Skip to main content

Prerequisites

  • Kandji admin access
  • Enrollment key from Runlayer
  • At least one Blueprint configured with enrolled devices
Enrollment keys allow devices to automatically register with Runlayer and obtain API credentials.Enrollment Keys List
1

Navigate to Enrollment Keys

Go to Settings in the Runlayer dashboard and select the Enrollment Keys tab
2

Create a New Key

Click + Create Enrollment KeyCreate Enrollment Key
3

Configure the Key

  • Name (required): Enter a descriptive name (e.g., “Production MDM”)
  • Description (optional): Add context about the key’s purpose
4

Copy the Key

Copy the generated key (starts with rl_enroll_) and store it securelyEnrollment Key Created
Enrollment keys are shown only once. Store them securely and treat them like passwords.

Deployment Steps

1

Generate the Script

Fill in your settings below to generate a deployment script.Kandji-specific configuration tips:
  • ENROLLMENT_USERNAME: Use a Kandji variable for the user’s identity if available. Leave empty to use the device username.
  • ENROLLMENT_DEVICE_NAME: Use a Kandji variable for the device name. Leave empty to use the computer name.
2

Add a Custom Script Library Item

  1. Navigate to the Library section in Kandji
  2. Click Add NewCustom ScriptAdd & Configure
  3. Provide a Name (e.g., “Runlayer Config Sync”)
  4. Assign to your target Blueprint(s)
  5. Set Execution Frequency to Run daily (recommended) or Run every 15 minutes for more frequent syncs
  6. Paste the generated script into the Audit Script field
  7. Click Save

Verification

Open a client application (e.g., Cursor) on a target device and confirm the synced MCP servers appear. Check the Custom Script’s Status tab in Kandji for execution results. If something went wrong, check /var/log/runlayer-sync.log on the device. You can force an immediate check-in on a test Mac by running sudo kandji checkin in Terminal.