MDM Provisioning

Firezone provides native clients for all major platforms. Use these clients on end-user devices, servers, and any other machine that needs access to your protected Resources. This guide covers deploying and provisioning those clients at scale across your organization with a mobile device management (MDM) provider.

Installation

See our client app guides for basic installation and usage instructions for the Firezone Client that are appropriate for all Firezone users. Or continue reading below for MDM deployment and headless mode instructions suited for Firezone admins wishing to deploy the clients at scale across their organization.

Distribute Clients with MDM

Provisioning the Firezone client onto end-user devices should work out of the box using any of the major MDM vendors using the appropriate distribution method below. If you find an exception, please open a GitHub issue so we can prioritize appropriately.

PlatformDistribution Method
Android / ChromeOSThe Android / ChromeOS client is available from the Google Play Store and as a standalone APK from our changelog page.
LinuxThe headless and GUI Linux clients are available from our changelog page.
iOSThe iOS client is available exclusively from the Apple App Store.
macOSThe macOS client is available either from the Apple App Store or as a standalone distributable in both DMG and PKG formats.
WindowsThe Windows client is available as a standalone MSI installer from our changelog page.

Allowlisting the macOS System Extension

The macOS client version 1.4.0 and higher includes a System Extension that must be enabled in order to function. For MDM-managed devices, the System Extension can be allowlisted to eliminate the need for the user to perform this step manually.

Follow one of the guides below for your MDM provider, using 47R2M6779T as the Team Identifier and dev.firezone.firezone.network-extension as the Bundle Identifier:

Configuring the Client

Use managed configurations to customize or enforce certain Client settings across your workforce. See the Managed configurations reference for the full list of available keys, the platforms they apply to, and each key's default value.

Applying managed configuration

Applying managed configuration is generally platform-specific and performed through your organization's MDM provider. For template files and other platform-specific notes, use the following details:

Step 1: Generate a .mobileconfig file

macOS configurations are applied as .mobileconfig provisioning profiles, which can be created by popular profile creator tools, such as Apple Configurator or iMazing Profile Editor. We recommend using iMazing Profile Editor as it has built-in support for generating Firezone profiles.

If you'd prefer to create the file manually, you can download an example profile here.

Step 2: Apply the .mobileconfig file

Consult your MDM provider's documentation for how to apply a provisioning profile to your macOS fleet. Links for some popular MDM providers are below:

Headless mode operation

The Firezone Client can run in headless mode on Windows, Linux, Android, and ChromeOS platforms. Headless Clients support two ways to authenticate:

  • A long-lived Service Account token -- best for deploying the Client on servers, IoT devices, and other unattended systems.
  • A short-lived user token obtained via browser-based sign-in -- available on the Linux and Windows headless Clients via the sign-in subcommand, suitable when a human user wants to authenticate the Client without using a GUI.

See the table below for achieving headless mode operation on each platform:

PlatformHeadless Mode Operation
Android / ChromeOSSet the token key using an MDM provider that supports Android managed configurations. If the token is set and valid, Firezone will automatically connect and authenticate using this token when the Client is started.
LinuxSee the Linux Headless Client guide.
macOS / iOSNot yet supported.
WindowsSee the Windows Headless Client guide.

Need help? See all support options.

Found a problem with this page? Open an issue
Last updated: July 01, 2026