Tips to manage your Macs efficiently in the enterprise with Microsoft Intune
Sebastien Bonnet
Head of AI and Innovation | Helping to imagine and build the future!
If you need to manage macOS devices in an enterprise, it is recommended to use a Unified Endpoint Management (UEM) solution. In our case, I will focus on Microsoft Intune.
Intune began supporting macOS in November 2015. Since then, a lot has evolved on both the Apple side and the Intune side.
As you know, Apple ships a major OS release for all of these devices every year, and each time new management features become available to UEM solutions, integrating them into Intune can take longer and longer.
Compare this with the solution that offers the most features for managing Apple devices, JAMF: there, new features are implemented very quickly and made available to use.
This is explained by JAMF being dedicated to Apple devices, whereas Intune manages all kinds of devices (iPhone, Android, Mac, IoT...). So the delay to implement the new features proposed by the various editors or manufacturers can be longer or shorter, depending on the priorities defined by editors such as Ivanti, JAMF, Microsoft, VMware...
When you want to deploy Macs in your company, you obviously want the latest features, and you are frustrated if you cannot use them. So you need to wait a while to use the latest UEM features, especially with Intune.
Happily, Intune provides the possibility to publish, install and execute custom packages and custom scripts. So with just that, some external tools and a little bit of development, you can achieve what you want and fill in the missing pieces.
Preparing your admin environment
Before you start, I advise you to have:
Once your environment is ready, you can start.
Scripting
There are a number of reasons why you might want to use the scripting agent to handle installation.
Microsoft provides a list of ready-to-use shell scripts to deploy a set of common applications.
You can find these scripts below:
https://github.com/microsoft/shell-intune-samples
Using these scripts is a real accelerator. If you need to develop a script for your own needs, I advise you to take one and modify it.
The scripts are easy to understand and modify, and you can also find some documentation inside to help you.
The features integrated inside allow you to:
So before developing a script to deploy a macOS app, check whether a script for it is already available. When you use these scripts, you sometimes need to make some files available on the Internet.
If you use Intune, you probably have access to other Azure features such as Azure Blob Storage; it is an easy way to host your files and get a secure URL. On the right side, you can find an example hosting Acrobat files in Azure and getting a secure URL to download them (for more information, search "Azure Blob Storage SAS token and URL" in your favorite browser).
Onboarding
A major feature I find missing in Intune is the possibility to deploy an onboarding system to the Mac.
To fill this void, some software is available:
For my part, I prefer Octory, initially developed by Alexis Bridou, a French guy :)
DEPNotify
https://gitlab.com/Mactroll/DEPNotify
Octory
https://www.octory.io/
SplashBuddy
https://github.com/macadmins/SplashBuddy
Also, Neil Johnson at Microsoft has written an amazing article on creating a macOS onboarding splash screen and using it with Intune. If you want to use Octory, I invite you to read it.
https://techcommunity.microsoft.com/t5/intune-customer-success/build-a-macos-onboarding-splash-screen-with-microsoft-endpoint/ba-p/2770980
Custom Settings for macOS devices
Intune provides a list of settings for some applications, mainly Microsoft applications. Obviously, when you deploy apps for your users, you use a lot of apps not developed by Microsoft, and in some cases you need to configure them once deployed.
With iMazing Profile Editor, you can create, edit, and sign Apple configuration profiles. Define settings with ease, ready to be deployed via Intune to your fleets of iPhones, iPads, Macs, and other Apple devices.
https://imazing.com/profile-editor
Just take a look at some settings for an example such as the OneDrive app; it is really amazing to get the list of available settings for the main apps on Mac.
Preferences and configuration files
Preference and configuration files in macOS use property lists (plists) to specify the attributes, or properties, of an app or process. So it is very common to need to edit plist files. I suggest you download and install PlistEdit Pro for that.
https://www.fatcatsoftware.com/plisteditpro/
How to deploy your Apps and Packages
Often, when you deploy apps on your Macs, you meet cases where you need to install the app with some prerequisites and want to set it up once installed.
You can do this with a package that contains preinstall and postinstall scripts. Let me show you a simple example of building your own package with preinstall and postinstall scripts.
How to create a package
First of all, open Terminal and go to your favorite folder to store your scripts.
mkdir scripts
touch scripts/preinstall
touch scripts/postinstall
printf '#!/bin/sh\necho "Running postinstall" > /tmp/my_postinstall.log\nexit 0 # all good\n' > scripts/postinstall
printf '#!/bin/sh\necho "Running preinstall" > /tmp/my_preinstall.log\nexit 0 # all good\n' > scripts/preinstall
chmod u+x scripts/*
Finally, build your package with:
/usr/bin/pkgbuild --nopayload --scripts scripts --identifier com.package.seb MyPackage.pkg
How to build a package from an App
In some cases, you have an unsigned application with the .app extension that you need to deploy. If you want to deploy an app without a signature, you need a package.
You can find below the command line to build a .pkg from an .app file:
/usr/bin/productbuild --component MyApp.app /Applications MyApp.pkg
How to sign a package?
To sign a package, you need an Apple Developer certificate. To get it, you have to subscribe to the Apple Developer Enterprise Program for 299€/year.
Once you have your certificate, you can run the following command in your Terminal:
/usr/bin/productsign --sign "Developer ID Installer: MYCOMPANY (XXXXXX)" ./MyPackage.pkg ./MyPackage-signed.pkg
How to wrap an App?
If you need to deploy a managed app with Intune as a Line Of Business application, one step is mandatory: you have to wrap the package. The tool to use for this is IntuneAppUtil.
Available here:
https://github.com/msintuneappsdk/intune-app-wrapping-tool-mac/blob/master/IntuneAppUtil
Previously, I showed you how to sign a package. It is important to sign the package before the wrapping step, otherwise it does not work.
IntuneAppUtil -c ./MyPackage-signed.pkg -o ./
After you execute this command, a new file is generated with the extension .intunemac. Only this generated file can be imported into Intune as a LOB application.
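The whole build, sign and wrap chain from the sections above, put together as one script with a check between each step; this is an added example, not code from the article. It assumes pkgbuild, productsign, pkgutil and IntuneAppUtil are on the PATH of a Mac, and the identifier, file names and signing identity (PKG_ID, SIGN_ID) are placeholders you replace with your own.

```shell
#!/bin/sh
# Added example: build, check, sign and wrap a scripts-only package for Intune.
# PKG_ID and SIGN_ID are placeholders; the Apple tools only exist on macOS, so
# each step checks for them instead of assuming they are there.
set -eu

# Create <dir>/preinstall and <dir>/postinstall that log to /tmp and exit 0.
make_scripts() {
  mkdir -p "$1"
  for phase in preinstall postinstall; do
    printf '#!/bin/sh\necho "Running %s" > /tmp/my_%s.log\nexit 0\n' "$phase" "$phase" > "$1/$phase"
    chmod 755 "$1/$phase"
  done
}

# Installer cannot run a script that is not executable or has no shebang,
# so catch that before building rather than after deployment.
check_scripts() {
  for f in "$1/preinstall" "$1/postinstall"; do
    [ -x "$f" ] || { echo "not executable: $f" >&2; return 1; }
    head -n 1 "$f" | grep -q '^#!' || { echo "missing shebang: $f" >&2; return 1; }
  done
}

# $1 scripts dir, $2 package identifier, $3 output .pkg
build_pkg() {
  command -v pkgbuild >/dev/null || { echo "pkgbuild not found (macOS only)" >&2; return 2; }
  pkgbuild --nopayload --scripts "$1" --identifier "$2" "$3"
}

# $1 "Developer ID Installer" identity, $2 unsigned .pkg, $3 signed .pkg
sign_pkg() {
  productsign --sign "$1" "$2" "$3"
}

# IntuneAppUtil needs a signed package, so refuse to wrap one that pkgutil
# does not report as signed. $1 signed .pkg, $2 output dir.
wrap_pkg() {
  pkgutil --check-signature "$1" | grep -q 'Status: signed' \
    || { echo "refusing to wrap: $1 is not signed" >&2; return 1; }
  IntuneAppUtil -c "$1" -o "$2"
}

# Full chain, run only on request so the functions can also be sourced.
if [ "${RUN_BUILD:-0}" = 1 ]; then
  make_scripts scripts && check_scripts scripts
  build_pkg scripts "${PKG_ID:-com.package.seb}" MyPackage.pkg
  sign_pkg "${SIGN_ID:?set SIGN_ID to your Developer ID Installer identity}" MyPackage.pkg MyPackage-signed.pkg
  wrap_pkg MyPackage-signed.pkg ./
fi
```

Run it with `RUN_BUILD=1 SIGN_ID="Developer ID Installer: MYCOMPANY (XXXXXX)" sh build.sh` on the Mac; the last step leaves MyPackage-signed.intunemac in the current folder.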
Conclusion
I hope these tips will help you save a lot of time on your future macOS deployments with Intune.
If you need help deploying Macs in your enterprise, feel free to contact me or my company: Econocom.