Installing one machine by hand is fine for a pilot. For a client with 200 endpoints, you need to push the agent without touching each box. Good news: the OpenFrame install is a single command, which means any tool that can run a command or script on your fleet can deploy it — your existing RMM, Active Directory Group Policy, or an MDM like Intune or Jamf.
What's OpenFrame and what's not: OpenFrame gives you the per-customer install command. The delivery mechanisms below (RMM, GPO, Intune, Jamf) are your existing tooling — OpenFrame doesn't replace them for this step. This guide shows the patterns; the exact clicks live in each of those tools' docs.
Before you start
- You've successfully done at least one manual install (see the macOS and Windows guides) so you know the command works and you've sorted any AV exclusions.
- You have the per-customer install command from Devices → Add Device for the right client. The command carries that customer's org ID, so use the correct customer's command for each client's machines.
- You can push AV exclusions ahead of the rollout (strongly recommended — see below).
Step 0 — Push antivirus exclusions first
This is the one that bites people. New agents get flagged as false positives, and a blocked install means a device silently never enrolls. Before you mass-deploy, push these exclusions through your AV/EDR policy:
Windows:
C:\Program Files\OpenFrame, C:\Program Files\TacticalAgent, C:\ProgramData\OpenFrame, C:\ProgramData\OpenFrameInstall, C:\ProgramData\TacticalRMM, C:\Program Files\Orbit
macOS:
/Library/LaunchDaemons/com.openframe.client.plist, /Library/Application Support/OpenFrame/meshcentral-agent/
Do this once at the policy level and your rollout won't get chewed up machine by machine.
Pattern 1 — Push via your existing RMM
If you're migrating from another RMM, this is the fastest path: use the outgoing tool to install the new one, then retire it.
- In your current RMM, create a script/command job.
- Paste the OpenFrame install command (the Windows PowerShell or macOS shell version, per the target OS).
- Target the customer's device group and run it.
- Verify in OpenFrame, then schedule the old agent's removal once you're confident.
The OpenFrame installer runs unattended, so it's well-suited to RMM script delivery.
Pattern 2 — Windows via Group Policy (GPO)
For AD-joined fleets with no RMM yet:
- Save the OpenFrame PowerShell install command as a .ps1 script on a share all targets can reach.
- Create a GPO with a Startup script (computer-context startup scripts run as SYSTEM, which gives you the elevation the installer needs).
- Add a guard so it only runs once — e.g. check for the presence of the OpenFrame install folder and exit if it already exists — so it doesn't re-run on every boot.
- Scope the GPO to the right OU and let machines pick it up on reboot.
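One way to write the guarded Startup script from Pattern 2 (an added example, not OpenFrame's own code). It assumes the install folder is C:\Program Files\OpenFrame, as in the Step 0 exclusion list; the log path is hypothetical, and the install command is a placeholder you replace with the one from your console.

```powershell
# Install-OpenFrame.ps1 - GPO computer Startup script wrapper (added example).
# Runs as SYSTEM, so keep the share read-only for everyone except admins:
# anyone who can modify this file gets code execution as SYSTEM on every target.

$ErrorActionPreference = 'Stop'

# Assumption: the agent installs here (path taken from the AV exclusion list).
$InstallDir = 'C:\Program Files\OpenFrame'
# Hypothetical log location so stragglers can be diagnosed later.
$LogFile    = Join-Path $env:ProgramData 'OpenFrameDeploy\install.log'

function Write-Log([string]$Message) {
    $dir = Split-Path $LogFile -Parent
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir -Force | Out-Null }
    Add-Content -Path $LogFile -Value ("{0} {1} {2}" -f (Get-Date -Format o), $env:COMPUTERNAME, $Message)
}

# Guard: exit quietly if the agent is already present, so the script
# does not re-run the installer on every boot.
if (Test-Path -LiteralPath $InstallDir) {
    Write-Log 'OpenFrame folder present, skipping install.'
    exit 0
}

try {
    Write-Log 'OpenFrame folder not found, starting install.'

    # PLACEHOLDER: paste this customer's PowerShell install command from
    # Devices -> Add Device between the braces. It carries the org ID, so
    # keep one copy of this script per customer.
    & {
        throw 'Install command not set: paste the per-customer command here.'
    }

    if (Test-Path -LiteralPath $InstallDir) {
        Write-Log 'Install finished, folder present.'
    } else {
        Write-Log 'Installer returned but folder is missing (check AV/EDR blocks).'
    }
}
catch {
    Write-Log ("Install failed: {0}" -f $_.Exception.Message)
    exit 1
}
```

The local log gives you something to read on a straggler: a "folder is missing" entry after an install attempt points at the AV block described in Step 0.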
Pattern 3 — Cross-platform via MDM (Intune, Jamf, etc.)
If you already manage endpoints with an MDM:
- Windows (Intune): wrap the install command in a Win32 app or a PowerShell platform script, set the customer's command, and assign it to the device group.
- macOS (Jamf / Intune): deliver the macOS install command as a shell script / policy that runs with root, scoped to the right smart group.
MDM is also the cleanest way to push the AV exclusions from Step 0 alongside the install.
Tag as you scale
The install command supports tagging at enrollment, and the Add Device screen lets you attach tags before generating the command. For a big push, decide your tag scheme first (e.g. Type: laptop/desktop/server, Purpose: ...) so devices arrive already organized instead of needing cleanup later. See Organize Devices with Device Tags.
Verify the rollout
Don't trust "the job ran" — confirm enrollment:
- In OpenFrame, open Devices and filter to the customer you deployed to.
- Compare the device count to what you expected for that client.
- Spot-check a few devices' detail pages for live hardware data.
- Chase the stragglers — a machine that ran the job but isn't showing up is usually an AV block or a device that was offline during the push. See Confirm Your First Device Is Connected.
Quick checklist
- One manual install validated first
- AV exclusions pushed via policy before the rollout
- Correct per-customer command used for each client
- Delivered via RMM, GPO, or MDM as appropriate
- Tagging scheme decided up front
- Enrollment counts verified per customer, stragglers chased
What's next
Fleet's in. Make it manageable: give machines friendly names with Add a Device Display Name / Nickname, and group them with Organize Devices with Device Tags. Then you're ready for Phase 3 — Platform Navigation.
Based on OpenFrame v0.9.19. A built-in native RMM is on OpenFrame's roadmap; until then, these patterns use your existing delivery tooling. Always pull the current install command from your console.
