Migrating from the script-based Detect deployment? Run Clean Up Script-Based macOS Detect Deployment before rolling out the .pkg so the old runlayer-scan artifacts don't conflict with com.runlayer.aiwatch.

## Overview

A signed, notarized `aiwatch` binary installs once per device via .pkg. Tenant config (host + org API key, plus an enrollment key for Enforce) is pushed via MDM Configuration Profile. The .pkg bundles up to three launchd units: a scan LaunchAgent (user, default 15 min) for Detect, plus — when an EnrollmentKey is set — an enroll LaunchAgent (user, every 60 min, runs `aiwatch enroll`) and a hook-install LaunchDaemon (root, fast-retries every 60 s for the first 10 min after install then hourly, runs `aiwatch setup hooks install --mdm`) for Enforce.
## Prerequisites

- Devices enrolled via UAMDM (User-Approved MDM) or DEP/ADE. TCC payloads are ignored on manually-enrolled MDM.
- An organization API key with the Detect Scan role minted in Settings → Organization API keys in the Runlayer dashboard. Record the secret value (`rl_org_...`).
- Your Runlayer tenant host URL (e.g. `https://your-instance.runlayer.com`).

Apple Silicon only for now. The current release ships an `arm64` .pkg.

## Artifacts
The package is a .zip named `aiwatch-<version>-macos-arm64.zip`. Contents:

| File | Purpose |
|---|---|
| `aiwatch-<version>-macos-arm64.pkg` | Signed + notarized installer (single `aiwatch` binary + scan & enroll LaunchAgents + hook-install LaunchDaemon) |
| `com.runlayer.aiwatch.pppc.mobileconfig` | Full Disk Access / TCC grants (upload as-is) |
| `com.runlayer.aiwatch.loginitems.mobileconfig` | Pre-approves the bundled LaunchAgents on macOS 13+ (upload as-is; `LabelPrefix=com.runlayer.aiwatch` covers all current and future user-context units) |
.zip yet.
Deploy the three Configuration Profiles before the .pkg. Profiles must land in `/Library/Managed Preferences/` and TCC before the bundled LaunchAgent's first scan tick — otherwise `aiwatch` logs `host not configured` and TCC denies project-config reads until the next MDM sync.

## Deployment
### Upload PPPC profile

Computers → Configuration Profiles → Upload. Upload `com.runlayer.aiwatch.pppc.mobileconfig` as-is. Scope to your AI Watch Smart Group.

The profile pins Full Disk Access to Developer ID team AF2M8HC7A2 + identifier com.runlayer.aiwatch — only the Anysource-signed binary satisfies the CodeRequirement. No edits.
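Uploading a vendor profile "as-is" still deserves a pre-flight check that it grants exactly what the text above says: Full Disk Access, pinned to team AF2M8HC7A2 and identifier com.runlayer.aiwatch, and no other TCC service. The script below is an added example, not the vendor's file or tooling; it parses an unsigned .mobileconfig with the standard library and reports anything broader than that grant. The embedded sample profile is constructed for illustration in the shape Apple's TCC payload uses (`com.apple.TCC.configuration-profile-policy`, `Services` → `SystemPolicyAllFiles`); the CodeRequirement in it is the usual Developer ID designated-requirement form, assumed here rather than copied from the real profile.

```python
"""Audit a PPPC (TCC) configuration profile before uploading it to Jamf."""
import plistlib

# Expected values from the deployment guide: the profile should pin
# Full Disk Access to this Developer ID team and identifier, and nothing else.
EXPECTED_TEAM_ID = "AF2M8HC7A2"
EXPECTED_IDENTIFIER = "com.runlayer.aiwatch"
TCC_PAYLOAD_TYPE = "com.apple.TCC.configuration-profile-policy"
EXPECTED_SERVICES = {"SystemPolicyAllFiles"}  # TCC service name for Full Disk Access

# Constructed sample (NOT the vendor's real com.runlayer.aiwatch.pppc.mobileconfig).
# Payload UUIDs are placeholders.
SAMPLE_PROFILE = {
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.runlayer.aiwatch.pppc",
    "PayloadUUID": "00000000-0000-0000-0000-000000000001",
    "PayloadVersion": 1,
    "PayloadContent": [
        {
            "PayloadType": TCC_PAYLOAD_TYPE,
            "PayloadIdentifier": "com.runlayer.aiwatch.pppc.tcc",
            "PayloadUUID": "00000000-0000-0000-0000-000000000002",
            "PayloadVersion": 1,
            "Services": {
                "SystemPolicyAllFiles": [
                    {
                        "Identifier": EXPECTED_IDENTIFIER,
                        "IdentifierType": "bundleID",
                        # Standard Developer ID designated requirement (assumed form).
                        "CodeRequirement": (
                            f'identifier "{EXPECTED_IDENTIFIER}" and anchor apple generic '
                            'and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ '
                            'and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ '
                            f'and certificate leaf[subject.OU] = "{EXPECTED_TEAM_ID}"'
                        ),
                        "Allowed": True,
                    }
                ]
            },
        }
    ],
}


def audit_pppc(profile: dict) -> list:
    """Return findings; an empty list means the profile grants exactly
    Full Disk Access to the pinned identifier and team, nothing more."""
    findings = []
    payloads = profile.get("PayloadContent", [])
    if not payloads:
        findings.append("profile carries no payloads")
    for payload in payloads:
        ptype = payload.get("PayloadType")
        if ptype != TCC_PAYLOAD_TYPE:
            findings.append(f"unexpected payload type {ptype!r}")
            continue
        services = payload.get("Services", {})
        # Any service beyond FDA (Accessibility, ScreenCapture, AppleEvents, ...)
        # is more privilege than the guide describes.
        for extra in sorted(set(services) - EXPECTED_SERVICES):
            findings.append(f"grants service beyond Full Disk Access: {extra}")
        for service, rules in services.items():
            for rule in rules:
                ident = rule.get("Identifier")
                req = rule.get("CodeRequirement", "")
                if ident != EXPECTED_IDENTIFIER:
                    findings.append(f"{service}: rule for unexpected identifier {ident!r}")
                if f'identifier "{EXPECTED_IDENTIFIER}"' not in req:
                    findings.append(f"{service}: CodeRequirement does not pin identifier")
                if f'certificate leaf[subject.OU] = "{EXPECTED_TEAM_ID}"' not in req:
                    findings.append(f"{service}: CodeRequirement does not pin team {EXPECTED_TEAM_ID}")
                if "anchor apple generic" not in req:
                    findings.append(f"{service}: CodeRequirement is not anchored to Apple's root")
                if rule.get("Allowed") is not True:
                    findings.append(f"{service}: rule does not allow the service")
    return findings


def audit_pppc_bytes(data: bytes) -> list:
    """Parse an unsigned .mobileconfig (XML or binary plist) and audit it.
    A CMS-signed profile must be unwrapped first (e.g. `security cms -D -i file`)."""
    return audit_pppc(plistlib.loads(data))


SAMPLE_PROFILE_BYTES = plistlib.dumps(SAMPLE_PROFILE)

if __name__ == "__main__":
    for line in audit_pppc_bytes(SAMPLE_PROFILE_BYTES) or ["OK: profile matches the guide"]:
        print(line)
```

Run it against the real file with `audit_pppc_bytes(open("com.runlayer.aiwatch.pppc.mobileconfig", "rb").read())`; a non-empty result means the profile differs from what this page describes and should be questioned before it is scoped to the Smart Group.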
### Upload Login Items profile

Computers → Configuration Profiles → Upload. Upload `com.runlayer.aiwatch.loginitems.mobileconfig` as-is. Scope to the same Smart Group.

Pre-approves the bundled LaunchAgent on macOS 13+ so users don't see "Background Item Added" notifications.

### Create the tenant-config profile via JSON Schema
1. Computers → Configuration Profiles → New → Application & Custom Settings → External Applications → Add → Custom Schema.
2. Preference Domain: `com.runlayer.aiwatch`.
3. Paste the contents of `com.runlayer.aiwatch.jamf.schema.json` into the schema source field.
4. Fill in Tenant Host (e.g. `https://your-instance.runlayer.com`) and Org API Key (the `rl_org_...` secret).
5. Scope to the same Smart Group.
### Upload the .pkg and create a deployment Policy

Jamf → Computers → Management Settings → Computer Management → Packages → New. Upload `aiwatch-<version>-macos-arm64.pkg`.

Create a Policy to deploy the package: Computers → Policies → New. Add the package, set Trigger to Recurring Check-in and Frequency to Once per computer. Scope to the same Smart Group.

The tenant config lands on the device as `/Library/Managed Preferences/com.runlayer.aiwatch.plist`. Rotating the API key later: edit the Jamf profile and re-publish — no .pkg reinstall.
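The tenant-config steps above and the post-deploy check of the landed plist share one piece of logic: what a valid tenant config looks like. The script below is an added example, not Runlayer's code and not a substitute for `com.runlayer.aiwatch.jamf.schema.json`; the preference key names `TenantHost`, `OrgAPIKey` and `EnrollmentKey` are placeholders assumed for illustration (the real keys come from the schema file), and the sample values are constructed. It validates the host and key the way a pre-flight check would (https, bare origin, `rl_org_` prefix), shows the profile shape Jamf's custom-settings UI produces (inner `PayloadType` equal to the preference domain, which is what routes the keys into `/Library/Managed Preferences/<domain>.plist`), and reads a landed plist back on a device to distinguish "profile not synced yet" from "profile synced with bad values".

```python
"""Validate the com.runlayer.aiwatch tenant config, build the managed-preferences
profile, and verify the plist once it has landed on a device."""
import plistlib
from urllib.parse import urlsplit

PREFERENCE_DOMAIN = "com.runlayer.aiwatch"
# Placeholder key names: the real ones are defined by com.runlayer.aiwatch.jamf.schema.json.
KEY_HOST = "TenantHost"
KEY_ORG_API_KEY = "OrgAPIKey"
KEY_ENROLLMENT = "EnrollmentKey"
MANAGED_PREFS_PATH = f"/Library/Managed Preferences/{PREFERENCE_DOMAIN}.plist"


def validate_config(cfg: dict) -> list:
    """Return findings for a tenant config dict; an empty list means it looks usable."""
    findings = []
    host = cfg.get(KEY_HOST, "")
    parts = urlsplit(host)
    if parts.scheme != "https":
        findings.append(f"{KEY_HOST}: must use https, got {host!r}")
    if not parts.netloc:
        findings.append(f"{KEY_HOST}: missing hostname")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        findings.append(f"{KEY_HOST}: must be a bare origin, got {host!r}")
    key = cfg.get(KEY_ORG_API_KEY, "")
    if not isinstance(key, str) or not key.startswith("rl_org_"):
        findings.append(f"{KEY_ORG_API_KEY}: expected an rl_org_ secret")
    enroll = cfg.get(KEY_ENROLLMENT)
    if enroll is not None and not isinstance(enroll, str):
        findings.append(f"{KEY_ENROLLMENT}: must be a string when set")
    return findings


def build_profile(cfg: dict, display_name: str = "AI Watch tenant config") -> bytes:
    """Serialise cfg as a custom-settings profile. The inner PayloadType is the
    preference domain itself; that is what makes the keys land in
    /Library/Managed Preferences/<domain>.plist. UUIDs are placeholders."""
    problems = validate_config(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    profile = {
        "PayloadType": "Configuration",
        "PayloadScope": "System",
        "PayloadDisplayName": display_name,
        "PayloadIdentifier": f"{PREFERENCE_DOMAIN}.tenant",
        "PayloadUUID": "00000000-0000-0000-0000-000000000010",
        "PayloadVersion": 1,
        "PayloadContent": [{
            "PayloadType": PREFERENCE_DOMAIN,
            "PayloadIdentifier": f"{PREFERENCE_DOMAIN}.tenant.settings",
            "PayloadUUID": "00000000-0000-0000-0000-000000000011",
            "PayloadVersion": 1,
            **{k: v for k, v in cfg.items() if v is not None},
        }],
    }
    return plistlib.dumps(profile)


def settings_from_profile(data: bytes) -> dict:
    """Pull the managed settings back out of a profile (e.g. one exported from Jamf)."""
    for payload in plistlib.loads(data).get("PayloadContent", []):
        if payload.get("PayloadType") == PREFERENCE_DOMAIN:
            return {k: v for k, v in payload.items() if not k.startswith("Payload")}
    return {}


def check_installed(path: str = MANAGED_PREFS_PATH) -> list:
    """On a device: read the landed plist and validate it. A missing file means
    the profile has not synced yet, the `host not configured` case in the guide."""
    try:
        with open(path, "rb") as fh:
            return validate_config(plistlib.load(fh))
    except FileNotFoundError:
        return [f"{path} not present: tenant-config profile has not landed yet"]


# Constructed sample values, not real credentials.
SAMPLE_CONFIG = {
    KEY_HOST: "https://your-instance.runlayer.com",
    KEY_ORG_API_KEY: "rl_org_EXAMPLE_NOT_A_REAL_KEY",
}

if __name__ == "__main__":
    print(build_profile(SAMPLE_CONFIG).decode())
    for line in check_installed() or ["OK: landed config validates"]:
        print(line)
```

Two points worth keeping in mind when using this. First, managed preference plists under `/Library/Managed Preferences/` are generally readable by any local user, so the `rl_org_` secret is not confidential on the device; that is consistent with the page minting it with only the Detect Scan role and rotating it by re-publishing the profile rather than reinstalling the .pkg. Second, `check_installed()` only tells you the profile has landed, not that the TCC grant has; the PPPC profile still has to be in place before the first scan tick.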