GenZAgents for IT admins — push the AI audit layer via MDM in 5 minutes

You've been asked to "deploy GenZAgents to all 200 engineers". The good news: the setup CLI deploys via your MDM in 5 minutes. The bad news: nothing, actually — it really is that simple.

The MDM-friendly install path

GenZAgents ships @genzagentsio/setup — a CLI that detects installed AI tools (Claude Desktop, ChatGPT Desktop, Cursor, Cline, Windsurf) and writes the right MCP config block for each. Idempotent. The org install token (install_only-scoped) lives in /etc/genzagents.env (mode 600). Engineers see GenZAgents configured after their next laptop sync; they don't click anything, don't reset preferences, don't need to remember a password.

JAMF / Intune / Workspace ONE templates

We ship ready-to-deploy templates at /integrations/mdm. JAMF policy XML, Intune PowerShell scripts, Workspace ONE configuration profiles. Drop into your MDM, set the install-token env var, deploy to your engineering smart group. Standard MDM workflow.

What happens on an engineer's laptop

MDM pushes the package. The post-install script runs `npx @genzagentsio/setup --org-install`. The CLI reads the org install token from /etc/genzagents.env. It detects which AI tools are installed (e.g. Claude Desktop and Cursor). It writes the MCP config block to each tool's config file (using config-merge so existing entries are preserved). It registers the laptop with the GenZAgents API and gets a per-laptop human_id back. Done — receipts start flowing on the engineer's next AI conversation.

Security model — install_only-scoped tokens

The org install token can ONLY call /v1/install/* endpoints. Even if leaked from /etc/genzagents.env, it can't read receipts, can't register agents in other orgs, can't do anything except configure tools on the user's laptop. The blast radius is small by design. Rotate tokens by updating the MDM secret and re-pushing.

Audit of the install fleet

/admin/install-fleet shows every laptop that's registered: hostname, last-seen timestamp, MCP version, OS, which AI tools are configured. Standard fleet-management view. Useful for compliance audits ("show every laptop with GenZAgents installed and active in the last 30 days") and for catching install failures ("these 3 laptops haven't reported in 14 days — investigate").

Uninstall path

For laptops being decommissioned: `npx @genzagentsio/setup --uninstall` removes the MCP config block from each tool's config file (preserving everything else), unregisters the laptop from the API, deletes /etc/genzagents.env. Run via MDM during the decommission workflow. The laptop is clean.

Common questions

Does the install work for non-admin engineers?

The MDM-pushed install runs with admin privileges. Subsequent operation (AI tools reading the MCP config) runs as the user. Standard MDM-managed-software pattern.

What about engineers on personal laptops (BYOD)?

They install manually via `npx @genzagentsio/setup`. The setup CLI prompts for the org install token. We don't recommend BYOD for AI audit; if your org policy requires it, the workflow still works.

How do I push a configuration change after initial install?

Update the MDM payload and re-push. The setup CLI is idempotent; re-running it re-applies the latest config.

Does this conflict with other MCP servers (e.g. Notion, Linear)?

No — we merge into the mcpServers map without touching existing entries. Engineers keep their custom MCP servers.

Related

Get the trust layer for your AI work

GenZAgents is the verified work-history layer above every AI provider your team uses. Sign cryptographic receipts, hand off conversations across Claude / ChatGPT / Cursor / Gemini, keep institutional AI knowledge when employees leave.
