Deploy at Scale via RMM / GPO / MDM


Section: Phase 2 — Device Deployment · Step 4

Published: June 18, 2026

Vladislav Marchenko, Head Of Marketing

Installing one machine by hand is fine for a pilot. For a client with 200 endpoints, you need to push the agent without touching each box. Good news: the OpenFrame install is a single command, which means any tool that can run a command or script on your fleet can deploy it — your existing RMM, Active Directory Group Policy, or an MDM like Intune or Jamf.

What's OpenFrame and what's not: OpenFrame gives you the per-customer install command. The delivery mechanisms below (RMM, GPO, Intune, Jamf) are your existing tooling — OpenFrame doesn't replace them for this step. This guide shows the patterns; the exact clicks live in each of those tools' docs.


Before you start

  • You've successfully done at least one manual install (see the macOS and Windows guides) so you know the command works and you've sorted any AV exclusions.
  • You have the per-customer install command from Devices → Add Device for the right client. The command carries that customer's org ID, so use the correct customer's command for each client's machines.
  • You can push AV exclusions ahead of the rollout (strongly recommended — see below).

Step 0 — Push antivirus exclusions first

This is the one that bites people. New agents get flagged as false positives, and a blocked install means a device silently never enrolls. Before you mass-deploy, push these exclusions through your AV/EDR policy:

Windows:

  • C:\Program Files\OpenFrame
  • C:\Program Files\TacticalAgent
  • C:\ProgramData\OpenFrame
  • C:\ProgramData\OpenFrameInstall
  • C:\ProgramData\TacticalRMM
  • C:\Program Files\Orbit

macOS:

  • /Library/LaunchDaemons/com.openframe.client.plist
  • /Library/Application Support/OpenFrame/meshcentral-agent/

Do this once at the policy level and your rollout won't get chewed up machine by machine.


Pattern 1 — Push via your existing RMM

If you're migrating from another RMM, this is the fastest path: use the outgoing tool to install the new one, then retire it.

  1. In your current RMM, create a script/command job.
  2. Paste the OpenFrame install command (the Windows PowerShell or macOS shell version, per the target OS).
  3. Target the customer's device group and run it.
  4. Verify in OpenFrame, then schedule the old agent's removal once you're confident.

The OpenFrame installer runs unattended, so it's well-suited to RMM script delivery.


Pattern 2 — Windows via Group Policy (GPO)

For AD-joined fleets with no RMM yet:

  1. Save the OpenFrame PowerShell install command as a .ps1 script on a share all targets can reach.
  2. Create a GPO with a Startup script (computer-context startup scripts run as SYSTEM, which gives you the elevation the installer needs).
  3. Add a guard so it only runs once — e.g. check for the presence of the OpenFrame install folder and exit if it already exists — so it doesn't re-run on every boot.
  4. Scope the GPO to the right OU and let machines pick it up on reboot.
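
The run-once guard from step 3, as an added example rather than OpenFrame's own code: a wrapper you assign as the GPO startup script. The share path, script name and log file are assumptions; the saved .ps1 is expected to hold the install command exactly as copied from Devices → Add Device.

```powershell
# Added example, not OpenFrame's own code: run-once wrapper for a GPO computer startup script.
$InstallDir    = 'C:\Program Files\OpenFrame'   # install folder listed in Step 0
# Hypothetical share path; the .ps1 holds this customer's install command verbatim.
$InstallScript = '\\fileserver.example.local\Deploy$\openframe-install.ps1'
# Assumed log location, chosen so SYSTEM can always write to it.
$LogFile       = Join-Path $env:SystemRoot 'Temp\openframe-gpo-deploy.log'

function Write-DeployLog {
    param([string]$Message)
    # One line per event: ISO 8601 timestamp, host name, outcome.
    $line = '{0} {1} {2}' -f (Get-Date -Format o), $env:COMPUTERNAME, $Message
    Add-Content -Path $LogFile -Value $line
}

# Guard: the install folder already exists, so do nothing on this boot.
if (Test-Path -LiteralPath $InstallDir) {
    Write-DeployLog 'SKIP install folder present'
    exit 0
}

# The network may not be up yet at startup; fail here and let the next boot retry.
if (-not (Test-Path -LiteralPath $InstallScript)) {
    Write-DeployLog "FAIL cannot reach $InstallScript"
    exit 1
}

Write-DeployLog 'START running install script'
& powershell.exe -NoProfile -ExecutionPolicy Bypass -File $InstallScript
$code = $LASTEXITCODE

# A blocked install can fail silently, so check the result instead of trusting the exit code.
if (Test-Path -LiteralPath $InstallDir) {
    Write-DeployLog "OK installed (exit code $code)"
    exit 0
}
Write-DeployLog "FAIL install folder missing after run (exit code $code); check AV/EDR blocks"
exit 1
```

Computer startup scripts reach the share as the machine account, so grant Domain Computers read access only and keep write access to administrators, since whatever sits in that script runs as SYSTEM on every targeted machine. The log gives you a per-host record to check against the enrollment count when you chase stragglers.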

Pattern 3 — Cross-platform via MDM (Intune, Jamf, etc.)

If you already manage endpoints with an MDM:

  • Windows (Intune): wrap the install command in a Win32 app or a PowerShell platform script, set the customer's command, and assign it to the device group.
  • macOS (Jamf / Intune): deliver the macOS install command as a shell script / policy that runs with root, scoped to the right smart group.

MDM is also the cleanest way to push the AV exclusions from Step 0 alongside the install.


Tag as you scale

The install command supports tagging at enrollment, and the Add Device screen lets you attach tags before generating the command. For a big push, decide your tag scheme first (e.g. Type: laptop/desktop/server, Purpose: ...) so devices arrive already organized instead of needing cleanup later. See Organize Devices with Device Tags.


Verify the rollout

Don't trust "the job ran" — confirm enrollment:

  1. In OpenFrame, open Devices and filter to the customer you deployed to.
  2. Compare the device count to what you expected for that client.
  3. Spot-check a few devices' detail pages for live hardware data.
  4. Chase the stragglers — a machine that ran the job but isn't showing up is usually an AV block or a device that was offline during the push. See Confirm Your First Device Is Connected.

Quick checklist

  • One manual install validated first
  • AV exclusions pushed via policy before the rollout
  • Correct per-customer command used for each client
  • Delivered via RMM, GPO, or MDM as appropriate
  • Tagging scheme decided up front
  • Enrollment counts verified per customer, stragglers chased

What's next

Fleet's in. Make it manageable: give machines friendly names with Add a Device Display Name / Nickname, and group them with Organize Devices with Device Tags. Then you're ready for Phase 3 — Platform Navigation.


Based on OpenFrame v0.9.19. A built-in native RMM is on OpenFrame's roadmap; until then, these patterns use your existing delivery tooling. Always pull the current install command from your console.


Hi all! My name is Vlad and I’ve been brought on to head the marketing team at Flamingo. Thankfully, this isn’t the first time I will be building a marketing department from scratch, so the experience should come in handy. Now it’s time to dive into the world of MSPs and find myself in this new world.


Frequently Asked Questions

MSP AI Agents

Yes. In production MSP shops today, 10% to 25% of tickets close before a human opens them. Thread alone has processed 173 million tickets across 750-plus MSP partners at 96% triage accuracy, handing back 490,000-plus technician hours. Agents own the low-risk, high-volume work (password resets, MFA enrollment, known installs, onboarding and offboarding) and flag anything that touches production data or needs judgment for a human to take.
On a five-person desk, reported deployments show $78,000 to $130,000 in annual direct labor savings, roughly 30% fewer escalations, and 15% to 20% better SLA compliance. Broader MSP adoption data adds ticket handling time cut by 45% and five to 12 points of margin, all from reclaimed capacity rather than headcount cuts.
An AI agent for an MSP is software that reads a ticket, decides the action, performs it across your tools, and records the result without a technician driving each step. It differs from a chatbot or copilot by taking action, not just suggesting one.

AI MSP

MSPs use AI to triage and route tickets, cut alert noise, schedule patches, assist L1 security work, and draft client reports. Kaseya's 2025 benchmark found 30% already use it to eliminate tedious tasks, with ticket triage the most common starting point.
Most MSPs start with AI features inside their existing PSA, RMM, and ticketing systems rather than standalone products. Common categories include AI ticket triage, alert correlation, scripting assistants, and AI-native all-in-one platforms like OpenFrame that run intelligence across the whole stack.
Start with a readiness assessment, not a tool purchase. Confirm your ticket history is clean and your RMM, PSA, and monitoring systems connect. Then pick one high-volume, low-risk workflow, usually ticket triage, and pilot it on internal tickets before any client sees it.
Automate high-volume, low-risk tasks first. Ticket triage and alert noise reduction top the list because they run constantly and a human still resolves the underlying issue. Save security approvals, billing changes, and client-facing actions for later, always with a human in the loop.

AI Safety

It can be, with governance. Keep a human in the loop on high-risk actions, log every automated step for audit, and choose platforms that keep your data yours with no vendor lock-in. Pilot on internal data first so you catch issues before client systems are involved.

AI for MSPs

Set a baseline before rollout, then track tickets closed per technician, mean time to resolution, percentage of tickets resolved with no human touch, technician hours reclaimed, and cost per ticket. AI-driven automation commonly cuts operational cost per ticket by 25 to 40%.

About OpenFrame

OpenFrame isn't built to plug into your stack. It replaces it. Instead of duct-taping a dozen tools together (RMM, MDM, SIEM, patching, remote access, each its own login and bill), we bundle it into one unified platform: RMM, MDM, monitoring, automation, remote access, patch management, security monitoring, and ticketing, plus built-in AI copilots. So "does it integrate with X?" usually means: you won't need X anymore.