How to List Package Install History Across All Macs
Using Kolide, you can easily view and query Mac Package Install History across your fleet.
Introduction
Devices running macOS keep a record of all software installed on the device including but not limited to:
- Installed Applications
- Software updates
- Configuration/definition updates for built-in macOS security tools like XProtect, Gatekeeper and Malware Removal Tool (MRT)
This information can be viewed in the macOS GUI by following the steps below:
- Open the Apple Menu by clicking the Apple icon at the top left of your screen
- In the dropdown menu, click the item labeled About this Mac
- In the dialog window that appears, click the button labeled: System Report
- In the System Report window, in the left-hand sidebar, scroll down to the section labeled Software and click the item labeled Installations
For more information about the macOS System Report tool, please refer to the official Apple Support documentation: About System Information on your Mac
What Mac Package Install History Data Can Kolide Collect?
Kolide's endpoint agent bundles in osquery to efficiently collect Mac Package Install History from Macs in your fleet. Once collected, Kolide will parse, clean up, and centrally store this data in Inventory for your team to view, query, or export via API.
Kolide meticulously documents every piece of data returned so you can understand the results.
Mac Package Install History Schema
| Column | Type | Description | |
|---|---|---|---|
| id | Primary Key |
Unique identifier for the object |
|
| device_id | Foreign Key |
Device associated with the entry |
|
| device_name | Text |
Display name of the device associated with the entry |
|
| installed_at | Timestamp |
The time the package was installed |
|
| name | Text |
The display name of the installed package |
|
| package_content_type | Text |
The package's content type (optional) |
|
| package_id | Text |
The unique label / package identifier |
|
| package_source | Enum::Text |
The installation source of the package Can be one of the following:
|
|
| version | Text |
The text representation of the version |
|
| version_major | Bigint |
|
|
| version_minor | Bigint |
|
|
| version_patch | Bigint |
|
|
| version_subpatch | Bigint |
|
|
| version_pre | Text |
|
|
| version_build | Text |
|
|
| collected_at | Timestamp |
Time the row of data was first collected in the database |
|
| updated_at | Timestamp |
Time the row of data was last changed in the database |
|
Why Should I Collect Mac Package Install History?
Reviewing the software installation history of your device can be a helpful procedure when attempting to do a variety of tasks, including but not limited to:
- Verifying/auditing the successful installation of required software (including when it was installed)
- Verifying the regular successful update of built-in macOS security services (XProtect, Gatekeeper, MRT)
- Verifying/Identifying when particular software updates were installed.
- Reviewing when potentially malicious software was installed on a device.
End-User Privacy Consideration
Kolide practices Honest Security. We believe that data should be collected from end-user devices transparently and with privacy in mind.
Software installation history provides basic information (date of installation, version, name) about software installed on your device. This could potentially include software used for personal or sensitive reasons, for example:
- eCigarette-Vaporizer-Control.app
- Adult-Toy-Control.app
- Fertility-Window-Tracker.app
- Torrenting-Software.app
When you use Kolide to list Mac Package Install History data from end-user devices, Kolide gives the people using those devices insight into exactly what data is collected, the privacy implications, and who on the IT team can see the data. This all happens in our end-user privacy center which can be accessed directly by employees.
