Deploy PKG Apps on macOS using Intune

There are two types of application installers for app deployment on macOS via Intune: .dmg and .pkg. In my other blog post, we learnt the steps to deploy .dmg apps on macOS using Intune. This blog post is about the deployment of .pkg apps.

When it comes to deploying .pkg apps, there are two ways to do it. The first method is macOS (PKG) and the second is the line-of-business app method. These are the preferred methods of deployment for unmanaged and managed PKG apps, respectively. Let’s understand the difference between the two.

| Managed PKG App | Unmanaged PKG App |
|---|---|
| Use line-of-business method of deployment | Use macOS (PKG) method of deployment |
| Install as managed option: applies to macOS 11 and higher; applies when there is only one app in the .pkg distribution package; applies when the application installs in the /Applications directory; the app can be uninstalled easily using the same deployment, provided Install as managed is set to Yes. | Install as managed option is not available for this type of deployment. Applies to applications which are installed outside of the /Applications/ directory. Difficult to uninstall the app from a macOS device after it has been deployed using this method. |
| For straightforward and less complex .pkg application deployments | For relatively complex applications which require custom packages, pre-install and post-install scripts. |
| .pkg app installer file must be signed by a Developer ID Installer certificate obtained from an Apple developer account. | This method can be used for unsigned apps. |

In this blog post, I will demonstrate the line-of-business app option to deploy a .pkg app on macOS devices. This option is recommended if the app deployment is not complex and the .pkg app is signed by a Developer ID Installer certificate. To understand more about deploying unmanaged PKG apps, please refer to the Microsoft link: Add an unmanaged macOS PKG app.

Prerequisites

There are some prerequisites for deploying a managed .pkg app file on a Mac using Intune:

  • The .pkg file must not contain a .dmg or .app file.
  • The .pkg file is signed with a Developer ID Installer certificate from an Apple developer account.
  • .pkg file must contain a payload.
  • macOS LOB apps size must not exceed 2GB.
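The signature, payload and size prerequisites above can be checked before upload. The script below is an added example, not part of the original post: its function names are hypothetical, the sample tool output and the `Example Corp (ABCDE12345)` identity are constructed, and it assumes `pkgutil` prints its certificate chain in the form shown in the sample.

```sh
#!/bin/sh
# Added example: pre-upload checks for a managed (line-of-business) .pkg.
# Function names are hypothetical; pkgutil is the tool built into macOS.
MAX_BYTES=$((2 * 1024 * 1024 * 1024))  # 2 GB LOB limit, taken here as 2 GiB

# Constructed samples of `pkgutil --check-signature` / `--payload-files` output.
SAMPLE_SIGNED='Package "Example.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Certificate Chain:
    1. Developer ID Installer: Example Corp (ABCDE12345)
    2. Developer ID Certification Authority
    3. Apple Root CA'
SAMPLE_UNSIGNED='Package "Example.pkg":
   Status: no signature'
SAMPLE_PAYLOAD='.
./Example.app
./Example.app/Contents/Info.plist'

# True when the leaf certificate (entry 1) is a Developer ID Installer cert.
sig_is_developer_id_installer() {
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*1\. Developer ID Installer: '
}
# True when the payload listing has at least one path other than "." or blank.
has_payload() {
  printf '%s\n' "$1" | grep -Evq '^(\.|[[:space:]]*)$'
}
size_within_limit() { [ "$1" -le "$MAX_BYTES" ]; }

# Args: signature output, payload listing, size in bytes.
# Prints PASS/FAIL per prerequisite; returns 1 if any check fails.
check_pkg_report() {
  rc=0
  if sig_is_developer_id_installer "$1"; then echo "PASS Developer ID Installer signature"
  else echo "FAIL Developer ID Installer signature"; rc=1; fi
  if has_payload "$2"; then echo "PASS payload present"
  else echo "FAIL payload present"; rc=1; fi
  if size_within_limit "$3"; then echo "PASS size within 2 GB"
  else echo "FAIL size within 2 GB"; rc=1; fi
  return "$rc"
}

# On a Mac: run the real tools against the installer given as $1.
check_pkg() {
  check_pkg_report "$(pkgutil --check-signature "$1" 2>&1)" \
                   "$(pkgutil --payload-files "$1" 2>/dev/null)" \
                   "$(( $(wc -c < "$1") ))"
}
if [ $# -gt 0 ]; then check_pkg "$1"; fi
```

Run it on a Mac with the installer path as the only argument. A package signed with any certificate other than Developer ID Installer fails the first check.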

Step 1 – Download Google Chrome PKG Installer

The first step is to download the PKG installer of an app. For demonstration purposes, I will be using the Google Chrome app. However, you can use the same steps to deploy any PKG app through Intune.

Download PKG Installer

Step 2 – Create PKG App Deployment on Intune

  • Sign in to the Intune admin center > Apps > macOS > macOS apps.
  • Click on + Add.
  • App type: Line-of-business app.
  • Click on the Select button to proceed.
  • App Information – To get started, click on Select app package file to browse to the .pkg application installer. Then click on the OK button to proceed.
Click on the blue folder Icon to browse to googlechrome.pkg file
  • Name: Provide a unique name of the application.
  • Description: Describe the application.
  • Publisher: Provide the publisher’s name.
  • Minimum Operating System: Select the Minimum operating system as a condition for application installation.
  • Ignore App version: Select Ignore app version to Yes or No based on the below criteria:
    • Select Ignore app version = Yes if you want the app installed when it’s not found on the target device. If the app is already there but the version number is different, it will be ignored, and the app will not be deployed.
    • Select Ignore app version = No if you want the app to be installed when it’s not found on the target device or when the app version you are deploying is different from the one already installed on the target device.

In general, when deploying a self-updating application such as Google Chrome or Zoom, you should set Ignore app version to Yes.

In some cases, you may choose to disable the auto-updating setting for an app. In that case, you can set Ignore app version to No, which allows you to control app updates by managing the deployment of new versions only through Intune.

Note
  • The App bundle ID (CFBundleIdentifier) and App version (CFBundleShortVersionString) should be pre-populated for you.

If you want to know how to retrieve the CFBundleIdentifier and CFBundleShortVersionString information using macOS Terminal, you can refer to the link: Deploy DMG Apps On MacOS Devices Using Intune

Find (CFBundleIdentifier) and (CFBundleShortVersionString)
  • Install as Managed: Select Yes (Please note that Uninstall assignment will only be enabled if Install as Managed is set to Yes).

Please note a macOS LOB app can only be installed as managed when the app distributable contains a single app without any nested packages and installs to the /Applications directory.

Install as Managed = Yes
  • Logo: Upload a logo that’s associated with the app. This logo will appear next to the app on Company Portal.
Select a logo for macOS LOB app in JPEG/PNG/JPG file.
macOS PKG app deployment configuration from Intune admin center
  • Assignments – Click on Add group to add an Entra security group containing macOS devices.
Assign macOS PKG app to devices from Intune
  • Review + create – Review the deployment and click on Create.

Sync Intune Policies

The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart Intune sync from the device itself or remotely through the Intune admin center.

Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Restarting the device is another way to trigger the Intune device check-in process.

End User Experience

To check if the PKG app deployment has been completed successfully, follow the below steps:

  • Go to Finder > Go > Applications
  • Look for the Google Chrome application icon to confirm the deployment.
End-user Experience

Monitor Deployment Progress

You can monitor the app deployment from the Intune admin center. Go to Apps > macOS > Click on your app deployment > Overview page will show the status of Installation.

In case of any issues or deployment failures, you can click on Device install status or User install status to know more details about the error.

Uninstall PKG app from macOS devices using Intune

If you have deployed the PKG app using the line-of-business method and Install as Managed is set to Yes, you can simply add the device in the Uninstall assignment section of the deployment, and the application will be uninstalled automatically. Please note that the Uninstall assignment option will not be available if Install as Managed is set to No.

macOS Intune deployment troubleshooting

If you encounter problems deploying the application, check the IntuneMDMDaemon*.log and IntuneMDMAgent*.log files for more information. For guidance on locating these files on a macOS device, refer to my previous blog post titled How To Collect Intune Logs From a MacOS Device.

Conclusion

This blog post discussed deploying PKG apps on macOS devices through Intune. We used the Google Chrome application as an example, which is widely used in many organizations. The app was installed a few minutes after initiating a device check-in through the Company Portal app.
