This guide explains how to push Qustodio to hundreds of devices by using Microsoft Endpoint (Intune).
- The Bulk Installer needs to be provided by Qustodio Agent.
Create & Configure the Installer
The first step is to configure the Qustodio installer.
The installer kit contains a folder called source, among other files and folders.
Inside this folder there is a file called config.json. This is the configuration file.
The configuration file allows us to parametrize the installation to suit it to our needs, this file contains what the regular installer asks the user to type.
The one included on the repository look as follows :
{
"authentication_code": "---",
"force_uninstall_code": "---",
"device": {
"name": "%wn",
"updates_enabled": true,
"default_protection": {
"enable": true,
"protection_profile_name": "Default Profile",
"protection_profile_create_if_new": true
},
"user_protection": []
}
}
As an example when installing Qustodio, this configuration file will automatically create the device and profile in the Qustodio dashboard with the following properties.
In this case the name of the device will be the hostname and all the user accounts in the device will be protected under a profile called “Default Profile”.
As it is, this configuration needs two more values to become functional
- authentication_code
"authentication_code": "---",
This setting allows us to link the target machine with an Account (like performing login).
To get this code, open the terminal and execute the following command:
curl -X POST -F "username=email-of-my@account.com" -F "password=my-password" -F "client_secret=ATVMaS8672RKxIO3jIN5idKRJW6zjZJ0vHdI0OvZKH2BFD38stMf3EEydDzjh4kqrM5xdh1W27l7qo4t4qpYrypLIT13rky6ZBURmssVTxslyjJRQ2uHZ3P9xk7IMc77" -F "client_id=udmkEuAOT2pq6BqvW7QX5Ye6ZSV4lAUKU3iuMEBq" -F "platform=windows" https://api.qustodio.com/v1/authentication/mass-install/token
Replace email-of-my@account.com with the e-mail of our Qustodio account, and my-apassword with the password of that Account. You should not change the other values. Executing this requires Internet. Keep this token secret.
The result of executing this should be something like {"token":"xxxxxxxxxxxxxxxxx"}. You would need to add this number xxxxxxxxxxxxxxxxx to the JSON config file:
"authentication_code": "xxxxxxxxxxxxxxxxx"
Authentication code expiration
The Authentication code only expires when you ask for another code:
You should only need to execute this command once for all your deployments, and only re-execute it when you want to explicitly invalidate a previous token. (i.e. when the token has been exposed).
Important:
This code is only used during installation, so be vigilant of not re-executing the command while you are deploying Qustodio.
Changing it between deployments is innocuous, as long as you do not use installers with the previous authentication code.
- force_uninstall_code
"force_uninstall_code": "---"
This is a password you define in order to allow offline-only Qustodio installations to be uninstalled.
Qustodio will not uninstall itself unless the computer user is an admin and knows the correct Qustodio credentials.
Other Configuration Parameters
Naming the device
The fifth line of the configuration file is:
"name": "%wn"This represents the name of the device. You can type any name (eg. Lab PC 1). In this case, we are instructing the installer to take the name of the device from the Operative System (eg. hostname in Windows) by using a formatter.
Name customization formatters
This line names the device in Qustodio.
Here we could just add a regular name for the device, like "name": "My Nice Computer",. However, if we are managing several computers the %wn defines a dynamic name for the computer— a variable.
This is, a name that is computed when installing Qustodio. We call this formatters, and they are as follows:
| Formatter | Description |
%wn |
Gets the current device name. In Windows, this is the hostname. Example : FINANCE_PC |
|
|
Gets the current IPv4 address (the ip of the interface of the network destination routing entry of a socket to google DNS), from octet N to octet M, in dotted format Example for IP4 address “192.168.1.333” : %ip4[1,4] yields “192.168.1.333” %ip4[1,2] yields “192.168” %ip4[3,4] yields “1.333” %ip4[4,4] yields “333” |
So, for the example above (%wn), if the computer where Qustodio is installed is named (as hostname), NicePC, the resulting name in Qustodio would be: NicePC.
Note that you can combine formatters and regular text, such as: Computer_%wn_%ip[1,2].
In this case, if the hostname of the computer is lab1 and its IP is 192.168.1.345, the resulting name in Qustodio for the device would be Computer_lab1_192.168.
Defining the profile
The ninth line of the configuration file is:
1 "protection_profile_name": "Default Profile"This defines the profile in Qustodio to link the device to. In this case, the device is linked to a profile called Default Profile. You can type in here anything, and use formatters
TIP: In case that you would like to assign the Qustodio instance to a particular profile already created, then you would type the name of the profile on the JSON file, and generate a new Intune Package to be uploaded to Intune and assign it to the proper group of devices.
In case that the relation that you are searching for the devices to have is a 1:1 based relationship, then you can put %wn and it will take the name of the hostname and create a new profile each computer with the name of the hostname.
