FAQ
XFA checks things like whether your disk is encrypted, your screen locks automatically, your OS and browser are up to date, and antivirus or firewall protection is active, plus other checks. The exact list is set by your organization's policy, and XFA only reads these specific settings, never your files or activity.
No. XFA cannot take control of your device and has no admin rights to change settings on its own. It does not read your files, messages, browsing history, or installed apps beyond the specific security settings it checks. If something fails a check, XFA guides you to fix it yourself; it never fixes it for you.
Installing XFA takes only minutes and needs no account. When your organization asks you to verify a device, follow the link and download the XFA app: the Desktop Application on Windows, macOS, and Linux, or the Mobile App on iOS and Android. Open the installer, follow the prompts, then return to the verification screen to connect.
If your organization sees a device as "Lost connection," open the XFA app on that device (install or update it first if needed) and check that your organization is still connected. If it is not, accept the invitation again or follow the verification email your IT team sent. XFA then shares a fresh status automatically.
You may not need to uninstall at all. To stop sharing your device status, just disconnect from the organization inside the XFA app. To remove XFA completely, disconnect from all organizations first, then uninstall the app using your operating system's standard removal process for Windows, macOS, Linux, iOS, or Android.
No. On both macOS and Windows, the built-in antivirus and firewall provide a good level of security and are enough on their own; on Mac, this has always been the case. These are typically on by default, but if you or someone else turns them off, XFA will flag it during its checks.
The XFA agent checks your device and reports its status roughly every 6 hours, with the exact timing varied slightly so your active hours cannot be inferred from the pattern. Opening XFA on your device also triggers an immediate check, keeping your organization's view of your device status current.
XFA's Secrets in Environment check scans for environment variables whose names suggest they hold credentials, like API keys, tokens, or passwords, across shell configs, running processes, and system settings. It records only the variable name, never the actual value, and flags cases where those credentials could be exposed to any process on the device.
We look for variable names containing patterns like:
- KEY (e.g. API_KEY, PRIVATE_KEY, AWS_ACCESS_KEY)
- TOKEN (e.g. AUTH_TOKEN, GITHUB_TOKEN)
- SECRET (e.g. CLIENT_SECRET, JWT_SECRET)
- PASSWORD / PASSWD (e.g. DB_PASSWORD)
- CREDENTIAL (e.g. AWS_CREDENTIAL)
- OAUTH (e.g. OAUTH_TOKEN)
- ENCRYPTION_KEY, SIGNING_KEY
Where do we look?
- Process environment: variables inherited by all child processes
- Shell environments (bash, zsh, fish): variables set in shell config files
- Running process command lines: secrets passed as arguments (e.g.
docker run -e API_KEY=xxx) - macOS launchd session: variables inherited by GUI apps (IDEs, AI assistants)
- Windows registry: user and system-level environment variables
Secrets stored in environment variables are accessible to every process running in that context, including AI coding assistants, IDE plugins, and any tool launched from the terminal or desktop. This is a significant attack surface.
XFA's Unattended remote access check looks for third-party remote control tools, such as TeamViewer, AnyDesk, and Chrome Remote Desktop, that are configured to allow connections without your on-screen approval. Simply having these tools installed does not trigger a flag; only an active unattended access configuration does, since it can act as a persistent backdoor into your device.
Which tools are checked?
- TeamViewer
- AnyDesk
- Chrome Remote Desktop
XFA does not flag these tools simply for being installed. The check only triggers when unattended access is actively configured (for example, a permanent password is set or a service is running that allows connections without on-screen approval).
How do I fix this? To become compliant, you can either:
- Disable unattended access in the tool's settings (for example, remove the permanent password in TeamViewer, disable the unattended access option in AnyDesk, or remove your device from Chrome Remote Desktop).
- Uninstall the remote control tool entirely if you no longer need it.