Skip to main content
Migrating from the script-based Detect deployment? Run Clean Up Script-Based macOS Detect Deployment before rolling out the .pkg so the old runlayer-scan artifacts don’t conflict with com.runlayer.aiwatch.

Overview

A signed, notarized aiwatch binary installs once per device via .pkg. Tenant config (host + org API key, plus an enrollment key for Enforce) is pushed via MDM Configuration Profile. The .pkg bundles up to three launchd units: a scan LaunchAgent (user, default 15 min) for Detect, plus — when an EnrollmentKey is set — an enroll LaunchAgent (user, every 60 min, runs aiwatch enroll) and a hook-install LaunchDaemon (root, fast-retries every 60 s for the first 10 min after install then hourly, runs aiwatch setup hooks install --mdm) for Enforce.

Prerequisites

  • Devices enrolled via UAMDM (User-Approved MDM) or DEP/ADE. TCC payloads are ignored on manually-enrolled MDM.
  • An organization API key with the Detect Scan role minted in Settings → Organization API keys in the Runlayer dashboard. Record the secret value (rl_org_...).
  • Your Runlayer tenant host URL (e.g. https://your-instance.runlayer.com).
Apple Silicon only for now. The current release ships an arm64 .pkg.

Artifacts

The package is a .zip named aiwatch-<version>-macos-arm64.zip. Contents:
FilePurpose
aiwatch-<version>-macos-arm64.pkgSigned + notarized installer (single aiwatch binary + scan & enroll LaunchAgents + hook-install LaunchDaemon)
com.runlayer.aiwatch.pppc.mobileconfigFull Disk Access / TCC grants (upload as-is)
com.runlayer.aiwatch.loginitems.mobileconfigPre-approves the bundled LaunchAgents on macOS 13+ (upload as-is; LabelPrefix=com.runlayer.aiwatch covers all current and future user-context units)
Contact your Runlayer account team if you don’t have the .zip yet.
Deploy the three Configuration Profiles before the .pkg. Profiles must land in /Library/Managed Preferences/ and TCC before the bundled LaunchAgent’s first scan tick — otherwise aiwatch logs host not configured and TCC denies project-config reads until the next MDM sync.

Deployment

1

Define two Custom Attributes (one-time per Organization Group)

  1. Devices → Provisioning → Custom Attributes → Add.
  2. CustomAttribute1 → set value to your tenant host URL (e.g. https://your-instance.runlayer.com).
  3. CustomAttribute2 → set value to your org API key secret (rl_org_...).
2

Upload PPPC + Login Items profiles

  1. Devices → Profiles → Add → Upload.
  2. Upload com.runlayer.aiwatch.pppc.mobileconfig and com.runlayer.aiwatch.loginitems.mobileconfig as-is. Both pre-pinned to Developer ID team AF2M8HC7A2.
  3. Assign to your target Smart Group.
3

Upload the WS1 tenant-config profile

  1. Devices → Profiles → Add → Upload.
  2. Upload com.runlayer.aiwatch.config.ws1.mobileconfig as-is — no editing. WS1 substitutes {CustomAttribute1} / {CustomAttribute2} at deploy time.
  3. Assign to the same Smart Group.
4

Upload the .pkg

  1. Apps & Books → Internal → Add Application.
  2. Upload aiwatch-<version>-macos-arm64.pkg.
  3. Assign to the same Smart Group.
To rotate values later: update the Custom Attribute values in the WS1 console and re-publish the profile. No .pkg reinstall.