View Other Properties

Contents

View Other Properties

How to List Apps Across All Macs

Using Kolide, you can easily view and query Mac Apps across your fleet.

Introduction

The primary means of software installation on macOS are bundles called Apps. These .app bundles may include software installed by the operating system, by the end-user via download, or by the end-user via the App Store. This inventory catalogs all apps found on a device regardless of installation path, so long as they are registered with the macOS LaunchServices API and then enumerates various metadata about the application such as version, the executable binary run by the app, and whether the software is signed.

To see a similar list on your device, you can follow the steps below:

  1. Click on the Apple menu at the top left of your screen,
  2. Click the item labeled "About this Mac" in the drop-down
  3. On the Overview tab of the About this Mac screen, click the button labeled "System Report..."
  4. In the sidebar on the left, scroll down to the section labeled "Software", and then click on the subitem labeled "Applications"

Kolide additionally enriches the data returned by osquery, by also retrieving the icon data for all installed apps.

What Mac App Data Can Kolide Collect?

Kolide's endpoint agent bundles in osquery to efficiently collect Mac Apps from Macs in your fleet. Once collected, Kolide will parse, clean up, and centrally store this data in Inventory for your team to view, query, or export via API.

Kolide meticulously documents every piece of data returned so you can understand the results.

Mac Apps Schema

Column Type Description
id Primary Key

Unique identifier for the object

device_id Foreign Key

Device associated with the entry

device_name Text

Display name of the device associated with the entry

applescript_enabled Text

Info properties NSAppleScriptEnabled label

arch Text

If applicable, the arch of the signed code

bundle_identifier Text

Info properties CFBundleIdentifier label

bundle_name Text

Info properties CFBundleName label

bundle_package_type Text

Info properties CFBundlePackageType label

category Text

The UTI that categorizes the app for the App Store

compiler Text

Info properties DTCompiler label

copyright Text

Info properties NSHumanReadableCopyright label

development_region Text

Info properties CFBundleDevelopmentRegion label

display_name Text

Info properties CFBundleDisplayName label

element Text

Does the app identify as a background agent

environment Text

Application-set environment variables

info_string Text

Info properties CFBundleGetInfoString label

last_opened_at Timestamp

The last time the application was opened.

Note on data collection: This value is updated automatically by LaunchServices on the device everytime an app is opened. The LaunchServices DB is occasionally cleared by major macOS updates, so a NULL doesn't always mean the app was never opened, especially if the OS was recently updated.

minimum_system_version Text

Minimum version of macOS required for the app to run

name Text

Name of the .app folder

path Text

Absolute and full Name.app path

signature_authority Text

Certificate Common Name

signature_cdhash Text

Hash of the application Code Directory

signature_identifier Text

The signing identifier sealed into the signature

signature_team_identifier Text

The team signing identifier sealed into the signature

signed Boolean

true if the app is signed, otherwise false

bundle_short_version Text

The text representation of the version

bundle_short_version_major Bigint

bundle_short_version's semver major version (ex: 4.2.1 would yield 4)

bundle_short_version_minor Bigint

bundle_short_version's semver minor version (ex: 4.2.1 would yield 2)

bundle_short_version_patch Bigint

bundle_short_version's semver patch version (ex: 4.2.1 would yield 1)

bundle_short_version_subpatch Bigint

bundle_short_version's numeric status fourth position number (ex: 4.2.1.6 would yield 6)

bundle_short_version_pre Text

bundle_short_version's semver pre-release version (ex: 1.2.3-prerelease+build would yield pre-release)

bundle_short_version_build Text

bundle_short_version's semver build version (ex: 1.2.3-prerelease+build would yield build)

collected_at Timestamp

Time the row of data was first collected in the database

updated_at Timestamp

Time the row of data was last changed in the database

What Can You Do With This Information?

