Step 1 — generate the org install token
/admin/install-tokens → Generate. The token is install_only-scoped — it can ONLY call /v1/install/* endpoints. Even if it leaks from a laptop's /etc/genzagents.env, it can't read receipts, can't register agents, and can't do anything except configure tools on that user's laptop. Minimal blast radius.
Step 2 — pick your MDM template
/integrations/mdm shows ready-to-deploy templates: JAMF policy XML, Intune PowerShell script, Workspace ONE configuration profile. Each template installs @genzagentsio/setup via npm, writes /etc/genzagents.env with the install token, and runs the setup CLI.
Step 3 — pilot with 5 engineers
Deploy to a smart group of 5 trusted engineers first. Verify: GenZAgents shows up in Claude Desktop / Cursor / Cline (or whichever AI tools they use). Verify: receipts flowing on /dashboard. Verify: no breakage of existing MCP servers or other workflows. Standard pilot validation.
Step 4 — full rollout
Once the pilot validates: extend to the full smart group. Monitor /admin/install-fleet for completion — it should show 200 laptops registered within 24-48 hours (limited by MDM sync cadence, not our side). Standard MDM rollout pace.
Step 5 — ongoing operations
Token rotation: update MDM secret quarterly, re-push. Install fleet audit: /admin/install-fleet weekly for laptops not reporting (decommissioned / out of sync / error states). Tier upgrades: handled per-org-token (the token tier determines the org's available features).
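As an added example, not the project's own MDM template, here is a POSIX shell fragment a post-install script could use for the /etc/genzagents.env step in Steps 2 and 5: it writes the file owner-only and atomically, so a leaked token requires root on the laptop rather than any local account, and it re-checks the file on the next push. The variable name GENZAGENTS_INSTALL_TOKEN, the 0600 mode and the token character set are assumptions; the page specifies none of them.

```shell
#!/bin/sh
# Added example (not from the GenZAgents templates). Assumptions: the setup
# CLI reads GENZAGENTS_INSTALL_TOKEN from the env file, and 0600 root-owned
# is acceptable because the MDM agent runs the setup step as root.

# write_env_file PATH TOKEN
# Creates PATH with mode 0600 via a temp file + rename, so no reader ever
# sees a half-written or world-readable file.
write_env_file() {
  path="$1"
  token="$2"
  case "$token" in
    ""|*[!A-Za-z0-9._-]*)
      echo "refusing: token empty or contains unexpected characters" >&2
      return 1 ;;
  esac
  dir=$(dirname "$path")
  old_umask=$(umask)
  umask 077                         # any file we create is owner-only
  tmp=$(mktemp "$dir/.genzagents.env.XXXXXX") || { umask "$old_umask"; return 1; }
  printf 'GENZAGENTS_INSTALL_TOKEN=%s\n' "$token" > "$tmp"
  mv -f "$tmp" "$path"              # rename is atomic on the same filesystem
  umask "$old_umask"
}

# check_env_file PATH
# Returns 0 only if PATH exists, is exactly -rw------- and holds a token.
# Run this from the weekly fleet audit job to catch drift (chmod by hand,
# a restore from backup with loose permissions, an empty file).
check_env_file() {
  path="$1"
  [ -f "$path" ] || { echo "missing: $path" >&2; return 1; }
  mode=$(ls -ld "$path" | cut -c1-10)     # portable across macOS and Linux
  [ "$mode" = "-rw-------" ] || { echo "bad mode $mode on $path" >&2; return 1; }
  grep -q '^GENZAGENTS_INSTALL_TOKEN=..*$' "$path" \
    || { echo "no token in $path" >&2; return 1; }
}
```

The token value the MDM injects is a constructed placeholder in any test; the real install_only token comes only from /admin/install-tokens.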
Engineer experience
Engineers see GenZAgents configured the morning after the MDM push. They don't need to enter anything; the agent DID + API key were configured by the install token flow. They open their normal AI tool; receipts start flowing. Zero friction by design.