
Installation on MacOS (in Asset Mode)

XplicitTrust can run on MacOS systems in two modes:

  • Client Mode: for regular users to access services (like SSH, HTTPS, remote desktop, etc).

  • Asset Mode: services (like SSH, HTTPS, remote desktop, etc) can be remotely accessed from an XplicitTrust client, or from another system running in Asset Mode.

On this page are the instructions for Asset Mode.


To install the XplicitTrust agent:

  1. Download client at

  2. Double click on the downloaded file to install (and accept any prompts, if necessary).
    Please wait until you see a system tray icon that looks as follows, before moving to the next step:


  1. To register the machine as an asset and (optionally) add it to the default policy, run:
    xtna-util -user <XplicitTrust admin email address> -default-policy
  2. Open the URL that xtna-util returns in a browser to authenticate.
  1. Go to the admin console settings page

  2. Create a new "Asset Creation Token", configure it, then download it and store it in a secure place

  3. Use the token to register assets

    xtna-util -domain <tenant domain> -token <token>
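
One way to carry out step 3 without pasting the token into the terminal, as an added example (not XplicitTrust's own tooling): the script reads the token from a file and refuses to use it unless the file is a regular file owned by the current user with no group or other permissions. The function names, the script name and the token file location are assumptions; only the `-domain` and `-token` flags come from this page.

```bash
#!/usr/bin/env bash
# Added example: vet an Asset Creation Token file, then register the asset.
# Function names and the token file location are assumptions, not product features.

# Return 0 only if FILE is a regular file (not a symlink), owned by the
# current user, with no group/other permission bits set.
token_file_ok() {
    local f=$1 perms
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "not a regular file: $f" >&2; return 1
    fi
    if [ ! -O "$f" ]; then
        echo "not owned by the current user: $f" >&2; return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld -- "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "group/other access on $f ($perms); fix with: chmod 600" >&2; return 1
    fi
}

# Print the token stored in FILE (trailing newlines stripped) after vetting it.
read_token() {
    local token
    token_file_ok "$1" || return 1
    token=$(cat -- "$1")
    if [ -z "$token" ]; then
        echo "token file is empty: $1" >&2; return 1
    fi
    printf '%s' "$token"
}

# register_asset TENANT_DOMAIN TOKEN_FILE
register_asset() {
    local token
    token=$(read_token "$2") || return 1
    # Reading from a file keeps the token out of shell history, but it is still
    # visible in the process argument list while xtna-util runs.
    xtna-util -domain "$1" -token "$token"
}

# Script usage: ./register-asset.sh <tenant domain> <token file>
if [ "$#" -eq 2 ]; then
    register_asset "$1" "$2"
fi
```
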
  1. Go to the admin console assets page

  2. Click the "Create new" button, fill out the form, and click "Apply"

  3. Click the "Download Config" icon at the top of the form box:


  4. Copy the configuration to the asset and run:

    sudo xtna-util -import xtna-*.xtconfig
  1. A window (on the machine where you are installing) will open asking if you want to import the XplicitTrust config file.

    If you don't see the window, please look in the task bar (not the system tray) for an icon that looks like this (highlighted in red), and click on it:

    Agree Window

    Please click "Yes" in the window:

    Agree Window

  2. The XplicitTrust icon in the system tray should now look like this:


    This means the installation was successful, and the system is now connected.

System Tray Icons

You can see the status of your XplicitTrust Windows client in the menu bar:


  • XplicitTrust tunnels are up and running; click on the icon to see status information.

  • Authenticating: Agent is authenticating itself, tunnels are not up yet.

  • Offline: Agent is offline.


If the registration fails or the agent is not able to get Online, check that outgoing HTTPS connections (TCP port 443) are allowed. For the best experience, also allow outgoing connections on UDP port range 51820 - 60000.

Consult the FAQ to learn more about troubleshooting firewalls.