Deploy Aikido Device Protection with Fleet

Use Fleet to deploy Aikido Device Protection across your managed macOS fleet with the required permissions in place.

Installation

1. What you'll need

Before starting, make sure you have the following from the Aikido Device Protection dashboard:

  • Your Device Protection Token (copied from the user group selector)

  • The Shared Root CA Certificate (.pem file — downloaded in the dashboard)

  • The Aikido Device Protection installer (.pkg file — downloaded in the dashboard)

If you're missing any of these, go back to the Aikido Device Protection dashboard, click Connect Device, and complete the pre-flight steps.

2. Add the Aikido Device Protection configuration profile

  1. In the Fleet console, go to Controls → OS settings → Configuration profiles.

  2. Select your target fleet from the dropdown in the upper-left corner.

  3. Click Add profile and upload the downloaded .mobileconfig file. Fleet signs it automatically.

  4. Monitor deployment status by hovering over the profile row and clicking the (i) icon — profiles move from Verifying to Verified within approximately one hour.

This profile allows the Aikido Device Protection system extension to load silently, enables the network content filter, and stops users from disabling background services in System Settings → Login Items.

3. Deploy the Aikido Device Protection CA certificate

Fleet deploys static CA certificates as a configuration profile with a Certificate payload.

  1. Wrap the Shared Root CA Certificate in a .mobileconfig file with a Certificate payload. You can use Apple Configurator 2 or iMazing Profile Editor to create this profile.

  2. In the Fleet console, go to Controls → OS settings → Configuration profiles.

  3. Select the same target fleet.

  4. Click Add profile and upload the certificate .mobileconfig.
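
The wrapping step above can also be scripted. The following is an added example, not part of the Aikido or Fleet documentation: it builds a profile with a `com.apple.security.root` Certificate payload from the PEM file and returns the certificate's SHA-256 fingerprint for review. The identifier `com.example.aikido.rootca`, the display name and the script name `wrap_ca.py` are assumed values.

```python
import base64
import hashlib
import plistlib
import re
import sys
import uuid

# Assumed values (not from the vendor): use your own reverse-DNS prefix.
PROFILE_ID = "com.example.aikido.rootca"
DISPLAY_NAME = "Aikido Device Protection Root CA"
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def pem_to_der(pem_text):
    """Return the DER bytes of the single certificate in pem_text."""
    if "PRIVATE KEY" in pem_text:
        raise ValueError("file contains a private key; never ship it in a profile")
    blocks = PEM_RE.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one certificate, found {len(blocks)}")
    return base64.b64decode("".join(blocks[0].split()), validate=True)

def base_payload(payload_type, identifier):
    """Keys that both the profile and each payload inside it must carry."""
    return {"PayloadType": payload_type, "PayloadVersion": 1,
            "PayloadIdentifier": identifier,
            "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadDisplayName": DISPLAY_NAME}

def build_profile(pem_text):
    """Return (.mobileconfig XML bytes, SHA-256 hex fingerprint of the cert)."""
    der = pem_to_der(pem_text)
    cert = base_payload("com.apple.security.root", PROFILE_ID + ".cert")
    cert["PayloadContent"] = der  # DER bytes, serialised by plistlib as <data>
    profile = base_payload("Configuration", PROFILE_ID)
    profile.update(PayloadScope="System", PayloadContent=[cert])
    return plistlib.dumps(profile), hashlib.sha256(der).hexdigest()

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: wrap_ca.py ROOT_CA.pem OUTPUT.mobileconfig")
    with open(sys.argv[1]) as src:
        xml, fingerprint = build_profile(src.read())
    with open(sys.argv[2], "wb") as dst:
        dst.write(xml)
    print("SHA-256 of wrapped certificate:", fingerprint)
```

Compare the printed fingerprint with the output of `openssl x509 -in <file>.pem -noout -fingerprint -sha256` before uploading, so the root you are about to trust fleet-wide is the one you downloaded.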

4. Upload and configure the Aikido Device Protection installer

  1. In the Fleet console, go to Software in the main navigation.

  2. Select your target fleet from the dropdown in the upper-left corner.

  3. Click Add software → Custom package and upload the Aikido Device Protection .pkg.

  4. Click Advanced options and paste the following into the Pre-install script field, replacing AIK_SAFE_CHAIN_TOKEN with your real token:

    #!/bin/zsh
    # Write the token so the agent registers with the correct user group
    echo "AIK_SAFE_CHAIN_TOKEN" > /tmp/aikido_endpoint_token.txt
    # Signals the installer to run completely silently, with no user prompts
    touch /tmp/aikido_endpoint_mdm_install.txt

  5. Click Add software.

5. Deploy in the right order

Deploy the configuration profile and CA certificate before the installer for a smoother rollout.

  1. Confirm the Aikido Device Protection configuration profile shows Verified for all target hosts — check Controls → OS settings → Configuration profiles → (i).

  2. Confirm the Aikido Device Protection CA certificate profile also shows Verified.

  3. Only then install the Aikido Device Protection package: open the target host's detail page, go to Software → Library, find the package, and click Install.

6. Reboot devices after installation

Restart your target devices after the agent installation completes. The agent fully activates on the next boot.

7. Verify the deployment

On a test device, confirm:

  1. The system extension is activated:

    systemextensionsctl list | grep aikido

    Expect to see the extension marked [activated enabled].

  2. Open System Settings → General → Login Items & Extensions and confirm the Aikido Device Protection entries cannot be toggled off.

Troubleshooting

| Problem | Fix |
| --- | --- |
| Users still see the popup | Make sure the configuration profile is scoped correctly and installed before the package policy runs |
| Extension is waiting for user approval | Check the System Extensions payload and confirm the team ID and bundle ID match exactly |
| The package installs but the device does not connect | Confirm the token script ran before the package install and that the token was copied correctly |
| Duplicate extension entries appear | Reboot the device |
| The content filter is not approved silently | Re-upload the .mobileconfig profile and verify it is installed on the device |
