# Deploy Aikido Device Protection with Omnissa Workspace ONE

Use Omnissa Workspace ONE UEM to deploy Aikido Device Protection across your managed macOS fleet with the required permissions in place.

{% hint style="info" %}
All devices must be enrolled in Workspace ONE UEM before you begin.
{% endhint %}

## Installation

{% hint style="warning" %}
**Deploy the configuration before the installer.** The Aikido Device Protection configuration profile must reach each device before the Aikido Device Protection `.pkg` is installed. If the package arrives first, macOS prompts the end user for extra permissions. Workspace ONE doesn't guarantee deployment order when you assign items to a smart group, so verify the profile is installed on a test device before you push the package. See the final step for the full order.
{% endhint %}

{% stepper %}
{% step %}
**Get your Aikido Device Protection token and package**

Open [Aikido Device Protection](https://app.aikido.dev/endpoint-protection/devices) and click **Connect Device**.

Download the Aikido Device Protection `.pkg` and copy your device protection token.
{% endstep %}

{% step %}
**Add the Aikido Device Protection configuration profile**

1. [Download the Aikido `.mobileconfig` file](https://raw.githubusercontent.com/AikidoSec/safechain-internals/refs/heads/main/docs/aikido-endpoint.mobileconfig).
2. In the Workspace ONE UEM console, go to **Resources** → **Profiles and Baselines**.
3. Click **Add**, then **Upload Profile**.
4. Select **macOS** and upload the downloaded `.mobileconfig` file.
5. Click **Save and Continue**.
6. Assign the profile to the target smart group.
7. Click **Save & Publish**.

This profile allows the Aikido Device Protection system extension to load silently, enables the network content filter, and stops users from disabling background services in System Settings → Login Items.
{% endstep %}

{% step %}
**Create the pre-install script**

1. In the Workspace ONE UEM console, go to **Resources** → **Scripts**.
2. Click **Add** and select **macOS**.
3. On the **General** tab, give the script a name (e.g. "Aikido Device Protection Token").
4. On the **Details** tab, set **Script Type** to **Zsh** and enter the script below. Replace `AIK_SAFE_CHAIN_TOKEN` with your real token.

```bash
#!/bin/zsh
echo "AIK_SAFE_CHAIN_TOKEN" > /tmp/aikido_endpoint_token.txt
```

5. On the **Assignment** tab, assign the script to the same smart group.
6. Click **Save**.
7. Run the script using **Run Now** and confirm it completes on your test device before you deploy the package.

{% hint style="info" %}
Scripts require Intelligent Hub 20.10 or later on the device.
{% endhint %}
{% endstep %}

{% step %}
**Upload the Aikido Device Protection installer**

1. Generate a `.plist` metadata file for the package using the Omnissa Admin Assistant Tool — drag and drop the `.pkg` onto the tool.
2. In the Workspace ONE UEM console, go to **Resources** → **Apps** → **Native** → **Internal**.
3. From the **Add** dropdown, select **Application File**.
4. Upload the Aikido Device Protection `.pkg` and click **Save**, then **Continue**.
5. Upload the generated `.plist` metadata file and click **Save**, then **Continue**.
6. Assign the app to the same smart group and publish.
{% endstep %}

{% step %}
**Deploy in the right order**

{% hint style="warning" %}
Order matters. The MDM profile must reach the device before the `.pkg` is installed. If the package arrives first, macOS prompts the end user for extra permissions.
{% endhint %}

1. Save and publish the **Aikido Device Protection** configuration profile.
2. Run the **pre-install script** to write the token and confirm it completes.
3. Publish the **Aikido Device Protection** app.

{% hint style="info" %}
Workspace ONE doesn't guarantee the order in which items assigned to a smart group are delivered. To be safe, apply the profile to a test device first, confirm it's installed, and only then deploy the package.
{% endhint %}
{% endstep %}

{% step %}
**Verify the deployment**

On a test device, confirm:

1. The system extension is activated:

   ```bash
   systemextensionsctl list | grep aikido
   ```

   Expect to see the extension marked `[activated enabled]`.
2. Open **System Settings** → **General** → **Login Items & Extensions** and confirm the Aikido Device Protection entries cannot be toggled off.
{% endstep %}
{% endstepper %}
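
The token check from the deployment order and the extension check from the verification step can be scripted for the test device. The following is an added example, not part of Aikido's or Omnissa's tooling. The function names and sample rows are constructed, the team ID and bundle ID are placeholders, and it assumes `systemextensionsctl` reports a pending extension as `[activated waiting for user]`.

```bash
#!/bin/bash
# Added example: pre-flight and post-install checks for a test device.
TOKEN_FILE="/tmp/aikido_endpoint_token.txt"   # path written by the pre-install script
PLACEHOLDER="AIK_SAFE_CHAIN_TOKEN"            # literal that must have been replaced

# Run before publishing the package: was a real token written?
token_verdict() {
  local f="${1:-$TOKEN_FILE}" value
  [ -f "$f" ] || { echo "missing"; return 1; }
  value=$(tr -d '[:space:]' < "$f")
  [ -n "$value" ] || { echo "empty"; return 1; }
  [ "$value" != "$PLACEHOLDER" ] || { echo "placeholder"; return 1; }
  echo "ok"
}

# Run after install: reads `systemextensionsctl list` output on stdin.
ext_verdict() {
  local rows count
  rows=$(grep -i 'aikido' || true)
  [ -n "$rows" ] || { echo "missing"; return 1; }
  if printf '%s\n' "$rows" | grep -q 'waiting for user'; then
    echo "needs-approval"; return 1   # profile was not in place before the package
  fi
  count=$(printf '%s\n' "$rows" | grep -c .)
  [ "$count" -eq 1 ] || { echo "duplicate"; return 1; }   # table: reboot the device
  printf '%s\n' "$rows" | grep -q '\[activated enabled\]' || { echo "inactive"; return 1; }
  echo "ok"
}

# Constructed sample rows; team ID and bundle ID are placeholders.
sample_ok() {
  printf '%s\t%s\n' '* * TEAMID0000 com.example.aikido.ext (1.0/1) Example' '[activated enabled]'
}
sample_pending() {
  printf '%s\t%s\n' '  TEAMID0000 com.example.aikido.ext (1.0/1) Example' '[activated waiting for user]'
}

if command -v systemextensionsctl >/dev/null 2>&1; then
  echo "token:     $(token_verdict)"
  echo "extension: $(systemextensionsctl list | ext_verdict)"
else
  echo "sample ok:      $(sample_ok | ext_verdict)"
  echo "sample pending: $(sample_pending | ext_verdict)"
fi
```

Each function prints a single verdict word and returns non-zero for anything other than `ok`, so it can gate the package rollout from a wrapper script.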

## Troubleshooting

| Problem                                              | Fix                                                                                                  |
| ---------------------------------------------------- | ---------------------------------------------------------------------------------------------------- |
| Users still see the popup                            | Make sure the configuration profile is scoped correctly and installed before the package policy runs |
| Extension is waiting for user approval               | Check the System Extensions payload and confirm the team ID and bundle ID match exactly              |
| The package installs but the device does not connect | Confirm the token script ran before the package install and that the token was copied correctly      |
| Duplicate extension entries appear                   | Reboot the device                                                                                    |
| The content filter is not approved silently          | Re-upload the `.mobileconfig` profile and verify it is installed on the device                       |

