Distribute Clients
Firezone provides native clients for all major platforms. Use these clients on end-user devices, servers, and any other machine that needs access to your protected Resources.
Installation
See our client app guides for basic installation and usage instructions for the Firezone Client that are appropriate for all Firezone users. Or continue reading below for MDM deployment and headless mode instructions suited for Firezone admins wishing to deploy the clients at scale across their organization.
Provision with MDM
Provisioning the Firezone client onto end-user devices should work out of the box using any of the major MDM vendors using the appropriate distribution method below. If you find an exception, please open a GitHub issue so we can prioritize appropriately.
| Platform | Distribution Method |
|---|---|
| Android / ChromeOS | The Android / ChromeOS client is available from the Google Play Store and as a standalone APK from our changelog page. |
| Linux | The headless and GUI Linux clients are available from our changelog page. |
| iOS | The iOS client is available exclusively from the Apple App Store. |
| macOS | The macOS client is available either from the Apple App Store or as a standalone distributable in both DMG and PKG formats. |
| Windows | The Windows client is available as a standalone MSI installer from our changelog page. |
Allowlisting the macOS System Extension
The macOS client version 1.4.0 and higher includes a System Extension that must be enabled in order to function. For MDM-managed devices, the System Extension can be allowlisted to eliminate the need for the user to perform this step manually.
Follow one of the guides below for your MDM provider, using 47R2M6779T as the
Team Identifier and dev.firezone.firezone.network-extension as the Bundle
Identifier:
Configuring the Client
Use managed configurations to customize or enforce certain Client settings across your workforce. In general, most settings are available for all platforms, but some are platform-specific. The table below lists the available managed configuration available and to which platforms they apply.
Once a key has been set, the user will not be able to change that particular setting in the Client UI. To allow the user to change the setting, you must unset the key from the managed configuration.
| Key | Type | Default Value | Description | Available on | Available since |
|---|---|---|---|---|---|
authURL | String | https://app.firezone.dev | The base auth URL of the Firezone application to sign in to. The accountSlug will be appended to this to form the complete sign-in URL. | macOS, Windows, iOS, Android | 1.5.0 |
apiURL | String | wss://api.firezone.dev | The WebSocket URL of the Firezone control plane. | macOS, Windows, iOS, Android | 1.5.0 |
logFilter | String | info | The RUST_LOG-formatted log filter to apply to the connectivity library logger. Increasing the log level here can help troubleshoot connectivity issues at the cost of increased log file sizes and performance if very verbose logging (i.e. TRACE) is specified. | macOS, Windows, iOS, Android | 1.5.0 |
accountSlug | String | <empty> | The account slug or ID of your Firezone account. | macOS, Windows, iOS, Android | 1.5.0 |
startOnLogin | Boolean | false | Whether the client should start automatically on login. | macOS, Android | 1.5.0 |
connectOnStart | Boolean | false | Whether the client should connect automatically on start. | macOS, Windows, iOS, Android | 1.5.0 |
disableUpdateCheck | Boolean | false | Whether to disable the periodic update checker. The update checker is enabled by default for standalone macOS Clients. | macOS, iOS, Android | 1.5.0 |
checkForUpdates | Boolean | false | Enable or disable the periodic update checker. The update checker is enabled by default for Windows Clients. | Windows | 1.5.0 |
hideAdminPortalMenuItem | Boolean | false | Whether to show or hide the admin portal link in the main menu. | macOS, Windows | 1.5.0 |
supportURL | String | https://www.firezone.dev/support | The destination URL used for the support link in the main menu. | macOS, iOS, Windows | 1.5.0 |
Applying managed configuration
Applying managed configuration is generally platform-specific and performed through your organization's MDM provider. For template files and other platform-specific notes, use the following details:
Step 1: Generate a .mobileconfig file
macOS configurations are applied as .mobileconfig provisioning profiles, which
can be created by popular profile creator tools, such as
Apple Configurator or
iMazing Profile Editor. We recommend using
iMazing Profile Editor as it has built-in support for generating Firezone
profiles.
If you'd prefer to create the file manually, you can download an example profile here.
Step 2: Apply the .mobileconfig file
Consult your MDM provider's documentation for how to apply a provisioning profile to your macOS fleet. Links for some popular MDM providers are below:
On Windows, Firezone supports a variety of MDM-based configuration values. These
are all read from the HKEY_CURRENT_USER\Software\Policies\Firezone registry
key when the Client starts.
In order for changes to the configuration to be picked up, users need to restart the Windows Client.
Microsoft Intune
To set a policy via Microsoft Intune, follow these steps:
- Download the Firezone policy template:
- Go to the device configuration in the Intune admin center.
- Select "Import ADMX" and import the downloaded template files.
- If you have previously imported the Firezone template, you'll need to remove the current one first before uploading an updated one. This is a Microsoft Intune limitation and might be resolved in the future. See this link for details.
- Once successful, select the "Policies" tab and click on "Create" -> "New policy"
- For "Platform" select "Windows 10 or later" and for "Profile type" select "Templates".
- From the list, select "Imported Administrative templates (Preview)" as the template name.
- Go through the wizard, you can select from all available configuration settings for Firezone on the 2nd step.
Headless mode operation
The Firezone Client can run in headless mode on Windows, Linux, Android, and ChromeOS platforms using a Service Account token. This mode is useful for deploying the Client on servers, IoT devices, and other headless devices where a user may not be present to keep the Client authenticated.
See the table below for achieving headless mode operation on each platform:
| Platform | Headless Mode Operation |
|---|---|
| Android / ChromeOS | Set the token key using an MDM provider that supports Android managed configurations. If the token is set and valid, Firezone will automatically connect and authenticate using this token when the Client is started. |
| Linux | See the Linux Headless Client guide. |
| macOS / iOS | Not yet supported. |
| Windows | See the Windows Headless Client guide. |
Need additional help?
See all support options or try asking on one of our community-powered support channels:
- Discussion forums: Ask questions, report bugs, and suggest features.
- Discord server: Join discussions, meet other users, and chat with the Firezone team
- Email us: We read every message.