Endpoint compliance,
without the overhead.
A lightweight background agent validates hardware identity, resource headroom, running processes, and VPN state — then reports compliance against your versioned policy. No per-device configuration. No manual audits.
Enrollment in three steps
Generate enrollment code
Admin generates a short-lived code in the dashboard and distributes it via MDM or email.
Agent exchanges code
Agent presents the code to the posture API and receives a signed JWT bound to its hardware identity.
Periodic reports
Agent submits posture snapshots on a configurable schedule. Results appear in the admin device list immediately.
What gets checked
Hardware-Backed Identity
Agents enroll using TPM 2.0 where available — EK chain validation plus a credential activation challenge ensures the identity is bound to physical hardware. SMBIOS UUID and software fallbacks cover non-TPM devices.
Downgrade Attack Prevention
Once a device is enrolled at a higher identity tier (e.g. TPM), re-enrollment at a lower tier is rejected unless an admin explicitly approves a force-downgrade. This prevents spoofing via software-only re-enrollment.
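A minimal sketch of the tier check described above, added here as an illustration and not taken from the product's code. The tier ordering (TPM above SMBIOS UUID above software), the single-use approval flag, the stable device record ID, and all class and method names are assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict


class Tier(IntEnum):
    # Assumed ordering: a higher value means a stronger hardware binding.
    SOFTWARE = 1
    SMBIOS_UUID = 2
    TPM = 3


@dataclass
class Device:
    device_id: str                          # assumed stable record ID
    tier: Tier                              # highest tier currently trusted
    force_downgrade_approved: bool = False  # set by an admin, single use


class EnrollmentRegistry:
    """Hypothetical server-side record of each device's identity tier."""

    def __init__(self) -> None:
        self._devices: Dict[str, Device] = {}

    def approve_force_downgrade(self, device_id: str) -> None:
        # Admin action: allow exactly one lower-tier re-enrollment.
        self._devices[device_id].force_downgrade_approved = True

    def tier_of(self, device_id: str) -> Tier:
        return self._devices[device_id].tier

    def enroll(self, device_id: str, presented: Tier) -> str:
        current = self._devices.get(device_id)
        if current is None:
            self._devices[device_id] = Device(device_id, presented)
            return "enrolled"
        if presented < current.tier and not current.force_downgrade_approved:
            # Weaker identity evidence than already on record: refuse,
            # and leave the stored tier untouched.
            return "rejected: downgrade"
        downgraded = presented < current.tier
        current.tier = presented
        # Consume the approval so it cannot be replayed or left dangling.
        current.force_downgrade_approved = False
        return "re-enrolled: approved downgrade" if downgraded else "re-enrolled"
```

The rejection path leaves the stored tier unchanged, so a failed software-only attempt cannot weaken the record; logging each rejection gives admins a signal that a device identity may be under attack.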
Versioned Policy Engine
Compliance policies are stored in DynamoDB with full version history. Agents fetch the current policy at report time. Admins can update policy without touching endpoints — changes take effect on the next check-in.
Posture Evaluation
Each report is evaluated against the active policy and produces a status: Compliant, Non-Compliant, Warning, or Unknown. Results flow into the admin dashboard alongside network test scores.
Process & Resource Checks
The agent captures CPU headroom, available RAM, active network adapters, and a process inventory. Policy rules can flag required or prohibited processes, for example to enforce that conferencing software is running before a call.
VPN Detection
Every posture report includes VPN state detection. Admins can write policies that require VPN for remote workers or flag VPN-on paths that are known to degrade call quality.
Compliance at a glance
Every device gets a clear status after each report.