Using Intune

Unfortunately, Intune does not support deployment of zipped PKG files natively (ZIP contains the agent_parameter.json, certificate, and installer). Therefore, there are a few extra steps required to deploy to Macs via Intune.

Review Installing using MDM on Mac and ensure that the MDM profile is on the devices you install to. Otherwise, the user will need to manually accept permissions.

Overview

Using Microsoft Intune to deploy dope.security on macOS involves three major steps:

Deploy MDM Profile to Mac devices via Intune
Create a.pkg with all required files and a unique receipt identifier.
Write a post-install script to automate additional installation tasks and clean-up.
Upload and configure your PKG in Intune with the proper detection rules.

1. Create a PKG with Files and a Custom Receipt

Due to Intune limitations, a single macOS installer package (.pkg) needs to be created:

The installer files required by dope.security (installer, agent_parameters.json, certificate) downloadable from the dope.console
Unique package identifier for Intune/macOS to confirm successful install

Steps

Organize Files
- Create a temp directory with the three dope.security installation files:
  e.g. /tmp/myfiles
Build the Package
- Use pkgbuild to create the .pkg. Below is a simple example:
  bash; pkgbuild --root /tmp/myfiles --identifier installer.dope.com --version 1.0 --install-location /tmp /tmp/my_package.pkg
- Key flags:
  - --identifier installer.dope.com: A unique identifier for this package.
  - --install-location /tmp: Where the files will be placed on the Mac. Adjust to suit your environment, for instance /Applications or /usr/local/bin.
Verify the Package
- Check Package Signature:
  pkgutil --check-signature /tmp/my_package.pkg
- List Package Contents:
  pkgutil --payload-files /tmp/my_package.pkg
- Confirm it includes the three files before proceeding

2. Customize Post-Install Script

The post-install script automates the extra steps-- running the dope.security installer and cleaning up.

Change the package version to what you've downloaded in the script below

Post-Install Script

#!/bin/bash

# Variables
INSTALLER_PATH="/tmp/dope_security_1.0.INSERT_VERSION.pkg"
LOG_FILE="/var/log/dope_install.log"

# Step 1: Silent installation
echo "Starting silent installation..." | tee -a "$LOG_FILE"
sudo installer -pkg "$INSTALLER_PATH" -target / >> "$LOG_FILE" 2>&1

# Step 2: Cleanup
echo "Cleaning up temporary files..." | tee -a "$LOG_FILE"
rm -f "$INSTALLER_PATH"

# Finalize
echo "Installation complete." | tee -a "$LOG_FILE"
exit 0

3. Upload the PKG to Intune

Intune needs the package and detection to ensure successful installation. Upload the .pkg file, configure the Intune checks, and add the post-install script.

Steps

Upload the PKG
- Sign in to the Microsoft Endpoint Manager admin center.
- Go to: Devices > macOS > macOS Apps > Add.
- When prompted, select and upload your .pkg (e.g., /tmp/my_package.pkg).
Configure Detection Logic
- For detection, use:
```
security.dope.DopeSecurityApp
```
Add the Post-Install Script
- Paste your postinstall script here.

Test the Deployment

Assign the app to a test device or test group.

Once installed, verify:

dope.security is active and running.

The PKG appears:

FOUND="$(mdfind 'kMDItemKind == "Application"' -onlyin /Applications | while read app; do BID="$(mdls -name kMDItemCFBundleIdentifier -raw "$app" 2>/dev/null)"; [ "$BID" = "security.dope.DopeSecurityApp" ] && echo "$app" && break; done)"; [ -z "$FOUND" ] && echo "Not found" || echo "Found at $FOUND"

PreviousUsing Kandji NextInstalling using Intune on Win

Last updated 9 months ago