Witness Anywhere Overview

WitnessAI Documentation

Witness Anywhere extends WitnessAI coverage to employees working outside the corporate network.
In hybrid and remote environments, users often access AI tools from locations or devices that do not route through enterprise proxies or SSE infrastructure. Witness Anywhere addresses this gap by enforcing AI security and governance policies directly at the endpoint, regardless of where the user is working.
The solution provides complete WitnessAI visibility, control, and protection for AI application usage across laptops, desktops, and mobile devices. It supports monitoring of more than 4,000 AI application URLs and captures relevant conversational context for auditing and analysis, while aligning with privacy and compliance requirements.
 

Deployment Options

Witness Anywhere is designed for enterprise-grade scalability, offering multiple deployment pathways tailored to the needs of large organizations.
💡
Note: When Enterprise Firewall or SASE endpoint agents are deployed on user devices, Witness Anywhere may not be required.
Please see full details below.

EDR Integration

For companies already leveraging CrowdStrike, Witness Anywhere can be seamlessly integrated to enhance observability and control without disrupting existing workflows.

Mobile Device Management (MDM)

Solutions like Jamf, Kandji, and Fleet allow IT teams to centrally deploy Witness Anywhere across diverse device ecosystems.

Active Directory (AD)

Using tools such as Group Policy Objects (GPO) or Microsoft Intune, enterprises can deploy Witness Anywhere quickly and securely to devices managed through AD.

Firewall/SASE Endpoint Agents Co-Residing with Witness Anywhere

During WitnessAI deployment, our integrations will be configured on your Enterprise Firewall and SASE solutions. Depending on how network Endpoint Agents are configured on your devices, you may or may not need to deploy Witness Anywhere on them.

“Always On” Firewall/SASE Endpoint Agents

When Firewall/SASE endpoint agents are configured in “Always On” mode, Witness Anywhere is not required. The Firewall/SASE integration seamlessly handles proxy chaining to the WitnessAI proxy.

“On-Demand” Firewall/SASE Endpoint Agents

When Firewall/SASE endpoint agents are configured in “On-Demand” mode, or when users have the ability to disable the agent, it is recommended to deploy Witness Anywhere (W/A). This ensures that AI traffic is properly forwarded to the WitnessAI Proxy even when the Firewall/SASE agent is not active.
To maintain seamless connectivity when the Firewall/SASE agent is enabled, configure your Firewall or SASE solution to allow traffic to the following domains and ports:
  • Allow traffic to api.{tenant-id}.{region}.witness.ai on port 443
  • Allow traffic to *.proxy.{tenant-id}.{region}.witness.ai on port 8443
If the Firewall or SASE solution performs SSL inspection for these destinations, ensure that the WitnessAI Proxy CA certificate is imported and trusted by the Firewall/SASE solution. Otherwise the inspecting device will terminate the TLS session to the proxy with its own certificate and the chained connection will fail.
 

Unsupported Scenarios

Users with Multiple Accounts on a Device

On Windows machines with multiple user accounts (e.g., managed and local administrator accounts), Witness Anywhere registration will fail if the user is signed in with a local or personal account at the time of registration.
This occurs because the username or email associated with the local account does not match any entries in the WitnessAI Console user database.

Witness Anywhere Co-Resident with other PAC-Based Solutions

Since Witness Anywhere relies on the system PAC file to forward AI traffic to the WitnessAI Proxy, any other Firewall or agent solutions that modify the system's proxy or PAC configurations may interfere with Witness Anywhere’s traffic forwarding logic.
 

Maintenance Life Cycle

💡
Note: See the Maintenance & Support page for full details.

Installation

  • Witness Anywhere uses script-based deployment using installation PAC tokens.
  • Scripts are not persistent agents. Scripts do not self-update. Any script updates require redeployment using the customer’s endpoint management system.
  • Logs are written to system temporary directories. Script exit codes indicate success or failure. Fleet-level monitoring should be handled by the customer’s endpoint management platform.

Installation PAC Tokens

  • Tokens are used to generate installation scripts. Once a device is successfully registered, the token is no longer required. Token expiration does not affect existing installations; an expired token only prevents new device registrations that use it.
  • To onboard additional devices after token expiration, generate a new token in the WitnessAI Console.

Installation Updates & Backward Compatibility

  • Installations rarely require updating after initial installation. When updates are required, WitnessAI will publish notice in the current Release Notes, and our Customer Success Team will notify the appropriate customer contacts.
  • When WitnessAI releases updated installation scripts, existing installations are not modified automatically. Updates require explicit redeployment by administrators.

Proxy Enforcement

  • Witness Anywhere relies on the system proxy and PAC configuration to enforce traffic routing.
  • WitnessAI highly recommends enforcing the PAC configuration via MDM or Group Policy, restricting local administrator access, and monitoring for proxy configuration drift.
  • If users can modify proxy settings, enforcement may be bypassed: a user who clears or replaces the PAC URL sends AI traffic directly, outside WitnessAI visibility.
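The two PAC caveats on this page (the co-residence note under Unsupported Scenarios and the enforcement bullets above) are easier to reason about with a concrete PAC in hand. The block below is an added example written for this page, not WitnessAI's shipped PAC or installation script. It shows a minimal PAC that routes AI application hosts to a local proxy listener and everything else DIRECT, a hypothetical second vendor's PAC that replaces it, a merged PAC that evaluates the Witness rules first, and an audit function that flags AI hosts no longer reaching the Witness route. Every hostname, port and tenant/region value in it is an assumption: the local listener 127.0.0.1:3128, the sase.example.net proxy, the acme/us-east-1 tenant placeholders and the short AI host list are all constructed for illustration. Whether a merged PAC is supported in a particular deployment is not something this page states; the merge is shown only to make the interference mechanism visible.

```javascript
// Added example (not WitnessAI's shipped PAC or installation script).
// All hostnames, ports and tenant/region values below are hypothetical.

// Hypothetical local Stunnel listener that tunnels to
// *.proxy.{tenant-id}.{region}.witness.ai:8443. The real listener address is
// set by the installation script and is not documented on this page.
const WITNESS_ROUTE = "PROXY 127.0.0.1:3128";

// Constructed sample of AI application hosts. The real list (4,000+ URLs) is
// maintained by WitnessAI and is not reproduced here.
const AI_HOST_PATTERNS = ["chat.openai.com", "*.openai.com", "claude.ai", "gemini.google.com"];

// The WitnessAI endpoints themselves must never be sent back through the
// proxy. "acme" and "us-east-1" stand in for the tenant-id/region placeholders.
const BYPASS_PATTERNS = ["api.acme.us-east-1.witness.ai", "*.proxy.acme.us-east-1.witness.ai"];

// Shims for the PAC helper functions a browser or OS normally supplies, so the
// PAC logic can be evaluated under Node.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function shExpMatch(str, pattern) {
  // Translate shell-style glob (* and ?) into an anchored, case-insensitive regex.
  const re = "^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                          .replace(/\*/g, ".*")
                          .replace(/\?/g, ".") + "$";
  return new RegExp(re, "i").test(str);
}

// (1) Witness-only PAC. Note there is no "; DIRECT" fallback after the proxy
// entry: if the local listener is down, browsers fail the request rather than
// silently sending AI traffic direct (fail closed).
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (isPlainHostName(host)) return "DIRECT";                       // intranet names
  if (BYPASS_PATTERNS.some((p) => shExpMatch(host, p))) return "DIRECT";
  if (AI_HOST_PATTERNS.some((p) => shExpMatch(host, p))) return WITNESS_ROUTE;
  return "DIRECT";
}

// (2) A hypothetical second vendor's PAC that sends all web traffic to its own
// proxy. If it is installed as the system PAC it replaces the rules above, and
// AI traffic never reaches the Witness route. This is the interference the
// co-residence caveat describes.
function otherVendorPac(url, host) {
  return "PROXY sase.example.net:8080";
}

// (3) Merged PAC: consult the Witness rules first and fall through to the other
// vendor's decision for everything Witness does not claim.
function mergedFindProxyForURL(url, host) {
  const witness = FindProxyForURL(url, host);
  return witness === WITNESS_ROUTE ? witness : otherVendorPac(url, host);
}

// (4) Drift/bypass audit: evaluate a PAC against constructed AI URLs and return
// the ones that would not be routed through the Witness listener. An endpoint
// management platform could run the same check against the PAC actually
// configured on a device.
const AI_SAMPLE_URLS = [
  "https://chat.openai.com/",
  "https://api.openai.com/v1/chat/completions",
  "https://claude.ai/new",
  "https://gemini.google.com/app",
];
function auditPac(pacFn, urls = AI_SAMPLE_URLS) {
  return urls.filter((u) => !pacFn(u, new URL(u).hostname).startsWith(WITNESS_ROUTE));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("AI URLs bypassing Witness under the other vendor's PAC:", auditPac(otherVendorPac));
  console.log("AI URLs bypassing Witness under the merged PAC:", auditPac(mergedFindProxyForURL));
}
```

The audit is the part worth keeping: the same `auditPac` call against whatever PAC a device actually has configured is a direct test for the "proxy configuration drift" the bullets above ask you to monitor, because it checks the routing decision rather than the presence of a file.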

Uninstallation/Removal

  • Witness Anywhere is removed with the flush script generated during PAC Token creation.

Stunnel Maintenance

  • Witness Anywhere scripts automatically deploy Stunnel as a local encrypted proxy component. When Witness Anywhere is removed with the flush script, Stunnel is also removed.
  • Stunnel security or reliability updates are delivered through updated installation scripts provided by WitnessAI.