How to List App Schemes Across All Macs
Using Kolide, you can easily view and query Mac App Schemes across your fleet.
Introduction
When using the web you click on links which usually direct your browser to a new URL. These URLs can look like https://google.com or http://jetblue.com. The part of the URL that starts with https and http is called the scheme.
Besides http and https there are many other types of schemes your computer can understand. In fact, when you install new programs, they may register new schemes. For example, people who have the Slack chat application installed can click on links that start with slack://. If they do this, the Slack chat client will open and potentially direct them to a specific workspace, channel, or DM conversation.
Kolide is able to enumerate these schemes and determine which program will normally open when a URL with that scheme is accessed.
What Mac App Scheme Data Can Kolide Collect?
Kolide's endpoint agent bundles in osquery to efficiently collect Mac App Schemes from Macs in your fleet. Once collected, Kolide will parse, clean up, and centrally store this data in Inventory for your team to view, query, or export via API.
Kolide meticulously documents every piece of data returned so you can understand the results.
Mac App Schemes Schema
Column | Type | Description
---|---|---
id | Primary Key | Unique identifier for the object
device_id | Foreign Key | Device associated with the entry
device_name | Text | Display name of the device associated with the entry
enabled | Boolean |
external | Boolean |
handler | Text | Application label for the handler
protected | Boolean |
scheme | Text | Name of the scheme/protocol
collected_at | Timestamp | Time the row of data was first collected in the database
updated_at | Timestamp | Time the row of data was last changed in the database
What Can You Do With This Information?
Kolide enables you to write your own queries against the data the agent collects. This allows you to build your own reports and API endpoints. For example, you can list, per device, whether /Applications/Slack.app is the enabled handler for the slack scheme and which handler is actually registered:

```sql
SELECT device_id, device_name,
  MAX(CASE WHEN scheme = 'slack' AND handler = '/Applications/Slack.app' AND enabled = 'true' THEN 'true' ELSE 'false' END) AS default_slack_enabled,
  MAX(CASE WHEN scheme = 'slack' AND enabled = 'true' THEN handler END) AS slack_registered_handler
FROM mac_app_schemes
WHERE scheme = 'slack'
GROUP BY device_id, device_name
```
device_name | default_slack_enabled | slack_registered_handler
---|---|---
hannahs-imac | false | /Applications/Slack 2.app
Gemmas-MacBook-Pro | false | /Users/gemma/Downloads/Slack.app
Mac-mini | false | /Applications/Slack 12.13.24 PM.app
jordan | false | /Applications/Slack copy.app
Conference-Room-Zoom | false | /Applications/Schlack.app
Why Should I Collect Mac App Schemes?
Since any newly downloaded app can register new schemes, it's important that administrators can audit this part of the system and look for the following:
- Suspicious apps that have taken over schemes where they are likely an undesirable choice (e.g., any app other than Slack taking responsibility for slack://)
- Registration of schemes that are not well known and could be a vector for a future attack
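The two audit checks above, as an added example that is not Kolide's own code: it loads constructed rows shaped like the mac_app_schemes columns on this page into an in-memory SQLite table, compares each enabled scheme against an assumed per-scheme expected handler list, and flags known schemes with an unexpected handler and schemes with no policy at all.

```python
import sqlite3

# Constructed sample rows (device_name, scheme, handler, enabled), shaped like the
# Kolide mac_app_schemes columns; device names and handler paths are made up.
SAMPLE_ROWS = [
    ("hannahs-imac", "slack", "/Applications/Slack.app", 1),
    ("Gemmas-MacBook-Pro", "slack", "/Users/gemma/Downloads/Slack.app", 1),
    ("Mac-mini", "slack", "/Applications/Slack copy.app", 1),
    ("jordan", "https", "/Applications/Safari.app", 1),
    ("jordan", "zzupdater", "/Users/jordan/Library/Helper.app", 1),
    ("Conference-Room-Zoom", "slack", "/Applications/Schlack.app", 0),  # disabled
]

# Assumed policy for this example: the handler an admin expects per well-known scheme.
EXPECTED_HANDLERS = {
    "slack": "/Applications/Slack.app",
    "https": "/Applications/Safari.app",
}

# Enabled rows only; a known scheme with a different handler is a takeover candidate,
# a scheme absent from the policy is unreviewed and worth a look.
AUDIT_SQL = """
SELECT s.device_name, s.scheme, s.handler,
       CASE
         WHEN e.path IS NULL THEN 'unknown_scheme'
         ELSE 'unexpected_handler'
       END AS finding
FROM mac_app_schemes AS s
LEFT JOIN expected AS e ON e.scheme = s.scheme
WHERE s.enabled = 1
  AND (e.path IS NULL OR s.handler <> e.path)
ORDER BY s.device_name, s.scheme
"""


def audit_schemes(rows, expected):
    """Return (device_name, scheme, handler, finding) tuples for rows needing review."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mac_app_schemes "
                 "(device_name TEXT, scheme TEXT, handler TEXT, enabled INTEGER)")
    conn.execute("CREATE TABLE expected (scheme TEXT PRIMARY KEY, path TEXT)")
    conn.executemany("INSERT INTO mac_app_schemes VALUES (?, ?, ?, ?)", rows)
    conn.executemany("INSERT INTO expected VALUES (?, ?)", expected.items())
    try:
        return conn.execute(AUDIT_SQL).fetchall()
    finally:
        conn.close()


if __name__ == "__main__":
    for finding in audit_schemes(SAMPLE_ROWS, EXPECTED_HANDLERS):
        print(finding)
```

The same SELECT, minus the in-memory setup, can be pasted into Kolide's query editor once the expected-handler list is expressed as a table or inline VALUES clause.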
End-User Privacy Consideration
Kolide practices Honest Security. We believe that data should be collected from end-user devices transparently and with privacy in mind.
An employer with access to your app schemes can infer some of the apps you have installed on the device.
When you use Kolide to list Mac App Scheme data from end-user devices, Kolide gives the people using those devices insight into exactly what data is collected, the privacy implications, and who on the IT team can see the data. This all happens in our end-user privacy center which can be accessed directly by employees.