This article describes the recommended method of installing the ºÚÁϺ£½Ç91Èë¿Ú Agent on macOS devices using a third-party MDM solution. This method of unattended installation uses an install script provided on ºÚÁϺ£½Ç91Èë¿Ú's GitHub. When properly configured, the script installs the ºÚÁϺ£½Ç91Èë¿Ú Agent and the ºÚÁϺ£½Ç91Èë¿Ú Service Account that is required to handle password synchronization.
Prerequisites:
- The Privacy Preferences Policy Control (PPPC) profile must be present on each device on which you intend to deploy the ºÚÁϺ£½Ç91Èë¿Ú Agent. This will give the agent the permissions required to handle PAM authentication responsibilities. See instructions for installing the PPPC profile in Grant Permissions for a Non-ºÚÁϺ£½Ç91Èë¿Ú MDM.
- Your MDM solution must be able to either run Bash/zsh commands or create policies that deliver and run Bash/zsh scripts.
- You will need the username and password of a local Admin account that has a secure token. Use the dscl utility in Terminal to verify the secure token status of an account:
- To find the usernames of user accounts on the device: dscl . -list /Users | grep -v "^_"
- To check the secure token status of a user, replacing USERNAME with a target username: dscl . -read /Users/USERNAME AuthenticationAuthority | grep "SecureToken" (an account that holds a secure token shows ;SecureToken; in its AuthenticationAuthority attribute; no output means the account has no token).
The local Admin account must be logged into at least once on each device in order to receive a valid secure token (unless the account was created during initial setup of the device).
Installing the Agent and Service Account Using the Install Script
Follow these steps to install the ºÚÁϺ£½Ç91Èë¿Ú Agent and Service Account:
- Copy the install script.
- Paste the script into a text editor and update the undefined parameters.
- Upload the install script into the MDM's administrator console.
- Create and apply a policy to install the agent using the script.
Copying the Install Script
- Copy the install script from ºÚÁϺ£½Ç91Èë¿Ú's GitHub repository.
Updating the Script
After copying the install script in the previous step, paste the contents into a text editor, and make the following changes:
- At the top of the script, note there are three undefined parameters:
- CONNECT_KEY,
- SECURETOKEN_ADMIN_USERNAME, and
- SECURETOKEN_ADMIN_PASSWORD.
- Replace the CONNECT_KEY value in the script with the ºÚÁϺ£½Ç91Èë¿Ú Connect Key.
- To find the Connect Key, log in to the ºÚÁϺ£½Ç91Èë¿Ú Admin Portal and go to DEVICE MANAGEMENT > Devices.
- Click ( + ) to add a device.
- Scroll to Connect Key and click copy.
- Paste the Connect Key into the CONNECT_KEY value field in the script.
- Replace the SECURETOKEN_ADMIN_USERNAME and SECURETOKEN_ADMIN_PASSWORD values with the username and password of a pre-existing local Admin account that has a secure token.
The username and password of this local Admin account must be the same on all your Macs in order for the installation script to function at scale. Because the configured script then carries that password in plaintext, treat the script itself as a secret: restrict who can view it in the MDM console, do not store it in a shared repository, and consider rotating the password once the rollout is complete.
- Once the three required parameters are set, set the SILENT_INSTALL parameter to 0 and the UNATTENDED_INSTALL parameter to 1. This allows the script to run without displaying interactive prompts and makes it use the parameters defined above to create the ºÚÁϺ£½Ç91Èë¿Ú Service Account.
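Before uploading the configured script, it is worth checking on one Mac that the admin account really holds a secure token, and checking the script file that the parameters above are filled in as described. The following pre-flight script is an added example written for this article; it is not part of the vendor's install script. The parameter names come from the article, but the NAME="value" assignment format, the sample dscl output, and the sample values in the constructed script header are assumptions made for the example. has_secure_token takes the text that dscl prints so it can be exercised offline; check_install_script reports every missing or mis-set parameter and succeeds only when the script is ready to upload.

```shell
#!/bin/bash
# Pre-flight checks for an unattended agent install (added example).
# Assumptions: the install script assigns its parameters as NAME="value"
# or NAME=value on their own lines, and dscl marks accounts that hold a
# secure token with the ";SecureToken;" tag in AuthenticationAuthority.

# has_secure_token: pass the output of
#   dscl . -read /Users/USERNAME AuthenticationAuthority
# Returns 0 when the account holds a secure token, 1 otherwise.
has_secure_token() {
    printf '%s\n' "$1" | grep -q ';SecureToken;'
}

# live_secure_token_check: the same check run against a real account on
# the Mac (not exercised offline).
live_secure_token_check() {
    has_secure_token "$(dscl . -read "/Users/$1" AuthenticationAuthority 2>/dev/null)"
}

# script_param: print the value assigned to NAME in the install script.
# Handles NAME="value", NAME='value' and unquoted NAME=value; trailing
# comments are ignored. Prints an empty string when the value is empty.
script_param() {
    local file="$1" name="$2"
    sed -n \
        -e "s/^[[:space:]]*${name}=\"\([^\"]*\)\".*/\1/p" \
        -e "s/^[[:space:]]*${name}='\([^']*\)'.*/\1/p" \
        -e "s/^[[:space:]]*${name}=\([^[:space:]\"']*\).*/\1/p" \
        "$file" | head -n 1
}

# check_install_script: verify the three required values are filled and the
# unattended switches are set as the article describes (SILENT_INSTALL=0,
# UNATTENDED_INSTALL=1). Prints each problem; returns 0 only when none found.
check_install_script() {
    local file="$1" problems=0 name value
    for name in CONNECT_KEY SECURETOKEN_ADMIN_USERNAME SECURETOKEN_ADMIN_PASSWORD; do
        value=$(script_param "$file" "$name")
        if [ -z "$value" ]; then
            echo "missing: $name is empty"
            problems=$((problems + 1))
        fi
    done
    if [ "$(script_param "$file" SILENT_INSTALL)" != "0" ]; then
        echo "wrong: SILENT_INSTALL must be 0"
        problems=$((problems + 1))
    fi
    if [ "$(script_param "$file" UNATTENDED_INSTALL)" != "1" ]; then
        echo "wrong: UNATTENDED_INSTALL must be 1"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Constructed sample of a correctly configured script header (example values only).
write_sample_script() {
    cat > "$1" <<'EOF'
#!/bin/bash
CONNECT_KEY="0123456789abcdef"   # example value, not a real Connect Key
SECURETOKEN_ADMIN_USERNAME="mdmadmin"
SECURETOKEN_ADMIN_PASSWORD='example-password'
SILENT_INSTALL=0
UNATTENDED_INSTALL=1
EOF
}

# Constructed sample with an empty key and the unattended switch left off.
write_bad_sample_script() {
    cat > "$1" <<'EOF'
#!/bin/bash
CONNECT_KEY=""
SECURETOKEN_ADMIN_USERNAME="mdmadmin"
SECURETOKEN_ADMIN_PASSWORD="example-password"
SILENT_INSTALL=0
UNATTENDED_INSTALL=0
EOF
}

# Constructed dscl output for an account with and without a secure token.
SAMPLE_DSCL_WITH_TOKEN='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2,SRP-RFC5054-4096-SHA512-PBKDF2> ;Kerberosv5;;mdmadmin@LKDC:SHA1.0000;LKDC:SHA1.0000 ;SecureToken;'
SAMPLE_DSCL_WITHOUT_TOKEN='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2,SRP-RFC5054-4096-SHA512-PBKDF2> ;Kerberosv5;;helpdesk@LKDC:SHA1.0000;LKDC:SHA1.0000'

# Demonstration on the constructed samples.
demo_file=$(mktemp)
write_sample_script "$demo_file"
check_install_script "$demo_file" && echo "sample script: ready to upload"
write_bad_sample_script "$demo_file"
check_install_script "$demo_file" || echo "bad sample script: fix the problems above"
has_secure_token "$SAMPLE_DSCL_WITH_TOKEN" && echo "mdmadmin: secure token present"
has_secure_token "$SAMPLE_DSCL_WITHOUT_TOKEN" || echo "helpdesk: no secure token"
rm -f "$demo_file"
```

On a real Mac, run live_secure_token_check with the admin username you intend to put in SECURETOKEN_ADMIN_USERNAME, and point check_install_script at the file you are about to upload; an empty password value or a mis-set switch is far cheaper to catch here than after the policy has reached a fleet.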
Uploading the Script
- In your MDM solution's administrator console, upload the configured install script. Refer to the vendor's documentation for support.
Applying the Script with a Policy
- Create a policy that runs the uploaded script and apply it to a single test Mac before targeting the rest of your fleet. Allow some time for the Mac to receive and execute the policy.
- To verify that the ºÚÁϺ£½Ç91Èë¿Ú Agent has been installed successfully on the Mac, check that the device appears in the ºÚÁϺ£½Ç91Èë¿Ú Admin Portal. See Bind Users to Devices to proceed to bind a user to the device.