Deep Instinct is an AI-powered endpoint security platform that provides deep learning-based threat prevention for Mac devices. This guide walks you through deploying Deep Instinct silently across your fleet using Addigy Smart Software, including all required Device Settings (MDM Profiles) for Full Disk Access and System Extension permissions.
Overview
A complete Deep Instinct deployment in Addigy requires three components, which must be configured and deployed in this order:
- PPPC Device Setting (MDM Profile) — grants Full Disk Access to Deep Instinct processes
- System Extensions Device Setting (MDM Profile) — whitelists Deep Instinct's system extension
- Smart Software item — silently installs Deep Instinct using your organization's deployment credentials
Important: Deploy both Device Settings to your devices before deploying the software. Installing the software first may result in permission prompts appearing for end users.
Prerequisites
- Your organization's Deep Instinct deployment link (ends in
.deepinstinctweb.com) - Your Deep Instinct deployment token
- The Deep Instinct DMG installer file
Step 1: Create the PPPC Profile (Full Disk Access)
This profile grants Deep Instinct the Full Disk Access permissions it needs to scan and protect devices without prompting end users.
- Navigate to Catalog > Device Settings and click New.
- Select PPPC.
- Configure both the Access to Protected Files and Access to System Admin Files sections with the same set of entries below. For each entry, click Add New, fill in the fields, and make sure Allowed is checked.
Add the following entries to both PPPC sections:
| Identifier | Identifier Type | Code Requirement | Allowed |
|---|---|---|---|
com.deepinstinct.InstallerPermissionsPlugIn |
Bundle ID | identifier "com.deepinstinct.InstallerPermissionsPlugIn" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "MV9BR98H24" |
Yes |
com.deepinstinct.InstallerSettingsPlugIn |
Bundle ID | identifier "com.deepinstinct.InstallerSettingsPlugIn" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "MV9BR98H24" |
Yes |
com.deepinstinct.UIService |
Bundle ID | identifier "com.deepinstinct.UIService" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "MV9BR98H24" |
Yes |
com.deepinstinct.DeepInstinctUtility |
Bundle ID | identifier "com.deepinstinct.DeepInstinctUtility" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "MV9BR98H24" |
Yes |
/Library/DeepInstinct/Executables/DeepInstinctClassifier |
Bundle ID | anchor apple generic and identifier DeepInstinctClassifier and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = MV9BR98H24) |
Yes |
com.DeepInstinct.DeepInstinctAgent |
Bundle ID | identifier "com.DeepInstinct.DeepInstinctAgent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "MV9BR98H24" |
Yes |
com.deepinstinct.mng |
Bundle ID | anchor apple generic and identifier "com.deepinstinct.mng" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "MV9BR98H24") |
Yes |
com.deepinstinct.InstallerSystemExtPermissionPlugIn |
Bundle ID | identifier "com.deepinstinct.InstallerSystemExtPermissionPlugIn" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "MV9BR98H24" |
Yes |
com.deepinstinct.at |
Bundle ID | anchor apple generic and identifier "com.deepinstinct.at" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "MV9BR98H24") |
Yes |
com.deepinstinct.DeepInstinctUtility.Extension |
Bundle ID | identifier "com.deepinstinct.DeepInstinctUtility.Extension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = MV9BR98H24 |
Yes |
- Click Save in the bottom right.
Step 2: Create the System Extensions Profile
This profile whitelists Deep Instinct's system extension so it can load automatically without user approval.
- Navigate to Catalog > Device Settings and click New.
- Select System Extensions.
- Under Allowed Team Identifiers, enter:
MV9BR98H24 - Click Save.
Note: The Team Identifier
MV9BR98H24authorizes all system extensions signed by Deep Instinct. Do not add this value under Allowed System Extensions — it belongs only under Allowed Team Identifiers.
Step 3: Deploy Both Device Settings to Your Policy
Before proceeding to the software installation, add both Device Settings to the relevant Policy and confirm they have been applied to your target devices. You can verify delivery under GoLive > Device Settings > Installed Device Settings.
Step 4: Create the Smart Software Item
Once the profiles are deployed, create the Smart Software item to silently install Deep Instinct.
- Navigate to Catalog > Software and click New.
- Enter a name (e.g.,
Deep Instinct). - Under Installation Files, click Select File(s) and upload your Deep Instinct DMG file.
- Once uploaded, paste the following into the Installation Command field, substituting your actual file name, deployment link, and token:
[ -d "/Library/Application Support/Deep Instinct" ] || mkdir "/Library/Application Support/Deep Instinct" cp -R "YOUR_DMG_FILENAME.dmg" "/Library/Application Support/Deep Instinct/" hdiutil attach -nobrowse "/Library/Addigy/ansible/packages/Deep Instinct (1.0)/YOUR_DMG_FILENAME.dmg" sudo "/Volumes/Deep Instinct/installer.sh" YOUR_LINK_HERE.deepinstinctweb.com -token YOUR_TOKEN_HERE hdiutil detach "/Volumes/Deep Instinct/"
Replace the following placeholders before saving:
-
YOUR_DMG_FILENAME.dmg— the exact filename of the DMG you uploaded (e.g.,3.1.0.104_Deepinstinct.dmg). This must match in both thecpandhdiutil attachlines. -
YOUR_LINK_HERE.deepinstinctweb.com— your organization's Deep Instinct deployment URL -
YOUR_TOKEN_HERE— your Deep Instinct deployment token
- Click Save in the bottom right.
Tip: If your DMG filename includes spaces or special characters, make sure they are preserved exactly — including parentheses and version numbers — as the script is case- and character-sensitive.
Frequently Asked Questions
Why do I need to deploy the Device Settings before the software?
macOS requires that Full Disk Access and System Extension permissions be granted via MDM before a security agent like Deep Instinct runs for the first time. If the software installs first, macOS may prompt end users to grant permissions manually, or the agent may not function correctly.
Where do I find my Deep Instinct deployment link and token?
These are provided by Deep Instinct when you configure a deployment in the Deep Instinct management console. Contact your Deep Instinct administrator or account representative if you don't have these values.