Jamf Pro

Deploy and manage Safety Endpoint on macOS devices using Jamf Pro Policies

This guide covers deploying Safety Endpoint to macOS devices using Scripts and Policies in Jamf Pro. The deployment uses a lightweight shell script that installs, updates, and verifies Safety Endpoint on a recurring schedule.

Jamf Pro required. Jamf Now does not support scheduled script execution. This guide requires Jamf Pro.

Overview

Safety Endpoint is deployed using two Jamf Pro components:

Script — uploaded once under Settings, contains the deployment logic
Policy — references the script, defines when and where it runs

The script downloads the official setup script from Safety over HTTPS and executes it. Since the setup script is idempotent, it handles installation, updates, and health checks internally. A built-in throttle ensures the script runs at most once per hour, even if the policy triggers more frequently.

The script reports status through its exit code:

Exit Code

Meaning

Safety Endpoint is installed and up to date (or skipped — last run was less than 1 hour ago)

Setup failed — requires manual review

Prerequisites

Before starting, make sure you have:

Jamf Pro admin access with permissions to create Scripts and Policies
Enrollment key from the Safety Platform — click Manage Enrollment Key → Create Enrollment Key
Target devices running macOS 12 or later enrolled in Jamf Pro

Deploy Safety Endpoint

Get Your Enrollment Key

Log in to the Safety Platform, click Manage Enrollment Key → Create Enrollment Key, and copy the generated key. This key links devices to your Safety organization.

Add the Script in Jamf Pro

In Jamf Pro, go to Settings → Computer management → Scripts
Click New Script
On the General tab:
- Display Name: Safety Endpoint - Run
- Category: Security (or your preferred category)
- Information: Installs and maintains Safety Endpoint via the official setup script
On the Script tab, paste the script below with your enrollment key:

run.sh

#!/bin/bash
# Safety Endpoint - Run Script (macOS/Linux)
# Template: values below are populated by the Safety Platform per organization.
# Paste this into your script field (Jamf Pro, Kandji, etc.)
# Run as: root | Trigger: recurring check-in
#
# Downloads the Safety Endpoint setup script and executes it.
# Includes a 1-hour throttle so frequent check-ins don't cause redundant runs.

# ── Organization Configuration ───────────────────────────────────────
ENROLLMENT_KEY="REPLACE_WITH_YOUR_ENROLLMENT_KEY"
# Comma-separated list of firewall tools to exclude (e.g. "pip,npm")
EXCLUDE_FIREWALL_TOOLS=""
# ─────────────────────────────────────────────────────────────────────

set -euo pipefail

SETUP_URL="https://getsafety.com/cli/setup.sh"
USER_AGENT="Safety-Endpoint/1 (run)"
STAMP_FILE="/var/tmp/.safety-endpoint-last-run"
THROTTLE_SECONDS=3600
MAX_STAMP_AGE=86400  # 24h — treat older/invalid stamps as stale

# ── Throttle: skip if last successful run was less than 1 hour ago ───
should_run=true
if [ -f "$STAMP_FILE" ]; then
    last=$(cat "$STAMP_FILE" 2>/dev/null) || last=""
    now=$(date +%s)

    if echo "$last" | grep -qE '^[0-9]+$'; then
        age=$((now - last))
        if [ "$age" -lt 0 ] || [ "$age" -gt "$MAX_STAMP_AGE" ]; then
            echo "[Safety Endpoint Setup] Stamp has invalid age (${age}s). Removing stale stamp."
            rm -f "$STAMP_FILE"
        elif [ "$age" -lt "$THROTTLE_SECONDS" ]; then
            echo "[Safety Endpoint Setup] Last run was ${age}s ago (< ${THROTTLE_SECONDS}s). Skipping."
            should_run=false
        fi
    else
        echo "[Safety Endpoint Setup] Stamp file corrupt. Removing."
        rm -f "$STAMP_FILE"
    fi
fi

if [ "$should_run" = "false" ]; then
    exit 0
fi

# ── Download and execute ─────────────────────────────────────────────
echo "[Safety Endpoint Setup] Downloading $SETUP_URL ..."

