Contents

How to List Safari Extensions Across All Macs

Using Kolide, you can easily view and query Mac Safari Extensions across your fleet.

Introduction

Safari provides the ability to extend the core functionality of the browser via the installation of 'extensions'. Extensions may be published by Apple or by 3rd party authors, and can be distributed by being bundled with Apps or downloaded directly from the Apple App Store.

Kolide collects metadata about Safari Extensions such as their name, their publisher, their version, and whether they are enabled. Kolide does not collect any data for legacy Safari Extensions used in Safari 11 or prior.

For more information about Safari extensions please consult the following links:

What Mac Safari Extension Data Can Kolide Collect?

Kolide's endpoint agent bundles in osquery to efficiently collect Mac Safari Extensions from Macs in your fleet. Once collected, Kolide will parse, clean up, and centrally store this data in Inventory for your team to view, query, or export via API.

Kolide meticulously documents every piece of data returned so you can understand the results.

Mac Safari Extensions Schema

Column	Type	Description
id	Primary Key	Unique identifier for the object
device_id	Foreign Key	Device associated with the entry
device_name	Text	Display name of the device associated with the entry
app_store_icon_url	Text	The App Store url of the icon
app_store_latest_version	Text	The latest version available for this extension in the App Store
app_store_latest_version_released_at	Timestamp	The time the latest version was released for this extension in the App Store
app_store_report	Jsonb	The raw JSON response from Apple App Store API
app_store_updated_at	Timestamp	The freshness of Apple App Store data associated with this extension
bundle_identifier	Text	The bundle_identifier of the `.appex` file associated with the extension
copyright	Text	A developer provided copyright notice
description	Text	A developer provided description
enabled	Boolean	`true` if extension is enabled otherwise `false` or `NULL` if unknown
extension_type	Enum::Text	The type of Safari extension Can be one of the following: `app` - An extension bundled with an existing App `web` - An extension built using the Web Extension API and distributed in the App Store
has_injected_content	Boolean	`true` if extension able to inject HTML, JS, or CSS into a third-party page otherwise `false` or `NULL` if unknown Note on data collection: This value is only available for extensions where `mac_safari_extensions.extension_type` is `app`
installed_at	Timestamp	The time the Safari extension was installed/added
mac_app_id	Foreign Key	The Mac App associated with the extension
name	Text	The name of the Safari extension as shown in the Safari UI
permissions	Text[]	The permissions required by the Safari extension. MDN Extension Permissions Reference Note on data collection: This value is only available for extensions where `mac_safari_extensions.extension_type` is `web`
team_identifier	Text	The team signing identifier sealed into the extension signature
uid	Bigint	The uid of the user paired with the Safari installation for this extension
unique_id	Text	The bundle_identifier of the extensions concatenated with the user paired with the Safari installation
username	Text	The username of the user paired with the Safari installation for this extension
version	Text	The text representation of the version
version_major	Bigint	`version`'s semver major version (ex: `4.2.1` would yield `4`)
version_minor	Bigint	`version`'s semver minor version (ex: `4.2.1` would yield `2`)
version_patch	Bigint	`version`'s semver patch version (ex: `4.2.1` would yield `1`)
version_subpatch	Bigint	`version`'s numeric status fourth position number (ex: `4.2.1.6` would yield `6`)
version_pre	Text	`version`'s semver pre-release version (ex: `1.2.3-prerelease+build` would yield `pre-release`)
version_build	Text	`version`'s semver build version (ex: `1.2.3-prerelease+build` would yield `build`)
collected_at	Timestamp	Time the row of data was first collected in the database
updated_at	Timestamp	Time the row of data was last changed in the database

What Can You Do With This Information?

Kolide enables you to write your own queries against the data the agent collects. This allows you to build your own reports and API endpoints. For example, you can:

Search for installations of browser extension by name (1Password)

Kolide SQL

WITH 
collated_extensions AS (
  SELECT
    device_id,
    browser_type AS browser,
    uid, 
    name, 
    identifier, 
    version, 
    '' AS profile
  FROM device_chrome_extensions
  UNION ALL
  SELECT
    device_id,
    'firefox' AS browser,
    uid, 
    name, 
    identifier, 
    version, 
    '' AS profile
  FROM device_firefox_addons
  UNION ALL
  SELECT
    device_id,
    'safari' AS browser,
    uid, 
    name, 
    team_identifier AS identifier, 
    version, '' AS profile
  FROM mac_safari_extensions
  )
  SELECT 
    COUNT(*) AS install_count, 
    name, 
    browser, 
    identifier, 
    version 
  FROM collated_extensions 
  WHERE name ILIKE '%1password%'
  GROUP BY identifier, name, browser, version
  ORDER BY install_count DESC
  LIMIT 10

Example Results

name	browser	version	identifier	install_count
1Password – Password Manager	chrome	2.3.4	aeblfdkhhhdcdjpifhhbdiojplfjncoa	27
1Password extension (desktop app required)	chrome	4.7.5.90	aomjjhallfgjeglblehebfpbcfeobpgk	11
1Password – Password Manager	chrome	2.3.3	aeblfdkhhhdcdjpifhhbdiojplfjncoa	8
1Password – Password Manager	chrome	2.3.2	aeblfdkhhhdcdjpifhhbdiojplfjncoa	8
1Password	safari	7.9.5	2BUA8C4S2C	8
1Password	safari	7.9.2	2BUA8C4S2C	7
1Password – Password Manager	firefox	2.3.3	{d634138d-c276-4fc8-924b-40a0ea21d284}	4
1Password	safari	7.8	2BUA8C4S2C	4
1Password beta (desktop app required)	chrome	4.7.6.2	phicbbndgmmpogmijjkbmdhpioaieaha	4
1Password for Safari	safari	2.2.3	2BUA8C4S2C	3

Why Should I Collect Mac Safari Extensions?

Due to the high-value of a user's browser activity, Safari is a frequent target of malicious extension authors who wish to obtain secure details about an end-user (eg. sites they visit, credit cards they use, etc.) and its extension configuration should be regularly audited to ensure that they are not at risk of attack.

Safari extension installations are cataloged and tracked to facilitate a number of potential purposes, for example:

Reviewing installed extensions to verify the desired configuration of Safari (eg. 1Password extension is installed)
Discovering potential malicious extensions

End-User Privacy Consideration

Kolide practices Honest Security. We believe that data should be collected from end-user devices transparently and with privacy in mind.

Safari Extensions which you install could reveal suggestive details about your personal browsing habits if they are named after a specific service you utilize. For example:

eBay Bid Sniper
Adult Website Video Downloader
Netflix Region Unblocker
Safari BitCoin Miner

When you use Kolide to list Mac Safari Extension data from end-user devices, Kolide gives the people using those devices insight into exactly what data is collected, the privacy implications, and who on the IT team can see the data. This all happens in our end-user privacy center which can be accessed directly by employees.