This is a per-vendor cheat sheet for the MDM rollout path. Each section tells you where in the MDM's UI to upload the script and where to set the one parameter (the ingest token) the install script needs. The OTLP endpoint https://ai-events.toriihq.com is baked into every script - you don't pass it. For the general MDM workflow, see Rolling out LLM token tracking via MDM.
All Torii install scripts accept the token in three ways - your MDM only needs to support one:
-
Flag:
--token <token>on the invocation -
Environment variable:
TORII_TOKEN(legacyTOKENstill honored) -
Jamf positional parameter:
$4= token (Jamf Pro convention only; legacy policies with$4= endpoint and$5= token are still honored)
Re-running the script on an already-configured machine is safe - it converges: nothing is rewritten unless something changed, and only the Torii-owned telemetry keys are touched. If a machine routes telemetry through your own OTLP collector and you want to keep it that way, deploy the collector path instead of the direct install.
Jamf Pro
Supported OS: macOS
Where to upload: Settings → Computer Management → Scripts → New. Paste the script body (or upload the .sh file).
Where parameters go: Policy script options → Parameter 4 = TOKEN. Jamf passes $1=hostname, $2=user, $3=trigger, and then your admin-configurable values start at $4. The Torii script detects this convention automatically. Legacy policies created when Parameter 4 was the endpoint and Parameter 5 the token keep working - the script recognizes a URL in $4 and treats it as an endpoint override.
Run frequency: Recurring Check-in for Claude Code (writes a system-wide file once per Mac). Login + Recurring Check-in for Gemini and Codex (writes the user's home directory once per user per Mac).
Docs: Jamf Pro: Scripts
Kandji
Supported OS: macOS
Where to upload: Library → Add Library Item → Custom Script → Audit & Enforce. Paste the script.
Where parameters go: Kandji does not expose script variables as shell environment variables - that path does not work. Use the Kandji-specific install script Torii publishes for Claude Code: install-claude-code-telemetry-macos-kandji.sh. The Torii webapp pre-substitutes your TOKEN into the script body before you download it (the endpoint is hard-coded), so the file is fully self-contained when you paste it into Kandji. Bonus: Kandji also substitutes its own $EMAIL variable when it deploys, so the user's business email shows up in enduser.id on every event rather than the macOS short name. For Codex CLI and Gemini CLI, use the install-{codex,gemini-cli}-telemetry-macos-embedded.sh variants (same pre-baked pattern; identity is sourced differently for those tools so one file serves all macOS MDMs).
Run frequency: Audit & Enforce runs on the Kandji default check-in schedule (~15 minutes). The script is idempotent - running on every check-in is safe but wasteful; if Kandji supports it, use a once-per-user or once-per-machine assignment for the relevant tool.
Docs: Kandji: Custom Script overview
Mosyle
Supported OS: macOS
Where to upload: Management → Custom Profiles → Shell Script. Paste the script.
Where parameters go: Mosyle does not expose script-profile variables as shell environment variables. Use the Mosyle-specific install script: install-claude-code-telemetry-macos-mosyle.sh (for Claude Code) or install-{codex,gemini-cli}-telemetry-macos-embedded.sh (for Codex / Gemini). The Torii webapp pre-substitutes your TOKEN into the body before download (the endpoint is hard-coded). Mosyle also substitutes its own %email% token at deploy time, so the user's enrolled email lands in enduser.id for Claude Code events (degrades gracefully to the console user if Mosyle didn't populate that variable).
Docs: Mosyle manuals
Microsoft Intune
Supported OS: macOS, Linux (via Intune for Linux), Windows
Where to upload: Devices → Scripts (per-platform) → Add. Paste the script. Run as the signed-in user (default) for Gemini, Codex, and Linux/Windows Claude Code; run as root/SYSTEM for macOS Claude Code (system-wide install).
Where parameters go (macOS): Intune for macOS does not expose script-setting variables as shell environment variables. Use the Intune-specific install script: install-claude-code-telemetry-macos-intune.sh (for Claude Code) or install-{codex,gemini-cli}-telemetry-macos-embedded.sh (for Codex / Gemini). The Torii webapp pre-substitutes your TOKEN into the body before download (the endpoint is hard-coded) - when you paste it into Intune's shell-script setting, no further configuration is required. Intune for macOS has no native template-variable substitution, so enduser.id falls back to the macOS console user.
Where parameters go (Linux, Windows): For Intune on Linux and Windows the existing flow still applies - see the article on the deployment-method picker. (Linux and Windows per-MDM variants are tracked as a follow-up.)
