Deploy the agent with Intune

Push the OnTrackio endpoint agent to your fleet with Microsoft Intune so it installs silently on every managed laptop. Each employee then pairs their install to their account once, and the agent reports inventory from then on.

:::note Before you begin

• You administer Microsoft Intune with rights to add apps and assign them to groups.
• You have the signed installers — the macOS .pkg and the Windows .msi. An admin can host them in-product (see Host the installers), or get them from your OnTrackio contact.
• You have an Intune device group for Macs and one for Windows laptops.
• For the Windows Win32 step, install the Microsoft Win32 Content Prep Tool (IntuneWinAppUtil.exe).
• New to the agent? See Agent overview and what data is collected first. :::

How a managed install flows

Stage	Who	What happens
Package	You (admin)	Upload the .pkg / .msi to Intune and assign it as Required.
Install	Intune	The agent installs silently at next device check-in; a tray icon appears.
Pair	Employee	Opens the tray icon, generates a code on My → My device, and types it back into the agent.
Report	Agent	Sends a heartbeat every 6 hours and one usage report per day at 02:00 local time.
Track	You (admin)	Paired devices appear under Admin → Agent fleet.

The agent is a single small binary with no runtime dependencies. It lives in the menu bar (macOS) or system tray (Windows), polls the foreground app once a minute, and is idle the rest of the time.

Deploy to macOS

Upload the .pkg as a macOS app (PKG). The package installs the app to /Applications/OnTrackioAgent.app and a per-user LaunchAgent at /Library/LaunchAgents/io.ontrackio.agent.plist, so every user who logs into the Mac gets their own agent instance.

1. In the Intune admin center, open Apps → macOS → Add, then choose the macOS app (PKG) app type.
2. Upload the signed OnTrackioAgent-<version>.pkg.
3. Set the app information. The package bundle identifier is io.ontrackio.agent — use it for any detection or ignore rules Intune asks for.
4. Assign the app as Required to your managed-Macs group.
5. Save. Intune installs the agent at the next device check-in.

note

The agent runs as a LaunchAgent in the signed-in user's session, not as a root daemon — it needs the user's window-server connection to see the foreground app. It shows no Dock icon; look for it in the menu bar.

Deploy to Windows

Wrap the .msi as a Win32 app, because a Win32 package lets you set explicit install, uninstall, and detection rules. The installer puts the binary at C:\Program Files\OnTrackio\Agent\ontrackio-agent.exe and adds a per-machine autostart entry so the tray agent launches for every profile on the device.

Convert the MSI to .intunewin

1. Open a command prompt in the folder holding OnTrackioAgent-<version>.msi.

2. Run the content prep tool:

   IntuneWinAppUtil.exe -c . -s OnTrackioAgent-<version>.msi -o .

3. The tool writes OnTrackioAgent-<version>.intunewin to the output folder.

Add the Win32 app

1. In the Intune admin center, open Apps → Windows → Add, then choose the Windows app (Win32) app type.

2. Upload the .intunewin file.

3. Set the install and uninstall commands:

   Command	Value
   Install	msiexec /i OnTrackioAgent-<version>.msi /quiet
   Uninstall	msiexec /x {A4F8B2C0-1234-4E5D-9A3B-5C8F7E2D1A09} /quiet

   The uninstall GUID is the package's fixed upgrade code; it doesn't change between versions.

4. Set the install behaviour to System.

5. Add a detection rule of type File:

   Setting	Value
   Path	C:\Program Files\OnTrackio\Agent
   File	ontrackio-agent.exe
   Detection method	File or folder exists

6. Assign the app as Required to your managed-laptops group.

7. Save. Intune installs the agent at the next device check-in.

note

Uninstalling through Intune (or Company Portal) runs the agent's revoke step first, so the server-side record is updated. A user-initiated uninstall revokes cleanly; an admin-initiated uninstall with no signed-in user can't read the per-user signing key, so the revoke is skipped — mark that device revoked by hand on the Agent fleet page in that case. See Manage the fleet and devices.

Host the installers (optional)

You don't have to distribute the installers through Intune alone. An administrator can publish each build in-product so employees can self-install on a loaner or unmanaged machine.

1. In the admin console, open Agent fleet, then select Releases.
2. Publish the current macOS and Windows builds.

Once a build is published, the My device page shows a Download the endpoint agent card with a Download for macOS (.pkg) and Download for Windows (.msi) link, and flags the build that matches the visitor's operating system as Detected. The card hides itself once the account has an active paired device.

What the employee does

After Intune installs the agent, each employee pairs it to their account once.

1. The agent installs silently and a tray icon appears in the menu bar or system tray.
2. The employee opens the tray icon and chooses Pair with account.
3. On My → My device (/my/agent), the employee selects Generate pairing code.
4. The page shows a short code (it starts with OT-) under Pairing code waiting. The employee types it into the agent before it expires, which takes 10 minutes. To get a fresh one, select Regenerate code.
5. The My device page switches to a Paired device card with an Active badge, showing the hostname, operating system, agent version, and last-seen time.

tip

The My device page is also the agent's transparency page: it lists exactly what the agent collects and what it does not, plus the install's reported software. Point employees there if they ask what the agent sees.

Verify the deployment

• In the admin console, open Agent fleet. Each paired install appears as a row with the employee, hostname, reported hardware, operating system, agent version, last-seen time, and a status badge.
• A freshly paired device shows Active. Filter with Active only, or with Stale (>14d) to find installs that have stopped reporting.
• Hardware specs and the first software report land after the agent's first nightly run, not immediately at pairing.

Status	Meaning
Active	Paired and reporting within the last 14 days.
Pending	Installed and a code was issued, but pairing isn't finished yet.
Stale	Paired but last seen more than 14 days ago.
Revoked	Unpaired — on uninstall, or revoked by an admin. The employee must pair again to resume.

Troubleshooting

Symptom	What to do
The app never installs on a device	Confirm the device is in the assigned group and the assignment is Required, then force an Intune sync from the device and wait for the next check-in.
Windows install reports "already installed" or won't upgrade	A newer version is already present, or the same version is installed. Uninstall with the msiexec /x {…} command, then redeploy.
The tray icon never appears on a Mac	The agent runs in the signed-in user's session. Make sure a user is logged in; it won't run at the login window.
A device never moves past Pending	The employee hasn't entered the pairing code, or it expired. Have them open My device, select Generate pairing code, and type the new code into the agent.
A device shows Revoked after an admin-pushed uninstall	Expected when no user was signed in to authorise the revoke. The device is unpaired; no action needed unless you want the employee to re-pair.
A device went Stale	The agent stopped reporting. Confirm the laptop is online and the agent is running; pair again if it was uninstalled.
Employees can't find an installer to self-install	Publish the current build under Agent fleet → Releases so the download card appears on My device.

Related

Agent overviewHow the endpoint agent fits into OnTrackio.Read →What data is collectedExactly what the agent reports, and what it never sees.Read →Enroll your deviceThe employee-side pairing walkthrough.Read →Fleet and devicesReview, link, and revoke paired devices.Read →