Managing macOS Apps in Microsoft Intune: A High-Level Guide
Learn how to manage macOS apps in Microsoft Intune using IntuneBrew's intuitive platform. This guide provides an overview of the process and key features.
Microsoft Intune is a powerful unified endpoint management solution that extends its app management capabilities to Apple macOS devices. As more organizations support macOS in the enterprise, Intune's ability to deploy and manage Mac applications has become increasingly crucial. In this guide, we'll provide a high-level overview of how to manage macOS apps with Intune – covering app types, deployment steps, package inspection with pkgutil, best practices, and more.
Intune enables IT administrators to centrally manage macOS apps and devices alongside Windows, iOS, and Android. Through Intune's cloud-based console, you can deploy software, enforce security policies, and maintain compliance on corporate Macs. For macOS specifically, Intune offers multiple methods to distribute applications: integrating with Apple's App Store for volume app deployments, uploading custom app packages, and even using a dedicated Intune management agent for certain app types. By leveraging these features, organizations ensure Macs have the required software and updates, all while keeping control over the app lifecycle (installation, updates, and removal). In the next sections, we'll explore the types of Mac apps Intune can manage and how to deploy them.
Intune supports several types of macOS applications. Understanding these categories will help you choose the optimal deployment method for each app:
Mac App Store Apps via Apple Business Manager (VPP) – Intune can deploy apps from the Mac App Store by syncing with Apple Business Manager (formerly VPP). Administrators obtain app licenses in Apple Business Manager and synchronize them to Intune via a VPP token. This allows silent installation of App Store apps on Macs without requiring users to sign in with an Apple ID. It's ideal for managing licenses for free or purchased apps and ensuring users have necessary App Store software.
Microsoft 365 Apps and Microsoft Office Suite – Intune provides built-in support for deploying Microsoft's own applications on macOS (such as Office 365 apps, Microsoft Edge, Defender ATP, etc.). These are available as pre-defined app entries in Intune, meaning you don't need to upload installer files. Intune will install the selected Microsoft apps and even deploy the Microsoft AutoUpdate (MAU) tool to keep them up to date automatically. This option is recommended when you want the latest version of core Microsoft apps without manually packaging or updating them.
Line-of-Business (LOB) Apps (.pkg) – These are in-house or third-party macOS applications packaged in .pkg installer format that you upload to Intune. LOB apps are typically custom apps not available in the App Store. Intune's macOS LOB app type (in the Intune console) uses the Apple MDM channel to deploy the package to managed Macs. To use this method, the .pkg must meet certain requirements: it should be a flat package (no nested app bundles or disk images inside), signed with an Apple Developer ID Installer certificate, and intended to install the app into the /Applications folder. LOB apps can be marked "Install as managed" during deployment, meaning Intune can manage the app life cycle (e.g. uninstall it or remove it upon device unenrollment) on supported macOS versions.
macOS DMG Apps (Disk Image) – Many Mac apps are distributed as .dmg disk image files. Intune can deploy these via the "macOS app (DMG)" app type, which requires the Intune management agent for macOS to be installed on the device. In this scenario, Intune will instruct the agent to mount the DMG and copy the .app bundle inside to the Applications folder. This method supports apps packaged as disk images that contain one or more .app files. Keep in mind, apps deployed via the Intune agent are considered unmanaged (Intune cannot remove them by MDM command), and they will not be removed automatically if the device is unenrolled from Intune. Use DMG deployment for apps that are only available as disk images or that do not meet the stricter requirements of LOB .pkg deployment.
Unmanaged PKG Apps (Complex PKG) – Intune also offers a "macOS app (PKG)" deployment type (via the Intune agent) for installer packages that don't meet the LOB criteria. This is useful for complex or unsigned PKGs that the standard LOB method can't deploy. Examples include packages with custom install scripts, packages that install to locations outside /Applications, packages without a Developer ID signature, or those containing multiple components. The Intune agent will run these PKGs on the device just like a local installer. As with DMG apps, these installations are unmanaged by MDM (cannot be auto-removed by Intune). This method gives flexibility to deploy almost any PKG installer, at the cost of losing the managed app benefits.
Web Apps (Web Clips) – In addition to actual software, Intune can deploy web apps (web clips) to macOS. A web clip is essentially a shortcut to a URL that appears in the Company Portal as an app icon. This is useful for giving users quick access to internal web resources or web-based tools. Web clips are configured by specifying a URL in Intune; when deployed, they can even be pinned to the Dock for easy access. (Web clips are managed via MDM, but since they are just links, they don't install software on the Mac.)
