The Drata Agent is the part of Drata’s compliance stack that actually touches employee devices. It is a lightweight, read-only desktop application that runs in the system toolbar, reads a narrow set of security configuration settings, and reports them back to the Drata platform on a daily schedule. If a SOC 2 or ISO 27001 audit depends on showing that every endpoint has disk encryption, screen lock, antivirus, a password manager, and automatic updates enabled, the Agent is the thing that produces that evidence.
This guide covers exactly what it does, how it works, how to install it on macOS, Windows, and Linux, and what to do when it stops syncing.
What Is the Drata Agent?
The Drata Agent is a desktop application built with Electron, the same framework used by Slack, VS Code, and Discord. It uses osquery, an open-source endpoint instrumentation tool created at Facebook and now maintained as a Linux Foundation project, to query the operating system for specific configuration values. The Agent runs from the system toolbar — the menu bar on macOS, the system tray on Windows, and the indicator area on Linux — and synchronises once per day with Drata’s backend.
The full source code of the Agent has been open source since June 2023. Anyone can audit the code on Drata’s GitHub organisation, including security teams that need to validate it before deploying to the fleet.
The Agent supports the latest two major versions of each operating system. On macOS, that currently means macOS 26 (Tahoe) and macOS 15 (Sequoia), with Agent version 3.9.0 or higher. On Windows, it covers the two most recent stable versions Microsoft actively maintains. On Linux, only LTS distributions are supported; Ubuntu 22.04 LTS and 24.04 LTS are the current supported targets.
What the Drata Agent Does (and Does Not Do)
The Agent collects a tightly scoped list of configuration data points — specifically the items that map to typical SOC 2 and ISO 27001 device-level controls.
The Agent does read: disk encryption status (FileVault, BitLocker, LUKS); screen lock and screensaver configuration; installed antivirus or endpoint protection software; installed password manager applications; operating system version and update status; the list of installed applications and browser extensions for Chrome, Firefox, and Internet Explorer (used to detect AV and password manager presence); and the operating system identifier and machine serial number for asset attribution.
The Agent does not read keystrokes, browsing history, file contents, clipboard data, screen contents, network traffic, or any application data. Access is strictly read-only at the system-preferences level. The Agent cannot make changes to the device, push configuration, or remediate failed controls. If a check fails, the employee or IT team fixes it manually; the Agent simply observes whether the fix worked on the next sync.
Important: Read-only does not mean invisible. The Agent enumerates installed applications and browser extensions to detect antivirus and password manager presence, and this list is sent to Drata. If that level of visibility is a concern for privacy or works council requirements, address it before rollout — not after.
How Does the Drata Agent Work?
Once installed and registered, the Agent runs continuously in the background. It performs scheduled checks, reports results to Drata, and updates itself when new versions ship.
Synchronization Process
The Agent syncs once per day. The sync runs at the first opportunity each calendar day: typically, the first network connection after the device was off or asleep, the moment the user logs in if the Agent autostarts, or any manual trigger from the toolbar menu. The data sent is small — a structured report of the configuration values the Agent read, plus the Agent version and machine identifier. There is no telemetry of user activity.
When the sync succeeds, the device’s compliance status in Drata updates within a few minutes. When it fails, the device may show an Unable to get data status, and the corresponding controls in Drata will appear unconfirmed until the next successful sync.
Automatic Updates
The Agent updates itself. When a new version is released, the Agent shows a notification asking the user to allow the update. Updates are mandatory — running an outdated Agent eventually causes registration and sync failures. Linux installations through Ubuntu’s package manager auto-update via the system updater starting with version 3.6; AppImage installations and Arch AUR builds need to be updated manually or through the AUR helper.
Prerequisites Before Installing the Drata Agent
Before installation, three things need to be in place.
First, the device user needs an active Drata account with employee onboarding tasks assigned.
Second, the operating system must be a supported version.
Third, the user needs administrator rights on the device to install the application, since it registers a startup item.
The user will also need access to their work email during installation. Registration uses a magic-link verification flow, and the verification email arrives within a minute of clicking Register Drata Agent in the Drata UI.
How to Install the Drata Agent on Mac
There are two practical paths on macOS: install through Homebrew Cask, or download the signed installer directly from MyDrata.
