Blog Post

Intune Customer Success
3 MIN READ

How to deploy DMG or APP-format apps to Intune-managed Macs

Intune_Support_Team's avatar
Intune_Support_Team
Icon for Microsoft rankMicrosoft
Jul 07, 2020

By: Arnab Biswas | Product Manager - Microsoft Intune

 

Updated 10/26/22: Refresh content in line with recent updates to Intune. The scenario described in this document is no longer supported, as discussed in What’s new in Microsoft Intune. We now support direct uploading of .pkg app types into Intune. Refer to How to add macOS line-of-business (LOB) to Microsoft Intune for more information about uploading .pkg app types.

 

Updated 03/08/22: You can now upload and deploy DMG-type applications to managed macOS devices from Microsoft Endpoint Manager using the required assignment type. DMG is the file extension for Apple disk image files. For more information, see Add a macOS DMG app to Microsoft Intune.


You can use Microsoft Intune to deploy the most common app types supported by macOS such as .pkg, .dmg, or .app. Natively, Mac MDM only supports installing signed .pkg-type applications. Therefore, apps that are of non-pkg types requires admins to run commands on macOS either manually or as a script that can be distributed using Intune. The rest of the document outlines the recommended app preparation steps. These steps have been tested on macOS 10.15.

 

Important notes before you begin

  • For apps that require a kernel or system extension, the extension must be deployed as a macOS device configuration profile in Microsoft Endpoint Manager before the app is deployed. The app deployment will not complete successfully if the extension is included in the app package.
  • For apps that require a property list file (plist file), the property list file must be deployed using a macOS device configuration profile in Microsoft Endpoint Manager before the app is deployed. The app deployment will not successfully complete if the property list files are included in the app package.
  • The converted app must be re-signed for successful MDM-deployment. Unsigned applications are rejected by macOS. This also applies to DMGs containing PKG files.
  • It is crucial that the PKG files are created using the commands below. PKG files that are packaged using different packaging commands may not deploy successfully.
  • DMG files containing more than one APP file are not supported.
  • You will need to refer to How to add macOS line-of-business (LOB) apps to Microsoft Intune to complete the steps in the next section.

    Note: This is not an exhaustive list of all applicable conditions.

 

App preparation steps

The steps below require that you start with a DMG or APP app that satisfies the conditions above.

  1. Mount the DMG file.
    Note: Skip this step when starting with APP-format apps.
    hdiutil attach appname.dmg​
  2. Make a temporary folder and navigate to it.
    mkdir ./TargetDirectory
    mkdir ./TargetDirectory​
cd ./TargetDirectory
  3. Build an intermediate PKG file.
    Note: When using autocomplete, delete the final slash in the APP path. Pass the install-location as an argument to the pkgbuild command.
    pkgbuild --install-location /Applications --component /Volumes/path_to_app/app_to_convert.app ./TargetDirectory/intermediate.pkg​
  4. Create the distribution XML file for the intermediate PKG file.
    Note: This is required to build a redistributable package.
    productbuild --synthesize --package /TargetDirectory/intermediate.pkg /TargetDirectory/distribution.xml​
  5. Build the final PKG file. This PKG file is not signed.
    productbuild --distribution ./distribution.xml --package-path ./intermediate.pkg ./unsigned_final.pkg​
  6. Sign the PKG file using a Mac Developer ID certificate.
    productsign --sign “3rd Party Mac Developer Installer: Developer Name (XXXX)” ./unsigned_final.pkg ./signed_final.pkg​
  7. Unmount the DMG file.
    Note: Skip this step when starting with APP-format apps.
    hdiutil detach /Volumes/appname​
  8. Create the INTUNEMAC file from the signed PKG file.
    ./IntuneAppUtil -c signed_final.pkg -o /finalpath​
  9. Add the INTUNEMAC file as a line-of-business application for macOS on Microsoft Endpoint Manager.

This sample script demonstrates how the above steps can convert a DMG file to INTUNEMAC.

 

Let us know by responding to this post if you have any questions or feedback! You can also ask questions by tagging @IntuneSuppTeam out on Twitter where our Support as a Feature team helps answer quick questions.

 

Post updates:

  • 07/22/20: With an update to the IntuneSuppTeam URL.
  • 03/08/22: You can now upload and deploy DMG-type applications to managed macOS devices from Microsoft Endpoint Manager using the required assignment type. For more information, see Add a macOS DMG app to Microsoft Intune.
  • 10/26/22: Refresh links and content specific to updates to Intune.
Updated Dec 19, 2023
Version 13.0
macos
  • esique_winfu's avatar
    esique_winfu
    Copper Contributor
    Aug 25, 2022

    salihzett This may not be applicable in your case but I was getting this error in the following situation:

    I was using Packages to make a .pkg containing a pre-install script that used a file in "Additional Resources", but otherwise the .pkg had no payload.

    I fixed the error by making a placeholder .app in Platypus, adding it to the Payload tab in Packages, then making a post-installation script that removed the .app from the Applications folder.

