
Deploy Scan Agent with MDM

Deploy the Willow Scan Agent with MDM when you need a repeatable rollout across managed employee devices.

Prerequisites

  • Admin access to Willow.
  • Admin access to your MDM provider.
  • A pilot group of test devices.
  • The latest Willow Scan Agent files from the AI Discovery setup flow:
    • macOS: .pkg installer and .mobileconfig profile.
    • Windows: .zip package and .reg registry policy.

Minimum requirements

| Component | Minimum requirement |
| --- | --- |
| Willow Scan Agent target OS | macOS for the .pkg installer and .mobileconfig profile, or Windows x64 for the .zip package and .reg registry policy. Linux is not supported for Scan Agent deployment. |
| macOS deployment tool | An MDM provider that can deploy a signed .pkg installer and a custom .mobileconfig profile to managed Mac devices. |
| Windows deployment tool | GPO, Intune, JumpCloud, or another endpoint tool that can import a .reg policy and run install.ps1 with administrator privileges. |
| Network access | Devices must be able to reach your Willow Connect URL from the generated configuration. |

Willow does not publish separate minimum MDM version numbers for this flow. Use a currently supported MDM release that provides the deployment features listed above.

Expected outcome

After deployment, test devices install the Willow Scan Agent, receive the Willow connection profile or policy, and appear in the AI Discovery dashboard after the next scan interval.

Choose your provider

| Provider | Guide |
| --- | --- |
| Jamf Pro | Deploy with Jamf |
| Mosyle | Deploy with Mosyle |
| Kandji | Deploy with Kandji |
| Microsoft Intune | Deploy with Intune |
| Group Policy | Deploy with GPO |
| JumpCloud | Deploy with JumpCloud |
| Iru | Deploy with Iru |

Willow Guard browser extension deployment uses a separate Chrome policy. For browser-based AI visibility, see Deploy Willow Guard Browser Extension.

Rollout order

  1. Download the generated agent files from Willow.
  2. Upload the configuration profile or registry policy to your MDM.
  3. Upload the installer package or installation script to your MDM.
  4. Scope the configuration and installer to a pilot group.
  5. Verify devices report to AI Discovery.
  6. Expand the scope to the rest of the target population.

For macOS, deploy the .mobileconfig profile before or with the .pkg installer so the agent can read its Willow connection details on startup.

For Windows, import the .reg policy before or during the install script so the scheduled task starts with the correct configuration.

Connection details

The Scan Agent Setup modal shows Server URL and Auth Token under Connection Details.

These values are pre-filled in the downloaded config profile and registry file. Use them for manual or CLI-based installation, or when you need to convert the generated policy into another MDM format.

Do not edit the generated values unless Willow Support asks you to. Treat the auth token as sensitive.

Verify deployment

On a managed macOS device:

sudo launchctl print system/com.mcp-s-scan.agent
tail -n 50 /var/log/mcp-s-scan/agent-error.log

On a managed Windows device:

Get-ScheduledTask -TaskName "MCP-S-Scan Agent" | Select-Object State
Get-Content C:\ProgramData\mcp-s-scan\logs\agent.log -Tail 50

In Willow, open AI Discovery and confirm the pilot device appears with a recent last scan time.

Troubleshooting

| Symptom | Check |
| --- | --- |
| Device does not appear in Willow | Confirm the profile or registry policy was installed and contains the generated Willow connection values. |
| Agent installed but does not run | Check the launch daemon on macOS or scheduled task on Windows. |
| MDM shows install success but Willow has no scans | Review local agent logs and verify the device can reach your Willow Connect URL. |
| Only some users report findings | Confirm the MDM scope includes the expected devices and that the agent package was not limited to a test group. |
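
The macOS verification commands and the troubleshooting checks above can be combined into one script that an MDM runs on each pilot device and that prints a single verdict line. This is an added example, not Willow's own tooling. The launchd label and log path are the ones shown under Verify deployment; the Connect URL argument is a placeholder, the verdict names are made up for this example, and treating any content in agent-error.log as worth a review is an assumption.

```sh
#!/bin/sh
# Added example (not Willow's code): pilot check for a managed macOS device.
# Label and log path come from the commands on this page; the Connect URL is
# passed as an argument because this page does not list it.
AGENT_LABEL="system/com.mcp-s-scan.agent"
ERROR_LOG="/var/log/mcp-s-scan/agent-error.log"

# 0 if launchd has the service loaded, non-zero otherwise.
service_loaded() { launchctl print "$1" >/dev/null 2>&1; }

# Print the number of lines in the error log; 0 if missing, unreadable or empty.
error_log_lines() {
    if [ -r "$1" ]; then grep -c '' "$1" || true; else echo 0; fi
}

# 0 if an HTTPS connection to the URL completes; 2 if the URL is not https.
url_reachable() {
    case "$1" in https://*) ;; *) return 2 ;; esac
    curl --silent --output /dev/null --max-time 10 "$1"
}

# Map the three results to the matching troubleshooting check.
# Args: service exit status, error-log line count, reachability exit status.
diagnose() {
    if [ "$1" -ne 0 ]; then echo "agent-not-running"
    elif [ "$3" -ne 0 ]; then echo "connect-url-unreachable"
    elif [ "$2" -gt 0 ]; then echo "review-agent-error-log"
    else echo "ok"; fi
}

# Run all checks and print one verdict line; non-zero exit unless "ok".
check_device() {
    svc=0; service_loaded "$AGENT_LABEL" || svc=$?
    net=0; url_reachable "$1" || net=$?
    verdict=$(diagnose "$svc" "$(error_log_lines "$ERROR_LOG")" "$net")
    echo "$(hostname): $verdict"
    [ "$verdict" = "ok" ]
}

# Usage (as root): sh check_agent.sh https://connect.example.invalid
if [ "$#" -gt 0 ]; then check_device "$1"; fi
```

The script never reads or prints the auth token, so its output is safe to collect in MDM script logs.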