Jamf MDM Deployment

Overview

MCP Endpoint Shield can be deployed enterprise-wide via Jamf Pro for seamless, automated installation across your organization's macOS devices.

Why Use MDM Deployment?

MDM deployment provides significant advantages over manual installation:

• Zero-touch deployment - Automatic installation at user login

• Centralized management - Configure and monitor from a single console

• Consistent configuration - Ensure all devices have the same security posture

• Automated updates - Devices automatically pull the latest version on each login

• Compliance tracking - Monitor deployment status and coverage

Supported Platforms

• ✅ Jamf Pro - Enterprise MDM solution

Architecture

Prerequisites

Before deploying via Jamf, ensure you have the following:

1. AKTO_API_TOKEN

• Obtain from the Akto platform

• Will be deployed securely via Jamf encrypted parameters

2. AKTO_API_BASE_URL

• Your Akto data ingestion URL (e.g. https://<account-id>-guardrails.akto.io)

3. MANIFEST_URL

• Provided by Akto during onboarding

• Enables auto-update: devices check this URL on each login to determine if a newer version is available

4. Jamf Pro Access

Permissions to create/edit:

• Scripts

• Policies

• Smart Groups (optional)

• Extension Attributes (optional)

Deployment Script

This deployment uses a single script (install.sh). The script:

1. Fetches the latest version manifest (latest.json) from the URL you provide

2. Compares installed version vs manifest — skips if already up to date

3. Downloads the signed/notarized .pkg and installs it

4. Writes config.env (token, feature flags) to the user's home directory

5. The pkg's embedded postinstall handles file placement, LaunchAgent setup, and hook installation

No manual package upload to Jamf is required.

install.sh

• Purpose: Install or update Akto Endpoint Shield

• Run as: Root (auto-detects logged-in user)

• Parameter 4: AKTO_API_TOKEN (encrypted)

• Parameter 5: AKTO_API_BASE_URL

• Parameter 6: MANIFEST_URL (provided by Akto — enables auto-update)

• Parameter 7: PKG_URL (direct pkg URL — fallback if MANIFEST_URL not set)

uninstall.sh

• Purpose: Removes Akto Endpoint Shield from user's system

• Run as: Root (auto-detects logged-in user)

• Cleanup: Includes removal of MCP server configurations

Phase 1: Upload Scripts to Jamf Pro

Navigate to Settings → Computer Management → Scripts → + New

Script 1: install.sh

• Display Name: Akto Endpoint Shield - Install

• Category: Security

• Execution: Root (default — do not change)

• Parameter Labels:

  • Parameter 4: AKTO_API_TOKEN

  • Parameter 5: AKTO_API_BASE_URL

  • Parameter 6: MANIFEST_URL (provided by Akto — enables auto-update)

  • Parameter 7: PKG_URL (direct pkg URL — fallback if MANIFEST_URL not used)

Paste the contents of install.sh (provided by Akto) as the script body.

Script 2: uninstall.sh

• Display Name: Akto Endpoint Shield - Uninstall

• Category: Security

• No parameters needed

Paste the contents of uninstall.sh (provided by Akto) as the script body.

Extension Attribute (Optional but Recommended)

Navigate to Settings → Computer Management → Extension Attributes → + New

• Display Name: Akto Endpoint Shield Version

• Description: Reports installed version of Akto Endpoint Shield

• Data Type: String

• Inventory Display: General

• Input Type: Script

Script:

Smart Group (Optional)

Navigate to Computers → Smart Computer Groups → + New

• Name: Akto Endpoint Shield Not Installed

• Criteria:

  • Extension Attribute "Akto Endpoint Shield Version" is "Not Installed"

  • Operating System Version greater than or equal to 10.13.x

Phase 2: Create Jamf Policy

Navigate to Computers → Policies → + New

General Settings

• Display Name: Install Akto Endpoint Shield

• Enabled: Yes

• Triggers:

  • ✅ Login (user login trigger)

  • ✅ Recurring Check-in (optional, for catch-up)

• Execution Frequency: Once per user per computer

  For auto-updates: change frequency to Ongoing — the script skips reinstall if already at the latest version (based on the manifest), so running on every login is safe.

• Category: Security

No Package Required

The script downloads and installs the pkg automatically. Do not add a package to this policy.

Scripts

Add Akto Endpoint Shield - Install with Priority: Before

Parameter Values:

Configuration (which MCP clients to protect, hook settings) is managed via the Akto dashboard after install — no Jamf policy changes needed.

Scope

Choose one of the following scoping options:

Option A: Target Specific Group

• Targets: Smart Group "Akto Endpoint Shield Not Installed"

Option B: All Computers (install + auto-update)

• Targets: All Computers

• Frequency: Ongoing

Option C: Specific Departments/Locations

• Targets:

  • Department: Engineering, Security, etc.

  • Location: Office A, Remote Workers, etc.

User Interaction (Optional)

• Start Message: Leave empty for silent installation

• Complete Message: "Akto Endpoint Shield has been installed to protect your MCP servers."

• Or leave both empty for completely silent deployment

Maintenance

• Update Inventory: Yes (recommended)

Phase 3: Create Uninstall Policy (Optional)

Navigate to Computers → Policies → + New

General Settings

• Display Name: Uninstall Akto Endpoint Shield

• Enabled: Yes

• Triggers:

  • ✅ Self Service (user-initiated only for safety)

• Execution Frequency: Ongoing

• Category: Security

Scripts

• Select: Akto Endpoint Shield - Uninstall

• Priority: Before

Scope

• Targets: All Computers (available to all, but Self Service only)

Self Service

• Make the policy available in Self Service: Yes

• Display Name: Uninstall Akto Endpoint Shield

• Description: "Remove Akto Endpoint Shield from your computer. This will restore your MCP server configurations to their original state."