The JSON config file settings
Here follows an explanation of all the supported settings you can add in the JSON config file:
| Property |
Type |
Mandatory |
DescriptionProperty |
authentication_code |
String |
Yes |
This is a string containing the authentication code of your account. You can obtain this through Qustodio´s API. See the below point. Internet connection is mandatory in order to install the product. |
force_uninstall_code |
String |
Yes |
This is a manual String that you MUST specify. It needs to contain at least 5 characters. When installing and uninstalling the product the program authenticates against Qustodio´s servers using the authentication_code. But if for some reason you want to uninstall the product in a device that does not have an internet connection (aka offline uninstall) this token will be used. So be sure to take note of the string you are setting and keep it private/safe place. Qustodio will not be able to recover it. |
device |
Object |
Yes |
This is an Object containing the information of the device. When installing the product on a machine, this is the configuration that will be applied. |
device.name |
String |
Yes |
This is the device name that will appear in your Qustodio Dashboard. There are some formats that can be applied so you do not have to apply it on each device manually. See the below point for more info. Maximum size allowed is 60 characters. |
device. updates_enabled |
Boolean |
Yes |
Qustodio applies automatic updates of product versions to their clients. If you want to manually control the updates you can setup this option to false. We recommend this to be set as true so that your client always the latest version Qustodio. Updating Qustodio is a completely transparent process for the user, and it is the only way to ensure devices are fully protected all the time. If you set this to false, you will need uninstall Qustodio and go through the installation process every time you want to upgrade the product. |
device. default_protection |
Object |
Yes |
This object specifies the default configuration for:
|
|
|
Boolean |
Yes |
Would you like to use the default protection configuration on this device? If yes set to true and all the users that are not specified on the device.user_protection array will be protected under the device.default_protection.protection_profile_name |
|
|
String |
Mandatory when default protection is enabled |
Profile name to be applied. If default_protection.enable is set to true then this profile will be applied to the users. If this profile was created previously if will be on the dashboard. If not you can force to create the profile name by setting this value default_protection.protection_profile_create_if_new to true. It will then automatically create the new profile. Maximum size allowed is 40 characters. |
|
|
Boolean |
Mandatory when default protection is enabled |
If the default_protection.enable is set to true and the profile default_protection.protection_profile_name does not exist , then it will automatically be created on our system. |
device. user_protection |
Array of Objects |
Yes, but could be an empty array |
Its an array containing specific local user configurations. |
|
|
String |
Yes |
Existing device username. Maximum size allowed is 60 characters. |
|
|
Boolean |
Yes |
This is asking if you would like the user to be protected with a specific profile? |
|
|
String |
Mandatory when user protection is enabled |
Is the profile name to be applied to local specified user when user_protection[x].enable_protection is enabled. Maximum size allowed is 40 characters. |
Installing
At this point Qustodio Desktop is configured, so the next step is installing it.
You can directly install it through the command line, or package it and upload it to an MDM (Microsoft Intune) to automatically install it.
In this guide we explain the following ways:
-
Installing it directly through the command line.
-
Packaging it and uploading it to Microsoft Intune.
The machine you are installing Qustodio onto must have an active Internet connection, or otherwise the installation will fail.
Install it directly through the command line
This is the best way to try the configuration in a single machine, or to manually provide it to a small to medium fleet of devices, by for example using scripts.
In order to perform the install, open a Command Prompt with Administrator credentials, navigate to the source folder, and execute the following:
Install.cmdAfter a while, you will see, in the Command Prompt, Successfully Installed Qustodio or an error message.
Generate the package, and upload it to Microsoft Intune
Microsoft Intune (also known as Microsoft Endpoint) requires us to package Qustodio in a special file with the extension of .intunewin.
In order to generate this file, place the whole contents of this kit in a 64bit Windows 10 (updated from 2019 or beyond), and execute the create-intunewin.cmd file, either by double clicking or by using the command line. After a few seconds, it should create an .intunewin file.
Upload the package to Intune
The following steps constitute a simple example of adding Qustodio into Intune.
Go to Microsoft Endpoint Manager admin center, login, and then click Apps and Add.
Select Windows app (Win32) and press the Select button.
In the App Information page, click on Select app package file, press Select a file and select the file with extension intunewin that Qustodio has sent to you.
In the Publisher field type Qustodio and press Next:
In the Program page, for the Install command field type exactly "Install.cmd"—checkout in the below image the use of double apostrophes—and for the field Device restart behavior select Determine behavior based on return codes. Then, press Next.
In the Requirements page, for the field Operating system architecture select both options (32-bit and 64-bit), and for the Minimum operating system field select any option, like Windows 10 1607. Then, press Next.
In the Detection rules page, for the Rules format field, select Manually configure detection rules.
Then, select +Add. On the new panel, for the field Rule type select MSI, press OK, and finally Next.
In the Dependencies page, press Next. And do the same for the Supersedence page.
In the Assignments page, add users and devices that you want the Qustodio application installed into the Required section.
For example, clicking on Add all devices will install the Qustodio application into all devices. Once you are done, press Next.
Microsoft Intune will upload the package and automatically install it into your Windows computers.
You can know whether Intune is installing Qustodio in a Windows device as, unless you configure Intune otherwise, it notifies each computer of the installation progress.
Finally, the user sees the Qustodio logo in the system tray of their machine upon correct installation, unless Qustodio is setup to be hidden.
Note: that Intune can take up to several hours to deploy an application.
Uninstall Qustodio
Manually
If you have access to the computer you want to uninstall Qustodio, you can manually do it in several ways:
Uninstall Qustodio through the UI
The regular way to uninstall Qustodio in Windows is to open Windows Settings, go to Apps & Features, select Qustodio, press Uninstall, and follow the Uninstall Wizard.
Uninstalling Qustodio through Microsoft Intune
You can uninstall Qustodio like any Intune application. To do so, go to Microsoft Endpoint Manager admin center, click Apps, select the Qustodio application, click on Properties, and finally click on the Edit link near Assignments.
In the Assignments page, remove the Required devices, users, or groups that you want Qustodio to be uninstalled from, and add them instead into the Uninstall section.
Finally save your changes. The following screen capture illustrates uninstalling Qustodio from all devices.
