Organizations

Roll out local-first developer identity checks across managed devices.

Organizations can deploy PubKeySpace through device management, run scheduled per-user collection, and review signed reports in a team posture workflow.

Rollout model

MDM installs PubKeySpace. The user-scoped collector checks local posture.

01

Prepare package

Build a Developer ID signed and notarized package that installs the desktop app, local engine, and CLI helper.

02

Push config

Use MDM to provide org ID, collector URL, policy defaults, and optional workspace guidance.

03

Run per user

Run scheduled checks as the logged-in user so PubKeySpace can inspect user-owned SSH, Git, MCP, and passkey review surfaces.

04

Review posture

Track last seen, collector health, findings, accepted risk, policy drift, and version coverage across enrolled devices.

Cadence

Use separate schedules for scans, heartbeats, and updates.

Inventory scan

Run once every 24 hours by default. Increase to every 6-12 hours for higher-risk environments.

Collector heartbeat

Send health every 1-4 hours so admins can see devices that stopped reporting without constantly rescanning.

Update check

Check on app launch and daily. For managed teams, MDM should remain the source of truth for staged updates.

Updates

Managed updates should be boring.

Use MDM to deploy signed and notarized `.pkg` updates across device rings.

Keep optional in-app update checks for small teams or unmanaged installs later.

Track app version, engine version, policy version, and last successful collection in the team service.
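An added example, not PubKeySpace code, of how a team service could use the separate heartbeat and scan schedules above to tell a device that has gone silent from one whose collector still reports health but no longer completes scans. The record fields, state names, grace multiplier, and version strings are assumptions, and the sample fleet is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

SCAN_INTERVAL = timedelta(hours=24)      # page default for inventory scans
HEARTBEAT_INTERVAL = timedelta(hours=4)  # upper end of the page's 1-4 hour range
GRACE = 2  # assumption: tolerate one missed run before flagging

@dataclass
class DeviceRecord:
    """Hypothetical per-device row; field names are assumptions."""
    device_id: str
    last_heartbeat: datetime
    last_successful_collection: Optional[datetime]
    app_version: str

def classify(rec: DeviceRecord, now: datetime, expected_version: str) -> str:
    """Return the most urgent state for one device."""
    if now - rec.last_heartbeat > GRACE * HEARTBEAT_INTERVAL:
        # No health signal at all: offline, unenrolled, or collector removed.
        return "silent"
    last = rec.last_successful_collection
    if last is None or now - last > GRACE * SCAN_INTERVAL:
        # Heartbeats arrive but scans do not complete: posture data is stale.
        return "collection_stalled"
    if rec.app_version != expected_version:
        return "outdated_version"
    return "healthy"

def triage(fleet, now, expected_version):
    """Group device IDs by state so stale reporters are reviewed first."""
    groups = {}
    for rec in fleet:
        state = classify(rec, now, expected_version)
        groups.setdefault(state, []).append(rec.device_id)
    return groups

# Constructed sample fleet (not real data).
NOW = datetime(2025, 1, 10, 12, 0, tzinfo=timezone.utc)
FLEET = [
    DeviceRecord("mac-01", NOW - timedelta(hours=1), NOW - timedelta(hours=20), "1.4.0"),
    DeviceRecord("mac-02", NOW - timedelta(hours=30), NOW - timedelta(hours=31), "1.4.0"),
    DeviceRecord("mac-03", NOW - timedelta(hours=2), NOW - timedelta(hours=72), "1.4.0"),
    DeviceRecord("mac-04", NOW - timedelta(hours=3), NOW - timedelta(hours=5), "1.3.2"),
    DeviceRecord("mac-05", NOW - timedelta(hours=1), None, "1.4.0"),
]

if __name__ == "__main__":
    for state, ids in triage(FLEET, NOW, "1.4.0").items():
        print(f"{state}: {', '.join(ids)}")
```

A device in `collection_stalled` is the case a scan-only schedule would hide: it looks identical to an offline laptop unless the heartbeat is tracked separately.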