Installation via Homebrew
The Drata Agent is published as an official cask in the Homebrew repository, which is the cleanest install method for engineers who already use Homebrew for package management. The cask requires macOS 12 (Monterey) or newer. The install command is:
brew install –cask drata-agent
After Homebrew finishes, open Drata Agent.app from /Applications, then return to MyDrata and click Register Drata Agent. A magic-link email arrives shortly after. Open the link, copy the token portion of the URL, paste it into the Agent’s register dialog, and confirm.
Run or Build the Drata Agent on Mac
For organisations that want to build from source rather than use the published package, the GitHub repository contains the full Electron build pipeline. Build prerequisites include Node.js and electron-builder, and the osquery binaries need to be supplied separately. Drata explicitly notes that locally built packages are not signed and that production registration requires an active Drata account. Self-built Agents are useful primarily for security review, not day-to-day deployment.
How to Install the Drata Agent on Windows
Windows installation is direct download only. There is no official package on Chocolatey, Winget, or the Microsoft Store.
Step-by-Step Windows Installation
Log in to Drata, navigate to My Drata, and expand the Install the Drata Agent task. Select Windows as the operating system. The platform serves a signed .exe installer. Run the installer, accept the standard prompts, and let it complete — the Agent will appear in the system tray.
From the Drata web page, click Register Drata Agent. Open the verification email that arrives in your inbox, click Verify Drata Agent, and follow the prompts to complete registration. The first sync will run shortly after the Agent confirms successful registration.
Pro Tip: After Installation
After installation, the Agent will not sync immediately on its own schedule. Trigger a manual sync from the toolbar menu to confirm the install is working before closing the laptop and walking away.
How to Install the Drata Agent on Linux
Linux support is the most varied because of the distribution landscape. Drata officially supports Ubuntu LTS releases; community packaging covers Arch.
Ubuntu Linux Installation
For Ubuntu 22.04 LTS or 24.04 LTS, log into Drata, go to My Drata, expand Install the Drata Agent, and choose Linux. The .deb package downloads from the Drata CDN. Install it with the standard apt tooling or by double-clicking through the file manager.
Ubuntu 24.04 introduced AppArmor as a default enforcement layer for many Chromium-based applications, which historically broke Electron apps that did not ship a profile. Drata Agent 3.8.0 and later install with an unconfined AppArmor profile by default, which removes the need for the older– no-sandbox workaround. If strict AppArmor enforcement is required by internal policy, the alternative is to run the Agent as an AppImage — a portable Linux executable format that bundles the application and its dependencies, runs without installing into the system, and sidesteps the AppArmor profile question entirely.
Arch Linux (AUR)
Arch is not officially supported by Drata, but a community-maintained package on the Arch User Repository repackages the official Debian release. With an AUR helper like yay installed, the command is:
yay -S drata-agent
The package’s GitHub Actions pipeline checks the Drata release feed daily and rebuilds when a new version ships. Manual installation via makepkg from a git clone of the AUR repo is also straightforward. Use the AUR package only if internal policy permits unofficial community packaging — otherwise, the AppImage route is closer to a supported path.
Worth Knowing: Ubuntu Users
Ubuntu users still need to upload hard-drive-encryption evidence manually. LUKS configuration is not enumerated by the Agent in the same way FileVault and BitLocker are, so the encryption control on Linux is a manual evidence task in Drata, not an Agent check.
Installing the Drata Agent (New Experience)
Drata’s “New Experience” refers to its updated UI rolled out across customer accounts. The installation steps are functionally identical to the legacy flow: open My Drata, expand the Install the Drata Agent task, pick the installer for the operating system, run it, and register through the magic-link email.
The meaningful differences are visual — the task layout has been redesigned, the per-OS installer cards are clearer, and the verification status appears inline in the task pane rather than in a separate dialog. If the account has already migrated to the New Experience, follow the in-product prompts rather than older screenshots.
How to Resync the Drata Agent
Manual resync is the first thing to try when device status looks stale. Click the Drata icon in the toolbar — menu bar on macOS, system tray on Windows, indicator area on Linux. The menu shows the Agent’s current status, the timestamp of the last successful sync, and a Resync option. Click it. A successful sync updates the timestamp and pushes new data to Drata within a few minutes.
If the resync triggers an Unable to get data status or fails silently, the issue is usually with registration or network access to Drata’s API endpoints rather than with the Agent itself.
Troubleshooting the Drata Agent
Most Agent problems fall into one of three categories: a botched install, a registration that never completed, or a sync that cannot reach Drata’s backend.
Common Installation Issues
On macOS, the most common installation issue is Gatekeeper blocking an unsigned local build — the official Homebrew cask and direct download are signed, so only manually built packages trigger this.
