Deploy BeProof using Kandji Library items and Auto Apps.
Prerequisites: Kandji tenant, macOS 14+ Apple Silicon fleet, signed PKG.
1. Import the app
Option A — Custom App (PKG)
- Library → Add Library Item → Custom Apps
- Upload
BeProofApp-macos.pkg(build via build_mdm_pkg.sh) - Set installation name BeProof
- Assign to Pilot Blueprint
Option B — DMG
Upload notarized BeProofApp-macos.dmg from AgAudit-releases if PKG repackaging is not required for pilot.
2. Privacy Preferences profile
- Library → Add Library Item → Profiles
- Use Privacy Preferences or upload signed com.beproof.app.pppc.mobileconfig
- Assign to Pilot Blueprint before app rollout
Customize Team ID and UUIDs per PPPC.md.
3. Org-policy overlay
- Library → Add Library Item → Audit & Compliance → Custom Script (or Files if using supported template)
- Run as Root, audit mode Once then Ongoing for drift correction
#!/bin/bash
set -euo pipefail
ORG_DIR="/Library/Application Support/BeProof"
SOURCE="/var/tmp/kandji/org-policy-overlay.json" # deploy file via separate Library item
install -d -m 755 "$ORG_DIR"
install -m 644 "$SOURCE" "$ORG_DIR/org-policy-overlay.json"Host customized org-policy-overlay.example.json as a Kandji File item pushed to /var/tmp/kandji/ or embed validated JSON in the script.
Required endpoint path:
/Library/Application Support/BeProof/org-policy-overlay.json4. Parameter validation
Add a Custom Script audit check (optional):
test -f "/Library/Application Support/BeProof/org-policy-overlay.json" || exit 1
/usr/local/bin/beproof evaluate-policy --format json 2>/dev/null | grep -q '"auditMode":"managed"' || exit 2Map exit codes in Kandji compliance reports.
5. Pilot checklist
- PPPC profile installed
- BeProofApp.app in
/Applications - Overlay at system path
-
beproof verify-installsucceeds - Export sample reviewed by security
See also: jamf.md (similar file-deploy patterns) · deploy README