Each of these app types serves different scenarios in macOS app management. Administrators should choose the app type based on the source of the app (App Store vs. custom), the packaging format, and whether the app needs to be managed (removable) or just delivered to the device. Next, we'll walk through the steps to deploy a macOS app using Intune.
Deploying a Mac app with Intune involves a fairly straightforward process in the Intune admin center. Below is a general step-by-step guide using Intune's Apps workflow:
Prerequisites: Before deployment, ensure that the target macOS devices are enrolled in Intune (via device enrollment or user enrollment) and have any necessary agents installed. For example, deploying DMG or unmanaged PKG apps requires the Intune management agent to be present on the Mac. For LOB .pkg apps, make sure the package is properly signed with an Apple Developer certificate and is a supported format. It's also wise to test the installer on a Mac first (see Best Practices section) to verify it runs without errors.
Open Intune Apps and start app addition: Sign in to the Microsoft Intune admin center with an administrator account. Navigate to Apps > All apps, then choose Add (or + Create). In the Select app type pane, pick the appropriate macOS app type for your app. For example, choose "Line-of-business app" for a LOB .pkg installer, "macOS app (DMG)" for a .dmg file, or "macOS app (PKG)" for an unmanaged package. Click Select to proceed to the app configuration steps.
Upload the Mac application package: Intune will prompt you to Select the app package file. Click Select file (Browse) and choose the macOS installer file from your local machine (this could be a .pkg or .dmg depending on the app type you chose). After uploading, Intune will scan the file. If it's a supported package, Intune auto-extracts some app information, such as the app name, bundle identifier, version, and sometimes the app icon. This metadata population helps speed up the next steps.
Configure App Information: On the App information page, fill in the details for the application. Intune may have already populated some fields from the package, but you should verify and complete them. Key fields include:
Name – The display name of the app in the Company Portal (make sure it's unique).
Description – A brief description of the app (visible to end users in the portal).
Publisher – The software vendor or developer name.
Category – (Optional) Categorize the app (e.g., Productivity, Utilities) for easier discovery in the portal.
Minimum Operating System – The lowest macOS version on which this app is allowed to install. (If a device runs an older OS than specified, Intune will skip installation on that device.)
Icon – (Optional) Upload an icon if Intune didn't capture one from the package. Having an icon improves user experience in Company Portal.
Set Additional Options: Intune provides a few Mac-specific options you can configure:
Ignore app version – If set to Yes, Intune will install the app even if an older version is already present on the device. If No, Intune will only install the app if it's not already installed or if the version on the device doesn't match the version you're deploying.
Install as managed – (For macOS LOB .pkg apps) Choose Yes to have the app installed as a managed app via MDM. Managed apps (supported on macOS 11+ for qualifying packages) can be removed by Intune and prevent app data from being backed up to iCloud. Note that to install as managed, the app installer must contain a single .app payload that goes to /Applications and be signed appropriately. The default is No (unmanaged).
Privacy/Information URL – (Optional) URLs for privacy policy or information about the app, shown in Company Portal.
Review Detection Rules (Included Apps): Intune uses detection rules to determine if the app was installed successfully on the Mac. For Mac apps, Intune typically relies on the bundle ID and version of the app. In the portal, you'll see an Included apps or Detection rules section listing the app bundle identifiers and versions that Intune will check. This is auto-filled from the package you uploaded. It's important to review this:
Ensure that only the actual app's bundle ID is listed. If the installer package contained multiple apps or components and Intune detected several, remove any entries that are not the main app or that won't actually get installed in /Applications. The presence of extraneous bundle IDs in the list can cause Intune to think the install failed (if it's checking for something that didn't install).
Confirm the bundle ID and version match the app. If needed, you can find these by installing the app on a test Mac and running commands like:
These commands will output the app's Bundle Identifier and version, respectively, which should match what Intune is looking for. Adjust the detection rules in Intune if necessary to align with the actual app identifiers.
Assignments – Choose who gets the app: After configuring the app, you need to assign it to devices or users. Decide whether the app should be Required, Available for enrolled devices, or Uninstall:
Required: The app will push silently to the targeted groups (device groups or user groups). Intune will install it automatically on those Macs as soon as they check in.
Available: The app will appear in the Company Portal for users to install on demand. This is good for software that not everyone needs, or to give users some choice.
Uninstall: (For managed apps) This assignment type would remove the app from devices in the targeted group if they previously had it installed via Intune.
You can mix assignments, for example, require the app for all corporate devices while making it available for personally-owned enrolled devices.
Finalize and Monitor: Once you have set the assignments, click Create (or Add) to finish. Intune will save the app configuration and begin deploying the app to the designated devices. Deployment status can be monitored in the Intune console under the app's Device install status or in the Reports section. Each managed Mac will attempt to download and install the app. If deployment is successful, Intune will mark the app as installed on that device. If it fails, you may see an error or a status like "Not installed" which will require troubleshooting.
