Deploy Enforce using any MDM that supports script execution.Documentation Index
Fetch the complete documentation index at: https://docs.runlayer.com/llms.txt
Use this file to discover all available pages before exploring further.
If your MDM has a dedicated guide (SimpleMDM, Jamf Pro, Mosyle, or Iru/Kandji), use that instead for provider-specific instructions.
Prerequisites
- Admin access to your MDM solution
- Enforce deployment script and enrollment key from the Runlayer dashboard
- Your MDM must support running shell scripts on managed devices
Deployment Steps
Get Deployment Artifacts
In the Runlayer dashboard, go to Settings → Shadow MCPs. Under the Enforce section, click Configure and select your MDM platform. This opens a setup dialog that auto-generates an enrollment key and renders the deployment script.
Deploy the Script
Use your MDM’s script or command execution feature to deploy the generated script:
- Create a new script/command in your MDM console
- Paste the generated script contents
- Configure the execution frequency
- Assign to target devices
- Save and deploy
MDM scripts typically run as root. The generated script handles this by detecting and running operations as the logged-in user where needed.
Verification
Verify in Runlayer
Navigate to Settings → Shadow MCPs and confirm your Enforce configuration card is active. View intercepted tool calls on the Shadow page.
Log Locations
| Platform | Log Location |
|---|---|
| macOS | /var/log/runlayer/ai_watch_enforce.log |
| macOS (fallback) | /tmp/runlayer-ai_watch_enforce.log |
The fallback log location is used when the primary path (
/var/log/runlayer/) cannot be written to due to permissions.Exit Codes
| Code | Meaning |
|---|---|
| 0 | Success |
| 1 | General failure (no user logged in, missing config, enrollment failed) |
| 2 | Network failure (cannot reach PyPI) |
| 3 | Installation failure (uv or CLI install failed, hooks install failed) |