Frequently Asked Questions (FAQ): Duo Desktop Agent
General Information
Duo Desktop is a lightweight agent that helps control access to institutional applications when devices do not meet certain security requirements. The agent checks the security posture of the connecting system to determine if requirements such as antivirus, disk encryption, etc. are met before allowing access to sensitive applications.
Duo Desktop currently checks for Trellix on all university-managed devices that access high-risk UCLA applications.
In compliance with the UC Information Security Investment Plan announced by UCOP in February 2024, all systems (including personal devices) that connect to university applications must have the UC-approved endpoint detection and response (EDR) software, Trellix Endpoint Security, installed. The Duo Desktop agent is being deployed to check whether Trellix is installed on the connecting endpoint before allowing it to connect to certain UCLA applications.
By ensuring that Duo Desktop is installed on systems accessing sensitive UCLA applications, this helps to ensure that Trellix, the only UC-approved cybersecurity Endpoint Detection and Response (EDR) tool is protecting our most valuable infrastructure.
To continue accessing the list of protected applications, Duo Desktop must be installed by May 28, 2025 in alignment with the deadline for implementation of the UC Security Investment Plan.
Installing Duo Desktop
Install Duo Desktop
The Duo Desktop agent can be downloaded and installed from the Duo website free of charge.
https://duo.com/docs/checksums#duo-desktop
The Duo Desktop agent supports all modern operating systems including Windows, macOS, and Linux. Local administrator rights on the endpoint are required to complete the installation.
Self-install During Authentication
When accessing Duo Desktop-protected applications, you are presented with self-installation of the client. Local admin rights to the system are required to complete the installation.
 
Additional information on how to install can be reviewed on our Duo Desktop Getting Started webpage
If Duo Desktop is not installed by 5/28/25, the next time a user attempts to access a UCLA application that is now being enforced by Duo Desktop, the login process will automatically redirect them to instructions on how to download and install the agent. Once Duo Desktop is installed, the agent will perform a check to ensure that Trellix is installed on the connecting machine before granting access to the application.
If the user is unable to complete the Duo Desktop install, they will not be able to access the application until they are able to receive assistance to properly install the agent.
 
You may verify Duo Desktop is properly setup by visiting the Duo Desktop Test site.
The system tray bar on Windows and macOS devices will display an icon for Duo Desktop when installed.
 
Duo Desktop runs in the background with a small footprint. It only actively engages when you authenticate into a protected application.
The Duo Desktop agent does not collect any personally identifiable information (PII), file data, or information that can be used to determine browsing history or other personal information. The agent collects basics system identifier information such as:
 
| Data Elements | ||
| 
 | 
 | 
 | 
| 
 | 
 | 
 | 
| 
 | 
 | 
 | 
A complete list of data collected can be reviewed at https://help.duo.com/s/article/5566?language=en_US.
Duo Desktop has a minimal resource footprint and should not cause performance issues, even on older systems.
Duo Desktop includes an auto-update option during installation, which is enabled by default. It checks for updates and installs them automatically—no manual reinstall required.
In such cases, users will need to contact their local IT support team to assist with installation. The software cannot be installed without administrator privileges.
Duo MFA verifies your identity with a second factor (e.g., push notification), while Duo Desktop verifies device's security posture. Both work together to ensure secure access to high-risk applications.
Application Enforcement Information
UCLA is adopting a risk-based approach to enforcement with the Duo Desktop agent. The initial application enforcement list will focus on high-risk applications that store, process, or transmit Protection Level 4 data which is the most sensitive classification as defined by UC policy. This includes applications that deal with financial data, human resources and personnel information, student data, and/or critical IT applications.
| 
 | 
 | 
 | 
| 
 | 
 | 
 | 
| 
 | 
 | 
 | 
| 
 | 
 | 
 | 
| 
 | 
 | 
*Signing DocuSign envelopes will not require authentication via Duo Desktop + Trellix
**Office 365 refers to the UCLA Enterprise Messaging instance only and includes all online Microsoft productivity apps including Outlook, OneDrive, etc. Locally-installed Microsoft Office applications are not impacted.
No. Only a curated list of high-risk applications containing Protection Level 3 or 4 data will be protected initially. Future applications will be added following a risk-based approach to protect sensitive data.
No, if you have a local login to any of these applications you will not be postured before login. This is also applicable when inviting external collaborators to applications who do not have a UCLA Logon and would not sign-in via SSO.
No, UCLA applications already behind SSO will not need to be reconfigured to support Duo Desktop. The security check occurs at the authentication-level, before the application permissions or access controls are validated.
Yes. Each protected application has its own Duo Desktop policy. Even if you’re already logged into one application, accessing another protected one will trigger a new Duo check specific to that app.
There is no grace period. If your device does not meet posture requirements (e.g., Duo Desktop not installed or Trellix not detected), access to protected applications will be blocked at login. However, in urgent scenarios, users can be temporarily exempted by contacting the IT Support Center.
Users needing urgent access outside of regular support hours can contact the IT Support Center. If appropriate, they may be added to a temporary exception group ("bypass group") to regain access until support is available.
The Duo Desktop Agent UI will by default display health checks for operating system (OS) patch level, system password, disk encryption, and firewall status. This display is not customizable, and are not part of the enforcement check to access high-risk UCLA applications. The only compliance check that will be enforced will be whether Trellix HX, the only UC-approved EDR product, is installed. There is no option to display EDR compliance on the Duo Desktop Agent UI at this time.
 
Compatibility and Exclusions
Only Windows-based tablets will be required to run Duo Desktop. Smartphones and other tablets will not be required to run Duo Desktop or be postured for Trellix when connecting to UCLA applications.
By default, UCLA students and emeriti will automatically be exempted from having to run Duo Desktop and/or Trellix on their systems to access UCLA applications.
In urgent situations, users may be temporarily added to an exception group by contacting the IT Support Center to regain access while they work through compliance.
Each device you use to access protected applications must meet the Duo Desktop and Trellix requirements. You'll need to install Duo Desktop on every system you regularly use for UCLA access.
A posture check is performed every time you authenticate into a protected application. If your system falls out of compliance (e.g., Trellix removed), access will be blocked until the issue is resolved.
Support and Resources
For additional questions or assistance, please contact DTS Help Desk:
Phone: (310) 267-HELP (4357)
Email: help@it.ucla.edu
Office: 124 Kerckhoff Hall
- Visit the Duo Desktop Getting Started webpage for detailed install instructions
- Watch this step-by-step video on using Duo Desktop to access protected UCLA applications.