MDM deployment

This guide covers how to deploy shft and its configuration profile through MDM. For platform-specific instructions, see the dedicated guides:

Packaging shft for MDM

shft is distributed as a standard macOS .pkg installer. The package installs shft.app to /Applications/.

Package details

Field             Value
Package format    .pkg (flat package)
Install location  /Applications/shft.app
Identifier        com.machinerysoftware.shft
Min OS            macOS 14.0
Architecture      Universal (Apple Silicon + Intel)
Signing           Signed and notarised by Machinery Software

No pre-install or post-install scripts are required. The app is self-contained with no dependencies.

Deployment scoping

Option 1: Deploy to all managed Macs

Scope shft to all managed devices. The app sits quietly in /Applications/ until needed. This ensures it's available whenever a device refresh happens.

Pros: Always ready when needed. No last-minute deployment.

Cons: Uses disk space on Macs that may never need it (~50 MB).

Option 2: Deploy to devices in active refresh

Scope shft to a smart group of devices that are part of a current refresh cycle (e.g., devices with a specific asset tag, department, or hardware model being retired).

Pros: Targeted deployment; only devices that need it have it.

Cons: Requires active management of the smart group.

Recommendation

Deploy to all managed Macs. The app is small, has no background processes, and does nothing until the user explicitly opens it. This eliminates the need to coordinate deployment timing with device refreshes.

Pre-staging vs on-demand deployment

Pre-staging

Deploy both the shft app and its configuration profile to Macs before the user needs them. When it's time to migrate, the user just opens the app; everything is already in place.

On-demand

If you prefer not to pre-deploy, you can use MDM to push shft and the profile at migration time. Note that profile delivery requires the Mac to be online and checking in with MDM, so allow time for the profile to arrive before the user opens shft.

Configuration profile deployment

The shft configuration profile should be deployed as a custom settings or custom configuration profile payload. See Configuration profile reference for the full profile with all keys.

Deployment order

  1. Deploy the PPPC profile — grants shft Full Disk Access so users don't see TCC consent prompts. See Privacy preferences profile. This must come from MDM — it cannot be installed manually.
  2. Deploy the configuration profile — push the shft policy profile so it's in place when shft launches
  3. Deploy the shft app — install the .pkg package

Deploy the PPPC profile before the app. If a user opens shft before the PPPC profile arrives, macOS will show "shft would like to access your Documents folder" prompts. Once the user dismisses these, the PPPC profile can't override their choice.

If the app is installed before the configuration profile arrives, it will run in permissive default mode until the profile is delivered on the next MDM check-in. This is harmless but may confuse users who see categories they shouldn't.

Profile scope

Setting            Value
Level              User
Preference domain  com.shft.config

The profile must target the user level (not device level). shft reads preferences via UserDefaults(suiteName: "com.shft.config"), which reads from the user's managed preferences namespace.
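The ordering and scope rules above can be checked on a device, for example from an MDM inventory script that flags Macs where shft would start in permissive default mode. This is an added example, not part of shft or its documentation, and it does not check the PPPC profile. It assumes macOS writes managed preferences under /Library/Managed Preferences/ (per-user in a subfolder named after the account); the function name, the state names and the ROOT parameter are hypothetical.

```shell
#!/bin/sh
# Added example: classify the shft deployment state for one user account.
# Assumption: user-level managed preferences are written to
#   /Library/Managed Preferences/<user>/<domain>.plist
# and device-level ones to /Library/Managed Preferences/<domain>.plist.
# ROOT is a hypothetical parameter so the check can run against a test tree;
# on a real Mac pass "/".

SHFT_APP="Applications/shft.app"   # install location from the package details
SHFT_DOMAIN="com.shft.config"      # preference domain from the profile scope

# shft_state ROOT USER prints one of:
#   not-installed  neither the app nor the user-level profile is present
#   profile-only   profile delivered, app not yet installed (correct order so far)
#   ready          app installed and user-level profile present
#   wrong-scope    app installed, profile present only at device level
#   permissive     app installed, no profile: shft runs in permissive default mode
shft_state() {
    root=${1%/}
    user=$2
    # Reject names that would escape the Managed Preferences folder.
    case $user in
        ''|*/*|.|..) echo "invalid-user"; return 2 ;;
    esac
    app="$root/$SHFT_APP"
    user_plist="$root/Library/Managed Preferences/$user/$SHFT_DOMAIN.plist"
    device_plist="$root/Library/Managed Preferences/$SHFT_DOMAIN.plist"

    if [ ! -d "$app" ]; then
        if [ -f "$user_plist" ]; then echo "profile-only"; else echo "not-installed"; fi
        return 0
    fi
    if [ -f "$user_plist" ]; then
        echo "ready"
    elif [ -f "$device_plist" ]; then
        echo "wrong-scope"
    else
        echo "permissive"
    fi
    return 0
}

# Typical call on a managed Mac, run as root for the console user:
#   shft_state / "$(stat -f%Su /dev/console)"
```

A result of permissive or wrong-scope means the app is present without the user-level policy in place, which is the condition to alert on in inventory.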

Disabled policy (Patchable integration)

If your organisation uses Patchable for app lifecycle management, deploying shft through Patchable automatically creates a disabled policy in your MDM. This policy:

  • Deploys the shft package to the target scope
  • Remains disabled until you explicitly enable it
  • Can be linked to Patchable's auto-update workflow so shft stays current

To use this integration, add shft to your Patchable title list and follow the Patchable documentation for creating MDM deployment policies.

Uninstallation

To remove shft:

  1. Remove the shft configuration profile from your MDM
  2. Remove the shft app, either via an MDM uninstall command or by adding a script that removes /Applications/shft.app
  3. Optionally, remove local logs at ~/Library/Application Support/shft/

shft has no background processes, launch daemons, or kernel extensions. Removing the .app bundle is a complete uninstall.