GuidesDeploy Determinate with MDM

Most users should use the standard getting started guides for organizations or individuals.

  • Audience: IT administrators
  • Technical assumptions: JAMF, Mosyle, or a similar MDM provider for macOS

In this guide, you’ll create a “self-service” application that executes the script at the end of this article.

Security considerations

The script below behaves similarly to Installomator in that it validates the package before installing:

  • The package isn’t re-installed if there is no update.
  • The package is signed by our Apple Developer ID (X3JQ4VPJZ6).

A non-root user with administrative privileges needs to execute this script.

Handling updates

Re-run the installation script to update Determinate and Nix.


To uninstall Determinate:

Uninstall Nix
sudo /nix/nix-installer uninstall

Installation script
set -eu
scratch=$(mktemp -p /tmp -d -t determinate.XXXXXXXXXX)
finish() {
  rm -rf "$scratch"
trap finish EXIT
realScratch=$(realpath "$scratch")
(pkgutil --pkg-info-plist systems.determinate.Determinate 2> /dev/null || true) > "$realScratch/installed.plist"
installedVersion=$(defaults read "$realScratch/installed.plist" pkg-version 2> /dev/null|| true)
downloadUrl=$(curl -w "%{url_effective}\n" -I -L -s -S -o /dev/null)
currentlyReleased=$(echo "$downloadUrl" | cut -d/ -f4)
echo "Installed: ${installedVersion:-n/a}"
echo "Current release: $currentlyReleased"
if [ "$installedVersion" = "$currentlyReleased" ]; then
  echo "No update required."
  exit 0
echo "Downloading from $downloadUrl"
curl \
  --proto '=https' \
  --tlsv1.2 \
  -sSf \
  -L "$downloadUrl" \
  -o "$realScratch/Determinate.pkg"
actualTeamId=$(spctl -a -vv -t install "$realScratch/Determinate.pkg" 2>&1 | awk -F '(' '/origin=/ {print $2 }' | tr -d '()')
echo "Expected team ID: $TEAM_ID"
echo "Actual team ID: $actualTeamId"
if [ "$actualTeamId" != "$TEAM_ID" ]; then
  echo "Team ID did not match."
  exit 1
installer -verboseR -pkg "$realScratch/Determinate.pkg" -tgt "/"
echo "Complete"