Overview
After enrolling a Linux device with Swif, you may notice temporarily elevated CPU and memory usage from the swif-agent and syscheck (system checker) services. This article explains why this happens, what to expect, and when resource usage should return to normal.
Why Does This Happen?
When the Swif agent runs on a Linux device for the first time, it performs several resource-intensive operations during the initial setup:
Installs required dependencies — including osquery and the Swif Desktop App
Updates the system package manager — the agent refreshes your package manager repositories (e.g.,
apt update) to ensure it installs the latest stable versions of all required packages. This update process can temporarily consume significant CPU and memory.Applies assigned policies — all policies configured for the device are evaluated and enforced during enrollment
Installs additional packages via the package manager — depending on your system configuration, this may involve
dpkg,snap, or other package tools, all of which require compute resources
In testing, peak memory usage of approximately 769 MB RAM has been observed during this initial window, and CPU usage may spike for the first 5–10 minutes after enrollment.
What Are the swif-agent and syscheck Services?
Swif runs two complementary services on Linux devices:
Service | Purpose |
swif-agent | The primary management agent. Handles policy enforcement, reporting, and device management. |
syscheck (system checker) | A companion service that ensures the agent stays healthy and up to date. |
Because Linux does not have a built-in MDM infrastructure (unlike macOS or Windows), these two services monitor each other every 30 seconds:
The agent service checks whether the system checker is running — and restarts it if needed.
The system checker checks whether the agent service is running — and restarts it if needed.
The system checker also periodically verifies the agent version and triggers an automatic update if a newer version is available on the server.
This mutual-monitoring design ensures the Swif agent remains operational and current, even if one service encounters an issue.
Is This Normal?
Yes. The elevated resource usage during initial enrollment is expected behavior. During testing, the following CPU usage was observed in the first 5 minutes after enrollment:
Process | Average CPU Usage |
| ~6.5% |
| ~0.09% |
| ~19.9% |
| ~6.7% |
Most of the CPU usage comes from the system's own package management tools — not from the Swif agent itself. Once the initial setup completes, resource usage drops to minimal levels.
What Should I Do?
Wait for enrollment to complete. Allow 5–10 minutes after initial enrollment for all setup tasks to finish. CPU and memory usage should stabilize after this period.
Avoid interrupting the process. Stopping the agent or system checker during initial setup may cause the enrollment to restart, extending the period of high resource usage.
Check your package manager. If resource usage remains elevated for an unusually long time, it may be related to slow package manager repository updates on your network. Ensure your device has reliable internet connectivity.
Do not remove the
syscheckservice. This is a required component of Swif's Linux management architecture. Removing it will impact the agent's ability to self-heal and stay up to date.
When to Contact Support
If CPU or memory usage remains high for more than 30 minutes after enrollment, or if you observe persistent performance degradation during normal operation (not during initial setup), please contact Swif support with the following details:
Your device identifier
Output of
toporpidstatshowing process-level resource usageThe time the device was enrolled
Any relevant kernel or system logs (
journalctl -u swif-agentandjournalctl -u syscheck)