Two new checks for the ChatGPT macOS app

Two new checks for the ChatGPT macOS app

Fritz Ifert-Miller by Fritz Ifert-Miller on

With the recent announcement of OpenAI’s ChatGPT desktop application for macOS, users gain access to LLM workflows outside of their browser. ChatGPT’s broad adoption by employees across industries, and around the world, has put employers, compliance, and security teams into high gear as they seek to balance the gains made in productivity with the potential risks of how these tools are being used.

One of the most common concerns among employers when it comes to the utilization of generative AI is the possibility of sensitive or secure company data being fed into the larger ChatGPT training model, which is then used by individuals external to the organization.

In August of 2023, OpenAI announced their Enterprise offering of ChatGPT which introduced collaboration functionality, as well as security and privacy guardrails. Specifically with regards to model training they called out the following:

You own and control your business data in ChatGPT Enterprise. We do not train on your business data or conversations, and our models don’t learn from your usage.

This enterprise functionality was enthusiastically welcomed by teams who could now implement generative AI into their workflows while mitigating the risk it posed to their company.

However, these guardrails are only effective as long as employees are logged into an enterprise workspace, and not their personal workspace. It’s crucial then to verify that the ChatGPT desktop app is configured properly to ensure data is not going somewhere it isn’t supposed to.

By default, the ChatGPT app opens with the sidebar closed. This hides not only your chat history, but also your logged-in workspace:

A screenshot of the ChatGPT app's home screen, with the sidebar closed.

When we open the sidebar, we can see this account is actually logged into a personal workspace:

A screenshot of the ChatGPT app with a visible sidebar. A pop-up shows the user is signed into their personal account.

That’s why we’re excited to announce a new Check for the ChatGPT macOS app which ensures users are not using their personal ChatGPT workspace while logged into the app.

 screenshot of Kolide showing that Jason Meller's MacBook Pro has been blocked from using ChatGPT because they're using a personal account.

Verifying Active Account and Workspace ID

The ChatGPT app keeps preferences and settings stored on disk, including what user accounts are logged in, and which account/workspace is currently active. In order to validate users are working on the correct account, an administrator must provide their Workspace ID, which can be retrieved from the OpenAI ChatGPT admin portal.

A screenshot of the ChatGPT admin portal, with the Workspace ID field highlighted.

Your team may have more than one workspace, which is why you can provide as many as necessary.

A screenshot of Kolide showing a configuration window titled 'ChatGPT Mac App Should Use Approved Workspace'.

1Password Extended Access Management will then retrieve the local settings from the user’s ChatGPT desktop app, and verify that the active workspace matches one of the IDs you’ve provided. If the active ChatGPT workspace does not match one of your provided values, end-users will be prompted to switch workspaces as shown below:

  1. Ensure you are logged into the user account johnny-appleseed.
  2. Open Spotlight search via the following keyboard shortcut: ‘Command + Spacebar’.
  3. Type to locate your ChatGPT application and press Enter to launch.
  4. With the ChatGPT app open and the window in focus, expand the sidebar by clicking the icon in the upper-left corner.
  5. On the bottom of the sidebar, click your name to reveal a list of alternative accounts.
  6. Select the account associated with your organization.
  7. Close the application.

If you do not see an alternative account to choose, please contact your IT team for support. In the meantime, you can log out of the application to pass the check.

What if the ChatGPT app isn’t installed, or isn’t logged in?

Only users with the desktop app installed will be considered in-scope for this Check, and those without the app installed will pass automatically. Likewise, users who have installed the app but have not yet logged in will be considered passing. Only users who are logged in with an active Workspace ID which does not match your supplied values will be reported as failing this Check.

Reducing the risk of LLM usage with 1Password Extended Access Management’s ChatGPT Check

In a recent survey of knowledge workers conducted by Kolide, 89% of respondents reported using AI for work-related purposes at least once per month. AI-based tools are becoming as ubiquitous as the calculator and their prevalence within the workspace shows no sign of slowing. The genie cannot be put back in the bottle, but we must be able to verify these tools are being used appropriately and safely.

1Password Extended Access Management’s ChatGPT Check helps employees use the workflows that make them most productive, without putting the company’s data at risk, by making sure that data is going only where it is intended and nowhere else.

Principal Product Manager

Fritz Ifert-Miller - Principal Product Manager Fritz Ifert-Miller - Principal Product Manager

Tweet about this post