Deploy Aikido Device Protection with Omnissa Workspace ONE

Use Omnissa Workspace ONE UEM to deploy Aikido Device Protection across your managed macOS fleet with the required permissions in place.

All devices must be enrolled in Workspace ONE UEM before you begin.

Installation

1

What you'll need

Before starting, make sure you have the following from the Aikido Device Protection dashboard:

  • Your Device Protection Token (copied from the user group selector)

  • The Shared Root CA Certificate (.pem file — downloaded in the dashboard)

  • The Aikido Device Protection installer (.pkg file — downloaded in the dashboard)

If you're missing any of these, go back to the Aikido Device Protection dashboard, click Connect Device, and complete the pre-flight steps.

2

Add the Aikido Device Protection configuration profile

  1. In the Workspace ONE UEM console, go to Resources → Profiles and Baselines.

  2. Click Add, then Upload Profile.

  3. Select macOS and upload the downloaded .mobileconfig file.

  4. Click Save and Continue.

  5. Assign the profile to the target smart group.

  6. Click Save & Publish.

This profile allows the Aikido Device Protection system extension to load silently, enables the network content filter, and stops users from disabling background services in System Settings → Login Items.

3

Deploy the Aikido Device Protection CA certificate

  1. In the Workspace ONE UEM console, go to Resources → Profiles and Baselines.

  2. Click Add → Add Profile → macOS.

  3. Add a Credentials payload, set the credential source to Upload, and upload the Shared Root CA Certificate (.pem file).

  4. Assign it to the same smart group and click Save & Publish.

4

Create the pre-install script

  1. In the Workspace ONE UEM console, go to Resources → Scripts.

  2. Click Add and select macOS.

  3. On the General tab, give the script a name (e.g. "Aikido Device Protection Token").

  4. On the Details tab, set Script Type to Zsh and enter the script below. Replace AIK_SAFE_CHAIN_TOKEN with your real token.

    #!/bin/zsh
    # Write the token so the agent registers with the correct user group
    echo "AIK_SAFE_CHAIN_TOKEN" > /tmp/aikido_endpoint_token.txt
    # Signals the installer to run completely silently, with no user prompts
    touch /tmp/aikido_endpoint_mdm_install.txt

  5. On the Assignment tab, assign the script to the same smart group.

  6. Click Save.

  7. Run the script using Run Now and confirm it completes on your test device before you deploy the package.

Scripts require Intelligent Hub 20.10 or later on the device.

5

Upload the Aikido Device Protection installer

  1. Generate a .plist metadata file for the package using the Omnissa Admin Assistant Tool — drag and drop the .pkg onto the tool.

  2. In the Workspace ONE UEM console, go to Resources → Apps → Native → Internal.

  3. From the Add dropdown, select Application File.

  4. Upload the Aikido Device Protection .pkg and click Save, then Continue.

  5. Upload the generated .plist metadata file and click Save, then Continue.

  6. Assign the app to the same smart group and publish.

6

Deploy in the right order

Deploy the configuration profile and CA certificate before the installer for a smoother rollout.

  1. Save and publish the Aikido Device Protection configuration profile.

  2. Save and publish the Aikido Device Protection CA certificate profile.

  3. Verify both are installed on a test device — Workspace ONE doesn't guarantee delivery order within a smart group.

  4. Run the pre-install script to write the token and confirm it completes.

  5. Publish the Aikido Device Protection app.

7

Reboot devices after installation

  1. In the Workspace ONE UEM console, go to Devices → List View.

  2. Filter to the target smart group, select all devices, and click More Actions → Restart.

The agent fully activates on the next boot.

8

Verify the deployment

On a test device, confirm:

  1. The system extension is activated:

    systemextensionsctl list | grep aikido

    Expect to see the extension marked [activated enabled].

  2. Open System Settings → General → Login Items & Extensions and confirm the Aikido Device Protection entries cannot be toggled off.
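
The first check above can be scripted so the result maps straight onto the Troubleshooting entries. This is an added example, not code from Aikido or Omnissa; the function name, the status strings and the sample rows (placeholder team ID and bundle ID) are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not Aikido's or Omnissa's code.
# Classifies the Aikido rows of `systemextensionsctl list` read from stdin.
# On a test Mac:  systemextensionsctl list | check_aikido_extension

check_aikido_extension() {
    # Same filter as the page's grep, made case-insensitive.
    rows=$(grep -i 'aikido' || true)
    if [ -z "$rows" ]; then
        echo "missing: no Aikido extension listed"
        return 1
    fi
    total=$(printf '%s\n' "$rows" | grep -c '')
    active=$(printf '%s\n' "$rows" | grep -c '\[activated enabled\]' || true)
    waiting=$(printf '%s\n' "$rows" | grep -c 'waiting for user' || true)

    if [ "$waiting" -gt 0 ]; then
        # Troubleshooting entry: "Extension is waiting for user approval"
        echo "waiting-for-user: check team ID and bundle ID in the System Extensions payload"
        return 2
    fi
    if [ "$active" -eq 0 ]; then
        echo "not-activated: no row is [activated enabled]"
        return 3
    fi
    if [ "$total" -gt 1 ]; then
        # Troubleshooting entry: "Duplicate extension entries appear"
        echo "duplicate-entries: reboot the device"
        return 4
    fi
    echo "ok: [activated enabled]"
    return 0
}

# Constructed sample rows (placeholder team ID and bundle ID, not real values).
SAMPLE_OK='*  *  TEAMIDXXXX  com.example.aikido-placeholder.ext (1.0/1)  Aikido  [activated enabled]'
SAMPLE_WAITING='   *  TEAMIDXXXX  com.example.aikido-placeholder.ext (1.0/1)  Aikido  [activated waiting for user]'
SAMPLE_DUP="$SAMPLE_OK
*  *  TEAMIDXXXX  com.example.aikido-placeholder.ext (0.9/1)  Aikido  [terminated waiting to uninstall on reboot]"
```

The non-zero return codes let a Workspace ONE script or sensor report the failure class instead of a bare pass or fail.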

Troubleshooting

| Problem | Fix |
| --- | --- |
| Users still see the popup | Make sure the configuration profile is scoped correctly and installed before the package policy runs |
| Extension is waiting for user approval | Check the System Extensions payload and confirm the team ID and bundle ID match exactly |
| The package installs but the device does not connect | Confirm the token script ran before the package install and that the token was copied correctly |
| Duplicate extension entries appear | Reboot the device |
| The content filter is not approved silently | Re-upload the .mobileconfig profile and verify it is installed on the device |
