Setup — MDM deployment

Push one profile from your MDM and every managed Mac enrolls, trusts the tenant CA, and reports its AI apps — zero end-user action.

What the profile installs

Tenant CA trust

A per-tenant root CA, trusted fleet-wide via the universal cert-trust payload — works with any MDM, no SCEP.

System-extension allow

Pre-approves the Waxell network extension by Team ID, so it activates without a user prompt.

Managed config

The enrollment URL + tenant key + capture scope. The app reads it and configures the extension — nothing typed by the user.

Deploy in 4 steps

1. Download the profile

Generate your tenant's .mobileconfig (carries your CA, the extension allow-list, and the managed config). Replace $WAX_KEY with a tenant API key:
curl -fsSL https://api.waxell.dev/api/waxell/v1/endpoint/mdm-profile/ \
  -H "X-Wax-Key: $WAX_KEY" \
  -o waxell-ai-endpoints.mobileconfig

Append ?hosts=api.openai.com,api.anthropic.com to the URL to pre-enable capture for those hosts (by default capture is off).
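Before uploading the downloaded .mobileconfig, it is worth confirming that it actually carries the three payloads described above (tenant CA trust, the system-extension allow by Team ID, and the managed config) and that capture is still off unless you asked for hosts. The checker below is an added example, not Waxell's own code: it parses the profile with Python's plistlib and uses Apple's real payload type identifiers, but the agent's preference domain (dev.waxell.agent), the managed-config keys (EnrollmentURL, TenantKey, CaptureHosts), the Team ID and the embedded certificate bytes are placeholders, and the sample profile is constructed inline so the script runs offline. Point it at your real download by reading the file instead of SAMPLE_PROFILE.

```python
import plistlib
from dataclasses import dataclass, field

# Apple's payload type identifiers for the three things the page says the profile carries.
ROOT_CERT_PAYLOAD = "com.apple.security.root"                  # tenant CA trust
SYSEXT_POLICY_PAYLOAD = "com.apple.system-extension-policy"    # extension allow by Team ID
MANAGED_PREFS_PAYLOAD = "com.apple.ManagedClient.preferences"  # managed config (MCX layout)

# Assumed, not taken from the page: the agent's preference domain and the key listing capture hosts.
AGENT_PREF_DOMAIN = "dev.waxell.agent"
CAPTURE_HOSTS_KEY = "CaptureHosts"

# Constructed sample profile; Team ID, certificate bytes and config values are placeholders.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.waxell.mdm</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadIdentifier</key><string>example.waxell.ca</string>
      <key>PayloadContent</key><data>UExBQ0VIT0xERVItREVSLUNFUlQ=</data>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.system-extension-policy</string>
      <key>PayloadIdentifier</key><string>example.waxell.sysext</string>
      <key>AllowedTeamIdentifiers</key><array><string>TEAMID0000</string></array>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.ManagedClient.preferences</string>
      <key>PayloadIdentifier</key><string>example.waxell.config</string>
      <key>PayloadContent</key><dict>
        <key>dev.waxell.agent</key><dict>
          <key>Forced</key><array><dict>
            <key>mcx_preference_settings</key><dict>
              <key>EnrollmentURL</key><string>https://ENROLLMENT-URL-PLACEHOLDER/</string>
              <key>TenantKey</key><string>TENANT-KEY-PLACEHOLDER</string>
              <key>CaptureHosts</key><array/>
            </dict>
          </dict></array>
        </dict>
      </dict>
    </dict>
  </array>
</dict></plist>
"""


@dataclass
class ProfileReport:
    has_root_ca: bool = False
    allowed_team_ids: list = field(default_factory=list)
    managed_settings: dict = field(default_factory=dict)
    problems: list = field(default_factory=list)

    @property
    def capture_hosts(self) -> list:
        return list(self.managed_settings.get(CAPTURE_HOSTS_KEY, []))

    @property
    def ok(self) -> bool:
        return not self.problems


def inspect_profile(raw: bytes, expected_team_id: str) -> ProfileReport:
    """Parse a .mobileconfig and confirm it carries the CA, the extension allow and the managed config."""
    rep = ProfileReport()
    top = plistlib.loads(raw)
    if top.get("PayloadType") != "Configuration":
        rep.problems.append("top-level PayloadType is not 'Configuration'")
        return rep
    for payload in top.get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        if ptype == ROOT_CERT_PAYLOAD:
            # PayloadContent holds the DER certificate; only its presence is checked here.
            rep.has_root_ca = bool(payload.get("PayloadContent"))
        elif ptype == SYSEXT_POLICY_PAYLOAD:
            rep.allowed_team_ids.extend(payload.get("AllowedTeamIdentifiers", []))
        elif ptype == MANAGED_PREFS_PAYLOAD:
            # MCX layout: PayloadContent -> {domain: {"Forced": [{"mcx_preference_settings": {...}}]}}
            domain = payload.get("PayloadContent", {}).get(AGENT_PREF_DOMAIN, {})
            for forced in domain.get("Forced", []):
                rep.managed_settings.update(forced.get("mcx_preference_settings", {}))
    if not rep.has_root_ca:
        rep.problems.append("no tenant root CA payload")
    if expected_team_id not in rep.allowed_team_ids:
        rep.problems.append(f"Team ID {expected_team_id} is not pre-approved for system extensions")
    if not rep.managed_settings:
        rep.problems.append(f"no managed config under {AGENT_PREF_DOMAIN}")
    return rep


if __name__ == "__main__":
    report = inspect_profile(SAMPLE_PROFILE, "TEAMID0000")
    print("ok:", report.ok, "| capture hosts:", report.capture_hosts or "(none: capture off)")
    for problem in report.problems:
        print("PROBLEM:", problem)
```

The Team ID you pass should be the one your MDM shows for the Waxell extension; a profile whose allow-list carries a different Team ID will still install, but the extension will then stop at the user-approval prompt the profile is meant to remove, which is exactly the failure this check surfaces before deployment.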

2. Upload to your MDM

Add it as a custom configuration profile:
  • Hexnode — Policies → macOS → Custom Configuration → upload the .mobileconfig
  • Jamf Pro — Configuration Profiles → Upload → Custom Settings
  • Intune — Devices → macOS → Configuration → Templates → Custom
  • Kandji — Library → Add → Custom Profile

3. Scope to your Macs

Assign the profile to the device group(s) you want governed. Also deploy the Waxell agent app (same MDM, as a .pkg) so it can read the managed config and run the network extension.

4. Verify

Within a few minutes each Mac enrolls and scans itself. Watch the AI Apps tab fill in, then map apps to agents on Devices and set policy on Guard.

Privacy & safety

  • Interception is default-OFF — no TLS session is terminated until an admin enables capture per host on the Guard tab.
  • TLS is terminated only for catalog AI hosts — never banking, health, or mail.
  • Secrets & PII are DLP-redacted on-device — raw payloads never leave the Mac.