> ## Documentation Index
> Fetch the complete documentation index at: https://www.osohq.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Jamf

> Deploy Oso to macOS devices via Jamf Pro.

This page walks through deploying Oso to your organization's macOS devices using Jamf Pro.

* Oso environment ID (find it in **Organization Settings → Environments** in the [Oso dashboard](https://ui.osohq.com/settings/?tab=environments))
* Each computer must have a user assigned in Jamf Pro with an email address in the **User and Location** record. Jamf substitutes `$EMAIL` with that address when deploying configuration profiles.

## Step 1: Deploy the configuration profile

The configuration profile writes your Oso environment settings and the assigned user's email to each device's managed preferences.

1. Go to **Computers → Configuration Profiles** and click **New**.
2. Under the **General** tab, set:
   * **Name**: `Oso`
   * **Description**: `Configures Oso for AI traffic monitoring`
   * **Distribution Method**: Install Automatically
3. Select the **Application & Custom Settings** payload, choose **Upload**, and click **Add**.
4. Set the **Preference Domain** to `com.osohq.oso`.
5. In **Property List**, paste the following, replacing `YOUR_ENVIRONMENT_ID` with your Oso environment ID:

```xml theme={null}
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>OSO_ENVIRONMENT</key>
    <string>YOUR_ENVIRONMENT_ID</string>
    <key>OSO_PROXY_URL</key>
    <string>https://agents.osohq.cloud</string>
    <key>OSO_API_URL</key>
    <string>https://cloud.osohq.com</string>
    <key>USER_EMAIL</key>
    <string>$EMAIL</string>
</dict>
</plist>
```

6. Under the **Scope** tab, select your target computers or smart group.
7. Click **Save**.

<Note>
  Jamf substitutes `$EMAIL` with the email on the computer's assigned user (**User and Location** record).
</Note>

## Step 2: Upload the install script

The install script runs silently on each device and does two things: it configures your coding agents (Claude Code, Cursor, Codex) to route traffic through Oso for session monitoring, and it registers the device and user with Oso for identity correlation. It reads `OSO_ENVIRONMENT` and `USER_EMAIL` directly from the managed plist written in Step 1, with no user interaction required.

Copy the script below.

```bash theme={null}
#!/bin/bash
# Oso Jamf Install Script
#
# Downloads and installs Oso non-interactively. Reads OSO_ENVIRONMENT and
# USER_EMAIL from the managed preferences written by the configuration profile.

set -euo pipefail

PLIST="/Library/Managed Preferences/com.osohq.oso.plist"

OSO_ENVIRONMENT=$(defaults read "$PLIST" OSO_ENVIRONMENT 2>/dev/null || true)
if [[ -z "$OSO_ENVIRONMENT" ]]; then
    echo "ERROR: OSO_ENVIRONMENT not set. Deploy the configuration profile first." >&2
    exit 1
fi

USER_EMAIL=$(defaults read "$PLIST" USER_EMAIL 2>/dev/null || true)
if [[ -z "$USER_EMAIL" ]]; then
    echo "ERROR: USER_EMAIL not set. Assign a user with an email address to this computer in Jamf Pro." >&2
    exit 1
fi

echo "Installing Oso for $USER_EMAIL (env: $OSO_ENVIRONMENT)..."

curl -fsSL https://install.osohq.com/install.sh | sh -s -- \
    --env "$OSO_ENVIRONMENT" \
    --email "$USER_EMAIL" \
    --force 

echo "Oso installation complete."
```

1. Go to **Settings → Computer Management → Scripts** and click **New**.
2. Under the **General** tab, set the **Name** to `Oso Install`.
3. Under the **Script** tab, paste the script above.
4. Click **Save**.

## Step 3: Create a policy to run the install script

1. Go to **Computers → Policies** and click **New**.
2. Under the **General** tab:
   * **Display Name**: `Oso Install`
   * **Triggers**: check **Enrollment Complete** and **Recurring Check-In**
   * **Execution Frequency**: Once per computer
3. Under the **Scripts** tab, click **Configure**, add `Oso Install`, and set **Priority** to **After**.
4. Under the **Scope** tab, select your target computers or smart group.
5. Click **Save**.

Devices that are already enrolled will run the script at their next check-in. To trigger an immediate run on a specific device, run `sudo jamf policy` in its terminal.

## Step 4: (Optional) Deploy the Chrome extension profile

To force-install the Oso Chrome extension, create another configuration profile with **two** Application & Custom Settings payloads.

1. Go to **Computers → Configuration Profiles**, click **New**, and set a **Name** (e.g. `Oso Chrome Extension`) under the **General** tab.
2. Select the **Application & Custom Settings** payload, choose **Upload**, and click **Add** to create the first payload. Set the **Preference Domain** to `com.google.Chrome` and paste:

```xml theme={null}
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>ExtensionInstallForcelist</key>
    <array>
        <string>nochaaflecnmeafkagnbiabpgahpledi;https://install.osohq.com/extension/chrome/update_manifest.xml</string>
    </array>
</dict>
</plist>
```

3. Click **Add** again to create a second payload. Set the **Preference Domain** to `com.google.Chrome.extensions.nochaaflecnmeafkagnbiabpgahpledi` and paste the following, replacing `YOUR_ENVIRONMENT_ID` with your Oso environment ID:

```xml theme={null}
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>environmentId</key>
    <string>YOUR_ENVIRONMENT_ID</string>
    <key>userEmail</key>
    <string>$EMAIL</string>
</dict>
</plist>
```

4. Under the **Scope** tab, select your target computers or smart group, then click **Save**.

After the profile lands on a device, open `chrome://policy/` in Chrome and click **Reload policies** to apply immediately.

<Warning>
  **Chrome enterprise management requirement**

  Chrome (v119+) blocks force-installation of extensions not hosted on the Chrome Web Store unless it detects the device as enterprise managed. Devices enrolled in Jamf via user-approved MDM (self-enrollment) do not satisfy this requirement. Chrome requires either DEP/ADE supervision through Apple Business Manager or Chrome Browser Cloud Management (CBCM) enrollment.

  If `chrome://policy` shows `[BLOCKED]` next to the extension entry, enroll Chrome in CBCM:

  1. In the [Google Admin Console](https://admin.google.com), go to **Devices → Chrome → Connectors → Browser Cloud Management enrollment tokens**.
  2. Click **Add enrollment token**, give it a name, and copy the generated token.
  3. Add the following key to the `com.google.Chrome` payload's **Property List**, alongside `ExtensionInstallForcelist`:

  ```xml theme={null}
  <key>CloudManagementEnrollmentToken</key>
  <string>YOUR_CBCM_TOKEN</string>
  ```

  4. Redeploy the updated profile via Jamf.
  5. Fully quit and relaunch Chrome on the device (`⌘Q`, then reopen).

  After enrollment, `chrome://management` will show browser management and `chrome://policy` will show the extension installing without `[BLOCKED]`.
</Warning>

## Verifying deployment

After devices enroll, confirm the installation succeeded:

```bash theme={null}
# Managed preferences written by the configuration profile
defaults read "/Library/Managed Preferences/com.osohq.oso"

# Tool configs written by the installer (system-level)
cat "/Library/Application Support/ClaudeCode/managed-settings.json"
cat "/Library/Application Support/Cursor/hooks.json"
cat "/etc/codex/managed_config.toml"

# Identity registered with Oso
cat "/Library/Application Support/Oso/identity.json"

# Binaries installed
ls -la /usr/local/bin/oso-hook /usr/local/bin/oso-setup
```
