In this blog post, we will demonstrate the steps to deploy shell scripts on macOS devices using Intune admin center. Shell script contains a list of UNIX commands that can be executed on the target device to achieve the desired result.
- Shell Script Use Cases
- You can create a Shell script to set desktop wallpaper on a macOS device.
- Create a local admin account on macOS using a Shell script.
Best practice for deploying shell scripts on macOS is to first test the script on a test device first. This will reduce the failure rate and saves a lot of time in deployment process. One of the advantages of deploying shell scripts via Intune is that you can schedule script deployment and set a script frequency.
Contents
Prerequisites
- Devices with macOS 11.0 and later.
- macOS Devices must be enrolled and managed by Intune.
- Target macOS devices must be connected to the Internet without any Proxy.
- Shell scripts begin with #! and must be in a valid location, such as
#!/bin/shor#!/usr/bin/env zsh. - Command-line interpreters for the applicable shells are installed.
Pre-Deployment Points for macOS Shell Scripts
Before you start your deployment of Shell scripts using Intune, There are a few important points to consider. You should review it to understand how the shell script deployment will work.
- Shell scripts requires Microsoft Intune management Extension (IME) which would be automatically and silently installed on the device that are assigned at least one shell script from Intune admin center.
- Shell scripts run in parallel on devices as separate processes.
- Shell scripts run as the signed-in user will run for all currently signed-in user accounts on the device at the time of the run.
- An end user must sign in to the device to execute scripts running as a signed-in user.
- Root user privileges are required if the script requires making changes that a standard user account cannot.
- Shell scripts will attempt to run more frequently than the chosen script frequency for certain conditions. Examples include 1) if the disk is full, 2) if the storage location is tampered with, 3) if the local cache is deleted, or 4) if the Mac device restarts.
- Shell scripts running for over 60 minutes are stopped and reported as failed.
Shell Script Preparation
You need to prepare and test a Shell script to deploy on Intune-managed macOS devices. I am using below example Shell script for demonstration, which will create a local administrator account on Mac devices. You can use the steps in this post to deploy any Shell script on Mac.
createLocalAdmin.sh
!/bin/sh
accountname=cloudinfraadmin
password="C0mputer@2020"
dscl . -create /Users/$accountname
dscl . -create /Users/$accountname UserShell /bin/bash
dscl . -create /Users/$accountname RealName "CloudInfra Admin Account"
dscl . -create /Users/$accountname UniqueID "2001"
dscl . -create /Users/$accountname PrimaryGroupID 20
dscl . -create /Users/$accountname NFSHomeDirectory /Users/$accountname
dscl . -passwd /Users/$accountname $password
dscl . -create /Users/$accountname hint "computer"
dscl . -append /Groups/admin GroupMembership $accountnameCreate a Shell Script Deployment
Now that the Shell script is ready and manual testing is successful, we will create a Shell script deployment on the Intune admin center.
- Sign in to the Intune admin center > Devices > macOS >Shell scripts.
- Click on + Add to start creating the deployment.
- Basics Tab: Enter the Name and Description and click on Next.
- Script Settings
- Run script as signed-in user: Select No to run the script using root-level privileges, similar to running the script as an administrator. The default value of this setting is Yes; change it to No. If you have a shell script that you want to execute in User context, keep the default value of Yes.
- Hide script notifications on devices: Users will get a Script notification by default. Select Hide to hide script notifications.
- Script frequency: You can configure how often you want the script to execute on the device. By default, it will be executed only once.
- Max number of times to retry if script fails: Select how many times you want the script to be re-executed on failure. When you choose Not Configured, a retry of script execution on failure will not occur.
- Assignments Tab: You can now assign this script to an Entra security group containing macOS devices. If the Script deployment is more aligned with Users, you can select a group containing Users. Our example shell script will create a local admin on macOS devices; therefore, targeting devices for our demonstration is more appropriate.
- Review + add: Review the Summary of your deployment and Click on the Add.
MacOS Shell script deployment has been created in the Intune admin center. The deployment is from Intune admin center > Devices > macOS > Shell scripts.
Sync Intune Policies
The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart Intune sync from the device itself or remotely through the Intune admin center.
Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Restarting the device is another way to trigger the Intune device check-in process.
Monitor Deployment Progress
To monitor app deployment, access the Intune admin center. Navigate to Devices > macOS > Shell scripts. Click on a shell script to check its status, then go to the Overview page to view the shell script deployment status.
To check the deployment status on a per-device or per-user basis, select Device status or User status under the Monitor section.
macOS Shell Script Deployment Status
After creating a Shell script deployment on Intune, target it to macOS devices/users. The script may take a few hours to execute, and the status will be reported back to Intune. Below is the status reported to Intune depending on whether the Script execution was successful or failed.
| Script Status | About the Result |
|---|---|
| Success | Shell script execution was successful. Script returned Zero (0) exit code. |
| Failed | Shell script execution was not successful. Script returned a Non-Zero exit code. |
| No Status | If the device is offline, No status can be reported to Intune until the device is back Online. Therefore, in that case, Intune will show as No Status. |
Troubleshooting
In case of any issues with Shell script deployment, there could be a few troubleshooting steps you could take. I have provided below guidance on this which can help you find the root cause of the issue.
Shell Scripts are not Executing on target macOS Devices
Even though you have tested the shell script manually before creating a script deployment on the Intune admin center, you may find that in few cases, the Shell scripts are not executing on the target macOS devices.
Below are some of the reasons why shell script execution could be failing:
- If you recently created the Script deployment, you may need to wait for the Intune device check-in process to complete. For more information about the Intune device check-in process on Mac devices, refer to the article: Force Intune Sync on macOS devices. The default device check-in happens every 8 hours.
- Ensure the target device is online and connected to the Internet for successful MDM agent check-in. If the device is online, you can ask the user to open the Company Portal app on their device and Initiate Device check-in once.
- Ensure that the Intune agent is Installed on the target Mac device. Intune agent is Installed at the location /Library/Intune/Microsoft Intune Agent.app. Check if this Microsoft Intune agent.app exists.
- You can check the Intune logs on macOS devices. To collect and investigate the logs for more details about the issue, refer to the step-by-step guide on log collection: How to Collect Intune Logs from macOS Devices.
- There could be issues with the Intune agent. It will recover itself in 24 hours. If you have assigned the shell script to the device, the Intune agent will automatically recover from the Unhealthy state to a healthy state.
