Deel Agent uses the OSQuery framework to monitor and manage devices across multiple platforms.
You can deploy it to your entire estate through your MDM tool in a few clicks. Once deployed, your Deel IT asset tracker will automatically populate with details about every device in your global fleet—simplifying the management of your IT equipment worldwide.
Once installed, you can:
- View the Pending import tab to see devices discovered by the Agent
- Import devices and add them to the asset tracker
- Access detailed device statistics
In this article
Here’s what you’ll find in this article:
- Before you begin
- Installing the Agent (trial or manual deployment)
- Deploying the Agent through MDM
- Uninstalling the Agent
- Importing devices
- Device health
- Agent architecture + security
Before you begin
The Deel Agent is lightweight and has minimal system requirements. It requires approximately 30MB of disk space when compressed and 120MB when uncompressed. Administrator privileges are needed for installation and uninstallation.
Installing the Agent (trial or manual deployment)
The Agent can be installed manually or distributed through your MDM provider. During the activation flow, you’ll be prompted to either deploy the Agent or trial it.
After accepting the Terms & Conditions, the installation package for your selected OS (Mac or Windows) will download. You can then run the installer on your device to complete the installation.
The installer is universal for your entire organization—no unique installer per worker is needed.
You can distribute the installation packages to your workers and ask them to install the Agent. Note that workers will need admin access on their devices to complete the installation.
Deploying the Agent through MDM
For a more automated approach, deploy the Agent to your entire fleet using your MDM tool. Since MDM providers handle software deployment differently, refer to your MDM provider’s documentation for specific instructions.
Uninstalling the Agent
To uninstall the Agent, use the following commands:
On Mac: Run `sudo bash /Library/HofyAgent/uninstall.sh` as root. Allow up to 300 seconds for the process to complete.
On Windows: Execute `Start-Process -Wait msiexec.exe -ArgumentList "/x {0F874714-9488-4060-AF85-9D72F38951A1} /quiet" -Verb RunAs`.
Importing devices
Once the Deel Agent is installed on a device and reports back, the device will appear in your asset tracker as Pending import. To include it in the main Deel IT asset tracker, you’ll need to import it.
We use auto-matching logic for newly discovered devices:
1. The system checks if the device’s serial number matches an existing device in your asset tracker.
2. If no match is found, we use OSQuery to pull the user’s email address from their Chrome profile (if Chrome is used). This email is then matched with the user’s email in Deel.
You can also:
- Manually match devices or change the auto-assigned assignee.
- Ignore devices you don’t want to import.
Device health
Deel Agent displays the following device health statistics:
- MDM profile
- Battery health
- Disk space
- Disk encryption
- Last restart
- IP address
Agent architecture + security
The Deel Agent is built on OSQuery, providing a read-only, SQL-like interface to the host operating system. Each agent binary (`.msi` or `.pkg` file) is signed with Deel credentials and is unique to your organization, including a custom installer and uninstaller.
To ensure efficiency and security, we use a custom build of the agent that applies least privilege principles, reducing the amount of information queried from the host. A watchdog process is also in place to limit resource consumption (CPU, RAM), ensuring the Deel Agent remains lightweight and non-intrusive.
Security Measures:
- The OSQuery scope is predefined during binary creation, ensuring only authorized queries are executed. Unauthorized queries outside this scope are not possible.
- Data is transmitted hourly to Deel servers using authenticated, TLS-secured connections and is segregated by organization within a multi-tenant architecture.
- We follow data minimization principles, collecting only the data necessary for asset tracking, hardware, and software management.
- All data sent from the OSQuery agent is encrypted using TLS, and endpoint security configurations ensure only secure connections (HTTPS) are accepted, requiring TLS certificates on the server.
- A watchdog process caps resource usage at 10% of CPU for 12 seconds and limits RAM usage to 200 MB. Queries exceeding these limits are terminated.
- Profiling is used to analyze, optimize, and benchmark query performance before deployment.
- Queries are executed once per hour on a predetermined schedule. Ad-hoc querying of the host is not supported.
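The scope, schedule and no-ad-hoc properties listed above can be checked mechanically against a query schedule written in the stock osquery JSON config format. The following is an added example, not Deel's code: the sample config, the query names and the table allowlist are constructed assumptions, since this article does not publish the Agent's actual query pack.

```python
import json
import re

# Constructed sample in stock osquery config format. The Deel build's real
# query pack is not published in this article; queries here are assumptions.
SAMPLE_CONFIG = json.loads("""
{
  "options": {"disable_distributed": true},
  "schedule": {
    "serial":     {"query": "SELECT hardware_serial FROM system_info;", "interval": 3600},
    "encryption": {"query": "SELECT name, encrypted FROM disk_encryption;", "interval": 3600},
    "restart":    {"query": "SELECT total_seconds FROM uptime;", "interval": 3600},
    "history":    {"query": "SELECT * FROM users u JOIN shell_history s ON u.uid = s.uid;", "interval": 60}
  }
}
""")

# Hypothetical allowlist: stock osquery tables that would cover serial number,
# disk encryption, last restart, battery, disk space and IP address.
ALLOWED_TABLES = {"system_info", "disk_encryption", "uptime", "battery",
                  "mounts", "interface_addresses"}
MIN_INTERVAL = 3600  # "once per hour", in seconds

# Simple FROM/JOIN scan, not a SQL parser: subqueries are scanned too, but
# comma-separated table lists are not handled.
TABLE_RE = re.compile(r"\b(?:FROM|JOIN)\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)


def audit(config):
    """Return a sorted list of (query_name, finding) tuples."""
    findings = []
    # osquery's own default for disable_distributed is true (ad-hoc queries off).
    if not config.get("options", {}).get("disable_distributed", True):
        findings.append(("<options>", "ad-hoc (distributed) queries are enabled"))
    for name, entry in config.get("schedule", {}).items():
        tables = {t.lower() for t in TABLE_RE.findall(entry.get("query", ""))}
        for table in sorted(tables - ALLOWED_TABLES):
            findings.append((name, f"table outside allowlist: {table}"))
        interval = entry.get("interval", 0)
        if interval < MIN_INTERVAL:
            findings.append((name, f"interval {interval}s is below {MIN_INTERVAL}s"))
    return sorted(findings)


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_CONFIG):
        print(f"{name}: {finding}")
```

Only the constructed `history` entry is reported, for reading two tables outside the allowlist and for running every 60 seconds.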