Jamf Pro - Zero Touch Installation of the Desktop App

How to configure Jamf Pro zero touch deployment of the desktop app

  • Updated on May 21, 2024


Jamf Pro is used to administer corporate laptops, phones, tablets, and other devices in your enterprise. The desktop app can be packaged and distributed to your device fleet via Jamf Pro in zero touch mode, requiring no interaction from end users. Also, zero touch mode does not require the end user to be an administrator on the device.

The desktop app is deployed, installed, and registered in a matter of seconds, making zero touch mode the recommended way to deploy Cloud Secure Edge (CSE) with Jamf Pro.


There are two high-level steps required to silently deploy and install the desktop app then register macOS devices with CSE:


  • Deployment Key: Obtained from the Command Center under Settings > Banyan Client tab > Deployment tab, under the heading Zero-Touch Deployment Using a Device Manager.
  • Invite Code: Obtained from Command Center under Settings > Banyan Client tab > Deployment tab > Invite Code.
  • Ensure that you’re familiar with mdm-config.json parameters to customize Banyan Desktop App functionality, paying particular attention to the following flags required to enable zero touch mode:

    • mdm_start_at_boot - Recommended to set as true to ensure the app starts consistently
    • mdm_hide_on_start - Recommended to set as true to ensure the app doesn’t foreground every time the user logs in

Step 1: Prepare the zero touch install script for macOS

CSE provides a bash script that can be configured to automate the installation and registration process. See Banyan App Installer to download and configure the script.

The script will complete the following:

1) Create an mdm-config.json file that specifies app functionality

2) Download the latest app version and install it (you can also optionally specify an exact app version)

3) Stage the app with the device certificate that contains user information

4) Start the app as the logged-on user

Step 2: Distribute a Configuration Profile with User info

CSE’s bash script will leverage name and email when silently registering the app. This configuration profile will contain the users information on the device for the script to leverage.

2.1 Navigate to Computers > Configuration Profiles and select Add.

  • Name: Zero Touch User Info

2.2 Scroll to Application & Custom Settings in the payloads list and add an External Application.

  • Source: Custom Schema
  • Preference Domain: userinfo

2.3 Edit the schema with the following:

  "title": "Zero Touch User Info",
  "description": "Writes user information for zero touch script to leverage",
  "properties": {
    "deploy_user": {
      "title": "Full Name",
      "description": "The Jamf username",
      "property_order": 10,
      "type": "string"
    "deploy_email": {
      "title": "Email",
      "description": "The Jamf user email address",
      "property_order": 10,
      "type": "string"

2.4 Map Preference Domain properties to Jamf payload variables

  • Full Name: $FULLNAME
  • Email: $EMAIL

2.5 Assign to all devices and Save.

The profile should contain the actual Full Name and Email address of the user who is registered to it

Step 3. Create a script in Jamf Pro for the zero-touch install

Now that you’ve prepared the script, distribute it to your end users via Jamf Pro.

The following steps are based off of the Jamf scripts guide

3.1 In an Internet browser, log in to your Jamf Pro console and then navigate to Settings > Computer Management > Scripts.

3.2 Click + New.

3.3 Configure the General information

3.4 Configure the Script with any updated parameters.

Note that the first 3 input parameters are reserved for Jamf internal use. Instead, you have to set the Invite Code, Deployment Key and App Version as Parameter 4, Parameter 5 and Parameter 6 respectively.

3.5 Configure parameter labels

3.6 Click Save

Step 4. Running the zero-touch install script from Jamf Pro

4.1 Navigate from Computers > Policies.

4.2 Create a New or edit an existing Policy.

4.3 Configure the Scripts payload with the script from Step 2 and appropriate parameters.

4.4 Click Save

Staged user and zero touch installation

In the default Zero Touch flow, the device should be registered to a specified user by setting the mdm-deploy-user and mdm-deploy-email parameters in the mdm-config.json file. The issued device certificate will contain a User Principal Name (UPN) username in the Subject Alternative Name field.

As a fallback, if user information is not specified or obtained during zero-touch flow the app will initially be registered to a STAGED USER, indicating it has been silently enrolled via zero touch installation. When a user logs into the device and accesses a service protected by Cloud Secure Edge, their username will automatically be associated with the device.

Upgrading the desktop app via Jamf Pro

There may be scenarios requiring you to update the desktop app after deploying it to your organization’s devices via Jamf Pro.

If you want to have organizational control of the desktop app version, the easiest option is to configure the mdm-config.json file to set mdm_disable_auto_update to true. This flag disables prompts to end users to upgrade their Desktop App because the Device Manager will push the new version.

The zero touch install scripts also cover upgrade scenarios where you can specify the app version or upgrade to latest.

Can’t find what you’re looking for?

We’re happy to help. Contact our team.