Kolide enables you to write your own queries against the data the agent collects. This allows you to build your own reports and API endpoints. For example, you can:

Find unused copies of Adobe software which may indicate a provisioned license is no longer being utilized or needed.
Kolide SQL
SELECT 
  name, 
  bundle_identifier, 
  device_name, 
  last_opened_at
FROM mac_apps 
WHERE bundle_identifier ILIKE 'com.adobe%'
AND bundle_name IN(
    'Photoshop',
    'Photoshop CC'
    'Illustrator',
    'Illustrator CC',
    'After Effects',
    'Acrobat Pro',
    'Acrobat Pro DC',
    'InDesign',
    'InDesign CC',
    'Premiere Pro',
    'Premiere Pro CC',
    'Adobe Audition'
)
AND ( last_opened_at ISNULL
OR last_opened_at < (NOW() - interval '90 days')) 
AND last_opened_at IS NOT NULL
LIMIT 5

Example Results
name device_name last_opened_at bundle_identifier
Adobe Illustrator.app Ashleys-MacBook-Pro 2018-02-16T20:52:52.000Z com.adobe.illustrator
Adobe InDesign CC 2018.app daves-imac 2018-02-14T21:56:28.000Z com.adobe.InDesign
Adobe After Effects CC 2017.app jens-imac-pro 2018-03-19T20:54:26.000Z com.adobe.AfterEffects
Adobe Audition 2020.app Bills-MacBook-Air 2020-05-03T21:16:33.000Z com.adobe.Audition
Adobe Acrobat.app Steve-MacBook-Pro.local 2018-02-15T18:00:48.000Z com.adobe.Acrobat.Pro
Find outdated installations of Google Chrome
Kolide SQL
WITH 
chrome_stable_split AS (
  SELECT 
    version AS latest_stable, 
    version_major, 
    version_minor, 
    version_build, 
    version_patch 
  FROM google_chrome_latest_releases 
  WHERE channel = 'stable' 
  AND platform = 'mac'
)
SELECT
  ma.device_name, 
  bundle_short_version AS installed_version,
  latest_stable,
  CASE WHEN (
      bundle_short_version_major < version_major
   OR bundle_short_version_major <= version_major AND bundle_short_version_minor < version_minor
   OR bundle_short_version_major <= version_major AND bundle_short_version_minor <= version_minor AND bundle_short_version_patch < version_build
   OR bundle_short_version_major <= version_major AND bundle_short_version_minor <= version_minor AND bundle_short_version_patch <= version_build AND bundle_short_version_subpatch < version_patch
   ) THEN 'true' ELSE 'false' END AS chrome_requires_update
  
FROM mac_apps ma, chrome_stable_split 
WHERE bundle_identifier = 'com.google.Chrome' LIMIT 16
Example Results
device_name name latest_stable installed_version chrome_requires_update
balthazar Google Chrome.app 102.0.5005.61 99.0.4844.51 true
daves-imac Google Chrome.app 102.0.5005.61 100.0.4896.127 true
Gens-MacBook-Pro-3 Google Chrome.app 102.0.5005.61 100.0.4896.127 true
Conference-Room-Zoom Google Chrome.app 102.0.5005.61 90.0.4430.85 true
Caitlins-MacBook-Pro-2 Google Chrome.app 102.0.5005.61 100.0.4896.75 true
Jimmys-MacBook-Air Google Chrome.app 102.0.5005.61 102.0.5005.61 false
Debras-MacBook-Pro Google Chrome.app 102.0.5005.61 102.0.5005.61 false

Why Should I Collect Mac Apps?

App installations are cataloged and tracked to facilitate a number of potential purposes, for example:

  • Ensuring required software (VPN, Antivirus, Password Manager) is installed
  • Discovering potential malicious software
  • Tracking the install count of various licensed software (eg. Adobe Creative Suite, Microsoft Office)
  • Finding unsigned software

End-User Privacy Consideration

Kolide practices Honest Security. We believe that data should be collected from end-user devices transparently and with privacy in mind.

An employer with access to your app installations can determine the following:

  • What applications you have installed on your device (and the path of their installation)
  • The most recent timestamp for when you last opened each application

When you use Kolide to list Mac App data from end-user devices, Kolide gives the people using those devices insight into exactly what data is collected, the privacy implications, and who on the IT team can see the data. This all happens in our end-user privacy center which can be accessed directly by employees.

Share this story:

Related Device Properties:

New
Mac Package Install History
software, apps, install-history, updates
New
Linux RPM Packages
centos, rpm, software, packages
New
Mac App Schemes
apps, network, default-software
View full list of Kolide's Device Properties
Book A Demo
Book A Demo