3LS Platform Documentation

Technical guides for enrolling the `guardian` runtime into 3LS Platform. Guardian enforces company AI policy at the endpoint before prompts, uploads, and tool actions leave the organization.

Enroll an Agent Configuration Reference

Start here

Get the `guardian` runtime enrolled and connected to 3LS Platform, then move into configuration, examples, and platform details. Start with the Windows Quick Start if you are onboarding managed endpoints for the first time.

→ Enroll guardian → Stored credentials and state → Configuration reference → Platform-specific notes

Related technical topics

Follow the technical path from enrollment through policy and operational workflows.

→ Shadow AI and agentic tools → Example policies → Platform overview → Capability pages

What this section is for

This is the technical destination for enrollment, configuration, examples, and implementation details. Marketing pages stay visual and product-led; technical specifics live here.

Enroll guardian into 3LS Platform

The onboarding flow is token-based: an administrator issues an enrollment token, guardian enrolls into 3LS Platform, and the service returns agent credentials for ongoing configuration polling.

Enrollment flow

1

Issue an enrollment token

A tenant admin or superadmin creates an enrollment token through the management server.

2

Send host and platform metadata

The agent enrolls by sending hostname, platform, OS version, agent version, and machine identifier.

3

Receive credentials

The server returns an account identifier, agent identifier, agent token, and config version.

4

Start config polling

The agent stores its credentials locally and begins polling for configuration updates with the issued agent token.

Enrollment sequence

Admin: issue enrollment token
Agent: POST /enroll with host metadata
Server: return agent_id, agent_token, config_version
Agent: store credentials and begin config polling

Stored credentials and state

After enrollment, the agent keeps the minimum state needed to identify itself and retrieve configuration updates.

Server URL

The management server the agent enrolled against.

Agent ID

The identity assigned to the enrolled device.

Agent token

Credential used to authenticate later configuration and event operations.

Config version

Starting configuration version returned during enrollment.

Configuration reference and examples

Use this section for configuration structure, example policies, and platform-specific behavior. This is where YAML and reference material belong.

Reference areas

Configuration file structure

Example policies and starter configurations

Enrollment and token lifecycle behavior

Polling, updates, and operational notes

Platform notes

Windows-specific options and paths

Cross-platform policy fields

Example configurations for managed deployments

Technical troubleshooting references

Shadow AI and agentic tools

Technical deployments often need to account for unmanaged usage across agentic tools, coding assistants, and browser-based AI workflows.

Recognize tools in use

Track approved and unmanaged usage across tools like Codex, Claude, and other agentic assistants.

Tie usage to controls

Map discovery and classification to the policy and configuration references documented here.

Move between docs and platform views

Use the platform page for product concepts and this section for implementation detail.