Documentation · MDM runbook

Kandji runbook

Managed deployment

Deploy BeProof using Kandji Library items and Auto Apps.

Prerequisites: Kandji tenant, macOS 14+ Apple Silicon fleet, signed PKG.


1. Import the app

Option A — Custom App (PKG)

  1. LibraryAdd Library ItemCustom Apps
  2. Upload BeProofApp-macos.pkg (build via build_mdm_pkg.sh)
  3. Set installation name BeProof
  4. Assign to Pilot Blueprint

Option B — DMG

Upload notarized BeProofApp-macos.dmg from AgAudit-releases if PKG repackaging is not required for pilot.


2. Privacy Preferences profile

  1. LibraryAdd Library ItemProfiles
  2. Use Privacy Preferences or upload signed com.beproof.app.pppc.mobileconfig
  3. Assign to Pilot Blueprint before app rollout

Customize Team ID and UUIDs per PPPC.md.


3. Org-policy overlay

  1. LibraryAdd Library ItemAudit & ComplianceCustom Script (or Files if using supported template)
  2. Run as Root, audit mode Once then Ongoing for drift correction
#!/bin/bash
set -euo pipefail
ORG_DIR="/Library/Application Support/BeProof"
SOURCE="/var/tmp/kandji/org-policy-overlay.json"  # deploy file via separate Library item
install -d -m 755 "$ORG_DIR"
install -m 644 "$SOURCE" "$ORG_DIR/org-policy-overlay.json"

Host customized org-policy-overlay.example.json as a Kandji File item pushed to /var/tmp/kandji/ or embed validated JSON in the script.

Required endpoint path:

/Library/Application Support/BeProof/org-policy-overlay.json

4. Parameter validation

Add a Custom Script audit check (optional):

test -f "/Library/Application Support/BeProof/org-policy-overlay.json" || exit 1
/usr/local/bin/beproof evaluate-policy --format json 2>/dev/null | grep -q '"auditMode":"managed"' || exit 2

Map exit codes in Kandji compliance reports.


5. Pilot checklist

  • PPPC profile installed
  • BeProofApp.app in /Applications
  • Overlay at system path
  • beproof verify-install succeeds
  • Export sample reviewed by security

See also: jamf.md (similar file-deploy patterns) · deploy README