Build your install command
Generate an ingest key on the Setup tab of the Velatir dashboard. The same key works for every device.Deploy with your MDM
Microsoft Intune (Windows)
Microsoft Intune (Windows)
- Go to Apps → All apps → Add, choose Line-of-business app, and upload the MSI from the builder above.
- Under App information → Command-line arguments, paste the Intune arguments from the builder.
- Assign to your device groups in Required mode. Intune handles elevation.
Jamf Pro (macOS)
Jamf Pro (macOS)
- Upload the PKG from the builder under Packages and deploy it with a policy scoped to your Macs (Recurring Check-in, Once per computer).
- Add a configuration profile, scoped to the same Macs, with two payloads:
- Application & Custom Settings → preference domain
com.velatir.agent, keyApiKeyset to your ingest key. This is the macOS equivalent of the MSI’sINGEST_KEY; update it later to rotate the key with no reinstall. - System Extensions → allow Team Identifier
AA7QLU3S4R(Network Extension), so the agent activates with no end-user prompt.
- Application & Custom Settings → preference domain
Microsoft Intune (macOS)
Microsoft Intune (macOS)
- Upload the PKG from the builder under Apps → macOS → Add → Line-of-business app, assigned Required.
- In Devices → Configuration, scope a profile to the same devices that:
- sets the
com.velatir.agentpreferenceApiKeyto your ingest key (the macOS equivalent of the MSI’sINGEST_KEY, updatable to rotate the key with no reinstall), and - allows the system extension with Team Identifier
AA7QLU3S4R(System Extensions).
- sets the
SCCM and other tools
SCCM and other tools
Any tool that runs
msiexec (Windows) or installer (macOS) works: use the command from the builder above. For a Windows detection rule, check for the VelatirAgent service or the install path C:\Program Files\Velatir\.macOS never installs a certificate through MDM: Velatir generates a unique CA on each device, so there is no shared root to distribute.
Reference
MSI properties (Windows)
MSI properties (Windows)
| Property | Required | Description |
|---|---|---|
INGEST_KEY | Recommended | Stages the ingest key at install time. Hidden from MSI logs. (VELATIR_API_KEY is accepted as a deprecated alias.) |
VELATIR_HIDE_TRAY | No | Set to 1 to hide the system-tray icon. Windows only; on macOS use velatir hide. velatir show reverses it at runtime. |
VELATIR_BYO_CA_PATH | No | Path to a PFX bundle for bring-your-own-CA installs. |
VELATIR_BYO_CA_PASSWORD | No | Password for the PFX bundle above. |
Rotate the ingest key
Rotate the ingest key
Windows. Redeploy with the new key in the command-line arguments. The host restarts and picks it up.macOS. Update the
ApiKey value in the com.velatir.agent managed preference in your MDM. Devices apply it on the next check-in, with no reinstall.Monitor the fleet
Monitor the fleet
Run
velatir status --json as a Microsoft Intune Remediation or a Jamf Pro extension attribute. It reports client state, version, and the last trace timestamp, so you can spot drift across the fleet from your dashboard.Pin a version
Pin a version
Velatir auto-updates by default. To coordinate updates with your own change-management process, contact support to enable a per-tenant update channel.
Bring your own CA
Bring your own CA
Supply your own certificate authority instead of the Velatir-issued one. See Bring your own certificate for the format, distribution, and rotation.
Next steps
Permissions
What the installer asks for on each platform.
Health checks
Monitor agent and capture health across the fleet.
VPN compatibility
Behaviour alongside corporate VPNs.
Troubleshooting
Diagnose failures during scaled rollouts.