View Other Properties


View Other Properties

How to List Package Install History Across All Macs

Using Kolide, you can easily view and query Mac Package Install History across your fleet.


Devices running macOS keep a record of all software installed on the device including but not limited to:

  • Installed Applications
  • Software updates
  • Configuration/definition updates for built-in macOS security tools like XProtect, Gatekeeper and Malware Removal Tool (MRT)

This information can be viewed in the macOS GUI by following the steps below:

  1. Open the Apple Menu by clicking the Apple icon at the top left of your screen
  2. In the dropdown menu, click the item labeled About this Mac
  3. In the dialog window that appears, click the button labeled: System Report
  4. In the System Report window, in the left-hand sidebar, scroll down to the section labeled Software and click the item labeled Installations

For more information about the macOS System Report tool, please refer to the official Apple Support documentation: About System Information on your Mac

What Mac Package Install History Data Can Kolide Collect?

Kolide's endpoint agent bundles in osquery to efficiently collect Mac Package Install History from Macs in your fleet. Once collected, Kolide will parse, clean up, and centrally store this data in Inventory for your team to view, query, or export via API.

Kolide meticulously documents every piece of data returned so you can understand the results.

Mac Package Install History Schema

Column Type Description
id Primary Key

Unique identifier for the object

device_id Foreign Key

Device associated with the entry

device_name Text

Display name of the device associated with the entry

installed_at Timestamp

The time the package was installed

name Text

The display name of the installed package

package_content_type Text

The package's content type (optional)

package_id Text

The unique label / package identifier

package_source Enum::Text

The installation source of the package

Can be one of the following:

  • appstoreagent - Installed via the AppStore
  • softwareupdated - Installed via the Software Update service
  • installer - Installed via a third-party installer
version Text

The text representation of the version

version_major Bigint

version's semver major version (ex: 4.2.1 would yield 4)

version_minor Bigint

version's semver minor version (ex: 4.2.1 would yield 2)

version_patch Bigint

version's semver patch version (ex: 4.2.1 would yield 1)

version_subpatch Bigint

version's numeric status fourth position number (ex: would yield 6)

version_pre Text

version's semver pre-release version (ex: 1.2.3-prerelease+build would yield pre-release)

version_build Text

version's semver build version (ex: 1.2.3-prerelease+build would yield build)

collected_at Timestamp

Time the row of data was first collected in the database

updated_at Timestamp

Time the row of data was last changed in the database

Why Should I Collect Mac Package Install History?

Reviewing the software installation history of your device can be a helpful procedure when attempting to do a variety of tasks, including but not limited to:

  • Verifying/auditing the successful installation of required software (including when it was installed)
  • Verifying the regular successful update of built-in macOS security services (XProtect, Gatekeeper, MRT)
  • Verifying/Identifying when particular software updates were installed.
  • Reviewing when potentially malicious software was installed on a device.

End-User Privacy Consideration

Kolide practices Honest Security. We believe that data should be collected from end-user devices transparently and with privacy in mind.

Software installation history provides basic information (date of installation, version, name) about software installed on your device. This could potentially include software used for personal or sensitive reasons, for example:


When you use Kolide to list Mac Package Install History data from end-user devices, Kolide gives the people using those devices insight into exactly what data is collected, the privacy implications, and who on the IT team can see the data. This all happens in our end-user privacy center which can be accessed directly by employees.

Share this story:

Related Device Properties:

Mac Apps
apps, software
Linux RPM Packages
centos, rpm, software, packages
Linux Debian Packages
debian, software, packages
View full list of Kolide's Device Properties
Book A Demo
Book A Demo