If your MDM has a dedicated guide (SimpleMDM, Jamf Pro, Intune, Mosyle, or Kandji), use that instead for provider-specific instructions.
Prerequisites
- Admin access to your MDM solution
- Devices enrolled via User-Approved MDM or Automated Device Enrollment (for Full Disk Access)
- Your MDM must support:
- Deploying custom
.mobileconfigconfiguration profiles - Running shell scripts on managed devices
- Deploying custom
Deployment Steps
Deploy PPPC Profile
Detect needs to read MCP config files in TCC-protected directories (Desktop, Documents, Application Support). Without a PPPC profile, macOS shows a permission dialog on every scan.Download the PPPC profile from the Detect configuration page in the Runlayer dashboard (Settings → Shadow MCPs), or use the button below:
The profile targets a dedicated
runlayer-scan wrapper binary so that Full Disk Access is scoped to the scan process only — not to general-purpose tools like uvx.- Upload the downloaded file as a custom configuration profile
- Assign it to all devices that will run Detect
- Push the profile to devices
Get Deployment Artifacts
In the Runlayer dashboard, go to Settings → Shadow MCPs and open or create a Detect configuration to copy the generated script and API key.
Deploy the Script
Use your MDM’s script or command execution feature to deploy the generated script:
- Create a new script/command in your MDM console
- Paste the generated script contents
- Configure a recurring execution schedule (at least daily recommended)
- Assign to the same devices that received the PPPC profile
- Save and deploy
MDM scripts typically run as root. The generated script handles this by detecting and running operations as the logged-in user where needed.
Verification
Log Locations
| Platform | Log Location |
|---|---|
| macOS | /var/log/runlayer/ai_watch_detect.log |
Exit Codes
| Code | Meaning |
|---|---|
| 0 | Success |
| 1 | General failure (missing config) |
| 2 | Network failure |
| 3 | Installation failure |