Using Intune

Unfortunately, Intune does not support deployment of zipped PKG files natively (ZIP contains the agent_parameter.json, certificate, and installer). Therefore, there are a few extra steps required to deploy to Macs via Intune.


Overview

Using Microsoft Intune to deploy dope.security on macOS involves four major steps:

  1. Deploy the MDM profile to Mac devices via Intune.

  2. Create a .pkg with all required files and a unique receipt identifier.

  3. Write a post-install script to automate additional installation tasks and clean-up.

  4. Upload and configure your PKG in Intune with the proper detection rules.


1. Create a PKG with Files and a Custom Receipt

Due to Intune limitations, a single macOS installer package (.pkg) needs to be created with:

  • The installer files required by dope.security (installer, agent_parameters.json, certificate), downloadable from the dope.console

  • A unique package identifier that Intune/macOS uses to confirm a successful install

Steps

  1. Organize Files

    • Create a temp directory with the three dope.security installation files:

      e.g. /tmp/myfiles
  2. Build the Package

    • Use pkgbuild to create the .pkg. Below is a simple example:

      pkgbuild --root /tmp/myfiles --identifier installer.dope.com --version 1.0 --install-location /tmp /tmp/my_package.pkg
    • Key flags:

      • --identifier installer.dope.com: A unique identifier for this package.

      • --install-location /tmp: Where the files will be placed on the Mac. Adjust to suit your environment, for instance /Applications or /usr/local/bin.

  3. Verify the Package

    • Check Package Signature:

      pkgutil --check-signature /tmp/my_package.pkg
    • List Package Contents:

      pkgutil --payload-files /tmp/my_package.pkg
    • Confirm it includes the three files before proceeding.
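The three steps above (stage, build, verify) can be scripted so the build stops when a file is missing from the staging directory or from the built package's payload. This is an added example, not a script from the dope.security docs; the certificate file name dope_certificate.pem and the installer name dope_security_1.0.INSERT_VERSION.pkg are assumed placeholders to be replaced with the names of the files you downloaded.

```bash
#!/bin/bash
# Added example (not from the dope.security docs): build the Intune PKG from the
# staging directory and fail early if any required file is missing, either in
# the staging directory or in the payload of the package pkgbuild produced.
STAGE_DIR="${STAGE_DIR:-/tmp/myfiles}"
OUT_PKG="${OUT_PKG:-/tmp/my_package.pkg}"
PKG_ID="${PKG_ID:-installer.dope.com}"
PKG_VERSION="${PKG_VERSION:-1.0}"
# Assumed file names; the certificate and installer names depend on your download.
REQUIRED_FILES="agent_parameters.json dope_certificate.pem dope_security_1.0.INSERT_VERSION.pkg"

# Return 0 only if every required file exists in DIR; otherwise list what is missing.
stage_is_complete() {
  local dir="$1" f missing=""
  for f in $REQUIRED_FILES; do
    [ -f "$dir/$f" ] || missing="$missing $f"
  done
  [ -z "$missing" ] && return 0
  echo "staging dir $dir is missing:$missing" >&2
  return 1
}

# Read `pkgutil --payload-files` output (one "./path" per line) from stdin and
# return 0 only if every required file is present in the payload.
payload_is_complete() {
  local listing f
  listing="$(cat)"
  for f in $REQUIRED_FILES; do
    printf '%s\n' "$listing" | grep -qxF "./$f" || { echo "payload lacks $f" >&2; return 1; }
  done
  return 0
}

# Build the package exactly as in the docs, then verify signature status and payload.
build_pkg() {
  stage_is_complete "$STAGE_DIR" || return 1
  pkgbuild --root "$STAGE_DIR" --identifier "$PKG_ID" --version "$PKG_VERSION" \
           --install-location /tmp "$OUT_PKG" || return 1
  pkgutil --check-signature "$OUT_PKG" || true   # reports status; an unsigned local build is not fatal here
  pkgutil --payload-files "$OUT_PKG" | payload_is_complete
}

# pkgbuild and pkgutil exist only on macOS, so the build runs only when requested.
if [ "${RUN_BUILD:-0}" = "1" ]; then
  build_pkg || exit 1
fi
```

Run it on the Mac used for packaging with `RUN_BUILD=1 ./build_pkg.sh`; the two check functions run anywhere, which is how they can be tested before touching a real package.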


2. Customize Post-Install Script

The post-install script automates the extra steps: running the dope.security installer and cleaning up.

Change the package version in the script below to match the installer you downloaded.

Post-Install Script

#!/bin/bash

# Variables
INSTALLER_PATH="/tmp/dope_security_1.0.INSERT_VERSION.pkg"
LOG_FILE="/var/log/dope_install.log"

# Abort if the installer is not where the PKG placed it (see --install-location)
if [ ! -f "$INSTALLER_PATH" ]; then
  echo "Installer not found at $INSTALLER_PATH" | tee -a "$LOG_FILE"
  exit 1
fi

# Step 1: Silent installation
echo "Starting silent installation..." | tee -a "$LOG_FILE"
sudo installer -pkg "$INSTALLER_PATH" -target / >> "$LOG_FILE" 2>&1
STATUS=$?

# Step 2: Cleanup
echo "Cleaning up temporary files..." | tee -a "$LOG_FILE"
rm -f "$INSTALLER_PATH"

# Finalize: propagate the installer's exit status so a failed install is not reported as success
if [ "$STATUS" -ne 0 ]; then
  echo "Installation failed with status $STATUS." | tee -a "$LOG_FILE"
  exit "$STATUS"
fi
echo "Installation complete." | tee -a "$LOG_FILE"
exit 0

3. Upload the PKG to Intune

Intune needs the package and a detection rule to confirm a successful installation. Upload the .pkg file, configure the Intune detection check, and add the post-install script.

Steps

  1. Upload the PKG

  2. Configure Detection Logic

    • For detection, use:

    security.dope.DopeSecurityApp
  3. Add the Post-Install Script

    • Paste your postinstall script here.

  4. Test the Deployment

    • Assign the app to a test device or test group.

    • Once installed, verify:

      • dope.security is active and running.

      • The app bundle is present. The following command searches /Applications for the bundle identifier used in the detection rule:

        FOUND="$(mdfind 'kMDItemKind == "Application"' -onlyin /Applications | while read app; do
          BID="$(mdls -name kMDItemCFBundleIdentifier -raw "$app" 2>/dev/null)"
          [ "$BID" = "security.dope.DopeSecurityApp" ] && echo "$app" && break
        done)"
        [ -z "$FOUND" ] && echo "Not found" || echo "Found at $FOUND"
