Agent Installation
The One Defend is delivered as a module of the unified RMM agent — not as a separate binary. When you activate the Defend subscription, existing RMM-enrolled devices begin collecting EDR telemetry without any reinstallation.
Unified Agent Architecture
The One RMM agent is a single binary that loads modules based on your organization's license:
- RMM — Remote monitoring, patching, scripting (always active)
- Defend — EDR telemetry collection and response actions
- Backups — Endpoint backup and recovery
- Migrate — Data migration tooling
This CrowdStrike-style model means one install covers all endpoint products.
Enabling Defend on Existing Devices
If your devices already have the RMM agent:
- Activate the Defend subscription in Hub Billing
- The agent checks license entitlements on its next heartbeat
- The Defend module loads and begins telemetry collection
- Device appears as Defend: Active in the console within minutes
No reboot or reinstall required.
New Device Enrollment with Defend
For new devices where RMM has not yet been installed:
- Download the agent installer from the RMM console
- Run the installer (MSI on Windows, PKG on macOS, DEB/RPM on Linux)
- The agent enrolls with RMM and immediately loads the Defend module if your subscription includes it
- Certificate-based enrollment establishes device identity (see Device Enrollment)
Telemetry Collection by Platform
| Platform | Collection Method | Events |
|---|---|---|
| Windows | Event Tracing for Windows (ETW) | Process, network, file, registry, DLL, service, scheduled task, logon |
| macOS | Endpoint Security Framework (ESF) | Process, network, file, logon |
| Linux | eBPF probes | Process, network, file, logon |
Network Requirements
The agent requires outbound HTTPS (port 443) to:
- Event Hub — theonedefend-events.servicebus.windows.net for telemetry delivery
- Defend API — For enrollment, certificate renewal, and response action commands
- RMM management channel — Maintained even during device isolation
Agent Resource Impact
| Resource | Typical Usage |
|---|---|
| CPU | < 1% average (spikes during batch signing) |
| RAM | ~50 MB |
| Disk | Local encrypted buffer (AES-256-GCM) for telemetry batching |
| Network | ~50–200 MB/day per endpoint depending on activity level |
Telemetry volume can be tuned by adjusting the sampling rate and event type toggles in the agent configuration.
Agent Configuration
The Defend module supports the following configuration options:
- Batch interval — How frequently telemetry is sent (default: 1000ms)
- Event type toggles — Enable/disable collection of process, network, file, registry, or DLL events
- Process exclusions — Skip telemetry for known-good processes (e.g., backup agents, AV scanners)
- Path exclusions — Skip file monitoring for specific directories
- Sampling rate — Reduce telemetry volume for high-activity endpoints (0.0–1.0)
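The following is an added example, not code from The One Defend agent: a small model of how the configuration options above (batch interval, event type toggles, process and path exclusions, sampling rate) combine to decide which events leave the endpoint and how they are grouped into batches. The config field names, the event layout, glob-style path exclusions and hash-based deterministic sampling are assumptions for illustration; the option names and defaults follow the page.

```python
import fnmatch
import hashlib
from dataclasses import dataclass, field

@dataclass
class DefendConfig:
    batch_interval_ms: int = 1000                         # page default
    event_types: dict = field(default_factory=lambda: dict.fromkeys(  # toggles named on the page
        ("process", "network", "file", "registry", "dll"), True))
    process_exclusions: set = field(default_factory=set)  # process image names (assumed)
    path_exclusions: list = field(default_factory=list)   # glob patterns (assumed)
    sampling_rate: float = 1.0                            # 0.0-1.0 as on the page

def should_forward(cfg: DefendConfig, ev: dict) -> bool:
    # Order: type toggle, process exclusion, path exclusion, sampling.
    # Exclusions are detection blind spots: keep them narrow and review them.
    if not cfg.event_types.get(ev["type"], False):
        return False
    if ev.get("process") in cfg.process_exclusions:
        return False
    if ev["type"] == "file" and any(fnmatch.fnmatch(ev.get("path", ""), p)
                                    for p in cfg.path_exclusions):
        return False
    # Deterministic sampling: hash the event id into [0, 1) so re-evaluating
    # the same event always yields the same keep/drop decision.
    bucket = int(hashlib.sha256(ev["id"].encode()).hexdigest()[:8], 16) / 2**32
    return bucket < cfg.sampling_rate

def batch(cfg: DefendConfig, events: list) -> list:
    # Validate the config, then group forwarded events into batch_interval_ms windows.
    if not 0.0 <= cfg.sampling_rate <= 1.0 or cfg.batch_interval_ms <= 0:
        raise ValueError("sampling_rate must be 0.0-1.0 and batch_interval_ms > 0")
    batches, current, start = [], [], None
    for ev in sorted(events, key=lambda e: e["ts_ms"]):
        if not should_forward(cfg, ev):
            continue
        if current and ev["ts_ms"] - start >= cfg.batch_interval_ms:
            batches.append(current)
            current = []
        if not current:
            start = ev["ts_ms"]
        current.append(ev)
    return batches + [current] if current else batches

# Constructed sample telemetry, not real agent output.
SAMPLE = [
    {"id": "e1", "ts_ms": 0, "type": "process", "process": "powershell.exe"},
    {"id": "e2", "ts_ms": 200, "type": "file", "process": "backup.exe", "path": "C:/Backups/x"},
    {"id": "e4", "ts_ms": 1500, "type": "file", "process": "svc.exe", "path": "C:/Temp/a.tmp"},
]
```

Running `batch(DefendConfig(), SAMPLE)` yields two batches (the first two events, then the one 1500 ms later); adding `backup.exe` to `process_exclusions` silently drops its file event, which is the trade-off to weigh before excluding any process.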
Tamper Protection
The agent includes a tamper detection watchdog that monitors for:
- Unauthorized agent process termination
- Modification of agent binaries or configuration files
- Removal of the Defend module
Tamper events are reported to the Defend API via HMAC-signed webhook, generating a critical alert in the console.
Next Steps
- Device Enrollment — Certificate-based enrollment details
- Telemetry Collection — What data is collected and how
- Detection Rules — How telemetry becomes detections