Deploy Wispr Flow via MDM

Last updated: April 22, 2026

Available on: Mac, Windows (MDM-managed devices)

Deploy Wispr Flow across your organization with pre-authorized permissions — no manual approvals needed. This guide covers permission profiles, provider-specific steps, and enterprise data policies for macOS and Windows.

Before you begin

Important: Ensure devices are enrolled in your MDM solution and you have permissions to deploy profiles and apps.

macOS permission profiles

Wispr Flow needs two macOS permissions that can be pre-granted via MDM:

Permission

Why

Accessibility

Required for text insertion into applications

Microphone

Required for speech-to-text dictation

Two .mobileconfig profile options are available:

  • wispr-flow-all-permissions.mobileconfig (recommended): Grants both Accessibility and Microphone silently. Download file

  • wispr-flow-accessibility.mobileconfig: Grants Accessibility only; users get a one-time Microphone prompt. Download file

Note: Screen Capture permission (for context-aware features) may be requested at runtime but is not included in the provided MDM profiles and is not shown during onboarding.

Note: The Permissions onboarding page is macOS-only. On Windows, this page is skipped automatically since Windows does not require separate Accessibility or PPPC permissions.

App identity info

IT admins may need these details when configuring their MDM:

Property

Value

Bundle Identifier

com.electron.wispr-flow

Helper App Bundle Identifier

com.electron.wispr-flow.accessibility-mac-app (Swift helper app that performs accessibility operations; IT admins may need to include this in their PPPC profile alongside the main app identifier)

Team ID

C9VQZ78H85

Developer

Wispr AI INC

Code Requirement

identifier "com.electron.wispr-flow" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = C9VQZ78H85

The app is signed and notarized, so it's Gatekeeper-compliant. No need to disable Gatekeeper for deployment.

Note: Wispr Flow appears in both the menu bar and the Dock on macOS. When the Hub window is open, the app icon is visible in the Dock. Users can optionally hide the Dock icon in settings, which switches the app to menu-bar-only mode.

Note: The macOS app is available in separate builds for Apple Silicon (arm64) and Intel (x86_64). Deploy the appropriate architecture-specific PKG for your device fleet.

Note: Notable macOS entitlements: com.apple.security.cs.disable-library-validation, com.apple.security.cs.allow-jit, com.apple.security.cs.allow-unsigned-executable-memory, com.apple.security.device.audio-input, com.apple.security.device.camera (required for Electron framework functionality).

Platform-specific deployment

macOS

  1. Upload the .pkg to your MDM.

  2. Deploy to target devices (installs silently, no user interaction needed).

  3. Deploy the .mobileconfig permission profile to pre-grant Accessibility and Microphone.

The PKG identifier is com.electron.wispr-flow.pkg and installs to /Applications. The auto-updater is enabled by default.

Select the correct architecture-specific PKG for your fleet (Apple Silicon or Intel). MDM administrators can control update frequency via managed configuration: supported values are auto (default), weekly, bi-weekly, or monthly. The auto-updater includes a 20-minute cooldown after user dictation activity and a staggered rollout delay.

When users launch Wispr Flow, the Permissions page shows Accessibility and Microphone as already granted with green checkmarks. The Continue button appears automatically.

Note: If you deploy without pre-authorizing microphone access: On the Permissions onboarding page, clicking the microphone permission shows the native macOS permission dialog. If denied, clicking again opens System Settings > Privacy & Security > Microphone directly (allowing the user to grant it manually). At runtime (outside onboarding), if microphone permission was previously denied, the app opens System Settings automatically when microphone access is needed.

Note: On macOS 26 (Tahoe), Wispr Flow correctly navigates to the right Privacy & Security pane in System Settings when prompting users to grant Accessibility, Microphone, or Screen Capture permissions. If you have devices running macOS 26, ensure they are running the latest version of Wispr Flow.

Windows

Note: Wispr Flow ships two Windows installers: the .msi (WiX, for MDM/enterprise deployment, installs to %ProgramFiles%\Wispr Flow\) and the .exe (Squirrel, for individual users, installs to %LOCALAPPDATA%\WisprFlow\). Use the .msi for MDM deployment.

  1. Upload Wispr Flow-v{version}.msi to your MDM as a line-of-business app.

  2. Run silent install: msiexec /i "Wispr Flow-v{version}.msi" /quiet

Wispr Flow installs to %ProgramFiles%\Wispr Flow\ (when using the MSI installer for MDM deployment) and stores application data at %APPDATA%\Wispr Flow\.

Silent uninstall command: msiexec /x "Wispr Flow-v{version}.msi" /quiet or msiexec /x {396d8b98-0a0d-5d72-8e7e-5d0c442674e9} /quiet (using the fixed upgrade GUID, which works regardless of version).

