Frequently Asked Questions (FAQ): Duo Desktop Agent
General Information
Duo Desktop is a lightweight agent that helps control access to institutional applications when devices do not meet certain security requirements. The agent checks the security posture of the connecting system to determine if requirements such as antivirus, disk encryption, etc. are met before allowing access to sensitive applications.
In compliance with the UC Information Security Investment Plan announced by UCOP in February 2024, all systems (including personal devices) that connect to university applications must have the UC-approved endpoint detection and response (EDR) software, Trellix Endpoint Security, installed. The Duo Desktop agent is being deployed to check whether Trellix is installed on the connecting endpoint before allowing it to connect to certain UCLA applications.
Duo Desktop must be installed by May 28, 2025 in alignment with the deadline for implementation of the UC Security Investment Plan.
Install Duo Desktop
The Duo Desktop agent can be downloaded and installed from the Duo website free of charge.
https://duo.com/docs/checksums#duo-desktop
The Duo Desktop agent supports all modern operating systems including Windows, macOS, and Linux. Local administrator rights on the endpoint are required to complete the installation.
Self-install During Authentication
When accessing Duo-protected applications, you are presented with self-installation of the client.
The Duo Desktop agent does not collect any personally identifiable information (PII), file data, or information that can be used to determine browsing history or other personal information. The agent collects basics system identifier information such as:
| Data Elements | ||
|
|
|
|
|
|
|
|
|
A complete list of data collected can be reviewed at https://help.duo.com/s/article/5566?language=en_US.
UCLA is adopting a risk-based approach to enforcement with the Duo Desktop agent. The initial application enforcement list will focus on high-risk applications that store, process, or transmit Protection Level 4 data which is the most sensitive classification as defined by UC policy. This includes applications that deal with financial data, personally identifiable information, and/or private health information.
A full list of applications will be announced in late-April 2025.
If Duo Desktop is not installed by 5/28/25, the next time a user attempts to access a UCLA application that is now being enforced by Duo Desktop, the login process will automatically redirect them to instructions on how to download and install the agent. Once Duo Desktop is installed, the agent will perform a check to ensure that Trellix is installed on the connecting machine before granting access to the application.
If the user is unable to complete the Duo Desktop install, they will not be able to access the application until they are able to receive assistance to properly install the agent.
Only Windows-based tablets will be required to run Duo Desktop. Smartphones and other tablets will not be required to run Duo Desktop or be postured for Trellix when connecting to UCLA applications.
The system tray bar on Windows and macOS devices will display an icon for Duo Desktop when installed.
Duo Desktop runs in the background with a small footprint. It only actively engages when you authenticate into a protected application.
Yes. Each protected application has its own Duo Desktop policy. Even if you’re already logged into one application, accessing another protected one will trigger a new Duo check specific to that app.
In such cases, users will need to contact their local IT support team to assist with installation. The software cannot be installed without administrator privileges.
Yes. In urgent situations, faculty may be temporarily added to an exception group by contacting the IT Support Center to regain access while they work through compliance.
Duo Desktop has a minimal resource footprint and should not cause performance issues, even on older systems.
Duo Desktop includes an auto-update option during installation, which is enabled by default. It checks for updates and installs them automatically—no manual reinstall required.
No. Only a curated list of high-risk applications containing Protection Level 3 or 4 data will be protected initially.
