listed in Kolide/People and then click Save.
You will see the registration bar change to indicate Anyone Can Use This Device To Authenticate.
If you want to revert back to the original behavior, simply follow the procedure above again, but select Only the registered owner in the modal. Each time that you change this setting, the action is recorded in your organization’s Audit Log.
Removing Registration
De-registering a device is desirable when you want to make it available for a new user to register, but you want to preserve all the prior data Kolide has collected about the device.
Click the Devices menu item in the top-level navigation. Locate the device you want to de-register and click it to view its details page.
In the registration info bar, click Remove Registration and accept the warning confirmation.