Deploy Aikido Device Protection with Mosyle

Use Mosyle Business to deploy Aikido Device Protection across your managed macOS fleet with the required permissions in place.

Installation

Step 1: What you'll need

Before starting, make sure you have the following from the Aikido Device Protection dashboard:

  • Your Device Protection Token (copied from the user group selector)

  • The Shared Root CA Certificate (.pem file — downloaded in the dashboard)

  • The Aikido Device Protection installer (.pkg file — downloaded in the dashboard)

If you're missing any of these, go back to the Aikido Device Protection dashboard, click Connect Device, and complete the pre-flight steps.

Step 2: Add the Aikido Device Protection configuration profile

  1. In the Mosyle admin console, go to Management → Manage macOS → Management Profiles (sidebar).

  2. Click "Certificates / Custom Profiles" and give it a name (e.g. "Aikido Device Protection").

  3. Upload the downloaded .mobileconfig file via Select File.

  4. Under Add Assignment, select your target device group with System scope.

  5. Click Save.

This profile allows the Aikido Device Protection system extension to load silently, enables the network content filter, and stops users from disabling background services in System Settings → Login Items.

Step 3: Deploy the Aikido Device Protection CA certificate

  1. In the same view as Step 2, under Management Profiles in the sidebar, click Certificates / Custom Profiles again.

  2. Give it a name (e.g. "Aikido Device Protection Certificate") and upload the Shared Root CA Certificate (.pem file) via Select File.

  3. Under Add Assignment, select the same target device group with System scope.

  4. Click Save.

Step 4: Create the pre-install token script

  1. In the same view as Step 3, under Management Profiles in the sidebar, click Custom Commands.

  2. Give the profile a name (e.g. "Aikido Device Protection - token").

  3. On the Code tab, click the code box, select Free Scripting, and paste the script below. Replace AIK_SAFE_CHAIN_TOKEN with your real token.

    #!/bin/zsh
    # Write the token so the agent registers with the correct user group
    echo "AIK_SAFE_CHAIN_TOKEN" > /tmp/aikido_endpoint_token.txt
    # Signals the installer to run completely silently, with no user prompts
    touch /tmp/aikido_endpoint_mdm_install.txt

  4. Save the script.

  5. On the Execution Settings tab, set Schedule to Only when saving the profile.

  6. Under Add Assignment, select the same target device group.

  7. Click Save.

Custom Commands run as root. Before moving to the next step, open the Custom Command profile and click View Results to confirm all target devices show a successful run.
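
A local spot check for a test device, added here as an example and not part of Aikido's or Mosyle's own tooling: it confirms that the two files written by the Step 4 script exist and that the token is not still the placeholder. The function name, the optional directory argument and the assumption that a valid token contains no whitespace are illustrative; the file names come from the script above.

```shell
#!/bin/sh
# Added example (not vendor code): verify the pre-install files from Step 4.
# check_aikido_preinstall is a hypothetical helper; the optional directory
# argument exists only so the check can be exercised outside /tmp.
check_aikido_preinstall() {
    dir="${1:-/tmp}"
    token_file="$dir/aikido_endpoint_token.txt"
    marker_file="$dir/aikido_endpoint_mdm_install.txt"

    # Both paths must be regular files, not symlinks (/tmp is world-writable).
    for f in "$token_file" "$marker_file"; do
        if [ -L "$f" ] || [ ! -f "$f" ]; then
            echo "FAIL: $f is missing or not a regular file" >&2
            return 1
        fi
    done

    # Read the value without ever printing it to the log.
    token="$(cat "$token_file")"
    if [ -z "$token" ]; then
        echo "FAIL: token file is empty" >&2
        return 2
    fi
    # The literal placeholder means the script was pasted without editing.
    if [ "$token" = "AIK_SAFE_CHAIN_TOKEN" ]; then
        echo "FAIL: token file still contains the placeholder" >&2
        return 3
    fi
    # Assumption: a valid token has no whitespace, so any whitespace
    # points to a bad copy and paste.
    stripped="$(printf '%s' "$token" | tr -d '[:space:]')"
    if [ "$token" != "$stripped" ]; then
        echo "FAIL: token contains whitespace" >&2
        return 4
    fi
    echo "OK: token and MDM marker files are in place"
    return 0
}
```

Call `check_aikido_preinstall` with no arguments on the device to inspect /tmp; a non-zero return code identifies which check failed.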

Step 5: Upload and deploy the Aikido Device Protection installer

  1. In the same view as Step 3, under Management Profiles in the sidebar, click Install PKG.

  2. Select "Already have a .PKG".

  3. On "Host your .PKG file", select "Automatically set App info".

  4. Enter the public URL "https://github.com/AikidoSec/safechain-internals/releases/latest/download/EndpointProtection.pkg" and enable "This app is Signed" and "Install as Managed", then continue with "Add Enterprise App".

  5. Give the profile a name (e.g. "Aikido Device Protection - Pkg").

  6. Under Add Assignment, select the same target device group.

  7. Click Save.

Step 6: Deploy in the right order

Deploy the configuration profile and CA certificate before the installer for a smoother rollout.

  1. Confirm the Aikido Device Protection configuration profile is installed: open the profile and click View Results. All target devices should show green.

  2. Confirm the Aikido Device Protection CA certificate is deployed: open the certificate profile and click View Results. All target devices should show green.

  3. Confirm the Aikido Device Protection - token Custom Command completed: open the profile and click View Results. All target devices should show a successful run.

  4. Only then save and assign the Install PKG deployment profile.

Step 7: Reboot devices after installation

Restart your target devices after confirming the agent package has installed — check View Results on the Install PKG profile first. The agent fully activates on the next boot.

Step 8: Verify the deployment

On a test device, confirm:

  1. The system extension is activated:

    systemextensionsctl list | grep aikido

    Expect to see the extension marked [activated enabled].

  2. Open System Settings → General → Login Items & Extensions and confirm the Aikido Device Protection entries cannot be toggled off.
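
The grep in item 1 only shows matching lines; the sketch below, an added example that is not Aikido's or Mosyle's own code, turns that output into a pass/fail result and maps the failure states to the fixes listed under Troubleshooting. The function name, exit codes and sample lines are assumptions; the team ID and bundle ID in the sample are placeholders, not Aikido's real identifiers.

```shell
#!/bin/sh
# Added example (not vendor code). classify_aikido_extension is a hypothetical
# helper that reads `systemextensionsctl list` output on stdin.
# Exit codes: 0 active, 1 absent, 2 awaiting approval, 3 duplicates, 4 other.
# Usage on a device: systemextensionsctl list | classify_aikido_extension
classify_aikido_extension() {
    # Keep only the Aikido entries; match case-insensitively.
    entries="$(grep -i 'aikido' || true)"
    if [ -z "$entries" ]; then
        echo "No Aikido extension listed: check the Install PKG results"
        return 1
    fi
    # The configuration profile did not pre-approve the extension.
    if printf '%s\n' "$entries" | grep -q 'waiting for user'; then
        echo "Awaiting user approval: check team ID and bundle ID in the profile"
        return 2
    fi
    # More than one entry usually means an old copy is pending removal.
    count="$(printf '%s\n' "$entries" | grep -c .)"
    if [ "$count" -gt 1 ]; then
        echo "Duplicate entries ($count): reboot the device"
        return 3
    fi
    if printf '%s\n' "$entries" | grep -q '\[activated enabled\]'; then
        echo "Extension is activated and enabled"
        return 0
    fi
    echo "Unexpected state: $entries"
    return 4
}

# Constructed sample lines in the layout of the tool's output; the team ID
# and bundle ID are placeholders, not Aikido's real values.
SAMPLE_DUPLICATE="$(printf '%s\n' \
  '* * TEAMID0000 com.example.aikido.ext (1.0/1) Example [activated enabled]' \
  '  * TEAMID0000 com.example.aikido.ext (0.9/1) Example [terminated waiting to uninstall on reboot]')"
```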

Troubleshooting

Problem: Users still see the popup
Fix: Make sure the configuration profile is scoped correctly and installed before the package policy runs

Problem: Extension is waiting for user approval
Fix: Check the System Extensions payload and confirm the team ID and bundle ID match exactly

Problem: The package installs but the device does not connect
Fix: Confirm the token script ran before the package install and that the token was copied correctly

Problem: Duplicate extension entries appear
Fix: Reboot the device

Problem: The content filter is not approved silently
Fix: Re-upload the .mobileconfig profile and verify it is installed on the device
