Ctrlk
Portal

macOS MDM Deployment

Deploy We360.ai macOS agent via MDM — Jamf, Mosyle, Kandji, Hexnode, Addigy, and SimpleMDM setup for mass endpoint monitoring.

The MyZen macOS installer is distributed as a standard .pkg file, which can be deployed through any MDM that supports macOS package distribution. This guide covers deployment steps, PPPC configuration profiles, and background items management for each supported MDM platform.

App & Team Identifiers

Apple Developer Team ID: 5KPT5U8WVR (Zenstack Private Limited)

Bundle Identifiers:

Variant
Bundle ID
Install Path

Standard

ai.we360.MyZenV2

/Applications/MyZenV2.app

Stealth

ai.zs.zs

/usr/local/zs/zs.app

Code Requirement (Stealth):

identifier "ai.zs.zs" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "5KPT5U8WVR"

To extract the code requirement yourself, run on a Mac with the app installed:

codesign -dr - /usr/local/zs/zs.app    # Stealth
codesign -dr - /Applications/MyZenV2.app # Standard

Important Points for Stealth App Install

Do not rename the stealth installer file. The stealth installer filename is tied to your organization's license. Renaming it, or allowing extra characters to be appended (e.g. (1) or (2) from duplicate downloads), will cause the installation to fail.

If you're having issues with the Stealth App installation, with install please check the /tmp/zs-postinstall.log . If the PACKAGE_PATH variable in the first few lines does not match the package file name as downloaded from portal, you will require a pre-install script to run on the machine before the package can be installed, as our unique package name contains your tenant/org's license details.

The following preinstall script should work:

#!/bin/sh
basename "<pkg_file_name>" .pkg | base64 --decode | tee /Library/Preferences/zs.json

If your MDM does not support pre-install scripts, please contact our support team for a custom installer. (Not all custom installer requests may be approved)

Restart may be required after MDM install. When installing via MDM, by default our installer tries to start the apps immediately via launchctl. This should not fail unless there's some MDM or OS level controls blocking this. A logout/login or system restart may be required to circumvent such scenarios.

macOS Permissions

MyZen requires several macOS privacy permissions. How they are granted depends on whether you use an MDM with PPPC support.

With MDM (PPPC profile):

  • Accessibility — can be pre-approved via a PPPC configuration profile.

  • Browser URL Reading (AppleEvents/Automation) — can be pre-approved via PPPC per browser. If not granted via PPPC, the user will be prompted to allow browser URL access the first time a browser is used.

  • Screen Recording (Optional)cannot be approved via any MDM. Apple does not allow Screen Recording to be granted programmatically. The end user must approve this manually.

Without MDM:

  • All permissions will prompt the user at first use.

After granting Screen Recording permission, the user must perform a logout/login or restart the MyZen/zs app for the permission to take effect.

Configuration Profiles

Three .mobileconfig profiles are provided for MDM deployment. Deploy these before installing the agent PKG.

Profile
Filename
Purpose

PPPC (Privacy Preferences)

zs-pppc.mobileconfig

Pre-approves Accessibility, simplifies Screen Recording prompt, and grants browser Automation (AppleEvents) for URL reading

Background Items

zs-background-items.mobileconfig

Suppresses "Background Items Added" notification and prevents users from disabling ZS services (macOS 13+)

Screen Capture (standalone)

zs-screen-capture.mobileconfig

Standalone Screen Recording PPPC entry — use if you deploy screen capture permissions separately

PPPC profiles must be delivered via MDM. Manually installed .mobileconfig files (double-clicked by users) cannot grant TCC permissions — macOS may ignore TCC payloads from user-installed profiles for security reasons.

Background Items (macOS 13+)

Starting with macOS 13 Ventura, macOS shows a "Background Items Added" notification when an application installs LaunchAgents or LaunchDaemons. Users can disable these from System Settings > General > Login Items & Extensions. The background items profile prevents this.

