Agent
CommandIT Agent Suite
Service v1
Functional Specification

1. Introduction & Overview

1.1 Purpose

The CommandIT Agent Service is a lightweight, secure background application installed on managed endpoints. Its primary functions are to:

- Establish and maintain a unique, verifiable identity for each managed device.
- Collect comprehensive hardware, software, OS, network, security, and performance data.
- Monitor endpoint health and status.
- Report collected data and status changes to the central CommandIT platform.
- Receive and execute commands/scripts from the platform.
- Enforce configured policies (compliance, security).
- Provide data for troubleshooting, asset management, security posture assessment, and compliance reporting, while preventing device duplication.

1.2 Target Platforms

- Microsoft Windows (Client 10, 11; Server 2016, 2019, 2022 and later; 32-bit and 64-bit). Windows on ARM (ARM64) support included, noting potential limitations in deep hardware data availability compared to x86_64, requiring specific testing.
- Apple macOS (latest 3 major versions, supporting both Intel and Apple Silicon (ARM64) architectures via universal binary, noting collection method differences where applicable).
- Linux (common server distributions: Ubuntu LTS 18.04+, RHEL/CentOS/Rocky 7+, Debian 10+; 64-bit).

2. Core Architecture & Concepts

2.1 Execution

Runs as a persistent background service (Windows service, macOS launchd daemon, Linux systemd service) with high privileges (LocalSystem on Windows, root on macOS/Linux) required for deep system inspection and task execution. Built in Go (universal binary for macOS).

2.2 Communication

Communicates exclusively with the CommandIT server API over secure HTTPS/TLS channels (TLS 1.2+). All data transmission must be encrypted. Agent validates server certificate; server authenticates agent via its unique identity.

2.3 Local Caching

Utilizes a local, persistent data store (e.g., embedded SQLite database) to:

- Cache current configuration and policies received from the server.
- Store the last known state of collected inventory data for delta comparisons.
- Maintain the processing state for event log monitoring (e.g., last record ID/timestamp processed per log source) to prevent duplicates.
- Locally queue data uploads and command results, enabling offline operation and upload upon reconnection.
- Store unique IDs of locally detected events (e.g., FIM, PII, threats) and their upload status for queueing.

2.4 Agent Identity

Each agent instance possesses a unique device ID (UUID) and authenticates using a device secret. This identity is established during the initial registration process and stored securely locally (DPAPI/Keychain). It is preserved during agent updates and standard repairs but cleared upon uninstallation or when clone detection triggers re-registration.

3. Key Features & Modules

3.1.1 Manual Installation UI & Workflow (Client Site)

- (Minimal UI functionality) If parameters missing, installer may fail or require post-install configuration.
- If GUI implemented later: requires technician authentication.
- Workflow: select org > select optional location > optional asset tag entry > optional COA details (version, key) entry > triggers registration process.

3.2 Core Agent Management

Check-in & clone detection:

- Agent connects (POST /api/v1/agent/{deviceid}/checkin using deviceid/secret) every 60 seconds. Payload includes current hardware identifiers.
- Backend validation: authenticates agent, retrieves stored HW IDs, compares current HW IDs with stored IDs (logic needs tolerance/tuning for VMs/WinARM).
- Backend response (match): processes check-in, updates devices.last_agent_checkin, returns config/commands (including fast mode toggle).
- Backend response (mismatch): if significant mismatch detected, rejects check-in, responds "hardware mismatch re-register required", does not update last_agent_checkin (admin intervention needed for legitimate HW changes).
- Agent response to mismatch: clears local identity, restarts full registration process (Section 3.1).

Self-update: fetches assigned agentupdatepolicies, downloads/applies updates securely per policy, reports status to agentupdatestatuslog (core service handles update checks based on policy).

Health monitoring: monitors own service status/resources, reports health (devices.agent_health).

Configuration management: downloads/applies assigned agentconfigurations and related policies during check-in.

3.3 Inventory Collection

Schedule: performs a full inventory scan upon installation and then on a regular schedule (e.g., daily, configurable). Detects changes between full scans (delta) and uploads changes frequently (based on polling cycle, Section 3.4). Supports on-demand full sync request from the server. Requires elevated privileges (administrator/root) for comprehensive data access.

Data points: the agent shall collect and report the following categories of data using the specified OS-native methods where applicable. This data populates corresponding server-side tables or JSONB fields after being cached and synchronized locally (see Section 4.1.2).

Hardware:

- System manufacturer (devices). (Win: WMI (Get-CimInstance Win32_ComputerSystem).Manufacturer; Mac: ioreg -rd1 -c IOPlatformExpertDevice | grep manufacturer or system_profiler SPHardwareDataType; Lin: sudo dmidecode -s system-manufacturer)
- System model (devices). (Win: WMI (Get-CimInstance Win32_ComputerSystem).Model; Mac: system_profiler SPHardwareDataType | grep 'Model Name'; Lin: sudo dmidecode -s system-product-name)
- System serial number (devices). (Win: WMI (Get-CimInstance Win32_BIOS).SerialNumber; Mac: system_profiler SPHardwareDataType | grep 'Serial Number'; Lin: sudo dmidecode -s system-serial-number)
- SMBIOS UUID (devices). (Win: WMI (Get-CimInstance Win32_ComputerSystemProduct).UUID; Mac: system_profiler SPHardwareDataType | grep 'Hardware UUID'; Lin: sudo dmidecode -s system-uuid)
- Firmware/BIOS details (devicehardware.bios_info JSONB), including manufacturer, version, release date, Secure Boot status. (Win: PS Confirm-SecureBootUEFI or WMI Win32_SecureBoot; Mac: check SIP status with csrutil status / Startup Security Utility state; Lin: mokutil --sb-state or check /sys/firmware/efi/efivars/secureboot)
- Chassis details (devicehardware.chassis_info JSONB), including manufacturer, type, serial. (Win: WMI Win32_SystemEnclosure; Mac: infer from model; Lin: dmidecode -t chassis, dmidecode -s chassis-*)
- Motherboard details (devicehardware.motherboard_info JSONB), including manufacturer, product name, serial number. (Win: WMI Win32_BaseBoard; Mac: N/A directly; Lin: dmidecode -s baseboard-*)
- CPU details (devicehardware.cpu_details JSONB), including model string, max clock speed, core count, logical processor count, architecture, virtualization support flags. (Win: WMI Win32_Processor; Mac: sysctl machdep.cpu hw; Lin: /proc/cpuinfo, lscpu)
- Memory summary, including total physical RAM, slots used/total (devicehardware). (Win: WMI Win32_ComputerSystem, WMI Win32_PhysicalMemoryArray; Mac: sysctl hw.memsize, system_profiler SPMemoryDataType; Lin: /proc/meminfo, sudo dmidecode -t memory)
- Memory module details, including slot, capacity, type, speed, manufacturer, part number, serial number (devicehardware.ram_details JSONB). (Win: WMI Win32_PhysicalMemory; Mac: system_profiler SPMemoryDataType; Lin: sudo dmidecode -t memory)
- Physical disk details, including model, manufacturer, serial number, firmware, interface type, media type (SSD/HDD), capacity, SMART status, power-on hours, and associated storage controller link ID (physicaldisks). (Methods: Win: WMI Win32_DiskDrive / Get-PhysicalDisk / Get-StorageReliabilityCounter; Mac: system_profiler / diskutil info / smartctl; Lin: lsblk / hdparm / smartctl / nvme)
- Storage controllers: identify installed storage controllers (SATA, NVMe, SCSI, RAID, HBA). Collect name, manufacturer, model (where available), driver version. (Methods: Win: WMI Win32_SCSIController / Win32_IDEController, Get-PnpDevice; Mac: system_profiler SPStorageDataType, etc.; Lin: lspci -k, lsscsi) Stored locally in cache_storage_controllers.
- Network adapter details, including name, description, MAC address, manufacturer, status (up/down), link speed (devicenetworkadapters). (Methods: Win: WMI Win32_NetworkAdapter / Get-NetAdapter; Mac: networksetup / ifconfig; Lin: ip link / lspci / lsusb)
- Video controller details, including name, manufacturer, adapter RAM, WDDM version (Win), DirectX support level (Win), driver version (devicehardware.video_controllers JSONB). (Methods: Win: WMI Win32_VideoController; Mac: system_profiler SPDisplaysDataType; Lin: lspci / glxinfo)
- Sound device details, including name, manufacturer (devicehardware.sound_devices JSONB). (Methods: Win: WMI Win32_SoundDevice; Mac: system_profiler SPAudioDataType; Lin: lspci / aplay -l)
- USB controller details (devicehardware.usb_controllers JSONB). (Methods: Win: WMI Win32_USBController; Mac: system_profiler SPUSBDataType; Lin: lsusb)
- Battery details, including status, capacity, health, runtime estimates (devicebattery). (Methods: Win: WMI Win32_Battery; Mac: ioreg / pmset; Lin: /sys/class/power_supply/BAT*)
- TPM status, including presence, enabled, activated, spec version (devices.configuration JSONB). (Methods: Win: PS Get-Tpm / WMI Win32_Tpm; Mac: Secure Enclave status; Lin: /dev/tpm* / tpm2-tools)
- System firmware type (UEFI) (devicehardware.bios_info JSONB). (Methods: Win: registry / systeminfo / WMI; Mac: assume UEFI; Lin: check /sys/firmware/efi)
- Hardware sensor readings: temperatures (CPU, zones), fan speeds (cache_sensor_readings). (Methods: Win: WMI MSAcpi_ThermalZoneTemperature / Win32_Fan / vendor WMI; Mac: sudo powermetrics / ioreg; Lin: lm-sensors / /sys/class/thermal / /sys/class/hwmon, requires tools/config)
- Device virtualization type: determine and report virtualization status code (1-5). Agent shall perform checks for guest status, platform hypervisor, Hyper-V role (vmms), and common type 2 hypervisors (methods as detailed previously). Stored locally in cache_device_summary.

Operating system:

- OS name, version, build, arch, edition/SKU, install date, last boot time, uptime, language, domain/workgroup membership, domain role (devices, osupgradehistory). (Methods: WMI, registry, sw_vers, uname, /etc/os-release, uptime, etc.)
- OS activation status, partial license key (devicesoftware). (Win: WMI SoftwareLicensingProduct; Mac/Lin: N/A)
- Reboot pending status (devices). (Methods: check Win registry/CBS; Mac/Lin: /var/run/reboot-required)
- System activity state: last input timestamp, screensaver active, session locked (cache_device_summary). (Methods: OS APIs like GetLastInputInfo, SystemParametersInfo, WMI Win32_LogonSession, CGSessionCopyCurrentDictionary, X utils, D-Bus)

Storage:

- Logical disks/volumes, including drive letter/mount point, volume label, file system, total size, free space, relationship to underlying physical storage (parent type/IDs), and is_os_drive flag. Agent shall identify and flag the logical disk containing the running OS (devicelogicaldisks). (Methods: Win: WMI Win32_LogicalDisk, %SystemDrive%, Get-Volume | Get-Partition | Get-Disk; Mac: diskutil list/info, df; Lin: lsblk -f, df, check / mount point) Stored locally in cache_logical_disks.
- Mapped network drives (letter, path, user SID) (mappednetworkdrives). (Methods: Win: WMI Win32_MappedLogicalDisk / net use; Mac/Lin: mount, check user context)
- Disk encryption status (method, state, protectors) (devicediskencryptionstatus). (Methods: manage-bde / WMI Win32_EncryptableVolume, fdesetup / diskutil, cryptsetup) Recovery key handling as per Section 8.1.

Network configuration:

- Network adapter IP config (devicenetworkadapters). (Methods: WMI Win32_NetworkAdapterConfiguration / Get-NetIPConfiguration; Mac: ifconfig / networksetup; Lin: ip addr show)
- Static routes (devicestaticroutes). (Methods: WMI Win32_IP4RouteTable / route print; Mac/Lin: netstat -nr)
- Current wireless connection details and list of visible SSIDs (wirelessnetworks). (Methods: Win: netsh wlan; Mac: airport / system_profiler; Lin: iwconfig / nmcli)
- LLDP/CDP neighbor information (networkconnections). (Requires external daemons/tools)
- Open network ports & PID (deviceopenports). (Methods: netstat, ss, Get-NetTCPConnection)

Hyper-V (Windows only):

- Hyper-V host configuration: if device_virtualization_type = 4, collect detailed host settings: virtual switches, default paths, live migration, storage migration, replication, general settings, virtual SANs. Stored locally in cache_hyperv_* tables. (Methods: WMI root\virtualization\v2 namespace queries: Msvm_VirtualEthernetSwitch, Msvm_VirtualSystemManagementService, Msvm_VirtualSystemMigrationServiceSettingData, Msvm_ReplicationServiceSettingData, Msvm_VirtualSystemManagementServiceSettingData, Msvm_VirtualSan, etc.)
- Hyper-V VM inventory: if device_virtualization_type = 4, collect inventory of guest VMs: name, GUID, state, health, status, CPU count, memory assigned, uptime, guest OS/IPs (via KVP), config path, notes. Stored locally in cache_hyperv_vms. (Methods: WMI root\virtualization\v2: Msvm_ComputerSystem, Msvm_SummaryInformation, Msvm_KvpExchangeComponent, etc.)
- Detailed collection for other hypervisor types (type 5) is post-V1.

Software & services:

- Installed applications (devicesoftware). (Methods: Win: registry uninstall / Get-Package; Mac: /Applications / system_profiler / pkgutil; Lin: dpkg / rpm / snap / flatpak)
- Running services (deviceservices). (Methods: Win: Get-Service / WMI; Mac: launchctl list; Lin: systemctl list-units)
- Running processes (deviceprocesses). (Methods: Win: Get-Process / WMI; Mac: ps aux; Lin: ps aux)
- Startup items (devicestartupitems). (Methods: Win: registry/folders/Task Scheduler; Mac: LaunchAgents/Daemons/login items; Lin: systemd/cron/autostart)
- Device driver information (provider, version, date, signed, associated PnPDeviceID) (cache_drivers). (Methods: Win: WMI Win32_PnPSignedDriver; Mac: system_profiler / kextstat; Lin: lspci -k / lsusb -v / modinfo)
- Running status of known backup services. (Methods: Get-Service, launchctl list, systemctl status)
- Web browser details: browser identification (name, version, path, default), installed extensions (ID, name, version, enabled, user context), key security policy settings. Stored locally in cache_browsers, cache_browser_extensions, cache_browser_config. (Methods: registry, file properties, profile dirs, plists, MDM profiles, package managers)

Local security & configuration:

- Local user accounts (localuseraccounts). (Methods: Win: WMI Win32_UserAccount; Mac: dscl; Lin: /etc/passwd)
- Local groups (localgroups). (Methods: Win: WMI Win32_Group; Mac: dscl; Lin: /etc/group)
- Local group memberships (localgroupmemberships). (Methods: Win: WMI / net localgroup; Mac: dscl; Lin: getent group)
- Local user profile details (path, size, status, last used, password age) (cache_local_user_profiles). (Methods: Win: WMI Win32_UserProfile / Win32_NetworkLoginProfile + size calc; Mac: /Users/* / du / stat / pwpolicy; Lin: /home/* / du / stat / chage)
- Local security/password policy settings (localsecuritypolicysettings). (Methods: Win: secedit /export; Mac: pwpolicy / security; Lin: /etc/login.defs / PAM)
- Detailed audit policy settings (cache_audit_policy). (Methods: Win: auditpol /get; Mac: audit control p; Lin: auditctl -l)
- Windows Firewall profiles & rules configuration (devicefirewallprofiles, devicefirewallrules). (Methods: Win: netsh / Get-NetFirewall*; Mac: socketfilterfw / pfctl; Lin: iptables / nft / ufw)
- EPP/AV status (OS-level visibility for 3rd party) (endpointprotectionstatus). (Methods: Win: WMI SecurityCenter2; Mac/Lin: service/process checks)
- Detailed Microsoft Defender configuration (cache_defender_config). (Methods: Win: PS Get-MpPreference)
- Network shares hosted locally & their share permissions (networkshares, sharepermissions). (Methods: Win: WMI Win32_Share / net share; Mac: sharing / smbutil; Lin: Samba tools/config)
- NTFS permissions (filesystempermissions). (Methods: Win: icacls / Get-Acl; Mac/Lin: ls -le / getfacl if enabled)
- Installed printers (deviceprinters). (Methods: Win: WMI Win32_Printer; Mac/Lin: lpstat -p)
- Monitored registry values (monitoredregistryvalues). (Methods: Win: registry API based on config)
- Scheduled tasks (devicescheduledtasks). (Methods: Win: schtasks / API; Mac: launchctl list; Lin: crontab / systemd timers)

Session info:

- Active user sessions (devicesessions). (Methods: Win: query user / WMI; Mac: who / last; Lin: who / last)

History:

- OS upgrades (osupgradehistory). (Methods: Win: registry/logs; Mac: plist/logs; Lin: package logs)

3.4 Data Polling & Caching Strategy

- Polling cycle: agent performs data collection cycles for inventory, performance snapshots, and security state information.
- Default frequency: every 300 seconds (5 minutes).
- Fast polling mode frequency: every 30 seconds (entered/exited via server command).
- On-demand trigger: supports immediate full data collection via server command (not delta).
- Local caching mechanism (SQLite): uses live and committed table pairs for delta tracking (see Section 4.1).
- Data scope: polling cycle collects data for categories listed under Inventory (3.3), Performance (3.4.1), and Security State (3.5). Event logs and active application tracking use separate mechanisms (3.6, 3.11).

3.4.1 Performance Monitoring Data Collection

- System metrics: collects core system performance metrics (CPU usage %, RAM usage %, disk IOPS/latency/queue length, network adapter throughput) as part of the main polling cycle (300s/30s). Populates deviceperformancesnapshots. (Methods: perfmon, sysctl, iostat, /proc/ stats)
- Process metrics: collects resource usage (CPU, memory, disk/network IO) for running processes as part of the main polling cycle. Populates deviceprocesses. (Methods: WMI, ps, /proc/[pid]/stat)

3.5 Security State Monitoring Data Collection

(Collection follows the polling cycle defined in 3.4.) Collects EPP/AV status (OS-level for 3rd party), detailed Microsoft Defender configuration, firewall status & config/rules, patch status, compliance results, local policy settings, disk encryption status & recovery key (securely handled per 8.1), Secure Boot status. Populates respective tables using methods outlined in 3.3.

3.6 Event Log Monitoring

- Configuration & polling: receives definitions (eventlogdefinitions). Polls configured logs every 300 seconds (configurable).
- Local state tracking: uses cache_eventlog_position locally to track last processed event record ID/marker per source.
- Upload: uploads new, matching events immediately after the polling cycle completes. These events populate the server-side deviceeventlogs table.
- Agent responsibility (data for server dedupe): agent must extract and transmit a unique source instance identifier (e.g., OS event record ID) for each event log entry to the server.

3.7 Real-Time Monitoring (UI Triggered)

Supports entering/exiting "fast polling mode" (30s cycle for data in Sec. 3.4) based on server command received during 60s check-in. Applies to services, processes, battery, performance metrics.

3.8 [Moved to Post-V1]

3.9 Command Execution

- Purpose: allow execution of scripts/commands received from the server.
- Mechanism: agent receives command details from agentcommandqueue during 60s check-in.
- Execution contexts: command payload specifies context. Agent must support:
  - System (default): executes as LocalSystem/root.
  - LoggedInUser: executes as the active logged-in user (requires IPC with user session helper process).
- Execution & timeout: agent initiates process in specified context, enforces timeout from command details (default 300s), attempts termination on timeout.
- Results reporting: agent reports status, exit code, stdout, stderr back to agentcommandqueue.

3.10 Location Detection

Purpose: to determine and report the approximate geographical location of the managed endpoint when the feature is explicitly enabled and OS/user permissions allow.

Activation & control: this feature must be explicitly enabled via server-side policy (e.g., within agentconfigurations or a dedicated policy). If disabled by policy, the agent must not attempt to collect or report location data (beyond the basic external IP geolocation performed server-side). Furthermore, collection relies on OS-level location services, which typically require end-user consent configured via OS privacy settings.

Data collected: when enabled and permitted, the agent shall attempt to collect:

- Latitude (decimal degrees)
- Longitude (decimal degrees)
- Accuracy (estimated radius in meters)
- TimestampUTC (when the location was determined)
- Source method (e.g., 'os gps', 'os wifi', 'os network', 'ip geolocation')

Collection methods & priority: the agent service shall attempt to retrieve location data using the following methods in order of preference:

- OS location services (primary): utilize platform-native location service APIs if available and enabled/permitted by the user (Win: Windows.Devices.Geolocation API; Mac: Core Location framework; Lin: GeoClue service via D-Bus). This can provide varying accuracy based on available hardware (GPS, WiFi positioning, cellular). The agent shall report the accuracy provided by the OS API.
- (Fallback, server-side): if OS location services are unavailable, disabled, or permission is denied, the agent shall not attempt lower-precision methods like browser geolocation itself. Instead, the CommandIT server backend can perform a GeoIP lookup based on the agent's reported external IP address (devices table) as a last resort. This provides only approximate ISP/city-level location.

Frequency: location data collection occurs as part of the main data polling cycle (Section 3.4).

Storage: the most recently collected location data shall be stored server-side (updating fields like devices.last_reported_latitude, devices.last_reported_longitude, devices.last_location_report_timestamp, plus new fields devices.last_location_accuracy_meters, devices.last_location_source). This data is cached locally in cache_device_summary for delta sync.

3.11 Active Application Tracking

- Purpose: monitor and record the foreground application being actively used within each user session. (Note: deployment requires consideration of user privacy.)
- Activation & control: feature activation must be controlled server-side through hierarchical settings (org/location/device). Agent shall receive the final 'enabled' or 'disabled' state via its configuration profile. If disabled, agent must not monitor or upload activity data.
- Monitoring: when enabled, agent monitors foreground window changes for logged-in user sessions.
- Data collected per activity period: application name, process name, window title, URL (best effort for browsers), start time, end time, duration, user session identifier.
- Collection methods: (Win: GetForegroundWindow / GetWindowText / etc., UI Automation; Mac: NSWorkspace / Accessibility APIs; Lin: X11 props / accessibility APIs / Wayland)
- Local storage & upload: buffers records locally in cache_user_activity_log. Uploads periodically in batches. Does not use delta sync.

3.12 Uninstallation (Default Silent)

- Purpose: completely remove agent suite and configuration.
- Commands: platform-specific (agent.exe uninstall, uninstall.sh). Requires admin/root.
- Behavior: stops/deregisters services. Removes files/dirs, registry/plists, including identity (deviceid/secret). Attempts best-effort API de-registration. Optional: preserve logs. Uses standard return codes. Logs locally.

3.13 Repair

- Purpose: reset local caches/state without full reinstall/re-registration.
- Command: platform-specific (agent.exe repair [wipe data]). Requires admin/root.
- Behavior:
  - Standard: clears config cache (forces re-download).
  - Wipe data: also clears local operational state/queues (committed tables, outbound queue), forcing full data sync.
  - Preserves identity (deviceid/secret). Logs action locally.

4. Data Handling

4.1 Local SQLite Cache Structure

4.1.1 Agent Configuration & Identity

cache_agent_config (key/value store; excludes raw device secret)

4.1.2 Delta Synchronization Cache (live/committed pairs)

Purpose: to track changes in inventory, status, and configuration data collected during polling cycles (defined in Section 3.3) and upload only the differences (deltas) to the server.

Mechanism: for each relevant data category, two tables with identical schemas exist: cache_[category]_live and cache_[category]_committed.

- Live tables contain the results of the most recent data collection poll for that category. This table is overwritten or updated during each poll.
- Committed tables contain the data state that was last successfully synchronized with the CommandIT server.

Delta process:

- Agent polls data and populates the live table(s).
- Agent compares live data against committed data. Differences (new, changed, deleted records) constitute the delta payload.
- Agent uploads the delta payload via the API.
- Upon server confirmation of successful upload, the agent replaces the content of the committed table(s) with the content of the live table(s).

Full sync process: a full resync is triggered daily (scheduled) or on demand by clearing the relevant committed tables. This forces the next comparison to treat all current live data as new, resulting in a full upload for that category. (Event log tracking uses a separate mechanism and is excluded from this clearing process.)

Conceptual delta tables (includes all V1 items):

- cache_device_summary_live/_committed (incl. activity state, virtualization_type)
- cache_hardware_summary_live/_committed (incl. Secure Boot, TPM, UEFI status)
- cache_ram_modules_live/_committed
- cache_physical_disks_live/_committed (incl. power-on hours, storage_controller_link_id)
- cache_logical_disks_live/_committed (incl. is_os_drive, parent_type, parent_identifiers)
- cache_network_adapters_live/_committed (incl. manufacturer)
- cache_installed_software_live/_committed
- cache_local_users_live/_committed (incl. derived password flags)
- cache_local_groups_live/_committed
- cache_local_group_members_live/_committed
- cache_local_user_profiles_live/_committed (incl. size, status, last used, password age)
- cache_printers_live/_committed
- cache_shares_live/_committed
- cache_share_permissions_live/_committed
- cache_firewall_profiles_live/_committed
- cache_firewall_rules_live/_committed
- cache_epp_status_live/_committed (incl. configuration_details JSONB for Defender)
- cache_disk_encryption_live/_committed (excludes encrypted key, status only)
- cache_patch_status_live/_committed
- cache_compliance_results_live/_committed
- cache_startup_items_live/_committed
- cache_sessions_live/_committed
- cache_static_routes_live/_committed
- cache_mapped_drives_live/_committed
- cache_monitored_registry_live/_committed
- cache_battery_info_live/_committed
- cache_os_history_live/_committed
- cache_sensor_readings_live/_committed
- cache_drivers_live/_committed (incl. pnp_device_id)
- cache_browsers_live/_committed
- cache_browser_extensions_live/_committed
- cache_browser_config_live/_committed
- cache_audit_policy_live/_committed
- cache_storage_controllers_live/_committed
- cache_hyperv_host_config_live/_committed
- cache_hyperv_virtual_switches_live/_committed
- cache_hyperv_virtual_sans_live/_committed
- cache_hyperv_lm_networks_live/_committed
- cache_hyperv_vms_live/_committed

4.1.3 Event Log State

cache_eventlog_position (PK log_source_identifier, last_record_id, last_event_timestamp)

4.1.4 Outbound Data Queue

cache_outbound_queue (PK queue_id, payload_type, payload BLOB, added_timestamp, retry_count). Sensitive data in payload must be encrypted per Section 8.1.

4.1.5 User Activity Log Buffer

cache_user_activity_log (PK activity_log_id, user_session_identifier, application_name, process_name, window_title, url, start_time_utc, end_time_utc, duration_seconds, upload_status). (Does not use delta sync.)

4.2 Agent Local Cache Pruning and Management

To maintain performance and prevent excessive disk usage, the agent must manage its cache.

cache_outbound_queue management: apply limits (whichever is reached first):

- Age limit: prune data older than configurable limit (default 14 days).
- Size limit: prune oldest data (FIFO) if total cache size exceeds configurable limit (default 250 MB).

cache_user_activity_log management: apply limits (whichever is reached first):

- Age limit: prune data older than configurable limit (default 3 days).
- Size limit: prune oldest data (FIFO) if table size exceeds configurable limit (default 100 MB).

4.3 Notes on Server-Side Event Log Deduplication

While the agent uses cache_eventlog_position to avoid reprocessing events during normal operation, the ultimate safeguard against duplicate event entries in the CommandIT platform (especially after an agent reinstall, cache issues, or log rollovers) resides on the server side. The CommandIT server backend must utilize the combination of the reporting agent's device ID and the unique source event record ID (provided by the agent with each event) to check for existing entries before inserting new records into the deviceeventlogs table. Matching entries based on this composite key should be discarded as duplicates.

5. Configuration

Agent configured primarily via server policies (agentconfigurations, monitoringpolicies, etc.) fetched during check-in. Server policies control feature enablement (including evaluating hierarchical settings for features like Active Application Tracking), polling intervals, monitoring targets, update policies, log levels, and other operational parameters. The agent shall apply the effective configuration state received from the server.

6. Performance & Resource Management

- Target low baseline resource usage (e.g., <2% avg CPU, <200 MB RAM).
- Resource-intensive scans (inventory, patch status, compliance, FIM, PII, detailed profile size/NTFS perms, audit policy) must be throttled and/or scheduled via server policy to minimize user impact.
- Agent activity tracking must also be efficient.
- Agent monitors own resource usage.

7. Error Handling & Logging

- Retry mechanisms for transient network/API errors.
- Local file-based, rotating logs with configurable level (agentconfigurations.log_level).
- Reports critical errors to the server.
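
The delta process in section 4.1.2 hinges on one ordering rule: committed is replaced only after the server confirms the upload, so a failed upload produces the same delta on the next cycle. The sketch below is an added example, not CommandIT code; it models the live/committed pair with in-memory maps instead of SQLite tables, and the `Row`, `Table`, `Delta`, `Sync` and `ForceFullSync` names, the serial-number key and the sample rows are all assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Row is one cached record (column name -> value). Table models one
// cache_[category]_live or _committed table, keyed by a stable natural key
// (assumed here: the physical disk serial number).
type Row map[string]string
type Table map[string]Row

// Delta lists the record keys that make up the upload payload.
type Delta struct{ New, Changed, Deleted []string }

func (d Delta) Empty() bool { return len(d.New)+len(d.Changed)+len(d.Deleted) == 0 }

func rowsEqual(a, b Row) bool {
	if len(a) != len(b) {
		return false
	}
	for col, v := range a {
		if other, ok := b[col]; !ok || other != v {
			return false
		}
	}
	return true
}

// ComputeDelta compares the latest poll (live) with the last state the
// server acknowledged (committed).
func ComputeDelta(live, committed Table) Delta {
	var d Delta
	for key, row := range live {
		if old, ok := committed[key]; !ok {
			d.New = append(d.New, key)
		} else if !rowsEqual(row, old) {
			d.Changed = append(d.Changed, key)
		}
	}
	for key := range committed {
		if _, ok := live[key]; !ok {
			d.Deleted = append(d.Deleted, key)
		}
	}
	sort.Strings(d.New)
	sort.Strings(d.Changed)
	sort.Strings(d.Deleted)
	return d
}

// Sync uploads the delta and promotes live to committed only after the
// upload callback reports success. On failure committed is left untouched,
// so the same delta is produced again on the next cycle.
func Sync(live Table, committed *Table, upload func(Delta) error) (Delta, error) {
	d := ComputeDelta(live, *committed)
	if d.Empty() {
		return d, nil
	}
	if err := upload(d); err != nil {
		return d, fmt.Errorf("delta not committed: %w", err)
	}
	next := make(Table, len(live))
	for key, row := range live {
		copied := make(Row, len(row))
		for col, v := range row {
			copied[col] = v
		}
		next[key] = copied
	}
	*committed = next
	return d, nil
}

// ForceFullSync clears committed so every live record is reported as new.
func ForceFullSync(committed *Table) { *committed = Table{} }

func main() {
	// Constructed sample data, not real inventory.
	committed := Table{
		"SN-A": {"model": "disk-a", "smart": "ok"},
		"SN-B": {"model": "disk-b", "smart": "ok"},
	}
	live := Table{
		"SN-A": {"model": "disk-a", "smart": "failing"},
		"SN-C": {"model": "disk-c", "smart": "ok"},
	}
	offline := func(Delta) error { return errors.New("server unreachable") }
	d, err := Sync(live, &committed, offline)
	fmt.Printf("failed upload: %+v err=%v\n", d, err)
	d, err = Sync(live, &committed, func(Delta) error { return nil })
	fmt.Printf("confirmed upload: %+v err=%v\n", d, err)
	fmt.Printf("next cycle empty: %v\n", ComputeDelta(live, committed).Empty())
}
```

Because committed is a deep copy of live, a later poll that mutates live rows cannot silently change what the agent believes the server already holds.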
8. Security Considerations

8.1 Handling of Highly Sensitive Data (Recovery Keys)

The agent is required to collect BitLocker/FileVault recovery keys where possible. Due to extreme sensitivity, these handling procedures must be strictly implemented:

8.1.1 Immediate asymmetric encryption: recovery keys must be encrypted immediately upon collection using asymmetric cryptography before caching or transmission.

8.1.2 Server-provided public key: encryption must use a public key provided securely by the CommandIT server.

8.1.3 No unencrypted caching or logging: raw recovery keys must never be written unencrypted to the local cache or log files. Only encrypted blobs are queued/stored temporarily.

8.1.4 Secure transmission: uploads containing encrypted keys must use validated TLS 1.2+.

8.2 General Security

- Secure enrollment (embedded MSP ID + org/loc validation; technician auth for manual).
- Secure communication (TLS) authenticated via unique deviceid/secret.
- Agent identity (secret) stored securely locally (DPAPI/Keychain).
- Agent process hardening and file protection required.
- Requires elevated privileges (SYSTEM/root) but uses least privilege for specific tasks where feasible.
- Secure handling/retrieval of any credentials needed for local integrations.

8.3 Privacy Considerations for Activity Tracking

The Active Application Tracking feature (Section 3.11) collects detailed usage information. Deployment must comply with local privacy regulations and organizational policies. Clear communication/consent may be required. This specification does not include screenshot capture or keystroke logging functionality.

9. Platform Support

- Windows: 10, 11, Server 2016, 2019, 2022+ (32-bit and 64-bit x86_64; 64-bit ARM64). (Note: feature parity, especially for deep hardware/driver details, requires specific testing on ARM64.)
- macOS: latest 3 major versions (supporting both Intel (x86_64) and Apple Silicon (ARM64) architectures via universal binary). (Note: specific data collection methods for sensors, firmware, drivers, etc., require distinct implementations for Intel vs Apple Silicon.)
- Linux: Ubuntu LTS 18.04+, RHEL/CentOS/Rocky 7+, Debian 10+ (64-bit x86_64). (Note: requires common utilities like dmidecode, lsblk, iproute2. Tools like lm-sensors, smartctl, mokutil may be needed for full data collection and might require installation/configuration.)
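
One way to meet the recovery-key rules in section 8.1 (encrypt immediately with a server-provided public key, queue only ciphertext) is shown below as an added example, not CommandIT code. The specification only says "asymmetric cryptography"; RSA-OAEP with SHA-256, the 2048-bit minimum, the use of the device ID as the OAEP label, and the names `QueueItem`, `SealRecoveryKey`, `OpenOnServer` and `DemoServerKeyPair` are assumptions, and the key pair and recovery key are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// QueueItem stands in for one outbound queue row; Payload only ever holds
// ciphertext.
type QueueItem struct {
	PayloadType string
	Payload     []byte
}

// ParseServerPublicKey loads the server-provided key and rejects anything
// that is not an RSA key of at least 2048 bits (assumed minimum).
func ParseServerPublicKey(pemBytes []byte) (*rsa.PublicKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, errors.New("expected a PEM PUBLIC KEY block")
	}
	parsed, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	pub, ok := parsed.(*rsa.PublicKey)
	if !ok || pub.N.BitLen() < 2048 {
		return nil, errors.New("server key must be RSA with at least 2048 bits")
	}
	return pub, nil
}

// SealRecoveryKey encrypts the raw key before anything else touches it and
// zeroes the caller's buffer on return, so no plaintext copy is left for the
// cache or the log path. The device ID is used as the OAEP label, which ties
// the blob to the reporting device.
func SealRecoveryKey(pub *rsa.PublicKey, deviceID string, recoveryKey []byte) (QueueItem, error) {
	defer func() {
		for i := range recoveryKey {
			recoveryKey[i] = 0
		}
	}()
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, recoveryKey, []byte(deviceID))
	if err != nil {
		return QueueItem{}, fmt.Errorf("seal recovery key: %w", err)
	}
	return QueueItem{PayloadType: "recovery_key_sealed", Payload: ct}, nil
}

// OpenOnServer is the server-side counterpart, included only so the example
// can be checked end to end; the agent never holds the private key.
func OpenOnServer(priv *rsa.PrivateKey, deviceID string, item QueueItem) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, item.Payload, []byte(deviceID))
}

// DemoServerKeyPair generates a throwaway key pair that plays the server's
// role in this example.
func DemoServerKeyPair() (*rsa.PrivateKey, []byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, nil, err
	}
	return priv, pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

func main() {
	priv, pubPEM, err := DemoServerKeyPair()
	if err != nil {
		panic(err)
	}
	pub, err := ParseServerPublicKey(pubPEM)
	if err != nil {
		panic(err)
	}
	// Constructed value in BitLocker's 8x6-digit layout, not a real key.
	raw := []byte("111111-222222-333333-444444-555555-666666-777777-888888")
	item, err := SealRecoveryKey(pub, "device-A", raw)
	if err != nil {
		panic(err)
	}
	fmt.Println("queued bytes:", len(item.Payload))
	fmt.Println("plaintext in payload:", bytes.Contains(item.Payload, []byte("111111")))
	opened, err := OpenOnServer(priv, "device-A", item)
	fmt.Println("server recovered key:", err == nil && len(opened) == 55)
}
```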