Deploy MCP Watch to macOS devices managed by Mosyle Business.

Prerequisites

  • Mosyle Business admin access
  • Organization API key from Runlayer with MCP Watch Scan role (see below)
  • Devices enrolled via User-Approved MDM or Automated Device Enrollment (for Full Disk Access)
Create an Organization API Key

Organization API keys authenticate MDM-deployed scripts without per-device enrollment.

Step 1: Navigate to API Keys

Go to Settings in the Runlayer dashboard and select the API Keys tab

Step 2: Create a New Key

Click + Create Organization API Key

Step 3: Configure the Key

  • Name (required): Enter a descriptive name (e.g., “MDM MCP Watch”)
  • Role: Select MCP Watch Scan

Step 4: Copy the Key

Copy the generated key (starts with rl_org_) and store it securely
Organization API keys are shown only once. Store them securely and treat them like passwords.

Deployment Steps

Step 1: Deploy PPPC Profile

MCP Watch needs to read MCP config files in TCC-protected directories (Desktop, Documents, Application Support). Without a PPPC profile, macOS shows a permission dialog on every scan.
The profile targets a dedicated runlayer-scan wrapper binary so that Full Disk Access is scoped to the scan process only — not to general-purpose tools like uvx.
  1. Switch to the Management tab in Mosyle Business
  2. Look for Certificates / Custom Profiles. If it is not available, click Activate New Profile Type and then click Activate under “Certificates / Custom Profiles”
  3. Click Add New Profile
  4. Provide a Name (e.g., “Runlayer MCP Watch - Full Disk Access”) and click Select the file to upload the downloaded .mobileconfig
  5. Click Add Assignment to assign the profile to target machines. Assigning it to all devices is recommended; at a minimum, the assignment must include every device that will have MCP Watch deployed
  6. Click Save
Step 2: Generate the Script

Fill in your organization’s settings below to generate a customized deployment script.
Mosyle-specific configuration tips:
  • DEVICE_NAME: Use the Mosyle variable %DeviceName% to identify the device.
Step 3: Create a Custom Command

  1. Under the Management tab, select Custom Commands
  2. Click Add new profile
  3. Provide a Name (e.g., “Runlayer MCP Watch”), check Enable variables for this profile, and paste the generated script into the code box
  4. Switch to the Execution Settings tab and configure the execution frequency (at least daily recommended)

Step 4: Assign to Devices

Click Add assignment to assign the profile to all devices that should run MCP Watch

Step 5: Save and Deploy

Click Save to begin deployment to target devices

Verification

After deployment, verify on target devices and in the Runlayer dashboard:
Step 1: Verify PPPC Profile

On a target device, verify the profile is installed:
  profiles show -type configuration | grep -i runlayer

Step 2: Verify Wrapper Binary

Check that the wrapper binary is installed and signed correctly:
  # Check binary exists
  ls -la /usr/local/bin/runlayer-scan

  # Verify signature
  codesign -dv /usr/local/bin/runlayer-scan

Step 3: Check Analytics

Navigate to Analytics in the Runlayer dashboard

Step 4: Verify Devices

Confirm that devices are appearing in MCP Watch data

Step 5: Review Shadow Servers

Review any discovered shadow servers and take action as needed

Log Locations

Platform   Log Location
macOS      /var/log/mcp-watch.log

Exit Codes

Code   Meaning
0      Success
1      General failure (missing config)
2      Network failure
3      Installation failure
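The device-side checks from the Verification section and the exit code table above, combined into one script that an admin can run on a target Mac or push as a further Mosyle custom command. This is an added example, not Runlayer's deployment script; it assumes the wrapper path, log path and exit codes documented on this page, and that the profiles and codesign tools are present on the device.

```bash
#!/bin/bash
# Post-deployment verification for MCP Watch on a Mosyle-managed Mac.
# Added example, not Runlayer's deployment script. Wrapper path, log path and
# exit codes are the ones documented above; override via the environment.
WRAPPER="${WRAPPER:-/usr/local/bin/runlayer-scan}"
LOG="${LOG:-/var/log/mcp-watch.log}"

# Translate a deployment-script exit code into its documented meaning.
exit_code_meaning() {
  case "$1" in
    0) echo "Success" ;;
    1) echo "General failure (missing config)" ;;
    2) echo "Network failure" ;;
    3) echo "Installation failure" ;;
    *) echo "Unknown exit code: $1" ;;
  esac
}

# 0 if a configuration profile whose name contains "runlayer" is installed,
# 2 if profiles(1) is unavailable (i.e. this is not a macOS host).
check_profile() {
  command -v profiles >/dev/null 2>&1 || { echo "profiles(1) not available"; return 2; }
  profiles show -type configuration 2>/dev/null | grep -qi runlayer
}

# 0 if the wrapper exists, is executable and its code signature verifies.
# "codesign -dv" only displays signing info; "--verify" actually checks it.
check_wrapper() {
  local bin="${1:-$WRAPPER}"
  [ -x "$bin" ] || { echo "wrapper missing or not executable: $bin"; return 1; }
  command -v codesign >/dev/null 2>&1 || { echo "codesign not available"; return 2; }
  codesign --verify --strict "$bin" 2>/dev/null || { echo "signature invalid: $bin"; return 1; }
  codesign -dvv "$bin" 2>&1 | grep -E '^(Identifier|Authority|TeamIdentifier)=' || true
}

# Run every check, print one status line each plus the last log line, and
# return the number of failed checks so an MDM run reports non-zero on trouble.
verify_all() {
  local failed=0 rc
  check_profile; rc=$?; echo "PPPC profile:   rc=$rc"; [ "$rc" -eq 0 ] || failed=$((failed + 1))
  check_wrapper; rc=$?; echo "wrapper binary: rc=$rc"; [ "$rc" -eq 0 ] || failed=$((failed + 1))
  if [ -r "$LOG" ]; then echo "last log line: $(tail -n 1 "$LOG")"
  else echo "log not readable: $LOG"; failed=$((failed + 1)); fi
  return "$failed"
}

# Invoke as: bash verify-mcp-watch.sh --run   (exit status = failed check count)
if [ "${1:-}" = "--run" ]; then verify_all; exit $?; fi
```

When pushed through Mosyle, a non-zero exit status from verify_all marks the run as failed, which makes a missing profile or an unsigned wrapper visible in the MDM console without opening each device.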