Tray app
The PermitUSB tray app runs in every signed-in user's session. It exists to make enforcement transparent: when a device is blocked, the user sees why, immediately.
What it shows
- A status icon (shield green / amber / red)
- A tooltip summarising current state ("123 rule(s) loaded")
- Toast notifications on every block: device name + matched rule
- A status panel listing the most recent events, current policy etag, last sync time
States
| State | Icon | Meaning |
|---|---|---|
| Healthy | Shield, green | Policy fresh; enforcement live. |
| Stale | Warning, amber | Hasn't reached the cloud recently. Default-block in effect. |
| Tamper | Error, red | Refresh-token replay or service-stop attempt detected. Re-enrollment needed. |
| Trial expired | Warning, amber | Billing lapsed. Enforcement disabled. Add a card to resume. |
How it talks to the service
Named pipe \\.\pipe\PermitUSB.Agent. The pipe ACL allows LocalSystem + Administrators full access and Interactive Users read+write. The tray polls the pipe every five seconds for a status snapshot — small enough that the polling cost is invisible.
Disabling the tray
The tray is registered as a per-user run-key by the MSI. To suppress it, removeHKLM\Software\Microsoft\Windows\CurrentVersion\Run\PermitUSB.Tray. Enforcement keeps working — only the user-facing affordance disappears. We don't recommend this for end-user machines (transparency is the whole point), but it's a reasonable choice for kiosks where a tray icon would be confusing.