Deploy the macOS agent — PatchPilot Docs

Supported macOS versions

macOS 12 (Monterey) and later, on both Apple Silicon and Intel. Earlier versions may work but are not tested.

Get an enrolment token

From the admin console: Settings > API Keys > Create. The token is prefixed ppk_.

One-liner install

On the target Mac, as an admin user:

curl -fsSL https://patchpilot.co.uk/downloads/install-macos.sh \
  | sudo bash -s -- \
      --host https://patchpilot.co.uk \
      --api-key ppk_your_token

The installer:

Installs Homebrew if it isn't already present (as the console user, not root).
Installs jq via brew.
Writes the agent to /usr/local/bin/patchpilot-agent with config in /etc/patchpilot/ (mode 0600).
Registers a LaunchDaemon at /Library/LaunchDaemons/io.patchpilot.agent.plist.
Performs first check-in immediately.

Verify enrolment

sudo launchctl list | grep io.patchpilot
sudo log show --predicate 'subsystem == "io.patchpilot.agent"' --last 5m

The device will appear in Devices in the admin console within ~60 seconds.

What's collected

Installed apps and brew formulae with available updates.
Apple softwareupdate queue (system / Safari / XProtect).
FileVault status.
Application Firewall state and stealth-mode setting.
OS version, hardware identifier, system uptime.

MDM-managed Macs

If your fleet is managed by an MDM (Jamf, Kandji, Mosyle, etc.), wrap the install command in a managed script and pass the --api-key as a managed parameter. The PatchPilot agent does not claim MDM authority — it sits alongside your MDM and contributes patch + compliance signals.

PatchPilot doesn't replace Apple's MDM channel. We don't push profiles, we don't enforce DEP. We track posture, patch third-party apps, and surface the evidence your auditor wants.

Uninstall

sudo launchctl bootout system /Library/LaunchDaemons/io.patchpilot.agent.plist
sudo rm /Library/LaunchDaemons/io.patchpilot.agent.plist
sudo rm -rf /etc/patchpilot /usr/local/bin/patchpilot-agent