Quilr Endpoint Agent — Validate Installation (Windows + macOS)

Subtitle: Post-install validation steps for the Quilr Endpoint Agent. Works regardless of how the agent was deployed (Intune, Jamf, Kandji, ManageEngine, or manual).

Version: 2026.05.11


Table of Contents

  1. Overview
  2. macOS — Validate Installation
  3. Windows — Validate Installation
  4. Cross-Platform Functional Test (Claude.ai)
  5. Pass / Fail Summary
  6. When to Escalate

1. Overview

Use this page after a fresh install — or any time you need to confirm an existing endpoint is still healthy — to answer one question: is the Quilr Endpoint Agent installed correctly and actively intercepting traffic?

Each platform section walks through the same five concerns in order. A check that fails halts the chain; jump to the linked Troubleshooting Guide section for the fix, then come back and re-run from that step.

| # | Concern | What it proves |
|---|---------|----------------|
| 1 | Binaries / package installed | The installer ran and placed the agent on disk. |
| 2 | Service / daemon running | The agent process is alive under the system account. |
| 3 | CA trust chain present | The Quilr root + intermediate CAs are trusted machine-wide. |
| 4 | Driver / extension active | Traffic interception layer (WFP on Windows, System Extension on macOS) is loaded. |
| 5 | Permissions in place | FDA/PPPC on macOS, or browser extension on Windows. |

Section 4 then runs a functional test with claude.ai that proves the agent is intercepting a real monitored AI host end-to-end.


2. macOS — Validate Installation

Run every command in Terminal with sudo rights (or sudo -i for the SQLite read).

Step 1. Agent binaries are installed

ls -ld /Applications/QuilrEndpointAgent.app && \
defaults read /Applications/QuilrEndpointAgent.app/Contents/Info.plist CFBundleShortVersionString

Expected: the directory exists and a version string prints (e.g. 2026.05.08). If it fails: the pkg never installed — see Troubleshooting Guide §4.1.

Step 2. Agent daemons are running

pgrep -lf 'quilrai|quilrai-proxy'
sudo launchctl print system/ai.quilr.sentinel | grep -E 'state =|last exit'
sudo launchctl print system/ai.quilr.quilrai-proxy | grep -E 'state =|last exit'

Expected: at least two PIDs (one quilrai, one quilrai-proxy); state = running on both LaunchDaemons; last exit code = 0. If it fails: see Troubleshooting Guide §5.1.

Step 3. Quilr CA chain is in the System keychain

COUNT=$(security find-certificate -a /Library/Keychains/System.keychain | grep -ci quilr)
echo "Quilr certs in System keychain: $COUNT (expect: 2)"

Expected: exactly 2 certificates — the Quilr root and intermediate. If it fails: see Troubleshooting Guide §4.4.

Step 4. Network Extension is activated

systemextensionsctl list | grep -i quilr

Expected: a line containing [activated enabled] (not [activated waiting for user], not absent). If it fails: see Troubleshooting Guide §4.6.

Step 5. Full Disk Access (PPPC) is granted via MDM

sudo sqlite3 "/Library/Application Support/com.apple.TCC/TCC.db" \
"select client, allowed, auth_reason from access \
where service='kTCCServiceSystemPolicyAllFiles' and client like '%quilr%';"

Expected: at least one row with allowed=1 and auth_reason=4 (MDM grant). No user prompt should ever appear — if the user sees one, the PPPC profile wasn't pre-applied. If it fails: see Troubleshooting Guide §4.5.

macOS one-liner

Paste this whole block in Terminal — every line should report OK:

echo "1. binaries: $(test -d /Applications/QuilrEndpointAgent.app && echo OK || echo MISSING)"
echo "2. daemons : $(pgrep -lf 'quilrai|quilrai-proxy' >/dev/null && echo OK || echo NOT-RUNNING)"
echo "3. CAs : $([ $(security find-certificate -a /Library/Keychains/System.keychain | grep -ci quilr) -eq 2 ] && echo OK || echo MISSING)"
echo "4. netext : $(systemextensionsctl list | grep -qE 'quilr.*activated enabled' && echo OK || echo NOT-ACTIVE)"
echo "5. FDA : $(sudo sqlite3 '/Library/Application Support/com.apple.TCC/TCC.db' \
"select allowed from access where service='kTCCServiceSystemPolicyAllFiles' and client like '%quilr%' limit 1;" \
2>/dev/null | grep -q '^1$' && echo OK || echo NOT-GRANTED)"
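
To apply the "a failed check halts the chain" rule from the Overview to the one-liner's output, the following added example (not part of the Quilr documentation; the function name `first_failure` is hypothetical) reports only the first failing step and the Troubleshooting Guide section that Steps 1-5 above link to. The sample output at the bottom is constructed.

```shell
#!/bin/sh
# Added example: triage the output of the macOS one-liner.
# Section numbers are the Troubleshooting Guide references from Steps 1-5.

# first_failure: read one-liner output on stdin. Prints "PASS" when all five
# checks report OK, "INCOMPLETE checks=<n>" when fewer than five result lines
# were seen, otherwise "FAIL step=<n> status=<s> see=<section>" for the first
# failing step only (later results are not meaningful until it is fixed).
first_failure() {
  seen=0
  while IFS= read -r line; do
    case $line in
      [1-5].*:*) ;;        # result line, e.g. "3. CAs : MISSING"
      *) continue ;;       # anything else (prompts, blank lines) is ignored
    esac
    step=${line%%.*}
    status=$(printf '%s' "${line##*:}" | tr -d '[:space:]')
    seen=$((seen + 1))
    if [ "$status" != "OK" ]; then
      case $step in
        1) ref='§4.1' ;;
        2) ref='§5.1' ;;
        3) ref='§4.4' ;;
        4) ref='§4.6' ;;
        5) ref='§4.5' ;;
      esac
      printf 'FAIL step=%s status=%s see=%s\n' "$step" "$status" "$ref"
      return 1
    fi
  done
  if [ "$seen" -ne 5 ]; then
    printf 'INCOMPLETE checks=%s\n' "$seen"
    return 2
  fi
  echo "PASS"
}

# Constructed sample output (not captured from a real device).
sample='1. binaries: OK
2. daemons : OK
3. CAs : MISSING
4. netext : NOT-ACTIVE
5. FDA : OK'
printf '%s\n' "$sample" | first_failure || true
```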

3. Windows — Validate Installation

Open PowerShell as Administrator. The first probe in each step is the fast path; the second confirms detail.

Step 1. MSI is installed (registry-reported version)

Get-ChildItem `
HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*, `
HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* |
Get-ItemProperty | Where-Object DisplayName -like '*Quilr*' |
Select-Object DisplayName, DisplayVersion, Publisher, InstallDate

Expected: at least one row showing Quilr Endpoint Agent with a DisplayVersion and Publisher = Quilr AI. If it fails: the MSI never installed — re-check the Intune Win32 / ManageEngine deployment status.

Step 2. Windows service is running

Get-Service | Where-Object { $_.Name -match 'quilrai|quilr' } |
Select-Object Name, Status, StartType

Expected: at least one row with Status = Running and StartType = Automatic.

If the service exists but isn't running:

Get-Service -Name <ServiceName> | Start-Service

If it fails: confirm the MSI postinstall completed; check the agent log under %PROGRAMDATA%\quilrai\logs\ (confirm the exact path with Quilr support).

Step 3. WFP filter / callout driver is registered

netsh wfp show state file=$env:TEMP\wfp.xml | Out-Null
Select-String -Path $env:TEMP\wfp.xml -Pattern 'quilr' -SimpleMatch | Select-Object -First 5

Expected: lines describing Quilr/QuilrAIProxy filters or callouts. If it fails: the driver was not installed by the MSI (or was unloaded). Reboot the device; if it still fails, escalate.

Step 4. Quilr CA chain is in the Local Machine trust store

certutil -store Root | Select-String -Pattern 'Quilr' -SimpleMatch
certutil -store CA | Select-String -Pattern 'Quilr' -SimpleMatch

Expected: Quilr root in the Root store and Quilr intermediate in the CA (Intermediate) store. If it fails: the Intune Trusted Certificate profiles (or ManageEngine cert deployment) didn't apply. Re-sync the device.

Step 5. Browser extension is force-installed (Edge + Chrome)

Open edge://extensions and chrome://extensions on the device. The Quilr extension must be:

  • Present in the list
  • Enabled
  • Marked "Installed by your organization" with no Remove button

Or check from the command line:

Get-ChildItem `
'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist', `
'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist' `
-ErrorAction SilentlyContinue | Get-ItemProperty

Expected: entries of the form <extension-id>;<update-url> for the Quilr extension. If it fails: the Intune Settings Catalog policy (Edge ExtensionInstallForcelist / Chrome equivalent) didn't apply. Re-sync.

Windows one-liner

Paste this whole block in elevated PowerShell — every line should report OK:

$msi = (Get-ChildItem HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*,`
HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* |
Get-ItemProperty | ? DisplayName -like '*Quilr*').Count
$svc = (Get-Service | ? { $_.Name -match 'quilrai|quilr' -and $_.Status -eq 'Running' }).Count
# Dump WFP state to a file, then count the lines that mention Quilr
netsh wfp show state file=$env:TEMP\wfp.xml | Out-Null
$wfp = @(Select-String -Path $env:TEMP\wfp.xml -Pattern 'quilr' -SimpleMatch).Count
$root = (certutil -store Root 2>$null | Select-String 'Quilr' -SimpleMatch).Count
$mid = (certutil -store CA 2>$null | Select-String 'Quilr' -SimpleMatch).Count
$ext = (Get-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist `
-ErrorAction SilentlyContinue).PSObject.Properties.Count

"1. MSI installed : $(if($msi -gt 0){'OK'}else{'MISSING'})"
"2. service running : $(if($svc -gt 0){'OK'}else{'NOT-RUNNING'})"
"3. WFP filters : $(if($wfp -gt 0){'OK'}else{'NOT-REGISTERED'})"
"4. CA chain : $(if($root -gt 0 -and $mid -gt 0){'OK'}else{'MISSING'})"
"5. Edge extension : $(if($ext -gt 0){'OK'}else{'NOT-FORCED'})"

4. Cross-Platform Functional Test (Claude.ai)

This proves the agent is actively intercepting an AI host — not just installed.

macOS

# Watch the live intercept stream in one Terminal
sudo log stream --predicate 'subsystem == "ai.quilr.endpoint"' --info \
| grep -iE 'matched|intercepted|claude'

Then, in Safari or Firefox (not Chrome with the extension), open https://claude.ai/, sign in if needed, and send a one-line prompt.

Expected: within ~2 seconds the log stream output emits a flow.matched ... claude.ai line. No certificate warning appears in the browser, and Claude responds normally.

Windows

# Watch the agent log (confirm exact path with Quilr support)
Get-Content "$env:PROGRAMDATA\quilrai\logs\proxy.log.*" -Tail 0 -Wait |
Select-String -Pattern 'matched|claude'

Then, in Firefox or a native HTTPS client (not Edge/Chrome — those use the browser extension instead of the WFP driver), open https://claude.ai/ and send a prompt.

Expected: a matched … claude.ai line in the log within ~2 seconds; no certificate error; Claude responds normally.

TLS-chain check (both platforms)

The leaf certificate presented for claude.ai should be issued by Anthropic's real public CA, not by your corporate SWG's CA. Otherwise an upstream proxy is decrypting Claude traffic before the Quilr agent sees it, and interception will fail.

# macOS / Linux
openssl s_client -connect claude.ai:443 -servername claude.ai </dev/null 2>/dev/null \
| openssl x509 -noout -issuer

# Windows (PowerShell 7+)
$tcp = New-Object Net.Sockets.TcpClient('claude.ai', 443)
$ssl = New-Object Net.Security.SslStream($tcp.GetStream())
$ssl.AuthenticateAsClient('claude.ai')
$ssl.RemoteCertificate.Issuer

Expected: the issuer string names a real CA (e.g. WE1, Let's Encrypt, DigiCert, Cloudflare Inc ECC CA-3). If it names your SWG (Netskope, Zscaler, etc.), the host needs to be on the SWG's SSL-bypass list — see the URL Exception List — AI Apps companion guide.
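
The issuer check above can be scripted. This added example (not part of the Quilr documentation; the function names are hypothetical) extracts the issuer CN from both the LibreSSL layout that macOS ships and the OpenSSL layout, and flags the SWG vendors this page names. The issuer strings in it are constructed samples.

```shell
#!/bin/sh
# Added example: classify the issuer printed by `openssl x509 -noout -issuer`.
# Vendor names are the SWGs this page lists; sample strings are constructed.

# issuer_cn: extract the CN. Handles the LibreSSL layout
# ("issuer= /C=US/O=X/CN=Y") and the OpenSSL layout
# ("issuer=C = US, O = X, CN = Y").
issuer_cn() {
  printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# classify_issuer: print "SWG <vendor>" (return 1) when the issuer names an
# upstream gateway, "NO-CERT" (return 2) for empty input, else "OK <cn>".
classify_issuer() {
  if [ -z "$1" ]; then
    echo "NO-CERT"
    return 2
  fi
  lower=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  for vendor in netskope zscaler umbrella 'palo alto' forcepoint; do
    case $lower in
      *"$vendor"*) echo "SWG $vendor"; return 1 ;;
    esac
  done
  echo "OK $(issuer_cn "$1")"
}

# check_host: run the live check from this section against one host.
check_host() {
  issuer=$(openssl s_client -connect "$1:443" -servername "$1" \
             </dev/null 2>/dev/null | openssl x509 -noout -issuer 2>/dev/null)
  classify_issuer "$issuer"
}

# Constructed sample, LibreSSL layout.
classify_issuer 'issuer= /C=US/O=Google Trust Services/CN=WE1'
```

On an endpoint, `check_host claude.ai` runs the same classification against the live connection.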


5. Pass / Fail Summary

The installation is healthy when every check below returns OK:

| Platform | Check | Method |
|----------|-------|--------|
| macOS | App on disk | §2 Step 1 |
| macOS | Daemons running | §2 Step 2 |
| macOS | 2 Quilr CAs in System keychain | §2 Step 3 |
| macOS | Network Extension [activated enabled] | §2 Step 4 |
| macOS | FDA granted via MDM (allowed=1, auth_reason=4) | §2 Step 5 |
| macOS | Claude.ai prompt produces flow.matched log | §4 |
| Windows | Quilr MSI in registry uninstall keys | §3 Step 1 |
| Windows | QuilrAIProxy/Quilr Windows service Running | §3 Step 2 |
| Windows | WFP filters registered | §3 Step 3 |
| Windows | Quilr root in Root store + intermediate in CA | §3 Step 4 |
| Windows | Edge/Chrome force-install policy applied | §3 Step 5 |
| Windows | Claude.ai prompt produces a matched log line | §4 |

If any check returns the non-OK string, that's where to start with the Troubleshooting Guide.


6. When to Escalate

Open a support ticket at support@quilr.ai with the items below if validation still fails after consulting the linked Troubleshooting sections:

  • The output of the macOS one-liner in §2 (or Windows one-liner in §3).
  • The output of the Claude.ai functional test in §4.
  • For macOS: a copy of /Library/Logs/quilrai/agent.stderr.log and proxy.log.YYYY-MM-DD for the day of the test.
  • For Windows: the most recent file under %PROGRAMDATA%\quilrai\logs\ (confirm the exact directory with Quilr support) and the Intune Management Extension log at %ProgramData%\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log.
  • Tenant UUID, device hostname, agent version, time window of the failed test, OS version.
  • Whether an upstream SWG (Netskope, Zscaler, Cisco Umbrella, Palo Alto, Forcepoint, …) is in the network path.
