Deployment
Workforce AI Security relies on several endpoint components to monitor AI activity and enforce organizational usage policies. These components must be installed on every device to ensure full visibility across browser-based interactions, desktop applications, and agentic processes. Together, they form a unified monitoring layer that allows your organization to securely manage how users interact with AI tools.
Administrators distribute the package using existing endpoint management tools. The installation process may differ across environments, but all users receive the same components for their operating system. After deployment, the agents automatically apply organizational settings, communicate with the management engine, and enforce policies without requiring local configuration.
Limitations
The Web-only option is not available for Mac computers.
Prerequisites
Client Connectivity Requirements
Workforce AI Security requires access to the Internet, either directly or through a configured proxy.
Ensure that client devices where Workforce AI Security components are installed can reach the required external services.
The table below lists the connectivity requirements for the Workforce AI Security client.
| Index | Hostname |
|---|---|
| 1 | *.iaas.checkpoint.com |
| 2 | cloudinfra-gw.portal.checkpoint.com |
| 3 | sc1.checkpoint.com |
| 4 | www.google.com/chrome/ clients2.googleusercontent.com clients2.google.com |
| 5 | microsoftedge.microsoft.com edge.microsoft.com |
| 6 | rep.checkpoint.com |
| 7 | web-rep.checkpoint.com |
| 8 | public-a-prod.cyata.ai |
| 9 | gwevents.checkpoint.com |
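
A pre-deployment check for the table above, added here as an example and not part of Check Point's documentation or tooling: it reduces the table entries to bare hostnames and probes each one, directly or through an HTTP CONNECT proxy. TCP port 443 and all function names are assumptions (the table lists hostnames only), and the wildcard entry is reported for allow-list review because it cannot be probed by name.

```python
import socket

# Hostnames from the connectivity table above (one entry per whitespace-separated item).
REQUIRED = """
*.iaas.checkpoint.com cloudinfra-gw.portal.checkpoint.com sc1.checkpoint.com
www.google.com/chrome/ clients2.googleusercontent.com clients2.google.com
microsoftedge.microsoft.com edge.microsoft.com rep.checkpoint.com
web-rep.checkpoint.com public-a-prod.cyata.ai gwevents.checkpoint.com
""".split()
PORT = 443  # assumption: the page lists hostnames only, no ports

def hostnames(entries):
    """Reduce table entries to unique bare hostnames (URL paths dropped)."""
    hosts = []
    for entry in entries:
        host = entry.split("/", 1)[0].lower()
        if host and host not in hosts:
            hosts.append(host)
    return hosts

def tcp_probe(host, port=PORT, proxy=None, timeout=5.0):
    """True if host:port answers directly, or via an HTTP CONNECT proxy
    given as a (proxy_host, proxy_port) tuple."""
    try:
        if proxy is None:
            with socket.create_connection((host, port), timeout=timeout):
                return True
        with socket.create_connection(proxy, timeout=timeout) as s:
            target = f"{host}:{port}"
            s.sendall(f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode())
            status = s.recv(1024).split(b"\r\n", 1)[0].split()
            return len(status) >= 2 and status[1] == b"200"
    except OSError:
        return False

def check(entries, probe=tcp_probe):
    """Map each hostname to 'ok', 'blocked', or 'wildcard' (cannot be probed
    by name; review the firewall/proxy allow-list rule instead)."""
    report = {}
    for host in hostnames(entries):
        if host.startswith("*."):
            report[host] = "wildcard"
        else:
            report[host] = "ok" if probe(host) else "blocked"
    return report

if __name__ == "__main__":
    for host, state in check(REQUIRED).items():
        print(f"{state:9} {host}")
```

To test through a proxy, pass `probe=lambda h: tcp_probe(h, proxy=("proxy.example.internal", 8080))`; the proxy address is a placeholder.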
Downloads
The Downloads page provides the Workforce AI Security components required for onboarding and deployment. Available download options depend on your license type.
AI Security Client
You can select one of these options:
- Web Only
  Downloads the browser extension for protecting web‑based AI applications.
  This option is available with all license types.
- Complete
  Downloads the browser extension and the desktop agent to protect web‑based and desktop AI applications.
  This option requires an Enterprise license.
If an option is not included in your license, it appears greyed out.
Note - If your tenant includes multiple license types, all download options are displayed. You can choose which package to deploy for each device.
To download and install the Workforce AI Security package:
- In the left menu, select Workforce > Deployment > Downloads.
- Select your operating system (Windows or Mac (macOS)).
- Select one of the available download options (Web Only or Complete).
- Click Download. The package is saved to your device.
- Run the downloaded package (Check Point AI Security) from the download location to install the client.
  The installer deploys the components included in the selected package.
Agentic Endpoint Discovery
Agentic Endpoint Discovery allows organizations to identify agentic AI components running on endpoint devices. The discovery process collects inventory data by executing a lightweight discovery script on managed devices, without installing a dedicated endpoint agent.
This approach enables visibility into agentic applications while minimizing endpoint footprint and deployment complexity.
How the discovery works
- The system uses a script‑based discovery mechanism.
- The script scans the endpoint and reports discovered agentic components.
- No resident or always‑running agent is installed on the device for this capability.
Deployment model
Agentic Endpoint Discovery can be deployed in two ways:
- MDM‑based deployment (Recommended)
  - The script is distributed using an MDM solution.
  - The script can be scheduled to run periodically (for example, daily).
  - This is the primary and recommended deployment model.
- Manual (self) execution
  - An administrator can manually copy and execute the script on a single endpoint.
  - This option is intended mainly for testing or proof‑of‑concept scenarios, not large‑scale deployment.
Supported platforms
The discovery script is available for:
- Windows
- macOS
Deployment Status
The Deployment Status page provides a centralized view of all devices where the components have been installed. This includes a device-level table and several visual widgets that summarize deployment health and policy consistency across the organization.
The Policy versions status widget displays how many devices are running the latest version of each enforced policy:
- Access policy
- Chats policy
- Agents policy
Each bar is split into:
- Devices running older policy versions
- Devices running the latest version
This provides immediate visibility into policy rollout progress and highlights devices that have not updated.
The Device's Last Connection widget groups devices by their most recent connection time and displays both the number and percentage of devices in each category:
- 24 hours – 7 days – Devices that connected within the last week.
- 7 days – 30 days – Devices that have not connected for more than a week.
- More than 30 days – Devices that have been inactive for over a month.
This breakdown allows you to assess overall deployment health at a glance and pinpoint devices that may require investigation, remediation, or reinstallation due to prolonged inactivity.
The deployment table provides key deployment details for each device, including user activity and policy status, allowing admins to monitor device engagement and identify inactive endpoints. You can add more deployment details to the table view through the hamburger menu at the top right.
Access policy, chat (DLP) policy, and agent policy display the version of the currently applied policy.
Note - The displayed policy version may differ from the browser version if the user has not logged in to the browser recently; in such cases, an info icon appears to indicate the browser is not up to date with the latest policy version.
To view the deployment status:
- In the left menu, select Workforce > Deployment > Deployment Status.
- Review the widgets to understand overall deployment health:
- Review the device table for detailed deployment information, including:
  - device name
  - user name
  - operating system and version
  - AI Security Client version
  - assigned access policy
  - assigned DLP (chat) policy
  - assigned agents policy
  - proxy status
  - last connection time
  In addition, you can click the hamburger menu on the top right of the table and add more columns to the table, including:
  - device type
  - deployment time
  - MCP version
  - proxy version and more
Uninstalling Workforce AI Security
To uninstall the Workforce AI Security agents, see sk184888.