Two-approver production flow
Large waves need a second approver — and the operator who built the wave can’t sign it.
What it is
The capability, in plain terms
Production change is gated by a cryptographic two-person rule. Every approval is a signature over the exact wave being deployed; approvals expire after 24 hours and can only be redeemed once. Separation of duties is enforced by the platform, not by policy documents.
How it works
The machinery underneath
The bytes signed at approval are the bytes the device agents execute against — nothing can be changed in between. Agents refuse any command that doesn’t carry a fresh, valid approval, and the creator of a wave is structurally barred from approving it.
No single operator can deploy a wave alone.
Separation-of-duties evidence your auditor can use, generated as you work.
Stale or reused approvals simply don’t work.
Explore more features
End-user portal
A single calm page tells employees when their device migrates. They can start now or defer.
Live operator console
While the agents do the work on devices, your team watches and steers everything from one pane.
Failure quarantine & safe retries
Failures are isolated, diagnosed, and retried — not blast-radius events.