
Policies & Managed Deployment

One installer. Every plugin configured. Every user compliant.

IT managers define what gets installed, how it's configured, and who gets what. A lightweight installer provisions the entire environment for every employee and collaborator — client, plugins, models, settings — in minutes, not hours.

Planned for Q3/Q4 2026. Register your interest to shape the design and get early access.

  • 78% of employees bring their own AI tools to work, outside IT control (Microsoft Work Trend Index 2024)
  • $670K additional cost per data breach involving shadow AI (IBM Cost of a Data Breach 2025)
  • 52.7% of purchased SaaS licenses go unused across the organisation (Zylo SaaS Management Index 2025)
  • 51 days lost per employee per year to technology friction (WalkMe State of Digital Adoption 2026)

Your existing MDM distributes the installer

  • MDM (Microsoft Intune, Jamf Pro, SCCM / Ansible): pushes the installer
  • Light installer: Authenticate · Fetch Policy · Download · Verify · Configure · Enroll

Provisions: what lands on the user's machine

  • Swarmix Client: pinned version
  • Plugins: configured per policy
  • AI Models: embeddings, rankers
  • Settings: locked or defaults

01. Authenticate

The installer opens your organisation's SSO provider (Entra ID, Okta, Google) in the system browser. No credentials are stored locally. Auth happens before any software is downloaded.

02. Fetch Policy

After authentication, the installer requests the user's resolved policy from the Swarmix server. The policy is encrypted and signed — tailored to the user's group membership and role.

03. Provision

The installer downloads the client app, plugins, and models specified by the policy. Every artifact is SHA256-verified. Post-install steps configure embeddings, vector stores, and plugin settings.

04. Enroll

The device exchanges cryptographic keys with the server and registers for ongoing policy management. From this point, the client's built-in policy agent handles updates automatically.

05. Launch

The client app starts with everything configured. The user is productive immediately — the right plugins, the right models, the right settings. No manual setup, no guesswork.

Policy: Engineering Team — Standard
v7 · Active · Targets: Engineering, ML Team

Client
  • Channel: stable
  • Version: ^2.5.0
  • Auto-update: within constraint

Plugins
  • Code Intelligence: ^1.2.0 (required)
  • Documents: ^1.0.0 (required)
  • Knowledge Intel: latest (optional)

Post-Install
  • Embedding model: MiniLM-L6-v2 (91 MB)
  • Ranker model: ms-marco-MiniLM (85 MB)
  • Vector store: initialise on first run

Settings & Restrictions
  • Server URL: locked
  • Telemetry: locked (enabled)
  • Plugin install: blocked (policy only)

Signed: Ed25519 · Encrypted: AES-256-GCM

Encrypted Policy Documents

Policies are signed with Ed25519 and encrypted per-device with AES-256-GCM. The server resolves, merges, and delivers each user's policy after authentication. No plaintext policies on disk.

  • Per-org signing keys with rotation
  • Per-device encryption via X25519 key exchange
  • Anti-replay protection with version enforcement
  • At-rest encryption via OS keychain (DPAPI, Keychain, libsecret)

Bundle Composition

Each policy resolves to a concrete bundle: a specific client version, a set of plugins at pinned versions, configuration overrides, and post-install steps — all verified by SHA256 checksums.

  • Client release pinning by version or constraint
  • Plugin versions with dependency resolution
  • Post-install steps: model downloads, config writes, setup scripts
  • Incremental updates — only download what changed
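
An added sketch, not Swarmix's own code, of two client-side checks described above: version enforcement against replayed policies and SHA256 verification of every artifact in the bundle. It assumes the policy has already been decrypted and its Ed25519 signature verified; the policy layout (`version`, `artifacts`, `name`, `sha256`) and all function names are hypothetical.

```python
import hashlib
import hmac

class PolicyRejected(Exception):
    """Raised when a policy must not be applied; the caller keeps the old state."""

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def accept_policy(policy: dict, artifacts: dict, last_version: int) -> int:
    """Check a decrypted, signature-verified policy; return the version to persist."""
    version = policy.get("version")
    # Version enforcement: an older policy is a replay or a forced downgrade.
    # An equal version is allowed so re-fetching the current policy is idempotent
    # (assumption: an admin rollback is published as a new, higher version).
    if not isinstance(version, int) or version < last_version:
        raise PolicyRejected(f"policy version {version!r} is older than v{last_version}")
    for item in policy["artifacts"]:
        blob = artifacts.get(item["name"])
        if blob is None:
            # Fail closed: a pinned artifact that never arrived is not skipped.
            raise PolicyRejected(f"artifact {item['name']} was not downloaded")
        # Compare against the digest pinned inside the signed policy.
        if not hmac.compare_digest(sha256_hex(blob), item["sha256"].lower()):
            raise PolicyRejected(f"SHA256 mismatch for {item['name']}")
    # Only after every artifact passes may the caller persist the new version.
    return version

def sample_bundle(version: int):
    """Constructed sample data: two fake artifacts and a policy that pins them."""
    artifacts = {
        "client": b"constructed client installer bytes",
        "plugin-code-intelligence": b"constructed plugin bytes",
    }
    policy = {
        "version": version,
        "artifacts": [{"name": n, "sha256": sha256_hex(b)} for n, b in artifacts.items()],
    }
    return policy, artifacts

if __name__ == "__main__":
    policy, artifacts = sample_bundle(8)
    print("accepted version", accept_policy(policy, artifacts, last_version=7))
```
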

Group-Based Targeting

Assign policies to groups, roles, or individual users. When a user belongs to multiple groups, policies merge deterministically — plugins are unioned, restrictions follow most-restrictive-wins.

  • Native groups or SCIM-synced from your IdP
  • Priority-based merge for conflicting settings
  • Most-restrictive-wins for security restrictions
  • Policy preview before publishing
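
The merge rule described above, as an added example that is not Swarmix's own code: plugins are unioned, plain settings follow priority, and restrictions take the strictest level regardless of priority. The `Policy` fields, the priority direction, the restriction level names, and the rule that "required" beats "optional" are assumptions.

```python
from dataclasses import dataclass, field

# Assumed restriction levels, ordered least to most restrictive.
RANK = {"allowed": 0, "warn": 1, "blocked": 2}

@dataclass
class Policy:
    name: str
    priority: int                                     # assumed: higher wins on plain settings
    plugins: dict = field(default_factory=dict)       # plugin -> "required" | "optional"
    settings: dict = field(default_factory=dict)
    restrictions: dict = field(default_factory=dict)  # restriction -> level in RANK

def merge_policies(policies):
    """Merge a user's group policies into one resolved policy."""
    # Sorting by (priority, name) makes the result independent of input order.
    ordered = sorted(policies, key=lambda p: (p.priority, p.name))
    plugins, settings, restrictions = {}, {}, {}
    for p in ordered:
        for plugin, mode in p.plugins.items():
            # Union of plugins; "required" in any group beats "optional" (assumption).
            if plugins.get(plugin) != "required":
                plugins[plugin] = mode
        # Plain settings: the higher-priority policy is applied last and wins.
        settings.update(p.settings)
        for key, level in p.restrictions.items():
            if level not in RANK:
                raise ValueError(f"unknown restriction level {level!r} in {p.name}")
            # Security restrictions ignore priority: the strictest level wins.
            current = restrictions.get(key, level)
            restrictions[key] = max(current, level, key=RANK.__getitem__)
    return {"plugins": plugins, "settings": settings, "restrictions": restrictions}

# Constructed sample: a user who belongs to both target groups.
ENGINEERING = Policy("engineering", 10,
    plugins={"code-intelligence": "required", "knowledge-intel": "optional"},
    settings={"channel": "stable"},
    restrictions={"plugin_install": "blocked"})
ML_TEAM = Policy("ml-team", 20,
    plugins={"documents": "required", "knowledge-intel": "required"},
    settings={"channel": "beta"},
    restrictions={"plugin_install": "allowed", "telemetry_opt_out": "blocked"})

if __name__ == "__main__":
    print(merge_policies([ML_TEAM, ENGINEERING]))
```

In the sample, the higher-priority ML policy sets the channel but cannot loosen `plugin_install`, which stays blocked because the engineering policy is stricter.
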

Phased Deployment

Roll out changes in phases — canary to 5%, then engineering, then everyone. Success criteria gate each phase. If error rates spike, the system pauses and optionally rolls back automatically.

  • Canary, phased, scheduled, and immediate strategies
  • Success criteria: min success rate, max error rate
  • Auto-proceed or manual approval between phases
  • One-click rollback to previous policy

Compliance Monitoring

Every enrolled device reports its state on a configurable interval. The dashboard shows compliance percentage, drift events, stale devices, and deployment progress — all auditable.

  • Real-time compliance status per device
  • Drift detection with configurable remediation
  • Stale device tracking and auto-unenrollment
  • Full audit log for SOC 2 and ISO 27001

MDM Enforcement

When an organisation requires managed installation, the server blocks unenrolled clients. Three enforcement modes let you roll out gradually: audit first, then partial, then full.

  • Org-level mdm_required flag
  • Audit, partial, and full enforcement modes
  • Configurable grace period for new users
  • Device attestation tokens on every request

Phased rollouts

Ship updates like you ship code — progressively.

Create a deployment, pick a strategy, and define success criteria. The scheduler rolls out your policy in phases. Each phase waits for enough devices to report success before proceeding.

If error rates exceed your threshold, the deployment pauses automatically. One click rolls back to the previous policy. Every device, every phase, every error is logged for audit.

Adaptive sync intervals speed up during active deployments and throttle back during steady state — no bandwidth storms, no thundering herds.

  • Canary (complete): 5% of engineering, 8/8 devices
  • Engineering (active): all engineers, 41/79 devices
  • Everyone (pending): all groups, 0/162 devices

Intune / Entra ID

Push the installer MSI via Intune. Groups sync from Entra ID via SCIM. SSO for authentication.

Jamf / Apple MDM

Distribute the PKG via Jamf policies. Keychain integration for at-rest policy encryption.

Ansible / SCCM

Automate with DEB/RPM packages. Silent mode for headless deployment. Scripts for detection.

SCIM Sync

Groups and users sync from your Identity Provider. Policy targeting mirrors your AD structure.

  • < 5 min: User onboarding
  • 100%: Compliance visibility
  • 1-click: Rollback capability
  • Zero: Unmanaged installations

Drift detection

If something changes, you know immediately.

The policy agent on each device continuously compares actual state to desired state. If a user uninstalls a required plugin, changes a locked setting, or installs an unapproved extension — the dashboard shows it within minutes.

Remediation is configurable per restriction: auto-fix silently, warn and fix, report to admin, or block the app until resolved. You control the trade-off between user freedom and organisational compliance.

  • Compliant: Settings match policy, plugins present and verified
  • Drift: Locked setting changed or required plugin removed
  • Error: Policy application failed, needs IT attention
  • Stale: Device hasn't checked in within the expected window

Interested in managed deployment?

We're designing policies and MDM integration now. Register your interest to influence the roadmap and be the first to try it.