Note: On Windows, Wispr Flow checks microphone access by attempting to use the microphone at runtime, rather than reading registry settings. MDM/GPO policies that set registry-level microphone privacy values do not affect whether Wispr Flow can access the microphone — the actual OS permission state is what matters.

MDM provider quick start

Jamf Pro

  1. Upload .pkg via Settings > Packages.

  2. Create a deployment policy targeting the right computers/groups.

  3. Deploy PPPC profile: Configuration Profiles > Upload > select the .mobileconfig.

  4. Update by uploading a new PKG and creating a new policy, or use Patch Management.

Kandji

  1. Navigate to Library > Custom Apps > Add Custom App > upload .pkg.

  2. Add an optional audit script to verify /Applications/Wispr Flow.app exists.

  3. Deploy PPPC: Library > Custom Profiles > Add Profile > upload .mobileconfig.

  4. Update by replacing the PKG in the Custom App.

Microsoft Intune

macOS:

  1. Navigate to Apps > macOS > Add > Line-of-business app > upload .pkg.

  2. Deploy PPPC: Devices > Configuration profiles > Create profile > Templates > Custom > upload .mobileconfig.

Windows:

  1. Navigate to Apps > Windows > Add > Line-of-business app > upload Wispr Flow-v{version}.msi.

  2. Set silent install command: msiexec /i "Wispr Flow-v{version}.msi" /quiet

Rippling

  1. Navigate to IT > Device Management > Software > upload .pkg (macOS) or .msi (Windows).

  2. Set install type to "silent."

  3. Deploy config profiles via IT > Device Management > Configuration Profiles.

Mosyle

  1. Navigate to Management > Apps > Custom Apps > upload .pkg.

  2. Deploy PPPC: Management > Profiles > Custom Profiles.

Munki

  1. Import PKG: munkiimport "Wispr Flow.pkg"

  2. Deploy PPPC profiles separately via your MDM (Munki does not manage profiles).

Munki handles version comparison for updates automatically.

Fleet

  1. Add PKG to the software library or use a custom policy.

  2. Deploy PPPC profiles via Fleet's MDM profile management.

  3. Verify installation: SELECT * FROM apps WHERE name = 'Wispr Flow'

Enterprise data policies

Enterprise admins can configure additional data policies for their team through the admin portal (requires an Enterprise subscription):

Note: ZDR, Local Data Deletion, and Enforce SSO require an Enterprise subscription (Business plan). These settings are not available on Team plans.

  • Zero Data Retention (ZDR): Locks Privacy Mode ON for all team members. Users cannot disable it.

  • Local Data Deletion: Three policy levels available — Store Normally (default), Delete After 24 Hours (deletes transcription history and AI editing data older than 24 hours), or Never Store (never writes transcription or AI editing data to the local device).

  • HIPAA Business Associate Agreement (BAA): Enterprise admins can manage the BAA through the admin portal. Individual (non-enterprise) users can view and sign a BAA directly within the app. Signing permanently locks Privacy Mode ON. To enforce Privacy Mode for all team members, also enable ZDR. BAA and ZDR are independent mechanisms — both can lock Privacy Mode.

  • Enforce SSO: Require all team members to authenticate via your organization's SSO provider. Supports SCIM directory sync for automated user provisioning. SSO enforcement is domain-based — it applies to all users whose email domain matches your enterprise's registered domain(s). An "active" subscription for SSO purposes includes active, trialing, and past_due statuses.

  • Auto-Invite by Domain: Users with matching email domains can request to join your enterprise team. If auto-accept is configured, their request is approved immediately; otherwise, it goes to admins for approval.

Warning: Signing a BAA is irreversible. The signer must enter their legal name to confirm. ZDR can be enabled or disabled by enterprise admins through the admin portal.

Warning: When Never Store is activated, all previously stored transcription history and AI editing data on the device is immediately deleted — it does not just prevent future writes.

Note: SSO enforcement requires an active enterprise subscription. If the subscription lapses, SSO enforcement is automatically suspended and users can log in via other methods.

Managing policies

These policies are configured through the Wispr Flow admin portal. In the desktop app, team admins see an "Admin portal" button in Team settings that opens the portal. Regular team members see a "Contact admins" button instead.

When SCIM directory sync is enabled, the invite button is hidden, join request approve/deny actions are disabled, and the other domain users tab shows: "User management is controlled by your identity provider via SCIM." All user management must be done through your identity provider.

SCIM provisioning respects your seat cap — if the cap is exceeded, new user provisioning is blocked and a warning is logged (the event is acknowledged to prevent retries). If automatic provisioning fails, the system falls back to sending an invitation email. SCIM uses WorkOS as the directory sync provider.

SCIM-provisioned users are added with the default member role. Admin roles must be assigned separately through the admin portal.

Enterprise customers can access SOC2 compliance documentation through the admin portal.

