Recently, I have created a blog post on how to deploy DMG apps on macOS devices using Intune. DMG based app is a disk image type file which contains one or more applications and is mounted as a volume in finder. Its like an ISO file in Windows. DMG files can be used to distribute applications (.app) files.
Whereas PKG based application is an Installer package which contains all necessary application components, scripts, metadata in a one .pkg file required for Installation of the application.
If you have enrolled macOS devices into Intune, you can easily deploy .pkg type applications. There are two way to deploy .pkg apps via Intune. First one is using Line-of-business app and Second one as macOS app (PKG) method.
The different between Line-of-business app and macOS app (PKG) deployment is that the Line of business app deployment can Install the app as managed application and macOS app (PKG) option is for unmanaged applications. The difference is mainly when the package installs the app in /Applications/ directory (managed) or Outside of /Applications/ directory (Unmanaged).
A macOS LOB app can only be installed as managed when the app distributable contains a single app without any nested packages and installs to the /Applications directory. Managed line-of-business apps will be able to be removed using the uninstall assignment on supported devices (macOS 11 and higher). In addition, removing the MDM profile removes all managed apps from the device.
Source: Microsoft
Before we can create .PKG file deployment from Intune admin center, we need to know about the prerequisites:
- The .pkg file must not contain a .dmg or .app file.
- The .pkg file is signed with “Developer ID Installer” certificate obtained from an Apple developer account.
- .pkg file must contain a payload.
I are going to take an example application as Google chrome. I will first download the app and then create a deployment on Intune admin center.
Steps to deploy PKG app on macOS using Intune
We are using Google chrome application as an example application, however the steps given in this blog post can be used to deploy any other PKG app using Intune. Here are the steps:
- Download Google chrome PKG app
- Login on Microsoft Intune admin center
- Click on Apps > macOS > macOS apps
- Click on + Add to start the creation of deployment
- App type: Line-of-business app
- Click on Select button to proceed
App Information
Click on Select app package file to select .pkg application installer. Browse to App package file and then click on OK button to proceed.
- Name: Provide a unique name of the application. This name will appear on Company Portal app.
- Description: Provide a description of the application. This description will show on Company Portal app.
- Publisher: Provide the publisher name.
- Minimum Operating system: Select Minimum operating system as a condition for application installation. As all of my organization’s devices are on macOS Ventura 13.0.
- Ignore App version: Select Ignore app version to Yes or No based on below criteria:
- Select Ignore app version = Yes If you want to app to be Installed when its not found on the target device. If the app is already there but the version number is different, it will be ignored and app will not be deployed.
- Select Ignore app version = No If you want to app to be Installed when its not found on the target device or the app version you are deploying is different than the one already Installed on the target device.
Generally when you are deploying a self updating application like Google chrome or Zoom, you should select Ignore the app version to Yes.
- App bundle ID (CFBundleIdentifier) and App version (CFBundleShortVersionString): These details should get pre-populated for you as com.google.Chrome and <app version number>. However if you need to find this information then you can follow below steps:
To find CFBundleIdentifier and CFBundleShortVersionString information, you can Install Google chrome pkg file (the same file you are deploying via Intune) on a test mac device and then use below commands on macOS terminal to find this info:
defaults read /Applications/Google\ Chrome.app/Contents/Info CFBundleIdentifierdefaults read /Applications/Google\ Chrome.app/Contents/Info CFBundleShortVersionString
- Install as Managed: Select Yes. Please note “A macOS LOB app can only be installed as managed when the app distributable contains a single app without any nested packages and installs to the /Applications directory“.
- Logo: macOS LOB apps must have a logo. If they don’t have a logo, it will not be displayed on the company portal app under Apps section.
Rest of the Information is optional to fill. However if you have all the information about this application, Its recommended to fill in all the information. This will be helpful for other team members to know more about this particular application and could be helpful while troubleshooting any issues.
Assignments
There are three group assignments options. Required, Available for enrolled devices and Uninstall. Add it to Required assignment to make the application installation mandatory and to deploy it as soon as possible.
Click on Add group and select an Azure AD group containing users or devices. If you prefer a more controlled deployment to specific devices only, then make sure to only add macOS devices in the Azure AD group. Once your testing is successful and you want to deploy this application on all Organization devices, you can click on + Add all devices.
Review + create
On Review + create page, review the app deployment information and click on Create to finish.
Intune Policy Refresh Cycle
The Device will Sync / Check in to start the app deployment process. It may take some time for the process to start. Therefore, if you are testing it on a test device, you can force initiate Intune refresh cycle on macOS device which will speed up the process. You can also use Powershell to force initiate Intune refresh cycle.
Also, you can restart the device first which also starts the device check-in process. Manual sync is not mandatory on user’s devices as the device check-in process happens automatically. But if you are testing this app deployment on a test device then this can speed up your testing and can save some time.
End user Experience
Let’s check the end user experience and see if the application is Installed as per the app deployment. After the device check-in process completes, the application will be installed on the device. You can go to the Applications directory to find Google Chrome in the list.
Finder > Go > Applications
Monitor app deployment using Intune admin center
You can monitor the app deployment from Intune admin center. Go to Apps > macOS > click on the application > Overview page will show the status of Installation similar to as shown in below screenshot.
In case of any issues or deployment failures, you can click on Device install status or User install status to know more details about the error description and error code.
How to Uninstall PKG app deployed on macOS using Intune
If you have deployed PKG app using this method and Install as Managed is selected as Yes. Then you can simply add the device in Uninstall assignment section of the deployment and the application will be uninstalled automatically.
macOS Intune deployment troubleshooting
If you face any issues with application deployment, you can refer to IntuneMDMDaemon*.log and IntuneMDMAgent*.log files. To find out the more information about how to locate these files on macOS device, you can refer to my other blog post: How To Collect Intune Logs From MacOS Device.
Conclusion
In this blog post, we have seen how to deploy PKG apps on macOS devices using Intune. We took an example of Google chrome application which is a common application used in most organizations. The app installation took couple of minutes after forcing the device check-in from Company portal app.