On Windows, the installer occasionally fails when a previous version was uninstalled without removing its registry entries; the fix is to run the uninstaller from Control Panel, delete the residual Drata Agent folder under %LocalAppData%, and reinstall. On Ubuntu, a .deb install can fail if libgconf or other Electron dependencies are missing — running sudo apt –fix-broken install after the failed install usually resolves it.
Agent Not Syncing Correctly
If the Agent installs but does not sync, work through these checks in order. Open the Agent menu and confirm registration shows the user’s email rather than “Not Registered.” If registration is missing, re-run the magic-link flow from MyDrata. Confirm the device can reach *.drata.com over HTTPS — corporate proxies and split-tunnel VPNs are the most common blocker. Trigger a manual resync and watch for the status to update. If the Agent still reports Unable to get data after a fresh registration and a working network connection, capture the device logs and open a support ticket. The Agent has a built-in option to send logs to Drata directly from its menu.
Insider Note: “Unable to get data” almost always points at the Agent failing on one specific osquery check, not a total failure. The Agent reports per-check status, so look at Drata’s device page for which control is failing — it will usually be a screen-lock or AV check where the underlying setting genuinely is misconfigured.
Installation Methods at a Glance
Operating System | Supported Method(s) | Notes
|
|---|---|---|
macOS | Homebrew Cask / Direct download (.dmg) | Homebrew preferred for engineering teams. Requires macOS 15 or 26. Agent 3.9.0+. |
Windows | Direct download (.exe) | No package manager support. Clear registry entries if reinstalling. |
Ubuntu LTS | .deb package / AppImage | AppImage avoids AppArmor issues on 24.04. LUKS evidence is manual. |
Arch Linux | AUR (community, unofficial) | Not officially supported. Use only if internal policy permits. |
Conclusion
The Drata Agent is a narrowly scoped, read-only observer of device security configuration. It is not an EDR, an MDM, or a remediation tool. Used correctly, it removes the screenshot-and-spreadsheet busywork that used to dominate SOC 2 and ISO 27001 evidence collection, and gives compliance and IT teams a single live view of device control status through automated compliance monitoring.
The install path varies by operating system, but the registration flow is the same everywhere: download, install, click Register in MyDrata, click the magic link, paste the token. When something goes wrong, the manual resync option in the toolbar is the first stop, and the device logs are the second.
Frequently Asked Questions
What data does the Drata Agent collect?
The Agent reads disk encryption status (FileVault, BitLocker, LUKS), screen lock and screensaver settings, installed antivirus software, installed password manager applications, operating system version and update status, the list of installed apps and browser extensions, and the device’s OS identifier and serial number. It does not read keystrokes, file contents, browsing history, network traffic, or any application data.
Is the Drata Agent safe to install on my device?
The Agent has read-only access at the system-preferences level and cannot modify the device. Its source code has been open since June 2023 and is available on GitHub for inspection, and the Agent has been third-party security validated — Drata customers can request the validation report. That said, “safe” is a question that should be answered by an internal security review, not by a vendor claim. The open-source code makes that review possible.
Does the Drata Agent work on all operating systems?
It supports the latest two major versions of macOS, Windows, and Ubuntu LTS. macOS 26 (Tahoe) and macOS 15 (Sequoia) are current. Windows covers the two most recent Microsoft-maintained stable versions. Linux support is limited to LTS distributions — non-LTS releases like Ubuntu 25.10 are explicitly unsupported. Arch Linux is not officially supported but a community AUR package exists.
How do I know if the Drata Agent is running correctly?
Open the Agent from the system toolbar. The menu shows registration status, the timestamp of the last successful sync, and the current Agent version. A healthy Agent shows a recent sync timestamp and the user’s email address. Anything else — no email, a stale timestamp, or an Unable to get data message — signals a problem that needs attention.
How often does the Drata Agent sync data?
Once per day. The first opportunity each calendar day is taken — typically on first network connection after sleep or login. Manual resync is available at any time from the toolbar menu.
Can I uninstall the Drata Agent?
Yes, through the standard uninstall process for each operating system: Applications folder removal on macOS, Add/Remove Programs on Windows, apt remove drata-agent on Ubuntu, yay -Rns drata-agent on Arch. Uninstalling the Agent removes the device from automated compliance monitoring — the corresponding controls in Drata will need an alternative evidence source, or the Agent will need to be reinstalled.