View Other Properties

Contents

View Other Properties

How to List Safari Extensions Across All Macs

Using Kolide, you can easily view and query Mac Safari Extensions across your fleet.

Introduction

Safari provides the ability to extend the core functionality of the browser via the installation of 'extensions'. Extensions may be published by Apple or by 3rd party authors, and can be distributed by being bundled with Apps or downloaded directly from the Apple App Store.

Kolide collects metadata about Safari Extensions such as their name, their publisher, their version, and whether they are enabled. Kolide does not collect any data for legacy Safari Extensions used in Safari 11 or prior.

For more information about Safari extensions please consult the following links:

What Mac Safari Extension Data Can Kolide Collect?

Kolide's endpoint agent bundles in osquery to efficiently collect Mac Safari Extensions from Macs in your fleet. Once collected, Kolide will parse, clean up, and centrally store this data in Inventory for your team to view, query, or export via API.

Kolide meticulously documents every piece of data returned so you can understand the results.

Mac Safari Extensions Schema

Column Type Description
id Primary Key

Unique identifier for the object

device_id Foreign Key

Device associated with the entry

device_name Text

Display name of the device associated with the entry

app_store_icon_url Text

The App Store url of the icon

app_store_latest_version Text

The latest version available for this extension in the App Store

app_store_latest_version_released_at Timestamp

The time the latest version was released for this extension in the App Store

app_store_report Jsonb

The raw JSON response from Apple App Store API

app_store_updated_at Timestamp

The freshness of Apple App Store data associated with this extension

bundle_identifier Text

The bundle_identifier of the .appex file associated with the extension

copyright Text

A developer provided copyright notice

description Text

A developer provided description

enabled Boolean

true if extension is enabled otherwise false or NULL if unknown

extension_type Enum::Text

The type of Safari extension

Can be one of the following:

  • app - An extension bundled with an existing App
  • web - An extension built using the Web Extension API and distributed in the App Store
has_injected_content Boolean

true if extension able to inject HTML, JS, or CSS into a third-party page otherwise false or NULL if unknown

Note on data collection: This value is only available for extensions where mac_safari_extensions.extension_type is app

installed_at Timestamp

The time the Safari extension was installed/added

mac_app_id Foreign Key

The Mac App associated with the extension

name Text

The name of the Safari extension as shown in the Safari UI

permissions Text[]

The permissions required by the Safari extension. MDN Extension Permissions Reference

Note on data collection: This value is only available for extensions where mac_safari_extensions.extension_type is web

team_identifier Text

The team signing identifier sealed into the extension signature

uid Bigint

The uid of the user paired with the Safari installation for this extension

unique_id Text

The bundle_identifier of the extensions concatenated with the user paired with the Safari installation

username Text

The username of the user paired with the Safari installation for this extension

version Text

The text representation of the version

version_major Bigint

version's semver major version (ex: 4.2.1 would yield 4)

version_minor Bigint

version's semver minor version (ex: 4.2.1 would yield 2)

version_patch Bigint

version's semver patch version (ex: 4.2.1 would yield 1)

version_subpatch Bigint

version's numeric status fourth position number (ex: 4.2.1.6 would yield 6)

version_pre Text

version's semver pre-release version (ex: 1.2.3-prerelease+build would yield pre-release)

version_build Text

version's semver build version (ex: 1.2.3-prerelease+build would yield build)

collected_at Timestamp

Time the row of data was first collected in the database

updated_at Timestamp

Time the row of data was last changed in the database

What Can You Do With This Information?

Kolide enables you to write your own queries against the data the agent collects. This allows you to build your own reports and API endpoints. For example, you can:

Search for installations of browser extension by name (1Password)
Kolide SQL
WITH 
collated_extensions AS (
  SELECT
    device_id,
    browser_type AS browser,
    uid, 
    name, 
    identifier, 
    version, 
    '' AS profile
  FROM device_chrome_extensions
  UNION ALL
  SELECT
    device_id,
    'firefox' AS browser,
    uid, 
    name, 
    identifier, 
    version, 
    '' AS profile
  FROM device_firefox_addons
  UNION ALL
  SELECT
    device_id,
    'safari' AS browser,
    uid, 
    name, 
    team_identifier AS identifier, 
    version, '' AS profile
  FROM mac_safari_extensions
  )
  SELECT 
    COUNT(*) AS install_count, 
    name, 
    browser, 
    identifier, 
    version 
  FROM collated_extensions 
  WHERE name ILIKE '%1password%'
  GROUP BY identifier, name, browser, version
  ORDER BY install_count DESC
  LIMIT 10
Example Results
name browser version identifier install_count
1Password – Password Manager chrome 2.3.4 aeblfdkhhhdcdjpifhhbdiojplfjncoa 27
1Password extension (desktop app required) chrome 4.7.5.90 aomjjhallfgjeglblehebfpbcfeobpgk 11
1Password – Password Manager chrome 2.3.3 aeblfdkhhhdcdjpifhhbdiojplfjncoa 8
1Password – Password Manager chrome 2.3.2 aeblfdkhhhdcdjpifhhbdiojplfjncoa 8
1Password safari 7.9.5 2BUA8C4S2C 8
1Password safari 7.9.2 2BUA8C4S2C 7
1Password – Password Manager firefox 2.3.3 {d634138d-c276-4fc8-924b-40a0ea21d284} 4
1Password safari 7.8 2BUA8C4S2C 4
1Password beta (desktop app required) chrome 4.7.6.2 phicbbndgmmpogmijjkbmdhpioaieaha 4
1Password for Safari safari 2.2.3 2BUA8C4S2C 3

Why Should I Collect Mac Safari Extensions?

Due to the high-value of a user's browser activity, Safari is a frequent target of malicious extension authors who wish to obtain secure details about an end-user (eg. sites they visit, credit cards they use, etc.) and its extension configuration should be regularly audited to ensure that they are not at risk of attack.

Safari extension installations are cataloged and tracked to facilitate a number of potential purposes, for example:

  • Reviewing installed extensions to verify the desired configuration of Safari (eg. 1Password extension is installed)
  • Discovering potential malicious extensions

End-User Privacy Consideration

Kolide practices Honest Security. We believe that data should be collected from end-user devices transparently and with privacy in mind.

Safari Extensions which you install could reveal suggestive details about your personal browsing habits if they are named after a specific service you utilize. For example:

  • eBay Bid Sniper
  • Adult Website Video Downloader
  • Netflix Region Unblocker
  • Safari BitCoin Miner

When you use Kolide to list Mac Safari Extension data from end-user devices, Kolide gives the people using those devices insight into exactly what data is collected, the privacy implications, and who on the IT team can see the data. This all happens in our end-user privacy center which can be accessed directly by employees.

Share this story:

Related Device Properties:

New
Chrome Extensions
google, software, web-browsers, extensions
New
Firefox Add-ons
mozilla, software, web-browsers, extensions
New
VSCode Extensions
software, extensions, ide, developers
View full list of Kolide's Device Properties
Book A Demo
Book A Demo