Deploying the Datto RMM Agent using Microsoft Intune
Overview
Microsoft Intune can deploy and run PowerShell scripts on managed Windows 10 devices and Bash and Shell scripts on managed macOS devices, provided that they are fully enrolled in Microsoft Intune and not just Azure AD domain-joined. We can use this functionality to deploy scripts that download and install the Datto RMM Agent.
The process consists of three stages:
- Create scripts for each Datto RMM site you wish to deploy Agents to.
- For each site, create a Device Group within the Microsoft Intune portal containing that customer’s Windows or macOS devices.
- Upload the correct script for that customer’s Datto RMM site for the respective OS and associate it with the Device Group you created for them.
NOTE Datto provides an automated process for new Datto RMM partners to bulk import sites and to create the PowerShell and Bash/Shell scripts required for deploying from Microsoft Intune quickly and easily. For more information, refer to Automated deployment of the Datto RMM Agent using alternative tools.
For Windows devices, you will need a PowerShell script for each site you wish to deploy Agents to. The generic script is below, but it must be customized for each site. Perform the following steps to create and customize the script.
- Copy and paste this script block into a text editor:
```powershell
$Platform="<Paste your platform name here>"
$SiteID="<paste your Site ID here>"
<#
Datto RMM Agent deploy by MS Azure Intune
Designed and written by Jon North, Datto, March 2020
Download the Agent installer, run it, wait for it to finish, delete it
#>
# First check if Agent is installed and instantly exit if so
If (Get-Service CagService -ErrorAction SilentlyContinue) {Write-Output "Datto RMM Agent already installed on this device" ; exit}
# Download the Agent
$AgentURL="https://$Platform.centrastage.net/csm/profile/downloadAgent/$SiteID"
$DownloadStart=Get-Date
Write-Output "Starting Agent download at $(Get-Date -Format HH:mm) from $AgentURL"
# 3072 is the SecurityProtocolType value for TLS 1.2
try {[Net.ServicePointManager]::SecurityProtocol=[Enum]::ToObject([Net.SecurityProtocolType],3072)}
catch {Write-Output "Cannot download Agent due to invalid security protocol. The`r`nfollowing security protocols are installed and available:`r`n$([enum]::GetNames([Net.SecurityProtocolType]))`r`nAgent download requires at least TLS 1.2 to succeed.`r`nPlease install TLS 1.2 and rerun the script." ; exit 1}
try {(New-Object System.Net.WebClient).DownloadFile($AgentURL, "$env:TEMP\DRMMSetup.exe")}
catch {$host.ui.WriteErrorLine("Agent installer download failed. Exit message:`r`n$_") ; exit 1}
# TotalSeconds gives the full elapsed time; Seconds is only the 0-59 component
Write-Output "Agent download completed in $([int]((Get-Date).Subtract($DownloadStart).TotalSeconds)) seconds`r`n`r`n"
# Install the Agent
$InstallStart=Get-Date
Write-Output "Starting Agent install to target site at $(Get-Date -Format HH:mm)..."
# Piping to Out-Null makes the script wait for the installer to finish
& "$env:TEMP\DRMMSetup.exe" | Out-Null
Write-Output "Agent install completed at $(Get-Date -Format HH:mm) in $([int]((Get-Date).Subtract($InstallStart).TotalSeconds)) seconds."
# Delete the installer
Remove-Item "$env:TEMP\DRMMSetup.exe" -Force
Exit
```
- Copy the platform name of your Datto RMM account and paste it between the quotes of the $Platform="<Paste your platform name here>" line. The platform name is at the start of the URL; it will be Pinotage or Merlot (EMEA), Concord, Vidal, or Zinfandel (NA), or Syrah (APAC).
- Copy the target site ID and paste it between the quotes of the $SiteID="<paste your Site ID here>" line. To find the site ID, refer to Site ID in Editing a site.
- Save the resulting script as a file with the extension .ps1. Repeat this process for each site you want to deploy Agents to.
NOTE The ID column is displayed by default, but may have been removed from your view. If this is the case, you can add it via the Column Chooser. Refer to List of sites and Column Chooser field definitions.
NOTE If you have a large number of sites, you may find it easier to download the list. You can do this with the site variable import template. Refer to Import Site Variables in Global Settings.
NOTE Ensure the files are saved with the .ps1 extension. If you have hidden file extensions, it may be that your text editor will append a .txt extension that you will not be able to see.
For macOS devices, you will need a Bash script for each site you wish to deploy Agents to. The generic script is below, but it must be customized for each site. Perform the following steps to create and customize the script.
- Copy and paste this script block into a text editor:
- Copy the platform name of your Datto RMM account and paste it at the end of the Platform=<Paste your platform name here> line, replacing the placeholder. The platform name is at the start of the URL; it will be Pinotage or Merlot (EMEA), Concord, Vidal, or Zinfandel (NA), or Syrah (APAC).
- Copy the target site ID and paste it at the end of the SiteID=<paste your Site ID here> line, replacing the placeholder. To find the site ID, refer to Site ID in Editing a site.
- Save the resulting script as a file with the extension .bash. Repeat this process for each site you want to deploy Agents to.
```bash
#!/bin/bash
Platform=<Paste your platform name here>
SiteID=<paste your Site ID here>
# Datto RMM Agent deploy designed and written by Jon North, Datto, March 2021
# Download the Agent installer, run it, wait for it to finish, delete it
# First check if Agent is already installed and instantly exit if so
if [ -d "/Applications/AEM Agent.app" ] ; then
    echo "Datto RMM Agent already installed on this device" ; exit
fi
# Output target site ID and timestamp
echo "Target site ID: $SiteID"
echo "Current date and time is $(date)"
AgentFilename="/tmp/DRMMSetup_$(date +"%Y-%m-%d_%H-%M")"
# Download the Agent; --fail makes curl return an error on an HTTP failure
if ! curl --fail -o "$AgentFilename.zip" "https://$Platform.centrastage.net/csm/profile/downloadMacAgent/$SiteID" ; then
    echo "Agent installer download failed" ; exit 1
fi
# Unzip and install the Agent
mkdir "$AgentFilename"
unzip -a -o "$AgentFilename.zip" -d "$AgentFilename"
installer -pkg "$AgentFilename/AgentSetup/CAG.pkg" -target /
# Clean up the download and the extracted files
rm "$AgentFilename.zip"
rm -rf "$AgentFilename"
exit
```
IMPORTANT If you are creating the script on a Windows device, ensure you use Unix-style newline characters or the script will fail to run on your macOS devices. Native Windows applications Notepad and WordPad cannot do this, but the freeware application Notepad++ is able to. In the Edit menu, select EOL Conversion and then Unix (LF), NOT Macintosh (CR).
NOTE Ensure the files are saved with the .bash extension. If you have hidden file extensions, it may be that your text editor will append a .txt extension that you will not be able to see.
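The notes above (file extension, Unix line endings, replaced placeholders, valid platform name) can be checked before a script is uploaded. The following is an added example, not Datto's code: `check_site_script` and `get_value` are hypothetical helper names, and the rule that a site ID contains only letters, digits and hyphens is an assumption, applied because the value is interpolated into the download URL.

```shell
#!/bin/sh
# Added example, not Datto's code: lint a customized site script before upload.
# Platform names are the six listed in this article.
VALID_PLATFORMS="pinotage merlot concord vidal zinfandel syrah"

# Print the value assigned to NAME= or $NAME= in FILE, without quotes or CR.
get_value() {
    sed -n -E 's/^\$?'"$1"'="?([^"[:space:]]*)"?[[:space:]]*$/\1/p' "$2" | head -n 1
}

# Print one line per problem found; return 0 if the file is clean, 1 if not.
check_site_script() {
    file=$1; problems=0; cr=$(printf '\r')
    case "$file" in
        *.ps1|*.bash) ;;
        *) echo "$file: extension must be .ps1 or .bash (check for a hidden .txt)"
           problems=1 ;;
    esac
    # A shebang script with CR characters will fail to run on macOS.
    if head -n 1 "$file" | grep -q '^#!' && grep -q "$cr" "$file"; then
        echo "$file: contains CR characters, convert to Unix (LF)"; problems=1
    fi
    if grep -q -i 'paste your' "$file"; then
        echo "$file: placeholder text has not been replaced"; problems=1
    fi
    platform=$(get_value Platform "$file" | tr '[:upper:]' '[:lower:]')
    case " $VALID_PLATFORMS " in
        *" $platform "*) ;;
        *) echo "$file: platform '$platform' is not a listed platform name"
           problems=1 ;;
    esac
    # Assumption: site IDs contain only letters, digits and hyphens.
    site=$(get_value SiteID "$file")
    case "$site" in
        ''|*[!A-Za-z0-9-]*)
            echo "$file: SiteID '$site' is empty or has unexpected characters"
            problems=1 ;;
    esac
    return "$problems"
}

# When run with file arguments, check each one and exit non-zero on any problem.
[ "$#" -eq 0 ] || {
    status=0
    for f in "$@"; do check_site_script "$f" || status=1; done
    exit "$status"
}
```

Run it with the script files as arguments; a non-zero exit status means at least one file needs fixing before it is uploaded to Intune.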
For each customer whose Datto RMM site you will deploy to, you need to create a Device or User Group within the Microsoft Intune portal.
If your customer has Azure AD Premium, you should be able to create a Dynamic group that self-updates; if not, you must create an Assigned group that you must populate and update/maintain manually. For a Dynamic group, we recommend setting the Membership Rule as follows:
- Property: deviceOSType
- Operator: Contains
- Value: Windows or mac as appropriate
Full instructions on creating groups in Microsoft Intune can be found in the following Microsoft article: Add groups to organize users and devices.
- In the Microsoft Intune portal for the customer, select Devices. Then, in the Policy section, select Scripts.
- Click the icon next to the Script location field and browse to where you saved your PowerShell or Bash/Shell script.
- For Windows, ensure that you set the following three options to NO:
- For macOS, ensure you set Run script as signed-in user to NO. The other three options should remain as Not configured.
- Click Next.
- Assign the script to the correct group for the devices you are deploying to. Click Select groups to include or Add groups as applicable, then select the group you created previously from the list on the right.
- Click Next and confirm your configuration in the review screen that appears.
- Click Add to deploy the script to the devices in the group. The Datto RMM Agents will be installed when the script is run, which will be on the next sync.
Full information about deploying PowerShell scripts to enrolled Windows 10 devices within Microsoft Intune can be found in the Microsoft article Use PowerShell scripts on Windows 10/11 devices in Intune. Full information about deploying Bash and Shell scripts to enrolled macOS devices within Microsoft Endpoint Manager can be found in the Microsoft article Use shell scripts on macOS devices in Intune.