(MDM) Installing the agent using Microsoft Intune

Microsoft Intune is a cloud-based endpoint management solution. It manages user access to organizational resources and simplifies app and device management across mobile devices, desktop computers, and virtual endpoints. You can deploy the Forcepoint agent (referred to as F1A below) using Microsoft Intune.

Applications are uploaded and configured in the Microsoft Endpoint Manager admin center (MEM).

Steps

  1. Sign into the Forcepoint ONE Data Security management portal and download the Windows agent installation package.
  2. Unzip the downloaded installer package.
  3. Create a .intunewin file for F1A using the instructions provided in: https://learn.microsoft.com/en-us/mem/intune/apps/apps-win32-prepare.
    Note: When specifying the source files, be sure to include not just the installer but also the ca.cer file, localConfig.xml and the manifest file, as shown in the screenshot below. The install command runs on the endpoint against an extract of this folder, so any file the installer reads at run time must be packaged here.
  4. In MEM, navigate to Apps > Windows > + Add and choose the application type (App type) as Windows app (Win32).
  5. You can configure the Win32 application using the Add App wizard. The first page of the wizard requires you to browse to and select the .intunewin file created in Step 3.
  6. On the App Information tab, you must populate the app metadata fields. For example, the name, description, publisher, category, and even icon. You are only required to fill out the mandatory fields.
    Following is an example of information that you can enter in the mandatory fields:
    Click Next.
  7. On the Program tab, you need to enter the following:
    • Install and uninstall commands for F1A.
      Note: In this example the installer is an .exe, so the commands must be specified manually. The commands run relative to the package contents: the working directory is an extract of your .intunewin, so a file in a sub folder is referenced by its relative path, exactly as you would at a command prompt open in that folder. System variables can be referenced in the same way.
    • For the Install Behavior, choose the option System (NT AUTHORITY\SYSTEM), as this executes the installation with administrative rights.
      Note: In cases where only a user-specific installation is required, you can execute in the user context. However, choosing the option System is recommended. Because the install command then runs with SYSTEM privileges on every targeted device, only package an installer whose origin and signature you have verified.
    • Device restart behavior defines whether the app triggers restart or not. In this case, select the App install may force a device restart option.
  8. On the Requirements tab you need to specify the prerequisites for agent installation on clients in scope. If the devices you target the agent to do not meet what you specify here, the agent is not installed.
    • The following fields are mandatory:
      • Operating system architecture: Can be x86, x64, or both.
      • Minimum operating system: The oldest Windows build the agent may be installed on, for example Windows 10 1607.
    (Optional) The Configure additional requirement rules option allows you to query files, directories, registry entries, or use scripts. You can, for example, block the install if a certain file is or is not present, or query the version attribute of that file. A script can run and, based on its output, determine whether the app installs. Click the +Add link to add an additional requirement rule.
  9. On the Detection rules tab, for MS Intune to know whether the agent is installed, you need to include the detection rules. These are mandatory because, without them, MS Intune would not know when to stop trying to install the agent, or how to report success/failure.
    • You can use a script to determine success or failure or use the Manually configure detection rules option for stating options like the presence of a file or registry entry. Click the +Add link to add details on the detection rules. Following is an example:

  10. (Optional) On the Dependencies tab, there are checks (in addition to the earlier requirements) for other Intune-managed apps being installed before this one is. For example, you may be deploying a plug-in for VLC. A dependency will make sure it is only installed if VLC is present, and you can even choose to automatically install the dependency too.
    Click Next.
  11. On the Supersedence tab, there are options that allow you to update or replace applications. Replacing uninstalls the app you specify under Apps that this app will supersede before installing the app you are configuring; updating installs the app you are configuring over the earlier one without uninstalling it. In order to add apps to the list, click +Add.
    Note: If you are using Supersedence to update, under the earlier detection rule you should specify a version number rather than just the existence of a file.
    Click Next.
  12. On the Assignments tab, you manage which Azure AD groups the app is targeted towards within assignments. There are three assignment types:
    • Required: Groups that will have the application force installed. This can be a user group, device group, all users, or all devices.
    • Available for enrolled devices: Groups that will be able to install the app on demand from the Company Portal app or website. This must be a user group or all users.
    • Uninstall: Groups that will have the application force uninstalled. This can be a user group, device group, all users, or all devices.
    Note: If you assign an app to a user, it will “follow” that user as they move from MS Intune device to MS Intune device, with the MS Intune Management Extension attempting to install it on each device they use. For all assignment types, you can choose what kind of notifications are presented to the user: for example, show all toast notifications or only if a restart is required.
  13. On the Review + create tab, you can confirm the settings you have entered. Clicking Create will then upload the application.
  14. Upon completing all steps, you should see a notification containing the application details you have specified earlier, simply stating that installation of the endpoint agent has begun.
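The following PowerShell script is an added example for Steps 2 and 3 above; it is not Forcepoint's or Microsoft's own code. It stages the unzipped package, checks that the files the installer needs (ca.cer, localConfig.xml and the manifest) are present, refuses to package an installer whose Authenticode signature is not valid or not from the expected publisher (the install will later run as SYSTEM on every targeted device), records SHA-256 hashes of the package contents, and then runs the Microsoft Win32 Content Prep Tool to produce the .intunewin file. The installer file name, the manifest file name, the paths, and the expected signer subject are assumptions; replace them with the values from your downloaded package.

```powershell
# Added example (not from the Forcepoint documentation): stage the F1A package and
# build the .intunewin file with the Win32 Content Prep Tool.
# Assumed values: installer and manifest file names, folder paths, signer subject.
param(
    [string]$ExtractedDir        = 'C:\Packages\F1A\extracted',    # assumed path
    [string]$OutputDir           = 'C:\Packages\F1A\out',          # assumed path
    [string]$SetupFile           = 'F1AInstaller.exe',             # assumed installer name
    [string]$ManifestFile        = 'manifest.xml',                 # assumed manifest name
    [string]$IntuneWinAppUtil    = 'C:\Tools\IntuneWinAppUtil.exe',# assumed tool path
    [string]$ExpectedSignerMatch = 'CN=Forcepoint'                 # assumed subject fragment
)
$ErrorActionPreference = 'Stop'

# Every file the install command reads at run time must be in the source folder;
# otherwise the .intunewin builds fine but the install fails on the endpoint.
$required = @($SetupFile, 'ca.cer', 'localConfig.xml', $ManifestFile)
foreach ($name in $required) {
    if (-not (Test-Path -Path (Join-Path $ExtractedDir $name))) {
        throw "Required file missing from package source: $name"
    }
}

# The install runs as NT AUTHORITY\SYSTEM on each device, so only package an
# installer with a valid Authenticode signature from the expected publisher.
$installerPath = Join-Path $ExtractedDir $SetupFile
$sig = Get-AuthenticodeSignature -FilePath $installerPath
if ($sig.Status -ne 'Valid') {
    throw "Installer signature status is '$($sig.Status)', expected 'Valid'"
}
if ($sig.SignerCertificate.Subject -notlike "*$ExpectedSignerMatch*") {
    throw "Unexpected installer signer: $($sig.SignerCertificate.Subject)"
}

# Record what went into the package so the build can be audited later.
New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null
$hashFile = Join-Path $OutputDir 'package-hashes.sha256'
Get-ChildItem -Path $ExtractedDir -File -Recurse |
    Get-FileHash -Algorithm SHA256 |
    ForEach-Object { "$($_.Hash)  $($_.Path)" } |
    Set-Content -Path $hashFile

# Build the .intunewin: -c source folder, -s setup file, -o output folder, -q quiet.
& $IntuneWinAppUtil -c $ExtractedDir -s $SetupFile -o $OutputDir -q
if ($LASTEXITCODE -ne 0) {
    throw "IntuneWinAppUtil.exe failed with exit code $LASTEXITCODE"
}

# The file listed here is what you browse to on the first page of the Add App wizard.
Get-ChildItem -Path $OutputDir -Filter '*.intunewin' | Select-Object FullName, Length
```

The signer check is deliberately placed before the hashes are recorded and the package is built, so a tampered or unsigned installer never becomes an uploadable artifact.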
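The following PowerShell detection script is an added example for Step 9 and the Supersedence note in Step 11; it is not Forcepoint's own detection logic. Intune reports a Win32 app as detected only when the script exits with code 0 and writes something to STDOUT; exit 0 with no output, or any non-zero exit, means "not detected" and Intune keeps trying to install. The script looks the agent up in the Uninstall registry keys and compares its DisplayVersion against a minimum, so an older build is reported as not detected and a superseding version can be installed. The DisplayName pattern and the minimum version are assumptions; read the real values from a reference install of the package you are deploying.

```powershell
# Added example (not from the Forcepoint documentation): Intune Win32 detection
# script for the F1A agent with a version floor for supersedence.
# Assumed values: the DisplayName pattern and the minimum version.
$DisplayNameMatch = 'Forcepoint*'          # assumed DisplayName pattern
$MinimumVersion   = [version]'1.0.0.0'     # assumed; set to the build you are deploying

# Both native and WOW6432Node uninstall hives, so a 32-bit installer on x64 is found.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$entries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $DisplayNameMatch -and $_.DisplayVersion }

if (-not $entries) {
    # Nothing matching: no STDOUT, non-zero exit => not detected, Intune will install.
    exit 1
}

# Keep only entries whose version parses, then take the newest one.
$best = $entries | ForEach-Object {
    $parsed = $null
    if ([version]::TryParse($_.DisplayVersion, [ref]$parsed)) {
        [pscustomobject]@{ Name = $_.DisplayName; Version = $parsed }
    }
} | Sort-Object -Property Version -Descending | Select-Object -First 1

if ($null -eq $best) {
    # Present but with an unparsable version string: treat as not detected rather
    # than silently accepting an unknown build.
    exit 1
}

if ($best.Version -lt $MinimumVersion) {
    # Older build found. Reporting "not detected" is what lets a superseding
    # version install over it (see the Supersedence note in Step 11).
    exit 1
}

# Detected: write to STDOUT and exit 0. Intune requires both.
Write-Output "$($best.Name) $($best.Version) detected (minimum $MinimumVersion)"
exit 0
```

Upload the script under Detection rules > Use a custom detection script; run it once as SYSTEM on a reference device (for example with PsExec) to confirm that it prints one line and exits 0 on a machine with the agent, and exits 1 on a machine without it.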