
# MDM Support Guide

> Provision Corridor across your organization using Mobile Device Management tools.

<Note>
  MDM rollout is available on **Enterprise** plans only.
</Note>

If your enterprise uses an MDM (Mobile Device Management) tool, you can provision Corridor across all employees automatically. With MDM, developers don't need to separately install the Corridor extension or sign up—everything is handled for them.

## Supported platforms

| MDM    | OS Support     |
| ------ | -------------- |
| Kandji | macOS          |
| Intune | macOS, Windows |
| JAMF   | macOS          |

### Supported IDEs

* VS Code
* Windsurf
* Cursor

## Prerequisites

* **Enterprise tier subscription** to Corridor. You can verify this at [app.corridor.dev/teams](https://app.corridor.dev/teams)
* **Team admin role** in Corridor. You can verify this at [app.corridor.dev/teams](https://app.corridor.dev/teams)—you should see "Admin" next to your email

## Verifying a domain

To use the MDM scripts you must first verify an email domain for your team. Corridor only provisions users whose email address is on a domain you have verified, so the email your MDM pushes to each device (see the platform sections below) has to be on that domain.

<Steps>
  <Step title="Navigate to Teams">
    Go to [app.corridor.dev/teams](https://app.corridor.dev/teams).
  </Step>

  <Step title="Enter your domain">
    Go to the **Domain Verification** section and enter your organization's domain name (e.g., `acme.com`).
  </Step>

  <Step title="Add DNS record">
    Copy the DNS TXT record shown and add it at your DNS provider. DNS changes take time to propagate, so confirm the record is visible in public DNS before expecting verification to succeed.
  </Step>
</Steps>
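Propagation is the usual reason verification does not go through immediately. The following shell script, added here as an example and not part of Corridor's tooling, queries public DNS for the record and compares whole values, joining the quoted chunks that `dig` prints for long TXT strings so that a split record still compares equal. The record name, the expected value and the resolver address in it are placeholders (assumptions); substitute the name and value the Domain Verification section gives you.

```shell
#!/bin/sh
# Added example (not Corridor's code): confirm the verification TXT record is
# visible in public DNS before clicking verify in app.corridor.dev/teams.
# Record name, expected value and resolver below are placeholders.

# dig prints TXT data as one or more quoted strings per record; values longer
# than 255 bytes are split into chunks ("abc" "def"). Join the chunks of each
# record and strip the quotes so whole values can be compared.
txt_values() {
  # $1: raw `dig +short TXT` output, one record per line
  printf '%s\n' "$1" | sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# Exit 0 when one record in $1 is exactly the value $2 (no substring matches).
txt_has_value() {
  txt_values "$1" | grep -Fxq -- "$2"
}

# Live lookup against a public resolver (assumption: 1.1.1.1), so a stale
# local cache does not hide a record that is already published.
check_txt_record() {
  # $1: record name (e.g. acme.com), $2: expected value from the Teams page
  out=$(dig +short TXT "$1" @1.1.1.1) || return 2
  if txt_has_value "$out" "$2"; then
    echo "TXT record for $1 is live"
    return 0
  fi
  echo "TXT record for $1 not yet visible; records seen: $(txt_values "$out" | tr '\n' ' ')" >&2
  return 1
}

# Usage: sh check-txt.sh <record-name> <expected-value>
if [ $# -eq 2 ]; then
  check_txt_record "$1" "$2"
fi
```

Exit status 1 with the records actually seen on stderr tells you whether the record is missing, still propagating, or published with a typo; exit status 2 means the lookup itself failed.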

## Creating a universal team token

In order to use the MDM scripts, you must create a universal team token to identify your team and verify your team admin access.

<Steps>
  <Step title="Navigate to Teams">
    Go to [app.corridor.dev/teams](https://app.corridor.dev/teams).
  </Step>

  <Step title="Generate a token">
    Under **Universal Team Tokens**, click **Generate New Tokens**. Add a token name and select an expiration date.
  </Step>

  <Step title="Copy the token">
    Copy the universal team token; you'll paste it into the MDM scripts below. It is stored in plain text inside those scripts, so anyone who can read the script in your MDM console can use it. Give it the shortest expiration your rollout window allows and generate a new one when it expires.
  </Step>
</Steps>

## JAMF (macOS only)

For JAMF, you must create a configuration profile that pushes the assigned user's email address and the computer's serial number (as the `UserEmail` and `SerialNumber` keys) to each managed computer; the Corridor script reads these values at runtime.

### Creating a configuration profile

#### Prerequisites

To set up a JAMF configuration profile, you must have:

* A push certificate in JAMF Pro. [See instructions here](https://learn.jamf.com/r/en-US/jamf-pro-documentation-current/Push_Certificates#concept-6218).
* The `Enable certificate-based authentication` and `Enable push notifications` settings configured in Jamf Pro. For more information, see [Security Settings](https://learn.jamf.com/en-US/bundle/jamf-pro-documentation-current/page/Security_Settings.html#ID-000185c4).

To create the configuration profile:

<Steps>
  <Step title="Add configuration profile">
    In JAMF, go to **Computers → Configuration Profiles**. Click **New**.
  </Step>

  <Step title="Setup configuration profile">
    Set a name like 'Push plist for Corridor' with level 'Computer Level' and Distribution Method 'Install automatically'.
    Set 'Scope' to 'All computers', or just all the computers you want to have access to Corridor.
  </Step>

  <Step title="Upload plist">
    Go back to 'Options', and search for 'Application & Custom Settings'. Click the arrow underneath, and click 'Upload'.
    Click 'Add'. Set the preference domain to `dev.corridor.mdm` and set the file contents to the property list below. `$EMAIL` and `$SERIALNUMBER` are JAMF payload variables: JAMF replaces them per computer with the email address of the user assigned to the computer in inventory and with the computer's serial number.

    ```xml theme={null}
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>UserEmail</key>
        <string>$EMAIL</string>
        <key>SerialNumber</key>
        <string>$SERIALNUMBER</string>
    </dict>
    </plist>
    ```

    Or download [dev.corridor.mdm.plist](https://github.com/CorridorSecurity/CorridorSecurity/blob/main/mdm/dev.corridor.mdm.plist)
    and upload those contents.
  </Step>

  <Step title="Save configuration">
    Save your configuration and check that it was pushed to your devices.
  </Step>
</Steps>

### Add the Corridor script

<Steps>
  <Step title="Create a script">
    In JAMF, go to **Settings** and search for **Scripts**. It should be under **Computer management**.
  </Step>

  <Step title="Download the script">
    Download the Corridor JAMF script and read through it before uploading it (`-f` makes `curl` fail on an HTTP error instead of saving an error page as the script):

    ```bash theme={null}
    curl -fsSL https://raw.githubusercontent.com/CorridorSecurity/CorridorSecurity/refs/heads/main/mdm/jamf-macos.sh -o jamf-macos.sh
    ```
  </Step>

  <Step title="Add your token">
    Replace the `CORRIDOR_TEAM_TOKEN` value at the top of the file with the universal team token you generated.
  </Step>

  <Step title="Upload and save">
    Name the script (for example `Corridor Installation Script`) and upload it with the shell/bash language option.
    Save the script.
  </Step>
</Steps>

### Create a policy

<Steps>
  <Step title="Create a policy">
    In JAMF, go to **Computers** and then **Policies**. It should be under **Content management**. Click 'New'.
  </Step>

  <Step title="Set the policy">
    Set the policy name to 'Corridor Installation Policy'. Select 'Recurring Check-in' as the trigger (unless otherwise desired), with the execution frequency 'Once per computer'.
    Enable 'Automatically re-run policy on failure'. Set the scope as desired (All computers or specific computers).
  </Step>

  <Step title="Add the script to the policy">
    In options, click **Scripts** and choose 'Configure Scripts'. Add the `Corridor Installation Script` you created in the previous step, and save the policy.
  </Step>
</Steps>

Now wait for the policy to run on the computers in scope. Once a user restarts their IDE, the extension is installed and they are signed in to Corridor automatically.

## Kandji (macOS only)

For Kandji, you must create a custom profile with global variables before running the Corridor script.

### Create a custom profile

<Steps>
  <Step title="Add custom profile">
    In Kandji, go to **Library** and search for **Custom Profile**.
  </Step>

  <Step title="Prepare the Global Variable Config">
    Build a Global Variable Config XML for the Custom Profile with the contents below. The keys **must** be named exactly `EMAIL` and `SERIAL_NUMBER`; these are the names the Corridor Kandji script reads at runtime. For example, add the following to the `PayloadContent` variable:

    ```xml theme={null}
    <key>EMAIL</key>
    <string>$EMAIL</string>
    <key>SERIAL_NUMBER</key>
    <string>$SERIAL_NUMBER</string>
    ```

    `$EMAIL` and `$SERIAL_NUMBER` are Kandji's built-in global variables; Kandji substitutes the assigned user's email and the device serial number when the profile is pushed to a device. If you already expose these variables under different key names, edit the `SERIAL_NUMBER` and `EMAIL` assignments in the script (lines 71 and 78, just after the print statement) so they read your key names; otherwise the script will not pick up the Kandji global variables.
  </Step>

  <Step title="Upload the config">
    Upload the Global Variable config XML to the Custom Profile. Click **Continue** and add the profile.
  </Step>
</Steps>

### Add the Corridor script

<Steps>
  <Step title="Create a custom script">
    In Kandji, go to **Library** and search for **Custom Script**. Assign to your desired Blueprints. Select **Execution Frequency: Run once per device**.
  </Step>

  <Step title="Download the script">
    Download the Corridor Kandji script and read through it before uploading it (`-f` makes `curl` fail on an HTTP error instead of saving an error page as the script):

    ```bash theme={null}
    curl -fsSL https://raw.githubusercontent.com/CorridorSecurity/CorridorSecurity/refs/heads/main/mdm/kandji-macos.sh -o kandji-macos.sh
    ```
  </Step>
  </Step>

  <Step title="Add your token">
    Replace the `CORRIDOR_TEAM_TOKEN` value at the top of the file with the universal team token you generated.
  </Step>

  <Step title="Upload and save">
    Upload the file with the correct `CORRIDOR_TEAM_TOKEN` to Kandji and click **Save**.
  </Step>
</Steps>
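In both the JAMF and the Kandji flows above, the installation script depends entirely on what the profile pushed to the Mac, so a profile that never landed, or one carrying an email outside your verified domain, is the first thing to rule out when a device is not provisioned. The pre-flight script below is an added example, not Corridor's JAMF or Kandji script. It assumes a computer-level profile, which macOS writes to `/Library/Managed Preferences/<domain>.plist`; its defaults match the JAMF profile above (`dev.corridor.mdm`, `UserEmail`, `SerialNumber`), and for Kandji you set `MDM_DOMAIN` to your custom profile's preference domain and the key names to `EMAIL` and `SERIAL_NUMBER`. `VERIFIED_DOMAIN` is a placeholder for the domain you verified in Corridor.

```shell
#!/bin/sh
# Added example (not Corridor's JAMF or Kandji script): pre-flight check for a
# managed Mac. Confirms the profile landed and that the values it carries are
# the ones the Corridor script will read.
#
# Assumptions: a computer-level profile is written to
# /Library/Managed Preferences/<domain>.plist; defaults below match the JAMF
# profile on this page. For Kandji, override MDM_DOMAIN, EMAIL_KEY=EMAIL and
# SERIAL_KEY=SERIAL_NUMBER. VERIFIED_DOMAIN is the domain verified in Corridor.
MDM_DOMAIN="${MDM_DOMAIN:-dev.corridor.mdm}"
EMAIL_KEY="${EMAIL_KEY:-UserEmail}"
SERIAL_KEY="${SERIAL_KEY:-SerialNumber}"
VERIFIED_DOMAIN="${VERIFIED_DOMAIN:-acme.com}"
PREFS="/Library/Managed Preferences/$MDM_DOMAIN.plist"

# Read one key from the managed preferences. PlistBuddy ships with macOS and
# reads both XML and binary plists.
mdm_value() {
  /usr/libexec/PlistBuddy -c "Print :$1" "$PREFS" 2>/dev/null
}

# Exact, case-insensitive match on the domain part of an address. Rejects
# "alice@acme.com.evil.example", "alice@sub.acme.com" and anything that is
# not a single user@domain.
email_in_domain() {
  email=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  domain=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case "$email" in
    *@*@*) return 1 ;;
    ?*@"$domain") return 0 ;;
    *) return 1 ;;
  esac
}

# The serial number the hardware itself reports.
hardware_serial() {
  ioreg -c IOPlatformExpertDevice -d 2 | awk -F'"' '/IOPlatformSerialNumber/ { print $4 }'
}

preflight() {
  if [ ! -f "$PREFS" ]; then
    echo "profile not installed: $PREFS is missing" >&2
    return 1
  fi
  email=$(mdm_value "$EMAIL_KEY")
  serial=$(mdm_value "$SERIAL_KEY")
  if ! email_in_domain "$email" "$VERIFIED_DOMAIN"; then
    echo "$EMAIL_KEY='$email' is not an address on $VERIFIED_DOMAIN; Corridor will not provision it" >&2
    return 1
  fi
  if [ "$serial" != "$(hardware_serial)" ]; then
    echo "$SERIAL_KEY='$serial' does not match the hardware serial" >&2
    return 1
  fi
  echo "ok: $email on $serial"
}

# Usage: sudo sh corridor-preflight.sh --check
if [ "${1:-}" = "--check" ]; then
  preflight
fi
```

Run it on a scoped Mac after the profile shows as installed; a non-zero exit with the reason on stderr tells you which input (profile delivery, email domain, or serial) to fix before re-running the policy.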

## Intune

The Intune scripts support both macOS and Windows. They call Microsoft Graph to retrieve the email address associated with the device, so you must first generate a Microsoft Graph access token with the right permissions.

### Generate a Microsoft Graph token

<Steps>
  <Step title="Open Graph Explorer">
    Go to [Microsoft Graph Explorer](https://developer.microsoft.com/en-us/graph/graph-explorer) and sign in.
  </Step>

  <Step title="Set permissions">
    Click **Modify Permissions** and consent to `User.Read` permissions. This requires Admin consent.
  </Step>

  <Step title="Copy the token">
    Refresh the page, then click **Access token** and copy the Microsoft Graph API access token. This is a delegated token for the account you signed in with, so the scripts call Graph as that admin, and it is short-lived: once it expires, the Graph lookup fails on every device that has not yet run the script, and you will need to issue a new token and update the script.
  </Step>
</Steps>
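The token Graph Explorer shows is a JWT, so you can read its expiry and granted scopes locally before pasting it into the scripts. The script below is an added example, not part of Corridor's Intune scripts; it assumes a `base64` that accepts `-d` (GNU coreutils, BusyBox and current macOS) and makes no network calls. The `User.Read` scope and the 600-second minimum remaining lifetime are defaults you can override.

```shell
#!/bin/sh
# Added example (not Corridor's script): inspect the access token copied from
# Graph Explorer before embedding it in the Intune scripts. The `exp` claim
# says when it stops working; `scp` lists the delegated scopes it carries.

# Decode base64url (JWT alphabet, no padding) to raw bytes.
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="$s==" ;;
    3) s="$s=" ;;
  esac
  printf '%s' "$s" | base64 -d 2>/dev/null
}

# The JWT payload is the second dot-separated segment.
jwt_payload() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# Extract one flat top-level claim (number or string) from the payload.
# Enough for exp, scp and upn; not a general JSON parser.
jwt_claim() {
  jwt_payload "$1" | sed -n "s/.*\"$2\":\"\{0,1\}\([^\",}]*\).*/\1/p"
}

# Seconds until expiry (negative once expired); fails if there is no exp.
jwt_seconds_left() {
  exp=$(jwt_claim "$1" exp)
  [ -n "$exp" ] || return 1
  echo $(( exp - $(date +%s) ))
}

# Exit 0 only if the token is valid for at least $2 more seconds (default 600)
# and carries the delegated scope $3 (default User.Read, as consented above).
token_usable() {
  left=$(jwt_seconds_left "$1") || { echo "no exp claim" >&2; return 1; }
  min="${2:-600}"
  want="${3:-User.Read}"
  scp=" $(jwt_claim "$1" scp) "
  [ "$left" -ge "$min" ] || { echo "token expires in ${left}s" >&2; return 1; }
  case "$scp" in
    *" $want "*) return 0 ;;
    *) echo "scope $want not in scp='$scp'" >&2; return 1 ;;
  esac
}

# Usage: sh check-graph-token.sh '<token>'
if [ -n "${1:-}" ]; then
  token_usable "$1" && echo "ok: $(jwt_seconds_left "$1")s left, issued to $(jwt_claim "$1" upn)"
fi
```

If `token_usable` reports only a few minutes left, generate a fresh token immediately before saving the script in Intune: the token has to be valid at the moment each device syncs and runs the script, not just when you paste it.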

### Windows

<Steps>
  <Step title="Navigate to scripts">
    On [intune.microsoft.com](https://intune.microsoft.com), go to **Devices → Scripts and remediations** under Manage Devices.
  </Step>

  <Step title="Add a script">
    Click **Platform scripts → Add → Windows 10 and Later**. Set a name and description.
  </Step>

  <Step title="Download the script">
    Download the Corridor Intune Windows script and read through it before uploading it (`-f` makes `curl` fail on an HTTP error instead of saving an error page as the script):

    ```bash theme={null}
    curl -fsSL https://raw.githubusercontent.com/CorridorSecurity/CorridorSecurity/refs/heads/main/mdm/intune-windows.ps1 -o intune-windows.ps1
    ```
  </Step>
  </Step>

  <Step title="Add your tokens">
    In the script, replace the `CORRIDOR_TEAM_TOKEN` value with your universal token, and replace the `GRAPH_API_TOKEN` value with the Microsoft Graph API access token.
  </Step>

  <Step title="Configure script settings">
    Select **Yes** for "Run this script using the logged on credentials", **No** for "Enforce script signature check", and **No** for "Run script in 64 bit Powershell Host". With signature checking off, Intune runs whatever is stored in the script body, so restrict who can edit platform scripts in your tenant.
  </Step>

  <Step title="Assign and save">
    Assign the script to the selected group of devices and click **Save**. Sync all devices with bulk device actions to force the script to run.
  </Step>
</Steps>

### macOS

<Steps>
  <Step title="Navigate to scripts">
    On [intune.microsoft.com](https://intune.microsoft.com), go to **Devices → Scripts and remediations** under Manage Devices.
  </Step>

  <Step title="Add a script">
    Click **Platform scripts → Add → macOS**. Add a name and description.
  </Step>

  <Step title="Download the script">
    Download the Corridor Intune macOS script and read through it before uploading it (`-f` makes `curl` fail on an HTTP error instead of saving an error page as the script):

    ```bash theme={null}
    curl -fsSL https://raw.githubusercontent.com/CorridorSecurity/CorridorSecurity/refs/heads/main/mdm/intune-macos.sh -o intune-macos.sh
    ```
  </Step>
  </Step>

  <Step title="Add your tokens">
    In the script, replace the `CORRIDOR_TEAM_TOKEN` value with your universal token, and replace the `GRAPH_API_TOKEN` value with the Microsoft Graph API access token.
  </Step>

  <Step title="Configure script settings">
    Select **Yes** for "Run script as signed-in user" and **1 time** for "Max number of times to retry if script fails".
  </Step>

  <Step title="Assign and save">
    Assign the correct groups to the script and click **Save**. Sync all devices with bulk device actions to force the script to run.
  </Step>
</Steps>
