A PKG-based application is an installer package that combines all the essential application components, scripts, and metadata into a single .pkg file. This file contains everything needed to install the application.
You can deploy .pkg apps via Intune using the Line-of-Business app and the macOS app (PKG) method.
This difference relates to where the app is installed. The line-of-business deployment deploys the app to the /Applications/ (managed) location, whereas the macOS app (PKG) can install apps outside of /Applications/ (unmanaged). I will use the Line-of-Business app method to demonstrate the deployment.
A macOS LOB app can only be installed as managed when the app distributable contains a single app without any nested packages and installs to the /Applications directory. Managed line-of-business apps will be able to be removed using the uninstall assignment on supported devices (macOS 11 and higher). In addition, removing the MDM profile removes all managed apps from the device automatically.
Source: Microsoft
Table of Contents
Prerequisites
- The .pkg file must not contain a .dmg or .app file.
- The .pkg file is signed with a Developer ID Installer certificate from an Apple developer account.
- .pkg file must contain a payload.
We will use Google Chrome as an example application. First, we’ll download the app and then create a deployment in the Intune admin center.
STEP 1 – Download Google Chrome PKG Installer
You can visit the software vendor’s website to locate the PKG Installer for macOS devices and then download it. As our Example app is Google Chrome, We will visit the link: Google Chrome PKG app and select PKG from the File type drop-down. Click on Download.
STEP 2 – Create an App Deployment
To create an App deployment on the Intune admin center, follow the below steps:
- Sign in to the Intune admin center.
- Click on Apps > macOS > macOS apps.
- Click on + Add.
- App type: Line-of-business app.
- Click on the Select button to proceed.
App Information
To get started, click on Select app package file to browse to the .pkg application installer. Then click on the OK button to proceed.
- Name: Provide a unique name of the application.
- Description: Describe the application.
- Publisher: Provide the publisher’s name.
- Minimum Operating System: Select the Minimum operating system as a condition for application installation.
- Ignore App version: Select Ignore app version to Yes or No based on the below criteria:
- Select Ignore app version = Yes if you want the app installed when it’s not found on the target device. If the app is already there but the version number is different, it will be ignored, and the app will not be deployed.
- Select Ignore app version = No. If you want the app to be installed when it’s not found on the target device or the app version you are deploying is different than the one already installed on the target device,
In general, when deploying a self-updating application such as Google Chrome or Zoom, you should set Ignore the app version to Yes.
Please note that If you have disable AutoUpdate setting for self-updating apps, then can set Ignore app version to No. I have provided more detail about it in my other blog post: How to deploy Zoom using Intune.
Note
- The App bundle ID (CFBundleIdentifier) and App version (CFBundleShortVersionString) should be pre-populated for you.
If you want to know how to retrieve CFBundleIdentifier and CFBundleShortVersionString Information using macOS Terminal, You can follow refer to the link: How To Deploy DMG Apps On MacOS Devices Using Intune
Find (CFBundleIdentifier) and (CFBundleShortVersionString)
- Install as Managed: Select Yes.
Please note A macOS LOB app can only be installed as managed when the app distributable contains a single app without any nested packages and installs to the /Applications directory.
Install as Managed
- Logo: macOS LOB apps must have a logo. It will not be displayed on the company portal app under the Apps section if they don’t have a logo.
- The remaining information is optional. Nevertheless, if you have all the details about this application, it can help other team members better understand it and could prove useful in troubleshooting any issues that may arise.
Assignments
Click on Add group to add an Entra security group containing macOS devices.
Review + create
Review the deployment and click on Create to start the deployment process.
Sync Intune Policies
The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart Intune sync from the device itself or remotely through the Intune admin center.
Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Restarting the device is another way to trigger the Intune device check-in process.
End-user Experience
To check if the deployment is completed successfully, follow the below steps:
- Go to Finder > Go > Applications
- Look for the Google Chrome application icon to confirm the deployment.
Monitor Deployment Progress
You can monitor the app deployment from the Intune admin center. Go to Apps > macOS > Click on your app deployment > Overview page will show the status of Installation.
In case of any issues or deployment failures, you can click on Device install status or User install status to know more details about the error.
Uninstall the PKG app Deployed on macOS using Intune
If you have deployed the PKG app using this method and Install as Managed is selected as Yes, you can simply add the device in the Uninstall assignment section of the deployment, and the application will be uninstalled automatically.
macOS Intune deployment troubleshooting
If you encounter problems deploying the application, check the IntuneMDMDaemon*.log and IntuneMDMAgent*.log files for more information. For guidance on locating these files on a macOS device, refer to my previous blog post titled How To Collect Intune Logs From a MacOS Device.
Conclusion
This blog post discussed deploying PKG apps on macOS devices through Intune. We used the Google Chrome application as an example, which is widely used in many organizations. The app was installed a few minutes after initiating a device check-in through the Company Portal app.
