Disclaimer: I’m by no means a macOS guy; I’m a Windows guy and have always been :-). There might be things in this post that can be done smarter or in another way – if so, please let me know.
As stated on docs.microsoft.com, in order to distribute apps to macOS with Intune, they need to be in .pkg format and converted to the .intunemac format. Furthermore, the .pkg file needs to be signed with an Apple Developer certificate.
Quote from docs:
The .pkg file must be signed using “Developer ID Installer” certificate, obtained from an Apple Developer account. Only .pkg files may be used to upload macOS LOB apps to Microsoft Intune. Conversion of other formats, such as .dmg to .pkg is not supported.
But what if we need to distribute an app that is not in the App Store or does not come as a signed .pkg file? Then we’ll have to repackage it with a packaging tool. I’m using an app called Packages. Let me show it and explain.
Before you get started, there are some prerequisites:
- A Mac (might be obvious 🙂 )
- Intune license
- The “Packages” app downloaded from here and installed on the Mac
- Apple Developer certificate and the full keychain for it (.cer file and .p12 file) installed on the Mac
A few words on the Apple Developer certificate. If you, like me, don’t have access to the Apple Developer ID portal, you need to have the admin create an Apple Developer certificate. The type needs to be “Developer ID Installer”.
Once created, ask him to download it, install it to the Keychain and export the whole certificate chain by selecting the “Developer ID Certification Authority” certificate and the “IT Developer Installer” private key, then select Export 2 items:
Install this chain and the .cer file that was created, and you are ready to sign .pkg files.
Packages app on macOS
In this example I’ll be repackaging the Google Chrome .app into a .pkg.
On the Mac, download the Packages app from http://s.sudre.free.fr/Software/Packages/about.html, open the .dmg and install the Packages app. Open Packages and select Distribution.
Set a name and choose a location to store the project, then click Create.
Packages now opens the project. From here, click on the Chrome package under Packages.
From here, go to Payload.
Set the Default Destination to Applications: click on Applications and then click Set.
Now simply drag and drop the app from within the GoogleChrome.dmg file into the Applications folder.
Click Finish to add the file.
That’s it. We just need to build the package. On the menu bar at the top, click Build and then Build again.
Make sure the build completes successfully.
There should now be a .pkg file in the build folder selected in the beginning.
Sign the .pkg with Apple developer certificate
There are multiple ways of signing a .pkg file. Packages is also capable of doing it, but I didn’t have any success with it. Instead I found that the command-line tool “productsign” worked flawlessly for me.
First, find the name of the Apple Developer certificate:
Open Keychain Access and find the certificate with a name like “Developer ID Installer: <company name>”.
Still on the Mac, open Terminal and use the following command to sign the .pkg file (one line; WordPress wraps it onto multiple lines):
productsign --sign "<Apple Developer certificate name here>" "/Users/Shared/packages/googlechrome.pkg" "/Users/Shared/packages/googlechromesigned.pkg"
Now we have two packages: an unsigned one and a signed one.
We can verify whether the package is signed, and by whom, by double-clicking it and clicking on the lock icon in the left corner:
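The same check can be scripted instead of clicking the lock icon. The following is an added example, not code from the original post: it wraps the productsign step and then verifies the result with pkgutil --check-signature, refusing the package unless the leaf certificate is a “Developer ID Installer” one (the type Intune requires). The paths, the certificate name “Example Corp (TEAMID1234)” and the sample pkgutil output are constructed assumptions; the exact wording of the Status line differs between macOS versions.

```shell
#!/bin/sh
# Added example (not from the original post): sign a .pkg with productsign,
# then verify it from the command line with pkgutil and refuse the package
# unless its leaf certificate is a "Developer ID Installer" certificate.
# Paths, the certificate name and the sample pkgutil output are assumptions.

# Reads the text of `pkgutil --check-signature <pkg>` from stdin. Returns 0
# only if the package is signed and the first certificate in the chain is a
# Developer ID Installer certificate; prints the reason on failure.
check_signature_output() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/^ *Status: *//p' | sed -n '1p')
    case "$status" in
        "")                 echo "FAIL: no Status line in input" >&2; return 1 ;;
        *untrusted*|*"no signature"*) echo "FAIL: $status" >&2; return 1 ;;
        "signed by"*)       ;;
        *)                  echo "FAIL: unexpected status '$status'" >&2; return 1 ;;
    esac
    leaf=$(printf '%s\n' "$out" | sed -n 's/^ *1\. *//p' | sed -n '1p')
    case "$leaf" in
        "Developer ID Installer:"*) echo "OK: signed by $leaf"; return 0 ;;
        *) echo "FAIL: leaf is '$leaf', not a Developer ID Installer cert" >&2; return 1 ;;
    esac
}

# Signs $2 into $3 with the Keychain identity named in $1, then verifies $3.
# Usage (assumed names):
#   sign_and_verify "Developer ID Installer: Example Corp (TEAMID1234)" \
#     /Users/Shared/packages/googlechrome.pkg /Users/Shared/packages/googlechromesigned.pkg
sign_and_verify() {
    productsign --sign "$1" "$2" "$3" || return 1
    pkgutil --check-signature "$3" | check_signature_output
}

# Constructed sample pkgutil output for offline checks (real wording of the
# Status line differs between macOS versions).
SAMPLE_OK='Package "googlechromesigned.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Certificate Chain:
    1. Developer ID Installer: Example Corp (TEAMID1234)
    2. Developer ID Certification Authority
    3. Apple Root CA'
SAMPLE_WRONG_TYPE='Package "googlechromesigned.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Certificate Chain:
    1. Developer ID Application: Example Corp (TEAMID1234)'
SAMPLE_UNSIGNED='Package "googlechrome.pkg":
   Status: no signature'
```

Running sign_and_verify before the Intune wrapping step catches a package signed with a “Developer ID Application” certificate by mistake, which the lock icon alone does not make obvious.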
All that’s left now is to wrap the signed .pkg with the Intune Wrapper Tool from Microsoft and distribute it with Intune.
I’d suggest using Per Larsen’s post on deploying Microsoft Edge. There’s also a good description there of using the Intune Wrapper Tool: