Endpoint agent overview

The OnTrackio endpoint agent is a small companion app that runs on employee Macs and Windows laptops, reporting each machine's hardware specs and installed software back to your workspace. It turns the hardware and software registers from records you maintain by hand into records the platform can verify against what employees actually run. This page explains what the agent is and the choices behind it; the how-to guides linked throughout cover deployment, enrolment, and the fleet view.

You reach the fleet at Admin → Agent fleet, where every paired device appears with its last-seen time, OS, and reported specs.

:::note Before you begin
The agent is optional. The registers work fully without it — you can add, assign, and track any asset by hand. The agent enriches the part of your fleet that runs software; it does not replace the registers.
:::

What the agent is for

Most asset data goes stale the moment you record it. A laptop gets a RAM upgrade, an employee installs a new design tool, a machine quietly drops off the network — and a hand-kept register never finds out. The agent closes that gap for managed laptops by reporting three things on a schedule:

| Reports | What | Cadence |
|---|---|---|
| Hardware spec | Manufacturer, model, serial, CPU, RAM, storage | Probed once per boot, sent on each heartbeat |
| Installed apps | The full list of installed applications at report time | Once per day |
| App usage | A per-app daily boolean — used today or not | Once per day |

Everything else about an asset — its place in the lifecycle, who it's assigned to, what it cost — stays an admin decision. The agent observes; it never reassigns, retires, or edits a record on its own.

Design constraints

The agent is built around four commitments, because an endpoint agent that employees distrust gets uninstalled — and an uninstalled agent reports nothing.

| Principle | What it means |
|---|---|
| Transparent | An always-visible tray icon links straight to the employee's own transparency page at /my/agent, where they see exactly what's collected. |
| Removable | Installs and uninstalls cleanly through Intune Company Portal. Uninstall tells the server first, so the fleet view matches reality immediately. |
| Minimal telemetry | Per-app usage is a daily yes/no — no minute-level tracking, no browser history, no URLs, no keystrokes, no screenshots. |
| Small footprint | A single compiled binary, no Electron and no runtime dependencies, roughly 8 MB on disk and near-zero CPU at rest. It samples the foreground app about once a minute. |

:::tip Privacy is a product feature here, not a footnote
The narrow telemetry is deliberate. The agent answers IT's questions — what hardware do we have, what's installed, what's actually used — without becoming surveillance. For the exact, exhaustive list of every field, see what data is collected.
:::

How a device joins your workspace

The agent uses a one-time pairing code to establish trust, then signs every later request with a key it never transmits again. The flow is deliberately employee-driven so a device only ever pairs to the person actually holding it.

  1. Intune installs the agent silently on a managed laptop, and a tray icon appears.
  2. The employee opens Pair with account from the tray, which opens a browser to their My → My device page at /my/agent.
  3. The employee signs in and generates a short pairing code.
  4. The agent trades that code at the enroll endpoint for a device_id and a private signing_key. The code is single-use and the key is stored in the OS secret store — macOS Keychain or Windows Credential Manager — never on disk in the clear.
  5. From then on the agent sends one heartbeat roughly every 6 hours and one usage report each day at 02:00 local time, each one HMAC-signed with the key from step 4.

:::note The pairing code is the credential
Enrolment is the only unauthenticated step, so the platform throttles it hard against guessing. Every request after enrolment carries an X-Agent-Signature HMAC-SHA256 header, and an unsigned or wrongly-signed call is rejected. There is no password and no API token on the device — the signing key does all the work.
:::

Why HMAC-signed requests

The agent talks to the same hostname your team uses, but it isn't a person with a login. Each request is signed with a key shared only between that one device and the server, so the server can prove a report came from a specific enrolled machine and was not tampered with in transit. Revoking a device clears its key server-side, so the server silently and immediately stops accepting anything signed with it — no password to rotate, no token to expire.

The exact bytes that go into the signature are part of the agent-to-server contract and are documented with the API, so anyone building a client against it can match the server's verification precisely.
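The pairing flow and the signed-request check described above, as an added example that is not OnTrackio's code: a small in-memory simulation of both the agent and the server. The single-use pairing code, the device_id and signing_key pair, the X-Agent-Signature header, the rejection of unsigned or wrongly-signed calls, and revocation by clearing the key server-side all follow the page. The canonical string that is signed (method, path, timestamp, SHA-256 of the body), the X-Agent-Timestamp header, the /agent/heartbeat path and the 300-second replay window are assumptions made here, since the real byte layout is documented with the API.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory server state (the real platform persists this).
PAIRING_CODES = {}      # pairing code -> employee; entry is removed when used
DEVICES = {}            # device_id -> {"employee": str, "key": bytes, or None once revoked}
MAX_SKEW_SECONDS = 300  # assumed replay window, not a value from the page


def issue_pairing_code(employee):
    """Step 3: a signed-in employee generates a short single-use code."""
    code = f"{secrets.randbelow(10**6):06d}"
    PAIRING_CODES[code] = employee
    return code


def enroll(code):
    """Step 4: trade the code for a device_id and signing_key.
    Returns None for an unknown or already-used code."""
    employee = PAIRING_CODES.pop(code, None)  # pop() is what makes the code single-use
    if employee is None:
        return None
    device_id = secrets.token_hex(8)
    signing_key = secrets.token_bytes(32)
    DEVICES[device_id] = {"employee": employee, "key": signing_key}
    return device_id, signing_key  # the agent keeps signing_key in the OS secret store


def canonical_string(method, path, timestamp, body):
    """ASSUMED layout of the bytes that get signed. Hashing the body keeps the
    string small while still binding the whole payload to the signature."""
    return f"{method}\n{path}\n{timestamp}\n{hashlib.sha256(body).hexdigest()}".encode()


def sign_request(signing_key, method, path, timestamp, body):
    """Agent side: the X-Agent-Signature value for one request."""
    msg = canonical_string(method, path, timestamp, body)
    return hmac.new(signing_key, msg, hashlib.sha256).hexdigest()


def verify_request(device_id, headers, method, path, body, now):
    """Server side: accept only a fresh, correctly signed request from an
    enrolled, non-revoked device. Returns (accepted, reason)."""
    device = DEVICES.get(device_id)
    if device is None or device["key"] is None:
        return False, "unknown or revoked device"
    sig = headers.get("X-Agent-Signature")
    ts = headers.get("X-Agent-Timestamp")
    if sig is None or ts is None:
        return False, "unsigned request"
    if not ts.isdigit() or abs(now - int(ts)) > MAX_SKEW_SECONDS:
        return False, "timestamp malformed or outside replay window"
    expected = hmac.new(device["key"], canonical_string(method, path, int(ts), body),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return False, "bad signature"
    return True, "ok"


def revoke(device_id):
    """Clear the key server-side; anything signed with it is rejected from now on."""
    if device_id in DEVICES:
        DEVICES[device_id]["key"] = None


def demo(now=1_700_000_000):
    """Walk the flow once with a constructed heartbeat body; returns each outcome."""
    results = {}
    code = issue_pairing_code("alice@example.com")    # constructed employee
    device_id, key = enroll(code)
    results["code_reuse"] = enroll(code)               # None: the code is single-use
    path = "/agent/heartbeat"                          # assumed endpoint path
    body = b'{"cpu": "Apple M2", "ram_gb": 16}'        # constructed hardware report
    headers = {"X-Agent-Timestamp": str(now),
               "X-Agent-Signature": sign_request(key, "POST", path, now, body)}
    results["signed"] = verify_request(device_id, headers, "POST", path, body, now)[0]
    results["unsigned"] = verify_request(device_id, {}, "POST", path, body, now)[0]
    results["tampered"] = verify_request(device_id, headers, "POST", path,
                                         body.replace(b"16", b"64"), now)[0]
    results["replayed"] = verify_request(device_id, headers, "POST", path, body, now + 3600)[0]
    revoke(device_id)
    results["after_revoke"] = verify_request(device_id, headers, "POST", path, body, now)[0]
    return results
```

Calling `demo()` exercises the whole lifecycle: the second `enroll` with the same code fails, a correctly signed heartbeat is accepted, an unsigned, tampered or replayed one is not, and after `revoke` the same valid signature is refused because there is no longer a key to check it against.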

How the agent fits the rest of the platform

The agent is a second, independent source of truth that reconciles against the records you keep by hand. Where the two overlap, the serial number is the join.

Hardware register

From a device's page in the fleet, you link it to a hardware record. The platform matches on serial number — reusing the existing record if one already carries that serial, or creating a new one if not — and refreshes specs like CPU, RAM, and storage from what the machine actually reports. The link is a deliberate admin action, because the agent can't tell whether a laptop is a personal device, a loaner, or already in the register under a different serial. Because the employee proved possession by pairing the agent from their own laptop, that link also stands in for the manual "I received this" acknowledgement.

Software register

A device's installed-apps report can be matched against your curated software catalog in one action. Recognised applications become software assignments for the device's owner; anything not in the catalog is listed back to you so you can decide whether to add it. Matching keys off each app's identifier first and falls back to a normalised name, so common products line up without manual tagging.
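The matching rule just described (identifier first, then a normalised name, with everything else listed back to the admin), as an added example that is not OnTrackio's matcher. The catalog entries, the installed-apps report and the normalisation rule (lower-case, drop a trailing version or parenthesised suffix, strip non-alphanumerics) are all constructed here; the page does not specify how names are normalised.

```python
import re

# Constructed curated software catalog: identifier plus display name.
CATALOG = [
    {"id": "com.figma.Desktop", "name": "Figma"},
    {"id": "com.microsoft.VSCode", "name": "Visual Studio Code"},
    {"id": "com.google.Chrome", "name": "Google Chrome"},
]

# Constructed installed-apps report from one device. Windows entries often
# lack a bundle-style identifier, hence the missing "id" on the second row.
INSTALLED_REPORT = [
    {"id": "com.figma.Desktop", "name": "Figma"},
    {"name": "Visual Studio Code (x64)"},
    {"id": "com.google.Chrome", "name": "Google Chrome 120.0"},
    {"id": "com.example.unknown", "name": "Sketch 99"},
]


def normalise(name):
    """Assumed normalisation: lower-case, drop a trailing version number or
    parenthesised suffix such as "(x64)", then keep only letters and digits."""
    name = name.lower().strip()
    name = re.sub(r"\s*(\(.*?\)|v?\d[\d.]*)$", "", name)
    return re.sub(r"[^a-z0-9]+", "", name)


def match_report(report, catalog=CATALOG):
    """Return (assignments, unrecognised): assignments pair the reported app
    name with the catalog identifier it resolved to; unrecognised lists the
    names that matched nothing, for the admin to decide about."""
    by_id = {entry["id"]: entry for entry in catalog}
    by_name = {normalise(entry["name"]): entry for entry in catalog}
    assignments, unrecognised = [], []
    for app in report:
        entry = by_id.get(app.get("id", ""))          # identifier match first
        if entry is None:
            entry = by_name.get(normalise(app["name"]))  # fall back to normalised name
        if entry is None:
            unrecognised.append(app["name"])
        else:
            assignments.append((app["name"], entry["id"]))
    return assignments, unrecognised
```

Run against the constructed report, Figma and Chrome resolve on identifier alone (the version suffix on Chrome never matters), the Windows VS Code entry resolves only through the name fallback, and Sketch comes back in the unrecognised list rather than being silently dropped.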

People

A paired device is tied to the employee who paired it, so their profile shows the laptop they hold and the laptop shows who holds it. That two-way link is what makes the agent useful at offboarding: a revoked device drops out of the fleet, and the registers it fed stay intact for the audit trail.

The fleet view and device states

The Agent fleet lists every paired device. You can search by hostname or person, filter by OS, show only active devices, and surface stale ones — anything not seen in more than 14 days, which usually means an uninstall or a machine that's been offline.

| State | Meaning |
|---|---|
| Active | Enrolled and reporting normally. |
| Stale | No heartbeat in more than 14 days — possibly uninstalled, or offline for leave. Worth a look, not automatically a problem. |
| Revoked | Cut off by an admin or by the agent's own uninstall. Its signing key is cleared, so the server accepts nothing further from it. |

Revoking always records a reason and writes to the audit log, so the fleet doubles as evidence that a departing employee's machine was de-provisioned.

Distributing the installer

The agent ships as a signed installer per platform — a notarized .pkg for macOS and a signed .msi for Windows — built and uploaded by IT, then deployed through Intune. Admins manage the published builds under Admin → Agent fleet, marking one version per OS as current. Employees download the current build for their OS from their My → My device page; the download is served through an authenticated stream, so nobody outside your workspace can fetch it by guessing a URL.

| Platform | Installer | Deploy as |
|---|---|---|
| macOS | Notarized .pkg | Intune line-of-business app, assigned Required |
| Windows | Signed .msi (wrapped as a Win32 app) | Intune Win32 app, assigned Required |

Limitations and trade-offs

| Boundary | What it means |
|---|---|
| Managed laptops only | The agent covers Macs and Windows laptops deployed through Intune. Monitors, docks, phones, and BYOD machines without the agent live in the register because you added them — the register is the complete picture, the agent enriches part of it. |
| Specs are as fresh as the last report | A device's specs are only as current as its most recent heartbeat. A machine that's offline or uninstalled keeps its last-known values until it reports again or you revoke it. |
| No live tracking | The agent reports inventory and a daily usage signal, not real-time location or minute-by-minute activity. It cannot tell you where a laptop physically is, only what it last reported. |
| Pause is uninstall | There is no in-app pause. The documented way for an employee to stop reporting is to uninstall through Company Portal, which revokes the device cleanly. |