Nightfall Windows Agent Deployment: Microsoft Intune
Learn how to install the Nightfall Agent for Windows using Intune as a Line-of-Business (LOB) app.
The Microsoft Intune installation consists of the following steps:
Connect Microsoft Intune to Nightfall (API-based MDM Onboarding)
Deploy the Nightfall Agent via Intune
Prerequisites
You are a Systems Administrator in Nightfall
You must have access to Microsoft Intune with the necessary admin privileges: an Intune administrator account with permission to approve OAuth access.
Get the .msi package and command arguments from https://app.nightfall.ai/endpoint
Download the .msi installer file for the Nightfall Agent.
Note the API Key and Company ID in the command line provided by Nightfall.
Step 1: Connect Microsoft Intune to Nightfall (API-based MDM Onboarding)
This step enables automated mapping of user profiles to devices without requiring manual scripts.
API-based MDM onboarding allows Nightfall to automatically map the user email attribute to specific devices by syncing device inventory from your Microsoft Intune tenant using OAuth-based authentication.
Connecting Microsoft Intune to Nightfall
Log in to the Nightfall Console at https://app.nightfall.ai
Navigate to Settings → MDM Profile
Click Add MDM
Select Microsoft Intune from the list of supported MDM providers
Click Microsoft Intune Login
You will be redirected to Microsoft's login page
Authenticate with your Microsoft admin account
Review and approve the requested permissions:
Read device information
Read user profiles
Access basic organization information
Click Accept to grant permissions
Once authentication is complete, Nightfall will automatically connect to your Intune tenant and begin syncing device data.
Important: This API-based connection enables Nightfall to automatically map user email addresses to devices. You do not need to deploy any additional scripts for user-to-device mapping when using this method.
Permissions Required
Nightfall requests the following Microsoft Graph API permissions:
DeviceManagementManagedDevices.Read.All - Read managed device information
User.Read.All - Read user profiles
Organization.Read.All - Read basic organization details
These are read-only permissions. Nightfall does not modify device settings or configurations.
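An added example (not Nightfall's code) for confirming after consent that the granted scopes match the three read-only permissions listed above and that nothing broader was approved. The function and variable names are hypothetical and the scope strings at the end are constructed samples.

```powershell
# Added example: compare granted Microsoft Graph scopes with the three
# read-only permissions this page lists. All names here are hypothetical.
$ExpectedScopes = @(
    'DeviceManagementManagedDevices.Read.All',
    'User.Read.All',
    'Organization.Read.All'
)
# Standard OpenID Connect sign-in scopes: reported separately, not flagged.
$OidcScopes = @('openid', 'profile', 'email', 'offline_access')

function Compare-GraphConsent {
    param(
        # Scope names, or space-delimited scope strings as stored on a delegated grant.
        [Parameter(Mandatory)][string[]]$Granted,
        [string[]]$Expected = $ExpectedScopes
    )
    $scopes = @($Granted | ForEach-Object { $_ -split '\s+' } |
        Where-Object { $_ } | Sort-Object -Unique)
    $graph = @($scopes | Where-Object { $_ -notin $OidcScopes })

    $missing    = @($Expected | Where-Object { $_ -notin $graph })
    $unexpected = @($graph | Where-Object { $_ -notin $Expected })
    # Graph names follow Resource.Operation[.Constraint]; only a bare "Read"
    # operation is read-only ("ReadWrite", "Send", "Manage" are not).
    $notReadOnly = @($graph | Where-Object { $_ -notmatch '\.Read(\.|$)' })

    [pscustomobject]@{
        Missing     = $missing
        Unexpected  = $unexpected
        NotReadOnly = $notReadOnly
        SignInOnly  = @($scopes | Where-Object { $_ -in $OidcScopes })
        MatchesPage = ($missing.Count -eq 0 -and $unexpected.Count -eq 0)
    }
}

# Constructed sample inputs. In a tenant the granted names would come from the
# app's consent record (for example the Scope property returned by
# Get-MgOauth2PermissionGrant); that lookup is omitted so this runs offline.
$asDocumented = 'openid offline_access DeviceManagementManagedDevices.Read.All User.Read.All Organization.Read.All'
$overGranted  = $asDocumented, 'DeviceManagementManagedDevices.ReadWrite.All'

Compare-GraphConsent -Granted $asDocumented | Format-List   # MatchesPage is True
Compare-GraphConsent -Granted $overGranted  | Format-List   # ReadWrite scope is flagged
```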
After Connection
Once connected, Nightfall will periodically sync device inventory from Microsoft Intune. You can now proceed to deploy the Nightfall agent to your devices following the steps below.
Step 2: Deployment Steps
Log into the Intune Admin Center
Navigate to Microsoft Intune Admin Center.
Go to:
Home > Apps > All Apps > Add
Select App Type
Under App type, choose:
Line-of-business app
Add App Package
In the App package file section, click Select app package file.
Upload the NightfallAgent.msi file.
Configure App Information
Fill in the Name, Description, and other fields as desired.
Click Next.
Specify Install Command Line
In the Command-line arguments field, enter:
Assign the App
Assign the app to the appropriate device groups or users.
Click Next and complete the wizard.
Monitor Deployment
Go to Monitor > App Install Status to confirm successful deployment.
Verify Installation on a target/test machine
Once Intune reports the installation as successful, check that the agent is running:
Open Task Manager (Ctrl + Shift + Esc).
Look for the Nightfall Agent & NightfallUI processes under the Processes tab.
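The same check can be scripted for a test machine, shown here as an added example rather than a Nightfall-provided tool. It assumes the installed product name and the process names contain "Nightfall"; the function name is hypothetical.

```powershell
# Added example: local post-install check for the agent.
# Assumption: product and process names match the wildcard '*Nightfall*'.
function Test-NightfallAgentInstall {
    [CmdletBinding()]
    param(
        [string]$NamePattern = '*Nightfall*'
    )
    # MSI installs register under the Uninstall keys (64-bit and 32-bit views).
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $products = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $NamePattern } |
        Select-Object DisplayName, DisplayVersion, Publisher)

    # The page expects two processes: the agent itself and its UI.
    $processes = @(Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.ProcessName -like $NamePattern } |
        Select-Object ProcessName, Id, Path)

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        ProductInstalled = ($products.Count -gt 0)
        Products         = $products
        ProcessCount     = $processes.Count
        Processes        = $processes
        # Healthy means the MSI is registered and both processes are present.
        Healthy          = ($products.Count -gt 0 -and $processes.Count -ge 2)
    }
}

$result = Test-NightfallAgentInstall
$result | Format-List ComputerName, ProductInstalled, ProcessCount, Healthy
$result.Processes | Format-Table -AutoSize
```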

Confirm the Nightfall agent is configured to your Nightfall tenant
On the Windows machine:
Double-click the Nightfall agent icon in the status bar.
The displayed UUID should match your Nightfall tenant UUID located under https://app.nightfall.ai/settings/
On the Nightfall console:
The newly configured device should be listed under https://app.nightfall.ai/endpoint.
Frequently Asked Questions (FAQs)
Do I still need to install a Nightfall agent on devices after API-based onboarding?
Yes. API-based MDM onboarding enables Nightfall to map user email addresses to devices automatically. You still need to deploy the Nightfall agent to the devices using the steps above.
What permissions does Nightfall need in Microsoft Intune?
Nightfall requires least-privilege, read-only access to device inventory and user information via the Microsoft Graph API. It does not modify device settings or configurations. The user email to device attribution is managed automatically by API-based MDM onboarding, and no manual scripts are needed.
Is OAuth-based authentication secure?
Yes. Nightfall uses Microsoft's OAuth 2.0 authentication flow with encrypted connections. Credentials are securely stored and refreshed automatically.
What happens if OAuth permissions are revoked?
If OAuth permissions are revoked:
Device syncing will stop. Devices added or removed during that time will not be reflected in Nightfall.
Nightfall will surface an error in the console.
You can re-authenticate without reconfiguring policies by reconnecting from Settings → MDM Profile.
Can I disconnect or change my MDM connection later?
Yes. Contact Nightfall Support to disconnect or update your MDM connection from Settings → MDM Profile.
What device types are supported with Intune?
Microsoft Intune supports both Windows and macOS devices. Nightfall will sync inventory for both device types when connected via API-based onboarding.
Who should I contact if onboarding fails?
If you encounter issues:
Verify you have admin permissions in Microsoft Intune
Check the error message in the Nightfall console
Ensure you approved all requested OAuth permissions
Contact Nightfall Support for assistance