Service Management

This guide explains how the agent stays healthy on the endpoint - the service model, tamper resistance, offline behaviour, and how it keeps itself current.

Service and watchdog

The agent runs as a Windows service with a companion watchdog. If one is disrupted, the other helps bring it back, so the agent keeps enforcing policy and checking in even after crashes or restarts.

Tamper resistance

The agent is built to resist local tampering - registry protections and service hardening make it difficult for a standard user to disable enforcement. This is why removal requires the uninstall credential when one is set.

Offline fail-closed

Restrictions don't depend on a live connection to the console. Where configured, the agent fails closed after a set period offline, so a device that loses connectivity keeps enforcing its policy rather than drifting open.

Staying current

The agent can update itself silently in the background so your fleet stays on a current build without manual reinstalls. The desktop Agent Console updates separately - see the upgrade guide for how the two differ.

Frequently asked questions

What happens if a device goes offline?

It keeps enforcing its assigned policy. If fail-closed is configured, enforcement tightens after the offline period you set.

Can a user just stop the service?

The agent is tamper-resistant, with a watchdog and registry protections that make casual disabling difficult. Removal requires the uninstall credential when set.

Do I have to update agents manually?

No. The agent can self-update silently. The desktop Agent Console is updated through its own separate download.

Something not behaving?

The troubleshooting guide walks through check-in failures, restrictions that don't apply, and console connectivity.