# Build optional arguments
SETUP_ARGS="--enrollment-key $ENROLLMENT_KEY"
[ -n "$EXCLUDE_FIREWALL_TOOLS" ] && SETUP_ARGS="$SETUP_ARGS --exclude-firewall-tools $EXCLUDE_FIREWALL_TOOLS"

if command -v curl >/dev/null 2>&1; then
    # shellcheck disable=SC2086
    curl -fsSL -A "$USER_AGENT" "$SETUP_URL" | bash -s -- $SETUP_ARGS
elif command -v wget >/dev/null 2>&1; then
    # shellcheck disable=SC2086
    wget -qO- --user-agent="$USER_AGENT" "$SETUP_URL" | bash -s -- $SETUP_ARGS
else
    echo "[Safety Endpoint Setup] ERROR: curl or wget required" >&2
    exit 1
fi

# ── Mark successful run (atomic write) ───────────────────────────────
tmp_stamp=$(mktemp "${STAMP_FILE}.XXXXXX")
date +%s > "$tmp_stamp"
mv -f "$tmp_stamp" "$STAMP_FILE"

Make sure you replace REPLACE_WITH_YOUR_ENROLLMENT_KEY with your actual enrollment key before saving the script.

Click Save

Create the Setup Policy

In Jamf Pro, go to Computers → Policies
Click New Policy
On the Options tab, configure the General section:
- Display Name: Safety Endpoint - Setup
- Enabled: checked
- Category: Security
- Trigger: check both Recurring Check-in and Enrollment Complete
- Execution Frequency: Ongoing

Using Ongoing with Recurring Check-in means the policy triggers at every check-in, but the script's built-in 1-hour throttle ensures it only performs work once per hour. The Enrollment Complete trigger ensures new Macs get Safety Endpoint immediately after enrollment.

Attach the Script to the Policy

Still on the Options tab, click Scripts in the left sidebar
Click Configure
Select the Safety Endpoint - Run script you created earlier
Leave script parameters empty (the enrollment key is embedded in the script)

Set the Scope

Click the Scope tab
Under Targets, set Target Computers to All Computers or select specific computer groups
Use the Limitations and Exclusions tabs if you need to narrow the scope further

Save and Verify

Click Save to deploy the policy.

Quick test: To verify the setup works on a specific Mac without waiting for the next check-in, run the following command on the device as root:

sudo jamf policy

This forces an immediate check-in and triggers the policy. Check the policy logs in Jamf Pro to confirm it completed successfully.

Monitor Compliance

After deployment, monitor your fleet status in Jamf Pro:

Go to Computers → Policies
Select Safety Endpoint - Setup
Click Logs to view execution history

Status

What It Means

Action

Completed

Script ran successfully

None — Safety Endpoint is installed or was already up to date

Failed

The script exited with a non-zero code

Click the log entry to view script output for error details

Pending

Device has not checked in yet

Wait for the next scheduled check-in

To view logs for a specific device, go to Computers → Search Inventory → select the device → History → Policy Logs.

Uninstall Safety Endpoint

If you need to remove Safety Endpoint from devices, create a separate policy with the uninstall wrapper script. Like the deployment script, it downloads the official uninstall script from Safety over HTTPS and executes it.

The uninstall script removes all Safety Endpoint artifacts from the machine, including configuration, firewall wrappers, package manager settings, and data for all user profiles.