Managed background items for MyZen:

Mode
Launch Agent Label
Updater Daemon Label

Standard

ai.we360.MyZenV2

ai.we360.MyZenV2-updater

Stealth

ai.zs.zs

ai.zs.zs-updater

The provided profile uses a TeamIdentifier rule (5KPT5U8WVR) which covers all current and future LaunchAgents/Daemons signed by Zenstack.

Install Locations

MDM administrators may need these paths for configuration profiles, detection rules, or post-install scripts.

Item
Standard App Path
Stealth App Path

Application

/Applications/MyZenV2.app

/usr/local/zs/zs.app

Launch Agent

/Library/LaunchAgents/ai.we360.MyZenV2.plist

/Library/LaunchAgents/ai.zs.zs.plist

Updater Daemon

/Library/LaunchDaemons/ai.we360.MyZenV2-updater.plist

/Library/LaunchDaemons/ai.zs.zs-updater.plist

Config file

-

/Library/Preferences/zs.json

Install logs

/tmp/MyZenV2-*.log

/tmp/zs-*.log

General Deployment Sequence

Regardless of which MDM you use, follow this order:

  1. Deploy the PPPC profile (zs-pppc.mobileconfig) to target devices.

  2. Deploy the Background Items profile (zs-background-items.mobileconfig) to target devices.

  3. Upload and deploy the MyZen .pkg installer.

  4. Instruct end users to grant Screen Recording permission when prompted, then logout/login.

  5. Verify the agent appears online in the We360.ai dashboard.

Note: The PKG is signed by Zenstack Private Limited (Team ID 5KPT5U8WVR). You may need to add this to your allowed developers list.

MDM Platform Guides

Jamf Pro

PKG Upload & Deployment

  1. Log in to Jamf Pro (your-instance.jamfcloud.com).

  2. Navigate to Settings > Computer Management > Packages.

  3. Click New to create a new package entry.

  4. Upload the MyZen .pkg file.

  5. Set a Display Name (e.g., "MyZenV2 Stealth").

  6. Click Save.

  7. Navigate to Computers > Policies and click New.

  8. Configure the General payload:

    • Display Name: e.g., "Deploy MyZenV2"

    • Trigger: Recurring Check-in (or Enrollment Complete for new devices)

    • Execution Frequency: Once per computer

  9. Click the Packages payload and click Configure.

  10. Select the uploaded PKG and set the Action to Install.

  11. Click the Scope tab and add target computers or smart/static groups.

  12. Click Save.

PPPC Profile Deployment

Option A — Built-in PPPC builder:

  1. Navigate to Computers > Configuration Profiles.

  2. Click New.

  3. Set a Name (e.g., "ZS App Permissions").

  4. In the left sidebar, click Privacy Preferences Policy Control.

  5. Click Add (+).

  6. Fill in the fields:

    • Identifier: ai.zs.zs

    • Identifier Type: Bundle ID

    • Code Requirement: paste from codesign -dr - output

    • Static Code: No

  7. Under App or Service, click Add:

    • Select Accessibility and set to Allow.

  8. Repeat for additional permissions (AppleEvents for each browser).

  9. Scope to target computers and Save.

Option B — Upload pre-built profile:

  1. Navigate to Computers > Configuration Profiles > Upload.

  2. Upload zs-pppc.mobileconfig.

  3. Scope to target computers and Save.

Background Items

  1. Navigate to Computers > Configuration Profiles > New.

  2. Upload zs-background-items.mobileconfig (or use Managed Background Items payload in Jamf Pro 10.44+).

  3. Scope and Save.

Verification

  1. Navigate to Computers > Search Inventory and select a target device.

  2. Go to the Configuration Profiles tab — confirm both PPPC and Background Items profiles are installed.

  3. Go to the Applications tab — confirm MyZenV2 or zs.app is listed.

  4. Ask the end user to logout/login or restart.

  5. Verify the endpoint appears online in the We360.ai dashboard at portal.we360.ai.

Jamf Pro preserves the original PKG filename during distribution. Stealth deployments work without issues.

