Intune - Zero Touch Installation of Desktop App

How to configure Intune zero touch deployment of Banyan Desktop App

This feature requires Banyan Desktop App v1.11.0+.

Devices enrolled via Zero Touch installation only support Banyan’s Passwordless authentication feature via Banyan Desktop App v2.1.0+.

Overview

Microsoft Intune is used to administer corporate laptops, phones, tablets, and other devices in your enterprise. The Banyan Desktop App can be packaged and distributed to your device fleet via Intune in Zero Touch mode, requiring no interaction from end users. Also, zero touch mode does not require the end user to be an administrator on the device.

The Banyan Desktop App is deployed, installed, and registered in a matter of seconds, making zero touch mode the recommended way to deploy Banyan with Intune.

Steps

The Banyan Desktop App can be silently deployed via Intune and registered with Banyan on Windows and macOS devices. The steps outlined in this guide are currently only for Windows, but we will add steps for macOS very soon.

Two high-level steps are required to silently deploy and install the Banyan Desktop App and then register Windows devices with Banyan: prepare the .intunewin file (Step 1) and distribute it via Intune (Step 2).

Prerequisites

Please ensure you have created the mdm-config.json file to customize Banyan Desktop App functionality, paying particular attention to the following flags required to enable zero touch mode:

  • mdm_invite_code - Obtained from Command Center (Settings > App Deployment > Invite Code)
  • mdm_present - Set to true
  • mdm_vendor_name - Set to Intune

The example mdm-config.json below shows the three required flags to enable zero touch mode:

{
	"mdm_invite_code": "exampleinvitecode",
	"mdm_present": true,
	"mdm_vendor_name": "Intune"
}

Step 1. Prepare the Banyan Desktop App .intunewin file for Windows

First, you will prepare and then bundle four simple files (such as a PowerShell script and .xml task file) into an .intunewin file to configure and automate the installation and registration process.

Before you begin, ensure you have downloaded and familiarized yourself with the Win32 Content Prep Tool. For more information on preparing Win32 app content for upload to Intune, refer to Microsoft’s documentation.

1.1 Download the latest Banyan Desktop App for Windows (.exe file).

1.2 Prepare a PowerShell script to silently create the program data folder, place the mdm-config.json, and run the .exe file to install the Desktop App. Name this file Banyan-Install.ps1. For example:

Please note: The example below includes an optional scheduled task (Register-ScheduledTask -Xml (Get-Content '.\Open Banyan.xml' | Out-String) -TaskName "Open Banyan" -Force). Include this line only if you plan to prepare an .xml task file to launch the Desktop App when a new user logs onto the device (step 1.3).

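# Deletes this script (which embeds the deploy key) once installation has finished.
function Delete() {
    $Path = ".\Banyan-Install.ps1"
    Write-Host $Path
    Remove-Item $Path -Force
}

# Create the program data folder and place the zero touch configuration in it.
New-Item -Path C:\ProgramData -Name Banyan -ItemType Directory -Force
Copy-Item .\mdm-config.json -Destination C:\ProgramData\Banyan -Force

# Run the installer and wait for it to finish.
Start-Process .\Banyan-Setup-1.11.0.exe -Wait

# Launch the Desktop App with the staged deploy key from the Banyan Command Center.
& 'C:\Program Files\Banyan\Banyan.exe' --staged-deploy-key=example_deploy_key_from_banyan_command_center

# Optional: open the Desktop App at user logon (requires the task file from step 1.3).
Register-ScheduledTask -Xml (Get-Content '.\Open Banyan.xml' | Out-String) -TaskName "Open Banyan" -Force

Delete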

1.3 Optionally, prepare an .xml task file to launch the Desktop App when a new user logs onto the device. For example:

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2020-12-29T21:22:03.3963784</Date>
    <Author>BANYAN</Author>
    <Description>Opens Banyan for any user at login</Description>
    <URI>\Open Banyan</URI>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <GroupId>S-1-5-32-545</GroupId>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>true</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>
    <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\Program Files\Banyan\Banyan.exe"</Command>
    </Exec>
  </Actions>
</Task>

1.4 Place the files from steps 1.1 to 1.3 along with your prepared mdm-config.json file into a single folder.

1.5 Launch the IntuneWinAppUtil.exe and enter the appropriate folder locations when prompted:

  • Source Folder - The location of the folder referenced in step 1.4.
  • Setup File - The PowerShell filename referenced in step 1.2.
  • Output Folder - Any convenient folder where you want to save the .intunewin file.
  • Specify catalog folder (Y/N)? - Enter N.

The IntuneWinAppUtil bundles up your files into a .intunewin file and saves it in the output folder specified in step 1.5.
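
A pre-flight check for the folder from step 1.4, run on the packaging machine before IntuneWinAppUtil.exe. This is an added example, not Banyan's or Microsoft's own tooling; the function name Test-BanyanPackage and the folder C:\Packaging\Banyan are assumptions.

```powershell
# Added example. Test-BanyanPackage is a hypothetical helper, not a Banyan or Intune cmdlet.
function Test-BanyanPackage {
    param(
        [Parameter(Mandatory)] [string] $SourceFolder,
        [string] $Installer = 'Banyan-Setup-1.11.0.exe'  # installer name used in step 1.2
    )
    $problems = [System.Collections.Generic.List[string]]::new()

    # Files Banyan-Install.ps1 expects beside it ('Open Banyan.xml' is optional, step 1.3).
    foreach ($name in 'Banyan-Install.ps1', 'mdm-config.json', $Installer) {
        if (-not (Test-Path -LiteralPath (Join-Path $SourceFolder $name) -PathType Leaf)) {
            $problems.Add("missing file: $name")
        }
    }

    # mdm-config.json must parse as JSON and carry the three zero touch flags.
    $configPath = Join-Path $SourceFolder 'mdm-config.json'
    if (Test-Path -LiteralPath $configPath) {
        try {
            $cfg = Get-Content -LiteralPath $configPath -Raw | ConvertFrom-Json -ErrorAction Stop
            if ([string]::IsNullOrWhiteSpace($cfg.mdm_invite_code)) { $problems.Add('mdm_invite_code is missing or empty') }
            if (-not ($cfg.mdm_present -is [bool] -and $cfg.mdm_present)) { $problems.Add('mdm_present must be the JSON boolean true') }
            if ($cfg.mdm_vendor_name -ne 'Intune') { $problems.Add('mdm_vendor_name must be Intune') }
        } catch {
            # Curly quotes copied from a formatted document will land here.
            $problems.Add("mdm-config.json is not valid JSON: $($_.Exception.Message)")
        }
    }

    # If the optional task file is present, confirm it runs unelevated and starts the installed app.
    $taskPath = Join-Path $SourceFolder 'Open Banyan.xml'
    if (Test-Path -LiteralPath $taskPath) {
        try {
            $task = [xml](Get-Content -LiteralPath $taskPath -Raw)
            if ($task.Task.Principals.Principal.RunLevel -ne 'LeastPrivilege') { $problems.Add('task RunLevel is not LeastPrivilege') }
            if ("$($task.Task.Actions.Exec.Command)".Trim('"') -ne 'C:\Program Files\Banyan\Banyan.exe') {
                $problems.Add('task Command does not start C:\Program Files\Banyan\Banyan.exe')
            }
        } catch { $problems.Add("Open Banyan.xml is not valid XML: $($_.Exception.Message)") }
    }
    return $problems
}

$issues = @(Test-BanyanPackage -SourceFolder 'C:\Packaging\Banyan')  # constructed example path
if ($issues.Count -gt 0) { $issues | ForEach-Object { Write-Warning $_ } } else { Write-Host 'Package folder is ready for IntuneWinAppUtil.exe.' }
```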

Step 2. Distribute the Desktop App to Windows devices via Intune

Now that you’ve prepared the Banyan Desktop App .intunewin, distribute it to your end users via Intune.

2.1 Log in to your Microsoft Endpoint Manager admin center.

2.2 Navigate to Apps > Windows.

2.3 Click + Add.

2.4 Select the App Type of Windows app (Win32), and then click Select.

2.5 Click Select app package file, upload the .intunewin file that you prepared in step 1.5, and then click OK.

2.6 Configure the App information and then click Next:

  • Required Name and Description are pre-populated.
  • For Publisher, enter Banyan Security.
  • For App Version, enter the Banyan Desktop App version (such as 1.11.0).
  • Leave the remaining optional fields as-is.

2.7 Configure the Program fields, and then click Next:

  • For Install Command, enter Banyan-Install.ps1
  • For Uninstall Command, enter "C:\Program Files\BanyanApp\Uninstall Banyan.exe" /allusers /S
  • Leave the remaining optional fields as-is.

If your PowerShell execution policy prevents the Banyan-Install.ps1 script from executing, you can enter powershell.exe -executionpolicy Bypass -file Banyan-Install.ps1 to bypass the execution policy.

2.8 Configure the Requirements according to your specific organization’s needs, and then click Next.

2.9 Configure the Detection rules according to your specific organization’s needs, and then click Next:

  • Set Rules format to Manually configure detection rules
  • Create a rule so that:
    • Rule Type = File
    • Path = C:\Program Files\Banyan
    • File or folder = Banyan.exe
    • Detection method = File or folder exists
    • Associated with a 32-bit app on 64-bit clients = No

2.10 Optionally, configure Dependencies or skip this tab.

2.11 On the Assignments tab, assign the Banyan Desktop App to your target users, and then click Next.

2.12 Under Review + create, review and ensure the app configuration is correct, and then click Create. Allow a few minutes for your app to be created.

Once the Banyan App has been created, please allow up to 24 hours for all Corporate Devices to be synced with the new app on Intune. Once Corporate Devices are synced, the Banyan Desktop App should appear on your end users’ devices, launch, and then register with your Banyan organization.

The Banyan Desktop App appears on the applicable Windows device(s) and then registers the device(s) with your Banyan Organization.


In the Command Center, you will see a STAGED USER in your directory along with all staged devices that have been silently enrolled via zero touch installation.

That’s it! You’ve successfully distributed the Banyan Desktop App without any end user interaction using Intune.

Zero Touch Update of Desktop App via Intune

There may be scenarios requiring you to update the Banyan Desktop App after deploying it to your organization’s devices via Intune.

If you want to have organizational control of the Desktop App version, the easiest option is to configure the mdm-config.json file to set mdm_disable_auto_update to true. This flag disables prompts to end users to upgrade their Desktop App because the Device Manager will push the new version.

Then, when you need to upgrade the Banyan Desktop App, simply download the latest version, convert it to an .intunewin, and then deploy it to your organization’s devices. There is no need for the mdm-config.json, PowerShell script, or scheduled .xml task.

Last modified: Jun 17, 2021