Prerequisites Validation

Before installing anything, prove from a pilot device that every Quilr backplane host answers on TCP 443. A single blocked host means the agent cannot enroll or report — fix it with your firewall/proxy team first.

Connectivity check — per environment

Run the hosted check on a pilot endpoint — it is fetched and executed directly, so there is no copy-paste of the script body and no transcription mistakes. Pick your Environment in the top bar to get the exact command (the environment is passed as an argument). Run PowerShell elevated; the shell version needs nc. Every host must print OK.

& ([scriptblock]::Create((irm https://quilr-extensions.quilr.ai/Quilr-SOP/EndpointAgent/Windows/quilr-connectivity-check.ps1))) -Env us

# Paste into an elevated PowerShell console
$targets = @(
  'discover.quilrai.dev','log.quilrai.dev','quilr-extensions.quilr.ai',
  'app.quilr.ai','dlpone.quilr.ai'
)
foreach ($h in $targets) {
    $ok = Test-NetConnection -ComputerName $h -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue
    "{0,-34}  TCP/443  {1}" -f $h, $(if ($ok) { 'OK' } else { 'BLOCKED' })
}

curl -fsSL https://quilr-extensions.quilr.ai/Quilr-SOP/EndpointAgent/macOS/quilr-connectivity-check.sh | sh -s -- us

# Paste into Terminal (needs nc)
for h in discover.quilrai.dev log.quilrai.dev quilr-extensions.quilr.ai \
         app.quilr.ai dlpone.quilr.ai; do
  if nc -z -G 5 "$h" 443 2>/dev/null || nc -z -w 5 "$h" 443 2>/dev/null; then s=OK; else s=BLOCKED; fi
  printf "%-34s  TCP/443  %s\n" "$h" "$s"
done

Quilr connectivity check  -  US POC
------------------------------------------------------------
discover.quilrai.dev          TCP/443  OK
log.quilrai.dev               TCP/443  OK
quilr-extensions.quilr.ai     TCP/443  OK
app.quilr.ai                  TCP/443  OK
dlpone.quilr.ai               TCP/443  OK
------------------------------------------------------------
RESULT: all hosts reachable on TCP/443.

& ([scriptblock]::Create((irm https://quilr-extensions.quilr.ai/Quilr-SOP/EndpointAgent/Windows/quilr-connectivity-check.ps1))) -Env usa

# Paste into an elevated PowerShell console
$targets = @(
  'discover.quilrai.dev','log.quilrai.dev','quilr-extensions.quilr.ai',
  'quilr-extensions.quilrai.com',
  'app.quilrai.com','dlpone.quilrai.com'
)
foreach ($h in $targets) {
    $ok = Test-NetConnection -ComputerName $h -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue
    "{0,-34}  TCP/443  {1}" -f $h, $(if ($ok) { 'OK' } else { 'BLOCKED' })
}

curl -fsSL https://quilr-extensions.quilr.ai/Quilr-SOP/EndpointAgent/macOS/quilr-connectivity-check.sh | sh -s -- usa

# Paste into Terminal (needs nc)
for h in discover.quilrai.dev log.quilrai.dev quilr-extensions.quilr.ai \
         quilr-extensions.quilrai.com \
         app.quilrai.com dlpone.quilrai.com; do
  if nc -z -G 5 "$h" 443 2>/dev/null || nc -z -w 5 "$h" 443 2>/dev/null; then s=OK; else s=BLOCKED; fi
  printf "%-34s  TCP/443  %s\n" "$h" "$s"
done

Quilr connectivity check  -  US Prod
------------------------------------------------------------
discover.quilrai.dev          TCP/443  OK
log.quilrai.dev               TCP/443  OK
quilr-extensions.quilr.ai     TCP/443  OK
quilr-extensions.quilrai.com  TCP/443  OK
app.quilrai.com               TCP/443  OK
dlpone.quilrai.com            TCP/443  OK
------------------------------------------------------------
RESULT: all hosts reachable on TCP/443.

& ([scriptblock]::Create((irm https://quilr-extensions.quilr.ai/Quilr-SOP/EndpointAgent/Windows/quilr-connectivity-check.ps1))) -Env japan

# Paste into an elevated PowerShell console
$targets = @(
  'discover.quilrai.dev','log.quilrai.dev','quilr-extensions.quilr.ai',
  'app-jp.quilr.ai','dlpone-jp-1.quilr.ai'
)
foreach ($h in $targets) {
    $ok = Test-NetConnection -ComputerName $h -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue
    "{0,-34}  TCP/443  {1}" -f $h, $(if ($ok) { 'OK' } else { 'BLOCKED' })
}

curl -fsSL https://quilr-extensions.quilr.ai/Quilr-SOP/EndpointAgent/macOS/quilr-connectivity-check.sh | sh -s -- japan

# Paste into Terminal (needs nc)
for h in discover.quilrai.dev log.quilrai.dev quilr-extensions.quilr.ai \
         app-jp.quilr.ai dlpone-jp-1.quilr.ai; do
  if nc -z -G 5 "$h" 443 2>/dev/null || nc -z -w 5 "$h" 443 2>/dev/null; then s=OK; else s=BLOCKED; fi
  printf "%-34s  TCP/443  %s\n" "$h" "$s"
done

Quilr connectivity check  -  JP POC
------------------------------------------------------------
discover.quilrai.dev          TCP/443  OK
log.quilrai.dev               TCP/443  OK
quilr-extensions.quilr.ai     TCP/443  OK
app-jp.quilr.ai               TCP/443  OK
dlpone-jp-1.quilr.ai          TCP/443  OK
------------------------------------------------------------
RESULT: all hosts reachable on TCP/443.

