MDM & Enterprise Deployment Guide

Last updated: April 30, 2026

Available on: Mac, Windows

Deploy Wispr Flow across your managed fleet with Kandji, Jamf, Mosyle, Intune, or any other MDM. This guide covers the right installers, macOS PPPC profiles, auto-update behavior, network allowlisting, and enterprise policy controls.


Choose the right installer

Use the platform-specific managed installer below. Do not use the macOS DMG or the Windows Squirrel Setup.exe for managed deployments — those are intended for end-user installs.

macOS (PKG)

The PKG installer is the correct artifact for MDM deployment on macOS. Target the localSystem domain so the app installs to /Applications.

| Detail | Value |
| --- | --- |
| Filename format | Wispr Flow-v<version>.pkg |
| Install location | /Applications |
| Bundle identifier | com.electron.wispr-flow.pkg |
| Signing | Developer ID Installer: Wispr AI INC (C9VQZ78H85) |
| Notarization | Apple-notarized and stapled (passes Gatekeeper) |
| Architecture | Universal (Apple Silicon arm64 + Intel x86_64) |
| Minimum macOS | macOS 12.0 (Monterey) |
| Pre/post-install scripts | None |
| Installer UI | Disabled (customize='never') |
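
Before a new PKG is uploaded to the MDM, the signer and notarization listed above can be checked mechanically. The script below is an added example, not Wispr's own tooling: it parses the report printed by pkgutil --check-signature, and the report wording it matches, the function name pkg_signature_ok and the sample report are assumptions constructed for illustration.

```bash
#!/bin/bash
# Added example: check a PKG's signer before uploading it to the MDM.
# The expected signer is the value this guide lists for the macOS PKG.
EXPECTED_SIGNER="Developer ID Installer: Wispr AI INC (C9VQZ78H85)"

# Constructed sample of `pkgutil --check-signature` output (not a real capture);
# the version number and dates are placeholders.
SAMPLE_REPORT='Package "Wispr Flow-v0.0.0.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Notarization: trusted by the Apple notary service
   Signed with a trusted timestamp on: 2026-01-01 00:00:00 +0000
   Certificate Chain:
    1. Developer ID Installer: Wispr AI INC (C9VQZ78H85)
       Expires: 2030-01-01 00:00:00 +0000
    2. Developer ID Certification Authority
    3. Apple Root CA'

# pkg_signature_ok TEXT: succeeds only if TEXT (pkgutil's report) shows a
# Developer ID signature, a notarization ticket, and the expected leaf signer.
pkg_signature_ok() {
    sig_report=$1
    # Entry "1." of the certificate chain is the leaf (signing) certificate.
    sig_leaf=$(printf '%s\n' "$sig_report" |
        sed -n -e 's/[[:space:]]*$//' -e 's/^[[:space:]]*1\.[[:space:]]*//p' | head -n 1)
    if [ "$sig_leaf" != "$EXPECTED_SIGNER" ]; then
        echo "unexpected signer: ${sig_leaf:-none found}" >&2; return 1
    fi
    if ! printf '%s\n' "$sig_report" | grep -q 'Status: signed by a developer certificate issued by Apple'; then
        echo "not signed with an Apple-issued developer certificate" >&2; return 1
    fi
    if ! printf '%s\n' "$sig_report" | grep -q 'Notarization: trusted by the Apple notary service'; then
        echo "no trusted notarization" >&2; return 1
    fi
    return 0
}

# With a path argument, check that package (macOS only); otherwise use the sample.
if [ -n "${1:-}" ]; then
    pkg_report=$(pkgutil --check-signature "$1" 2>&1)
else
    pkg_report=$SAMPLE_REPORT
fi
if pkg_signature_ok "$pkg_report"; then
    echo "OK: signed by $EXPECTED_SIGNER"
else
    echo "REJECT: do not deploy this package" >&2
fi
```

On a Mac, pass the downloaded package path as the first argument; with no argument the script evaluates the constructed sample.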

Windows (MSI)

The WiX MSI is the correct artifact for Windows enterprise deployment. The upgrade GUID is stable across releases, so Intune, SCCM, and similar tools detect and upgrade existing installs automatically.

| Detail | Value |
| --- | --- |
| Filename | Wispr Flow-v<version>.msi |
| Install location | C:\Program Files\Wispr Flow\ |
| MSI size | ~47 MB |
| Upgrade GUID | 396d8b98-0a0d-5d72-8e7e-5d0c442674e9 |
| Signing | Azure Trusted Signing (SHA256 + timestamp) |

Silent install and uninstall:

msiexec /i "Wispr Flow-v<version>.msi" /quiet
msiexec /x "Wispr Flow-v<version>.msi" /quiet

Deploy macOS PPPC profiles

Wispr Flow requires Accessibility and Microphone permissions on macOS. Two ready-to-deploy .mobileconfig PPPC profiles are available to pre-grant these permissions silently. Windows does not require PPPC profiles — all permissions are granted automatically.

| Profile | Grants |
| --- | --- |
| wispr-flow-all-permissions.mobileconfig | Accessibility + Microphone |
| wispr-flow-accessibility.mobileconfig | Accessibility only (users prompted for Microphone on first use) |

Both profiles use:

  • Bundle ID: com.electron.wispr-flow

  • Team ID: C9VQZ78H85 (Wispr AI INC)

  • StaticCode: false (profiles remain valid across app version updates)

  • PayloadRemovalDisallowed: true

The profiles work with Kandji, Jamf, Mosyle, Intune, and any other MDM that supports Apple configuration profiles. Deploy them before or alongside the app to avoid permission prompts. To request the profile files, email support@wisprflow.ai.

Note: The app may also request Screen Capture permission at runtime for features like context-aware dictation. This is not included in the PPPC profiles. To pre-grant it, create a custom configuration profile for com.electron.wispr-flow.


Manage auto-updates

Wispr Flow includes a built-in auto-updater (Electron's autoUpdater, which is Squirrel-based — not Sparkle). Understanding how it behaves matters when planning fleet updates.

How auto-updates work

  1. The app checks for updates immediately on every launch.

  2. Subsequent checks occur at randomized intervals between 30 minutes and 5 hours.

  3. After an update is downloaded, it waits at least 20 minutes since the last dictation action before applying. On the first download, an additional random delay of up to 60 minutes is added to spread restarts across the fleet. If a dictation is in progress, the update is deferred until it finishes.

  4. If an update fails, it retries up to 3 times with doubling backoff (20 min, 40 min, 80 min), then pauses for 24 hours.

Updates apply only when the system is online and active or idle — not when the screen is locked or the system is sleeping. After all retries fail, a system notification alerts the user. Update status is also visible in the macOS application menu and the system tray on both platforms (e.g., "Update downloading…", "Update ready, restart now?").

Note: Update retry tracking persists across app restarts. If the app restarts after an update attempt but the version hasn't changed, the retry counter increments. The 3-retry limit is cumulative across sessions, not per run.

Important: There is no user-facing toggle or MDM configuration to disable auto-updates. The auto-updater needs write access to the app bundle in /Applications. If end users are not local admins, macOS prompts them for admin credentials when an update is available.

Update non-admin users via MDM

If your users are not local admins on macOS, manage updates through your MDM tool:

  1. Push new PKG versions to the fleet as they are released.

  2. Install silently to /Applications — no user interaction required.

  3. Verify on next launch that the built-in updater detects the new version and skips its update cycle.


Network requirements

If your organization restricts outbound traffic, allowlist these domains. The Windows MSI is roughly 47 MB — plan deployment bandwidth and caching accordingly for large fleets or bandwidth-constrained sites.

| Domain | Purpose |
| --- | --- |
| dl.wisprflow.com | CDN for update delivery (may redirect to S3 origin) |
| wispr-packages.s3.us-west-2.amazonaws.com | S3 origin for update packages |
| api.wisprflow.ai | Wispr Flow API (auth, enterprise policies, preferences sync) |
| dodjkfqhwrzqjwkfnthl.supabase.co | Authentication service (Supabase) |
| o4506267787395072.ingest.sentry.io | Error reporting (Sentry) |
| wisprflow.ai | Web app and account management |

The app also registers the custom URL scheme wispr-flow://. If your organization restricts URL scheme handlers, allow this scheme.


Configure enterprise policy controls

Enterprise policies are enforced server-side through the Wispr Flow admin portal, not through MDM managed preferences. Enterprise data is fetched on each app launch, so changes in the admin portal take effect the next time the app starts.

  • Zero Data Retention (ZDR): Disables data sharing for model improvement. No dictation data is retained on Wispr servers or used for training. Enterprise plan only.

  • Local data retention policy: Controls how long transcription data is kept on device. Options: Store normally, Delete after 24 hours, Never store. With "Delete after 24 hours," the app deletes transcription history and polish data older than 1 day on each launch. With "Never store," all local history and polish data is deleted on every launch. Local data storage is configured separately from ZDR. Enterprise plan only.

  • Context awareness: Controls whether the app reads surrounding text from active applications to improve dictation accuracy. Found under Data Controls in Organization settings. Set to "Available" by default (users can toggle it themselves) or "Disable for all users" to force it off org-wide. When disabled, each user's toggle in Data & Privacy is turned off and locked. Enterprise plan only.

  • Hide team leaderboard: Removes the Leaderboard tab from the Insights page and suppresses weekly leaderboard rank notifications for all members. Admins retain full access to both. Found under Organization settings. Enterprise plan only.

  • SSO enforcement: Requires single sign-on for all team members. Enterprise plan only.

  • SCIM provisioning: Automated user provisioning and deprovisioning.

  • Auto-invite by domain: Automatically invites users who sign up with your company's email domain. Available to all enterprise teams by default.

  • IT Admin role: Grants a team member access to manage the team, billing, and SSO without consuming a dictation seat. IT Admins cannot use Wispr Flow dictation. Assign this role from the role dropdown in the Members table, or select it when inviting a new member. Changing a member to or from IT Admin triggers a confirmation dialog explaining the impact on their product access and your paid seat count.

Note: SSO enforcement is automatically suspended if the enterprise subscription lapses, allowing users to log in via standard methods until the subscription is renewed.

Warning: When SCIM directory sync is active, manual member management is disabled — all user adds and removes must go through your identity provider. SCIM provisioning is also subject to the enterprise seat cap; new provisioning stops when the cap is reached.

Warning: Signing the HIPAA BAA in-app permanently locks privacy mode ON. This action is irreversible.


App identity and signing

| Detail | macOS | Windows |
| --- | --- | --- |
| Bundle ID / App name | com.electron.wispr-flow | Wispr Flow |
| Team ID | C9VQZ78H85 | N/A |
| App signing | Developer ID Application: Wispr AI INC | Azure Trusted Signing (SHA256) |
| Installer signing | Developer ID Installer: Wispr AI INC | Same as app signing |
| Sandboxed | No | N/A |

macOS hardened runtime entitlements include JIT compilation, unsigned executable memory, DYLD environment variables, disabled library validation (standard for Electron-based apps), audio input device access (com.apple.security.device.audio-input), and camera access (com.apple.security.device.camera).


Data storage locations

macOS

  • Preferences: ~/Library/Application Support/Wispr Flow/config.json

  • Logs: ~/Library/Logs/Wispr Flow/

  • App bundle: /Applications/Wispr Flow.app

Preferences are stored in a JSON file (electron-store), not in macOS NSUserDefaults. MDM profiles cannot currently inject or override user preferences.

Windows

  • User data: %APPDATA%\Wispr Flow\

  • MSI install: C:\Program Files\Wispr Flow\

  • Per-user install (not for enterprise): %LOCALAPPDATA%\WisprFlow\


Verify the installed version

To check the installed version on managed devices:

macOS

Run this command in Terminal or via your MDM script runner:

defaults read /Applications/Wispr\ Flow.app/Contents/Info.plist CFBundleShortVersionString

Windows

Check the registry at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall for the Wispr Flow entry.


Deployment checklist

  1. Choose the right installer: PKG on macOS, MSI on Windows. Do not use the DMG or Setup.exe for managed deployments.

  2. Deploy PPPC profiles on macOS before or alongside the app to prevent permission prompts.

  3. Allowlist network domains so updates and authentication work — at minimum, dl.wisprflow.com and wispr-packages.s3.us-west-2.amazonaws.com.

  4. Configure enterprise policies (ZDR, data retention, context awareness, hide team leaderboard, SSO) in the Wispr Flow admin portal.

  5. Assign the IT Admin role to any team members who need to manage the team, billing, or SSO but won't be using Wispr Flow for dictation. This keeps your paid dictation seat count accurate.

  6. Plan for updates: if users are not local admins on macOS, push PKG updates via MDM so the auto-updater doesn't prompt for credentials.

  7. Note that the app automatically enables "Launch at login" on first run.

  8. Verify deployment using the version-check commands above.


FAQs

Can I disable auto-updates via MDM?

Not currently. The MDM managed preferences infrastructure exists in the app but no configuration keys are active yet. The intended macOS path is /Library/Managed Preferences/com.electron.wispr-flow.plist and the Windows registry path is HKLM\SOFTWARE\Policies\WisprAI\Flow. Update frequency types (auto, weekly, bi-weekly, monthly) are defined in code, but the MDM read logic is not yet implemented — the app always uses "auto" today. These options are planned for a future release.

Do PPPC profiles need to be redeployed when the app updates?

No. Both profiles use StaticCode=false, so they remain valid across app version updates without redeployment.

Can I use MDM to push app preferences?

Not at this time. Wispr Flow stores preferences in a JSON file (electron-store), not in macOS NSUserDefaults or the Windows registry. Enterprise-level settings (ZDR, data retention, context awareness, SSO) are managed server-side via the admin portal.

Which preferences sync across devices?

Seven preference fields sync to the server: usage data sharing, selected languages, personalization styles, personalization onboarding status, polish instructions, local data policy, and fulfilled intents. Auto-cleanup level also syncs when auto-cleanup is active. All other preferences (theme, shortcuts, sounds, launch-at-login, etc.) are local to each device.

What macOS version is required?

macOS 12.0 (Monterey) or later.

Can admins prevent Flow from reading surrounding text in active apps?

Yes — see the Context awareness control in the policy section above. Set it to "Disable for all users" in Organization settings → Data Controls. Enterprise plan only.

Can admins hide the team leaderboard from regular members?

Yes — see the Hide team leaderboard control in the policy section above. Admins always retain full access. Enterprise plan only.

Does the IT Admin role use a paid dictation seat?

No. IT Admins can manage the team, billing, and SSO but cannot use Wispr Flow for dictation, and they do not consume a paid dictation seat. When you change a member's role to or from IT Admin, a confirmation dialog will explain the impact on their access and your seat count.


Still need help?

Reach out to our support team if:

  • You need the PPPC .mobileconfig profile files for your MDM deployment.

  • You have questions about enterprise policy configuration or HIPAA BAA signing.

  • You hit issues deploying the PKG or MSI across your fleet.

Email support@wisprflow.ai. Include your MDM platform, OS version, and what you've already tried — most enterprise deployment questions are resolved in one reply.