Iru deployment

Iru handles custom agent deployment through Library items scoped to Blueprints. Installing mngd on an Iru-managed org is two library items: a Custom App for the installer, and a Custom Profile for the enrollment token.

This guide assumes Iru’s modern UI (as of late 2025). Older tenants with the legacy library may have slightly different labels.

Prerequisites

An enrollment token from Settings → Enrollment in the mngd dashboard (shaped like mngd_K7X2-M9QR-4WPN). Click Profile on the same row while the plaintext is still revealed to download a ready-to-deploy config profile.
Iru admin access with permission to create Library items and edit Blueprints.
The universal signed mngd pkg from https://cdn.mngd.app/agent/mngd-agent-latest.pkg. The same pkg works for every org — per-org configuration happens after install via the enrollment token.

Step 1: Upload the mngd installer as a Custom App

In Iru, go to Library → Add → Custom App.
Display name: mngd agent.
Installation type: Installer Package.
Upload the mngd-agent.pkg.
Audit script: leave empty (Iru will verify the receipt by default, which is fine — the pkg uses a stable identifier).
Install on: Run once per device. The agent manages its own self-update, so Iru doesn’t need to re-push.
Assign to your target Blueprint(s) and save.

Step 2: Ship the enrollment profile

The agent reads its enrollment credentials from the com.mngd.agent Managed Preferences domain and any lockdown overrides from the legacy com.mngd domain. Iru delivers both via a Custom Profile.

Easy path: in the mngd portal under Settings → Enrollment, after generating a token click Profile while the reveal banner is still up. Upload the downloaded .mobileconfig to Iru as a Custom Profile. Done — skip to step 3.

Manual path (for embedding lockdown keys alongside enrollment):

Go to Library → Add → Custom Profile.
Display name: mngd Enrollment.

Build a .mobileconfig with two payloads. Replace REPLACE-WITH-UUID placeholders with fresh UUIDs (uuidgen on macOS).

Payload 1 — enrollment (com.mngd.agent domain):

<key>PayloadType</key>
<string>com.apple.ManagedClient.preferences</string>
<key>PayloadContent</key>
<dict>
  <key>com.mngd.agent</key>
  <dict>
    <key>Forced</key>
    <array>
      <dict>
        <key>mcx_preference_settings</key>
        <dict>
          <key>EnrollmentToken</key>
          <string>mngd_K7X2-M9QR-4WPN</string>
          <key>ServerURL</key>
          <string>https://api.mngd.app</string>
        </dict>
      </dict>
    </array>
  </dict>
</dict>

Payload 2 (optional) — lockdown keys in the com.mngd domain. See the Jamf Pro guide for the key catalogue; every key works identically regardless of MDM.

Re-sign with your org’s signing certificate if you have one (Iru accepts unsigned profiles but end-user devices will show “Not verified” in Settings → Profiles).
Assign to the same Blueprint(s) as the Custom App in Step 1.
Save and publish.

Step 3: Verify installation

Iru enforces Library items on the device’s next sync (usually every 15 minutes). To force an immediate check:

sudo iru run

Then confirm the agent picked up the config:

sudo defaults read /Library/Managed\ Preferences/com.mngd.agent.plist
sudo defaults read /Library/Managed\ Preferences/com.mngd.plist 2>/dev/null
ls /Applications/mngd.app
log stream --predicate 'subsystem == "com.mngd.agent"' --info

In the mngd dashboard, go to Devices. The device should appear within a minute of the agent’s first check-in.

Troubleshooting

Custom App shows as failed in Iru

Open Library → mngd agent → Installation History on the failing device. Iru surfaces the installer exit code there.
Most failures are Gatekeeper-related on unsigned builds — use the signed .pkg from the mngd dashboard, not a dev build.
Custom App installs run as root via Iru’s agent, so user-scope errors (home directory not accessible, etc.) suggest the installer is misbehaving rather than the Iru pipeline. File it with mngd support along with the installer log at /var/log/install.log.

Agent installed but doesn’t appear in the mngd dashboard

defaults read /Library/Managed Preferences/com.mngd.agent.plist must show both EnrollmentToken and ServerURL. If it doesn’t, the Custom Profile didn’t land — check the Blueprint scope.
If the profile is present but the agent’s menu-bar icon shows “Not enrolled”, the token is revoked or typo’d. Generate a fresh token in Settings → Enrollment, re-download the profile, and push it.
Confirm the device can reach ServerURL. Iru itself doesn’t care about egress to the mngd server, but the agent does — add api.mngd.app to any corporate proxy allowlist.

Config profile changes don’t take effect

Iru pushes profile updates on its own cadence. After a profile edit, force a sync:

sudo iru run

The mngd agent re-reads the managed preferences on its next sync (default 10 minutes, configurable via SyncIntervalMinutes). If you need an immediate agent refresh:

sudo killall cfprefsd
sudo launchctl kickstart -k system/com.mngd.agent

Uninstalling

Order matters — remove the device from the Blueprint first, otherwise the enrollment profile re-writes EnrollmentToken into com.mngd.agent on the next check-in and a future install silently re-enrolls the device.

Remove the device from the Blueprint that assigns the mngd agent Custom App and mngd Enrollment Custom Profile.
Add a Library → Script Library item that runs an uninstall script built from Uninstall the agent. Copy the system-level command block into the script; for the per-user cleanup, Iru scripts run as root so substitute the logged-in user into the ~ paths (the CURRENT_USER=$(stat -f%Su /dev/console) idiom works). Set execution frequency to Run once and scope it to the Blueprint you’re decommissioning.
Delete the device from the mngd dashboard if you want it removed immediately — Iru’s removal alone just stops the agent syncing.