Overview

The Velatir desktop client is built for organisation-wide rollouts. This page covers silent installation, MDM integration with Microsoft Intune and Jamf Pro, bring-your-own-CA distribution, and version pinning. On MDM-enrolled Macs, a signed Configuration Profile pre-installs the Velatir root CA, the API key, and the network extension allowlist, so the package itself can install with no end-user prompts. On Windows, the same outcome is achieved by setting MSI properties on the deployment policy. For single-device installation, see Download and install instead.

Prerequisites

  • Administrator access to your MDM platform (Microsoft Intune, Jamf Pro, or equivalent)
  • A Velatir project API key from Dashboard > Settings > API Keys
  • Network reachability from managed devices to api.velatir.com and Velatir’s update storage

Installer Details

| Platform | Artefact | Architecture |
| --- | --- | --- |
| Windows | Velatir-Bootstrap-<arch>.msi | x64, arm64 (separate packages per architecture) |
| macOS | Velatir-Bootstrap-macos-<arch>.pkg | Apple Silicon and Intel (separate packages per architecture) |

The Windows installer is signed with Velatir’s DigiCert KeyLocker certificate. The macOS installer is signed with Velatir’s Apple Developer ID and notarised by Apple. Both installers are intentionally small. At first run the bundled agent downloads the rest of the application from Velatir’s distribution storage and stages it in a versioned directory.

Download URLs

Each URL serves the latest published version. Pin to a specific version by replacing latest with the version string if your change-management process requires it.

| Asset | URL |
| --- | --- |
| Windows MSI (x64) | https://releases.velatir.com/velatir-agents/windows-x64/latest/Velatir-Bootstrap-x64.msi |
| Windows MSI (arm64) | https://releases.velatir.com/velatir-agents/windows-arm64/latest/Velatir-Bootstrap-arm64.msi |
| macOS package (Apple Silicon) | https://releases.velatir.com/velatir-agents/macos-arm64/latest/Velatir-Bootstrap-macos-arm64.pkg |
| macOS package (Intel) | https://releases.velatir.com/velatir-agents/macos-x64/latest/Velatir-Bootstrap-macos-x64.pkg |

MSI Properties (Windows)

| Property | Required | Description |
| --- | --- | --- |
| VELATIR_API_KEY | Recommended | Stage the API key at install time. Hidden from MSI logs. |
| VELATIR_BYO_CA_PATH | No | Path to a PFX bundle deployed alongside the MSI for bring-your-own-CA installations. |
| VELATIR_BYO_CA_PASSWORD | No | Password for the PFX bundle above. |

Package Parameters (macOS)

The macOS package supports three silent-configuration paths, checked in this order at install time. A Configuration Profile is the recommended path because it eliminates every installer prompt on MDM-enrolled devices and supports key rotation without reinstall.

| Method | Recommended for | Behaviour |
| --- | --- | --- |
| Configuration Profile with com.apple.ManagedClient.preferences payload (domain com.velatir.agent) | Organisation-wide MDM rollouts | Provisions ApiKey and ApiBaseUrl to /Library/Managed Preferences/. The agent reads this on every start and prefers it over the local settings file, so profile updates rotate the key without reinstalling the package. |
| /var/tmp/velatir-bootstrap.config (key=value file pre-staged before installer) | MDM platforms that run a pre-install script before the package | One-time configuration written into /Library/Application Support/Velatir/appsettings.local.json during install. The preinstall script reads the file and deletes it. |
| Environment variables on installer | Ad-hoc unattended installs from the command line | One-time configuration written into the same settings file. |

Recognised keys are the same across all three paths:

| Key | Required | Description |
| --- | --- | --- |
| VELATIR_API_KEY | Recommended | The project API key from the Velatir dashboard. |
| VELATIR_API_BASE_URL | No | Override the backend URL. Defaults to https://api.velatir.com/api/v1. |

Unattended Command-Line Install

sudo VELATIR_API_KEY=vltr_your_api_key_here \
     installer -pkg Velatir-Bootstrap-macos-arm64.pkg -target /
Or pre-stage a configuration file before invoking installer:
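# Create the file readable by root only before writing the API key into it.
sudo touch /var/tmp/velatir-bootstrap.config && sudo chmod 600 /var/tmp/velatir-bootstrap.config
sudo tee /var/tmp/velatir-bootstrap.config > /dev/null <<'EOF'
VELATIR_API_KEY=vltr_your_api_key_here
VELATIR_API_BASE_URL=https://api.velatir.com/api/v1
EOF
sudo installer -pkg Velatir-Bootstrap-macos-arm64.pkg -target /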
If none of the three paths supplies a key, the package installs without configuration and an operator can run sudo velatir set-api-key --key vltr_... after install. The agent reports ApiKey missing until configured.

Microsoft Intune (Windows)

Deploy as a Line-of-Business app or as a Win32 app for richer detection logic. The Line-of-Business path is the simplest and is recommended for most organisations.

Line-of-Business App

Upload the MSI

Sign in to the Microsoft Intune admin centre, then go to Apps > All apps > Add. Select Line-of-Business app as the app type and upload the MSI that matches your fleet architecture (Velatir-Bootstrap-x64.msi or Velatir-Bootstrap-arm64.msi).

Configure app information

Fill in:
  • Name: Velatir for Desktop Applications
  • Description: Velatir AI compliance desktop agent
  • Publisher: Velatir
  • Ignore app version: No
In Command-line arguments, stage the API key:
/qn VELATIR_API_KEY="vltr_your_api_key_here"

Assign to device groups

On the Assignments tab, add the device groups you want to deploy to. The MSI requires administrator rights on the device; Intune handles elevation automatically when assigned in Required mode.

Verify deployment

On a target device, after the next Intune sync, confirm with:
velatir status
velatir version
A successful deployment shows the agent and host running, transparent proxy active, and a masked API key matching the value provided.

Rotating the API Key

To rotate the API key, update the Command-line arguments with the new value and redeploy. The MSI overwrites the existing key and restarts the host:
/qn VELATIR_API_KEY="vltr_new_key_here"

Configuration Profile (macOS)

A single signed .mobileconfig profile carries everything the desktop client needs to deploy with no installer prompts: root CA trust, the API key, and pre-approval for the network system extension. Push the profile through your MDM platform alongside the .pkg. On MDM-enrolled devices the profile installs silently; the agent then reads its configuration from the managed preferences domain on first launch.

Profile Payloads

| Payload Type | Purpose |
| --- | --- |
| com.apple.security.root | Trusts the Velatir root CA in the System keychain. Eliminates the “changes to System Certificate Trust” prompt during install. |
| com.apple.ManagedClient.preferences (domain com.velatir.agent) | Provisions ApiKey and ApiBaseUrl as managed preferences. Updates propagate without reinstalling the package. |
| com.apple.system-extension-policy | Pre-approves the Velatir network extension by Team Identifier. Eliminates the system extension approval prompt for end users. |

Profile Template

The skeleton below covers the root CA payload and the managed preferences payload. Replace each PayloadUUID with a fresh value from uuidgen, embed the base64-encoded Velatir root CA, and substitute your API key.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadIdentifier</key>
    <string>com.velatir.desktopapp.mdm</string>
    <key>PayloadUUID</key>
    <string>REPLACE-WITH-UUIDGEN</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadOrganization</key>
    <string>Your Organisation</string>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadType</key>
            <string>com.apple.security.root</string>
            <key>PayloadIdentifier</key>
            <string>com.velatir.desktopapp.mdm.rootca</string>
            <key>PayloadUUID</key>
            <string>REPLACE-WITH-UUIDGEN</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>PayloadCertificateFileName</key>
            <string>velatir-root.cer</string>
            <key>AllowAllAppsAccess</key>
            <true/>
            <key>PayloadContent</key>
            <data>BASE64_OF_VELATIR_ROOT_CA_DER</data>
        </dict>
        <dict>
            <key>PayloadType</key>
            <string>com.apple.ManagedClient.preferences</string>
            <key>PayloadIdentifier</key>
            <string>com.velatir.desktopapp.mdm.preferences</string>
            <key>PayloadUUID</key>
            <string>REPLACE-WITH-UUIDGEN</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>PayloadContent</key>
            <dict>
                <key>com.velatir.agent</key>
                <dict>
                    <key>Forced</key>
                    <array>
                        <dict>
                            <key>mcx_preference_settings</key>
                            <dict>
                                <key>ApiKey</key>
                                <string>vltr_your_api_key_here</string>
                                <key>ApiBaseUrl</key>
                                <string>https://api.velatir.com/api/v1</string>
                            </dict>
                        </dict>
                    </array>
                </dict>
            </dict>
        </dict>
    </array>
</dict>
</plist>
The Velatir root CA ships inside the package payload as velatir-root.cer and is published alongside the package. Base64-encode the DER form to embed it in the profile:
base64 -i velatir-root.cer | tr -d '\n'
To add the system extension pre-approval payload, append the following dictionary to the PayloadContent array. Velatir’s Team Identifier is AA7QLU3S4R.
<dict>
    <key>PayloadType</key>
    <string>com.apple.system-extension-policy</string>
    <key>PayloadIdentifier</key>
    <string>com.velatir.desktopapp.mdm.sysext</string>
    <key>PayloadUUID</key>
    <string>REPLACE-WITH-UUIDGEN</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>AllowUserOverrides</key>
    <false/>
    <key>AllowedSystemExtensionTypes</key>
    <dict>
        <key>AA7QLU3S4R</key>
        <array>
            <string>NetworkExtension</string>
        </array>
    </dict>
</dict>
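
A filled-in profile can be checked for leftover template placeholders before it is signed. The Python linter below is an added example, not Velatir's code: `lint_profile` and `sample_profile` are hypothetical names, the sample profile is constructed, and the root CA check only confirms that the payload begins like DER, not that it is Velatir's certificate.

```python
import plistlib
import uuid

PLACEHOLDER_KEY = "vltr_your_api_key_here"  # placeholder string from the template
VELATIR_TEAM_ID = "AA7QLU3S4R"              # Team Identifier stated on this page

def lint_profile(raw: bytes) -> list:
    """Return problems found in an unsigned .mobileconfig; an empty list means OK."""
    try:
        profile = plistlib.loads(raw)
        payloads = profile.get("PayloadContent", [])
    except Exception as exc:  # malformed XML, undecodable <data>, or non-dict root
        return [f"not a usable profile plist: {exc}"]
    problems, seen = [], set()
    for item in [profile, *payloads]:  # the outer profile and each payload carry a UUID
        value = str(item.get("PayloadUUID", ""))
        try:
            canonical = str(uuid.UUID(value))
        except ValueError:
            canonical = None  # e.g. the REPLACE-WITH-UUIDGEN placeholder
        if canonical is None or canonical in seen:
            problems.append(f"PayloadUUID {value!r} is invalid or reused")
        seen.add(canonical)
    for p in payloads:
        kind, content = p.get("PayloadType"), p.get("PayloadContent")
        if kind == "com.apple.security.root":
            # A DER certificate is an ASN.1 SEQUENCE, so its first byte is 0x30.
            if not isinstance(content, bytes) or content[:1] != b"\x30":
                problems.append("root CA payload is not DER certificate data")
        elif kind == "com.apple.ManagedClient.preferences":
            for entry in (content or {}).get("com.velatir.agent", {}).get("Forced", [{}]):
                prefs = entry.get("mcx_preference_settings", {})
                if prefs.get("ApiKey", PLACEHOLDER_KEY) == PLACEHOLDER_KEY:
                    problems.append("ApiKey is missing or still the placeholder")
        elif kind == "com.apple.system-extension-policy":
            allowed = p.get("AllowedSystemExtensionTypes", {}).get(VELATIR_TEAM_ID, [])
            if "NetworkExtension" not in allowed:
                problems.append("NetworkExtension is not allowed for Velatir's Team ID")
    return problems

def sample_profile(api_key: str, fresh_uuids: bool) -> bytes:
    """Constructed input shaped like the template above; the CA bytes are fake."""
    new_id = lambda: str(uuid.uuid4()) if fresh_uuids else "REPLACE-WITH-UUIDGEN"
    forced = [{"mcx_preference_settings": {"ApiKey": api_key}}]
    return plistlib.dumps({"PayloadUUID": new_id(), "PayloadContent": [
        {"PayloadType": "com.apple.security.root", "PayloadUUID": new_id(),
         "PayloadContent": b"\x30\x82\x01\x0a" + bytes(16)},
        {"PayloadType": "com.apple.ManagedClient.preferences", "PayloadUUID": new_id(),
         "PayloadContent": {"com.velatir.agent": {"Forced": forced}}}]})
```

Run it against the bytes of the unsigned velatir.mobileconfig and sign only when the returned list is empty.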

Signing the Profile

Sign the profile so your MDM platform deploys it without “unsigned profile” warnings:
security cms -S -N "Developer ID Application: Your Organisation" \
  -i velatir.mobileconfig \
  -o velatir-signed.mobileconfig
On Macs that are not enrolled in an MDM, end users must manually approve the profile in System Settings > Privacy & Security > Profiles. Apple removed the silent-install path for unenrolled devices in macOS 11, so silent profile install is only supported on MDM-enrolled Macs.

Jamf Pro (macOS)

Jamf Pro deploys the Velatir Configuration Profile first, then the signed PKG. Once both are scoped to the same device group, every new device receives the desktop client with no end-user interaction.

Upload and scope the Configuration Profile

In Jamf Pro, go to Computer Management > Configuration Profiles > Upload, then upload the signed velatir.mobileconfig from the previous section. Scope the profile to the device groups that will run Velatir. Use the Distribution Method Install Automatically so the profile lands before the package. The profile delivers the root CA trust, the API key, and the network extension allowlist in a single signed payload.

Upload the PKG

In Computer Management > Packages > New, upload the PKG that matches your fleet:
  • Velatir-Bootstrap-macos-arm64.pkg for Apple Silicon devices
  • Velatir-Bootstrap-macos-x64.pkg for Intel devices
Most fleets will need both packages. Use Jamf smart groups (scoped on Processor Type) to assign each package to the appropriate devices.

Create the install policy

Create a policy that installs the package on the same scope as the profile. Trigger on Recurring Check-in with execution frequency Once per computer. No additional script policy is required for staging the API key: the agent reads it directly from the managed preferences delivered by the Configuration Profile.

Verify deployment

On a target device, after the next Jamf check-in:
velatir status
velatir version
A successful deployment shows the agent and host running, the transparent proxy active, and a masked API key matching the value in the profile.

Rotating the API Key

Update the ApiKey string in the Configuration Profile and re-upload it. Devices apply the new profile on their next check-in and the agent picks up the rotated key on its next start. The package does not need to be reinstalled.

Microsoft Intune (macOS)

Intune deploys the same two artefacts: the Configuration Profile (as a Custom configuration profile) and the PKG (as a line-of-business app).

Push the Configuration Profile

In the Microsoft Intune admin centre, go to Devices > Configuration > Create > New policy. Choose macOS as the platform and Templates > Custom as the profile type. Upload the signed velatir.mobileconfig from the Configuration Profile section above. Assign to the device groups that will run Velatir.

Upload the PKG as a line-of-business app

Go to Apps > macOS > Add and choose Line-of-business app. Upload the PKG that matches your fleet:
  • Velatir-Bootstrap-macos-arm64.pkg for Apple Silicon devices
  • Velatir-Bootstrap-macos-x64.pkg for Intel devices
Fill in:
  • Name: Velatir for Desktop Applications
  • Publisher: Velatir
  • Ignore app version: No

Assign to device groups

Scope the app assignment to the same device groups that received the Configuration Profile. Use Required so devices install on their next sync. No additional configuration script is required: the agent reads the API key from the managed preferences delivered by the profile.

Verify deployment

After the next Intune sync, confirm with:
velatir status
velatir version

Bring Your Own Certificate Authority

Organisations that already operate an internal certificate authority can supply their own CA instead of using the Velatir-issued one. The desktop client uses it as the local MITM authority, so existing trust stores on managed devices do not need a new root. See the dedicated Bring Your Own Certificate page for the full setup, including the certificate format, single-device installation, Intune and Jamf Pro distribution, and rotation guidance.

Version Pinning

By default the agent applies new payloads automatically as they become available. For organisations that prefer to coordinate desktop-app updates with their own change-management process, contact support to enable a per-tenant update channel that the agent will use exclusively. This is the supported way to delay or stagger updates across the organisation.

Operational Recommendations

  • Pilot first. Deploy to a small ring (10–50 users covering representative AI tooling) for two weeks before fleet-wide rollout.
  • Monitor with velatir status --json. A simple Intune Remediation or Jamf extension attribute that runs velatir status --json on each check-in surfaces drift across the fleet.
  • Watch the dashboard, not the device. Once the desktop client is installed, all visibility flows through your Velatir dashboard. Local logs are useful for debugging individual machines, not for fleet health.
  • Rotate keys through the profile, not the package. On macOS, update the ApiKey value in the Configuration Profile and re-upload it. Devices apply the new managed preference on their next MDM check-in and the agent picks it up on its next start, without a package reinstall.
  • Document your CA story. If you use bring-your-own CA, ensure your IT runbooks describe how to rotate it; the desktop client will follow the rotation automatically but only if you redeploy the bundle.

Next Steps

Permissions

Detailed reference for the permissions the installer requests.

CLI reference

Reference for the velatir commands that read and rotate configuration.

Troubleshooting

Diagnose failures during scaled rollouts.

VPN compatibility

Behaviour alongside corporate VPNs.