Skip to main content

Prerequisites

  • Mosyle Business admin access
  • Devices enrolled via User-Approved MDM or Automated Device Enrollment (for Full Disk Access)

Deployment Steps

1

Deploy PPPC Profile

Detect needs to read MCP config files in TCC-protected directories (Desktop, Documents, Application Support). Without a PPPC profile, macOS shows a permission dialog on every scan.
The profile targets a dedicated runlayer-scan wrapper binary so that Full Disk Access is scoped to the scan process only — not to general-purpose tools like uvx.
Download the PPPC profile from the Detect configuration page in the Runlayer dashboard (SettingsShadow MCPs), or use the button below:
  1. Switch to the Management tab in Mosyle Business
  2. Look for Certificates / Custom Profiles. If it is not available, click Activate New Profile Type and then click Activate under “Certificates / Custom Profiles”
  3. Click Add New Profile
  4. Provide a Name (e.g., “Runlayer Detect - Full Disk Access”) and click Select the file to upload the downloaded .mobileconfig
  5. Click Add Assignment to assign to target machines. It is recommended to assign to all devices, but must include all devices that will have Detect deployed
  6. Click Save
2

Get Deployment Artifacts

In the Runlayer dashboard, go to SettingsShadow MCPs and open or create a Detect configuration to copy the generated script and API key.
3

Create a Custom Command

  1. Under the Management tab, select Custom Commands
  2. Click Add new profile
  3. Provide a Name (e.g., “Runlayer Detect”), check Enable variables for this profile, and paste the generated script into the code box
  4. Switch to the Execution Settings tab and configure the execution frequency (at least daily recommended)
4

Assign to Devices

Click Add assignment to assign the profile to all devices that should run Detect
5

Save and Deploy

Click Save to begin deployment to target devices

Verification

1

Verify PPPC Profile

On a target device, verify the profile is installed:
profiles show -type configuration | grep -i runlayer
2

Verify Wrapper Binary

Check that the wrapper binary is installed and signed correctly:
ls -la /usr/local/bin/runlayer-scan
codesign -dv /usr/local/bin/runlayer-scan
3

Check Analytics

Navigate to Analytics in the Runlayer dashboard
4

Verify Devices

Confirm that devices are appearing in Detect data

Log Locations

PlatformLog Location
macOS/var/log/runlayer/ai_watch_detect.log

Exit Codes

CodeMeaning
0Success
1General failure (missing config)
2Network failure
3Installation failure