Deploy Aikido Device Protection with Addigy

What you'll need

Before starting, make sure you have the following from the Aikido Device Protection dashboard:

• Your Device Protection Token (copied from the user group selector)

• The Shared Root CA Certificate (.pem file — downloaded in the dashboard)

• The Aikido Device Protection installer (.pkg file — downloaded in the dashboard)

If you're missing any of these, go back to the Aikido Device Protection dashboard, click Connect Device, and complete the pre-flight steps.

Add the Aikido Device Protection configuration profile

1. Download the Aikido .mobileconfig file.

2. In the Addigy console, go to Catalog → Device Settings.

3. Click New, then select Custom Profile.

4. Upload the downloaded .mobileconfig file and give the profile a name (e.g. "Aikido Device Protection").

5. Click Save.

6. Click the three dots (...) next to the profile, select Assignments, choose your target policy, and click Save.

This profile allows the Aikido Device Protection system extension to load silently, enables the network content filter, and stops users from disabling background services in System Settings → Login Items.

Deploy the Aikido Device Protection CA certificate

1. In the Addigy console, go to Catalog → Device Settings.

2. Click New, then select Certificates.

3. Enter a payload name (e.g. "Aikido Device Protection CA") and upload the Shared Root CA Certificate (.pem file).

4. Click Save.

5. Click the three dots (...) next to the certificate profile, select Assignments, choose the same target policy, and click Save.

Upload and configure the Aikido Device Protection installer

1. In the Addigy console, go to Catalog → Software → Smart Software.

2. Click New and give the item a name (e.g. "Aikido Device Protection").

3. Click Select File(s) to open the File Manager and upload the Aikido Device Protection .pkg.

4. Select the uploaded file to attach it to the item.

5. Click Auto-fill under Install Command — Addigy generates the installer command automatically.

6. Prepend the following lines to the auto-filled install command, replacing AIK_SAFE_CHAIN_TOKEN with your real token:

# Write the token so the agent registers with the correct user group
echo "AIK_SAFE_CHAIN_TOKEN" > /tmp/aikido_endpoint_token.txt
# Signals the installer to run completely silently, with no user prompts
touch /tmp/aikido_endpoint_mdm_install.txt

1. Click Save.

2. Click the three dots (...) next to the Smart Software item, select Assignments, choose the same target policy, and click Save.

Deploy in the right order

Deploy the configuration profile and CA certificate before the installer for a smoother rollout.

1. Verify the Aikido Device Protection configuration profile is installed: open the profile in Catalog → Device Settings and confirm the assignment status shows all target devices.

2. Verify the Aikido Device Protection CA certificate is installed: do the same for the certificate profile.

3. Only after both profiles are confirmed on all target devices, trigger the Aikido Device Protection Smart Software deployment by assigning it to the policy (or letting the next policy check-in run).

Reboot devices after installation

Restart your target devices after the agent installation completes. In Addigy, you can do this per device via GoLive → Device Status → Device Commands → Restart. The agent fully activates on the next boot.

Verify the deployment

On a test device, confirm:

1. The system extension is activated:

   Copy

   systemextensionsctl list | grep aikido

   Expect to see the extension marked [activated enabled].

2. Open System Settings → General → Login Items & Extensions and confirm the Aikido Device Protection entries cannot be toggled off.