1Password Device Trust (Kolide) allows you to create your own fully custom checks using osquery.
You can only create custom checks for desktop devices that are running the Kolide agent. Mobile checks are not currently supported.
Step 1: Create new check
To create a new check:
- Sign in to Kolide and select Checks from the dashboard.
- Select Add New Checks in the upper right.
- Select the Build Your Own tab and then Start With a Blank Template.
- Select Create New Draft.
You can also request a new check from Kolide staff by selecting Suggest a Check instead of starting with a blank template.
Step 2: Osquery SQL
To determine how a check finds failing devices, you’ll need to write rules using Osquery SQL.
The SQL should always emit at least one row that contains a column called KOLIDE_CHECK_STATUS with a value of PASS or FAIL.
Select which device(s) to target for the check from the drop-down menu. You can use the included example SQL text to test creating and running the check.
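As an added illustration of that contract (example SQL written for this page, not from the 1Password or Kolide docs), the check below fails a device whose root volume is not encrypted. It assumes osquery's disk_encryption and mounts tables (macOS and Linux) and the usual join on device_alias to find the root volume; the UNION ALL fallback guarantees a row is always emitted, so a device with no encryption record is reported as FAIL rather than silently producing no result.

```sql
-- Example check SQL, added here; not 1Password's or Kolide's own code.
-- Emits one row with KOLIDE_CHECK_STATUS = 'PASS' when the root volume
-- is encrypted, 'FAIL' otherwise. Assumes osquery's disk_encryption and
-- mounts tables (present on macOS and Linux).
SELECT
  m.path        AS mount_path,
  de.name       AS device_name,
  de.encrypted  AS encrypted,
  CASE WHEN de.encrypted = 1 THEN 'PASS' ELSE 'FAIL' END AS KOLIDE_CHECK_STATUS
FROM mounts m
JOIN disk_encryption de ON de.name = m.device_alias
WHERE m.path = '/'

UNION ALL

-- Fallback row: no disk_encryption entry matched the root volume, so the
-- check still emits a row (required by Kolide) and treats the device as FAIL.
SELECT
  '/'        AS mount_path,
  'unknown'  AS device_name,
  0          AS encrypted,
  'FAIL'     AS KOLIDE_CHECK_STATUS
WHERE NOT EXISTS (
  SELECT 1
  FROM mounts m
  JOIN disk_encryption de ON de.name = m.device_alias
  WHERE m.path = '/'
);
```

Because osquery runs on SQLite, a SELECT without a FROM clause guarded by WHERE NOT EXISTS is valid and yields exactly one fallback row only when the main query returns none.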
After entering your Osquery SQL:
- In the right-hand sidebar, select the check type: Generate a single issue or Generate separate issues for each failing result.
- Select the platform(s) the check will run against: macOS, Windows, and/or Linux.
- Select Add Example Data and add an example failure. You can use the included example for testing.
- Select Test Run to test against the selected target device(s).
Step 3: Check Details
Proceed to the Check Details tab.
The check details section lets other admins know what problem the check will detect. It also allows you to define an issue title to display to end users on the sign-in page.
Fill in the following information:
- Check Name: Give your check an identifiable name.
- Issue Title: Write a descriptive title that explains the problem the check addresses.
- Check Description: Add a brief description that explains what the check fixes and why.
Step 4: Notification Text
Proceed to the Notification Text tab.
This is a critical step that makes sure end users have all the information they need to solve the detected issue on their own.
On this page, you’ll need to fill out two important fields:
- The rationale, which explains to end users why the detected issue is important to fix.
- The fix instructions, which help the end user correct the issue on their own.
Step 5: Privacy Center
Proceed to the Privacy Center tab.
On this page you can add any relevant information for end users around privacy concerns. You’ll also need to assign example data to each targeted platform by selecting examples added on the Osquery SQL tab.
With this last step done, you can now publish the check.
Step 6: Review and publish the check
To publish the check, select Review & Publish Check. You’ll see a confirmation screen.
Select Publish Check. Next, in the pop-up, select Enable Check. The Configuration sidebar for the check will automatically open.
In the Configuration sidebar, you can determine how aggressive you want the check to be, balancing mitigating the vulnerability with the productivity of your team. You may decide the vulnerability is serious enough to warrant immediately blocking devices from accessing company data. Giving your team members an extra day can also be a reasonable choice, depending on your risk tolerance.
To adjust how many days team members have to mitigate the issue, see How to set remediation strategies for 1Password Device Trust checks.