Deploying macOS applications via Intune

As of Intune Company Portal 1.7 for macOS (outlined here Intune Company Portal 1.7 released for macOS) users now have the ability to install line of business apps (LoB) from within the company portal.

Below are the steps to publish a macOS LoB app to a macOS device via Intune

1. You need a .pkg installer, .dmg is not supported. I am using Microsoft Teams in this example. Download Teams package file from https://teams.microsoft.com/downloads

2. Download Intune Wrapping tool for Mac from https://github.com/msintuneappsdk/intune-app-wrapping-tool-mac

3. Run the command line tool against your applicaiton, below is an example for Microsoft Teams. Make sure the application has no spaces in the file name i.e. rename Teams osx.pkg to Teams_osx.pkg (having spaces in the filename will cause deployment issues).

    daniil$ ./IntuneAppUtil -c ~/Downloads/Teams_osx.pkg -o ./ -v
    Finding the package type... 
    Microsoft Intune Application Utility for Mac OS X
    Version: 1.0.0.0
    Copyright 2018 Microsoft Corporation
   
   
    Creating intunemac file for /Users/daniil/Downloads/Teams_osx.pkg
     
    File /Users/daniil/Downloads/Teams_osx.pkg is copied to /var/folders/fy/xtq5xkw56wg3tc2ng7klpw800000gn/T/Teams_osx.pkg. 
    Extracting the package.... 
     
    Extract any PAX packages.... 
    Enumerating directory /var/folders/fy/xtq5xkw56wg3tc2ng7klpw800000gn/T/ExtractedPkg/... 
    Parsing the directory /Users/daniil/Downloads/Teams_osx.pkg. 
    Enumerating directory /var/folders/fy/xtq5xkw56wg3tc2ng7klpw800000gn/T/ExtractedPkg/ ... 
    Path: Teams_osx_app.pkg/PackageInfo
     
    File being parsed is /var/folders/fy/xtq5xkw56wg3tc2ng7klpw800000gn/T/ExtractedPkg/Teams_osx_app.pkg/PackageInfo. 
    Found App Bundle Info.
    Name:
    ID:com.microsoft.teams
    Version:119253
    ShortVersion:1.00.119253
    MinimumOSVersion:
     
    Retrieving Package Installation Parameters... 
    Generating Detection Data... 
    Removing optional package /Users/stevengao/Documents/sms_01/Framework/XPlat/ParseMacOSPackage/XMLParser.mm from detection dictionary. 
    Compute MD5 hash with chunk size 10485760 
    MD5 hash is c3cf149158b94b39a5b206d0ed812668 
    MD5 hash is cd471e45494af01d86d3e36a696d2caa 
    MD5 hash is f1832d830d8ad49f0a1b055159f77240 
    MD5 hash is f1c88c40ed1d69656e3bc84430534548 
    MD5 hash is dc8f249dcb653b0ee079c15c0ae3f3b9 
    MD5 hash is 1f341f8a171ca4aebe7a41a09e170d6c 
    MD5 hash is fd941b43a67f7017155c9894adb3b124 
    MD5 hash is 41fb955cb56c1b4a8cbd787e4788dc4c 
    Detection Metadata File /var/folders/fy/xtq5xkw56wg3tc2ng7klpw800000gn/T/detection.xml already exists. 
    Composing the intunemac file output
     
    File /Users/daniil/Downloads/Teams_osx.pkg is copied to /var/folders/fy/xtq5xkw56wg3tc2ng7klpw800000gn/T/IntuneMacPackage/contents/Teams_osx.pkg. 
     
    File /var/folders/fy/xtq5xkw56wg3tc2ng7klpw800000gn/T/detection.xml is copied to /var/folders/fy/xtq5xkw56wg3tc2ng7klpw800000gn/T/IntuneMacPackage/Metadata/Detection.xml. 
      adding: IntuneMacPackage/ (stored 0%)
      adding: IntuneMacPackage/contents/ (stored 0%)
      adding: IntuneMacPackage/contents/Teams_osx.pkg (stored 0%)
      adding: IntuneMacPackage/Metadata/ (stored 0%)
      adding: IntuneMacPackage/Metadata/Detection.xml (stored 0%)
    File .//Teams_osx.pkg.intunemac is copied. 
    Removing /var/folders/fy/xtq5xkw56wg3tc2ng7klpw800000gn/T/IntuneMacPackage ... 
    Output written to .//Teams_osx.pkg.intunemac.
   
    IntuneAppUtil successfully processed "Teams_osx.pkg",
    to deploy refer to the product documentation.
    Removing directory /var/folders/fy/xtq5xkw56wg3tc2ng7klpw800000gn/T/Teams_osx.pkg... 
    Removing directory /var/folders/fy/xtq5xkw56wg3tc2ng7klpw800000gn/T/ExtractedPkg/... 
   

4. This will produce Teams_osx.pkg.intunemac file. This file can now be uploaded into Intune. the *.intunemac file is a zip file that contains the package file and a XML header file (Detection.xml)
   Content of the XML file:

    <?xml version="1.0" encoding="UTF-8"?>
    <PackageMetadata Version="1.0.0.0" TimeStamp="2018-07-30 01:22:37 +0000" MacOSX="10.13.6" xmlns="http://schemas.microsoft.com/Intune/2018/01/01/MACLOBAPP">
    <MacOSLobApp PackageType="pkg" PackageName="Teams_osx.pkg" BundleId="com.microsoft.teams" BuildNumber="0">
    <MD5HashChunkSize Size="10485760"/>
    <MD5Hash>md5hash
    </MD5Hash>
    <MacOSLobChildApp BundleId="com.microsoft.teams" BuildNumber="117852" VersionNumber="1.00.117852"/>
    </MacOSLobApp>
    <InstallerParams VolumeInfo="/" RestartAction="None"/>
    </PackageMetadata>
   

5. In Intune navigate to Client Apps → Apps and add a new Line-of-business app
   

   

   image792×387 62.4 KB
   
   
   

   image718×242 30 KB

6. You will then need to fill in the App Information and provide an icon. In the case of Teams you may switch “Ignore app version” to Yes as Teams updates automatically hence no need to maintain a version via Intune.

7. Once you save the settings the package will start uploading to Intune, you then need to assign the application to a group of users.
   

   

   image1116×458 61.4 KB

8. Once assigned the app should become available within the Intune Company Portal app within ~15 mins or so.o Client Apps → Apps and add a new Line-of-business app
   

   

   image792×387 62.4 KB
   
   
   

   image718×242 30 KB

9. You will then need to fill in the App Information and provide an icon. In the case of Teams you may switch “Ignore app version” to Yes as Teams updates automatically hence no need to maintain a version via Intune.

10. Once you save the settings the package will start uploading to Intune, you then need to assign the application to a group of users.
    

    

    image1116×458 61.4 KB

11. Once assigned the app should become available within the Intune Company Portal app within ~15 mins or so.

Deploying apps via Intune would only work if -> install-location is set to =”/Applications”. If the 3rd party Package have a pkg-info with install-location=”/”. Deployment in intune would not work.

Unfortunately at this point in time Intune has limited support for line of business application installation on the Mac OS Platform and can only deploy those applications which are configured with the install-location set for Applications.

I’ve successfully deployed Citrix Files for macOS via Intune

The “Citrix Files” package contains 2 packages inside:

• Fuse_components.pkg - has Install-Location set to /
• Citrix_files.pkg - has Install-Location set to /Applications

This has successfully installed, Fuse_components.pkg installs a filesystem extension which has also installed successfully (this did require an additional profile to be created to whitelist the developer team ID).

wow, i had a case open with MS and i had an update that Install location set to “/” is not supported in Intune.

Could you please share any info which show the details where is location is set to / and app is installed. If possible. Thanks.

My usecase may be different from what you are trying to do

The package I’ve deployed is located here: http://dl.sharefile.com/cfmac

Note this is a DMG file I had to mount it and extract the .pkg from inside.

You can pull it apart and see how its different to the application you are trying to deploy.

The Kernel extension whitelisting I had to do is based on: Whitelisting third-party kernel extensions using profiles | Der Flounder

HI Danil, I have reviewed the link to whitelist kernel extension. Could you let me know which tool have you used to create the profile?

It’s just an xml file, you can just copy the profile text from the link and deploy it.

I generally use Apple Configurator to create the profile header and then fill in the other text.

Hello all,

I have the same issue… When I want to install an app via Intune, I reach the download step, but is still turning around (I have tried with Teams and same issue),.
In Device management, it says “Pending install”.
When I open the package, the install-location is correctly set to “/Applications” in the packageinfo file.
I have convert the .pkg in .intunemac without error…

I have seen in another post that we maybe had to sign the package with an Apple certificate. Is it compulsory?

Is someone able to help me?

Many thanks in advance!

Have you looked through the logs on the macOS machine you are trying to install the package on?

Look at logs generated by the following processes:

• mdmclient
• storeassetd

Hi daniil_michine,

Thanks for your answer and sorry for the delay!
I have looked for these logs, but I don’t find useful information about this problem…

The application Teams is still in downloading state, but there is nothing about Teams in the logs…

In the storeassetd logs, the only weird logs is “storeassetd UpdateController: No VPP Licensed product found, no receipt renewal performed”. Do I need a VPP license in order to install a soft from Intune?

You do not need VPP to deploy applications from Intune (Intune is only now getting VPP support for macOS). Are you able to install other apps? i.e. can you install the Office for macOS via Intune?

Ok thanks!
Yes, I am able to install the Office suite for MacOS
I only have issues with line-of-business apps.

Ensure that you do not have spaces in package names, that caused issues for me as Intune did not replace spaces with %20 so the Mac could not find the download path

Ok thanks! I’ll check this!

Hi again daniil_michine,

Your advice solve my problem!

The name of my Teams package was “Teams_osx.pkg”, I rename it to “Teams.pkg” and it works!

Many thanks!

How can I set Install-location to /Applications ?
I a trying to install an app via Intune, I reach the download step, but is still turning around for long time…,

Is applications need to be notarized to deploy on Catalina via Intune.

Are you pushing a package someone else has built or your own?
You can look inside the package for pkginfo file that should have the install-location defined inside

You can check your package if it has already been notarized

Hi daniil_michine,

Thank you for response.

1. Pushed both type of packages i.e, directly downloaded .pkg and pushed. I have build .pkg using composer tool and pushed through Intune.
   The downloaded Google.pkg got installed through Intune but in the same we have downloaded Firefox.pkg & pushed got stuck in downloading.

2. I have checked the pkginfo file but there is no content present there and file is locked
   

   

   Screen Shot 2020-04-27 at 1.20.08 PM2712×894 226 KB
   
   Uploaded above snip for reference .

3. I am checking on Notarization. When I run given command lines in the link, getting below responses
   spctl -a -vvv -t install go-hello-unsigned
   go-hello-unsigned: accepted
   override=security disabled

For every command override=security disable and go-hello is accepted

Another option of installing apps is via shell scripts in Intune

Here is a github repo with sample scripts: GitHub - microsoft/shell-intune-samples: Sample shell scripts for Intune admins.