Mosyle MDM Deployment

Deploy MCP Endpoint Shield across your organization using a single script via Mosyle MDM.

Overview

MCP Endpoint Shield can be deployed enterprise-wide via Mosyle MDM (Mobile Device Management) for seamless, automated installation across your organization's macOS devices.

Why Use MDM Deployment?

MDM deployment provides significant advantages over manual installation:

  • Zero-touch deployment - Automatic installation at user login

  • Centralized management - Configure and monitor from a single Mosyle console

  • Consistent configuration - Ensure all devices have the same security posture

  • Automated updates - Push new versions across the organization

  • Compliance tracking - Monitor deployment status and coverage

Key Features of Mosyle Deployment

  • One script handles everything: downloads the installer, deploys the token, installs to each user's home directory, and starts services automatically

  • Runs at user sign-in: installs once per user, retries automatically if it fails

  • No PKG upload to Mosyle required: the script downloads the installer directly from a URL provided by Akto.

  • Minimal configuration: only 3 values to configure in the script

Prerequisites

Before deploying MCP Endpoint Shield via Mosyle, ensure you have the following:

1. Akto Credentials

  • AKTO_API_TOKEN: obtain from your Akto platform dashboard

  • AKTO_API_BASE_URL: your Akto instance URL (e.g. https://<account-id>-guardrails.akto.io)

2. Installer URL

  • PKG download URL: request this from Akto ([email protected]); Akto will provide a direct download URL for the installer

  • ⚠️ Important: Keep this URL confidential as it's tied to your organization

3. Mosyle Admin Access

Permissions to create/edit and manage:

  • Custom Commands

  • Device Group assignments

  • Execution results and logs

4. Device Enrolment

  • Target Macs must be enrolled and appear in your Mosyle dashboard

  • Devices must have internet connectivity to download the installer

  • Users must be able to log in to devices for installation to trigger

Deployment Process

Step 1: Prepare the Installation Script

1. Obtain credentials from Akto

Contact the Akto support team to request the following:

  • Installation Script: install.sh file.

  • Direct download URL for the installer (PKG_URL)

  • Confirmation of your AKTO_API_TOKEN

  • Your AKTO_API_BASE_URL

2. Configure the installation script

Open install.sh and fill in the CONFIG section at the top:

All other values (hook flags, wrap flags) can be left at their defaults or adjusted as needed.

Security Note

Step 2: Upload to Mosyle

1. Create Custom Command profile

  1. Log into your Mosyle Business console

  2. Navigate to Management → Custom Commands

  3. Click Add new profile

  4. Name it: Akto Endpoint Shield - Install

  5. Choose Category: Security (or create custom category)

2. Upload the script

  1. Click the Code tab

  2. Select code format: Shell Script (bash)

  3. Paste the entire contents of your configured install.sh file

  4. Review the pasted content for accuracy (verify CONFIG section is filled)

  5. Click Save

3. Configure execution settings

Click the Execution Settings tab and configure:

  • Execute command: Select "Immediately when saving the profile, upon assignment, or based on schedule or events"

  • Execution trigger: Tick "Every user sign-in" ✅

  • Schedule: "Only once (Event Required)" ✅

Why this configuration?

This combination runs the script on each user sign-in until it succeeds, then stops. If the download fails or no user is logged in, it retries automatically at the next sign-in.

The "only once" setting prevents repeated executions for the same user on the same device.

Leave all other options unchecked. Click Save to create the profile.

Step 3: Deploy to Devices

1. Add Profile Assignment Based on Your Preferences

  • Click + Add Assignment, choose users or devices, then select and confirm your assignment.

  • Save the Custom Commands.

The script will run the next time each assigned user signs in.

2. Monitor deployment

Go to Management → Custom Commands, select your profile, and click View Results to see execution status:

  • Success: Installation completed

  • Pending: Awaiting user sign-in

  • Failed: See troubleshooting section

Step 4: Verify Installation

Verify on target device

On a target Mac after the user has signed in, open Terminal and run:

Verification checklist

Updating Akto Endpoint Shield

  1. Request the updated installer URL from Akto ([email protected])

  2. Update PKG_URL in the script with the new URL

  3. Edit the script in Mosyle and save — Mosyle will re-run it on next sign-in

Force Upgrade:

Uninstall Script

To remove Akto Endpoint Shield from devices:

  1. In Mosyle → Custom Commands → Add new profile

  2. Paste the contents of uninstall.sh

  3. Name it: Akto Endpoint Shield - Uninstall

  4. Execution Settings:

    • Event: ✅ Every user sign-in (or trigger manually)

    • Schedule: ✅ Only once (Event Required)

  5. Assign to the target devices

Troubleshooting

Issue: Script shows "Failed" in Mosyle View Results

Symptoms: Custom Command status shows "Failed" or "Error"

Diagnostic command:

Common causes and solutions:

  • Issue: PKG_URL is empty or unreachable

    • Check: Look for URL errors in install log

    • Solution: Verify the URL provided by Akto is correctly pasted in CONFIG; test: curl -I $PKG_URL

  • Issue: AKTO_API_TOKEN is empty

    • Check: Search install log for "TOKEN"

    • Solution: Check the CONFIG section of the script has the token value

  • Issue: AKTO_API_BASE_URL is empty

    • Check: Search install log for "BASE_URL"

    • Solution: Check the CONFIG section of the script has the base URL value

  • Issue: No user logged in

    • Check: Check timestamp when script ran

    • Solution: Will retry automatically on next sign-in; no action needed
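
The empty-value causes listed above can be caught before the script is pasted into Mosyle. The following pre-upload check is an added example, not part of Akto's install.sh or documentation; it assumes the CONFIG values are plain shell assignments of the form NAME="value", and the function names config_value and check_config are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: pre-upload check for a configured install.sh.
# Assumption: CONFIG values are plain assignments such as PKG_URL="...".

# Print the value assigned to variable $1 in file $2 (last assignment wins).
# The file is only read as text; it is never sourced or executed.
config_value() {
  sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1 |
    sed -e 's/[[:space:]]\{1,\}#.*$//' -e 's/[[:space:]]*$//' \
        -e 's/^["'\'']//' -e 's/["'\'']$//'
}

# Print one FAIL line per problem and return non-zero if any were found.
# Only variable names are printed: the token and the installer URL are
# confidential and should not end up in terminal scrollback or logs.
check_config() (
  file=$1
  problems=0
  [ -r "$file" ] || { echo "FAIL cannot read $file"; exit 2; }
  for name in PKG_URL AKTO_API_TOKEN AKTO_API_BASE_URL; do
    value=$(config_value "$name" "$file")
    reason=
    if [ -z "$value" ]; then
      reason="is empty or missing"
    else
      case $name:$value in
        *'<'*|*'>'*) reason="still contains a <placeholder>" ;;
        PKG_URL:https://*|AKTO_API_BASE_URL:https://*) ;;
        PKG_URL:*|AKTO_API_BASE_URL:*) reason="is not an https:// URL" ;;
      esac
    fi
    if [ -n "$reason" ]; then
      echo "FAIL $name $reason"
      problems=$((problems + 1))
    fi
  done
  [ "$problems" -eq 0 ]
)

# Usage: bash preflight.sh /path/to/install.sh
if [ $# -gt 0 ]; then
  check_config "$1" && echo "OK all three CONFIG values are set"
fi
```

The check is offline only; reachability of the installer URL is still tested with the curl -I command from the list above.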

Issue: Services Not Running After Installation

Symptoms: launchctl list shows no Akto Endpoint Shield services

Solution - Manually load services:

Issue: Token Needs Updating After Installation

Symptoms: Services running but not authenticated; logs show "AKTO_API_TOKEN not configured"

Solution:

Edit the script in Mosyle with the new token. Then on the device:
