Features

Detect is always enabled after AI Watch is installed. Enforce and Sessions are controlled by package configuration, and one organization API key authenticates scanning, enforcement, and sessions; no enrollment keys are required.

| Feature | Configuration | What it does |
|---|---|---|
| Detect | Always on | Discovers shadow MCP servers, skills, and plugins through scheduled scans |
| Enforce | Enforcement / AIWATCH_ENFORCEMENT | Installs client hooks that block unmanaged MCP sources and policy-check local tool activity |
| Sessions | Sessions / AIWATCH_SESSIONS | Installs the full event hook set for Sessions telemetry |

- Enforce is disabled by default. Set Enforcement=true (macOS) or AIWATCH_ENFORCEMENT=1 (Windows) to block unmanaged MCP sources and policy-check local tool activity.
- Sessions is enabled by default. Set Sessions=false (macOS) or AIWATCH_SESSIONS=0 (Windows) to skip the full event/session hook set. Omitting Sessions uses the default enabled state and installs hooks for monitoring-only telemetry.
Package configuration

Use Settings → MDM Configuration to create or edit an AI Watch configuration. The wizard picks your MDM, mints a single organization API key, and bakes the Enforce and Sessions values into the downloaded artifacts. Changing Enforcement or Sessions does not require reinstalling the package: re-push the configuration profile or the MSI command/registry values, and AI Watch picks up the new settings on the next bootstrap or hook execution.
macOS artifacts

The macOS package is a signed and notarized .pkg plus three MDM Configuration Profiles:

| File | Purpose |
|---|---|
| aiwatch-<version>-macos-arm64.pkg | Installs the aiwatch binary, scan LaunchAgent, and hook bootstrap |
| com.runlayer.aiwatch.config.mobileconfig | Tenant host, organization API key, Enforcement, and Sessions |
| com.runlayer.aiwatch.pppc.mobileconfig | Full Disk Access / TCC grants |
| com.runlayer.aiwatch.loginitems.mobileconfig | Pre-approves bundled LaunchAgents on macOS 13+ |

Deploy the Configuration Profiles before the .pkg so tenant config and TCC grants are present before the first scan tick.

If you need multiple configurations, deploy one com.runlayer.aiwatch.config.mobileconfig per group. The .pkg, PPPC profile, and Login Items profile are universal and can be reused unchanged across all configurations.
- Jamf Pro: Upload Configuration Profiles and the .pkg via Policy.
- Workspace ONE: Use Custom Attributes for tenant host and organization API key.
- Iru / Kandji: Edit the tenant profile and deploy through Blueprints.
- SimpleMDM: Upload profiles and package through device groups.
- Mosyle: Deploy profiles and package through Mosyle device groups.
- Other macOS MDM: Use any MDM with Custom App and Custom Profile support.

Migrating from the legacy script-based macOS Detect rollout? Run Legacy macOS Detect Cleanup before rolling out the .pkg.

Windows artifacts

The Windows package is a signed MSI wrapped for Intune. The MSI writes tenant config to HKLM\Software\Runlayer\AIWatch.
| File | Purpose |
|---|---|
| aiwatch-<version>-win-x64.intunewin | App package for Intune upload |
| scan-on-detect/detect.ps1 | Runs aiwatch.exe scan from Intune detection |
| scheduled/detect.ps1 + scheduled/remediate.ps1 | Schedules recurring scans through Intune Remediations |
| assert/detect.ps1 + assert/remediate.ps1 | Asserts hook configs when Enforce or Sessions is enabled |
Intune

Deploy the MSI, configure capability properties, schedule Detect scans, and assert hook configs.
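Because Enforce and Sessions are changed by re-pushing the registry values under HKLM\Software\Runlayer\AIWatch rather than by reinstalling the MSI, it is useful to have a remediation-style check that confirms a device actually carries the intended state. The script below is an added example, not Runlayer's own assert/detect.ps1 or remediate.ps1: it reads the two capability values, reports drift against the expected state, and optionally writes the expected values back. The registry value names AIWATCH_ENFORCEMENT and AIWATCH_SESSIONS are assumed from the package-configuration names on this page; confirm them against what your MSI writes before relying on the script.

```powershell
# Added example (not Runlayer's assert/detect.ps1): Intune Remediations-style
# detection of AI Watch package configuration, with optional remediation.
# Exit 0 = compliant, exit 1 = drift (Intune then runs the remediation script).
# Assumption: the MSI stores the capability flags as DWORD values named
# AIWATCH_ENFORCEMENT and AIWATCH_SESSIONS under HKLM\Software\Runlayer\AIWatch.
param(
    [int]$ExpectedEnforcement = 0,   # page default: Enforce off
    [int]$ExpectedSessions    = 1,   # page default: Sessions on
    [switch]$Remediate               # write expected values instead of only reporting
)

$Path = 'HKLM:\Software\Runlayer\AIWatch'

function Get-AIWatchSetting {
    # Returns the DWORD value, or the package default when the value is absent
    # (an absent value means the installer default applies, per the page).
    param([string]$Name, [int]$Default)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return [int]$item.$Name
}

if (-not (Test-Path $Path)) {
    # No tenant config at all: the MSI has not run, so remediation cannot help.
    Write-Output "AI Watch registry config missing at $Path"
    exit 1
}

$enforcement = Get-AIWatchSetting -Name 'AIWATCH_ENFORCEMENT' -Default 0
$sessions    = Get-AIWatchSetting -Name 'AIWATCH_SESSIONS'    -Default 1

$drift = @()
if ($enforcement -ne $ExpectedEnforcement) {
    $drift += "AIWATCH_ENFORCEMENT=$enforcement (expected $ExpectedEnforcement)"
}
if ($sessions -ne $ExpectedSessions) {
    $drift += "AIWATCH_SESSIONS=$sessions (expected $ExpectedSessions)"
}

if ($drift.Count -eq 0) {
    Write-Output "AI Watch config matches: Enforcement=$enforcement Sessions=$sessions"
    exit 0
}

Write-Output ("Config drift: " + ($drift -join '; '))

if ($Remediate) {
    # Re-push the values; AI Watch reads them on the next bootstrap or hook execution.
    Set-ItemProperty -Path $Path -Name 'AIWATCH_ENFORCEMENT' -Value $ExpectedEnforcement -Type DWord
    Set-ItemProperty -Path $Path -Name 'AIWATCH_SESSIONS'    -Value $ExpectedSessions    -Type DWord
    Write-Output "Wrote AIWATCH_ENFORCEMENT=$ExpectedEnforcement AIWATCH_SESSIONS=$ExpectedSessions"
    exit 0
}

exit 1
```

Deploy the script twice under Intune Remediations: once as the detection script (no `-Remediate`, so a non-zero exit flags drift) and once as the remediation script with `-Remediate` and the same expected values. Keeping the expected state in the script parameters rather than hard-coded makes it easy to run one pair per device group when groups use different Enforce or Sessions settings.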
Manual and custom workflows

For individual test devices, use the feature pages:

- Run Detect manually: Install the Runlayer CLI and run runlayer scan.
- Install Enforce manually: Install client hooks with runlayer setup hooks.
- User and Identity Mapping: Understand how device usernames map to Runlayer users.
- Remove AI Watch: Remove package-based and legacy script-based deployments.
Enforcement / Sessions to the desired values.