The Smallstep Agent
Smallstep ensures that access to financial data, code repositories, PII, and other sensitive resources is only possible from trusted devices.
The Smallstep Agent offers a uniform device-identity experience across macOS, Windows, and Linux. It is foundational to Smallstep's high-assurance device attestation workflow: it automates the enrollment and delivery of client certificates and configures the components that depend on them.
The agent runs as a background service on all platforms. On macOS and Windows, the agent includes an optional desktop app that provides visibility into the agent's status and aids in troubleshooting.
The Smallstep Agent operates differently on Linux. For Linux-specific instructions, see Smallstep Agent for Linux.
Download
On macOS and Windows, the Smallstep Agent includes an optional desktop app UI for transparency and troubleshooting. The agent runs as a background service on all platforms.
Installers for macOS, Windows, and Linux can also be downloaded from GitHub releases. Releases are signed with cosign, and the signatures can be verified with cosign before installation.
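The page says releases are signed with cosign and can be verified with it. The script below is an added example, not Smallstep's own tooling: it checks a downloaded installer against a published checksum file and then verifies its cosign signature. Everything about the release layout is an assumption: that each artifact ships with an adjacent .sig and .pem (keyless signing), that a checksums.txt with "sha256 filename" lines exists, and the signer identity and OIDC issuer, which are placeholders to be replaced with the values published for the release.

```shell
#!/bin/sh
# Added example, not Smallstep's own tooling: verify a downloaded installer
# before installing it. Assumptions (placeholders, not from the page):
#   - the release ships <artifact>.sig and <artifact>.pem next to <artifact>
#     (keyless cosign signing) and a checksums.txt with "sha256  filename" lines;
#   - COSIGN_IDENTITY_REGEXP / COSIGN_OIDC_ISSUER describe the signer; take the
#     real values from the release page rather than trusting these defaults.
set -eu

sha256_of() {
  # Portable digest: sha256sum on Linux, shasum on macOS.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

verify_checksum() {
  # $1 = checksums file, $2 = artifact path. Returns 0 only when the digest
  # recorded for the artifact's basename matches the file on disk.
  # A leading "*" (sha256sum's binary-mode marker) on the filename is ignored.
  name=$(basename "$2")
  expected=$(awk -v n="$name" '{ sub(/^\*/, "", $2) } $2 == n {print $1}' "$1")
  if [ -z "$expected" ]; then
    echo "no checksum entry for $name" >&2
    return 1
  fi
  actual=$(sha256_of "$2")
  [ "$expected" = "$actual" ]
}

verify_signature() {
  # $1 = artifact path. Keyless cosign verification against the bundled
  # certificate and signature; the identity and issuer below are placeholders.
  cosign verify-blob \
    --certificate "$1.pem" \
    --signature "$1.sig" \
    --certificate-identity-regexp "${COSIGN_IDENTITY_REGEXP:-REPLACE_WITH_SIGNER_IDENTITY}" \
    --certificate-oidc-issuer "${COSIGN_OIDC_ISSUER:-https://token.actions.githubusercontent.com}" \
    "$1"
}

verify_release() {
  # $1 = artifact, $2 = checksums file. Both checks must pass: the checksum
  # catches a corrupted download, the signature catches a substituted one.
  verify_checksum "$2" "$1" && verify_signature "$1"
}

# Usage (placeholder file names):
#   verify_release ./smallstep-agent-installer.pkg ./checksums.txt
```

The checksum alone only proves the file matches what the checksum file says, and both could come from the same compromised download location; the signature is what ties the artifact back to the signer, so treat a passing checksum with a failing signature as a failure.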
| Platform | Release |
|---|---|
| macOS | Latest Version |
| Linux (Flatpak) | Latest Version |
| Linux (.deb) | Latest Version |
| Linux (.rpm) | Latest Version |
| Windows | Latest Version |
System Requirements
Windows
- Windows 10 or later (Windows Home editions are not supported.)
- Trusted Platform Module (TPM 2.0)
Linux
- Flatpak, or Debian 12+, Ubuntu 22.04+, Fedora 38+
- systemd-based service manager
- Trusted Platform Module (TPM 2.0)
- p11-kit
- tpm-tss2
macOS
- macOS 13 (Ventura) or later
- Secure Enclave
Runtime Requirements
All platforms require an internet connection for normal operation.
Windows
- Administrator privileges - the Smallstep Agent requires privilege escalation to communicate with the TPM
macOS
- Location permission - to enable management of Wi-Fi networks, the Smallstep Agent needs location permission
- Keychain access - the Smallstep Agent uses the macOS keychain to store both keys and certificates it manages
- Network Extension entitlement - the Smallstep Agent requests the Network Extension entitlement so that it can manage VPN connections
Linux
- TPM read/write permission - the Smallstep Agent communicates with the TPM from user space using tpm-tss2, and the user it runs as must have read/write permission on the TPM resource manager (typically /dev/tpmrm0)
Connectivity Requirements
The Smallstep Agent connects to the following Smallstep hosts:
- Your CA: <your-team>.ca.smallstep.com and subdomains
- Agent API: control.infra.smallstep.com
- Smallstep API: gateway.smallstep.com
- TPM Attestation CA: att.smallstep.com
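The Linux runtime requirement (read/write access to the TPM resource manager) and the connectivity requirements above are the two things most likely to block enrollment on a locked-down host. The following pre-flight script is an added example, not Smallstep's own tooling: it checks both before the agent is installed. It assumes, since the page does not say, that the agent's traffic is HTTPS on TCP 443, that the resource manager is /dev/tpmrm0 unless TPM_DEVICE overrides it, and that the team slug passed in (the placeholder "acme") is what replaces <your-team> in the CA hostname.

```shell
#!/bin/sh
# Added example, not Smallstep's own tooling: a Linux pre-flight check for
# TPM resource-manager access and outbound reachability of the Smallstep hosts.
# Assumptions (not stated on the page):
#   - the agent's traffic is HTTPS on TCP 443;
#   - the TPM resource manager is /dev/tpmrm0, overridable via TPM_DEVICE;
#   - the argument is your Smallstep team slug ("acme" below is a placeholder).

tpm_access_ok() {
  # $1 = device path. The agent needs read *and* write on the resource manager.
  [ -e "$1" ] || { echo "missing TPM resource manager: $1" >&2; return 1; }
  [ -r "$1" ] && [ -w "$1" ]
}

tpm_owning_group() {
  # Print the device's owning group so an admin knows which group to add the
  # agent's user to (tpm2-tss udev rules commonly use "tss"; check, do not assume).
  stat -c '%G' "$1" 2>/dev/null || stat -f '%Sg' "$1"
}

required_hosts() {
  # $1 = team slug. Emits one host per line. The CA also uses subdomains, so a
  # firewall allowlist needs the wildcard under the team's CA name, not only
  # the names listed here.
  printf '%s.ca.smallstep.com\n' "$1"
  printf 'control.infra.smallstep.com\n'
  printf 'gateway.smallstep.com\n'
  printf 'att.smallstep.com\n'
}

host_reachable() {
  # $1 = host, $2 = port. Only the TCP/TLS handshake matters here; an HTTP
  # error status from the server still means the egress path is open.
  curl -sS --connect-timeout 5 -o /dev/null "https://$1:$2/" >/dev/null 2>&1
}

preflight() {
  # $1 = team slug. Returns the number of failed checks (0 = all good).
  failed=0
  dev=${TPM_DEVICE:-/dev/tpmrm0}
  if tpm_access_ok "$dev"; then
    echo "ok   tpm: $dev is readable and writable"
  else
    grp=$(tpm_owning_group "$dev" 2>/dev/null || echo unknown)
    echo "FAIL tpm: no read/write access to $dev (owning group: $grp)"
    failed=$((failed + 1))
  fi
  for h in $(required_hosts "$1"); do
    if host_reachable "$h" 443; then
      echo "ok   net: $h:443"
    else
      echo "FAIL net: cannot reach $h:443"
      failed=$((failed + 1))
    fi
  done
  return "$failed"
}

# Usage: preflight acme   # "acme" is a placeholder team slug
```

Run it as the user the agent will run as, not as root: root passes the read/write test on any device regardless of its mode bits, which hides exactly the permission problem the check is meant to find.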
File Access
On all platforms, the Smallstep Agent creates and manages a directory in a well-known location on the filesystem for the keys and certificates it manages. It does not access any other files on the device outside that directory.
- On macOS: $HOME/Library/Application Support/Smallstep
- On Windows: %LOCALAPPDATA%/Smallstep
- On Linux: $XDG_RUNTIME_DIR/step-agent and $XDG_CONFIG_HOME/step-agent
Telemetry
The Smallstep Agent collects and reports some data from the host device as part of its normal operation. These are:
- Device Identifiers from TPM-enabled platforms
- Device/Computer Name
- Device/Computer Hostname
- Chipset Architecture
- Operating System Version
- WAN IP Address
Last updated on January 5, 2026