Agentless Verification
Agentless verification lets XFA check supported devices during sign-in without asking every user to install the native agent first. It is useful for lighter access flows, but coverage depends on browser support, discovery data, and the checks required by your policy.
The XFA agent is already privacy-respecting and designed for contractors and BYOD scenarios — it is lightweight and easy to install. Even so, XFA aims to minimize friction wherever possible. When XFA already knows the device signals it needs from the browser, it will offer users the option to continue without installation. This is particularly well-suited for situations where only a limited set of device checks need to be verified.
When to use it
Agentless verification is ideal for:
- BYOD environments where you can't mandate app installation
- Contractors and freelancers who need temporary access
- Reducing deployment friction when rolling out XFA across your organization
For deeper checks (e.g., detailed OS patch level, jailbreak detection, or per-app policies), the full XFA agent remains the best choice. Agentless and agent-based verification can be used side by side — XFA automatically uses the richest data available for each device.
How it works
Agentless verification combines up to three data sources during each sign-in:
Browser signals (User-Agent & Client Hints)
Every browser sends basic information about the operating system and browser version. XFA uses this to verify OS version and browser version requirements without any additional setup.
Discovery data
If you have Discovery connected to an identity provider, XFA can match the signing-in user to devices already known through discovery. This adds signals like management status and device ownership.
Device trust connectors
Google Chrome can send richer device signals, such as disk encryption status, firewall state, and antivirus presence, directly to XFA during authentication. Chrome Device Trust requires a one-time setup in your browser management console. Microsoft Edge support is coming soon.
Available checks
The tables below show which checks are available per platform when using agentless verification.
Desktop
| Check | Windows | macOS | Linux |
|---|---|---|---|
| OS version | ✓ | ✓ | ✓ |
| Browser version | ✓ | ✓ | ✓ |
| Disk encryption | ✓ | ✓ | ✓ |
| Firewall | ✓ | ✓ | ✓ |
| Antivirus | ✓ | ✓ | ✓ |
| Secure Boot | ✓ | ✓ | ✓ |
| Screen lock | ✓ | ✓ | ✓ |
Disk encryption, firewall, antivirus, secure boot, and screen lock require a device trust connector (e.g., Chrome Device Trust). Without a connector, only OS version and browser version are available on desktop.
Mobile
| Check | Android | iOS |
|---|---|---|
| OS version | ✓ | ✓ |
| Browser version | ✓ | ✓ |
| Disk encryption | ✓ | ✓ |
| Screen lock | ✓ | ✓ |
| Biometrics | ✓ | ✓ |
How to enable
- In the XFA dashboard, navigate to Agentless.
- Toggle the data sources you want to use:
- User-Agent and Client Hints — basic browser signals (recommended to always enable)
- Discovery data — requires Discovery to be configured
- Device trust connectors — requires additional setup (see below)
- Click Save.
- Make sure agentless is also enabled in each policy where you want to use it.
For step-by-step instructions on enabling agentless sign-in in your policies, see Agentless Sign In.
Device trust connectors
Device trust connectors allow managed browsers to send detailed device signals to XFA during authentication. This significantly expands the checks available in agentless mode.
Google Chrome Device Trust
Chrome Device Trust uses Chrome Enterprise Core (free) to send signals like disk encryption, firewall status, and more. See the Chrome Device Trust setup guide for step-by-step instructions.
Microsoft Edge Device Trust
Microsoft Edge Device Trust support is coming soon on Windows. It will let a managed Edge browser send richer device signals, such as disk encryption, firewall status, and antivirus presence, to XFA during authentication after a one-time setup in your Edge management console.