Enroll a device
Register a managed endpoint with the Threatmatic control plane
Enrolling a device registers it with the Threatmatic control plane and activates real-time policy enforcement, identity mapping, and telemetry.
Prerequisites
- An active Threatmatic organization
- Admin access to the Console
- The device meets OS requirements (macOS 12+, Windows 10/11, Linux kernel 5.4+)
Steps
Generate an enrollment token
- Go to Devices → Enroll Device
- Select the target operating system
- Click Generate Token — tokens are valid for 24 hours
You can generate a token scoped to a specific device tag, group, or policy profile so newly enrolled devices inherit the correct configuration automatically.
Install the agent
Download the installer for the target OS and run it on the endpoint. See Deploy your first agent for platform-specific installation steps.
Enter the enrollment token
When prompted during installation, paste the enrollment token. The agent will authenticate with the control plane and complete registration.
Verify in the Console
- Go to Devices
- Confirm the device appears with status Active
- Check that the Region, OS, and Agent Version fields are populated correctly
Apply a tag (optional)
Tags allow you to target this device in policies without naming it explicitly.
- Click the device name
- Under Tags, click Add Tag
- Enter or select a tag (e.g. managed, remote, contractor)
Agent-less enrollment
For devices where installing an agent is not possible (e.g. IoT, unmanaged BYOD), Threatmatic supports agent-less enrollment via network-level policy enforcement.
- Go to Devices → Enroll Device → Agent-less
- Enter the device's IP range or MAC address
- Assign a policy profile
- Click Enroll
Agent-less devices will appear in the Console with an Agent-less badge.