Kandji audit and remediation scripts to deploy and keep ggshield up to date on macOS.
Inspired by Installomator.
ggshield_audit.sh is a Custom Script (Audit) that checks whether ggshield is:

- Installed at /usr/local/bin/ggshield
- Code-signed with the expected GitGuardian Team ID (N67C7J5WQ9)
- Running the latest version (fetched from GitHub releases)

Exit codes: 0 = pass, 1 = fail (triggers remediation).
If GitHub is unreachable, the version check is skipped to avoid false failures.
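As an added illustration (not the repository's own ggshield_audit.sh), a POSIX sh audit script that performs the same three checks and applies the same exit-code contract; the GitHub releases API URL and the text parsing of `codesign` and `ggshield --version` output are assumptions, and the decision logic is kept separate from the macOS/network calls so it can be tested on any host.

```shell
#!/bin/sh
# Added example, not the repo's own ggshield_audit.sh: Kandji audit script for ggshield.
# Exit 0 = pass, 1 = fail (Kandji then runs the remediation script). The releases API
# path is an assumption; codesign/curl are only called on the Mac, inside run_audit.
GGSHIELD_BIN="/usr/local/bin/ggshield"
EXPECTED_TEAM_ID="N67C7J5WQ9"
RELEASES_API="https://api.github.com/repos/GitGuardian/ggshield/releases/latest"
# Pull TeamIdentifier= out of `codesign -dv --verbose=4` output (read from stdin).
team_id_from_codesign() { sed -n 's/^TeamIdentifier=//p' | head -n 1; }
# Pull "tag_name" out of the releases JSON (stdin), dropping a leading "v".
latest_tag_from_json() {
  sed -n 's/.*"tag_name":[[:space:]]*"v\{0,1\}\([^"]*\)".*/\1/p' | head -n 1
}
# First dotted number in `ggshield --version` output (stdin), e.g. "1.20.0".
version_from_output() { sed -n 's/[^0-9]*\([0-9][0-9.]*\).*/\1/p' | head -n 1; }
# Component-wise dotted-version compare: returns 0 when $1 >= $2.
version_ge() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    [ "$a" = "$x" ] && a='' || a=${a#*.}
    [ "$b" = "$y" ] && b='' || b=${b#*.}
    [ "${x:-0}" -gt "${y:-0}" ] && return 0
    [ "${x:-0}" -lt "${y:-0}" ] && return 1
  done
  return 0
}
# Decide pass/fail from collected facts. Empty $2 means ggshield is missing; empty $3
# means GitHub was unreachable, so the version check is skipped (no false failure).
audit_verdict() {
  team=$1; installed=$2; latest=$3
  [ -n "$installed" ] || { echo "ggshield not installed at $GGSHIELD_BIN"; return 1; }
  [ "$team" = "$EXPECTED_TEAM_ID" ] || { echo "unexpected Team ID: ${team:-none}"; return 1; }
  [ -n "$latest" ] || { echo "GitHub unreachable; version check skipped"; return 0; }
  version_ge "$installed" "$latest" || { echo "outdated: $installed < $latest"; return 1; }
  echo "ggshield $installed is signed by $team and current"
}
# Gather the facts on the Mac and judge them.
run_audit() {
  installed=''; team=''; latest=''
  if [ -x "$GGSHIELD_BIN" ]; then
    installed=$("$GGSHIELD_BIN" --version 2>/dev/null | version_from_output)
    team=$(codesign -dv --verbose=4 "$GGSHIELD_BIN" 2>&1 | team_id_from_codesign)
  fi
  latest=$(curl -fsS --max-time 15 "$RELEASES_API" 2>/dev/null | latest_tag_from_json)
  audit_verdict "$team" "$installed" "$latest"
}
# Run only when installed under the name the README uses; sourcing just defines functions.
[ "$(basename -- "$0")" = "ggshield_audit.sh" ] && { run_audit; exit $?; } || true
```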
ggshield_remediation.sh is a symlink to ../shared/ggshield_install.sh, a Custom Script (Remediation) that:

- Fetches the latest release from GitHub (supports both Apple Silicon and Intel)
- Verifies the .pkg signature via Gatekeeper (spctl) and validates the Team ID
- Confirms the package is notarized by Apple
- Installs the package and verifies the installed binary signature
To deploy in Kandji:

- Create a Custom Script library item
- Set ggshield_audit.sh as the Audit Script
- Set ggshield_remediation.sh as the Remediation Script
- Assign to the appropriate Blueprint(s)