# Deploy Aikido Device Protection with Miradore

Use Miradore to deploy Aikido Device Protection across your managed macOS fleet with the required permissions in place.

{% hint style="info" %}
Deploying packages and scripts requires a Miradore **Premium** or **Premium+** subscription.
{% endhint %}

## Installation

{% hint style="warning" %}
**Deploy the configuration before the installer.** The Aikido Device Protection configuration profile and token script must reach each device before the Aikido Device Protection `.pkg` is installed. If the package arrives first, macOS prompts the end user for extra permissions. Use a Business Policy with item dependencies (step 5) to enforce this order.
{% endhint %}

{% stepper %}
{% step %}
**Get your Aikido Device Protection token and package**

Open [Aikido Device Protection](https://app.aikido.dev/endpoint-protection/devices) and click **Connect Device**.

Download the Aikido Device Protection `.pkg` and copy your token.
{% endstep %}

{% step %}
**Add the Aikido Device Protection configuration profile**

1. [Download the Aikido `.mobileconfig` file](https://raw.githubusercontent.com/AikidoSec/safechain-internals/refs/heads/main/docs/aikido-endpoint.mobileconfig).
2. In the Miradore admin console, go to **Management** → **Configuration profiles**.
3. Click **Add** → **macOS** → **Advanced (custom)**.
4. Upload the downloaded `.mobileconfig` file.
5. Click **Save**.

This profile allows the Aikido Device Protection system extension to load silently, enables the network content filter, and stops users from disabling background services in System Settings → Login Items.
{% endstep %}

{% step %}
**Create the pre-install token script**

Miradore runs scripts as separate application items. Create a script that writes the token to disk before the package installs.

1. In the Miradore admin console, go to **Management** → **Applications**.
2. Click **Add** → **macOS application** → **Script** → **Next**.
3. Give it a name (e.g. "Aikido Device Protection - token").
4. Paste the script below into the **Script** field. Replace `AIK_SAFE_CHAIN_TOKEN` with your real token.

```bash
#!/bin/zsh
# Write the Aikido token to disk; this must run before the .pkg installs.
echo "AIK_SAFE_CHAIN_TOKEN" > /tmp/aikido_endpoint_token.txt
```

5. Click **Create**.
   {% endstep %}

{% step %}
**Upload the Aikido Device Protection installer**

1. In the Miradore admin console, go to **Management** → **Applications**.
2. Click **Add** → **macOS application** → **PKG (Uploaded)** → **Next**.
3. Click **Select file** and upload the Aikido Device Protection `.pkg`.
4. Fill in the required fields:
   * **Application name** (e.g. "Aikido Device Protection")
   * **Bundle identifier** (e.g. `dev.aikido.endpoint`)
   * **Version**
5. Click **Create** and wait for the package to finish processing before continuing.
   {% endstep %}

{% step %}
**Deploy in the right order using a Business Policy**

Use a Business Policy to deploy all three items in the correct order: profile first, then script, then package.

1. In the Miradore admin console, go to **Management** → **Business policies**.
2. Click **Add**, give the policy a name, and set its status to **Disabled**.
3. Add all three items to the policy: the configuration profile, the token script, and the `.pkg`.
4. Set the deployment order using item dependencies:
   * Select the token script, click **Actions** → **Edit item dependency**, and set the configuration profile as its dependency.
   * Select the `.pkg`, click **Actions** → **Edit item dependency**, and set the token script as its dependency.
5. Assign the policy to your target devices using tags.
6. Set the policy status to **Enabled**.

{% hint style="info" %}
Miradore only supports one dependency per item. The chain must be: configuration profile → token script → package.
{% endhint %}
{% endstep %}

{% step %}
**Verify the deployment**

On a test device, confirm:

1. The system extension is activated:

   ```bash
   systemextensionsctl list | grep aikido
   ```

   Expect to see the extension marked `[activated enabled]`.
2. Open **System Settings** → **General** → **Login Items & Extensions** and confirm the Aikido Device Protection entries cannot be toggled off.
3. To review deployment status, go to **Management** → **Action log** and filter by "Business policy" in the **Sender** field.
   {% endstep %}
   {% endstepper %}

## Troubleshooting

| Problem                                              | Fix                                                                                                  |
| ---------------------------------------------------- | ---------------------------------------------------------------------------------------------------- |
| Users still see the popup                            | Make sure the configuration profile is scoped correctly and installed before the package policy runs |
| Extension is waiting for user approval               | Check the System Extensions payload and confirm the team ID and bundle ID match exactly              |
| The package installs but the device does not connect | Confirm the token script ran before the package install and that the token was copied correctly      |
| Duplicate extension entries appear                   | Reboot the device                                                                                    |
| The content filter is not approved silently          | Re-upload the `.mobileconfig` profile and verify it is installed on the device                       |
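The `grep` check from the verification step can be extended to tell apart the extension states this table covers. The script below is an added example, not Aikido or Miradore code; the function names, the `TEAMID0000` team ID, and the sample bundle ID are assumptions, and the sample rows are constructed.

```shell
#!/bin/bash
# Added example, not Aikido or Miradore code. Sample lines are constructed;
# TEAMID0000 and the bundle ID are placeholders, not real Aikido identifiers.

# Read `systemextensionsctl list` output on stdin and print one verdict:
# ok | waiting_for_user | duplicate | not_activated | missing
classify_sysext() {
  awk '
    tolower($0) ~ /aikido/ && index($0, "[") {
      state = $0
      sub(/^.*\[/, "", state)   # keep the text after the last "["
      sub(/\].*$/, "", state)   # drop "]" and anything after it
      n++
      if (state == "activated enabled") ok++
      else if (state ~ /waiting for user/) waiting++
    }
    END {
      if (n == 0)           print "missing"
      else if (waiting > 0) print "waiting_for_user"
      else if (n > 1)       print "duplicate"
      else if (ok == 1)     print "ok"
      else                  print "not_activated"
    }'
}

# Map a verdict to the matching fix from this page.
fix_for() {
  case "$1" in
    ok)               echo "none needed" ;;
    waiting_for_user) echo "check that the System Extensions payload team ID and bundle ID match exactly" ;;
    duplicate)        echo "reboot the device" ;;
    *)                echo "review the Business policy entries in the Miradore Action log" ;;
  esac
}

# Emit one constructed list row: $1 = version, $2 = state.
sample_row() {
  printf '*\t*\tTEAMID0000\tdev.aikido.example.extension (%s)\tAikido Example\t[%s]\n' "$1" "$2"
}

# Constructed case: an old copy pending removal next to the active one.
verdict=$( { sample_row "1.0/1" "terminated waiting to uninstall on reboot"
             sample_row "1.1/1" "activated enabled"; } | classify_sysext )
echo "$verdict: $(fix_for "$verdict")"
```

On a test device, pipe the real output through the function: `systemextensionsctl list | classify_sysext`.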