Jamf Now

PKG Upload & Deployment

  1. Log in to Jamf Now (your-instance.jamfnow.com).

  2. In the left sidebar, click Apps.

  3. Click Add an App and select the Upload Your App tab.

  4. Drag and drop the MyZen .pkg file, or click browse to select it.

  5. Jamf Now will process the file and show a Review Your App dialog.

  6. Verify the App Name (e.g., "zs") and the Bundle ID are correct.

  7. Click Done to finish the upload.

  8. Navigate to Blueprints and select the target Blueprint.

  9. Go to the Apps section and add the uploaded app.

  10. Click Save Blueprint.

  11. Devices assigned to this Blueprint will receive the app at next check-in.

PPPC Profile Deployment

  1. Navigate to Blueprints > target Blueprint.

  2. Go to the Custom Profiles section.

  3. Click Upload and select zs-pppc.mobileconfig.

  4. Click Save Blueprint.

Jamf Now does not have a built-in PPPC profile builder. You must upload a pre-built .mobileconfig file. The profiles provided in this guide are ready to use.

Filename renaming concern: Jamf Now may rename the uploaded PKG to app.pkg during distribution. This breaks MyZen's stealth licensing (which is encoded in the filename). Please request a custom stealth installer from our team. If unavailable, request our team for stealth config zs.json file, which has to be placed in /Library/Preferences/zs.json

Background Items

Upload zs-background-items.mobileconfig via the Custom Profiles section (same process as PPPC).

Verification

  1. Navigate to Blueprints and select the target Blueprint.

  2. Check the Devices section — confirm the device appears and app is installed.

  3. Ask the end user to logout/login or restart.

  4. Verify the endpoint appears online in the We360.ai dashboard at portal.we360.ai.

Limitations

  • Custom Apps and Custom Profiles require the Jamf Now Plus plan.

  • No Smart Groups or conditional logic — only static Blueprint assignments.

  • Limited troubleshooting and logging compared to Jamf Pro.

Addigy

PKG Upload & Deployment

  1. Log in to Addigy (app.addigy.com).

  2. Navigate to Catalog > Software.

  3. Click New to create a new software item.

  4. Upload the MyZen .pkg file.

  5. Addigy auto-generates an _install.sh script. Review it — typically no changes are needed.

  6. Optionally configure a Condition to control when the install runs (e.g., only if the app is not already installed).

  7. Click Save.

  8. Navigate to Policies and select the target Policy.

  9. Add the software item to the Policy's Catalog.

  10. Devices in that Policy will receive the software.

PPPC Profile Deployment

Option A — Built-in profile builder:

  1. Navigate to Catalog > MDM Profiles.

  2. Click New to create a new profile.

  3. Select Privacy Preferences Policy Control payload.

  4. Configure the fields as described in the Identifiers section above.

  5. Click Save and add to target Policy.

Option B — Upload custom profile:

  1. Navigate to Catalog > MDM Profiles > Custom Profile.

  2. Upload zs-pppc.mobileconfig.

  3. Add to target Policy.

Background Items

Navigate to Catalog > MDM Profiles and use the Service Management - Managed Background Items payload, or upload zs-background-items.mobileconfig as a custom profile.

Addigy uses an agent-based architecture for software installs and MDM for profiles. Profile deployment may be slightly slower than software deployment. Addigy preserves the original PKG filename.

Mosyle Business

PKG Upload & Deployment

  1. Log in to Mosyle Business (business.mosyle.com).

  2. Navigate to Management (bottom navigation).

  3. Select Install App.

  4. Click Add new profile (top-right).

  5. Choose macOS as the platform.

  6. Select Enterprise App (not App Store).

  7. Choose Upload a PKG file as the source.

  8. Upload the MyZen .pkg file.

  9. Configure:

    • Installation type: "Install and keep" or "Install once"

    • Assignment: Scope to specific users, devices, or groups.

