Fleet Management

Fleet management is how security teams deploy and control Quint across developer machines, CI runners, and cloud VMs. From a single dashboard, you can enroll new machines, push policy updates, monitor daemon health, and maintain fleet-wide visibility into AI agent activity.

How It Works

Enrollment

Every daemon enrollment follows the same three-step flow:

1. Generate Deploy Token

A security admin creates a deploy token in the Quint dashboard. Tokens are scoped to an organization and can be restricted to specific machine groups or environments. Each token is a standard Quint API key (qk_...) with fleet:enroll scope.

2. Run Install Script

Install via the .pkg installer (macOS) or the one-line install script:

    # macOS .pkg
    sudo installer -pkg quint-latest.pkg -target /

    # Or one-line install script
    curl -fsSL https://install.quintai.dev | sh -s -- --token <deploy-token>

The .pkg installs the LaunchDaemon and QuintAgent.app (ES extension). The script auto-detects the OS and architecture.

3. Daemon Auto-Registers

On first start, the daemon sends a registration request to the Quint cloud API with the deploy token and a machine fingerprint (hostname, OS, architecture, MAC address hash). The API validates the token, creates a machine record, and returns the organization’s policy bundle.

Deploy tokens can be revoked at any time from the dashboard. Revoking a token prevents new enrollments but does not affect already-enrolled daemons.

Fleet Deployment Methods

| Method | Status | Use Case |
| --- | --- | --- |
| .pkg installer | Shipped | macOS: LaunchDaemon + QuintAgent.app (ES extension) |
| curl + deploy token | Shipped | Individual developer machines, quick setup |
| Signed .pkg via MDM | Next | Jamf, Intune, Kandji distribution |
| Ansible / Puppet / Chef | Post-seed | Configuration management at scale |
| Helm chart | Post-seed | Kubernetes clusters and containerized workloads |
| GitHub Actions / GitLab CI | Post-seed | CI/CD pipeline protection |

The .pkg installer and curl script are the shipping methods today. The .pkg includes both the Go daemon and the QuintAgent.app (ES system extension). Configuration lives at /etc/quint/config.yaml.

Policy Distribution

Policies flow from the dashboard to every daemon in the fleet:
  1. Define — Security admins create or update policies in the dashboard (risk thresholds, blocked tools, alert rules)
  2. Store — The cloud API versions each policy change and stores it in Postgres
  3. Sync — Daemons receive policy updates on their next heartbeat (every 30 seconds). Policies can also be force-pushed for critical changes.
  4. Enforce — The daemon applies policies locally with zero cloud dependency. If the cloud is unreachable, the last-synced policy remains in effect.
  5. Report — Policy verdicts (ALLOW, BLOCK, ALERT) are included in audit events synced back to the cloud

Daemons enforce the last-synced policy if they lose cloud connectivity. Design your default policies with this in mind — they should be safe to run independently.

Health Monitoring

Every daemon sends a heartbeat to the cloud API every 30 seconds. The heartbeat includes:

| Field | Description |
| --- | --- |
| machine_id | Unique machine fingerprint |
| hostname | Machine hostname |
| os / arch | Operating system and architecture |
| daemon_version | Installed daemon version |
| protection_tier | Current tier: proxy, kernel, or both |
| uptime | Time since daemon last started |
| active_agents | Number of AI agents currently tracked |
| last_action_at | Timestamp of most recent intercepted action |
| policy_version | Hash of currently enforced policy bundle |
| status | healthy, degraded, or error |

Health States

Healthy

Daemon is running, intercepting traffic, and syncing with cloud. Heartbeat received within the last 60 seconds.

Degraded

Daemon is running but reporting issues: cloud sync failures, certificate expiry warnings, or high memory usage.

Offline

No heartbeat received for more than 5 minutes. Machine may be off, daemon may have crashed, or network is unreachable.

Dashboard Fleet View

The fleet view in the Quint dashboard provides a single pane of glass for all enrolled machines:

| Column | Description |
| --- | --- |
| Machine | Hostname and OS badge |
| Status | Health indicator (healthy / degraded / offline) |
| Protection | Current tier (Proxy / Kernel / Both) |
| Agents | Number of active AI agents on this machine |
| Last Seen | Time since last heartbeat |
| Risk Summary | Breakdown of recent verdicts (allowed / blocked / alerted) |
| Policy | Currently enforced policy version |
| Version | Daemon version with upgrade-available indicator |

Fleet Grouping

Machines can be organized into groups for targeted policy application:
  • By environment — Development, Staging, Production
  • By team — Engineering, Data Science, Security
  • By role — Developer workstations, CI runners, Cloud VMs

Groups are assigned during enrollment (via deploy token scope) or manually in the dashboard.

Fleet Lifecycle

1. Enroll

Generate deploy token, run install script on target machine. Daemon registers and receives initial policy bundle.

2. Monitor

Dashboard shows real-time fleet health. Alerts fire for offline daemons, policy drift, or version mismatches.

3. Update Policies

Push policy changes from the dashboard. All daemons in scope pick up changes within 30 seconds.

4. Upgrade

New daemon versions are distributed via the same install mechanism. The daemon restarts with zero downtime (graceful handoff).

5. Decommission

Revoke the machine from the dashboard. The daemon stops syncing and can be uninstalled. Audit history is retained in the cloud.
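
As an added example (not Quint's own code), the Python below applies the thresholds from Health States and the alert conditions from the Monitor step (offline daemons, policy drift, version mismatches) to heartbeat records. Field names come from the heartbeat table; `received_at`, the `stale` label for the unnamed gap between 60 seconds and 5 minutes, and every sample value are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

HEALTHY_WINDOW = timedelta(seconds=60)  # page: heartbeat within the last 60 seconds
OFFLINE_AFTER = timedelta(minutes=5)    # page: no heartbeat for more than 5 minutes

def classify(record, now):
    """Fleet-view state for one machine, from its most recent heartbeat."""
    age = now - record["received_at"]   # received_at: assumed server receive time
    if age > OFFLINE_AFTER:
        return "offline"
    if age > HEALTHY_WINDOW:
        return "stale"                  # assumed label; the page leaves this gap unnamed
    return record["status"]             # healthy, degraded, or error (self-reported)

def audit(records, now, expected_policy, expected_version):
    """Return (hostname, finding) pairs that need attention."""
    findings = []
    for r in records:
        state = classify(r, now)
        if state != "healthy":
            findings.append((r["hostname"], state))
        # Checked even for offline machines: a disconnected daemon keeps
        # enforcing its last-synced policy, so drift there still matters.
        if r["policy_version"] != expected_policy:
            findings.append((r["hostname"], "policy_drift"))
        if r["daemon_version"] != expected_version:
            findings.append((r["hostname"], "version_mismatch"))
    return findings

# Constructed sample data: hostnames, hashes and versions are placeholders.
NOW = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)

def hb(hostname, status, policy, version, seconds_ago):
    return {"hostname": hostname, "status": status, "policy_version": policy,
            "daemon_version": version,
            "received_at": NOW - timedelta(seconds=seconds_ago)}

SAMPLE = [
    hb("dev-mac-01", "healthy", "policy-hash-A", "1.0.0", 20),
    hb("ci-runner-07", "degraded", "policy-hash-A", "1.0.0", 45),
    hb("dev-mac-02", "healthy", "policy-hash-A", "1.0.0", 180),
    hb("cloud-vm-03", "healthy", "policy-hash-OLD", "0.9.0", 7200),
]

if __name__ == "__main__":
    for host, finding in audit(SAMPLE, NOW, "policy-hash-A", "1.0.0"):
        print(f"{host}: {finding}")
```

The offline machine in the sample still reports `healthy` in its last heartbeat, which is why the state is derived from heartbeat age before the self-reported status is trusted.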