Deploy Aikido Device Protection with NinjaOne

Use NinjaOne MDM to deploy Aikido Device Protection across your managed macOS fleet with the required permissions in place.

All devices must be enrolled in NinjaOne MDM (via manual profile install or Apple Business Manager / Apple School Manager Automated Device Enrollment) before you begin.

Installation

1. What you'll need

Before starting, make sure you have the following from the Aikido Device Protection dashboard:

  • Your Device Protection Token (copied from the user group selector)

  • The Shared Root CA Certificate (.pem file — downloaded in the dashboard)

  • The Aikido Device Protection installer (.pkg file — downloaded in the dashboard)

If you're missing any of these, go back to the Aikido Device Protection dashboard, click Connect Device, and complete the pre-flight steps.

2. Add the Aikido Device Protection configuration profile

  1. Download the Aikido .mobileconfig file and open it in a text editor so you can copy its XML contents.

  2. In the NinjaOne Admin Portal, click Administration in the left navigation pane, open the Policies drop-down, and select MDM Policies.

  3. Click Create New Policy (or edit an existing macOS policy) and select Apple as the platform with macOS as the device type.

  4. Give the policy a name (e.g. "Aikido Device Protection").

  5. Open the Custom payload section and click + Add payload.

  6. In the Add payload dialog, enter a name (e.g. "Aikido Device Protection") and paste the full XML contents of the .mobileconfig file into the Content field.

  7. Click Update to save the payload, then save the policy.

  8. Assign the policy to the target macOS device group.

NinjaOne deploys each custom payload as a separate MDM profile to the device. The Aikido .mobileconfig already contains all required payloads, so a single Add payload entry is enough.

This profile allows the Aikido Device Protection system extension to load silently, enables the network content filter, and stops users from disabling background services in System Settings → Login Items.

3. Deploy the Aikido Device Protection CA certificate

  1. In the NinjaOne Admin Portal, open the MDM policy you created for the configuration profile.

  2. Add a Certificate payload and upload the Shared Root CA Certificate (.pem file).

  3. Save and republish the policy.

4. Upload the Aikido Device Protection installer

  1. In the NinjaOne Admin Portal, go to Administration → Library → Automation.

  2. Click + Add and select Installation.

  3. In the Install Application dialog, fill in the following:

    • Name: Aikido Device Protection

    • Description: Aikido Device Protection

    • Operating system: macOS

    • Installer: Upload the Aikido Device Protection .pkg file.

    • Run as: System

  4. Under Pre-script, paste the script below. Replace AIK_SAFE_CHAIN_TOKEN with your real token.

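    #!/bin/zsh
    # Stage the Device Protection Token for the installer.
    # Replace AIK_SAFE_CHAIN_TOKEN with your real token before saving.
    echo "AIK_SAFE_CHAIN_TOKEN" > /tmp/aikido_endpoint_token.txt

  5. Save the installation package.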

5. Deploy in the right order

  1. Assign the Aikido Device Protection MDM policy (containing both the configuration profile and CA certificate payloads) to the target device group.

  2. Verify both are installed on a test device before continuing.

  3. Deploy the Aikido Device Protection installation package to the same devices using a scheduled task, on-demand run, or a policy-based deployment.

6. Reboot devices after installation

  1. In the NinjaOne Admin Portal, go to Administration → Library → Automation.

  2. Click + Add and select Script.

  3. Set Operating system to macOS, Run as to System, and paste:

    #!/bin/zsh
    # Reboot immediately; the agent fully activates on the next boot.
    shutdown -r now

  4. Deploy this script to the same device group after the agent installation automation completes.

The agent fully activates on the next boot.

7. Verify the deployment

On a test device, confirm:

  1. The system extension is activated:

    systemextensionsctl list | grep aikido

    Expect to see the extension marked [activated enabled].

  2. Open System Settings → General → Login Items & Extensions and confirm the Aikido Device Protection entries cannot be toggled off.

Troubleshooting

| Problem | Fix |
| --- | --- |
| Users still see the popup | Make sure the configuration profile is scoped correctly and installed before the package policy runs |
| Extension is waiting for user approval | Check the System Extensions payload and confirm the team ID and bundle ID match exactly |
| The package installs but the device does not connect | Confirm the token script ran before the package install and that the token was copied correctly |
| Duplicate extension entries appear | Reboot the device |
| The content filter is not approved silently | Re-upload the .mobileconfig profile and verify it is installed on the device |
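
The step 7 check and the Troubleshooting table can be combined into one triage script that classifies the `systemextensionsctl list` output instead of only grepping it. This is an added example, not part of Aikido's or NinjaOne's documentation; the function names and the sample rows (including their team ID and bundle ID) are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Aikido's or NinjaOne's code.
# Classifies `systemextensionsctl list` output for lines matching "aikido".

# Constructed sample rows; the team ID and bundle ID are placeholders.
ROW='*  *  TEAMID0000  com.example.aikido.extension (1.0/1)  Aikido'
SAMPLE_OK="$ROW  [activated enabled]"
SAMPLE_WAITING="$ROW  [activated waiting for user]"
SAMPLE_DUP="$ROW  [terminated waiting to uninstall on reboot]
$ROW  [activated enabled]"

# Reads a listing on stdin and prints exactly one verdict word.
classify_aikido_ext() {
    awk '
        tolower($0) ~ /aikido/ {
            total++
            if ($0 ~ /\[activated enabled\]/) ok++
            else if ($0 ~ /\[activated waiting for user\]/) waiting++
        }
        END {
            if (total == 0)       print "missing"
            else if (waiting > 0) print "waiting-for-approval"
            else if (total > 1)   print "duplicate-entries"
            else if (ok == 1)     print "ok"
            else                  print "not-active"
        }'
}

# Maps a verdict to the matching fix from the Troubleshooting table.
fix_for() {
    case "$1" in
        ok) echo "none needed" ;;
        waiting-for-approval)
            echo "Check the System Extensions payload and confirm the team ID and bundle ID match exactly" ;;
        duplicate-entries) echo "Reboot the device" ;;
        *) echo "No matching row in the Troubleshooting table; confirm the profile and package are installed" ;;
    esac
}

# On a managed Mac, classify the live listing; elsewhere this is skipped.
if command -v systemextensionsctl >/dev/null 2>&1; then
    verdict=$(systemextensionsctl list | classify_aikido_ext)
    echo "aikido extension: $verdict ($(fix_for "$verdict"))"
fi
```

Run as a NinjaOne script against the test device, the one-line result shows which Troubleshooting row applies.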
