Deploy Wispr Flow via MDM

Last updated: May 13, 2026

Available on: Mac, Windows (MDM-managed devices)

Roll Wispr Flow out to your fleet with pre-authorized permissions, silent installs, and admin-controlled update frequency. This guide covers permission profiles, per-provider deployment steps, and enterprise data policies for macOS and Windows. Most deployments take 15–30 minutes per MDM.

macOS permission profiles

Wispr Flow needs two macOS permissions. Only Accessibility can be pre-granted via MDM — macOS does not allow MDM pre-grant of microphone access for third-party apps.

Permission

Why

Accessibility

Required for text insertion into applications

Microphone

Required for speech-to-text dictation

A .mobileconfig profile is available:

  • wispr-flow-accessibility.mobileconfig: Grants Accessibility only. Users get a one-time Microphone prompt the first time Flow needs the microphone. Download file

Note: Screen Capture permission (used for context-aware features) may be requested at runtime. It is not included in the provided MDM profile and is not shown during onboarding.

App identity info

These details are required when configuring your MDM:

Property

Value

Bundle Identifier

com.electron.wispr-flow

Helper App Bundle Identifier

com.electron.wispr-flow.accessibility-mac-app (Swift helper app for accessibility operations; include this in your PPPC profile alongside the main app identifier)

Team ID

C9VQZ78H85

Developer

Wispr AI INC

Code Requirement

identifier "com.electron.wispr-flow" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = C9VQZ78H85

The app is signed and notarized, so it is Gatekeeper-compliant. You do not need to disable Gatekeeper for deployment. Wispr Flow appears in both the menu bar and the Dock on macOS; users can hide the Dock icon in settings to switch the app to menu-bar-only mode.

Notable macOS entitlements (required for Electron framework functionality): com.apple.security.cs.disable-library-validation, com.apple.security.cs.allow-jit, com.apple.security.cs.allow-unsigned-executable-memory, com.apple.security.cs.allow-dyld-environment-variables, com.apple.security.device.audio-input, com.apple.security.device.camera.

MDM-managed auto-update policy

IT administrators can control how often Wispr Flow checks for and applies updates. When a policy is set, end users cannot override it — the Settings sidebar displays a message indicating that updates are managed by their organization, along with the next scheduled check date.

Update frequency options

Value

Behavior

auto

Default. Checks at a randomized interval between 30 minutes and 5 hours.

weekly

Checks once per week.

bi-weekly

Checks every two weeks.

monthly

Checks every 30 days.

Deploying the update policy

macOS

Deploy the wispr-flow-managed-config.mobileconfig file via your MDM (Jamf, Kandji, Mosyle, Intune, Rippling, etc.). The profile sets the UpdateFrequency value under managed preferences at com.electron.wispr-flow.

Windows

Two options are available:

  • PowerShell script: Deploy wispr-flow-set-update-frequency.ps1 as a post-install script (suitable for script-based MDMs like Rippling or Chef).

  • Registry / policy template: Set the registry value HKLM\SOFTWARE\Policies\WisprAI\Flow\UpdateFrequency (REG_SZ) directly via Intune, SCCM, GPO, or any registry-capable MDM.

Platform-specific deployment

macOS

  1. Upload the architecture-specific .pkg (Apple Silicon or Intel) to your MDM. The macOS app ships in separate builds — deploy the one that matches your fleet.

  2. Deploy to target devices. The PKG installs silently to /Applications with no user interaction.

  3. Deploy wispr-flow-accessibility.mobileconfig to pre-grant Accessibility.

To verify: launch Wispr Flow on a test device. The Permissions onboarding page should show Accessibility as already granted with a green checkmark. Users see a one-time native macOS Microphone prompt the first time Flow needs the microphone.

The PKG identifier is com.electron.wispr-flow.pkg. The auto-updater is enabled by default, with a 20-minute cooldown after user dictation activity and a staggered rollout delay. Admins can control update frequency via the MDM-managed auto-update policy above.

Note: On the Permissions onboarding page, clicking the microphone permission shows the native macOS dialog. If denied, clicking again opens System Settings → Privacy & Security → Microphone. At runtime, if microphone permission was previously denied, the app opens System Settings automatically when access is needed.

