import Alert from "@/components/DocsAlert"; import SupportOptions from "@/components/SupportOptions"; import NextStep from "@/components/NextStep"; import PlanBadge from "@/components/PlanBadge"; import { TabsGroup, TabsItem } from "@/components/Tabs"; import { FaApple, FaWindows } from "react-icons/fa";

<PlanBadge plans={["starter", "team", "enterprise"]}>

Distribute Clients

</PlanBadge>

Firezone provides native clients for all major platforms. Use these clients on end-user devices, servers, and any other machine that needs access to your protected Resources.

Installation

See our client app guides for basic installation and usage instructions for the Firezone Client that are appropriate for all Firezone users. Or continue reading below for MDM deployment and headless mode instructions suited for Firezone admins wishing to deploy the clients at scale across their organization.

Provision with MDM

Provisioning the Firezone client onto end-user devices should work out of the box using any of the major MDM vendors using the appropriate distribution method below. If you find an exception, please open a GitHub issue so we can prioritize appropriately.

Platform	Distribution Method
Android / ChromeOS	The Android / ChromeOS client is available from the Google Play Store and as a standalone APK from our changelog page.
Linux	The headless and GUI Linux clients are available from our changelog page.
iOS	The iOS client is available exclusively from the Apple App Store.
macOS	The macOS client is available either from the Apple App Store or as a standalone distributable in both DMG and PKG formats.
Windows	The Windows client is available as a standalone MSI installer from our changelog page.

Allowlisting the macOS System Extension

The macOS client version 1.4.0 and higher includes a System Extension that must be enabled in order to function. For MDM-managed devices, the System Extension can be allowlisted to eliminate the need for the user to perform this step manually.

Follow one of the guides below for your MDM provider, using 47R2M6779T as the Team Identifier and dev.firezone.firezone.network-extension as the Bundle Identifier:

• Jamf Pro
• Kandji
• JumpCloud
• Hexnode
• InTune

Configuring the Client

Use managed configurations to customize or enforce certain Client settings across your workforce. In general, most settings are available for all platforms, but some are platform-specific. The table below lists the available managed configuration available and to which platforms they apply.

<Alert color="warning"> Once a key has been set, the user **will not** be able to change that particular setting in the Client UI. To allow the user to change the setting, you must **unset** the key from the managed configuration. </Alert>

Key	Type	Default Value	Description	Available on	Available since
authURL	String	https://app.firezone.dev	The base auth URL of the Firezone application to sign in to. The accountSlug will be appended to this to form the complete sign-in URL.	macOS, Windows, iOS, Android	1.5.0
apiURL	String	wss://api.firezone.dev	The WebSocket URL of the Firezone control plane.	macOS, Windows, iOS, Android	1.5.0
logFilter	String	info	The RUST_LOG-formatted log filter to apply to the connectivity library logger. Increasing the log level here can help troubleshoot connectivity issues at the cost of increased log file sizes and performance if very verbose logging (i.e. TRACE) is specified.	macOS, Windows, iOS, Android	1.5.0
accountSlug	String	<empty>	The account slug or ID of your Firezone account.	macOS, Windows, iOS, Android	1.5.0
startOnLogin	Boolean	false	Whether the client should start automatically on login.	macOS, Android	1.5.0
connectOnStart	Boolean	false	Whether the client should connect automatically on start.	macOS, Windows, iOS, Android	1.5.0
disableUpdateCheck	Boolean	false	Whether to disable the periodic update checker. The update checker is enabled by default for standalone macOS Clients.	macOS, iOS, Android	1.5.0
checkForUpdates	Boolean	false	Enable or disable the periodic update checker. The update checker is enabled by default for Windows Clients.	Windows	1.5.0
hideAdminPortalMenuItem	Boolean	false	Whether to show or hide the admin portal link in the main menu.	macOS, Windows	1.5.0
hideResourceList	Boolean	false	Whether to show or hide the resource list in the main menu.	macOS, iOS	1.5.10
supportURL	String	https://www.firezone.dev/support	The destination URL used for the support link in the main menu.	macOS, iOS, Windows	1.5.0

Applying managed configuration

Applying managed configuration is generally platform-specific and performed through your organization's MDM provider. For template files and other platform-specific notes, use the following details:

<TabsGroup> <TabsItem title="macOS" icon={FaApple}>

Step 1: Generate a .mobileconfig file

macOS configurations are applied as .mobileconfig provisioning profiles, which can be created by popular profile creator tools, such as Apple Configurator or iMazing Profile Editor. We recommend using iMazing Profile Editor as it has built-in support for generating Firezone profiles.

If you'd prefer to create the file manually, you can download an example profile here.

Step 2: Apply the .mobileconfig file

Consult your MDM provider's documentation for how to apply a provisioning profile to your macOS fleet. Links for some popular MDM providers are below:

• Jamf Pro
• Kandji
• JumpCloud
• Hexnode
• InTune

</TabsItem> <TabsItem title="Windows" icon={FaWindows}>

On Windows, Firezone supports a variety of MDM-based configuration values. These are all read from the HKEY_CURRENT_USER\Software\Policies\Firezone registry key when the Client starts.

<Alert color="warning"> In order for changes to the configuration to be picked up, users need to restart the Windows Client. </Alert>

Microsoft Intune

To set a policy via Microsoft Intune, follow these steps:

1. Download the Firezone policy template:

• Download admx
• Download adml (en_US)

1. Go to the device configuration in the Intune admin center.
2. Select "Import ADMX" and import the downloaded template files.
3. If you have previously imported the Firezone template, you'll need to remove the current one first before uploading an updated one. This is a Microsoft Intune limitation and might be resolved in the future. See this link for details.
4. Once successful, select the "Policies" tab and click on "Create" -> "New policy"
5. For "Platform" select "Windows 10 or later" and for "Profile type" select "Templates".
6. From the list, select "Imported Administrative templates (Preview)" as the template name.
7. Go through the wizard, you can select from all available configuration settings for Firezone on the 2nd step.

</TabsItem> </TabsGroup>

Headless mode operation

The Firezone Client can run in headless mode on Windows, Linux, Android, and ChromeOS platforms using a Service Account token. This mode is useful for deploying the Client on servers, IoT devices, and other headless devices where a user may not be present to keep the Client authenticated.

See the table below for achieving headless mode operation on each platform:

Platform	Headless Mode Operation
Android / ChromeOS	Set the token key using an MDM provider that supports Android managed configurations. If the token is set and valid, Firezone will automatically connect and authenticate using this token when the Client is started.
Linux	See the Linux Headless Client guide.
macOS / iOS	Not yet supported.
Windows	See the Windows Headless Client guide.

<NextStep href="/kb/deploy/dns">Next: Configure DNS</NextStep>

<SupportOptions />