Self-Remediation via Okta
Engage end-users during auth to self-remediate issues
Security & Compliance Checks
Monitor your entire Linux, Mac, and Windows fleet
Device Inventory
Your fleet represented in thousands of data points
Implement Zero Trust Access
Prevent unsecure devices from accessing your apps
Achieve 100% Device Compliance
Measure, achieve, and maintain your compliance goals
Gain Fleet Visibility
Become "all knowing" across Linux, Mac, and Windows
Help / Docs Product Changelog App Security Company
From the blog

Device Checks

Kolide has over a hundred checks to help you measure and achieve your organization's compliance and security goals. Here are some of our most popular:

Achieve your security and compliance goals with ease.

No SQL Queries to Write
User/Okta Driven Remediation
Security Training for End-Users

You can use Device Checks to...

Find and Securely Store 1Password Emergency Kits

1Password Emergency Kits usually contain the account's secret key and maybe even the master password. It's important that they are secured.
1password unencrypted-credentials no-mdm-resolution

Find Non-Genuine Windows Installations and Activate Them

Non-Genuine Windows is highly correlated with malware infection and the presence of other pirated software.
software licensing microsoft piracy no-mdm-resolution

Find and Secure Plain-Text GitHub 2FA Backup Codes

Github Two-Factor backup codes are as good as real passwords. It's important that they are secured.
github two-factor-codes unencrypted-credentials no-mdm-resolution

Block GitHub Copilot

Github Copilot can put the IP rights of your code at risk. You may want to block engineers from using it.
github shadow-it no-mdm-resolution

Block iCloud Private Relay

Disabling iCloud Private Relay on macOS may be good idea if it conflicts with an existing VPN or network auditing requirements.
vpn networking

Configure macOS Firewall to Block Unauthorized Connections

The macOS firewall comes disabled by default, but should be enabled whenever possible.
firewall networking

Find Macs with Remote Login Enabled and Disable it

Remote Login is essentially a Remote SSH server which can reduce the security of your Macs.
remote-login ssh macos-sharing-preferences

Find Macs With SIP Disabled and Enable It

SIP protects Macs by preventing them from running unauthorized code. It should be enabled.
startup-security os-integrity no-mdm-resolution

Ensure Ubuntu’s Unattended Upgrades Are Turned On

Enabling Unattended Upgrades ensures critical software on Ubuntu remains patched automatically. It's a must-have.
os-updates patching debian ubuntu no-mdm-resolution

Find Unencrypted SSH Keys and Encrypt Them

SSH keys are commonly used to sign into servers, push code, and verify identities. It's important they are password-protected.
ssh developers unencrypted-credentials no-mdm-resolution

Ensure Windows' Ransomware Protection is Enabled

Controlled Folder Access is the easiest way to stop ransomware, but isn't enabled by default.
ransomware malware windows-security-center

And many more checks...