  10. Click Save.

PPPC Profile Deployment

Option A — Built-in builder:

  1. Navigate to Management.

  2. Select Privacy & Security > Privacy Preferences.

  3. Click Add new profile.

  4. Configure with the identifiers and code requirements above.

  5. Scope and Save.

Option B — Custom profile upload:

  1. Navigate to Management > Custom MDM Profiles.

  2. Upload zs-pppc.mobileconfig.

  3. Scope and Save.

Background Items

Use the Managed Background Items profile under the macOS 13+ management section, or upload zs-background-items.mobileconfig as a custom profile.

MyZen is a custom app — use the Enterprise App path, not "Auto Apps." Ensure the Package Identifier matches exactly to avoid reinstallation loops.

Kandji

PKG Upload & Deployment

  1. Log in to Kandji (your-tenant.kandji.io).

  2. Navigate to Library.

  3. Click Add New and select Custom App.

  4. Upload the MyZen .pkg file.

  5. Configure:

    • Install Type: "Install once per device" or "Continuously enforce"

    • Audit Script (optional):

  6. Click Save.

  7. Navigate to Blueprints and add the Custom App to the target Blueprint.

PPPC Profile Deployment

Option A — Native PPPC builder:

  1. Navigate to Library.

  2. Click Add New and select Privacy Preferences.

  3. Configure with identifiers and code requirements above.

  4. Toggle Accessibility to Allow.

  5. Click Save and add to target Blueprint.

Option B — Custom profile upload:

  1. Navigate to Library > Add New > Custom Profile.

  2. Upload zs-pppc.mobileconfig.

  3. Add to target Blueprint.

Background Items

Use the dedicated Managed Background Items library item. Kandji provides a UI to configure rules by label, bundle ID, or team ID. Add Team ID 5KPT5U8WVR.

Kandji's "Continuously enforce" mode will reinstall the app if the audit script fails — useful for ensuring the agent stays installed. Kandji preserves the original PKG filename.

Hexnode UEM

PKG Upload & Deployment

  1. Log in to Hexnode UEM (your-instance.hexnodemdm.com).

  2. Navigate to Apps > +Add Apps > Enterprise App.

  3. Select macOS as the platform.

  4. Upload the MyZen .pkg file.

  5. Provide a Name and optional description.

  6. Click Add.

  7. Navigate to Policies > New Policy (or edit an existing one).

  8. Go to macOS > App Management > Mandatory Apps.

  9. Select the uploaded app.

  10. Navigate to Policy Targets and assign to device groups.

  11. Click Save.

PPPC Profile Deployment

  1. Navigate to Policies > New Policy (or edit existing).

  2. Go to macOS > Security > Privacy Preferences.

  3. Click Configure.

  4. Add a new app entry:

    • Bundle Identifier: ai.zs.zs

    • Code Requirement: paste from codesign -dr - output

    • Permissions: Toggle Accessibility to Grant.

  5. Assign the policy to target devices/groups.

  6. Click Save.

Background Items

Use Policies > macOS > Security > Managed Background Items (Hexnode 7.8+).

Hexnode preserves the original PKG filename. PPPC profiles require the MDM channel (not the agent channel).

SimpleMDM

PKG Upload & Deployment

  1. Log in to SimpleMDM (a.simplemdm.com).

  2. Navigate to Apps in the left sidebar.

  3. Click Add App and choose Custom App (Enterprise App).

  4. Upload the MyZen .pkg file.

  5. Configure:

    • Name: e.g., "MyZenV2"

    • Deploy automatically: Toggle on if desired.

