Deploy Aikido Device Protection with Hexnode

What you'll need

Before starting, make sure you have the following from the Aikido Device Protection dashboard:

• Your Device Protection Token (copied from the user group selector)

• The Shared Root CA Certificate (.pem file -- downloaded in the dashboard)

• The Aikido Device Protection installer (.pkg file -- downloaded in the dashboard)

If you're missing any of these, go back to the Aikido Device Protection dashboard, click Connect Device, and complete the pre-flight steps.

Add the Aikido Device Protection configuration profile

1. Download the Aikido .mobileconfig file.

2. In your Hexnode portal, go to Policies and create a new blank policy for macOS.

3. Under the macOS tab, go to Configurations and click Configure next to Deploy Custom Configuration.

4. Click Upload and select the downloaded .mobileconfig file.

5. Go to Policy Targets, assign the policy to the target devices or device groups, and save.

This profile allows the Aikido Device Protection system extension to load silently, enables the network content filter, and stops users from disabling background services in System Settings → Login Items.

Deploy the Aikido Device Protection CA certificate

1. In your Hexnode portal, go to Policies and create a new blank policy for macOS.

2. Under the macOS tab, go to Security and click Configure next to Certificates.

3. Click Add Certificate and upload the Shared Root CA Certificate (.pem file).

4. Go to Policy Targets, assign it to the same target devices or device groups, and save.

Upload the Aikido Device Protection installer

1. In your Hexnode portal, go to Apps → +Add Apps → Enterprise App.

2. Select macOS as the platform and upload the Aikido Device Protection .pkg file.

3. Complete the app details and save to finish adding it to your app inventory.

Create the install policy

1. In your Hexnode portal, go to Policies and create a new blank policy for macOS.

2. Under the macOS tab, go to App Management and click Configure next to Mandatory Apps.

3. Add the uploaded Aikido Device Protection app.

4. Click Configure next to the app and add a Pre-install script with the content below. Replace AIK_SAFE_CHAIN_TOKEN with your real token.

#!/bin/zsh
# Write the token so the agent registers with the correct user group
echo "AIK_SAFE_CHAIN_TOKEN" > /tmp/aikido_endpoint_token.txt
# Signals the installer to run completely silently, with no user prompts
touch /tmp/aikido_endpoint_mdm_install.txt

1. Go to Policy Targets, assign it to the same target devices or device groups, and save.

Deploy in the right order

Deploy the configuration profile and CA certificate before the installer for a smoother rollout.

1. Deploy the Aikido Device Protection configuration profile policy.

2. Deploy the Aikido Device Protection CA certificate policy.

3. Verify both have reached all target devices before continuing -- check device compliance status in the Hexnode console.

4. Deploy the Aikido Device Protection install policy.

Reboot devices after installation

1. In your Hexnode portal, go to Manage → Devices and select the target devices.

2. Choose Actions → Device Control → Restart Device.

The agent fully activates on the next boot.

Verify the deployment

On a test device, confirm:

1. The system extension is activated:

   Copy

   systemextensionsctl list | grep aikido

   Expect to see the extension marked [activated enabled].

2. Open System Settings → General → Login Items & Extensions and confirm the Aikido Device Protection entries cannot be toggled off.