Kolide's Inventory feature is designed to collect, enrich, and visualize important data from all enrolled devices in your fleet. While Kolide strives to strike a careful balance between the utility of the data collected and the privacy of end-users, some organizations may wish to exclude certain device properties from Kolide without having to resort to marking all devices as private. This article discusses how to opt in and out of specific device properties in Inventory, and the effects those decisions will have on the rest of Kolide's product.
Disabling Device Properties in Inventory
Disabling a device property will immediately cause Kolide to cease collecting any related data on applicable devices. In addition, administrators can choose to hide or erase previously collected data.
A Word About Dependencies
Since Kolide uses the data collected in Inventory to power many other features in the product, disabling inventory can have far-reaching and unintended effects. These effects include:
Inventory-based checks which rely on the data becoming disabled and their associated issues becoming hidden*
Some widgets on the device overview page presenting less information or disappearing entirely
Related active device property loggers in Log Pipeline turning off
Related search results no longer appearing in the global search bar in the header of the app
Related reporting tables and associated API endpoints disappearing in Kolide's reporting feature
* Osquery powered checks are unaffected by disabling device properties in Inventory.
When disabling a device property, Kolide will inform the administrator about these dependencies in detail so they can make an informed decision before they proceed. As an example, here is what an administrator might see when disabling the Chrome Extensions property.
How To Disable A Device Property
To disable a device property in Inventory, follow these steps:
Browse to the front page of Inventory
In the side-bar under Device Properties click the property you want to disable
In the upper-right corner of the header, select the Disable Device Property button.
Carefully read the warning in the modal that appears and press confirm.
Deleting Existing Data
By default, Kolide will also delete any previously collected data associated with a device property. If this is undesirable, administrators can opt out of this behavior by unchecking the option named delete all existing data collected by this inventory item. Instead of being deleted, the data will simply be hidden and inaccessible to administrators until the device property is re-enabled.
Note: By law, any hidden data will still be made available to end-users who wish to export all data Kolide associates with their account and device. End-users perform this action in Kolide's Privacy Center.
Blocking Related Osquery Tables
Kolide primarily uses osquery SQL to collect data from endpoints via its agent. While disabling a device property will stop Kolide from collecting this data, it may not prevent administrators from running new Live Queries or adding new Log Pipeline packs that collect similar data. To assist administrators, Kolide will offer to add the relevant virtual tables to your organization's osquery table block list.
Note: This feature is offered as an additional convenience to Kolide administrators and is not intended to be an exhaustive enumeration of every possible virtual table capable of collecting the target data. For example, while disabling the chrome_extensions table in osquery will prevent most administrators from accessing that data, it might be possible for a determined administrator to work around this restriction using utility tables like
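Because the block list covers new Live Queries and Log Pipeline packs, it helps to review query packs for references to a table before or after blocking it. The following is an added example, not Kolide's code: it assumes packs use osquery's standard `queries` map, and the sample pack, block list and function names are constructed for illustration.

```python
import json
import re

# Constructed sample data: a block list and an osquery-style query pack.
BLOCKED_TABLES = {"chrome_extensions"}
SAMPLE_PACK = json.dumps({"queries": {
    "browser_addons": {
        "query": "SELECT u.username, ce.name FROM users u "
                 "JOIN chrome_extensions ce USING (uid);",
        "interval": 3600},
    "os_version": {
        "query": "SELECT name, version FROM os_version;",
        "interval": 86400},
    "comment_only": {
        "query": "SELECT pid FROM processes; -- not chrome_extensions",
        "interval": 600},
}})

# Comments and string literals can mention a table without reading it.
_NOISE = re.compile(r"--[^\n]*|/\*.*?\*/|'(?:[^']|'')*'", re.S)
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def identifiers(sql):
    """Return the lower-cased identifiers used in a SQL string."""
    return {tok.lower() for tok in _IDENT.findall(_NOISE.sub(" ", sql))}


def audit_pack(pack_json, blocked):
    """Map each query name to the blocked tables its SQL names."""
    blocked = {t.lower() for t in blocked}
    findings = {}
    for name, spec in json.loads(pack_json).get("queries", {}).items():
        hits = identifiers(spec.get("query", "")) & blocked
        if hits:
            findings[name] = sorted(hits)
    return findings


if __name__ == "__main__":
    # Matching is by name only, so it is conservative: a column or alias with
    # the same name is flagged too, and, as the note above says of the block
    # list itself, a name match is not an exhaustive control.
    for query, tables in audit_pack(SAMPLE_PACK, BLOCKED_TABLES).items():
        print(f"{query}: references blocked table(s) {', '.join(tables)}")
```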
Mandatory Device Properties
Kolide requires certain information from devices in order for its product to function correctly. When you attempt to disable device properties that would interfere with a critical function, the disable button will be unavailable as shown below.
Installables And Associated Installations
For certain types of data that Kolide collects like apps, extensions, and packages, Kolide will group the data in Inventory so it is easy to count the number of installations across all devices. When disabling these "installables", administrators should be aware that any decisions made will also impact the individual installations in inventory.
Controlling Who Can Disable/Enable Properties
Like other sensitive features, Kolide administrators can choose to hide this functionality from specific users, or from everyone using the existing access controls under Teams and Access or Device Privacy.
Enabling Device Properties
For previously disabled device properties (or certain device properties that are shipped disabled by default) administrators can easily enable them.
To do so, simply follow these steps:
Browse to the front page of Inventory
In the side-bar under Device Properties check the box to view any disabled device properties (if this box is missing, no properties are currently disabled)
Choose any disabled property from the list (they are formatted with strikethrough text and are alphabetically sorted alongside the enabled properties)
In the upper-right corner of the header, select the Enable Device Property button.
Carefully read the warning in the modal that appears and press enable.
If data was previously hidden (and not deleted), it will immediately re-appear. If data was deleted, it may take several hours before devices begin reporting this data into Kolide again.
Enabling Related Checks
Enabling a device property in Inventory may also make previously disabled Checks available. Administrators can choose to immediately enable these checks, or may do so at a later time by browsing the disabled tab on the Checks overview page.
Unblocking Related Osquery Tables
As shown in the screenshot of the confirmation modal above, Kolide will advise administrators to remove any related virtual tables from their blocklist. This blocklist only applies to administrators writing new queries in Live Query or Log Pipeline and does not impact Kolide's ability to collect data from devices to populate Inventory.