Device Check Deployment

Deploy the endpoint check script to get device security scores on your dashboard.

How it works

The PosturIQ device check is a lightweight script (PowerShell on Windows, Bash on macOS) that checks security settings on each device and reports results to your dashboard. It can run as a one-time check or be installed as a weekly scheduled task.

No admin rights required to run (optional for some checks)

No persistent service or background process

Reports only security settings - no user data, no telemetry

Scripts are pre-configured with your report token - no manual setup needed

What it checks

Security checks per platform. Most are shared across Windows and macOS, with a few platform-specific ones:

1. Malware protection (Defender / XProtect)

2. OS patching and updates

3. Disk encryption (BitLocker / FileVault)

4. Firewall enabled

5. Remote access disabled

6. Local admin accounts

7. Screen lock timeout

8. Browser protection

9. SMBv1 disabled (Windows) / Gatekeeper (macOS)

10. UAC enabled (Windows) / Automatic updates (macOS)

11. Software updates (Windows - via winget)

1. Generate a report token

The report token links device check results to your organization. Generate one from your PosturIQ dashboard:

  1. Log in at app.posturiq.com
  2. Go to Settings
  3. Under Device Security Check, click Generate Report Token

Once generated, you'll see a shareable link and a download button. The token is embedded into every script you download or share - users never need to enter it manually.

Token rotation: If you need to invalidate an existing token, click Rotate Token in Settings. A new token is generated and the old one stops working immediately. You'll need to redeploy scripts with the new token.

2. Get the scripts

After generating a report token, you'll see a shareable link in Settings. Copy it and open it yourself, or send it to employees - no PosturIQ login required.

The link opens a page with tabs for:

  • Check - one-time run (Windows: download .cmd, macOS: copy-paste a curl command into Terminal)
  • Install - sets up a weekly scheduled task so checks run automatically
  • Uninstall - removes the scheduled task and scripts

Windows deployment

Option A: Share link (employees self-service)

Send the share link to employees. They download the .cmd file and double-click it. For a one-time check, that's all - results appear on your dashboard within seconds.

For ongoing weekly checks, employees use the Install tab instead. The installer requests admin privileges, copies the script to C:\ProgramData\PosturIQ\, and creates a weekly scheduled task running as SYSTEM.

Option B: RMM deployment (multiple devices)

Push the Install .cmd via your RMM tool and run it with the -Silent flag. The installer handles everything automatically - it downloads the check script, saves it to C:\ProgramData\PosturIQ\, and creates a weekly scheduled task running as SYSTEM.

PosturIQ-Install.cmd -Silent

The scheduled task picks a random weekday per machine to spread reports across the week.

Option C: Intune

Deploy as a Platform Script (Devices > Scripts and remediations) set to run weekly. Use the -Silent flag to suppress console output.

macOS deployment

Option A: Share link (employees self-service)

Send the share link to employees. From the macOS tab, they copy a curl command, paste it into Terminal, and press Enter. No file download needed - results appear on your dashboard within seconds.

For weekly checks, use the Install tab. The install command pipes through sudo bash and creates a launchd job that runs the check automatically.

Option B: RMM / MDM deployment

Push the install script via your RMM and run it as root. No interactive prompts - it works unattended out of the box.

sudo bash PosturIQ-Install-Mac.sh
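
Added example (not part of PosturIQ's scripts): a post-install audit for the macOS job. It checks that the launchd plist and install directory named in the uninstall command below are owned by root and not writable by group or others, since anything else would let a non-root user change what the job runs. What the installer places in /Library/PosturIQ, and with which permissions, is not stated on this page; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the files a root launchd job depends on.
# Default paths are the ones in this page's uninstall command; the
# permissions the installer actually sets are an unknown being checked.

# list_unsafe OWNER PATH...
# Prints every file or directory under each existing PATH that is not
# owned by OWNER, or is writable by group or others. Symlinks are
# skipped because their own mode bits are not meaningful.
list_unsafe() {
    owner=$1; shift
    for p in "$@"; do
        [ -e "$p" ] || continue
        find "$p" ! -type l \
            \( ! -user "$owner" -o -perm -020 -o -perm -002 \) -print
    done
}

# audit_posturiq [OWNER] [PLIST] [DIR]
# Returns 0 when clean, 1 on findings, 2 when nothing is installed.
audit_posturiq() {
    owner=${1:-root}
    plist=${2:-/Library/LaunchDaemons/com.posturiq.check.plist}
    dir=${3:-/Library/PosturIQ}
    if [ ! -e "$plist" ] && [ ! -e "$dir" ]; then
        echo "not installed: $plist and $dir are absent"
        return 2
    fi
    findings=$(list_unsafe "$owner" "$plist" "$dir")
    if [ -n "$findings" ]; then
        echo "unsafe ownership or mode (a non-root user could alter the job):"
        echo "$findings"
        return 1
    fi
    echo "ok: owned by $owner, not writable by group or others"
    return 0
}
```

Call audit_posturiq with no arguments on a deployed Mac, or from the RMM after the install step; a non-zero return marks a device to re-install or investigate.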

Uninstall

Windows: Download the uninstaller from the share link (Uninstall tab) and double-click, or run manually:

schtasks /delete /tn "PosturIQ Check" /f && rmdir /s /q C:\ProgramData\PosturIQ

macOS: Download the uninstaller from the share link, or run manually:

sudo launchctl unload /Library/LaunchDaemons/com.posturiq.check.plist && sudo rm -rf /Library/PosturIQ /Library/LaunchDaemons/com.posturiq.check.plist

Troubleshooting

Device doesn't appear on dashboard

Run the check script manually and check the console output. Common causes: network connectivity, rotated report token (download fresh scripts), or PowerShell execution policy blocking the script.

Some checks show "Unknown"

Some checks need admin/root access for full detail. On Windows, the installer sets up the scheduled task to run as SYSTEM, which has the required privileges. For one-time checks, right-click the .cmd and select "Run as administrator".

Token was rotated - devices stopped reporting

After rotating the report token in Settings, all previously deployed scripts stop working. Download fresh scripts and redeploy them to your devices.

macOS: "unidentified developer" warning

Right-click the .command file and select Open, then click Open again in the dialog. This only needs to be done once.