Onboard macOS devices with AgentP using Kandji

In this topic, you will learn how to deploy Portnox™ AgentP on managed macOS devices by using Kandji.

There are two options to deploy AgentP on managed macOS devices using Kandji:

  1. Onboard devices using SCEP certificates and use AgentP for risk assessment only (recommended)
  2. Deploy AgentP and have the users onboard manually

If you choose the first option, begin by completing the steps in the following topic: Onboard macOS devices with certificates using Kandji and SCEP. Then, continue with the steps in the current topic.

Note: Do not install AgentP on managed devices before you complete the certificate-based onboarding. If you already installed AgentP, make sure to uninstall it and delete all related configuration and profiles.

Get issuer information from Portnox Cloud

In this task, you will copy the issuer name from the Portnox™ Cloud portal, so you can use it later when creating a configuration script for AgentP.

  1. In the Cloud portal top menu, click on the Settings option.

  2. In the Cloud portal left-hand side menu, click on the Services > GENERAL SETTINGS > Trusted Root Certificates option.

  3. In the Trusted Root Certificates section, copy the value of the Issued to field to a text file.

Add the AgentP installation package to Kandji

In this task, you will download the Portnox™ AgentP installation package for macOS and upload it to a Kandji custom app profile to be later distributed to managed macOS devices.

  1. Open the Download Portnox AgentP page in your browser.
  2. Click on the tile that represents the macOS system to download the AgentP installer.

  3. Open your Kandji instance in the browser and log in.
    For example, vorlon.kandji.io
  4. In the Kandji main menu, click on the LIBRARY option.

    Kandji shows the Library pane on the right-hand side.

  5. In the top-right corner of the Library pane, click on the Add new button.

    Kandji shows the Add Library item pane on the right-hand side.

  6. In the Add Library item pane, in the Search box on the right-hand side, start typing custom app and then click on the Custom Apps tile in the General section.

  7. In the Custom Apps section on the bottom of the right-hand side pane, click on the Add & Configure button.

    Kandji shows the Custom App pane on the right-hand side.

  8. In the Add a title field on top of the Custom App pane, enter the name for the new custom app profile.

    We used the name Vorlon AgentP but you can use any name you like.

  9. In the Blueprint field, select the blueprint you created earlier.

  10. In the Install Details section, select the Installer Package option.

  11. Click on the click to upload link below, and select the AgentP installation package file that you downloaded earlier (PortnoxAgentP.pkg).

  12. Click on the Add Preinstall Script button above the icon that symbolizes the package you just uploaded.

  13. Enter the script code in the Preinstall Script text field.

    Adjust your script to your environment and requirements.

    # Create the AgentP configuration directory.
    mkdir -p /var/agentp
    # Hide the AgentP user interface.
    json='{"HideUI":true}'
    echo "$json" > /var/agentp/uipreferences.cfg
    # Settings for unattended, certificate-based onboarding.
    json='{"Mode":"certificate","Certificate":"issuer:issued_to","User":"[current]","AutoSwitch":true,"UseCertificateSerialNumberAsDeviceId":true,"Domain":"your_domain","profileInstallationNeeded":false}'
    echo "$json" > /var/agentp/unattended.cfg
    # Make the directory and both files readable and writable by all users.
    chmod a+rw /var/agentp
    chmod a+rw /var/agentp/uipreferences.cfg
    chmod a+rw /var/agentp/unattended.cfg
    1. As issued_to, paste the value that you copied earlier from the Portnox Cloud portal.
      For example:
      json='{"Mode":"certificate","Certificate":"issuer:Vorlon - Portnox CLEAR","User":"[current]","AutoSwitch":true,"UseCertificateSerialNumberAsDeviceId":true,"Domain":"your_domain","profileInstallationNeeded":false}'
    2. As your_domain, use the domain serviced by Portnox Cloud (the domain configured in your authentication repository integration).
      For example:
      json='{"Mode":"certificate","Certificate":"issuer:Vorlon - Portnox CLEAR","User":"[current]","AutoSwitch":true,"UseCertificateSerialNumberAsDeviceId":true,"Domain":"vorlon.com","profileInstallationNeeded":false}'
    • If you are using user-based certificates, not device-based certificates, you can remove the User value from the configuration string or assign the value null to User. Then, AgentP will use the certificate UPN or Subject as the user name.

      For example:
      json='{"Mode":"certificate","Certificate":"issuer:Vorlon - Portnox CLEAR","AutoSwitch":true,"UseCertificateSerialNumberAsDeviceId":true,"Domain":"vorlon.com","profileInstallationNeeded":false}'
    • If you did not onboard macOS devices using SCEP certificates and you want AgentP to download the profile and have the user of the device confirm profile installation, set profileInstallationNeeded to true.

      For example:
      json='{"Mode":"certificate","Certificate":"issuer:Vorlon - Portnox CLEAR","User":"[current]","AutoSwitch":true,"UseCertificateSerialNumberAsDeviceId":true,"Domain":"vorlon.com","profileInstallationNeeded":true}'
  14. Adjust values of any other fields if necessary and then click on the Save button in the bottom-right corner of the Custom App configuration pane.
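
An added example, not part of the Portnox documentation: a variant of the preinstall script from step 13 that builds unattended.cfg from two values and refuses to write it while the issued_to or your_domain placeholder is still in place. The names ISSUED_TO, DOMAIN, AGENTP_DIR and the function names are assumptions of this example; the JSON keys and file paths are the ones shown in step 13.

```shell
#!/bin/sh
# Added example: parameterized form of the preinstall script from step 13.
# ISSUED_TO, DOMAIN, AGENTP_DIR and the function names are assumptions;
# the JSON keys, file names and permissions follow the script on this page.

# Escape backslashes and double quotes so a value is a valid JSON string.
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Print the certificate-mode configuration for an issuer name and a domain.
build_unattended_cfg() {
    issued_to=$1
    domain=$2
    # Reject empty values and the placeholders left over from the template.
    case $issued_to in ''|issued_to) echo "ISSUED_TO is not set" >&2; return 1 ;; esac
    case $domain in ''|your_domain) echo "DOMAIN is not set" >&2; return 1 ;; esac
    printf '{"Mode":"certificate","Certificate":"issuer:%s","User":"[current]","AutoSwitch":true,"UseCertificateSerialNumberAsDeviceId":true,"Domain":"%s","profileInstallationNeeded":false}\n' \
        "$(json_escape "$issued_to")" "$(json_escape "$domain")"
}

# Write both configuration files into the target directory.
write_agentp_cfg() {
    dir=$1
    cfg=$(build_unattended_cfg "$2" "$3") || return 1
    mkdir -p "$dir" || return 1
    printf '%s\n' '{"HideUI":true}' > "$dir/uipreferences.cfg"
    printf '%s\n' "$cfg" > "$dir/unattended.cfg"
    # Same permissions as the script in step 13.
    chmod a+rw "$dir" "$dir/uipreferences.cfg" "$dir/unattended.cfg"
}

# Run only when both values are supplied.
if [ -n "${ISSUED_TO:-}" ] && [ -n "${DOMAIN:-}" ]; then
    write_agentp_cfg "${AGENTP_DIR:-/var/agentp}" "$ISSUED_TO" "$DOMAIN"
fi
```

To use it, assign ISSUED_TO and DOMAIN on the lines directly after the shebang; a nonzero exit status means a placeholder was left in place and no unattended.cfg was written.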