# Security & IT Rollout Guide

> Deploy Beacon endpoint telemetry and forward events into security operations workflows.

Beacon gives Security and IT teams local endpoint visibility into supported [agent harnesses](/runtimes). It captures supported activity, normalizes it into a stable endpoint event schema, and writes JSONL for local inspection or customer-managed forwarding.

Beacon is local-only by default. The endpoint agent does not require a Beacon-hosted account, remote policy fetch, or external network dependency during normal collection. Use [Asymptote Managed](/deployment/managed) when you need centralized retention, search, governance, investigations, access control, or rollout support.

## Rollout Path

<Steps>
  <Step title="Pilot">
    Start with a small macOS group that represents the agent harnesses and teams you want to observe. Decide which runtimes are in scope, whether events stay local at first, and which MDM group owns the initial package rollout.
  </Step>

  <Step title="Validate">
    Confirm install coverage, collector health, runtime log freshness, configured harness scope, and expected event coverage before expanding.
  </Step>

  <Step title="Expand">
    Deploy the signed and notarized macOS package through Jamf Pro, Fleet, or another MDM. Production deployments use system mode and write events to `/var/log/beacon-agent/runtime.jsonl`.
  </Step>

  <Step title="Centralize">
    Keep local JSONL on the endpoint, then add forwarding into your SIEM, observability stack, object storage, or customer-managed pipeline when the destination policy is approved.
  </Step>
</Steps>

## Deployment Decisions

Before broad rollout, document these decisions:

| Decision             | What to define                                                                                                              |
| -------------------- | --------------------------------------------------------------------------------------------------------------------------- |
| Runtime scope        | Which supported harnesses are approved for collection and whether optional runtime integrations are in scope.               |
| Install mode         | Local evaluation, root-managed system install, or MDM package rollout.                                                      |
| Event destination    | Local JSONL only, Wazuh localfile, supported forwarding destination, object storage, or customer-managed pipeline.          |
| Access and retention | Who can read local logs, how long downstream systems retain events, and which teams own review.                             |
| Managed handoff      | Whether the rollout now needs centralized visibility, policy controls, investigations, SSO/RBAC, or private infrastructure. |

## Validation Signals

Track these signals in your device-management platform or operations dashboard:

| Area                  | Recommended signal                                                                    |
| --------------------- | ------------------------------------------------------------------------------------- |
| Install coverage      | Beacon package or binary version is present                                           |
| Collector health      | `com.beacon.endpoint.collector` is running                                            |
| Event freshness       | Last runtime event age is within your expected window                                 |
| Runtime configuration | Configured harnesses match the approved deployment scope                              |
| Forwarding readiness  | Runtime log exists and is writable; downstream forwarding is configured when required |

For command-level checks, see [Endpoint status](/cli/endpoint-status), [Endpoint discover](/cli/endpoint-discover), and [Local testing](/guides/local-testing).
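
As an added example (not Beacon's own tooling), this POSIX shell probe reports the collector-health, event-freshness, and forwarding-readiness signals from the table in a form an MDM inventory script can emit. It assumes the collector is loaded in the launchd system domain, uses the log file's modification time as a proxy for last event age, and defaults to a one-hour window; the function names and threshold are this example's own.

```shell
#!/bin/sh
# Added example: local probe for the validation signals in the table above.
# The launchd label and log path come from this page; the freshness window
# and function names are assumptions of this example.

BEACON_LABEL="com.beacon.endpoint.collector"
BEACON_LOG="/var/log/beacon-agent/runtime.jsonl"
MAX_AGE_SECONDS="${MAX_AGE_SECONDS:-3600}"   # assumed window; set per policy

# collector_state: running | not-running | unknown (host has no launchctl)
collector_state() {
    command -v launchctl >/dev/null 2>&1 || { echo unknown; return 0; }
    # Assumes system mode, so the job lives in the launchd "system" domain.
    if launchctl print "system/$BEACON_LABEL" 2>/dev/null | grep -q 'state = running'; then
        echo running
    else
        echo not-running
    fi
}

# log_state FILE MAX_AGE: missing | not-writable | empty | stale | fresh
# The writable test reflects the invoking user (MDM scripts usually run as root).
log_state() {
    f=$1; max=$2
    [ -f "$f" ] || { echo missing; return 0; }
    [ -w "$f" ] || { echo not-writable; return 0; }
    [ -s "$f" ] || { echo empty; return 0; }
    # GNU stat first, then BSD/macOS stat; mtime stands in for last event age.
    mtime=$(stat -c %Y "$f" 2>/dev/null || stat -f %m "$f" 2>/dev/null) \
        || { echo unknown; return 0; }
    age=$(( $(date +%s) - mtime ))
    if [ "$age" -gt "$max" ]; then echo stale; else echo fresh; fi
}

# One line per device, easy to surface as an inventory attribute.
echo "collector=$(collector_state) runtime_log=$(log_state "$BEACON_LOG" "$MAX_AGE_SECONDS")"
```

A `stale` result on a device whose collector is `running` usually means no in-scope harness has been used recently, so compare it against the configured harness scope before treating it as a fault.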

## Guides

<Columns cols={2}>
  <Card title="Enterprise security review" icon="shield-halved" href="/security/review">
    Answer procurement and security review questions about local collection, data inventory, content handling, endpoint behavior, and disclosure policy.
  </Card>

  <Card title="MDM deployment" icon="laptop-mobile" href="/mdm">
    Plan managed macOS rollout with the packaged system agent.
  </Card>

  <Card title="Jamf" icon="laptop" href="/mdm/jamf">
    Deploy and inventory Beacon with Jamf Pro policies and extension attributes.
  </Card>

  <Card title="Fleet" icon="laptop-file" href="/mdm/fleet">
    Deploy Beacon with Fleet software, policies, queries, and scripts.
  </Card>

  <Card title="SIEM forwarding" icon="tower-broadcast" href="/log-forwarding">
    Forward Beacon events to Wazuh, Splunk HEC, Falcon LogScale, Elastic, Datadog, Sumo Logic, Rapid7 InsightIDR, or a customer-managed SIEM pipeline.
  </Card>

  <Card title="Endpoint event schema" icon="code" href="/telemetry-schema/event-schema">
    Review the normalized JSONL contract used for endpoint events.
  </Card>
</Columns>

Also review [Agent harness integrations](/runtimes) to confirm supported runtimes, deployment modes, storage paths, and forwarding boundaries.

## When to Move to Managed

Open Source works well when your team wants local endpoint telemetry and controls the downstream destination. Consider [Asymptote Managed](/deployment/managed) when you need:

* centralized ingest, retention, search, and detections
* fleet-wide visibility across endpoints, users, and teams
* policy controls, identity mapping, approvals, and investigation workflows
* SSO, RBAC, audit trails, onboarding, and rollout support

For dedicated infrastructure, stricter data boundaries, or residency requirements, ask about Private Deployment. [Contact us](https://asymptotelabs.ai/contact) to discuss Managed or Private Deployment.

## Boundaries

Beacon currently focuses on endpoint telemetry for supported agent harnesses and local endpoint configuration context. It does not provide kernel or process monitoring, shell history collection, cloud audit ingestion, browser or SaaS telemetry, credential-use attribution, or automatic mutation of Factory Droid shell profiles. Use [Log Forwarding](/log-forwarding) for supported SIEM, observability, object-storage, local JSONL, and customer-managed destinations.
