Required Security Agent Decision Workflow

What kind of endpoint is it?

Flowchart

For additional details per endpoint type, see the relevant section below.

Includes servers located in a datacenter or cloud infrastructure.

Security Agents Required:

A laptop, desktop workstation, tablet, etc (def.)

Includes all end user devices running a general-purpose workstation operating system, e.g. Windows Enterprise, macOS, or Linux.

Security Agents Required:

Platform-specific Device Management¹ per Device Management.
Elastic Defend per SI-3, Implementation 4.4.
Platform-specific Privilege Manager per Endpoint Privilege Management.
- Windows: Admin By Request
- MacOS: Privileges

Proofpoint DLP is additionally required per Data Loss Prevention where the answer is YES to any of the following questions:

Does the workstation store or process Critical data (DC-6)?
Is the workstation assigned to a person designated by security as a Very Attacked Person (VAP)?
Does the workstation belong to a business unit designated by security as storing or processing monitored data (RA-2)?
Is this workstation traveling outside the United States? DLP is required for the duration of the travel.

If you have questions about any of these criteria, contact the Endpoint Security team (endpoint-security@tamu.edu).

Includes all end user devices running mobile operating systems, e.g. iOS, iPadOS, or Android.

Identical to Workstations where a supported agent exists. As of 2026-06-10, this is:

Kiosks; digital signage players; embedded devices, etc.

What security agents are required?

Can the device support user-installable applications? If YES, then follow guidance for End User Devices above.
- When operating a compute cluster refer to HPC Cluster.
If NO, then speak to the Endpoint Security team about an exception to required controls.

Deployment of device management platforms e.g. Intune, JAMF, Ansible, etc., are out of scope for the Security Agent Standardization project. ↩ ↩²