Skip to main content

Overview

Velatir for Desktop needs a small set of operating system permissions to capture and inspect AI traffic on a managed device. Everything is requested at install time, and the list is short on purpose: there is no microphone, camera, location, or full-disk access.

Windows

The installer asks for administrator rights once. It uses them to set up traffic capture, install the certificate Velatir needs to inspect AI traffic, and register the background service. After that, the CLI asks for elevation only for commands that change capture or configuration. Velatir then runs as a background service that starts automatically, so it keeps working across reboots without anyone needing to launch it. A tray icon shows when it is running.
PromptWhenWhat it grants
User Account Control (UAC)At installAdministrator rights for the installer
UAC for some CLI commandsRunning velatir start, stop, set-api-key, and similarPer-command elevation for changes

macOS

The installer asks for an administrator password once, the standard macOS installer flow. Velatir captures traffic through an approved macOS system extension. There is no kernel extension and no patching of system frameworks.
On first run, macOS asks the user to approve Velatir’s network extension in System Settings → General → Login Items & Extensions → Network Extensions. Until it is approved, capture cannot start. On managed Macs you can pre-approve it so there is no prompt; see Enterprise deployment. The extension grants no access to files, user data, or any other system resource.
Velatir trusts its per-device certificate in the macOS System keychain, so browsers and apps inspect correctly. Some runtimes keep their own trust store; see Troubleshooting. To use your own certificate authority instead, see Bring your own certificate.
PromptWhenWhat it grants
Administrator passwordAt installPermission to run the installer
System extension approvalFirst runPermission to load Velatir’s network extension
Authorisation for some CLI commandsRunning velatir start, stop, set-api-key, and similarPer-command elevation for changes

Next steps

VPN compatibility

How Velatir works alongside corporate VPNs.

Enterprise deployment

Silent install, bring-your-own CA, and MDM rollouts.

Data privacy

What Velatir stores and how it scrubs sensitive content.

Troubleshooting

Diagnose certificate and approval issues.