Prerequisites
- Kandji admin access
- At least one Blueprint configured with enrolled devices
- Devices enrolled via Automated Device Enrollment (for Full Disk Access)
Deployment Steps
Deploy PPPC Profile
Detect needs to read MCP config files in TCC-protected directories (Desktop, Documents, Application Support). Without a PPPC profile, macOS shows a permission dialog on every scan.Download the PPPC profile from the Detect configuration page in the Runlayer dashboard (Settings → Shadow MCPs), or use the button below:
The profile targets a dedicated
runlayer-scan wrapper binary so that Full Disk Access is scoped to the scan process only — not to general-purpose tools like uvx.- Navigate to Library in Kandji
- Click Add New → General → Custom Profile → Add & Configure
- Upload the downloaded
.mobileconfigfile - Assign to your target Blueprint(s)
- Click Save
Get Deployment Artifacts
In the Runlayer dashboard, go to Settings → Shadow MCPs and open or create a Detect configuration to copy the generated script and API key.
Add a Custom Script Library Item
- Navigate to the Library section in Kandji
- Click Add New → Custom Script → Add & Configure
- Provide a Name (e.g., “Runlayer Detect”)
- Assign to your target Blueprint(s)
- Set Execution Frequency to Run daily (recommended) or Run every 15 minutes for more frequent scans
- Paste the generated script into the Audit Script field
- Click Save
Verification
Check Script Status
Check the Custom Script’s Status tab in Kandji for execution results. You can force an immediate check-in on a test Mac by running
sudo kandji checkin in Terminal.Log Locations
| Platform | Log Location |
|---|---|
| macOS | /var/log/runlayer/ai_watch_detect.log |
Exit Codes
| Code | Meaning |
|---|---|
| 0 | Success |
| 1 | General failure (missing config) |
| 2 | Network failure |
| 3 | Installation failure |