> For the complete documentation index, see [llms.txt](https://docs.stepsecurity.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.stepsecurity.io/developer-machines/installation.md).

# Installation

The **Installation** section is where you generate, deploy, and manage Dev Machine Guard across your fleet. It has two pages:

* [**Script**](/developer-machines/installation/script.md) — a four-step wizard that generates a ready-to-deploy installation package for macOS, Windows, or Linux.
* [**Settings**](/developer-machines/installation/settings.md) — organization-wide configuration: the telemetry key agents authenticate with, and the device-activity threshold.

For step-by-step fleet rollout guides for each MDM platform, see [MDM Deployment](/developer-machines/installation/script/mdm-deployment.md).

## How Dev Machine Guard is deployed

Dev Machine Guard is delivered using a two-piece architecture:

* **The loader script** is a lightweight shell (macOS, Linux) or PowerShell (Windows) script that you deploy through your existing MDM or EDR tooling. It downloads the Dev Machine Guard binary, writes the embedded configuration to disk, and delegates execution to the binary.
* **The Dev Machine Guard binary** (`stepsecurity-dev-machine-guard`) is published on GitHub Releases at [`github.com/step-security/dev-machine-guard`](https://github.com/step-security/dev-machine-guard/releases). On each scheduled run, the loader:

  * Fetches a signed version manifest from the StepSecurity API.
  * Verifies the manifest signature against the StepSecurity releases public key, which is **embedded in the loader at the time it is generated**.
  * Downloads the binary identified by the manifest from GitHub Releases.
  * Verifies the binary's SHA-256 against the value in the signed manifest.
  * Executes the binary only if both verifications pass.

  The signature is an Ed25519 SSH signature, verified using `ssh-keygen -Y verify`. The signing key (`releases@stepsecurity.io`) is held by StepSecurity and is the trust root for every released build. The corresponding public key, which you can use to independently verify the signed checksum, is:

```
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILN+WG4lOH/x6MysYOf1oY0PKXLLu9d3ZvQDcvq5Cboi releases@stepsecurity.io
```

This separation has two practical benefits:

1. You only need to deploy the loader script once via MDM. Binary updates are delivered automatically the next time the loader runs, without requiring an MDM redeploy.
2. Every binary the loader runs is cryptographically tied back to a single trust root: the StepSecurity releases signing key. Because that key is embedded in the loader rather than a per-build checksum, devices stay safe across version changes without re-deploying the loader. Substituting a malicious binary would require compromising both the StepSecurity API and the offline signing key, not just one or the other.

### Signed installer (Windows)

For Windows fleets, Dev Machine Guard also ships as a **signed Windows Installer (`.msi`)**, published on [GitHub Releases](https://github.com/step-security/dev-machine-guard/releases) for both x64 and ARM64 architectures. The MSI integrates natively with Windows application-management tooling (SCCM, Intune Win32 apps, GPO software installation), exposes a standard `ProductCode` and `UpgradeCode` for detection and supersedence, and never spawns PowerShell during install, upgrade, or uninstall.

The MSI is the recommended path for production Windows fleets, especially in environments where EDR blocks PowerShell from making outbound network calls. See [Windows MDM Deployment](https://claude.ai/developer-machines/installation-script/mdm-deployment/windows.md) for details.

## What the agent does not collect

The Dev Machine Guard binary is designed to collect only the metadata required for supply chain visibility. It does not collect:

* Source code
* Secrets or credentials
* Personal data outside the developer's installed tooling inventory

For details on what data Dev Machine Guard does collect, see the [Devices](/developer-machines/devices.md) page.


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://docs.stepsecurity.io/developer-machines/installation.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