  6. Click Save.

  7. Navigate to Device Groups and assign the app.

PPPC Profile Deployment

Option A — Native PPPC builder:

  1. Navigate to Profiles in the left sidebar.

  2. Click Create Profile.

  3. Select Privacy Preferences payload.

  4. Configure with identifiers and code requirements above.

  5. Click Save and assign to a Device Group.

Option B — Custom profile upload:

  1. Navigate to Profiles > Create Profile > Custom.

  2. Upload zs-pppc.mobileconfig.

  3. Assign to a Device Group.

Background Items

Use Profiles > Create Profile > Managed Background Items, or upload zs-background-items.mobileconfig as a custom profile.

SimpleMDM preserves the original PKG filename. No Smart Groups — only static Device Group assignments.

ManageEngine Endpoint Central

ManageEngine Endpoint Central (formerly Desktop Central) is part of the Zoho ManageEngine suite and supports macOS MDM enrollment, app deployment, and configuration profiles.

Step 1 — Enroll macOS Devices

Before deploying apps or profiles, devices must be MDM-enrolled:

  1. Log in to ManageEngine Endpoint Central (cloud: endpointcentral.manageengine.com, or your on-premise URL).

  2. Navigate to MDM > Enrollment > Apple Enrollment.

  3. Ensure your Apple Push Notification (APNs) certificate is valid and uploaded.

  4. Choose an enrollment method:

    • Open Enrollment Link — share a URL with users to self-enroll.

    • Apple Business Manager (ABM) — for zero-touch automated enrollment.

    • Email Invitation — send enrollment invitations to users.

  5. Enrolled devices will appear under MDM > Inventory > Devices.

Step 2 — Deploy PPPC Profile (Before PKG)

Option A — Built-in macOS PPPC Policy (recommended):

ManageEngine Endpoint Central has a native macOS PPPC Policy builder under its configuration management:

  1. Navigate to Configuration > macOS PPPC Policy.

  2. Click Create Collection (or Add Configuration).

  3. Fill in:

    • Collection Name: e.g., "zen-apps-access-grants" (internal reference)

    • Description: "Allow permissions of Accessibility and per browser grants"

    • Category: macOS PPPC Policy

    • Platform: Mac

  4. Under the first app entry, configure the ZS agent:

    • Identifier: ai.zs.zs

    • Code sign requirement: identifier "ai.zs.zs" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "5KPT5U8WVR"

    • Static code validation: No

    • Allowed permissions: Accessibility

    • Other permissions: User Controlled

  5. Add browser entries for AppleEvents (URL reading). Click Add for each browser:

    • Google Chrome:

      • Identifier: com.google.Chrome

      • Code sign requirement: identifier "com.google.Chrome" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EQHXZ8M8AV

      • Static code validation: No

    • Safari:

      • Identifier: com.apple.Safari

      • Code sign requirement: identifier "com.apple.Safari" and anchor apple

      • Static code validation: No

  6. Click Save.

  7. Navigate to Targets and select the target scope (Remote Office, custom groups, or individual devices).

  8. Click Deploy / Associate.

  9. Check the Execution Status — devices should show "Succeeded" after next check-in.

Option B — Custom profile upload:

  1. Navigate to Configuration > Profiles & Policies > macOS.

  2. Click Create Profile and select Custom Configuration.

  3. Upload zs-pppc.mobileconfig.

  4. Click Save and associate with target groups/devices.

Step 3 — Deploy Background Items Profile

  1. Navigate to MDM > Configuration > Profiles & Policies.

  2. Click Create Profile and select macOS.

  3. Name: e.g., "ZS Background Items".

  4. Select Custom Configuration as the payload type.

  5. Upload zs-background-items.mobileconfig.

  6. Click Save.

  7. Associate with the same target groups/devices as the PPPC profile.

Step 4 — Upload and Deploy the PKG

ManageEngine renames uploaded PKG files internally. The stealth installer's filename contains the encoded license key, so a rename breaks installation. You must use a custom installation command that renames the file back to the original before running installer. See the installation command below.

