MDM Deployment
Overview
Akto MCP Endpoint Shield provides enterprise-grade Mobile Device Management (MDM) support for seamless deployment and centralized management across your organization's devices.
Why MDM Integration Matters
In enterprise environments, manually configuring security tools on hundreds or thousands of developer machines is impractical. MDM support enables:
Zero-touch deployment across all managed devices
Centralized configuration and policy management
Automated updates and patch management
Compliance enforcement and audit trails
Remote monitoring of security posture
Supported MDM Platforms
Akto MCP Endpoint Shield integrates with leading MDM solutions:
✅ Microsoft Intune (Windows, macOS)
✅ Jamf Pro (macOS, iOS)
✅ Workspace ONE (VMware)
✅ Kandji (macOS)
✅ Mosyle (Apple devices)
✅ ManageEngine (Cross-platform)
✅ IBM MaaS360
✅ Any standard MDM supporting package deployment
Key MDM Capabilities
1. Automated Deployment
Silent installation without user interaction
Pre-configured API tokens pushed via MDM profiles
Automatic service startup on device enrollment
Version control and automated updates
2. Centralized Configuration
Configuration profiles for standard settings
Environment variables managed via MDM
Policy enforcement (blocking vs. monitoring mode)
Custom server lists and whitelist management
3. Compliance & Monitoring
Health check reporting back to MDM console
Installation verification via scripts
Log collection for security audits
Compliance dashboards in Akto platform
Prerequisites
Active Akto account with API token
MDM platform with package deployment capability
Administrator access to MDM console
MCP Endpoint Shield installer package (.pkg for macOS, .msi for Windows, .deb for Linux)
Step 1: Prepare the Installation Package
For macOS (Jamf Pro, Intune, Kandji)
Download the installer
Contact Akto Support to get
akto-mcp-endpoint-shield.pkgThe
.pkgfile is signed and notarized by Apple for secure installationDeveloper ID: Akto, Inc.
Notarization: Apple-verified for Gatekeeper compatibility
Upload to your MDM file repository
Why signing and notarization matters:
✅ Passes Gatekeeper checks on macOS 10.15+ without manual overrides
✅ No security warnings during installation
✅ Compatible with MDM silent installs (no user interaction required)
✅ Trusted by Apple - package integrity verified
✅ Meets enterprise security policies for managed devices
Create a configuration profile:
Upload to MDM:
Navigate to Configuration Profiles section
Upload the
.plistconfigurationAssign to target device groups
For Windows (Intune, ManageEngine)
Download the installer:
Contact Akto Support to get
akto-mcp-endpoint-shield.msiUpload to your MDM software repository
Create installation script:
Configure in Intune:
Go to Apps → Windows apps → Add
Select Line-of-business app
Upload the
.msifileAdd the PowerShell script as a post-install action
Assign to device groups
For Linux (Fleet, Canonical Landscape)
Download the installer:
Create deployment script:
Deploy via MDM:
Use your MDM's script execution capability
Schedule deployment to target device groups
Set execution frequency (one-time for new devices)
Step 2: Configure Auto-Discovery Settings
The agent will automatically discover and protect MCP servers. However, you can customize behavior via MDM-managed configuration files.
