Nightfall macOS Agent Deployment: JAMF MDM
This document explains the process of installing the Nightfall AI agent using JAMF.
The JAMF installation consists of the following steps.
Prerequisites
You are a Systems Administrator in Nightfall
You have administrator access to JAMF Pro
Target macOS devices are onboarded.
On your Nightfall console, navigate to https://app.nightfall.ai/endpoint and click the Download Package button on the top right corner of the page. Click Download Package for macOS and unpack the contents of the downloaded file.
To install the Nightfall agent in stealth mode (without notifying the end-user), see Install Nightfall AI Agent for MAC OS.
mdm_pre_installation_script.sh
The script is used by MDMs to ensure that a macOS machine is in a clean state before installing the Nightfall Agent. It wipes any existing Nightfall installation and prepares a clean environment for a new install, including:
Loading API keys
Rebuilding folders
Resetting launch daemons
NightfallAI_Profile_with_Browser_Extension.mobileconfig
This profile is designed to pre-authorize and enable what the Nightfall Endpoint Agent requires on a macOS machine without needing user prompts.
Silently installs/enables the Nightfall browser extension
Allows the extension to run without prompts
Authorizes required permissions (content inspection, file uploads, scanning)
Grants macOS Privacy Permissions required by Nightfall:
Full Disk Access (FDA)
System Events/Automation Permissions
Application Control Permissions
Configures the payloads for browser + system integration
Prevents users from tampering with the security controls
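An added example, not part of Nightfall's package or documentation: a Python check that lists what an unsigned .mobileconfig pre-authorizes (TCC grants, removal lock, payload types) so the profile can be reviewed before it is uploaded to Jamf. The sample profile, bundle identifiers and extension placeholder are constructed for illustration; the actual contents of Nightfall's profile are not shown on this page.

```python
import plistlib

# Payload type Apple uses for Privacy Preferences Policy Control (TCC) grants.
TCC_PAYLOAD = "com.apple.TCC.configuration-profile-policy"

# Constructed sample profile: identifiers are placeholders, not Nightfall's values.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.agent.profile",
    "PayloadRemovalDisallowed": True,
    "PayloadContent": [
        {"PayloadType": TCC_PAYLOAD, "Services": {
            "SystemPolicyAllFiles": [{   # Full Disk Access
                "Identifier": "com.example.agent", "IdentifierType": "bundleID",
                "CodeRequirement": 'identifier "com.example.agent" and anchor apple generic',
                "Allowed": True}],
            "AppleEvents": [{            # Automation of System Events
                "Identifier": "com.example.agent", "IdentifierType": "bundleID",
                "CodeRequirement": "", "Allowed": True,
                "AEReceiverIdentifier": "com.apple.systemevents"}],
        }},
        {"PayloadType": "com.google.Chrome",
         "ExtensionInstallForcelist": ["<extension-id-placeholder>"]},
    ],
})

def audit_profile(raw: bytes) -> dict:
    """Summarise what an unsigned .mobileconfig pre-authorises."""
    profile = plistlib.loads(raw)
    report = {"removal_disallowed": bool(profile.get("PayloadRemovalDisallowed", False)),
              "payload_types": [], "tcc_grants": [], "findings": []}
    for payload in profile.get("PayloadContent", []):
        report["payload_types"].append(payload.get("PayloadType"))
        if payload.get("PayloadType") != TCC_PAYLOAD:
            continue
        for service, entries in payload.get("Services", {}).items():
            for e in entries:
                # Older profiles use Allowed; newer ones use Authorization.
                if not e.get("Allowed", e.get("Authorization") == "Allow"):
                    continue
                ident = e.get("Identifier")
                report["tcc_grants"].append((service, ident, e.get("AEReceiverIdentifier")))
                # Without a code requirement the grant is not pinned to a signed binary.
                if not e.get("CodeRequirement"):
                    report["findings"].append(f"{service}: {ident} has no CodeRequirement")
    return report

if __name__ == "__main__":
    print(audit_profile(SAMPLE_PROFILE))
```

A signed profile is CMS-wrapped and has to be decoded to its plist form before this parser will accept it.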
Step 1 - Connect JAMF Pro to Nightfall (API-based MDM Onboarding)
This step enables automated mapping of user profiles to devices without requiring manual scripts.
API-based MDM onboarding allows Nightfall to automatically map the user email attribute to specific devices by syncing device inventory from your JAMF Pro instance.
What You'll Need from JAMF Pro
To connect JAMF Pro to Nightfall, you'll need:
Jamf Pro URL (for example: https://yourcompany.jamfcloud.com)
Client ID
Client Secret
The Jamf Pro API client must have permissions to read device and computer inventory.
Creating API Credentials in JAMF Pro
Log in to your JAMF Pro instance
Navigate to Settings > System > API Roles and Clients
Under the API Roles tab, click the + New button.
Configure the following:
Display Name: Nightfall API Role
Privileges: Grant access to:
Read Computer Inventory Collection
Read Mobile Device Inventory Collection
Read Computers
Click Save
Next, navigate to the API Clients tab and click the + New button.
Configure the following:
Display Name: Nightfall API Client
API roles: Select the newly created role.
Enable/disable API Client: Enable the API client.
Click Save
Copy the Client ID and Client Secret. You will need these in the next step.
Connecting JAMF Pro to Nightfall
Log in to the Nightfall Console at https://app.nightfall.ai
Navigate to Settings → MDM Profile
Click Add MDM
Select Jamf Pro from the list of supported MDM providers
Enter the following information:
Jamf Pro URL: Your JAMF instance URL (e.g., https://yourcompany.jamfcloud.com)
Client ID: The Client ID you created in JAMF Pro
Client Secret: The Client Secret you created in JAMF Pro
Click Connect
Nightfall will validate the credentials and begin syncing device information automatically.
Important: This API-based connection enables Nightfall to automatically map user email addresses to devices. You do not need to deploy any additional scripts for user-to-device mapping when using this method.
After Connection
Once connected, Nightfall will periodically sync device inventory from JAMF Pro. You can now proceed to deploy the Nightfall agent to your devices following the steps below.
Step 2 - Upload The Nightfall MDM Profile of your choice to Jamf Pro
In the downloaded folder, locate the README.md under /Profiles to learn about the various MDM profiles available.
Choose NightfallAI_Profile_with_Browser_Extensions.mobileconfig.
Log in to your Jamf Pro account.
Navigate to Computers > Configuration Profiles.
Click the Upload button.
Click the Upload button and upload NightfallAI_Profile_with_Browser_Extensions.mobileconfig.
In the Scope tab, add the target devices or device groups to which this profile should be deployed.
Click Save.
Once assigned, profiles will be automatically deployed as part of the next Jamf inventory cycle.
The MDM profile must be deployed on target machines before any additional payload. In Jamf, you can enforce this by creating a Smart Group that uses the presence of the profile created above as a prerequisite for any other payload targeting the group.
Step 3 - Upload and Add Pre-Installation Check Script
This script checks if the required profiles are installed and that the endpoint agent is at the desired version.
Unpack the zip file provided and locate the mdm_pre_install_check_script.sh file under the .\mdm_scripts\ folder
On Jamf Pro, navigate to Settings > Computer management > Scripts
Click the + New button.
Enter a display name for the script (e.g., "Nightfall AI Pre-Installation Check").
Click on the Script tab.
Paste the contents of mdm_pre_install_check_script.sh into the script editor.
Click Save.
Step 4 - Upload and Add the Pre-Installation Script
This script configures the target machine and prepares it to connect to your Nightfall instance once the package is deployed.
Locate the mdm_pre_installation_script.sh file under the .\mdm_scripts\ folder
On Jamf Pro, navigate to Settings > Computer management > Scripts
Click the New button.
Enter a display name for the script (e.g., "Nightfall AI Pre-Installation Script").
Click on the Script tab.
Paste the contents of mdm_pre_installation_script.sh into the script editor.
Click Save.
Step 6 - Create a Policy and Add scripts and package
Navigate to Computers > Policies.
Click the + New button.
Enter a display name for the policy (e.g., "Deploy Nightfall AI").
From the General tab, configure the Trigger and Execution Frequency as needed.
Click Package from the left pane & click on configure
Add Nightfall AI Agent package
Click on Scripts from the left pane & click on configure
Add Pre-Install Check Script and Pre-Install Script. Ensure the Priority is Before and the sequence is as follows (the scripts must be run once and in sequence to prepare the machine for the package install):
Pre-Install Check Script
Pre-Install Script
Click on Scope and determine the Target, Limitations, and Exclusions per need.
Click Save.
Frequently Asked Questions (FAQs)
Do I still need to install a Nightfall agent on devices after API-based onboarding?
Yes. API-based MDM onboarding enables Nightfall to map user email addresses to devices automatically. You still need to deploy the Nightfall agent to the devices using the steps above.
What permissions does Nightfall need in JAMF Pro?
Nightfall requires least privilege access to device inventory. It does not modify device settings or configurations. The user email to device attribution is automatically managed with API-based MDM onboarding and no manual scripts are needed.
What happens if API credentials expire or are revoked?
If credentials expire or are revoked:
Device syncing will stop. New devices added or removed will not be reflected in Nightfall during that time.
Nightfall will surface an error in the console.
You can re-authenticate or update credentials without reconfiguring policies.
Can I disconnect or change my MDM connection later?
Yes. Contact Nightfall Support to disconnect or update your MDM connection from Settings → MDM Profile.
Who should I contact if onboarding fails?
If you encounter issues:
Verify API credentials and permissions in JAMF Pro
Check the error message in the Nightfall console
Contact Nightfall Support for assistance