• Icon: Upload Akto icon if available

• Category: Security

Updating Akto Endpoint Shield

Updates are handled automatically. When Akto releases a new version, the MANIFEST_URL you configured in your Jamf policy will point to the updated package. Devices check this URL on each login and update if a newer version is available — no changes to your Jamf policy are needed.

To force an immediate reinstall: Set Jamf parameter $7 PKG_URL to the pkg URL provided by Akto (bypasses the manifest version check) and run the policy manually.

Testing

Test Plan

1. Create Test Group

   • Create a Smart Group: "Akto Shield Test Group"

   • Add 2-3 test computers to the group

2. Scope Policy to Test Group

   • Edit your installation policy

   • Change scope to target only "Akto Shield Test Group"

3. Test on First Machine

   • Log in as test user

   • Policy should trigger automatically at login

   • Verify installation:

4. Verify Functionality

   • Services running: launchctl list | grep akto-endpoint-shield

   • Config: ls -la ~/.akto-endpoint-shield/config/config.env (check permissions are 600)

   • Live logs: tail -f ~/.akto-endpoint-shield/logs/*.log

5. Test on Multiple Architectures

   • Test on Intel Mac

   • Test on Apple Silicon Mac

   • Verify universal binary works on both

6. Test Uninstallation

   • Run uninstall from Self Service

   • Verify complete removal

   • Check MCP configs are unwrapped

Verification Checklist

• Scripts upload successfully to Jamf

• Policy triggers at login

• Token deployed with correct permissions (600)

• Binary installed and executable at /usr/local/bin/akto-endpoint-shield

• Services start automatically

• Agent discovers MCP configurations

• HTTP proxy responds (check logs)

• Works on Intel Macs

• Works on Apple Silicon Macs

• Extension Attribute reports version correctly

• Uninstall removes all components

• Uninstall restores MCP configs

Rollout Strategy

Phase 1: Pilot (Week 1)

• Deploy to 5-10 test users

• Monitor for issues

• Gather feedback

• Verify no conflicts with existing tools

Phase 2: Department Rollout (Week 2-3)

• Deploy to engineering/security teams first

• Monitor service health

• Address any issues

• Expand to other departments incrementally

Phase 3: Organization-Wide (Week 4+)

• Scope policy to all computers with Ongoing frequency

• Monitor deployment metrics

• Provide user support/documentation

• Track compliance via Extension Attribute

Troubleshooting

Security Considerations

Token Storage

• Location: ~/.akto-endpoint-shield/config/config.env

• Permissions: 600 (readable only by owner)

• Encryption: Token passed via Jamf encrypted parameter (parameter 4)

• Access Control: Limit Jamf policy editing to security team

Best Practices

1. Rotate Tokens Regularly

• Update token in Jamf policy

• Install script updates config.env on next run

• Consider 90-day rotation schedule

2. Monitor Deployments

• Use Extension Attribute to track deployment status

• Create Smart Group for failed installations

• Review Jamf logs regularly

3. Least Privilege

• Binaries run as user, not system

• No system-level daemons

• All user data confined to ~/.akto-endpoint-shield/

4. Audit Trail

• Jamf logs all script executions

• Akto Endpoint Shield logs all activity in ~/.akto-endpoint-shield/logs/

• Token deployment is timestamped

File Locations

Useful Commands

Check Installation Status

Check Services

Check Configuration

Jamf Commands

Jamf Policy Parameters Reference

Support

• Jamf Issues: IT Helpdesk

• Akto Endpoint Shield Issues: Security Team

• Token Issues: Security Team

• Akto Platform: [email protected]

Related Documentation

• MCP Endpoint Shield Overview - General installation and manual setup

• Cursor Hooks - Alternative: Zero-installation hooks for Cursor IDE

• Claude CLI Hooks - Alternative: Zero-installation hooks for Claude CLI

• Gemini CLI Hooks - Alternative: Zero-installation hooks for Gemini CLI

• MCP Security - Security concepts and best practices

Deprecated: Legacy Deployment (deploy_token.sh + .pkg)

The legacy approach used three separate scripts and required uploading a .pkg file to Jamf for each release.

Legacy Architecture

• Installation Type: User-level (installs to ~/.local/bin/)

• Services: LaunchAgents (runs as user, not system-wide)

• Token Management: External configuration file (~/.config/mcp-endpoint-shield/config.env)

• Binary: Universal (Intel + Apple Silicon support)

• Deployment: Automated at login via Jamf policy

• Security: True user-level operation - no root privileges required

Legacy Scripts

deploy_token.sh

• Purpose: Deploys AKTO_API_TOKEN to user's config directory

• Run as: Logged-in user (NOT root)

• Jamf Parameter 4: AKTO_API_TOKEN (encrypted)

• Jamf Parameter 5: AKTO_API_BASE_URL

install_from_staging.sh

• Purpose: Installs MCP Endpoint Shield in user context

• Run as: Logged-in user (NOT root)

• Auto-detects: Package from Jamf cache

uninstall.sh

• Purpose: Removes MCP Endpoint Shield from user's system

Legacy Upload Steps

1. Upload mcp-endpoint-shield-Jamf-Installer.pkg via Settings → Computer Management → Packages

2. Upload deploy_token.sh as "MCP Endpoint Shield - Deploy Token" with parameters:

   • Parameter 4: AKTO_API_TOKEN

   • Parameter 5: AKTO_API_BASE_URL

3. Upload install_from_staging.sh as "MCP Endpoint Shield - Install User Package"

4. Create policy with:

   • Script 1: Deploy Token (Priority: Before) — with token parameters

   • Script 2: Install User Package (Priority: After)

   • Package: MCP Endpoint Shield pkg

   • Frequency: Once per user per computer

Legacy File Locations