Kandji macOS Runbook

Use this runbook to deploy Thoth governance to managed macOS endpoints with Kandji.

1. Choose release source

Use Release Channels + Verification and select one:

• notarized PKG (thoth-macos-universal.pkg) for Kandji package deployment (recommended)
• Homebrew tap for admin bootstrap/testing only

Validate trust artifacts before rollout:

• checksums.sha256
• sigstore-metadata.json + *.sigstore.json
• sbom.cdx.json + sbom.spdx.json
• provenance.json

2. Upload package to Kandji

In Kandji:

1. Create/update a Custom App for thoth-macos-universal.pkg.
2. Configure auto-update policy tied to your approved release channel.
3. Scope to test devices first.

3. Deploy managed runtime config

Deploy thoth-config.json to:

/Library/Application Support/Thoth/thoth-config.json

Include onboarding values:

• tenant_id
• apex_domain
• environment

Do not hardcode customer values in scripts committed to source control.

4. Deploy setup script

Create a Kandji Script item to:

• validate thoth and thothctl are installed
• wrap ~/Library/Application Support/Claude/claude_desktop_config.json
• restart Claude Desktop if config changed

Use recurring enforcement to heal drift.

5. Optional Santa alignment

If Santa is enabled, apply trust rules from:

• santa-metadata.json
• signing-metadata.json

See Santa macOS Trust Policy.

6. Validate on pilot endpoints

thoth --version
thothctl --version
thoth health --json
thoth status

Also verify:

• /Library/Application Support/Thoth/thoth-config.json exists
• Claude config is wrapped and governed
• logs show successful policy checks

7. Rollout pattern

1. Test group
2. Pilot group
3. Production scope

Hold rollback package assignment ready before widening scope.

Troubleshooting

Related docs

• Release Channels + Verification
• Intune Onboarding Overview
• Jamf Onboarding Overview
• Deployment Validation Matrix