To function properly, The Kolide Agent requires write access to a couple of locations on disk.
Local Database
The agent needs access to where it keeps a variety of local database and state files. By default, on a macOS and unix systems this is /var/kolide-k2/k2device.kolide.com
Binary Updates
For auto update to work, launcher must be able to write new versions to disk. These are placed along side the distributed binary, by default this is /usr/local/kolide-k2/bin/