My understanding is that PostgreSql works best as a standalone server, rather than as database that you deploy along with your desktop application. Assuming that understanding is correct, then you'll want to deploy the WinForms app to the various desktops within your network, and then ensure that the PostreSql server is accessible to all those desktops. So in the app.config file or the user settings for your WinForms you would have a connection string that points to that server.
The big thing you need to worry about is the credentials that are stored in that connection string. Most users will be able to read the plaintext app.config or the user settings and see the username and password being used by your application to access the database.
Ideally, each user has their own logon credentials for the database instead of a single shared credential used by all the users. Having individual accounts helps beef up your security stance in terms of being able to keep track of who did what (assuming you are logging it on your server), and being able to quickly remove one person's access when they leave the company instead of having to re-deploy a new app.config to all the desktops on the off chance that person grabbed a copy of the username and password. To facilitate individual account credentials, you'll either prompt the user during installation for the credentials and embed that into the app.config if the app.config is stored in the Program Files tree. If you don't use app.config to store the credentials, and use user settings instead, then you can remove one less deployment headache, and just let the first run of your application ask for the user credentials and then store them into the user settings instead of the app.config.
Most people don't think about the uninstall part of deployments. Most uninstalls programs would know to clean up the app.config that it previously installed, but not all of them will clean up user settings files. You'll need to make sure that uninstall removes the user settings file if you store the user credentials there, otherwise someone may discover the password there. If the user is lazy and re-uses their passwords, a bad guy will likely try that "found" password in their other attempts to compromise systems.
I don't have any direct experience with PostgreSql, but if part of your initial deployment includes setting up the server, then you'll also likely need a way to safely handle the credentials that admin access to the server. And then you'll need some way to provision the individual user accounts that should have access to the database. If provisioning individual user accounts is a pain, and you can opt to go against security best practices and just have a single account shared by all the users. Just be sure that you are going into this configuration with your eyes, and your information security officers eyes open and accept the inherent risks there.
