Deploy PKG Apps on macOS devices using Intune

A PKG-based application is an installer package that combines all the essential application components, scripts, and metadata into a single .pkg file. This file contains everything needed to install the application.

You can deploy .pkg apps via Intune using either the Line-of-Business app method or the macOS app (PKG) method.

The difference between the two is where the app is installed. The line-of-business deployment installs the app to the managed /Applications/ location, whereas the macOS app (PKG) method can install apps outside of /Applications/ (unmanaged). I will use the Line-of-Business app method to demonstrate the deployment.

A macOS LOB app can only be installed as managed when the app distributable contains a single app without any nested packages and installs to the /Applications directory. Managed line-of-business apps will be able to be removed using the uninstall assignment on supported devices (macOS 11 and higher). In addition, removing the MDM profile removes all managed apps from the device automatically.

Source: Microsoft

Prerequisites

  • The .pkg file must not contain a .dmg or .app file.
  • The .pkg file is signed with a Developer ID Installer certificate from an Apple developer account.
  • The .pkg file must contain a payload.
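
The signature and payload prerequisites can be checked in Terminal before the file is uploaded to Intune. The script below is an added example, not part of the original post or of Microsoft's tooling; it relies on `pkgutil --check-signature` and `pkgutil --payload-files`, the function names are hypothetical, and the sample output embedded in it is constructed.

```shell
#!/bin/bash
# Added example: pre-upload checks for a .pkg destined for Intune.
# The parsing functions read pkgutil output on stdin so they can be tested offline.

# Succeeds only if `pkgutil --check-signature` output shows a distribution
# signature whose leaf certificate is a Developer ID Installer certificate.
sig_is_developer_id_installer() {
  local out
  out=$(cat)
  printf '%s\n' "$out" | grep -q 'Status: signed by a developer certificate issued by Apple for distribution' || return 1
  printf '%s\n' "$out" | grep -Eq '^[[:space:]]*1\. Developer ID Installer: ' || return 1
}

# Prints the signer (name and team ID) taken from the leaf certificate line.
sig_signer() {
  sed -n 's/^[[:space:]]*1\. Developer ID Installer: //p' | head -n 1
}

# Succeeds if the `pkgutil --payload-files` listing is non-empty and holds no disk image.
payload_ok() {
  local listing
  listing=$(cat)
  [ -n "$listing" ] || return 1
  if printf '%s\n' "$listing" | grep -Eiq '\.dmg$'; then return 1; fi
  return 0
}

# Constructed sample output (not captured from a real package).
SAMPLE_SIG='Package "example.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Certificate Chain:
    1. Developer ID Installer: Example Corp (ABCDE12345)
    2. Developer ID Certification Authority
    3. Apple Root CA'
SAMPLE_UNSIGNED='Package "example.pkg":
   Status: no signature'

# On a Mac: ./check_pkg.sh /path/to/installer.pkg
if [ -n "${1:-}" ]; then
  pkgutil --check-signature "$1" | sig_is_developer_id_installer \
    || { echo "FAIL: not signed with a Developer ID Installer certificate"; exit 1; }
  echo "Signer: $(pkgutil --check-signature "$1" | sig_signer)"
  pkgutil --payload-files "$1" | payload_ok \
    || { echo "FAIL: empty payload or embedded .dmg"; exit 1; }
  echo "OK: $1 meets the signature and payload prerequisites"
fi
```

Compare the printed signer with the vendor you expect before uploading; a valid signature from an unexpected publisher is a reason to stop.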

We will use Google Chrome as an example application. First, we’ll download the app and then create a deployment in the Intune admin center.

STEP 1 – Download Google Chrome PKG Installer

You can visit the software vendor’s website to locate the PKG installer for macOS devices and then download it. As our example app is Google Chrome, we will visit the link: Google Chrome PKG app and select PKG from the File type drop-down. Click on Download.

Download PKG Installer

STEP 2 – Create an App Deployment

To create an App deployment on the Intune admin center, follow the below steps:

  • Sign in to the Intune admin center.
  • Click on Apps > macOS > macOS apps.
  • Click on + Add.
  • App type: Line-of-business app.
  • Click on the Select button to proceed.

App Information

To get started, click on Select app package file to browse to the .pkg application installer. Then click on the OK button to proceed.

Click on the blue folder Icon to browse to googlechrome.pkg file
  • Name: Provide a unique name for the application.
  • Description: Describe the application.
  • Publisher: Provide the publisher’s name.
  • Minimum Operating System: Select the Minimum operating system as a condition for application installation.
  • Ignore app version: Set Ignore app version to Yes or No based on the criteria below:
    • Select Ignore app version = Yes if you want the app installed when it’s not found on the target device. If the app is already there but the version number is different, it will be ignored, and the app will not be deployed.
    • Select Ignore app version = No if you want the app to be installed when it’s not found on the target device or when the app version you are deploying is different from the one already installed on the target device.

In general, when deploying a self-updating application such as Google Chrome or Zoom, you should set Ignore app version to Yes.

Please note that if you have disabled the AutoUpdate setting for self-updating apps, then you can set Ignore app version to No. I have provided more detail about it in my other blog post: How to deploy Zoom using Intune.

Note
  • The App bundle ID (CFBundleIdentifier) and App version (CFBundleShortVersionString) should be pre-populated for you.

If you want to know how to retrieve the CFBundleIdentifier and CFBundleShortVersionString information using macOS Terminal, you can refer to the link: How To Deploy DMG Apps On MacOS Devices Using Intune

Find (CFBundleIdentifier) and (CFBundleShortVersionString)
  • Install as Managed: Select Yes.

Please note that a macOS LOB app can only be installed as managed when the app distributable contains a single app without any nested packages and installs to the /Applications directory.

Install as Managed
  • Logo: macOS LOB apps must have a logo. An app without a logo will not be displayed in the Company Portal app under the Apps section.
Select a logo for macOS LOB app in JPEG/PNG/JPG file.
  • The remaining information is optional. Nevertheless, if you have all the details about this application, it can help other team members better understand it and could prove useful in troubleshooting any issues that may arise.
macOS PKG app deployment configuration from Intune admin center

Assignments

Click on Add group to add an Entra security group containing macOS devices.

Assign macOS PKG app to devices from Intune

Review + create

Review the deployment and click on Create to start the deployment process.

Sync Intune Policies

The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart Intune sync from the device itself or remotely through the Intune admin center.

Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Restarting the device is another way to trigger the Intune device check-in process.

End-user Experience

To check if the deployment is completed successfully, follow the below steps:

  • Go to Finder > Go > Applications
  • Look for the Google Chrome application icon to confirm the deployment.
End-user Experience

Monitor Deployment Progress

You can monitor the app deployment from the Intune admin center. Go to Apps > macOS and click on your app deployment. The Overview page will show the installation status.

In case of any issues or deployment failures, you can click on Device install status or User install status to know more details about the error.

Uninstall the PKG app Deployed on macOS using Intune

If you have deployed the PKG app using this method and Install as Managed is selected as Yes, you can simply add the device in the Uninstall assignment section of the deployment, and the application will be uninstalled automatically.

macOS Intune deployment troubleshooting

If you encounter problems deploying the application, check the IntuneMDMDaemon*.log and IntuneMDMAgent*.log files for more information. For guidance on locating these files on a macOS device, refer to my previous blog post titled How To Collect Intune Logs From a MacOS Device.

Conclusion

This blog post discussed deploying PKG apps on macOS devices through Intune. We used the Google Chrome application as an example, which is widely used in many organizations. The app was installed a few minutes after initiating a device check-in through the Company Portal app.
