# Deploy Aikido Device Protection with Mosyle

Use Mosyle Business to deploy Aikido Device Protection across your managed macOS fleet with the required permissions in place.

## Installation

{% stepper %}
{% step %}
**What you'll need**

Before starting, make sure you have the following from the Aikido Device Protection dashboard:

* Your **Device Protection Token** (copied from the user group selector)
* The **Shared Root CA Certificate** (`.pem` file — downloaded in the dashboard)
* The **Aikido Device Protection installer** (`.pkg` file — downloaded in the dashboard)

If you're missing any of these, go back to the [Aikido Device Protection dashboard](https://app.aikido.dev/endpoint-protection/devices), click **Connect Device**, and complete the pre-flight steps.
{% endstep %}

{% step %}
**Add the Aikido Device Protection configuration profile**

1. [Download the Aikido `.mobileconfig` file](https://raw.githubusercontent.com/AikidoSec/safechain-internals/refs/heads/main/docs/aikido-endpoint.mobileconfig).
2. In the Mosyle admin console, go to **Management** → **macOS** → **Management Profiles** → **Certificates / Custom Profiles**.
3. Click **Add new profile** and give it a name (e.g. "Aikido Device Protection").
4. Upload the downloaded `.mobileconfig` file.
5. Under **Add Assignment**, select your target device group with **System** scope.
6. Click **Save**.

This profile allows the Aikido Device Protection system extension to load silently, enables the network content filter, and stops users from disabling background services in System Settings → Login Items.
{% endstep %}

{% step %}
**Deploy the Aikido Device Protection CA certificate**

1. In the Mosyle admin console, go to **Management** → **macOS** → **Management Profiles** → **Certificates / Custom Profiles**.
2. Click **Add new profile**, select the certificate type, and upload the Shared Root CA Certificate (`.pem` file).
3. Under **Add Assignment**, select the same target device group with **System** scope.
4. Click **Save**.
{% endstep %}

{% step %}
**Create the pre-install token script**

Mosyle does not have a built-in pre-install hook for PKG deployments. Use a **Custom Command** profile to write the token to disk before the package installs.

1. In the Mosyle admin console, go to **Management** → **macOS** → **Management Profiles** → **Custom Commands**.
2. Click **Add new profile** and give it a name (e.g. "Aikido Device Protection - token").
3. On the **Code** tab, select **Free Scripting** and paste the script below. Replace `AIK_SAFE_CHAIN_TOKEN` with your Device Protection Token.

```bash
#!/bin/zsh
# Write the token so the agent registers with the correct user group
echo "AIK_SAFE_CHAIN_TOKEN" > /tmp/aikido_endpoint_token.txt
# Signals the installer to run completely silently, with no user prompts
touch /tmp/aikido_endpoint_mdm_install.txt
```

4. On the **Execution Settings** tab, set **Schedule** to **Only once**.
5. Under **Add Assignment**, select the same target device group.
6. Click **Save**.

{% hint style="info" %}
Custom Commands run as root. Before moving to the next step, open the Custom Command profile and click **View Results** to confirm all target devices show a successful run.
{% endhint %}
{% endstep %}

{% step %}
**Upload and deploy the Aikido Device Protection installer**

**Upload the package**

1. In the Mosyle admin console, go to **Management** → **macOS** → **Management Profiles** → **Install PKG**.
2. Click the **CDN** tab, then **Upload** and select the Aikido Device Protection `.pkg`.
3. Wait for the upload to reach 100% and confirm it.

**Create the deployment profile**

1. Click the **Profiles** tab inside Install PKG.
2. Click **Add new profile** and give it a name (e.g. "Aikido Device Protection").
3. Click **+ Add Application** and select the package you uploaded.
4. Under **Add Assignment**, select the same target device group.
5. Click **Save**.
{% endstep %}

{% step %}
**Deploy in the right order**

The configuration profile and CA certificate must be on the device before the installer runs, or macOS will prompt users for permission.

1. Confirm the **Aikido Device Protection** configuration profile is installed: open the profile and click **View Results** — all target devices should show green.
2. Confirm the **Aikido Device Protection** CA certificate is deployed: open the certificate profile and click **View Results** — all target devices should show green.
3. Confirm the **Aikido Device Protection - token** Custom Command completed: open the profile and click **View Results** — all target devices should show a successful run.
4. Only then save and assign the **Install PKG** deployment profile.
{% endstep %}

{% step %}
**Reboot devices after installation**

1. In the Mosyle admin console, go to **Management** → **macOS** → **Management Profiles** → **Custom Commands**.
2. Click **Add new profile**, select **Free Scripting**, set **Schedule** to **Only once**, and paste:

```bash
#!/bin/zsh
# Reboot immediately; the agent fully activates on the next boot
shutdown -r now
```

3. Under **Add Assignment**, select the same target device group and click **Save**.

Deploy this profile after confirming the agent package has installed — check **View Results** on the Install PKG profile first.

The agent fully activates on the next boot.
{% endstep %}

{% step %}
**Verify the deployment**

On a test device, confirm:

1. The system extension is activated:

   ```bash
   systemextensionsctl list | grep aikido
   ```

   Expect to see the extension marked `[activated enabled]`.
2. Open **System Settings** → **General** → **Login Items & Extensions** and confirm the Aikido Device Protection entries cannot be toggled off.
{% endstep %}
{% endstepper %}
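
The ordering and verification checks above can also be run locally on a test Mac; the script below is an added example, not part of Aikido's documentation or tooling. It uses the file paths and placeholder string from the token script on this page and assumes the extension row contains "aikido", as the `grep` above does; the file name `check.sh` and the verdict strings are hypothetical.

```bash
#!/bin/bash
# Added example, not Aikido tooling. File paths and the placeholder string come
# from the token script on this page; everything else is an assumption.
TOKEN_FILE=/tmp/aikido_endpoint_token.txt
MARKER_FILE=/tmp/aikido_endpoint_mdm_install.txt
PLACEHOLDER=AIK_SAFE_CHAIN_TOKEN

# Pre-install check. Prints a verdict (never the token) and returns 0 only for "ok".
check_token_file() {
  local file="$1" lines token
  # /tmp is world-writable: reject symlinks and files not owned by the caller
  # (Custom Commands run as root, so -O means root-owned when run from Mosyle).
  if [ -L "$file" ]; then echo "unsafe"; return 1; fi
  if [ ! -f "$file" ]; then echo "missing"; return 1; fi
  if [ ! -O "$file" ]; then echo "unsafe"; return 1; fi
  lines="$(grep -c '' "$file" || true)"
  if [ "$lines" -gt 1 ]; then echo "malformed"; return 1; fi
  token="$(head -n 1 "$file")"
  case "$token" in
    "")             echo "empty"; return 1 ;;
    "$PLACEHOLDER") echo "placeholder"; return 1 ;;   # token was never substituted
    *[[:space:]]*)  echo "malformed"; return 1 ;;     # stray spaces or CR from a paste
  esac
  echo "ok"
}

# Post-install check. Reads `systemextensionsctl list` output on stdin.
check_extension_state() {
  local rows active
  rows="$(grep -i 'aikido' || true)"
  if [ -z "$rows" ]; then echo "missing"; return 1; fi
  active="$(printf '%s\n' "$rows" | grep -c -F '[activated enabled]' || true)"
  if [ "$active" -eq 0 ]; then echo "not-activated"; return 1; fi
  # More than one matching row is the "duplicate entries" case: reboot the device.
  if [ "$(printf '%s\n' "$rows" | grep -c '')" -gt 1 ]; then echo "duplicate"; return 1; fi
  echo "ok"
}

# Usage on a test device: `sudo ./check.sh pre` before the PKG is assigned,
# `./check.sh post` after the reboot. With no argument nothing runs.
case "${1:-}" in
  pre)  check_token_file "$TOKEN_FILE" && [ -f "$MARKER_FILE" ] && echo "marker present" ;;
  post) systemextensionsctl list | check_extension_state ;;
esac
```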

## Troubleshooting

| Problem                                              | Fix                                                                                                  |
| ---------------------------------------------------- | ---------------------------------------------------------------------------------------------------- |
| Users still see the popup                            | Make sure the configuration profile is scoped correctly and installed before the package policy runs |
| Extension is waiting for user approval               | Check the System Extensions payload and confirm the team ID and bundle ID match exactly              |
| The package installs but the device does not connect | Confirm the token script ran before the package install and that the token was copied correctly      |
| Duplicate extension entries appear                   | Reboot the device                                                                                    |
| The content filter is not approved silently          | Re-upload the `.mobileconfig` profile and verify it is installed on the device                       |


