Due to OS restrictions (especially with macOS Ventura), older versions of the HEIMDAL Agent (2.6.x) are unable to automatically upgrade to our latest version, 3.x.x. For this reason, we have created a shell script that can be added to Microsoft Intune to handle this scenario.
1. Creating the Intune MDM profiles (Full Disk Access and DNS Extension)
2. Adding the shell script in Microsoft Intune
CREATING THE INTUNE MDM PROFILES
In order for the HEIMDAL Agent to be deployed through Microsoft Intune, make sure that the following Configuration profiles are created before pushing the HEIMDAL Agent. These profiles grant the HEIMDAL Agent Full Disk Access (needed by the Next-Gen Antivirus to scan the device) and allow it to install the DNS extension (needed by the Threat Prevention Endpoint to filter the DNS traffic).
To create the two profiles, follow the steps below:
A. Full Disk Access
1. Log in to Microsoft Intune and go to Devices -> macOS -> Configuration profiles.
2. Press Create profile and in the Profile type select Templates -> Custom and click Create.
3. Give the profile a name, select Device channel as the Deployment channel, and load the mobile configuration file that you can download from the bottom of this article (Full Disk Access - heimdal_custom_configuration_profile.mobileconfig). After loading the file, press Next.
4. Make sure you assign this profile to all devices/groups where the HEIMDAL Agent is to be installed, then press Next.
5. After reviewing the profile, press Create.
B. DNS Extension
1. Go back to Configuration profiles, press Create profile, and in the Profile type select Templates -> Extensions and click Create.
2. In the Basics tab, give it a name and a description and click Next.
3. In the Configuration settings, leave the Kernel extensions as they are and expand the System extensions section.
4. Set Block user overrides to Yes. In the Bundle identifier field, insert com.heimdalsecurity.heimdalAgent.dnsNetworkExtension.
5. On the same line as the Bundle identifier, insert the following Team identifier: Y54WA7N8WR.
6. Press Next, make sure you assign this profile to all devices/groups where the HEIMDAL Agent is to be installed, and press Next.
7. Review the profile and press Create.
ADDING THE SHELL SCRIPT IN MICROSOFT INTUNE
1. Access Devices -> macOS -> Shell scripts and press Add.
2. In the Basics tab, give the shell script a name and a description and press Next.
3. In the Script settings tab, upload the script that you can find at the bottom of this article (installHeimdalAgent.sh). The script does not include a Heimdal license key, so you will have to edit the script and add your Heimdal license key in the heimdalKEY="add_key_here" variable (line 36).
4. Set Run script as signed-in user to No, Hide script notifications on devices to Yes, and the Script frequency and Max number of times to retry if script fails to your own preferences. After that, press Next.
5. Make sure you assign this shell script to all devices/groups where the HEIMDAL Agent is to be installed, then press Next.
6. Review the shell script and press Add.
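As an added example (not Heimdal's installHeimdalAgent.sh), the pre-flight checks a practitioner would wrap around the vendor installer in this Intune script: refuse to run while heimdalKEY is still the add_key_here placeholder, confirm the script runs as root (matching Run script as signed-in user = No), and only trigger the installer when no agent or a pre-3.x agent is present. The Info.plist path is a PLACEHOLDER assumption, and the vendor installation step is left as a comment.

```shell
#!/bin/sh
# Added example: pre-flight guards around the vendor installer for the
# 2.6.x -> 3.x.x HEIMDAL Agent upgrade pushed by Intune. Not the vendor script.

heimdalKEY="add_key_here"   # replace with your license key, as the article says
# PLACEHOLDER (assumption): point this at the installed agent's Info.plist.
HEIMDAL_APP_PLIST="${HEIMDAL_APP_PLIST:-/PLACEHOLDER/HeimdalAgent/Info.plist}"

log() { printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$*"; }

# Fail early if the placeholder key was left in place; otherwise Intune would
# report a successful run while the agent stays unlicensed.
license_key_is_set() {
    [ -n "${1:-}" ] && [ "$1" != "add_key_here" ]
}

# Intune setting "Run script as signed-in user = No" means the script runs as root.
running_as_root() { [ "$(id -u)" -eq 0 ]; }

# Version string from the agent's Info.plist; empty when no agent is installed.
installed_version() {
    [ -f "$HEIMDAL_APP_PLIST" ] || { echo ""; return 0; }
    /usr/libexec/PlistBuddy -c "Print :CFBundleShortVersionString" "$HEIMDAL_APP_PLIST" 2>/dev/null
}

# True (0) when the installer must run: no agent, an unparsable version, or a
# major version below 3 (the 2.6.x line that cannot self-upgrade on Ventura).
requires_install_or_upgrade() {
    major="${1%%.*}"
    case "$major" in
        ''|*[!0-9]*) return 0 ;;
    esac
    [ "$major" -lt 3 ]
}

main() {
    license_key_is_set "$heimdalKEY" || { log "ERROR: heimdalKEY is still the placeholder"; exit 1; }
    running_as_root || { log "ERROR: must run as root (Run script as signed-in user = No)"; exit 1; }
    current="$(installed_version)"
    if requires_install_or_upgrade "$current"; then
        log "Agent version '${current:-none}' needs install/upgrade; running installer"
        # vendor installation steps go here (see installHeimdalAgent.sh)
    else
        log "Agent version $current is already 3.x or newer; nothing to do"
    fi
}

# Only act when invoked as "install", so the functions can be sourced and tested.
if [ "${1:-}" = "install" ]; then main; fi
```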
Once the assignment has been configured, Intune takes care of the deployment and installs the HEIMDAL Agent on the computers selected for deployment. On macOS devices, Intune requires Company Portal in order to push settings and applications. Once Company Portal is running on the device, you can follow the steps below:
1. On the computer where you want the deployment to occur, run Company Portal.
2. In Company Portal, select the device, click the three-dot button, and choose Check status.
3. The Company Portal will sync with Intune and will apply the new settings or install the applications that are assigned on the endpoint.
4. It will take a couple of minutes until the application is pushed by Intune onto the device, but you can check Finder -> Applications to see when the deployment takes place.