Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.runlayer.com/llms.txt

Use this file to discover all available pages before exploring further.

Deploy Detect using any MDM that supports custom configuration profiles and script execution.
If your MDM has a dedicated guide (SimpleMDM, Jamf Pro, Intune, Mosyle, or Iru/Kandji), use that instead for provider-specific instructions.

Prerequisites

  • Admin access to your MDM solution
  • Devices enrolled via User-Approved MDM or Automated Device Enrollment (for Full Disk Access)
  • Your MDM must support:
    • Deploying custom .mobileconfig configuration profiles
    • Running shell scripts on managed devices

Deployment Steps

1

Get Deployment Artifacts

In the Runlayer dashboard, go to SettingsShadow MCPs. Under the Detect section, click Configure and select your MDM platform. This opens a setup dialog that auto-generates an API key and renders the deployment script.
The API key is embedded in the generated script and will not be shown again after you close the dialog. Copy or download the script before closing.
2

Deploy the Script

Use your MDM’s script or command execution feature to deploy the generated script:
  1. Create a new script/command in your MDM console
  2. Paste the generated script contents
  3. Configure a recurring execution schedule (at least daily recommended)
  4. Assign to target devices
  5. Save and deploy
MDM scripts typically run as root. The generated script handles this by detecting and running operations as the logged-in user where needed.

Deploy PPPC Profile

Detect needs to read MCP config files in TCC-protected directories (Desktop, Documents, Application Support). Without a PPPC profile, macOS shows a permission dialog on every scan.
The profile targets a dedicated runlayer-scan wrapper binary so that Full Disk Access is scoped to the scan process only — not to general-purpose tools like uvx.
Download the PPPC profile from the Detect configuration page in the Runlayer dashboard (SettingsShadow MCPs), or use the button below:
  • Upload the downloaded file as a custom configuration profile
  • Assign it to all devices that will run Detect
  • Push the profile to devices

Verification

1

Check Policy Status

Verify script execution status in your MDM console.
2

Verify in Runlayer

Navigate to Shadow in the Runlayer dashboard and confirm devices appear in the Detect data.
3

Review Discoveries

Review discovered shadow servers and skills.

Log Locations

PlatformLog Location
macOS/var/log/runlayer/ai_watch_detect.log
macOS (fallback)/tmp/runlayer-ai_watch_detect.log
The fallback log location is used when the primary path (/var/log/runlayer/) cannot be written to due to permissions.

Exit Codes

CodeMeaning
0Success
1General failure (no user logged in, missing config, credential storage failed)
2Network failure (cannot reach PyPI)
3Installation failure (uv or CLI install failed)