Choosing a deployment model
PingOne Privilege offers agent-based and agentless deployment models to meet different organizational needs and security requirements. Choosing the right model depends on your priorities for security, ease of deployment, and user experience.
Agent-based deployment with authenticator app
Agent-based deployment is recommended for organizations that require the highest level of device and user identity assurance. In this model, users install the PingOne Privilege agent on their device. The agent leverages the device’s Trusted Platform Module (TPM) to create a strong, hardware-backed identity using passkeys.
Key features of this model include:
- Strong device and user identity verification.
- Continuous authorization and session monitoring.
- Enhanced security for sensitive environments.
Agentless deployment with single sign-on
Agentless deployment is ideal for organizations seeking a fast, low-friction rollout or for those unable to install agents on all devices. Users access resources using the PCLI shell utility for SSH, cloud CLI, and Kubernetes, authenticating through PingOne SSO.
Key features of this model include:
- Rapid deployment without device software installation.
- Flexibility for organizations with diverse device management policies.
- A phased approach to privileged access management (PAM).
- Some trade-offs in device identity assurance and advanced security features.
Gateways and resource access
Both deployment models require gateways for accessing on-premises resources like servers, databases, and Kubernetes clusters. For cloud accounts, such as AWS, GCP, and Azure, direct access is supported without a gateway. Session logs are captured at the gateway for both models.