Overview
The Proxara device service is a native background service for macOS and Windows that intercepts AI-bound traffic at the operating system network layer. It covers all applications on the device: browsers, desktop AI apps (Claude Desktop, ChatGPT Desktop), coding tools, CLI utilities, and API calls.
Proxara intercepts at the OS network layer, so coverage is universal across browsers, desktop AI apps, coding tools, CLIs, and API calls under a single inspection point.
The service runs as a LaunchDaemon on macOS and a Windows Service on Windows. It installs silently, starts at boot, and auto-updates. Employees see a brief monitoring notice on first use of any AI tool, customizable with your firm name and compliance contact.
This deployment involves system-level changes
The device service installs a root certificate authority, modifies network routing, and runs as a privileged system service. These steps require administrative access and should be coordinated with your IT team. This guide is written for IT administrators.
Prerequisites
Before beginning deployment, confirm the following with your IT team:
| Requirement | Details |
|---|---|
| Operating system | macOS 13 (Ventura) or later, or Windows 10 21H2 or later |
| Administrative access | Root (macOS) or SYSTEM/Administrator (Windows) privileges for installation |
| MDM platform | Recommended for silent deployment. JAMF, InTune, Kandji, Mosyle, or equivalent. Manual installation is also supported. |
| Network access | Outbound HTTPS to api.proxara.ai on port 443 |
| Local ports | Ports 8443, 8444, and 19850 available on localhost (not exposed externally) |
| Disk space | Approximately 15 MB (binary, certificates, and configuration) |
What the Installer Does
The installation package performs the following steps automatically.
- Installs the service binary to
/Library/Application Support/Proxara/bin/(macOS) orC:\Program Files\Proxara\(Windows). Approximately 5 MB. - Generates a root CA certificate carrying X.509 Name Constraints that exclude sign-in, banking, healthcare, government, and security-tooling domains in the certificate itself. The certificate is unique to each device, and the agent issues a leaf certificate only for a destination with positive evidence it is an AI service.
- Installs the root CA in the operating system trust store (System Keychain on macOS, Trusted Root Certification Authorities on Windows). This allows the service to inspect HTTPS traffic to AI domains.
- Deploys a Firefox enterprise policy that enables Firefox to trust enterprise root certificates. This is a standard Mozilla enterprise deployment mechanism.
- Registers the system service as a LaunchDaemon (macOS) or Windows Service. The service starts at boot and auto-restarts on failure.
- Enrolls the device with Proxara's API to receive its configuration, API key, and tenant assignment.
- Installs QUIC blocking rules via pf (macOS) or WFP (Windows) to prevent browsers from bypassing the TCP proxy via UDP/443. These rules apply only to resolved AI domain IPs.
- Configures traffic routing. On macOS, a Network Extension redirects AI domain connections to the local proxy. On Windows, a PAC (Proxy Auto-Config) file is configured via the system proxy setting.
The Root Certificate
The certificate excludes sensitive domains in its own Name Constraints
The root CA contains a Name Constraints extension whose excluded subtrees bar sign-in and identity, banking and payments, healthcare, government, and security-tooling domains. On platforms that enforce name constraints, a certificate this CA issues for an excluded domain does not validate, and the exclusions are readable directly out of the certificate, so a security team can audit the boundary from the artifact itself. Beyond that, the agent decrypts a connection only on positive evidence the destination is an AI service and tunnels everything else through without inspection. Sign-in, banking, healthcare, and government traffic is never intercepted.
Covered domains
Out of the box, the service covers the major AI providers:
- claude.ai
- anthropic.com
- chatgpt.com
- openai.com
- gemini.google.com
- perplexity.ai
- copilot.microsoft.com
- deepseek.com
- grok.com
- x.ai
This list is not fixed. Internal AI tools, third-party AI wrappers, and new providers can be added through the governance console at any time. The domain registry refreshes automatically every 30 minutes, so changes take effect across all devices without restarting the service.
Traffic to domains not on the list passes through unmodified. The service does not inspect, intercept, or log non-AI traffic.
Certificate lifecycle
| Certificate | Validity | Storage |
|---|---|---|
| Root CA | 10 years | PEM and DER files in the service data directory. Private key stored with filesystem permissions restricted to root/SYSTEM. |
| Per-domain leaf certificates | 90 days | Generated on demand, cached in memory. Not persisted to disk. |
Removal
Running proxara-agent --uninstall removes the root CA from the OS trust store, deletes all certificate files, and removes the Firefox enterprise policy. The device is returned to its original state.
Deployment Paths
MDM Deployment
JAMF, InTune, Kandji, Mosyle, or equivalent
- Proxara provides the signed installer package (.pkg for macOS, .msi for Windows)
- Upload the package to your MDM as a managed application
- Optionally pre-deploy the configuration profile (.mobileconfig for macOS) to set the API key and tenant ID before installation
- Deploy to target devices
- For macOS: approve the System Extension in MDM (or instruct employees to approve in System Settings > Privacy & Security)
The installer runs silently. Employees see no prompts during installation. The monitoring notice appears on their first AI tool visit.
Manual Installation
For evaluation or small-scale deployment
- Proxara provides the signed installer package
- Run the installer with administrative privileges
- macOS: approve the System Extension when prompted
- The service starts immediately and enrolls with Proxara's API
macOS: sudo installer -pkg proxara-agent.pkg -target /
Windows: run the .msi as Administrator, or msiexec /qn /i proxara-agent.msi
macOS System Extension approval
macOS requires explicit approval for System Extensions. With MDM, this can be pre-approved via a configuration profile containing a SystemExtensions payload. Without MDM, employees will see a prompt in System Settings asking them to allow the Proxara Network Extension. This is a one-time step.
Configuration
The service reads its configuration from a JSON file in the data directory. For MDM deployments, this can be pre-deployed via a configuration profile. For manual installations, the service enrolls with Proxara's API on first launch and receives its configuration automatically.
Configuration file location
| Platform | Path |
|---|---|
| macOS | /Library/Application Support/Proxara/config.json |
| Windows | C:\ProgramData\Proxara\config.json |
Key settings
| Field | Description | Default |
|---|---|---|
api_endpoint | Proxara API URL | https://api.proxara.ai |
api_key | Authentication key (provided by Proxara) | Set during enrollment |
tenant_id | Firm identifier | Set during enrollment |
fail_open | If true, traffic passes through when the API is unreachable | true |
sensitivity_threshold | Controls auto vs. manual review (0-100) | 50 |
consent_given | Pre-set to true to skip the employee consent notice (for MDM) | false |
The fail_open and sensitivity_threshold settings can be updated remotely via the Proxara governance console without redeploying or restarting the service.
Network Architecture
All components run locally on the employee's device. No inbound network connections are required.
| Component | Port | Purpose |
|---|---|---|
| MITM proxy | 127.0.0.1:8444 | Intercepts and inspects AI domain HTTPS traffic |
| Transparent bridge | 127.0.0.1:8443 | Receives redirected traffic from the Network Extension or system proxy, converts to CONNECT tunnels |
| Companion API | 127.0.0.1:19850 | Serves the injected UI script, WebSocket events, consent and confirmation endpoints |
Outbound connections
- api.proxara.ai:443 for classification, event reporting, device enrollment, configuration refresh, and auto-update checks
- AI provider domains:443 proxied through the local MITM for inspection, then forwarded to the original destination
No other outbound connections are made. The service does not phone home, collect telemetry, or communicate with any third-party service beyond the Proxara API and the AI providers.
What Happens on Day One
- Proxara provisions your dedicated backend environment (handled entirely by Proxara)
- Your IT team deploys the installer package via MDM or manual installation
- The service enrolls with Proxara's API and receives its configuration
- The root CA is generated and installed in the OS trust store
- Employees use AI tools normally. The service intercepts, classifies, and redacts in real time.
- On first AI tool visit, employees see a brief, customizable monitoring notice
- Flagged interactions are delivered to you through email, Slack, or Teams
What Proxara Handles
Proxara provisions a dedicated, single-tenant cloud environment for your firm on AWS. This is a fully isolated deployment. There is no shared infrastructure, no multi-tenant database, and no data commingling with any other customer. Proxara has no ability to read your data outside of the operational access needed to keep the environment running.
What runs in your environment
| Component | What it does |
|---|---|
| Classification API (EC2) | Receives prompts from the device service, classifies sensitive entities, returns redaction instructions. Processes in real time and discards inputs immediately. |
| AWS Bedrock (Claude) | AI inference for classification. Runs within a dedicated AWS account in the region you choose. No model training on your data. Optionally replaced with a self-hosted model on GPU instances for zero external API calls. |
| PostgreSQL (RDS) | Stores audit records, vocabulary policies, and configuration. AES-256 encrypted with customer-managed KMS keys. |
| S3 Archive Storage | Stores flagged interaction records for up to 7 days until archived or dismissed. AES-256 encrypted. S3 Object Lock (WORM) available. |
| Governance Console | Web interface for managing policies, sensitivity thresholds, alert routing, and archive connections. Accessible to your designated compliance officers only. |
Proxara manages provisioning, updates, monitoring, and maintenance. Your firm does not need to set up or maintain anything on the server side.
If your firm prefers to host the environment yourself, Proxara provides deployment templates and documentation for customer-managed AWS deployments. In that model, Proxara has no access to your data and acts as a software licensor only. This is also available as an MSP-managed deployment through your existing IT provider.
If you integrate with a compliance archive (Smarsh, Global Relay, or equivalent), Proxara configures that connection as well.
Timeline
by Proxara
to MDM
to devices
Uninstallation
The service includes a complete uninstall command that reverses all changes:
This removes:
- The root CA from the OS trust store
- The Firefox enterprise policy
- All QUIC blocking rules
- The system service registration
- The system proxy configuration (Windows)
- All data files (configuration, session database, certificates, update staging)
For MDM deployments, include the uninstall command in the package's removal script so it runs automatically when the application is removed.
Verification
After deployment, IT can verify the service is running correctly:
Check service status
Returns JSON with the service version, active session count, and running state.