Windows

  1. Upload Wispr Flow-v{version}.msi to your MDM as a line-of-business app.

  2. Run a silent install: msiexec /i "Wispr Flow-v{version}.msi" /quiet

To verify: confirm %ProgramFiles%\Wispr Flow\ exists on a target device and launch the app. Application data is stored at %APPDATA%\Wispr Flow\.

On Windows, Accessibility is not required. The Permissions onboarding page only shows the Microphone card, with an "Open Settings" button that opens Windows Settings → Privacy → Microphone. The page is skipped automatically when Flow detects that mic access is already granted.

To uninstall silently, run msiexec /x "Wispr Flow-v{version}.msi" /quiet or use the fixed upgrade GUID (works regardless of version): msiexec /x {396d8b98-0a0d-5d72-8e7e-5d0c442674e9} /quiet.

Note: Wispr Flow ships two Windows installers. Use the .msi (WiX) for MDM/enterprise deployment. The .exe (Squirrel) is for individual users and installs to %LOCALAPPDATA%\WisprFlow\.

Note: On Windows, Flow checks microphone access by attempting to use the microphone at runtime, not by reading registry settings. MDM/GPO policies that set registry-level microphone privacy values do not affect whether Flow can access the microphone — the actual OS permission state is what matters.

MDM provider quick start

Jamf Pro

  1. Upload the .pkg via Settings → Packages.

  2. Create a deployment policy targeting the right computers or groups.

  3. Deploy the PPPC profile: Configuration Profiles → Upload → select wispr-flow-accessibility.mobileconfig.

  4. Update by uploading a new PKG and creating a new policy, or use Patch Management.

Kandji

  1. Navigate to Library → Custom Apps → Add Custom App and upload the .pkg.

  2. Add an optional audit script to verify /Applications/Wispr Flow.app exists.

  3. Deploy the PPPC profile: Library → Custom Profiles → Add Profile and upload wispr-flow-accessibility.mobileconfig.

  4. Update by replacing the PKG in the Custom App.

Microsoft Intune

macOS:

  1. Navigate to Apps → macOS → Add → Line-of-business app and upload the .pkg.

  2. Deploy the PPPC profile: Devices → Configuration profiles → Create profile → Templates → Custom and upload wispr-flow-accessibility.mobileconfig.

  3. Deploy the update policy: Devices → Configuration profiles → Create profile → Templates → Custom and upload wispr-flow-managed-config.mobileconfig.

Windows:

  1. Navigate to Apps → Windows → Add → Line-of-business app and upload Wispr Flow-v{version}.msi.

  2. Set the silent install command: msiexec /i "Wispr Flow-v{version}.msi" /quiet

  3. Set the update policy by deploying the registry value HKLM\SOFTWARE\Policies\WisprAI\Flow\UpdateFrequency (REG_SZ) via a Configuration profile or Settings Catalog.

Rippling

macOS:

  1. Navigate to IT → Device Management → Software and upload the architecture-specific .pkg.

  2. Set install type to "silent."

  3. Deploy wispr-flow-accessibility.mobileconfig via IT → Device Management → Configuration Profiles.

  4. Deploy wispr-flow-managed-config.mobileconfig via Configuration Profiles to set the update frequency policy.

Windows:

  1. Navigate to IT → Device Management → Software and upload Wispr Flow-v{version}.msi.

  2. Set install type to "silent."

  3. Deploy wispr-flow-set-update-frequency.ps1 as a post-install script to set the update frequency policy.

Mosyle

  1. Navigate to Management → Apps → Custom Apps and upload the .pkg.

  2. Deploy the PPPC profile via Management → Profiles → Custom Profiles and upload wispr-flow-accessibility.mobileconfig.

Munki

  1. Import the PKG: munkiimport "Wispr Flow.pkg"

  2. Deploy PPPC profiles separately via your MDM (Munki does not manage profiles).

Munki handles version comparison for updates automatically.

Fleet

  1. Add the PKG to the software library or use a custom policy.

  2. Deploy PPPC profiles via Fleet's MDM profile management.

  3. Verify installation with: SELECT * FROM apps WHERE name = 'Wispr Flow'

Enterprise data policies

Enterprise admins can configure additional data policies for their team through the Wispr Flow admin portal. In the desktop app, team admins see an "Admin portal" button in Team settings that opens the portal. Regular team members see a "Contact admins" button instead.

