Intune macOS Application Deployment – Part 1

Opening Pandoras Box

Through countless hours of pain, i have decided to document everything that i can remember with regards to my experience in learning about packaging and deploying applications for macOS via Intune, or what is now known as, Microsoft Endpoint Manager. To state that this was just a learning experience is not enough. This was a growth experience, a test of my patience, will, determination and left me feeling 100% justified in my hate of everything Apple and macOS.

And so, with that introduction, if you’re still feeling up-to the task, lets delve into the cluster-fuck shitshow that is…macOS application deployment via Intune.

The road to misery

Tearjerker 1 – You will need a macOS VM, or a macOS Device

Lets begin by piecing up the Microsoft article on How to add macOS line-of-business apps to Microsoft Intune | Microsoft Docs

The first thing that we notice is that, similar to deploying applications for Windows via Intune, we will need to utilise an external tool to first prepare our installation package. The tool being mentioned here is the intune app wrapping tool which can be found here. The second thing to take note of, is that this process must take place on a macOS device, so get a VM up and running, or, source a macOS device.

Tearjerker 2 – You will most likely need an Apple Developer Certificate

Part of the requirements to be able to deploy applications to macOS devices via a MDM Platform, is that the applications need to be signed, and notarized.

What is application signing?

Code signing your app assures users that it’s from a known source and hasn’t been modified since it was last signed. Before your app can integrate app services, be installed on a device, or be submitted to the App Store, it must be signed with a certificate issued by Apple.

What is application notarization

Notarization gives users more confidence that the Developer ID-signed software you distribute has been checked by Apple for malicious components. Notarization is not App Review. The Apple notary service is an automated system that scans your software for malicious content, checks for code-signing issues, and returns the results to you quickly.

There are several pain points here, So, lets break this down.

The majority of the applications that you will wish to deploy to users via intune, will in-fact, not be signed or notarized. This is a requirement that was introduced by Apple with the release of macOS Catalina 10.15. However, before we go down the path of paying $100 for a developer certificate to the lovely company that loves to make our lives easier, lets first determine whether or not we will require this certificate.

How do i check that my .pkg is signed and notarized?

Checking Signed Status

To check whether or not an application is signed, we can utilise the command below. Refer to the code and image below as an example.

pkgutil --check-signature ./fullpathto/application.pkg

Checking Notarization Status

If you’re going to go off the Microsoft documentation found here on how to check if an app is notarized – expect everything to return a failed result(not notarized). To check whether or not an app is notarized, refer to the code and image below as an example.

spctl -a -vvv -t install ./fullpathto/application.pkg

Based on our example above of the application Zoom. We can see and confirm that this application has been signed and notarized, and is therefore ready for packaging into a .intunemac file, and deployed to end user devices via Intune.

The steps involved in converting your .pkg file into a .intunemac file can be found here.

My application is not signed/notarized, how do i achieve this?

Simply follow the link below 🙂

Intune macOS Application Deployment – Part 2 | NotBad.Tech

4 Replies to “Intune macOS Application Deployment – Part 1”

  1. I am about to go down this same path of misery – so thanks for taking out any of the speed bumps or walls that you have already hit!

  2. Looking forward to your next post. I am actually stuck at the same point you are where I have created an unsigned pkg and I need to get it signed. Thanks for the help!

Leave a Reply

Your email address will not be published.