Jamf Pro deployment
mngd runs alongside your existing MDM rather than replacing it. If Jamf is already managing your Macs, this is the recommended way to get the mngd agent onto every Mac: upload the universal pkg as a Jamf package, ship a configuration profile carrying the enrollment token, and scope a policy to the devices you want covered.
This guide assumes Jamf Pro 11.x. Earlier versions work but the UI labels may differ.
Prerequisites
Before you start you need:
- An enrollment token from Settings → Enrollment in the mngd dashboard (shaped like mngd_K7X2-M9QR-4WPN). The plaintext is shown once at creation — copy it or click Profile on the same row to download a ready-to-deploy config profile while the reveal banner is up.
- Admin access to Jamf Pro with permission to upload packages, edit configuration profiles, and create policies.
- The signed mngd installer pkg — the same universal pkg for every org, served from https://cdn.mngd.app/agent/mngd-agent-latest.pkg. No per-org credentials are embedded; enrollment happens post-install via the token.
Step 1: Upload the mngd installer
- Download mngd-agent-latest.pkg from the mngd dashboard (or directly from the CDN URL above).
- In Jamf Pro, go to Settings → Computer Management → Packages.
- Click + New, give the package a display name (mngd agent), and upload the .pkg.
- Set Priority to 10 (default). Leave Fill existing user template and Fill user templates unchecked — the agent is a system-scope install.
- Save.
Step 2: Create (or upload) the enrollment profile
The agent reads its enrollment credentials from the com.mngd.agent
Managed Preferences domain, and any lockdown overrides from the legacy
com.mngd domain. You have two ways to get the enrollment profile
into Jamf:
Easy path — upload the portal-generated profile. In the mngd web
app, Settings → Enrollment, after generating a token click
Profile (on the same row, while the plaintext is still revealed) to
download a .mobileconfig. Upload it unchanged under Computers →
Configuration Profiles → Upload. Jamf re-signs it on save. Skip to
step 3.
Manual path — build it yourself. If you want to bundle the enrollment payload with other agent settings (display mode, update-check cadence, etc.):
- Go to Computers → Configuration Profiles → + New.
- Under Options, add an Application & Custom Settings → External Applications payload.
- Click Add → Custom Schema (or Preference Domain on older Jamf versions).
- Set Preference Domain to com.mngd.agent.
- Add the enrollment keys:

  ```xml
  <key>EnrollmentToken</key>
  <string>mngd_K7X2-M9QR-4WPN</string>
  <key>ServerURL</key>
  <string>https://api.mngd.app</string>
  ```

  Replace the token with the plaintext from Settings → Enrollment. The token is consumed once on first enrollment to obtain a per-device bearer credential; rotating the token later does not re-enroll already-enrolled devices.
- Optional — add a second payload for the com.mngd domain to lock down agent behaviour:

  | Key | Type | Effect |
  | --- | --- | --- |
  | UpdateCheckFrequency | String | hourly / daily / weekly / manual |
  | AutoInstallUpdates | Boolean | Install without prompting the user |
  | DisplayMode | String | MenuBarOnly / DockOnly / Both (default) |
  | DisabledFeatures | Array | Feature keys to hide in the agent UI |

- Scope the profile to the same devices you plan to push the installer to. Save.
Notification preferences moved. Older versions of this guide documented
Forced* MDM keys for pinning a user’s notification channel, quiet hours, and per-day Slack DM caps. Those keys were retired in the 2026-04 Slack redesign. Delivery window, timezone, and the silent-install transparency toggle are now per-user preferences set from the mngd Mac app, and admin-side overrides live in Settings → Notifications in the portal — no MDM payload required.
Step 3: Scope a policy to install the agent
- Go to Computers → Policies → + New.
- General tab:
  - Display name: Install mngd agent
  - Trigger: Recurring Check-in (fires within 30 min of next check-in)
  - Frequency: Once per computer
- Packages tab: click Configure, add the mngd agent package, leave Action as Install.
- Scope tab: choose the smart group or device list you want to cover. Same scope you used on the Configuration Profile in Step 2.
- Save.
The agent installs on each device’s next check-in, reads the config profile, and phones home to your mngd server.
Step 4: Verify installation
On a target device:

```sh
# Confirm the enrollment managed preferences landed.
sudo defaults read /Library/Managed\ Preferences/com.mngd.agent.plist

# (Optional) confirm any lockdown keys pushed under com.mngd.
sudo defaults read /Library/Managed\ Preferences/com.mngd.plist 2>/dev/null

# Confirm the agent binary is installed.
ls /Applications/mngd.app/Contents/MacOS

# Tail the agent log for the first check-in.
log stream --predicate 'subsystem == "com.mngd.agent"' --info
```

In the mngd dashboard, go to Devices. The device should appear within a minute of the install, with its most recent check-in timestamp. If the device doesn’t show up, see Troubleshooting below.
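The Step 4 checks and the Step 2 key table, written as an offline lint over the two managed-preferences plists. This is an added example, not code from mngd; the token pattern (inferred from the single sample in this guide), the https-only rule, and the function names are assumptions.

```python
import plistlib
import re
from urllib.parse import urlsplit

# Assumption: token shape inferred from the one sample shown in this guide.
TOKEN_RE = re.compile(r"mngd_[A-Z0-9]{4}(-[A-Z0-9]{4}){2}")
DOC_SAMPLE_TOKEN = "mngd_K7X2-M9QR-4WPN"  # placeholder printed in the guide

# com.mngd lockdown keys from the table in Step 2: (type, allowed values).
LOCKDOWN = {
    "UpdateCheckFrequency": (str, {"hourly", "daily", "weekly", "manual"}),
    "AutoInstallUpdates": (bool, None),
    "DisplayMode": (str, {"MenuBarOnly", "DockOnly", "Both"}),
    "DisabledFeatures": (list, None),
}

def check_enrollment(raw: bytes) -> list[str]:
    """Problems in a com.mngd.agent plist (XML or binary); never echoes the token."""
    prefs, problems = plistlib.loads(raw), []
    token = prefs.get("EnrollmentToken")
    if not isinstance(token, str) or not TOKEN_RE.fullmatch(token):
        problems.append("EnrollmentToken missing or malformed")
    elif token == DOC_SAMPLE_TOKEN:
        problems.append("EnrollmentToken is the documentation sample")
    url = prefs.get("ServerURL")
    parts = urlsplit(url) if isinstance(url, str) else None
    # Assumption: only https endpoints are acceptable for check-in traffic.
    if parts is None or parts.scheme != "https" or not parts.hostname:
        problems.append("ServerURL missing or not https")
    return problems

def check_lockdown(raw: bytes) -> list[str]:
    """Problems in a com.mngd plist: wrong types, bad values, retired keys."""
    problems = []
    for key, value in plistlib.loads(raw).items():
        if key.startswith("Forced"):
            problems.append(f"{key}: retired Forced* key")
        elif key in LOCKDOWN:
            kind, allowed = LOCKDOWN[key]
            if not isinstance(value, kind):
                problems.append(f"{key}: expected {kind.__name__}")
            elif allowed and value not in allowed:
                problems.append(f"{key}: unsupported value {value!r}")
    return problems

if __name__ == "__main__":
    # Constructed sample input, not from a real device.
    bad = {"EnrollmentToken": DOC_SAMPLE_TOKEN, "ServerURL": "http://api.mngd.app"}
    print(check_enrollment(plistlib.dumps(bad)))
```

Feed it the bytes of /Library/Managed Preferences/com.mngd.agent.plist and com.mngd.plist from a test Mac; an empty list means the keys this guide documents are present and well-formed.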
Troubleshooting
Device doesn’t appear after install
- Check that /Library/Managed Preferences/com.mngd.agent.plist exists and contains EnrollmentToken + ServerURL. An agent without a token falls back to the manual paste-token screen on first launch.
- If the profile is installed but the agent’s menu-bar icon shows “Not enrolled”, the token is likely revoked or typo’d. Generate a fresh token in Settings → Enrollment, download a new profile, and push it — already-enrolled devices are unaffected.
- Confirm the device can reach the ServerURL hostname. Behind a corporate proxy you may need to add api.mngd.app to the proxy allowlist.
- If you’re self-hosting with a private CA, deliver the root certificate via a separate Certificate payload on the same Configuration Profile.
“Not linked yet” shown in the agent
The agent installed and checked in, but no mngd user has been assigned to that device. Either:
- Let the user click Claim this device in the agent (self-service), or
- Assign the device to a user manually in the mngd dashboard under Devices → {device} → Assigned user.
User-scoped features (per-device Slack summary DMs, the silent-install transparency stream) don’t activate until a device is linked to a user — the agent has nowhere to send DMs without a Slack identity.
Configuration profile updates aren’t picked up
Jamf delivers profile changes on the next check-in, but the mngd agent caches them briefly. Force a refresh:

```sh
sudo killall cfprefsd
sudo launchctl kickstart -k system/com.mngd.agent
```

The agent will re-read both com.mngd.agent.plist and com.mngd.plist on its next sync cycle (default 10 minutes, configurable via SyncIntervalMinutes).
Uninstalling
Order matters — unscope the profile first, otherwise the next
check-in re-writes EnrollmentToken into com.mngd.agent and the
next pkg install silently re-enrolls the device.
- Unscope the mngd Enrollment Configuration Profile so the managed preferences stop getting pushed.
- Run an uninstall script via a Jamf Policy → Scripts payload, frequency Once per computer. Copy the command list from Uninstall the agent into a new script under Settings → Computer Management → Scripts and reference it from the policy. The system-level block (helper, LaunchDaemon, app bundle, helper logs) runs as root; the per-user block (keychain, user prefs, caches) needs $3 or CURRENT_USER substituted for ~ since Jamf scripts run as root.
- Delete the device from the mngd dashboard (optional — devices that stop checking in are marked offline after the org’s offline threshold but never deleted automatically).
See also
- Iru deployment guide — companion doc for orgs on Iru (formerly Kandji).
- Uninstall the agent — complete list of paths the uninstall script touches.