Intune Customer Success

13 MIN READ

Deploying Microsoft 365 Apps for Mac with Microsoft Intune - A Deep Dive

Microsoft

Mar 29, 2021

By Neil Johnson – Principal Program Manager | Microsoft Endpoint Manager – Intune

Microsoft 365 Apps for Mac is a key part of any Microsoft 365 deployment. The Office team has been hard at work making our Mac story the best it possibly can be over the past few years.

Our Fluent UI matches Apple’s Big Sur UI, making native use of Apple silicon processors for improved performance and battery life. How do you get it deployed to your users?

This article covers all the options available, the advantages and disadvantages of each of them, and why you would choose one over the others. We wrap up with guidance over the scenarios each one might be best used for.

Microsoft 365 Apps for Mac deployment methods via Intune

There are three different mechanisms that we can use within Microsoft Intune to get Microsoft 365 Apps deployed to Macs. Each has its own advantages and disadvantages.

Mac App Store via Volume Purchase Program (VPP)
Microsoft Content Delivery Network
Intune Scripting Agent for Mac

Let’s look at each of these in turn.

1. Deploying Microsoft 365 Apps for Mac via Volume Purchase Program (VPP)

Microsoft 365 for Mac is published to the Mac App Store, which means that users can install it themselves if they have an Apple ID. Additionally, if you have an Apple Business Manager account, you can use Intune to push apps from the Mac app store directly to your devices.

Microsoft 365 app suite in the macOS App Store.

Steps to deploy Office via Apple Volume Purchase Plan (VPP)

This method is dependent upon having an Apple VPP token configured already. Before following these steps ensure that you’ve followed our documentation, How to manage iOS and macOS apps purchased through Apple Business Manager with Microsoft Intune.

Once you have an Apple Business Manager VPP token synchronized with Intune, you can use the following steps to license and assign Office Apps to your users.

Open https://business.apple.com/#main/appsandbooks
Click in the search menu box, change Type to "Mac" and search for "Microsoft".

Microsoft apps in the Apple Volume Purchase Plan (VPP) Apps and Books console.
Select the Application that you want to assign licenses to.
Assign the Application to your organization and enter in the number of licenses that you need. Since there’s no cost for these apps it makes sense to enter more licenses than you will need (within reason).

Example screenshot of purchasing the Microsoft Word app with license count.
Once you have entered the values, click Get. The Application will temporarily show as Processing.

Example screenshot of the Microsoft Word app "Processing".
After a few minutes, the status will update and show the number of licenses you have available.

Example screenshot of available licenses for the Microsoft Word app.
Repeat the process for the other applications that you intend to use.
Open the Microsoft Endpoint Manager admin center and select Tenant Administration > Connectors and tokens > Apple VPP Tokens.
Select the Token you want to sync and click Sync in the ellipsis menu.

Available Apple VPP Tokens and Sync button location in the Microsoft Endpoint Manager admin center.
While still in the Microsoft Endpoint Manager admin center, open Apps > macOS and filter for unassigned apps then type "Microsoft" into the search bar.

macOS apps and Filter location in the Microsoft Endpoint Manager admin center.
Select each app that you wish to deploy and assign it to an Azure Active Directory (AD) group.
Select the Application > Properties > Assignments (right at the bottom) > Edit.
Under "Required" select Add group and search for the right group in Azure AD.
Configure the assignment settings and click OK.
- Assignment Settings > Mode = Included
- App settings > License type = Device Licensing
- App settings > Uninstall on device removal = Yes
Click Review and Save. After reviewing, click Save to complete the assignment.
Repeat the assignment for the rest of the Office apps that you want deployed.
To check the configuration, trigger an MDM sync on a user’s device that was assigned the applications. The apps should begin to download and install within a few minutes of the sync completing.