Add the Uninstall Script

In Jamf Pro, go to Settings → Computer management → Scripts
Click New Script
On the General tab:
- Display Name: Safety Endpoint - Uninstall
- Category: Security
On the Script tab, paste the following:

uninstall-run.sh

#!/bin/bash
# Safety Endpoint - Uninstall Script (macOS)
# Paste this into your script field (Jamf Pro, Kandji, etc.)
# Run as: root | Schedule: one-time or on-demand
#
# Downloads the Safety Endpoint uninstall script and executes it.

set -euo pipefail

UNINSTALL_URL="https://getsafety.com/cli/uninstall.sh"
USER_AGENT="Safety-Endpoint/1 (run)"

echo "[Safety Endpoint Setup] Downloading $UNINSTALL_URL ..."
if command -v curl >/dev/null 2>&1; then
    curl -fsSL -A "$USER_AGENT" "$UNINSTALL_URL" | bash -s
elif command -v wget >/dev/null 2>&1; then
    wget -qO- --user-agent="$USER_AGENT" "$UNINSTALL_URL" | bash -s
else
    echo "[Safety Endpoint Setup] ERROR: curl or wget required" >&2
    exit 1
fi

# Clean up the throttle stamp if it exists
rm -f /var/tmp/.safety-endpoint-last-run

Click Save

Create the Uninstall Policy

Go to Computers → Policies → New Policy
On the Options tab, configure the General section:
- Display Name: Safety Endpoint - Uninstall
- Enabled: checked
- Category: Security
- Trigger: Custom — enter the event name: safetyUninstall
- Execution Frequency: Once per computer
On the Options tab, click Scripts → Configure → select Safety Endpoint - Uninstall
On the Scope tab, select the target computers or groups
Click Save

To trigger the uninstall on a device, run:

sudo jamf policy -event safetyUninstall

Self Service alternative: You can also make the uninstall policy available in Self Service. On the Self Service tab, check Make the policy available in Self Service, set the display name, and configure the button labels. Users with appropriate permissions can then trigger the uninstall themselves.

The script runs once per device with root privileges and will clean up:

Safety Endpoint binaries and system PATH entries
Per-user configuration, firewall wrappers, and shell profiles
Package manager configurations (pip, uv, npm)
Scheduled tasks and LaunchDaemons created by Safety Endpoint

Troubleshooting

Script fails with network errors

The script uses curl (pre-installed on macOS) to download the setup script over HTTPS. If the download fails:

Ensure the device has internet access to getsafety.com
If your network uses a proxy, set the HTTPS_PROXY environment variable at the system level — curl on macOS respects standard proxy environment variables automatically
Verify no network appliance is blocking or intercepting HTTPS traffic to getsafety.com

Policy does not run on devices

If the policy is not executing on target devices:

Verify the device is enrolled in Jamf Pro and checking in regularly (Computers → select device → General → Last Check-in)
Confirm the device is within the policy's Scope
Check that the Recurring Check-in trigger is enabled and the startup script is configured in Settings → Computer management → Check-In
Force an immediate check-in on the device with sudo jamf policy

Script shows "skipping" every time

The message Last run was Xs ago (< 3600s). Skipping. means the throttle is working as expected. The script only performs work once per hour. If you need to force a re-run (e.g., for testing), delete the timestamp file on the device:

sudo rm -f /var/tmp/.safety-endpoint-last-run
sudo jamf policy

Policy shows "Failed" but Safety Endpoint is installed

A failed status means the script exited with a non-zero code. This can happen if:

The setup script detected a problem during its health check
A newer version failed to install
A temporary network issue occurred during the run

Check the policy logs for the specific device to see the script output. The next check-in will retry automatically (subject to the 1-hour throttle).

Policy does not retry after a failure

Jamf Pro has an internal 1-hour cooldown after a policy failure — if the script fails, Jamf will not retry it on that device for approximately 1 hour, regardless of check-in frequency. This is a server-side setting and is not configurable via the GUI.

On Jamf Pro (on-premises), the cooldown can be shortened via a database setting
On Jamf Cloud, this is not configurable — but it aligns with our script's 1-hour throttle, so the behavior is consistent

During testing, if you need to force a retry after a failure, edit the policy in the Jamf Pro console and click Save (even without changes) — this resets the cooldown for all devices.

PreviousMCM (SCCM/MECM)NextManageEngine

Last updated 1 month ago

Was this helpful?