MDM Provisioning
Firezone provides native clients for all major platforms. Use these clients on end-user devices, servers, and any other machine that needs access to your protected Resources. This guide covers deploying and provisioning those clients at scale across your organization with a mobile device management (MDM) provider.
Installation
See our client app guides for basic installation and usage instructions for the Firezone Client that are appropriate for all Firezone users. Or continue reading below for MDM deployment and headless mode instructions suited for Firezone admins wishing to deploy the clients at scale across their organization.
Distribute Clients with MDM
Provisioning the Firezone Client onto end-user devices should work out of the box with any of the major MDM vendors, using the appropriate distribution method below. If you find an exception, please open a GitHub issue so we can prioritize appropriately.
| Platform | Distribution Method |
|---|---|
| Android / ChromeOS | The Android / ChromeOS client is available from the Google Play Store and as a standalone APK from our changelog page. |
| Linux | The headless and GUI Linux clients are available from our changelog page. |
| iOS | The iOS client is available exclusively from the Apple App Store. |
| macOS | The macOS client is available either from the Apple App Store or as a standalone distributable in both DMG and PKG formats. |
| Windows | The Windows client is available as a standalone MSI installer from our changelog page. |
Allowlisting the macOS System Extension
The macOS client version 1.4.0 and higher includes a System Extension that must be enabled in order to function. For MDM-managed devices, the System Extension can be allowlisted to eliminate the need for the user to perform this step manually.
Follow one of the guides below for your MDM provider, using 47R2M6779T as the Team Identifier and dev.firezone.firezone.network-extension as the Bundle Identifier:
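As an added example (not Firezone's own code or any vendor's guide), the following Python builds the macOS System Extension policy profile those guides configure, using Apple's com.apple.system-extension-policy payload with the Team and Bundle Identifiers above, and checks an exported profile for the same entry; the payload identifiers and display names are assumed placeholders:

```python
# Added example, not Firezone's own code: build and verify a .mobileconfig that
# pre-approves the Firezone System Extension via Apple's
# com.apple.system-extension-policy payload. PayloadIdentifier and
# PayloadDisplayName values are assumed placeholders; choose your own.
import plistlib
import uuid

FIREZONE_TEAM_ID = "47R2M6779T"
FIREZONE_SYSEXT_BUNDLE_ID = "dev.firezone.firezone.network-extension"


def build_sysext_allowlist_profile(team_id: str, bundle_id: str,
                                   allow_user_overrides: bool = False) -> bytes:
    """Return a .mobileconfig (XML plist) that pre-approves one System Extension."""
    payload = {
        "PayloadType": "com.apple.system-extension-policy",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.firezone.sysext",  # assumed placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Firezone System Extension",
        # Only extensions signed by this team AND listed here are pre-approved.
        "AllowedTeamIdentifiers": [team_id],
        "AllowedSystemExtensions": {team_id: [bundle_id]},
        # False keeps users from approving extensions outside the allowlist.
        "AllowUserOverrides": allow_user_overrides,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",  # System Extension policy is device-scoped
        "PayloadIdentifier": "com.example.firezone.sysext.profile",  # assumed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Firezone System Extension Allowlist",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def profile_allows_extension(mobileconfig: bytes, team_id: str, bundle_id: str) -> bool:
    """Check whether a profile (e.g. one exported from your MDM) pre-approves the extension."""
    profile = plistlib.loads(mobileconfig)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.system-extension-policy":
            continue
        if team_id not in payload.get("AllowedTeamIdentifiers", []):
            continue
        if bundle_id in payload.get("AllowedSystemExtensions", {}).get(team_id, []):
            return True
    return False
```

Write the bytes returned by build_sysext_allowlist_profile to a .mobileconfig file and upload it to your MDM; profile_allows_extension lets you confirm a profile already in use covers the extension before rolling out the 1.4.0+ client.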
Configuring the Client
Use managed configurations to customize or enforce certain Client settings across your workforce. See the Managed configurations reference for the full list of available keys, the platforms they apply to, and each key's default value.
Applying managed configuration
Applying managed configuration is generally platform-specific and performed through your organization's MDM provider. For template files and other platform-specific notes, use the following details:
Step 1: Generate a .mobileconfig file
macOS configurations are applied as .mobileconfig provisioning profiles, which can be created by popular profile creator tools, such as Apple Configurator or iMazing Profile Editor. We recommend using iMazing Profile Editor as it has built-in support for generating Firezone profiles.
If you'd prefer to create the file manually, you can download an example profile here.
Step 2: Apply the .mobileconfig file
Consult your MDM provider's documentation for how to apply a provisioning profile to your macOS fleet. Links for some popular MDM providers are below:
On Windows, Firezone supports a variety of MDM-based configuration values. These are all read from the HKEY_CURRENT_USER\Software\Policies\Firezone registry key when the Client starts.
In order for changes to the configuration to be picked up, users need to restart the Windows Client.
Microsoft Intune
To set a policy via Microsoft Intune, follow these steps:
- Download the Firezone policy template:
- Go to the device configuration in the Intune admin center.
- Select "Import ADMX" and import the downloaded template files.
- If you have previously imported the Firezone template, you'll need to remove the current one first before uploading an updated one. This is a Microsoft Intune limitation and might be resolved in the future. See this link for details.
- Once successful, select the "Policies" tab and click on "Create" → "New policy"
- For "Platform" select "Windows 10 or later" and for "Profile type" select "Templates".
- From the list, select "Imported Administrative templates" as the template name.
- Go through the wizard; on the second step you can select from all available configuration settings for Firezone.
Headless mode operation
The Firezone Client can run in headless mode on Windows, Linux, Android, and ChromeOS platforms. Headless Clients support two ways to authenticate:
- A long-lived Service Account token -- best for deploying the Client on servers, IoT devices, and other unattended systems.
- A short-lived user token obtained via browser-based sign-in -- available on the Linux and Windows headless Clients via the sign-in subcommand, suitable when a human user wants to authenticate the Client without using a GUI.
See the table below for achieving headless mode operation on each platform:
| Platform | Headless Mode Operation |
|---|---|
| Android / ChromeOS | Set the token key using an MDM provider that supports Android managed configurations. If the token is set and valid, Firezone will automatically connect and authenticate using this token when the Client is started. |
| Linux | See the Linux Headless Client guide. |
| macOS / iOS | Not yet supported. |
| Windows | See the Windows Headless Client guide. |