Note: ZDR, Local Data Deletion, Enforce SSO, Context Awareness, and IP Allowlist require an Enterprise (Flow Business) subscription. Disable Team Trial requires any active Team or Enterprise subscription. These settings are not available on individual or Team-only plans. Users see this plan labeled "Enterprise" in the app.

  • Zero Data Retention (ZDR): Locks Privacy Mode ON for all team members. Users cannot disable it.

  • Local Data Deletion: Three policy levels are available — Store Normally (default), Delete After 24 Hours (deletes transcription history and AI editing data older than 24 hours), or Never Store (never writes transcription or AI editing data to the local device).

Warning: When Never Store is activated, all previously stored transcription history and AI editing data on the device is immediately deleted — it does not just prevent future writes.

  • HIPAA Business Associate Agreement (BAA): Enterprise admins manage the BAA through the admin portal. Individual users can view and sign a BAA directly within the app. Signing permanently locks Privacy Mode ON. To enforce Privacy Mode for all team members, also enable ZDR. BAA and ZDR are independent — both can lock Privacy Mode.

Warning: Signing a BAA is irreversible. The signer must enter their legal name to confirm. ZDR, by contrast, can be enabled or disabled by enterprise admins through the admin portal.

  • Enforce SSO: Requires all team members to authenticate via your organization's SSO provider. SSO enforcement is domain-based and applies to all users whose email domain matches your enterprise's registered domain(s). Supports SCIM directory sync for automated user provisioning.

Note: SSO enforcement requires an active Enterprise subscription (active, trialing, or past_due). If the subscription lapses, SSO enforcement is automatically suspended and users can log in via other methods.

  • Auto-Invite by Domain: Users with matching email domains can request to join your enterprise team. If auto-accept is configured, requests are approved immediately; otherwise, they go to admins for approval.

SCIM directory sync

When SCIM directory sync is enabled, the invite button is hidden, join request approve and deny actions are hidden, and the other domain users tab shows: "User management is controlled by your identity provider via SCIM." All user management must be done through your identity provider. Wispr Flow uses WorkOS as the directory sync provider.

SCIM provisioning respects your seat cap. If the cap is exceeded, new user provisioning is blocked and a warning is logged. If automatic provisioning fails, the system falls back to sending an invitation email.

SCIM-provisioned users are added with the default Member role. Admin or IT Admin roles must be assigned manually after the user is provisioned, via the admin portal.

Compliance documentation

Enterprise customers can request SOC 2 Type II compliance documentation by contacting Wispr support.

Common issues

Wispr Flow crashes on launch on Windows (GPU-related crash)

Some Windows users — across Intel, NVIDIA, and AMD GPUs — experienced crashes where Wispr Flow failed to start because of an error initializing the graphics process. This was fixed in a subsequent release. Hardware acceleration is now disabled on Windows, so the app uses software rendering instead. There is no visible difference in appearance or performance. Update Wispr Flow to the latest version to resolve.

Microphone list is empty in settings after upgrading on Windows

After upgrading to version 1.4.894 on Windows, some users saw a blank microphone selection dialog in settings with no audio devices listed. This was fixed in a subsequent release. Update Wispr Flow to the latest version to resolve.

Windows users incorrectly told microphone privacy is disabled (MDM/GPO-managed devices)

On some Windows machines — particularly those managed by MDM/GPO policies, Dell Optimizer, or other privacy management tools — Wispr Flow incorrectly showed a "microphone privacy disabled" error and blocked dictation, even when the microphone was working. This was caused by registry values that did not reflect the actual microphone permission state. This was fixed in a subsequent release; Flow now checks microphone access at runtime. Update Wispr Flow to the latest version to resolve.

Clicking to grant permissions opens the wrong System Settings pane on macOS 26 (Tahoe)

On macOS 26 (Tahoe), clicking to grant Accessibility, Microphone, or Screen Capture permissions during onboarding could open the wrong System Settings pane or nothing at all. This was fixed in a subsequent release. Update Wispr Flow to the latest version to resolve.

