Deploy Aikido Device Protection with Iru / Kandji

Use Iru / Kandji to roll out Aikido Device Protection across your organization and protect managed macOS devices with a consistent setup.

Installation

1. What you'll need

Before starting, make sure you have the following from the Aikido Device Protection dashboard:

  • Your Device Protection Token (copied from the user group selector)

  • The Shared Root CA Certificate (.pem file — downloaded in the dashboard)

  • The Aikido Device Protection installer (.pkg file — downloaded in the dashboard)

If you're missing any of these, go back to the Aikido Device Protection dashboard, click Connect Device, and complete the pre-flight steps.

2. Upload the Aikido Device Protection configuration profile to Iru

  1. In Iru, go to the Library.

  2. Upload the .mobileconfig file as a Custom Profile.

  3. Assign it to the same Blueprint as the app.

This profile allows the Aikido Device Protection system extension to load silently, enables the network content filter, and stops users from disabling background services in System Settings → Login Items.

3. Deploy the Aikido Device Protection CA certificate

  1. In Iru, go to the Library and add a new Certificate library item.

  2. Upload the Shared Root CA Certificate (.crt file).

    1. You can convert the .pem file to .crt with the following command:

        openssl x509 -outform der -in your-cert.pem -out your-cert.crt

  3. Assign it to the same Blueprint as the configuration profile.

4. Upload the Aikido Device Protection installer

  1. In Iru, add the Aikido Device Protection .pkg as a custom app.

  2. Add this preinstall script:

    #!/bin/zsh
    # Write the token so the agent registers with the correct user group
    echo "AIK_SAFE_CHAIN_TOKEN" > /tmp/aikido_endpoint_token.txt
    # Signals the installer to run completely silently, with no user prompts
    touch /tmp/aikido_endpoint_mdm_install.txt

  3. Assign the app to the same Blueprint.

5. Deploy in the right order

Deploy the configuration profile and CA certificate before the installer for a smoother rollout.

  1. Deploy the Aikido Device Protection configuration profile

  2. Deploy the Aikido Device Protection CA certificate

  3. Verify both have reached all target devices before continuing — check status in the Iru console

  4. Deploy the Aikido Device Protection app

6. Reboot devices after installation

Restart your target devices after the agent installation completes. The agent fully activates on the next boot.

7. Verify the deployment

On a test device, confirm:

  1. The system extension is activated:

    systemextensionsctl list | grep aikido

    Expect to see the extension marked [activated enabled].

  2. Open System Settings → General → Login Items & Extensions and confirm the Aikido Device Protection entries cannot be toggled off.

Troubleshooting

Problem: Users still see the popup
Fix: Make sure the Aikido Device Protection configuration profile is assigned correctly and deployed before the app.

Problem: Extension is waiting for user approval
Fix: Confirm the Aikido Device Protection configuration profile is installed on the device and reboot.

Problem: Duplicate extension entries appear
Fix: Reboot the device.

Problem: Proxy is still not approved silently
Fix: Re-upload the Aikido Device Protection configuration profile and confirm it is assigned to the same Blueprint as the app.

Problem: Users can still disable Aikido Device Protection in Login Items
Fix: Re-upload the Aikido Device Protection configuration profile and reboot the device.
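
The check from step 7, extended to tell apart the extension states named in the troubleshooting entries above. This is an added example, not part of Aikido's or Iru's documentation; the function name, the labels it prints, and the sample rows (team ID, bundle ID) are assumptions made for illustration.

```shell
#!/bin/sh
# Classify `systemextensionsctl list` output piped in on stdin.
# On a managed Mac: systemextensionsctl list | classify_aikido_extension
# Prints one of:
#   ok              one Aikido entry, marked [activated enabled]
#   missing         no Aikido entry (app not installed yet)
#   needs-approval  an entry is waiting for user approval (check the profile, reboot)
#   duplicate       several Aikido entries (reboot the device)
#   unexpected      a single entry in any other state
classify_aikido_extension() {
    # Same filter as the page's check, case-insensitive.
    # "|| true" keeps callers that use "set -e" alive when nothing matches.
    entries=$(grep -i 'aikido' || true)
    if [ -z "$entries" ]; then
        echo missing
        return 0
    fi
    count=$(printf '%s\n' "$entries" | wc -l | tr -d ' ')
    if printf '%s\n' "$entries" | grep -q 'waiting for user'; then
        echo needs-approval
    elif [ "$count" -gt 1 ]; then
        echo duplicate
    elif printf '%s\n' "$entries" | grep -q '\[activated enabled\]'; then
        echo ok
    else
        echo unexpected
    fi
}

# Constructed sample output. The team ID and bundle ID are placeholders,
# not Aikido's real values.
HEADER='--- com.apple.system_extension.network_extension
enabled active teamID bundleID (version) name [state]'
ROW_ID='TEAMID0000 com.example.aikido.extension (1.0/1) Aikido Device Protection'
SAMPLE_OK="$HEADER
* * $ROW_ID [activated enabled]"
SAMPLE_PENDING="$HEADER
  * $ROW_ID [activated waiting for user]"
SAMPLE_DUPLICATE="$HEADER
* * $ROW_ID [activated enabled]
    $ROW_ID [terminated waiting to uninstall on reboot]"

# Run the classifier over each constructed sample.
for sample in "$SAMPLE_OK" "$SAMPLE_PENDING" "$SAMPLE_DUPLICATE"; do
    printf '%s\n' "$sample" | classify_aikido_extension
done
```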
