4 posts tagged with "Devices"

XFA's unsafe AI mode check now recognises Claude Code's newer persisted permission modes alongside the legacy dangerouslySkipPermissions flag, so administrators get accurate reporting whenever an agent is configured to auto-approve every tool call.

The following values of permissions.defaultMode in ~/.claude/settings.json (or ~/.claude/settings.local.json) are now flagged as unsafe because they auto-approve every tool call, including shell commands and network requests:

• bypassPermissions — persisted equivalent of running with --dangerously-skip-permissions. Treat this as 'agent has full local user privileges'.
• auto — the new Claude Code 'Auto' mode. Same risk class: skips permission prompts via a classifier and is intended for sandboxed CI, not for personal devices.

Both modes are unsafe to run on machines with credentials or production access. Safe values (default, plan, acceptEdits) remain unflagged. Devices configured with either flagged mode are now reported in the Unsafe AI Mode check, and end users see remediation steps in the in-app guide.

Review your AI policies

XFA's Linux disk-encryption check now recognises TCG OPAL self-encrypting drives* alongside LUKS.

When drive locking is enabled on an OPAL-capable drive, the device counts as encrypted, giving administrators accurate compliance reporting for Linux devices that rely on hardware encryption.

Review your disk-encryption policy

XFA's Windows disk-encryption check now recognises VeraCrypt system-drive encryption* alongside BitLocker.

Devices whose Windows boot/system drive is encrypted with VeraCrypt are now reported as compliant automatically, no configuration required.

Review your disk-encryption policy

XFA's Linux integrity protection check now recognises AppArmor as a valid mandatory-access-control system, alongside SELinux.

Linux users who rely on AppArmor as their kernel-level integrity protection now pass the check automatically.