Enterprise admin guide
This guide walks org admins through configuring Preamp for a large organization. It covers creating the org hierarchy, verifying email domains for automatic onboarding, and monitoring backup compliance through the dashboard API.
Once your organization is set up, deploy the macOS agent to endpoints via your MDM. The signed .pkg files are available on the Package downloads page; the per-vendor flows are documented in the JAMF, Kandji, and Intune & Mosyle guides.
All endpoints require authentication via Authorization: Bearer <deviceToken> from an org admin account.
1. Create your organization
If you haven’t already, create the organization:
curl -X POST https://api.preamp.ai/org/create \
-H "Authorization: Bearer <deviceToken>" \
-H "Content-Type: application/json" \
-d '{ "name": "Cognizant" }'The creating user becomes the org admin automatically.
2. Organization units
Org units let you model your company structure — departments, teams, business units — each with their own policy overrides and delegated admins.
Create a unit
curl -X POST https://api.preamp.ai/org/units \
-H "Authorization: Bearer <deviceToken>" \
-H "Content-Type: application/json" \
-d '{
"name": "Engineering",
"adminUserIds": ["user_abc123"]
}'Response:
{
"unitId": "unit_def456",
"name": "Engineering",
"path": "/Engineering"
}Create child units
Nest units up to 5 levels deep by providing parentUnitId:
curl -X POST https://api.preamp.ai/org/units \
-H "Authorization: Bearer <deviceToken>" \
-H "Content-Type: application/json" \
-d '{
"name": "Backend",
"parentUnitId": "unit_def456"
}'This creates a unit at path /Engineering/Backend.
Set policy overrides
Units can tighten (but never relax) the org-level policy. For example, a team handling sensitive data can require hourly backups even if the org default is daily:
curl -X PUT https://api.preamp.ai/org/units/unit_def456 \
-H "Authorization: Bearer <deviceToken>" \
-H "Content-Type: application/json" \
-d '{
"policyOverrides": {
"minBackupFrequencyHours": 1,
"blockedFileExtensions": [".env", ".pem", ".key"]
}
}'Tightening rules:
| Field | ”Tighter” means |
|---|---|
minBackupFrequencyHours | Smaller (more frequent) |
retentionDaysMin | Larger (longer retention) |
maxRetentionDays | Smaller (stricter cap) |
maxStorageBytesPerUser | Smaller (less storage) |
requiredPaths | Union (more required) |
blockedFileExtensions | Union (more blocked) |
allowedFileExtensions | Intersection (fewer allowed) |
encryptionMode | required-client > org-kms > user-choice |
allowUserOptOut | false wins |
Assign members to units
curl -X POST https://api.preamp.ai/org/units/unit_def456/members \
-H "Authorization: Bearer <deviceToken>" \
-H "Content-Type: application/json" \
-d '{ "userId": "user_xyz789" }'List units
curl https://api.preamp.ai/org/units \
-H "Authorization: Bearer <deviceToken>"Unit admins
Users listed in adminUserIds can manage their unit — update settings, assign members, and view unit-scoped reports — without needing org-wide admin access.
Delete a unit
Units with child units cannot be deleted; remove children first. When a unit is deleted, its members are reassigned to the parent unit (or unassigned if it was a root unit).
curl -X DELETE https://api.preamp.ai/org/units/unit_def456 \
-H "Authorization: Bearer <deviceToken>"3. Domain verification
Instead of inviting users one-by-one, verify your email domain so anyone signing up with a matching email address is automatically enrolled in your organization.
Add a domain
curl -X POST https://api.preamp.ai/org/domains \
-H "Authorization: Bearer <deviceToken>" \
-H "Content-Type: application/json" \
-d '{ "domain": "cognizant.com" }'Response:
{
"message": "Domain added for verification",
"domain": "cognizant.com",
"verificationMethod": "dns-txt",
"dnsRecord": {
"type": "TXT",
"name": "cognizant.com",
"value": "agent-rewind-verify=abc123def456"
}
}Configure DNS
Add the TXT record to your domain’s DNS configuration:
| Type | Name | Value |
|---|---|---|
| TXT | _rewind_backup | agent-rewind-verify=abc123def456 |
This creates a TXT record at _rewind_backup.cognizant.com. Preamp checks for it every 4 hours. Once found, the domain status changes to verified. If the record is not found within 72 hours, verification fails — re-add the domain to try again.