Create Custom Policy File
Location: /etc/akto-mcp-endpoint-shield/policy.json (Linux/macOS) or C:\ProgramData\Akto\mcp-endpoint-shield\policy.json (Windows)
Example policy:
Deploy Policy via MDM
For Jamf:
For Intune:
Create a Device Configuration Profile
Use Custom Settings for file deployment
Upload
policy.jsonto target path
Step 3: Deploy to Target Devices
Scope Configuration
Define device groups:
Engineering_Developers → Full deployment with auto-wrap enabled
Security_Team → Deployment with audit mode enabled
Contractors → Strict blocking mode with limited allowlist
Example Jamf Smart Group:
Deployment Schedule
Staged rollout recommended:
Pilot group (10-20 users) → Week 1
Early adopters (100 users) → Week 2
Full deployment → Week 3+
Installation Command Examples
Jamf:
Intune:
Fleet:
Step 4: Verify Deployment Status
Check Installation via MDM Console
Navigate to Computers → Inventory
Search for application:
Akto MCP Endpoint ShieldView Installation Status and Version
Go to Apps → All apps →
Akto MCP Endpoint ShieldCheck Device install status
Review Installation errors if any
Automated Health Check Script
Deploy this script via MDM to verify installation:
Schedule in MDM:
Frequency: Daily
Remediation: Auto-restart service if failed
Alerting: Notify security team on repeated failures
Step 5: Monitor and Maintain
Centralized Logging
Configure log forwarding to SIEM:
For Splunk:
For Azure Sentinel:
Update Management
Automatic updates via MDM:
Jamf Patch Management:
Subscribe to Akto MCP Shield patch definition
Set auto-update policy: Install updates within 7 days
Test updates on pilot group first
Intune Update Ring:
Compliance Reporting
Key metrics to track:
Installation success rate (target: >95%)
Agent uptime (target: >99%)
Policy violations detected per device
Blocked threats count
Configuration drift incidents
View in Akto Dashboard:
Navigate to MCP Shield → Enterprise Console
Filter by MDM deployment group
Export compliance reports for audits
🔍 Auto-Detection
Akto MCP Endpoint Shield automatically detects MCP client configurations:
Cursor → Reads
~/.cursor/mcp.jsonVisual Studio Code → Reads
.vscode/mcp.jsoninside your workspaceClaude Desktop → Reads Claude’s MCP config JSON
For each detected MCP server config:
The JSON file is parsed.
Each server entry is automatically wrapped with Akto MCP Endpoint Shield.
Your MCP clients transparently run through the shield without requiring manual reconfiguration.
👉 You don’t need to manually edit your MCP config files — the wrapper handles this for you.
📄 Example — Cursor mcp.json
Original file (before wrapping):
Automatically wrapped file (after Akto MCP Endpoint Shield):
What changed:
mcp-endpoint-shieldis now the entry command.Original server command (
npx -y chrome-devtools-mcp@latest) is passed through--exec.
🔧 Manual Setup
Follow these steps to manually set up and run MCP Endpoint Shield to protect your MCP servers.
Prerequisites
You have the
mcp-endpoint-shieldbinary availableYou have an Akto API token
uninstall MCP Endpoint Shield if installed previously using installers
Start the Agent
The agent automatically discovers and protects your MCP servers.
Expected output:
Keep this terminal running. The agent will:
Find your MCP configuration files (Cursor, VS Code, Claude Desktop)
Wrap your MCP servers with security
Sync security policies from Akto backend
Watch for changes and auto-update configs
Protecting Local MCP Servers (STDIO)
Let the Agent Wrap It (Recommended)
If the agent is running (Step 2), it will automatically detect and wrap your config. Your MCP configuration will be automatically modified to route through the security shield.
Example transformation:
Before:
After (automatic):
Restart your MCP client (Cursor/VS Code) to apply changes.
Manual Wrapping (If Not Using Agent)
If you're not running the agent, manually edit your MCP config file (e.g., ~/.cursor/mcp.json):
Before:
After:
Key changes:
Change
commandto the full path ofmcp-endpoint-shieldAdd
"stdio", "--name", "<server-name>", "--akto-api-token", "<your-token>", "--exec"to the start ofargsPlace the original command (
npx) and arguments (-y,chrome-devtools) after--exec
Restart your MCP client to apply changes.
Protecting Remote MCP Servers (HTTP)
For HTTP-based MCP servers, run the HTTP proxy in a new terminal:
Expected output:
Keep this terminal running.
Note: The proxy runs on port 57294 by default.
Configure Your Remote MCP Server
Original config (direct connection to remote server):
Protected config (route through proxy):
Key changes:
Change
urltohttp://localhost:57294/mcp/streamableKeep your existing
Authorizationheader (or any other headers)Add new header
mcp-server-base-urlwith the original remote server URL
The proxy will:
Receive requests at
http://localhost:57294/mcp/streamableRead the
mcp-server-base-urlheader to know where to forwardApply security policies
Forward to your actual remote MCP server
Return the response back to your client
Restart your MCP client to apply changes.
