The Kolide Agent

The Kolide Agent

Need Help?
Looking for installation/removal instructions or troubleshooting tips? Read Using Kolide - Agent.

Overview

The Kolide agent (also referred to as Kolide Launcher Agent) allows the Kolide service to communicate with Mac, Windows, and Linux devices. This article describes the agent’s capabilities and architecture across all of Kolide’s supported platforms.

Supported Platforms

Kolide ships and supports agent installers for macOS, Windows, RPM-based Linux, and Debian-based Linux.

Platform Min Version Latest Version Notes
macOS macOS 11 - Big Sur macOS 14 - Sonoma
Windows Windows 10 Windows 11 ARM support is not available
Linux (See Linux Support Notes) (See Linux Support Notes) ARM support is not available

Linux Support Notes:
Kolide offers official Debian and RPM installers for Linux-based operating systems. Kolide engineers test new releases of its agent against the last 2 LTS versions of Ubuntu and the latest version of Red Hat Enterprise Linux (RHEL) using both KDE and GNOME backed by X11 and Wayland.

Unless otherwise noted, when Kolide claims support for a specific platform, it means:

  • The installation packages work as expected.
  • The agent persists itself across restarts.
  • The uninstall process works.
  • The menu bar app appears in the system tray and all the items work.
  • The menu bar app can display system notifications to the end-user.
  • The device trust local server operates as expected.
  • The agent’s automatic update process works correctly.
  • The osquery daemon interacts with the Kolide service correctly.
  • Kolide official Checks work correctly.

Note:
Kolide’s agent is designed with resiliency in mind. In practice, this means Kolide will likely function below the minimum tested versions listed above. With that said, Kolide does not test changes in the agent outside of the versions listed in the table above, so if you do use Kolide on an unsupported platform, please proceed at your own risk.

Components

While Kolide’s agent is shipped in a single installer, it’s really a collection of technologies, each enabling different features and experiences within the Kolide service.

Osquery and Osquery Extension

Kolide’s service requires regularly updated information about a device’s current posture. To achieve this, the Kolide agent installs and persists a fully functional osquery daemon that directly interacts with the Kolide service. On macOS, Kolide ships Osquery’s official app bundle which is imbued with Apple’s Endpoint Security entitlement, allowing customers to use osquery’s process event monitoring and file monitoring features on the Mac.

In addition, Kolide also includes an osquery extension that registers new virtual tables that provide additional device information that osquery cannot obtain otherwise.

Note:
For more information about Kolide’s osquery extensions, including source code for the virtual tables, visit GitHub.

All components of osquery are kept up-to-date using the agent’s Automatic Update Capabilities.

Kolide’s agent includes a Menu Bar application that serves as an indicator of the current device’s registration status and health.

An example screenshot of Kolide’s Menu Bar application

In addition to displaying device health, the app is also capable of sending on-device notifications that inform end-users about any changes in their registration status or device health.

Updater

Kolide’s agent is capable of updating any of its components via a secure and automatic update system.

Updater adheres to The Update Framework (TUF) specification. Kolide uses a mirror like Google Cloud Storage to store update targets, and the agent uses the Golang implementation of TUF to ensure that targets have not been tampered with.

Local Server

The Kolide agent includes a web server that is only accessible via the local loopback interface (127.0.0.1) on a high-numbered port. Kolide uses this web server to identify devices accessing the service via a web browser and to issue commands to change the agent’s behavior (e.g., asking the agent to check in more frequently for 5 minutes).

Kolide uses public-key authenticated encryption to encrypt and sign confidential messages between the Kolide Service and the Kolide Agent (specifically libsodium’s crypto_box). For more information, please read About Kolide - Device Trust Architecture.

Network Communication

The Kolide agent connects to several HTTPS endpoints that together make up the Kolide service. All outbound communication across the internet is on port 443.

The list of domains (last changed 2023-11) is:

  • k2device.kolide.com
  • k2control.kolide.com
  • notary.kolide.co
  • dl.kolide.co
  • tuf.kolide.com
  • ingest.kolide.com

Additional Hosts for macOS Connectivity:
All modern versions of macOS check package and binary signatures for validity. This may require contacting Apple servers. For more information, including best practices for network administrators, please see Apple’s official documentation.