# Deploy Aikido Endpoint with Jamf

Use Jamf Pro to deploy Aikido Endpoint across your managed macOS fleet with the required permissions in place.

{% hint style="info" %}
These steps use Jamf Pro. If you use Jamf School, the menus and payload names can differ.
{% endhint %}

## Installation

{% stepper %}
{% step %}

#### Get your Aikido Endpoint token and package

Open [Aikido Endpoint](https://app.aikido.dev/endpoint-protection/devices) and click **Connect Device**.

Download the Aikido Endpoint `.pkg` and copy your endpoint token.
{% endstep %}

{% step %}

#### Create the System Extensions profile in Jamf

1. In Jamf Pro, go to **Computers** → **Configuration Profiles**.
2. Create a new profile for **macOS** at the **Computer Level**.
3. Add the **System Extensions** payload.
4. Allow this system extension:
   * **Team Identifier:** `7VPF8GD6J4`
   * **System Extension Bundle Identifier:** `com.aikido.endpoint.proxy.l4.dist.extension`
5. Save the profile.
6. Scope it to the target devices.

Make sure the extension is approved silently. Users should not need to approve it manually.
{% endstep %}

{% step %}

#### Add the content filter profile

1. [Download the Aikido `.mobileconfig` file](https://raw.githubusercontent.com/AikidoSec/safechain-internals/refs/heads/main/docs/.mobileconfig).
2. In Jamf Pro, create or upload a **Configuration Profile** for macOS.
3. Upload the downloaded `.mobileconfig` file.
4. Scope it to the same devices as the system extension profile.

This profile enables the network content filter Aikido Endpoint needs.
{% endstep %}

{% step %}

#### Upload the Aikido Endpoint installer

1. In Jamf Pro, go to **Computers** → **Packages**.
2. Upload the Aikido Endpoint `.pkg`.
3. Confirm the package finishes processing before you use it in a policy.
{% endstep %}

{% step %}

#### Create the install policy

1. In Jamf Pro, go to **Computers** → **Policies**.
2. Create a new policy scoped to the same devices.
3. Add a script that writes the token before the package installs.
4. Add the uploaded Aikido Endpoint package to the policy.

Use this script. Replace `AIK_SAFE_CHAIN_TOKEN` with your real token.

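```bash
#!/bin/zsh
# Write the endpoint token where the package install picks it up.
echo "AIK_SAFE_CHAIN_TOKEN" > /tmp/aikido_endpoint_token.txt
# Create the accompanying marker file.
touch /tmp/aikido_endpoint_mdm_ca_install.txt
```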

If you use a recurring check-in trigger, make the policy available only after the profiles are scoped.
{% endstep %}

{% step %}

#### Deploy in the right order

{% hint style="warning" %}
Order matters. The configuration profiles must reach the device before or at the same time as the pkg. If the pkg installs first, macOS can ask the user for extra permissions.
{% endhint %}

1. Deploy the **System Extensions** profile.
2. Deploy the **Content Filter** profile.
3. Deploy the **Aikido Endpoint** install policy.
4. Reboot a test device if the extension state does not refresh immediately.
{% endstep %}

{% step %}

#### Verify the deployment

Run this on a test device:

```bash
systemextensionsctl list
```

Expected result:

```
* * 7VPF8GD6J4  com.aikido.endpoint.proxy.l4.dist.extension (0.1/1)  AikidoEndpointL4ProxyExtension  [activated enabled]
```
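
To run the same check across the fleet or by hand, the script below is an added example, not Aikido's code: it reads `systemextensionsctl list` output and reports whether the extension with the team ID and bundle ID from this page is activated, waiting for user approval, or duplicated. The function names, status words and sample lines are constructed for illustration.

```bash
#!/bin/bash
# Added example (not Aikido code): classify `systemextensionsctl list` output
# for the team ID and bundle ID from the System Extensions step.
TEAM_ID="7VPF8GD6J4"
BUNDLE_ID="com.aikido.endpoint.proxy.l4.dist.extension"

# Reads `systemextensionsctl list` output on stdin and prints one of:
# ok | waiting_for_user | duplicate | not_enabled | missing
aikido_ext_state() {
  awk -v team="$TEAM_ID" -v bundle="$BUNDLE_ID" '
    {
      # Compare whole fields so a look-alike bundle ID is not counted.
      hit = 0
      for (i = 1; i < NF; i++)
        if ($i == team && $(i + 1) == bundle) hit = 1
      if (!hit) next
      n++
      if (index($0, "[activated enabled]")) ok++
      else if (index($0, "waiting for user")) waiting++
    }
    END {
      if (n == 0)       print "missing"
      else if (waiting) print "waiting_for_user"
      else if (!ok)     print "not_enabled"
      else if (n > 1)   print "duplicate"
      else              print "ok"
    }'
}

# Constructed sample: the expected line from this page plus a stale entry.
sample_duplicate() {
  cat <<'EOF'
2 extension(s)
* * 7VPF8GD6J4  com.aikido.endpoint.proxy.l4.dist.extension (0.1/1)  AikidoEndpointL4ProxyExtension  [activated enabled]
    7VPF8GD6J4  com.aikido.endpoint.proxy.l4.dist.extension (0.1/1)  AikidoEndpointL4ProxyExtension  [terminated waiting to uninstall on reboot]
EOF
}

# On a Mac, print the state in the <result> form Jamf extension attributes use.
if command -v systemextensionsctl >/dev/null 2>&1; then
  echo "<result>$(systemextensionsctl list 2>/dev/null | aikido_ext_state)</result>"
fi
```

A `waiting_for_user` or `duplicate` result maps to the matching rows in the Troubleshooting table.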

{% endstep %}
{% endstepper %}

## Troubleshooting

| Problem                                              | Fix                                                                                                     |
| ---------------------------------------------------- | ------------------------------------------------------------------------------------------------------- |
| Users still see the popup                            | Make sure both configuration profiles are scoped correctly and installed before the package policy runs |
| Extension is waiting for user approval               | Check the System Extensions payload and confirm the team ID and bundle ID match exactly                 |
| The package installs but the device does not connect | Confirm the token script ran before the package install and that the token was copied correctly         |
| Duplicate extension entries appear                   | Reboot the device                                                                                       |
| The content filter is not approved silently          | Re-upload the `.mobileconfig` profile and verify it is installed on the device                          |
