Agent Enrollment
Agents are lightweight services that run on your endpoints (servers, workstations, laptops) and communicate with TridentStack Control over gRPC. Once enrolled, an agent continuously reports system information, software inventory, patch status, and vulnerability data back to the platform, and receives commands for update installation, policy enforcement, and compliance evaluation.
Each agent maintains a persistent connection to the TridentStack Control gateway, so changes you make in the console (approving updates, assigning policies, triggering scans) are delivered to endpoints in real time.
Prerequisites
Supported operating systems
| Platform | Minimum Version |
|---|---|
| Windows Server | 2012 R2 and later |
| Windows Desktop | 8.1 and later |
| Ubuntu | 20.04 and later |
| Debian | 12 and later |
All features, including application updates, are supported on all Windows versions listed above.
Network requirements
Agents require outbound access on port 443 (gRPC over HTTPS) to reach the TridentStack Control gateway. No inbound ports need to be opened on the endpoint.
If your network uses a proxy or firewall with TLS inspection, ensure that the TridentStack Control gateway domain is allowlisted. The agent uses HTTP/2 (gRPC), which some older proxy appliances do not support.
Enrollment tokens
Each tenant has an enrollment token that is automatically created when your account is provisioned. The token is pre-filled into the quick install commands on the Agent Installers page, so in most cases you do not need to copy it manually.
To view or regenerate your token:
- Log in to TridentStack Control.
- Navigate to Settings in the left sidebar.
- Select the Agent Installers tab.
- Your enrollment token and ready-to-use install commands are displayed on the page.
Treat your enrollment token like a password. Anyone with the token can register agents to your tenant. If you suspect a token has been compromised, regenerate it from the Agent Installers page.
Enrollment flow
The following diagram shows what happens when you install and start an agent:
Windows installation
Quick install (recommended)
The fastest way to install the agent is the PowerShell one-liner shown on the Agent Installers page. Open PowerShell as Administrator and run the command displayed there. It downloads the MSI, installs silently with your enrollment token, and cleans up.
The command is pre-filled with your enrollment token, so no manual token entry is needed.
The quick install command is ready to copy from Settings > Agent Installers. Just click the copy button next to the PowerShell command.
MSI installer (scripted or GPO)
For SCCM, Intune, Group Policy, or other management tools, download the MSI from the Agent Installers page and deploy with msiexec:
msiexec /i TridentStack-Control.msi ENROLLMENT_TOKEN="<your-token>" /qn /norestart
The /qn flag runs the installer silently with no UI. The /norestart flag prevents automatic reboots.
If you regenerate your enrollment token, any previously distributed install commands using the old token will fail to enroll new agents. Update your deployment scripts with the new token after regeneration. Existing agents already enrolled are not affected.
Linux installation
Run the following one-liner as root (or with sudo):
curl -fsSL https://control.tridentstack.com/api/agent-packages/installer/linux/install | sudo bash -s -- --key <your-token>
This script will:
- Detect your distribution and architecture.
- Download the appropriate
.debpackage. - Install the TridentStack Control agent as a systemd service.
- Configure the agent with your enrollment token.
- Start the service immediately.
Agents automatically update to the latest version. No manual updates are needed after initial enrollment.
Verifying enrollment
After installation, the agent should appear in TridentStack Control within 60 seconds:
- Navigate to Agents > Endpoints in the left sidebar.
- Look for the new endpoint by hostname.
- Confirm the Status column shows Online.
Once online, the agent begins its first telemetry refresh, reporting system information, installed software, and applicable updates. This initial data collection typically completes within a few minutes.
Troubleshooting
Agent does not appear in Endpoints
If the agent does not show up after 60 seconds, work through these checks in order:
1. Verify the agent service is running.
On Windows:
Get-Service 'TridentStack-ControlService'
The service status should be Running.
On Linux:
sudo systemctl status tridentstack-agent
The service should show active (running).
2. Check network connectivity.
Confirm the endpoint can reach the TridentStack Control gateway on port 443. Test with:
curl -v https://gateway.tridentstack.com
If the connection times out or is refused, check your firewall rules and proxy configuration.
3. Verify the enrollment token.
An expired or invalid token will prevent registration. Go to Settings > Agent Installers and confirm the token you used matches the one displayed. If in doubt, regenerate the token and reinstall the agent with the new value.
4. Check agent logs.
On Windows, logs are located at:
C:\ProgramData\TridentStack Control\logs\
On Linux, use journalctl:
sudo journalctl -u tridentstack-agent --no-pager -n 50
Look for connection errors, authentication failures, or TLS handshake issues.
Agent shows as Offline
If an agent previously appeared but now shows Offline:
- The endpoint may be powered off or disconnected from the network.
- A firewall change may be blocking outbound traffic on port 443.
- The agent service may have stopped. Restart it and check logs for errors.