There are two phases:
Apple Business Manager (ABM) — acquire licenses and download the location (.vpptoken) file.
Your MDM — upload the token and deploy the app as a required, device-licensed managed app using a DDM declaration. Examples use Jamf Pro; other DDM-aware MDMs follow the same model.
Prerequisites
Your organization is enrolled in Apple Business Manager with a role of Content Manager or Administrator.
Target Macs are supervised — enrolled via Automated Device Enrollment (ADE) from ABM. User-approved (BYOD) enrollment is not supported for silent install.
Target Macs run macOS 14 or later (macOS 15+ recommended for full Safari Extension management support).
Your MDM is DDM-aware — Jamf Pro 11.x or later, Kandji, Mosyle, Intune (recent versions), or equivalent.
Part 1 — Apple Business Manager
Step 1. Locate the Nudge Security app in ABM
Sign in to Apple Business Manager at business.apple.com.
In the sidebar, select Apps and Books.
In the left-hand filters, choose Custom Apps. The Nudge Security app appears here because it is privately distributed to your organization, not on the public Mac App Store.
Select Nudge Security from the list.
Step 2. Buy licenses
Under Buy Licenses, choose the Location that will own the licenses. Licenses are scoped per location.
Enter the quantity needed (one license per device). Set Assign to to your selected Location.
Click Get to complete the order. Licenses appear in your tenant within a few minutes.
Step 3. Download the location token (.vpptoken)
Click your name in the top-right corner, then choose Preferences.
Open the Payments and Billing section, then select Apps and Books.
Locate your Location under Content Tokens and click Download. This produces a .vpptoken file.
Important
A .vpptoken can only be bound to one MDM at a time. If your token is already in use by another MDM, re-downloading it will invalidate the existing binding. Always re-download the token after revoking or rotating it.
Store the token securely — it grants license-assignment authority for the Location it represents.
Part 2 — MDM Configuration (Jamf Pro example)
The steps below describe Jamf Pro 11.x. Other DDM-aware MDMs (Kandji, Mosyle, Intune, Hexnode) follow the same pattern: upload the token, sync the app catalog, then deploy the app as a device-licensed managed app with Required install behavior.
Step 4. Upload the .vpptoken to your MDM
In Jamf Pro, navigate to Settings → Global → Volume Purchasing.
Click New, give the token a display name (e.g., "Nudge Security — Production"), and upload your .vpptoken file.
Save.
Jamf will sync with ABM and pull the purchased license count. Verify the synced count matches what you bought in ABM.
Step 5. Add the Nudge Security app to Jamf
The Nudge Security app is distributed as a Custom App through Apple Business Manager ("Private — Available as a custom app on Apple Business Manager"). Custom Apps use the same Mac App Store delivery path as public apps, so the Jamf workflow is the same — but the app will not appear in a public App Store search. It is surfaced into Jamf through the VPP token sync you completed in Step 4.
Go to Computers → Mac Apps, then click New.
Select Mac App Store app and click Next. This is the correct option for Custom Apps.
Search for Nudge Security. The app appears in the results because your VPP token includes licenses for it. Select it and click Add.
If Nudge Security does not appear in search
The VPP token has not yet synced the Custom App into Jamf's catalog. Go to Settings → Global → Volume Purchasing, open the token you uploaded, and trigger a manual sync. Wait a few minutes, then retry the search.
Confirm in Apple Business Manager that licenses were purchased and assigned to the correct Location — the one tied to the .vpptoken now in Jamf.
Step 6. Configure for force (silent) install
On the app's General tab, set each option exactly as listed below. These settings are what trigger Jamf to deliver the app as a Declarative Device Management (DDM) configuration with Required install behavior.
Setting | Value |
Distribution Method | Install Automatically/Prompt Users → Install Automatically |
Assign to | Device-based assignments (not user-based) |
Make app managed when possible | Enabled |
Remove app when MDM profile is removed | Enabled (optional, recommended) |
Convert unmanaged to managed | Enabled |
Use DDM to install apps | Enabled (Jamf 11.5+) |
Why these matter: Device-based assignment lets the MDM install the app silently from a license bound to the device serial number, with no per-user install action required. Install Automatically (vs. Prompt Users) suppresses the user prompt. Enabling DDM delivery routes the install through com.apple.configuration.app.managed with InstallBehavior = Required, which gives the app force-install semantics on supervised devices.
Step 7. Scope to your supervised devices
Switch to the Scope tab.
Add a Smart Group or static group that contains only supervised, ADE-enrolled Macs. A typical Smart Group criterion: Enrollment Method like "PreStage enrollment".
Save. Jamf will assign a device-based license to each in-scope Mac and deliver the install command at the next check-in.
Verification
On a target Mac, confirm the install was delivered via DDM and the app is managed. Open Terminal and run:
# Verify the device is supervised and ADE-enrolled
sudo profiles status -type enrollment
# Inspect active DDM declarations
sudo profiles status -type=management
Look for a declaration with a type of com.apple.configuration.app.managed referencing Nudge Security. Its status should be active: true and valid: valid. The app itself should appear in /Applications, and in System Settings → General → Device Management the app should be listed as a managed app.
Troubleshooting
Symptom | Likely cause |
User is prompted to sign in with an Apple Account before install. | License was assigned as user-based instead of device-based. Re-check the app's Distribution settings in your MDM. |
App downloads but is marked unmanaged. | Make app managed when possible is disabled, or the Mac is not supervised. |
App never appears on the device. | Device is out of scope, has no license available, or has not checked in. Force a check-in (sudo profiles renew -type enrollment) and confirm license counts in your MDM. |
Install Automatically option is greyed out. | Token is missing or the app catalog has not synced. Re-sync from your MDM's Volume Purchasing settings. |
Declaration shows valid: unknown in profiles status. | MDM uploaded the configuration via the legacy profile channel rather than DDM. Upgrade your MDM (Jamf 11.5+) or re-create the app definition with DDM delivery enabled. |
Part 3 — Deliver the Deployment Key
Installing the Nudge Security app from Parts 1 and 2 places the binary on the device, but the app needs an organization-specific deployment key to register with your Nudge Security tenant. The key is delivered as a Managed App Configuration profile, which the Nudge Security team provides as a .mobileconfig file (typically named safari-app-config-prod.mobileconfig).
Payload type:
com.apple.app.managed
Target app bundle ID:
com.nudgesecurity.extension
Step 8. Retrieve your deployment key
Sign in to the Nudge Security admin console at https://www.nudgesecurity.io.
Navigate to Settings → Extension (https://www.nudgesecurity.io/settings#extension).
Copy your deployment key. Treat this value as a secret — it authenticates devices into your tenant.
Step 9. Edit the configuration file
Open the .mobileconfig file from Nudge Security in any text editor and update the placeholder values:
<key>nudge-security-deployment-key</key>
<string>REPLACE_WITH_DEPLOYMENT_KEY</string>
<!-- Optional: pre-register a specific user email. -->
<!-- Remove these two lines if you do not need this. -->
<key>registered-user</key>
<string>REPLACE_WITH_MDM_EMAIL_VARIABLE</string>
Replace REPLACE_WITH_DEPLOYMENT_KEY with the value from Step 8.
If you do not need to pre-register a specific user, delete both the registered-user key and its <string> value.
Otherwise, replace REPLACE_WITH_MDM_EMAIL_VARIABLE with your MDM's variable for the assigned user's email address. Your MDM substitutes the variable for the user's actual email before the profile is delivered to each device, so a single template serves your whole fleet. The syntax depends on which MDM you use:
MDM | Replace with |
Jamf Pro | $EMAIL |
Microsoft Intune | {{mail}} |
Kandji | $EMAIL |
Mosyle | %Email% |
Workspace ONE / Omnissa | {EmailAddress} |
Cisco Meraki Systems Manager | $OWNEREMAIL |
For example, a Jamf Pro–targeted file would read:
<key>registered-user</key>
<string>$EMAIL</string>
And for Microsoft Intune:
<key>registered-user</key>
<string>{{mail}}</string>
You can also hardcode a specific address (e.g. <string>jane.doe@example.com</string>) if you only need to register one user.
Save the file. Do not modify the PayloadUUID values unless you are creating a unique copy per environment.
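A pre-upload check for the file edited in Step 9, added here as an example and not part of Nudge Security's or Jamf's tooling. It searches the whole plist for the two keys and for leftover REPLACE_WITH_ placeholders; the sample profile, including its "Settings" nesting, is constructed for the demonstration and the vendor file may be laid out differently.

```python
import plistlib

KEY_NAME = "nudge-security-deployment-key"
USER_NAME = "registered-user"
# Email variables from the MDM table above.
MDM_EMAIL_VARIABLES = {"$EMAIL", "{{mail}}", "%Email%", "{EmailAddress}", "$OWNEREMAIL"}


def walk(node, path=""):
    """Yield (path, key, value) for every dict entry at any nesting depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield path, key, value
            yield from walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from walk(item, f"{path}[{index}]")


def lint_profile(data: bytes) -> list[str]:
    """Return findings; an empty list means the file is ready to upload.

    Findings name locations only, so the deployment key never reaches a log.
    """
    profile = plistlib.loads(data)
    entries = list(walk(profile))
    findings = [f"placeholder left in {path}/{key}"
                for path, key, value in entries
                if isinstance(value, str) and "REPLACE_WITH_" in value]
    keys = [value for _, key, value in entries if key == KEY_NAME]
    if not keys:
        findings.append(f"{KEY_NAME} is missing")
    elif any(not isinstance(v, str) or not v.strip() for v in keys):
        findings.append(f"{KEY_NAME} is empty")
    for _, key, value in entries:
        text = str(value)
        if key == USER_NAME and "REPLACE_WITH_" not in text:
            if text not in MDM_EMAIL_VARIABLES and "@" not in text:
                findings.append(f"{USER_NAME} is neither an MDM variable nor an email address")
    if profile.get("PayloadScope") != "System":
        findings.append("PayloadScope is not System (expected for Computer Level)")
    return findings


def sample_profile(deployment_key, user=None):
    """Constructed stand-in for the vendor file; real nesting may differ."""
    settings = {KEY_NAME: deployment_key}
    if user is not None:
        settings[USER_NAME] = user
    payload = {"PayloadType": "com.apple.app.managed", "Settings": settings}
    return plistlib.dumps({"PayloadScope": "System", "PayloadContent": [payload]})
```

To check a real file, pass its bytes: lint_profile(open(path, "rb").read()).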
Step 10. Upload the profile to Jamf Pro
In Jamf Pro, navigate to Computers → Configuration Profiles.
Click Upload in the top-right corner and select the edited .mobileconfig file.
Jamf parses the profile and pre-fills the General and Application & Custom Settings panes. Review and adjust:
Name: Nudge Security — App Configuration (Prod) (or your preferred convention)
Category: assign to an existing category (e.g., Security)
Distribution Method: Install Automatically
Level: Computer Level (matches the PayloadScope: System in the file)
Open the Scope tab. Add the same Smart Group used in Part 2, Step 7 — the supervised, ADE-enrolled Macs that received the app install.
Click Save. Jamf delivers the profile at each in-scope device's next check-in.
Important — the host app must launch once
Managed App Configuration values are passed from macOS to the Safari Web Extension via the host app. The extension only picks up the deployment key the first time the Nudge Security host app is launched after the profile is installed.
Most users will not open the app on their own. To force this without user action, deploy a small Jamf policy scoped to the same Smart Group that runs once at the next check-in:
open -gj "/Applications/Nudge Security.app"
The -g flag launches the app without bringing it to the foreground; -j launches it hidden. The app self-terminates after propagating the configuration.
Verify on a target Mac
After the profile reaches a target device and the host app has launched once, confirm the configuration was applied:
# Confirm the configuration profile is installed
sudo profiles list -type configuration | grep -i nudge
# Inspect the values delivered to the app
defaults read com.nudgesecurity.extension
The output should include nudge-security-deployment-key and, if configured, registered-user. The Safari extension is now able to register with your tenant on first activation.
Part 4 — Auto-enable the Safari Extension (Optional)
By default, Safari requires the user to enable a newly installed extension manually in Safari Settings → Extensions. To skip that user step entirely, deploy the Safari Extension Settings declaration provided separately by Nudge Security (typically named safari-extension-settings-prod.mobileconfig).
Payload type: com.apple.configuration.safari.extensions.settings
Requires: macOS 15 or later on a supervised device.
Deployment in Jamf follows the same flow as Part 3:
In Jamf Pro, go to Computers → Configuration Profiles and click Upload.
Select the safari-extension-settings-prod.mobileconfig file. No editing is required — the file ships with the production extension's bundle and team identifiers pre-populated.
Set Distribution Method to Install Automatically and Level to User Level. Safari extension enablement is per-user on macOS, so this profile must target the user channel — not the device channel.
Scope to the same Smart Group used in Parts 2 and 3, then Save.
Common pitfall — User Level vs. Computer Level
If this profile is saved at Computer Level, the device will accept it without error but Safari will ignore the extension state portion. The user must still toggle the extension on manually. Always set Level: User for the Safari Extension Settings profile.
End-to-end verification
On a target Mac running macOS 15 or later, after all four parts are deployed:
The Nudge Security app appears in /Applications and is listed as a managed app in System Settings → General → Device Management.
Opening Safari → Settings → Extensions shows the Nudge Security extension with a managed badge and an enabled state that the user cannot toggle off.
Within a few minutes of the first Safari launch, the device appears in your Nudge Security admin console under Browser Extensions, registered to the email in registered-user (if configured) or to the user who first opened Safari.