Security & Data

What the Pult Agent collects, how it protects credentials, and what it explicitly does not access on your devices.

This page consolidates the security-relevant details of the Pult Agent in one place -- what data it collects, how that data is transmitted and stored, and what it does not do.

What Data Is Collected

During Enrollment

When a device enrolls (via manual sign-in or bootstrapping), the agent sends a one-time enrollment request containing:

  • Device name -- the device's hostname.
  • Operating system and version -- e.g., "macOS 15.2.1" or "Windows 11 23H2".
  • Device serial number -- the hardware serial number reported by the operating system.
  • OS username -- the username of the signed-in OS account.
  • Bootstrap token -- included only when using automated enrollment.

The server also sees the device's public IP address from the HTTPS connection. This information is shown to the admin reviewing the Device Auth Request.

During Normal Operation

Once enrolled, the agent periodically sends a presence beacon containing:

  • Local IPv4 addresses -- the private IP addresses of the device's physical network adapters (WiFi and wired). See Network Interface Filtering below.

A future release will also include:

  • Device activity state -- whether the device is actively in use (e.g., awake vs. sleeping, lid open vs. closed). This will improve presence accuracy -- a sleeping device at the office will not count as active presence. No details about what the user is doing will be collected, only whether the device is awake.

Beyond these signals, no other device data is included in the beacon. The server observes the public IP address from the incoming HTTPS connection. Both the public and local IPs are used to match the device against configured presence location subnets. After matching, only the resulting location name and timestamp are stored -- the IP addresses themselves are not persisted.
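The matching step described above, sketched as an added example (not Pult's code) to show that only a location name and timestamp leave the function. The location names, the subnets (documentation ranges), and the rule that the public IP must match and, where local subnets are configured, one local IPv4 must match too, are assumptions.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed sample configuration (documentation-range addresses, not Pult data).
LOCATIONS = {
    "Berlin HQ": {"public": ["203.0.113.0/28"], "local": ["10.20.0.0/16"]},
    "Lisbon Office": {"public": ["198.51.100.64/29"], "local": []},
}


def _in_any(ip, cidrs):
    """True if ip falls inside at least one of the CIDR ranges."""
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


def match_location(public_ip, local_ips, locations=LOCATIONS):
    """Return the name of the matching location, or None when off-network."""
    pub = ipaddress.ip_address(public_ip)
    locals_v4 = []
    for raw in local_ips:
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            continue  # malformed beacon entry: ignore it, do not fail the beacon
        if addr.version == 4:  # the page states that only IPv4 is collected
            locals_v4.append(addr)
    for name, nets in locations.items():
        if not _in_any(pub, nets["public"]):
            continue
        # Assumption: local subnets, when configured, must also match.
        if nets["local"] and not any(_in_any(a, nets["local"]) for a in locals_v4):
            continue
        return name
    return None


def presence_record(public_ip, local_ips, now=None):
    """Build the only data that is persisted: location name and timestamp."""
    location = match_location(public_ip, local_ips)
    if location is None:
        return None  # off-network beacon: nothing is stored
    ts = (now or datetime.now(timezone.utc)).isoformat()
    return {"location": location, "timestamp": ts}
```

The IP addresses are inputs to the match only; a reviewer auditing a real deployment would look for the same property in what the backend stores.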

The agent also periodically refreshes its access token and fetches the user's profile (name, email) to display in the tray menu. No device data is sent during these requests.

What Is NOT Collected

The Pult Agent does not access or transmit any of the following:

  • MAC addresses -- the agent does not currently read or send network adapter MAC addresses. A future version may support opt-in device data collection (including MAC addresses) to eliminate the need for a separate MDM integration. This will always be strictly opt-in and disabled by default.
  • Running processes or installed software -- no system inventory is performed.
  • Browsing history or application usage -- no network traffic is inspected.
  • File system contents -- the agent does not read, scan, or index files on the device.
  • Screen captures or keystrokes -- no screen recording, screenshots, or input monitoring.
  • GPS or precise location -- the agent determines office presence via IP matching only, not geolocation.
  • IPv6 addresses -- only IPv4 addresses are collected.
  • Off-network activity -- when the device is outside a configured office network, no data is captured. The beacon still reaches the server, but no presence record is created because the IP does not match any known location.

The Pult Agent is designed exclusively for office presence detection. It does not monitor whether an employee is working, idle, or offline. No data about personal activities, non-work usage, or time spent away from the office is collected or inferred. When a device is not connected to a known office network, it is simply invisible to Pult.

Network Interface Filtering

The agent only reports IP addresses from physical network adapters (WiFi and Ethernet). It deliberately excludes virtual and tunnel interfaces, including:

  • VPN tunnel adapters
  • Virtual machine network bridges (e.g., VMware, VirtualBox, Hyper-V)
  • Container networking (e.g., Docker bridge interfaces)
  • Loopback adapters
  • Bluetooth network adapters

This filtering is applied per platform to ensure that only IPs from genuine office network connections are reported. If you use a VPN, the VPN adapter's IP is excluded -- but you still need to configure a split-tunnel exclusion so that the beacon itself is sent from the office network's public IP.
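An added example (not the agent's code) for checking which addresses from a device's interface inventory would end up in a beacon under the exclusions listed above. The name patterns follow common OS naming conventions and are assumptions, as is the constructed sample inventory.

```python
import ipaddress
import re

# Assumed name patterns for the excluded categories listed above; these follow
# common OS naming conventions and are not the agent's actual rules.
EXCLUDED = [
    ("loopback", re.compile(r"^(lo\d*|loopback.*)$", re.I)),
    ("vpn", re.compile(r"^(utun|tun|tap|wg|ppp|ipsec)\d+$", re.I)),
    ("container", re.compile(r"^(docker\d+|br-[0-9a-f]+|veth\w+)$", re.I)),
    ("vm", re.compile(r"^(vmnet\d+|vboxnet\d+|virbr\d+|vethernet.*)$", re.I)),
    ("bluetooth", re.compile(r"^(bnep\d+|bluetooth.*)$", re.I)),
]


def classify(name):
    """Return the excluded category for an interface name, or None if physical."""
    for category, pattern in EXCLUDED:
        if pattern.match(name):
            return category
    return None


def beacon_ipv4(interfaces):
    """Split an interface inventory into reported IPv4s and skipped adapters."""
    reported, skipped = [], {}
    for name, addresses in interfaces:
        category = classify(name)
        if category:
            skipped[name] = category
            continue
        for raw in addresses:
            if ipaddress.ip_address(raw).version == 4:  # IPv6 is never sent
                reported.append(raw)
    return reported, skipped


# Constructed inventory: a laptop on office WiFi with a VPN and Docker running.
SAMPLE = [
    ("en0", ["10.20.4.17", "fe80::1c2a:3bff:fe4d:5e6f"]),
    ("utun3", ["10.8.0.2"]),
    ("docker0", ["172.17.0.1"]),
    ("vmnet8", ["192.168.56.1"]),
    ("lo0", ["127.0.0.1"]),
]

if __name__ == "__main__":
    print(beacon_ipv4(SAMPLE))
```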

Transport Security

All communication between the agent and the Pult backend occurs over HTTPS (TLS) to gql.api.pult.com on port 443.

The agent uses the operating system's root certificate store for TLS verification. If your organization uses a TLS inspection proxy, ensure the proxy's root certificate is installed in the OS trust store.

Credential Storage

The agent stores authentication credentials in the operating system's secure credential store:

  Platform    Storage
  macOS       Keychain
  Windows     Credential Manager
  Linux       Secret Service (via D-Bus)

Stored credentials include the access token and bootstrap token (if applicable). These are never written to disk in plain text.

The one exception is file-based bootstrap token deployment, where a token file is temporarily stored on disk. The agent deletes the file immediately after reading the token and transferring it to secure storage.

Crash Reporting

The agent includes automatic crash reporting that sends diagnostic data to Pult infrastructure when an unexpected error occurs. Crash reports contain:

  • Stack traces and error messages from the agent process.
  • Basic environment information (OS, agent version).

Crash reports do not contain user data, presence information, IP addresses, or any data collected during normal operation. Crash reporting is disabled in development builds.

Automatic Session Expiry

If the agent cannot reach the backend for an extended period or its access token becomes permanently invalid, it automatically signs out and stops sending beacons. The tray menu reflects the signed-out state.

To resume presence detection, the device must re-enroll -- either through manual sign-in or by deploying a new bootstrap token. This ensures that stale or compromised sessions do not persist indefinitely.

Independent Security Assessment

The Pult Agent (both macOS and Windows) has undergone an independent penetration test conducted by a third-party security firm following OWASP Top 10 and NIST 800-115 methodologies. The assessment found no high- or medium-severity vulnerabilities. Detailed reports are available through the Pult Trust Center.

Last updated on Apr 20, 2026, 10:18 PM
