Topic
This article explains how to install the NinjaOne agent via Microsoft Intune.
Environment
- NinjaOne Integrations
- Microsoft Intune
Description
You can use Microsoft Intune to deploy the NinjaOne agent onto your Microsoft Windows or Apple macOS devices. We've improved this process with the implementation of our Microsoft Intune integration. You can use the process below, or refer to Getting Started with the Microsoft Intune Integration in NinjaOne for a streamlined experience.
Select a category to learn more:
- Microsoft Intune Deployment Instructions for Windows
- Microsoft Intune Deployment Instructions for macOS
- Frequently-Asked Questions
Microsoft Intune Deployment Instructions for Windows
Prepare the Installer File
- Download the NinjaOne agent installer file by adding a device in NinjaOne. For more information, refer to NinjaOne Agent Installation: Add Device (Windows).
- Ensure the file for the NinjaOne agent is ready for deployment.
Add the NinjaOne Agent as a Line of Business Application in Microsoft Intune
First, you must add the application to Microsoft Intune. Refer to Microsoft's instructions (external link) for more information.
- Navigate to the Sign in to Microsoft Azure page (external link).
- Navigate to Apps → All apps and click + Create.
- Select Line-of-business app from the App type drop-down menu and click Select.
Upload the MSI File
- Click Select app package file. You can use a Windows Installer Package or a PKG file.
- In the app package file pane, click Browse to locate and select the NinjaOne agent file, then click OK to upload it.
Configure the App Information
Use the following table to complete the applicable App information fields. Complete all other fields to your preference. Then, click Next to proceed to the next step.
| Field Name | Data |
|---|---|
| Name | Enter a unique identifier for the application, such as NinjaOne Agent. |
| Description | Enter a summary for the application's purpose. |
| Publisher | Enter NinjaOne. |
| Ignore app version | Select Yes. |
Assign the Application
In the Assignments section, specify the groups of devices or users to which you want to deploy the NinjaOne agent.
- Click Add group.
- Select the checkbox for each group you want to add and then click Select to confirm.
- Click Next on the Assignments page.
- On the Review + create page, review the settings.
- Click Create, then monitor the deployment.
You can view the installation status in the Microsoft Intune portal at Apps → Monitor → App install status.
Microsoft Intune Deployment Instructions for macOS
For devices on macOS Catalina (10.15) and higher, macOS requests manual approval for various Security and Privacy settings before opening downloaded software for the first time. To learn how to install the agent with macOS's enhanced Security and Privacy settings, refer to NinjaOne Agent Installation: Add Device (macOS).
Detection Criteria
Some MDMs may not properly detect whether the agent is installed on the device, even if the agent is deployed successfully. By default, most MDMs will likely check the /Applications/ folder for the specified file or check PKG receipts; however, these are not proper indicators for the NinjaOne agent.
Depending on what the MDM allows, there are a few ways to confirm that the NinjaOne agent was properly installed:
Application Files
- Check the /Applications/ folder for the installed apps:
  - /Applications/NinjaRMMAgent/uninstall.app
  - /Applications/NinjaRMMAgent/programfiles/njbar.app
  - /Applications/NinjaRMMAgent/programfiles/njdialog.app

  If the MDM is checking for installed apps, you can use one (or all three) of the installed apps above to verify that you installed the application successfully.
- View the bundle ID and version with the following commands after installing the NinjaOne agent, making sure to replace {appPath} with one of the paths above:

```bash
defaults read {appPath}/Contents/Info.plist CFBundleIdentifier
defaults read {appPath}/Contents/Info.plist CFBundleShortVersionString
```

For example, you can see the following input/output for njbar.app:

```
defaults read /Applications/NinjaRMMAgent/programfiles/njbar.app/Contents/Info.plist CFBundleIdentifier
org.njbar.daemon
defaults read /Applications/NinjaRMMAgent/programfiles/njbar.app/Contents/Info.plist CFBundleShortVersionString
5.8.9154
```
Program Files
Some MDMs support simply checking to confirm if a certain file exists after installation. We recommend using the following file:
/Applications/NinjaRMMAgent/programfiles/ninjarmm-macagent
Install Check Script
Some MDMs support using a custom script to check if an application is installed. It may be necessary to use only a script that checks if the above file exists and returns the appropriate value if it does. The specifics may depend on the platform itself. Below, and attached at the end of the article, NinjaOne offers a script that can help with deployment.
You must change the URL to match either your generated installer URL or the generic installer URL.
Note: If you are using the generic installer URL, you must also replace Token='' with Token='YourActualTokenID'.
```bash
#!/bin/bash
# SYNOPSIS
# This script is used to install the NinjaOne agent. Supports generic installer or generated URL.
# DESCRIPTION
# This script is used to install the NinjaOne agent. Supports generic installer or generated URL.
# ------------------------------------------------------------

# Append a timestamped message to the install log and print it to the console.
Write-LogEntry() {
    if [[ -z "$1" ]]; then
        Write-LogEntry "Usage: Write-LogEntry \"You must supply a message when calling this function.\""
        return 1
    fi
    local message="$1"
    local log_path="/tmp/NinjaOneInstall.log"
    local timestamp
    timestamp=$(date +"%Y-%m-%d %H:%M:%S")
    # Append the log entry to the file and print it to the console
    echo "$timestamp - $message" >>"$log_path"
    echo "$timestamp - $message"
}

# Adjust URL to your generated URL or to the generic URL
URL=''
# If using generic installer URL, a token must be provided
Token=''
Folder='/tmp'
Filename=$(basename "$URL")

# The installer needs root privileges
if [[ $EUID -ne 0 ]]; then
    Write-LogEntry "This script must be run as root. Try running it with sudo or as the system/root user."
    exit 1
fi

if [[ -z "$URL" ]]; then
    Write-LogEntry 'Please provide a URL. Exiting.'
    exit 1
fi

Write-LogEntry 'Performing checks...'
CheckApp='/Applications/NinjaRMMAgent'
if [[ -d "$CheckApp" ]]; then
    Write-LogEntry 'NinjaOne agent already installed. Please remove before installing.'
    # Nothing has been downloaded at this point, so there is no file to clean up
    exit 1
fi

if [[ "$Filename" != *.pkg ]]; then
    Write-LogEntry 'Only PKG files are supported in this script. Cannot continue.'
    exit 1
fi

# The generic installer needs a token; a generated installer must not be given one
if [[ "$Filename" == 'NinjaOneAgent.pkg' ]]; then
    if [[ -z "$Token" ]]; then
        Write-LogEntry 'A generic install URL was provided with no token. Please provide a token to use the generic installer. Exiting.'
        exit 1
    fi
    # The token must have the 8-4-4-4-12 hexadecimal (UUID) form
    if [[ ! $Token =~ ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ ]]; then
        Write-LogEntry 'An invalid token was provided. Please ensure it was entered correctly.'
        exit 1
    fi
    Write-LogEntry 'Token provided and generic installer being used. Continuing...'
    # Stage the token in "$Folder/.~" before the generic installer runs
    echo "$Token" >"$Folder/.~"
else
    if [[ -n "$Token" ]]; then
        Write-LogEntry 'A token was provided, but the URL appears to be for a generated installer and not the generic installer.'
        Write-LogEntry 'Script will not continue. Please use either a generic installer URL, or remove the token. You cannot use both.'
        exit 1
    fi
fi

Write-LogEntry 'Downloading installer...'
if ! curl -fSL "$URL" -o "$Folder/$Filename"; then
    Write-LogEntry 'Download failed. Exiting Script.'
    exit 1
fi

if [[ ! -s "$Folder/$Filename" ]]; then
    Write-LogEntry 'Downloaded an empty file. Exiting.'
    exit 1
fi

# Refuse to install a package whose signature does not name NinjaRMM LLC
if ! pkgutil --check-signature "$Folder/$Filename" | grep -q "NinjaRMM LLC"; then
    Write-LogEntry 'PKG file is not signed by NinjaOne. Cannot continue.'
    exit 1
fi

Write-LogEntry 'Download successful. Beginning installation...'
installer -pkg "$Folder/$Filename" -target /

# Confirm that the agent folder now exists
CheckApp='/Applications/NinjaRMMAgent'
if [[ ! -d "$CheckApp" ]]; then
    Write-LogEntry 'Failed to install the NinjaOne Agent. Exiting.'
    rm "$Folder/$Filename"
    exit 1
fi

Write-LogEntry 'Successfully installed NinjaOne!'
rm "$Folder/$Filename"
exit 0
```

Relevant MDM Profiles
Regardless of how you deploy the NinjaOne agent, several relevant MDM profiles can help streamline the process and ensure the agent functions correctly. The payload names and exact setting names may change slightly between different MDMs.
Note that these configurations may be combined into a single policy or separated into different policies, depending on individual preference or MDM requirements.
- Give the NinjaOne agent access to all files.
  - Payload Type: Privacy Preferences Policy Control
  - Permissions: SystemPolicyAllFiles
  - Values:
    - Allowed: True (make sure you remove the Authorization key from the payload)
    - Static Code: False
    - Code Requirement: identifier "ninjarmm-macagent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EBNT3ZX97E
    - Identifier Type: path
    - Identifier: /Applications/NinjaRMMAgent/programfiles/ninjarmm-macagent
- Prevent end users from turning off NinjaOne Agent background processing.
  - Payload Type: Service Management Managed Login Items
  - Values:
    - Comment: NinjaOne agent
    - RuleType: TeamIdentifier
    - RuleValue: EBNT3ZX97E
- Give NinjaOne Remote access to all files and Accessibility settings.
  - Payload Type: Privacy Preferences Policy Control
  - Permissions:
    - SystemPolicyAllFiles
    - Accessibility
  - Values:
    - Allowed: True (make sure you remove the Authorization key from the payload)
    - Static Code: False
    - Code Requirement: identifier "com.ninjarmm.ncstreamer" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EBNT3ZX97E
    - Identifier Type: Bundle ID
    - Identifier: com.ninjarmm.ncstreamer
- Optional: Allow a standard user to allow screen capture with NinjaOne Remote. You can combine this payload with the previous payload.
  - Payload Type: Privacy Preferences Policy Control
  - Permissions: ScreenCapture
  - Values (make sure you remove the Allowed key from the payload):
    - Authorization: AllowStandardUserToSetSystemService
    - Static Code: False
    - Code Requirement: identifier "com.ninjarmm.ncstreamer" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EBNT3ZX97E
    - Identifier Type: Bundle ID
    - Identifier: com.ninjarmm.ncstreamer
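The Code Requirement strings above pin the signer to Team ID EBNT3ZX97E, while the install script's pkgutil --check-signature test matches only the signer name. As an added example (not part of NinjaOne's script), the check below applies the same Team ID to the leaf certificate line of the pkgutil output; the function names, the sample outputs and the output layout they assume are constructed for illustration.

```bash
#!/bin/bash
# Added example, not NinjaOne's script. The sample outputs below are constructed.
EXPECTED_TEAM_ID='EBNT3ZX97E'   # Team ID from the Code Requirement on this page

# Reads `pkgutil --check-signature` output on stdin. Succeeds only when the
# Status line reports an Apple-issued developer certificate AND certificate 1
# (the leaf) is a Developer ID Installer certificate for Team ID $1.
leaf_matches_team() {
  local team="$1" line trimmed status='' leaf=''
  while IFS= read -r line; do
    trimmed="${line#"${line%%[![:space:]]*}"}"   # strip leading whitespace
    case "$trimmed" in
      'Status: '*) [ -n "$status" ] || status="${trimmed#Status: }" ;;
      '1. '*)      [ -n "$leaf" ]   || leaf="${trimmed#1. }" ;;
    esac
  done
  case "$status" in
    'signed by a developer certificate issued by Apple'*) ;;
    *) return 1 ;;
  esac
  case "$leaf" in
    'Developer ID Installer: '*" ($team)") return 0 ;;
    *) return 1 ;;
  esac
}

# Wrapper for use on a Mac: a non-zero exit from pkgutil is treated as failure.
verify_pkg() {
  local pkg="$1" out
  out=$(pkgutil --check-signature "$pkg" 2>&1) || return 1
  printf '%s\n' "$out" | leaf_matches_team "$EXPECTED_TEAM_ID"
}

# Constructed sample outputs (assumed layout, not captured from a real package)
SAMPLE_SIGNED='Package "NinjaOneAgent.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Certificate Chain:
    1. Developer ID Installer: NinjaRMM LLC (EBNT3ZX97E)
    2. Developer ID Certification Authority
    3. Apple Root CA'
SAMPLE_OTHER_TEAM='Package "NinjaOneAgent.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Certificate Chain:
    1. Developer ID Installer: Example Corp (ABCDE12345)
    2. Developer ID Certification Authority'
SAMPLE_UNSIGNED='Package "NinjaOneAgent.pkg":
   Status: no signature'
```

On a Mac, verify_pkg "$Folder/$Filename" can take the place of the grep test before installer runs.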
Frequently-Asked Questions
Select a question to view the answer:
- How does NinjaOne prevent duplication when deployed via Intune?
- How will this installation work when the version changes?
- Why is LOB (line of business) preferred to Win32?
- Why is my deployment of the NinjaRMM Agent install failing with an error during the PKG installation process?
How does NinjaOne prevent duplication when deployed via Intune?
We prevent duplication in two ways:
- Microsoft Intune checks for the NinjaOne service before installation; if it is already present, Intune skips the attempt to install the NinjaOne agent and marks the device as compliant.
- We link the endpoint based on normalized serial numbers retrieved from Intune, which enables us to match the Intune record with the existing NinjaOne device.
Duplications may still occur in edge cases if the serial number is not unique. When this issue occurs, you must correct the non-unique serial number.
How will this installation work when the version changes?
Microsoft Intune will not update the install; however, NinjaOne will push agent updates as needed. If, in the future, you notice that the installed version differs significantly from the available download version, you can revert and update the Microsoft Intune package.
Why is LOB (line of business) preferred to Win32?
LOB is generally safer, as it can bypass some roadblocks that certain manufacturers impose. For example, some manufacturers bundle their devices with the SCCM agent; if Microsoft Intune detects the SCCM agent, then Win32 deployments are blocked. Only LOBs will punch through that.
Why is my deployment of the NinjaRMM Agent install failing with an error during the PKG installation process?
An error with the installation detection can cause this error. Microsoft Intune automatically sets the CFBundleIdentifier value as com.bitrock.appinstaller. You must check the uninstall.app Info.plist file in the installed agent folder within "Applications" and set the Included apps information as shown in Figure 2.
