Enterprise MDM

Push GenZAgents to every laptop without touching a terminal.

Three templates for JAMF Pro, Microsoft Intune, and VMware Workspace ONE. Each pushes the MCP installer to every employee's machine using a scoped install-only token. After install, each employee signs in via SSO and gets their own per-user identity — per-employee attribution stays intact.

The flow

  1. IT admin generates an org install token at /settings/api-keys (Enterprise tier). The token starts with org_install_…

  2. IT pushes the chosen MDM template (below) to every managed device. The template references the token as an env var or MDM script parameter.

  3. On run, the installer auto-detects every AI tool the employee has installed and merges our MCP config into each one. It backs up existing configs to .bak files. It writes the install token only as a placeholder env var; the LITERAL install token is not what each tool ends up using once the employee signs in.

  4. The first time an employee opens an AI tool, the MCP server detects no per-user GENZAGENTS_API_KEY and opens a browser to sign in.

  5. The employee signs in via your org SSO (Google / Microsoft Entra / GitHub). They get their OWN sk_live_ key bound to their identity, scoped to your org.

  6. From here on, every receipt is attributed to that individual employee. The install token is no longer used — the per-user key takes over.

What the install token can — and can NOT — do

✓ The install token CAN

  • Hit the /v1/install/whoami endpoint to verify itself
  • Be used as the seed value the installer writes to the side-file (overwritten on first user sign-in)

✗ The install token CANNOT

  • Read any receipts
  • Issue any receipts
  • Read org analytics, billing, or user data
  • Authenticate to any endpoint outside /v1/install/*

Enforced server-side in services/api/src/middleware/auth.ts — every install_only-scoped key gets a 403 on every non-/v1/install/* path. If a laptop is stolen with an install token on it, the worst an attacker can do is configure their own machine to point at our API.
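The scope check described above, written out as an added illustration. This is not the project's services/api/src/middleware/auth.ts; the key table, the scope names (install_only, user) and the example token strings are constructed for this example. It shows the two decisions a reviewer would want to see: an install-only key is rejected with 403 on any path outside /v1/install/*, and the path prefix test is done on a normalised path so that a query string or a ".." segment cannot widen the allowed set.

```typescript
// Added example of install-only scope enforcement (not the project's own auth.ts).
// Key shapes, scope names and the lookup table below are assumptions.

type Scope = "install_only" | "user";

interface ApiKeyRecord {
  scope: Scope;
  orgId: string;
  revoked: boolean;
}

// Constructed key table standing in for the real key store.
const KEYS: Record<string, ApiKeyRecord> = {
  org_install_EXAMPLE1: { scope: "install_only", orgId: "org_acme", revoked: false },
  org_install_EXAMPLE2: { scope: "install_only", orgId: "org_acme", revoked: true },
  sk_live_EXAMPLE3: { scope: "user", orgId: "org_acme", revoked: false },
};

interface AuthResult {
  status: 200 | 401 | 403;
  reason: string;
  orgId?: string;
}

// Extract the token from "Authorization: Bearer <token>".
function parseBearer(header: string | undefined): string | null {
  if (!header) return null;
  const m = /^Bearer\s+(\S+)$/.exec(header.trim());
  return m?.[1] ?? null;
}

// True only for /v1/install and paths beneath it. The query string is dropped
// and traversal-looking segments are refused, so "/v1/install/../receipts" or
// "/v1/install/whoami?x=/v1/receipts" cannot be used to reach other routes.
function isInstallPath(rawPath: string): boolean {
  let path = rawPath.split("?")[0] ?? "";
  try {
    path = decodeURIComponent(path);
  } catch {
    return false; // malformed percent-encoding: refuse rather than guess
  }
  if (path.includes("..") || path.includes("//")) return false;
  return path === "/v1/install" || path.startsWith("/v1/install/");
}

// Decide whether a request may proceed. 401 for missing/unknown/revoked keys,
// 403 for a valid install-only key used outside its allowed prefix.
function authorize(authHeader: string | undefined, path: string): AuthResult {
  const token = parseBearer(authHeader);
  if (!token) return { status: 401, reason: "missing bearer token" };

  const rec = KEYS[token];
  if (!rec || rec.revoked) return { status: 401, reason: "unknown or revoked key" };

  if (rec.scope === "install_only" && !isInstallPath(path)) {
    // This is the event worth alerting on: an install token trying to reach
    // receipts, analytics or billing suggests the token left the MDM pipeline.
    return { status: 403, reason: "install_only key outside /v1/install/*", orgId: rec.orgId };
  }
  return { status: 200, reason: "ok", orgId: rec.orgId };
}
```

The 403 branch is the one to wire into audit logging: a valid install token being presented to anything other than the install endpoints is exactly the signal you would expect from a token lifted off a laptop, and counting those events per key gives you a cheap revocation trigger.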

Verify the token before fleet-wide deploy

Hit our token introspection endpoint to confirm the token is live and returns the right org name.

# Verify the token is live before deploying it widely
curl -s https://api.genzagents.com/v1/install/whoami \
  -H "Authorization: Bearer $ORG_INSTALL_TOKEN"
# Expected: {"ok":true,"data":{"orgName":"Acme Corp", ...}}

macOS · JAMF Pro

JAMF script

Per-user policy. Trigger on login or expose via self-service. Pass the install token as JAMF script parameter $4.

#!/bin/bash
# GenZAgents MCP installer — JAMF Pro policy script
# Run as: per-user policy, triggered on login or self-service

set -euo pipefail

# Push the org install token via JAMF script parameter $4
ORG_TOKEN="${4:?missing install token (set in JAMF script parameter 4)}"

# Run the installer in silent mode
GENZAGENTS_API_KEY="$ORG_TOKEN" \
  /usr/local/bin/npx -y @genzagentsio/setup --silent --yes

Windows · Microsoft Intune

Intune PowerShell script

Deploy as a Win32 app or platform script. The install token is pushed via the device's environment variable GENZAGENTS_INSTALL_TOKEN (set via Intune configuration profile).

# GenZAgents MCP installer — Microsoft Intune
# Win32 app · Detection rule: side-file presence

$ErrorActionPreference = "Stop"

# Token pushed to the device as the GENZAGENTS_INSTALL_TOKEN environment
# variable via an Intune configuration profile
$OrgToken = $env:GENZAGENTS_INSTALL_TOKEN
if ([string]::IsNullOrWhiteSpace($OrgToken)) {
    throw "GENZAGENTS_INSTALL_TOKEN is not set on this device; check the configuration profile"
}

# Run the installer in silent mode with the install token as the seed key
$env:GENZAGENTS_API_KEY = $OrgToken
& npx -y @genzagentsio/setup --silent --yes

macOS · VMware Workspace ONE

Workspace ONE profile

Push as a per-user macOS script profile.

<!-- VMware Workspace ONE UEM · Profile Script payload
     Push as a per-user macOS script. The profile must supply the install
     token in the script's environment as ORG_INSTALL_TOKEN. -->
<plist version="1.0">
  <dict>
    <key>RunOnce</key>
    <false/>
    <key>Script</key>
    <string>#!/bin/bash
set -euo pipefail
# Fail loudly if the profile did not provide the install token
: "${ORG_INSTALL_TOKEN:?ORG_INSTALL_TOKEN not set in the profile environment}"
GENZAGENTS_API_KEY="$ORG_INSTALL_TOKEN" \
  npx -y @genzagentsio/setup --silent --yes
</string>
  </dict>
</plist>

Notes

  • The installer is idempotent — re-running it changes nothing for tools that are already configured. Schedule it weekly if you want to catch new AI tools your employees install.
  • The installer never asks for sudo / admin. It only writes to user-owned paths under the employee's home directory.
  • If an employee changes laptops, just re-push the policy on the new device. The install token doesn't expire unless you revoke it.
  • Audit the installer source at github.com/genzagents/genzagents/tree/main/packages/installer before deploying.
  • For ChromeOS / Linux fleets, the same npx @genzagentsio/setup command works in any cross-platform configuration management framework (Puppet / Chef / Ansible / Salt).

Generate an install token

Org primary contact only. Available on the Enterprise tier.