Deploy Aikido Device Protection with Miradore

Use Miradore to deploy Aikido Device Protection across your managed macOS fleet with the required permissions in place.

Deploying packages and scripts requires a Miradore Premium or Premium+ subscription.

Installation

1. What you'll need

Before starting, make sure you have the following from the Aikido Device Protection dashboard:

  • Your Device Protection Token (copied from the user group selector)

  • The Shared Root CA Certificate (.pem file — downloaded in the dashboard)

  • The Aikido Device Protection installer (.pkg file — downloaded in the dashboard)

If you're missing any of these, go back to the Aikido Device Protection dashboard, click Connect Device, and complete the pre-flight steps.

2. Add the Aikido Device Protection configuration profile

  1. In the Miradore admin console, go to Management → Configuration profiles.

  2. Click Add → macOS → Advanced (custom).

  3. Upload the downloaded .mobileconfig file.

  4. Click Save.

This profile allows the Aikido Device Protection system extension to load silently, enables the network content filter, and stops users from disabling background services in System Settings → Login Items.

3. Deploy the Aikido Device Protection CA certificate

  1. In the Miradore admin console, go to Management → Configuration profiles.

  2. Click Add → macOS → Certificate.

  3. Upload the Shared Root CA Certificate (.pem file) and click Save.

4. Create the pre-install token script

Miradore runs scripts as separate application items. Create a script that writes the token to disk before the package installs.

  1. In the Miradore admin console, go to Management → Applications.

  2. Click Add → macOS application → Script → Next.

  3. Give it a name (e.g. "Aikido Device Protection - token").

  4. Paste the script below into the Script field. Replace AIK_SAFE_CHAIN_TOKEN with your real token.

    #!/bin/zsh
    # Write the token so the agent registers with the correct user group
    echo "AIK_SAFE_CHAIN_TOKEN" > /tmp/aikido_endpoint_token.txt
    # Signals the installer to run completely silently, with no user prompts
    touch /tmp/aikido_endpoint_mdm_install.txt

  5. Click Create.

5. Upload the Aikido Device Protection installer

  1. In the Miradore admin console, go to Management → Applications.

  2. Click Add → macOS application → PKG (Uploaded) → Next.

  3. Click Select file and upload the Aikido Device Protection .pkg.

  4. Fill in the required fields:

    • Application name (e.g. "Aikido Device Protection")

    • Bundle identifier (e.g. dev.aikido.endpoint)

    • Version

  5. Click Create and wait for the package to finish processing before continuing.

6. Reboot devices after installation

Restart your target devices after the agent installation completes. The agent fully activates on the next boot.

7. Deploy in the right order using a Business Policy

Use a Business Policy to deploy all five items in the correct order.

  1. In the Miradore admin console, go to Management → Business policies.

  2. Click Add, give the policy a name, and set its status to Disabled.

  3. Add all five items to the policy: the configuration profile, the CA certificate, the token script, the .pkg, and the restart script.

  4. Set the deployment order using item dependencies:

    • Select the CA certificate, click Actions → Edit item dependency, and set the configuration profile as its dependency.

    • Select the token script, click Actions → Edit item dependency, and set the CA certificate as its dependency.

    • Select the .pkg, click Actions → Edit item dependency, and set the token script as its dependency.

    • Select the restart script, click Actions → Edit item dependency, and set the .pkg as its dependency.

  5. Assign the policy to your target devices using tags.

  6. Set the policy status to Enabled.

Miradore only supports one dependency per item. The chain must be: configuration profile → CA certificate → token script → package → restart script.

8. Verify the deployment

On a test device, confirm:

  1. The system extension is activated:

    systemextensionsctl list | grep aikido

    Expect to see the extension marked [activated enabled].

  2. Open System Settings → General → Login Items & Extensions and confirm the Aikido Device Protection entries cannot be toggled off.

  3. To review deployment status, go to Management → Action log and filter by "Business policy" in the Sender field.
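
A scripted form of the first check, as an added example that is not part of Aikido's or Miradore's own documentation: it sorts the `systemextensionsctl list` output into the outcomes the troubleshooting table on this page describes. The tab-separated column layout, the state strings other than [activated enabled], and the placeholder team and bundle IDs in the constructed sample row are assumptions about macOS output, not values taken from this page.

```shell
#!/bin/sh
# Added example: classify `systemextensionsctl list` output for Aikido entries.
# Prints one of: ok | pending-approval | not-activated | duplicate | missing

classify_sysext() {
    # Input (stdin): the tab-separated listing. Field 4 is "bundleID (version)".
    awk -F'\t' '
        tolower($0) ~ /aikido/ && /\[.*\]/ {
            split($4, id, " ")          # id[1] = bundle ID without the version
            seen[id[1]]++
            rows++
            if ($0 ~ /\[activated enabled\]/)          enabled++
            if ($0 ~ /\[activated waiting for user\]/) waiting++
        }
        END {
            for (b in seen) if (seen[b] > 1) dup = 1
            if (!rows)         print "missing"            # no Aikido extension listed
            else if (waiting)  print "pending-approval"   # not approved silently
            else if (!enabled) print "not-activated"
            else if (dup)      print "duplicate"          # same bundle ID listed twice
            else               print "ok"
        }'
}

# Constructed sample row for testing; team ID and bundle ID are placeholders.
# $1 = version string, $2 = state text without the brackets.
sample_row() {
    printf '*\t*\tTEAMID0000\tcom.example.aikido.ext (%s)\tAikido Example\t[%s]\n' "$1" "$2"
}

# Run against the real listing only where the tool exists (macOS).
if command -v systemextensionsctl >/dev/null 2>&1; then
    status=$(systemextensionsctl list | classify_sysext)
    echo "Aikido system extension: $status"
    # A non-zero exit signals a failed check to whatever runs this script.
    [ "$status" = "ok" ] || exit 1
fi
```

A result of `pending-approval` or `duplicate` maps to the matching row of the troubleshooting table; `missing` means no Aikido entry was listed at all.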

Troubleshooting

| Problem | Fix |
| --- | --- |
| Users still see the popup | Make sure the configuration profile is scoped correctly and installed before the package policy runs |
| Extension is waiting for user approval | Check the System Extensions payload and confirm the team ID and bundle ID match exactly |
| The package installs but the device does not connect | Confirm the token script ran before the package install and that the token was copied correctly |
| Duplicate extension entries appear | Reboot the device |
| The content filter is not approved silently | Re-upload the .mobileconfig profile and verify it is installed on the device |
