
Device Agent

The Matproof Device Agent is a lightweight tray application that runs on each user’s machine and reports endpoint compliance evidence to your Matproof organization. It produces evidence for ISO 27001 (A.8.8), SOC 2 (CC7.1), HIPAA (164.308), NIS 2 (Art. 21), DORA (Art. 9), and PCI DSS (6.3.1) — without needing a separate MDM product.

What the Agent Checks

Every hour, the agent runs 10 native compliance checks on the host machine. The descriptions below are for macOS, where the agent is generally available.

Check                          What it verifies
Disk encryption                FileVault is enabled on the boot volume
Antivirus                      XProtect / built-in malware protection is active
Password policy                Minimum length and complexity meet your policy
Screen lock                    Screen lock is enabled with an acceptable timeout
Firewall                       Application Firewall is enabled
OS patch freshness             macOS version is supported and current
Antivirus signature freshness  XProtect definitions are recent
Backup                         A backup destination is configured and recent
MDM enrollment                 Device is enrolled in MDM (if your org requires it)
Idle-lock verified             The screen actually locks after the configured timeout (not just configured to)
Every 6 hours, the agent additionally captures a software inventory of installed applications via system_profiler. The inventory feeds CVE matching (see below).

CVE Matching (Tier 3A)

The agent’s installed-app inventory is joined against the NVD CVE database by Matproof’s API. For around 30 high-impact applications (browsers, communication tools, dev runtimes, IDEs, containerization), Matproof maintains a curated CPE map that converts each installed name and version into a precise CPE identifier and queries the NVD for known vulnerabilities affecting that version; applications outside the map are inventoried but not matched. The result:
  • A vulnerableAppsCount per device on the device list
  • Evidence rows automatically created on the relevant control (installed_apps evidence)
  • Findings raised for high or critical CVEs affecting devices in your fleet
  • 24-hour cache to stay within NVD’s rate limits
This provides the endpoint vulnerability-management evidence called for by ISO 27001 A.8.8, SOC 2 CC7.1, NIS 2 Art. 21, DORA Art. 9, and PCI DSS 6.3.1. Because only applications in the curated map are matched, treat it as one input to your vulnerability management process rather than a complete endpoint scan.

Platform Support

OS                                               Status               Architecture
macOS 12+ (Monterey, Ventura, Sonoma, Sequoia)   Generally available  Intel x64, Apple Silicon arm64
Windows 10 / 11                                  Beta                 x64
Linux                                            Roadmap              n/a
macOS builds are code-signed and notarized with the Matproof Apple Developer ID, and the notarization ticket is stapled before distribution. If you download a DMG by hand rather than through the portal, confirm the signature and notarization with Apple's codesign and spctl tools before installing it.

System Requirements

Requirement   Minimum
macOS         12 (Monterey)
Windows       10
Memory        256 MB RAM available
Disk          200 MB
Network       Outbound HTTPS to agents.matproof.com and api.matproof.com

Installation

1. Download the installer

From your Matproof portal, navigate to People > [Your User] > Devices and click Install Device Agent. The portal serves the right DMG (Intel or Apple Silicon) automatically. Direct DMG link: https://agents.matproof.com/installers/Matproof-Device-Agent-{version}-{arch}.dmg

2. Run the installer

On macOS, open the DMG and drag Matproof Device Agent to Applications. Launch it once from Applications to register the tray icon.

3. Pair the agent with your account

The agent opens your default browser to the Matproof portal pairing page. Sign in (if you aren’t already), and the portal returns a one-shot code to the agent over localhost. The agent registers with your organization automatically.

4. First check-in

Within 60 seconds the first compliance check runs and the device appears in your organization’s device list under People > Devices.

Updates

The agent supports auto-updates via electron-updater. Matproof publishes signed builds to agents.matproof.com/installers/ and the agent checks for new versions on launch and periodically.

Privacy and Data Minimization

The agent reports only the compliance signals listed above and the installed-app inventory. It does not:
  • Read user files, documents, browsing history, or chat content
  • Capture screenshots
  • Run keystroke logging
  • Track location
  • Send raw command output — only the boolean result of each check
  • Send installed-app inventory to anywhere other than your Matproof organization
The full list of check methods and their data minimization is in packages/device-agent/SPEC.md in the Matproof source repository (Enterprise customers under NDA can request access).

