Intune Customer Success

Understanding application types in Microsoft Intune for macOS

Feb 05, 2025

By: Iris Yuning Ye | Product Manager - Microsoft Intune

 

As an IT admin managing macOS endpoints, leveraging Microsoft Intune for app deployment can streamline your workflow and enhance security. If you can install an app via the macOS built-in Terminal, we want to make sure Intune can do the same thing at scale for your devices. Intune supports various app types, each with its own use cases and benefits. In this blog, we’ll explore the differences among these app types and provide guidance on when and how to use each one.

 

A screenshot of the macOS app types available in the Microsoft Intune admin center. (Apps > macOS > Add app).

There are two channels for apps that are deployed in Intune to managed macOS endpoints:

  1. Apple’s mobile device management (MDM): The MDM channel is the built-in device management channel provided by Apple. When using the MDM channel, strict rules ensure that apps are installed from trusted sources that are recognized by Apple. Review Apple’s documentation for further details: Distribute custom packages for Mac - Apple Platform Deployment.
  2. Intune agent: The Intune agent channel allows more flexible app installations from Microsoft Intune on managed macOS endpoints. For this channel, admins must upload the DMG or PKG file to Intune. The macOS device then downloads this file and installs the app locally.

 

MDM channel apps

Microsoft apps

These are Microsoft first-party apps that can be directly installed from Intune, and you don’t need to upload any file. In addition, Intune installs Microsoft AutoUpdate to run in the background on macOS, and will update the existing Microsoft apps to the latest version available at the time.

Recommended usage scenario: You want to be on the latest version of the core Microsoft apps without having to upload the apps or maintain upgrades over time. Add these apps through the Intune admin center by selecting the specific apps you want to deploy. Also, ensure your users have the necessary licenses to access these apps.

Find more details in: Understand Microsoft apps in Microsoft Intune.

 

App Store – Volume Purchase Program (VPP) apps

Since Apple VPP apps are managed via Apple Business Manager or Apple School Manager and synchronized to Intune via a VPP token, this option is not available in the dropdown list for Intune app types.

Recommended usage scenario: You need to manage (assign/revoke/reassign) licenses of free or purchased store apps or custom apps. Or, you need to deploy App Store apps without the user having to log in to the App Store. This can be achieved by using device licensing.

Apple supports uploading a PKG from the App Store, but you will need access to:

  • Apple Developer account
  • Apple Developer certificate
  • Apple App Store notarization

Find more details in: How to manage iOS and macOS apps purchased through Apple Business Manager with Microsoft Intune.

 

Web clip

Web clips are used to direct users to specific web resources from within the Intune Company Portal. This is helpful for guiding users to important sites or resources.

Recommended usage scenario: You need to provide easy access to websites as pinned Dock items.

Add a web link in Intune by specifying the URL. It will appear in the Company Portal as “Required app” for easy access.

Find more details in: Add web apps to Microsoft Intune.

 

Web link

Web link offers similar functionality to web clip. However, web clip has the most up-to-date settings, so we recommend using web clip to cover web link cases.

Find more details in: Add web apps to Microsoft Intune.

 

Line-of-business (LOB) app

macOS LOB apps are typically developed in-house. This app type requires you to upload a PKG file to Intune. Then, Intune installs the LOB app on the user's device. It’s highly recommended to only upload flat packages, which must not have nested folders within the archive.

Recommended usage scenario: You need to manage app removal on Intune MDM unenrollment and manage whether the app data is backed up to iCloud. The apps must be marked as “install as managed”. Your PKG app is signed using an Apple Developer ID installer certificate.

PKGs for LOB apps must be signed using an Apple Developer ID installer certificate. If you need to distribute a PKG that is unsigned, use the macOS (PKG) option instead.

Find more details in: Understand line-of-business apps for your managed environment.

 

Intune agent channel apps

macOS DMG app

An admin has to upload a DMG file from their local machine when creating a new app policy in the admin center. The .app inside the DMG file will be copied to the Applications folder to install it on the device.

Recommended usage scenario: You need to deploy a disk image that contains one or more applications in .app format to be installed to the Applications folder.

Note that all apps are unmanaged and won’t be uninstalled when the MDM profile is removed.

Find more details in: Add a macOS DMG app to Microsoft Intune.

 

macOS PKG app

An admin has to upload a PKG file from their local machine when creating a new app policy in the admin center. Complex PKGs are also supported by this deployment type.

Complex PKG: A complex PKG refers to a type of package file used primarily in macOS environments that includes more intricate configurations and requirements compared to standard PKG files. These packages often contain multiple components, scripts, and dependencies that need to be managed during the installation process.

Recommended usage scenario:

  1. You need to deploy a PKG with advanced controls for pre-install or post-install scripts.
  2. You need to deploy a PKG containing only scripts and no app payload.
  3. You need to deploy a PKG that the macOS LOB app workflow cannot install.
  4. You need to deploy a PKG that is not signed by an Apple Developer ID installer certificate.

Pre-install and post-install scripts are available for apps installed via Intune agent.

Note that all apps are unmanaged and won’t be uninstalled when the MDM profile is removed.

Find more details in: Add an unmanaged macOS PKG app to Microsoft Intune.
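
The LOB and macOS (PKG) types above differ on signing: LOB requires a flat PKG signed with an Apple Developer ID installer certificate, while macOS (PKG) accepts unsigned packages. The following is an added example (not from the original post or from Intune) that pre-checks a PKG before upload by reading its xar table of contents; the function names, the 16 MiB cap and the sample bytes are assumptions constructed for illustration. It only detects that a signature is present, so confirm the actual signer on a Mac with pkgutil --check-signature.

```python
import struct
import zlib
import xml.etree.ElementTree as ET

MAX_TOC = 16 * 1024 * 1024  # assumed cap on the decompressed TOC size

def inspect_pkg(data: bytes) -> dict:
    """Report whether a PKG is a flat (xar) archive and whether its TOC has a signature."""
    if len(data) < 28 or data[:4] != b"xar!":
        return {"flat": False, "signed": False, "certs": 0}
    # xar header, big-endian: magic, header size, version,
    # compressed TOC length, uncompressed TOC length, checksum algorithm.
    _, hdr, _, clen, ulen, _ = struct.unpack(">4sHHQQI", data[:28])
    if ulen == 0 or ulen > MAX_TOC or hdr + clen > len(data):
        raise ValueError("implausible or truncated xar header")
    toc = zlib.decompressobj().decompress(data[hdr:hdr + clen], ulen)  # bounded output
    if len(toc) != ulen or b"<!DOCTYPE" in toc or b"<!ENTITY" in toc:
        raise ValueError("malformed table of contents")
    tags = [el.tag.rsplit("}", 1)[-1] for el in ET.fromstring(toc).iter()]
    return {"flat": True,
            "signed": "signature" in tags or "x-signature" in tags,
            "certs": tags.count("X509Certificate")}

def suggest_app_type(info: dict) -> str:
    """Map the result onto the two PKG app types the post describes."""
    if info["flat"] and info["signed"] and info["certs"] > 0:
        return "LOB candidate"  # signer must still be a Developer ID installer cert
    return "macOS (PKG)"        # Intune agent channel accepts unsigned PKGs

def build_sample(signed: bool) -> bytes:
    """Constructed test input: a minimal xar header plus TOC, no payload."""
    sig = ('<signature style="RSA"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">'
           "<X509Data><X509Certificate>Q09OU1RSVUNURUQ=</X509Certificate>"
           "</X509Data></KeyInfo></signature>") if signed else ""
    toc = ('<?xml version="1.0"?><xar><toc>' + sig +
           '<file id="1"><name>Distribution</name></file></toc></xar>').encode()
    comp = zlib.compress(toc)
    return struct.pack(">4sHHQQI", b"xar!", 28, 1, len(comp), len(toc), 1) + comp

if __name__ == "__main__":
    for signed in (True, False):
        info = inspect_pkg(build_sample(signed))
        print(info, "->", suggest_app_type(info))
```
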

Conclusion

In summary, Intune provides robust support for managing macOS endpoints through its comprehensive app deployment capabilities, allowing you to confidently deploy and manage a variety of application types to meet the diverse needs of your organization.

 

Stay tuned for our next blog on pre- and post-install scripts for macOS!

 

Let us know if you have any questions by leaving a comment on this post or reaching out on X @IntuneSuppTeam.

Updated Feb 05, 2025
Version 1.0
  • hkovanen
    Copper Contributor

    Do you have plans for deploying custom detection scripts for macOS PKG apps? There are scenarios where the standard detection methods are not sufficient and a custom detection script would solve about 99% of my deployment issues.

    • Intune_Support_Team
      Microsoft

      Hi hkovanen 

       

      Great question, and thanks for the feedback! We are happy to confirm that it is in our plans, though no current ETAs to share at this moment in time for its public availability. Once we do have info to share, we'll be sure to update our What's New doc, and we also advise keeping an eye on our X posts @IntuneSuppTeam for future announcements. 

       

      Thanks! 

  • MarcinG
    Copper Contributor

    Some time ago I needed to deploy something together with a script (when I wanted to deploy only a script) to have confirmation for Company Portal that installation was successful. Does it change nowadays?

    • Hi MarcinG 

       

      There aren't any changes from our end in regards to this blog, and all methods leveraged would continue to stay intact. We hope this article helps as a guide to understand the multiple different app types, and how they can be better used in your environment.

       

      Thanks!