ACC Admin Workspace - Agent Onboarding

Overview

As part of the June 2026 store app release of ACC Admin Workspace (bundled with the ITOM Infra Services Workspace store app), an Agent onboarding page has been added to help with customer deployments.

This article walks you through deploying Agent Client Collector (ACC) clients in your environment. ACC clients are small programs installed on your servers and computers that collect data and send it back to your ServiceNow instance.

Your license determines which capabilities are available. Choose the product that matches your goal:

| Product | What it does | Best for |
| --- | --- | --- |
| ACC-V (Visibility) | Discovers servers, endpoints, and installed software without credentials. Builds and maintains your CMDB. | Servers and endpoints across data centers and branch offices. Works alongside traditional Discovery for comprehensive coverage. |
| ACC-M (Monitoring) | Collects system and application metrics from your hosts and feeds ITOM Health dashboards with threshold-based alerting. | Infrastructure monitoring where you want a single agent instead of a separate monitoring stack. |
| ACC-L (Log Analytics) | Streams log data from your hosts directly into Health Log Analytics. No syslog infrastructure required. | Centralized log collection from servers that cannot reach a syslog endpoint, or where you want ServiceNow to own the full pipeline. |
| DEX (Digital Experience) | Measures endpoint performance, application responsiveness, and user experience scores from employee devices. | IT teams who need visibility into what employees actually experience on their devices. |

Before you begin, one of the most important decisions is choosing how your agents will communicate with ServiceNow. There are two supported paths:

- MID Server with ACC Listener — Agents connect to a MID Server you operate on your own network. The MID Server then relays data to your ServiceNow instance. This path uses an API Key for authentication.
- ITOM Cloud Services (ICS) — Agents connect directly to a ServiceNow-managed cloud gateway over the internet. No on-premises relay server is required. This path uses certificate-based authentication, which ServiceNow manages automatically.

The section below will help you choose the right path for your environment.

Section 1: Preparing for the Deployment

Taking time to plan before you install anything will save you from common failures later.

Choose your connectivity path

Use the table below to decide which path fits your environment:

| Consideration | MID Server with ACC Listener | ITOM Cloud Services (ICS) |
| --- | --- | --- |
| Where are your agents? | On-premises data centers or corporate networks | Remote workers, branch offices, or anywhere with internet access |
| Do you want to manage your own infrastructure? | Yes — you deploy and maintain MID Servers | No — ServiceNow manages the gateway |
| Supported products | ACC-V, ACC-M, ACC-L, SAM/HAM, DEX | DEX (required), ACC-V (specific scenarios); ACC-M and ACC-L require MID |
| Authentication method | API Key or Mutual TLS (mTLS) | Certificates (automatically issued and renewed by ServiceNow) |

You can also use both paths together in a hybrid deployment — for example, MID Servers for your data center servers and ICS for remote employee laptops.

Verify your ServiceNow instance is ready

Before deploying any clients, confirm the following in your ServiceNow instance:

- The Agent Client Collector Framework application is installed (app ID: com.agent-now).
- The product-specific application is installed (e.g., ITOM Visibility for ACC-V).
- Your instance version supports the ACC product you are deploying — check your product documentation if unsure.

Tip: Always deploy to a test environment first before rolling out to production.

Verify your MID Server is ready (MID Server path only)

If you are using the MID Server path, confirm the following on each MID Server that will serve as an ACC Listener:

- MID Server is on the Yokohama release or later.
- The server has at least 4 CPU cores and 10 GB of disk space (50 GB recommended for log collection workloads).
- The AgentClientCollector capability is enabled on the MID Server.
- Capacity: Plan for approximately 1000 agents per GB of MID Server heap memory with a maximum of 8,000 agents per MID Server at 8 GB heap. Use the lower end of this range when planning to leave headroom for growth.
- For best security, use MID Servers dedicated to ACC rather than sharing them with Discovery or other capabilities.

Confirm your computers meet the requirements

Supported operating systems:

- Windows: Windows Server 2016 or later, Windows 10 or later, Windows 11
- Linux: RHEL/CentOS 7+, Ubuntu 18.04+, Debian 9+, SLES 12+
- macOS: macOS 10.15 (Catalina) or later

Each computer needs at least 500 MB of free disk space and 100–200 MB of available memory for the agent to run normally.

Security consideration: Both the ACC executable and the bundled Ruby executable should be allowed to run by any antivirus or endpoint protection software.

Linux consideration: The /tmp directory should be writeable for data collection to properly function.

Not supported: Running agents within containers is not supported. Install on the host system instead.

Check your network

The port and destination your agents need to reach depends on your chosen connectivity path:

- MID Server path: Agents connect outbound to your MID Server's ACC Listener. The default port is 8800. You may configure a different port, but be aware that ports below 1024 (such as 443 or 80) are considered "privileged" on Linux and macOS. If you use one of those ports, the ACC service may need to run as root or an elevated administrator account, which weakens your security posture. We recommend keeping the default port of 8800, or choosing any port above 1024, so the agent can run as a standard limited-permission account.
- ICS path: Agents connect outbound to a ServiceNow-managed cloud gateway on port 443. The gateway address depends on your instance's region:
  - Americas: itomcnc-prod-gateway-amer.sncapps.service-now.com
  - Europe / Middle East / Africa: itomcnc-prod-gateway-emea.sncapps.service-now.com
  - Asia Pacific: itomcnc-prod-gateway-apac.sncapps.service-now.com

In both cases, all connections are outbound from the agent — no inbound firewall rules are required on the computers running the agent. Contact your network team early to get the necessary rules approved, as this is often the step with the longest lead time.

If your computers go through a web proxy, make sure the proxy allows the relevant traffic. If your proxy inspects encrypted (SSL) traffic, it must be configured to bypass inspection for ServiceNow domains, as this will otherwise break the agent's secure connection. Proxy configuration can be made with the https-proxy or pac-file options in acc.yml or with an HTTPS_PROXY environment variable. See KB1943452 for more information.

Plan your rollout

Do not deploy to production on day one. A phased approach lets you catch problems early when they are easy to fix, rather than after thousands of agents are deployed.

| Phase | Scope | What to validate before moving on |
| --- | --- | --- |
| Phase 0 — Non-production pilot | 5–10 agents in a test or dev environment | Run for 24–48 hours. Verify agent status, policy sync, check execution, and log output. Confirm your rollback procedure works. |
| Phase 1 — Limited production | 50–100 agents in a single site, business unit, or network segment | Monitor for 48–72 hours. Confirm data flows end-to-end: agent → MID/ICS → instance → CMDB. |
| Phase 2 — Broader rollout | Additional sites or segments in waves | Use the ACC Admin Workspace to monitor health dashboards, error tracking, and registration rates. Adjust MID Server capacity or ICS configuration as needed. |
| Phase 3 — Full deployment | All remaining endpoints | Establish ongoing baselines for keepalive rates, check pass/fail ratios, and agent version currency. |

Involve the right teams

A successful deployment needs sign-off from:

- Network team — to open firewall ports and approve traffic routes
- Security team — to approve the agent software and its permissions
- Desktop or server operations team — to handle the actual software rollout

Section 2: Registering Agents

Whether you need a registration key depends on your connectivity path:

- ICS path: A registration key is required. Agents use it to authenticate and receive their security certificates from ServiceNow during first startup. You must generate and include the key before deploying.
- MID Server path: A registration key is not used. Agents authenticate to the MID Server using the API Key and are automatically connected to your instance from there. You do not need to generate or configure a registration key for this path.

Generate a registration key (ICS path only)

If you are using the MID Server path, skip this section — no registration key is needed.

1. Log in to your ServiceNow instance as an administrator.
2. Navigate to the Agent Client Collector application.
3. Generate a registration key. You can use one key for all agents or create separate keys for different groups of computers (for example, a separate key for servers versus employee laptops).
4. Keep the key available — you will enter it as needed during installation in Section 3.

Security note: Do not reuse the same registration key in both production and test environments. Generate a separate key for each environment so that a key exposed in testing cannot affect production systems. Registration keys are automatically deleted after 90 days. Set up email notifications to minimize disruption for ongoing deployments.

Section 3: Installation

Once your environment is ready and you have your registration key (if needed), install the agent software on each computer.

Get the installer

Download the ACC installer from your ServiceNow instance. The instance provides the correct installer version matched to your environment. Your ServiceNow administrator can locate it under the Agent Client Collector application.

Service account

The agent runs as a background service and requires a dedicated user account on each computer. The installer creates a default service account automatically, so no action is required for most deployments. However, if your organization's security policy requires a custom account — for example, one managed by your identity team or with a specific naming convention — you can create one before running the installer and assign it during setup.

If you choose to create a custom service account, follow these guidelines to maintain a secure configuration:

Windows: Rather than a standard local user account, use one of the following options:

- LocalSystem — a built-in Windows account that is simple to configure and requires no password management. It has broad access on the local machine, so use it only if your security policy permits it.
- Group Managed Service Account (gMSA) — the recommended option for domain-joined computers. A gMSA is managed by Active Directory, has no password for administrators to maintain, and can be scoped to only the permissions the agent needs. Work with your Active Directory team to provision a gMSA and assign it to the agent service during installation.

Linux and macOS:

- Create a dedicated system user account (for example, svc-acc).
- This account should not be root and should not have general administrative privileges.
- Grant the account limited sudo access only for the specific commands the agent needs to collect data (such as reading hardware serial numbers). Work with your security team to define and approve exactly which commands are permitted before deployment.
- Port note: If you configure the MID Server ACC Listener to use a port below 1024, Linux and macOS will require the agent service to run as root in order to bind to that port. To avoid this and keep the agent running as a limited user, use port 8800 (the default) or any port above 1024.

Install the agent

Run the installer on each target computer. The installer is available for Windows (.msi), Linux (.rpm or .deb), and macOS. During installation, when needed, provide your connection details. Have the information below ready before you begin.

For large rollouts, you can use standard software distribution tools such as SCCM, Intune, Ansible, Jamf, or Puppet to deploy the installer to many computers at once.

Rate limit: Do not deploy to more than 5,000 computers per hour to avoid overloading your ServiceNow instance.

Option A: Connecting through a MID Server (ACC Listener)

Use this option for servers or if your agents are on the same network as your MID Server, or if you are running ACC-M, ACC-L, or SAM/HAM.

Post installation, verify that the agent's configuration file (acc.yml) contains the following lines:

```yaml
backend-url:
  - "wss://your-mid-server.yourcompany.com:8800/ws/events"
api-key: "your-api-key-here"
```

Key points:

- Always use the MID Server's full hostname, not an IP address. This ensures the security certificate validates correctly and lets you change the server's IP in the future without reconfiguring every agent.
- The API Key authenticates each agent to the MID Server. Keep it confidential and restrict read access to the acc.yml file to the service account and administrators only.
- For best security, use MID Servers dedicated to ACC rather than sharing them with Discovery or other capabilities.
- Use a load balancer as the single endpoint for your agents. Rather than pointing agents directly at individual MID Servers, configure an application load balancer (such as AWS ALB, Azure Application Gateway, F5, or NGINX) in front of your MID Server pool and give agents a single hostname to connect to (e.g., acc-listener.yourcompany.com). This means you can add, remove, or replace MID Servers without reconfiguring any agents. The load balancer distributes connections across the pool and automatically routes around any MID Server that becomes unavailable. Set the load balancer's idle connection timeout to more than 60 seconds to accommodate agent keepalive intervals, and enable WebSocket support.
- Mutual TLS (mTLS) authentication: If your security policy requires stronger authentication, mTLS can be configured instead of an API Key. Each agent presents a client certificate to the MID Server, and the MID Server presents one in return. This requires provisioning certificates for each agent and configuring the MID Server to trust the issuing certificate authority. Consult the ACC-F documentation for the full mTLS setup procedure.

Option B: Connecting through ITOM Cloud Services (ICS)

Use this option for endpoints, remote or internet-connected devices, or when you want to avoid managing on-premises relay infrastructure.

Post installation, verify that the agent's configuration file (acc.yml) contains the following lines. Do not include an API Key — ICS uses certificates for authentication, which ServiceNow issues and renews automatically:

```yaml
backend-url:
  - "https://itomcnc-prod-gateway-amer.sncapps.service-now.com:443"
instance-url: "https://yourinstance.service-now.com"
registration-key: "your-registration-key-here"
connect-without-mid: true
```

Replace amer with emea or apac to match your instance's region, and replace yourinstance with your actual instance name. If you are unsure of your region, contact ServiceNow Support.

Key points:

- connect-without-mid: true tells the agent to connect directly to ICS rather than looking for a MID Server. This must be set for ICS deployments.
- instance-url points the agent to your specific ServiceNow instance so it can complete registration and receive policies.
- Agents must have outbound internet access to the ICS gateway on port 443.
- If your proxy performs SSL inspection, configure it to bypass inspection for *.service-now.com and *.sncapps.service-now.com. SSL inspection will break the certificate-based authentication that ICS relies on.
- ACC-M and ACC-L are not currently supported over ICS and require a MID Server.

Add the agent to your security software's allow list

If you use endpoint security tools such as CrowdStrike, Carbon Black, or Zscaler, add the ACC agent binaries and scripts to the allow list before deploying. Otherwise, the security software may block the agent from running.

What happens when an agent starts for the first time

Understanding the startup sequence helps diagnose issues if an agent does not appear in your instance:

1. The agent reads its configuration file (acc.yml) and connects to your MID Server or ICS gateway.
2. It sends a registration request containing its hostname, operating system, and agent version.
3. Your ServiceNow instance creates an agent record, triggers credential-less discovery, and creates or updates a Computer CI in the CMDB.
4. The agent begins sending keepalive signals every 60 seconds. Your instance sends back policies and data collection tasks.

No credentials are exchanged during this process and no manual approval is needed. Within seconds of a successful startup, the agent should appear as active in the ACC Admin Workspace.

Section 4: Configuration

After installation, use this section to set up data collection rules and verify that agents are communicating with your instance. Connection settings were applied during installation — if you need to change them later, edit acc.yml directly and restart the agent service.

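After any edit to acc.yml, the connection settings can be checked against the Option A and Option B key points from Section 3 before the service is restarted. The script below is an added example, not ServiceNow code: the function names, the minimal parser (which reads only the keys shown on this page) and the sample values are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Regional ICS gateway hostnames as listed on this page.
ICS_GATEWAYS = {f"itomcnc-prod-gateway-{r}.sncapps.service-now.com"
                for r in ("amer", "emea", "apac")}
PLACEHOLDERS = ("your-", "yourcompany", "yourinstance")  # template leftovers
# Constructed sample: a MID Server path file with three deviations.
SAMPLE = '''backend-url:
  - "wss://10.20.30.40:443/ws/events"
api-key: "your-api-key-here"
'''

def parse_acc_yml(text):
    """Read the flat keys and one-level lists shown on this page (not a full YAML parser)."""
    cfg, key = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"([A-Za-z0-9_-]+):\s*(.*)$", line)
        if line.startswith("- ") and key:
            cfg[key].append(line[2:].strip().strip("\"'"))
        elif m:
            value = m.group(2).strip().strip("\"'")
            key = None if value else m.group(1)   # an empty value opens a list
            cfg[m.group(1)] = value or []
    return cfg

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def check_acc_config(text):
    """Return findings; an empty list means the file matches the guidance on this page."""
    cfg, out = parse_acc_yml(text), []
    ics = str(cfg.get("connect-without-mid", "")).lower() == "true"
    urls = cfg.get("backend-url") or []
    for u in map(urlparse, [urls] if isinstance(urls, str) else urls):
        host = u.hostname or ""
        if ics and (u.scheme != "https" or host not in ICS_GATEWAYS or u.port not in (443, None)):
            out.append(f"backend-url is not a listed ICS gateway on port 443: {host}")
        if not ics and u.scheme != "wss":
            out.append(f"backend-url scheme is {u.scheme}, the MID example uses wss")
        if not ics and is_ip(host):
            out.append(f"backend-url uses IP address {host}, use the full hostname")
        if not ics and u.port is not None and u.port < 1024:
            out.append(f"port {u.port} is privileged on Linux and macOS")
    if ics and "api-key" in cfg:
        out.append("api-key must not be set on the ICS path")
    required = ("backend-url", "instance-url", "registration-key") if ics else ("backend-url", "api-key")
    out += [f"{k} is missing" for k in required if not cfg.get(k)]
    out += [f"{k} still contains a placeholder value" for k, v in cfg.items()
            if any(p in str(v) for p in PLACEHOLDERS)]
    return out

if __name__ == "__main__":
    print("\n".join(check_acc_config(SAMPLE)))
```

A missing api-key is reported on the MID Server path because the check assumes API Key authentication; a deployment using mTLS instead would expect that finding.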
Set up the allow list

For security, agents will not run any data-collection task unless it is explicitly listed in an allow list file. This file controls exactly which commands the agent is permitted to execute. ServiceNow's built-in data collection tasks include their own allow lists automatically — you only need to add entries for any custom tasks you create. Have your security team review and approve all entries before deploying.

Apply your changes

After editing the configuration file, restart the agent service for the changes to take effect:

Windows — run the following in an elevated command prompt:

```
net stop "ServiceNow Agent" && net start "ServiceNow Agent"
```

Linux — run in a terminal:

```
sudo systemctl restart acc
```

macOS — run in a terminal:

```
sudo launchctl unload /Library/LaunchDaemons/com.servicenow.agent.plist
sudo launchctl load /Library/LaunchDaemons/com.servicenow.agent.plist
```

Create data collection policies

Policies tell agents which computers to monitor, what data to collect, and how often. You create and manage policies inside your ServiceNow instance — agents automatically receive policy updates without needing a reinstall.

Confirm agents are connected

To verify that your agents are running and communicating with your instance:

1. In your ServiceNow instance, go to ITOM Infra Services Workspace > ACC agents and click on the Agents tab.
2. Your newly installed agents should appear in the list with an Up status.
3. Check the agent's local log file for the message "successfully connected to the url" — this confirms the agent is communicating with your instance.

If an agent does not appear:

- Confirm the agent service is running on the computer.
- Check that the backend URL and any keys in acc.yml are correct.
- MID Server path: Verify that port 8800 (or your configured port) is open from the agent to the MID Server, and that the ACC Listener capability is enabled on the MID Server.
- ICS path: Verify that port 443 is open from the agent to the ICS gateway for your region, and confirm your proxy is not intercepting SSL traffic to ServiceNow domains.
- Review the agent log file for error messages and share them with your ServiceNow administrator if you need further assistance.

Ongoing operations

Once your deployment is complete, keep the following in mind for day-to-day management:

- Keepalive monitoring: Agents send keepalive signals every 60 seconds. If no keepalive is detected from an agent over time, it will be marked offline. Sudden drops in keepalive rates across multiple agents often indicate a network or service issue rather than a problem with individual agents.
- Policy sync: Confirm that new or updated policies distribute to agents within expected timeframes. You can track this in the ACC Admin Workspace.
- Version management: Track agent versions across your fleet and plan upgrade cycles using the same phased rollout approach you used for the initial deployment.

Need Help?

If you run into issues during any step of this process:

- Visit support.servicenow.com for technical support.
- Contact your ServiceNow account team for architecture guidance on larger deployments.
- Review KB1122613 for ACC deployment best practices.
- Review KB1702432 if planning a MID-less ACC-V deployment over ICS.