Advantages	Disadvantages
It makes use of Apple’s content caching, which can greatly improve deployment efficiency (Note: Intune can also be used to configure your content caches) It’s possible to deploy the individual apps. It's easy to configure if you already have Apple Business Manager. You can configure the apps to uninstall on unenrollment. You can send an uninstall command to remove unwanted apps.	Teams is not yet in the Mac App Store (could be deployed via scripting agent) You cannot control which update channel to use. When OneDrive is deployed via VPP it will have a different bundleID than if it was installed via a standalone installer. VPP: com.microsoft.OneDrive-mac CDN:com.microsoft.OneDrive Updates via this approach can be unpredictable, especially if apps are permanently open.

If you require a relatively simple deployment of the Microsoft 365 App suite and have investments in both Apple Business Manager and Apple Content caching, then this mechanism of Microsoft 365 Apps for macOS deployment may be the most suitable.

2. Deploying Microsoft 365 Apps for Mac via the Microsoft Content Delivery Network

This mechanism is supported natively by Microsoft Intune. It is as simple as checking a box and providing a group of users to deploy it to. Those users will receive the entire Microsoft 365 Apps for Mac suite, including Teams and the Microsoft Auto update tool.

Steps to deploy Office via the Microsoft Content Delivery Network

Open the Microsoft Endpoint Manager center and select Apps > macOS > Add
Under Select App Type, choose Microsoft 365 Apps > macOS

Selecting the Microsoft 365 Apps in the Microsoft Endpoint Manager admin center.
Adjust the Suite description details as required and click Next to continue.

Microsoft 365 Apps for macOS - App properties in the Microsoft Endpoint Manager admin center.
Assign Scope Tags if you need them, click Next.
Under Required click "Add group" and search for an appropriate group to target the Microsoft 365 Apps for Mac to.

Microsoft 365 App Suite for macOS - Assignment properties in the Microsoft Endpoint Manager admin center.
Click Next, review, and then click Create to assign the Microsoft 365 Apps to the Azure AD group.
To check the configuration, trigger an MDM sync on a user’s device that was assigned the applications. The apps should begin to download and install within a few minutes of the sync completing.

Note: This process will install the entire Microsoft 365 Apps for macOS suite, including Teams. However, it is possible to control which apps are installed via plist. Refer to our sample plist on our GitHub repo. The instructions for deploying a preference file can be found in Add a property list file to macOS devices using Microsoft Intune.

Advantages	Disadvantages
It's easy to deploy. It includes the Microsoft Autoupdate (MAU) tool, which can be configured via plist to auto update and deploy insider builds of Office for testing to some users. It's possible to create a local MAU cache server for updates.	The initial download size (1.8GB) is large and doesn’t use local caching.

If you don’t have Apple Business Manager or Apple Content caching and you need the entire suite, plus Teams, this is probably the easiest way to get Office 365 Business Pro for Mac installed.

3. Deploying Microsoft 365 Apps for Mac via the Intune Scripting Agent for Mac

This approach uses the Intune scripting agent to download and install the Office suite or individual apps. There are examples of this approach on our Intune Shell Samples GitHub Repo.

Our GitHub Repo has two main scripts that help in this circumstance.

These two scripts do the same thing. Once they are deployed onto the Mac, they attempt to download the installer package and then install the Microsoft 365 Apps for Mac suite. The main benefit here is that you get additional flexibility with the installation process.

Note: For changing or supporting older macOS versions, our sample script for OfficePro deployment checks the OS version and attempts to select the latest version that is supported. See Upgrade macOS to continue receiving Microsoft 365 and Office for Mac updates for more information.