    After then following steps 4 (create distribution.xml) and 5 (build unsigned package w/ distribution.xml), I was able to upload to Intune without any errors. There's probably a better/more efficient way to do this but that's what fixed it for me.

  • Jeetendra's avatar
    Jeetendra
    Brass Contributor
    May 25, 2022

    Any Idea about the downloading flow of .pkg files on macOS like cached location.

  • SisterAdministrator's avatar
    SisterAdministrator
    Copper Contributor
    May 24, 2022

    Can anyone point me in the right direction for finding the info highlighted in bold for step 6.

    productsign --sign “3rd Party Mac Developer Installer: Developer Name (XXXX)”./unsigned_final.pkg ./signed_final.pkg​

    We are deploying Photo Mechanic so I'm assuming it's:

    productsign --sign “3rd Party Mac Developer Installer: VideoLAN (XXXX)”./unsigned_final.pkg ./signed_final.pkg​

     

    Just not sure how to get the cert number part e.g. (XXXX)

    *** EDIT MAY 28 2022 *** 

     

    I'm posting an update as I have made progress since the last post.

     

    To perform step 6. you need to have an Apple ID that is enrolled in the Apple Developer program and create an Apple Developer ID Installer Certificate.

    Apple Developer program
    This Apple support article outlines the steps for how to enroll in the Apple Developer program:
    https://developer.apple.com/support/app-account

    The Apple Developer Program annual fee is 99 USD and the Apple Developer Enterprise Program annual fee is 299 USD, in local currency where available.

    Apple Developer ID Installer Certificate
    When you have an account enrolled in the Apple Developer program, the next step is to create an Apple Developer Installer Certificate as outlined in the following guide:
    https://forums.ivanti.com/s/article/Obtaining-an-Apple-Developer-ID-Certificate-for-macOS-Provisioning?language=en_US&ui-force-components-controllers-recordGlobalValueProvider.RecordGvp.getRecord=1#:~:text=Creating%20the%20Certificate%20(XCode),and%20select%20Developer%20ID%20Installer.

    I have now performed the above steps and added the certificate to my keychain and was able to sign the package with:

    productsign --sign "Publisher Name (XXXXXXXXXX)" ./unsigned_final.pkg ./signed_final.pkg​

    I then uploaded the pkg to intune and it deployed successfully. I will now be performing this with the other 7 apps I need to deploy.

    I am very happy this is working now 🙂


     

  • salihzett's avatar
    salihzett
    Iron Contributor
    Apr 13, 2022

    sure. same.

    also created a ticket but this seems this is too high for the support, and I don't know any PKG experts.

  • Intune_Support_Team's avatar
    Intune_Support_Team
    Icon for Microsoft rankMicrosoft
    Apr 13, 2022

    Hi salihzett Thanks for comment and we understand that the .pkg file in question is created in composer. It is crucial that the PKG files are created using the commands listed in this blog. PKG files that are packaged using different packaging commands may not deploy successfully. Have you tried following the listed steps to add the .pkg file?

  • salihzett's avatar
    salihzett
    Iron Contributor
    Apr 11, 2022

    Intune_Support_Team 
    Do you know why some pkgs make the issue:
    The selected app package does not appear to have either a ProductCode or ProductVersion.


    This comes mostly from self-created pkgs with Composer.

  • Abdul Jalil Abou Alzahab's avatar
    Abdul Jalil Abou Alzahab
    Iron Contributor
    Jan 19, 2022

    Intune_Support_Team I'm getting an error on step 5

    productbuild --distribution ./distribution.xml --package-path ./intermediate.pkg ./unsigned_final.pkg​

     

    productbuild: warning: package intermediate.pkg could not be loaded
    2022-01-19 15:05:31.075 productbuild[43028:5831090] CFURLCopyResourcePropertiesForKeys failed because it was passed a URL which has no scheme
    productbuild: Copying package intermediate.pkg...
    productbuild: error: Cannot copy package "intermediate.pkg" into product.2022-01-19 15:05:31.080 productbuild[43028:5831090] CFURLCopyResourcePropertyForKey failed because it was passed a URL which has no scheme
    (The file “intermediate.pkg” doesn’t exist.)

     

    Could you please help?

  • ptbMIF's avatar
    ptbMIF
    Copper Contributor
    Jan 19, 2022

    Cheers to all & cheers to Intune_Support_Team,

     

    hope everyone is doing well. I have a question regarding the repackaging of Apps. I work for a services company with a lot of customers and different services that our customers use. Because of this I have a good comparison between in this case Jamf and Intune.

     

    Above it says, that 'The converted app must be re-signed for successful MDM-deployment. Unsigned applications are rejected by macOS.' This is definitely true for Intune. In Jamf I'm able to create .pkg files and deploy them !without! the need to sign the app.

     

    Why is this required in Intune?

     

    Thanks in advance!

    Panagiotis