Overview
The Formal Endpoint simplifies connecting to protected resources by automating authentication and connection management. It also includes a powerful CLI.Access
Contact Formal support or your workspace administrator for approved Formal Endpoint distribution and deployment guidance.Setup
Log In with AWS SigV4
Use AWS SigV4 when the Formal Endpoint should authenticate as a Formal machine identity.Set up AWS SigV4 auth
Complete the AWS SigV4 authentication
prerequisites. You can
skip the API usage examples.This includes creating an active AWS cloud integration in Formal.
Verify your local AWS identity
Confirm the Formal Endpoint host can call AWS STS:The returned AWS principal must match the Formal machine identity.
Configure the Formal Endpoint
Add this setting to If
~/.formal/config.toml:auth_mode already exists, replace its value instead of adding another
line.Connecting to Resources
Avoiding Credentials
After you log in, confirm your session with:formal connect for a , the Formal Endpoint injects Formal credentials for you. You do not pass Formal usernames or passwords to the client.
- SSH and Kubernetes: Your
~/.ssh/configand~/.kube/configare updated so tools use the right paths and identity. - Other technologies: A localhost listener is started. Point your client at that address and port without supplying Formal credentials.
Transparent Proxy
Transparent proxy is supported on macOS only.
- Run:
- Approve any system prompts so the Formal Formal Endpoint network extension can run.
- Start the transparent proxy:
<resource-name> with the name from formal ls. Traffic to that resource’s hostname then goes through the Connector transparently.
CLI Reference
Optional Update Checks
Formal Endpoint update checks are disabled by default. To enable update polling and the tray update icon, add this to~/.formal/config.toml:
Hide the Tray Icon
To run the Formal Endpoint without a system tray icon, add this to~/.formal/config.toml:
Managed Preferences (MDM overrides)
On macOS, MDM administrators can override any~/.formal/config.toml setting through the com.formal.desktop managed-preferences domain. Deploy the values as Forced (locked) keys in a com.apple.ManagedClient.preferences payload.
Forced managed preferences take precedence over config.toml and apply even when the file is absent. Available keys:
| Managed preference key | Type | config.toml setting |
|---|---|---|
checkForUpdates | bool | check_for_updates |
hideSystrayIcon | bool | hide_systray_icon |
transparentProxyEnable | bool | transparent_proxy.enable |
transparentProxyEnforce | bool | transparent_proxy.enforce |
transparentProxyFail | string | transparent_proxy.fail (open or closed) |
transparentProxyAllowQuic | bool | transparent_proxy.allow_quic |
fixtures/mdm_setup/ for a full example payload.
Authentication
List Resources
↑/k- Move up↓/j- Move downenter- Connect to resource/- Filter resourcesq- Quit?- Show help
Connect to Resources
Databases (PostgreSQL, MySQL, MongoDB)
--launch argument to launch the appropriate CLI program after connecting (for example psql or ssh), e.g.
Specify Native User
If you need to specify a different native user than the default one assigned to your user, you can specify it using the convention:formal@[the_name_of_the_native_user].
SSH
~/.ssh/config automatically.
Kubernetes
~/.kube/config to route through the Connector.
Disconnect
Policy Evaluation
Test policies locally:Decrypt Data
Decrypt Formal-encrypted data:S3 Operations
The Formals3 command automatically routes traffic to the right Connector so your users don’t have to worry about formatting the right parameters for S3.
Interact with S3 through Formal:
Device Trust
The Formal Endpoint reports device information for policy enforcement:- Hardware model and serial number
- OS version and security settings
- System Integrity Protection status
- Secure boot status
Headless Mode
The Formal Desktop app supports being launched in headless mode. This can be useful in server environments without a GUI or keyring support. To start the agent in headless mode, you can use the following command:Using an API Key
The Formal Desktop app supports using an API key to authenticate to the Control Plane. First, you will need to create an API key on the Formal Console. Create one under API Keys in the console. To start the agent with an API key, you can use the following command:MDM Deployment
Deploy the Formal Endpoint organization-wide via your MDM with an approved package from Formal support:- Request the approved deployment package from Formal support.
- Add it as a custom app in your MDM (Jamf, Intune, etc.).
- Push it to all user devices.
Need help deploying via MDM? Contact Formal support for assistance.
Troubleshooting
App not running
App not running
Error:
WARNING: CLI cannot connect to the Formal app. Please make sure the Formal app is running.Solution:- Check that Formal is visible in system tray
- Restart the Formal app
- On Linux:
systemctl start --user formal
Command not found
Command not found
Error:
bash: formal: command not foundSolution:- Reinstall CLI: Click tray icon → Preferences → Install in PATH
- Or create symlink manually (see Setup section)
- Or add alias to
.bashrc/.zshrc
Connection fails
Connection fails
Solution:
- Check resource exists:
formal ls - Ensure Connector is running
- Check network connectivity
Best Practices
Keep App Running
Keep App Running
The Formal Endpoint must be running for CLI commands to work. Enable “Launch at
startup” in preferences.
Use Descriptive Resource Names
Use Descriptive Resource Names
When connecting via
formal connect, use tab completion to find resources
quickly.Leverage the TUI
Leverage the TUI
formal ls provides an interactive way to explore and connect to resources
without memorizing names.Disconnect When Done
Disconnect When Done
Always disconnect from resources when finished to free up local ports.