Distribute the Desktop App using your Device Manager
- Updated on Dec 19, 2024
- Overview
- Zero touch deployment for macOS and Windows
- Zero touch deployment for CSE’s Chrome Extension
- Distributing the Linux desktop app
- Customizing desktop app functionality
- Other Deployment Scenarios
Overview
Organizations can use their Device Managers (such as VMware Workspace ONE, Jamf Pro, Microsoft Intune, etc.) to distribute and register the desktop app to their entire fleet of managed devices. This is the recommended way to deploy Cloud Secure Edge (CSE) during a production roll out, as it allows you to obtain information about the trust scores of managed devices without any user impact.
Zero touch deployment for macOS and Windows
We currently support zero touch installation across all device managers but have a detailed guide published for Intune and JAMF. We will continue adding device manager guides.
CSE’s zero touch installation allows admins to deploy the app on macOS and Windows without requiring user intervention. This method does not require local users to have admin privileges. The IT Admin deploys the zero touch install script silently via the Device Manager; the end user does not need to interact with the app at all for the installation and registration to complete successfully.
With zero-touch install, the following steps are automated:
- Creating an mdm-config.json file that specifies app functionality
- Downloading the latest app version and installing it (you can also optionally specify an exact app version)
- Staging the app with the device certificate that contains user information
- Starting the app as the logged-on user
When a user logs into their device after a Zero Touch Install, the desktop app can be launched automatically and can run silently in the background. The Device Certificate will also be associated with this user and will support passwordless authentication flows.
Zero touch deployment for CSE’s Chrome Extension
For steps on how to complete zero touch deployment of CSE’s Chrome Extension, see this doc.
Unstage Devices
To return devices to a clean state, pass in the following command line argument:
unstage - Run as an admin to remove the global staged files, allowing the device to be manually registered.
Run the following as an admin:
Windows: Start-Process -FilePath "C:\Program Files\Banyan\resources\bin\banyanapp-admin.exe" -ArgumentList "unstage"
macOS: '/Applications/Banyan.app/Contents/Resources/bin/banyanapp-admin' unstage
Distributing the CSE (formerly Banyan) Root Certificate for Windows
To completely eliminate any prompts for the end user when deploying the desktop app on Windows via zero touch, the CSE root certificate will need to be pushed via your Device Manager.
Please complete the following steps when supporting Zero Touch with Big Sur:
1. Obtain CSE root certificate by navigating from Settings > Configuration tab > Advanced tab > Issuing CA Certificate.
2. Update the mdm-config.json to set mdm_ca_certs_preinstalled to true.
3. Leverage your Device Manager to push down the root certificate.
Distributing the Linux desktop app
The desktop app installer for Linux is available in multiple formats (.deb, .rpm). You can download a specific version from the desktop app changelog.
There is currently no way to install and register the Linux app silently via a device manager.
Customizing desktop app functionality
You can customize desktop app functionality (such as device registration, startup behaviour, visible views, etc.) by configuring mdm parameters. For Zero Touch Installs, these parameters can be set in the script. For Linux, the mdm-config.json should be created and placed in the Global Config Directory via your Device Manager.
When you run the installer, the desktop app executable is placed in the Installation Directory on the device file system, while config files are placed in the Global Config Directory. The location of these directories depends on your Operating System:
Operating System | Installation Directory | Executable Name | Global Config Directory |
---|---|---|---|
macOS | /Applications/Banyan.app | Banyan | /etc/banyanapp |
Windows | %PROGRAMFILES%\Banyan | Banyan.exe | C:\ProgramData\Banyan |
Linux | /opt/Banyan | banyanapp | /etc/banyanapp |
The following parameters can be set to customize desktop app functionality:
Parameter | Permitted Values | Purpose | Description |
---|---|---|---|
mdm_invite_code | string | Registration | Provide the Invite Code needed to register a device to your organization. Obtain from Command Center. |
mdm_device_ownership | string | Registration | Set device ownership type to one of the following: “C” for corporate-owned, “E” for employee-owned, “S” for corporate-shared, and “O” for other |
mdm_ca_certs_preinstalled | boolean | Registration | Skip installation of Root and Intermediate CA certificates (because the Device Manager has already installed them) |
mdm_skip_cert_suppression | boolean | Registration | Skip installation of scripts that suppress browser certificate prompts (because the Device Manager has already run them) |
mdm_deploy_user | string | Zero Touch Install | Provide the name of the user this device should be registered to |
mdm_deploy_email | string | Zero Touch Install | Provide the email address of the user this device should be registered to |
mdm_reporting_interval | integer | Trust Scoring | Set time interval (in minutes) for how often desktop app reports device features |
mdm_present | boolean | Trust Scoring | Inform CSE that the device is managed by a Device Manager |
mdm_vendor_name | string | Trust Scoring | Inform CSE which Device Manager is managing the device |
mdm_vendor_udid | string | Trust Scoring | Inform CSE about the ID used by the Device Manager to uniquely identify this device |
mdm_disable_auto_update | boolean | App Behavior | Do not prompt the end user to upgrade their desktop app when a new version is released (because the Device Manager will push the new version) |
mdm_login_token_prompt_time | integer | App Behavior | Denotes the amount of time (in minutes) until the user receives a login token pre-expiration notification |
mdm_start_at_boot | boolean | App Behavior | Always launch desktop app on device bootup |
mdm_disable_quit | boolean | App Behavior | Hide the Quit button in the Desktop App |
mdm_hide_services | boolean | App Behavior | Hide the Services tab that displays the list of Services a user can access |
mdm_hide_on_start | boolean | App Behavior | Starts the Desktop App in a minimized state |
mdm__overwrite_k8_config | boolean | App Behavior | Replaces kube config file when set to true; updates kube config file by default (without this parameter) or when set to false |
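The two tables above (Global Config Directory per OS, and the permitted value type of each mdm parameter) are the whole contract for an mdm-config.json, so a Device Manager package should generate the file from a checked structure rather than by hand. The following Python script is an added example, not the vendor's tooling: it validates a parameter set against the types and ownership codes listed above, renders the JSON, and resolves the path where the file belongs on each OS. The invite code, user details, vendor name and device ID below are constructed placeholders, and the accepted strings for mdm_vendor_name are an assumption not stated on this page.

```python
"""Build and validate an mdm-config.json for the CSE desktop app.

Added example, not the vendor's own tooling. Parameter names, value types and
Global Config Directory paths are taken from the tables above; all values in
EXAMPLE_CONFIG are constructed placeholders.
"""
import json
import platform
from pathlib import Path, PurePosixPath, PureWindowsPath

# Global Config Directory per OS (keys are platform.system() names).
GLOBAL_CONFIG_DIR = {
    "Darwin": "/etc/banyanapp",
    "Windows": r"C:\ProgramData\Banyan",
    "Linux": "/etc/banyanapp",
}

# Permitted value type for each parameter, from the parameter table.
PARAM_TYPES = {
    "mdm_invite_code": str,
    "mdm_device_ownership": str,
    "mdm_ca_certs_preinstalled": bool,
    "mdm_skip_cert_suppression": bool,
    "mdm_deploy_user": str,
    "mdm_deploy_email": str,
    "mdm_reporting_interval": int,
    "mdm_present": bool,
    "mdm_vendor_name": str,
    "mdm_vendor_udid": str,
    "mdm_disable_auto_update": bool,
    "mdm_login_token_prompt_time": int,
    "mdm_start_at_boot": bool,
    "mdm_disable_quit": bool,
    "mdm_hide_services": bool,
    "mdm_hide_on_start": bool,
    "mdm__overwrite_k8_config": bool,
}
OWNERSHIP_CODES = {"C", "E", "S", "O"}  # corporate, employee, shared, other


def validate(config):
    """Return a list of problems; an empty list means the config is well-formed."""
    problems = []
    for key, value in config.items():
        expected = PARAM_TYPES.get(key)
        if expected is None:
            problems.append(f"unknown parameter {key!r}")
            continue
        # bool is a subclass of int in Python, so reject True/False for integer fields explicitly
        wrong_type = (expected is int and isinstance(value, bool)) or not isinstance(value, expected)
        if wrong_type:
            problems.append(f"{key} must be {expected.__name__}, got {type(value).__name__}")
        elif key == "mdm_device_ownership" and value not in OWNERSHIP_CODES:
            problems.append(f"mdm_device_ownership must be one of {sorted(OWNERSHIP_CODES)}")
        elif expected is str and not value.strip():
            problems.append(f"{key} must not be empty")
        elif expected is int and value <= 0:
            problems.append(f"{key} must be a positive number of minutes")
    return problems


def render(config):
    """Serialize a validated config as the JSON text to ship in the package."""
    problems = validate(config)
    if problems:
        raise ValueError("; ".join(problems))
    return json.dumps(config, indent=2, sort_keys=True) + "\n"


def config_path(system=None):
    """Where the Device Manager should place mdm-config.json for the given OS."""
    system = system or platform.system()
    base = GLOBAL_CONFIG_DIR[system]
    pure = PureWindowsPath(base) if system == "Windows" else PurePosixPath(base)
    return pure / "mdm-config.json"


def write_config(config, dest_dir=None):
    """Write the rendered config; dest_dir overrides the OS default (useful for staging)."""
    target = Path(dest_dir) / "mdm-config.json" if dest_dir else Path(str(config_path()))
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(render(config))
    return target


# Constructed example for a corporate-owned device enrolled by zero touch (placeholder values).
EXAMPLE_CONFIG = {
    "mdm_invite_code": "<invite code from Command Center>",
    "mdm_device_ownership": "C",
    "mdm_ca_certs_preinstalled": True,   # root/intermediate CA already pushed by the Device Manager
    "mdm_deploy_user": "Jane Doe",
    "mdm_deploy_email": "jane.doe@example.com",
    "mdm_present": True,
    "mdm_vendor_name": "<device manager name>",  # assumption: accepted values not listed on this page
    "mdm_vendor_udid": "<device id from the Device Manager>",
    "mdm_reporting_interval": 60,
    "mdm_disable_auto_update": True,     # the Device Manager pushes new versions
    "mdm_start_at_boot": True,
}

if __name__ == "__main__":
    print(render(EXAMPLE_CONFIG))
    print("place this file at:", config_path())
```

Run the script on the admin workstation to emit the JSON and the target path for the current OS; pass `dest_dir` to `write_config` to stage the file into a package directory rather than the live Global Config Directory.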
Configuring the mdm_start_at_boot parameter
When the mdm_start_at_boot parameter is included in the mdm-config.json configuration file, the CSE app checks this parameter every time the app starts. This happens whenever an end user (i) opens the app, (ii) registers the app for the first time, or (iii) restarts the app.
This check is done during the app’s ready phase. If mdm_start_at_boot is set to true, the app will use Electron’s setLoginItemSettings API to ensure that the app starts automatically when the computer boots up.
On macOS devices, the setLoginItemSettings API creates an entry in the Login Items and Extensions section of System Settings, allowing the app to start when the computer boots up.
On Windows devices, this adds a Registry entry under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, which tells the system to launch the app when the computer boots up.
The mdm_start_at_boot parameter is not applicable for Linux; so, if set, it has no effect.
Other Deployment Scenarios
Staged user and zero touch installation
In the default Zero Touch flow, the device should be registered to a specified user by setting the mdm-deploy-user and mdm-deploy-email parameters in the mdm-config.json file. The issued device certificate will contain a User Principal Name (UPN) username in the Subject Alternative Name field.
As a fallback, if user information is not specified or obtained during the zero-touch flow, the app will initially be registered to a STAGED USER, indicating it has been silently enrolled via zero touch installation. When a user logs into the device and accesses a service protected by Cloud Secure Edge, their username will automatically be associated with the device.
Device trust integration with Workspace ONE UEM
For organizations that have Workspace ONE UEM as their Device Manager and have already integrated CSE via the Workspace ONE UEM API, the desktop app will capture all the features that it normally captures. In addition, the app will use the Workspace ONE UEM API to check for Device Compliance. If Workspace ONE UEM reports the device as compliant, CSE will calculate Device Trust Level based on device features captured by the desktop app. If Workspace ONE UEM reports the device as non-compliant, the Device Trust Level is set to Always Deny.