RoboShadow Blog

Mac & Linux Agents, Expanded AutoFix Capabilities & Tighter Controls

Written by Zaima Lalmahomed | Jul 7, 2026 4:24:31 PM

We're back with another big release, and this time the team are very excited to announce that we've taken the RoboShadow Mac and Linux Agents out of Experimental Features. They are now globally available in Beta 🎉

We are well aware that this release has been a long time coming and we want you all to know that your support means the world to us. We've spent a lot of time working towards a very solid foundation to build and release these agents (2 years in the making), so rest assured that as with everything we release, our mission is to deliver the highest standard at the lowest cost possible for you. 

This comes alongside other highly requested features in this release:

  • AI App Upgrades
  • Custom Range & Schedule in External Scanner

  • CISA KEV Prioritisation in AutoFix
  • 365 CIS Benchmarks in AutoFix
  • User Applications

This release marks a major milestone for the team, and we're excited to share the progress we've made so far, with even more improvements already on the way. And we're not just stopping there, so stay tuned for our upcoming releases; they'll be packed with improvements and expanded coverage as we continue driving towards feature parity with leading solutions such as Qualys and Nessus.

We've included guided video tutorials to take you through these features, and you can find a list of more upcoming features at the bottom, but as always, don't hesitate to reach out to us directly at hello@roboshadow.com or terry.lewis@roboshadow.com if there's anything you'd like to ask about in particular.

In other news, please have a browse through our YouTube channel / LinkedIn page - we've been putting out a lot more content in terms of videos, interviews, articles etc. And there's a lot more exciting content coming out soon that I believe will be very insightful for our users, so make sure to keep an eye out.

One of our latest YouTube videos diving into Anthropic's Mythos:
 
 

We can only ask that you keep all of the feedback coming. It's how we build, improve and deliver strong results for you all, and we appreciate each and every bit of feedback - whether it's positive or negative.

Mac & Linux Agents:

Over the past months, many of you have been using these agents through our Experimental Features, helping us shape and improve them along the way, and we're delighted to now bring both agents out of experimental and into public release in Beta.

The RoboShadow Mac Agent and Linux Agent provide full vulnerability visibility across macOS and Linux devices, right alongside your Windows fleet, giving you a complete view of your endpoint security posture from a single platform.

Key Capabilities Overview

Capability

Mac Agent

Linux Agent

Vulnerability scanning & CVE matching

Device visibility (hostname, serial, IP, OS)

Hardware inventory (model, processor, memory, BIOS)

Software inventory (installed applications)

✅ (APT, RPM, Snap, Flatpak + manually installed binaries)

Firewall status monitoring

✅ (macOS firewall, GateKeeper, stealth mode)

✅ (UFW, iptables, ip6tables, nftables, firewalld)

Antivirus detection

✅ (17 products including CrowdStrike, SentinelOne, Defender, ClamAV, and more)

Disk & storage reporting

✅ (including LUKS encryption and Samba share detection)

OS update tracking

✅ (available & installed updates)

✅ (APT & YUM/DNF security and OS updates)

Ubuntu Pro / ESM detection

Coming Soon

ARM64 (Apple Silicon / aarch64) support

Once you've installed the agent, your Mac and Linux devices will appear in your device lists and reports. You can filter by operating system across Device Vulnerabilities, Hardware, Software, Antivirus, Disks, and OS Updates.

Note: These are read-only, visibility-first agents, that scan and report. They don’t make changes to your devices. Automated remediation remains Windows-only for now, as macOS patching is best handled via Apple Business Manager, and we’re working on apt-get update functionality for Linux in the near future. LAN scanning, CIS Benchmarks, and remote commands are also not available for Mac/Linux.

Watch Charlie’s video tutorial here:  

 

 

AI App Upgrades (Experimental Feature)

AI App Upgrades (or you may have heard us refer to it as AI AppGet) can be enabled through Experimental Features, and is designed to automate the remediation of software vulnerabilities for applications that don't currently have a standard WinGet upgrade path. By leveraging AI to research and source verified installation packages from trusted sources, this feature ensures that your device environment stays secure and up-to-date, even for niche or proprietary software. 

