Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.runlayer.com/llms.txt

Use this file to discover all available pages before exploring further.

Prerequisites

  • Iru/Kandji admin access
  • At least one Blueprint configured with enrolled devices
  • Devices enrolled via Automated Device Enrollment (for Full Disk Access)

Deployment Steps

1

Deploy PPPC Profile

Detect needs to read MCP config files in TCC-protected directories (Desktop, Documents, Application Support). Without a PPPC profile, macOS shows a permission dialog on every scan.
The profile targets a dedicated runlayer-scan wrapper binary so that Full Disk Access is scoped to the scan process only — not to general-purpose tools like uvx.
Download the PPPC profile from the Detect configuration page in the Runlayer dashboard (SettingsShadow MCPs), or use the button below:
  1. Navigate to Library in Iru/Kandji
  2. Click Add NewCustom ProfileAdd & Configure
  3. Upload the downloaded .mobileconfig file, select Mac as the device family
  4. Assign to your target Blueprint(s)
  5. Click Save
2

Get Deployment Artifacts

In the Runlayer dashboard, go to SettingsShadow MCPs. Under the Detect section, click Configure and select your MDM platform. This opens a setup dialog that auto-generates an API key and renders the deployment script.
The API key is embedded in the generated script and will not be shown again after you close the dialog. Copy or download the script before closing.
3

Add a Custom Script Library Item

  1. Navigate to the Library section in Iru/Kandji
  2. Click Add NewCustom ScriptAdd & Configure
  3. Provide a Name (e.g., “AI Watch Detect”)
  4. Assign to your target Blueprint(s)
  5. Set Execution Frequency to Run daily (recommended) or Run every 15 minutes for more frequent scans
  6. Paste the generated script into the Audit Script field
  7. Click Save

Verification

1

Check Policy Status

Check the Custom Script’s Status tab in Iru/Kandji for execution results.
2

Verify in Runlayer

Navigate to Shadow in the Runlayer dashboard and confirm devices appear in the Detect data.
3

Review Discoveries

Review discovered shadow servers and skills.

Log Locations

PlatformLog Location
macOS/var/log/runlayer/ai_watch_detect.log
macOS (fallback)/tmp/runlayer-ai_watch_detect.log
The fallback log location is used when the primary path (/var/log/runlayer/) cannot be written to due to permissions.

Exit Codes

CodeMeaning
0Success
1General failure (no user logged in, missing config, credential storage failed)
2Network failure (cannot reach PyPI)
3Installation failure (uv or CLI install failed)