Deploy Aikido Device Protection with JumpCloud

Use JumpCloud to deploy Aikido Device Protection across your managed macOS fleet with the required permissions in place.

All devices must be enrolled in JumpCloud Apple MDM before you begin.

Installation

Step 1: What you'll need

Before starting, make sure you have the following from the Aikido Device Protection dashboard:

  • Your Device Protection Token (copied from the user group selector)

  • The Shared Root CA Certificate (.pem file — downloaded in the dashboard)

  • The Aikido Device Protection installer (.pkg file — downloaded in the dashboard)

If you're missing any of these, go back to the Aikido Device Protection dashboard, click Connect Device, and complete the pre-flight steps.

Step 2: Add the Aikido Device Protection configuration profile

  1. In the JumpCloud Admin Portal, go to Device Management → Policy Management.

  2. Click (+), select the Mac tab, and choose MDM Custom Configuration Profile. Click configure.

  3. Give the policy a name (e.g. "Aikido Device Protection").

  4. Under Settings, click upload file and select the downloaded .mobileconfig file.

  5. Select the Device Groups tab and assign the policy to the target device group.

  6. Click save.

This profile allows the Aikido Device Protection system extension to load silently, enables the network content filter, and stops users from disabling background services in System Settings → Login Items.

Step 3: Deploy the Aikido Device Protection CA certificate

  1. In the JumpCloud Admin Portal, go to Device Management → Policy Management.

  2. Click (+), select the Mac tab, and choose Certificate.

  3. Upload the Shared Root CA Certificate (.pem file) and assign the policy to the same device group.

  4. Click save.

Step 4: Create the pre-install command

  1. In the JumpCloud Admin Portal, go to Device Management → Commands.

  2. Click + Command and select Command.

  3. Set Run As to root.

  4. Enter the script below. Replace AIK_SAFE_CHAIN_TOKEN with your real token.

    #!/bin/zsh
    # Write the Device Protection token to disk before the package install runs.
    echo "AIK_SAFE_CHAIN_TOKEN" > /tmp/aikido_endpoint_token.txt

  5. Select the Device Groups tab and assign the command to the same device group.

  6. Click save.

  7. Run the command using Run Now before you deploy the package.

Step 5: Upload the Aikido Device Protection installer

  1. In the JumpCloud Admin Portal, go to Device Management → Software Management → Apple.

  2. Click (+Add New) and select JumpCloud Private Repo.

  3. Enter an Application Name (e.g. "Aikido Device Protection").

  4. Under Upload File, upload the Aikido Device Protection .pkg file and click Upload.

  5. Once processing completes, select the Device Groups tab and assign the app to the same device group.

  6. Click save, then confirm the install.

Step 6: Deploy in the right order

  1. Assign and save the Aikido Device Protection configuration policy.

  2. Assign and save the Aikido Device Protection CA certificate policy.

  3. Verify both are installed on a test device — JumpCloud doesn't guarantee delivery order within a device group.

  4. Run the pre-install command to write the token, then deploy the Aikido Device Protection app.

Step 7: Reboot devices after installation

  1. In the JumpCloud Admin Portal, go to Device Management → Commands.

  2. Click + Command, select MDM Command, and choose Restart Device.

  3. Assign it to the same device group and click Run Now.

The agent fully activates on the next boot.

Step 8: Verify the deployment

On a test device, confirm:

  1. The system extension is activated:

    systemextensionsctl list | grep aikido

    Expect to see the extension marked [activated enabled].

  2. Open System Settings → General → Login Items & Extensions and confirm the Aikido Device Protection entries cannot be toggled off.

Troubleshooting

| Problem | Fix |
| --- | --- |
| Users still see the popup | Make sure the configuration profile is scoped correctly and installed before the package policy runs |
| Extension is waiting for user approval | Check the System Extensions payload and confirm the team ID and bundle ID match exactly |
| The package installs but the device does not connect | Confirm the token script ran before the package install and that the token was copied correctly |
| Duplicate extension entries appear | Reboot the device |
| The content filter is not approved silently | Re-upload the .mobileconfig profile and verify it is installed on the device |
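
To script the checks from "Verify the deployment" and the Troubleshooting table on a test device, the following added example (not Aikido's or JumpCloud's own tooling) classifies `systemextensionsctl list` output and checks the token file written by the pre-install command. The function names and the sample output, including the team ID and bundle IDs, are constructed; the match on "aikido" follows the page's grep, made case-insensitive.

```bash
#!/bin/bash
# Added example: not Aikido's or JumpCloud's tooling. Function names are hypothetical.

# Classify the text of `systemextensionsctl list` ($1) for the Aikido extension.
extension_status() {
    lines=$(printf '%s\n' "$1" | grep -i 'aikido' || true)
    if [ -z "$lines" ]; then echo "missing"; return 0; fi
    total=$(printf '%s\n' "$lines" | grep -c . || true)
    active=$(printf '%s\n' "$lines" | grep -c '\[activated enabled\]' || true)
    waiting=$(printf '%s\n' "$lines" | grep -c 'waiting for user' || true)
    if [ "$waiting" -gt 0 ]; then echo "waiting_for_user"  # page's fix: check the System Extensions payload
    elif [ "$total" -gt 1 ]; then echo "duplicate"         # page's fix: reboot the device
    elif [ "$active" -eq 1 ]; then echo "ok"
    else echo "not_active"; fi
}

# Check the token file written by the pre-install command (default path from the page).
token_status() {
    file=${1:-/tmp/aikido_endpoint_token.txt}
    if [ ! -f "$file" ]; then echo "missing"; return 0; fi
    token=$(tr -d '[:space:]' < "$file")
    if [ -z "$token" ]; then echo "empty"
    elif [ "$token" = "AIK_SAFE_CHAIN_TOKEN" ]; then echo "placeholder"  # never replaced
    else echo "ok"; fi
}

# Constructed sample output; the team ID and bundle IDs are placeholders.
HDR='--- com.apple.system_extension.network_extension
enabled active teamID bundleID (version) name [state]'
SAMPLE_OK="1 extension(s)
$HDR
* * TEAMID0000 com.example.aikido.ext (1.0/1) Aikido [activated enabled]"
SAMPLE_WAITING="1 extension(s)
$HDR
  TEAMID0000 com.example.aikido.ext (1.0/1) Aikido [activated waiting for user]"
SAMPLE_DUP="2 extension(s)
$HDR
* * TEAMID0000 com.example.aikido.ext (1.1/2) Aikido [activated enabled]
  TEAMID0000 com.example.aikido.ext (1.0/1) Aikido [terminated waiting to uninstall on reboot]"

# On a managed Mac, report the live state; elsewhere this block is skipped.
if command -v systemextensionsctl >/dev/null 2>&1; then
    echo "extension: $(extension_status "$(systemextensionsctl list)")"
    echo "token file: $(token_status)"
fi
```

The page does not say whether the installer removes the token file afterwards, so run the token check between the pre-install command and the package deployment.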
