DEX Architecture

  • Release version: Australia
  • Updated June 16, 2026

    Digital End-User Experience (DEX) architecture describes the cloud-native services, endpoint agents, and data flows that connect end-user devices to your ServiceNow instance.

    DEX uses a set of new multitenant, cloud-native services called ServiceNow shared services. In this architecture, DEX endpoint agents can communicate with the ServiceNow shared services without a MID Server. ServiceNow shared services provide authentication to DEX agents and enable message buffering and stateful stream processing of data sent to your ServiceNow instance and a time series datastore. ServiceNow shared services also enable a secure way to send policy updates and on-demand execution of checks on the DEX agents. ServiceNow shared services enable secure bi-directional communication between your ServiceNow instance and the DEX endpoint agents.

    Figure 1. DEX architectural diagram
    High-level architectural diagram of Digital End-User Experience.

    Binaries installed on endpoints

    • Agent Client Collector (ACC): Deployed onto end-user device endpoints, such as a laptop or virtual desktop infrastructure (VDI), to collect various device-level performance and operational metrics. ACC enables you to do the following:
      • Configure a policy frequency to control what metrics are collected and the frequency of collection. To learn more about the metrics collected by DEX, see View collected metrics with Metrics analyzer.
      • Run remedial actions on the endpoint, such as clearing cache and restarting an application.
    • Browser extension: Helps track application performance and network metrics like page load time and network jitter. The communication between the browser extension and ACC, as well as the device and application metrics, is routed via the ServiceNow shared services. For more information, see Enable DEX browser extension.
    • DEX Desktop Assistant: Enables employees to incorporate ServiceNow functionality into their daily workflow. It provides access to local application monitoring, requests, and push notifications, and lets employees perform network tests.

    Agent registration highlights

    • After the installation, ACC is registered on your organization's ServiceNow instance and the required certificates are downloaded from the instance. All the communication between ACC and your instance happens over secured HTTPS.
    • After the ACC registration, a connection with the ServiceNow shared services is established. The agent is authenticated with the shared services via the downloaded certificates.
    • ACC opens a bi-directional communication channel with the ServiceNow shared services using a gRPC (Remote Procedure Call) connection. The gRPC connection is a secure and encrypted channel to send and receive data from the endpoints. The channel is secured via mutual Transport Layer Security (mTLS).
    • ACC sends various device and application performance metrics to the shared services.
    • The instance also pushes data, such as DEX policies, to the agent via this bi-directional channel.
    • The ServiceNow shared services use the ServiceNow Hermes Messaging Service and Stream Connect to isolate your organization's data.

      For more information, see Hermes and Stream Connect.

    • Raw metrics collected from endpoints are processed further using the shared services and eventually pushed to your ServiceNow instance.
    • Some of the configuration device metrics and agent heartbeats are directly pushed to the ServiceNow instance. The operation is performed over a secured HTTPS channel via a REST endpoint.

    Data security

    Various security measures help verify that scripts run securely.

    • Allowlist: A file shipped with the agent that verifies that no command other than those in the allowlist can be executed.

      For more information on the list, see Generate an Agent Client Collector allow list.

    • Plugins certificate signing: Scripts are packaged in plugins, which are deployed to the endpoint. To verify data integrity, plugins can be signed with a certificate so that no malicious plugins are deployed.

      For more information on certificate signing, see Secure a custom plugin with a certificate.

    • Role-based access: All actions are available to only specific roles and user criteria within ServiceNow. For example, advanced actions can be assigned to the DEX engineer role and basic actions to the Service Desk.

      For more information, see Configure the Remedial Actions Framework.

    • Audit: All action runs are audited in the Remedial Action Executions table (ssn_reacf_remedial_action_execution).

      For information about emergency plans (such as notification and service restoration), see DEX subscription.

    Data isolation

    When the Hermes Messaging Service and Stream Connect persist data to the file system while it is being sent and received, your data is stored in a separate topic.

    The agent client certificate issued by your ServiceNow instance holds the instance name for your organization. After the agent is authenticated, the instance name from the agent certificate is used to keep data isolated within a shared services cluster.

    mTLS is used for secure communication between the agent and server components. The agent authenticates itself using a client certificate with the following parameters:
    • Public Key Algorithm: id-ecPublicKey (ECDSA)
    • Key Size: 256-bit
    • Elliptic Curve: NIST Curve P-256

    Elliptic curve cryptography provides strong encryption and efficient key exchange.
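
The certificate parameters listed above can be checked on an endpoint with openssl. The following is an added example, not ServiceNow code: the certificate path is passed in by the caller (the page does not state where the agent stores it), the function names are hypothetical, and the sample certificates are constructed for the demo.

```sh
# Added example: check a PEM certificate against the documented agent
# client-certificate parameters (id-ecPublicKey, 256-bit, NIST P-256).

# check_agent_cert <cert.pem>: prints one line per parameter and returns
# 0 only if all three match, 1 on a mismatch, 2 if the file is unreadable.
check_agent_cert() {
    local cert text rc label pattern
    cert="$1"; rc=0
    # Fail closed when the file is missing or is not a parseable certificate.
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || {
        echo "FAIL  cannot parse certificate: $cert"
        return 2
    }
    # Fixed strings from openssl's rendering of Subject Public Key Info.
    while IFS='|' read -r label pattern; do
        if printf '%s\n' "$text" | grep -qF -- "$pattern"; then
            echo "ok    $label"
        else
            echo "FAIL  $label (expected \"$pattern\")"
            rc=1
        fi
    done <<'EOF'
public key algorithm|Public Key Algorithm: id-ecPublicKey
key size|Public-Key: (256 bit)
elliptic curve|NIST CURVE: P-256
EOF
    return "$rc"
}

# make_sample_cert <curve> <out.pem>: writes a throwaway self-signed
# certificate. Constructed sample data, not a real agent certificate.
make_sample_cert() {
    local key rc
    key=$(mktemp) || return 1
    openssl ecparam -name "$1" -genkey -noout -out "$key" 2>/dev/null &&
        openssl req -x509 -new -key "$key" -subj "/CN=constructed-sample" \
            -days 1 -out "$2" 2>/dev/null
    rc=$?
    rm -f "$key"
    return "$rc"
}

# Demo: a P-256 sample passes; a P-384 sample is reported as a mismatch.
tmp=$(mktemp -d)
make_sample_cert prime256v1 "$tmp/p256.pem" && check_agent_cert "$tmp/p256.pem"
make_sample_cert secp384r1 "$tmp/p384.pem" && check_agent_cert "$tmp/p384.pem" ||
    echo "p384.pem does not match the documented parameters"
rm -rf "$tmp"
```

A non-zero return on a deployed agent certificate means it does not match the parameters documented here and is worth investigating before trusting the channel.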

    Agent assets and plugins (like DEX) that are downloaded from your ServiceNow instance through the shared services are signed by ServiceNow or the asset owners during their release. Signing verifies the authenticity and integrity of the agent asset or plugin.

    Data access

    All collected data is transformed and presented on your ServiceNow instance.

    Any data collected in the context of DEX is visible only to users with appropriate DEX roles. For more information about the DEX roles, see Installed with DEX.

    When following the standard ServiceNow practices on data governance, no special handling is required for DEX.

    Data retention

    All the raw metrics collected from devices are stored in the ServiceNow instance for a maximum of seven days. Aggregated metrics are stored for a longer duration based on the type of aggregation. Aggregated metrics are used to show trend lines for various metrics. Hermes Messaging Service stores data for 36 hours by default. No other ServiceNow shared services store any metric data in transit.