Skip to main content
Enforce intercepts MCP tool calls to apply security policies before execution. Unlike Detect (which discovers configurations), Enforce actively controls what shadow MCPs can do in real-time.

How It Works

When Enforce is installed, it intercepts MCP tool calls before execution:
  1. User invokes a tool — The AI assistant requests a tool call from a shadow MCP
  2. Intercept — The call is captured before reaching the MCP server
  3. Policy evaluation — The call is checked against your organization’s policies
  4. Decision — The call is either:
    • Allowed — Proceeds to the MCP server normally
    • Blocked — Prevented and logged for security review
  5. Audit logging — All intercepted calls are logged for visibility

What Gets Intercepted

Enforce intercepts tool calls from shadow MCP servers (those configured directly in the client, not through Runlayer). Tool calls to Runlayer-managed MCPs are handled by the Runlayer proxy and are not affected.

Supported Clients

ClientmacOSWindows
CursorComing soon
Additional client support is in active development. Check the Runlayer dashboard for the latest supported clients.

Deployment

MDM Deployment

Deploy Enforce across your organization directly from the Runlayer dashboard:
1

Navigate to Shadow MCPs

Go to SettingsShadow MCPs in the Runlayer dashboard
2

Configure Enforce

Click Configure under the Enforce section and select your MDM platform
3

Follow the Setup Guide

The in-app setup guide provides the deployment script and configuration for your MDM. Copy the generated script and enrollment key, then follow the instructions for your platform.

Manual Installation

For testing or individual device setup, install Enforce directly using the Runlayer CLI. Install the Runlayer CLI: 
curl -LsSf https://astral.sh/uv/install.sh | sh
Log in to your Runlayer instance: 
uvx runlayer login --host https://your-runlayer-instance.com
Install Enforce: 
uvx runlayer setup hooks --install --yes
FlagDescription
--installPerform the installation
--yesSkip confirmation prompts
--hostValidate this host exists in config before install
--client cursorInstall only for Cursor (default: all supported clients)
Verify installation: 
uvx runlayer setup hooks --status
Uninstall: 
uvx runlayer setup hooks --uninstall --yes

Troubleshooting

  1. Verify installation: uvx runlayer setup hooks --status
  2. Restart the client application after installation
  3. Check that the client is supported (currently Cursor on macOS)
  4. Ensure Enforce is installed for the correct client
  1. Ensure uv is installed: curl -LsSf https://astral.sh/uv/install.sh | sh
  2. Check network connectivity to your Runlayer instance
  3. Verify the host URL is correct
  4. Try running with verbose output for more details
  1. Check your Runlayer instance connectivity
  2. Review the number of policies being evaluated
  3. Contact Runlayer support if issues persist

Shadow MCP Overview

Understanding the shadow MCP problem

Detect

Discover shadow servers via scheduled scans

Policies

Configure access control policies

Audit Logs

View intercepted tool calls