Common issues

Wispr Flow crashes on launch on Windows (GPU-related crash)

Some Windows users — across Intel, NVIDIA, and AMD GPUs — experienced crashes where Wispr Flow failed to start, caused by an error initializing the graphics process. This was fixed in a subsequent release. Hardware acceleration is now disabled on Windows, so the app uses software rendering instead. There is no visible difference in appearance or performance.

  1. Update Wispr Flow to the latest version.

Microphone list is empty in settings after upgrading on Windows

After upgrading to version 1.4.894 on Windows, some users saw a blank microphone selection dialog in settings with no audio devices listed. This was fixed in a subsequent release.

  1. Update Wispr Flow to the latest version.

Windows users incorrectly told microphone privacy is disabled (MDM/GPO-managed devices)

On some Windows machines — particularly those managed by MDM/GPO policies, Dell Optimizer, or other privacy management tools — Wispr Flow incorrectly showed a "microphone privacy disabled" error and blocked dictation, even when the microphone was actually working. This was caused by registry values that did not reflect the actual microphone permission state.

This was fixed in a subsequent release. Flow now checks microphone access by attempting to use the microphone at runtime, so registry values set by MDM/GPO policies no longer cause false blocks.

  1. Update Wispr Flow to the latest version.

Clicking to grant permissions opens the wrong System Settings pane on macOS 26 (Tahoe)

On macOS 26 (Tahoe), clicking to grant Accessibility, Microphone, or Screen Capture permissions during onboarding could open the wrong System Settings pane or nothing at all. This was fixed in a subsequent release.

  1. Update Wispr Flow to the latest version.

FAQs

Do end users need to do anything after deployment?

Yes. Users still go through onboarding when they first launch Wispr Flow. They see a data usage preference page where they choose between "Help improve Flow" (allows data collection to improve the product) and "Privacy Mode" (no dictation data stored or used for training). "Help improve Flow" is the default selection. Users must actively choose Privacy Mode unless it's locked by enterprise policy (ZDR or HIPAA BAA).

On macOS with the PPPC profile deployed, users then see the Permissions page with Accessibility and Microphone already granted (green checkmarks), and click Continue without needing to approve anything manually. If a permission was revoked after being granted, the app highlights the missing permission and shows an error — users need to re-grant it before continuing.

What happens if I deploy without the configuration profile?

Users are prompted to manually grant Accessibility permissions in System Settings when they first launch Wispr Flow. The app guides them through this process, but it requires user interaction. For microphone access, users see a native macOS permission dialog the first time Flow needs the microphone.

Can I use this profile for non-managed devices?

No. The configuration profile is designed for MDM-managed deployments only. For non-managed devices, users follow the standard installation process and approve Accessibility permissions manually.

What MDM solutions are supported?

Instructions are provided for Jamf Pro, Kandji, Microsoft Intune, Rippling, Mosyle, Munki, and Fleet. The .mobileconfig profiles work with any MDM that supports custom configuration profiles. For other MDM solutions, contact Wispr support for assistance.

Permissions not pre-granted after deploying PPPC profile (macOS)?

Ensure the profile is deployed to the device (not just the user). On macOS 15+, a restart may be needed after profile installation. Verify the profile is installed by checking System Settings > Profiles on the target device.

App fails to launch after PKG install (macOS)?

Check Console.app for crash logs related to com.electron.wispr-flow. Verify the app signature by running: codesign --verify --deep /Applications/Wispr\ Flow.app

MSI fails when deployed via MDM (Windows)?

Ensure you are deploying as SYSTEM (not user context). Use the .msi installer, not .exe.

How do I check the installed version?

  • macOS: Run: defaults read /Applications/Wispr\ Flow.app/Contents/Info.plist CFBundleShortVersionString

  • Windows: Check registry: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall for the Wispr Flow entry.

How do I uninstall Wispr Flow?

  • macOS: Delete /Applications/Wispr Flow.app. Optionally remove user data: ~/Library/Application Support/Wispr Flow/

  • Windows: Uninstall via Add/Remove Programs, or silently: msiexec /x "Wispr Flow-v{version}.msi" /quiet or msiexec /x {396d8b98-0a0d-5d72-8e7e-5d0c442674e9} /quiet (GUID approach recommended for MDM scripts). Optionally remove user data: %APPDATA%\Wispr Flow\

What does "helper service persistent failure" mean?

If the native helper app fails to start after multiple retries, a persistent notification is shown. Verify the helper app exists at the expected path inside Wispr Flow.app/Contents and check accessibility permissions.

Still need help?

Reach out to Wispr support if:

  • You need help configuring any of the MDM providers listed above

  • Permissions are not granting correctly after profile deployment

  • You need assistance configuring enterprise data policies or accessing SOC2 documentation