By following these steps, you can deploy most macOS applications through Intune. Next, we will discuss using pkgutil and other command-line tools for inspecting Mac application packages and troubleshooting installation issues, which is especially useful when dealing with custom LOB apps.
When managing macOS app deployments, you may need to inspect installer packages (.pkg files) or troubleshoot why an app isn't installing as expected. macOS provides a built-in command-line tool called pkgutil that is very handy for examining package files and their installation details. Here are some ways to use pkgutil (and other tools) for Intune app deployment troubleshooting:
Verify the PKG is properly signed: Intune requires LOB .pkg files to be signed with an Apple Developer ID Installer certificate for managed deployments. You can check a package's signature by running pkgutil --check-signature /path/to/your/app.pkg in the Terminal. This command will output information about the package's signature, including who signed it and whether the signature is trusted by the system. For example, running pkgutil --check-signature GoogleChrome.pkg should show that it's signed by Developer ID Installer (Google, Inc., etc.). If the package is unsigned or improperly signed, Intune may reject it for LOB deployment – in that case, you might need to sign the package or use the "macOS app (PKG)" agent-based method instead.
Expand and inspect the package contents: If an app isn't deploying or reporting installed in Intune, it's useful to look inside the .pkg to check its metadata. The pkgutil tool can expand a flat pkg file into a folder. Use the command:
This will create the output folder (don't pre-create it; pkgutil will create it) and dump the package's files into it. Within the expanded contents, look for files like PackageInfo or Distribution. Open these in a text editor to find keys such as CFBundleIdentifier, CFBundleShortVersionString (or CFBundleVersion), and install-location. These values tell you what app the package is installing and where. For Intune's LOB detection to work, the package's PackageInfo should include the app's bundle identifier and version, and typically the install-location should be /Applications (for a single-app installer). If you find that the package is missing a CFBundleVersion or has an incorrect install path, that could explain deployment issues.
Check for required metadata: As mentioned, a common issue with failed Mac app deployments via Intune is a package that lacks required metadata. Intune's MDM installation will not report success unless the package version (CFBundleVersion) and a valid install-location (usually /Applications) are present in the installer's info. By inspecting the expanded package files or using tools like pkgutil, you can verify if those entries exist. If they don't, the app developer or packager may need to rebuild the installer with the correct settings. For example, a package that installs an app to an unexpected location or doesn't declare a bundle version might install on the Mac but Intune won't recognize it as successfully installed. In such cases, repackaging the app (or using the Intune agent method, which is more lenient) may be necessary.
Test installation manually: Before deploying via Intune, it's a best practice to test the installer on a macOS device. You can use the Terminal to run the installer with the command-line utility installer. For example:
sudo installer -pkg /path/to/app.pkg -target /
This attempts to install the package on the local machine. If there are any installation errors, they will be displayed in the Terminal, which can help identify issues with the package. Ensure that the installer completes without errors and that the application is indeed installed (check the /Applications folder or wherever its expected location is). Manually testing in this way satisfies one Intune prerequisite: that the PKG can successfully run via the installer command. If it fails locally, it will certainly fail via Intune.
Consult Intune logs on the Mac: (Advanced troubleshooting) Intune's Mac management agent and MDM framework generate log files on the client device that can help diagnose deployment problems. Logs like IntuneMDMDaemon.log and IntuneMDMAgent.log on the Mac (found in /Library/Logs/Microsoft/ or in the Console app under "Intune") may contain error messages if an app failed to install. For example, they might show an error code from the macOS installer or a detection check failing. Reviewing these logs goes beyond pkgutil, but it's useful to know where to look if you've verified the package is correct and need more clues.
Using pkgutil and these troubleshooting steps, you can pinpoint most issues with macOS app deployment in Intune. For instance, you might discover that a package wasn't signed, or that it installed to a non-standard directory, or that the bundle ID Intune expected didn't match the app. With that information, you can then repackage the app or adjust Intune's settings accordingly.
Successfully managing macOS applications in Intune goes beyond just uploading packages. Consider the following best practices to streamline deployments and avoid common pitfalls:
Package Apps Correctly (Signing and Format): Always prepare your macOS app installers in line with Intune's requirements. Use flat PKG packages (the standard format produced by tools like productbuild or Packages) rather than older bundle or metapackage formats. Sign your .pkg files with an Apple Developer ID Installer certificate from your Apple Developer account. A signed package not only is required for Intune LOB apps, but it also assures macOS that the installer is trusted. Additionally, ensure the package actually contains an application payload (some PKGs just run scripts or expect an app to already be present – those can confuse Intune's detection). The installer should target the correct location, typically the /Applications directory for apps. If your package doesn't meet all these criteria (for example, maybe it installs to a custom path or isn't signed), consider using the "macOS app (PKG)" Intune agent method which is more forgiving – but when possible, adhering to the standard lets you take advantage of managed app features.
