In this blog post, we will learn how to deploy shell scripts on macOS devices using Intune. A shell script contains a list of UNIX commands that are executed on the target device to achieve the desired result, much as a PowerShell script does on Windows-based operating systems.
Here are a few examples of shell script use cases:
- You can create a Shell script to set desktop wallpaper on a macOS device.
- Create a local admin account on macOS using a Shell script.
After creating a shell script, you should first test it on a Mac using the Terminal app to confirm that it works correctly. Once you are confident that the script performs as expected, you can use the Intune admin center to deploy it to many devices at once.
Another advantage of deploying shell scripts through the Intune admin center is that the script can be scheduled to run regularly. This is configured with the “Script frequency” setting when creating the deployment.
Before creating and assigning shell scripts to macOS devices, make sure the following prerequisites are in place. Missing prerequisites are a common cause of deployment errors.
- Devices with macOS 11.0 and later.
- macOS Devices must be enrolled and managed by Intune.
- Target macOS devices must be connected to the Internet without any Proxy.
- Shell scripts begin with #! and must be in a valid location, such as
- Command-line interpreters for the applicable shells are installed.
Pre-Deployment Points for macOS Shell Scripts
Before you start deploying shell scripts with Intune, there are a few important points to consider. Review them to understand how shell script deployment works.
- Shell scripts require the Microsoft Intune management extension (IME) to be installed on the macOS device. This agent is installed automatically and silently on Intune-managed macOS devices that are assigned at least one shell script in the Intune admin center.
- Shell scripts run in parallel on devices as separate processes.
- Shell scripts run as the signed-in user will run for all currently signed-in user accounts on the device at the time of the run.
- An end user must sign in to the device to execute scripts running as a signed-in user.
- Root user privileges are required if the script requires making changes that a standard user account cannot.
- Shell scripts will attempt to run more often than the chosen script frequency under certain conditions. Examples include 1) the disk is full, 2) the storage location is tampered with, 3) the local cache is deleted, or 4) the Mac restarts.
- Shell scripts that run for more than 60 minutes are stopped and reported as “failed”.
Shell Script Preparation
You must prepare and test the shell script you want to deploy to Intune-managed macOS devices. To demonstrate shell script deployment using Intune, I am using an example script that creates a local administrator account on Mac devices. The script must run as root (see the “Run script as signed-in user” setting below) because dscl cannot modify the local directory as a standard user.
#!/bin/bash
# The two variables below are used by every dscl command that follows but were
# left undefined in the original listing; placeholder values are set here.
# Replace them before deploying. Note that the password is stored in clear
# text inside the script, which is visible to anyone who can read it.
accountname="cloudinfra-admin"
password="CHANGE_ME_BEFORE_DEPLOYING"
# Create the user record and its basic attributes in the local directory.
dscl . -create /Users/$accountname
dscl . -create /Users/$accountname UserShell /bin/bash
dscl . -create /Users/$accountname RealName "CloudInfra Admin Account"
# A fixed UniqueID will fail or collide if another account already uses 2001.
dscl . -create /Users/$accountname UniqueID "2001"
dscl . -create /Users/$accountname PrimaryGroupID 20
dscl . -create /Users/$accountname NFSHomeDirectory /Users/$accountname
# Set the password and a password hint, then grant admin group membership.
dscl . -passwd /Users/$accountname $password
dscl . -create /Users/$accountname hint "computer"
dscl . -append /Groups/admin GroupMembership $accountname
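The listing above works, but it has no error handling, hard-codes the UniqueID, and will fail or do the wrong thing if it is re-run by a script frequency schedule. The following is an added, hardened version written for this post (it is not the original script): it refuses to run unless it is root, validates the account name before it is used in a dscl record path, picks the next free UniqueID instead of assuming 2001 is unused, skips creation when the account already exists so re-runs are safe, and exits non-zero on any failure so Intune reports “Failed” rather than a false success. The ADMIN_NAME, ADMIN_PASSWORD and RUN_CREATE_ADMIN variable names are assumptions chosen for this example; when deploying through Intune you would set them at the top of the script.

```shell
#!/bin/bash
# Added example, not the original post's script. Assumes macOS with dscl.
set -eu

# Only short names made of [a-z0-9_-] are accepted, because the value is
# spliced into dscl record paths such as /Users/<name>.
valid_account_name() {
  case "$1" in
    ''|*[!a-z0-9_-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Reads a newline-separated list of UIDs already in use from stdin and prints
# the smallest UID >= $1 that is not in that list.
next_free_uid() {
  candidate="$1"
  used="$(cat)"
  while printf '%s\n' "$used" | grep -qx "$candidate"; do
    candidate=$((candidate + 1))
  done
  printf '%s\n' "$candidate"
}

# Creates the local admin account idempotently with dscl.
create_local_admin() {
  name="$1"; password="$2"
  if [ "$(id -u)" -ne 0 ]; then
    echo "must run as root: set 'Run script as signed-in user' to No" >&2
    return 1
  fi
  valid_account_name "$name" || { echo "invalid account name: $name" >&2; return 1; }
  if dscl . -read "/Users/$name" >/dev/null 2>&1; then
    echo "account $name already exists, nothing to do"
    return 0
  fi
  # dscl prints "name  uid" per user; take the uid column and find a free one.
  uid="$(dscl . -list /Users UniqueID | awk '{print $2}' | next_free_uid 2001)"
  dscl . -create "/Users/$name"
  dscl . -create "/Users/$name" UserShell /bin/bash
  dscl . -create "/Users/$name" RealName "CloudInfra Admin Account"
  dscl . -create "/Users/$name" UniqueID "$uid"
  dscl . -create "/Users/$name" PrimaryGroupID 20
  dscl . -create "/Users/$name" NFSHomeDirectory "/Users/$name"
  dscl . -passwd "/Users/$name" "$password"
  dscl . -append /Groups/admin GroupMembership "$name"
  echo "created local admin $name with UniqueID $uid"
}

# Entry point, guarded so the functions above can also be sourced and tested.
# Set RUN_CREATE_ADMIN=1 (and the two account variables) to actually run it.
if [ "${RUN_CREATE_ADMIN:-0}" = "1" ]; then
  create_local_admin "${ADMIN_NAME:?set ADMIN_NAME}" "${ADMIN_PASSWORD:?set ADMIN_PASSWORD}"
fi
```

Because `set -e` is in effect, any dscl command that fails aborts the script with a non-zero exit code, which is exactly the signal Intune uses to mark the run as “Failed” in the deployment status described below.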
Create a Shell Script Deployment on the Intune Portal
Now that the shell script is ready and manual testing has succeeded, we will create a shell script deployment in the Intune admin center and assign it to an Entra security group containing macOS devices.
- Sign in to the Intune admin center.
- Go to Devices > macOS and select Shell scripts.
- Click on + Add to start creating the deployment.
Enter the Name and Description and click on Next.
- Name: Create a Local administrator account on macOS
- Description: This shell script deployment will create a local admin account on macOS devices.
On the Script settings tab, upload the shell script and configure the script settings. The settings are:
- Run script as signed-in user – Select No to run the script with root privileges, comparable to running it as an administrator. The default is Yes; change it to No for this script. Keep the default of Yes only for scripts that should run in the user context.
- Hide script notifications on devices – By default, users see a script notification. Select Hide to suppress it.
- Script frequency – Configure how often the script should run on the device. By default, the script runs only once.
- Max number of times to retry if script fails – Select how many times the script should be re-run after a failure. With “Not configured,” a failed script is not retried.
You can now assign this script to an Entra security group containing macOS devices. If the deployment is more user-oriented, you can choose a group that contains users instead. Our example script creates a local admin account on macOS devices, so targeting devices is the appropriate choice for this demonstration.
Review + add
Review the summary of your deployment and click the Add button to start the deployment.
The macOS shell script deployment has now been created in the Intune admin center. You can find it under Intune admin center > Devices > macOS > Shell scripts.
Sync Intune Policies
The device check-in process might not begin immediately. If you are testing this policy on a test device, you can manually trigger an Intune sync from the device itself or remotely from the Intune admin center.
On Windows devices, PowerShell can also be used to force an Intune sync. Another way to trigger the Intune device check-in process is to restart the device.
Monitor Deployment Progress
To monitor the script deployment, open the Intune admin center and navigate to “Devices” > “macOS” > “Shell scripts.” Click the shell script to check its status, then open the “Overview” page to view the deployment status.
To check the deployment status on a per-device or per-user basis, select “Device status” or “User status” under the “Monitor” section.
macOS Shell Script Deployment Status
After you create a shell script deployment in Intune and target it to macOS devices or users, it may take a couple of hours for the script to execute and report its status back to Intune. Depending on whether the script execution succeeded or failed, one of the following statuses is reported:
| Status | About the Result |
|---|---|
| Succeeded | Shell script execution was successful. The script returned a zero (0) exit code. |
| Failed | Shell script execution was not successful. The script returned a non-zero exit code. |
| No Status | If the device is offline, no status can be reported to Intune until the device is back online. In that case Intune shows “No Status”. |
If you run into issues with a shell script deployment, there are a few troubleshooting steps you can take. The checks below will help you find the root cause.
Shell Scripts are not Executing on target macOS Devices
Even though you tested the shell script manually before creating the deployment in the Intune admin center, in some cases you may find that the shell script does not execute on the target macOS devices.
Below are some of the reasons why shell script execution could be failing:
- If you created the script deployment recently, you may need to wait for the Intune device check-in process to complete. For more information about the device check-in process on Mac devices, refer to the article: Force Intune Sync on macOS devices. By default, devices check in every 8 hours.
- Ensure the target device is online and connected to the Internet so the MDM agent can check in. If the device is online, you can ask the user to open the Company Portal app on the device and initiate a device check-in.
- Ensure that the Intune agent is installed on the target Mac. The agent is installed at /Library/Intune/Microsoft Intune Agent.app; check that this app bundle exists.
- Check the Intune logs on the macOS device. For a step-by-step guide to collecting and investigating the logs, refer to “How to Collect Intune Logs from macOS Devices”.
- There could be a problem with the Intune agent itself. It recovers on its own within 24 hours: if a shell script is assigned to the device, the Intune agent automatically moves from an unhealthy state back to a healthy state.
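The checks above can be run from Terminal on the affected Mac. The script below is an added example written for this post, not a tool from Microsoft or the original author: it verifies that the agent bundle named above exists, that the agent process is running, and that the log directory contains files, and it returns the number of failed checks. The agent bundle path comes from the post; the log directory path (/Library/Logs/Microsoft/Intune) and process name (IntuneMdmAgent) are assumptions and should be confirmed against the log-collection guide referenced above.

```shell
#!/bin/bash
# Added example, not from the original post: read-only health check for the
# Intune agent on a Mac whose assigned shell script never runs.
set -u

AGENT_APP="/Library/Intune/Microsoft Intune Agent.app"  # location given in the post
AGENT_LOG_DIR="/Library/Logs/Microsoft/Intune"            # assumption, not from the post
AGENT_PROCESS="IntuneMdmAgent"                            # assumption, not from the post

# Returns 0 if the agent app bundle (a directory) exists at the given path.
check_agent_installed() {
  [ -d "$1" ]
}

# Returns 0 if a process with exactly the given name is running.
check_agent_running() {
  pgrep -x "$1" >/dev/null 2>&1
}

# Returns 0 if the log directory exists and contains at least one entry.
check_agent_logs() {
  [ -d "$1" ] && [ -n "$(ls -A "$1" 2>/dev/null)" ]
}

# Runs all checks against the given bundle path, log dir and process name,
# prints one line per check and returns the number of failed checks.
run_health_checks() {
  app="$1"; logdir="$2"; proc="$3"; failures=0
  if check_agent_installed "$app"; then
    echo "OK   agent bundle present: $app"
  else
    echo "FAIL agent bundle missing: $app (assign a script and wait for check-in; default every 8 hours)"
    failures=$((failures + 1))
  fi
  if check_agent_running "$proc"; then
    echo "OK   agent process running: $proc"
  else
    echo "FAIL agent process not running: $proc (agent self-recovers within 24 hours)"
    failures=$((failures + 1))
  fi
  if check_agent_logs "$logdir"; then
    echo "OK   agent logs present in: $logdir"
  else
    echo "FAIL no agent logs in: $logdir (collect logs per the log-collection guide)"
    failures=$((failures + 1))
  fi
  return "$failures"
}

# Entry point, guarded so the functions can also be sourced and tested.
if [ "${RUN_HEALTH_CHECKS:-0}" = "1" ]; then
  run_health_checks "$AGENT_APP" "$AGENT_LOG_DIR" "$AGENT_PROCESS"
  echo "failed checks: $?"
fi
```

Run it with `RUN_HEALTH_CHECKS=1 bash intune-agent-check.sh` (file name is a placeholder); a non-zero number of failed checks points at which of the troubleshooting items above applies, and the same exit-code convention (0 means healthy) is what Intune itself uses to report script success.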