Home / Admins / Apps

Apps

Overview

The Apps feature helps Kolide administrators discover and protect work-related web applications used by employees, across their organization.

App Discovery aggregates data from usage sources such as browser activity and desktop app installations to identify which web apps employees commonly use and where company data may be stored.
Extended Device Compliance allows administrators to notify end-users about device health issues, and impede access to work-related apps (whether or not they support SSO) via the 1Password Browser Extension.
Managed App Instances allows administrators to protect individual Google Workspace SAML SSO configured applications, and ensures only devices that are known and secure can authenticate.

Web App Discovery is only available for customers who are subscribed to a version of Kolide with Extended Device Compliance. To learn more of how you can obtain this functionality Contact Kolide Support.

When you click Apps in the navigation menu, you are taken to the Discovered tab of the Web Apps page, which provides an overview of apps Kolide has detected usage of by your team members. The Discovered apps page is like an inbox; as you reason about the apps Kolide finds, you can move them from their initial status of Discovered, to Accepted, Rejected, or Ignored.

On the overview page you can:

Review a list of all apps Kolide has discovered usage of across your organization.
Find unfamiliar apps and learn what they might be used for.
Determine popularity of discovered apps by the number of people using them.
Review apps’ Data Risk scores to evaluate which apps represent the greatest concern.
Assign a Status, or configure Extended Device Compliance for one or many applications at a time, when clicking the checkbox next to an app’s name.

The Discovered Web Apps page in Kolide showing examples of apps that have been detected.

From the Discovered apps overview, you can click on any individual app to open its detail page. This detail page provides a description of the app, suggestions about the types of data it may process and store, and a detailed breakdown of its usage across your employees, such as how often it is used and when each employee last used it.

How usage is determined

Kolide determines web app usage through on-device queries run by its agent. These queries retrieve a count of total visits the end-user has made to work-related web apps in their browser, and also detect installations of companion desktop apps (e.g., Grammarly Desktop). Kolide ensures app discovery preserves your employees’ privacy by limiting what data is collected, and scoping that collection to only apps belonging to a pre-defined list of work-related web apps.

Kolide detected usage information is an estimate only. It does not capture browser visits that are made via Private Browsing or Incognito sessions. It will also not report any visits made that were subsequently cleared from the browser’s history.

For more information about how Kolide limits its data collection to preserve employee privacy, read more at: 1Password Support - Extended Device Compliance.

Assigning a Status to a Web App

Apps can be assigned one of four statuses: Discovered, Accepted, Rejected, and Ignored.

When usage of an app is first detected, it will be automatically marked as Discovered (unless it has been preconfigured as another status). Apps that have not yet been discovered, can be preconfigured with a status of Accepted, Ignored, or Rejected, via the Configure an App… button at the top right of the page.

To set a status for an app, you can use checkboxes to select apps in the list overview and configure their status using the Set a Status dropdown. Alternatively, you can click into an individual app’s detail page, then select the Mark App As dropdown.

You can choose one of the four following statuses:

⚪ Discovered: Web apps your team members are using that match Kolide’s pre-defined list of business-related apps. You can review discovered apps and choose if you want to protect them with Device Trust. (Only apps with discovered usage can be set to this status.)
🟢 Accepted: When you turn on Device Trust for an app, it will be automatically marked Accepted. Marking an app Accepted does not automatically turn on Device Trust.
⚫ Ignored: If you don’t want an app to appear in your Discovered apps list, but don’t want to accept or reject it right now, select Ignored. The app will be moved to the Ignored apps list on the Web Apps page.
🔴 Rejected: If you aren’t interested in adding Device Trust to an app, select Rejected. When you mark an app Rejected, Device Trust is automatically turned off for that app.

