Installing using MDM
Roll out to the fleet through your management platform. Pick your MDM below. Every path follows the same
golden sequence: CA certificates → configuration profiles → installer package, all scoped to the
Quilr-Pilot group first, then promoted to production.
Microsoft Intune — Windows (MSI as Win32 app)
Stage & package the MSI
Download quilr-endpoint-agent-win-install-bundle.zip (contains both .crt files and quilr-endpoint-agent.msi), then wrap with the Win32 Content Prep Tool:
IntuneWinAppUtil.exe -c C:\Staging\Quilr -s quilr-endpoint-agent.msi -o C:\Staging\OutThis produces quilr-endpoint-agent.intunewin.
Deploy CA certificates (optional)
The MSI installs the CAs automatically — create these profiles only for pre-deployment trust or central rotation. Devices → Configuration → Create policy, platform Windows 10 and later, profile type Trusted certificate:
- “Quilr Root CA” → upload
quilr-root-ca.crt→ store Computer certificate store – Root - “Quilr Intermediate CA” → upload
quilr-ea-intermediate-ca.crt→ store Computer certificate store – Intermediate
Assign both to the pilot group.
Deploy the MSI as a Win32 app
Apps → All apps → Add → Windows app (Win32), upload the .intunewin. Name “Quilr Endpoint Agent,” publisher “Quilr AI.”
| Field | Value |
|---|---|
| Install | msiexec /i "quilr-endpoint-agent.msi" /qn /norestart TENANTID=<TENANT-ID> |
| Uninstall | msiexec /x "{QUILR-MSI-PRODUCT-CODE}" /qn /norestart |
| Install behavior | System |
| Device restart | No specific action |
Requirements: architecture x64, minimum OS Windows 10 1809 (or your baseline). Detection rule: use the MSI detection type and allow auto-population of the product code. Assignment: Required → add WIN-Quilr-Pilot → Review + Create.
Devices sync within 8 hours, or manually via Settings → Accounts → Access work or school → Sync.
msedge.exe and chrome.exe — cover those with the Quilr browser extension. Test interception in Firefox or a native app.Rollback
- Change the MSI assignment from Required to Uninstall
- Unassign both CA certificate profiles
- Verify
certutil -store Root|CA | findstr /i quilrand the service query all return nothing
Microsoft Intune — macOS (PKG + profiles)
Strict order: CA certificates → custom configuration profiles → PKG app.
CA certificates
Create two Trusted Certificate profiles, each scoped to MAC-Quilr-Pilot:
- Root CA →
quilr-root-ca.crt - Intermediate CA →
quilr-ea-intermediate-ca.crt
Custom configuration profiles (Device channel)
| File | Profile name | Purpose |
|---|---|---|
quilr-endpoint-agent_FullDiskAccess.mobileconfig | Quilr Endpoint Agent — Full Disk Access (PPPC) | Grants file-system & app-management access |
quilr-endpoint-agent-nw-extension.mobileconfig | Quilr Endpoint Agent — Network Extension | Activates system extension & content filter |
The PPPC profile pre-approves kTCCServiceSystemPolicyAllFiles and kTCCServiceAppManagement with no user prompt.
PKG app with pre-install script
Apps → Add → macOS app (PKG), upload quilr-endpoint-agent-installer.pkg. In the Pre-install script section, inject the tenant config:
#!/bin/bash
TENANT="<TENANT-ID>"
printf '{"tenant_id":"%s","discover_skip":false}\n' "$TENANT" > /tmp/quilr-endpoint-agent.json
exit 0Assign to the same device group; confirm under Apps → Device install status.
.mobileconfig (Device channel) → 4) PKG app with pre-install script. Intune’s macOS PKG app has no uninstall intent — roll back by deploying a shell-script uninstaller, then unassigning the app, profiles, and certs.Jamf Pro — macOS
Four-part sequence: certificates → profiles → package + policy.
CA certificates (deploy first)
- Computers → Configuration Profiles → New
- Name “Quilr CA — Trust Chain,” category Certificates, level Computer Level
- Add two Certificate payloads — upload root and intermediate
- Disable “Allow export from keychain” for the root
- Scope to your target group and save
security find-certificate -a /Library/Keychains/System.keychain | grep -i quilrConfiguration profiles (deploy second)
Upload each .mobileconfig as a separate profile (Upload, Install Automatically, Computer Level), scoped to the same group:
quilr-endpoint-agent_FullDiskAccess.mobileconfig→ “Quilr Endpoint Agent — PPPC” (grantsSystemPolicyAllFiles+SystemPolicyAppBundlesto/Applications/QuilrAIProxy.app)quilr-endpoint-agent-nw-extension.mobileconfig→ “Quilr Endpoint Agent — Network Extension”
profiles list | grep -i quilr # expect 3 entries totalPackage + install policy (deploy third)
Pre-install script
Settings → Computer Management → Scripts → New, name “Quilr — Write tenant config (pre-install)”:
#!/bin/bash
TENANT="<TENANT-ID>"
printf '{"tenant_id":"%s","discover_skip":false}\n' "$TENANT" > /tmp/quilr-endpoint-agent.json
exit 0Package & policy
- Settings → Computer Management → Packages → New → upload
quilr-endpoint-agent-installer.pkg(category “Endpoint Security,” priority 10) - Computers → Policies → New → “Install Quilr Endpoint Agent”
- Triggers: Recurring Check-in + Enrollment Complete; frequency Once per computer
- Packages tab: add installer, action = Install; attach the pre-install script with Priority = Before
- Scope to the same group; save
tccutil reset SystemPolicyAllFiles and remove /Applications/QuilrAIProxy.app via a cleanup policy if desired.Kandji — macOS
Five library items, assigned to a Blueprint (e.g. “macOS — Quilr Pilot”), in strict order.
