By Neil Johnson – Principal Program Manager | Microsoft Endpoint Manager – Intune
Microsoft 365 for Mac, or Microsoft 365 apps for Mac as it’s now known, is a key part of any Microsoft 365 deployment. The Office team has been hard at work making our Mac story the best it possibly can be over the past few years.
The current version has been redesigned based on our Fluent UI which matches Apple’s new Big Sur UI. It makes native use of Apple Silicon processors for improved performance and battery life, but how do you get it deployed to your users?
This article covers all the options available, the advantages and disadvantages of each of them, and why you would choose one over the others. We wrap up with guidance on the scenarios each one might be best used for.
There are three different mechanisms that we can use within Microsoft Intune to get Microsoft 365 Apps deployed to Macs. Each has its own advantages and disadvantages.
Let’s look at each of these in turn.
Microsoft 365 for Mac is published to the Mac App Store, which means that end users can install it themselves if they have an Apple ID. Additionally, if you have an Apple Business Manager account, you can use Intune to push apps from the Mac app store directly to your devices.
Steps to deploy Office via Apple Volume Purchase Plan (VPP)
This method is dependent on having an Apple VPP token configured already. Before following these steps ensure that you’ve followed our documentation on this here.
Once you have an Apple Business Manager VPP token synchronised with Intune, you can use the following steps to license and assign Office Apps to your users.
Open the Microsoft Endpoint Manager admin center and select Tenant Administration > Connectors and tokens > Apple VPP Tokens.
Select the Token you want to sync and click Sync in the ellipsis menu.
If you require a relatively simple deployment of the Microsoft 365 App suite and have investments in both Apple Business Manager and Apple Content caching, then this mechanism of Microsoft 365 Apps for macOS deployment may be the most suitable.
This mechanism is supported natively by Microsoft Intune. It is as simple as checking a box and providing a group of users to deploy it to. Those users will receive the entire Microsoft 365 Apps suite (which includes Teams and the Microsoft AutoUpdate tool).
Steps to deploy Office via the Microsoft Content Delivery Network
Note: This process will install the entire Microsoft 365 Apps for macOS suite, including Teams. However, it is possible to control which apps are installed via plist. We have a sample plist for this on our GitHub repo here. The instructions for deploying a preference file can be found here.
If you don’t have Apple Business Manager or Apple Content caching and you need the entire suite, plus Teams, this is probably the easiest way to get Office 365 Business Pro for Mac installed.
Our GitHub Repo has two main scripts that help in this circumstance.
These two scripts do the same thing. Once they are deployed onto the Mac, they attempt to download the installer package and then install it. The main benefit here is that you get additional flexibility about the installation process.
This is a sample of some code from installOfficeBusinessPro.sh which will look for a local copy of the installer before downloading from the CDN servers. You would need to handle the downloading of the latest installer package regularly. We have an example script to do this here.
```bash
# appname is defined earlier in the full script; the value here is illustrative
# so that the excerpt runs on its own.
appname="Microsoft Office"
localcopy="http://192.168.68.150/OfficeforMac/OfficeBusinessPro.pkg"
weburl="https://go.microsoft.com/fwlink/?linkid=2009112"
tempfile="/tmp/office.pkg"

#
# Check to see if we can access our local copy of Office
#
# -f makes curl return a non-zero exit code on HTTP errors (for example 404);
# without it an error page would be saved to $tempfile and reported as success.
curl -f -s --connect-timeout 30 --retry 300 --retry-delay 60 -L -o "$tempfile" "$localcopy"
if [ $? -eq 0 ]; then
    echo "$(date) | Local copy of $appname downloaded at $tempfile"
else
    echo "$(date) | Couldn't find local copy of $appname, need to fetch from CDN"
    echo "$(date) | Downloading $appname from CDN"
    curl -f -s --connect-timeout 30 --retry 300 --retry-delay 60 -L -o "$tempfile" "$weburl"
    if [ $? -eq 0 ]; then
        echo "$(date) | Success"
    else
        echo "$(date) | Failure"
        exit 5
    fi
fi
```
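The sample above installs whatever file the local web server or the CDN returns, and the local copy is fetched over plain HTTP. As an added example (not part of the Intune sample scripts), the functions below check who signed the package with pkgutil before it is installed; the function names, the constructed sample reports and the expected Team ID are assumptions to confirm in your own environment.

```bash
#!/bin/bash
# Added example: check the signer of a downloaded package before installing it.

# Assumption: Team ID expected on Microsoft's Developer ID Installer
# certificate. Confirm it against a package you already trust.
EXPECTED_TEAM_ID="UBF8T346G9"

# Print the Team ID of the leaf "Developer ID Installer" certificate found in
# `pkgutil --check-signature` output read from stdin (prints nothing if absent).
signer_team_id() {
    sed -n 's/^ *1\. Developer ID Installer: .*(\([A-Z0-9]\{10\}\)) *$/\1/p' | head -n 1
}

# Succeed only when the signature report in $1 shows an Apple-issued developer
# certificate and names the Team ID given in $2. Anything else fails closed.
report_matches_team() {
    local found
    printf '%s\n' "$1" |
        grep -q 'Status: signed by a developer certificate issued by Apple' || return 1
    found=$(printf '%s\n' "$1" | signer_team_id)
    [ -n "$found" ] && [ "$found" = "$2" ]
}

# Verify a package on disk. macOS only, because pkgutil ships with the OS.
verify_pkg() {
    local report
    report=$(pkgutil --check-signature "$1" 2>/dev/null) || return 1
    report_matches_team "$report" "$EXPECTED_TEAM_ID"
}

# Constructed sample reports, shaped like pkgutil output, for offline checks.
SAMPLE_SIGNED='Package "office.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Certificate Chain:
    1. Developer ID Installer: Microsoft Corporation (UBF8T346G9)
    2. Developer ID Certification Authority
    3. Apple Root CA'
SAMPLE_OTHER='Package "office.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Certificate Chain:
    1. Developer ID Installer: Example Vendor (ABCDE12345)'
SAMPLE_UNSIGNED='Package "office.pkg":
   Status: no signature'

# In the install script, between the download and the install step:
#   verify_pkg "$tempfile" || { echo "$(date) | Signature check failed"; rm -f "$tempfile"; exit 6; }
```

The check fails closed: a package that is unsigned, signed by a different team, or reported by pkgutil with any other status is rejected before installation.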
The Individual Office apps script has an array in which you specify the applications that you want to install. The entries within this array are the <id> values from here.
```bash
# Edit AppstoInstall array with "id" values from https://macadmins.software/latest.xml for the apps you want to install
# Note: This script only handles installation of pkg files, DMG and ZIP files will NOT work.
AppsToInstall=(
    "com.microsoft.word.standalone.365"
    "com.microsoft.excel.standalone.365"
    "com.microsoft.powerpoint.standalone.365"
    "com.microsoft.outlook.standalone.365"
    "com.microsoft.onenote.standalone.365"
    "com.microsoft.onedrive.standalone"
    "com.microsoft.skypeforbusiness.standalone"
    "com.microsoft.teams.standalone"
)
```
Steps to deploy Microsoft 365 Apps for Mac via the Intune Scripting agent
Example: Deploying Outlook, Word, PowerPoint, and OneDrive to a Mac via the scripting agent.
```bash
# Note: This script only handles installation of pkg files, DMG and ZIP files will NOT work.
AppsToInstall=(
    "com.microsoft.outlook.standalone.365"
    "com.microsoft.word.standalone.365"
    "com.microsoft.powerpoint.standalone.365"
    "com.microsoft.onedrive.standalone"
)
```
chmod +x ~/Downloads/installOfficeSuiteInidividualApps.sh
Controlling Microsoft 365 apps for Mac updates with Microsoft AutoUpdate (MAU)
If you are deploying Microsoft 365 Apps for Mac via the CDN (or script agent) you will notice that updates are handled via the Microsoft AutoUpdate tool. To see this, open any of the Office apps and click on Help > Check for Updates.
In the Microsoft AutoUpdate menu, click Advanced to see the Update Channel and whether the app is configured for Automatic Updates.
The MAU tool can be configured by deploying Intune property lists. You can even control deadlines for individual app updates as described here. The complete list of available keys for MAU can be found here.
We have three common examples on our GitHub Repo:
Let’s look at these plist examples and how we might use them in a typical deployment where we have a mixture of standard users on the Current channel and a group of early adopters on Preview or Beta.
Note: More information on Office Insiders content for Mac can be found here.
Below is the plist for our production users. The important keys here are:
```xml
<key>AcknowledgedDataCollectionPolicy</key>
<string>RequiredAndOptionalData</string>
<key>ChannelName</key>
<string>Current</string>
<key>UpdateCache</key>
<string>http://192.168.68.150/MAU</string>
<key>HowToCheck</key>
<string>AutomaticDownload</string>
<key>DisableInsiderCheckbox</key>
<true/>
<key>EnableCheckForUpdatesButton</key>
<true/>
<key>ExtendedLogging</key>
<false/>
<key>SendAllTelemetryEnabled</key>
<true/>
<key>StartDaemonOnAppLaunch</key>
<true/>
<key>UpdateCheckFrequency</key>
<integer>720</integer>
```
The Beta plist is the same but with one exception:
We would assign the property lists as follows:
Steps to configure in Intune:
Now we have the ‘Current’ config deployed, let’s create one for our ‘Beta’ users.
```
% cp /Library/Managed\ Preferences/com.microsoft.autoupdate2.plist ~/Desktop
% plutil -convert xml1 ~/Desktop/com.microsoft.autoupdate2.plist
% cat ~/Desktop/com.microsoft.autoupdate2.plist
```
Once converted from binary to XML, the plist should look like it did in the original Intune plist.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AcknowledgedDataCollectionPolicy</key>
    <string>RequiredAndOptionalData</string>
    <key>ChannelName</key>
    <string>Beta</string>
    <key>DisableInsiderCheckbox</key>
    <false/>
    <key>EnableCheckForUpdatesButton</key>
    <true/>
    <key>ExtendedLogging</key>
    <false/>
    <key>HowToCheck</key>
    <string>AutomaticDownload</string>
    <key>SendAllTelemetryEnabled</key>
    <true/>
    <key>StartDaemonOnAppLaunch</key>
    <true/>
    <key>UpdateCheckFrequency</key>
    <integer>720</integer>
</dict>
</plist>
```
There are three ways to handle Microsoft 365 apps for macOS deployment with Intune. There are no right and wrong solutions here; each is applicable in certain circumstances.
Most environments should start with the Intune CDN method of deployment combined with a custom plist for the Microsoft AutoUpdate agent as described in this post. This method provides the best balance of complexity and flexibility and is the easiest to support for most scenarios.
Apple Volume Purchase Plan (VPP)
Intune Scripting Agent
We’ll be writing more content for macOS over the remainder of this year, so feel free to let us know scenarios that you’d like us to cover.
Let us know if you have any questions by replying to this post or reaching out to @IntuneSuppTeam on Twitter.