Kolide MDM — For Those That Don’t Need To Be “Managed”

A new Kolide product coming later this year

Jason Meller
Kolide
4 min read · Jun 24, 2020


Tl;dr: Kolide is releasing a user-focused take on Apple device management called Kolide MDM later this year. Want to be one of the first to try it when it’s ready? Add your name to the list right now.

As I was writing this post, I learned of Fleetsmith’s recent announcement that they have been acquired by Apple. In my opinion, it’s now likely that the classic takes on MDM feature-set will eventually be subsumed by an official Apple-provided solution. This is great news for Fleetsmith and its employees; it’s interesting news for Apple-only shops, and it’s just terrible news for the people who hoped Fleetsmith would be taking their solution beyond the Apple ecosystem.

We’re already seeing some unfortunate fallout following the announcement. Fleetsmith appears to have pulled the third-party app catalog (and Osquery along with it). In short, their most loyal customers are not happy.

We at Kolide believe there is room in the market beyond the typical “table stakes” feature-set MDM products have provided, and we are committed to creating an experience that starts with Apple devices, but doesn’t just end there.

We are going to work at a feverish pace to get this product in your hands as soon as possible. If you are interested, get on the list.

You’ll find my original post below.

MDM — which stands for Mobile Device Management — was not a term of art invented by Apple. Prior to the formal introduction of Apple’s take on the protocol, MDM products like Airwatch used unfriendly techniques, which required users to manually launch their agent apps, nagging users to do so via Apple’s push notification service. This was a terrible experience for end-users and corporate stakeholders alike. Apple recognized this untenable situation and released the first MDM protocol for the iPhone and iPad with iOS 4 in 2010.

Since then, Apple’s MDM protocol has made it onto macOS. With macOS 11 soft-deprecating the profiles command-line tool — by preventing it from silently installing configuration profiles — it’s clear MDM will become (or already is) the de facto way of managing Macs.¹

I’ve always felt Apple’s MDM was a tentative truce in the cold war between Apple and the IT departments of the Fortune 500. MDMs include loads of features built for business, but all of those features are really about one thing — creating standards and enforcing them across devices. This is what we think of when someone says they need to manage client devices.

But when we manage client devices, we can sometimes forget a simple truth: we also end up managing the people using them. Talented people all over the world choose Apple products because they serve them — not Apple, not their bosses. Apple’s MDM protocol and the third-party products that followed inverted that relationship, bringing the corporate Mac experience in line with PCs running Windows — an experience Apple once lampooned.

The MDM protocol is incredibly powerful and with the changes coming in macOS 11, it will be capable of even more. The current incumbents in the overcrowded MDM product-market use it as a means for locking down devices or distributing corporate apps. We at Kolide think MDM can be way more than that.

Kolide is building a different MDM, for a certain type of business — one that already knows how to thread the needle between productivity, privacy, security, and user happiness. They want to help their users; they just don’t have the right tools to make it happen.

Our solution will be one where we look at the MDM protocol and its capabilities, and imagine how they can be used to improve the Person to Mac experience, not ruthlessly censure it. How can we use MDM to give new employees the best onboarding experience of their career; expose them to helpful settings that make their work easier; allow them to temporarily opt in and out of a specific enforcement; or even remotely fix problems before they need to contact the help desk?

Kolide has already rethought the typical security model with its work on User Focused Security. We believe that, for Apple devices, this missing piece will do the same for device management. In fact, we believe both solutions will elevate and complement one another.

This new product will be ready later this year, but we are already taking signups for businesses who are interested in trying it out once it’s ready.

We will be talking in a lot more detail about this new product as we get closer to launch, but we hope that — at least philosophically — you are as excited as we are…

…We know your end-users will be when they try it.

  1. From Apple’s What’s New for Enterprise and Education, WWDC 2020:

To increase data security and prevent unintended profile installation, Mac computers not enrolled in an MDM solution require users to manually install both enrollment and configuration profiles. When a profile is downloaded, an alert is shown to the user indicating that they need to finish profile installation in System Preferences. The user must launch System Preferences, navigate to the Profiles preference pane, and select the downloaded profile. At that point the user will see a window describing what the profile does. If no action is taken by the user roughly 8 minutes after the profile is downloaded, the profile is automatically removed from System Preferences.

The profiles command-line tool will no longer enable silent install of profiles. To initiate the installation of a profile using a script, use the command open path/to/profile.mobileconfig. This command queues the profile for installation so that it can be installed using System Preferences.
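Because the user now has to approve every profile by hand, it helps to know what a downloaded .mobileconfig actually carries before clicking through. The following is an added example, not code from Kolide or Apple: it builds two constructed, unsigned sample profiles (a Wi-Fi configuration profile and an MDM enrollment profile pointing at a hypothetical server) and summarizes their payloads the way a user or help desk might inspect one before queuing it with `open`.

```python
import plistlib

# The MDM payload is what makes a profile an enrollment profile rather than a
# plain configuration profile.
ENROLLMENT_PAYLOAD_TYPES = {"com.apple.mdm"}


def make_profile(identifier: str, name: str, payloads: list) -> bytes:
    """Build a constructed, unsigned .mobileconfig plist (sample data, not real)."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadIdentifier": identifier,
        "PayloadDisplayName": name,
        "PayloadVersion": 1,
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",
        "PayloadContent": payloads,
    })


# Constructed samples: a configuration profile with one Wi-Fi payload, and an
# enrollment profile whose MDM payload names a hypothetical server.
CONFIG_PROFILE = make_profile("com.example.wifi", "Sample Wi-Fi", [
    {"PayloadType": "com.apple.wifi.managed", "PayloadIdentifier": "com.example.wifi.1",
     "PayloadUUID": "00000000-0000-0000-0000-000000000002", "PayloadVersion": 1,
     "SSID_STR": "CorpNet"},
])
ENROLLMENT_PROFILE = make_profile("com.example.enroll", "Sample Enrollment", [
    {"PayloadType": "com.apple.mdm", "PayloadIdentifier": "com.example.enroll.1",
     "PayloadUUID": "00000000-0000-0000-0000-000000000003", "PayloadVersion": 1,
     "ServerURL": "https://mdm.example.invalid/checkin", "Topic": "com.apple.mgmt.example"},
])


def summarize_profile(data: bytes) -> dict:
    """What a user should know before approving a downloaded profile.

    Signed profiles are CMS-wrapped; on macOS decode them first with
    `security cms -D -i profile.mobileconfig` before calling this.
    """
    profile = plistlib.loads(data)
    if profile.get("PayloadType") != "Configuration":
        raise ValueError("not a top-level configuration profile")
    payloads = profile.get("PayloadContent", [])
    payload_types = [p.get("PayloadType", "<missing>") for p in payloads]
    return {
        "identifier": profile.get("PayloadIdentifier"),
        "display_name": profile.get("PayloadDisplayName"),
        "payload_types": payload_types,
        "is_enrollment": any(t in ENROLLMENT_PAYLOAD_TYPES for t in payload_types),
        "mdm_servers": [p.get("ServerURL") for p in payloads
                        if p.get("PayloadType") == "com.apple.mdm"],
    }


if __name__ == "__main__":
    for blob in (CONFIG_PROFILE, ENROLLMENT_PROFILE):
        print(summarize_profile(blob))
```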

Founder & CEO of Kolide. Business-focused security entrepreneur w/ passion for building apps that empower incident responders. Former Chief Strategist @Fireeye