Certificates (deploy first)
Library → Add Library Item → Certificate ×2: “Quilr Root CA” (quilr-root-ca.crt) and “Quilr Intermediate CA” (quilr-ea-intermediate-ca.crt). Disable “Allow export from keychain.” Confirm both show Status: Installed before proceeding.
Custom profiles (deploy second)
Library → Add Library Item → Custom Profile ×2 using the PPPC and Network Extension .mobileconfig files. The PPPC profile grants kTCCServiceSystemPolicyAllFiles and kTCCServiceAppManagement (macOS 14+). Wait until both show “Installed.”
Custom App with Audit & Enforce (deploy last)
Library → Add Library Item → Custom App, name “Quilr Endpoint Agent,” upload the PKG. Paste the pre-install script:
#!/bin/bash
TENANT="<TENANT-ID>" # from Quilr support
printf '{"tenant_id":"%s","discover_skip":false}\n' "$TENANT" \
> /tmp/quilr-endpoint-agent.json
exit 0Audit script (exit 0 = healthy)
#!/bin/bash
APP="/Applications/QuilrAIProxy.app"
PLIST="/Library/LaunchDaemons/ai.quilr.sentinel.plist"
EXPECTED_VERSION="2026.05.08"
[ -d "$APP" ] || { echo "missing: $APP"; exit 1; }
[ -f "$PLIST" ] || { echo "missing: $PLIST"; exit 1; }
INSTALLED=$(defaults read "$APP/Contents/Info.plist" CFBundleShortVersionString 2>/dev/null)
[ "$INSTALLED" = "$EXPECTED_VERSION" ] || { echo "version drift"; exit 1; }
launchctl print system/ai.quilr.sentinel >/dev/null 2>&1 || { echo "daemon not loaded"; exit 1; }
exit 0Post-install script (optional)
#!/bin/bash
sleep 2
launchctl print system/ai.quilr.sentinel >/dev/null 2>&1 || {
echo "post-install: daemon not loaded — kickstarting"
sudo launchctl kickstart -k system/ai.quilr.sentinel
}
exit 0Assign the Custom App to your Blueprint; monitor per-device progress under Library Item → Status.
ManageEngine Endpoint Central — Windows (MSI)
Stage the bundle
Download quilr-endpoint-agent-win-install-bundle.zip and copy the files to a location Endpoint Central can reach — a UNC share (e.g. \\EPC-SERVER\SoftwareRepository\Quilr\) or the admin workstation for HTTP upload.
Add the MSI to the software repository
Software Deployment → Package Creation → Packages → Add Package → Windows. Name “Quilr Endpoint Agent,” type “MSI/MSP.” Locate the installable from the shared folder or local computer.
TENANTID=<TENANT-ID>. Without it the agent installs but cannot phone home — it sits idle. Leave MST File Name blank unless Quilr provides a transform. Architecture: 64-bit.Deploy CA certificates (optional)
The MSI writes the CAs automatically. To pre-stage them: Configurations → Add Configuration → Computer → Custom Script, name “Quilr CA Trust,” associate both .crt files:
certutil -addstore -f Root "%~dp0quilr-root-ca.crt"
certutil -addstore -f CA "%~dp0quilr-ea-intermediate-ca.crt"Target WIN-Quilr-Pilot and deploy.
Install MSI/EXE Software configuration
Configurations → Add Configuration → Computer → Install MSI/EXE Software, name “Quilr Endpoint Agent — Install.”
- Package Type: MSI · MSI Package Name: “Quilr Endpoint Agent”
- Operation Type: Install Completely · Install as: System User
- Allow user interaction: No (silent)
- Installation Option: “During or After Startup” · Reboot Policy: “Do not reboot”
- Target:
WIN-Quilr-Pilot→ Deploy
Force-install the browser extension (Edge & Chrome)
Because the agent excludes msedge.exe and chrome.exe, deploy the extension via Registry configurations. Obtain the exact extension IDs/URLs from Quilr support.
| Browser | Registry key & value |
|---|---|
| Edge | HKLM\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist → value 1 (REG_SZ) = <edge-ext-id>;https://edge.microsoft.com/extensionwebstorebase/v1/crx |
| Chrome | HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist → value 1 (REG_SZ) = <chrome-ext-id>;https://clients2.google.com/service/update2/crx |
Verify in edge://extensions / chrome://extensions: extension present, enabled, “Installed by your organization.”
Validate after MDM rollout
Whichever platform you used, repeat the validation on a pilot device — install vector changed, runtime expectations didn’t. The full check-list (Console-side validation + on-device badges + functional tests) lives in Step 6 · Verify MDM Install. Promote pilot → production only after every check is green.