Distribute the Banyan Desktop App using your Device Manager
- Updated on Nov 10, 2022
- Overview
- Zero Touch Deployment for macOS and Windows
- Distributing the Linux Desktop App
- Customizing desktop app functionality
- Other Deployment Scenarios
Overview
Organizations can use their Device Managers (such as VMware Workspace ONE, Jamf Pro, Microsoft Intune, etc.) to distribute and register the Banyan desktop app to their entire fleet of managed devices. This is the recommended way to deploy Banyan during a production roll out, as it allows you to obtain information about the trust scores of managed devices without any user impact.
Zero Touch Deployment for macOS and Windows
We currently support Zero Touch installation across all device managers but have a detailed guide published for Intune and JAMF. We will continue adding device manager guides.
Banyan’s Zero Touch Installation allows admins to deploy the Banyan app on macOS and Windows without requiring user intervention. This method does not require local users to have admin privileges. The IT Admin deploys the Zero Touch Install script silently via the Device Manager; the end user does not need to interact with the Banyan app at all for the installation and registration to complete successfully.
With Zero Touch Install, the following steps are automated:
- Creating an mdm-config.json file that specifies app functionality
- Downloading the latest Banyan app version and installing it (you can also optionally specify an exact app version)
- Staging the app with the device certificate that contains user information
- Starting the app as the logged-on user
When a user logs into their device after a Zero Touch Install, the Banyan Desktop app can be launched automatically and can run silently in the background. The Device Certificate will also be associated with this user and will support passwordless authentication flows.
Unstage Devices
To return devices to a clean state, pass in the following command line arguments:
unstage- Run as an admin to remove the global staged files, allowing the device to be manually registered.
Run the following as an admin:
Windows: Start-Process -FilePath "C:\Program Files\Banyan\resources\bin\banyanapp-admin.exe" -ArgumentList "unstage"
macOS: '/Applications/Banyan.app/Contents/Resources/bin/banyanapp-admin' unstage
Distributing the Banyan Root Certificate for Windows
To completely eliminate any prompts for the end user when deploying the Banyan Desktop app on Windows via Zero Touch, the Banyan root certificate will need to be pushed via your Device Manager.
Please complete the following steps when supporting Zero Touch with Big Sur:
1. Obtain Banyan root certificate by navigating from Settings > Advanced Settings > Issuing CA Certificate.
2. Update the mdm-config.json to set mdm_ca_certs_preinstalled to true.
3. Leverage your Device Manager to push down the root certificate.
Distributing the Linux Desktop App
The Banyan Desktop app installer for Linux is available in multiple formats (.deb, .rpm). You can download a specific version from the Desktop app Changelog.
There is currently no way to install and register the Linux app silently via Device Manager.
Customizing desktop app functionality
You can customize Banyan desktop app functionality (such as device registration, startup behavior, visible views, etc.) by configuring mdm parameters. For Zero Touch Installs, these parameters can be set in the script. For Linux, the mdm-config.json should be created and placed in the Global Config Directory via your Device Manager.
When you run the installer, the Banyan desktop app executable is placed in the Installation Directory on the device file system, while config files are placed in the Global Config Directory. The location of these directories depends on your Operating System:
| Operating System | Installation Directory | Executable Name | Global Config Directory |
|---|---|---|---|
| macOS | /Applications/Banyan.app |
Banyan |
/etc/banyanapp |
| Windows | %PROGRAMFILES%\Banyan |
Banyan.exe |
C:\ProgramData\Banyan |
| Linux | /opt/Banyan |
banyanapp |
/etc/banyanapp |
The following parameters can be set to customize desktop app functionality:
| Parameter | Permitted Values | Purpose | Description |
|---|---|---|---|
mdm_invite_code |
string | Registration | Provide the Invite Code needed to register a device to your organization. Obtain from Banyan Command Center. |
mdm_device_ownership |
string | Registration | Set device ownership type to one of the following: “C” for corporate-owned, “E” for employee-owned, “S” for corporate-shared, and “O” for other |
mdm_ca_certs_preinstalled |
boolean | Registration | Skip installation of Root and Intermediate CA certificates (because the Device Manager has already installed them) |
mdm_skip_cert_suppression |
boolean | Registration | Skip installation of scripts that suppress browser certificate prompts (because the Device Manager has already run them) |
mdm_deploy_user |
string | Zero Touch Install | Provide the name of the user this device should be registered to |
mdm_deploy_email |
string | Zero Touch Install | Provide the email address of the user this device should be registered to |
mdm_reporting_interval |
integer | Trust Scoring | Set time interval (in minutes) for how often desktop app reports device features |
mdm_present |
boolean | Trust Scoring | Inform Banyan that the device is managed by a Device Manager |
mdm_vendor_name |
string | Trust Scoring | Inform Banyan which Device Manager is managing the device |
mdm_vendor_udid |
string | Trust Scoring | Inform Banyan about the ID used by the Device Manager to uniquely identify this device |
mdm_disable_auto_update |
boolean | App Behavior | Do not prompt the end user to upgrade their desktop app when a new version is released (because the Device Manager will push the new version) |
mdm_login_token_prompt_time |
integer | App Behavior | Denotes the amount of time (in minutes) until the user receives a login token pre-expiration notification |
mdm_start_at_boot |
boolean | App Behavior | Always launch Desktop App on device bootup |
mdm_disable_quit |
boolean | App Behavior | Hide the Quit button in the Desktop App |
mdm_hide_services |
boolean | App Behavior | Hide the Services tab that displays the list of Services a user can access |
mdm_hide_on_start |
boolean | App Behavior | Starts the Desktop App in a minimized state |
Other Deployment Scenarios
Staged user and zero touch installation
In the default Zero Touch flow, the device should be registered to a specified user by setting the mdm-deploy-user and mdm-deploy-email parameters in the mdm-config.json file. The issued device certificate will contain a User Principal Name (UPN) username in the Subject Alternative Name field.
As a fallback, if user information is not specified or obtained during Zero Touch flow the Banyan App will initially be registered to a STAGED USER, indicating it has been silently enrolled via zero touch installation. When a user logs into the device and accesses a service protected by Banyan, their username will automatically be associated with the device.
Multi-user accounts and zero touch installation
Zero touch installation for multi-user accounts registers the device itself as a “Staged User” (without a UPN in the certificate). Then, when each user logs into the desktop app, they receive a certificate with their unique UPN. This allows multiple uniquely identified users to securely use the same device and access their private services.
To enable multi-user accounts on a device using zero-touch installation, set the MULTI_USER parameter in the to true:
Device trust integration with Workspace ONE UEM
For organizations that have Workspace ONE UEM as their Device Manager and have already integrated Banyan via the Workspace ONE UEM API, the Banyan desktop app will capture all the features that it normally captures. In addition, the app will use the Workspace ONE UEM API to check for Device Compliance. If Workspace ONE UEM reports the device as compliant, Banyan will calculate Device Trust Level based on device features captured by the desktop app. If Workspace ONE UEM reports the device as non-compliant, the Device Trust Level is set to Always Deny.
Can’t find what you’re looking for?
We’re happy to help. Contact our team.