Enforcement Agent Settings and Downloads

Install the TMWS Enforcement Agent on client machines to enforce the use of a PAC file for traffic forwarding and to automatically deploy the TMWS certificate to supported browsers.

Before the installation, configure Enforcement Agent settings and download the installation package from the TMWS management console.

  1. Go to Administration > SERVICE DEPLOYMENT > Enforcement Agent.
  2. On the Enforcement Agent page, configure the following in the Customize Agent Settings section.



    Agent platform

    Click Windows or macOS to specify the settings for the operating system on which you want to install the agent.

    Agent tray icon

    This setting is enabled by default. To disable this setting, clear the Show status check box.

    When enabled, the agent icon displays on the system tray of the computer.

    • Windows

    • macOS

    The agent tray icon allows you to perform the following tasks:

    • Temporarily disable the agent

      Temporarily disabling the agent requires an access key, which you can generate from the Disable Agent section at the bottom of the Enforcement Agent screen on the management console.

    • View the proxy status

      The Status window displays the Enforcement Agent version number, user logon information, and PAC file name.


      The user logon information and PAC file name are only available on Windows endpoints.

    • Log out and log in as another user

      On the Status window, you can click Log out to allow the current user to log out of the Enforcement Agent and another user to log on.

      Upon clicking Log out, a notification message appears, requiring you to clear cookies and cache in your browser, close all browser windows, and then click OK.

      After logging out, open a browser window and browse to an HTTP website. On the logon screen that appears, type the credentials of the other user to log on as that user.


      This function is only available on Windows endpoints.

    Forbidden browser(s)

    There are no forbidden browsers by default.

    If users have several browsers installed on their computers and you do not want to forward traffic from certain browsers to TMWS, specify each forbidden browser by the original file name of its main executable file. The file extension, such as .exe, is optional. Separate multiple entries with commas.

    To identify the original file name of a browser:

    • On a Windows computer, open the installation folder of the browser, locate and right-click the main executable file, and click Properties. For example, Firefox's file name is firefox and Opera's is launcher.

    • On a macOS computer, go to Utilities > Activity Monitor and then find the process name of the browser. For example, Chrome's process name is Google Chrome.

    Uninstall agent password

    TMWS requires a password to prevent unauthorized uninstallation of the agent. The password displays as plain text for your reference.


    Trend Micro recommends using a complex password to prevent users from uninstalling the Enforcement Agent.

    Hosted PAC file

    Select a PAC file from the drop-down list.

    TMWS provides a default PAC file for use on Windows and macOS. The PAC files already created on the PAC Files screen are also listed. For more information on adding a PAC file, see PAC Files.

    Proxy port

    Specify the local proxy port number.


    The default value is 8080.

    The proxy port is only available on Windows endpoints.

  3. In the Download agent installer area, click the button for the operating system (Windows or macOS) on which you want to install the agent.

    The agent installation package downloads. For information on installing and deploying the agent, see Enforcement Agent Deployment.

  4. In the Disable Agent section, generate an access key for temporarily disabling the agent on client computers.
    1. Click Create Access Key.
    2. In the Expiration date area, click the calendar button to specify a date and then click Generate.

      On client computers, the access key expires at 23:59 on the selected day, according to the system time of each computer.

    3. In the Agent access key area that reappears, view the generated access key.
    4. Record the access key and then provide it to users who need to temporarily disable the agent.
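
For the Forbidden browser(s) setting in step 2, the following PowerShell script (an added example, not part of the TMWS documentation or product) reads the original file name of each browser executable on a Windows reference machine and builds the comma-separated value for the field. The executable paths are assumed default install locations, and the script assumes that the name shown in the file's Properties is the OriginalFilename field of the version resource.

```powershell
# Added example, not vendor code. The paths below are assumed default install
# locations; replace them with the executables present on your reference machine.
$candidates = @(
    "$env:ProgramFiles\Mozilla Firefox\firefox.exe",
    "$env:LOCALAPPDATA\Programs\Opera\launcher.exe",
    "$env:ProgramFiles\Google\Chrome\Application\chrome.exe"
)

function Get-OriginalFileName {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        Write-Warning "Not found, skipped: $Path"
        return $null
    }
    # VersionInfo.OriginalFilename comes from the file's version resource,
    # so it stays the same when the file is renamed on disk.
    $name = (Get-Item -LiteralPath $Path).VersionInfo.OriginalFilename
    if ([string]::IsNullOrWhiteSpace($name)) {
        Write-Warning "No original file name in version resource: $Path"
        return $null
    }
    # The console treats the extension as optional, so drop it for a uniform list.
    return [System.IO.Path]::GetFileNameWithoutExtension($name.Trim())
}

$names = $candidates |
    ForEach-Object { Get-OriginalFileName -Path $_ } |
    Where-Object { $_ } |
    Sort-Object -Unique

# Comma-separated value to paste into the Forbidden browser(s) field.
$names -join ','
```

Executables that are missing or carry no original file name produce a warning and are left out of the list, so review the warnings before pasting the result into the console.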