Intune - Zero Touch Installation of the Desktop App

How to configure Intune zero touch deployment of Banyan Desktop App

  • Updated on Dec 15, 2022

This article describes features that are only available in the Banyan Enterprise edition.

Zero Touch Installs for Windows require additional steps. See here for more details.

Overview

Microsoft Intune is used to administer corporate laptops, phones, tablets, and other devices in your enterprise. The Banyan Desktop App can be distributed to your device fleet via Intune in Zero Touch mode, requiring no interaction from end users. Also, zero touch mode does not require the end user to be an administrator on the device.

The Banyan Desktop App is deployed, installed, and registered in a matter of seconds, making zero touch mode the recommended way to deploy Banyan with Intune.

Steps

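There are two high-level steps required to silently deploy and install the Banyan Desktop App and then register Windows devices with Banyan: preparing the Zero Touch install script (Step 1) and distributing it to Windows devices via Intune (Step 2).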

Prerequisites

  • Deployment Key: Obtained from the Command Center under Settings > App Deployment > Zero-Touch Deployment Using a Device Manager.
  • Invite Code: Obtained from Command Center under Settings > App Deployment > Invite Code.
  • Ensure that you’re familiar with mdm-config.json parameters to customize Banyan Desktop App functionality, paying particular attention to the following flags required to enable zero touch mode:

    • mdm_start_at_boot - Recommended to set as true to ensure the app starts consistently
    • mdm_hide_on_start - Recommended to set as true to ensure the app doesn’t foreground every time the user logs in

Step 1: Prepare the Banyan Zero Touch install script for Windows

1.1 Download the script from the Banyan repo: [Banyan App Installer](https://github.com/banyansecurity/app-installer/blob/main/device_manager/banyan-windows-intune.ps1).

1.2 Configure the script by entering the following values:

  • The INVITE_CODE value: This value can be found in Banyan’s Cloud Command Center under Settings > Desktop & Mobile > App Deployment.

  • The DEPLOYMENT_KEY value: This value can also be found under Settings > App Deployment, under the sub-header Zero-Touch Deployment Using a Device Manager. Select the Copy icon to the right of the Deployment Key value, and enter the copied value into your script.

  • The APP_VERSION value: You have the option of specifying an app version or leaving this value blank; if left blank, this field will auto-populate with the latest app version.

Note: Once configured, Banyan’s script automates the installation and registration process. The script will (i) generate an mdm-config.json file; (ii) download and install the latest version of Banyan’s app; (iii) stage the app with the device certificate; and (iv) start the app as the logged-in user.

Step 2: Distribute the Zero Touch install script to Windows devices via Intune

Now that you’ve prepared the script, distribute it to your end users via Intune.

The following steps are based on the "Use PowerShell scripts on Windows 10/11 devices in Intune" guide.

2.1 Log in to your Microsoft Endpoint Manager admin center.

2.2 Navigate to Devices > Scripts.

2.3 Click + Add and select Windows 10 and later.

2.4 Enter a Name and Description.

2.5 Configure the Script settings and then click Next:

2.6 Add Assignments and select Add.

The Banyan Desktop App appears on the applicable Windows device(s) and then registers the device(s) with your Banyan tenant.

Staged User and Zero Touch installation

In the default Zero Touch flow, the device should be registered to a specified user by setting the mdm-deploy-user and mdm-deploy-email parameters in the mdm-config.json file. The issued device certificate will contain a User Principal Name (UPN) username in the Subject Alternative Name field.

As a fallback, if user information is not specified or obtained during the Zero Touch flow, the Banyan App will initially be registered to a STAGED USER, indicating it has been silently enrolled via zero touch installation. When a user logs into the device and accesses a service protected by Banyan, their username will automatically be associated with the device.

Upgrading the Desktop App via Intune

There may be scenarios requiring you to update the Banyan Desktop App after deploying it to your organization’s devices via Intune.

If you want to have organizational control of the Desktop App version, the easiest option is to configure the mdm-config.json file to set mdm_disable_auto_update to true. This flag disables prompts to end users to upgrade their Desktop App because the Device Manager will push the new version.

The Banyan Zero Touch install scripts also cover upgrade scenarios where you can specify the app version or upgrade to latest.
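
An added example (not Banyan's script and not part of the original page): a PowerShell check that audits a generated mdm-config.json for the flags named in the Prerequisites and Upgrading sections, and reports whether the device will fall back to STAGED USER. The function name and the sample JSON are constructed for illustration; key names are spelled as they appear on this page.

```powershell
# Added example: audit mdm-config.json content against the settings this page names.
# Test-ZeroTouchConfig is a hypothetical helper; key names are spelled as on this page.
function Test-ZeroTouchConfig {
    param([Parameter(Mandatory)][string]$Json)

    try { $cfg = $Json | ConvertFrom-Json -ErrorAction Stop }
    catch { return [pscustomobject]@{ Setting = '(file)'; Status = 'FAIL'; Detail = 'not valid JSON' } }

    $findings = @()
    # Flags the page says to set to true, with the consequence of leaving them unset.
    $expected = [ordered]@{
        mdm_start_at_boot       = 'app may not start consistently'
        mdm_hide_on_start       = 'app foregrounds every time the user logs in'
        mdm_disable_auto_update = 'end users are prompted to upgrade the app themselves'
    }
    foreach ($name in $expected.Keys) {
        $prop = $cfg.PSObject.Properties[$name]
        # Require a JSON boolean true; a quoted "true" is flagged for review.
        $ok = ($null -ne $prop) -and ($prop.Value -is [bool]) -and $prop.Value
        $findings += [pscustomobject]@{
            Setting = $name
            Status  = if ($ok) { 'OK' } else { 'REVIEW' }
            Detail  = if ($ok) { 'true' } else { $expected[$name] }
        }
    }

    # Without both user fields the device registers to STAGED USER until first access.
    $missing = @('mdm-deploy-user', 'mdm-deploy-email') | Where-Object {
        $p = $cfg.PSObject.Properties[$_]
        ($null -eq $p) -or [string]::IsNullOrWhiteSpace([string]$p.Value)
    }
    $findings += [pscustomobject]@{
        Setting = 'registered user'
        Status  = if ($missing) { 'INFO' } else { 'OK' }
        Detail  = if ($missing) { "STAGED USER fallback (missing: $($missing -join ', '))" } else { 'named user' }
    }
    return $findings
}

# Constructed sample: hide-on-start given as a string, no user information supplied.
$sample = '{"mdm_start_at_boot": true, "mdm_hide_on_start": "true", "mdm_disable_auto_update": true}'
Test-ZeroTouchConfig -Json $sample | Format-Table -AutoSize
```

To audit a real device, pass the file content with `Get-Content -Raw` from wherever the install script wrote mdm-config.json.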

