This guide requires Jamf Pro. Jamf Now and Jamf School have different script deployment capabilities.
Prerequisites
- Jamf Pro admin access
- Devices enrolled via User-Approved MDM or Automated Device Enrollment (for Full Disk Access)
Deployment Steps
Deploy PPPC Profile
Detect needs to read MCP config files in TCC-protected directories (Desktop, Documents, Application Support). Without a PPPC profile, macOS shows a permission dialog on every scan.
Download the PPPC profile from the Detect configuration page in the Runlayer dashboard (Settings → Shadow MCPs).
The profile targets a dedicated runlayer-scan wrapper binary so that Full Disk Access is scoped to the scan process only — not to general-purpose tools like uvx.
- Navigate to Computers > Configuration Profiles
- Click New and upload the downloaded .mobileconfig file
- Scope to target computers/groups
- Save and deploy
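A pre-upload check for the scoping described above, as an added example (not Runlayer's or Jamf's code): it parses a .mobileconfig and reports any Full Disk Access grant that goes to an identifier other than the expected wrapper. The wrapper path, code requirement and sample profiles are constructed placeholders, and the profile is assumed to be unsigned.

```python
import plistlib

TCC_PAYLOAD = "com.apple.TCC.configuration-profile-policy"  # PPPC payload type
FDA_SERVICE = "SystemPolicyAllFiles"                        # Full Disk Access

def audit_pppc(profile_bytes, expected_identifier):
    """Return findings; an empty list means Full Disk Access is granted
    only to expected_identifier and that grant has a code requirement."""
    profile = plistlib.loads(profile_bytes)
    findings, granted = [], False
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != TCC_PAYLOAD:
            continue
        for entry in payload.get("Services", {}).get(FDA_SERVICE, []):
            ident = entry.get("Identifier", "")
            # "Authorization" is the current key; "Allowed" is the older boolean.
            allowed = (entry.get("Authorization") == "Allow"
                       or entry.get("Allowed") is True)
            if not allowed:
                continue
            if ident != expected_identifier:
                findings.append(f"unexpected Full Disk Access grant: {ident}")
                continue
            granted = True
            if not entry.get("CodeRequirement"):
                findings.append(f"{ident}: grant has no CodeRequirement")
    if not granted:
        findings.append(f"no Full Disk Access grant for {expected_identifier}")
    return findings

def make_profile(entries):
    """Build a constructed, unsigned sample profile for the demonstration."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadContent": [{"PayloadType": TCC_PAYLOAD,
                            "Services": {FDA_SERVICE: entries}}],
    })

def entry(ident, req='identifier "placeholder"'):
    return {"Identifier": ident, "IdentifierType": "path",
            "CodeRequirement": req, "Authorization": "Allow"}

# Placeholder path: the real wrapper path comes from the downloaded profile.
WRAPPER = "/path/to/runlayer-scan"
SCOPED = make_profile([entry(WRAPPER)])
BROAD = make_profile([entry(WRAPPER), entry("/path/to/uvx")])

if __name__ == "__main__":
    print(audit_pppc(SCOPED, WRAPPER))
    print(audit_pppc(BROAD, WRAPPER))
```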
Get Deployment Artifacts
In the Runlayer dashboard, go to Settings → Shadow MCPs and open or create a Detect configuration to copy the generated script and API key.
Upload to Jamf Pro
- Navigate to Settings > Computer Management > Scripts
- Click New
- Enter a display name (e.g., “Runlayer Detect”)
- Paste the generated script contents
- Set Priority to “After” (runs after other policies)
- Save
Create a Policy
- Navigate to Computers > Policies
- Click New
- Configure the policy:
  - General: Name it (e.g., “Deploy Runlayer Detect”)
  - Scripts: Add your uploaded script
  - Scope: Select target computers or groups
  - Trigger: Recurring Check-in
  - Frequency: Set to Ongoing for repeated execution
Verification
Log Locations
| Platform | Log Location |
|---|---|
| macOS | /var/log/runlayer/ai_watch_detect.log |
Exit Codes
| Code | Meaning |
|---|---|
| 0 | Success |
| 1 | General failure (missing config) |
| 2 | Network failure |
| 3 | Installation failure |