AgentP working and installation modes
In this topic, you will learn about the three working modes and the two installation modes of AgentP.
AgentP working modes: Windows
AgentP can work in three different modes on Windows:
- Single-user mode: This mode is designed mainly for computers used by a single user, such as personal laptops. Every new user who logs in to the computer must onboard AgentP manually. When the user is logged out, the computer has no access to the secure network.
- User-based multi-user mode: This mode is designed mainly for computers used by a single user, such as personal laptops, that need to keep secure network access even when the user is logged out. It can also be used on shared computers, but in that case, when the user is logged out, the computer keeps secure network access with the privileges of the last user who was logged in.
In this mode, AgentP recognizes the identity of the user who is currently logged in to the computer, and authenticates that user with the network. If the user logs out and another user logs in, AgentP identifies the newly logged-in user.
This is the default multi-user mode if at least one of the following conditions is true:
- The device uses an operating system other than Windows.
- Portnox Cloud is integrated with an authentication repository other than Microsoft Entra ID or Active Directory.
- Your tenant was created before March 18, 2024, and you did not turn on the Install computer certificate option.
- Multi-user mode: This mode is designed mainly for shared computers. When the user is logged out, the computer keeps secure network access using a dedicated computer certificate.
In this mode, AgentP recognizes the identity of the user who is currently logged in to the computer, and authenticates that user with the network. If the user logs out and another user logs in, AgentP identifies the newly logged-in user.
This is the default multi-user mode if all of the following conditions are true:
- The device uses Windows 10 or later.
- Portnox Cloud is integrated with Microsoft Entra ID or Active Directory as the authentication repository.
- Your tenant was created after March 18, 2024, or you manually turned on the Install computer certificate option.
- Kiosk mode: In this mode, AgentP does not identify any users, but identifies the device only. This mode is for computers such as kiosks.
You must manually activate the kiosk mode by configuring AgentP.
This can be the running mode if all of the following conditions are true:
- The device uses Windows 10 or later.
- Portnox Cloud is integrated with Microsoft Entra ID or Active Directory as the authentication repository (required because only these repositories manage computer accounts).
- You manually activated the kiosk mode.
To learn more about these modes and how they use certificates, see the following topic: AgentP and certificates.
AgentP installation modes: Windows
AgentP can be installed in two different modes:
- Interactive mode: In this mode, AgentP shows the onboarding screen, where the user has to manually select the correct repository and use single sign-on to onboard, or enter their user credentials.
- Unattended mode: In this mode, AgentP does not show the onboarding screen, or shows it only briefly for information purposes. The user is automatically onboarded on the basis of their Entra ID or Active Directory account. This mode is not available for other repositories.
To learn how to install AgentP in unattended mode, see the following topic: Onboard Windows devices with AgentP in unattended or kiosk mode.
AgentP working mode: macOS
On macOS, certificates and network configuration profiles are managed per user. AgentP installs certificates only into the logged-in user’s keychain, and these certificates are not shared with other user accounts on the device. Each macOS user therefore maintains an independent certificate store and configuration profile set. Although macOS also provides a system keychain for system-wide certificates, AgentP does not install or use certificates in the system keychain.
macOS cannot join Entra ID (Azure AD) as a device, and device-bound certificates or device accounts are not supported. Because of this, macOS cannot provide a Windows-style kiosk mode based on a device identity, and AgentP cannot operate with a device-wide certificate.
To simulate a shared or kiosk-like mode, we recommend that you create a dedicated service user account in your identity provider and onboard the macOS device with AgentP under that account. This shared service account acts as the network identity for the device.
AgentP working mode: iOS/Android
iOS and Android devices are inherently designed as single-user systems from an identity-certificate perspective. While Android supports multiple user profiles and iOS supports limited supervised-mode multi-user configurations on iPads, each profile or user instance is fully isolated. AgentP, certificates, and configuration profiles are bound to the active user profile only.
If multiple users must operate a shared mobile device, the operating system must be configured to use separate, isolated user profiles for each person. Each profile handles its own onboarding and stores its own certificates. When the active OS user changes, that user may onboard with AgentP independently or not use AgentP at all, and they cannot access the certificate data or configuration belonging to another user.
AgentP working mode: Linux
On Linux, certificates and network configuration (including 802.1X settings) are typically stored at the system level rather than per user. As a result, onboarding with AgentP enrolls the Linux device itself rather than a specific user identity. Any user who logs in to the machine, locally or remotely, will use the system's onboarding identity and associated credentials.
Linux does not support joining Entra ID as a device in the same way that Windows does. While Linux can integrate with Entra ID for user authentication (for example, via SSSD, PAM, or third-party agents), it cannot register as a managed Entra ID device capable of holding device-scoped certificates. Therefore, Linux cannot request device-bound certificates from Entra ID, either through AgentP or native tooling.
On single-user Linux machines, this behavior is generally acceptable because the system identity effectively represents the only user. On multi-user Linux devices, we recommend creating a dedicated service account in your identity provider to represent the shared machine and using that user account during onboarding. Configure the service account with the minimal privileges required so that all users of the device inherit only the intended level of access.
