macOS - Data Collection & Auditing - Get Browser History

What the Browser History Collection Worklet does

This Automox Worklet™ extracts browsing history from four major browsers installed on macOS endpoints: Google Chrome, Mozilla Firefox, Safari, and Brave. The Worklet queries the SQLite database files that each browser uses to store history and outputs the results to your Automox Activity Log.

For each browser, the Worklet retrieves the URL visited, page title, visit timestamp, and visit count. You control the number of history entries returned using the number_of_lines parameter, and you can enable or disable collection for each browser individually.

Why collect browser history through Automox

Security teams may need to review browsing history during incident investigations to understand what sites a user visited before a malware infection or data breach. Browser history provides timeline evidence that helps reconstruct events leading to a security incident.

Compliance frameworks may require organizations to demonstrate they can audit user activity on corporate endpoints. This Worklet provides a standardized, documented method for collecting browser history across your macOS fleet.

HR or legal departments may request browser history as part of acceptable use policy investigations. This Worklet enables IT to retrieve the data remotely without physical access to the endpoint or disruption to the user.

How browser history collection works

1. Evaluation phase: The Worklet identifies the last logged-in user and searches for browser history database files in their Library folder. It checks for Chrome History, Firefox places.sqlite, Safari History.db, and Brave History files. If at least one history file exists, the endpoint is flagged for remediation.

2. Remediation phase: For each enabled browser, the Worklet copies the history database (to avoid locking issues), executes SQL queries using sqlite3 to extract visit data, and outputs the results. Chrome and Brave use Chromium's URL table schema. Firefox uses moz_places and moz_historyvisits tables. Safari uses history_visits and history_items tables.

Browser history collection requirements

• macOS workstation

• Automox Agent version 1.42.22 or later

• sqlite3 command line tool (included with macOS)

• For Safari history: Full Disk Access permission granted to the Automox Agent in System Preferences > Security and Privacy

• Configure show_chrome_history, show_firefox_history, show_safari_history, and show_brave_history variables to on or off

Expected browser history output

After running, the Activity Log displays history entries organized by browser. The history data appears directly in the Automox Activity Log for the Worklet execution. Each entry shows the visit timestamp, full URL, page title, and visit count. The output is limited to the most recent entries based on your configured number_of_lines value.

If Safari history cannot be accessed, the Worklet outputs a message indicating that Full Disk Access permissions need to be granted. Other browsers are unaffected and their history is still retrieved.

How to validate get browser history changes

1. Run this Worklet on a pilot macOS endpoint and review evaluation output for get browser history.

2. Confirm Automox activity logs show successful completion and exit code 0.

3. Verify endpoint state using checks aligned to evaluation script logic, such as exit, else.

4. Validate remediation effects from script operations such as function, linebreak, cp, then rerun evaluation for compliance.