When using the web, you click on links which usually direct your browser
to a new URL. These URLs can look like http://jetblue.com. The part of the
URL that starts with http is called the scheme. Besides http and https,
there are many other types of schemes your computer can understand. In fact,
when you install new programs, they may register new schemes. For example,
people who have the Slack chat application installed can click on links that
start with slack://. If they do this, the Slack chat client will open and
potentially direct them to a specific workspace, channel, or DM conversation.
Kolide is able to enumerate these schemes and determine which program will normally open when a URL with that scheme is accessed.
Kolide's endpoint agent bundles in osquery to efficiently collect Mac App Schemes from Macs in your fleet. Once collected, Kolide will parse, clean up, and centrally store this data in Inventory for your team to view, query, or export via API.
Kolide meticulously documents every piece of data returned so you can understand the results.
- Unique identifier for the object
- Device associated with the entry
- Display name of the device associated with the entry
- Application label for the handler
- Name of the scheme/protocol
- Time the row of data was first collected in the database
- Time the row of data was last changed in the database
Kolide enables you to write your own queries against the data the agent collects. This allows you to build your own reports and API endpoints. For example, you can:
```sql
SELECT
  device_id,
  device_name,
  -- 'true' when the enabled slack:// handler is the standard Slack.app
  MAX(CASE WHEN scheme = 'slack' AND handler = '/Applications/Slack.app' AND enabled = 'true'
           THEN 'true' ELSE 'false' END) AS default_slack_enabled,
  -- whichever handler is currently enabled for slack://
  MAX(CASE WHEN scheme = 'slack' AND enabled = 'true' THEN handler END) AS slack_registered_handler
FROM mac_app_schemes
WHERE scheme = 'slack'
GROUP BY device_id, device_name
```
|/Applications/Slack 12.13.24 PM.app
Since new apps can register new schemes simply by being downloaded, it's important that administrators can audit this portion of your system to look for the following:
- Suspicious apps that have taken over schemes where they are likely an undesirable choice (ex: any app other than Slack taking responsibility over slack://)
- Registration of schemes that are not well known and could be a vector for a future attack
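
Both audit checks above can be run as queries. The following is an added example, not Kolide's own code: it loads constructed rows into an in-memory SQLite table that mirrors the `mac_app_schemes` columns used in the query on this page. The `expected_handlers` allowlist, the `acmechat` and `xq-sync` schemes, and the device names are hypothetical, and SQLite stands in for whatever SQL dialect your inventory uses.

```python
import sqlite3

# Constructed sample rows: (device_id, device_name, scheme, handler, enabled).
# Column names and the 'true'/'false' text values follow the page's query.
ROWS = [
    (1, "mac-alpha", "slack", "/Applications/Slack.app", "true"),
    (2, "mac-bravo", "slack", "/Applications/Slack 12.13.24 PM.app", "true"),
    (2, "mac-bravo", "slack", "/Applications/Slack.app", "false"),
    (3, "mac-charlie", "slack", "/Applications/Slack.app", "true"),
    (1, "mac-alpha", "acmechat", "/Applications/AcmeChat.app", "true"),
    (2, "mac-bravo", "acmechat", "/Applications/AcmeChat.app", "true"),
    (3, "mac-charlie", "xq-sync", "/Users/c/Downloads/XQ Sync.app", "true"),
]
# Hypothetical allowlist: scheme -> handler the administrator expects to own it.
EXPECTED = [("slack", "/Applications/Slack.app"),
            ("acmechat", "/Applications/AcmeChat.app")]

# Check 1: a known scheme whose enabled handler is not the expected app.
UNEXPECTED_HANDLER = """
SELECT s.device_name, s.scheme, s.handler
FROM mac_app_schemes s JOIN expected_handlers e ON e.scheme = s.scheme
WHERE s.enabled = 'true' AND s.handler <> e.handler
ORDER BY s.device_name, s.scheme"""

# Check 2: schemes outside the allowlist that only a few devices register.
RARE_SCHEME = """
SELECT scheme, COUNT(DISTINCT device_id) AS devices, MIN(handler) AS sample_handler
FROM mac_app_schemes
WHERE scheme NOT IN (SELECT scheme FROM expected_handlers)
GROUP BY scheme HAVING COUNT(DISTINCT device_id) <= ?
ORDER BY devices, scheme"""

def audit(rows=ROWS, expected=EXPECTED, max_devices=1):
    """Return (unexpected_handlers, rare_schemes) for the given inventory rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE mac_app_schemes (device_id INTEGER, device_name TEXT,"
               " scheme TEXT, handler TEXT, enabled TEXT)")
    db.execute("CREATE TABLE expected_handlers (scheme TEXT PRIMARY KEY, handler TEXT)")
    db.executemany("INSERT INTO mac_app_schemes VALUES (?, ?, ?, ?, ?)", rows)
    db.executemany("INSERT INTO expected_handlers VALUES (?, ?)", expected)
    unexpected = db.execute(UNEXPECTED_HANDLER).fetchall()
    rare = db.execute(RARE_SCHEME, (max_devices,)).fetchall()
    db.close()
    return unexpected, rare

if __name__ == "__main__":
    for label, found in zip(("unexpected handler", "rare scheme"), audit()):
        for row in found:
            print(label + ":", row)
```

Raising `max_devices` widens the rare-scheme check; what counts as "not well known" depends on fleet size and is a judgment call for the administrator.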
Kolide practices Honest Security. We believe that data should be collected from end-user devices transparently and with privacy in mind.
An employer with access to your app schemes can get some insight into some of the apps you may have installed on the device.
When you use Kolide to list Mac App Scheme data from end-user devices, Kolide gives the people using those devices insight into exactly what data is collected, the privacy implications, and who on the IT team can see the data. This all happens in our end-user privacy center which can be accessed directly by employees.