Manual Installation
Install on a single device by hand — ideal for a pilot machine, a technician build, or reproducing an issue. The macOS flow is fully scripted below; Windows installs by running the MSI locally.
🔑
Local administrator rights required
Manual installation must run as a local administrator — on macOS an admin account with sudo rights, on Windows an elevated session (Run as administrator). The installer writes to the system trust store, installs a system service/driver, and (macOS) loads a system extension, none of which are possible as a standard user.
🔐
Critical order: trust the CAs first
Always import the Quilr root + intermediate CAs before installing the package, so the agent’s
first TLS handshake with the Quilr control plane succeeds.
Prerequisites for this device
- Local administrator account with sudo rights
- Physical / console access (Screen Sharing or a logged-in session)
- macOS 13+ on the current release
- Network access to the Quilr distribution host and control plane (proven in Step 2)
- The install bundle: quilr-endpoint-agent-install-bundle.zip
1
Download & stage the bundle
bash
# Download from the Quilr CDN
curl -fLO https://quilr-extensions.quilr.ai/endpoint-agent/prod/mac/installer/quilr-endpoint-agent-install-bundle.zip
# Unzip to a working directory
unzip quilr-endpoint-agent-install-bundle.zip -d ~/Downloads/quilr/
Bundle contents
- certs/quilr-root-ca.crt — root CA
- certs/quilr-ea-intermediate-ca.crt — intermediate CA
- quilr-endpoint-agent-installer.pkg
- .mobileconfig files — MDM only; skip for manual install
2
Trust the CA certificates (do this first)
Do this by hand in Keychain Access — no Terminal needed:
- Open Keychain Access (Applications → Utilities) and select the System keychain on the left.
- File → Import Items… and import certs/quilr-root-ca.crt into the System keychain; authenticate as administrator. Repeat for certs/quilr-ea-intermediate-ca.crt.
- Double-click each imported Quilr certificate, expand Trust, and set “When using this certificate” to Always Trust. Close the window and authenticate to save.
Prefer the command line? CLI equivalent:
bash · sudo
cd ~/Downloads/quilr/quilr-endpoint-agent-install-bundle
# Add root CA
sudo security add-trusted-cert -d -r trustRoot \
-k /Library/Keychains/System.keychain certs/quilr-root-ca.crt
# Add intermediate CA
sudo security add-trusted-cert -d -r trustAsRoot \
-k /Library/Keychains/System.keychain certs/quilr-ea-intermediate-ca.crt
Verify
verify
security find-certificate -a /Library/Keychains/System.keychain | grep -i quilr | wc -l
Expected: 2
3
Install the agent package
Install — double-click the package
- In Finder, double-click quilr-endpoint-agent-installer.pkg.
- Follow the macOS Installer wizard: Continue → Install, authenticating as an administrator.
- If no tenant config is found, the installer prompts for your Tenant ID — enter the value from Quilr support and continue.
- Wait for “The installation was successful.”
Install QuilrAI Endpoint Agent
ℹ️
Tenant ID
The installer looks for /tmp/quilr-endpoint-agent.json first; if it is not there, it asks for the Tenant ID on screen. So for a manual install you can simply double-click and type it when prompted.
Pre-seed the Tenant ID instead (skip the prompt)
bash
# Create before installing; the installer reads it and skips the on-screen prompt
printf '{"tenant_id":"%s","discover_skip":false}\n' "<TENANT-ID>" \
> /tmp/quilr-endpoint-agent.json
Prefer the command line? CLI equivalent:
bash · sudo
sudo installer -pkg quilr-endpoint-agent-installer.pkg -target /
Verify installation
verify
ls -d /Applications/QuilrAIProxy.app
sudo launchctl list | grep -i quilrai
pgrep -lf "quilrai|quilrai-proxy"
4
Approve the System Extension
- Open System Settings → Privacy & Security
- Find the “System Extension Blocked” message for QuilrAIProxy
- Click Allow and authenticate as administrator
- When prompted “…would like to filter network content,” click Allow
verify
systemextensionsctl list | grep -i quilr
Expected: [activated enabled]
5
Grant Full Disk Access
- Open System Settings → Privacy & Security → Full Disk Access
- Toggle QuilrAIProxy to on and authenticate
- If prompted, allow the app to restart — or restart the daemon manually:
bash · sudo
sudo launchctl bootout system /Library/LaunchDaemons/com.sentinel.agent.plist
sudo launchctl bootstrap system /Library/LaunchDaemons/com.sentinel.agent.plist
verify
sqlite3 "/Library/Application Support/com.apple.TCC/TCC.db" \
"select client, allowed from access \
where service='kTCCServiceSystemPolicyAllFiles' and client like '%quilr%';"
Expected: allowed = 1
Key identifiers
| Installed app | /Applications/QuilrAIProxy.app |
| LaunchDaemon | /Library/LaunchDaemons/com.sentinel.agent.plist (label com.sentinel.agent) |
| Agent bundle ID | ai.quilr.agent.sentinel |
| Developer Team ID | W8FHSH4RM5 |
| Runtime logs | /Library/Logs/quilrai/ |
| Install & upload logs | /Library/Application Support/QuilrAI/logs/ |
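
Added example (not part of the Quilr bundle or its documentation): a pre-install check that the package's signing certificate carries the Developer Team ID listed above. It assumes the installer package is signed under that Team ID and that `pkgutil --check-signature` prints its usual `Status:` line and numbered certificate chain; the sample output and signer name inside the script are constructed.

```bash
#!/usr/bin/env bash
# Added example: refuse to install a package that is not signed by the
# expected Developer Team ID. Function names here are illustrative.

EXPECTED_TEAM_ID="W8FHSH4RM5"   # from the "Key identifiers" table on this page

# Constructed sample of `pkgutil --check-signature` output, used only for
# offline self-checks; the signer name is a placeholder.
SAMPLE_OUTPUT='Package "quilr-endpoint-agent-installer.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Notarization: trusted by the Apple notary service
   Certificate Chain:
    1. Developer ID Installer: Example Vendor Inc. (W8FHSH4RM5)
       Expires: 2030-01-01 00:00:00 +0000
    2. Developer ID Certification Authority
    3. Apple Root CA'

# Read pkgutil output on stdin; print the Team ID of the leaf (first)
# certificate in the chain, or nothing if no such line exists.
leaf_team_id() {
  sed -n 's/^[[:space:]]*1\. .*(\([A-Z0-9]\{10\}\))[[:space:]]*$/\1/p' | head -n 1
}

# Read pkgutil output on stdin; succeed only if it reports an Apple-issued
# developer signature AND the leaf certificate carries Team ID "$1".
signature_ok() {
  _out=$(cat)
  printf '%s\n' "$_out" \
    | grep -q 'Status: signed by a developer certificate issued by Apple' \
    || return 1
  _team=$(printf '%s\n' "$_out" | leaf_team_id)
  [ "$_team" = "$1" ]
}

# Usage: ./check-pkg.sh quilr-endpoint-agent-installer.pkg
if [ "$#" -ge 1 ]; then
  if pkgutil --check-signature "$1" | signature_ok "$EXPECTED_TEAM_ID"; then
    echo "OK: $1 is signed by Team ID $EXPECTED_TEAM_ID"
  else
    echo "FAIL: $1 is unsigned or signed by a different team; do not install" >&2
    exit 1
  fi
fi
```

Run it against the staged package before the install step; a non-zero exit means the package should not be installed until the mismatch is explained.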
Uninstall (preferred)
bash · sudo
sudo "/Library/Application Support/QuilrAI/quilrai-endpoint-uninstaller"
Prerequisites for this device
- Local administrator rights — run PowerShell / the MSI elevated (Run as administrator)
- Windows 10 (version 1809) or later / Windows 11, 64-bit
- Network access to the Quilr distribution host and control plane (proven in Step 2)
- %ProgramFiles%\QuilrAI\ excluded in AV / EDR (see Step 1)
- The install bundle: quilr-endpoint-agent-win-install-bundle.zip
ℹ️
On Windows the MSI installs the service, the WinDivert driver, and writes both Quilr CAs into the Local
Machine trust stores automatically. A manual install is just double-clicking the MSI and entering your
Tenant ID in the setup wizard — no command line needed.
1
Download & extract the bundle
- In a browser, download quilr-endpoint-agent-win-install-bundle.zip from the Windows bundle URL (see Step 1).
- In File Explorer, right-click the ZIP → Extract All… → extract to e.g. C:\Staging\Quilr.
Bundle contents: certs\quilr-root-ca.crt, certs\quilr-ea-intermediate-ca.crt, and quilr-endpoint-agent.msi.
Prefer the command line? CLI equivalent:
PowerShell (admin)
$url = 'https://quilr-extensions.quilr.ai/endpoint-agent/prod/windows/installer/quilr-endpoint-agent-win-install-bundle.zip'
Invoke-WebRequest $url -OutFile $env:TEMP\quilr-win.zip
Expand-Archive $env:TEMP\quilr-win.zip -DestinationPath C:\Staging\Quilr -Force
2
Install — double-click the MSI & enter your Tenant ID
- In File Explorer, double-click quilr-endpoint-agent.msi and approve the UAC prompt (local admin required).
- On the Quilr Tenant Configuration screen, type your Tenant ID into the Tenant ID (required) field, then click Next.
- Complete the wizard — Install → Finish. The service, WinDivert driver, and both Quilr CAs are installed automatically.
QuilrAI Endpoint Agent Setup
Quilr Tenant Configuration
Enter your Quilr Tenant ID to bind this device to your organisation.
Your Tenant ID is provided by your IT administrator or in the Quilr admin console. It is required; without it, the agent cannot authenticate this device to your organisation.
⛔
Tenant ID is mandatory
Setup will not proceed past this screen without it — without a tenant the agent cannot authenticate the device to
your organisation. Get the value from your IT admin or the Quilr admin console.
Prefer the command line / silent install? CLI equivalent:
PowerShell (admin)
msiexec /i "C:\Staging\Quilr\quilr-endpoint-agent.msi" /qn /norestart TENANTID=<TENANT-ID>
3
Verify the install
verify
Get-Service | Where-Object { $_.Name -match 'quilrai|quilr' } | Select Name, Status, StartType
certutil -store Root | findstr /i quilr
certutil -store CA | findstr /i quilr
netsh wfp show state | findstr /i quilr
Expected: the Quilr service is Running / Automatic, both CAs appear, and WFP shows Quilr filters.
🌐
Browser coverage
The endpoint agent excludes Microsoft Edge and Google Chrome. Use the Quilr Browser
Extension track to cover those. Firefox and native apps are covered by the agent.
✅
Exit criteria for Step 3
CAs trusted · package installed with tenant ID · (macOS) System Extension [activated enabled] and Full Disk Access allowed=1 · agent process/service running. Now confirm interception in Step 4.