Live in 30 Minutes
Or Less.
From sign-up to your first client actively managed. Five steps, no professional services engagement, no week-long implementation project. Just you, the dashboard, and your endpoints.
Sign Up for Your
Partner Account
Create your MSP partner account at ctrllayer.com. No credit card required during the trial period. You get immediate access to the multi-tenant management dashboard with the ability to create up to 5 tenants and manage up to 50 endpoints at no cost.
What You Need
- Business email address
- MSP company name
- Estimated endpoint count
What You Get
- Multi-tenant dashboard access
- 5 trial tenants
- 50 trial endpoints
- 30-day full-feature trial
Configure Your
First Tenant
Create a tenant for your first client. Each tenant is a fully isolated environment with its own policies, users, endpoints, and compliance data. Think of it as a dedicated CtrlLayer instance for that client, managed from your single dashboard.
$ ctrllayer tenant create \
--name "Acme Corporation" \
--domain acme-corp \
--template standard-business
Tenant 'acme-corp' created successfully.
Tenant ID: tn_7f8a2b3c4d5e
Agent installer: https://dl.ctrllayer.com/agent/acme-corp The tenant comes pre-loaded with a policy template. You will customize it in Step 4, but for now, the defaults are sensible: block all elevation, allow self-service for common applications, and require approval for everything else.
Deploy Agents
to Endpoints
The CtrlLayer agent is a lightweight Windows service that manages privilege elevation on each endpoint. Deploy it using whichever method fits your workflow.
Group Policy (GPO)
For Active Directory environments, deploy the MSI via Group Policy Software Installation. The installer accepts a tenant code parameter that automatically registers the agent to the correct tenant.
msiexec /i ctrllayer-agent.msi /qn
TENANT_CODE=acme-corp
API_KEY=key_xxxxx
Microsoft Intune
Upload the MSI to Intune as a Line-of-Business app. Configure the tenant code and API key as app parameters. Assign to device groups and let Intune handle the rollout.
App type: Line-of-business (MSI)
Install command: auto-detected
Parameters: TENANT_CODE, API_KEY
RMM Script
Use your RMM platform's scripting engine to push the agent. We provide pre-built scripts for ConnectWise Automate, Datto RMM, NinjaRMM, and Syncro that handle download, installation, and registration in one step.
# PowerShell one-liner
irm https://dl.ctrllayer.com/install.ps1 |
iex -TenantCode acme-corp
Agents check in within 60 seconds of installation. You will see them appear in the dashboard as they come online, with OS version, hostname, and current admin group membership.
Set Policies for
the Client
With agents deployed and reporting, it is time to define the privilege policy for this client. Start from one of the built-in templates and customize as needed.
Standard Business
Removes local admin. Allows self-service elevation for common productivity apps (Office, Adobe, browsers). Requires approval for system tools, scripts, and installers. 15-minute elevation window.
Healthcare (HIPAA)
Standard Business rules plus: dual approval for EMR applications, 5-minute elevation window for PHI-adjacent tools, mandatory justification on every request, enhanced audit logging.
Financial Services
Standard Business rules plus: SOX-aligned controls, no self-service elevation for financial applications, time-of-day restrictions on elevation, quarterly access review enforcement.
Developer Workstation
Allows self-service elevation for development tools (IDEs, package managers, Docker, WSL). Blocks elevation for production database tools. 30-minute elevation window. No approval needed for allowlisted tools.
After applying a template, review the application allowlist with data from Step 3. If you ran agents in monitoring mode before enforcement, you will have a complete picture of what applications users are elevating. Add frequently used apps to the self-service list to minimize friction.
Go Live.
You Are Managing Privileges.
Switch the tenant from monitoring mode to enforcement mode. From this moment, the CtrlLayer agent actively manages privilege elevation on every endpoint. Users see the elevation prompt. Compliance checks start scoring. Audit logs begin recording.
$ ctrllayer tenant update acme-corp \
--mode enforce
Tenant 'acme-corp' switched to ENFORCE mode.
47 agents updated. Policy active on all endpoints.
Compliance checks: running.
Audit trail: recording. Go-Live Verification Checklist
Your First 30 Days
Success Checklist
Getting live is step one. Here is what the most successful MSP partners do in their first 30 days to maximize value and minimize support burden.
Monitor and Learn
- Review elevation request logs daily
- Identify applications to add to allowlist
- Adjust elevation duration if users need more time
- Verify no legitimate workflows are blocked
- Brief client's team on self-service process
Optimize Policies
- Refine application allowlist based on data
- Set up approval workflow notifications
- Configure alert thresholds for unusual activity
- Integrate alerts with your PSA/ticketing system
- Onboard a second client using lessons learned
Automate Reporting
- Configure branded compliance report template
- Schedule monthly automated report delivery
- Generate first compliance report for the client
- Review compliance check results and remediate warnings
- Prepare QBR slide with compliance trend data
Scale and Sell
- Deploy to remaining pilot clients
- Build CtrlLayer into your managed services proposal
- Create internal runbook for new client deployments
- Present security posture improvement to client leadership
- Identify prospects who would benefit from the service
Ready to Start?
Sign up for the MSP Partner Program and get your first client live today. Free trial for 30 days on up to 50 endpoints. No credit card required.