In order to deploy Zluri Desktop Agent via Kandji MDM, follow these steps:
Latest Mac version of the Zluri agent: 3.0.8
Note: The first step in installing the agent using an MDM is to integrate the MDM with Zluri. Integrate Kandji with Zluri before you go ahead with the following steps, and make sure every device you are installing the agent on is enrolled in Kandji.
Permissions Zluri agent requires:
1. Screen Recording permission (THIS IS NOT A MANDATORY PERMISSION)
For details on why you may consider giving this permission, click here.
Please note that end users may be notified once Zluri is installed on their system. This notification is NOT under our control; it is entirely under the system's control and cannot be avoided.
Creation of blueprint and adding the scripts
1. Click ‘Blueprints’ from the left navigation menu.
2. Click ‘New Blueprint’
3. Click ‘start from scratch’
4. Enter name & description
5. Click ‘Library’
6. Click ‘Add New’
7. Select ‘Mac’ & Click ‘Custom Apps’
8. Click ‘Add & Configure’
9. Add Title, Select the Blueprint created above.
10. In installation, select ‘Audit & Enforce’ and enter the following audit script:
#!/bin/bash
# Audit script: exits 0 if Zluri is already installed, exits 1 if it is not.
validateInstallation() {
    local ZLURI_APP="/Applications/Zluri.app"
    if [[ -e "$ZLURI_APP" ]]
    then
        # return 0 (success) if the app bundle exists
        return 0
    else
        # return 1 (fail) if the app bundle does not exist
        return 1
    fi
}
if validateInstallation
then
    exit 0
else
    exit 1
fi
11. Add the pre install script, upload the package & add the post install script.
Preinstall script:
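#!/bin/bash
# Count Screen Recording grants (auth_value=2, allowed) recorded for com.zluri
# in the system TCC database.
ZLURI_PERMISSION=$(sqlite3 "/Library/Application Support/com.apple.TCC/TCC.db" "SELECT COUNT(*) FROM access WHERE service='kTCCServiceScreenCapture' AND client='com.zluri' AND auth_value=2;")
if [[ "$ZLURI_PERMISSION" -gt 0 ]]
then
    exit 0
else
    echo "Permission is not there for Zluri"
fi
# The check is informational only: the script exits 0 either way.
exit 0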
Post-install script:
#!/bin/bash
# Device ID: the fifth '/'-separated field of the ComputerURL stored by the Kandji agent.
UUID=$(defaults read /Library/Preferences/io.kandji.Kandji.plist ComputerURL | awk -F'/' '{print $5 }')
# Replace <org_token> with your organization's token.
ORG_TOKEN="<org_token>"
TYPE="kandji"
open -a zluri.app --args --uuid="$UUID" --org_token="$ORG_TOKEN" --mdm-mac-type="$TYPE" --silent_auth=on --screen_recording=on
Please check with the CSM for the org token.
NOTE: SCREEN RECORDING IS COMPLETELY OPTIONAL. If you do not want your organisation to share screen recording permissions, you can change the last line of the script to:
open -a zluri.app --args --uuid="$UUID" --org_token="$ORG_TOKEN" --mdm-mac-type="$TYPE" --silent_auth=on --screen_recording=off
12. A restart is needed after installation, so check "Restart after successful install".
13. Save the Blueprint.
With these steps we finish creating a blueprint with the required scripts.
Setting up a script for installation of the agent on quit and on logout
1. Go to Library
2. Click on + Add New and select the one that says Custom Scripts
3. Click on Add & Configure and you will be directed to a screen
4. Here, Choose a suitable name for the script and Choose the Zluri blueprint
5. Under Execution Frequency, choose Run Every 15 minutes
6. Under Audit Script enter the script given below
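#!/bin/bash
# Count running processes whose ps line mentions zluri or osquery (case-insensitive).
ZLURI_PROCESS=$(ps aux | grep -v grep | grep -ci zluri)
OSQUERY_PROCESS=$(ps aux | grep -v grep | grep -ci osquery)
# Exit 0 only when both are running; exit 1 otherwise.
if [[ "$ZLURI_PROCESS" -gt 0 ]] && [[ "$OSQUERY_PROCESS" -gt 0 ]]
then
    exit 0
else
    exit 1
fi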
7. Click on Add Remediation Script and enter the following script:
Note: Replace the ORG_TOKEN with your organization’s token
#!/bin/bash
# Device ID: the fifth '/'-separated field of the ComputerURL stored by the Kandji agent.
UUID=$(defaults read /Library/Preferences/io.kandji.Kandji.plist ComputerURL | awk -F'/' '{print $5 }')
# Replace the placeholder with your organization's token.
ORG_TOKEN="<add your org token>"
TYPE="kandji"
open -a zluri.app --args --uuid="$UUID" --org_token="$ORG_TOKEN" --mdm-mac-type="$TYPE" --silent_auth=on --screen_recording=on
NOTE: SCREEN RECORDING IS COMPLETELY OPTIONAL. If you do not want your organisation to share screen recording permissions, you can change the last line of the script to:
open -a zluri.app --args --uuid="$UUID" --org_token="$ORG_TOKEN" --mdm-mac-type="$TYPE" --silent_auth=on --screen_recording=off
8. Finally, click Save.
With this we complete the setup required for the installation of the Zluri Mac agent.
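The post-install and remediation scripts above launch the agent with whatever the awk extraction and the ORG_TOKEN line produce. The following is an added example, not Zluri's or Kandji's own code, that checks both values before launching; the function names, the DRY_RUN switch, the assumed ComputerURL shape and the sample values are assumptions.

```bash
#!/bin/bash
# Added example: validate the values handed to the agent before launching it.

# Assumption: ComputerURL has the form https://<tenant>.kandji.io/devices/<uuid>,
# which is what taking awk field 5 in the page's scripts implies.
extract_device_uuid() {
    # $1 = ComputerURL value. Prints the UUID; returns 1 if field 5 is not one.
    local uuid
    uuid=$(printf '%s\n' "$1" | awk -F'/' '{print $5}')
    if printf '%s\n' "$uuid" |
        grep -Eqi '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
    then
        printf '%s\n' "$uuid"
    else
        return 1
    fi
}

token_is_set() {
    # Rejects an empty value and an unreplaced <...> placeholder.
    case "$1" in
        '' | '<'*'>') return 1 ;;
        *) return 0 ;;
    esac
}

launch_agent() {
    # $1 = ComputerURL, $2 = org token, $3 = screen recording (on|off)
    local device_uuid
    device_uuid=$(extract_device_uuid "$1") ||
        { echo "no device UUID in ComputerURL" >&2; return 2; }
    token_is_set "$2" || { echo "ORG_TOKEN was not replaced" >&2; return 3; }
    case "$3" in
        on | off) ;;
        *) echo "screen_recording must be on or off" >&2; return 4 ;;
    esac
    # DRY_RUN (hypothetical switch): when set, print the command instead of running it.
    ${DRY_RUN:+echo} open -a zluri.app --args --uuid="$device_uuid" \
        --org_token="$2" --mdm-mac-type="kandji" --silent_auth=on \
        --screen_recording="$3"
}

# On a managed Mac the call would be (left commented so the block runs anywhere):
# launch_agent "$(defaults read /Library/Preferences/io.kandji.Kandji.plist ComputerURL)" "$ORG_TOKEN" off

# Constructed sample values, not real identifiers.
DRY_RUN=1 launch_agent \
    "https://example.kandji.io/devices/123e4567-e89b-12d3-a456-426614174000" \
    "sample-token" off
```

A non-zero return makes the Kandji script run fail visibly instead of starting the agent with an empty UUID or a placeholder token. The token still reaches the agent as a command-line argument, so it is visible in ps output on the device while the agent runs.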
Now, go to ‘Devices’.
Select ‘Assign Blueprint’, select the Blueprint and click ‘Change’.
After 15 minutes (minimum), the blueprint will be executed and the Zluri app will be installed with authentication.
Note: Screen recording permissions are optional for the Zluri agent.
Click here to know why we need the screen recording permissions.
Click here to know how to give the permissions.