Run frequency: Intune's default is once on next sync. Pair with a detect script in a separate "Detection rule" or "Compliance" policy for self-healing - Torii ships matching detect-* scripts for all tools and OSes.
Script size cap: Intune rejects shell scripts larger than 200 KB. The Torii install scripts are well under this (the largest is the Linux Claude Code installer at ~12 KB). The Linux helper binary is fetched at runtime, not embedded - so the 200 KB cap is never a problem.
Docs: Intune: macOS shell scripts
JumpCloud
Supported OS: macOS, Linux, Windows
Where to upload: Commands → New Command → choose target OS → Custom. Paste the script.
Where parameters go: JumpCloud Command Variables are not environment variables - they are {{name}} placeholders substituted into the command body at runtime (the value is wrapped in single quotes automatically). Defining a variable named TORII_TOKEN does nothing by itself; the command body must reference it - so Torii ships JumpCloud-specific script variants with that reference already baked in: install-<tool>-telemetry-macos-jumpcloud.sh, …-linux-jumpcloud.sh, and install-<tool>-telemetry-jumpcloud.ps1 (Windows). The flow is:
- On the JumpCloud command, open the Variables panel and add a Command Variable named exactly
TORII_TOKENwith your ingest token as the value. - Paste the matching
-jumpcloudscript variant unmodified as the command body.
JumpCloud substitutes the variable into the baked-in reference at runtime. If the variable is missing (or you pasted the variant outside JumpCloud), the script exits with a clear error instead of installing with a bad token. No hand-editing of the script is needed. Use the insert icon in the command editor’s Variables panel to get the exact placeholder syntax, and don’t add extra quotes around it. Caution: JumpCloud substitutes the placeholder anywhere it appears in the body - don’t echo it or put it in a comment, or the real token value will be written to your command-results log.
Docs: JumpCloud: Manage Variables
Workspace ONE UEM (Omnissa)
Supported OS: macOS, Linux, Windows
Where to upload: Resources → Scripts → Add Script (target Windows, macOS, or Linux). Paste the script.
Where parameters go: Use a script variable for TORII_TOKEN (the legacy name TOKEN still works). Workspace ONE encrypts script variables in transit, so this is the preferred path over hard-coding the token in the script body.
Docs: Omnissa docs
Microsoft Configuration Manager (SCCM / MECM)
Supported OS: Windows
Where to upload: Software Library → Scripts → Create Script. Paste the PowerShell. Approve the script (SCCM's two-person review workflow), then deploy to a Device Collection.
Where parameters go: SCCM exposes parameters via the script's PowerShell param() block. The Torii PowerShell installer accepts -Token as a named parameter; set Script parameters to Token on the Script item.
Docs: SCCM: Create and run scripts
Other / configuration-management tools (Ansible, Puppet, Chef, Salt, etc.)
Supported OS: macOS, Linux, Windows
Any tool that can run a shell or PowerShell script as root or SYSTEM on the target machine works. Pass TORII_TOKEN as an environment variable to the script invocation (legacy TOKEN still honored), or use the explicit --token flag.
Ansible example:
- name: Install Torii Claude Code telemetry
ansible.builtin.shell:
cmd: bash install-claude-code-telemetry-linux.sh --token "{{ '{{' }} torii_token {{ '}}' }}"
no_log: true
Use no_log: true (Ansible), sensitive => true (Puppet), or equivalent in your tool to keep the token out of the log.
Per-MDM quick reference table
| MDM | Token field | OS |
|---|---|---|
| Jamf Pro | Policy → script options → Parameter 4 | macOS |
| Kandji | None - pre-filled script from Torii (token baked in) | macOS |
| Mosyle | None - pre-filled script from Torii (token baked in) | macOS |
| Microsoft Intune | macOS: pre-filled script. Linux/Windows: edit the token into the script body (Intune has no script-variable or env-var mechanism) | macOS, Linux, Windows |
| JumpCloud | Command Variable named TORII_TOKEN + the -jumpcloud script variant (reference pre-baked; Command Variables are placeholders, not env vars) |
macOS, Linux, Windows |
| Workspace ONE | Script → script variables (TORII_TOKEN); encrypted in transit | macOS, Linux, Windows |
| SCCM | Script → Script parameters (Token) | Windows |
| Ansible / Puppet / Chef / Salt | Pass TOKEN as an env var to the script invocation, or use the --token flag |
All |