Check verification status
curl https://api.preamp.ai/org/domains \
-H "Authorization: Bearer <deviceToken>"Response:
{
"domains": [
{
"domain": "cognizant.com",
"verificationStatus": "verified",
"verifiedAt": "2026-03-27T14:30:00Z",
"createdAt": "2026-03-27T10:00:00Z"
}
]
}How auto-enrollment works
Once a domain is verified:
- A new user signs up with
alice@cognizant.com. - Preamp detects that
cognizant.comis a verified domain for your org. - The user is automatically added as an active member (no admin approval required).
- The user immediately appears in your compliance dashboard.
This replaces the manual invite flow (which is rate-limited to 20/hour) with instant onboarding at any scale.
Remove a domain
curl -X DELETE https://api.preamp.ai/org/domains/cognizant.com \
-H "Authorization: Bearer <deviceToken>"Removing a domain stops future auto-enrollments. Existing members are not affected.
4. Compliance dashboard
The dashboard provides aggregate metrics about your organization’s backup health, updated daily by the compliance check (runs at 06:00 UTC).
Get current metrics
curl https://api.preamp.ai/org/dashboard \
-H "Authorization: Bearer <deviceToken>"Response:
{
"current": {
"totalMembers": 1250,
"inPolicy": 1180,
"outOfPolicy": 55,
"unknown": 15,
"totalStorageBytes": 524288000,
"activeBackups24h": 1200,
"neverBackedUp": 8
},
"trend": [
{
"date": "2026-03-25",
"totalMembers": 1240,
"inPolicy": 1170,
"outOfPolicy": 58,
"complianceRate": 94
},
{
"date": "2026-03-26",
"totalMembers": 1248,
"inPolicy": 1178,
"outOfPolicy": 56,
"complianceRate": 94
}
]
}The trend array contains up to 30 days of historical data for tracking compliance over time.
Get unit-level metrics
Drill into a specific unit:
curl https://api.preamp.ai/org/dashboard/units/unit_def456 \
-H "Authorization: Bearer <deviceToken>"Response:
{
"unitId": "unit_def456",
"metrics": {
"totalMembers": 45,
"inPolicy": 42,
"outOfPolicy": 3,
"totalStorageBytes": 15728640,
"activeBackups24h": 44,
"neverBackedUp": 0,
"complianceRate": 93
}
}Unit admins can view metrics for their own units.
Find non-compliant members
Identify the members most in need of attention:
curl "https://api.preamp.ai/org/dashboard/laggards?limit=10" \
-H "Authorization: Bearer <deviceToken>"Response:
{
"laggards": [
{
"userId": "user_abc",
"email": "bob@cognizant.com",
"complianceStatus": "out-of-policy",
"lastBackupAt": "2026-03-20T08:00:00Z",
"unitId": "unit_def456"
}
]
}5. Recommended setup sequence
For a new enterprise deployment:
- Create the organization and set the org-level policy (
PUT /org/policy). - Verify your email domain(s) so employees auto-enroll on signup.
- Create org units to mirror your department structure.
- Set policy overrides on units that handle sensitive data.
- Designate unit admins to delegate management.
- Deploy the client to employee machines via your MDM — see JAMF, Kandji, or Intune & Mosyle.
- Monitor the dashboard daily for compliance trends.
- Review laggards weekly and follow up with non-compliant teams.
API reference summary
| Endpoint | Method | Description |
|---|---|---|
/org/units | POST | Create an org unit |
/org/units | GET | List all org units |
/org/units/{unitId} | PUT | Update unit name, policy, or admins |
/org/units/{unitId} | DELETE | Delete a unit (no children allowed) |
/org/units/{unitId}/members | POST | Assign a member to a unit |
/org/units/{unitId}/members | GET | List unit members (paginated) |
/org/domains | POST | Add a domain for DNS verification |
/org/domains | GET | List domains and verification status |
/org/domains/{domain} | DELETE | Remove a verified domain |
/org/dashboard | GET | Org-wide metrics + 30-day trend |
/org/dashboard/units/{unitId} | GET | Unit-level metrics |
/org/dashboard/laggards | GET | Non-compliant members list |