# Nightfall macOS Agent Deployment: JAMF MDM

This document explains the process of installing the Nightfall AI agent using JAMF.

The JAMF installation consists of the following steps.

1. [Connect JAMF Pro to Nightfall (API-based MDM Onboarding)](#step-1-connect-jamf-pro-to-nightfall-api-based-mdm-onboarding)
2. [Upload and Add the Pre-Installation Check Script](#step-2-upload-and-add-pre-installation-check-script)
3. [Upload and Add the Pre-Installation Script](#step-3-upload-and-add-the-pre-installation-script)
4. [Upload the Nightfall MDM Profile to Jamf Pro](#step-4-profile)
5. [Upload the Nightfall App Package](#step-5-upload-the-nightfall-app-package)
6. [Create a Policy and Add Scripts and Package](#step-6-create-a-policy-and-add-scripts-and-package)

## **Prerequisites**

* You are a Systems Administrator in Nightfall.
* You have administrator access to Jamf Pro.
* The target macOS devices are enrolled in Jamf Pro.
* On your Nightfall console, navigate to <https://app.nightfall.ai/endpoint> and click the **Download Package** button in the top right corner of the page. Click **Download Package for macOS** and unpack the contents of the downloaded file.

{% hint style="info" %}
To install the Nightfall agent in stealth mode (without notifying the end user), see [#stealth-installation](https://help.nightfall.ai/data-exfiltration-prevention/exfiltration_endpoint/installation_mac/..#stealth-installation "mention").
{% endhint %}

The downloaded macOS package contains the files used in the steps below.

**`mdm_scripts/mdm_pre_install_check_script.sh`**

Checks that the required configuration profiles are installed and that the endpoint agent is at the desired version (Step 2).

**`mdm_scripts/mdm_pre_installation_script.sh`**

Used by MDMs to ensure that a macOS machine is in a clean state before the Nightfall Agent is installed. It wipes any existing Nightfall installation and prepares a clean environment for a new install, including:

* Loading API keys
* Rebuilding folders
* Resetting launch daemons

**`Profiles/NightfallAI_Profile_with_Browser_Extension.mobileconfig`**

This profile pre-authorizes and enables everything the Nightfall Endpoint Agent requires on a macOS machine, without user prompts. The README in the same folder describes the other profile variants. This profile:

* Silently installs and enables the Nightfall browser extension
* Allows the extension to run without prompts
* Authorizes the required permissions (content inspection, file uploads, scanning)
* Grants the macOS Privacy permissions Nightfall needs:
  * Full Disk Access (FDA)
  * System Events/Automation permissions
  * Application Control permissions
* Configures the payloads for browser and system integration
* Prevents users from tampering with the security controls

**`nightfall-ai-agent-signed.pkg`**

The signed Nightfall agent installer that Jamf deploys (Step 5).

{% stepper %}
{% step %}

## **Step 1 -** Connect JAMF Pro to Nightfall (API-based MDM Onboarding)

**This step enables automated mapping of user profiles to devices without requiring manual scripts.**

API-based MDM onboarding allows Nightfall to automatically map the user email attribute to specific devices by syncing device inventory from your JAMF Pro instance.

#### What You'll Need from JAMF Pro

To connect JAMF Pro to Nightfall, you'll need:

* **Jamf Pro URL** (for example: `https://yourcompany.jamfcloud.com`)
* **Client ID**
* **Client Secret**

The Jamf Pro API client must have permissions to read device and computer inventory.

#### Creating API Credentials in JAMF Pro

1. Log in to your JAMF Pro instance.
2. Navigate to **Settings** > **System** > **API Roles and Clients**.
3. Under the **API Roles** tab, click **+ New** and configure the following:
   * **Display Name**: `Nightfall API Role`
   * **Privileges**: grant only the following:
     * Read Computer Inventory Collection
     * Read Mobile Device Inventory Collection
     * Read Computers
4. Click **Save**.
5. Under the **API Clients** tab, click **+ New** and configure the following:
   * **Display Name**: `Nightfall API Client`
   * **API roles**: select the `Nightfall API Role` you just created.
   * **Enable/disable API Client**: enable the API client.
6. Click **Save**.
7. Generate a client secret, then copy the **Client ID** and **Client Secret**. You will need them in the next step. Jamf Pro displays the client secret only once, and generating a new one invalidates the old, so store it in a secrets manager rather than in a ticket or chat message.
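Before handing the Client ID and Client Secret to Nightfall, it is worth confirming that the client authenticates and can read inventory with exactly the privileges above. The script below is an added example, not Nightfall's or Jamf's code. It uses the documented Jamf Pro API endpoints (`POST /api/oauth/token` with the client-credentials grant, `GET /api/v1/computers-inventory`, and `POST /api/v1/auth/invalidate-token`); the argument convention and the small JSON helpers are this example's own, and the helpers assume the flat response bodies those endpoints return.

```shell
#!/bin/bash
# Added example (not Nightfall's or Jamf's code): smoke-test the Jamf Pro API
# client from Step 1 before its secret is handed to Nightfall.
# Usage: ./check_jamf_client.sh https://yourcompany.jamfcloud.com CLIENT_ID CLIENT_SECRET
# Endpoints are the documented Jamf Pro API; the argument convention and the
# JSON helpers are hypothetical and assume the flat responses these endpoints return.
set -eu

# Pull a string-valued field out of JSON on stdin (enough for token responses,
# not a general JSON parser). Prints nothing if the field is absent.
json_string_field() {
  sed -E -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"([^\"]*)\".*/\1/p"
}

# Same for integer-valued fields such as expires_in or totalCount.
json_int_field() {
  sed -E -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*([0-9]+).*/\1/p"
}

# Strip one trailing slash so API paths can be appended safely.
normalize_url() {
  printf '%s' "${1%/}"
}

# Client-credentials grant: prints the raw token response body.
jamf_token_response() {
  curl -sS -X POST "$(normalize_url "$1")/api/oauth/token" \
    -H 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode "client_id=$2" \
    --data-urlencode "client_secret=$3" \
    --data-urlencode 'grant_type=client_credentials'
}

# Read one page of computer inventory; a totalCount in the reply shows the
# Read Computers / Read Computer Inventory Collection privileges are in place.
jamf_computer_count() {
  curl -sS "$(normalize_url "$1")/api/v1/computers-inventory?page=0&page-size=1" \
    -H "Authorization: Bearer $2" -H 'Accept: application/json' \
    | json_int_field totalCount
}

# A token minted for a test should not linger; this endpoint revokes it.
jamf_invalidate_token() {
  curl -sS -o /dev/null -X POST "$(normalize_url "$1")/api/v1/auth/invalidate-token" \
    -H "Authorization: Bearer $2"
}

main() {
  local url id secret body token count
  url=$1; id=$2; secret=$3
  body=$(jamf_token_response "$url" "$id" "$secret")
  token=$(printf '%s' "$body" | json_string_field access_token)
  if [ -z "$token" ]; then
    # A revoked, disabled or mistyped client shows up here as an OAuth error body.
    echo "token request failed: $body" >&2
    return 1
  fi
  echo "token OK (expires in $(printf '%s' "$body" | json_int_field expires_in)s)"
  count=$(jamf_computer_count "$url" "$token")
  if [ -z "$count" ]; then
    echo "inventory read failed: check the role grants Read Computers and Read Computer Inventory Collection" >&2
    jamf_invalidate_token "$url" "$token"
    return 1
  fi
  echo "inventory read OK: $count computers visible to this client"
  jamf_invalidate_token "$url" "$token"
}

# Only touch the network when all three arguments are supplied; otherwise the
# file just defines the helpers so they can be sourced or tested offline.
if [ "$#" -eq 3 ]; then
  main "$@"
fi
```

Run it once with the freshly generated secret; a `401`/`invalid_client` body at the first step is what an expired or revoked credential looks like later (see the FAQ), and an empty count at the second step means the role is missing a Read privilege. The script deliberately never calls a write endpoint: the role is read-only by construction, and attempting writes against production inventory is not a sensible way to prove it.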

#### Connecting JAMF Pro to Nightfall

1. Log in to the **Nightfall Console** at <https://app.nightfall.ai>
2. Navigate to **Settings** > **MDM Profile**
3. Click **Add MDM**
4. Select **Jamf Pro** from the list of supported MDM providers
5. Enter the following information:
   * **Jamf Pro URL**: Your JAMF instance URL (e.g., `https://yourcompany.jamfcloud.com`)
   * **Client ID**: The Client ID you created in JAMF Pro
   * **Client Secret**: The Client Secret you created in JAMF Pro
6. Click **Connect**

Nightfall will validate the credentials and begin syncing device information automatically.

> **Important:** This API-based connection enables Nightfall to automatically map user email addresses to devices. You do not need to deploy any additional scripts for user-to-device mapping when using this method.

#### After Connection

Once connected, Nightfall will periodically sync device inventory from JAMF Pro. You can now proceed to deploy the Nightfall agent to your devices following the steps below.
{% endstep %}

{% step %}

## Step 2 - Upload and Add Pre-Installation Check Script

This script checks if the required profiles are installed and that the endpoint agent is at the desired version.

1. Unpack the zip file provided and locate the `mdm_pre_install_check_script.sh` file in the `./mdm_scripts/` folder.
2. On Jamf Pro, navigate to **Settings** > **Computer management** > **Scripts**
3. Click the **+ New** button.
4. Enter a display name for the script (e.g., "Nightfall AI Pre-Installation Check").
5. Click on the **Script** tab.
6. Paste the contents of `mdm_pre_install_check_script.sh` into the script editor.
7. Click **Save**.
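To make concrete what a check like this does on the endpoint, and how it relates to the "profile first" rule in the Step 4 note, here is an added example of a Jamf pre-install check. It is not Nightfall's `mdm_pre_install_check_script.sh`. It reads the profile identifier, target agent version and agent `Info.plist` path from Jamf script parameters `$4`, `$5` and `$6` (a hypothetical convention; the default identifier and app path are placeholders, so take the real values from the README shipped with the package), detects the profile with `profiles list -type configuration` and the installed version with `PlistBuddy`, both of which ship with macOS, and uses an exit-code convention of its own: 0 proceed, 1 profile missing, 2 agent already at or above the target version.

```shell
#!/bin/bash
# Added example (not Nightfall's mdm_pre_install_check_script.sh): a Jamf
# pre-install check that verifies the Nightfall configuration profile is
# installed and compares the installed agent version with the one being deployed.
# Jamf hands script parameters to $4 and up ($1-$3 are reserved).
# The parameters and defaults below are hypothetical; take the real profile
# identifier and app path from the README shipped with the Nightfall package.
set -eu

PROFILE_ID=${4:-"com.example.nightfall.profile"}                         # hypothetical
TARGET_VERSION=${5:-"0.0.0"}
AGENT_PLIST=${6:-"/Applications/Nightfall AI.app/Contents/Info.plist"}   # hypothetical path

# True if profile identifier $1 appears in `profiles list` output read on stdin.
# `profiles list -type configuration` (run as root, as Jamf does) prints one
# "_computerlevel[N] attribute: profileIdentifier: <id>" line per installed profile.
has_profile_id() {
  grep -q -- "profileIdentifier: $1\$"
}

# Dotted version compare, $1 >= $2. macOS sort has no -V, so compare per field;
# missing fields count as 0 and non-digits (e.g. "-beta") are ignored.
version_ge() {
  local i x y
  i=1
  while :; do
    x=$(printf '%s.' "$1" | cut -d. -f"$i")
    y=$(printf '%s.' "$2" | cut -d. -f"$i")
    if [ -z "$x" ] && [ -z "$y" ]; then
      return 0                               # ran out of fields: equal
    fi
    x=$(printf '%s' "$x" | tr -cd '0-9'); x=${x:-0}
    y=$(printf '%s' "$y" | tr -cd '0-9'); y=${y:-0}
    if [ "$x" -gt "$y" ]; then return 0; fi
    if [ "$x" -lt "$y" ]; then return 1; fi
    i=$((i + 1))
  done
}

# CFBundleShortVersionString of the installed agent, or empty if not installed.
installed_agent_version() {
  if [ -f "$1" ]; then
    /usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' "$1" 2>/dev/null || true
  fi
}

# The decision, kept free of side effects so it can be exercised off-box:
# $1 = profiles output, $2 = profile id, $3 = installed version, $4 = target.
# Returns 0 (proceed), 1 (profile missing), 2 (agent already at/above target).
check_state() {
  if ! printf '%s\n' "$1" | has_profile_id "$2"; then
    return 1
  fi
  if [ -n "$3" ] && version_ge "$3" "$4"; then
    return 2
  fi
  return 0
}

main() {
  local profiles_out installed rc
  profiles_out=$(/usr/bin/profiles list -type configuration 2>/dev/null || true)
  installed=$(installed_agent_version "$AGENT_PLIST")
  rc=0
  check_state "$profiles_out" "$PROFILE_ID" "$installed" "$TARGET_VERSION" || rc=$?
  case $rc in
    0) echo "profile $PROFILE_ID present; agent ${installed:-not installed}, proceeding to $TARGET_VERSION" ;;
    1) echo "profile $PROFILE_ID is not installed; deploy the configuration profile first" >&2 ;;
    2) echo "agent $installed is already at or above $TARGET_VERSION" ;;
  esac
  return "$rc"
}

# Jamf always passes at least three positional parameters (mount point,
# computer name, username), so run the live check only then; invoked bare,
# the file just defines the functions so they can be tested off a Mac.
if [ "$#" -ge 3 ]; then
  main
fi
```

Two caveats for anyone adapting this: Jamf records a non-zero exit as a failed script in the policy log but does not by itself stop later payloads in the same policy, so the Smart Group scoping recommended in the Step 4 note is still what actually keeps the package off machines without the profile; and the `profiles` output only includes computer-level profiles when the command runs as root, which is how Jamf runs policy scripts.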
{% endstep %}

{% step %}

## Step 3 - **Upload and Add the Pre-Installation Script**

This script configures the target machine and prepares it to connect to your Nightfall instance once the package is deployed.

1. Locate the `mdm_pre_installation_script.sh` file in the `./mdm_scripts/` folder.
2. On Jamf Pro, navigate to **Settings** > **Computer management** > **Scripts**
3. Click the **+ New** button.
4. Enter a display name for the script (e.g., "Nightfall AI Pre-Installation Script").
5. Click on the **Script** tab.
6. Paste the contents of `mdm_pre_installation_script.sh` into the script editor.
7. Click **Save**.
{% endstep %}

{% step %}

## **Step 4 - Upload The Nightfall MDM Profile of your choice to Jamf Pro** <a href="#step-4-profile" id="step-4-profile"></a>

1. In the downloaded folder, read the README.md under `/Profiles` to learn about the available MDM profiles, and choose `NightfallAI_Profile_with_Browser_Extensions.mobileconfig`.
2. Log in to your Jamf Pro account.
3. Navigate to **Computers** > **Configuration Profiles**.
4. Click the **Upload** button.
5. Select `NightfallAI_Profile_with_Browser_Extensions.mobileconfig` and click **Upload**.
6. In the **Scope** tab, add the target devices or device groups to which this profile should be deployed.
7. Click **Save**.

Once saved, the profile is pushed to the scoped devices over MDM at their next check-in.

{% hint style="danger" %}
The MDM profile must be installed on the target machines before any other payload is deployed. In Jamf, you can enforce this by creating a Smart Group whose criteria require the profile uploaded above to be installed (for example, with the **Profile Identifier** criterion) and scoping every other Nightfall payload to that group.
{% endhint %}
{% endstep %}

{% step %}

## Step 5 - **Upload the Nightfall App Package**

1. Navigate to **Settings** > **Computer management** > **Packages**
2. Click the **+** **New** button.
3. Enter a display name for the package (e.g., "Nightfall AI Agent").
4. Click the **Choose File** button and upload `nightfall-ai-agent-signed.pkg`.
5. Click **Save**.
{% endstep %}

{% step %}

## Step 6 - Create a **Policy and Add scripts and package**

1. Navigate to **Computers** > **Policies**.
2. Click the **+** **New** button.
3. Enter a display name for the policy (e.g., "Deploy Nightfall AI").
4. On the **General** tab, configure the **Trigger** and **Execution Frequency** as needed (for example, **Recurring Check-in** and **Once per computer**).
5. Select **Packages** in the left pane and click **Configure**.
6. Add the `Nightfall AI Agent` package.
7. Select **Scripts** in the left pane and click **Configure**.
8. Add the two scripts from Steps 2 and 3 and set **Priority** to `Before` for both. They must run once, in this order, to prepare the machine before the package is installed:
   1. Nightfall AI Pre-Installation Check
   2. Nightfall AI Pre-Installation Script
9. Click **Scope** and set the Target, Limitations, and Exclusions as needed. Targeting the Smart Group from the Step 4 note (devices that already have the Nightfall profile) keeps the policy from installing the agent on machines without the profile.
10. Click **Save**.
{% endstep %}
{% endstepper %}

## Frequently Asked Questions (FAQs)

**Do I still need to install a Nightfall agent on devices after API-based onboarding?**

Yes. API-based MDM onboarding enables Nightfall to map user email addresses to devices automatically. You still need to deploy the Nightfall agent to the devices using the steps above.

**What permissions does Nightfall need in JAMF Pro?**

Nightfall requires only read access to device inventory: the three Read privileges listed in Step 1. It does not modify device settings or configurations. User-to-device attribution is managed automatically with API-based MDM onboarding, so no manual scripts are needed for it.

**What happens if API credentials expire or are revoked?**

If credentials expire or are revoked:

* Device syncing will stop. New devices added or removed will not be reflected in Nightfall during that time.
* Nightfall will surface an error in the console.
* You can re-authenticate or update credentials without reconfiguring policies.

**Can I disconnect or change my MDM connection later?**

Yes. To disconnect or change the MDM connection shown under **Settings** > **MDM Profile**, contact Nightfall Support.

**Who should I contact if onboarding fails?**

If you encounter issues:

* Verify API credentials and permissions in JAMF Pro
* Check the error message in the Nightfall console
* Contact Nightfall Support for assistance
