Student agent
Windows 10 version 1809 or later, or Windows 11. A native tray app, delivered as MSIX. This is the only managed-device surface — there is no Mac, Chromebook, or iPad agent.
What it takes to run Anchor for your school.
Anchor is self-hosted: your school runs its own backend in your own Azure tenant, and student devices talk only to that. This page is the IT summary — requirements, how it deploys, rollout, and the network shape. For the authoritative, step-by-step setup it hands you straight off to the GitHub docs, which are kept current with the code.
Requirements
Anchor is deliberately narrow: Edge-only enforcement on managed Windows laptops, one backend per school. That focus is a design choice, not a roadmap gap — there is no Mac, Chromebook, or iPad student client, and no multi-tenant SaaS.
Browser
Microsoft Edge (Chromium), with the Anchor extension. Edge-only by design: URL enforcement runs inside Edge, so other browsers are out of scope on the student device.
Teacher dashboard
Any modern browser. The dashboard is a web app — nothing to install on the teacher's side, on whatever device they already use.
Backend
Microsoft Azure. Each school self-hosts a small set of free-tier resources (App Service, Azure SQL, SignalR, Static Web App) in its own subscription. Single-tenant by design.
How it's deployed
Self-hosted, single-tenant, in your own Azure
You run one Anchor backend for your school, in your school's Azure subscription. The student devices and the teacher dashboard talk only to that backend — your data stays in your Azure. Plink Labs operates no backend, receives no student data, and has no access to your deployment.
Sign-in reuses the school's existing Entra ID: teachers and students sign in with the Microsoft accounts they already have, against your own tenant. The deploy creates two single-tenant Entra app registrations (the API and the dashboard SPA); there are no separate Anchor passwords to manage and no third-party identity provider in the loop.
Rollout
Three pieces to push, all through tools you already run. The GitHub docs carry the exact commands and settings — this is the shape of the work.
01
The agent
Distribute the student agent as an MSIX package through Microsoft Intune (or your existing MDM), to the managed Windows laptops in scope.
02
The extension
Force-install the Anchor extension from the Microsoft Edge Add-ons store via Edge policy, so it is present and pinned on every managed device.
03
The backend
Stand up your Azure backend with scripts/setup.ps1 — one command provisions the resources, the Entra registrations, and the GitHub deploy wiring. A direct Bicep deploy and a portal walkthrough are documented as manual alternatives.
Network
Plain HTTPS outbound — no proxy surgery
Everything runs over HTTPS/TLS. Each student device makes outbound connections to your school's Azure backend (the App Service API) and to Azure SignalR for the realtime session channel — the same kind of HTTPS traffic to *.azurewebsites.net and the SignalR service that the rest of your Microsoft cloud already uses.
Anchor needs no proxy certificate, no TLS interception, and no MITM on its connections. Because enforcement and reporting are device-resident and outbound-only, it is BYOD-friendly: it does not depend on devices sitting behind a particular network, so it works on school Wi-Fi and at home alike.
Read the authoritative docs
This page is a summary; the GitHub docs are the source of truth and track the code. Start with the setup guide and follow its links.
README
What Anchor is, the architecture diagram, the five components, and how to build and run each piece locally.
docs/SETUP.md
The authoritative end-to-end setup: Entra app registrations, the Bicep deploy, App Service settings, admin consent, and the GitHub secrets/variables — with a manual fallback for every step.
docs/RELEASE.md
The deploy pipeline and the authoritative inventory of every secret and variable the deploy workflows consume.
infra/README.md
The Azure infrastructure: the one-command bootstrap, the direct-Bicep deploy, the portal walkthrough, every template parameter, and the resources created.
Get started
Deploy the backend, then roll out the clients
Stand up your school's backend first, then push the agent and the extension to your managed devices. The setup guide walks the backend end to end; the agent ships from GitHub Releases, and the extension installs from the Edge store.