If the MSP wants to apply security policies at the user level, an extra step is required: individual users need to be mapped and linked to the devices/endpoints that will be secured by SASE. Users can be linked to devices by using one of the three methods below. These methods are extensions of Approach 3 (User-Based Activation) described in the RMM deployment options (see picture below).
The instructions for deploying with each of the three methods are described below. Note that a hybrid approach is allowed, in which the MSP admin includes user information in the script for some devices but not for all of them. In this case, for example, user interaction with Azure AD MFA is only required for devices that do not have the user information from the RMM deployment. Similarly, if the CSV file that is uploaded to the Exium admin console does not contain a mapping for all users and devices, the MSP IT admin can include the user information for the devices missing from it in the RMM script, as in Method A.
You can run any of the RMM scripts provided by the methods below locally on a machine.
Click Start (the Windows sign at the bottom-left), type PowerShell, right-click Windows PowerShell, and then click Run as administrator. A PowerShell window will open, where you paste and run the script copied from the methods described below.
In this approach, individual user information needs to be passed as an additional input parameter. You may automate this process if you have information linking users to devices in your RMM system.
We have made it easy for you to copy the script for a user deployment. Note that the script copied below can also be run locally with admin or root privilege on the machine to test it before pushing it via RMM.
Note that the script you copy this way already has the TOKEN, Workspace name and user name included. You do not need to modify the script, as it is complete for deployment for a particular user.
In the Azure AD approach (which applies to other SSO/MFA providers as well) described in the Figure below, the Exium agent is pushed to the endpoints via a single push button in the RMM. No user information or linking of users to devices is required.
This automates deployment to a large number of devices. However, an additional step 2 (see Figure below) is required, where the user authenticates via MFA (Azure AD etc.) to activate the Exium service on the endpoint.
In this method, when the RMM script is pushed to the devices, it puts an “Exium App” on users' desktops. The users click on the App to authenticate via Azure AD/MFA. Once a user is successfully authenticated, the user's device registers with the SASE platform to automatically activate the service for the user.
We have made it easy for you to copy the script for deployment. Note that the script copied below can also be run locally with admin or root privilege on the machine to test it before pushing it via RMM.
Once installation is completed, users will see “SASE App” on their Desktop, as shown in the screenshot below. The user uses this App to activate/deactivate the secure connection using Azure AD authentication.
Double-click the "SASE App" icon shown in the screenshot above. A login screen will open in the browser, as shown in the screenshot below. This may take a few seconds; please wait while the login pop-up shows up.
Please sign in with your Azure AD credentials and complete the authentication procedure. Once authenticated, the Exium service will be activated and the tray icon will show the connection status (please see screenshot).
The connection status will also be shown on a web page, as shown in the picture.
In this option, a CSV file linking the user identities to the devices is required. The MSP IT admin can upload this file to the Exium Admin console. See instructions below.
You can download a sample CSV file by clicking on the question mark, as shown in the screenshot below.
After uploading the CSV file to the admin console, follow the steps below.
Note that the script you copy this way already has the TOKEN and Workspace name. You do not need to modify the script, as it is complete for deployment.
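For the hybrid approach described earlier, it helps to know before the push which devices the CSV does not cover, since those need the user supplied in the RMM script (Method A) or activation through Azure AD MFA. The PowerShell below is an added example, not an Exium script: the column names `DeviceName` and `UserEmail`, the function name `Get-MappingCoverage` and all sample rows are constructed assumptions and may differ from the sample CSV offered in the admin console.

```powershell
# Added example. Column names and sample data are constructed assumptions,
# not the format of the Exium sample CSV.

# Constructed stand-in for the user-to-device CSV uploaded to the admin console.
$mappingCsv = @'
DeviceName,UserEmail
LAPTOP-001,alice@example.com
laptop-002,bob@example.com
LAPTOP-003,
LAPTOP-004,carol@example.com
LAPTOP-004,dave@example.com
'@

# Constructed stand-in for the device list exported from the RMM.
$rmmDevices = @('LAPTOP-001', 'LAPTOP-002', 'LAPTOP-003', 'LAPTOP-004', 'LAPTOP-005')

function Get-MappingCoverage {
    param(
        [Parameter(Mandatory)] [object[]] $Mapping,
        [Parameter(Mandatory)] [string[]] $Devices
    )
    # Index users by normalised device name; rows without a device or user are ignored.
    $byDevice = @{}
    foreach ($row in $Mapping) {
        $device = ([string]$row.DeviceName).Trim().ToUpperInvariant()
        $user   = ([string]$row.UserEmail).Trim().ToLowerInvariant()
        if (-not $device -or -not $user) { continue }
        if (-not $byDevice.ContainsKey($device)) {
            $byDevice[$device] = [System.Collections.Generic.List[string]]::new()
        }
        if (-not $byDevice[$device].Contains($user)) { $byDevice[$device].Add($user) }
    }
    # Classify every RMM device: exactly one user, none, or conflicting users.
    foreach ($name in $Devices) {
        $key   = $name.Trim().ToUpperInvariant()
        $users = @(if ($byDevice.ContainsKey($key)) { $byDevice[$key] })
        $status = switch ($users.Count) {
            0       { 'Unmapped: supply user in RMM script (Method A) or use Azure AD MFA' }
            1       { 'Mapped by CSV' }
            default { 'Ambiguous: CSV lists more than one user' }
        }
        [pscustomobject]@{ Device = $key; Users = ($users -join ';'); Status = $status }
    }
}

$report = Get-MappingCoverage -Mapping ($mappingCsv | ConvertFrom-Csv) -Devices $rmmDevices
$report | Format-Table -AutoSize
```

Devices reported as ambiguous are worth resolving in the CSV before upload, since user-level policy depends on each device being linked to the intended user.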
You can uninstall the Exium SASE agent on the Windows endpoint by using the script below:
Please check out the Scripts to connect, disconnect, reinstall and reconfigure the Exium SASE agent.