> ## Documentation Index
> Fetch the complete documentation index at: https://docs.velatir.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Permissions

> The operating system permissions Velatir for Desktop needs on Windows and macOS, and why

## Overview

Velatir for Desktop needs a small set of operating system permissions to capture and inspect AI traffic on a managed device. Everything is requested at install time, and the list is short on purpose: there is no microphone, camera, location, or full-disk access.

## Windows

The installer asks for administrator rights once. It uses them to set up traffic capture, install the certificate Velatir needs to inspect AI traffic, and register the background service. After that, the [CLI](/desktop-app/cli) asks for elevation only for commands that change capture or configuration.

Velatir then runs as a background service that starts automatically, so it keeps working across reboots without anyone needing to launch it. A tray icon shows when it is running.

| Prompt                     | When                                                        | What it grants                         |
| -------------------------- | ----------------------------------------------------------- | -------------------------------------- |
| User Account Control (UAC) | At install                                                  | Administrator rights for the installer |
| UAC for some CLI commands  | Running `velatir start`, `stop`, `set-api-key`, and similar | Per-command elevation for changes      |

## macOS

The installer asks for an administrator password once, the standard macOS installer flow. Velatir captures traffic through an approved macOS **system extension**. There is no kernel extension and no patching of system frameworks.

<AccordionGroup>
  <Accordion title="System extension approval">
    On first run, macOS asks the user to approve Velatir's network extension in **System Settings → General → Login Items & Extensions → Network Extensions**. Until it is approved, capture cannot start. On managed Macs you can pre-approve it so there is no prompt; see [Enterprise deployment](/desktop-app/enterprise-deployment). The extension grants no access to files, user data, or any other system resource.
  </Accordion>

  <Accordion title="Certificate">
    Velatir trusts its per-device certificate in the macOS System keychain, so browsers and apps inspect correctly. Some runtimes keep their own trust store; see [Troubleshooting](/desktop-app/troubleshooting). To use your own certificate authority instead, see [Bring your own certificate](/desktop-app/bring-your-own-ca).
  </Accordion>
</AccordionGroup>

| Prompt                              | When                                                        | What it grants                                 |
| ----------------------------------- | ----------------------------------------------------------- | ---------------------------------------------- |
| Administrator password              | At install                                                  | Permission to run the installer                |
| System extension approval           | First run                                                   | Permission to load Velatir's network extension |
| Authorisation for some CLI commands | Running `velatir start`, `stop`, `set-api-key`, and similar | Per-command elevation for changes              |

## Next steps

<CardGroup cols={2}>
  <Card title="VPN compatibility" icon="globe" href="/desktop-app/vpn-compatibility">
    How Velatir works alongside corporate VPNs.
  </Card>

  <Card title="Enterprise deployment" icon="building" href="/desktop-app/enterprise-deployment">
    Silent install, bring-your-own CA, and MDM rollouts.
  </Card>

  <Card title="Data privacy" icon="lock" href="/security/data-privacy">
    What Velatir stores and how it scrubs sensitive content.
  </Card>

  <Card title="Troubleshooting" icon="life-buoy" href="/desktop-app/troubleshooting">
    Diagnose certificate and approval issues.
  </Card>
</CardGroup>
