Blog Post

Intune Customer Success
2 MIN READ

Support Tip: Install Rosetta 2 on new Apple Silicon (M1) Macs to run apps built for Intel Macs

Intune_Support_Team's avatar
Intune_Support_Team
Silver Contributor
Jan 22, 2021

3/30 Update: In the March (2103) service release, when you deploy shell scripts or custom attributes for macOS devices from Microsoft Endpoint Manager, it will deploy the new universal version of the Intune management agent app that runs natively on Apple Silicon Mac machines. To learn more see: Intune management agent for macOS devices is now a universal app.

 

Apple recently announced Apple Silicon Macs. These devices run on 64-bit ARM (RISC) CPUs relative to the previous generation of Macs that ran on Intel CPUs. Apple also announced a translation layer called Rosetta 2 that allows apps built for Intel Macs to run on the new Apple Silicon Macs.

 

Intune apps on macOS such as Intune Company Portal and the Intune MDM agent depend on the Rosetta 2 translation layer for managing Apple Silicon Macs. If you purchase a new Apple Silicon Mac running macOS 11.x (Big Sur), Rosetta 2 does not come pre-installed and the end-user is prompted by macOS to install it on first launch of an Intel-based application.

 

macOS installation prompt for Rosetta

 

If you are upgrading to macOS 11 on Intel Macs, this is not an issue.

 

Additional scenario to consider - Apple Silicon (M1) Macs fail to run shell scripts when enrolled via Apple Automated Device Enrollment (ADE)

In this scenario, the device gets enrolled into Intune using macOS Setup Assistant. If you have configured shell scripts for these Macs, the Intune MDM agent is automatically installed on the Mac. However, the Intune MDM agent cannot start because Rosetta 2 is not installed. macOS 11 does not prompt the end user to install Rosetta 2 in this case.

 

If you are enrolling your Apple Silicon Macs using Company Portal, you will be prompted to install Rosetta 2 on first launch of Company Portal.

 

Recommendation

Install Rosetta 2 on Apple Silicon Macs to ensure app compatibility with Intel-based apps using one of the following steps:

  • Recommend users to install Rosetta 2 manually by launching any installed Intel-based app on the Apple Silicon Mac.

  • Recommend users to open Terminal and run the following command or provide a script that runs this command to users:

    • /usr/sbin/softwareupdate --install-rosetta (root permission not required)
    • /usr/sbin/softwareupdate --install-rosetta --agree-to-license (root permission required)

 

Let us know if you have any additional questions on this by replying back to this post or tagging @IntuneSuppTeam out on Twitter.

 

Blog post updates:

3/3: We appreciate all the customer feedback and are excited to announce that the Intune management agent for macOS devices will be a universal app.

3/30: With the March (2103) service release - The Intune management agent for macOS devices is now a universal app.

Updated Dec 19, 2023
Version 8.0
support tip

13 Comments

Show More
  • matwa's avatar
    matwa
    Brass Contributor
    Jan 24, 2021

    Dear Intune_Support_Team 

     

    another idea:

    Why don't you just provide an officially signed app which just calls the Rosetta install script? At least as an interims solution.

    This would make a lot of people happy.

     

  • matwa's avatar
    matwa
    Brass Contributor
    Jan 24, 2021

    Dear Intune_Support_Team ,

     

    your post unfortunately describes the chicken-and-egg situation at it's best.

     

    The problem on ADE enrolled devices is the worst one for those who rely on it (as I do).

    As you mentioned, not even scripts are executed because the Intune MDM Agent is still as intel binary only available (may I ask why?).

     

    So, what I'm currently trying to do is to develop an App which does just call a script which executes your already mentioned

    /usr/sbin/softwareupdate --install-rosetta --agree-to-license

    command. 

    I created an app few weeks ago, signed it (with an apple developer id) and also notarized it to make it compliant with gatekeeper. In a test locally it worked as expected: But on a freshly enrolled device it does not get installed due to some weird certificate resolving issues. I have to dig deeper into it.

    Is there any release plan for the Intune MDM Agent as an universal binary at least? This would make administrator life with the new M1 so much easier.