To deploy the HEIMDAL Agent for macOS through Jamf Pro, you need to use the attached bash script.
1. Adding the bash script to Jamf Pro
2. Adding the Configuration Profiles
3. Deploying the newly added script
ADDING THE BASH SCRIPT TO JAMF PRO
In order to add the bash script to Jamf Pro, follow the steps below:
1. Log in to Jamf Pro.
2. Access the Settings page, in the All tab search for the Categories section, and create a new category if one does not already exist.
3. Access the Settings page, in the All tab search for the Scripts section, and create a new script. Make sure you give it a name, assign it to a category, and continue with the next tabs.
4. In the Scripts tab, select the Shell/Bash mode with the Default theme and paste in the script you find in the install_Heimdal_jamf.sh file attached at the bottom of this article. Make sure you add your HEIMDAL license key in the heimdalKEY variable (at line 38). Use a text editor that allows you to explicitly set the line ending type when saving a file. Popular editors like Visual Studio Code, Sublime Text, Notepad++, and Atom offer this functionality. After adding the HEIMDAL license key, make sure you switch the line ending format from Windows (CRLF) to Unix/Linux (LF).
5. You can continue editing the Options or the Limitations tabs in case you have specific settings that you want to use and press Save.
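The line-ending and license-key checks from step 4 can also be run from a terminal before the script is pasted into Jamf Pro. The following is an added example, not part of the HEIMDAL script or of Jamf Pro; it assumes the key is assigned in the form heimdalKEY="...", and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: preflight check for a local copy of install_Heimdal_jamf.sh.
# Assumption: the license key is assigned as heimdalKEY="..." in the script.

CR=$(printf '\r')

# Print the number of lines that contain a carriage return (CRLF endings).
count_crlf_lines() {
    grep -c "$CR" "$1" || true   # grep exits 1 on zero matches; still prints 0
}

# Rewrite the file in place with LF-only endings, keeping its permissions.
to_lf() {
    tmp=$(mktemp) || return 1
    if tr -d '\r' < "$1" > "$tmp"; then
        cat "$tmp" > "$1"; rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Succeed only if heimdalKEY is assigned a non-empty value.
key_is_set() {
    grep -Eq '^[[:space:]]*heimdalKEY="?[^"[:space:]]+' "$1"
}

# Return codes: 0 ok, 1 conversion failed, 2 file missing, 3 key not set.
preflight() {
    f=$1
    [ -f "$f" ] || { echo "not found: $f" >&2; return 2; }
    n=$(count_crlf_lines "$f")
    if [ "$n" -gt 0 ]; then
        echo "$n line(s) with CRLF endings; converting to LF" >&2
        to_lf "$f" || return 1
    fi
    key_is_set "$f" || { echo "heimdalKEY is empty in $f" >&2; return 3; }
    echo "ok: $f is LF-only and heimdalKEY is set"
}

# Stand-alone use: sh preflight.sh install_Heimdal_jamf.sh
if [ "$#" -gt 0 ]; then
    preflight "$1"
fi
```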
ADDING THE CONFIGURATION PROFILES
Due to the requirements of macOS Ventura (and above), the HEIMDAL Agent requires the addition of 4 profiles (one for the DNS Security Endpoints DNS Proxy, one for the Next-Gen Antivirus Full Disk Access, one to prevent the ability to disable the HEIMDAL Agent by an elevated user and one for the REP Full Disk Access) that can be pushed through Jamf Pro from the Configuration Profiles section. To have them deployed, follow the steps below:
1. In the Jamf Pro portal, access the Configuration Profiles and press the Upload button to add a new profile (we will be adding the DNS-E Extension profile first). Download the Heimdal Agent - DNS-E Extension.mobileconfig file attached at the bottom of this article, browse for it in the Jamf Pro portal, and press Upload.
Configure the General settings in the Options tab and the Scope settings and press Save.
2. Download the Heimdal Agent - NGAV Full Disk Access.mobileconfig file attached at the bottom of this article, and in the Configuration Profiles pages, press the Upload button to upload it.
3. Repeat the step above for the Heimdal Agent - Managed Login Items.mobileconfig and the Heimdal Agent - REP Full Disk Access.mobileconfig files.
4. Configure the General settings in the Options tab and the Scope settings and press Save. The Configuration Profiles should look like this:
The Heimdal Agent - DNS-E Extension should allow the HEIMDAL Agent to install the following DNS Proxy:
IMPORTANT
Configuration profiles can be pushed only to Mac devices that are running macOS Ventura or higher. This means that on macOS versions earlier than Ventura, the Heimdal Agent DNS-E Extension, the HEIMDAL Agent NGAV Full Disk Access, and the HEIMDAL Agent REP Full Disk Access permissions must be manually approved by the user after the HEIMDAL Agent deployment (installation).
DEPLOYING THE NEWLY ADDED SCRIPT
1. Next, you need to create a new Policy that will be used to deploy the HEIMDAL Agent. On the Policies page, press the New button and create the policy. In the General tab, give the policy a Display Name, enable it, and select the Category and the Triggers (that suit you).
2. On the Scripts page, select the Priority and Parameter Values (if needed).
3. To finish the policy configuration, please also have a look at the Scope, Self-Service, and User interaction tabs to set them up according to your preference. After that, press the Save button.
4. The HEIMDAL Agent will get installed automatically, according to the triggers you have configured on the policy. The policy can be manually triggered by running the following command line in the Terminal:
sudo jamf policy -verbose