# Takumi Guard: Admin Deployment for Organization-Wide Setup Takumi Guard now provides **deployment scripts for organization-wide setup**. Administrators can roll out Guard to all developer machines using their existing management tools — no developer interaction required. ## Overview Setting up Takumi Guard on individual developer machines can be time-consuming, especially for large teams. The new admin deployment feature provides ready-to-use scripts that configure npm, pip, uv, and Poetry to use the Guard registry proxy, handling token issuance and credential setup automatically. Tokens issued by the setup script can be viewed and managed in the Shisho Cloud console under **Guard** > **Tokens**. ![Token management UI](/docs/_md-assets/51a8daa7d5-ui-tokens.png) ## Getting Started The following diagram shows the overall architecture of admin deployment. ```mermaid flowchart LR subgraph AdminSide[Administrator / MDM] Admin[Administrator] MDM[Deployment Tool] end subgraph Cloud[Takumi / Shisho Cloud Console] Console[Console] API[Guard API] end Dev1[Developer Machine A] Dev2[Developer Machine B]:::faded Dev3[Developer Machine ...]:::faded Proxy[Guard Registry Proxy] Admin -- Create Bot and get admin API key --> Console Admin -- Register script incl. admin API key --> MDM MDM -- Run setup script --> Dev1 MDM -.-> Dev2 MDM -.-> Dev3 Dev1 & Dev2 & Dev3 -- Issue per-device registry token --> API Dev1 & Dev2 & Dev3 -- Package downloads --> Proxy classDef faded opacity:0.4 ``` Steps: 1. Create a Bot in the Shisho Cloud console (**Settings** > **Bots**) and assign the "Takumi Guard Token Issuer" role 2. Generate an API key for the Bot 3. Download the setup script from **Guard** > **Settings** > **Admin Deployment** 4. Wrap the script with your management tool (Jamf, Intune, Ansible, etc.) and deploy For detailed instructions, see the [Admin Deployment guide](/docs/t/guard/features/admin-deployment). :::info Paid Feature This feature requires an active Takumi subscription with Guard enabled. See [Pricing & Billing](/docs/t/guard/billing) for details. ::: ## Key Features ### Multi-ecosystem support Configures npm, pip, uv, and Poetry in a single script execution. No need to prepare separate instructions for each package manager your developers use. ### Idempotent execution Safe to run multiple times. On the first run, the script issues a token and updates configuration files. On subsequent runs, it detects existing tokens and reuses them, skipping already-configured tools. This makes it safe to push via your management tool on a recurring schedule. ### Incremental scope Start with npm only, then add PyPI later — incremental adoption is fully supported. Existing configurations are preserved when adding new ecosystems. ```sh # First run: npm only TG_BOT_API_KEY="..." ./setup.sh BOT_ID USER_ID npm # Later: add PyPI (npm config is preserved) TG_BOT_API_KEY="..." ./setup.sh BOT_ID USER_ID pypi ``` ### Backup creation Before modifying any configuration file, the script automatically creates a timestamped persistent backup (e.g., `~/.npmrc-backup-20260408-162351`). To revert Guard configuration, simply copy the backup file back. ## Important Notes Existing users who are already using Guard with email-verified tokens (`tg_anon_…`) cannot be consolidated into org user tokens (`tg_org_…`). Email-verified tokens and org user tokens are independent authentication methods. Existing email-verified tokens continue to work as before, but they are separate from the org user tokens issued by admin deployment. If you want unified management across your organization, we recommend distributing org user tokens via admin deployment and asking developers to remove their existing email-verified token configurations. ## Getting Started with Your Organization To use Guard's organization features (admin deployment, installation log search, etc.), you need a Takumi subscription with Guard enabled. 1. Go to [https://cloud.shisho.dev/hello/takumi](https://cloud.shisho.dev/hello/takumi) and sign in 2. Register your organization and subscribe to Takumi 3. Navigate to **Guard** > **Settings** from the sidebar 4. Click "Enable" to activate Guard ![Guard settings page](/docs/_md-assets/2cd981c76b-ui-guard-settings.png) Once Guard is enabled, follow the [Admin Deployment guide](/docs/t/guard/features/admin-deployment) to begin setup.