Disclaimer: I’m by no means a macOS guy, I’m a Windows guy and have always been :-). There might be things in this post that can be done smarter or in another way – if so, please let me know.
As stated on docs.microsoft.com, in order to distribute apps to macOS, they need to be in .pkg format and converted to the .intunemac format. Furthermore the .pkg file needs to be signed with a Apple Developer certificate.
Quote from docs:
The .pkg file must be signed using “Developer ID Installer” certificate, obtained from an Apple Developer account. Only .pkg files may be used to upload macOS LOB apps to Microsoft Intune. Conversion of other formats, such as .dmg to .pkg is not supported.
But what if we need to distribute an app there’s is not in the AppStore or is not in a signed .pkg file? Then we’ll have to repackage it with a packaging tool. I’m using an app called packages. Let me show it and explain.
Before you get started there is some prerequisites:
- A mac (might be obvious 🙂 )
- Intune licens
- “Packages” app downloaded from here and installed on the mac
- Apple developer certificate and full keychain for it. (.cer file and .p12 file) installed on the mac
A few words on the Apple Developer certificate. If you, like me, don’t have access to the Apple developer ID portal, you need to have the Admin create a Apple Developer Certificate. The type needs to be “Developer ID Installer”.
Once created, ask him to download it, install it to the KeyChaim and export the whole certificate chain by selecting the “Developer ID Certification Authority” certificate and the “IT Developer Installer” private key and select Export 2 items:
Install this chain and the .cer file created and you are ready to sign pkg files.
Packages app on macOS
In this example I’ll be repacking Google Chrome .app to pkg.
On the mac, download the packages app from http://s.sudre.free.fr/Software/Packages/about.html open the dmg and install the packages app. Open packages and select Distribution.
Set a name and choose a location to store the project then click Create
Now packages open the project. From here click on the Chrome package under Packages.
From here go to Payload
Set the Default Destination to Applications. Click on Applications and then click Set.
Now simply drag and drop the app from within the GoogleChrome.dmg file into the Applications folder.
Click Finish to add the file
That’s it. We just need to build the package. On the bar on top, Click Build and then Build again.
Make sure the build is done successful.
Now there should be a .pkg file in the build folder selected in the beginning.
Sign the .pkg with Apple developer certificate
There’s multiple way of signing a .pkg file. Packages is also capable of doing it, but i didn’t have any success with it. Instead i found that the commandline tool “productsign” was working flawless for me.
First find the name of the Apple Developer certificate:
Open KeyChain and find the certificate with a name like “Developer ID Installer: <company name>”.
Still on the mac, Open Terminal and use the following command to sign the pkg file (one liner, wordpress cuts it into multiple lines):
productsign --sign "<Apple Developer certificate name here>" "/Users/Shared/packages/googlechrome.pkg" "/Users/Shared/packages/googlechromesigned.pkg"
Now we have two packages, a non signed, and a signed.
We can verify if and who signed the package by double clicking and click on the lock icon in the left corner:
All there’s left now is to wrap the signed pkg with the Intune Wrapper Tool from Microsoft and sistribute with Intune.
I’d suggest using Per Larsen post of deploying Microsoft Edge. There’s also a good description on using Intune Wrapper Tool:
8 thoughts on “Packaging and signing macOS apps for distribution with Intune”
Pingback: HOWTO: Installing Adobe Creative Cloud with Microsoft Intune on macOS | Larsstaal.com
Thanks for sharing this. I am interested to see if when you deployed Chrome Intune reports back the device as having been installed? I have ran through the procedure you have documented here however, I am finding that although Chrome is indeed installed Intune either reports the device as pending install status or errors out. Are you seeing a successful install?
Thanks for commenting!
Honestly, it doesn’t report back to me either. And i can’t figure out what is missing. From time to time i spent a few minutes/hours on investigating. I’ll update here if i stumble across a fix.
Hi Lars, for what it’s worth, I know why reporting is not working, and I’m using all the same tools mentioned in this but it looks like these two flags just need to be added. Unfortunately, I have had no luck getting these embedded.
Thank you for the comment and the link. I also found that link. From what I have been able to see, my packages looks like the have that information embedded, but to be honest, i’m not 100% sure it is embedded.
And like you, I don’t know how to embed it.
Please keep me updated if you manage to figure it out 🙂
Hi Stewart and Lars,
Thanks for this article!
Did any of you find a solution for this issue?
Thanks for this detailed explanation. But I’m having problems with building of an adobe app. In my case a lightroom.apk.
When I click on build, I keep having errors about access denied. It makes a Build folder. But I it not filled because i get the error “access denied’ on de pkgproj file. I checked acces, and I have all rights on de folder and the files. Do you know what I’m doing wrong?
Thanks in advance.
Hi Jan, i have not experienced that issue. Does it also happen if you try and other app file?