
What is the Secfix Agent?

Written by Michalina Cechosz
Updated yesterday

The Secfix Agent is a lightweight, read-only monitoring tool developed by Secfix to assess and verify endpoint security compliance. It is based on the open-source project osquery, maintained by the Linux Foundation. By collecting non-sensitive data from employee devices, the agent helps organizations ensure compliance with security standards and streamline certification processes.

Key functions of the Secfix Agent include:

  • Verifying system configurations (e.g., OS version, screen lock, antivirus presence)

  • Listing installed applications and browser extensions (Chrome, Firefox, Edge)

  • Monitoring for password manager usage

  • Providing visibility into device details like OS type and machine serial number

The agent runs daily and does not modify any system settings or access sensitive data such as passwords or browsing history.
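The checks listed above map naturally onto osquery's read-only SQL tables. The queries below are an added illustration, not Secfix's actual configuration: the choice of tables and the password manager name patterns are assumptions, and each table is only available on the platform noted in its comment.

```sql
-- Illustrative osquery queries (assumed; not taken from the Secfix Agent).
-- Every statement is a SELECT: osquery exposes system state as read-only tables.

-- OS type and version plus machine serial number (all platforms)
SELECT os.platform, os.name, os.version, si.hardware_serial
FROM os_version AS os CROSS JOIN system_info AS si;

-- Screen lock (macOS): enabled = 1 when a password is required after
-- sleep or screensaver; grace_period is the delay in seconds
SELECT enabled, grace_period FROM screenlock;

-- Antivirus, firewall and update health as reported by
-- Windows Security Center (Windows)
SELECT antivirus, firewall, autoupdate FROM windows_security_center;

-- Installed applications (macOS: apps, Windows: programs)
SELECT name, bundle_short_version AS version FROM apps;
SELECT name, version, publisher FROM programs;

-- Chromium-family extensions per user; browser_type separates Chrome
-- from Edge. Only extension metadata is returned, not browsing history.
SELECT u.username, ce.browser_type, ce.name, ce.identifier, ce.version
FROM users AS u CROSS JOIN chrome_extensions AS ce USING (uid);

-- Firefox add-ons per user
SELECT u.username, fa.name, fa.identifier, fa.version, fa.active
FROM users AS u CROSS JOIN firefox_addons AS fa USING (uid);

-- Password manager presence by application name (macOS).
-- The name patterns are constructed examples, not a vendor list.
SELECT name, bundle_short_version AS version FROM apps
WHERE name LIKE '1Password%'
   OR name LIKE 'Bitwarden%'
   OR name LIKE 'KeePass%';
```

These can be run one at a time in the interactive `osqueryi` shell on a test machine to see exactly which fields such a check returns.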


Who Should Install the Secfix Agent

Primary Users

  • Employees using company-owned devices: Installation is required to maintain consistent security compliance.

  • Freelancers using personal devices: Installation is optional but recommended. Alternatively, these devices can be managed as custom assets.

Alternatives to Installing the Secfix Agent

If installation is not feasible, consider the following alternatives:

  • Mobile Device Management (MDM): Use tools like Jamf or JumpCloud, although these may miss critical compliance queries.

  • Use osquery directly: The Secfix Agent enhances osquery’s capabilities with compliance-focused configurations.

  • Enforce requirements via BYOD policy:

    • Refer to POL-04: Information Security & Acceptable Use Policy

    • Require antivirus, hard disk encryption, screen lock, and password manager

  • Manual tracking (only for small teams):

    • Employees submit monthly evidence of compliance

    • Suitable for teams with 1–2 users; not scalable


Security of the Secfix Agent

The Secfix Agent is designed with security and transparency at its core.

Key Security Features

  • Read-only access: Cannot alter files or configurations

  • Limited data scope: Does not access passwords, emails, or browsing history

    • Custom osquery build: Dangerous tables are excluded

  • Signed and verified binaries: Distributed via Docker Notary with encryption and multi-factor access

  • ISO 27001 compliance: Over 120 security controls in place

  • Pentested infrastructure: Tested by the NCC Group for osquery and Docker Notary integrity


FAQ

Can the Secfix Agent access passwords or credentials in environment variables?

No. The agent cannot read temporary shell sessions or access secure credentials. Storing permanent credentials in shell variables is a security risk and should be avoided.

How is the osquery process protected from external access?

  • One-way communication from osquery daemon to the fleet server

  • Encrypted with SSL/TLS (DV certificate, SHA-256)

  • Installer includes a secure enrollment token

  • Verified builds signed by Apple and Microsoft

What if employees using private devices refuse to install the agent?

  1. Use MDM software (e.g., Jamf, JumpCloud)

  2. Enforce requirements via your BYOD policy

  3. Manually track compliance, though this is not scalable