Test Installation and Gather App Details: Before deploying to users, test the app installation on a pilot Mac. Install the app manually or using the installer command to make sure it installs cleanly. During this test, verify that the app appears in the Applications folder (or intended location), launches correctly, and is the expected version. Also use this opportunity to gather the app's bundle identifier and version straight from the installed app (using the defaults read ... CFBundleIdentifier commands as shown earlier, or codesign -dv <app> to dump code signature info which includes the bundle ID). Having the exact bundle ID and version will help you confirm Intune's detection rules. If Intune didn't auto-fill them, you can manually input these values when configuring the app. This testing step can prevent a lot of headaches by ensuring that what Intune deploys is known-good.
Use Managed App Deployment When Possible: Whenever feasible, deploy Mac apps as managed apps via Intune MDM. Mark the "Install as managed" option to Yes for LOB apps that qualify. A managed app means Intune can assert more control: for example, you can issue an uninstall command from Intune (or use an "Uninstall" assignment) to remove the app if it's no longer needed, and if a device is unenrolled from Intune, managed apps can be automatically removed by the MDM profile. Additionally, macOS gives managed apps certain protections, like their data can be excluded from Time Machine or iCloud backups for corporate security. Keep in mind that not every app can be installed as managed (the package must install a single .app in Applications and be properly signed), but for those that can, this approach improves manageability and security.
Leverage Apple Business Manager for App Store Apps: For any application that is available in the Mac App Store, prefer using Apple Business Manager (ABM) integration instead of packaging it yourself. Through ABM, you can obtain licenses (even for free apps) and assign them via Intune without needing users to have an Apple ID on the device. Intune's synchronization with ABM (via VPP tokens) allows you to seamlessly deploy App Store apps. The apps will install/update through Apple's infrastructure, and you can reclaim or reassign licenses as staff changes. This ensures the app is installed in a supported, Apple-approved way, and generally reduces maintenance (since updates can be handled by the App Store). It's also the only straightforward way to push App Store–exclusive apps like Microsoft Remote Desktop or others that you can't legally repackage.
Keep Apps Up to Date and Monitor Deployments: Treat app management as an ongoing process. For LOB apps, when a new version of your software is released, plan to update the Intune app by uploading the new .pkg and bumping the version in Intune (Intune can detect version changes and prompt updates on devices). Regularly review Intune reports or Azure AD device app lists to see which machines have which versions, ensuring consistency. Also, monitor deployment status after assigning apps – Intune will show devices as Installed, Failed, or Not Installed. Investigate any failures promptly: often it could be due to a missing prerequisite (e.g. the device not on the minimum OS), an incorrect detection rule, or a package issue. By staying on top of these, you can proactively address issues. Remember to also educate end users if you're making apps available in the Company Portal – let them know how to find and install available apps, and which ones are required versus optional.
Implementing these best practices will significantly improve your success in managing macOS applications with Intune. Proper packaging and signing ensures Intune can deploy your apps; testing and gathering app info helps you configure Intune correctly; using managed apps and official distribution channels increases control and reliability; and keeping an eye on deployments and updates maintains a healthy application ecosystem on your Macs.
Managing macOS apps in Microsoft Intune enables organizations to provide Mac users with the software they need while maintaining oversight and control. In this article, we covered how Intune supports various app types – from App Store apps via Apple Business Manager to custom PKG/DMG installers – and the process to deploy them to enrolled Macs. We also discussed using tools like pkgutil to inspect and troubleshoot Mac app packages, ensuring that you can resolve issues that might arise during deployments. By following best practices such as signing and testing packages, leveraging managed app capabilities, and using Apple's deployment programs, IT admins can streamline macOS app management in Intune.
In summary, Microsoft Intune offers a comprehensive toolkit for macOS app deployment, balancing flexibility with security. Whether you're pushing Microsoft Office to hundreds of Macs or rolling out a specialized in-house app, Intune's integration with macOS makes the job more efficient. With proper planning and the guidelines above, you can keep your Mac fleet's applications up-to-date, correctly configured, and aligned with your organization's policies – all through the convenience of Intune's cloud-based management. Embracing these practices will help ensure a smooth experience for both IT and end-users, as macOS devices become first-class citizens in your unified endpoint management strategy.
IntuneBrew