1Password
Disallow 1Password Emergency Kit to Be Stored in Plaintext
1Password
Ensure 1Password Extension is Installed and Enabled on Default Browser
1Password
Require 1Password 8 Meets Minimum Version
1Password
Require 1Password be Logged into Work Account
Android Lock Screen
Require Lock Screen Configuration
Android Software Updates
Ensure Android OS Is Up to Date
Apple Intelligence
Require Apple Intelligence to Be Disabled
Arc
Require Arc Browser To Be Up to Date
AWS Credentials
Require AWS Credentials File to Be Encrypted
BIOS
Require CPU "No Execute" to Be Enabled
BIOS
Require Secure Boot to Be Enabled
BitDefender
Require BitDefender App to Be Installed and Running
BitLocker
Require Primary Disk to Be Encrypted
Brave
Require Brave Browser to Be Up to Date
ClamAV
Require ClamAV to Be Installed and Running
ClamAV
Require Clamscan Job to Be Running
ClamAV
Require Freshclam Job to Be Running
CrowdStrike
Ensure Endpoint Device Meets Minimum Required ZTA Score
CrowdStrike
Require CrowdStrike Agent to Be Installed and Running
Device Uptime
Require Device to Be Restarted Regularly
Disk Health
Ensure Sufficient Free Space on Primary Disk
Dropbox
Dropbox App Should Not Be Installed
ESET
Require ESET Agent to Be Installed and Running
F5 VPN
Require F5 VPN to Be Installed
Firefox
Require Firefox Browser to Be Up to Date
Gatekeeper
Require macOS Gatekeeper to Be Enabled
GitHub Copilot
GitHub Copilot Should Not Be Installed
GitHub
Require GitHub 2FA Recovery Codes to Be Encrypted
Google Chrome
Require Chrome Browser to Be Up to Date
Google
Require GSuite 2FA Recovery Codes to Be Encrypted
Grammarly
Grammarly Browser Extension Should Not Be Installed
Grammarly
Grammarly Mac App Should Not Be Installed
Homebrew
Require Homebrew Packages To Be Up to Date
iCloud
Require iCloud Private Relay to Be Disabled
iOS Passcode
Require Passcode Configuration
iOS Software Updates
Ensure iOS Meets Minimum Required Version
iOS Software Updates
Ensure iOS Version Is Up to Date
iTerm2
Disallow Vulnerable iTerm2 Versions
iTerm2
Require Secure Keyboard Entry to Be Enabled
Kolide Agent
Require Kolide Agent to Have Full Disk Access Entitlement
Linux Disk Encryption
Require Disk To Be Encrypted
Linux Firewall
Ensure iptables Has Suitable Default Policy
Linux Firewall
Require Uncomplicated Firewall (UFW) To Be Enabled
Linux Package Updates
Ensure Linux Packages Are Up to Date
Linux Screen Lock
Require Cinnamon Secure Screen Lock Configuration
Linux Screen Lock
Require Gnome Secure Screen Lock Configuration
Linux Screen Lock
Require Mate Secure Screen Lock Configuration
Linux Workspace ONE UEM
Require Device To Be Enrolled
Linux Workspace ONE UEM
Require Device to be Enrolled in and Properly Configured to Workspace ONE
Linux Workspace ONE UEM
Require Device To Have All Profiles Installed
Linux Workspace ONE UEM
Require Device To Satisfy Dependencies
Login and Access
Ensure Root Account Shells Are Set to nologin
Login and Access
Ensure System Account Shells Are Set to nologin
Login and Access
Require Guest User Account to Be Disabled
Login and Access
Require Root Accounts Have a Password Set or Be Locked
Login and Access
Require System Account Passwords To Be Locked
Login and Access
Require User Account Passwords To Be Locked or Set
macOS Battery
Ensure Device Battery Is Healthy
macOS Finder
Require File Extensions to Be Visible in Finder
macOS Find My
Require Find My Service to Be Disabled
macOS Find My
Require Find My Service to Be Enabled
macOS Firewall
Require Firewall to Be Enabled
macOS Location Services
Require Location Services to Be Enabled
macOS MDM
Require Device to Be Enrolled in macOS MDM
macOS MDM
Require Jamf Protect Agent to Be Installed and Running
macOS Notifications
Require Sensitive Previews to Be Disabled on Lock Screen
macOS Screen Lock
Require Secure Screen Lock Configuration
macOS Sharing
Require Bluetooth Sharing to Be Disabled
macOS Sharing
Require Content Caching to Be Disabled
macOS Sharing
Require Disc Sharing to Be Disabled
macOS Sharing
Require File Sharing to Be Disabled
macOS Sharing
Require Internet Sharing to Be Disabled
macOS Sharing
Require Printer Sharing to Be Disabled
macOS Sharing
Require Remote Apple Events or App Scripting To Be Disabled
macOS Sharing
Require Remote Login to Be Disabled
macOS Sharing
Require Remote Management to Be Disabled
macOS Sharing
Require Screen Sharing to Be Disabled
macOS Software Updates
Ensure OS Meets Minimum Required Version
macOS Software Updates
Ensure OS Version Is Supported by Apple
macOS Software Updates
Ensure OS Version Is Up to Date
macOS Software Updates
Require Automatic Updates to Be Enabled
Microsoft Defender
Require Microsoft Defender ATP To Be Configured And Healthy
Microsoft Edge
Require Edge Browser To Be Up to Date
Microsoft Intune
Require Device Enrollment
Microsoft Intune
Require Regular Device Check In
Microsoft Software Licenses
Require Microsoft Windows to Be Licensed
Mobile OS
Ensure Device Is Enrolled in Organization MDM
Mobile OS
Ensure Device Is Not Jailbroken or Rooted
Munki
Require Munki to Be Installed and Run Recently
Network Time Protocol
Require Date and Time to Be Set Automatically
OpenAI
ChatGPT Mac App Should Not Be Installed
OpenAI
ChatGPT Mac App Should Use Approved Workspace
Password Policies
Require Password Policies to Be Configured Securely
Rapid7
Require Rapid7 App to Be Installed and Running
Remote Access
Remote Access Daemon Should Not Be Installed or Running
Removable Media
Require Autorun to Be Disabled
Salt
Require Salt App to Be Installed
SentinelOne
Require SentinelOne Agent to Be Installed, Running, and Configured
Sophos
Require Sophos App to Be Installed and Running
SSH Keys
Require SSH Keys to Be Encrypted
Sudo
Disallow Passwordless Invocation
Sudo
Require use_pty to Be Configured
Symantec
Require Symantec Endpoint Protection to Be Installed and Running
System Integrity Protection
Require System Integrity Protection to Be Enabled
Trelica
Require Trelica Browser Extension to Be Installed
Ubuntu
Ensure Cron Is Running
Ubuntu
Ensure OS Version Is Supported
Ubuntu
Require Unattended Upgrades to Be Properly Configured
Vulnerabilities
Insecure Zoom Video Conference Server
Windows 11
Disallow TPM/CPU Installation Bypass
Windows Explorer
Require File Extensions to Be Visible
Windows MDM
Require Device to Be Enrolled in Windows MDM
Windows Security Center
Require Antivirus to Be Enabled
Windows Security Center
Require Ransomware Protection (Controlled Folder Access) to Be Enabled
Windows Software Updates
Ensure Important OS Updates Are Installed
Windows Software Updates
Ensure OS Meets Minimum Version Requirement
Windows Software Updates
Ensure OS Version Is Supported by Microsoft
Windows UAC
Require User Account Control to Be Enabled
Zscaler
Require Zscaler App to Be Installed and Configured