Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.runlayer.com/llms.txt

Use this file to discover all available pages before exploring further.

This guide requires Jamf Pro. Jamf Now and Jamf School have different script deployment capabilities.

Prerequisites

  • Jamf Pro admin access
  • Devices enrolled via User-Approved MDM or Automated Device Enrollment (for Full Disk Access)

Deployment Steps

1

Deploy PPPC Profile

Detect needs to read MCP config files in TCC-protected directories (Desktop, Documents, Application Support). Without a PPPC profile, macOS shows a permission dialog on every scan.
The profile targets a dedicated runlayer-scan wrapper binary so that Full Disk Access is scoped to the scan process only — not to general-purpose tools like uvx.
Download the PPPC profile from the Detect configuration page in the Runlayer dashboard (SettingsShadow MCPs), or use the button below:
  1. Navigate to Computers > Configuration Profiles
  2. Click New and upload the downloaded .mobileconfig file
  3. Scope to target computers/groups
  4. Save and deploy
2

Get Deployment Artifacts

In the Runlayer dashboard, go to SettingsShadow MCPs. Under the Detect section, click Configure and select your MDM platform. This opens a setup dialog that auto-generates an API key and renders the deployment script.
The API key is embedded in the generated script and will not be shown again after you close the dialog. Copy or download the script before closing.
3

Upload to Jamf Pro

  • Navigate to Settings > Computer Management > Scripts
  • Click New
  • Enter a display name (e.g., “AI Watch Detect”)
  • Paste the generated script contents
  • Set Priority to “After” (runs after other policies)
  • Save
4

Create a Policy

  • Navigate to Computers > Policies
  • Click New
  • Configure the policy:
    • General: Name it (e.g., “Deploy AI Watch Detect”)
    • Scripts: Add your uploaded script
    • Scope: Select target computers or groups
    • Trigger: Recurring Check-in or Login
    • Frequency: Set to Ongoing for repeated execution
5

Save and Deploy

Save the policy to begin deployment to target devices

Verification

1

Check Policy Status

Verify policy execution status in Jamf Pro under the policy’s Logs tab.
2

Verify in Runlayer

Navigate to SettingsShadow MCPs and confirm your Detect configuration card is active. View detailed results on the Shadow page.
3

Review Discoveries

Review discovered shadow servers and skills.

Log Locations

PlatformLog Location
macOS/var/log/runlayer/ai_watch_detect.log
macOS (fallback)/tmp/runlayer-ai_watch_detect.log
The fallback log location is used when the primary path (/var/log/runlayer/) cannot be written to due to permissions.

Exit Codes

CodeMeaning
0Success
1General failure (no user logged in, missing config, credential storage failed)
2Network failure (cannot reach PyPI)
3Installation failure (uv or CLI install failed)