Deployment
Deploying SnitchOS with your RMM
Use the per-tenant wrapper script to deploy the universal, code-signed MSI silently through your fleet tooling.
How it works
- Sign in to app.snitchos.com as an admin for the customer's tenant.
- Go to Tenants → <customer> → Manage keys.
- In the RMM mass-deploy installer panel, download
Install-SnitchOS-<slug>.ps1(or the.cmdvariant for batch-only RMMs). - Upload the script to your RMM's script library.
- Push to every target endpoint and run elevated (SYSTEM or an Administrators member).
The script embeds the customer's tenant ID, a multi-use fleet enrollment key, and the CDN URL of the universal MSI. Each endpoint downloads the MSI, verifies its Authenticode signature, and installs silently with the right properties — no per-machine arguments.
Reuse and deliberate rotation
A normal download reuses the tenant's current active fleet key, so an existing RMM deployment task keeps working. Use Rotate & download only when you intend to revoke the previous wrapper, such as after suspected exposure or an administrator departure.
You can rename the downloaded file to match your RMM's naming convention — the customer identity is in the file content, not the filename.
Invocation commands
NinjaOne / Datto RMM / ConnectWise Automate / Kaseya
powershell.exe -ExecutionPolicy Bypass -File "Install-SnitchOS-<slug>.ps1"
Batch-only RMMs
Install-SnitchOS-<slug>.cmd
The .cmd version uses curl.exe (built into Windows 10 1803+ / Server 2019+) and msiexec — no PowerShell required.
Microsoft Intune
Add the .ps1 as a Win32 app PowerShell script. Detection rule: presence of C:\Program Files\SnitchOS\SnitchOS.Agent.exe.
Group Policy
Run the .ps1 as a startup script. Re-runs on later boots are no-ops once the service is installed.
Verify the rollout
The tenant overview lists each new device within about 60 seconds of install; activity populates as users work. Every install also writes a device.enroll entry to the tenant's audit log with the source IP.
After install, your RMM can run the local health helper without showing UI:
& "C:\Program Files\SnitchOS\SnitchOS.HealthCheck.ps1" -Json
SmartScreen and antivirus
- The installer script verifies the MSI's Authenticode signature (Azure Trusted Signing) before invoking
msiexecand refuses anything unsigned or mis-signed. - RMM-pushed installs normally avoid the interactive SmartScreen flow, but endpoint-security behavior depends on the client's policy.
- Defender or another security product may flag the input-count hook. Verify the Authenticode publisher first, then work with the client's security team on the narrowest appropriate allow rule. A file hash changes with each release.
One-off manual install
For a bench machine or single laptop, mint a single-use, short-expiry key from Tenants → Manage keys (don't reuse the fleet key — it pollutes the audit trail), then run elevated:
$msi = "$env:TEMP\SnitchOSSetup.msi"
Invoke-WebRequest "https://cdn.snitchos.com/SnitchOSSetup-latest.msi" -OutFile $msi -UseBasicParsing
msiexec /i $msi /qb TENANT_ID=<tenant-uuid> ENROLLMENT_KEY=<key>
Or simply run the tenant's wrapper .ps1 on that one machine — it's self-contained and does the same thing.
Repair and re-enroll
To silently repair an endpoint with a bad or missing device token, push the same script with -Reenroll:
powershell.exe -ExecutionPolicy Bypass -File .\Install-SnitchOS-<slug>.ps1 -Reenroll
Uninstall and offboarding
Per endpoint, or as an RMM uninstall job:
msiexec /x "{<product-code>}" /qn
Uninstall removes both services and stops collection; existing data stays in the backend per your retention policy. Normal uninstall intentionally leaves local support state behind — to purge it too:
msiexec /x "{<product-code>}" /qn PURGE_CONFIG=1
To decommission a whole customer: mark the tenant inactive (new enrollments are rejected immediately), revoke the fleet key, then uninstall via RMM at your convenience.