& ([scriptblock]::Create((irm https://quilr-extensions.quilr.ai/Quilr-SOP/EndpointAgent/Windows/quilr-connectivity-check.ps1))) -Env india

# Paste into an elevated PowerShell console
$targets = @(
  'discover.quilrai.dev','log.quilrai.dev','quilr-extensions.quilr.ai',
  'quilr-extensions.quilrai.com',
  'platform.quilrai.com','dlp-platform.quilrai.com'
)
foreach ($h in $targets) {
    $ok = Test-NetConnection -ComputerName $h -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue
    "{0,-34}  TCP/443  {1}" -f $h, $(if ($ok) { 'OK' } else { 'BLOCKED' })
}

curl -fsSL https://quilr-extensions.quilr.ai/Quilr-SOP/EndpointAgent/macOS/quilr-connectivity-check.sh | sh -s -- india

# Paste into Terminal (needs nc)
for h in discover.quilrai.dev log.quilrai.dev quilr-extensions.quilr.ai \
         quilr-extensions.quilrai.com \
         platform.quilrai.com dlp-platform.quilrai.com; do
  if nc -z -G 5 "$h" 443 2>/dev/null || nc -z -w 5 "$h" 443 2>/dev/null; then s=OK; else s=BLOCKED; fi
  printf "%-34s  TCP/443  %s\n" "$h" "$s"
done

Quilr connectivity check  -  IND Prod
------------------------------------------------------------
discover.quilrai.dev          TCP/443  OK
log.quilrai.dev               TCP/443  OK
quilr-extensions.quilr.ai     TCP/443  OK
quilr-extensions.quilrai.com  TCP/443  OK
platform.quilrai.com          TCP/443  OK
dlp-platform.quilrai.com      TCP/443  OK
------------------------------------------------------------
RESULT: all hosts reachable on TCP/443.

Reading the result: every host should print OK and the script exits 0. A blocked host looks like the following and the script exits 1 — fix it before continuing:

discover.quilrai.dev          TCP/443  OK
log.quilrai.dev               TCP/443  OK
quilr-extensions.quilr.ai     TCP/443  OK
app.quilr.ai                  TCP/443  BLOCKED
dlpone.quilr.ai               TCP/443  OK
------------------------------------------------------------
RESULT: one or more hosts BLOCKED - unblock and SSL-bypass them before installing.

If a host is BLOCKED

• Firewall: open outbound TCP/443 to the host.
• TLS-intercepting proxy / SWG: add the host to the SSL-bypass (no decryption) list. A re-signed certificate breaks the agent’s trust chain even when the port is technically reachable.
• DNS: confirm the host resolves on the endpoint’s resolver.

Re-run the check until every host reports OK.

File-type / MIME allow check

The agent bundle, updates, and config files are .exe .msi .msp .zip .json .toml .xml. If a download-control policy or SWG blocks or rewrites those types, install and updates fail. This check downloads a small probe of each type and confirms it arrives intact with the right Content-Type. It is environment-independent — run it once:

& ([scriptblock]::Create((irm https://quilr-extensions.quilr.ai/Quilr-SOP/EndpointAgent/Windows/quilr-filetype-check.ps1)))

# Paste into PowerShell
$base = 'https://quilr-extensions.quilr.ai/Quilr-SOP/EndpointAgent/mime-test'
$marker = 'QUILR-MIME-PROBE-OK'
foreach ($e in 'exe','msi','msp','zip','json','toml','xml') {
    $st = 'BLOCKED'; $ct = '-'
    try {
        $r = Invoke-WebRequest "$base/probe.$e" -UseBasicParsing -TimeoutSec 15
        $ct = "$($r.Headers['Content-Type'])"
        $body = if ($r.Content -is [byte[]]) { [Text.Encoding]::ASCII.GetString($r.Content) } else { [string]$r.Content }
        if ($body -like "*$marker*") { $st = 'OK' } else { $st = 'ALTERED' }
    } catch { $st = 'BLOCKED' }
    "{0,-6}  {1,-8}  {2}" -f ".$e", $st, $ct
}

curl -fsSL https://quilr-extensions.quilr.ai/Quilr-SOP/EndpointAgent/macOS/quilr-filetype-check.sh | sh

# Paste into Terminal
base='https://quilr-extensions.quilr.ai/Quilr-SOP/EndpointAgent/mime-test'
marker=QUILR-MIME-PROBE-OK
tmp="${TMPDIR:-/tmp}/qp.$$"
for e in exe msi msp zip json toml xml; do
  m=$(curl -sS -m 15 -o "$tmp" -w '%{http_code}|%{content_type}' "$base/probe.$e" 2>/dev/null)
  http=${m%%|*}; ct=${m#*|}
  if [ "$http" != 200 ]; then st=BLOCKED; ct="HTTP ${http:-000}"
  elif ! grep -q "$marker" "$tmp" 2>/dev/null; then st=ALTERED
  else st=OK; fi
  printf '.%-5s  %-8s  %s\n' "$e" "$st" "$ct"
done
rm -f "$tmp"

Expected output

Quilr file-type / MIME allow check
Base: https://quilr-extensions.quilr.ai/Quilr-SOP/EndpointAgent/mime-test
----------------------------------------------------------------
.exe    OK        application/x-msdownload
.msi    OK        application/x-msi
.msp    OK        application/octet-stream
.zip    OK        application/zip
.json   OK        application/json
.toml   OK        application/toml
.xml    OK        application/xml
----------------------------------------------------------------
RESULT: all file types downloadable with intact content.

A type returning BLOCKED (download refused) or ALTERED (replaced by a block page) must be allowed on your SWG / download-control policy — see the file-type allow-list in Step 1.