Deploy Endpoint Protection
GitGuardian Endpoint Protection requires deploying ggshield onto each machine to run scheduled scans and deploy Honeytokens. The outcome you validate in GitGuardian is visibility: fleet coverage and discovered secrets in GitGuardian's Endpoints Protection section. Plan for both the MDM rollout and how your team will use that dashboard after the first scans complete.
The recommended and currently validated approach is an MDM scheduled script. The table below summarizes all supported deployment approaches.
| Option | Best fit | Guidance |
|---|---|---|
| MDM scheduled script | Managed macOS or Linux endpoints | Recommended starting point; this is the approach validated in the current implementation. |
| MDM install + local schedule | Endpoints that need to scan even when MDM does not trigger jobs reliably | Use launchd on macOS or systemd on Linux; validate in your environment before broad rollout. |
| Config management | Server or mixed fleets | Tools like Ansible, Puppet, Chef, or Salt can install ggshield and create the recurring job. |
Regardless of the approach, the core setup steps are the same: deploy ggshield at scale with a service account token.