
Crayonic Agent

Overview

The Crayonic Agent is a Windows service that runs on each monitored endpoint. It detects and reports Crayonic device activity (Badge, KeyVault, Bridge), user sessions, smart-card reader events, and certificate usage, and delivers firmware updates to locally connected devices. The Agent reports to the Crayonic Device Manager platform over TLS with JWT authentication, and acts as the local bridge for Crayonic Credential Manager when CCM runs in the browser and needs to perform device-bound WebAuthn ceremonies.

What the Agent Does on the Endpoint

  • Session events — logon, logoff, lock, unlock, and session termination, with user identity and session context
  • Reader and card events — smart-card reader availability, PIV card insertion/removal in real time
  • Device events — Crayonic KeyVault and Badge USB connection/disconnection with firmware version and battery level
  • Certificate events — discovers certificates used on the endpoint and tracks expiration and issuer
  • Firmware updates — receives signed firmware packages from CDM and applies them to connected Crayonic devices
  • Workstation lock enforcement — locks the workstation when the user's Crayonic device is removed (configurable timeout)
  • Legacy application autofill — optional integration with Crayonic Password Manager to inject passkey-derived one-time passwords into legacy Windows apps
  • Secure reporting — TLS 1.3 to CDM, authenticated with a JWT bound to the machine registration
  • Offline buffering — events are cached locally while the network is unavailable and flushed on reconnect

System Requirements

  • Windows 10 (1903+) or Windows 11
  • Administrator privileges for installation
  • Outbound HTTPS access to the CDM backend (port 443)
  • Local port 17620 available for browser-based CCM integration (never exposed outside the machine)

Installation

The Agent ships as a signed MSI installer. Distribute centrally via Group Policy, SCCM or Intune, or install locally on individual machines.

  1. Download the latest Crayonic Agent build from the Downloads page.
  2. Run the MSI as an administrator.
  3. During setup, enter the CDM backend URL (e.g. https://api.example.com) supplied by your CDM administrator.
  4. The Agent registers the machine with CDM on first start and receives a unique machine identifier and bearer token.
  5. Confirm the Crayonic Agent service is running under services.msc.

Configuration

  • Connection settings (CDM backend URL, registration token) live in the Agent's local configuration file. Edit the file and restart the service to apply changes.
  • JWT validation — the Agent fetches public keys from the CDM backend's JWKS endpoint and from the CCM backend for local SPA integration. Key rotation is transparent: the Agent caches JWKS and picks up new Key IDs on the next refresh or service restart.
  • Port 17620 — exposes a local HTTPS endpoint used only by CCM running in the browser on the same machine. The Agent installs its self-signed certificate into the OS trust store on first run.

Logs & Troubleshooting

  • Agent events are written to the Windows Event Log under a dedicated Crayonic channel. Use Event Viewer to inspect them.
  • Service not reporting to CDM — check the outbound HTTPS route, firewall rules, and the configured backend URL. A corrupted registration token requires re-registration.
  • Browser shows "Agent disconnected" — confirm the service is running and that https://localhost:17620/v1/info returns a response in a local browser. A blocked local port or untrusted certificate is the usual cause.
  • Firmware update fails — confirm the device is plugged in via USB and that the user has approved any on-device prompts.
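
The checks from the "Agent disconnected" item, combined with a check that port 17620 is bound to loopback only (as System Requirements states), written as an added PowerShell example that is not Crayonic's own tooling. The service display-name pattern is an assumption; the port and the /v1/info path are the ones given on this page.

```powershell
# Added example: local health and exposure check for the Crayonic Agent.
# Run in an elevated PowerShell session on the endpoint.
$Port    = 17620                              # from this page
$InfoUrl = "https://localhost:$Port/v1/info"  # from this page
$result  = [ordered]@{}

# 1. Service state. The display-name pattern is an ASSUMPTION; adjust it to
#    the name shown in services.msc.
$svc = Get-Service -DisplayName 'Crayonic Agent*' -ErrorAction SilentlyContinue
$result.Service = if ($svc) {
    ($svc | ForEach-Object { "$($_.Name)=$($_.Status)" }) -join ', '
} else { 'not found' }

# 2. Listener binding. The port is meant to be reachable only from the same
#    machine, so any listener on a non-loopback address is a finding.
$loopback  = '127.0.0.1', '::1'
$listeners = @(Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)
$result.Listening       = $listeners.Count -gt 0
$result.NonLoopbackBind = @($listeners |
    Where-Object { $_.LocalAddress -notin $loopback } |
    Select-Object -ExpandProperty LocalAddress) -join ', '
$result.OwningProcess   = @($listeners | ForEach-Object {
    (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
} | Select-Object -Unique) -join ', '

# 3. Endpoint reachability. Certificate validation stays ON so that an
#    untrusted certificate is reported instead of being masked.
try {
    $resp = Invoke-WebRequest -Uri $InfoUrl -UseBasicParsing -TimeoutSec 5
    $result.InfoEndpoint = "HTTP $($resp.StatusCode)"
} catch {
    $r = $_.Exception.Response
    $result.InfoEndpoint = if ($r) {
        # A non-2xx status still proves the Agent answered over trusted TLS.
        "HTTP $([int]$r.StatusCode) (agent answered)"
    } else {
        # No HTTP response at all: blocked port, stopped service, or TLS trust failure.
        "no response: $($_.Exception.Message)"
    }
}

[pscustomobject]$result | Format-List
```

An empty NonLoopbackBind with Listening set to True matches the documented behaviour; a "no response" result that mentions a trust or SSL error points at the certificate rather than the port.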

Integration with Crayonic Credential Manager

When CCM runs in the browser, it delegates WebAuthn ceremonies and device operations to the local Agent over https://localhost:17620. The Agent only accepts requests carrying a JWT issued by the trusted CCM backend, with strict origin binding and a consent handshake. This allows CCM to create and manage passkeys on the user's hardware wallet from a normal web session without any browser plug-ins.

Download

Latest Agent builds are on the Downloads page.