Deploy Runlayer hooks to macOS devices using any MDM that supports script execution.
If your MDM has a dedicated guide (SimpleMDM, Jamf Pro, or Mosyle), use that instead for provider-specific instructions.

Prerequisites

  • Admin access to your MDM solution
  • Configured enrollment key from Runlayer (see below)
  • Your MDM must support running shell scripts on managed devices

Enrollment keys allow devices to automatically register with Runlayer and obtain API credentials.

1. Navigate to Enrollment Keys

Go to Settings in the Runlayer dashboard and select the Enrollment Keys tab.

2. Create a New Key

Click + Create Enrollment Key.

3. Configure the Key

  • Name (required): Enter a descriptive name (e.g., “Production MDM”)
  • Description (optional): Add context about the key’s purpose

4. Copy the Key

Copy the generated key (starts with rl_enroll_) and store it securely.

Enrollment keys are shown only once. Store them securely and treat them like passwords.

Deployment Steps

1. Generate the Script

Fill in your organization’s settings below to generate a customized deployment script.

Configuration tips:
  • ENROLLMENT_USERNAME: Use your MDM’s variable for the user’s email or identity. Most MDMs support variables like $EMAIL, %Email%, or similar; check your MDM’s documentation.
  • ENROLLMENT_DEVICE_NAME: Use your MDM’s variable for the device name or serial number. Common variables include $DEVICE_NAME, %DeviceName%, $SERIAL_NUMBER, etc.

2. Deploy the Script

Use your MDM’s script or command execution feature to deploy the generated script:
  1. Create a new script/command in your MDM console
  2. Paste the generated script contents
  3. Configure the execution frequency
  4. Assign to the target devices
  5. Save and deploy

MDM scripts typically run as root. The generated script handles this by detecting and running operations as the logged-in user where needed.
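
A preflight check an administrator could place ahead of the deployment logic, added here as an example and not part of Runlayer's generated script. It rejects values the MDM failed to substitute (a literal $EMAIL or %DeviceName%) and a key without the rl_enroll_ prefix, returning the documented general-failure code 1. The variable name ENROLLMENT_KEY and all function names are assumptions.

```shell
#!/bin/sh
# Added example: preflight checks for values an MDM substitutes into a
# deployment script. Assumed usage (ENROLLMENT_KEY is a hypothetical name):
#   preflight "$ENROLLMENT_KEY" "$ENROLLMENT_USERNAME" \
#             "$ENROLLMENT_DEVICE_NAME" || exit 1

# True if the value still looks like an unexpanded MDM placeholder,
# i.e. a literal such as $EMAIL or %Email% that was never replaced.
is_unexpanded() {
    case "$1" in
        '$'*|'%'*'%') return 0 ;;
        *) return 1 ;;
    esac
}

# Mask a key for log output: keep the prefix, never print the secret part.
mask_key() {
    case "$1" in
        rl_enroll_?*) printf 'rl_enroll_****\n' ;;
        *) printf '(invalid)\n' ;;
    esac
}

# Validate key, username and device name. Writes one line per problem to
# stderr and returns 1 (general failure / missing config) if any check fails.
preflight() {
    pf_key=$1 pf_user=$2 pf_device=$3 pf_rc=0
    case "$pf_key" in
        rl_enroll_?*) ;;
        *) echo "enrollment key missing or lacks rl_enroll_ prefix" >&2
           pf_rc=1 ;;
    esac
    for pf_pair in "ENROLLMENT_USERNAME=$pf_user" \
                   "ENROLLMENT_DEVICE_NAME=$pf_device"; do
        pf_name=${pf_pair%%=*} pf_value=${pf_pair#*=}
        if [ -z "$pf_value" ]; then
            echo "$pf_name is empty" >&2; pf_rc=1
        elif is_unexpanded "$pf_value"; then
            echo "$pf_name was not substituted by the MDM: $pf_value" >&2
            pf_rc=1
        fi
    done
    return "$pf_rc"
}
```

Running the check on one test device before a fleet-wide assignment catches a mistyped MDM variable before devices register under a literal placeholder name.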

Verification

1. Check Analytics

Navigate to Analytics in the Runlayer dashboard.

2. Verify Devices

Confirm that devices are appearing with hooks installed.

3. Test Interception

Have a user trigger a shadow MCP tool call and verify it appears in audit logs.

Log Locations

Platform  Log Location
macOS     /var/log/runlayer-hooks.log

Exit Codes

Code  Meaning
0     Success
1     General failure (missing config, enrollment failed)
2     Network failure
3     Installation failure