Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.runlayer.com/llms.txt

Use this file to discover all available pages before exploring further.

Prerequisites

  • Mosyle admin access
  • Devices enrolled via User-Approved MDM or Automated Device Enrollment (for Full Disk Access)

Deployment Steps

1

Deploy PPPC Profile

Detect needs to read MCP config files in TCC-protected directories (Desktop, Documents, Application Support). Without a PPPC profile, macOS shows a permission dialog on every scan.
The profile targets a dedicated runlayer-scan wrapper binary so that Full Disk Access is scoped to the scan process only — not to general-purpose tools like uvx.
Download the PPPC profile from the Detect configuration page in the Runlayer dashboard (SettingsShadow MCPs), or use the button below:
  1. Switch to the Management tab in Mosyle
  2. Look for Certificates / Custom Profiles. If it is not available, click Activate New Profile Type and then click Activate under “Certificates / Custom Profiles”
  3. Click Add New Profile
  4. Provide a Name (e.g., “AI Watch Detect - Full Disk Access”) and click Select the file to upload the downloaded .mobileconfig
  5. Click Add Assignment to assign to target machines. It is recommended to assign to all devices, but must include all devices that will have Detect deployed
  6. Click Save
2

Get Deployment Artifacts

In the Runlayer dashboard, go to SettingsShadow MCPs. Under the Detect section, click Configure and select your MDM platform. This opens a setup dialog that auto-generates an API key and renders the deployment script.
The API key is embedded in the generated script and will not be shown again after you close the dialog. Copy or download the script before closing.
3

Create a Custom Command

  1. Under the Management tab, select Custom Commands
  2. Click Add new profile
  3. Provide a Name (e.g., “AI Watch Detect”), check Enable variables for this profile (use %Email% for username, %DeviceName% for device name), and paste the generated script into the code box
  4. Switch to the Execution Settings tab and configure the execution frequency (at least daily recommended)
4

Assign to Devices

Click Add assignment to assign the profile to all devices that should run Detect
5

Save and Deploy

Click Save to begin deployment to target devices

Verification

1

Check Policy Status

Verify script execution status in your MDM console.
2

Verify in Runlayer

Navigate to Shadow in the Runlayer dashboard and confirm devices appear in the Detect data.
3

Review Discoveries

Review discovered shadow servers and skills.

Log Locations

PlatformLog Location
macOS/var/log/runlayer/ai_watch_detect.log
macOS (fallback)/tmp/runlayer-ai_watch_detect.log
The fallback log location is used when the primary path (/var/log/runlayer/) cannot be written to due to permissions.

Exit Codes

CodeMeaning
0Success
1General failure (no user logged in, missing config, credential storage failed)
2Network failure (cannot reach PyPI)
3Installation failure (uv or CLI install failed)