Migrating from the script-based Detect deployment? Run Clean Up Script-Based macOS Detect Deployment before rolling out the .pkg so the old runlayer-scan artifacts don’t conflict with com.runlayer.aiwatch.

Overview

A signed, notarized aiwatch binary installs once per device via .pkg. Tenant config (host + org API key) is pushed via an MDM Configuration Profile. A bundled LaunchAgent runs scheduled scans (default interval: 15 minutes).

Prerequisites

  • Devices enrolled via UAMDM (User-Approved MDM) or DEP/ADE. TCC payloads are ignored on manually-enrolled MDM.
  • An organization API key with the Detect Scan role, minted in Settings → API Keys in the Runlayer dashboard. Record the secret value (rl_org_...).
  • Your Runlayer tenant host URL (e.g. https://your-instance.runlayer.com).

Apple Silicon only for now. The current release ships an arm64 .pkg.

Artifacts

The package is a .zip named aiwatch-<version>-macos-arm64.zip. Contents:

| File | Purpose |
|---|---|
| aiwatch-<version>-macos-arm64.pkg | Signed + notarized installer (binary + bundled LaunchAgent) |
| com.runlayer.aiwatch.pppc.mobileconfig | Full Disk Access / TCC grants (upload as-is) |
| com.runlayer.aiwatch.loginitems.mobileconfig | Pre-approves LaunchAgent on macOS 13+ (upload as-is) |

Contact your Runlayer account team if you don’t have the .zip yet.

Deploy the three Configuration Profiles before the .pkg. Profiles must land in /Library/Managed Preferences/ and TCC before the bundled LaunchAgent’s first scan tick — otherwise aiwatch logs host not configured and TCC denies project-config reads until the next MDM sync.

Deployment

Step 1: Define two Custom Attributes (one-time per Organization Group)

  1. Devices → Provisioning → Custom Attributes → Add.
  2. CustomAttribute1 → set value to your tenant host URL (e.g. https://your-instance.runlayer.com).
  3. CustomAttribute2 → set value to your org API key secret (rl_org_...).

Step 2: Upload PPPC + Login Items profiles

  1. Devices → Profiles → Add → Upload.
  2. Upload com.runlayer.aiwatch.pppc.mobileconfig and com.runlayer.aiwatch.loginitems.mobileconfig as-is. Both are pre-pinned to Developer ID team AF2M8HC7A2.
  3. Assign to your target Smart Group.

Step 3: Upload the WS1 tenant-config profile

  1. Devices → Profiles → Add → Upload.
  2. Upload com.runlayer.aiwatch.config.ws1.mobileconfig as-is — no editing. WS1 substitutes {CustomAttribute1} / {CustomAttribute2} at deploy time.
  3. Assign to the same Smart Group.

Step 4: Upload the .pkg

  1. Apps & Books → Internal → Add Application.
  2. Upload aiwatch-<version>-macos-arm64.pkg.
  3. Assign to the same Smart Group.

To rotate values later: update the Custom Attribute values in the WS1 console and re-publish the profile. No .pkg reinstall is required.
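
Because the PPPC and Login Items profiles are pinned to Developer ID team AF2M8HC7A2, it is worth confirming before the upload in step 4 that the .pkg is notarized and signed by that same team. The script below is an added example, not Runlayer tooling; it assumes the text layout printed by macOS `pkgutil --check-signature`, and the sample output and the signer name "Example Vendor" in it are constructed.

```shell
#!/bin/sh
# Added example, not Runlayer tooling. Assumes the text layout that macOS
# `pkgutil --check-signature` prints for a Developer ID signed installer.

# Team ID the page says the PPPC and Login Items profiles are pinned to.
EXPECTED_TEAM_ID="AF2M8HC7A2"

# verify_pkg_signature <pkgutil-output> <team-id>
# Returns 0 only if the package is Developer ID signed, notarized, and the
# leaf (first) certificate in the chain carries the expected team ID.
verify_pkg_signature() {
    vps_out=$1
    vps_team=$2
    printf '%s\n' "$vps_out" |
        grep -q 'Status: signed by a developer certificate issued by Apple for distribution' ||
        { echo "FAIL: not signed with a Developer ID certificate" >&2; return 1; }
    printf '%s\n' "$vps_out" |
        grep -q 'Notarization: trusted by the Apple notary service' ||
        { echo "FAIL: not notarized" >&2; return 1; }
    vps_leaf=$(printf '%s\n' "$vps_out" |
        sed -n 's/^ *1\. \(Developer ID Installer: .*\)$/\1/p' | head -n 1)
    case $vps_leaf in
        *"($vps_team)") return 0 ;;
        *) echo "FAIL: leaf certificate '$vps_leaf' is not team $vps_team" >&2; return 1 ;;
    esac
}

# Constructed sample output (not captured from the real package).
SAMPLE_GOOD='Package "aiwatch-<version>-macos-arm64.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Notarization: trusted by the Apple notary service
   Certificate Chain:
    1. Developer ID Installer: Example Vendor (AF2M8HC7A2)
    2. Developer ID Certification Authority
    3. Apple Root CA'
# Same output with a different (constructed) team ID: must be rejected.
SAMPLE_WRONG_TEAM=$(printf '%s\n' "$SAMPLE_GOOD" | sed 's/AF2M8HC7A2/ZZZZ999999/')

# On a Mac, pass the downloaded package path as the first argument.
if [ -n "${1:-}" ]; then
    if verify_pkg_signature "$(pkgutil --check-signature "$1" 2>&1)" "$EXPECTED_TEAM_ID"; then
        echo "OK: $1 is notarized and signed by team $EXPECTED_TEAM_ID"
    else
        exit 1
    fi
fi
```

Run it on the admin workstation against the extracted .pkg; a non-zero exit means the package should not be uploaded until the mismatch is explained.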