This is a sample of some code from installOfficeBusinessPro.sh which will look for a local copy of the installer before downloading from the CDN servers. You would need to handle the downloading of the latest installer package regularly. We have an example script to do this here.

localcopy="http://192.168.68.150/OfficeforMac/OfficeBusinessPro.pkg”
weburl="https://go.microsoft.com/fwlink/?linkid=2009112"
tempfile="/tmp/office.pkg"
 
#
# Check to see if we can access our local copy of Office
#
curl -s --connect-timeout 30 --retry 300 --retry-delay 60 -L -o $tempfile $localcopy
if [ $? == 0 ]; then
 
     echo "$(date) | Local copy of $appname downloaded at $tempfile"
 
else
 
    echo "$(date) | Couldn't find local copy of $appname, need to fetch from CDN"
    echo "$(date) | Downloading $appname from CDN"
 
    curl -s --connect-timeout 30 --retry 300 --retry-delay 60 -L -o $tempfile $weburl
    if [ $? == 0 ]; then
 
         echo "$(date) | Success"
    
    else
    
         echo "$(date) | Failure"
         exit 5
    
    fi
 
fi

The Individual Office apps script has an array that allows you to specify applications you want to use. The entries within this array are the <id> values from here.

# Edit AppstoInstall array with "id" values from 
https://macadmins.software/latest.xml for the apps you want to install
# Note: This script only handles installation of pkg files, DMG and ZIP files will NOT work.
AppsToInstall=(   "com.microsoft.word.standalone.365"
                  "com.microsoft.excel.standalone.365"
                  "com.microsoft.powerpoint.standalone.365"
                  "com.microsoft.outlook.standalone.365"
                  "com.microsoft.onenote.standalone.365"
                  "com.microsoft.onedrive.standalone"
                  "com.microsoft.skypeforbusiness.standalone"
                  "com.microsoft.teams.standalone"
                  )

Steps to deploy Microsoft 365 Apps for Mac via the Intune Scripting agent

Example: Deploying Outlook, Word, PowerPoint, and OneDrive to a Mac via the scripting agent.

Download a copy of our sample file installOfficeSuiteIndividualApps.sh and save it to your device.

Open the file in your text editor of choice and modify the AppsToInstall array to only include Outlook, Word, PowerPoint and OneDrive.

# Note: This script only handles installation of pkg files, DMG and ZIP files will NOT work.
AppsToInstall=(     "com.microsoft.outlook.standalone.365"
                    "com.microsoft.word.standalone.365"
                    "com.microsoft.powerpoint.standalone.365"
                    "com.microsoft.onedrive.standalone"
)

Mark the script as executable by opening a Terminal session and using the chmod +x command. Assuming that you downloaded the script to ~/Downloads type:
```
chmod +x ~/Downloads/installOfficeSuiteInidividualApps.sh
```
If possible, find a test device and copy the script across. Run it as root by typing:
```
sudo ~/Downloads/installOfficeSuiteInidividualApps.sh
```
Open the Microsoft Endpoint Manager admin center and navigate to Devices > macOS > Shell Scripts > Add.
Enter a Name and Description and then click Next.

Creating a new custom macOS script in the Microsoft Endpoint Manager admin center.
Click in the file browse UI in the Upload script dialog and select the saved installOfficeSuiteInstallIndividualApp.sh file.
1. Run script as signed-in user = No
2. Hide script notifications on device = Not configured
3. Script frequency = Not configured
4. Set the Max number of retries to 3, Run and leave the rest as not configured.
  
  Custom macOS script - Script settings in the Microsoft Endpoint Manager admin center.
Assign Scope Tags if you need them, click Next.
Under "Required" click Add group and search for an appropriate group to target the script to.

Custom macOS script - Assignment settings in the Microsoft Endpoint Manager admin center.
Click Next, review, and then click Create to assign the script to the Azure AD group.
The Intune script agent runs on an 8hr check-in cycle but can be manually triggered by the user.
1. Open the Company Portal app (sign-in if prompted).
2. Select the device you are using.
3. Click Check Settings under the ellipses menu.
  
  "Check status" location in the Company Portal for macOS.
4. The script agent will check-in against the service and attempt to run the script.

The script will log to this log file.

