In order to deploy the HEIMDAL Agent through Microsoft Intune, you need to download the HEIMDAL Agent package, add it to Intune as a macOS app (PKG) together with a pre-install script that writes your Heimdal license key to the endpoint, and assign it to your macOS devices/groups.
1. Creating the Intune MDM profiles
2. Adding the new app in Microsoft Intune
3. Deploying the HEIMDAL Agent
CREATING THE INTUNE MDM PROFILES
For the HEIMDAL Agent to be deployed through Microsoft Intune, you need to make sure that the following Configuration profiles are created before pushing the HEIMDAL Agent. These profiles grant the HEIMDAL Agent Full Disk Access (needed by the Next-Gen Antivirus and by Ransomware Encryption Protection to scan the device), allow it to install the DNS Proxy Extension (needed by DNS Security - Endpoint to filter the DNS traffic), and manage its login items. Without them, macOS prompts the user for these permissions and the corresponding modules do not work until they are approved.
To create the 4 profiles, follow the steps below:
A. DNS-E Proxy
1. Login to Microsoft Intune and access Devices -> Configuration (under Manage devices) -> Policies tab.
2. Press Create -> New Policy, and in the right-side slide, select macOS in the Platform dropdown and Templates in the Profile type dropdown. Select the Custom Template name and click Create.
3. Give the profile a name, select the Device channel as Deployment channel, and load the mobile configuration file that you can download from the bottom of this article (Heimdal Agent - DNS-E Proxy.mobileconfig). After loading the file, press Next.
4. Make sure you assign this profile to all devices/groups where the HEIMDAL Agent is to be installed and press Next.
5. After reviewing the profile, press Create.
This profile allows the HEIMDAL Agent to install its DNS Proxy extension without a user prompt.
B. Full Disk Access (Next-Gen Antivirus)
1. Login to Microsoft Intune and access Devices -> Configuration (under Manage devices) -> Policies tab.
2. Press Create -> New Policy, and in the right-side slide, select macOS in the Platform dropdown and Templates in the Profile type dropdown. Select the Custom Template name and click Create.
3. Give the profile a name, select the Device channel as Deployment channel, and load the mobile configuration file that you can download from the bottom of this article (Heimdal Agent - NGAV Full Disk Access.mobileconfig). After loading the file, press Next.
4. Make sure you assign this profile to all devices/groups where the HEIMDAL Agent is to be installed and press Next.
5. After reviewing the profile, press Create.
C. Full Disk Access (Ransomware Encryption Protection)
1. Login to Microsoft Intune and access Devices -> Configuration (under Manage devices) -> Policies tab.
2. Press Create -> New Policy, and in the right-side slide, select macOS in the Platform dropdown and Templates in the Profile type dropdown. Select the Custom Template name and click Create.
3. Give the profile a name, select the Device channel as Deployment channel, and load the mobile configuration file that you can download from the bottom of this article (Heimdal Agent - REP Full Disk Access.mobileconfig). After loading the file, press Next.
4. Make sure you assign this profile to all devices/groups where the HEIMDAL Agent is to be installed and press Next.
5. After reviewing the profile, press Create.
D. Managed Login Items
1. Login to Microsoft Intune and access Devices -> Configuration (under Manage devices) -> Policies tab.
2. Press Create -> New Policy, and in the right-side slide, select macOS in the Platform dropdown and Templates in the Profile type dropdown. Select the Custom Template name and click Create.
3. Give the profile a name, select the Device channel as Deployment channel, and load the mobile configuration file that you can download from the bottom of this article (Heimdal Agent - Managed Login Items.mobileconfig). After loading the file, press Next.
4. Make sure you assign this profile to all devices/groups where the HEIMDAL Agent is to be installed and press Next.
5. After reviewing the profile, press Create.
ADDING THE NEW APP IN MICROSOFT INTUNE
1. Log in to the Microsoft 365 admin center and access Microsoft Intune.
2. On the left-side menu, click on Apps and then on All apps to access the list of available applications.
3. Press Add to add the new app, select the macOS app (PKG) type and press the Select button.
4. From the Add App window, press Select app package file, browse for the App package file (on the right-side pane), and press OK.
5. Configure the app by specifying the required information in the fields below and press Next:
- Name - You can configure it to be Heimdal Thor Agent (or Heimdal Agent);
- Description - You can give it a description that will be visible in the Company Portal;
- Publisher - You can specify the publisher name: Heimdal Security;
- The rest of the fields are optional.
6. In the Program tab you need to configure the following pre-install script to make sure the Heimdal Agent gets activated with your Heimdal license key. In the echo line, don't forget to replace the placeholder text between the quotation marks with your Heimdal license key; if the placeholder is left in place, the agent is installed with an invalid key on every assigned device.
#!/bin/sh
NEW_AGENT_BASE_PATH="/Users/Shared/.ThorAgent/"
# Create the directory if it doesn't exist
mkdir -p "${NEW_AGENT_BASE_PATH}"
# Write the key to the file
echo "REPLACE_THIS_WITH_YOUR_HEIMDAL_KEY" > "${NEW_AGENT_BASE_PATH}license.key"
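As an added example (not Heimdal's own script and not part of the original article), here is a stricter form of the same pre-install script. It keeps the page's path, /Users/Shared/.ThorAgent/license.key, but refuses to run when the placeholder was left unchanged or the key contains whitespace from a bad copy/paste, and it writes the file owner-only. The whitespace rule and the 0600 mode are assumptions marked in the comments, since the page says nothing about the key format or about which process reads the file.

```shell
#!/bin/sh
# Added example: a stricter variant of the Intune pre-install script above.
# Not Heimdal's script. It keeps the page's file location and only adds
# fail-fast checks, so a package whose placeholder was never edited is
# rejected at install time instead of being pushed with a bogus key.
#
# Assumptions (not stated on the page): the key contains no whitespace, and
# the agent's privileged components read the file as root, so mode 0600 is
# enough. If activation fails after tightening permissions, fall back to the
# page's original script.

HEIMDAL_KEY="REPLACE_THIS_WITH_YOUR_HEIMDAL_KEY"   # <- put your license key here
AGENT_BASE_PATH="/Users/Shared/.ThorAgent"         # path from the page

# Returns 0 if the key looks usable, 1 if it is empty, still the placeholder,
# or contains whitespace (assumed to be a copy/paste artefact).
license_key_is_usable() {
    case "$1" in
        "" | *REPLACE_THIS_WITH_YOUR_HEIMDAL_KEY*) return 1 ;;
        *[[:space:]]*) return 1 ;;
    esac
    return 0
}

# Writes the key to <base>/license.key with owner-only permissions.
# Returns 1 on an unusable key, 2 if the directory or file could not be written.
write_license_key() {
    key="$1"
    base="${2:-$AGENT_BASE_PATH}"
    if ! license_key_is_usable "$key"; then
        echo "pre-install: license key is missing, unchanged or malformed" >&2
        return 1
    fi
    umask 077                                  # new dir and file are owner-only
    mkdir -p "$base" || return 2
    printf '%s\n' "$key" > "$base/license.key" || return 2
    chmod 600 "$base/license.key" || return 2
    return 0
}

# Intune runs pre-install scripts as root on the Mac and treats a non-zero
# exit code as an install failure. The guard keeps the write from running when
# the file is sourced elsewhere (for example on a non-macOS host for testing).
if [ "$(uname)" = "Darwin" ] && [ "$(id -u)" -eq 0 ]; then
    write_license_key "$HEIMDAL_KEY" || exit 1
fi
```

Paste the whole script into the Program tab as the pre-install script, replacing only the HEIMDAL_KEY value. A failed check shows up in Intune as a failed install for the device, which is the signal you want when the key was never edited.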
7. In the Requirements tab you need to select the Minimum operating system: macOS Mojave 10.14.
8. From the Detection rules, you need to remove all the App Bundle IDs except the last one. This is because the HEIMDAL Agent package includes several components that get installed in order for the agent to work, but they need to be removed from the App bundle ID list to allow Intune to validate the app installation status. This means that the following components (prerequisites) need to be deleted: com.heimdalsecurity.HeimdalDomain, org.cocoapods.SSZipArchive, org.cocoapods.RealmSwift, com.heimdalsecurity.HMLog, org.sparkle-project.Sparkle, org.cocoapods.Realm, com.heimdalsecurity.HeimdalClient, com.heimdalsecurity.SharedUI, org.cocoapods.SnapKit, org.cocoapods.Socket.
The only app bundle ID that needs to be left on the list is the com.heimdalsecurity.heimdalAgent.
9. Once the application is added, you can assign it to a group or multiple groups, to a user or all users, or to a device or all devices. After you select the assignment press Next.
10. Review the configuration and press Create.
DEPLOYING THE HEIMDAL AGENT
Once the assignment has been configured, Intune will take care of the deployment and install the HEIMDAL Agent on the computers that are selected for deployment. On macOS devices, Intune requires Company Portal to push settings and applications. Once you have Company Portal running on the device, you can follow the steps below:
1. On the computer where you want the deployment to occur, run Company Portal.
2. From the Company Portal, select the device, click the 3-dot button, and Check status.
3. The Company Portal will sync with Intune and will apply the new settings or install the applications that are assigned on the endpoint.
4. It will take a couple of minutes until the application is pushed by Intune onto the device, but you can check Finder -> Applications to see when the deployment takes place.
5. Once the deployment is finished, Microsoft Intune displays an Installed status for the app on that device.