Deploy Aikido Device Protection with SimpleMDM

What you'll need

Before starting, make sure you have the following from the Aikido Device Protection dashboard:

• Your Device Protection Token (copied from the user group selector)

• The Shared Root CA Certificate (.pem file — downloaded in the dashboard)

• The Aikido Device Protection installer (.pkg file — downloaded in the dashboard)

If you're missing any of these, go back to the Aikido Device Protection dashboard, click Connect Device, and complete the pre-flight steps.

Add the Aikido Device Protection configuration profile

1. Download the Aikido .mobileconfig file.

2. In SimpleMDM, go to Profiles and click New Profile.

3. Select Custom Configuration Profile as the profile type.

4. Give it a name (e.g. "Aikido Device Protection").

5. Upload the downloaded .mobileconfig file, or open it in a text editor and paste its XML contents.

6. Click Create Profile.

This profile allows the Aikido Device Protection system extension to load silently, enables the network content filter, and stops users from disabling background services in System Settings → Login Items.

Deploy the Aikido Device Protection CA certificate

1. Convert the Shared Root CA Certificate from .pem to .crt:

openssl x509 -outform der -in your-cert.pem -out your-cert.crt

1. Create a .mobileconfig profile containing a Certificates payload with the .crt file embedded. You can do this with Apple Configurator 2 (free from the Mac App Store): open it, create a new profile, add a Certificates payload, import your .crt file, and export as .mobileconfig.

2. In SimpleMDM, go to Profiles → New Profile → Custom Configuration Profile.

3. Give it a name (e.g. "Aikido Device Protection Certificate").

4. Upload the exported .mobileconfig file.

5. Click Create Profile.

Create the pre-install token script

SimpleMDM runs scripts separately from package installs, so you must run this script and confirm it completes on all target devices before deploying the package.

1. In SimpleMDM, go to Scripts and click New Script.

2. Give it a name (e.g. "Aikido Device Protection Token").

3. Paste the script below. Replace AIK_SAFE_CHAIN_TOKEN with your real token.

#!/bin/zsh
# Write the token so the agent registers with the correct user group
echo "AIK_SAFE_CHAIN_TOKEN" > /tmp/aikido_endpoint_token.txt
# Signals the installer to run completely silently, with no user prompts
touch /tmp/aikido_endpoint_mdm_install.txt

1. Set Run As to Root.

2. Click Save Script.

Upload the Aikido Device Protection installer

1. In SimpleMDM, go to Apps and click Add App.

2. Select macOS Package.

3. Upload the Aikido Device Protection .pkg file.

4. Click Save App.

Do not assign this app to your devices yet — wait until the profiles and token script are confirmed deployed in the next step.

Deploy in the right order

Deploy the configuration profile and CA certificate before the installer for a smoother rollout.

1. Go to Devices → Groups and select your target device group.

2. On the Profiles tab, assign both the Aikido Device Protection configuration profile and the Aikido Device Protection Certificate profile.

3. Go to Scripts, open the Aikido Device Protection Token script, and click New Job.

4. Scope the job to the same device group and run it. Wait for all devices to report a successful run before continuing.

5. Back in the device group, open the Apps tab and assign the Aikido Device Protection package.

Reboot devices after installation

1. In SimpleMDM, go to Devices and select each target device.

2. Click Actions and select Restart.

The agent fully activates on the next boot.

Verify the deployment

On a test device, confirm:

1. The system extension is activated:

   Copy

   systemextensionsctl list | grep aikido

   Expect to see the extension marked [activated enabled].

2. Open System Settings → General → Login Items & Extensions and confirm the Aikido Device Protection entries cannot be toggled off.