Migrating from the script-based Detect deployment? Run Clean Up Script-Based macOS Detect Deployment before rolling out the .pkg so the old runlayer-scan artifacts don’t conflict with com.runlayer.aiwatch.

Overview

A signed, notarized aiwatch binary installs once per device via .pkg. Tenant config (host + org API key, plus an enrollment key for Enforce) is pushed via MDM Configuration Profile. The .pkg bundles up to three launchd units:
  • scan LaunchAgent (user context, default every 15 min): runs Detect scans.
  • enroll LaunchAgent (user context, every 60 min; only active when an EnrollmentKey is set): runs aiwatch enroll for Enforce.
  • hook-install LaunchDaemon (root; only active when an EnrollmentKey is set): runs aiwatch setup hooks install --mdm, retrying every 60 s for the first 10 min after install and hourly thereafter.

Prerequisites

  • Devices enrolled via UAMDM (User-Approved MDM) or DEP/ADE. PPPC/TCC payloads are ignored on manually enrolled MDM that the user has not approved, so the Full Disk Access grant below will silently not apply there.
  • An organization API key with the Detect Scan role minted in Settings → Organization API keys in the Runlayer dashboard. Record the secret value (rl_org_...).
  • Your Runlayer tenant host URL (e.g. https://your-instance.runlayer.com).
Apple Silicon only for now. The current release ships an arm64 .pkg.

Artifacts

The package is a .zip named aiwatch-<version>-macos-arm64.zip. Contents:

  File                                          Purpose
  aiwatch-<version>-macos-arm64.pkg             Signed + notarized installer (single aiwatch binary + scan & enroll LaunchAgents + hook-install LaunchDaemon)
  com.runlayer.aiwatch.pppc.mobileconfig        Full Disk Access / TCC grants (upload as-is)
  com.runlayer.aiwatch.loginitems.mobileconfig  Pre-approves the bundled LaunchAgents on macOS 13+ (upload as-is; LabelPrefix=com.runlayer.aiwatch covers all current and future user-context units)

The third profile, com.runlayer.aiwatch.config.mobileconfig, carries the tenant host and org API key and must be edited before upload (Deployment step 1).
Contact your Runlayer account team if you don't have the .zip yet.
Deploy the three Configuration Profiles before the .pkg. The tenant config must be present in /Library/Managed Preferences/ and the PPPC grant must be in the TCC database before the bundled LaunchAgent's first scan tick; otherwise aiwatch logs host not configured and TCC denies project-config reads until the next MDM sync.

Deployment

Step 1: Edit the tenant-config profile

Open com.runlayer.aiwatch.config.mobileconfig in a text editor and replace both placeholders:
  Placeholder                 Replace with
  REPLACE_WITH_TENANT_HOST    your tenant host URL, e.g. https://your-instance.runlayer.com
  REPLACE_WITH_ORG_API_KEY    the actual rl_org_... secret
Step 2: Upload the three Configuration Profiles

For each .mobileconfig (tenant config edited above, plus PPPC and Login Items as-is):
  1. Management → macOS → Profiles → Custom Profile.
  2. Upload the .mobileconfig.
  3. Assign to your target device groups.
PPPC + Login Items profiles are pre-pinned to Developer ID team AF2M8HC7A2 — no edits required.
Step 3: Upload the .pkg as a Custom Package

  1. Management → macOS → Applications → Add a New App → Custom Apps.
  2. Upload aiwatch-<version>-macos-arm64.pkg.
  3. Assign to the same device groups.
To rotate the API key later: edit com.runlayer.aiwatch.config.mobileconfig, bump PayloadVersion on both the inner and outer payloads, re-upload. No .pkg reinstall.
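The placeholder substitution in step 1 and the PayloadVersion bump for key rotation are easy to get subtly wrong by hand (a leftover placeholder, an unescaped character in the key, or only one of the two PayloadVersion values bumped so the MDM does not push the change). The script below is an added example, not Runlayer tooling. It assumes a standard XML-plist .mobileconfig with one top-level PayloadVersion and one per PayloadContent entry; the embedded template is a constructed stand-in for com.runlayer.aiwatch.config.mobileconfig, and its Host/OrgAPIKey key names are illustrative, only the two REPLACE_WITH_ placeholders are the page's own.

```shell
#!/bin/sh
# Added example (not Runlayer's own tooling): render the tenant-config profile
# from its template, refuse to ship it with a placeholder still inside, and
# bump every PayloadVersion for a key rotation.
set -eu

# Constructed stand-in for com.runlayer.aiwatch.config.mobileconfig. The key
# names Host and OrgAPIKey are assumptions; the placeholders match the page.
write_sample_template() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.runlayer.aiwatch</string>
      <key>PayloadIdentifier</key><string>com.runlayer.aiwatch.config.inner</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>Host</key><string>REPLACE_WITH_TENANT_HOST</string>
      <key>OrgAPIKey</key><string>REPLACE_WITH_ORG_API_KEY</string>
    </dict>
  </array>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.runlayer.aiwatch.config</string>
  <key>PayloadVersion</key><integer>1</integer>
</dict>
</plist>
EOF
}

# XML-escape the characters that would break the plist, then escape the
# characters that sed treats specially in a replacement (& | \).
xml_escape() { printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'; }
sed_escape() { printf '%s' "$1" | sed 's/[&|\\]/\\&/g'; }

# render_profile TEMPLATE OUT HOST KEY
# Substitutes both placeholders; fails if the host is not https, the key does
# not look like an rl_org_ secret, or any REPLACE_WITH_ marker survives.
render_profile() {
  tmpl=$1; out=$2; host=$3; key=$4
  case $host in https://*) ;; *) echo "host must start with https://" >&2; return 1 ;; esac
  case $key in rl_org_*) ;; *) echo "key does not look like an rl_org_ secret" >&2; return 1 ;; esac
  h=$(sed_escape "$(xml_escape "$host")"); k=$(sed_escape "$(xml_escape "$key")")
  sed -e "s|REPLACE_WITH_TENANT_HOST|$h|g" -e "s|REPLACE_WITH_ORG_API_KEY|$k|g" "$tmpl" > "$out"
  if grep -q 'REPLACE_WITH_' "$out"; then echo "unreplaced placeholder in $out" >&2; return 1; fi
}

# payload_versions FILE: print each PayloadVersion value (inner and outer),
# whether or not the <integer> sits on the same line as its <key>.
payload_versions() {
  awk '/<key>PayloadVersion<\/key>/ { pending=1 }
       pending && match($0, /<integer>[0-9]+<\/integer>/) {
         print substr($0, RSTART+9, RLENGTH-19); pending=0 }' "$1"
}

# bump_payload_versions FILE: increment every PayloadVersion in place, so the
# MDM sees both the inner and the outer payload as changed on re-upload.
bump_payload_versions() {
  f=$1
  awk '/<key>PayloadVersion<\/key>/ { pending=1 }
       pending && match($0, /<integer>[0-9]+<\/integer>/) {
         n = substr($0, RSTART+9, RLENGTH-19) + 1
         $0 = substr($0, 1, RSTART-1) "<integer>" n "</integer>" substr($0, RSTART+RLENGTH)
         pending=0 }
       { print }' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Demo: ./render.sh --demo  (constructed values, not real credentials)
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d)
  write_sample_template "$d/config.template.mobileconfig"
  render_profile "$d/config.template.mobileconfig" "$d/com.runlayer.aiwatch.config.mobileconfig" \
    "https://your-instance.runlayer.com" "rl_org_EXAMPLE_NOT_A_REAL_KEY"
  bump_payload_versions "$d/com.runlayer.aiwatch.config.mobileconfig"
  payload_versions "$d/com.runlayer.aiwatch.config.mobileconfig"   # prints 2 twice
fi
```

Run the render once per tenant and keep the rendered profile out of source control, since it contains the rl_org_ secret in clear text. For a rotation, render again with the new key and then call bump_payload_versions before re-uploading; a re-upload with an unchanged PayloadVersion is not reliably pushed. On a device, confirm the profile landed before the first scan tick with `profiles show -type configuration` (as root) and check the user-context units with `launchctl print gui/$(id -u)`, looking for the com.runlayer.aiwatch label prefix.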