MDM & Enterprise Deployment Guide

Last updated: May 13, 2026

Available on: Mac, Windows

Deploy Wispr Flow across a managed fleet using Kandji, Jamf, Mosyle, Intune, or any MDM that supports standard installer packages and Apple configuration profiles. This guide covers installer selection, macOS PPPC profiles, auto-update behavior, network allowlisting, and enterprise policy controls.


Choose the right installer

Use the platform-specific managed installer below. Do not use the macOS DMG or the Windows Squirrel Setup.exe for managed deployments — those are intended for end-user installs.

macOS (PKG)

The PKG installer is the correct artifact for MDM deployment on macOS. Target the localSystem domain so the app installs to /Applications.

| Detail | Value |
| --- | --- |
| Filename format | Wispr Flow-v<version>.pkg |
| Install location | /Applications |
| Bundle identifier | com.electron.wispr-flow.pkg |
| Signing | Developer ID Installer: Wispr AI INC (C9VQZ78H85) |
| Notarization | Apple-notarized and stapled (passes Gatekeeper) |
| Architecture | Universal (Apple Silicon arm64 + Intel x86_64) |
| Minimum macOS | macOS 12.0 (Monterey) |
| Pre/post-install scripts | None |
| Installer UI | Disabled (customize='never') |

Windows (MSI)

The WiX MSI is the correct artifact for Windows enterprise deployment. The upgrade GUID is stable across releases, so Intune, SCCM, and similar tools detect and upgrade existing installs automatically.

| Detail | Value |
| --- | --- |
| Filename | Wispr Flow-v<version>.msi |
| Install location | C:\Program Files\Wispr Flow\ (custom locations not supported) |
| MSI size | ~47 MB |
| Upgrade GUID | 396d8b98-0a0d-5d72-8e7e-5d0c442674e9 |
| Signing | Azure Trusted Signing (SHA256 + timestamp) |

Silent install and uninstall:

msiexec /i "Wispr Flow-v<version>.msi" /quiet
msiexec /x "Wispr Flow-v<version>.msi" /quiet

Deploy macOS PPPC profiles

Wispr Flow requires Accessibility permission on macOS. A ready-to-deploy .mobileconfig PPPC profile pre-grants this permission silently. Windows does not require PPPC profiles.

| Profile | Grants |
| --- | --- |
| wispr-flow-accessibility.mobileconfig | Accessibility only (users are prompted for Microphone on first use) |

Note: macOS does not allow MDM pre-granting of Microphone access for third-party apps. Users will be prompted to grant Microphone permission the first time they use Wispr Flow.

The profile uses:

  • Bundle ID: com.electron.wispr-flow (also target the helper bundle com.electron.wispr-flow.accessibility-mac-app for Accessibility)

  • Team ID: C9VQZ78H85 (Wispr AI INC)

  • StaticCode: false (profiles remain valid across app version updates)

  • PayloadRemovalDisallowed: true

The profile works with Kandji, Jamf, Mosyle, Intune, and any other MDM that supports Apple configuration profiles. Deploy it before or alongside the app to avoid Accessibility permission prompts. To request the profile file, email support@wisprflow.ai.

Note: The app may also request Screen Capture permission at runtime for features like context-aware dictation. This is not included in the PPPC profile. To pre-grant it, create a custom configuration profile for com.electron.wispr-flow.
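Before pushing a vendor-supplied PPPC profile fleet-wide, it is worth confirming that it grants only what this guide describes. The Python check below is an added example, not Wispr's code: it assumes Apple's standard PPPC payload layout (a com.apple.TCC.configuration-profile-policy payload with a Services dictionary), and sample_profile builds a constructed stand-in rather than the real file.

```python
import plistlib
import re

# Values taken from the guide above.
EXPECTED_IDS = {"com.electron.wispr-flow",
                "com.electron.wispr-flow.accessibility-mac-app"}
TEAM_ID = "C9VQZ78H85"
TCC_TYPE = "com.apple.TCC.configuration-profile-policy"  # Apple's PPPC payload type
TEAM_PIN = re.compile(r'subject\.OU\]\s*=\s*"?' + TEAM_ID + r'"?(\s|\)|$)')


def audit_pppc(profile_bytes):
    """Return findings; an empty list means the profile matches the guide."""
    profile = plistlib.loads(profile_bytes)
    findings, seen = [], set()
    if profile.get("PayloadRemovalDisallowed") is not True:
        findings.append("PayloadRemovalDisallowed is not true")
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != TCC_TYPE:
            continue
        for service, entries in payload.get("Services", {}).items():
            if service != "Accessibility":  # the guide documents Accessibility only
                findings.append(f"unexpected TCC service granted: {service}")
                continue
            for e in entries:
                ident = e.get("Identifier", "")
                seen.add(ident)
                if ident not in EXPECTED_IDS:
                    findings.append(f"unexpected identifier: {ident}")
                if not TEAM_PIN.search(e.get("CodeRequirement", "")):
                    findings.append(f"{ident}: requirement not pinned to team {TEAM_ID}")
                if e.get("StaticCode", False):
                    findings.append(f"{ident}: StaticCode is true")
    findings += [f"missing Accessibility entry: {i}" for i in sorted(EXPECTED_IDS - seen)]
    return findings


def sample_profile(services=("Accessibility",), static_code=False, team=TEAM_ID):
    """Constructed sample for exercising the audit; NOT the vendor's profile file."""
    def entry(bundle_id):
        return {"Identifier": bundle_id, "IdentifierType": "bundleID",
                "CodeRequirement": f'identifier "{bundle_id}" and anchor apple generic'
                                   f' and certificate leaf[subject.OU] = {team}',
                "Allowed": True, "StaticCode": static_code}
    services_dict = {s: [entry(b) for b in sorted(EXPECTED_IDS)] for s in services}
    return plistlib.dumps({
        "PayloadType": "Configuration", "PayloadRemovalDisallowed": True,
        "PayloadContent": [{"PayloadType": TCC_TYPE, "Services": services_dict}]})
```

Pass audit_pppc the bytes of the .mobileconfig you received. A signed profile is CMS-wrapped and must be unwrapped to its plist before plistlib can read it.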


Manage auto-updates

Wispr Flow includes a built-in auto-updater (Electron's autoUpdater, Squirrel-based — not Sparkle). Understanding how it behaves matters when planning fleet updates.

How auto-updates work

  1. Check on launch: Packaged production builds check for updates on launch when the system is active or idle and online. Development builds do not check.

  2. Check on interval: By default, subsequent checks occur at randomized intervals between 30 minutes and 5 hours. IT administrators can change this interval using the MDM update frequency policy — see below.

  3. Apply with delay: After download, the updater waits at least 20 minutes since the last dictation before applying. The first attempt adds a 0–60 minute stagger (20–80 min total) to spread restarts across the fleet. Updates defer while a dictation or meeting recording is in progress.

  4. Retry on failure: Failed updates retry up to 3 times with doubling backoff (20, 40, 80 min), then pause for 24 hours. After the 24-hour pause, the retry counter resets to 0 automatically — no user action needed.

Updates apply only when the system is online and active or idle — not when the screen is locked or the system is sleeping. Manual "Check for updates" menu clicks bypass the active/online guard.

After all retries fail, a system notification alerts the user. Update status appears in the macOS application menu and the system tray on both platforms (e.g., "Update downloading…", "Update ready, restart now?").

Three update channels exist: production, beta (internal users alternate), and override.

Note: Update retry tracking persists across app restarts. If the app restarts after an update attempt but the version hasn't changed, the retry counter increments. The 3-retry limit is cumulative across sessions, not per run.

Control update frequency via MDM

IT administrators can configure how often Wispr Flow checks for and applies updates using a managed policy. When this policy is set, end users cannot override it, and the Settings sidebar displays a message indicating that updates are managed by their organization along with the next scheduled check date.

The available update frequency options are:

  • auto (default) — randomized check interval between 30 minutes and 5 hours

  • weekly — checks once per week

  • bi-weekly — checks once every two weeks

  • monthly — checks once every 30 days

Deploy the policy using the method appropriate for your MDM platform:

macOS — managed config profile

Deploy wispr-flow-managed-config.mobileconfig via your MDM (Jamf, Kandji, Mosyle, Intune, Rippling, etc.). Set the UpdateFrequency key to your desired value (auto, weekly, bi-weekly, or monthly). The app reads managed preferences from com.electron.wispr-flow.

To request the profile file, email support@wisprflow.ai.

Windows — PowerShell script

For script-based MDMs (Rippling, Chef, etc.), deploy wispr-flow-set-update-frequency.ps1 as a post-install script. The script sets the update frequency policy for the device.

To request the script, email support@wisprflow.ai.

Windows — registry policy

For registry- or policy-template-based MDMs (Intune, SCCM, GPO), set the following registry value directly:

  • Path: HKLM\SOFTWARE\Policies\WisprAI\Flow

  • Value name: UpdateFrequency

  • Type: REG_SZ

  • Data: auto, weekly, bi-weekly, or monthly

Update non-admin users via MDM

If your users are not local admins on macOS, manage updates through your MDM tool:

  1. Push new PKG versions to the fleet as they are released.

  2. Install silently to /Applications — no user interaction required.

  3. Verify on next launch that the built-in updater detects the new version and skips its update cycle.


Allowlist network domains

If your organization restricts outbound traffic, allowlist the domains below. The Windows MSI is approximately 47 MB — plan deployment bandwidth and caching accordingly for large fleets or bandwidth-constrained sites.

| Domain | Purpose |
| --- | --- |
| dl.wisprflow.com | CDN for update delivery |
| api.wisprflow.ai | Wispr Flow API (auth, enterprise policies, preferences sync) |
| dodjkfqhwrzqjwkfnthl.supabase.co | Authentication service (Supabase) |
| o4506267787395072.ingest.sentry.io | Error reporting (Sentry) |
| wisprflow.ai | Web app and account management |
| wispr-flow-cdn.s3.us-west-2.amazonaws.com | HIPAA BAA PDF for in-app signing (only for teams that sign BAAs in-app) |

The app also registers the custom URL scheme wispr-flow://. If your organization restricts URL scheme handlers, allow this scheme.


Configure enterprise policy controls

Enterprise policies are enforced server-side through the Wispr Flow admin portal, not through MDM managed preferences. Enterprise data is fetched on each app launch, so changes take effect the next time the app starts. All policies below are Enterprise plan only.

Data and privacy controls

  • Zero Data Retention (ZDR): Disables data sharing for model improvement. No dictation data is retained on Wispr servers or used for training.

  • Local data retention policy: Controls how long transcription data is kept on device. Options: Store normally, Delete after 24 hours, Never store. With "Delete after 24 hours," the app deletes transcription history and polish data older than 1 day on each launch. With "Never store," all local history and polish data is deleted on every launch. The enterprise policy acts as a floor — users can choose options at least as restrictive as the org setting. The user toggle is fully locked only when the org sets "Never store."

  • Context awareness: Controls whether the app reads surrounding text from active applications to improve dictation accuracy. Set to "Available" by default (users can toggle it themselves) or "Disable for all users" to force it off org-wide. When disabled, each user's toggle in Data & Privacy is turned off and locked.

Team and access controls

  • Hide team leaderboard: Removes the Leaderboard tab from the Insights page and suppresses weekly leaderboard rank notifications for everyone in the org, including admins. There is no admin bypass.

  • IP allowlist: Restricts authenticated access to your team's data to specific IP addresses or ranges. Configure under Network access in Organization settings. Enter IPv4 and IPv6 addresses or ranges (one per line or comma-separated). The portal shows your current IP and will not let you save a list that would lock you out. Disabling the allowlist requires confirmation and clears all saved ranges.

    1. Maximum 64 CIDR entries.

    2. Wildcards (0.0.0.0/0, ::/0) are rejected — clear the allowlist to disable.

    3. The IP allowlist UI is only visible when Wispr enables the per-enterprise ipAllowlistUiVisible flag — not automatic for all Enterprise customers.

    4. The allowlist is cached server-side for 30 seconds — changes can take up to 30s to propagate.

    5. When a user's network is blocked by the IP allowlist, the app automatically signs them out and shows a lockout screen with the message "Your network isn't allowed." Users are prompted to switch to an approved network or contact their admin, and can tap Retry to attempt sign-in again or Sign out to log out.

  • SSO enforcement: Requires single sign-on for all team members. Automatically suspended if the enterprise subscription lapses, allowing users to log in via standard methods until the subscription is renewed.

  • SCIM provisioning: Automated user provisioning and deprovisioning through your identity provider. When SCIM is enabled, the desktop Team page hides the Add-new-user button and shows a SCIM-managed notice. SCIM provisioning falls back to invitation flow on provisioning failure.

  • Auto-invite by domain: Domain-based auto-invite is gated behind a feature flag (domain-capture) that is not yet enabled, and additionally requires DNS verification of the company domain via TXT record. The autoInvite setting key defaults to true server-side, but the feature is not yet broadly available.

  • IT Admin role: Grants a team member access to manage the team, billing, and SSO without consuming a dictation seat. IT Admins cannot use Wispr Flow dictation. Assign this role in the web Admin Portal — the desktop Team page Role column is read-only, and the desktop invite dialog only offers Member and Admin roles.

  • HIPAA BAA signing: Available in-app for enterprise teams that require it.

Warning: When SCIM directory sync is active, manual member management is disabled — all user adds and removes must go through your identity provider. SCIM provisioning is also subject to the enterprise seat cap; new provisioning stops when the cap is reached.

Warning: Signing the HIPAA BAA in-app permanently locks privacy mode ON. This action is irreversible.
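The IP allowlist rules above (IPv4/IPv6, comma- or line-separated, no wildcards, 64-entry cap, no self-lockout) can be checked on a draft list before it goes into the portal. This Python pre-flight is an added example, not the portal's own validation: it assumes ranges are written in CIDR notation, counts entries after collapsing overlaps, and extends the lockout check from the admin's current IP to every egress IP you list in must_reach. The sample draft is constructed from documentation address ranges.

```python
import ipaddress
import re

MAX_ENTRIES = 64  # cap stated in the guide

# Constructed draft using documentation-only address ranges.
DRAFT = ("203.0.113.0/25, 203.0.113.128/25\n198.51.100.7\n"
         "2001:db8:10::/48, 0.0.0.0/0, office-vpn")


def check_allowlist(text, must_reach):
    """Validate a draft allowlist.

    must_reach: egress IPs (office, VPN, admin) that must remain allowed.
    Returns (collapsed_networks, errors); an empty errors list means it is safe to save.
    """
    networks, errors = [], []
    for raw in filter(None, (t.strip() for t in re.split(r"[,\n]", text))):
        try:
            net = ipaddress.ip_network(raw, strict=False)  # bare IP becomes /32 or /128
        except ValueError:
            errors.append(f"not an IP or CIDR range: {raw}")
            continue
        if net.prefixlen == 0:  # 0.0.0.0/0 and ::/0 are rejected by the portal
            errors.append(f"wildcard rejected: {raw}")
            continue
        networks.append(net)
    # Merge duplicates, contained and adjacent ranges; families must be collapsed separately.
    collapsed = []
    for version in (4, 6):
        collapsed += ipaddress.collapse_addresses(
            n for n in networks if n.version == version)
    if len(collapsed) > MAX_ENTRIES:
        errors.append(f"{len(collapsed)} entries after collapsing, limit is {MAX_ENTRIES}")
    for ip in map(ipaddress.ip_address, must_reach):
        if not any(ip in n for n in collapsed):
            errors.append(f"would lock out {ip}")
    return collapsed, errors


if __name__ == "__main__":
    nets, errs = check_allowlist(DRAFT, ["203.0.113.200", "192.0.2.10", "2001:db8:10::5"])
    print("\n".join(map(str, nets)))
    print("\n".join(errs))
```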


Reference: app identity, signing, and storage

App identity and signing

| Detail | macOS | Windows |
| --- | --- | --- |
| Bundle ID / App name | com.electron.wispr-flow | Wispr Flow |
| Team ID | C9VQZ78H85 | N/A |
| App signing | Developer ID Application: Wispr AI INC | Azure Trusted Signing (SHA256) |
| Installer signing | Developer ID Installer: Wispr AI INC | Same as app signing |
| Sandboxed | No | N/A |

macOS hardened runtime entitlements include JIT compilation, unsigned executable memory, DYLD environment variables, disabled library validation (standard for Electron-based apps), audio input device access (com.apple.security.device.audio-input), and camera access (com.apple.security.device.camera).

Data storage locations

macOS

  • Preferences: ~/Library/Application Support/Wispr Flow/config.json

  • Logs: ~/Library/Logs/Wispr Flow/

  • App bundle: /Applications/Wispr Flow.app

Windows

  • User data: %APPDATA%\Wispr Flow\

  • MSI install: C:\Program Files\Wispr Flow\

  • Per-user install (not for enterprise): %LOCALAPPDATA%\WisprFlow\

Verify the installed version

To check the installed version on managed devices:

macOS

Run this command in Terminal or via your MDM script runner:

defaults read /Applications/Wispr\ Flow.app/Contents/Info.plist CFBundleShortVersionString

Windows

Check the registry at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall for the Wispr Flow entry.


Deployment checklist

  1. Choose the right installer: PKG on macOS, MSI on Windows. Do not use the DMG or Setup.exe for managed deployments.

  2. Deploy the wispr-flow-accessibility.mobileconfig PPPC profile on macOS before or alongside the app to pre-grant Accessibility. Users will be prompted for Microphone on first use.

  3. Allowlist network domains so updates and authentication work — at minimum, dl.wisprflow.com and api.wisprflow.ai.

  4. Configure the MDM update frequency policy if you need to control how often the app checks for updates (see Manage auto-updates above).

  5. Configure enterprise policies (ZDR, data retention, context awareness, hide team leaderboard, IP allowlist, SSO) in the Wispr Flow admin portal.

  6. Assign the IT Admin role via the web Admin Portal.

  7. Plan for updates: if users are not local admins on macOS, push PKG updates via MDM so the auto-updater doesn't prompt for credentials.

  8. Verify deployment using the version-check commands in the reference section above.

Note: The app automatically enables "Launch at login" on first run.


FAQs

Can I control how often the app checks for updates via MDM?

Yes. You can set the update check frequency to auto (default, randomized 30 min–5 hours), weekly, bi-weekly, or monthly using an MDM policy. On macOS, deploy wispr-flow-managed-config.mobileconfig via your MDM. On Windows, use the wispr-flow-set-update-frequency.ps1 PowerShell script or set the registry value at HKLM\SOFTWARE\Policies\WisprAI\Flow\UpdateFrequency. See the Manage auto-updates section above for full details.

Do PPPC profiles need to be redeployed when the app updates?

No. The profile uses StaticCode=false, so it remains valid across app version updates without redeployment.

Can I pre-grant Microphone access via MDM on macOS?

No. macOS does not allow MDM pre-granting of Microphone access for third-party apps. Users will be prompted to allow Microphone the first time they use Wispr Flow. Only Accessibility access can be pre-granted via the wispr-flow-accessibility.mobileconfig profile.

Can I use MDM to push app preferences?

Not at this time. Wispr Flow stores preferences in a JSON file (electron-store), not in macOS NSUserDefaults or the Windows registry, so MDM profiles cannot inject or override user preferences. Enterprise-level settings (ZDR, data retention, context awareness, SSO) are managed server-side via the admin portal.

Which preferences sync across devices?

Eight preference fields sync to the server: usage data sharing, selected languages, personalization styles, personalization onboarding status, polish instructions, local data policy, fulfilled intents, and auto-cleanup level. All other preferences (theme, shortcuts, sounds, launch-at-login, etc.) are local to each device.

What macOS version is required?

macOS 12.0 (Monterey) or later.

Does the IT Admin role use a paid dictation seat?

No. IT Admins can manage the team, billing, and SSO but cannot use Wispr Flow for dictation, and they do not consume a paid dictation seat.

What do users see when they're on a network that's not on the IP allowlist?

The app automatically signs them out and displays a "Your network isn't allowed" screen at login. The screen explains that your organization only permits Wispr Flow on approved networks, and gives users two options: Retry (to try again after switching networks) or Sign out. Users should either connect to an approved network and tap Retry, or contact their admin to have their network added.


Still need help?

Email support@wisprflow.ai if:

  • You need the PPPC .mobileconfig profile files or the managed config profile for your MDM deployment.

  • You have questions about enterprise policy configuration or HIPAA BAA signing.

  • You hit issues deploying the PKG or MSI across your fleet.

Include your MDM platform, OS version, and what you've already tried — most enterprise deployment questions are resolved in one reply.