Jamf Pro - Zero Touch Installation of the Desktop App

How to configure Jamf Pro zero touch deployment of Banyan Desktop App

  • Updated on Jan 09, 2024

Overview

Jamf Pro is used to administer corporate laptops, phones, tablets, and other devices in your enterprise. The Banyan Desktop App can be packaged and distributed to your device fleet via Jamf Pro in zero touch mode, requiring no interaction from end users. Also, zero touch mode does not require the end user to be an administrator on the device.

The Banyan Desktop App is deployed, installed, and registered in a matter of seconds, making zero touch mode the recommended way to deploy Banyan with Jamf Pro.

Steps

There are two high-level steps required to silently deploy and install the Banyan desktop app then register macOS devices with Banyan:

Prerequisites

  • Deployment Key: Obtained from the Command Center under Settings > Banyan Client tab > Deployment tab, under the heading Zero-Touch Deployment Using a Device Manager.
  • Invite Code: Obtained from Command Center under Settings > Banyan Client tab > Deployment tab > Invite Code.
  • Ensure that you’re familiar with mdm-config.json parameters to customize Banyan Desktop App functionality, paying particular attention to the following flags required to enable zero touch mode:

    • mdm_start_at_boot - Recommended to set as true to ensure the app starts consistently
    • mdm_hide_on_start - Recommended to set as true to ensure the app doesn’t foreground every time the user logs in

Step 1: Prepare the Banyan Zero Touch install script for macOS

Banyan provides a bash script that can be configured to automate the installation and registration process. See Banyan App Installer to download and configure the script.

The script will complete the following:

1) Create an mdm-config.json file that specifies app functionality

2) Download the latest Banyan app version and install it (you can also optionally specify an exact app version)

3) Stage the app with the device certificate that contains user information

4) Start the app as the logged-on user

Step 2: Distribute a Configuration Profile with User info

Banyan’s bash script will leverage name and email when silently registering the Banyan app. This configuration profile will contain the users information on the device for the script to leverage.

2.1 Navigate to Computers > Configuration Profiles and select Add.

  • Name: Zero Touch User Info

2.2 Scroll to Application & Custom Settings in the payloads list and add an External Application.

  • Source: Custom Schema
  • Preference Domain: userinfo

2.3 Edit the schema with the following:

{
  "title": "Zero Touch User Info",
  "description": "Writes user information for Banyan Zero Touch script to leverage",
  "properties": {
    "deploy_user": {
      "title": "Full Name",
      "description": "The Jamf username",
      "property_order": 10,
      "type": "string"
    },
    "deploy_email": {
      "title": "Email",
      "description": "The Jamf user email address",
      "property_order": 10,
      "type": "string"
    }
  }
}

2.4 Map Preference Domain properties to Jamf payload variables

  • Full Name: $FULLNAME
  • Email: $EMAIL

2.5 Assign to all devices and Save.

The profile should contain the actual Full Name and Email address of the user who is registered to it

Step 3. Create a script in Jamf Pro for the zero-touch install

Now that you’ve prepared the script, distribute it to your end users via Jamf Pro.

The following steps are based off of the Jamf scripts guide

3.1 In an Internet browser, log in to your Jamf Pro console and then navigate to Settings > Computer Management > Scripts.

3.2 Click + New.

3.3 Configure the General information

3.4 Configure the Script with any updated parameters.

Note that the first 3 input parameters are reserved for Jamf internal use. Instead, you have to set the Invite Code, Deployment Key and App Version as Parameter 4, Parameter 5 and Parameter 6 respectively.

3.5 Configure parameter labels

3.6 Click Save

Step 4. Running the zero-touch install script from Jamf Pro

4.1 Navigate from Computers > Policies.

4.2 Create a New or edit an existing Policy.

4.3 Configure the Scripts payload with the script from Step 2 and appropriate parameters.

4.4 Click Save

Staged User and Zero Touch installation

In the default Zero Touch flow, the device should be registered to a specified user by setting the mdm-deploy-user and mdm-deploy-email parameters in the mdm-config.json file. The issued device certificate will contain a User Principal Name (UPN) username in the Subject Alternative Name field.

As a fallback, if user information is not specified or obtained during zero-touch flow the Banyan app will initially be registered to a STAGED USER, indicating it has been silently enrolled via zero touch installation. When a user logs into the device and accesses a service protected by Banyan, their username will automatically be associated with the device.

Upgrading the Desktop App via Jamf Pro

There may be scenarios requiring you to update the Banyan Desktop App after deploying it to your organization’s devices via Jamf Pro.

If you want to have organizational control of the Desktop App version, the easiest option is to configure the mdm-config.json file to set mdm_disable_auto_update to true. This flag disables prompts to end users to upgrade their Desktop App because the Device Manager will push the new version.

The Banyan Zero Touch install scripts also cover upgrade scenarios where you can specify the app version or upgrade to latest.


Can’t find what you’re looking for?

We’re happy to help. Contact our team.