For testing, you can load the extension with osqueryi:

```
osqueryi --extension /path/to/macadmins_extension.ext
```

By default, osquery refuses to load extensions that are not owned by root. Either change the ownership of macadmins_extension.ext to root, or run osquery with the --allow_unsafe flag (test machines only; it disables the ownership check for every extension).

For production deployment, refer to the osquery documentation.
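As an added example (not part of the extension or of osquery), the helper below builds the osqueryi arguments for a given extension path: it inspects the file's owner and emits --allow_unsafe only when the file is not root-owned, so a root-owned extension is loaded without weakening the check. It also refuses world-writable files outright; that refusal is this script's own conservative policy, not something the README states. The extension path is the placeholder from the README.

```sh
#!/bin/sh
# Added example: decide how to hand an osquery extension to osqueryi.
# osquery rejects extensions not owned by root unless --allow_unsafe is set.

# Owner uid of a file; works with GNU stat (-c) and BSD/macOS stat (-f).
file_owner_uid() {
    stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"
}

# True when any "other" write bit is set on the file (octal 0002).
is_world_writable() {
    [ -n "$(find "$1" -maxdepth 0 -perm -002 2>/dev/null)" ]
}

# Print the osqueryi arguments for the extension at $1.
# Root-owned:     --extension PATH
# Not root-owned: --extension PATH --allow_unsafe
# World-writable: refuse (policy of this script, assumption not from the README)
extension_load_args() {
    ext="$1"
    if [ ! -f "$ext" ]; then
        echo "extension not found: $ext" >&2
        return 1
    fi
    if is_world_writable "$ext"; then
        echo "refusing world-writable extension: $ext (chmod o-w first)" >&2
        return 1
    fi
    if [ "$(file_owner_uid "$ext")" -eq 0 ]; then
        printf -- '--extension %s\n' "$ext"
    else
        printf -- '--extension %s --allow_unsafe\n' "$ext"
    fi
}

# Usage (placeholder path from the README):
#   osqueryi $(extension_load_args /path/to/macadmins_extension.ext)
```

Running the usage line on a test box loads the extension either way; on a machine where the extension has been chowned to root the --allow_unsafe flag is simply never added, which is the configuration you want before moving to a managed osqueryd deployment.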
| Table | Description | Platforms | Notes |
|---|---|---|---|
| file_lines | Read an arbitrary file | Linux / macOS / Windows | Use the `path` and `last` constraints to specify the file to read lines from |
| filevault_users | Users able to unlock the current boot volume when it is encrypted with FileVault | macOS | |
| google_chrome_profiles | Profiles configured in Google Chrome | Linux / macOS / Windows | |
| macos_profiles | High-level information on installed configuration profiles | macOS | |
| mdm | Information on the device's MDM enrollment | macOS | Code based on work by Kolide. Since macOS 12.3, the output of `profiles show -type enrollment` can only be generated once a day. If another tool on the device also runs this command, set the `PROFILES_SHOW_ENROLLMENT_CACHE_PATH` environment variable to the path where that tool caches the result. The cache file must be JSON with the boolean keys `dep_capable` (whether the device is capable of DEP enrollment) and `rate_limited` (whether the response from `profiles show -type enrollment` is currently being rate limited). |
| munki_info | Information from the last Munki run | macOS | Code based on work by Kolide |
| munki_installs | Items Munki is managing | macOS | Code based on work by Kolide |
| network_quality | Output from the networkQuality binary | macOS | The networkQuality binary is only present on macOS 12 and later |
| puppet_info | Information on the last Puppet run | Linux / macOS / Windows | |
| puppet_logs | Logs from the last Puppet run | Linux / macOS / Windows | |
| puppet_state | State of every resource Puppet is managing | Linux / macOS / Windows | |
| puppet_facts | Puppet facts | Linux / macOS / Windows | |
| unified_log | Results from the macOS Unified Log | macOS | Use the `predicate` and `last` constraints to limit the number of results; without them queries will be very slow. Set `level` to `info` to include info-level messages, or to `debug` to include both info and debug messages. Example: `select * from unified_log where last="1h" and level="debug" and predicate='processImagePath contains "mdmclient"';` |