Deploy the Zeuslock Desktop Agent

Install the Zeuslock desktop agent on Windows, macOS, and Linux to catch AI tools that bypass the browser — Claude desktop, ChatGPT desktop, Cursor, JetBrains AI, and more.

Why the desktop agent matters

The browser extension covers ChatGPT, Claude, Gemini, Copilot, and the rest of the web AI surface. It does not see anything that happens outside the browser. That blind spot is growing fast: the Claude desktop app, ChatGPT desktop, native LLM clients, and IDEs with embedded AI like Cursor, Windsurf, and JetBrains AI now account for a serious share of employee AI usage.

The Zeuslock desktop agent closes that gap. It hooks into the same three-layer detection pipeline (local regex, NER, context heuristics) and enforces the same Monitor / Anonymize / Block policies you already configured in the Operator Console. One policy set, every channel.

Download URLs

The agent always installs from a single, signed URL per OS. These point at the current GA build:

  • Windows (MSI): https://download.zeuslock.ai/agent/windows/latest
  • macOS (.pkg, notarized): https://download.zeuslock.ai/agent/macos/latest
  • Linux (.deb and .rpm): https://download.zeuslock.ai/agent/linux/latest

Install on Windows

  1. Download the MSI from the URL above.
  2. Run an elevated install. The package is Authenticode-signed by Zeuslock SAS.
  3. The installer registers the zeuslock-agent service and adds a tray icon for the current user.

msiexec /i zeuslock-agent-latest.msi /qn /norestart

Install on macOS

  1. Download the .pkg from the macOS URL. The package is notarized by Apple and signed by Zeuslock SAS, so Gatekeeper will accept it without override.
  2. Run the installer. It places the agent in /Library/Application Support/Zeuslock and loads a system LaunchDaemon plus a per-user LaunchAgent for the tray.
  3. On first launch, macOS will ask for Input Monitoring permission so the agent can inspect prompts sent to desktop AI clients. Grant it under System Settings → Privacy & Security.

sudo installer -pkg zeuslock-agent-latest.pkg -target /
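
For unattended installs, the signing and notarization stated in step 1 can be checked on the endpoint before the installer runs. The script below is an added example, not Zeuslock tooling: it parses `pkgutil --check-signature` output and requires the leaf certificate to name Zeuslock SAS exactly. The sample output and the Team ID `TEAMID00AA` are constructed placeholders.

```sh
#!/bin/sh
# Added example: gate the macOS install on the package's signer and notarization.
# The signer name comes from the page; the sample output below is constructed.
EXPECTED_SIGNER="Zeuslock SAS"

# Reads `pkgutil --check-signature` output on stdin.
# Returns 0 if Developer ID signed, notarized, and signed by EXPECTED_SIGNER;
# 1 = not signed, 2 = not notarized, 3 = signed by someone else.
check_pkg_signature() {
  out=$(cat)
  printf '%s\n' "$out" | grep -q 'Status: signed by a developer certificate issued by Apple' || return 1
  printf '%s\n' "$out" | grep -q 'Notarization: trusted by the Apple notary service' || return 2
  # Chain entry 1 is the signing certificate; later entries are Apple CAs.
  # Exact match, so a look-alike name such as "Zeuslock SAS Updates" fails.
  leaf=$(printf '%s\n' "$out" | sed -n 's/^ *1\. Developer ID Installer: \(.*\) ([A-Z0-9]\{10\})$/\1/p')
  [ "$leaf" = "$EXPECTED_SIGNER" ] || return 3
}

# Constructed sample of pkgutil output; TEAMID00AA is a placeholder Team ID.
sample_output() {
  cat <<'EOF'
Package "zeuslock-agent-latest.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Notarization: trusted by the Apple notary service
   Certificate Chain:
    1. Developer ID Installer: Zeuslock SAS (TEAMID00AA)
    2. Developer ID Certification Authority
    3. Apple Root CA
EOF
}

# Usage: sh verify-and-install.sh zeuslock-agent-latest.pkg
if [ -n "${1:-}" ]; then
  if pkgutil --check-signature "$1" | check_pkg_signature; then
    sudo installer -pkg "$1" -target /
  else
    echo "refusing to install $1: signature check failed" >&2
    exit 1
  fi
fi
```

Matching on the Team ID in parentheses is stricter than matching on the name; substitute the real Team ID once it has been confirmed out of band.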

Install on Linux

Pick the package format that matches your distro. Both contain the same binary and systemd unit.

Debian / Ubuntu (.deb):

sudo dpkg -i zeuslock-agent-latest.deb
sudo systemctl enable --now zeuslock-agent

RHEL / Fedora (.rpm):

sudo rpm -i zeuslock-agent-latest.rpm
sudo systemctl enable --now zeuslock-agent

Pair the agent with your tenant

The agent ships unpaired. Until it has an org token, it does nothing.

  1. In the Operator Console, open Settings → Devices → Add device.
  2. Copy the one-time org token. It is scoped to your tenant and valid for 15 minutes.
  3. Open the agent tray, click Pair this device, paste the token, and confirm.

For unattended installs (Intune, GPO, Jamf, Ansible), pass the token at install time:

zeuslock-agent pair --token ZLK-XXXX-XXXX-XXXX

Verify it is running

  • Tray icon: solid blue means paired and connected; grey means offline.
  • CLI: zeuslock-agent status prints tenant, policy version, last heartbeat, and queue depth.
  • Operator Console: the device appears under Settings → Devices with a green dot within 30 seconds.

Log locations per OS:

  • Windows: C:\ProgramData\Zeuslock\logs\agent.log
  • macOS: /Library/Logs/Zeuslock/agent.log
  • Linux: journalctl -u zeuslock-agent

Resource usage

The agent is built for always-on background use. Typical footprint on a paired device:

  • RAM: ~80–120 MB resident.
  • CPU: near zero at idle; brief spikes only while a prompt is being scanned.
  • Disk: under 250 MB installed, plus a rotating 50 MB log buffer.
  • Network: outbound TLS 1.3 to *.zeuslock.ai only.

Updates

Auto-update is on by default. The agent checks the signed update channel every six hours and applies patches in a background swap with no user prompt.

For change-controlled environments, pin a channel in /etc/zeuslock/agent.toml (or the equivalent registry key on Windows):

[update]
channel = "stable-pinned"
version = "3.28.0"

We publish stable, stable-pinned, and edge. Stick to stable-pinned if you need to certify each version before rollout.

Uninstall

Windows: Settings → Apps → Zeuslock Agent → Uninstall, or:

msiexec /x {ZEUSLOCK-AGENT-GUID} /qn

macOS:

sudo /Library/Application\ Support/Zeuslock/uninstall.sh

Linux:

sudo apt remove zeuslock-agent     # Debian / Ubuntu
sudo dnf remove zeuslock-agent     # RHEL / Fedora

Uninstall leaves logs in place for forensic retention. Pass --purge to remove them.

Next step: mass deployment

Single-machine installs are fine for piloting. For org-wide rollout via Microsoft Intune, Google Workspace device management, or Active Directory GPO, see Mass deployment of the desktop agent.