What Admins See

In the Matproof app under People > Devices:
  • One row per registered device with owner, OS, last check-in, and overall pass/fail
  • Drilldown to the individual checks and their last-known state
  • vulnerableAppsCount column reflecting CVE matches
  • Evidence tied to the relevant controls (e.g. encryption evidence on the “Endpoint Disk Encryption” control)
  • Findings raised automatically for failed checks or critical CVEs

Manual Evidence Collection (Devices Without the Agent)

For devices where the agent can’t be installed (Linux until GA, BYOD without consent, vendor-managed machines), Matproof supports manual evidence upload. The required evidence types and how to obtain them on each OS are described below.

macOS (Monterey, Ventura, Sonoma, Sequoia)

Enable FileVault
  1. Open System Settings > Privacy & Security > FileVault
  2. Click Turn On FileVault, enter your password, and record the recovery key somewhere other than the disk being encrypted
  3. Screenshot the FileVault settings page showing “FileVault is enabled for the disk”
Screen Auto-lock
  1. System Settings > Lock Screen
  2. Set Start Screen Saver when inactive to ≤ 5 minutes
  3. Set Require password after sleep or screen saver begins to Immediately
  4. Screenshot showing both settings
Automatic Security Updates
  1. System Settings > General > Software Update > Automatic Updates
  2. Enable all toggles
  3. Screenshot the page showing updates enabled
Antivirus (XProtect)
XProtect is built into macOS and runs by default. Verify macOS is fully updated and screenshot the Software Update page.
Firewall
  1. System Settings > Network > Firewall
  2. Turn on the firewall
  3. Screenshot the firewall settings page showing it enabled

Windows 10 and 11

Enable BitLocker
  1. Press Start, type Manage BitLocker, and open it
  2. Select the system drive (usually C:) and click Turn on BitLocker
  3. Save the recovery key to a Microsoft Account, a USB drive, or your organization's secure store (anywhere but the drive being encrypted)
  4. Screenshot the BitLocker Drive Encryption window showing “On” for C:
Screen Lock after 5 Minutes
  1. Start > Settings > Personalization > Lock screen > Screen timeout settings
  2. Set Screen turns off to 5 minutes
  3. Settings > Accounts > Sign-in options > Require sign-in: When PC wakes up
  4. Screenshot both settings
Minimum Password Length (Local Policy)
  1. Press Win + R, type secpol.msc, and press Enter
  2. Navigate to Account Policies > Password Policy
  3. Set Minimum password length to 8 or more
  4. Screenshot the Password Policy window
  Local Security Policy (secpol.msc) is not included in Windows Home editions; on those machines, screenshot the equivalent setting from your MDM or domain policy instead.
Automatic Updates
  1. Settings > Update and Security > Windows Update > Advanced options (on Windows 11: Settings > Windows Update > Advanced options)
  2. Enable Automatic updates
  3. Screenshot showing updates enabled
Antivirus (Windows Defender)
  1. Settings > Update and Security > Windows Security > Virus and threat protection (on Windows 11: Settings > Privacy & security > Windows Security)
  2. Verify Real-time protection is on
  3. Screenshot the Windows Security window
Manual evidence is uploaded as a comment plus attachment on the relevant device task. Tag the upload with the user’s email so it ties back to the right person in your team.

Frameworks Covered

Framework    Mapped requirement
ISO 27001    A.8.1, A.8.2, A.8.7, A.8.8, A.8.20
SOC 2        CC6.1, CC6.6, CC6.7, CC7.1
HIPAA        164.308(a)(5), 164.310(d)(1), 164.312(a)(1)
NIS 2        Article 21(2)(d), 21(2)(g)
DORA         Article 9(2), 9(3), 9(4)(g)
PCI DSS      6.3.1, 8.6.3, 9.5

Findings: see how device-agent findings flow into your unified findings view.

Cloud Tests: cloud-side configuration checks that pair with endpoint checks.