macOS Deployment Guide

macOS Deployment Guide

Granting Full Disk Access Permissions

The Kolide Agent needs Full Disk Access (FDA) to improve the accuracy and better inspect the system to understand the security of the device. If your organization uses MDM to manage its Macs, we have prepared a custom configuration profile that you can distribute, which will grant the Kolide agent the correct permissions.

You should consult your MDM provider’s documentation on how to correctly add the SystemPolicyAllFiles permissions for an app. This information should help you craft a profile.

Profile Versions:
As a heads up, the version of the profile you need depends on what version of the Kolide Agent you originally installed. This is because the FDA permission is inherited from what the macOS launchd starts, and not what the agent has updated to.

If you need assistance with these changes, please reach out to Support.

Agent Versions 0.13 and Later (Includes 1.0)

This covers all agents since version 0.13, first released in December 2022. Be aware that if you’re using an MDM to distribute packages, you may have an older version being installed.

Key Information:

  • Identifier Type - bundleID
  • Identifier - com.kolide.agent
  • CodeRequirement - identifier "com.kolide.agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = X98UFR7HA3

Example Profile:

<key>Services</key>
<dict>
    <key>SystemPolicyAllFiles</key>
    <array>
        <dict>
            <key>Allowed</key>
            <true />
            <key>CodeRequirement</key>
            <string>identifier "com.kolide.agent" and anchor apple generic and
            certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */
            and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */
            and certificate leaf[subject.OU] = X98UFR7HA3</string>
            <key>Comment</key>
            <string>Allow kolide access to device and user level files</string>
            <key>Identifier</key>
            <string>com.kolide.agent</string>
            <key>IdentifierType</key>
            <string>bundleID</string>
        </dict>
    </array>
</dict>

Agent Versions 0.12 and below

Key Information:

  • Identifier Type - path
  • Identifier - /usr/local/kolide-k2/bin/launcher
  • CodeRequirement - identifier launcher and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = YZ3EM74M78

Example Profile:

<key>Services</key>
<dict>
    <key>SystemPolicyAllFiles</key>
    <array>
        <dict>
            <key>Allowed</key>
            <true />
            <key>CodeRequirement</key>
            <string>identifier launcher and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = YZ3EM74M78</string>
            <key>Comment</key>
            <string>Allow kolide access to device and user level files</string>
            <key>Identifier</key>
            <string>/usr/local/kolide-k2/bin/launcher</string>
            <key>IdentifierType</key>
            <string>path</string>
        </dict>
    </array>
</dict>

Enable Kolide’s Menubar App Notifications

The Kolide agent contains a menubar app that displays notifications to the end-user when their device’s authentication state changes. When the app first appears, users may be prompted to allow notifications. If they dismiss this request, they may miss critical notifications from the system.

The following MDM profile can be deployed to the Mac fleet as an easy way to ensure Kolide notifications are always enabled and visible to end-users.

Important:
This is a template with the intention of being used as a starting point. Please be sure to customize the profile for use with your organization and perform testing to ensure it produces the desired outcome.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>NotificationSettings</key>
            <array>
                <dict>
                    <key>BundleIdentifier</key>
                    <string>com.kolide.agent</string>
                    <key>CriticalAlertEnabled</key>
                    <true/>
                    <key>PreviewType</key>
                    <integer>1</integer>
                </dict>
            </array>
            <key>PayloadDescription</key>
            <string>Configures notifications settings for apps</string>
            <key>PayloadDisplayName</key>
            <string>Notifications</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.notificationsettings.B59EADBB-46D3-4368-B905-52D222FBCB27</string>
            <key>PayloadType</key>
            <string>com.apple.notificationsettings</string>
            <key>PayloadUUID</key>
            <string>B59EADBB-46D3-4368-B905-52D222FBCB27</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>Kolide Agent</string>
    <key>PayloadIdentifier</key>
    <string>com.kolide.agent</string>
    <key>PayloadOrganization</key>
    <string>Kolide</string>
    <key>PayloadRemovalDisallowed</key>
    <true/>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>3ADA839E-DA1E-41F5-95DC-B6A78B3E8D97</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>

Suppress Background Task Notifications For Silent Installation

Many organizations choose to roll out the Kolide agent in Report Only Mode where the menu bar app is initially hidden. Please contact Kolide support if you are interested in this feature until the user registers the device.

Starting in macOS 13 (Ventura), Apple has introduced a new style of notification that informs users when the Kolide agent’s Launch Daemon is installed.

An example of the notification end-users receive when Kolide is rolled out via MDM

To suppress these notifications for a truly silent installation experience, the following MDM profile can be deployed to your Mac fleet. Keep in mind, this profile will suppress all notifications of this type, so you may wish to remove it later.

Important:
This is a template with the intention of being used as a starting point. Please be sure to customize the profile for use with your organization and perform testing to ensure it produces the desired outcome.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>NotificationSettings</key>
            <array>
                <dict>
                    <key>BundleIdentifier</key>
                    <string>com.apple.BTMNotificationAgent</string>
                    <key>NotificationsEnabled</key>
                    <false/>
                </dict>
            </array>
            <key>PayloadIdentifier</key>
            <string>com.apple.notificationsettings.12c05d0d-6231-4621-9ac6-a781a626951b</string>
            <key>PayloadType</key>
            <string>com.apple.notificationsettings</string>
            <key>PayloadUUID</key>
            <string>12c05d0d-6231-4621-9ac6-a781a626951b</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>Disable Background Task Management Notifications</string>
    <key>PayloadDisplayName</key>
    <string>Disable Background Task Management Notifications</string>
    <key>PayloadIdentifier</key>
    <string>com.apple.notificationsettings.5ea4543d-f0fe-4f19-9e5f-7fab2051b712</string>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>5ea4543d-f0fe-4f19-9e5f-7fab2051b712</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>