Setup — MDM deployment
Push one profile from your MDM and every managed device enrolls, trusts the tenant CA, and reports its AI apps — zero end-user action.
Download your profile
Generated for your tenant with a dedicated, revocable enrollment key embedded — no terminal, no API key to paste. Capture stays OFF until you enable a host on the Guard tab.
macOS profile (.mobileconfig)
The file embeds your tenant key — upload it straight to your MDM, don't email it around.
Just trying it out? Test on one machine — no MDM
The same agent, as a signed & notarized download you run yourself — no fleet, no IT. Install it, paste your tenant key in the app, and it starts reporting AI apps. Good for a single machine before you roll it out fleet-wide.
- Signed & Apple-notarized — opens cleanly, no Gatekeeper warning.
- One-time approval: macOS asks you to Allow the network extension in System Settings (the MDM profile is what makes that silent).
- Capture stays OFF — same default as the fleet path.
- Intel Macs & a direct Windows download are coming once those installers finish signing — use the MDM flow above for Windows today.
What the profile installs
Tenant CA trust
A per-tenant root CA, trusted fleet-wide via the universal cert-trust payload — works with any MDM, no SCEP.
System-extension allow
Pre-approves the Waxell network extension by Team ID, so it activates without a user prompt.
Managed config
The enrollment URL + tenant key + capture scope. The app reads it and configures the extension.
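Before the profile goes to the MDM it is worth reading back what it actually grants, since it carries a fleet-trusted root CA, a system-extension allow-list and a tenant secret in one file. The script below is an added example, not Waxell's code: it parses a .mobileconfig with plistlib and flags the points that matter for the three payloads above (a single DER root-CA payload; an extension allow-list limited to one Team ID and to NetworkExtension, with user overrides explicitly off; an https enrollment URL, a tenant key present, and no capture hosts pre-enabled). The Apple payload types and keys (com.apple.security.root, com.apple.system-extension-policy, AllowedTeamIdentifiers, AllowedSystemExtensionTypes, AllowUserOverrides, PayloadScope, PayloadRemovalDisallowed) are Apple's documented ones; the agent's managed-config payload type com.example.waxell.managed, its keys EnrollmentURL / TenantKey / CaptureHosts, the Team ID ABCDE12345 and the embedded sample profile are constructed placeholders, not the vendor's real values.

```python
"""Pre-flight check of a .mobileconfig before it is uploaded to an MDM.

Added example; not Waxell's code. The Apple payload types and keys are the
standard documented ones. The agent payload type, its keys, the Team ID and
the sample profile are constructed placeholders.
"""
import plistlib
import uuid

ROOT_CERT_PAYLOAD = "com.apple.security.root"                # Apple: root-CA trust
SYSEXT_POLICY_PAYLOAD = "com.apple.system-extension-policy"  # Apple: sysext allow-list
AGENT_CONFIG_PAYLOAD = "com.example.waxell.managed"          # ASSUMPTION: vendor payload type
PLACEHOLDER_TEAM_ID = "ABCDE12345"                           # ASSUMPTION: not the real Team ID

# Constructed stand-in for a DER-encoded root certificate (leading SEQUENCE
# tag only); enough for the structural check below, not a real certificate.
FAKE_DER_ROOT = b"\x30\x82\x01\x00" + b"\x00" * 256


def _payload(ptype, **content):
    """Wrap payload-specific keys with the common Payload* keys Apple requires."""
    base = {
        "PayloadType": ptype,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ptype}.{uuid.uuid4()}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
    }
    base.update(content)
    return base


def build_sample_profile(team_id=PLACEHOLDER_TEAM_ID, capture_hosts=(),
                         allow_user_overrides=False):
    """Constructed profile shaped like the three payloads the page describes."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadIdentifier": "com.example.waxell.enroll",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadRemovalDisallowed": True,
        "PayloadContent": [
            _payload(ROOT_CERT_PAYLOAD, PayloadContent=FAKE_DER_ROOT,
                     PayloadCertificateFileName="tenant-root.cer"),
            _payload(SYSEXT_POLICY_PAYLOAD,
                     AllowUserOverrides=allow_user_overrides,
                     AllowedTeamIdentifiers=[team_id],
                     AllowedSystemExtensionTypes={team_id: ["NetworkExtension"]}),
            _payload(AGENT_CONFIG_PAYLOAD,                   # hypothetical keys below
                     EnrollmentURL="https://enroll.example.invalid/v1",
                     TenantKey="wxk_constructed_sample_key",
                     CaptureHosts=list(capture_hosts)),
        ],
    }
    return plistlib.dumps(profile)


def check_profile(profile_bytes, expected_team_id):
    """Return a list of findings; an empty list means the profile is as expected."""
    findings = []
    profile = plistlib.loads(profile_bytes)
    if profile.get("PayloadScope") != "System":
        findings.append("profile is not System-scoped")
    if not profile.get("PayloadRemovalDisallowed", False):
        findings.append("PayloadRemovalDisallowed is false: users could remove the profile")

    by_type = {}
    for p in profile.get("PayloadContent", []):
        by_type.setdefault(p.get("PayloadType"), []).append(p)

    roots = by_type.get(ROOT_CERT_PAYLOAD, [])
    if len(roots) != 1:
        findings.append(f"expected one {ROOT_CERT_PAYLOAD} payload, found {len(roots)}")
    else:
        der = roots[0].get("PayloadContent", b"")
        if not isinstance(der, bytes) or not der.startswith(b"\x30"):
            findings.append("root CA payload is not DER (no leading SEQUENCE tag)")

    policies = by_type.get(SYSEXT_POLICY_PAYLOAD, [])
    if len(policies) != 1:
        findings.append(f"expected one {SYSEXT_POLICY_PAYLOAD} payload, found {len(policies)}")
    else:
        pol = policies[0]
        # Require an explicit false rather than relying on Apple's default.
        if pol.get("AllowUserOverrides") is not False:
            findings.append("AllowUserOverrides is not explicitly false: users could approve other extensions")
        if pol.get("AllowedTeamIdentifiers") != [expected_team_id]:
            findings.append(f"AllowedTeamIdentifiers is {pol.get('AllowedTeamIdentifiers')}, "
                            f"expected [{expected_team_id}] only")
        types = pol.get("AllowedSystemExtensionTypes", {}).get(expected_team_id, [])
        if types != ["NetworkExtension"]:
            findings.append(f"extension types for {expected_team_id} are {types}, "
                            "expected NetworkExtension only")

    configs = by_type.get(AGENT_CONFIG_PAYLOAD, [])
    if len(configs) != 1:
        findings.append(f"expected one {AGENT_CONFIG_PAYLOAD} payload, found {len(configs)}")
    else:
        cfg = configs[0]
        if not str(cfg.get("EnrollmentURL", "")).startswith("https://"):
            findings.append("EnrollmentURL is not https")
        if not cfg.get("TenantKey"):
            findings.append("TenantKey is missing; the device will not enroll")
        if cfg.get("CaptureHosts"):
            findings.append(f"capture pre-enabled for {cfg['CaptureHosts']}; default should be OFF")
    return findings


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_profile()
    for line in check_profile(data, PLACEHOLDER_TEAM_ID) or ["OK: profile matches expectations"]:
        print(line)
```

Run it as `python check_profile.py tenant.mobileconfig` against the downloaded file (with the payload type, keys and Team ID replaced by the real ones once you have them); with no argument it checks the constructed sample. A profile downloaded with ?hosts= set will trip the CaptureHosts finding, which is the point: that is the one case where interception is on from first boot, so it should be a deliberate choice.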
Deploy in 4 steps (Hexnode / Jamf / Kandji / Intune)
Download the profile (optionally with ?hosts=… to pre-enable capture).
Upload to your MDM
- Hexnode — Policies → macOS → Custom Configuration → upload the .mobileconfig
- Jamf Pro — Configuration Profiles → Upload → Custom Settings
- Intune — Devices → macOS → Configuration → Templates → Custom
- Kandji — Library → Add → Custom Profile
Deploy the agent + scope
Verify
Privacy & safety
- Interception is default-OFF — nothing is terminated until an admin enables capture per host on the Guard tab.
- TLS is terminated only for catalog AI hosts — never banking, health, or mail. That scoping is enforced by the extension's host catalog, not by the CA itself: a root trusted fleet-wide could sign for any name, which is why the profile and tenant key must be handled as secrets and the enrollment key revoked if they leak.
- Secrets & PII are DLP-redacted on-device — raw payloads never leave the machine.