Packaging and signing macOS apps for distribution with Intune

Disclaimer: I’m by no means a macOS guy; I’m a Windows guy and always have been :-). There might be things in this post that can be done smarter or in another way – if so, please let me know.

As stated on docs.microsoft.com, in order to distribute apps to macOS, they need to be in .pkg format and converted to the .intunemac format. Furthermore, the .pkg file needs to be signed with an Apple Developer certificate.

Quote from docs:

The .pkg file must be signed using “Developer ID Installer” certificate, obtained from an Apple Developer account. Only .pkg files may be used to upload macOS LOB apps to Microsoft Intune. Conversion of other formats, such as .dmg to .pkg is not supported.

But what if we need to distribute an app that is not in the App Store or does not come as a signed .pkg file? Then we’ll have to repackage it with a packaging tool. I’m using an app called Packages. Let me show it and explain.

Prerequisites

Before you get started there are some prerequisites:

  • A mac (might be obvious 🙂 )
  • Intune license
  • “Packages” app downloaded from here and installed on the mac
  • Apple developer certificate and full keychain for it. (.cer file and .p12 file) installed on the mac

Certificate

A few words on the Apple Developer certificate. If you, like me, don’t have access to the Apple Developer ID portal, you need to have the admin create an Apple Developer certificate. The type needs to be “Developer ID Installer”.

Once created, ask him to download it, install it into the Keychain and export the whole certificate chain by selecting the “Developer ID Certification Authority” certificate and the “IT Developer Installer” private key, then selecting Export 2 items:

Install this chain and the .cer file created and you are ready to sign pkg files.

Packages app on macOS

In this example I’ll be repacking Google Chrome .app to pkg.

On the mac, download the Packages app from http://s.sudre.free.fr/Software/Packages/about.html, open the dmg and install the Packages app. Open Packages and select Distribution.

Set a name and choose a location to store the project, then click Create.

Now Packages opens the project. From here click on the Chrome package under Packages.

From here go to Payload

Set the Default Destination to Applications. Click on Applications and then click Set.

Now simply drag and drop the app from within the GoogleChrome.dmg file into the Applications folder.

Click Finish to add the file.

That’s it. We just need to build the package. On the bar on top, click Build and then Build again.

Make sure the build completed successfully.

Now there should be a .pkg file in the build folder selected in the beginning.

Sign the .pkg with Apple developer certificate

There are multiple ways of signing a .pkg file. Packages is also capable of doing it, but I didn’t have any success with it. Instead I found that the command-line tool “productsign” worked flawlessly for me.

First find the name of the Apple Developer certificate:

Open Keychain Access and find the certificate with a name like “Developer ID Installer: <company name>”.

Still on the mac, open Terminal and use the following command to sign the pkg file (this is a single line, even though WordPress wraps it into multiple lines):

productsign --sign "<Apple Developer certificate name here>" "/Users/Shared/packages/googlechrome.pkg" "/Users/Shared/packages/googlechromesigned.pkg"

Now we have two packages, an unsigned one and a signed one.

We can verify whether and by whom the package was signed by double-clicking it and clicking the lock icon in the left corner:
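The same signing and verification step can be scripted, which also catches the two things that most often go wrong: picking a certificate that is not of the “Developer ID Installer” type (Intune rejects the package), and shipping a package that did not actually get signed. This is an added example, not part of the original post; it assumes the identity name and file paths from the steps above, and that pkgutil reports the signature on a line starting with “Status: signed”.

```bash
#!/bin/bash
# Added example: sign a Packages-built .pkg with productsign and verify the
# result with pkgutil before wrapping it for Intune. Assumed inputs:
#   $1 = "Developer ID Installer: <company name>" identity from Keychain
#   $2 = unsigned .pkg built by Packages, $3 = path for the signed .pkg
set -euo pipefail

# Intune only accepts .pkg files signed with a "Developer ID Installer"
# certificate, so refuse any other identity type (e.g. "Developer ID Application").
is_installer_identity() {
  case "$1" in
    "Developer ID Installer: "?*) return 0 ;;
    *) return 1 ;;
  esac
}

# Decide from `pkgutil --check-signature` output whether a signature is present.
# Assumption: a signed package reports "Status: signed ...", an unsigned one
# reports "Status: no signature".
signature_present() {
  printf '%s\n' "$1" | grep -q 'Status: signed'
}

sign_pkg() {
  is_installer_identity "$1" || { echo "not a Developer ID Installer identity: $1" >&2; return 1; }
  [ -f "$2" ] || { echo "input package not found: $2" >&2; return 1; }
  # Confirm the identity (certificate plus private key) is really in the keychain.
  security find-identity -v -p basic | grep -Fq "$1" \
    || { echo "identity not found in keychain: $1" >&2; return 1; }
  productsign --sign "$1" "$2" "$3"
  # Verify the signed output before handing it to the Intune wrapper tool.
  local report
  report=$(pkgutil --check-signature "$3")
  signature_present "$report" || { echo "signature check failed for $3" >&2; return 1; }
  printf '%s\n' "$report"
}

# Run the real signing only when invoked with the three arguments.
if [ "$#" -eq 3 ]; then
  sign_pkg "$1" "$2" "$3"
fi
```

Example invocation: `./sign_pkg.sh "Developer ID Installer: <company name>" /Users/Shared/packages/googlechrome.pkg /Users/Shared/packages/googlechromesigned.pkg`.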

All that’s left now is to wrap the signed pkg with the Intune Wrapper Tool from Microsoft and distribute it with Intune.

I’d suggest reading Per Larsen’s post on deploying Microsoft Edge. It also has a good description of using the Intune Wrapper Tool:
