Roaming clients (device agents)
Install the ScoutDNS device agent on Windows and macOS so devices stay protected on or off the network. Zero-touch profile-keyed installs, encrypted DoH, per-user reporting, and dynamic policy.
The ScoutDNS device agent (Scout360) is a lightweight client that keeps managed devices protected wherever they are: home Wi-Fi, hotels, coffee shops, LTE. Installs are silent, profile-keyed, and self-updating. The agent uses DNS-over-HTTPS (DoH) on port 443 so traffic looks like normal HTTPS to any in-path network appliance.
Key capabilities:
- Zero-touch silent installs. Dynamically generated install files have profile keys embedded, so no extra input is required during deployment.
- Encrypted DNS via DoH on port 443.
- On- and off-network protection. The agent keeps filtering active even when the device leaves your corporate network.
- Granular reporting. Per-device and per-user logs become available once the agent is installed.
- Dynamic policy. A profile can apply different policies based on whether the device is on a ScoutDNS-configured network or off-site.

How the agent works under the hood
Two services run on each protected device:
Device Agent
- On startup and at every network change, the agent records the existing network DNS servers and any joined domains. This info is used to handle local queries correctly (such as queries for *.corp or other local-only domains).
- Connectivity check. If ScoutDNS is reachable, the agent binds 127.0.0.1:53 (IPv4) and ::1 (IPv6) on the loopback adapter and intercepts DNS.
- Fail-open behavior. If ScoutDNS can’t be reached, the agent restores the device’s original DNS settings. It keeps polling and reverts to ScoutDNS as soon as the service is reachable again.
- Continuous monitoring. The agent watches for network, user, and device changes and adjusts settings accordingly.
Device Agent Updater
- Runs as a separate service to keep the agent on the latest version.
- Backs up the current binary before installing an update.
- Updates happen in the background within seconds, with no user prompts.
- If a freshly installed update can’t reach ScoutDNS, the updater automatically rolls back to the last working version.
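One way to check from the device itself whether the agent is intercepting DNS on loopback or has failed open, as described for the Device Agent above. This is an added example, not ScoutDNS code; the function names, the state labels, and the example.com probe name are assumptions, and any other local resolver listening on port 53 would also answer the probe.

```python
import secrets
import socket
import struct

def build_query(name, qid):
    """Encode a minimal DNS A-record query (RD bit set) for `name`."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(part)]) + part.encode("ascii")
        for part in name.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def is_answer_to(qid, data):
    """True if `data` is a DNS response (QR bit set) carrying our query ID."""
    if len(data) < 12:  # shorter than a DNS header
        return False
    rid, flags = struct.unpack("!HH", data[:4])
    return rid == qid and bool(flags & 0x8000)

def loopback_dns_answers(host="127.0.0.1", port=53, name="example.com", timeout=1.0):
    """Send one UDP query to the loopback listener; False if nothing valid comes back."""
    qid = secrets.randbelow(0x10000)
    family = socket.AF_INET6 if ":" in host else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.connect((host, port))
            sock.send(build_query(name, qid))
            return is_answer_to(qid, sock.recv(512))
    except OSError:  # timeout, port unreachable, no IPv6 stack
        return False

def agent_state(v4_ok, v6_ok):
    """Map the two probe results onto labels (assumed names, not ScoutDNS statuses)."""
    if v4_ok and v6_ok:
        return "intercepting"
    if v4_ok or v6_ok:
        return "partial"  # only one address family answers; investigate
    return "fail-open-or-disabled"

if __name__ == "__main__":
    v4 = loopback_dns_answers("127.0.0.1")
    v6 = loopback_dns_answers("::1")
    print(agent_state(v4, v6))
```

A result of fail-open-or-disabled means the device is resolving through whatever DNS the local network handed out, so it is worth alerting on when it persists.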
Step 1: Configure a profile
Profiles link policies to groups of client devices. Every device installed with a given profile key inherits that profile’s settings.
Profile options
| Field | What it controls |
|---|---|
| Profile Name | A label like “Sales Team”, “Office Staff”, or “Engineers” |
| Default Policy | The fallback policy the device uses unless something more specific applies |
| Profile Description | Free-text note for internal reference |
| Block Page | The custom block page template applied to this group |
| Enable User Policies | Lets Active Directory policies override the profile policy when matching groups exist in Personas |
| Dynamic Policy | Apply different policies based on device location (on a ScoutDNS-configured network vs roaming) |
When Dynamic Policy is enabled, you can:
- Assign a specific policy per location, OR let the device inherit site/network rules whenever it connects to a ScoutDNS-configured network.
- Assign a different policy for off-site / roaming devices.
- Site detection is based on your configured ScoutDNS sites and networks.

[!TIP] Use multiple profiles when users are assigned specific devices. If you can identify users via Active Directory instead, prefer fewer profiles plus AD-group-based Personas, which are easier to manage at scale.
Local forwarding (default behavior)
By default, the agent records the local resolvers found on each network it joins and forwards these query types to them automatically:
- Designated local domains like .local, plus local reverse lookups.
- Assigned domains for devices joined to an Active Directory.
The default forwarding handles most networks correctly. For special cases (some VPN configurations, devices that aren’t yet domain-joined), use the Local Forwarding tab on the profile.

Assign local forward zones
Create explicit forward-zone rules when you need precise control:
| Setting | Behavior |
|---|---|
| Domain | The domain you want to forward (e.g. corp.example.com) |
| Resolvers: Auto | Forward to discovered local resolvers first; fail through to ScoutDNS via WAN if they don’t respond |
| Resolvers: Specific IPs | Forward only to the listed resolver IPs (up to 4), in order; fail through to ScoutDNS via WAN if all fail |

[!NOTE] Default forwarding works for most networks. Explicit local forward zones are most useful with certain VPN configurations or for clients that aren’t joined to an Active Directory service yet.
Step 2: Generate install files
Install files are dynamically generated from the profile, with the install key embedded so no command-line flags or post-install configuration are needed.
- From the profile, click New Key.
- Configure the key:

| Option | Values |
|---|---|
| Platform | Windows or macOS |
| Architecture (Windows) | x86 (32-bit) or x64 (64-bit) |
| Architecture (macOS) | x86 (Intel) or ARM (Apple Silicon / M-series) |
| Duration | How long the install key remains valid for auto-registration |
| Installs | Maximum number of registrations this key can authorize |

- Save the key.
- Click Download to retrieve the installer.

Editing an existing key
You can extend the duration or raise the install cap on a key at any time. Expired keys do not affect already-registered devices; keys are only consumed during the initial self-registration handshake.
Step 3: Deploy to devices
Installs are silent by default. There are no prompts during install, and no tray icons or other on-device indicators once the agent is running.
Windows
ScoutDNS generates an .msi file for Windows 10 and 11. Two common deployment paths:
- Group Policy / MDM: Upload the .msi to a network share and assign it via GPO (or push via Intune / your MDM). No command-line options, install keys, or tags are required; everything is baked into the file.
- Manual install: Copy the .msi via network share or USB. Install as a local administrator so standard users can’t stop or remove the service.
Some admins prefer to hide the agent from Add/Remove Programs to avoid accidental uninstalls.
[!WARNING] Installing with an expired key will still install the agent, but it can’t register. The client will use the network’s default resolvers and keep retrying until the key is reactivated or replaced.
macOS
ScoutDNS generates a .pkg file. Install on the target Mac with admin rights, or deploy through your MDM (Jamf, Intune for macOS, Kandji, etc.). As on Windows, no extra arguments are needed because the install key is embedded.
Manage installed clients
Once installed, clients check in with ScoutDNS to register against the profile and start appearing in the Manage Clients view.

Manage Clients view
Filter by All / Online / Offline, on-site vs off-site, or by specific profile. Columns shown:
| Column | What it shows |
|---|---|
| OS | Operating system of the device |
| Client Name | Defaults to the hostname; can be overridden in Client Details |
| User | Most recently logged-in user |
| Status | Latest reported status |
| Last Sync | When the agent last checked in |
| Profile | Assigned profile |
| Version | Current device agent version |
| WAN / LAN | Last known external and internal IPs |
| Site | Last known site (from your configured sites) |
| Policy | Most recent policy applied to the device |
Client status states
| Status | Meaning |
|---|---|
| Online | Agent online, DNS filtered and encrypted |
| Offline | Agent offline, heartbeat not detected |
| Disabled | Agent has set DNS back to the network default and unbound from the loopback adapter |
| Uninstall | Uninstall queued; the agent runs its uninstall script on next check-in |
| Missing | No check-in for 30+ days |
Client Details view
Click a client to open Client Details, which shows recent activity, threats observed in the selected window, and editable device/network info.

Device Info:
- Name (custom display name, doesn’t change the OS hostname)
- Host Name and Full Host Name (FQDN if domain-joined)
- Profile (move the device to a different profile)
- Policy (set a device-level policy that overrides the profile policy)
- Last Sync
Network Info:
- Status, WAN IP, LAN IP, Username, Site, Domain
Remote actions

| Action | Effect | License/seat impact |
|---|---|---|
| Disable | Agent unbinds and restores network default DNS. Agent stays installed and waits for re-enable. | Does not release the seat |
| Forget | Removes the client from the UI. If the agent is still running, it reappears on next sync. | Releases the seat |
| Uninstall | Queues an uninstall command; the agent removes itself on next check-in. Can only be canceled before the client picks up the command. | Releases the seat |
[!IMPORTANT] After Uninstall executes, the device can only rejoin by reinstalling the agent. Use Disable instead if you want a temporary pause.
If a forgotten client tries to rejoin after all seats are consumed, it stays unlicensed and inactive until a seat becomes available.
Client log data
With the agent deployed, additional log fields become available. In the activity log:
- Add Client Name to the visible columns from the Advanced Options dropdown.
- Use the Column Selector icon to choose which fields to display and reorder them.
- Filter logs to a specific client and export.


Related
- Working with policies: assigning policies to profiles and individual devices
- Active Directory policies: per-AD-group policy via Personas (used when Enable User Policies is on)
- Custom block pages: block-page templates assigned per profile
- Browser HTTPS certificate errors: installing the ScoutDNS root cert for clean block-page rendering on HTTPS sites