The Kolide Agent


Need Help?
Looking for installation/removal instructions or troubleshooting tips? Read Using Kolide - Agent.

Overview

The Kolide agent (also referred to as Kolide Launcher Agent) allows the Kolide service to communicate with Mac, Windows, and Linux devices. This article describes the agent’s capabilities and architecture across all of Kolide’s supported platforms.

Supported Platforms

Kolide ships and supports agent installers for macOS, Windows, RPM-based Linux, and Debian-based Linux.

Platform | Min Version               | Latest Version            | Notes
macOS    | macOS 11 - Big Sur        | macOS 15 - Sequoia        |
Windows  | Windows 10                | Windows 11                | ARM support is not available
Linux    | (See Linux Support Notes) | (See Linux Support Notes) | ARM support is not available

Linux Support Notes:
Kolide offers official Debian and RPM installers for Linux-based operating systems. Kolide engineers test new releases of its agent against the last 2 LTS versions of Ubuntu and the latest version of Red Hat Enterprise Linux (RHEL) using both KDE and GNOME backed by X11 and Wayland.

Unless otherwise noted, when Kolide claims support for a specific platform, it means:

  • The installation packages work as expected.
  • The agent persists itself across restarts.
  • The uninstall process works.
  • The menu bar app appears in the system tray and all the items work.
  • The menu bar app can display system notifications to the end-user.
  • The device trust local server operates as expected.
  • The agent’s automatic update process works correctly.
  • The osquery daemon interacts with the Kolide service correctly.
  • Kolide official Checks work correctly.

Note:
Kolide’s agent is designed with resiliency in mind. In practice, this means Kolide will likely function below the minimum tested versions listed above. With that said, Kolide does not test changes in the agent outside of the versions listed in the table above, so if you do use Kolide on an unsupported platform, please proceed at your own risk.

Components

While Kolide’s agent is shipped in a single installer, it’s really a collection of technologies, each enabling different features and experiences within the Kolide service.

Osquery and Osquery Extension

Kolide’s service requires regularly updated information about a device’s current posture. To achieve this, the Kolide agent installs and persists a fully functional osquery daemon that interacts directly with the Kolide service. On macOS, Kolide ships osquery’s official app bundle, which carries Apple’s Endpoint Security entitlement, allowing customers to use osquery’s process event monitoring and file monitoring features on the Mac.

In addition, Kolide includes an osquery extension that registers new virtual tables, providing device information that osquery cannot obtain on its own.

Note:
For more information about Kolide’s osquery extensions, including source code for the virtual tables, visit GitHub.

All components of osquery are kept up-to-date using the agent’s Automatic Update Capabilities.

Menu Bar Application

Kolide’s agent includes a Menu Bar application that serves as an indicator of the current device’s registration status and health.

An example screenshot of Kolide’s Menu Bar application

In addition to displaying device health, the app is also capable of sending on-device notifications that inform end-users about any changes in their registration status or device health.

Updater

Kolide’s agent is capable of updating any of its components via a secure and automatic update system.

The updater adheres to The Update Framework (TUF) specification. Kolide uses a mirror such as Google Cloud Storage to store update targets, and the agent uses the Go implementation of TUF to verify that targets have not been tampered with.
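The tamper check TUF performs on a downloaded target, as an added illustration that is not Kolide's or go-tuf's own code: after the client has verified the signatures on the targets metadata (omitted here), every downloaded file must match the length and hash the signed metadata records. The targets.json fragment and payload below are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed sample payload and a matching TUF targets.json fragment.
# The hash is computed from the constructed payload, not from any real Kolide release.
SAMPLE_TARGET = b"launcher-binary-contents-v1"
TARGETS_JSON = json.dumps({
    "signed": {
        "_type": "targets",
        "targets": {
            "launcher": {
                "length": len(SAMPLE_TARGET),
                "hashes": {"sha256": hashlib.sha256(SAMPLE_TARGET).hexdigest()},
            }
        },
    }
})


def verify_target(targets_json: str, name: str, payload: bytes) -> bool:
    """Check a downloaded target against signed TUF targets metadata.

    This is the final integrity step of a TUF client; signature verification
    of the metadata itself must already have succeeded before this is trusted.
    Length is compared before hashing so an oversized download is rejected cheaply.
    """
    meta = json.loads(targets_json)["signed"]["targets"].get(name)
    if meta is None:
        return False  # unknown target: no signed metadata to check it against
    if len(payload) != meta["length"]:
        return False  # truncated or padded download
    expected = meta["hashes"]["sha256"]
    actual = hashlib.sha256(payload).hexdigest()
    # Constant-time compare; a plain == would also be correct for a public hash,
    # but compare_digest is the habit worth keeping for any verification code.
    return hmac.compare_digest(actual, expected)
```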

Local Server

The Kolide agent includes a web server that is only accessible via the local loopback interface (127.0.0.1) on a high-numbered port. Kolide uses this web server to identify devices accessing the service via a web browser and to issue commands to change the agent’s behavior (e.g., asking the agent to check in more frequently for 5 minutes).

Kolide uses public-key authenticated encryption to encrypt and sign confidential messages between the Kolide Service and the Kolide Agent (specifically libsodium’s crypto_box). For more information, please read About Kolide - Device Trust Architecture.

Network Communication

The Kolide agent connects to several HTTPS endpoints that together make up the Kolide service. All outbound communication across the internet is on port 443.

The list of domains (last changed 2023-11) is:

  • k2device.kolide.com
  • k2control.kolide.com
  • notary.kolide.co
  • dl.kolide.co
  • tuf.kolide.com
  • ingest.kolide.com

Additional Hosts for macOS Connectivity:
All modern versions of macOS check package and binary signatures for validity. This may require contacting Apple servers. For more information, including best practices for network administrators, please see Apple’s official documentation.
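An added example, not part of Kolide's documentation, showing how a defender can audit egress logs against the domain list and port above: every connection made by an agent process must go to one of the documented hosts on port 443, and anything else is a finding worth investigating. The log format and the process names `launcher` and `osqueryd` are assumptions for the example; the Apple signature-check hosts mentioned above are deliberately not in this allowlist, so they would be flagged if attributed to an agent process.

```python
import re

# Domains the Kolide agent is documented to contact (list last changed 2023-11).
KOLIDE_HOSTS = {
    "k2device.kolide.com",
    "k2control.kolide.com",
    "notary.kolide.co",
    "dl.kolide.co",
    "tuf.kolide.com",
    "ingest.kolide.com",
}

# Constructed sample egress-proxy log: "<time> <process> <dest_host>:<port>".
SAMPLE_LOG = """\
2024-01-10T09:00:01Z launcher k2device.kolide.com:443
2024-01-10T09:00:02Z launcher tuf.kolide.com:443
2024-01-10T09:00:03Z launcher dl.kolide.co:80
2024-01-10T09:00:04Z launcher updates.example.net:443
2024-01-10T09:00:05Z osqueryd k2device.kolide.com:443
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+)$")


def audit_agent_egress(log: str, agent_processes=("launcher", "osqueryd")) -> list[str]:
    """Return one finding per agent connection outside the documented allowlist.

    Two checks per connection from an agent process (process names assumed):
    the destination must be a documented Kolide host, and the port must be 443.
    """
    findings = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines; a production audit would count them
        ts, proc, host, port = m.groups()
        if proc not in agent_processes:
            continue
        host = host.lower().rstrip(".")  # normalise case and trailing dot
        if host not in KOLIDE_HOSTS:
            findings.append(f"{ts} {proc}: unexpected destination {host}:{port}")
        elif port != "443":
            findings.append(f"{ts} {proc}: {host} on non-443 port {port}")
    return findings
```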