/Library/Intune/Scripts/installOfficeSuiteIndividual/installOfficeSuiteIndividual.log

The Intune script agent itself creates a daily log in this location.
```
/Library/Logs/Microsoft/Intune
```

Advantages	Disadvantages
Fastest install time. Additional logging. Can deploy either entire suite or individual apps. Possible to cache the initial installation files on local webserver. Possible to create a local MAU cache server for updates. Includes the Microsoft Autoupdate (MAU) tool which can be configured via plist to auto update and deploy insider builds of Office for testing to some users.	Requires additional server infrastructure for caching. Requires bash scripting skills. Additional infrastructure complexity.

Controlling Microsoft 365 apps for Mac updates with Microsoft AutoUpdate (MAU)

If you are deploying Microsoft 365 Apps for Mac via the CDN (or script agent) you will notice that updates are handled via the Microsoft AutoUpdate tool. To see this, open any of the Office apps and click on Help > Check for Updates.

Screenshot of the Microsoft AutoUpdate (MAU) tool.

In the Microsoft AutoUpdate menu, click Advanced to see the Update Channel and if the app is configured for Automatic Updates.

Screenshot of the Microsoft AutoUpdate (MAU) tool and Preferences options.

The MAU tool can be configured by deploying Intune property lists. You can even control deadlines for individual app updates as described in Set a deadline for updates from Microsoft AutoUpdate. The complete list of available keys for MAU can be found here.

We have three common examples on our GitHub Repo:

Let’s look at these plist examples and how we might use them in a typical deployment where we have a mixture of standard users on the Current channel and a group of early adopters on Preview or Beta.

Note: More information on Office Insiders content for Mac can be found here.

Below is the plist for our production users. The important keys here are:

ChannelName: Tells MAU which version of Office to install
DisableInsiderCheckbox: Prevents the end user from changing the update channel
UpdateCache: Tells MAU where to look locally for updates (see MAU Cache)

<key>AcknowledgedDataCollectionPolicy</key>
<string>RequiredAndOptionalData</string>
<key>ChannelName</key>
<string>Current</string>
<key>UpdateCache</key>
<string>http://192.168.68.150/MAU</string>
<key>HowToCheck</key>
<string>AutomaticDownload</string>
<key>DisableInsiderCheckbox</key>
<true/>
<key>EnableCheckForUpdatesButton</key>
<true/>
<key>ExtendedLogging</key>
<false/>
<key>SendAllTelemetryEnabled</key>
<true/>
<key>StartDaemonOnAppLaunch</key>
<true/>
<key>UpdateCheckFrequency</key>
<integer>720</integer>

The Beta plist is the same but with one exception:

ChannelName = Beta

<key>ChannelName</key>
<string>Beta</string>

We would assign the property lists as follows:

Current Office 365 for Mac users
- Assign com.microsoft.autoupdate2_current.plist to the same group that Office 365 Business application or deployment script was assigned to
- Exclude your Beta Office 365 Business users group
Beta Office 365 for Mac users
- Assign com.microsoft.autoupdate2_beta.plist to your Beta Office 365 Business users group

Steps to configure in Intune:

Open the Microsoft Endpoint Manager admin center and navigate to Devices > macOS > Configuration Profiles > Create Profile > Preference File > Create.
Set a Name and Description and click Next.
Enter the preference domain name as: com.microsoft.autoupdate2
Click on the file browser UI and select the current plist that you downloaded from our GitHub site. Then click Next.

Microsoft AutoUpdate PLIST for Standard users - Preference file settings.
Assign Scope Tags if you need them, click Next.
Under "Required" click Add group and search for the same group that you assigned Office 365 for Mac to.
Under "Excluded Groups" click Add group and search for the group(s) that you are going to assign the Beta and/or Preview plist to.

Microsoft AutoUpdate PLIST for Standard users - Assignment settings.
Click Next, Review the content and then click Create.

