Deploy Aikido Device Protection with Iru / Kandji
Use Iru / Kandji to roll out Aikido Device Protection across your organization and protect managed macOS devices with a consistent setup.
Installation
What you'll need
Before starting, make sure you have the following from the Aikido Device Protection dashboard:
Your Device Protection Token (copied from the user group selector)
The Shared Root CA Certificate (.pem file, downloaded in the dashboard)
The Aikido Device Protection installer (.pkg file, downloaded in the dashboard)
If you're missing any of these, go back to the Aikido Device Protection dashboard, click Connect Device, and complete the pre-flight steps.
Upload the Aikido Device Protection configuration profile to Iru
In Iru, go to the Library.
Upload the .mobileconfig file as a Custom Profile.
Assign it to the same Blueprint as the app.
This profile allows the Aikido Device Protection system extension to load silently, enables the network content filter, and stops users from disabling background services in System Settings → Login Items.


Deploy the Aikido Device Protection CA certificate
In Iru, go to the Library and add a new Certificate library item.
Upload the Shared Root CA Certificate (.pem file).
Assign it to the same Blueprint as the configuration profile.
Upload the Aikido Device Protection installer
In Iru, add the Aikido Device Protection .pkg as a custom app.
Add this preinstall script:
#!/bin/zsh
# Replace AIK_SAFE_CHAIN_TOKEN with the Device Protection Token from the first step.
echo "AIK_SAFE_CHAIN_TOKEN" > /tmp/aikido_endpoint_token.txt
Assign the app to the same Blueprint.

Deploy in the right order
Order matters. Both the MDM profile and the CA certificate must land on the device before or at the same time as the pkg. If the pkg installs first, the user will be asked for additional permissions.
Deploy the Aikido Device Protection configuration profile
Deploy the Aikido Device Protection CA certificate
Verify both have reached all target devices before continuing — check status in the Iru console
Deploy the Aikido Device Protection app
Reboot devices after installation
In Iru, add a Custom Script library item to the same Blueprint, placed after the agent install item:
#!/bin/zsh
shutdown -r now
Set it to run once.
The agent fully activates on the next boot.
Verify the deployment
On a test device, confirm:
The system extension is activated:
systemextensionsctl list | grep aikido
Expect to see the extension marked [activated enabled].
Open System Settings → General → Login Items & Extensions and confirm the Aikido Device Protection entries cannot be toggled off.
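The grep above only confirms the happy path. As an added example (not part of Aikido's documentation), the shell function below classifies systemextensionsctl list output into the states the Troubleshooting section covers. The helper names and status words are hypothetical, and the team ID and bundle identifier in the sample rows are constructed placeholders.

```shell
#!/bin/sh
# Added example, not vendor code. Reads `systemextensionsctl list` output on stdin
# and prints one status word for the rows that mention "aikido":
#   ok (exit 0) | pending (2) | missing (3) | duplicate (4) | inactive (5)
# aikido_ext_status and sample_row are hypothetical helper names.
aikido_ext_status() {
    awk -F'\t' '
        tolower($0) ~ /aikido/ {
            rows++
            id = $4; sub(/ \(.*/, "", id)           # "bundle.id (1.0/1)" -> "bundle.id"
            if (id != "" && ++seen[id] > 1) dup = 1  # same bundle listed twice
            if ($0 ~ /\[activated enabled\]/) active++
            if ($0 ~ /waiting for user/)      pending++
        }
        END {
            if (!rows)   { print "missing";   exit 3 }  # extension never installed
            if (pending) { print "pending";   exit 2 }  # profile did not pre-approve it
            if (dup)     { print "duplicate"; exit 4 }  # stale copy, cleared by a reboot
            if (active)  { print "ok";        exit 0 }
            print "inactive"; exit 5
        }'
}

# Constructed sample row. TEAMID0000 and com.example.aikido.ext are placeholders,
# not the real Aikido identifiers. $1 = version, $2 = state text.
sample_row() {
    printf '*\t*\tTEAMID0000\tcom.example.aikido.ext (%s)\tAikido\t[%s]\n' "$1" "$2"
}

# Demo on constructed input: an old copy awaiting removal plus the new active one.
{ sample_row 1.0/1 'terminated waiting to uninstall on reboot'
  sample_row 1.1/1 'activated enabled'; } | aikido_ext_status || true   # prints: duplicate

# On a managed Mac, classify the live listing (skipped where the tool is absent).
if command -v systemextensionsctl >/dev/null 2>&1; then
    systemextensionsctl list | aikido_ext_status || true
fi
```

Because the exit code is non-zero for every state except ok, the function can gate a post-install check script on the test device.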
Troubleshooting
Users still see the popup
Make sure the Aikido Device Protection configuration profile is assigned correctly and deployed before the app
Extension is waiting for user approval
Confirm the Aikido Device Protection configuration profile is installed on the device and reboot
Duplicate extension entries appear
Reboot the device
Proxy is still not approved silently
Re-upload the Aikido Device Protection configuration profile and confirm it is assigned to the same Blueprint as the app
Users can still disable Aikido Device Protection in Login Items
Re-upload the Aikido Device Protection configuration profile and reboot the device