macOS Deployment Reference (Jamf)
Jamf-focused deployment reference for installing, configuring, and validating Thoth MCP Proxy on managed macOS fleets.
This reference explains how to deploy Thoth MCP Proxy (thoth) to managed macOS endpoints using Jamf Pro.
For policy sequencing, parameter setup, and rollout workflow, start with Jamf Onboarding Overview and Jamf macOS Runbook.
Use Intune Onboarding Overview and platform runbooks under Deployments for Intune workflows.
Quick Start
Use this flow for a pilot rollout in under 10 minutes.
- Choose install source:
  - `curl -fsSL https://install.atensecurity.com/thoth | sh` (recommended)
  - Direct release asset from `atensecurity/thoth`
- Scope the install policy to a pilot smart group.
- Deploy a runtime configuration profile with required environment variables.
- Validate deployment on endpoints.
Full Deployment Guide
Objectives
- Install Thoth MCP Proxy across managed macOS fleets.
- Start the service automatically at boot with LaunchDaemon.
- Register endpoints and maintain 60-second heartbeat check-ins.
- Push policy updates through managed runtime configuration.
- Maintain auditable operational controls for rotation, rollback, and incidents.
Prerequisites
- Jamf Pro admin access with package/profile/script deployment rights.
- Tenant ID (`THOTH_TENANT_ID`).
- Fleet-scoped API key material.
- Endpoint labels:
  - `THOTH_FLEET_ID`
  - `THOTH_ENV=prod`
  - `THOTH_ENROLLMENT_SOURCE=jamf`
Endpoint routing contract
| Purpose | URL pattern | Env var |
|---|---|---|
| Control-plane host + API key management | https://<tenant>.<apex-domain> | — |
| Endpoint proxy policy checks | https://enforce.<tenant>.<apex-domain> | Auto-derived from THOTH_TENANT_ID + THOTH_APEX_DOMAIN |
| Endpoint registration + check-ins | https://grid.<tenant>.<apex-domain> | Auto-derived from THOTH_TENANT_ID + THOTH_APEX_DOMAIN |
Runtime Configuration
Deploy runtime values via managed profiles or managed config files. Do not hardcode runtime values in the LaunchDaemon plist.
Validation notes:
- Keep `THOTH_REQUIRE_NON_ROOT=true` in production.
- Use file-backed secrets where possible. If `THOTH_API_KEY_FILE` is unset, `thoth` defaults to `~/.thoth/proxy_api_key.json`.
- Set `THOTH_ENFORCER_FAILURE_DECISION` explicitly per environment.
- `thoth` derives `enforcer_url` and `govapi_url` from `tenant_id` + `apex_domain`.
- Endpoint identity defaults to managed device ID override (if provided), then OS machine identity, then hostname fallback.
- `govapi_url` is derived automatically as `https://grid.<tenant>.<apex-domain>`.
Installation via Jamf
- Choose install source:
  - Online install script (recommended): `curl -fsSL https://install.atensecurity.com/thoth | sh`
  - Direct asset from `https://github.com/atensecurity/thoth/releases`
- Verify checksum against release `checksums.sha256`.
- Ensure final installed binary path is `/usr/local/bin/thoth`.
- Scope to pilot devices.
- Install and validate paths.
- Validate binary.
- Validate LaunchDaemon state and install log.
Bootstrap + Check-in Validation
On first startup, Thoth MCP Proxy performs endpoint registration and check-in.
Validate endpoint health:
Expected:
- `registration_ok=true` or endpoint `ok=true`
- `config_drifted=false`
- `current_version_ok=true`
Fleet SLO:
- Endpoint appears in Fleet view within 60 seconds.
Extension Attributes + Smart Groups
Use a Jamf Extension Attribute script to parse health output and map it to smart groups.
Suggested smart groups:
- `healthy_current_version`
- `drifted_config`
- `proxy_unreachable`
- `outdated_version`
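One way to write that Extension Attribute, as an added example (not Aten Security's or Jamf's own script). It assumes `thoth health --json` prints a flat JSON object whose boolean fields carry the names listed under Expected above; the precedence between groups and the choice to treat missing fields as unhealthy are assumptions of this example.

```sh
#!/bin/sh
# Added example: Jamf Extension Attribute that maps thoth health output to a smart-group value.
# Assumption: `thoth health --json` prints a flat JSON object with boolean fields
# registration_ok / ok / config_drifted / current_version_ok (names from this page).
# Constructed sample: {"registration_ok":true,"config_drifted":false,"current_version_ok":true}

THOTH_BIN="/usr/local/bin/thoth"   # absolute path: EA scripts run as root, do not trust PATH

# Print the value (true|false) of a top-level boolean key, or nothing if it is absent.
json_bool() {
  printf '%s' "$1" | tr -d ' \t\r\n' | sed -E -n "s/.*\"$2\":(true|false).*/\1/p"
}

# Map health JSON to one smart-group value. Missing or unparseable fields count as
# unhealthy, so a broken proxy never reports healthy_current_version.
classify_health() {
  health_json="$1"
  [ -n "$health_json" ] || { echo "proxy_unreachable"; return 0; }
  reg=$(json_bool "$health_json" registration_ok)
  ok=$(json_bool "$health_json" ok)
  drift=$(json_bool "$health_json" config_drifted)
  ver=$(json_bool "$health_json" current_version_ok)
  if [ "$reg" != "true" ] && [ "$ok" != "true" ]; then
    echo "proxy_unreachable"      # assumed mapping: no successful registration/check-in
  elif [ "$drift" != "false" ]; then
    echo "drifted_config"
  elif [ "$ver" != "true" ]; then
    echo "outdated_version"
  else
    echo "healthy_current_version"
  fi
}

# Jamf reads the attribute value from <result>...</result> on stdout.
report=""
if [ -x "$THOTH_BIN" ]; then
  # Keep whatever was printed even if the command exits non-zero.
  report=$("$THOTH_BIN" health --json 2>/dev/null) || true
fi
echo "<result>$(classify_health "$report")</result>"
```

Each smart group then matches on the attribute value being equal to one of the four names.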
Policy Updates (No Repack Required)
Use managed configuration profile updates to push policy changes without rebuilding the package.
- Update enforcement mode inputs, routing tags, and key references.
- Roll out via pilot then progressive waves.
- Validate with `thoth health --json` before widening scope.
- Runtime policy updates hot-reload from `THOTH_POLICY_PROFILE_PATH`.
- Enforce signature verification with `THOTH_POLICY_PROFILE_HMAC_SECRET`.
What gets installed on your system
| Path | Purpose |
|---|---|
| /usr/local/bin/thoth | Primary Thoth MCP Proxy executable |
| /Library/LaunchDaemons/com.atensecurity.thoth.plist | LaunchDaemon service definition |
| /Library/Application Support/Thoth/ | Runtime state and policy files |
| /etc/thoth/ | Configuration directory |
| /var/log/thoth-install.log | Installer and postinstall log |