  1. Navigate to Software Deployment > Packages > Add Package.

  2. Select Mac as the platform.

  3. Fill in:

    • Application Name: e.g., "zs-mac" (internal reference only)

    • Version: Current version (e.g., "4.x")

    • Vendor: ai.zs

    • Package License Type: Commercial

    • Path Type: "This computer (used across multiple remote offices)"

  4. Upload two files:

    • The MyZen .pkg installer (e.g., zs.pkg)

    • The uninstallation script (remove_myzenv2_Version3.sh) — download this from the We360.ai admin portal

  5. Set the Installation Command to rename the file back to its original name before installing:

    Replace <CUSTOM_INSTALLER_PREFIX> with the exact original filename of your stealth PKG (without the .pkg extension). This is the filename as downloaded from the We360.ai portal.

  6. Set the Uninstallation Command to:

  7. Click Save.

  8. Navigate to Software Deployment > Deploy and create a new deployment configuration.

  9. Select the package and target the same groups/devices as your profiles.

  10. Deploy.

5KB
manageengine-package-reference.pdf
PDF
Open
ManageEngine Endpoint Central — Package configuration reference (PDF)
39KB
manageengine-pppc-reference.pdf
PDF
Open
ManageEngine Endpoint Central — PPPC policy configuration reference (PDF)

Step 5 — Verify Deployment

  1. Navigate to MDM > Inventory > Devices and select a target device.

  2. Check the Profiles tab — both PPPC and Background Items profiles should show as Installed.

  3. Check the Apps tab — the MyZen app should show as Installed.

  4. Ask the end user to logout/login or restart for the agent to start.

  5. Verify the endpoint appears online in the We360.ai dashboard at portal.we360.ai.

Cloud vs. on-premise: ManageEngine Endpoint Central supports both cloud and on-premise deployments. The navigation paths above apply to both. Ensure your instance has the macOS MDM module enabled (it is a separately licensed module in some editions).

APNs certificate renewal: Your Apple Push Notification certificate must be renewed annually. If it expires, MDM communication with all macOS/iOS devices will break. Set a calendar reminder 30 days before expiration. Navigate to MDM > Enrollment > Apple Enrollment > APNs Certificate to check the expiry date.

Platform Comparison

Feature
Jamf Pro
Jamf Now
Addigy
Mosyle
Kandji
Hexnode
SimpleMDM
ManageEngine

PKG upload

Yes

Yes (Plus)

Yes

Yes

Yes

Yes

Yes

Yes

Preserves PKG filename

Yes

Verify

Yes

Yes

Yes

Yes

Yes

Yes

Native PPPC builder

Yes

No

Yes

Yes

Yes

Yes

Yes

Yes

Custom .mobileconfig upload

Yes

Yes (Plus)

Yes

Yes

Yes

Yes

Yes

Yes

Background Items Management

Yes

Via custom profile

Yes

Yes

Yes

Yes

Yes

Via custom profile

Smart Groups / conditional logic

Yes

No

Yes

Yes

Yes

Yes

No

Yes

Supported Browsers for AppleEvents (URL Reading)

The PPPC profile (zs-pppc.mobileconfig) includes AppleEvents entries for the following browsers. This allows MyZen to read the active browser URL without triggering an Automation permission prompt for the user.

If a browser used in your organization is not listed above, you can add an additional AppleEvents entry to the PPPC profile using the browser's bundle ID and code requirement. Run codesign -dr - /Applications/BrowserName.app to obtain the values.

PPPC Profile Contents

Below is the full content of the zs-pppc.mobileconfig file for reference:

zs-pppc.mobileconfig (click to expand)
zs-background-items.mobileconfig (click to expand)
zs-screen-capture.mobileconfig (click to expand)
PreviousMicrosoft Intune (Windows)NextDirect Link

Last updated

Was this helpful?