Deploy Aikido Device Protection with Intune
Use Microsoft Intune to deploy Aikido Device Protection across your managed macOS fleet with the required permissions in place.
Installation
What you'll need
Before starting, make sure you have the following from the Aikido Device Protection dashboard:
Your Device Protection Token (copied from the user group selector)
The Shared Root CA Certificate (
.pemfile — downloaded in the dashboard)The Aikido Device Protection installer (
.pkgfile — downloaded in the dashboard)
If you're missing any of these, go back to the Aikido Device Protection dashboard, click Connect Device, and complete the pre-flight steps.
Add the Aikido Device Protection configuration profile
In the Intune admin center, go to Devices → macOS → Configuration → Create → New Policy.
Select macOS as the platform. Under Profile type, select Templates, then choose Custom.
Give the profile a name (e.g. "Aikido Device Protection").
Under Custom configuration profile name, enter a name and browse to the downloaded
.mobileconfigfile to upload it.Assign the profile to the target device group.
This profile allows the Aikido Device Protection system extension to load silently, enables the network content filter, and stops users from disabling background services in System Settings → Login Items.
Deploy the Aikido Device Protection CA certificate
In the Intune admin center, go to Devices → macOS → Configuration → Create → New Policy.
Select platform macOS, profile type Templates, then choose Trusted certificate.
Upload the Shared Root CA Certificate (
.pemfile) and assign it to the same device group.
Upload the Aikido Device Protection installer
In the Intune admin center, go to Apps → macOS → Add.
Select macOS app (PKG) as the app type.
Upload the Aikido Device Protection
.pkgfile.On the Program tab, add a Pre-install script with the content below. Replace
AIK_SAFE_CHAIN_TOKENwith your real token.
#!/bin/zsh
echo "AIK_SAFE_CHAIN_TOKEN" > /tmp/aikido_endpoint_token.txtComplete the remaining tabs (Detection rules, Assignments) and assign the app as Required for the same device group.
Pre-install scripts require the Intune management agent version 2309.007 or later. The script must exit with code 0 for the installation to proceed.
Deploy in the right order
Order matters. Both the configuration profile and the CA certificate must reach the device before the pkg. If the pkg installs first, macOS can ask the user for extra permissions.
Intune deploys configuration profiles and apps independently. Make sure both the profile and certificate are assigned and synced before the app reaches devices:
Assign and sync the Aikido Device Protection configuration profile.
Assign and sync the Aikido Device Protection CA certificate.
Verify both appear on a test device before assigning the app.
Then assign the Aikido Device Protection app.
Reboot devices after installation
In the Intune admin center, go to Devices → macOS.
Filter to the target device group, select all devices, and click Restart from the bulk-action menu.
The agent fully activates on the next boot.
Verify the deployment
On a test device, confirm:
The system extension is activated:
systemextensionsctl list | grep aikidoExpect to see the extension marked
[activated enabled].Open System Settings → General → Login Items & Extensions and confirm the Aikido Device Protection entries cannot be toggled off.
Troubleshooting
Users still see the popup
Make sure the configuration profile is scoped correctly and installed before the package policy runs
Extension is waiting for user approval
Check the System Extensions payload and confirm the team ID and bundle ID match exactly
The package installs but the device does not connect
Confirm the token script ran before the package install and that the token was copied correctly
Duplicate extension entries appear
Reboot the device
The content filter is not approved silently
Re-upload the .mobileconfig profile and verify it is installed on the device
Last updated
Was this helpful?