Go to Kolide
All Collections
Getting Started
Deploying the Kolide Installer to your organization

Deploying the Kolide Installer to your organization

Recommended best steps for distributing the Kolide installer package.
Fritz Ifert-Miller avatar
Written by Fritz Ifert-Miller. Updated over a week ago

Our implementation guide is here to help you quickly and easily set up your team with Kolide. After you've signed up for a fresh, new Kolide account, went through the Pre-Flight checklist (How fun was getting a report card? Did it make you feel like a kid again?), you're ready to share with your friends and colleagues.

Here are some suggestions based on a few common IT environments. For the sake of simplicity, we're going to be focusing on macOS in this article, however Windows and Linux are also supported. If there's something we don't cover here, or you have follow-up questions, click on the Intercom button below and start chatting with our team.

Deploying Kolide to your team can be done either directly through Slack or via an installation package if your team prefers to go direct. We'll start by covering how to distribute through Slack, but if you're looking for direct deployment instructions (MDM, Dropbox, etc.) feel free to skip down about halfway on this article.

Distributing through Slack

Deploying with the Kolide Slack app is the easiest way to get your team started. https://k2.kolide.com/1/onboarding

You can enable the Slack integration during pre-flight, or you can configure this in Inventory. This will propagate a list of your Slack users (including contractors).

Select the Onboarding tab:

There are a few ways you can onboard via Slack. The easiest way is to enable Automatic Onboarding (the image above shows that this is on, but this is not enabled by default). This will send a welcome message to your Slack team, along with steps on how to download the launcher agent and get started.

The other way to onboard is by selecting Slack users in your list manually, and clicking "Onboard via Slack". This will target the selected users only, giving you more control of who gets the Slack message. This is a great option if you want to deploy to only a few teammates at a time!

In both cases, here is a sample of what your users will see:

From here, they can select their launcher package and download it right from Slack!

You can track your team's progress in the onboarding page:

Another great feature is that you can customize the welcome message under "Review Onboarding Settings" by clicking "Configure Messages..."

Here, you can add additional instructions (like, "Contact Joe if you have questions or need help!"). Click Save when you're done. You can even send a Test message to yourself in Slack to see how this will look!

Distributing outside of Slack

The best way to deploy the Launcher if your team does not use Slack is by downloading and installing the package directly from the Downloads page. You can reach the Downloads page by clicking your Account avatar and navigating to Settings:

From here click on the Downloads item in the Sidebar:

Click on the download link for the OS of the device you want to enroll, the download will start automatically.

Now that you have the package downloaded, you can:

  • Distribute it via your MDM

  • Upload it to a local file server and share the location

  • Upload it to a sync & share service (Dropbox, Google Drive, etc.) and share a link 

  • Upload the installer as an attachment into your organization's Slack.

  • Put it on a USB drive and manually install on individual Macs

  • Deploy it en masse with Apple Remote Desktop

All of the above options require some degree of manual interaction from you as the admin. That's ok for smaller fleets, but doesn't necessarily scale well.

If you manage a larger fleet, chances are you are using a device management tool, such as Jamf or Munki, to automate your software installs. Each will have its own way of handling deployments, and we'll try to highlight a couple here (for the sake of simplicity, we will reference existing documentation where appropriate). You will need to grant Kolide full disk access when deploying and you can find an example custom configuration profile below.

For those using Jamf Pro: they have detailed documentation on how to upload and manage packages. In addition, you can find an excellent how-to video on deploying the package via policy here.

For Munki admins: because Munki is an open source project, you'll find a lot of community support resources, as well as differing opinions on how best to proceed. The official wiki can be found on Github. There is also an active Munki user and contributor community in the MacAdmins Slack.

Deploying via Fleetsmith: Fleetsmith does not currently support uploading custom packages. Because your Launcher is unique to your Kolide instance, that poses a problem. The solution - script it! Fleetsmith has the ability to deploy custom bash scripts to your macs, as described in this blog post. To deploy Kolide this way, you will need to:

  1. Upload a copy of your launcher.pkg to a secure but publicly available location. Note - as of writing this does not work with Google Drive, your mileage may vary.

  2. In Fleetsmith, select Apps & Settings > Custom Bash Script (Run Once), select or create a profile to which to add it (I'd suggest Global if you are enrolling your entire fleet), and paste in your script (example below).

This example places the package in /tmp  so that the it will be deleted on the next restart. You can choose to download the package to a different location, however you may want to update the script to delete it upon completion. 

Enabling Full Disk Access for MDM Deployment of Kolide

Kolide needs full disk access in order to assist with user-to-device association, identify evidence of plan text credentials, and to better inspect the system to understand the security of the device. If your organization uses MDM to manage its Macs, we have prepared a custom configuration profile that you can distribute that will grant the Kolide agent the correct permissions.

Please consult your MDM provider's documentation on how to correctly add the SystemPolicyAllFiles permissions for an app. You will need the following information to construct your own profile:

  • Identifier Type - bundleID

  • Identifier - com.kolide.agent

  • CodeRequirement - identifier "com.kolide.agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = X98UFR7HA3

Feel free to use the example profile below

<key>Services</key>
<dict>
    <key>SystemPolicyAllFiles</key>
    <array>
        <dict>
            <key>Allowed</key>
            <true />
            <key>CodeRequirement</key>
            <string>identifier "com.kolide.agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = X98UFR7HA3</string>
            <key>Comment</key>
            <string>Allow kolide access to device and user level files</string>
            <key>Identifier</key>
            <string>com.kolide.agent</string>
            <key>IdentifierType</key>
            <string>bundleID</string>
        </dict>
    </array>
</dict>

Once you have successfully created the profile in your MDM, you will then need to enable full disk access.

If you need any additional help constructing the profile or deploying Kolide to your team, please reach out to support.

Did this answer your question?