App Data Risk

Each web app has an associated data risk level. You can sort by data risk to quickly identify which apps may be important to protect with Device Trust. Kolide uses the following labels to categorize data risk:

Data Risk level	Description
1: Non-sensitive data	Publicly available, minimal risk
2: Low sensitivity	Basic internal data, general operations
3: Moderate sensitivity	Internal business data, non-critical personal data like names or emails
4: High sensitivity	Intellectual property, customer data, significant impact if exposed
5: Critical sensitivity	Financial records, PII, legal documents, or anything that could cause major business harm

Privacy Center

As part of the Discovered Apps feature, end-users will see a “Web App Activity" section in their End User Portal - Privacy Center.

The Web App Activity section shows the end-user which web apps usage information is collected for. Kolide defines 200+ work-related web apps, and only collects usage metrics related to those specified apps. The pre-defined list of apps cannot be expanded or changed by an administrator with Kolide access. New apps are only added by changing the Kolide source code, which is subject to rigorous code review.

Access the Privacy Center by selecting your profile in the top-right corner of Kolide, then selecting My Device. Next, select the security camera icon. You can also follow the link below:

Visit Your Privacy Center.

Extended Device Compliance

Premium Feature:

This feature is only available for customers who are subscribed to a version of Kolide with Extended Device Compliance. To learn more of how you can obtain this functionality Contact Kolide Support.

Requirements

This feature is currently in Early Access Preview, and has the following requirements:

Requires a 1Password Business Account
Requires the Nightly version of the 1Password browser extension in a Chrome-based web browser (eg. Google Chrome, Chromium, Microsoft Edge, Brave, Arc, etc.).
For more information about configuration requirements, and testing Extended Device Compliance, see our Extended Device Compliance Quick Start Guide.

Overview

Extended Device Compliance allows you to extend device health checks to the non-SSO managed and unmanaged web applications your employees are using for work.

When your team members attempt to access protected web apps, the 1Password browser extension checks their device health using Kolide, and provides self-serve remediation instructions for any failing Checks directly within the browser. If failing Checks are not resolved on a device, within a specified time frame, the 1Password browser extension will obscure the underlying page, impeding access to the app, until the user has fixed the problem.

Note:

Extended Device Compliance is a “soft-block” that acts more like a guardrail than an access management solution. Motivated end-users can work around the blocking behavior by disabling the 1Password browser extension, or opening the app in a different browser.

Unlike Kolide’s Device Trust Connect product which blocks access at the time of authentication, Extended Device Compliance will interrupt and block access to protected apps, even if the end-user is already signed in.

Enabling Extended Device Compliance can be accomplished on an individual app by using the Extended Device Compliance toggle, or via mass actions on the Web Apps index page using the checkboxes and “Set Extended Device Compliance” button.

Extended Device Compliance can be enabled for a single app, or for multiple apps at a time.

Once Extended Device Compliance has been enabled for an app, it will block or interrupt access based on the Blocking strategy configured for any of the failing Checks detected.

Notification States

There are 3 different user visible states that can be encountered when failing a Check.

Notify Only - A pop-over notification is shown in the top right of the active tab, informing the end-user that they have an issue with their device. The webpage underneath the pop-over is still visible and can be interacted with. The notification can be deferred without the user fixing the failing Check by clicking the button labeled Fix later.
Will Block - A pop-over notification is shown in the top right of the active tab, informing the end-user that their device will be blocked in x days, if they do not fix their failing Checks. The webpage underneath the notification is still visible and can be interacted with. The notification can be deferred without the user fixing the failing Check by clicking the button labeled Fix later.
Blocked - The webpage will be obscured by a blur overlay, and a pop-over notification will be shown in the top right of the active tab. The notification will inform the end-user that they cannot access the web app until they have fixed their failing device Checks.

Fixing Device Issues

Note:

If permitted in the Check’s remediation strategy configuration, a blocking Check may be “Snoozed” for a period of 8 hours, allowing the user to access the app without fixing the failing Check. Snoozing can be optionally disabled. Learn More about Snoozing a Check

When a user clicks an issue in the notification, they are taken to the Kolide End User Portal and shown details about the failing Check, as well as instructions for how to self-remediate the issue.

The Kolide End User Portal serves contextual fix instructions which guide end-users in self remediating issues on their device.

