Deploy Aikido Device Protection with Jamf

Use Jamf Pro to deploy Aikido Device Protection across your managed macOS fleet with the required permissions in place.

These steps use Jamf Pro. If you use Jamf School, the menus and payload names can differ.

Installation

What you'll need

Before starting, make sure you have the following from the Aikido Device Protection dashboard:

Your Device Protection Token (copied from the user group selector)
The Shared Root CA Certificate (.pem file — downloaded in the dashboard)
The Aikido Device Protection installer (.pkg file — downloaded in the dashboard)

If you're missing any of these, go back to the Aikido Device Protection dashboard, click Connect Device, and complete the pre-flight steps.

Add the Aikido Device Protection configuration profile

Download the Aikido .mobileconfig file.
In Jamf Pro, create or upload a Configuration Profile for macOS.
Upload the downloaded .mobileconfig file.
Scope it to the target devices.

This profile allows the Aikido Device Protection system extension to load silently, enables the network content filter, and stops users from disabling background services in System Settings → Login Items.

Deploy the Aikido Device Protection CA certificate

In Jamf Pro, go to Computers → Configuration Profiles.
Create a new profile, add a Certificates payload, and upload the Shared Root CA Certificate (.pem file).
Scope it to the same target devices as the configuration profile.

Upload the Aikido Device Protection installer

In Jamf Pro, go to Computers → Packages.
Upload the Aikido Device Protection .pkg.
Confirm the package finishes processing before you use it in a policy.

Create the install policy

In Jamf Pro, go to Computers → Policies.
Create a new policy scoped to the same devices.
Add a script that writes the token before the package installs.
Add the uploaded Aikido Device Protection package to the policy.

Use this script. Replace AIK_SAFE_CHAIN_TOKEN with your real token.

#!/bin/zsh
echo "AIK_SAFE_CHAIN_TOKEN" > /tmp/aikido_endpoint_token.txt

If you use a recurring check-in trigger, keep the policy available only after the profiles are scoped.

Deploy in the right order

Order matters. Both the configuration profile and the CA certificate must reach the device before the pkg. If the pkg installs first, macOS can ask the user for extra permissions.

Deploy the Aikido Device Protection configuration profile.
Deploy the Aikido Device Protection CA certificate.
Verify both have reached all target devices before continuing — check profile and certificate status in the Jamf Pro console.
Deploy the Aikido Device Protection install policy.

Reboot devices after installation

In Jamf Pro, go to Computers → Policies and create a new policy.
Add a Restart Options payload and set it to Restart.
Scope it to the same target devices and trigger it after the agent package has installed.

The agent fully activates on the next boot.

Verify the deployment

On a test device, confirm:

The system extension is activated:
```
systemextensionsctl list | grep aikido
```
Expect to see the extension marked [activated enabled].
Open System Settings → General → Login Items & Extensions and confirm the Aikido Device Protection entries cannot be toggled off.

Troubleshooting

Problem

Fix

Users still see the popup

Make sure the configuration profile is scoped correctly and installed before the package policy runs

Extension is waiting for user approval

Check the System Extensions payload and confirm the team ID and bundle ID match exactly

The package installs but the device does not connect

Confirm the token script ran before the package install and that the token was copied correctly

Duplicate extension entries appear

Reboot the device

The content filter is not approved silently

Re-upload the .mobileconfig profile and verify it is installed on the device

Last updated 22 hours ago

Was this helpful?