Intune - Zero Touch Installation of Desktop App

How to configure Intune zero touch deployment of Banyan Desktop App

  • Updated on Feb 18, 2022
This article describes features that are only available in the Banyan Enterprise edition.

Overview

Microsoft Intune is used to administer corporate laptops, phones, tablets, and other devices in your enterprise. The Banyan Desktop App can be distributed to your device fleet via Intune in Zero Touch mode, requiring no interaction from end users. Also, zero touch mode does not require the end user to be an administrator on the device.

The Banyan Desktop App is deployed, installed, and registered in a matter of seconds, making zero touch mode the recommended way to deploy Banyan with Intune.

Steps

There are two high-level steps required to silently deploy and install the Banyan Desktop App then register Windows devices with Banyan:

Prerequisites

Please ensure you are familiar with the mdm-config.json parameters to customize Banyan Desktop App functionality, paying particular attention to the following flags required to enable zero touch mode:

  • mdm_invite_code - Obtained from Command Center (Settings > App Deployment > Invite Code)
  • mdm_start_at_boot - Set to true

Step 1. Prepare the Banyan Zero Touch install script for Windows

Banyan provides a Powershell script that can be configured to automate the installation and registration process. See Banyan App Installer to download and configure the script.

The script will complete the following:

1) Create an mdm-config.json file that specifies app functionality

2) Download the latest Banyan app version and install it (you can also optionally specify an exact app version)

3) Stage the app with the device certificate

4) Start the app as the logged-on user

Step 2. Distribute the Zero Touch install script to Windows devices via Intune

Now that you’ve prepared the script, distribute it to your end users via Intune.

The following steps are based off of the Use PowerShell scripts on Windows 10/11 devices in Intune guide

2.1 Log in to your Microsoft Endpoint Manager admin center.

2.2 Navigate to Devices > Scripts.

2.3 Click + Add and select Windows 10 and later.

2.4 Enter in a Name and Description

2.5 Configure the Script settings and then click Next:

2.6 Add Assignments and select Add.

The Banyan Desktop App appears on the applicable Windows device(s) and then registers the device(s) with your Banyan tenant.

Staged User and Zero Touch installation

This feature needs to be explicitly enabled for your organization. Please contact Banyan Support to enable.

In the default Zero Touch flow, the Banyan App will initially be registered to a STAGED USER, indicating it has been silently enrolled via zero touch installation. When a user logs into the device and accesses a service protected by Banyan, their username will automatically be associated with the device.

You can optionally modify the Zero Touch flow to associate a device with a specific user instead of the STAGED USER by setting the mdm-deploy-user and mdm-deploy-email parameters in the mdm-config.json file. Now the device will always be associated with that specified user. In addition, the issued device certificate will contain a User Principal Name (UPN) username in the Subject Alternative Name field.

Upgrading the Desktop App via Intune

There may be scenarios requiring you to update the Banyan Desktop App after deploying it to your organization’s devices via Intune.

If you want to have organizational control of the Desktop App version, the easiest option is to configure the mdm-config.json file to set mdm_disable_auto_update to true. This flag disables prompts to end users to upgrade their Desktop App because the Device Manager will push the new version.

The Banyan Zero Touch install scripts also cover upgrade scenarios where you can specify the app version or upgrade to latest.