The Toktra agent runs on macOS, Windows, and Linux. This page covers deploying agents silently at scale across a managed fleet. For a single-machine install, see the Quickstart.
Each platform has its own agent page with build requirements, configuration details, and troubleshooting. See macOS, Windows, and Linux.

Deployment overview

Deploying Toktra involves two things:
  1. Pushing the agent package — the installer or package that puts the agent binary on the device.
  2. Pre-approving system components — on macOS, the Network Extension requires MDM pre-approval to install silently. On Windows, the WFP driver requires elevation. Linux packages handle this through the package manager.
Once installed, each agent automatically enrolls with Toktra by generating a key pair, submitting a Certificate Signing Request (CSR), and receiving a signed device certificate from Toktra’s intermediate CA. No manual configuration is required on the device.

macOS — Kandji or Jamf

The macOS agent requires a Network Extension, which macOS blocks from installing without user interaction unless an MDM profile pre-approves it.
1. Build and notarize the package

Download the Toktra .pkg installer from Settings → Downloads in the dashboard, or build it from source if your security policy requires it. The package must be notarized with a valid Apple Developer ID before deployment.
2. Push the MDM configuration profile

Upload com.toktra.agent.mobileconfig to your MDM and push it to the target device group. This profile pre-approves the com.toktra.agent.extension Network Extension for the Toktra team ID, preventing the user prompt.
Replace TOKTRA_TEAM_ID in the profile with your Apple Developer Team ID before uploading.
In Kandji, go to Library → Add → Custom Profile, upload the .mobileconfig file, and assign it to the relevant blueprint.
3. Deploy the package silently

After the profile is applied, deploy the .pkg installer via your MDM’s software deployment feature. The installer runs silently without user prompts.
In Kandji, add a Custom App under Library, upload the .pkg, and assign it to the blueprint. Set the install type to Install Automatically.
The macOS agent also ships a LaunchDaemon plist (com.toktra.agent.plist) and a watchdog plist (com.toktra.watchdog.plist). These are included in the .pkg installer and are installed automatically to keep the agent running after reboots.

Windows — Intune or SCCM

The Windows agent ships as an MSI package. It installs a WFP callout driver, a Windows Service, and the Edge browser extension. The driver installation requires administrator privileges.
1. Obtain the MSI

Download the Toktra MSI from Settings → Downloads in the dashboard. The installer is built with WiX v4 and is signed with a Sectigo EV certificate.
2. Deploy via Intune or SCCM

In Intune, go to Apps → Windows apps → Add, select Line-of-business app, and upload the .msi. Set the install command:
msiexec /i ToktraAgent.msi /qn
Assign the app to the relevant device group. Intune deploys it silently on the next sync.
3. Verify the service is running

After deployment, confirm the Toktra Windows Service is running:
Get-Service -Name ToktraAgent
The service status should be Running. Configuration is stored in the Windows registry at HKLM\SOFTWARE\Toktra\Agent. Device certificates are stored in the Windows Certificate Store, not on the filesystem.
The WFP callout driver observes network traffic but never blocks it — all traffic is permitted. Toktra only records connection metadata. No firewall rules are added.

Linux — package manager

The Linux agent ships as .deb and .rpm packages. It runs as a systemd service and uses eBPF for socket-level monitoring. Linux kernel 5.10 or later with BTF support is required.
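A preflight gate for the kernel requirement above, as an added example that is not part of the Toktra packages. The function names are hypothetical, and /sys/kernel/btf/vmlinux is the standard location where a BTF-enabled kernel exposes its type data.

```sh
#!/bin/sh
# Added example (not shipped by Toktra): gate a fleet install on the stated
# requirements, kernel 5.10 or later with BTF. Function names are hypothetical.

# kernel_meets_minimum RELEASE
#   0 = RELEASE (uname -r format) is 5.10 or later
#   1 = older kernel, 2 = unparseable string (treat as failure)
kernel_meets_minimum() {
  case "$1" in *.*) ;; *) return 2 ;; esac
  km_major=${1%%.*}               # text before the first dot
  km_rest=${1#*.}                 # text after the first dot
  km_minor=${km_rest%%[!0-9]*}    # leading digits only; drops ".0-28-amd64"
  case "$km_major" in ''|*[!0-9]*) return 2 ;; esac
  [ -n "$km_minor" ] || return 2
  [ "$km_major" -gt 5 ] || { [ "$km_major" -eq 5 ] && [ "$km_minor" -ge 10 ]; }
}

# btf_available [PATH]: 0 if the kernel's BTF type data is readable
btf_available() {
  [ -r "${1:-/sys/kernel/btf/vmlinux}" ]
}

# preflight [RELEASE] [BTF_PATH]: prints a verdict, returns 0 only if both hold.
# Usage before installing:  preflight || exit 1
preflight() {
  pf_release=${1:-$(uname -r)}
  pf_btf=${2:-/sys/kernel/btf/vmlinux}
  if ! kernel_meets_minimum "$pf_release"; then
    echo "FAIL: kernel $pf_release does not meet the 5.10 minimum"
    return 1
  fi
  if ! btf_available "$pf_btf"; then
    echo "FAIL: kernel $pf_release exposes no BTF at $pf_btf"
    return 1
  fi
  echo "OK: kernel $pf_release with BTF"
}
```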
1. Add the Toktra package repository

curl -fsSL https://packages.toktra.io/gpg | sudo gpg --dearmor -o /usr/share/keyrings/toktra.gpg
echo "deb [signed-by=/usr/share/keyrings/toktra.gpg] https://packages.toktra.io/apt stable main" \
  | sudo tee /etc/apt/sources.list.d/toktra.list
sudo apt update
2. Install the agent

sudo apt install toktra-agent
The post-install script enables and starts the toktra-agent systemd service automatically.
3. Verify the daemon is running

systemctl status toktra-agent
Configuration lives at /etc/toktra/agent.conf (TOML format). Environment variables override the config file.
For fleet-scale Linux deployments, Toktra ships an osquery table extension (toktra_connections) that lets you query LLM usage data directly from Fleet or Kolide alongside your other device inventory.

Enrollment overview

When a Toktra agent starts for the first time on a new device, it:
  1. Generates an Ed25519 key pair on the device.
  2. Submits a Certificate Signing Request (CSR) to the Toktra enrollment endpoint.
  3. Receives a signed X.509 device certificate from Toktra’s intermediate CA. The certificate is valid for 90 days.
  4. Uses that certificate for mutual TLS on all subsequent connections to Toktra.
Certificates are renewed automatically before expiry. You don’t need to manage certificate rotation manually.
On macOS, device certificates are stored in the system Keychain under the Toktra agent’s entitlement. On Windows, they are stored in the Windows Certificate Store (not the filesystem). On Linux, they are stored at /etc/toktra/certs/.
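The enrollment steps listed above, replayed locally with openssl against a throwaway CA, as an added example that is not Toktra's code. The CA and its P-256 key, the file names and the subject names are constructed stand-ins, and no Toktra endpoint is contacted.

```sh
#!/bin/sh
# Added example: enrollment replayed against a local test CA.
# CA, key type of the CA, file names and subjects are constructed stand-ins.

# make_test_ca DIR: stand-in for the intermediate CA (P-256 is an assumption)
make_test_ca() {
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$1/ca.key" 2>/dev/null &&
  openssl req -x509 -new -key "$1/ca.key" -subj "/CN=Example Test CA" \
    -days 365 -out "$1/ca.crt"
}

# device_enroll DIR: steps 1 and 2, performed on the device
device_enroll() {
  # Step 1: Ed25519 key pair; the private key never leaves DIR
  openssl genpkey -algorithm ED25519 -out "$1/device.key" &&
  chmod 600 "$1/device.key" &&
  # Step 2: the CSR carries only the public key plus a self-signature
  # that proves possession of the private key
  openssl req -new -key "$1/device.key" -subj "/CN=device-0001" \
    -out "$1/device.csr"
}

# ca_issue DIR: step 3, performed by the CA. "x509 -req" checks the CSR's
# self-signature before signing; validity is the 90 days stated above.
ca_issue() {
  openssl x509 -req -in "$1/device.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 90 -out "$1/device.crt" 2>/dev/null
}

# cert_healthy DIR DAYS: 0 if device.crt chains to the CA and is still
# valid DAYS days from now (a stalled renewal makes this fail)
cert_healthy() {
  openssl verify -CAfile "$1/ca.crt" "$1/device.crt" >/dev/null 2>&1 &&
  openssl x509 -checkend "$(( $2 * 86400 ))" -noout \
    -in "$1/device.crt" >/dev/null
}
```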
The agent retries enrollment with exponential backoff. Check that the device has outbound HTTPS access to ingest.toktra.io. On macOS, also verify that the Network Extension is approved in System Settings → Privacy & Security → Extensions.
Yes. Contact your Toktra account team to configure pre-provisioned certificates for environments where devices cannot reach the enrollment endpoint during initial setup.