# Deploy Aikido Device Protection with Iru / Kandji

Use Iru / Kandji to roll out Aikido Device Protection across your organization and protect managed macOS devices with a consistent setup.

## Installation

{% stepper %}
{% step %}
**What you'll need**

Before starting, make sure you have the following from the Aikido Device Protection dashboard:

* Your **Device Protection Token** (copied from the user group selector)
* The **Shared Root CA Certificate** (`.pem` file — downloaded in the dashboard)
* The **Aikido Device Protection installer** (`.pkg` file — downloaded in the dashboard)

If you're missing any of these, go back to the [Aikido Device Protection dashboard](https://app.aikido.dev/endpoint-protection/devices), click **Connect Device**, and complete the pre-flight steps.
{% endstep %}

{% step %}
**Upload the Aikido Device Protection configuration profile to Iru**

1. [Download the Aikido `.mobileconfig` file](https://raw.githubusercontent.com/AikidoSec/safechain-internals/refs/heads/main/docs/aikido-endpoint.mobileconfig)
2. In Iru, go to the Library.
3. Upload the `.mobileconfig` file as a **Custom Profile**.
4. Assign it to the same Blueprint as the app.

This profile allows the Aikido Device Protection system extension to load silently, enables the network content filter, and stops users from disabling background services in System Settings → Login Items.

{% endstep %}

{% step %}
**Deploy the Aikido Device Protection CA certificate**

1. In Iru, go to the **Library** and add a new **Certificate** library item.
2. Upload the Shared Root CA Certificate (`.pem` file).
3. Assign it to the same Blueprint as the configuration profile.
{% endstep %}

{% step %}
**Upload the Aikido Device Protection installer**

1. In Iru, add the Aikido Device Protection `.pkg` as a custom app.
2. Add this **preinstall** script:

```bash
#!/bin/zsh
# Write the token (replace AIK_SAFE_CHAIN_TOKEN with your Device Protection Token)
# so the agent registers with the correct user group
echo "AIK_SAFE_CHAIN_TOKEN" > /tmp/aikido_endpoint_token.txt
# Signals the installer to run completely silently, with no user prompts
touch /tmp/aikido_endpoint_mdm_install.txt
```

3. Assign the app to the same Blueprint.

{% endstep %}

{% step %}
**Deploy in the right order**

The profile and CA certificate must be on the device before the installer, or macOS will prompt users for permission.

1. Deploy the **Aikido Device Protection** configuration profile
2. Deploy the **Aikido Device Protection** CA certificate
3. Verify both have reached all target devices before continuing — check status in the Iru console
4. Deploy the **Aikido Device Protection** app
{% endstep %}

{% step %}
**Reboot devices after installation**

In Iru, add a **Custom Script** library item to the same Blueprint, placed after the agent install item:

```bash
#!/bin/zsh
shutdown -r now
```

Set it to run **once**.

The agent fully activates on the next boot.
{% endstep %}

{% step %}
**Verify the deployment**

On a test device, confirm:

1. The system extension is activated:

   ```bash
   systemextensionsctl list | grep aikido
   ```

   Expect to see the extension marked `[activated enabled]`.
2. Open **System Settings** → **General** → **Login Items & Extensions** and confirm the Aikido Device Protection entries cannot be toggled off.
{% endstep %}
{% endstepper %}

## Troubleshooting

| Problem                                                         | Fix                                                                                                                      |
| --------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ |
| Users still see the popup                                       | Make sure the Aikido Device Protection configuration profile is assigned correctly and deployed before the app           |
| Extension is waiting for user approval                          | Confirm the Aikido Device Protection configuration profile is installed on the device and reboot                         |
| Duplicate extension entries appear                              | Reboot the device                                                                                                        |
| Proxy is still not approved silently                            | Re-upload the Aikido Device Protection configuration profile and confirm it is assigned to the same Blueprint as the app |
| Users can still disable Aikido Device Protection in Login Items | Re-upload the Aikido Device Protection configuration profile and reboot the device                                       |
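The manual check in the verification step and the extension rows of the table above can be scripted for a fleet-wide status check. This is an added example, not Aikido's code: it assumes the tab-separated column layout of `systemextensionsctl list`, and the bundle ID, team ID and versions in the sample listing are constructed placeholders.

```bash
#!/bin/bash
# Added example (not Aikido's code): classify `systemextensionsctl list` output
# into the states this page's verification and troubleshooting sections name.
# Assumes the tool's tab-separated columns:
#   enabled, active, teamID, "bundleID (version)", name, [state]

classify_aikido_extension() {   # reads the listing on stdin, prints one state
  local lines dupes
  lines=$(grep aikido || true)              # same filter as the manual check
  if [ -z "$lines" ]; then echo missing; return 0; fi
  # The same bundle ID listed more than once is a duplicate entry.
  dupes=$(printf '%s\n' "$lines" | awk -F'\t' '{sub(/ \(.*/, "", $4); print $4}' | sort | uniq -d)
  if printf '%s\n' "$lines" | grep -q '\[activated waiting for user\]'; then
    echo waiting-for-user
  elif [ -n "$dupes" ]; then
    echo duplicate
  elif printf '%s\n' "$lines" | grep -q '\[activated enabled\]'; then
    echo activated
  else
    echo other
  fi
}

remediation_for() {             # fixes paraphrased from the troubleshooting table
  case "$1" in
    activated)        echo "none" ;;
    waiting-for-user) echo "confirm the configuration profile is installed, then reboot" ;;
    duplicate)        echo "reboot the device" ;;
    *)                echo "not covered by the troubleshooting table" ;;
  esac
}

# Constructed sample listing: bundle ID, team ID and versions are placeholders.
sample_listing() {
  printf '2 extension(s)\n--- com.apple.system_extension.network_extension\n'
  printf 'enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n'
  printf '\t\tTEAMID0000\tdev.aikido.example.ext (1.0/1)\tExample\t[terminated waiting to uninstall on reboot]\n'
  printf '*\t*\tTEAMID0000\tdev.aikido.example.ext (1.1/2)\tExample\t[activated enabled]\n'
}

if command -v systemextensionsctl >/dev/null 2>&1; then
  state=$(systemextensionsctl list | classify_aikido_extension)   # real device
else
  state=$(sample_listing | classify_aikido_extension)             # offline demo
fi
echo "state=$state fix: $(remediation_for "$state")"
```

The waiting-for-user state takes precedence over duplicates because it indicates the configuration profile did not reach the device before the installer ran.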


