Nightfall macOS Agent Deployment: JumpCloud MDM

Nightfall AI Endpoint Agent for macOS — JumpCloud MDM Installation Guide

Overview

This guide provides instructions for deploying the Nightfall AI Endpoint Agent to macOS devices via JumpCloud MDM. It highlights Software Management (Private Repository) as the preferred method, while also documenting an alternative method using Commands + a hosted .pkg.


Prerequisites

  • macOS devices enrolled in JumpCloud MDM.

  • Deployment assets:

    • Configuration profile (default, recommended): NightfallAI_Profile_with_Browser_Extensions.mobileconfig

    • Pre-install script: mdm_pre_installation_script.sh

    • Nightfall agent: nightfall-ai-agent-signed.pkg (signed for Software Management, or hosted on HTTPS for Commands)

mdm_pre_installation_script.sh

The script is used by MDMs to ensure that a macOS machine is in a clean state before installing the Nightfall Agent. It wipes any existing Nightfall installation and prepares a clean environment for a new install, including:

  • Loading API keys

  • Rebuilding folders

  • Resetting launch daemons

NightfallAI_Profile_with_Browser_Extensions.mobileconfig

This profile is designed to pre-authorize and enable what the Nightfall Endpoint Agent requires on a macOS machine without needing user prompts.

  • Silently installs/enables the Nightfall browser extension

  • Allows the extension to run without prompts

  • Authorizes required permissions (content inspection, file uploads, scanning)

  • Grants macOS Privacy Permissions required by Nightfall:

    • Full Disk Access (FDA)

    • System Events/Automation Permissions

    • Application Control Permissions

  • Configures the payloads for browser + system integration

  • Prevents users from tampering with the security controls


Step 1 — Deploy the Configuration Profile

Always use the default profile with browser extensions:

  1. In JumpCloud Admin Portal → Device Management → Configuration Profiles.

  2. Create a new macOS Custom Configuration Profile.

  3. Upload NightfallAI_Profile_with_Browser_Extensions.mobileconfig.

  4. Assign it to device groups or systems.

  5. Save and confirm devices receive the profile.

The Nightfall agent will only install correctly if the required .mobileconfig profile has been deployed beforehand.


Step 2 — Distribute the Agent

Preferred Method: Software Management (Private Repository)

  1. First, run the pre-install script as a Command:

    • In JumpCloud Admin Console → Device Management → Commands → + Command (macOS).

    • Attach both scripts:

      • mdm_pre_installation_script.sh

    • Assign this command to the same device groups you plan to assign the app.

    • Run it to ensure systems are properly prepared and to skip reinstall on healthy hosts.

  2. Then, assign the managed app:

    • In JumpCloud Admin Console → Software Management → Private Repository → Add App → Custom (Apple/macOS).

    • Upload the signed Nightfall nightfall-ai-agent-signed.pkg.

    • Assign it to the same device groups.

    • JumpCloud will install the agent as a managed application.

Important: Always run the script Command first before assigning the managed .pkg. This ensures proper environment setup and avoids unnecessary reinstalls.


Alternative Method: Commands + Hosted nightfall-ai-agent-signed.pkg

Use this method if you want scripts and installation tightly coupled.

In JumpCloud Admin Console → Device Management → Commands → + Command (macOS):

  1. Attach both scripts:

    • mdm_pre_install_check_script.sh

    • mdm_pre_installation_script.sh

  2. Paste the following command (update PKG_URL):

    #!/bin/bash
    set -euo pipefail
    
    LOG="/var/log/nightfall_install.log"
    # Replace with the HTTPS URL where your signed package is hosted.
    PKG_URL="https://your-bucket.s3.amazonaws.com/nightfall-ai-agent-signed.pkg"
    PKG_LOCAL="/tmp/nightfall-ai-agent-signed.pkg"
    
    # Local copies of the two scripts attached to this Command.
    PRECHECK="/tmp/mdm_pre_install_check_script.sh"
    PREP="/tmp/mdm_pre_installation_script.sh"
    
    echo "$(date) — Starting Nightfall install" >>"$LOG"
    
    cp ./mdm_pre_install_check_script.sh "$PRECHECK"
    cp ./mdm_pre_installation_script.sh "$PREP"
    chmod +x "$PRECHECK" "$PREP"
    
    # Skip the install when the check script reports a healthy agent.
    if "$PRECHECK" >>"$LOG" 2>&1; then
      echo "$(date) — Agent already installed & healthy, skipping." >>"$LOG"
      exit 0
    fi
    
    # Remove any existing installation and prepare a clean environment.
    "$PREP" >>"$LOG" 2>&1
    
    # Download the package (-f fails on HTTP errors) and install it.
    curl -fL "$PKG_URL" -o "$PKG_LOCAL"
    /usr/sbin/installer -pkg "$PKG_LOCAL" -target / >>"$LOG" 2>&1
    rm -f "$PKG_LOCAL"
    
    echo "$(date) — Nightfall install completed" >>"$LOG"

  3. Assign the command to devices or groups.

  4. Run now or schedule as needed.


Step 3 — Monitor & Verify

  • Software Management: Check JumpCloud’s app inventory to confirm installation.

  • Commands: View Commands → Results for logs and exit codes.

  • On-device: check /var/log/nightfall_install.log.

  • Confirm .mobileconfig profile is installed (profiles list).

  • Verify the Nightfall agent is running.

    • Launch Activity Monitor > CPU > Search for Nightfall.

    • Identify two running processes - one running as root and the second as the user.

  • Verify the endpoint is communicating with Nightfall.

    • Open Nightfall web console > Integrations > macOS > Manage.

    • Confirm the device(s) listed show as Agent Status = Connected.


Recommendation

  • Default: Use Software Management (Private Repository) with a script Command run first for environment prep.

  • Alternative: Use Commands + hosted .pkg only if you need script-driven installs inline or cannot use the Private Repository.
