Due to OS restrictions (especially with macOS Ventura), older versions of the HEIMDAL Agent (2.6.x) are unable to upgrade automatically to our latest version 3.x.x. For this reason, we have created a shell script that can be added to Microsoft Intune to handle this scenario.
1. Creating the Intune MDM profiles (NGAV Full Disk Access and TPE DNS Extension)
2. Adding the shell script in Microsoft Intune
CREATING THE INTUNE MDM PROFILES
In order for the HEIMDAL Agent to be deployed through Microsoft Intune, you need to make sure that the following Configuration profiles are created prior to pushing the HEIMDAL Agent. These profiles grant the HEIMDAL Agent Full Disk Access (needed by the Next-Gen Antivirus to scan the device) and allow it to install the DNS Extension (needed by the DNS Security Endpoint to filter the DNS traffic).
To create the 2 profiles, follow the steps below:
A. Full Disk Access
1. Log in to Microsoft Intune and access Devices -> macOS -> Configuration profiles.
2. Press Create profile and in the Profile type select Templates -> Custom and click Create.
3. Give the profile a name, select the Device channel as Deployment channel, and load the mobile configuration file that you can download from the bottom of this article (Heimdal Agent - NGAV Full Disk Access.mobileconfig). After loading the file, press Next.
4. Make sure you assign this profile to all devices/groups where the HEIMDAL Agent is to be installed and press Next.
5. After reviewing the profile, press Create.
B. TPE DNS Proxy and TPE System Extension
1. Go back to the Configuration profiles.
2. Press Create profile and in the Profile type select Templates -> Custom and click Create.
3. Give the profile a name, select the Device channel as Deployment channel, and load the mobile configuration file that you can download from the bottom of this article (Heimdal Agent - TPE DNS Proxy.mobileconfig). After loading the file, press Next.
4. Make sure you assign this profile to all devices/groups where the HEIMDAL Agent is to be installed and press Next.
5. After reviewing the profile, press Create.
6. Go back to the Configuration profiles.
7. Press Create profile and in the Profile type select Templates -> Extensions and click Create.
8. Give it a name and press Next.
9. In the Configuration settings, expand the System extensions dropdown and add the following:
- Allowed system extensions: com.heimdalsecurity.heimdalAgent.dnsNetworkExtension (as Bundle identifier) and Y54WA7N8WR (as Team identifier);
- Allowed system extension types: Y54WA7N8WR (as Team identifier) and Network extensions (as Allowed system extension types).
10. Make sure you assign this profile to all devices/groups where the HEIMDAL Agent is to be installed and press Next.
11. After reviewing the profile, press Create. This profile will allow the TPE DNS Proxy extension in System Preferences -> Privacy and Security.
These 2 profiles should allow the HEIMDAL Agent to install the TPE DNS Proxy.
IMPORTANT
Due to a limitation of Apple's ecosystem, configuration profiles can be pushed only to Mac devices that are running macOS Ventura or higher. This means that on macOS versions prior to Ventura, the Heimdal Agent TPE DNS Extension and the HEIMDAL Agent NGAV Full Disk Access permission need to be approved manually by the user after the HEIMDAL Agent deployment (installation).
ADDING THE SHELL SCRIPT IN MICROSOFT INTUNE
1. Access Devices -> macOS -> Shell scripts and press Add.
2. In the Basics tab, give the shell script a name and a description and press Next.
3. In the Script settings tab, upload the script that you can find at the bottom of this article (installHeimdalAgent.sh). The script does not include any Heimdal license key, so you will have to edit the script and add your Heimdal license key in the heimdalKEY="add_key_here" variable (line 38).
4. Configure Run script as signed-in user to No, Hide script notifications on devices to Yes, and the Script frequency and Max number of times to retry if script fails to your own preferences. After that, press Next.
5. Make sure you assign this shell script to all devices/groups where the HEIMDAL Agent is to be installed and press Next.
6. Review the shell script and press Add.
Once the assignment has been configured, Intune will take care of the deployment and it will install the HEIMDAL Agent on the computers that are selected for deployment. On macOS devices, Intune requires Company Portal in order to push settings and applications. Once you have Company Portal running on the device, you can follow the steps below:
1. On the computer where you want the deployment to occur, run Company Portal.
2. From the Company Portal, select the device, click the 3-dot button, and select Check status.
3. The Company Portal will sync with Intune and will apply the new settings or install the applications that are assigned on the endpoint.
4. It will take a couple of minutes until the application is pushed by Intune onto the device, but you can have a look in Finder -> Applications to see when the deployment takes place.
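A post-deployment check, added here as an example and not part of Heimdal's installHeimdalAgent.sh or of the original article: it rejects the heimdalKEY placeholder from step 3 of the script section and parses the output of systemextensionsctl list for the DNS extension allowed by profile B (bundle identifier and Team ID from step 9) in the "activated enabled" state, which is what the Extensions profile, or the user on pre-Ventura devices, is supposed to produce. The column layout of the listing, the sample lines and the extension version 3.0.0 are assumptions constructed for the example.

```shell
#!/bin/sh
# Added post-deployment check; not part of Heimdal's installHeimdalAgent.sh.
# Assumes the `systemextensionsctl list` layout shown in the constructed samples.

HEIMDAL_BUNDLE="com.heimdalsecurity.heimdalAgent.dnsNetworkExtension"
HEIMDAL_TEAM="Y54WA7N8WR"

# 0 if the license key variable holds a value, 1 if it is still the
# placeholder from the script ("add_key_here") or empty.
key_is_set() {
    case "$1" in
        ""|"add_key_here") return 1 ;;
        *)                 return 0 ;;
    esac
}

# Reads `systemextensionsctl list` output on stdin; returns 0 only when the
# Heimdal DNS extension is listed under the expected Team ID and its state is
# "[activated enabled]", i.e. the Extensions profile (or the user) approved it.
dns_extension_approved() {
    awk -v team="$HEIMDAL_TEAM" -v bundle="$HEIMDAL_BUNDLE" '
        index($0, team) && index($0, bundle) && /\[activated enabled\]/ { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Constructed samples (version 3.0.0 is made up): an approved extension, and
# one still waiting for the manual approval that pre-Ventura devices require.
SAMPLE_APPROVED='1 extension(s)
--- com.apple.system_extension.network_extension
enabled active  teamID  bundleID (version)  name  [state]
*  *  Y54WA7N8WR  com.heimdalsecurity.heimdalAgent.dnsNetworkExtension (3.0.0/3.0.0)  dnsNetworkExtension  [activated enabled]'
SAMPLE_PENDING='1 extension(s)
--- com.apple.system_extension.network_extension
enabled active  teamID  bundleID (version)  name  [state]
   *  Y54WA7N8WR  com.heimdalsecurity.heimdalAgent.dnsNetworkExtension (3.0.0/3.0.0)  dnsNetworkExtension  [activated waiting for user]'

# Uses the live listing on a Mac and the approved sample anywhere else.
check_dns_extension() {
    if command -v systemextensionsctl >/dev/null 2>&1; then
        systemextensionsctl list | dns_extension_approved
    else
        printf '%s\n' "$SAMPLE_APPROVED" | dns_extension_approved
    fi
}

if check_dns_extension; then
    echo "TPE DNS extension: approved"
else
    echo "TPE DNS extension: not approved yet (check the Extensions profile or approve it manually)"
fi
```

On a device where the state stays "waiting for user", the Extensions profile has not been applied (or the device is below Ventura), so the approval has to be granted manually as described in the IMPORTANT note above.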