Deploy MCP Watch to macOS devices using any MDM that supports custom configuration profiles and script execution.
If your MDM has a dedicated guide (SimpleMDM, Jamf Pro, Intune, or Mosyle), use that instead for provider-specific instructions.

Prerequisites

  • Admin access to your MDM solution
  • Organization API key from Runlayer with MCP Watch Scan role (see below)
  • Devices enrolled via User-Approved MDM or Automated Device Enrollment (for Full Disk Access)
  • Your MDM must support:
    • Deploying custom .mobileconfig configuration profiles
    • Running shell scripts on managed devices
Create an Organization API Key

Organization API keys authenticate MDM-deployed scripts without per-device enrollment.

1. Navigate to API Keys

Go to Settings in the Runlayer dashboard and select the API Keys tab.

2. Create a New Key

Click + Create Organization API Key.

3. Configure the Key

  • Name (required): Enter a descriptive name (e.g., “MDM MCP Watch”)
  • Role: Select MCP Watch Scan

4. Copy the Key

Copy the generated key (starts with rl_org_) and store it securely.

Organization API keys are shown only once. Store them securely and treat them like passwords.

Deployment Steps

1. Deploy PPPC Profile

MCP Watch needs to read MCP config files in TCC-protected directories (Desktop, Documents, Application Support). Without a PPPC profile, macOS shows a permission dialog on every scan.
The profile targets a dedicated runlayer-scan wrapper binary so that Full Disk Access is scoped to the scan process only — not to general-purpose tools like uvx.
  • Upload the downloaded file as a custom configuration profile
  • Assign it to all devices that will run MCP Watch
  • Push the profile to devices

2. Generate the Script

Fill in your organization’s settings below to generate a customized deployment script.

Configuration tips:
  • DEVICE_NAME: Use your MDM’s variable for the device name or serial number. Common variables include $DEVICE_NAME, %DeviceName%, $SERIAL_NUMBER, etc.

3. Deploy the Script

Use your MDM’s script or command execution feature to deploy the generated script:
  1. Create a new script/command in your MDM console
  2. Paste the generated script contents
  3. Configure a recurring execution schedule (at least daily recommended)
  4. Assign to the same devices that received the PPPC profile
  5. Save and deploy
MDM scripts typically run as root. The generated script handles this by detecting and running operations as the logged-in user where needed.
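The root-to-logged-in-user handoff described above, written out as an added example. This is not Runlayer's generated script; it only reuses the paths and exit codes documented on this page. Two things it assumes that the page does not state: the API key is supplied in an environment variable named RUNLAYER_API_KEY, and the scan is started by running /usr/local/bin/runlayer-scan with no arguments.

```shell
#!/bin/sh
# Added example, not Runlayer's generated script: a minimal MDM run wrapper
# that performs the root -> logged-in-user handoff, logs to the documented
# log location and returns the documented exit codes.
# Assumptions not taken from the page: the key arrives in RUNLAYER_API_KEY
# and the scan is started by invoking /usr/local/bin/runlayer-scan as-is.

LOG_FILE="${LOG_FILE:-/var/log/mcp-watch.log}"
SCAN_BIN="${SCAN_BIN:-/usr/local/bin/runlayer-scan}"

# Exit codes as listed in the Exit Codes table on this page.
EXIT_OK=0
EXIT_GENERAL=1   # missing config
EXIT_NETWORK=2   # not detected by this wrapper; kept for completeness
EXIT_INSTALL=3

# Append a timestamped line to the log; fall back to stderr when the log
# path is not writable (e.g. when exercised off-device).
log() {
  if ! printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$*" >> "$LOG_FILE" 2>/dev/null; then
    printf '%s\n' "$*" >&2
  fi
}

# Name of the user who owns the console session. On macOS the owner of
# /dev/console is the logged-in GUI user; root, loginwindow or _mbsetupuser
# mean nobody is logged in. Off macOS, fall back to SUDO_USER or the current
# user so the function can still be exercised.
console_user() {
  if [ "$(uname -s)" = "Darwin" ]; then
    u=$(stat -f '%Su' /dev/console 2>/dev/null)
    case "$u" in
      ""|root|loginwindow|_mbsetupuser) return 1 ;;
    esac
    printf '%s\n' "$u"
  else
    printf '%s\n' "${SUDO_USER:-$(id -un)}"
  fi
}

# Run a command as the target user: directly when already that user,
# via sudo -u when running as root (the usual case for MDM scripts).
run_as_user() {
  target=$1
  shift
  if [ "$(id -un)" = "$target" ]; then
    "$@"
  elif [ "$(id -u)" -eq 0 ]; then
    sudo -u "$target" -H "$@"
  else
    log "cannot switch to $target without root"
    return 1
  fi
}

# Configuration and installation checks mapped onto the exit-code table.
preflight() {
  if [ -z "${RUNLAYER_API_KEY:-}" ]; then
    log "missing RUNLAYER_API_KEY"
    return "$EXIT_GENERAL"
  fi
  if [ ! -x "$SCAN_BIN" ]; then
    log "wrapper binary missing at $SCAN_BIN"
    return "$EXIT_INSTALL"
  fi
  return "$EXIT_OK"
}

main() {
  preflight || return $?
  if ! user=$(console_user); then
    log "no logged-in user; skipping scan"
    return "$EXIT_OK"
  fi
  log "starting scan as $user"
  # The key is passed through env so it survives the sudo user switch
  # (assumed interface of the scan binary, see lead-in).
  run_as_user "$user" env RUNLAYER_API_KEY="$RUNLAYER_API_KEY" "$SCAN_BIN"
  rc=$?
  log "scan finished with exit code $rc"
  return "$rc"
}

main "$@"
```

The script's exit status is whatever main returns, so the MDM's script result maps directly onto the exit-code table: 1 when the key is not configured, 3 when the wrapper binary is not installed, and otherwise the scan's own status. Skipping the scan when nobody is logged in avoids running MCP Watch against an empty loginwindow session.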

Verification

After deployment, verify on target devices and in the Runlayer dashboard:
1. Verify PPPC Profile

On a target device, verify the profile is installed:
profiles show -type configuration | grep -i runlayer

2. Verify Wrapper Binary

Check that the wrapper binary is installed and signed correctly:
# Check binary exists
ls -la /usr/local/bin/runlayer-scan

# Verify signature
codesign -dv /usr/local/bin/runlayer-scan
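The two on-device checks above, plus a check that the documented log file has been written, combined into one script an admin can push through the same MDM script feature. This is an added example, not a Runlayer tool; it uses only the paths given on this page, and the grep pattern "runlayer" for the profile name is a constructed assumption.

```shell
#!/bin/sh
# Added example, not from Runlayer: post-deployment verification that runs
# the on-device checks from this page and prints a PASS/FAIL/SKIP summary.
# Paths come from the page; PROFILE_MATCH is a constructed assumption.

SCAN_BIN="${SCAN_BIN:-/usr/local/bin/runlayer-scan}"
LOG_FILE="${LOG_FILE:-/var/log/mcp-watch.log}"
PROFILE_MATCH="${PROFILE_MATCH:-runlayer}"

# PPPC profile present. The profiles tool exists only on macOS, so the
# check is skipped (status 2) elsewhere rather than reported as a failure.
check_profile() {
  command -v profiles >/dev/null 2>&1 || return 2
  profiles show -type configuration 2>/dev/null | grep -qi "$PROFILE_MATCH"
}

# Wrapper binary exists and is executable.
check_binary() {
  [ -f "$1" ] && [ -x "$1" ]
}

# Code signature actually verifies (the page's codesign -dv only displays it).
check_signature() {
  command -v codesign >/dev/null 2>&1 || return 2
  codesign --verify --strict "$1" 2>/dev/null
}

# Log file exists and is non-empty, showing the scan script has run at least once.
check_log() {
  [ -s "$1" ]
}

# Run one check and print its result. Returns 0 for PASS or SKIP, 1 for FAIL.
report() {
  name=$1
  shift
  "$@" >/dev/null 2>&1
  rc=$?
  case "$rc" in
    0) echo "PASS  $name" ;;
    2) echo "SKIP  $name (tool not available on this host)" ;;
    *) echo "FAIL  $name"; return 1 ;;
  esac
}

# Run every check; the return value is the number of failures.
verify_all() {
  failures=0
  report "PPPC profile installed"      check_profile               || failures=$((failures + 1))
  report "wrapper binary installed"    check_binary "$SCAN_BIN"    || failures=$((failures + 1))
  report "wrapper signature verifies"  check_signature "$SCAN_BIN" || failures=$((failures + 1))
  report "log file has entries"        check_log "$LOG_FILE"       || failures=$((failures + 1))
  return "$failures"
}

verify_all
```

Because the script exits with the number of failed checks, the MDM's script result is enough to spot devices where the profile or binary did not land, without opening a shell on each one.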
3. Check Analytics

Navigate to Analytics in the Runlayer dashboard.

4. Verify Devices

Confirm that devices are appearing in MCP Watch data.

5. Review Shadow Servers

Review any discovered shadow servers and take action as needed.

Log Locations

Platform   Log Location
macOS      /var/log/mcp-watch.log

Exit Codes

Code   Meaning
0      Success
1      General failure (missing config)
2      Network failure
3      Installation failure