Deploy Watchman Monitoring as a Custom App

By Jonathan Connor

Use this guide to deploy the Watchman Monitoring client as a custom app from your Kandji instance.

Depending on the App product and version installed, the app path, privacy access, and kernel or system extension requirements may change. As with all Custom Apps, we urge you to test this thoroughly before deploying to a Mac that is in production.


  • Download the Watchman Monitoring client installer package for Mac from your Watchman portal ([your_subdomain]

  • Copy the watchman_client_ae_script.zsh script from the Kandji support GitHub repository (GitHub Link).

  • Download the watchman_monitoring_service_management.mobileconfig file from the Kandji support GitHub repository (GitHub Link). You can right-click the link and select Save link as download the mobileconfig file directly.
    • This configuration profile allows managed background items for Watchman Monitoring.

Configure the Service Management Profile

  1. Give the profile a Name.

  2. Assign your custom profile to the same test Blueprint as above.

  3. For Install on, select Mac.

  4. When adding this profile, add an Assignment Rule to only apply the profile to computers where the macOS Version is greater than or equal to 13, as shown below.

  5. Upload the service management profile that you downloaded previously from GitHub.

  6. Save your custom profile.

Using an Assignment Rule for the service management payload ensures this payload is only deployed to Mac computers running macOS Ventura or later. The audit and enforcement script provided by Kandji only checks for the presence of the service management payload on macOS Ventura or later.

Custom app

The steps below will deploy the Watchman Monitoring client and register the Mac to the default [Blank] group. See the Adding devices to a specific Watchman group section for the steps needed to add a Mac to a specific group in the Watchman Monitoring console.

  1. Create a Custom App in Kandji by going to Library > Add New > Custom App > Add & Configure.

  2. Give the Custom App a name. Example: Watchman client. Optionally, add a custom icon

  3. Assign to a test blueprint.

  4. Change the installation type to Audit and Enforce.

  5. Copy and paste the watchman_client_ae_script.zsh script from earlier into the Audit & Enforce text box. No modification is needed.

    • The script looks for the following profile identifier and the name of the installed Sophos app before attempting to install the app. If you would like to use this script with another profile, update the profile identifier prefix information to match what is in your profile.
      Background Service Management Profile: io.kandji.watchman-monitoring.service-management
      App name: "MonitoringClient"
  6. Select Installer Package (install .pkg or .mpkg) as the deployment type

  7. Upload the installer package.

  8. Click Save

Adding devices to a specific Watchman group

If you want the Mac computer to register to a specific group in the Watchman Monitoring console, you can use a preinstall script to achieve this.

  1. Click Add Preinstall Script and paste the preinstall script from below.

  2. Update the ENTER_GROUP_NAME variable appropriately.

  3. Click Save.

Preinstall Script

#!/usr/bin/env zsh

# Preinstall script for Watchman client

# Define the Watchman group name that the Mac should be added to

# Write the group name to the client settings file.
/bin/echo "Setting group to: $GROUP_NAME"
/usr/bin/defaults write /Library/MonitoringClient/ClientSettings ClientGroup -string "$GROUP_NAME"

exit 0