How Does Kolide Use Osquery?

General information about the osquery project can be found at

At Kolide, the osquery config consists of several things:

  • All scheduled queries are compatible with the device's reported platform. These scheduled queries come from one of many sources:

    • Queries that populate data in Kolide's Inventory

    • Queries that power Checks

    • Queries that have been scheduled to run continuously by you or your team in Live Query

    • Queries that have been scheduled to run continuously by you or your team in Log Pipeline

  • Also included is information about potential osquery ATC (Automatic Table Creation) registration.

    • ATC is a feature of osquery which allows you to specify an SQLite database on disk and query it as if it were an osquery virtual table.

    • This functionality can be helpful because many applications and system utilities store settings/preferences in SQLite databases.

At this time, Kolide ships a global configuration for ATC tables, meaning all customers have the same ATC tables registered. It should be noted these ATC configuration blocks are not indicative of data being accessed or queries being run, merely the capability to retrieve data from those sources if a query targets that ATC generated table.

  • The presence of a configuration block on its own does not indicate the data is being accessed, so until a query is run via Live Query, or scheduled to run, this ATC block only shows the potential capability of retrieving data from this source.

  • ATC tables are something only Kolide can configure, so an admin could not, for example, create a 'Chrome Browser History' ATC table that allowed you to scrape all of a device's browser history.

  • An admin cannot directly modify the osquery config on a device, but actions they take within the Kolide app will be reflected in changes to the configuration. The following examples demonstrate times the config would change due to actions within the Kolide App:

  • Adding or Removing a Scheduled Live Query

  • Enabling or Disabling a Check

  • Enabling or Disabling an Inventory Property (e.g. ceasing collection of Apps inventory would remove that query from the osquery config)

  • Adding or Removing a Log Pipeline Query

From a privacy standpoint, the primary concern of most people would be the possibility of malicious use of Live Query to collect details about a device that is not pertinent to an appropriate IT or Security use case. For example, looking for files on disk with file names like "CoverLetter.txt" or "Resume.pdf"

  • Kolide has attempted to limit the likelihood of these scenarios by surfacing as much data as possible through the Privacy Center. In the case of Live Query, giving the end-user an audit record of the queries run against their device, including the query that was run, the person who ran the query, and the results returned from the end-user's device.

A secondary concern might be an “evil admin,” government intimidation, or other compromises at Kolide. The short answer is that there is always a certain degree of risk that developers will turn evil and do something unexpected or of government intimidation - there’s no way to eliminate that risk completely. You accept this same risk from any other software you use as well. The most that we can ask of you is that you trust that Kolide's controls are effective.

Is Kolide Open Source?

Yes! You can find the device launcher agent source code at:

Our Company Doesn’t Use Slack, Does Kolide Plan to Support Other Chat Platforms?

Eventually, yes. Our initial goal is to perfect the UX and interactions in the Slack app before we support other platforms. Let us know what other platform you use!

What Does Kolide Use as a Hosting Provider?

Kolide uses Heroku for hosting. If you’d like to learn more about Heroku, you can find their security page at: ​​

Privacy Center

Kolide’s Privacy Center is where every user can learn about the data that Kolide collects. The Privacy Center can be accessed before or after a person’s device has been enrolled. This is intentional so that users can get their questions answered before the agent is downloaded.

The Privacy Center can be found at:

Most endpoint security companies leave it up to the administrators to field questions that end-users may have about the agent they installed on their device(s). Instead, Kolide is an Honest Security company, and we believe very strongly that everyone has the right to know precisely what data is collected from their devices through the agent, who queried the data, and who in the organization can view that data.

Therefore, the Privacy Center surfaces exactly what data is being collected through Kolide by your company, by whom, and when it was collected. The Privacy Center also includes explanations for why specific Checks are necessary to ensure security and allows you to read through the queries used in those Checks. Lastly, users are able to download an export of data through the Privacy Center for personal review.

Can Kolide See or Report Personal Information from a Device?

Kolide does not collect or report on browsing history, pictures, messages sent or received, or other types of obviously personal information, as we have built Kolide with both personal privacy and corporate security requirements in mind.

However, Kolide may pick up some potentially personal information such as: the device’s Apple ID, the presence of certain browser extensions known to have security vulnerabilities, or potentially even some file names if your team is using an applicable Check such as to detect plain text MFA codes for GitHub.

What is Live Query?

Yes! Read more here.

Does Kolide Support SSO or SAML Login?

It does! Please check out our help document here!

Does Kolide Offer a Public API?

Yes! Programatic access via an API is currently available. You can find our API docs under Settings > Developers > API Documentation, or here:

For access, feel free to message us via Intercom, or by emailing us at with questions!

Does Kolide Offer a Log Pipeline?

Yes! This is available under Tools > Log Pipeline.

What happened to Kolide Cloud (2019)?

Kolide got a major upgrade!

In May of 2019, we launched the newest iteration of our SaaS security platform. We have taken the feedback and lessons learned over the last few years to streamline the Kolide experience for a straightforward, cohesive experience. Meet K2, our newest product, with User Focused Security in mind. 

Why should I be excited about this upgrade?

Better cross platform support in the form of:

  • Automatic Device User Assignment now available for Windows and Linux (in addition to existing Mac support)

  • Automatic Updates for Windows Kolide Agent

User Focused Security that empowers your users:

  • Our Kolide Slackbot can direct message your users (or a specified channel) when their device is not compliant with your organization's Checks (eg. DM’ing a user with instructions on how to enable their System Firewall)

  • Our User Privacy Center allows your teammates to view what is collected about their device and who can see it. 

Inventory allows you to browse data without writing SQL!

  • Inventory catalogs all of your employee and device information offline to browse, filter and soon build notifiable checks on top of. See how many devices have a given piece of software installed across your infrastructure. Check to see which users do not have GitHub 2 Factor Authorization enabled.

We’ve streamlined Kolide, keeping the best features & making them better!

Does this product have Remote Shell?

After careful deliberation and response to customer feedback, we ultimately decided to remove the Remote Shell capability altogether, which was part of Kolide Cloud. The overwhelming sentiment was users did not feel comfortable with software that allows administrators to silently run arbitrary commands on their device. We believe the future of this feature is the capability to dynamically ship configuration profiles for devices, and to allow users to self-remediate device issues using an interactive Slack bot.

Will the performance of K2 be better than Cloud?

Yes, we’ve spent a lot of time decreasing the impact of Kolide on end-user devices. After initial enrollment, the K2 version of the launcher agent now performs fewer queries at a lower frequency in favor of relying on our server infrastructure doing more of the processing and analysis. This means less impact on your user’s devices for a better experience.

Has your security and architecture changed in K2?

K2 features a new and improved authentication system and a new multi-tenant architecture. We have updated our security documents to reflect these changes which can be requested by contacting If we do not currently have an MNDA in place with you, please feel free to send this along as well.

Did this answer your question?