These docs cover Pulse Endpoint (paid). Pulse Lite is the free, local-only build — features such as Splunk integration, MDM deployment, the CLI, upload, and licensing don't apply to it. Compare editions →
Security & Privacy
Pulse Endpoint is designed with security in mind. Here is a complete breakdown of how data is handled in transit and at rest.
Data Collected
The device heartbeat transmits only the fields listed below — the full license key (used for server-side RSA signature verification), a hashed hardware identifier (HMAC-SHA256 of the Mac's hardware UUID, keyed by the license email), the app version, and the license tier. No telemetry, performance metrics, user activity, keystrokes, browsing data, or other personally identifiable information is ever sent.
| Field | Example | Purpose |
|---|---|---|
| license_key | (base64-encoded signed key) | Full license key; server verifies RSA signature before recording anything |
| hardware_uuid | a3f8c1...(HMAC-SHA256) | Hashed device identifier for seat counting |
| app_version | 1.0.0 | Pulse Endpoint version for update tracking |
| license_type | pulse_seat | License tier for fleet management |
Encryption in Transit
- TLS 1.2+ — All heartbeat communication uses HTTPS. macOS App Transport Security enforces a minimum of TLS 1.2 for all connections.
- Certificate validation — Pulse Endpoint uses the system trust store to validate server certificates. Connections to endpoints with invalid or expired certificates are rejected.
- No plaintext fallback — HTTP connections are never attempted. The endpoint enforces HTTPS with automatic redirect.
Encryption at Rest
- Server-side — Device activation records are stored in a PostgreSQL database with AES-256 encryption at rest.
- Client-side — The license key is stored in macOS UserDefaults (
com.qlabs.pulse.plist), protected by macOS file permissions and FileVault disk encryption when enabled. - License key format — License keys are cryptographically signed (RSA-2048, SHA-512) to prevent tampering. The signature is verified locally against an embedded public key.
Network Requirements
Pulse Endpoint sends a heartbeat to the licensing server once every 24 hours. The request includes the full license key; the server verifies its RSA-2048/SHA-512 signature before recording anything. The server returns a signed verdict — ok, over_limit, or revoked — that the app verifies against its embedded public key.
https://licensing.pulseformac.dev/api/heartbeat- Protocol: HTTPS (port 443)
- Frequency: Once every 24 hours
- Required: Yes — Pulse Endpoint requires a successful, verified license check-in at least once every 14 days. After 14 consecutive days without a verified response, metric collection stops until connectivity is restored or a new key is entered.
If your environment uses a web proxy or firewall, licensing.pulseformac.dev must be allowlisted on port 443. This is the only external endpoint Pulse Endpoint contacts for licensing (apart from any Splunk HEC URLs you configure).
Seat overage never stops collection. If active device count exceeds purchased seats, Pulse Endpoint continues to collect on all Macs and you receive an email notification with instructions to add seats. No automatic charges apply.