MDM Deployment for the Mac Agent/Bundle and Mac Updater (Intune)
This topic describes MDM deployment via Microsoft Intune for Proofpoint Mac Agent and Mac Updater.
Prerequisites
- Preinstall Shell Script: From Agent Realms, download the Shell Script for the Agent Realm (Administration app > Endpoints > Agent Realms). Select Agent or Updater.
- Configuration Profile: From Endpoints > Downloads, download the latest Management Tools with the Configuration Profile (observeit-OSX-management tools-OSX-X.X.X.tar.gz). See Management Tools.
- Bundle Package: From Endpoints > Downloads, download and open the latest macOS Agent release (observeit-cloudagent-OSX-bundle-x.x.x.x.tar.gz).
- Updater Package: From Endpoints > Downloads, download and open the latest macOS Agent release (observeit-autoupdater-OSX-x.x.x.x.tar.gz).
Intune Deployment
Do the following:
- Upload the Configuration Profile
- Upload the Package
- Upload the Preinstall Script
- Create the Policy
- Configure the Policy Scope
Upload the Configuration Profile
Intune requires using the unsigned configuration profile. When the configuration profile is uploaded, Intune signs it.
IT Viewer macOS 11.mobileconfig: Unsigned Configuration Profile, to be signed by customer
- Log in to the Intune Admin Center.
- Access the Configuration page from Intune Admin Center Home > Devices. Select macOS.
- From Device onboarding > Manage devices > Configurations.
- From the options at the top of the macOS | Configuration page, select Create > New Policy.
- In the Create a profile area, Platform is macOS and Profile type is Templates.
- From Search by profile name, select Custom from the list of Template names.
- The Custom screen displays.
- In the Basics area, provide a name and an optional description. Click Next.
- In the Configuration settings, provide a name in the Custom configuration profile name area.
- Browse to the Configuration Profile you downloaded (IT Viewer macOS 11.mobileconfig) and upload it.
- "logger" process is supported for macOS Agent 4.4.2 and before. "logger" process is not supported for macOS Agent 4.4.3 and higher.
  Optionally, if you want to provide a name for the process other than "logger", locate logger and replace it with the name you want.
- Click Next.
- In Assignments, assign the groups to include. These are the groups you want to deploy to.
- From Included groups, click Add groups. Select the groups you want to include.
- In Review + create, click Create.
- The Configuration Profile is now signed by Microsoft (System Settings > Device Management).
Upload the Package
From macOS apps, select the pkg you want (Home > Apps > macOS apps).
- Agent Bundle: observeit-cloudagent-OSX-bundle-x.x.x.x.tar.gz
- Updater: observeit-autoupdater-OSX-x.x.x.x.tar.gz
Agent Bundle/Updater Packages are uploaded from the App area.
- The list of apps, in Home > Apps | macOS, shows the package Name and Type.
- Click Create. The Select app type panel opens.
- In Select app type, from the App type dropdown, select the package (macOS app PKG) and click Select.
- In Add App > App Information, select the package you want by browsing to it from the App package file area:
  observeit-cloudagent-OSX-bundle-x.x.x.x.pkg or observeit-autoupdater-OSX-x.x.x.x.pkg
- Click OK.
- In App package file in Add App, select the package and click OK.
- In App information, complete the required fields.
  Make sure you enter a name for Publisher.
- Click Next.
Upload the Preinstall Shell Script
The Preinstall Shell script is copied to Add App > Program.
- Using Notepad or another editor, copy the Preinstall Shell Script.
- Paste it to the Pre-install script area.
  Paste as is. Only change it if you want to obfuscate the name; see the next optional step.
- "logger" process is supported for macOS Agent 4.4.2 and before. "logger" process is not supported for macOS Agent 4.4.3 and higher. This step is relevant for macOS Agent 4.4.2 and before.
  Optionally, you can change the process name from "logger" for Agent deployment.
  Locate the string:
  #echo "LOGGER_NAME=logger">>/tmp/it_remote_install.cfg
  Change to:
  echo "LOGGER_NAME=<new_name>">>/tmp/it_remote_install.cfg
  You must use the same name you used in the Configuration Profile.
- Click Next.
- In Requirements, from the Minimum operating system dropdown, select the macOS version.
- Detection rules are automatically updated.
  In the App bundle ID list, keep only a single entry:
  com.proofpoint.itm.prevention
- Click Next.
- In Assignments, assign the groups to include. These are the groups you want to deploy to.
- In Review + create, click Create.
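For the optional process-name step (macOS Agent 4.4.2 and before), the LOGGER_NAME edit and the check that the Configuration Profile uses the same name can be scripted before pasting into Intune. This is an added example, not Proofpoint's code: the function names and the sample name syshelper are hypothetical, and it assumes the LOGGER_NAME line appears in the downloaded script exactly as quoted in that step.

```shell
#!/bin/sh
# Added example, not Proofpoint's code. Assumes the marker line appears in the
# Preinstall Shell Script exactly as quoted on this page, on a line of its own.
CFG=/tmp/it_remote_install.cfg

# set_logger_name SCRIPT NAME: uncomment the LOGGER_NAME line and set NAME.
set_logger_name() {
    script=$1; name=$2
    # Conservative character set (assumption) so NAME cannot break out of the
    # quoted echo argument or the sed replacement.
    case $name in
        ''|*[!A-Za-z0-9_.-]*) echo "invalid name: $name" >&2; return 2 ;;
    esac
    count=$(grep -cxF -- "#echo \"LOGGER_NAME=logger\">>$CFG" "$script" || true)
    [ "$count" = 1 ] || { echo "expected 1 marker line, found ${count:-0}" >&2; return 1; }
    tmp=$(mktemp) || return 1
    sed "s|^#echo \"LOGGER_NAME=logger\">>$CFG\$|echo \"LOGGER_NAME=$name\">>$CFG|" \
        "$script" >"$tmp" && cat "$tmp" >"$script"
    rc=$?; rm -f "$tmp"; return $rc
}

# logger_name_in_script SCRIPT: print the active (uncommented) LOGGER_NAME value.
logger_name_in_script() {
    sed -n "s|^echo \"LOGGER_NAME=\\([^\"]*\\)\">>$CFG\$|\\1|p" "$1"
}

# names_match SCRIPT PROFILE: succeed only if the script's name also occurs in
# the .mobileconfig (plain-text search; the profile's layout is not assumed).
names_match() {
    name=$(logger_name_in_script "$1")
    [ -n "$name" ] || { echo "no active LOGGER_NAME line in $1" >&2; return 1; }
    grep -qF -- "$name" "$2" || { echo "profile does not mention $name" >&2; return 1; }
}

# demo: constructed stand-ins for the two downloaded files (not the real ones).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '#!/bin/sh' "#echo \"LOGGER_NAME=logger\">>$CFG" >"$d/preinstall.sh"
    printf '%s\n' '<string>syshelper</string>' >"$d/profile.mobileconfig"
    set_logger_name "$d/preinstall.sh" syshelper &&
        names_match "$d/preinstall.sh" "$d/profile.mobileconfig"
    rc=$?; rm -rf "$d"; return $rc
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run set_logger_name on a copy of the downloaded script, then paste the edited copy into the Pre-install script area.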