What Gets Installed

This page enumerates every component the Waxell desktop endpoint agent lays down on macOS and Windows, what each one does, and where its files, state, and logs live. Use it to audit a managed deployment, scope a security review, or clean up a host.

Capture is OFF by default

Nothing on the endpoint terminates TLS or captures request payloads until an admin explicitly enables capture for a specific host. Out of the box the agent observes metadata flows only (process → destination host, timing, byte counts). See Turning capture on for the enable path.


macOS

The macOS agent ships as a single signed, notarized application bundle — Waxell Setup.app — distributed as a .dmg. The app embeds two network system extensions and a set of helper binaries; the helpers run as per-user LaunchAgents installed by the Setup UI at first run. All binaries are signed under Apple Developer Team ID 2RWC9968XY with the hardened runtime.

Components

| Component | Bundle / binary | Type | What it does |
|---|---|---|---|
| Waxell Setup | dev.waxell.setup | App (GUI) | The AppKit setup UI. Enrolls the device against the tenant CA, installs the system extensions and helper LaunchAgents, and surfaces status. Installs to /Applications. |
| FlowMonitor extension | dev.waxell.setup.flowmonitor | Network system extension (content filter) | Metadata flow observation. Sees every connection's process, destination host (SNI / QUIC), and timing, without terminating TLS. This is the always-on, default capability. |
| ProxyMonitor extension | dev.waxell.setup.proxymonitor | Network system extension (transparent proxy) | TLS-termination payload capture (L0). For admin-enabled AI hosts only: terminates TLS with a tenant-CA-chained leaf, DLP-redacts on-device, and uploads. Off until a host is enabled. |
| WaxellPolicyDaemon | dev.waxell.setup.policydaemon | Helper + LaunchAgent | Long-polls the control plane and applies guard / capture policy to the local extensions. |
| WaxellFlowUploader | dev.waxell.setup.flowuploader | Helper + LaunchAgent | Batches observed metadata flows and uploads them to the control plane. |
| WaxellCoworkWatcher | dev.waxell.setup.coworkwatcher | Helper + LaunchAgent | Watches Claude Cowork activity and emits the cowork audit event stream. |
| wax-hook | dev.waxell.setup.hook | Helper (no LaunchAgent) | Synchronous Claude Code hook, invoked per tool call. No daemon: the Setup UI wires it into ~/.claude/settings.json; the binary sits in the bundle awaiting invocation. |
Note: The Setup app is ~3 MB. The Python wax CLI is no longer bundled — all endpoint operations run as native Swift Mach-O helpers. Power users who want the dev CLI install it separately via pipx install waxell-observe.

File locations (macOS)

  • App bundle: /Applications/Waxell Setup.app
  • Embedded helpers: /Applications/Waxell Setup.app/Contents/Helpers/WaxellPolicyDaemon, WaxellFlowUploader, WaxellCoworkWatcher, wax-hook
  • LaunchAgent templates: /Applications/Waxell Setup.app/Contents/Resources/policy-daemon.plist.template, flow-uploader.plist.template, cowork-watcher.plist.template (substituted and installed into ~/Library/LaunchAgents/ at first run)
  • System extensions: activated from inside the app bundle and registered with the OS; managed via systemextensionsctl
  • Claude Code hook wiring: ~/.claude/settings.json
  • Managed config (MDM): delivered as a .mobileconfig profile (see installers/macos/mdm/)
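
The locations above are enough to audit a macOS install without trusting the Setup UI's own status view. The script below is an added example, not Waxell's code: it parses codesign output to confirm the bundle carries the stated Team ID and hardened runtime, checks that each installed LaunchAgent starts a helper inside the signed bundle rather than a copy in a writable location, and walks ~/.claude/settings.json to confirm wax-hook is actually wired in. The codesign text, plist and settings document it ships with are constructed samples; the installed LaunchAgent file names and the layout of Claude Code's hooks block are not stated on this page, so the script recognises the agent's LaunchAgents by their executable path (an assumption) and walks the hooks tree without assuming its shape.

```python
"""Offline audit helpers for the macOS install described above.

Parsers take text/bytes so they run on constructed samples; audit_host()
applies the same checks to the live machine (macOS only)."""
import json
import plistlib
import re
import subprocess
from pathlib import Path
from typing import Optional

APP = Path("/Applications/Waxell Setup.app")
HELPERS_DIR = APP / "Contents" / "Helpers"
TEAM_ID = "2RWC9968XY"

# Constructed samples shaped like the real artefacts (not captured output).
SAMPLE_CODESIGN = """\
Executable=/Applications/Waxell Setup.app/Contents/MacOS/Waxell Setup
Identifier=dev.waxell.setup
CodeDirectory v=20500 size=4096 flags=0x10000(runtime) hashes=120+7 location=embedded
TeamIdentifier=2RWC9968XY
"""
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>dev.waxell.setup.policydaemon</string>
<key>ProgramArguments</key><array>
<string>/Applications/Waxell Setup.app/Contents/Helpers/WaxellPolicyDaemon</string>
</array>
<key>RunAtLoad</key><true/>
</dict></plist>"""
# Assumed layout of the Claude Code hooks block; the page only says the
# Setup UI wires wax-hook into settings.json.
SAMPLE_SETTINGS = {"hooks": {"PreToolUse": [{"matcher": "", "hooks": [
    {"type": "command",
     "command": "/Applications/Waxell Setup.app/Contents/Helpers/wax-hook"}]}]}}


def parse_codesign(text: str) -> dict:
    """Extract TeamIdentifier and the hardened-runtime flag from
    `codesign -d --verbose=4` output (codesign writes it to stderr)."""
    team = re.search(r"^TeamIdentifier=(\S+)$", text, re.M)
    flags = re.search(r"^CodeDirectory .*flags=0x[0-9a-f]+\(([^)]*)\)", text, re.M)
    return {
        "team_id": team.group(1) if team else None,
        "hardened_runtime": bool(flags and "runtime" in flags.group(1).split(",")),
    }


def launchagent_executable(plist_bytes: bytes) -> Optional[str]:
    """The executable a LaunchAgent starts: Program, else ProgramArguments[0]."""
    data = plistlib.loads(plist_bytes)
    if data.get("Program"):
        return data["Program"]
    args = data.get("ProgramArguments") or []
    return args[0] if args else None


def launchagent_in_bundle(plist_bytes: bytes) -> bool:
    """True when the agent starts a helper inside the signed bundle rather
    than a copy somewhere user-writable."""
    exe = launchagent_executable(plist_bytes)
    return exe is not None and Path(exe).parent == HELPERS_DIR


def hook_commands(settings: dict) -> list:
    """Collect every 'command' under settings['hooks'] that invokes wax-hook,
    whatever the nesting, since the page does not fix the layout."""
    found = []

    def walk(node):
        if isinstance(node, dict):
            cmd = node.get("command")
            if isinstance(cmd, str) and "wax-hook" in cmd:
                found.append(cmd)
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)

    walk(settings.get("hooks", {}))
    return found


def audit_host() -> dict:
    """Run the checks on this Mac. Any LaunchAgent whose executable path
    mentions 'Waxell' is treated as one of the agent's (an assumption)."""
    proc = subprocess.run(["codesign", "-d", "--verbose=4", str(APP)],
                          capture_output=True, text=True)
    report = {"codesign": parse_codesign(proc.stderr), "launchagents": {}, "hooks": []}
    for plist in (Path.home() / "Library" / "LaunchAgents").glob("*.plist"):
        raw = plist.read_bytes()
        if "Waxell" in (launchagent_executable(raw) or ""):
            report["launchagents"][plist.name] = launchagent_in_bundle(raw)
    settings = Path.home() / ".claude" / "settings.json"
    if settings.exists():
        report["hooks"] = hook_commands(json.loads(settings.read_text()))
    report["team_id_ok"] = report["codesign"]["team_id"] == TEAM_ID
    return report


if __name__ == "__main__":
    print(json.dumps(audit_host(), indent=2))
```

A LaunchAgent reported as False, or a hooks list that is empty while the Setup UI claims governance is active, is the discrepancy worth chasing: both mean a per-tool-call control the page describes is not actually being invoked from the signed bundle.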

Windows

The Windows agent ships as a signed MSI (Waxell-<ver>.msi). The MSI installs the Setup GUI, several auto-start LocalSystem services, the synchronous hook binary, and — for L0 payload capture — the WinDivert kernel driver. Managed configuration is delivered out-of-band via HKLM\SOFTWARE\Waxell (typically pushed by Intune / MDM).

Components

| Component | Service / binary | Type | What it does |
|---|---|---|---|
| WaxellSetup | WaxellSetup.exe | App (GUI) | The Avalonia setup UI: service status, bridge status, enrollment. Also exposes --reset to clear persistent CNG keys + Waxell certs. |
| WaxellNetworkMonitor | WaxellNetworkMonitor | LocalSystem service (auto-start) | ETW flow observation (DNS + Schannel + Kernel-Network), PID/time correlation, metadata flow upload, and user-mode WFP blocking of disallowed processes. |
| WaxellCoworkWatcher | WaxellCoworkWatcher | LocalSystem service (auto-start) | Claude Cowork audit: emits the cowork event stream (parity with the macOS helper). |
| WaxellPolicyDaemon | WaxellPolicyDaemon | LocalSystem service (auto-start) | Long-polls the control plane and writes effective guard / capture policy to disk for the other services to read. |
| wax-hook | wax-hook.exe | Binary (no service) | Synchronous Claude Code hook, invoked per tool call. |
| WinDivert | WinDivert .sys driver | Kernel driver | Packet interception for L0 payload capture and HTTP/3 SNI extraction. Loaded only when capture is enabled. |

All three services boot at device startup and pick up the managed config (HKLM\SOFTWARE\Waxell) the moment it's present.

File locations (Windows)

  • Program files: %PROGRAMFILES%\Waxell\Setup\ (WaxellSetup.exe, waxell-diagnose.ps1) and Service\ (the services + WinDivert driver)
  • State + logs: %PROGRAMDATA%\Waxell\ (ACL'd BUILTIN\Users: Modify so the policy bridge can write without elevation; note that the same grant lets any standard user edit the policy files listed below)
    • policy.json — the local policy the services enforce (block lists, etc.)
    • guard-effective.json — the resolved effective guard policy from the cascade
    • service.log — teed service logs
    • device-identity.json — the per-device enrollment identity (CSR → tenant intermediate)
  • Managed config: HKLM\SOFTWARE\Waxell, values ApiUrl, ApiKey, CaptureEnabled, InterceptHosts, InterceptProcesses (ACL'd to SYSTEM + Administrators so ordinary users can't read the API key)
  • Tenant root CA: imported into LocalMachine\Root
  • Diagnostic bundle: "C:\Program Files\Waxell\Setup\waxell-diagnose.ps1" → %TEMP%\waxell-diag-<datestamp>.zip
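
The Windows locations above can be audited from the console in the same way. The script below is an added example, not Waxell's code: it parses what icacls.exe and reg.exe print, confirms whether BUILTIN\Users holds a write-capable right on %PROGRAMDATA%\Waxell (the ACL the page describes), and summarises the capture-related managed config. The icacls and reg query text it carries is constructed; it assumes %PROGRAMDATA% expands to C:\ProgramData and that CaptureEnabled is a REG_DWORD, since the page does not state value types. A standard user running it should see the config query denied, which is the documented key ACL working as intended.

```python
"""Offline audit helpers for the Windows install described above.

Parsers take the text icacls.exe and reg.exe print, so the ACL and
managed-config claims can be checked on constructed samples; audit_host()
runs the same checks on a live Windows host."""
import re
import subprocess
import sys

PROGRAMDATA_DIR = r"C:\ProgramData\Waxell"   # %PROGRAMDATA%\Waxell, default expansion (assumption)
CONFIG_KEY = r"HKLM\SOFTWARE\Waxell"
CONFIG_VALUES = ["ApiUrl", "ApiKey", "CaptureEnabled", "InterceptHosts", "InterceptProcesses"]
WRITE_RIGHTS = {"F", "M", "W"}               # icacls simple rights that permit writing

# Constructed samples in the shape icacls / reg query print (not captured output).
SAMPLE_ICACLS = "\n".join([
    r"C:\ProgramData\Waxell BUILTIN\Users:(OI)(CI)(M)",
    r"                      NT AUTHORITY\SYSTEM:(OI)(CI)(F)",
    r"                      BUILTIN\Administrators:(OI)(CI)(F)",
    "",
    "Successfully processed 1 files; Failed processing 0 files",
])
SAMPLE_REG = "\n".join([
    "",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Waxell",
    "    ApiUrl    REG_SZ    https://control.example.invalid",
    "    CaptureEnabled    REG_DWORD    0x1",
    "    InterceptHosts    REG_SZ    api.example.invalid",
])

ACE_RE = re.compile(r"^(?P<who>.+?):(?P<rights>(?:\([^)]*\))+)$")
VALUE_RE = re.compile(r"^\s{4}(?P<name>\S+)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")


def parse_icacls(text: str, path: str) -> dict:
    """Map identity -> set of rights from `icacls <path>` output. The first
    line is '<path> <ACE>'; the remaining ACEs are indented under it."""
    aces = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(path + " "):
            line = line[len(path) + 1:]
        m = ACE_RE.match(line)
        if not m:
            continue                          # blank line or the summary trailer
        rights = aces.setdefault(m.group("who"), set())
        for group in re.findall(r"\(([^)]*)\)", m.group("rights")):
            rights.update(group.split(","))   # e.g. "(RX,W)" carries two rights
    return aces


def users_can_write(aces: dict) -> bool:
    """True if a ...\\Users group holds a right that allows writing."""
    return any(who.upper().endswith("\\USERS") and rights & WRITE_RIGHTS
               for who, rights in aces.items())


def parse_reg_query(text: str) -> dict:
    """Map value name -> (type, data) from `reg query <key>` output."""
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m:
            values[m.group("name")] = (m.group("type"), m.group("data"))
    return values


def capture_state(values: dict) -> dict:
    """Summarise the capture-related managed config. Assumption: CaptureEnabled
    is a REG_DWORD (reg.exe prints it as hex) and nonzero means enabled."""
    _, data = values.get("CaptureEnabled", ("REG_DWORD", "0x0"))
    try:
        enabled = int(data, 0) != 0
    except ValueError:
        enabled = data.strip().lower() in {"true", "yes"}
    return {
        "capture_enabled": enabled,
        "missing_values": [v for v in CONFIG_VALUES if v not in values],
    }


def audit_host() -> dict:
    """Run both checks on this Windows host. A standard user should see the
    config query fail, which is the documented key ACL doing its job."""
    if sys.platform != "win32":
        raise SystemExit("audit_host() only runs on Windows")
    icacls = subprocess.run(["icacls", PROGRAMDATA_DIR], capture_output=True, text=True)
    reg = subprocess.run(["reg", "query", CONFIG_KEY], capture_output=True, text=True)
    report = {"programdata_users_can_write":
              users_can_write(parse_icacls(icacls.stdout, PROGRAMDATA_DIR))}
    if reg.returncode != 0:
        report["managed_config"] = "not readable (expected for non-administrators)"
    else:
        report["managed_config"] = capture_state(parse_reg_query(reg.stdout))
    return report


if __name__ == "__main__":
    print(audit_host())
```

Run it elevated to see the full managed config; run it as a standard user to confirm that the key really is closed to ordinary accounts while the ProgramData directory really is open to them, which is the asymmetry an auditor of this deployment should expect.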

L0 payload capture on Windows is still being built

Windows L0 (TLS-termination payload capture) is in progress. It depends on the WinDivert kernel driver, which is blocked by HVCI / Memory Integrity on Windows 11 — WinDivertOpen returns ERROR_DRIVER_BLOCKED (1275). On those hosts the service silently downgrades to metadata-only: every other capability (metadata flows, app discovery, hook governance, guard cascade, cowork audit) keeps working; L0 and HTTP/3 SNI extraction are unavailable until an attestation-signed driver ships. See the Memory Integrity (HVCI) section.


See also