# Installation Script

The Installation Script page is where you configure deployment and execution of the Dev Machine Guard data collection script.


The page provides a ready-to-deploy script for **macOS, Windows** and **Linux**. Use the platform tabs at the top of the page to switch between them.

### How Dev Machine Guard is deployed

Dev Machine Guard is delivered using a two-piece architecture:

* **The loader script** is a lightweight shell (macOS) or PowerShell (Windows) script that you deploy through your existing MDM or EDR tooling. It downloads the Dev Machine Guard binary, writes the embedded configuration to disk, and delegates execution to the binary.
* **The Dev Machine Guard binary** (`stepsecurity-dev-machine-guard`) is published on GitHub Releases at [`github.com/step-security/dev-machine-guard`](https://github.com/step-security/dev-machine-guard/releases). The loader downloads the configured version on first run and verifies it against an embedded SHA-256 checksum before executing it.

This separation has two practical benefits:

1. You only need to deploy the loader script once via MDM. Binary updates are delivered automatically the next time the loader runs, without requiring an MDM redeploy.
2. The binary is signed and checksum-verified at every run, so devices always execute the exact build StepSecurity published.
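
The verify-before-execute step described above can be sketched as follows. This is an added example, not StepSecurity's loader script; the function names and the demo payload are hypothetical, and the pinned digest stands in for the checksum the loader embeds.

```shell
#!/bin/sh
# Added example: fail-closed SHA-256 check before running a downloaded file.
# Function names and the demo payload are hypothetical, not the vendor's loader.

# Print the hex SHA-256 of a file with whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then    # stock macOS
        shasum -a 256 "$1" | awk '{print $1}'
    else
        return 2                                    # no hashing tool available
    fi
}

# Return 0 only if the file exists and its digest equals the pinned value.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    [ -f "$file" ] || return 1
    # A pinned value that is not exactly 64 hex characters is rejected outright.
    [ "${#expected}" -eq 64 ] || return 1
    case $expected in *[!0-9a-f]*) return 1 ;; esac
    actual=$(sha256_of "$file") || return 2
    [ "$actual" = "$expected" ]
}

# Execute the file only after a successful check; delete it otherwise.
run_verified() {
    file=$1; expected=$2; shift 2
    if verify_sha256 "$file" "$expected"; then
        chmod 700 "$file" && "$file" "$@"
    else
        rm -f "$file"
        echo "checksum mismatch, refusing to run: $file" >&2
        return 1
    fi
}

# Constructed demo (sh example.sh --demo): a tiny script stands in for the binary.
if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d) || exit 1
    printf '#!/bin/sh\necho ran\n' > "$dir/agent"
    pinned=$(sha256_of "$dir/agent")     # a real loader embeds this value instead
    run_verified "$dir/agent" "$pinned"  # digest matches: the file runs
    printf 'tampered\n' >> "$dir/agent"
    run_verified "$dir/agent" "$pinned" || echo "blocked after tampering"
    rm -rf "$dir"
fi
```

A missing hashing tool, a malformed pinned value, and a digest mismatch all take the same refusal path, so the file never runs unverified.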

### Deploying the script

You can copy the script directly from the page or use the **Download** button in the top right.

Deploy the script to your developer machines using your existing MDM or EDR tooling. Because the loader handles binary download, version checking, and execution, no further configuration is required on the device.

### Updating the agent version

To roll out a new agent version:

1. Open the **Installation Script** page.
2. Select the new version from the **Agent Version** dropdown.
3. Confirm the change.

Devices that already have the loader deployed will pick up the new binary on their next scheduled run. You do not need to redeploy the loader through MDM.

### What the script does not collect

The Dev Machine Guard binary is designed to collect only the metadata required for supply chain visibility. It does not collect:

* Source code
* Secrets or credentials
* Personal data outside the developer's installed tooling inventory

For details on what data Dev Machine Guard does collect, see the Devices page.


