macOS endpoint
BeProof app + CLI
The admin console is BeProof's web UI for security and fleet teams. It aggregates posture from managed Mac endpoints enrolled in your organization — heartbeat, audit freshness, sanitized review items, and signed policy bundles.
Fleetin BeProof means your organization's enrolled managed Macs — not a separate product. Each endpoint runs the BeProof app in managed mode, sends signed metadata-only summaries to the control plane, and pulls org policy overlays. The admin console is the read-and-respond layer for security teams.
Production admin console: sign in at /fleet/login with your organization email and password (Firebase Identity Platform). Local demo builds may still offer a one-click Acme Corp walkthrough with sample data.
Ops runbook for GCP bootstrap (Identity Platform, Vercel env, membership): see infra/gcp/REAL_PILOT.md in the repository.
Organization-wide posture: active devices, 24h reporting, stale audit rate (POL-M02), per-device health, and shortcuts to open review items.
Inventory of enrolled Macs with app version, enrollment time, last heartbeat, and active policy bundle revision.
Sanitized analyst workflow for policy violations surfaced from managed endpoint audits — title, summary, severity, rule id, device hostname. No raw evidence paths.
Org admins publish a signed org overlay + allowlist JSON bundle. Enrolled endpoints download the new revision on the next policy sync.
Org admins issue one-time enrollment tokens from the admin console. Each token is single-use, expires after 72 hours by default, and binds the endpoint to your tenant org policy.
Org admins invite additional console users by email and role. Fleet admins can view the roster read-only. All invite, role change, and remove actions are recorded in the admin audit log.
Admin roles are stored in the control plane per tenant and resolved via /api/v1/me after Firebase sign-in. Demo builds may use dev headers locally; production requires Identity Platform id tokens.
| Role | Capabilities |
|---|---|
| org_admin | Full access: metrics, review mutations, policy publish, enrollment tokens, member invite/remove/role, admin audit log |
| security_analyst | Review queue assign + bulk approve/exception |
| fleet_admin | Read fleet state + create enrollment tokens + read-only members list; no review mutations, policy publish, or member changes |
| auditor_readonly | Read-only fleet and review queue |
Policy evaluation stays on the endpoint. The control plane never receives raw SQLite databases or secret values — only signed, metadata-only fleet summaries and heartbeat fields defined in the fleet evidence contract (packages/contracts). The admin console reads that org-scoped posture; it does not scan workstations.
BeProof app + CLI
Jamf · Intune · Kandji · Fleet
GCP Cloud Run + Postgres
Vercel + Firebase Auth
Policy evaluation stays on the endpoint. The control plane receives signed, allowlisted metadata only — never raw SQLite or secrets.
See also Reference architecture, Managed deployment (MDM), and Policy Pack v1.2.2.