Deployment Options

Agent vs Agentless

Same enforcement. Different operating model.

Both options deliver the same threat intelligence and the same prevention. The difference is how it reaches your endpoints, and how your team wants to manage it.

MagicSword is application control built around current threat intelligence, automatic policy tuning, and real-time fleet visibility. The choice between agentless and agent comes down to how your environment is managed, what your compliance posture allows, and how frequently you need intel updates to land on endpoints. Both connect to the same portal, the same intel feeds, and the same policy engine.

Option A

Agentless

Doesn't add software to your endpoints. Often the only option allowed in regulated or restricted environments like financial services, healthcare, government, and classified networks, where third-party agents aren't permitted on the fleet.

Generate an application control policy in the portal and deliver it through the same tools you already use: PowerShell, GPO, SCCM, or Microsoft Intune. Intel updates ship with your next policy refresh.

Option B

Agent

A small app on the endpoint that picks up new threat intelligence within a couple of hours, watches what runs, and reports back. No need to redeploy a policy every time intel changes.

Works across Windows, macOS, and Linux. Adds browser extension control, persistence visibility, and live telemetry your team can use to tune policy. Best when you want updates to land automatically and full fleet visibility from day one.

Feature comparison

Both options deliver kernel-enforced application control. The differences are in how the system stays current and how visible the fleet is to your operators.

Capability | Agentless | Agent

Kernel-enforced application control | Yes | Yes
  MagicSword is an application control platform. The deny decision happens at the kernel on every supported OS, and we add the intel, telemetry, and tuning workflow that raw policy editors don't.

Intel feed propagation to endpoints | On your redeploy cadence | Continuous (~2 hrs)
  New threat indicators (RMM abuse, vulnerable drivers, signed-binary misuse) flow to agent endpoints continuously. Agentless receives the same updates whenever you refresh the policy through your management pipeline.

Deploys via Intune, SCCM, GPO, PowerShell | Yes | Optional
  Agentless slots into existing Microsoft management infrastructure. The agent installer can be pushed through the same channels if preferred.

Endpoint software footprint | Policy only | Lightweight daemon + tray
  Agentless leaves no third-party process running on the endpoint, just the policy file. The agent runs a small daemon plus a system-tray UI, and adds telemetry and live policy delivery on top.

Telemetry for Investigate and policy tuning | Manual collection (PowerShell) | Continuous
  Tuning a policy benefits from knowing what actually executed. Agentless surfaces this through the data-collection PowerShell script, run on demand. The agent streams it continuously, so Investigate is always current.

Browser extension policy enforcement | Not available | Chrome, Edge, Firefox, Safari
  Managed allow and block lists for browser extensions, with drift detection. Extensions are a common path for data exfiltration and supply-chain risk; this control is available with the agent.

Real-time persistence monitoring | Not available | BTM, scheduled tasks, cron, systemd
  The agent surfaces persistence events the moment they occur: Background Task Manager registrations on macOS, scheduled tasks on Windows, cron and systemd units on Linux.

macOS and Linux coverage | Windows-focused | Windows, macOS, Linux
  Application control is platform-specific at the kernel. The agent integrates with each OS's native enforcement primitives so the deny decision lands kernel-side on Windows, macOS, and Linux. Cross-platform coverage ships through the agent.

Per-endpoint heartbeat and health | Not available | Continuous
  Continuous endpoint health, last-seen timestamps, drift detection, version inventory. Useful when you need to confirm which endpoints have the current policy.

Break-glass and emergency audit override | Policy redeploy | One-click portal toggle
  Both models support flipping a policy to audit-only. Agentless does it through the same management pipeline used for deployment. The agent does it from the portal and reverts the same way.

Connectivity to portal | Deployment windows | Persistent HTTPS
  Agentless connects when you publish a policy. The agent maintains an outbound HTTPS heartbeat for live updates and telemetry, with no inbound ports.
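The heartbeat row above describes what fleet visibility buys you: last-seen timestamps, drift detection, and a version inventory that tell you which endpoints you can actually confirm are on the current policy. The following is an added example, not MagicSword code and not its telemetry format; the record fields, version strings, the six-hour staleness threshold, and the sample fleet are all assumptions constructed for illustration. It buckets endpoints into current, drifted, and stale, treating a host that has not checked in recently as unknown rather than trusting its last reported policy version.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Heartbeat:
    """One endpoint's most recent check-in (field names are assumptions)."""
    host: str
    last_seen: datetime
    policy_version: str
    agent_version: str


# Reference time and a constructed sample fleet; not real telemetry.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_FLEET = [
    Heartbeat("ws-001", NOW - timedelta(minutes=5), "v42", "1.8.0"),
    Heartbeat("ws-002", NOW - timedelta(hours=3), "v41", "1.8.0"),
    Heartbeat("ws-003", NOW - timedelta(days=2), "v42", "1.7.2"),
    Heartbeat("srv-010", NOW - timedelta(minutes=30), "v42", "1.8.0"),
]


def fleet_health(beats, current_policy, now=NOW, stale_after=timedelta(hours=6)):
    """Bucket endpoints into current / policy_drift / stale.

    A host whose last heartbeat is older than `stale_after` is reported as
    stale rather than current or drifted: its last reported policy version
    may no longer reflect what is actually running on it.
    """
    report = {"current": [], "policy_drift": [], "stale": []}
    for beat in sorted(beats, key=lambda b: b.host):
        if now - beat.last_seen > stale_after:
            report["stale"].append(beat.host)
        elif beat.policy_version != current_policy:
            report["policy_drift"].append(beat.host)
        else:
            report["current"].append(beat.host)
    return report


def version_inventory(beats):
    """Count agent versions across the fleet, for upgrade tracking."""
    return dict(Counter(b.agent_version for b in beats))


def hosts_missing_policy(beats, current_policy, now=NOW):
    """Hosts you cannot confirm are on `current_policy`: drifted or stale."""
    health = fleet_health(beats, current_policy, now=now)
    return sorted(health["policy_drift"] + health["stale"])


if __name__ == "__main__":
    for bucket, hosts in fleet_health(SAMPLE_FLEET, "v42").items():
        print(f"{bucket:13s} {', '.join(hosts) or '-'}")
    print("agent versions:", version_inventory(SAMPLE_FLEET))
```

The point of the stale bucket is that a silent endpoint is not evidence of anything: only hosts that have checked in within the window count as confirmed, which is the same question the agentless data-collection snapshot answers only at the moment it was run.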

When agentless fits

  • You already manage Windows endpoints with Intune, SCCM, or GPO

    Application control layers cleanly on top of your existing deployment pipelines. You keep the workflow your team already runs.

  • You cannot install third-party software on the fleet

    Regulated environments, restricted segments, and air-gap-adjacent networks often prohibit additional endpoint software. Agentless ships only the policy file.

  • You are validating application control before broader rollout

    Pilot a policy across a representative sample with zero endpoint footprint, run it in audit, and review the events before flipping to enforce.

  • Quarterly or monthly refresh cadence works for your threat model

    If your patch cycle drives policy refresh and you can tolerate intel updates landing during your maintenance window, agentless fits the existing rhythm.
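The pilot step in the list above (run in audit, review the events, then flip to enforce) is where most rollouts stall, because audit logs arrive one execution at a time and the decision has to be made per binary. The following is an added example, not MagicSword code and not the format of its audit events; the event fields, the sample pilot events, and the triage rule are all assumptions constructed for illustration. It collapses would-block events into one row per (path, signer) so the reviewer can see prevalence across the pilot group before enforcing.

```python
from collections import defaultdict

# Constructed audit-mode events from a pilot group: each is one execution that
# the policy would have denied in enforce mode. Field names are assumptions.
AUDIT_EVENTS = [
    {"host": "ws-001", "path": r"C:\Program Files\Vendor\app.exe", "signer": "Vendor Inc."},
    {"host": "ws-002", "path": r"C:\Program Files\Vendor\app.exe", "signer": "Vendor Inc."},
    {"host": "ws-003", "path": r"C:\Program Files\Vendor\app.exe", "signer": "Vendor Inc."},
    {"host": "ws-002", "path": r"C:\Users\alice\Downloads\setup.exe", "signer": None},
    {"host": "ws-002", "path": r"C:\Users\alice\Downloads\setup.exe", "signer": None},
    {"host": "ws-005", "path": r"C:\Tools\helper.exe", "signer": "Helper LLC"},
]


def summarize_audit(events, pilot_size, prevalent_share=0.5):
    """Collapse would-block events into one row per (path, signer).

    Triage rule (a simple heuristic for illustration, not the product's):
      - unsigned binaries always go to review;
      - a signed binary seen on at least `prevalent_share` of the pilot is a
        candidate for an allow rule, since blocking it on enforce day would
        hit a large share of the fleet;
      - anything else is reviewed before the policy goes to enforce.
    """
    groups = defaultdict(lambda: {"hosts": set(), "events": 0})
    for ev in events:
        g = groups[(ev["path"], ev["signer"])]
        g["hosts"].add(ev["host"])
        g["events"] += 1

    rows = []
    for (path, signer), g in groups.items():
        share = len(g["hosts"]) / pilot_size
        if signer is None:
            decision = "review_unsigned"
        elif share >= prevalent_share:
            decision = "candidate_allow"
        else:
            decision = "review"
        rows.append({"path": path, "signer": signer, "hosts": len(g["hosts"]),
                     "events": g["events"], "decision": decision})
    # Most widespread first, so the biggest enforce-day impact is at the top.
    rows.sort(key=lambda r: (-r["hosts"], r["path"]))
    return rows


def blast_radius(events):
    """Hosts that would see at least one block if enforce were flipped now."""
    return {ev["host"] for ev in events}


if __name__ == "__main__":
    for row in summarize_audit(AUDIT_EVENTS, pilot_size=5):
        print(f"{row['decision']:16s} hosts={row['hosts']} events={row['events']} "
              f"signer={row['signer']!r} {row['path']}")
    print("hosts affected on enforce:", sorted(blast_radius(AUDIT_EVENTS)))
```

Prevalence is only a sorting aid: a widely deployed unsigned binary still lands in review, and the row count, not the raw event count, is what tells you how much work remains before the pilot can move to enforce.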

When the agent fits

  • You want intel-driven updates to land on endpoints automatically

    New vulnerable drivers, RMM abuse indicators, and signed-binary research reach endpoints within roughly two hours of being published, without a redeploy.

  • You need browser extension policy enforcement

    Sensitive data flows through the browser. The agent enforces a managed allow and block list across Chrome, Edge, Firefox, and Safari, and surfaces drift.

  • Your team uses Investigate to tune policies

    Continuous telemetry means policy tuning works against the current execution profile of your fleet, not a snapshot from the last data-collection run.

  • You run macOS or Linux endpoints

    The agent extends application control beyond Windows using Endpoint Security Framework on macOS and fanotify with optional eBPF on Linux. Same portal, same intel.

  • You want real-time persistence visibility

    BTM launch items, scheduled tasks, cron jobs, and systemd units surface as events the moment they appear. Useful for catching post-execution persistence even when the initial execution was allowed.

You can run both

Mixed deployments are common

The two models are not mutually exclusive. Many teams run agentless on regulated or restricted segments where additional endpoint software is not permitted, and the agent on the rest of the fleet for continuous intel updates and full telemetry.

Both connect to the same portal, the same intel feeds, and the same policy versions. If you want to move a segment over later, it is just another deploy.

Not sure which path fits?

A 20-minute call is usually enough to map your existing deployment pipelines and threat model to the right starting point.