How to List Location Services Authorized Apps Across All Macs

Using Kolide, you can easily view and query Mac Location Services Authorized Apps across your fleet.

Introduction

Location Services is a configurable preference on macOS, found in the Security & Privacy preference pane. It provides both a global switch (Location Services enabled/disabled) and granular control over the individual services and software that can interact with the Location Services API on your device.

This inventory captures the per-application permissions configured under Location Services, including which apps have requested location permissions, which have been granted, and when they last collected location information from your device.

For more information about macOS Location Services refer to the official Apple support documentation: Manage which apps can detect your Mac location

What Mac Location Services Authorized App Data Can Kolide Collect?

Kolide's endpoint agent bundles in osquery to efficiently collect Mac Location Services Authorized Apps from Macs in your fleet. Once collected, Kolide will parse, clean up, and centrally store this data in Inventory for your team to view, query, or export via API.

Kolide meticulously documents every piece of data returned so you can understand the results.

Mac Location Services Authorized Apps Schema

| Column | Type | Description |
|---|---|---|
| id | Primary Key | Unique identifier for the object |
| device_id | Foreign Key | Device associated with the entry |
| device_name | Text | Display name of the device associated with the entry |
| authorized | Boolean | true if this app is authorized to use Location Services; else false |
| bundle_identifier | Text | The bundle ID associated with the authorized app |
| hidden | Boolean | true if this app is hidden in the Location Services tab of the Security & Privacy section of System Preferences; else false |
| location_time_started | Timestamp | The precise time this app started requesting data from the Location Services API. Note: location_time_started will be NULL for apps and services that are no longer collecting location data. |
| location_time_stopped | Timestamp | The precise time this app stopped requesting data from the Location Services API. Note: If location_time_stopped is NULL and the start time is not NULL, then location collection is still ongoing. |
| path | Text | The registered_path or the execution_path (if registered_path is NULL) of the authorized binary. |
| requirement | Text | A TCC style requirement string describing the authorized app. |
| collected_at | Timestamp | Time the row of data was first collected in the database |
| updated_at | Timestamp | Time the row of data was last changed in the database |

What Can You Do With This Information?

Kolide enables you to write your own queries against the data the agent collects. This allows you to build your own reports and API endpoints. For example, you can:

Review non-Apple software with location services authorization

Kolide SQL

```sql
WITH
location_authorizations AS (
  -- Count the devices on which each non-Apple bundle ID is authorized
  SELECT 
    bundle_identifier,
    COUNT(*) AS authorized_count
  FROM mac_location_services_authorized_apps 
  WHERE bundle_identifier NOT ILIKE 'com.apple%'
  AND authorized = TRUE
  GROUP BY bundle_identifier
  )
-- Attach the app name; the GROUP BY collapses duplicate mac_apps matches
SELECT 
  authorized_count AS authorized_devices_count,
  ma.name AS app_name
FROM location_authorizations
LEFT JOIN mac_apps ma USING(bundle_identifier)
GROUP BY authorized_devices_count, bundle_identifier, ma.name
ORDER BY authorized_devices_count DESC
```

Example Results

| app_name | authorized_devices_count |
|---|---|
| Google Chrome.app | 4 |
| 85C27NK92C.com.flexibits.fantastical2.mac.helper.app | 3 |
| Fantastical.app | 3 |
| Firefox.app | 3 |
| Firefox Beta.app | 3 |
| Firefox ESR.app | 3 |
| Discord.app | 1 |
| Flux.app | 1 |

Review common applications which have been denied location services authorization

Kolide SQL

```sql
WITH
location_authorizations AS (
  -- Per bundle ID, count the devices that denied and that authorized it
  SELECT 
    bundle_identifier,
    COUNT(*) FILTER (WHERE authorized = FALSE) AS devices_denied,
    COUNT(*) FILTER (WHERE authorized = TRUE) AS devices_authorized
  FROM mac_location_services_authorized_apps
  WHERE bundle_identifier NOT LIKE 'com.apple%'
  GROUP BY bundle_identifier
)
-- Attach the app name; the GROUP BY collapses duplicate mac_apps matches
SELECT 
  devices_denied,
  devices_authorized,
  ma.name AS app_name
FROM location_authorizations
LEFT JOIN mac_apps ma USING(bundle_identifier)
GROUP BY devices_authorized, devices_denied, bundle_identifier, ma.name
ORDER BY devices_denied DESC
```

Example Results

| app_name | devices_denied | devices_authorized |
|---|---|---|
| Google Chrome.app | 40 | 4 |
| Visual Studio Code 2.app | 28 | 0 |
| Visual Studio Code 3.app | 28 | 0 |
| Visual Studio Code.app | 28 | 0 |
| Pop.app | 25 | 0 |
| Docker Desktop.app | 24 | 0 |
| Slack.app | 23 | 0 |

Check if Find My service has adequate location services authorization to function properly

Kolide SQL

```sql
-- Compare the per-app Find My authorization with the device-wide
-- Location Services switch
SELECT 
  mls.device_name, 
  authorized AS find_my_authorized,
  enabled AS location_services_global_state
FROM mac_location_services_authorized_apps mls
LEFT JOIN mac_location_services USING (device_id)
WHERE bundle_identifier = 'com.apple.findmy'
LIMIT 5;
```

Example Results

| device_name | find_my_authorized | location_services_global_state |
|---|---|---|
| Jessicas-MacBook-Air | true | false |
| balthazar | true | true |
| Amandas-MacBook-Pro | true | false |
| derrick-imac | false | false |
| Conference-Room-Zoom | true | true |

Why Should I Collect Mac Location Services Authorized Apps?

The collection of Location Services configuration information allows an administrator to see which applications on your device have permission to access your Mac's location information. This can be helpful for a variety of reasons, such as determining whether a malicious application is capable of harvesting location information about your Mac.
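
As an added example (not one of Kolide's own queries), the query below uses the schema's timestamp and hidden columns to list non-Apple apps that are authorized and still collecting location on each device, with a fleet prevalence count so rarely seen apps stand out. It assumes Kolide SQL accepts the same PostgreSQL-style syntax as the queries above, that enabled is a column of mac_location_services, and that bundle_identifier may be NULL for some entries.

```sql
-- Added example, not a Kolide-provided query.
-- Assumptions: PostgreSQL-style syntax as in the queries above; `enabled`
-- comes from mac_location_services; bundle_identifier can be NULL.
WITH fleet_prevalence AS (
  -- How many devices have authorized each bundle ID
  SELECT
    bundle_identifier,
    COUNT(DISTINCT device_id) AS authorized_devices
  FROM mac_location_services_authorized_apps
  WHERE authorized = TRUE
  GROUP BY bundle_identifier
)
SELECT
  mls.device_name,
  mls.bundle_identifier,
  mls.path,
  mls.requirement,                -- review alongside the bundle ID
  mls.hidden,
  mls.location_time_started,
  gs.enabled AS location_services_global_state,
  fp.authorized_devices
FROM mac_location_services_authorized_apps mls
LEFT JOIN mac_location_services gs ON gs.device_id = mls.device_id
LEFT JOIN fleet_prevalence fp ON fp.bundle_identifier = mls.bundle_identifier
WHERE mls.authorized = TRUE
  -- Keep rows with no bundle ID: NOT ILIKE alone would silently drop NULLs.
  -- 'com.apple.%' (trailing dot) avoids matching a constructed ID such as
  -- 'com.applesauce.x', which 'com.apple%' would exclude as if it were Apple's.
  AND (mls.bundle_identifier IS NULL
       OR mls.bundle_identifier NOT ILIKE 'com.apple.%')
  -- Schema note: start time set and stop time NULL means collection is ongoing
  AND mls.location_time_started IS NOT NULL
  AND mls.location_time_stopped IS NULL
ORDER BY
  mls.hidden DESC,                        -- hidden entries first
  fp.authorized_devices ASC NULLS FIRST,  -- rare across the fleet first
  mls.location_time_started ASC;          -- longest-running collection first
```

A bundle ID is declared by the app itself, so a com.apple. prefix does not establish Apple origin on its own; the requirement column is the field to check when an entry looks out of place.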

End-User Privacy Consideration

Kolide practices Honest Security. We believe that data should be collected from end-user devices transparently and with privacy in mind.

This inventory does not capture location information, only the state and configuration of apps which have requested location services permissions.

When you use Kolide to list Mac Location Services Authorized App data from end-user devices, Kolide gives the people using those devices insight into exactly what data is collected, the privacy implications, and who on the IT team can see the data. This all happens in our end-user privacy center, which employees can access through their Slack or Google Workspace account.
