Deployment via Intune

This guide covers deploying the DefensX Agent to macOS devices managed by Microsoft Intune. The process uses a shared installer script and configuration profiles applicable to all customers, plus a customer-specific profile that delivers the unique deployment key and browser settings.

Tip
 The installer script, CA certificate, and DNS Proxy Extension profile are customer-agnostic and only need to be set up once. To deploy to a new customer or deployment, only repeat the Step 5: Create the Customer-Specific Configuration Profile step with the corresponding mobileconfig file.

Step 1: Download Required Files

Log in to the DefensX backend and navigate to Policies & Groups. Under the Deployments section, locate your deployment and click the RMM button.

rmm

In the RMM dialog, click Mac MDM and download the following files:

File How to Download

DefensX-[deployment].mobileconfig

Click Download mobileconfig

DefensX-DNSProxy-Extension.mobileconfig

Click DNS Proxy Extension mobileconfig

DefensX-CA.cer

Click Download DefensX-CA CertificateAs PEM encoded

DefensX-installer.sh

Click Download Installer Script

DefensX-uninstaller.sh

Click Download Uninstaller Script

Keep all files available, they are needed in the steps below.

Step 2: Create and Deploy the Installer Script

  • Sign in to the Microsoft Intune Portal and navigate to DevicesmacOSScripts.

  • Click + Add.

  • Enter DefensX Installer as the script name, then click Next.

  • Upload DefensX-installer.sh.

  • Configure the script settings:

    • Run script as signed-in user: Select No

    • Script frequency: Choose as required

      mac intune install script

  • Assign the script to the appropriate devices or user groups.

  • Review the configuration and click Add to complete.

Step 3: Deploy the CA Certificate

The DefensX CA certificate is required to properly render HTTPS block pages in browsers that do not use the DefensX extension or standalone clients.

  • In the Intune Portal, navigate to DevicesmacOSConfiguration.

  • Click CreateNew Policy.

  • Select TemplatesTrusted certificate, then click Create.

  • Enter DefensX CA Certificate as the profile name.

  • Set Deployment Channel to Device Channel.

  • Upload DefensX-CA.cer.

    intune cacert

  • Assign to the required devices or user groups.

  • Review and click Create.

Step 4: Create the DNS Proxy Extension Configuration Profile

This profile grants the DefensX DNS Proxy Network Extension the permissions it needs to operate without prompting users for approval. It enables DNS policy enforcement without modifying system-level DNS settings.

  • In the Intune Portal, navigate to DevicesmacOSConfiguration.

  • Click CreateNew Policy.

  • In Profile type, select TemplatesCustom, then click Create.

  • Enter DefensX DNSProxy Extension as the profile name, then click Next.

  • In the Configuration settings step:

    • Enter DefensX DNS Proxy Extension as the Custom configuration profile name.

    • Set Deployment channel to Device channel.

    • Click File selection and upload DefensX-DNSProxy-Extension.mobileconfig.

      intune dnsproxy step2

  • Assign to the required devices or user groups.

  • Review and click Create.

Step 5: Create the Customer-Specific Configuration Profile

This profile delivers the unique deployment key and browser settings for a specific customer. Each DefensX deployment has its own mobileconfig file containing the relevant Deployment Key.

  • In the Intune Portal, navigate to DevicesmacOSConfiguration.

  • Click CreateNew Policy.

  • In Profile type, select TemplatesCustom, then click Create.

    mac mdm defensx policy

  • Enter a descriptive name that identifies the customer and deployment, e.g. DefensX [Customer Name] Default Settings, then click Next.

    intune customer profile basics

  • In the Configuration settings step:

    • Enter the same name as the Custom configuration profile name.

    • Set Deployment channel to Device channel.

    • Click File selection and upload the DefensX-[deployment].mobileconfig file downloaded in Step 1.

      intune customer profile step2

  • Assign to the relevant devices or user groups.

  • Review and click Create.

Tip
 You can create multiple customer-specific profiles for different groups — for example, to enable Incognito mode for certain users. Only the customer-specific profile needs to differ; the installer script, CA certificate, and DNS Proxy Extension profile remain the same across all deployments.

Uninstalling DefensX

Important
 Before deploying the uninstall script, remove the devices from the installer script assignment in Step 2. Otherwise Intune will continue reinstalling the agent.

  • In the Intune Portal, navigate to DevicesmacOSScripts and click + Add.

  • Enter DefensX Uninstaller as the script name, then click Next.

  • Upload DefensX-uninstaller.sh.

  • Configure the script settings:

    • Run script as signed-in user: Select No

    • Script frequency: Choose as required

  • Assign to the relevant devices or user groups.

  • Review and click Add to complete.