Prerequisites
- Mosyle Business admin access
- Devices enrolled via User-Approved MDM or Automated Device Enrollment (for Full Disk Access)
Deployment Steps
Deploy PPPC Profile
Detect needs to read MCP config files in TCC-protected directories (Desktop, Documents, Application Support). Without a PPPC profile, macOS shows a permission dialog on every scan.
Download the PPPC profile from the Detect configuration page in the Runlayer dashboard (Settings → Shadow MCPs).
The profile targets a dedicated runlayer-scan wrapper binary so that Full Disk Access is scoped to the scan process only, not to general-purpose tools like uvx.
- Switch to the Management tab in Mosyle Business
- Look for Certificates / Custom Profiles. If it is not available, click Activate New Profile Type and then click Activate under “Certificates / Custom Profiles”
- Click Add New Profile
- Provide a Name (e.g., “Runlayer Detect - Full Disk Access”) and click Select the file to upload the downloaded .mobileconfig
- Click Add Assignment to assign the profile to target machines. Assigning to all devices is recommended; at minimum, the assignment must include every device that will have Detect deployed
- Click Save
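Before uploading, the downloaded profile can be checked to confirm that it grants Full Disk Access only to the wrapper binary and to nothing general-purpose. The script below is an added example, not Runlayer's or Mosyle's code; it assumes an unsigned .mobileconfig, and the wrapper path, the code requirement string and the sample profiles are constructed placeholders.

```python
import plistlib

TCC_PAYLOAD = "com.apple.TCC.configuration-profile-policy"  # PPPC payload type
FDA_SERVICE = "SystemPolicyAllFiles"  # TCC service name for Full Disk Access


def fda_grants(profile_bytes):
    """Return (identifier, has_code_requirement) for every allowed FDA entry."""
    profile = plistlib.loads(profile_bytes)
    grants = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != TCC_PAYLOAD:
            continue
        for entry in payload.get("Services", {}).get(FDA_SERVICE, []):
            # Older profiles use the boolean Allowed key, newer ones Authorization.
            allowed = entry.get("Allowed") is True or entry.get("Authorization") == "Allow"
            if allowed:
                has_req = bool(entry.get("CodeRequirement", "").strip())
                grants.append((entry.get("Identifier"), has_req))
    return grants


def audit(profile_bytes, expected_identifier):
    """Return findings; an empty list means FDA is scoped to the expected binary."""
    grants = fda_grants(profile_bytes)
    findings = [] if grants else ["no Full Disk Access grant found"]
    for identifier, has_req in grants:
        if identifier != expected_identifier:
            findings.append(f"unexpected Full Disk Access grant: {identifier}")
        if not has_req:
            findings.append(f"missing CodeRequirement for {identifier}")
    return findings


def make_profile(identifiers):
    """Build a constructed sample profile (not the real Runlayer profile)."""
    entries = [{"Identifier": i, "IdentifierType": "path", "Authorization": "Allow",
                "CodeRequirement": 'identifier "com.example.placeholder"'}
               for i in identifiers]
    payload = {"PayloadType": TCC_PAYLOAD, "Services": {FDA_SERVICE: entries}}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [payload]})


WRAPPER = "/path/to/runlayer-scan"  # placeholder; use the path from your profile

if __name__ == "__main__":
    print(audit(make_profile([WRAPPER]), WRAPPER))
    print(audit(make_profile([WRAPPER, "/path/to/uvx"]), WRAPPER))
```

To check a real file, pass its bytes (for example `open(path, "rb").read()`) to `audit` together with the identifier you expect to see.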
Get Deployment Artifacts
In the Runlayer dashboard, go to Settings → Shadow MCPs and open or create a Detect configuration to copy the generated script and API key.
Create a Custom Command
- Under the Management tab, select Custom Commands
- Click Add new profile
- Provide a Name (e.g., “Runlayer Detect”), check Enable variables for this profile, and paste the generated script into the code box
- Switch to the Execution Settings tab and configure the execution frequency (at least daily recommended)
Verification
Log Locations
| Platform | Log Location |
|---|---|
| macOS | /var/log/runlayer/ai_watch_detect.log |
Exit Codes
| Code | Meaning |
|---|---|
| 0 | Success |
| 1 | General failure (missing config) |
| 2 | Network failure |
| 3 | Installation failure |