Once the failing Check has been resolved, the notification will update letting the end-user know that their device is “All good” and the notification can be dismissed. If the device has multiple failing Checks and only some are resolved, the notification will update to show the partial state of completion.

Managed App Instances

Premium Feature:

This feature is is unavailable for organizations that have purchased Device Trust Core. Contact Kolide Support if you have questions about your plan, or wish to upgrade.

Note:

This feature is applicable only to applications managed by Google Workspace SSO. If your SSO provider is Microsoft Entra, or Okta, you can manage which applications are protected by Device Trust in your respective Entra or Okta admin interface.

Managed App Instances are individual configurations of Google SSO managed, SAML-compatible, web-apps, which can be protected with Device Trust.

When a Managed App Instance has been created and configured, end-users will have to complete an additional step when attempting to sign into that app. After entering their username and password, or providing their passkey, they’ll be redirected to Kolide Device Trust. Kolide will verify that the device is registered and passing all configured Checks before allowing the sign-in to complete.

It is important to note that there are two ways in which Device Trust can be configured with Google Workspace SSO:

Protect all Apps with Device Trust: This will put Device Trust in front of any app that you sign into using your Google Workspace SSO, including Google apps such as Gmail, Google Docs, etc..
Protect individual Apps with Device Trust: In this configuration you must create a Managed App Instance for each app you wish to protect. Managed App Instances cannot be created for Google apps (eg. Gmail, Google Docs, etc.) and as a result you cannot protect Google apps with Device Trust using this method.

Configuring a Managed App Instance

Configuring a Managed App Instance can be done using the preexisting templates in the Apps catalog, or by creating a new Custom App. Both methods are detailed below.

Step 1: Add an App

Add an App From the App Catalog

In Kolide, select the item labeled Apps in the top navigation.
Select + Add Application. If you’re an early access customer, select Configure an app.
Search or scroll to find the app you want to add, then select it.
Optionally edit the app’s name, description, icon.
Choose whether you want the application to be visible in the 1Password browser extension app launcher, or the Kolide End User Portal.
Select Next Step.

Add a Custom App

If the SAML app you want to create a managed instance for does not exist in Kolide’s app catalog, you can add it manually by following the steps below:

In Kolide, select the Apps tab.
Select + Add Application. If you’re an early access customer, select Configure an app.
Select Add Custom App.
Enter the name of the app. Optionally, add a description and custom icon.
Choose whether you want the application to be visible in the 1Password browser extension app launcher, or the Kolide End User Portal.
Select Next Step.

Step 2: Configure App Settings

To connect your app to Kolide, you’ll need to copy and paste configuration details between the two. If you’re adding an app from the App Catalog, select the Docs button to learn where to find your app’s configuration details. If you’re adding a custom app, check your app’s documentation. Configuration setting names can vary by app.

Provide Your App’s Configuration Details to Kolide

Copy the Entity ID from your app and paste it into the Entity ID field in Kolide.
Copy the ACS URL from your app and paste it into the ACS URL field in Kolide.
If your app’s Audience URI is the same as the Entity ID, leave the Audience URI field blank. If the Audience URI field is different from the Entity ID, copy the Audience URI from your app and paste it into the Audience URI field in Kolide.
Copy the Response Host (name of the service provider) from your app and paste it into the Response Host field.
If your app requires the SAML response to be signed for authentication, select the checkbox next to Sign Response Body. Check your app’s documentation or configuration requirements to determine if this setting is necessary.

Provide Kolide’s Configuration Details to Your App

Copy the Entity ID (Issuer) from Kolide and paste it into the Entity ID (Issuer) field in your app.
Copy the Sign On URL from Kolide and paste it into the Sign On URL field in your app.
Copy the Metadata URL from Kolide and paste it into the Metadata URL field in your app.
Copy the Signing Certificate from Kolide and paste it into the Signing Certificate field in your app.

Optional App Settings

If your app allows signing AuthnRequests or requires sending information like Name ID Format, Single Sign-On URL, or Logout URL, add them to the Optional Settings fields in Kolide.