Deploy Aikido Device Protection with Primo

Use Primo to deploy Aikido Device Protection across your managed macOS fleet with the required permissions in place.

All devices must be enrolled in Primo MDM before you begin.

Installation

1. What you'll need

Before starting, make sure you have the following from the Aikido Device Protection dashboard:

  • Your Device Protection Token (copied from the user group selector)

  • The Shared Root CA Certificate (.pem file — downloaded in the dashboard)

  • The Aikido Device Protection installer (.pkg file — downloaded in the dashboard)

If you're missing any of these, go back to the Aikido Device Protection dashboard, click Connect Device, and complete the pre-flight steps.

2. Add the Aikido Device Protection configuration profile

  1. In the Primo admin console, go to MDM → Controls.

  2. Click Add control, select Custom file, and upload the downloaded .mobileconfig file.

  3. Give it a name (e.g. "Aikido Device Protection").

  4. Apply it to your target device group and save.

This profile allows the Aikido Device Protection system extension to load silently, enables the network content filter, and stops users from disabling background services in System Settings → Login Items.

3. Deploy the Aikido Device Protection CA certificate

Primo's custom file upload only accepts .mobileconfig files for macOS. You need to wrap the CA certificate in a configuration profile before uploading.

Wrap the certificate in a profile

  1. Download and open iMazing Profile Editor (free).

  2. Create a new macOS profile.

  3. Add a Certificates payload.

  4. Import the Shared Root CA Certificate (.pem file).

  5. Save the profile as a .mobileconfig file.
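
What a profile with a single root-certificate payload looks like on disk, as an added example that is not Aikido's, Primo's or iMazing's own tooling: this shell function builds one directly from the .pem and refuses input that is not exactly one certificate. The function name, the com.example identifier and the PROFILE_IDENTIFIER / PROFILE_UUID / PAYLOAD_UUID variables are assumptions made for this example; com.apple.security.root is Apple's payload type for a root certificate.

```shell
#!/bin/sh
# Added example: wrap one PEM root certificate in a macOS .mobileconfig.
# com.example.* identifiers and the *_UUID variables are placeholders.
wrap_ca_profile() {
    pem=$1; out=$2
    ident=${PROFILE_IDENTIFIER:-com.example.device-protection-ca}
    # A trust-anchor profile should carry exactly one certificate and no key.
    if grep -q 'PRIVATE KEY' "$pem"; then
        echo "refusing: $pem contains a private key" >&2; return 1
    fi
    count=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$pem" || true)
    [ "$count" = 1 ] || { echo "expected 1 certificate, found ${count:-0}" >&2; return 1; }
    # The PEM body is already base64-encoded DER, which is what <data> holds.
    body=$(sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' "$pem" |
        grep -v -- '-----' | tr -d ' \t\r')
    profile_uuid=${PROFILE_UUID:-$(uuidgen)}
    payload_uuid=${PAYLOAD_UUID:-$(uuidgen)}
    cat > "$out" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>$ident</string>
  <key>PayloadUUID</key><string>$profile_uuid</string>
  <key>PayloadDisplayName</key><string>Aikido Device Protection CA</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>$ident.root</string>
      <key>PayloadUUID</key><string>$payload_uuid</string>
      <key>PayloadDisplayName</key><string>Shared Root CA</string>
      <key>PayloadContent</key>
      <data>
$body
      </data>
    </dict>
  </array>
</dict>
</plist>
EOF
}
# Usage: sh wrap_ca.sh shared-root-ca.pem aikido-ca.mobileconfig
if [ "$#" -eq 2 ]; then wrap_ca_profile "$1" "$2"; fi
```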

Upload to Primo

  1. In the Primo admin console, go to MDM → Controls.

  2. Click Add control, select Custom file, and upload the .mobileconfig you just created.

  3. Give it a name (e.g. "Aikido Device Protection CA").

  4. Apply it to the same target device group and save.

4. Create the pre-install token script

Primo does not have a built-in pre-install hook for PKG deployments. Use the script runner to write the token to disk before the package installs.

  1. In the Primo admin console, go to MDM → Controls → Scripts.

  2. Click Add script and give it a name (e.g. "Aikido Device Protection — token").

  3. Paste the script below. Replace AIK_SAFE_CHAIN_TOKEN with your real token.

    #!/bin/zsh
    # Write the token so the agent registers with the correct user group
    echo "AIK_SAFE_CHAIN_TOKEN" > /tmp/aikido_endpoint_token.txt
    # Signals the installer to run completely silently, with no user prompts
    touch /tmp/aikido_endpoint_mdm_install.txt

  4. Run the script on your target device group.

  5. Wait for the run to complete before continuing: check the script run results to confirm all target devices show success.

5. Upload the Aikido Device Protection installer

  1. In the Primo admin console, go to MDM → Software.

  2. Click Add app and select Custom app.

  3. Upload the Aikido Device Protection .pkg file.

  4. Do not enable Install automatically yet — only enable it after confirming the previous steps have completed on all target devices.

  5. Click Add software.

6. Deploy in the right order

Deploy the configuration profile and CA certificate before the installer for a smoother rollout. The token file must also exist before the installer runs.

  1. Confirm the Aikido Device Protection configuration profile is installed on all target devices — check the control status in MDM → Controls.

  2. Confirm the Aikido Device Protection CA certificate profile is installed on all target devices.

  3. Confirm the Aikido Device Protection — token script has run successfully on all target devices.

  4. Only then open the Aikido Device Protection custom app in MDM → Software, enable Install automatically, and save.
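
A pre-flight check for the token requirement above, as an added example rather than Aikido's or Primo's own script: it can be run on a device before Install automatically is enabled. The two file names are the ones the token script on this page writes; the function name and the directory argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: verify the staged token before the installer is allowed to run.
# File names come from the token script on this page; everything else is illustrative.
check_token_staging() {
    dir=${1:-/tmp}
    token_file=$dir/aikido_endpoint_token.txt
    flag_file=$dir/aikido_endpoint_mdm_install.txt

    for f in "$token_file" "$flag_file"; do
        # /tmp is writable by every local user, so accept only regular files
        # (no symlinks) that group and others cannot modify.
        if [ -L "$f" ] || [ ! -f "$f" ]; then
            echo "FAIL: $f is missing or not a regular file"; return 1
        fi
        if [ -n "$(find "$f" -prune \( -perm -0020 -o -perm -0002 \))" ]; then
            echo "FAIL: $f is group- or world-writable"; return 1
        fi
    done

    token=$(cat "$token_file")
    case $token in
        '')
            echo "FAIL: token file is empty"; return 1 ;;
        AIK_SAFE_CHAIN_TOKEN)
            echo "FAIL: placeholder was not replaced with the real token"; return 1 ;;
    esac
    # Report only the length so the token itself never lands in script run logs.
    echo "OK: token staged (${#token} characters)"
}

# Usage: sh check_token.sh /tmp   (exit status is the result of the check)
if [ "$#" -ge 1 ]; then check_token_staging "$1"; fi
```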

7. Reboot devices after installation

Restart your target devices after confirming the agent package has installed on all devices. The agent fully activates on the next boot.

8. Verify the deployment

On a test device, confirm:

  1. The system extension is activated:

    systemextensionsctl list | grep aikido

    Expect to see the extension marked [activated enabled].

  2. Open System Settings → General → Login Items & Extensions and confirm the Aikido Device Protection entries cannot be toggled off.

Troubleshooting

Problem: Users still see the popup
Fix: Make sure the configuration profile is scoped correctly and installed before the package policy runs

Problem: Extension is waiting for user approval
Fix: Check the System Extensions payload and confirm the team ID and bundle ID match exactly

Problem: The package installs but the device does not connect
Fix: Confirm the token script ran before the package install and that the token was copied correctly

Problem: Duplicate extension entries appear
Fix: Reboot the device

Problem: The content filter is not approved silently
Fix: Re-upload the .mobileconfig profile and verify it is installed on the device
