MDM Deployment Overview
Deploy the Pult Agent at scale using your MDM system.
For organizations managing devices centrally, the Pult Agent can be deployed via your MDM system. This automates both the installation and the enrollment process so employees don't need to install or sign in manually.
Deployment Steps
A typical MDM deployment involves three parts:
- Install the agent -- Upload the Pult Agent installer (.pkg for macOS, .msi for Windows) to your MDM and deploy it to target devices.
- Provision the bootstrap token -- Deploy the bootstrap token to each device so the agent can enroll automatically. Depending on your MDM, this may be done via MSI properties, a post-install script, or file-based deployment.
- Approve device requests -- As devices enroll, review and approve the device authentication requests in the Pult Dashboard.
Platform-Specific Guides
Windows
- Microsoft Intune Deployment -- Complete guide using PSAppDeployToolkit for Intune Win32 App deployment.
- For other MDMs that run installers in user context, use MSI properties directly:
msiexec /i pult-agent.msi BOOTSTRAP_TOKEN="your-token" AUTOLAUNCHAPP=1
BOOTSTRAP_TOKEN and AUTOLAUNCHAPP fail when the installer runs as SYSTEM (common for Intune Win32). Use the Intune guide above instead of MSI properties there. Background: Bootstrap Token Deployment (Method 2 -- MSI properties).
macOS
For macOS, the recommended pattern mirrors the Intune flow on Windows: build a single wrapper .pkg
that bundles the signed Pult Agent.app together with a postinstall script that writes the
bootstrap token. You then upload that wrapper to your MDM as a standard package install.
- Choose a deployment path:
  - Build the macOS MDM Package -- one wrapper .pkg containing the agent and an embedded bootstrap token. Works with any macOS MDM.
  - In-Browser PKG Builder -- the same wrapper, built directly in your browser. No Mac required; your .pkg and bootstrap token stay on your machine.
  - macOS Deployment via Post-install Script -- skip the wrapper if your MDM supports post-install scripts (e.g. Kandji). The canonical Pult-signed .pkg deploys as-is; the script provisions the token separately.
- Deploy through your MDM:
  - Jamf Pro -- includes Extension Attribute, Smart Group, and Policy setup for continuous compliance.
  - For Kandji, Mosyle, Workspace ONE, etc., upload the wrapper as a standard package install.
- Configure managed login items to ensure the agent auto-starts and users can't disable it.
Auto-Start Configuration
Windows
The MSI installer registers the agent for auto-start via a registry entry
(HKLM\Software\Microsoft\Windows\CurrentVersion\Run) by default (AUTOSTART_ALLUSERS=1).
macOS
macOS requires a separate MDM configuration profile to ensure the agent starts automatically and cannot be disabled by the user. See Managed Login Items.
Version Detection
Use these scripts in your MDM to detect the installed agent version (useful for triggering automatic updates):
macOS:
#!/bin/bash
# Detect whether the required Pult Agent version is installed.
APP_PATH="/Applications/Pult Agent.app"
REQUIRED_VERSION="0.2.10-beta1"
# Agent not installed: non-compliant.
if [[ ! -d "$APP_PATH" ]]; then
    exit 1
fi
# Read the bundle's version string from Info.plist.
INSTALLED_VERSION=$(/usr/bin/defaults read "$APP_PATH/Contents/Info.plist" CFBundleShortVersionString 2>/dev/null)
if [[ "$INSTALLED_VERSION" == "$REQUIRED_VERSION" ]]; then
    exit 0
else
    exit 1
fi
Windows (PowerShell):
# Detect whether the required Pult Agent version is installed.
$AgentPath = "C:\Program Files\Pult Agent\pult-agent.exe"
$RequiredVersion = "0.2.10-beta1"
# Agent not installed: non-compliant.
if (-not (Test-Path $AgentPath)) {
    exit 1
}
# Read the version recorded in the executable's version resource.
$InstalledVersion = (Get-Item $AgentPath).VersionInfo.FileVersion
if ($InstalledVersion -eq $RequiredVersion) {
    exit 0
} else {
    exit 1
}
Exit code 0 = compliant (correct version), exit code 1 = non-compliant (triggers re-install).
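The scripts above compare for an exact match, so a device already running a newer agent build also exits 1. The following is an added example, not a Pult-provided script, that treats "required version or newer" as compliant on macOS. It assumes versions follow MAJOR.MINOR.PATCH with an optional -prerelease tag; version_ge and pult_compliant are names introduced here.

```shell
#!/bin/sh
# Added example: "required version or newer" detection for the Pult Agent on macOS.
APP_PATH="/Applications/Pult Agent.app"
REQUIRED_VERSION="0.2.10-beta1"

# version_ge A B: succeeds when A is the same as or newer than B.
# Assumes MAJOR.MINOR.PATCH with an optional -prerelease tag (e.g. 0.2.10-beta1).
version_ge() (
    a=$1 b=$2 a_pre= b_pre=
    case $a in *-*) a_pre=${a#*-} ;; esac
    case $b in *-*) b_pre=${b#*-} ;; esac
    # Reject empty or non-numeric cores so a failed read is never "compliant".
    for core in "${a%%-*}" "${b%%-*}"; do
        case $core in ''|*[!0-9.]*) exit 1 ;; esac
    done
    IFS=.   # split the numeric cores on dots (subshell, so IFS is not leaked)
    set -- ${a%%-*}; a1=${1:-0} a2=${2:-0} a3=${3:-0}
    set -- ${b%%-*}; b1=${1:-0} b2=${2:-0} b3=${3:-0}
    set -- "$a1" "$b1" "$a2" "$b2" "$a3" "$b3"
    while [ $# -gt 0 ]; do
        [ "$1" -gt "$2" ] && exit 0
        [ "$1" -lt "$2" ] && exit 1
        shift 2
    done
    # Same numeric core: a release outranks any pre-release of it.
    [ -z "$a_pre" ] && exit 0
    [ -z "$b_pre" ] && exit 1
    # Both are pre-releases: byte-wise string order (beta1 < beta2 < rc1).
    [ "$a_pre" = "$b_pre" ] || LC_ALL=C expr "x$a_pre" \> "x$b_pre" >/dev/null
)

# pult_compliant [APP] [REQUIRED]: 0 = compliant, 1 = non-compliant.
pult_compliant() {
    app=${1:-$APP_PATH}
    required=${2:-$REQUIRED_VERSION}
    [ -d "$app" ] || return 1
    installed=$(/usr/bin/defaults read "$app/Contents/Info.plist" \
        CFBundleShortVersionString 2>/dev/null) || return 1
    version_ge "$installed" "$required"
}

# Only macOS has the bundle and /usr/bin/defaults, so only run the check there.
if [ "$(uname -s)" = "Darwin" ]; then
    if pult_compliant; then exit 0; else exit 1; fi
fi
```

The numeric fields are compared as integers, so 0.2.9 is correctly older than 0.2.10, which a plain string comparison would get wrong.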
Last updated on May 13, 2026, 12:37 PM