This blog post demonstrates deploying shell scripts on macOS devices using Intune. A shell script contains a list of UNIX commands that are executed on the target device to achieve the desired result, similar to how a PowerShell script is used on Windows operating systems.
Here are a few examples of shell script use cases:
- You can create a Shell script to set desktop wallpaper on a macOS device.
- Create a local admin account on macOS using a Shell script.
After creating a shell script, first test it on a Mac using the Terminal app to ensure it works correctly. Once you are confident that the script performs as expected, you can use the Intune admin center to deploy it to many devices at once.
Another advantage of utilizing the Intune admin center for Shell script deployment is scheduling the script to run regularly. When creating the deployment, a setting called Script Frequency can be used to configure this.
Prerequisites
Before creating and assigning Shell scripts on macOS devices, it is crucial to ensure that the following prerequisites are in place. Failure to do so may result in deployment errors.
- Devices with macOS 11.0 and later.
- macOS Devices must be enrolled and managed by Intune.
- Target macOS devices must be connected to the Internet without a proxy.
- Shell scripts begin with #! and must point to a valid interpreter location, such as `#!/bin/sh` or `#!/usr/bin/env zsh`.
- Command-line interpreters for the applicable shells are installed.
Pre-Deployment Points for macOS Shell Scripts
Before you start deploying shell scripts using Intune, there are a few important points to consider. Review them to understand how shell script deployment works.
- Shell scripts require the Microsoft Intune Management Extension (IME) to be successfully installed on the macOS device. This agent is automatically and silently installed on Intune-managed macOS devices that are assigned at least one shell script through the Intune admin center.
- Shell scripts run in parallel on devices as separate processes.
- Shell scripts configured to run as the signed-in user run once for every user account that is signed in on the device at the time of execution.
- An end user must sign in to the device to execute scripts running as a signed-in user.
- Root user privileges are required if the script requires making changes that a standard user account cannot.
- Shell scripts will attempt to run more frequently than the chosen script frequency under certain conditions. Examples include 1) if the disk is full, 2) if the storage location is tampered with, 3) if the local cache is deleted, or 4) if the Mac device restarts.
- Shell scripts running for over 60 minutes are stopped and reported as failed.
Shell Script Preparation
You must prepare and test the shell script you want to deploy to Intune-managed macOS devices. I am using an example shell script that creates a local administrator account on Mac devices to demonstrate the deployment.
createLocalAdmin.sh
```sh
#!/bin/sh
# Account name and password are hard-coded; the password is stored in clear text
# in the script, so anyone who can read the script can read it.
accountname=cloudinfraadmin
password="C0mputer@2020"
# Create the user record and set its attributes in the local directory node.
dscl . -create "/Users/$accountname"
dscl . -create "/Users/$accountname" UserShell /bin/bash
dscl . -create "/Users/$accountname" RealName "CloudInfra Admin Account"
dscl . -create "/Users/$accountname" UniqueID "2001"
dscl . -create "/Users/$accountname" PrimaryGroupID 20
dscl . -create "/Users/$accountname" NFSHomeDirectory "/Users/$accountname"
dscl . -passwd "/Users/$accountname" "$password"
dscl . -create "/Users/$accountname" hint "computer"
# Add the new account to the local admin group.
dscl . -append /Groups/admin GroupMembership "$accountname"
```
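An added example, not the post's script, that reworks the account creation above around the pre-deployment points: it refuses to run without root (so "Run script as signed-in user" must be No), stays idempotent when Intune re-runs it after a restart or cache loss, picks a free UniqueID instead of a fixed 2001, and exits non-zero on any failure so Intune reports Failed. The account name, UID floor and password are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the post's script. Exit 0 is reported to Intune as Success,
# any non-zero exit as Failed. Account name, UID floor and password are placeholders.
set -eu
ACCOUNT="cloudinfraadmin"
UID_FLOOR=2001
# Caveat: the password lives in the script body, so anyone who can read the Intune
# script or the on-device script cache can read it too.
PASSWORD="ChangeMe-Placeholder-2020"
# Return 0 if account $2 appears in a "dscl . -list /Users UniqueID" listing ($1,
# one "name uid" pair per line), 1 otherwise.
account_exists() {
  printf '%s\n' "$1" | awk -v n="$2" '$1 == n { found = 1 } END { exit (found ? 0 : 1) }'
}

# Print the lowest UID >= $2 not present in listing $1, so a re-run or another
# local account never collides with a hard-coded UniqueID.
next_free_uid() {
  printf '%s\n' "$1" | awk -v min="$2" '
    NF >= 2 { used[$2] = 1 }
    END { uid = min; while (uid in used) uid++; print uid }'
}

main() {
  # dscl writes need root: deploy with "Run script as signed-in user" set to No.
  if [ "$(id -u)" -ne 0 ]; then
    echo "createLocalAdmin: must run as root" >&2
    exit 1
  fi
  listing=$(dscl . -list /Users UniqueID)
  if account_exists "$listing" "$ACCOUNT"; then
    echo "createLocalAdmin: $ACCOUNT already exists, nothing to do"
    return 0   # Intune re-runs scripts after restarts or cache loss; stay idempotent
  fi
  uid=$(next_free_uid "$listing" "$UID_FLOOR")
  # With set -e, any failing dscl call aborts with a non-zero exit (Intune: Failed).
  dscl . -create "/Users/$ACCOUNT"
  dscl . -create "/Users/$ACCOUNT" UserShell /bin/zsh
  dscl . -create "/Users/$ACCOUNT" RealName "CloudInfra Admin Account"
  dscl . -create "/Users/$ACCOUNT" UniqueID "$uid"
  dscl . -create "/Users/$ACCOUNT" PrimaryGroupID 20
  dscl . -create "/Users/$ACCOUNT" NFSHomeDirectory "/Users/$ACCOUNT"
  dscl . -passwd "/Users/$ACCOUNT" "$PASSWORD"
  dscl . -append /Groups/admin GroupMembership "$ACCOUNT"
}
# Intune runs the script with no arguments; dscl only exists on macOS, so elsewhere
# the directory work is skipped while the helper functions stay usable.
if [ "$(uname -s)" = "Darwin" ]; then
  main
fi
```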
Create a Shell Script Deployment on the Intune Portal
Now that the Shell script is ready and manual testing is successful, we will create a Shell script deployment on the Intune admin center and assign it to an Entra Security group containing macOS devices.
- Sign in to the Intune admin center.
- Go to Devices > macOS and select Shell scripts.
- Click on + Add to start creating the deployment.
Basics Tab
Enter the Name and Description and click Next.
For example:
- Name: Create a Local administrator account on macOS
- Description: This shell script deployment will create a local admin account on macOS devices.
Script Settings
We will upload the shell script and configure script settings on the Script settings tab. Let’s check the settings below:
- Run script as signed-in user – Select No to run the script with root-level privileges, similar to running the script as an administrator. The default value of this setting is Yes; change it to No. If you have a shell script that should execute in the user context, keep the default value of Yes.
- Hide script notifications on devices – Users will get a Script notification by default. Select Hide to hide script notifications.
- Script frequency – You can configure how often you want the script to execute on the device. By default, it will be executed only once.
- Max number of times to retry if script fails – Select how many times you want the script to be re-executed on failure. When you choose Not Configured, a retry of script execution on failure will not occur.
Assignments Tab
You can now assign this script to an Entra security group containing macOS devices. If the Script deployment is more aligned with Users, you can choose a group containing Users. Our Example shell script will create a local admin on macOS devices; therefore, targeting devices for our demonstration is more appropriate.
Review + add
Review the summary of your deployment and click the Add button to start the deployment process.
The macOS shell script deployment has now been created in the Intune admin center. It is listed under Intune admin center > Devices > macOS > Shell scripts.
Sync Intune Policies
The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart Intune sync from the device itself or remotely through the Intune admin center.
Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Restarting the device is another way to trigger the Intune device check-in process.
Monitor Deployment Progress
To monitor the script deployment, open the Intune admin center and navigate to Devices > macOS > Shell scripts. Click a shell script to check its status, then go to the Overview page to view the deployment status.
To check the deployment status on a per-device or per-user basis, select Device status or User status under the “Monitor” section.
macOS Shell Script Deployment Status
After creating a shell script deployment in Intune and targeting it at macOS devices or users, the script may take a few hours to execute, after which its status is reported to Intune. Below are the statuses reported to Intune depending on whether the script execution succeeded or failed.
| Script Status | About the Result |
|---|---|
| Success | Shell script execution was successful. The script returned a zero (0) exit code. |
| Failed | Shell script execution was not successful. The script returned a non-zero exit code. |
| No Status | If the device is offline, no status can be reported to Intune until the device is back online. In that case Intune shows No Status. |
Troubleshooting
If you run into issues with shell script deployment, there are a few troubleshooting steps you can take. Below are some of the things to check that will help find the root cause of the issue.
Shell Scripts are not Executing on target macOS Devices
Even though you have tested the shell script manually before creating a script deployment on the Intune admin center, you may find that the Shell scripts are not executing on the target macOS devices in a few cases.
Below are some of the reasons why shell script execution could be failing:
- If you recently created the Script deployment, you may need to wait for the Intune device check-in process to complete. For more information about the Intune device check-in process on Mac devices, refer to the article: Force Intune Sync on macOS devices. The default device check-in happens every 8 hours.
- Ensure the target device is online and connected to the Internet so the MDM agent can check in. If the device is online, you can ask the user to open the Company Portal app on their device and initiate a device check-in.
- Ensure that the Intune agent is installed on the target Mac device. The Intune agent is installed at /Library/Intune/Microsoft Intune Agent.app; check that this app bundle exists at that path.
- You can check the Intune logs on macOS devices. To collect and investigate the logs for more details about the issue, refer to the step-by-step guide on log collection: How to Collect Intune Logs from macOS Devices.
- There could be issues with the Intune agent itself. It will recover on its own within 24 hours: if you have assigned the shell script to the device, the Intune agent automatically recovers from an unhealthy state to a healthy state.