Now we have the ‘Current’ config deployed, let’s create one for our ‘Beta’ users.
Click Devices > macOS > Configuration Profiles > Create Profile > Preference File > Create.
Set a Name and Description and click Next.
Enter the preference domain name as: com.microsoft.autoupdate2
Click on the file browser UI and select the Beta plist that you downloaded from our GitHub site. Then click Next.
Microsoft AutoUpdate PLIST for InsideFast users - Preference file settings.
Assign Scope Tags if you need them, click Next.
Under "Required" click Add group and search for the group that you want to use to assign Microsoft 365 apps for macOS Beta channel to.
Do not put anything in Excluded groups.
Microsoft AutoUpdate PLIST for InsideFast users - Assignment settings.
Click Next, Review the content and then click Create
Click Devices > macOS > Configuration Profiles > Search for "AutoUpdate" and you should have two Preference File policies, one for InsiderFast users and one for Standard.
Configuration Profiles for macOS search result for "auto" in the Microsoft Endpoint Manager admin center.
To check the configuration, trigger an MDM sync on a user’s device that is in the Current group and then repeat for another user in the Beta group. After sync the Microsoft AutoUpdate tool should reflect the changes.
This is what a user in the Beta group should see once their device has completed it’s next MDM sync.
Microsoft AutoUpdate (MAU) tool - Preference settings.
Microsoft AutoUpdate (MAU) tool - Available updates.
Note: To troubleshoot MAU property list files look on the target machine under /Library/Managed Preferences for com.microsoft.autoupdate2.plist. If this file is present, it means that Intune has deployed the configuration.

To check the contents of the deployed plist use the following commands:

% cp /Library/Managed\ Preferences/com.microsoft.autoupdate2.plist ~/Desktop 
% plutil -convert xml1 ~/Desktop/com.microsoft.autoupdate2.plist 
% cat ~/Desktop/com.microsoft.autoupdate2.plist

Once converted from binary to HTML the plist should look like it did in the original Intune plist.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AcknowledgedDataCollectionPolicy</key>
    <string>RequiredAndOptionalData</string>
    <key>ChannelName</key>
    <string>Beta</string>
    <key>DisableInsiderCheckbox</key>
    <false/>
    <key>EnableCheckForUpdatesButton</key>
    <true/>
    <key>ExtendedLogging</key>
    <false/>
    <key>HowToCheck</key>
    <string>AutomaticDownload</string>
    <key>SendAllTelemetryEnabled</key>
    <true/>
    <key>StartDaemonOnAppLaunch</key>
    <true/>
    <key>UpdateCheckFrequency</key>
    <integer>720</integer>
</dict>
</plist>

The Microsoft Autoupdate app generates a log file in the following location.
```
/Library/Logs/Microsoft/autoupdate.log
```

Summary

There are three ways to handle Microsoft 365 apps for macOS deployment with Intune. There are no right and wrong solutions here, each is applicable in certain circumstances.

Most environments should start with the Intune CDN method of deployment combined with a custom plist for the Microsoft AutoUpdate agent, as described in this post. This method provides the best mixture of complexity and flexibility and is the easiest to support for most scenarios.

Deployment Method	Use when…
Apple Volume Purchase Plan (VPP)	You have Apple Business Manager and you have deployed Apple Content caching. You don’t need to support Beta or Preview builds. You don’t need to ensure that the Microsoft 365 apps for macOS are up to date.
Intune CDN	You want to deploy with the least amount of effort. Your network can cope with the initial download demands (1.8G per device). You want to ensure that the Microsoft 365 apps for macOS are updated reliably. You want to have some users on Beta or Preview for early adopter testing. You want to take advantage of Microsoft AutoUpdate cache locally.
Intune Scripting Agent	Speed of download and install is important. You need additional logging. You want to locally cache the initial download. You want to take advantage of Microsoft AutoUpdate cache locally. You want to have some users on Beta or Preview for early adopter testing. You want to ensure that the Microsoft 365 apps for macOS are updated reliably. You want to deploy specific apps and not just the entire suite. You have some in-house bash scripting skills (or time to learn).