Ctrlk
Changelog NotificationsAPIAikido login

Deploy Aikido Device Protection with Rippling

Use Rippling to deploy Aikido Device Protection across your managed macOS fleet with the required permissions in place.

All devices must be enrolled in Rippling MDM before you begin.

Installation

1

What you'll need

Before starting, make sure you have the following from the Aikido Device Protection dashboard:

  • Your Device Protection Token (copied from the user group selector)

  • The Shared Root CA Certificate (.pem file — downloaded in the dashboard)

  • The Aikido Device Protection installer (.pkg file — downloaded in the dashboard)

If you're missing any of these, go back to the Aikido Device Protection dashboard, click Connect Device, and complete the pre-flight steps.

2

Upload the Aikido Device Protection configuration profile

  1. Download the Aikido .mobileconfig file.

  2. In Rippling, go to ITDevice ManagementConfigurations and select the macOS tab.

  3. Click Upload.

  4. Enter a Policy name (e.g. "Aikido Device Protection").

  5. Set Platform to macOS.

  6. Drop or select the downloaded .mobileconfig file.

  7. Click Save & continue.

Rippling requires .mobileconfig uploads to be done from a Mac. Uploading from another operating system may silently fail.

This profile allows the Aikido Device Protection system extension to load silently, enables the network content filter, and stops users from disabling background services in System Settings → Login Items.

3

Deploy the configuration profile

  1. In Configurations, switch to the Everything Else tab.

  2. Find the profile you just created.

  3. Click the three-dot menu on the right and select Deploy.

  4. Select the target employees or devices and click Save.

4

Deploy the Aikido Device Protection CA certificate

  1. In Rippling, go to ITDevice ManagementConfigurations and select the macOS tab.

  2. Click Upload, set Platform to macOS, and upload the Shared Root CA Certificate (.pem file).

  3. Click Save & continue.

  4. In Configurations, find the certificate you just uploaded, click the three-dot menu, select Deploy, and assign it to the same target employees or devices.

Verify the certificate appears on a test device before deploying the agent package.

5

Upload the Aikido Device Protection installer

  1. In Rippling, go to ITSoftware.

  2. Click Upload Software.

  3. Fill in the following fields:

    • Name: Aikido Device Protection

    • Operating System: macOS

    • Description: Aikido Device Protection

  4. Under Upload Installer File, drop or select the Aikido Device Protection .pkg file.

  5. Under Pre-install script, paste the script below. Replace AIK_SAFE_CHAIN_TOKEN with your real token.

#!/bin/zsh
echo "AIK_SAFE_CHAIN_TOKEN" > /tmp/aikido_endpoint_token.txt

  1. Click Submit.

  2. Click Add on the newly created software item, then click Finished Selecting.

6

Deploy in the right order

Order matters. Both the configuration profile and the CA certificate must reach the device before the pkg. If the pkg installs first, macOS can ask the user for extra permissions.

  1. Confirm the Aikido Device Protection configuration profile is installed on a test device.

  2. Confirm the Aikido Device Protection CA certificate is installed on a test device.

  3. Find the Aikido Device Protection software item under ITSoftware, click Edit, select the target employees or devices, and click Save.

Newly created software items in Rippling may stay in a "Pending" status for a few minutes before they can be deployed.

7

Reboot devices after installation

  1. In Rippling, go to ITDevices.

  2. Select the target devices and choose Restart from the bulk actions menu (or open an individual device and select Restart from device actions).

The agent fully activates on the next boot.

8

Verify the deployment

On a test device, confirm:

  1. The system extension is activated:

    systemextensionsctl list | grep aikido

    Expect to see the extension marked [activated enabled].

  2. Open System SettingsGeneralLogin Items & Extensions and confirm the Aikido Device Protection entries cannot be toggled off.

Troubleshooting

Problem
Fix

Users still see the popup

Make sure the configuration profile is scoped correctly and installed before the package policy runs

Extension is waiting for user approval

Check the System Extensions payload and confirm the team ID and bundle ID match exactly

The package installs but the device does not connect

Confirm the token script ran before the package install and that the token was copied correctly

Duplicate extension entries appear

Reboot the device

The content filter is not approved silently

Re-upload the .mobileconfig profile and verify it is installed on the device

Last updated

Was this helpful?