Skip to main content
Choose the installation method that best fits your needs:

Installation Options

OptionBest ForDescription
Manual ExecutionTesting, individual devicesRun CLI commands directly on a device
MDM IntegrationEnterprise deploymentDeploy via SimpleMDM, Jamf Pro, or Intune
Custom IntegrationCustom infrastructure, unsupported MDMsBuild your own integration with modular components

Manual Installation

For testing or individual device setup, you can manually install and run MCP Watch.

Installing the Runlayer CLI

The Runlayer CLI is distributed via PyPI and runs using uvx (part of the uv package manager). macOS/Linux: 
# Install uv if not already installed
curl -LsSf https://astral.sh/uv/install.sh | sh

# Run the Runlayer CLI
uvx runlayer --help
Windows (PowerShell): 
# Install uv if not already installed
powershell -ExecutionPolicy ByPass -c "irm https://astral.sh/uv/install.ps1 | iex"

# Run the Runlayer CLI
uvx runlayer --help

Configuring Credentials

Use the login command to authenticate with Runlayer: 
uvx runlayer login --host https://app.runlayer.com
This opens your browser for authentication. After logging in, your credentials are saved to ~/.runlayer/config.yaml (macOS/Linux) or %USERPROFILE%\.runlayer\config.yaml (Windows). Alternatively, you can pass credentials directly to commands using --secret: 
uvx runlayer scan --host https://app.runlayer.com --secret rl_your_api_key_here

Running a Scan

# Run a scan and submit results to Runlayer
uvx runlayer scan

# Dry run - see what would be submitted without sending
uvx runlayer scan --dry-run

# Verbose output
uvx runlayer scan --verbose

Viewing Results

After a scan, view discovered servers in the Runlayer dashboard:
  1. Navigate to Analytics
  2. The MCP Watch section shows:
    • Total devices scanned
    • Managed vs. shadow servers
    • Newly discovered shadow servers

MDM Integration

For enterprise-wide deployment, use your MDM (Mobile Device Management) solution to deploy MCP Watch to all devices. We provide step-by-step guides for popular MDM platforms:
macOS Full Disk Access: The macOS deployment script includes an embedded executable (runlayer-scan) that receives Full Disk Access and Application Data access via a PPPC profile deployed through your MDM. This wrapper binary is specifically designed to bypass macOS TCC permission dialogs and enable silent scanning for shadow MCP servers on enrolled devices. By granting FDA only to this wrapper binary (not to general-purpose tools like uvx), permissions are scoped exclusively to MCP Watch scans.

SimpleMDM

macOS deployment

Jamf Pro

macOS deployment

Intune

Windows deployment

Creating an Enrollment Key

Enrollment keys allow devices to automatically register with Runlayer and obtain API credentials for scanning. You’ll need one before deploying via MDM. Enrollment Keys List
1

Navigate to Enrollment Keys

Go to Settings in the Runlayer dashboard and select the Enrollment Keys tab
2

Create a New Key

Click + Create Enrollment KeyCreate Enrollment Key
3

Configure the Key

  • Name (required): Enter a descriptive name (e.g., “Production MDM”)
  • Description (optional): Add context about the key’s purpose
4

Copy the Key

Copy the generated key (starts with rl_enroll_) and store it securelyEnrollment Key Created
Enrollment keys are shown only once. Store them securely and treat them like passwords.

Custom Integration

Use these modular components to build your own MCP Watch integration when:
  • Your MDM doesn’t support script execution
  • You need more control over the execution environment
  • You want to integrate with custom deployment infrastructure
  • You need custom scheduling (cron, Task Scheduler, etc.)

Installing UV

UV is the Python package manager required to run the Runlayer CLI. macOS/Linux: 
curl -LsSf https://astral.sh/uv/install.sh | sh
Windows (PowerShell): 
powershell -ExecutionPolicy ByPass -c "irm https://astral.sh/uv/install.ps1 | iex"

Installing the Runlayer CLI

Install the CLI as a tool (recommended for automated deployments): 
uv tool install runlayer
To pin a specific version: 
uv tool install runlayer==0.9.0

Updating the Runlayer CLI

uv tool install runlayer --force
Or to update to a specific version: 
uv tool install runlayer==1.0.0 --force

Running MCP Watch Scan

uvx runlayer scan --host https://app.runlayer.com --secret rl_your_api_key_here
Or if credentials are configured in ~/.runlayer/config.yaml: 
uvx runlayer scan

Example: Cron Job (macOS/Linux)

Run MCP Watch daily at 9 AM: 
# Edit crontab
crontab -e

# Add this line
0 9 * * * /path/to/uvx runlayer scan

Example: Task Scheduler (Windows)

Create a scheduled task to run daily: 
$action = New-ScheduledTaskAction -Execute "uvx" -Argument "runlayer scan"
$trigger = New-ScheduledTaskTrigger -Daily -At 9am
Register-ScheduledTask -TaskName "MCP Watch Scan" -Action $action -Trigger $trigger