Agentless Verification
Agentless verification lets XFA check device security during sign-in without requiring users to install the XFA agent. It uses browser signals, discovery data, and device trust connectors to assess whether a device meets your organization's security policy.
The XFA agent is already privacy-respecting and designed for contractors and BYOD scenarios — it is lightweight and easy to install. Even so, XFA aims to minimize friction wherever possible. When XFA already knows the device signals it needs from the browser, it will offer users the option to continue without installation. This is particularly well-suited for situations where only a limited set of device checks need to be verified.
When to use it
Agentless verification is ideal for:
- BYOD environments where you can't mandate app installation
- Contractors and freelancers who need temporary access
- Reducing deployment friction when rolling out XFA across your organization
For deeper checks (e.g., detailed OS patch level, jailbreak detection, or per-app policies), the full XFA agent remains the best choice. Agentless and agent-based verification can be used side by side — XFA automatically uses the richest data available for each device.
How it works
Agentless verification combines up to three data sources during each sign-in:
Browser signals (User-Agent & Client Hints)
Every browser sends basic information about the operating system and browser version. XFA uses this to verify OS version and browser version requirements without any additional setup.
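How a server can evaluate the browser signals described above, as an added example (not XFA's own code): it parses the Client Hints request headers and checks them against a minimum-version policy, treating missing hints as unknown rather than as a pass. The policy values, function names and sample headers are constructed for illustration.

```python
import re

# Hypothetical policy (constructed values, not XFA defaults).
MIN_BROWSER_MAJOR = {"Google Chrome": 120, "Microsoft Edge": 120}
# Chromium on Windows reports platform version 13.0.0 or higher for Windows 11.
MIN_PLATFORM = {"Windows": (13, 0), "macOS": (14, 0)}

BRAND_RE = re.compile(r'"((?:[^"\\]|\\.)*)"\s*;\s*v="(\d+)')

def parse_brands(sec_ch_ua):
    """Sec-CH-UA -> {brand: major}. GREASE brands match no policy entry."""
    return {b: int(v) for b, v in BRAND_RE.findall(sec_ch_ua or "")}

def unquote(value):
    """Strip structured-header quotes: '"macOS"' -> 'macOS'."""
    return (value or "").strip().strip('"')

def evaluate(headers):
    """Return (verdict, reasons); verdict is 'pass', 'fail' or 'unknown'."""
    h = {k.lower(): v for k, v in headers.items()}
    brands = parse_brands(h.get("sec-ch-ua"))
    known = {b: v for b, v in brands.items() if b in MIN_BROWSER_MAJOR}
    platform = unquote(h.get("sec-ch-ua-platform"))
    raw = unquote(h.get("sec-ch-ua-platform-version"))
    # Platform version is a high-entropy hint, sent only after the server
    # requests it with Accept-CH. Missing data is "unknown", never a pass.
    if not known or not platform or not raw:
        return "unknown", ["required client hints missing or unrecognised"]
    if platform not in MIN_PLATFORM:
        return "unknown", [f"no policy for platform {platform}"]
    try:
        version = tuple(int(p) for p in (raw.split(".") + ["0"])[:2])
    except ValueError:
        return "unknown", ["malformed platform version"]
    reasons = [f"{b} {v} below minimum {MIN_BROWSER_MAJOR[b]}"
               for b, v in known.items() if v < MIN_BROWSER_MAJOR[b]]
    if version < MIN_PLATFORM[platform]:
        reasons.append(f"{platform} {raw} below minimum")
    return ("fail", reasons) if reasons else ("pass", [])

# Constructed sample request headers (Chrome 124 on Windows 11).
SAMPLE = {
    "Sec-CH-UA": '"Chromium";v="124", "Google Chrome";v="124", "Not-A.Brand";v="99"',
    "Sec-CH-UA-Platform": '"Windows"',
    "Sec-CH-UA-Platform-Version": '"15.0.0"',
}

if __name__ == "__main__":
    print(evaluate(SAMPLE))
    print(evaluate({**SAMPLE, "Sec-CH-UA-Platform-Version": '"10.0.0"'}))
```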
Discovery data
If you have Discovery connected to an identity provider, XFA can match the signing-in user to devices already known through discovery. This adds signals like management status and device ownership.
Device trust connectors
Google Chrome (and soon Microsoft Edge) can send richer device signals — such as disk encryption status, firewall state, and antivirus presence — directly to XFA during authentication. These connectors require a one-time setup in your browser management console.
Available checks
The tables below show which checks are available per platform when using agentless verification.
Desktop
| Check | Windows | macOS | Linux |
|---|---|---|---|
| OS version | ✓ | ✓ | ✓ |
| Browser version | ✓ | ✓ | ✓ |
| Disk encryption | ✓ | ✓ | ✓ |
| Firewall | ✓ | ✓ | ✓ |
| Antivirus | ✓ | ✓ | ✓ |
| Secure Boot | ✓ | ✓ | ✓ |
| Screen lock | ✓ | ✓ | ✓ |
Disk encryption, firewall, antivirus, secure boot, and screen lock require a device trust connector (e.g., Chrome Device Trust). Without a connector, only OS version and browser version are available on desktop.
Mobile
| Check | Android | iOS |
|---|---|---|
| OS version | ✓ | ✓ |
| Browser version | ✓ | ✓ |
| Disk encryption | ✓ | ✓ |
| Screen lock | ✓ | ✓ |
| Biometrics | ✓ | ✓ |
How to enable
- In the XFA dashboard, navigate to Agentless.
- Toggle the data sources you want to use:
  - User-Agent and Client Hints — basic browser signals (recommended to always enable)
  - Discovery data — requires Discovery to be configured
  - Device trust connectors — requires additional setup (see below)
- Click Save.
- Make sure agentless is also enabled in each policy where you want to use it.
For step-by-step instructions on enabling agentless sign-in in your policies, see Agentless Sign In.
Device trust connectors
Device trust connectors allow managed browsers to send detailed device signals to XFA during authentication. This significantly expands the checks available in agentless mode.
Google Chrome Device Trust
Chrome Device Trust uses Chrome Enterprise Core (free) to send signals like disk encryption, firewall status, and more. See the Chrome Device Trust setup guide for step-by-step instructions.
Microsoft Edge Device Trust
Edge Device Trust support is coming soon. Stay tuned for updates.