FAQs

Do end users need to do anything after deployment?

Yes. Users still go through onboarding when they first launch Wispr Flow. They choose between "Help improve Flow" (the default, allows data collection) and "Privacy Mode" (no dictation data stored or used for training). Privacy Mode must be actively chosen unless it is locked by enterprise policy (ZDR or HIPAA BAA).

On macOS with the PPPC profile deployed, the Permissions page shows Accessibility as already granted. Users see a one-time native macOS prompt for Microphone access.

What happens if I deploy without the configuration profile?

Users are prompted to manually grant Accessibility permissions in System Settings the first time they launch Wispr Flow. The app guides them through the process, but it requires user interaction. For microphone access, users see a native macOS permission dialog the first time Flow needs the microphone.

Can I use this profile for non-managed devices?

No. The configuration profile is for MDM-managed deployments only. On non-managed devices, users follow the standard installation process and approve Accessibility permissions manually.

What MDM solutions are supported?

Instructions are provided for Jamf Pro, Kandji, Microsoft Intune, Rippling, Mosyle, Munki, and Fleet. The .mobileconfig profile works with any MDM that supports custom configuration profiles. For other MDM solutions, contact Wispr support.

Can admins control how often Wispr Flow updates?

Yes. See the MDM-managed auto-update policy section above for available frequency values and deployment details. When a policy is active, users cannot change this setting and will see a message in the Settings sidebar confirming that updates are managed by their organization.

Permissions are not pre-granted after deploying the PPPC profile (macOS)

Make sure the profile is deployed to the device, not just the user. On macOS 15+, a restart may be needed after profile installation. Verify the profile is installed by checking System Settings → Profiles on the target device.

The app fails to launch after PKG install (macOS)

Check Console.app for crash logs related to com.electron.wispr-flow. Verify the app signature: codesign --verify --deep /Applications/Wispr\ Flow.app

The MSI fails when deployed via MDM (Windows)

Make sure you are deploying as SYSTEM, not user context. Use the .msi installer, not the .exe.

How do I check the installed version?

  • macOS: Run defaults read /Applications/Wispr\ Flow.app/Contents/Info.plist CFBundleShortVersionString

  • Windows: Check the registry at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall for the Wispr Flow entry.

How do I uninstall Wispr Flow?

  • macOS: Delete /Applications/Wispr Flow.app. Optionally remove user data at ~/Library/Application Support/Wispr Flow/.

  • Windows: Uninstall via Add/Remove Programs, or silently with msiexec /x "Wispr Flow-v{version}.msi" /quiet. The GUID approach msiexec /x {396d8b98-0a0d-5d72-8e7e-5d0c442674e9} /quiet is recommended for MDM scripts. Optionally remove user data at %APPDATA%\Wispr Flow\.

The MSI always installs to %ProgramFiles%\Wispr Flow\ — users cannot pick a custom install location.

What does "helper service persistent failure" mean?

If the native helper app fails to start after multiple retries, a persistent notification appears. Verify the helper app exists at the expected path inside Wispr Flow.app/Contents and check Accessibility permissions.

Limitations and notes

  • MDM deployment is supported on Mac and Windows only.

  • The macOS app ships in separate Apple Silicon (arm64) and Intel (x86_64) builds — deploy the architecture that matches your fleet.

  • On macOS, only Accessibility can be pre-granted via MDM. Microphone access cannot be pre-granted for third-party apps by MDM — users will be prompted on first use.

  • When an MDM-managed update frequency policy is active, the setting cannot be overridden by end users.

  • SCIM provisioning currently assigns the default Member role only; Admin and IT Admin roles must be assigned manually in the admin portal.

  • Granular per-domain capture policies are in development; the currently shipped Auto-Invite is an enterprise-wide toggle.

Still need help?

Reach out to Wispr support if:

  • You need help configuring one of the MDM providers listed above.

  • Permissions are not granting correctly after profile deployment.

  • You need help configuring enterprise data policies or requesting SOC 2 documentation.

When you write in, include your MDM provider, OS version, the Wispr Flow version, and what you have already tried. Most MDM issues are resolved in one or two replies.