Welcome/Witness Anywhere Overview/Maintenance & Support

Maintenance & Support

Category
Witness Anywhere: Remote Device Security
WitnessAI Documentation
List

Quick Start
Welcome
Supported Applications & LLMs
Release Notes
March 19, 2026 WitnessAI Update
March 17, 2026 WitnessAI Update
March 12, 2026 WitnessAI Update
March 5, 2026 WitnessAI Update
February 26, 2026 WitnessAI Update
February 24, 2026 WitnessAI Update
February 10, 2026 WitnessAI Update
January 27, 2026 WitnessAI Update
January 20, 2026 WitnessAI Update
January 13, 2026 WitnessAI Update
December 18, 2025 WitnessAI Update
December 9, 2025 WitnessAI Update
November 25, 2025 WitnessAI Update
November 18, 2025 WitnessAI Update
November 11, 2025 WitnessAI Update
October 28, 2025 WitnessAI Update
October 23, 2025 WitnessAI Update
October 9, 2025 WitnessAI Update
October 2, 2025 WitnessAI Update
September 30, 2025: WitnessAI Update
September 23, 2025: WitnessAI Update
August 12, 2025: WitnessAI Update
July 31, 2025: WitnessAI Update
July 18, 2025: WitnessAI Update
June 23, 2025: WitnessAI Update
June 9, 2025: WitnessAI Update
April 11, 2025: WitnessAI Release v2.0
User Guide
Home
Discovery
Discovered Apps
App Catalog
Agents
Analytics
Conversations
Users
Alerts
Policies
Lists
Private Applications
Settings
Configuration
Access Control
System
Secure AI Portal
User Menu
Policies & GuardRails
Policy Creation
Policy Precedence
File Attachments
GuardRail: Behavioral Activity
GuardRail: Data Protection
GuardRail: Harmful Response Prevention
GuardRail: Model Identity Protection
GuardRail: Model Protection
GuardRail: Organizational Behavior
GuardRail: Risk Analysis
Witness Anywhere: Remote Device Security
Witness Anywhere Overview
Installation Overview
MacOS Binary Installation
Windows Binary Installation
Maintenance & Support
Stunnel
Azure Intune: Single-User VDI
Azure Intune: Multi-User VDI
CrowdStrike (Windows)
GPO (Windows)
Jamf (macOS)
SentinelOne
FAQ
Witness Attack
Witness Attack: AI Red Teaming 
Administrator Guide
Accessibility
Integrations: Identity Providers
Identity: Microsoft Entra ID (Azure AD)
Identity: Okta Identity
Integrations: Network Security
Netskope SWG
Palo Alto Networks NGFW
Prisma Access: DNS Sinkhole
Prisma Access: Explicit Proxy
Zscaler Internet Access
Zscaler Beta
Status Page
API Reference
Input API
Complete API
Text-Completion API
Prompt-Protect API
Encryption

Witness Anywhere Maintenance & Support

Installation Token Lifecycle

Installation tokens are required only for initial device registration.
  • Tokens are used to generate installation scripts.
  • Once a device is successfully registered, the token is no longer required.
  • Token expiration does not affect existing installations.
  • Expired tokens prevent new device registrations only.
To onboard additional devices after token expiration:
  • A new installation token must be generated in the WitnessAI Console.
  • Customers must also generate and deploy new installation scripts that reference the new token for any new device registrations.
  • Existing devices do not need to be reinstalled or updated.

Installation Script Lifecycle

Witness Anywhere uses script-based deployment.
  • Installation and removal scripts are not persistent agents.
  • Scripts do not self-update.
  • Script updates require redeployment using the customer’s endpoint management system (MDM, EDR, or GPO).
Customers should treat scripts as versioned deployment artifacts and manage rollout through standard IT change control processes.

Monitoring Installations

Installation tracking depends on the deployment method used.
  • CrowdStrike and SentinelOne
      • Installation success and failure can be tracked using reports available in the respective EDR consoles.
  • Windows GPO deployments
      • Scripts execute on the client side and do not report status back to Active Directory. There is no centralized reporting through GPO.
Additional notes:
  • Installation scripts generate local logs on the endpoint to record execution results.
  • Script exit codes indicate success or failure.
  • WitnessAI can provide a registered devices report from the backend upon request.
Witness Anywhere does not currently provide centralized install telemetry in the console.

Version Tracking

Witness Anywhere does not expose installed script or component versions in the console.
Customers can track installed components using:
  • Endpoint software inventory (for example, checking the installed Stunnel version via the system software list)
  • Deployment scripts used for installation, which identify the bundled Stunnel version
The WitnessAI backend does not store or report Stunnel version information for deployed devices.

Script Updates & Backward Compatibility

When WitnessAI releases updated installation scripts:
  • Existing installations are not modified automatically.
  • No service interruption occurs.
  • Updates require explicit redeployment by administrators.
This ensures predictable behavior and customer-controlled change management.

Proxy Enforcement & Bypass Prevention

Witness Anywhere relies on system proxy and PAC configuration to enforce traffic routing.
If users can modify proxy settings, enforcement may be bypassed.
Recommended controls:
  • Enforce PAC configuration via MDM or Group Policy
  • Restrict local administrator access
  • Monitor proxy configuration drift

Optional Proxy Lock

The registration script includes an optional proxy lock feature that prevents standard users from modifying system proxy and PAC settings.
This behavior is controlled by a configurable variable in the installation script.
(Default value is false.)
Proxy lock configuration example (plain text):
$proxylock = $false 
# Change value to $true to prevent users from changing system proxy settings.
Customers may manually update this value prior to deployment if stricter enforcement is required.
This setting is typically managed through MDM or script customization workflows.

Stunnel Maintenance

Witness Anywhere deploys Stunnel as a local encrypted proxy component.
  • Stunnel is installed and configured automatically during registration.
  • Removal is handled via the Witness Anywhere flush script.
  • Customers do not patch Stunnel independently.

Stunnel Updates & Security Patching

Stunnel upgrades are delivered through updated installation scripts provided by WitnessAI.
The recommended upgrade path is:
  1. Run the Flush script
  1. Download and deploy the new Register script that contains the updated package
In certain cases, WitnessAI may provide a targeted patch script for Stunnel upgrades if required.
Additional notes:
  • WitnessAI uses Stunnel only for its core upstream TLS tunneling functionality.
  • Stunnel is upgraded only when vulnerabilities affect core functionality or required features.
  • WitnessAI enforces strict backend security controls, allowing only authorized traffic through Stunnel connections.
  • When Stunnel updates are released, release notes will document:
    • The reason for the update
    • Addressed vulnerabilities or issues
    • Required customer actions