Overview
Velatir for Desktop needs a small set of operating system permissions to capture and inspect AI traffic on a managed device. Everything is requested at install time, and the list is short on purpose: there is no microphone, camera, location, or full-disk access.Windows
The installer asks for administrator rights once. It uses them to set up traffic capture, install the certificate Velatir needs to inspect AI traffic, and register the background service. After that, the CLI asks for elevation only for commands that change capture or configuration. Velatir then runs as a background service that starts automatically, so it keeps working across reboots without anyone needing to launch it. A tray icon shows when it is running.| Prompt | When | What it grants |
|---|---|---|
| User Account Control (UAC) | At install | Administrator rights for the installer |
| UAC for some CLI commands | Running velatir start, stop, set-api-key, and similar | Per-command elevation for changes |
macOS
The installer asks for an administrator password once, the standard macOS installer flow. Velatir captures traffic through an approved macOS system extension. There is no kernel extension and no patching of system frameworks.System extension approval
System extension approval
On first run, macOS asks the user to approve Velatir’s network extension in System Settings → General → Login Items & Extensions → Network Extensions. Until it is approved, capture cannot start. On managed Macs you can pre-approve it so there is no prompt; see Enterprise deployment. The extension grants no access to files, user data, or any other system resource.
Certificate
Certificate
Velatir trusts its per-device certificate in the macOS System keychain, so browsers and apps inspect correctly. Some runtimes keep their own trust store; see Troubleshooting. To use your own certificate authority instead, see Bring your own certificate.
| Prompt | When | What it grants |
|---|---|---|
| Administrator password | At install | Permission to run the installer |
| System extension approval | First run | Permission to load Velatir’s network extension |
| Authorisation for some CLI commands | Running velatir start, stop, set-api-key, and similar | Per-command elevation for changes |
Next steps
VPN compatibility
How Velatir works alongside corporate VPNs.
Enterprise deployment
Silent install, bring-your-own CA, and MDM rollouts.
Data privacy
What Velatir stores and how it scrubs sensitive content.
Troubleshooting
Diagnose certificate and approval issues.