Watch Charlie’s video tutorial here:  

 

Note: Please view the results of the research before pushing out an update via AI Fix, to ensure that you're happy with the package that will be installed on the machine.

 

Custom Range & Schedule in External Scanner (Hour & Day)

RoboGuard Scheduled Scans allow you to automate your external security audits by setting up recurring vulnerability scans. So instead of manually triggering a scan, you can define specific intervals to ensure your external-facing assets are consistently monitored for threats.

This feature helps in maintaining compliance and ensures that new vulnerabilities are detected promptly without requiring manual intervention. The scheduling engine now allows you to define both the frequency of the scan and the exact timing (yearly, quarterly, monthly, weekly, down to the day and hour), and once a schedule is set, RoboGuard will automatically initiate the external scanner at the coordinated time.

Watch Charlie’s video tutorial here:  


Note:  The system operates on UTC (Coordinated Universal Time). Before finalising your schedule, double-check your local time zone against UTC to ensure the scan runs at your intended local time.

 

365 CIS Benchmarks in AutoFix (Experimental Feature)

The AutoFix CIS Benchmarks feature is designed to automate the remediation of security configuration gaps - you can now enable this through Experimental Features. Based on the Center for Internet Security (CIS) standards, this feature allows administrators to automatically resolve non-compliance issues across devices and Microsoft 365 environments. Automating these fixes means that organisations can ensure they maintain a continuous security posture without manual intervention, significantly reducing the window of vulnerability when a device or account falls out of compliance. 

Because this is a powerful capability that makes changes to your live Microsoft 365 tenant, we want to give you the full picture before you switch it on, including a safety note about avoiding lockouts: 

Some of the most valuable benchmarks, particularly those that create or tighten Conditional Access and authentication policies, are also the ones most capable of locking people out if your environment isn't ready for them.

🚨 The single most important rule: make sure your tenant already meets the benchmark's requirements before you apply the fix.

Examples:

  • Enforcing MFA: If you apply a rule that requires MFA for all users or admins, but some accounts don't yet have an MFA method registered, those accounts can be blocked at their next sign-in until they enrol. Confirm everyone (especially your admins) has MFA set up first.
  • Blocking legacy authentication: This is excellent for security, but it will break older mail clients, line-of-business apps, scripts, and service accounts that still rely on basic/legacy auth. Make sure those dependencies have been migrated first.
  • Requiring compliant or managed devices: A Conditional Access rule that demands an Intune-compliant or hybrid-joined device will block access from devices that don't meet that bar yet.

And one last note: AutoFix requires that your Microsoft 365 connection has write access, so if you’ve connected to RoboShadow as read-only, then remediation is intentionally blocked and you’ll only see assessment results.

Watch Charlie’s video tutorial here:  

 

 

CISA KEV prioritisation in AutoFix

The CISA Prioritisation and KEV integration in AutoFix is now fully released and allows IT administrators to automate software updates based on the risk level of detected vulnerabilities.

With this, you can tell a rule to only patch applications affected by CVEs that appear on CISA's catalogue of vulnerabilities confirmed to be exploited in the wild, cutting through the thousands of potential CVEs to focus your remediation on real, active attack vectors.

That, combined with a CVSS severity threshold, gives you a precise, risk-based patching strategy: for example, one rule that auto-patches anything Critical and on the KEV list immediately, and a separate, more relaxed rule for lower-severity updates. As always, the goal is to deliver upgrades that mean less noise, less decision fatigue, and far more confidence that every automated fix is addressing a genuine threat.

  Watch Charlie’s video tutorial here:  

 

Note: The rule for apps only fires when the CVE clears your CVSS threshold. This is the key behaviour to flag to users. If you enable both KEV and a CVSS threshold, they combine with AND logic: a CVE must be on the KEV list and score at or above your threshold to trigger a fix. Severity bands are Critical (9.0–10.0), High (7.0–8.9), Medium (4.0–6.9), Low (0.1–3.9), and you can fine-tune within a band (e.g. 7.5).

