How to deploy DMG or APP-format apps to Intune-managed Macs

Published 07-07-2020 08:43 AM

By: Arnab Biswas | Program Manager - Microsoft Endpoint Manager - Intune

You can use Microsoft Endpoint Manager to deploy the most common app types supported by macOS, such as .pkg, .dmg or .app. Natively, Mac MDM only supports installing signed .pkg-type applications. Therefore, for apps of other types, admins must run commands on macOS, either manually or as a script, to create a signed app package (.intunemac file) that can be distributed using Intune. The rest of the document outlines the recommended app preparation steps. These steps have been tested on macOS 10.15.


Important notes before you begin

  • For apps that require a kernel or system extension, the extension must be deployed as a macOS device configuration profile in Microsoft Endpoint Manager before the app is deployed. The app deployment will not complete successfully if the extension is included in the app package.
  • For apps that require a property list file (plist file), the property list file must be deployed using a macOS device configuration profile in Microsoft Endpoint Manager before the app is deployed. The app deployment will not complete successfully if the property list files are included in the app package.
  • The converted app must be re-signed for successful MDM-deployment. Unsigned applications are rejected by macOS. This also applies to DMGs containing PKG files.
  • It is crucial that the PKG files are created using the commands below. PKG files that are packaged using different packaging commands may not deploy successfully.
  • DMG files containing more than one APP file are not supported.
  • You will need the Microsoft Intune App Wrapping Tool for macOS to complete the steps in the next section. Follow these instructions to set up the App Wrapping Tool correctly.
  • This is not an exhaustive list of all applicable conditions.


App preparation steps

The steps below require that you start with an app in DMG or APP format that satisfies the conditions above.

  1. Mount the DMG file.
    Note: Skip this step when starting with APP-format apps.
    hdiutil attach appname.dmg
  2. Make a temporary folder and navigate to it.
    mkdir ./TargetDirectory
    cd ./TargetDirectory
  3. Build an intermediate PKG file.
    Note: When using autocomplete, delete the final slash in the APP path. Pass the install-location as an argument to the pkgbuild command.
    pkgbuild --install-location /Applications --component /Volumes/path_to_app ./intermediate.pkg
  4. Create the distribution XML file for the intermediate PKG file.
    Note: This is required to build a redistributable package.
    productbuild --synthesize --package ./intermediate.pkg ./distribution.xml
  5. Build the final PKG file. This PKG file is not signed.
    productbuild --distribution ./distribution.xml --package-path ./intermediate.pkg ./unsigned_final.pkg
  6. Sign the PKG file using a Mac Developer ID certificate.
    productsign --sign "3rd Party Mac Developer Installer: Developer Name (XXXX)" ./unsigned_final.pkg ./signed_final.pkg
  7. Unmount the DMG file.
    Note: Skip this step when starting with APP-format apps.
    hdiutil detach /Volumes/appname
  8. Create the INTUNEMAC file from the signed PKG file.
    ./IntuneAppUtil -c signed_final.pkg -o /finalpath
  9. Add the INTUNEMAC file as a line-of-business application for macOS on Microsoft Endpoint Manager.

This sample script demonstrates how the above steps can convert a DMG file to INTUNEMAC.
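
An added example, not the sample script referred to above and not Microsoft's code: the preparation steps as one shell script that refuses a DMG holding more than one APP and checks the package signature with pkgutil before wrapping. Assumptions of this example: IntuneAppUtil is in the current directory, and the function names, the DRY_RUN switch and the -nobrowse, -readonly and -mountpoint options passed to hdiutil attach are its own choices.

```bash
#!/bin/bash
# Added example (not Microsoft's script). Assumptions: IntuneAppUtil is in the
# current directory; DRY_RUN=1 prints each command instead of running it.
set -eu

run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Step 3 note: the APP path given to pkgbuild must not end with a slash.
strip_slash() { printf '%s\n' "${1%/}"; }

# DMGs holding more than one APP are unsupported: print the single .app or fail.
single_app() {
  local count
  count=$(find "$1" -maxdepth 1 -name '*.app' | wc -l | tr -d ' ')
  [ "$count" -eq 1 ] || { echo "expected 1 .app in $1, found $count" >&2; return 1; }
  find "$1" -maxdepth 1 -name '*.app'
}

# Steps 3-6 and 8. $1 = .app path, $2 = work dir, $3 = signing identity.
# --package-path names the directory searched for intermediate.pkg.
# pkgutil --check-signature runs before wrapping, so a package whose
# signature does not verify is never turned into an .intunemac file.
build_and_sign() {
  local app work="$2"
  app=$(strip_slash "$1")
  run pkgbuild --install-location /Applications --component "$app" "$work/intermediate.pkg" &&
  run productbuild --synthesize --package "$work/intermediate.pkg" "$work/distribution.xml" &&
  run productbuild --distribution "$work/distribution.xml" --package-path "$work" "$work/unsigned_final.pkg" &&
  run productsign --sign "$3" "$work/unsigned_final.pkg" "$work/signed_final.pkg" &&
  run pkgutil --check-signature "$work/signed_final.pkg" &&
  run ./IntuneAppUtil -c "$work/signed_final.pkg" -o "$work"
}

# Steps 1, 2 and 7 around the build. $1 = DMG, $2 = work dir, $3 = identity.
# The DMG is always detached, even when the build or signature check fails.
convert_dmg() {
  local app rc=0
  mkdir -p "$2/mnt"
  run hdiutil attach "$1" -nobrowse -readonly -mountpoint "$2/mnt"
  { app=$(single_app "$2/mnt") && build_and_sign "$app" "$2" "$3"; } || rc=$?
  run hdiutil detach "$2/mnt"
  return "$rc"
}

if [ "$#" -eq 3 ]; then convert_dmg "$@"; fi
```

Run it on a Mac as `./convert.sh appname.dmg ./TargetDirectory "<signing identity>"` (the script file name is a placeholder); with DRY_RUN=1 it only prints the commands it would run.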


Let us know by responding to this post if you have any questions or feedback! You can also ask questions by tagging @IntuneSuppTeam out on Twitter where our Support as a Feature team helps answer quick questions.


Blog post updates:

  • 7/22/20: With an update to the IntuneSuppTeam URL.
Occasional Visitor

@Arnab Biswas Thanks for the post. Let me know, for macOS, how to convert the DMG to PKG if we don't know the Developer ID. Do you recommend any tool or command for the conversion?


I'm facing difficulties in deploying applications in Intune for macOS. Also, I have a few challenges in deploying them, listed as follows:

1. We have the SentinelOne anti-virus agent and I don't know how to incorporate the token key in the macOS package to deploy it in Intune. By default, the SentinelOne agent does not come with a token key. But for Windows, we have the install command parameter in Intune, which helps to provide the token key to get it installed silently.

2. Though I deployed the Zoom package in Intune and it got installed on macOS 10.15.7, the Intune portal still shows the status as "The app state is unknown" and the error code is "0x87D13B67".


Kindly help me on this. Thanks for understanding.


Hi @Karthick2504,


Usually when you have to provide tokens with macOS packages you can do this with a post-install script. I find it easiest to use a tool like Packages, which is freeware, to re-package the PKG and add post/pre-install scripts. Keep in mind that regardless of which tool you use to repackage, you still need to have a Developer ID to sign the package. If your company does not have this you have to buy one:


I've also tested deploying Zoom and did not get the correct install status of the application. What you need to make sure is that the application contains the correct parameters, specifically:

  • The package version and CFBundleVersion string in the packageinfo file.
  • The correct install-location in the pkg-info file.


You can extract the package information using this command:

  • xar -x -f <.pkg file path> -C <Output folder>


See this URL for more information:

Occasional Visitor

Thanks @arnab biswas @Intune Support Team This is very useful.


We are able to convert some pkg format apps without much difficulty.


I have now been trying to add Sublime Text and iTerm2 to Intune. Sublime comes as a dmg, while iTerm2 is a zip archive with .app format, and I am following the steps listed here for both. But one point that's unclear is whether we have to get an Apple Developer ID just to be able to sign the PKG for uploading this to Intune. Is this correct?


I tried looking for certificates from Sublime or iTerm2 developers, but couldn't find this info.


Last update: Jul 22 2020 01:10 PM