How to List App Schemes Across All Macs

Using Kolide, you can easily view and query Mac App Schemes across your fleet.

Introduction

When you use the web, you click on links that usually direct your browser to a new URL. These URLs can look like https://google.com or http://jetblue.com. The leading part of the URL (https or http) is called the scheme.

Besides http and https, there are many other types of schemes your computer can understand. In fact, when you install new programs, they may register new schemes. For example, people who have the Slack chat application installed can click on links that start with slack://. If they do this, the Slack chat client will open and potentially direct them to a specific workspace, channel, or DM conversation.

Kolide is able to enumerate these schemes and determine which program will normally open when a URL with that scheme is accessed.

What Mac App Scheme Data Can Kolide Collect?

Kolide's endpoint agent bundles in osquery to efficiently collect Mac App Schemes from Macs in your fleet. Once collected, Kolide will parse, clean up, and centrally store this data in Inventory for your team to view, query, or export via API.

Kolide meticulously documents every piece of data returned so you can understand the results.

Mac App Schemes Schema

| Column | Type | Description |
|---|---|---|
| id | Primary Key | Unique identifier for the object |
| device_id | Foreign Key | Device associated with the entry |
| device_name | Text | Display name of the device associated with the entry |
| enabled | Boolean | true if this handler is the OS default, else false |
| external | Boolean | true if this handler does NOT exist on macOS by default, else false |
| handler | Text | Application label for the handler |
| protected | Boolean | true if this handler is protected (reserved) by macOS, else false |
| scheme | Text | Name of the scheme/protocol |
| collected_at | Timestamp | Time the row of data was first collected in the database |
| updated_at | Timestamp | Time the row of data was last changed in the database |

What Can You Do With This Information?

Kolide enables you to write your own queries against the data the agent collects. This allows you to build your own reports and API endpoints. For example, you can report on the following:

Non-Default Slack URL handler registered to open Slack links
Kolide SQL
SELECT device_id, device_name,
  MAX(CASE WHEN scheme = 'slack' AND handler = '/Applications/Slack.app' AND enabled = 'true' THEN 'true' ELSE 'false' END) AS default_slack_enabled,
  MAX(CASE WHEN scheme = 'slack' AND enabled = 'true' THEN handler END) AS slack_registered_handler
FROM mac_app_schemes
WHERE scheme = 'slack'
GROUP BY device_id, device_name
Example Results
| device_name | default_slack_enabled | slack_registered_handler |
|---|---|---|
| hannahs-imac | false | /Applications/Slack 2.app |
| Gemmas-MacBook-Pro | false | /Users/gemma/Downloads/Slack.app |
| Mac-mini | false | /Applications/Slack 12.13.24 PM.app |
| jordan | false | /Applications/Slack copy.app |
| Conference-Room-Zoom | false | /Applications/Schlack.app |

Why Should I Collect Mac App Schemes?

Since new apps can register new schemes simply by being downloaded, it's important that administrators can audit this portion of the system to look for the following:

  • Suspicious apps that have taken over schemes where they are likely an undesirable choice (ex: any app other than Slack taking responsibility over slack://)
  • Registration of schemes that are not well known and could be a vector for a future attack
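
An added example, not Kolide's own code: a query for the second audit above, listing externally registered, enabled schemes that appear on very few devices in the fleet. It assumes an in-memory SQLite stand-in for the mac_app_schemes table, with booleans stored as 'true'/'false' text as in the Slack query on this page; the sample rows, the max_devices threshold and the function names are constructed for illustration.

```python
import sqlite3

# Constructed sample rows (not real fleet data):
# (device_id, device_name, scheme, handler, enabled, external, protected)
SAMPLE_ROWS = [
    (1, "mac-01", "slack", "/Applications/Slack.app", "true", "true", "false"),
    (2, "mac-02", "slack", "/Applications/Slack.app", "true", "true", "false"),
    (3, "mac-03", "slack", "/Applications/Slack.app", "true", "true", "false"),
    (1, "mac-01", "zoommtg", "/Applications/zoom.us.app", "true", "true", "false"),
    (2, "mac-02", "zoommtg", "/Applications/zoom.us.app", "true", "true", "false"),
    (3, "mac-03", "examplesync", "/Users/sam/Downloads/ExampleSync.app", "true", "true", "false"),
    (2, "mac-02", "exampleold", "/Applications/ExampleOld.app", "false", "true", "false"),
    (1, "mac-01", "http", "/Applications/Safari.app", "true", "false", "false"),
]

# Schemes that do not ship with macOS (external), are the active handler
# (enabled), are not reserved by macOS, and are seen on at most :max_devices
# devices. Rare schemes are the ones worth a manual look.
RARE_SCHEMES_SQL = """
SELECT scheme,
       COUNT(DISTINCT device_id)       AS device_count,
       GROUP_CONCAT(DISTINCT handler)  AS handlers
FROM mac_app_schemes
WHERE external = 'true' AND enabled = 'true' AND protected = 'false'
GROUP BY scheme
HAVING COUNT(DISTINCT device_id) <= :max_devices
ORDER BY device_count, scheme
"""

def load_sample(conn):
    """Create the stand-in table and insert the constructed rows."""
    conn.execute(
        "CREATE TABLE mac_app_schemes (device_id INTEGER, device_name TEXT, "
        "scheme TEXT, handler TEXT, enabled TEXT, external TEXT, protected TEXT)"
    )
    conn.executemany("INSERT INTO mac_app_schemes VALUES (?,?,?,?,?,?,?)", SAMPLE_ROWS)

def rare_external_schemes(conn, max_devices=1):
    """Return (scheme, device_count, handlers) rows for rarely seen schemes."""
    return conn.execute(RARE_SCHEMES_SQL, {"max_devices": max_devices}).fetchall()

def audit_sample(max_devices=1):
    conn = sqlite3.connect(":memory:")
    load_sample(conn)
    return rare_external_schemes(conn, max_devices)

if __name__ == "__main__":
    for scheme, count, handlers in audit_sample():
        print(f"{scheme}:// on {count} device(s), handled by {handlers}")
```

Raising max_devices widens the net; the right threshold depends on fleet size.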

End-User Privacy Consideration

Kolide practices Honest Security. We believe that data should be collected from end-user devices transparently and with privacy in mind.

An employer with access to your app schemes can get some insight into some of the apps you may have installed on the device.

When you use Kolide to list Mac App Scheme data from end-user devices, Kolide gives the people using those devices insight into exactly what data is collected, the privacy implications, and who on the IT team can see the data. This all happens in our end-user privacy center, which can be accessed directly by employees.