Verify Everything is Working
Check Agent Status
Look at the agent terminal - you should see:
No errors means it's working!
Check HTTP Proxy Status
Look at the proxy terminal:
Test Your MCP Server
Open your MCP client (Cursor, VS Code, Claude Desktop) and try using your wrapped MCP server. It should work normally, but now with security protection.
⚙️ Common Flags
--name <project_name>→ Friendly label used in logs and insights--akto-api-token <token>→ Your Akto API token--exec <command> [args...]→ Command to start your MCP server--env KEY=VALUE(repeatable) → Pass additional environment variables to the MCP process
Quick Command Reference
Terminal 1 - Agent:
Terminal 2 - HTTP Proxy:
Get Help:
This protects:
STDIO servers (like
npx -y chrome-devtools) via agentHTTP servers (remote MCP servers) via proxy
🔐 Enterprise Best Practices for MDM Deployments
1. Token Management
Use dedicated service accounts for API tokens
Rotate tokens every 90 days via automated scripts
Store tokens in MDM secrets vault (e.g., Azure Key Vault, AWS Secrets Manager)
Never hardcode tokens in configuration files
2. Network Considerations
Allow outbound HTTPS to
*.akto.ioon port 443Whitelist proxy settings if using corporate proxy
Configure firewall rules for HTTP proxy (port 57294)
Use VPN for remote workers
3. User Communication
Pre-deployment announcement explaining the security enhancement
Documentation with FAQs and support contact
Training sessions for power users
Feedback channel for reporting issues
4. Rollback Strategy
Keep previous version available in MDM repository
Test rollback procedure on pilot devices
Document rollback steps for IT helpdesk
Monitor for issues during first 48 hours post-deployment
5. Compliance & Auditing
Enable comprehensive logging (audit mode initially)
Integrate with SIEM for security monitoring
Schedule regular compliance reviews (monthly)
Document security incidents and response actions
🧩 Troubleshooting
Issue: AKTO_API_TOKEN is not set ➡ Cause: Environment variable not configured. ➡ Fix: Set the token with export AKTO_API_TOKEN="your-token" and verify with echo $AKTO_API_TOKEN.
Issue: Port already in use (HTTP Proxy) ➡ Cause: Port 57294 is already being used by another process. ➡ Fix 1: Find and kill the process with lsof -i :57294 and kill -9 PID. ➡ Fix 2: Use a different port with ./mcp-endpoint-shield http --port 8080 and update your config.
Issue: MCP server not working after wrapping ➡ Cause: Multiple possible causes. ➡ Fix:
Restart your MCP client,
Verify binary path with
which mcp-endpoint-shield,Check logs at
~/.akto-mcp-endpoint-shield/logs/or/var/log/akto-mcp-endpoint-shield/(if installed using installer)Test original command works standalone.
Issue: permission denied: ./mcp-endpoint-shield ➡ Cause: Binary doesn't have execute permissions. ➡ Fix: Run chmod +x ./mcp-endpoint-shield.
Issue: command not found: mcp-endpoint-shield ➡ Cause: Binary not in PATH or wrong path used. ➡ Fix: Use full path (./mcp-endpoint-shield or /usr/local/bin/mcp-endpoint-shield) or add to PATH with export PATH=$PATH:/path/to/binary/directory.
🔒 Guarantees
✅ Transparency: Safe traffic is never altered.
✅ Clarity: Unsafe traffic always results in a clear JSON-RPC error.
✅ Minimal footprint: Designed to stay invisible unless an issue occurs.
Get Support
There are multiple ways to request support from Akto. We are 24X7 available on the following:
In-app
intercomsupport. Message us with your query on intercom in Akto dashboard and someone will reply.Join our discord channel for community support.
Contact
[email protected]for email support.Contact us here.
Last updated