 

User Applications Now Enabled for All Organisations

As promised, we've now enabled User Apps for all organisations by default. You can still disable this feature as you please. 

User Applications covers any applications that are installed in the context of a user, providing complete visibility. We've made this progression to give you better posture out of the box and simplify your operations. Browsers and comms tools are the biggest day-to-day attack surface and the most frequent CVE/KEV churn, and predominantly install per-user. Excluding them by default leaves the worst offenders unpatched. 

They will be included in the Software and CVE pages, so be aware that you’ll likely see a spike in CVEs – this is completely normal as the data increases.



We’ve made upgrades to this so that you can now use AutoFix on User Apps, as well as the one-click fix button. We’ve also added in an option to stop AutoFix from updating User Apps if any issues are detected – you can enable this for select / all AutoFix rules as you wish via AI AutoFix Rules.

All of your User Apps are now synced against WinGet so you can update them in exactly the same way as usual.

How to access the feature:

  1. Navigate to Device Management in the top menu


  2. Select Device Vulnerabilities


  3. Scroll down to find User Apps (located next to System Apps)

 

A Reminder: TOPdesk PSA

Most of you will already be aware of this, but we just wanted to include a reminder that RoboShadow now supports TOPdesk as a native PSA integration. This feature allows IT teams and MSPs to streamline their vulnerability management by automatically synchronising security data with TOPdesk. 

RoboShadow will automatically generate a ticket in TOPdesk when a vulnerability that meets your specified criteria is detected, and once we verify that applications have been patched and the vulnerability is resolved, the corresponding ticket will be automatically closed. You can also define exactly what vulnerabilities trigger a ticket based on their CVSS score, to prevent 'alert fatigue'.

Watch Charlie’s video tutorial here:  

 

 

Other Improvements We've Made Across The Platform

We’ve also made upgrades across several areas:

  • Maintenance Windows
    You can now schedule by specific days of the week, giving you more control over when maintenance runs.

  • Auto-detected IPs
    This is in the External Scanner and allows you to view all agent devices, workstations, and servers that are behind an external IP address, and easily configure a scan.

  • Archived Devices Are Out of Beta
    We previously notified you of bug fixes and are pleased to announce the full release of this feature.

  • MCP is Out of Experimental Features
    Connects Claude directly to the RoboShadow platform, so you can ask questions on your security posture and get answers drawn directly from your data.

  • Support Tickets with Attachments
    You can now attach screenshots or PDFs (up to 5 files, 5 MB each) when raising a support ticket from the portal for faster diagnosis & less back-and-forth.

  • CyberHeal / AutoHeal improvements:
    - Uninstall Fixes for Windows Agent: more dependable application removal.
    - Zoom Fixes for User-Level Installs: resolves upgrade problems specifically for per-user Zoom installs – ties into the work we’ve done on User Apps.
    - Registry Cleanup on Upgrades: when an app has a corrupted registry, CyberHeal now detects and cleans it up automatically as part of the upgrade / uninstall pipeline. This has been enabled for specific apps with known issues, but we are planning to rollout across all apps.

 

Coming Soon

  • Scheduled scripts: set PowerShell scripts and packages to run at a future date/time, so maintenance lands in your chosen window rather than on the spot.
  • Single-org device groups: let organisation admins create and manage their own device groups without needing tenancy-admin access.
  • Org-level archived devices: set stale-device archiving policy per organisation rather than one tenancy-wide rule.
  • Attack surface automation: discovered subdomains and IPs from domain enumeration get scanned and monitored automatically, with no manual push. 
  • Enforced MFA: gives administrators the ability to mandate that all users within a Tenancy set up MFA before they're permitted to interact with the platform.

As always, our team is on hand if you’d like further guidance or want a second pair of eyes before you enable anything. Please do give these features a try and let us know what you think; as we keep iterating to you all, your feedback is what shapes where this feature will go next! 

Thank you for your ongoing support and feedback, and if you have any questions, please don’t hesitate to reach out to us at hello@roboshadow.com